Disclosure of Invention
The present invention is directed to a method and apparatus for generating an electronic invoice that substantially obviates one or more of the problems due to limitations and disadvantages of the related art.
Additional features and advantages of the invention will be set forth in the detailed description which follows, or may be learned by practice of the invention.
According to a first aspect of the present invention, a method for generating an electronic invoice is provided, which includes the following steps:
binding an invoicing terminal of the electronic invoice with hardware equipment for security authentication;
sending the billing information of the electronic invoice to the hardware equipment so that the hardware equipment encrypts the billing information to obtain a ciphertext;
receiving the ciphertext sent by the hardware equipment;
and generating a network link based on the ciphertext, wherein the network link is used for sending a billing request containing the ciphertext to a server so that the server decrypts the ciphertext to obtain billing information, and generating an electronic invoice based on the billing information.
In some embodiments of the present invention, based on the foregoing solution, the binding between the invoicing terminal of the electronic invoice and the hardware device for performing security authentication includes:
the billing terminal acquires a digital certificate and a trust chain stored in the hardware equipment through a hardware interface of the hardware equipment;
and the billing terminal is bound with the digital certificate and the trust chain so as to be bound with the hardware equipment.
In some embodiments of the present invention, based on the foregoing solution, the method for generating an electronic invoice further includes:
generating a first random number when starting the billing service;
sending the first random number to the hardware equipment so that the hardware equipment signs the first random number based on a digital certificate in the hardware equipment to obtain a signature result;
verifying the signature result according to the digital certificate bound with the billing terminal;
and after the signature result is verified, sending the billing information to the hardware equipment.
In some embodiments of the present invention, based on the foregoing scheme, in a case that the hardware device encrypts the billing information according to a randomly generated second random number, the method further includes:
receiving the second random number sent by the hardware equipment, wherein the billing request also comprises the second random number.
In some embodiments of the present invention, based on the foregoing scheme, the network link includes a two-dimensional code link.
According to the second aspect of the present invention, there is also provided a method for generating an electronic invoice, including the following steps:
binding hardware equipment for security authentication with an electronic invoice terminal;
receiving the billing information of the electronic invoice sent by the billing terminal;
encrypting the billing information to obtain a ciphertext;
and sending the ciphertext to the billing terminal so that the billing terminal can generate a network link for sending a billing request to a server based on the ciphertext.
In some embodiments of the present invention, based on the foregoing solution, the hardware device stores therein a digital certificate and a trust chain for performing invoicing authentication, and the binding of the hardware device and the invoicing terminal includes:
sending the digital certificate and the trust chain to the billing terminal so as to bind the billing terminal with the digital certificate and the trust chain.
In some embodiments of the present invention, based on the foregoing solution, the method for generating an electronic invoice further includes:
receiving a first random number sent by the billing terminal;
signing the first random number based on a digital certificate stored in the hardware equipment to obtain a signature result;
and sending the signature result to the billing terminal so that the billing terminal authenticates the identity of the hardware equipment.
In some embodiments of the present invention, based on the foregoing solution, the method for generating an electronic invoice further includes: storing a shared key from the server;
encrypting the billing information, including:
signing the invoicing information based on the digital certificate to obtain a signature value;
generating a second random number, and generating a temporary session key according to the second random number and the shared key;
and encrypting the billing information and the signature value through the temporary session key to obtain the ciphertext.
In some embodiments of the present invention, based on the foregoing solution, the method for generating an electronic invoice further includes: sending the second random number to the billing terminal.
In some embodiments of the present invention, based on the foregoing scheme, in the case that the server encrypts the shared key through the digital certificate, the method further includes:
decrypting based on the digital certificate to obtain the shared secret key.
According to the third aspect of the present invention, there is also provided a method for generating an electronic invoice, including the following steps:
a server receiving an invoicing request for an electronic invoice, wherein the invoicing request comprises a ciphertext obtained by encrypting invoicing information of the electronic invoice through hardware equipment used for security authentication;
decrypting the ciphertext to obtain the billing information;
and generating an electronic invoice based on the invoicing information.
In some embodiments of the present invention, based on the foregoing solution, the method for generating an electronic invoice further includes:
generating a shared key;
storing the shared key to the hardware device so that the hardware device encrypts the billing information based on the shared key.
In some embodiments of the present invention, based on the foregoing solution, the server stores therein a digital certificate for performing invoice certification, and the method for generating an electronic invoice further includes:
encrypting the shared secret key based on the digital certificate and then importing the encrypted shared secret key into the hardware equipment.
In some embodiments of the present invention, based on the foregoing solution, the server stores therein a digital certificate for performing invoicing authentication, the invoicing request further includes a second random number generated by the hardware device, and decrypting the ciphertext includes:
generating a temporary session key according to the second random number and the shared key;
decrypting the ciphertext based on the temporary session key to obtain the billing information and a signature value of the billing information;
verifying the signature value according to the digital certificate;
and after the signature value is verified, determining to obtain the invoicing information.
According to the fourth aspect of the present invention, there is also provided an electronic invoice generation apparatus, including:
the binding unit binds an invoicing terminal of the electronic invoice with hardware equipment for security authentication;
the sending unit is used for sending the invoicing information of the electronic invoice to the hardware equipment so that the hardware equipment encrypts the invoicing information to obtain a ciphertext;
a receiving unit, configured to receive the ciphertext sent by the hardware device;
and the processing unit is used for generating a network link based on the ciphertext, and the network link is used for sending a billing request containing the ciphertext to a server so as to enable the server to decrypt the ciphertext to obtain billing information and generate an electronic invoice based on the billing information.
In some embodiments of the present invention, based on the foregoing scheme, the binding unit is configured to:
acquiring a digital certificate and a trust chain stored in the hardware equipment through a hardware interface of the hardware equipment, and binding the billing terminal with the digital certificate and the trust chain so as to bind the billing terminal with the hardware equipment.
In some embodiments of the present invention, based on the foregoing solution, the electronic invoice generating apparatus further includes: a generation unit and a verification unit;
the generation unit is used for generating a first random number when the billing service is started;
the sending unit is further configured to: sending the first random number to the hardware equipment so that the hardware equipment signs the first random number based on a digital certificate in the hardware equipment to obtain a signature result;
the verification unit is used for verifying the signature result according to the digital certificate bound with the invoicing terminal;
the transmitting unit is configured to: and after the signature result is verified, sending the billing information to the hardware equipment.
In some embodiments of the present invention, based on the foregoing scheme, in a case where the hardware device encrypts the billing information according to a randomly generated second random number, the receiving unit is further configured to:
receiving the second random number sent by the hardware equipment, wherein the billing request also comprises the second random number.
In some embodiments of the present invention, based on the foregoing scheme, the network link includes a two-dimensional code link.
According to the fifth aspect of the present invention, there is also provided an electronic invoice generation apparatus, including:
the binding unit is used for binding the hardware equipment for security authentication with the invoicing terminal of the electronic invoice;
the receiving unit is used for receiving the invoicing information of the electronic invoice sent by the invoicing terminal;
the processing unit is used for encrypting the billing information to obtain a ciphertext;
and the sending unit is used for sending the ciphertext to the billing terminal so that the billing terminal can generate a network link for sending a billing request to a server based on the ciphertext.
In some embodiments of the present invention, based on the foregoing solution, the hardware device stores therein a digital certificate and a trust chain for performing invoicing authentication, and the binding unit is configured to:
sending the digital certificate and the trust chain to the billing terminal so as to bind the billing terminal with the digital certificate and the trust chain.
In some embodiments of the present invention, based on the foregoing scheme, the receiving unit is further configured to receive a first random number sent by the billing terminal; the processing unit is further configured to sign the first random number based on a digital certificate stored in the hardware device, so as to obtain a signature result; the sending unit is further configured to send the signature result to the billing terminal, so that the billing terminal authenticates the identity of the hardware device.
In some embodiments of the present invention, based on the foregoing solution, the electronic invoice generation apparatus further includes: a storage unit for storing a shared key from the server;
the processing unit is configured to:
signing the invoicing information based on the digital certificate to obtain a signature value;
generating a second random number, and generating a temporary session key according to the second random number and the shared key;
and encrypting the billing information and the signature value through the temporary session key to obtain the ciphertext.
In some embodiments of the present invention, based on the foregoing scheme, the sending unit is further configured to: send the second random number to the billing terminal.
In some embodiments of the present invention, based on the foregoing solution, the storage unit is configured to:
in the case that the server encrypts the shared key through the digital certificate, decrypting based on the digital certificate to obtain the shared key.
According to the sixth aspect of the present invention, there is also provided an electronic invoice generation apparatus, including:
the receiving unit is used for receiving an invoicing request of the electronic invoice, wherein the invoicing request comprises a ciphertext obtained by encrypting the invoicing information of the electronic invoice by using hardware equipment for security authentication;
the decryption unit is used for decrypting the ciphertext to obtain the billing information;
and the processing unit is used for generating an electronic invoice based on the invoicing information.
In some embodiments of the present invention, based on the foregoing solution, the electronic invoice generation apparatus further includes: a generating unit used for generating a shared key and storing the shared key to the hardware equipment so that the hardware equipment encrypts the billing information based on the shared key.
In some embodiments of the present invention, based on the foregoing solution, the server stores therein a digital certificate for performing invoicing authentication, and the generating unit is configured to: encrypt the shared secret key based on the digital certificate and then import the encrypted shared secret key into the hardware equipment.
In some embodiments of the present invention, based on the foregoing solution, the server stores therein a digital certificate for performing invoicing authentication, the invoicing request further includes a second random number generated by the hardware device, and the decryption unit is configured to:
generating a temporary session key according to the second random number and the shared key;
decrypting the ciphertext based on the temporary session key to obtain the billing information and a signature value of the billing information;
verifying the signature value according to the digital certificate;
and after the signature value is verified, determining to obtain the invoicing information.
In the technical solutions provided by some embodiments of the present invention, since the billing information is encrypted by the hardware device for security authentication, the encryption algorithm can be executed in hardware, and thus the problem of the billing information being maliciously tampered with and forged can be effectively avoided. The invoicing terminal, the hardware equipment for security authentication and the server cooperate, and the electronic invoice is issued according to the digital certificate, so that the data security of the electronic invoice can be effectively guaranteed, which facilitates the further popularization of the value-added tax electronic invoice service.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations or operations have not been shown or described in detail to avoid obscuring aspects of the invention.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
The technical scheme of the embodiment of the invention is described in the following three aspects of an electronic invoice billing terminal, hardware equipment for security authentication and a server respectively:
Electronic invoice billing terminal
Fig. 1 schematically shows a flowchart of a method for generating an electronic invoice, the execution subject of which is a terminal for issuing an electronic invoice, according to a first embodiment of the present invention.
Referring to fig. 1, a method for generating an electronic invoice according to a first embodiment of the present invention includes:
Step S102, binding the billing terminal of the electronic invoice with hardware equipment for security authentication.
In the embodiment of the invention, the electronic invoice is the electronic image and electronic record of a paper invoice; no paper carrier is needed, and the printing step of the traditional paper invoice is not needed. The invoicing terminal of the electronic invoice can be a computer, a smart phone, a tablet computer or another device, and can communicate with the server and with the hardware device for security authentication. The hardware device used for security authentication is a device based on hardware encryption, for example a UKEY.
According to an exemplary embodiment of the present invention, step S102 specifically includes: the billing terminal acquires a digital certificate and a trust chain stored in the hardware equipment through a hardware interface of the hardware equipment; and the billing terminal is bound with the digital certificate and the trust chain so as to be bound with the hardware equipment.
In an embodiment of the present invention, the digital certificate is a file digitally signed by a Certificate Authority (CA) that contains the public key and information about the public key's owner; the trust chain records the relationships between trusted digital certificates. The digital certificate and the trust chain are acquired directly through the hardware interface between the billing terminal and the hardware equipment, so that the problem of the digital certificate and the trust chain being maliciously tampered with can be effectively solved.
Step S104, sending the billing information of the electronic invoice to the hardware equipment so that the hardware equipment encrypts the billing information to obtain a ciphertext.
In an embodiment of the present invention, the invoicing information of the electronic invoice includes the information needed when invoicing, such as the purchaser name, the seller's taxpayer identification number, the commodity name, quantity, unit price, amount, tax rate, tax amount, and the like. When the hardware device and the invoicing terminal are connected through a hardware interface (e.g., a USB interface), the invoicing terminal can send the invoicing information to the hardware device through that interface.
Step S106, receiving the ciphertext sent by the hardware equipment.
Step S108, generating a network link based on the ciphertext, wherein the network link is used for sending a billing request containing the ciphertext to a server so that the server decrypts the ciphertext to obtain billing information, and generating an electronic invoice based on the billing information.
In an embodiment of the present invention, the network link may preferably be a two-dimensional code link, so that when a user scans a corresponding two-dimensional code through a mobile device (e.g., a smart phone), the user can link to the server to obtain an electronic invoice generated by the server. Of course, the network link may also be an http address, and the user links to the server by clicking the http address to obtain the corresponding electronic invoice. In addition, network links may be implemented in other forms.
Based on the scheme shown in fig. 1, in some embodiments of the present invention, the method for generating an electronic invoice further includes:
generating a first random number when starting the billing service;
sending the first random number to the hardware equipment so that the hardware equipment signs the first random number based on a digital certificate in the hardware equipment to obtain a signature result;
verifying the signature result according to the digital certificate bound with the billing terminal;
and after the signature result is verified, sending the billing information to the hardware equipment.
According to the technical scheme of this embodiment, the billing terminal can verify the hardware equipment before sending the billing information to it, which avoids the problem of the billing information being maliciously tampered with because the hardware equipment is illegitimate.
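The binding step (S102) and the first-random-number check described above, as an added Go example that is not code from the patent: the terminal validates the device certificate against its trust chain, pins it, and then accepts only a signature over the current session's first random number. Ed25519, the constructed certificates and every type and function name here are assumptions; the page names no algorithms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Device stands in for the UKEY; the private key stays inside it.
type Device struct {
	key        ed25519.PrivateKey
	Cert, Root *x509.Certificate // device certificate and its one-element trust chain
}

// Terminal keeps the certificate it bound to in step S102.
type Terminal struct{ bound *x509.Certificate }

// must is used for the constructed fixtures only (sample keys and certificates).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// issue creates a certificate for key; a nil parent yields a self-signed root.
func issue(cn string, serial int64, key, signer ed25519.PrivateKey, parent *x509.Certificate) *x509.Certificate {
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tpl, parent, key.Public(), signer))
	return must(x509.ParseCertificate(der))
}

// NewDevice builds a constructed root and a device certificate issued under it.
func NewDevice(cn string) *Device {
	caKey := ed25519.NewKeyFromSeed(must(randomBytes(ed25519.SeedSize)))
	devKey := ed25519.NewKeyFromSeed(must(randomBytes(ed25519.SeedSize)))
	root := issue(cn+" root", 1, caKey, caKey, nil)
	return &Device{key: devKey, Cert: issue(cn, 2, devKey, caKey, root), Root: root}
}

// Sign is the device's answer: a signature over the first random number.
func (d *Device) Sign(nonce []byte) []byte { return ed25519.Sign(d.key, nonce) }

// Bind checks that the certificate chains to the supplied root, then pins it.
func Bind(cert, root *x509.Certificate) (*Terminal, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("bind: %w", err)
	}
	return &Terminal{bound: cert}, nil
}

// Challenge returns a fresh first random number for this billing session.
func (t *Terminal) Challenge() ([]byte, error) { return randomBytes(32) }

// Verify accepts only a signature over this session's nonce made with the bound key.
func (t *Terminal) Verify(nonce, sig []byte) error {
	pub, ok := t.bound.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("device authentication failed")
	}
	return nil
}

func main() {
	dev, rogue := NewDevice("constructed-ukey"), NewDevice("rogue-ukey")
	term, err := Bind(dev.Cert, dev.Root)
	if err != nil {
		panic(err)
	}
	n1, n2 := must(term.Challenge()), must(term.Challenge())
	fmt.Println("bound device:", term.Verify(n1, dev.Sign(n1)))
	fmt.Println("rogue device:", term.Verify(n1, rogue.Sign(n1)))
	fmt.Println("replayed sig:", term.Verify(n2, dev.Sign(n1)))
}
```

Only the first line reports success; a signature from another device, or one captured for an earlier first random number, is rejected.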
In some embodiments of the present invention, based on the foregoing scheme, in a case that the hardware device encrypts the billing information according to a randomly generated second random number, the method further includes: receiving the second random number sent by the hardware equipment, wherein the billing request also comprises the second random number.
In this embodiment, if the hardware device encrypts the billing information according to a randomly generated second random number, the hardware device needs to send the second random number to the billing terminal so that the server can decrypt the ciphertext, and the billing terminal needs to take the second random number into account when generating the network link; that is, it must be ensured that, when the network link is triggered, the second random number can be sent to the server through the billing request.
Fig. 2 schematically shows a block diagram of an electronic invoice generation apparatus according to a first embodiment of the present invention.
As shown in fig. 2, an electronic invoice generation apparatus 200 according to a first embodiment of the present invention includes: a binding unit 202, a sending unit 204, a receiving unit 206 and a processing unit 208.
Specifically, the binding unit 202 binds an invoicing terminal of the electronic invoice with hardware equipment for security authentication; the sending unit 204 is configured to send invoicing information of an electronic invoice to the hardware device, so that the hardware device encrypts the invoicing information to obtain a ciphertext; the receiving unit 206 is configured to receive the ciphertext sent by the hardware device; the processing unit 208 is configured to generate a network link based on the ciphertext, where the network link is configured to send an invoicing request including the ciphertext to a server, so that the server decrypts the ciphertext to obtain the invoicing information, and generate an electronic invoice based on the invoicing information.
According to an exemplary embodiment of the invention, the network link comprises a two-dimensional code link.
In some embodiments of the present invention, based on the foregoing scheme, the binding unit 202 is configured to: acquire a digital certificate and a trust chain stored in the hardware equipment through a hardware interface of the hardware equipment, and bind the billing terminal with the digital certificate and the trust chain so as to bind the billing terminal with the hardware equipment.
In some embodiments of the present invention, based on the foregoing solution, the electronic invoice generating apparatus further includes: a generating unit (not shown in fig. 2) and a verifying unit (not shown in fig. 2);
the generation unit is used for generating a first random number when the billing service is started; the sending unit 204 is further configured to: sending the first random number to the hardware equipment so that the hardware equipment signs the first random number based on a digital certificate in the hardware equipment to obtain a signature result; the verification unit is used for verifying the signature result according to the digital certificate bound with the invoicing terminal; the sending unit 204 is configured to: and after the signature result is verified, sending the billing information to the hardware equipment.
In some embodiments of the present invention, based on the foregoing scheme, in a case where the hardware device encrypts the billing information according to a randomly generated second random number, the receiving unit 206 is further configured to: receive the second random number sent by the hardware equipment, wherein the billing request also comprises the second random number.
It should be noted that the electronic invoice generation apparatus 200 shown in fig. 2 can be applied to an electronic invoice terminal, that is, the electronic invoice terminal according to the embodiment of the present invention includes the electronic invoice generation apparatus 200.
Hardware device for secure authentication
Fig. 3 schematically shows a flowchart of a method for generating an electronic invoice, an execution subject of which is a hardware device for security authentication, according to a second embodiment of the present invention.
As shown in fig. 3, a method for generating an electronic invoice according to a second embodiment of the present invention includes:
Step S302, binding hardware equipment for security authentication with an electronic invoice terminal.
In the embodiment of the invention, the invoicing terminal of the electronic invoice can be a computer, a smart phone, a tablet computer or another device, and can communicate with the server and with the hardware device for security authentication. The hardware device used for security authentication is a device based on hardware encryption, for example a UKEY.
According to an exemplary embodiment of the present invention, if the hardware device stores a digital certificate and a trust chain for performing invoicing authentication, step S302 specifically includes: sending the digital certificate and the trust chain to the billing terminal so as to bind the billing terminal with the digital certificate and the trust chain.
Step S304, receiving the invoicing information of the electronic invoice sent by the invoicing terminal.
In the embodiment of the invention, the hardware device for security authentication can receive the invoicing information through a hardware interface with the invoicing terminal so as to prevent the invoicing information from being tampered.
Step S306, encrypting the billing information to obtain a ciphertext.
In the embodiment of the invention, the hardware device for security authentication encrypts the billing information in the hardware device, namely, the hardware device encrypts the billing information in a hardware encryption mode, so as to ensure the data security of the billing information.
Step S308, sending the ciphertext to the billing terminal so that the billing terminal can generate a network link for sending a billing request to a server based on the ciphertext.
Based on the method for generating the electronic invoice illustrated in fig. 3, in some embodiments of the present invention, the method for generating the electronic invoice further includes:
receiving a first random number sent by the billing terminal;
signing the first random number based on a digital certificate stored in the hardware equipment to obtain a signature result;
and sending the signature result to the billing terminal so that the billing terminal authenticates the identity of the hardware equipment.
The technical scheme of this embodiment ensures that the billing terminal verifies the identity of the hardware equipment, so as to avoid the problem of the billing information being maliciously tampered with because of illegitimate hardware equipment.
According to an exemplary embodiment of the present invention, if the hardware device for security authentication stores a shared key from the server, step S306 specifically includes:
