CN106533683A - Equipment authentication method using national commercial cryptographic algorithm - Google Patents
Equipment authentication method using national commercial cryptographic algorithm Download PDFInfo
- Publication number
- CN106533683A CN106533683A CN201611009311.XA CN201611009311A CN106533683A CN 106533683 A CN106533683 A CN 106533683A CN 201611009311 A CN201611009311 A CN 201611009311A CN 106533683 A CN106533683 A CN 106533683A
- Authority
- CN
- China
- Prior art keywords
- state
- host computer
- code keypad
- code
- keyboard
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/83—Protecting input, output or interconnection devices input devices, e.g. keyboards, mice or controllers thereof
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3252—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Algebra (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Pure & Applied Mathematics (AREA)
- Computing Systems (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
The invention discloses an equipment authentication method using a national commercial cryptographic algorithm. The method comprises the steps of SM2 public and private key generation, public key issuing flow management, feature code management, random dynamic code and feature code hybrid algorithm implementation, encryption and decryption verification, and state control and the like. The national commercial cryptographic algorithm is applied to an external code keyboard and handshake authentication of an upper computer for the first time, so that security and controllability of equipment access are enhanced. The high-security-level equipment authentication method is realized by using the SM2 algorithm at the external code keyboard that supports the national commercial cryptographic algorithm SM2/SM3/SM4 and is designed and produced by the company. Using the method disclosed by the invention, the external code keyboard can be used securely and only can be used by matching a credit financial terminal or upper computer, so that application of the external code keyboard to an untrusted system can be prevented and financial business security can be guaranteed.
Description
Technical field
The present invention relates to financial information technology field, and in particular to a kind of device authentication using national commercial cipher algorithm
Method.
Background technology
2014,《The General Office of the State Council forwards password Ju Deng departments with regard to the logical of financial field cipher application instruction
Know》Clearly propose to strive tentatively realizing within 2015 domestic password in financial IC card (integrated circuit card), Web bank, movement
Pay, the extensive application in the major fields such as Internet securities, electronic insurance policy, realize domestic password in financial field to the year two thousand twenty
Overall application.2015,《Notice with regard to organizing and implementing national information safety special project relevant issues in 2015》Further requirement
Upgrading is carried out to business bank's bank card correlation software and hardware system, and POS, ATM, the passwords such as SM2/3/4 are supported
Algorithm.
The content of the invention
To solve the above problems, the invention provides a kind of equipment authentication method using national commercial cipher algorithm, adopts
With national commercial cipher canonical algorithm SM2, increase the proprietary protocol and algorithm of designed, designed, realize that safer equipment room is held
Hand authentication management.
For achieving the above object, the technical scheme taken of the present invention is:
A kind of equipment authentication method using national commercial cipher algorithm, comprises the steps:
S1, a pair of SM2 public private key pairs are firstly generated, public key publication is in host computer application software;Private key is retained in password
The cryptoguard area of keyboard;
S2, when code keypad insert credit host computer USB interface, complete CCID kind equipments drive configuration after, on
Position machine finds code keypad equipment, and now code keypad default conditions are un-authenticated state, and host computer is in addition to authentication command
Order cannot all be performed, and return status error.Local state defaults to un-authenticated state, i.e. GM06_state=0;
S3, host computer obtain the status information of keyboard first, obtain code keypad state for un-authenticated state, triggering authentication
Request;
If S4, host computer do not properly resolve keyboard state, any order outside certification is sent, it is wrong that keyboard returns state
False information, and subsidiary keyboard state information;Host computer sends authentication command, and code keypad returns dynamic data, and (4 bytes are random
Number);The dynamic data is generated by real random number generator;
After S5, host computer receive dynamic data, the dynamic data is obtained according to proprietary protocol, and the data and bypass
The condition code of issue regards be-encrypted data together, calls SM2 AESs to complete encryption.The ciphertext of generation is sent to cryptographic key
Disk;
After S6, code keypad receive ciphertext, call SM2 decryption interfaces, decrypted using certification private key, obtain dynamic data and
Condition code, compare respectively dynamic data and condition code it is all correct in the case of, state is switched to normal operating conditions;Otherwise, return
Authentification failure is returned, certification next time is waited;
S7,3 failures of continuous certification, code keypad enter lock-out state, and locking time is 2 hours;2 hours afterwards can be with
Continue to receive certification, repeat aforesaid operations.
The invention has the advantages that:
Take the lead in national commercial cipher algorithm is applied in the handshake authentication of external code keypad and host computer, enhance and set
The standby security for accessing and controllability;The external code keypad that production is designed in our company (supports national commercial cipher algorithm
SM2/SM3/SM4, on), a kind of equipment authentication method of the high safety rank realized using SM2 algorithms can be allowed using the method
External code keypad can only be used cooperatively with the financial terminal of credit or host computer, be prevented external cryptographic key using safer
The system that disk is used for non-credit, it is ensured that financial business safety.
Specific embodiment
In order that objects and advantages of the present invention become more apparent, with reference to embodiments the present invention is carried out further
Describe in detail.It should be appreciated that specific embodiment described herein is not used to limit this only to explain the present invention
It is bright.
In following examples, SM2 is a kind of rivest, shamir, adelman based on elliptic curve, and RSA belongs to mesh
Two kinds of rivest, shamir, adelmans of front main flow, SM2 are more safer than RSA.One lifts curve, and everybody just will recognize that equation, oval bent
Line algorithm be by equation determine, the elliptic curve equation that SM2 algorithms are adopted for:Y2=x3+ax+b, in SM2 algorithm standard rules
In, by specifying a, b coefficient, it is determined that unique calibration curve.Meanwhile, in order to by curve mapping be AES, SM2 standards
In further define other parameters, for algorithm routine use.
SM2 is the public key algorithm that national Password Management office announces, and its Cipher Strength is 256.
Public and private key in following examples generates finite prime field elliptic curve group Fp using SM2 suggestions, generates key
Process is exactly the elliptic curve that a finite field (less than the integer of 256 bytes) is generated on the basis of the parameter of curve of SM2 suggestions
Array, and a G point and a P point are generated, coordinate P (x, y) of P points is public key, and the exponent number between G and P points is private key.
Public key length is 256+256 totally 512 bits, 256 bit of private key.
A kind of equipment authentication method using national commercial cipher algorithm is embodiments provided, including following step
Suddenly:
S1, a pair of SM2 public private key pairs are firstly generated, public key publication is in host computer application software;Private key is retained in password
The cryptoguard area of keyboard;
S2, when code keypad insert credit host computer USB interface, complete CCID kind equipments drive configuration after, on
Position machine finds code keypad equipment, and now code keypad default conditions are un-authenticated state, and host computer is in addition to authentication command
Order cannot all be performed, and return status error.Local state defaults to un-authenticated state, i.e. GM06_state=0;
S3, host computer obtain the status information of keyboard first, obtain code keypad state for un-authenticated state, triggering authentication
Request;
If S4, host computer do not properly resolve keyboard state, any order outside certification is sent, it is wrong that keyboard returns state
False information, and subsidiary keyboard state information;Host computer sends authentication command, and code keypad returns dynamic data, and (4 bytes are random
Number);The dynamic data is generated by real random number generator;
After S5, host computer receive dynamic data, the dynamic data is obtained according to proprietary protocol, and the data and bypass
The condition code of issue regards be-encrypted data together, calls SM2 AESs to complete encryption.The ciphertext of generation is sent to cryptographic key
Disk;
After S6, code keypad receive ciphertext, call SM2 decryption interfaces, decrypted using certification private key, obtain dynamic data and
Condition code, compare respectively dynamic data and condition code it is all correct in the case of, state is switched to normal operating conditions;Otherwise, return
Authentification failure is returned, certification next time is waited;
S7,3 failures of continuous certification, code keypad enter lock-out state, and locking time is 2 hours;2 hours afterwards can be with
Continue to receive certification, repeat aforesaid operations.
The above is only the preferred embodiment of the present invention, it is noted that for the ordinary skill people of the art
For member, under the premise without departing from the principles of the invention, some improvements and modifications can also be made, these improvements and modifications also should
It is considered as protection scope of the present invention.
Claims (1)
1. a kind of equipment authentication method using national commercial cipher algorithm, it is characterised in that comprise the steps:
S1, a pair of SM2 public private key pairs are firstly generated, public key publication is in host computer application software;Private key is retained in code keypad
Cryptoguard area;
S2, when code keypad insert credit host computer USB interface, complete CCID kind equipments drive configuration after, host computer
It was found that code keypad equipment, now code keypad default conditions are un-authenticated state, order of the host computer in addition to authentication command
Cannot all perform, return status error.Local state defaults to un-authenticated state, i.e. GM06_state=0;
S3, host computer obtain the status information of keyboard first, and it is un-authenticated state to obtain code keypad state, and triggering authentication please
Ask;
If S4, host computer do not properly resolve keyboard state, any order outside certification is sent, keyboard returns status error letter
Breath, and subsidiary keyboard state information;Host computer sends authentication command, and code keypad returns dynamic data (4 byte random number);Should
Dynamic data is generated by real random number generator;
After S5, host computer receive dynamic data, the dynamic data is obtained according to proprietary protocol, and the data and bypass are issued
Condition code together regard be-encrypted data, call SM2 AESs complete encryption.The ciphertext of generation is sent to code keypad;
After S6, code keypad receive ciphertext, SM2 decryption interfaces are called, decrypted using certification private key, obtain dynamic data and feature
Code, compare respectively dynamic data and condition code it is all correct in the case of, state is switched to normal operating conditions;Otherwise, return is recognized
Card failure, waits certification next time;
S7,3 failures of continuous certification, code keypad enter lock-out state, and locking time is 2 hours;Can continue afterwards within 2 hours
Receive certification, repeat aforesaid operations.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611009311.XA CN106533683A (en) | 2016-11-11 | 2016-11-11 | Equipment authentication method using national commercial cryptographic algorithm |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611009311.XA CN106533683A (en) | 2016-11-11 | 2016-11-11 | Equipment authentication method using national commercial cryptographic algorithm |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106533683A true CN106533683A (en) | 2017-03-22 |
Family
ID=58352149
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611009311.XA Pending CN106533683A (en) | 2016-11-11 | 2016-11-11 | Equipment authentication method using national commercial cryptographic algorithm |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106533683A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111882783A (en) * | 2020-06-29 | 2020-11-03 | 银盛支付服务股份有限公司 | Butt-joint-transformation-free plug-and-play MIS-POS system and implementation method |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101873331A (en) * | 2010-07-07 | 2010-10-27 | 中国工商银行股份有限公司 | Safety authentication method and system |
CN103020493A (en) * | 2012-12-28 | 2013-04-03 | 杭州晟元芯片技术有限公司 | Anti-copy software protecting and operating device and anti-copy software protecting and operating method |
CN103763631A (en) * | 2014-01-07 | 2014-04-30 | 青岛海信信芯科技有限公司 | Authentication method, server and television |
CN103929307A (en) * | 2014-04-02 | 2014-07-16 | 天地融科技股份有限公司 | Password input method, intelligent secret key device and client device |
-
2016
- 2016-11-11 CN CN201611009311.XA patent/CN106533683A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101873331A (en) * | 2010-07-07 | 2010-10-27 | 中国工商银行股份有限公司 | Safety authentication method and system |
CN103020493A (en) * | 2012-12-28 | 2013-04-03 | 杭州晟元芯片技术有限公司 | Anti-copy software protecting and operating device and anti-copy software protecting and operating method |
CN103763631A (en) * | 2014-01-07 | 2014-04-30 | 青岛海信信芯科技有限公司 | Authentication method, server and television |
CN103929307A (en) * | 2014-04-02 | 2014-07-16 | 天地融科技股份有限公司 | Password input method, intelligent secret key device and client device |
Non-Patent Citations (1)
Title |
---|
严圣阳: "《互联网金融新业态》", 30 June 2014 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111882783A (en) * | 2020-06-29 | 2020-11-03 | 银盛支付服务股份有限公司 | Butt-joint-transformation-free plug-and-play MIS-POS system and implementation method |
CN111882783B (en) * | 2020-06-29 | 2021-04-16 | 银盛支付服务股份有限公司 | Plug-and-play MIS-POS realization method free of butt joint transformation |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10461927B2 (en) | Secure channel establishment between payment device and terminal device | |
Degabriele et al. | On the joint security of encryption and signature in EMV | |
CN107786550B (en) | A kind of safety communicating method of self-service device, safe communication system and self-service device | |
US8971540B2 (en) | Authentication | |
US7991151B2 (en) | Method for secure delegation of calculation of a bilinear application | |
US9544132B2 (en) | Cryptographic method for protecting a key hardware register against fault attacks | |
Han et al. | An Improved Biometric Based Authentication Scheme with User Anonymity Using Elliptic Curve Cryptosystem. | |
CN110505055A (en) | Based on unsymmetrical key pond to and key card outer net access identity authentication method and system | |
CN103404073A (en) | Protection against passive sniffing | |
CN112818332A (en) | Password management service platform for intelligent manufacturing | |
TWI476629B (en) | Data security and security systems and methods | |
US9641333B2 (en) | Authentication methods, systems, devices, servers and computer program products, using a pairing-based cryptographic approach | |
CN106533683A (en) | Equipment authentication method using national commercial cryptographic algorithm | |
KR20130007097A (en) | Security system of smart phone service and secruity method | |
CN107566125A (en) | The safety certifying method that a kind of more algorithms combine | |
TWI383327B (en) | The use of wafer financial card in the ATM system cardholder authentication methods, systems and computer systems | |
Tapiador et al. | Cryptanalysis of Song's advanced smart card based password authentication protocol | |
CN100566239C (en) | The key transmission method of multi-stage intelligent key apparatus and system | |
EP3556046B1 (en) | Method for secure management of secrets in a hierarchical multi-tenant environment | |
EP3035589A1 (en) | Security management system for authenticating a token by a service provider server | |
Lu et al. | Communication security between a computer and a hardware token | |
Xu et al. | OTP bidirectional authentication scheme based on MAC address | |
Zhang et al. | A New Way to Prevent UKS Attacks Using Hardware Security Chips. | |
TW501013B (en) | High-speed security device | |
CN114329518A (en) | Encryption and decryption method and device for software cryptographic module account |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20170322 |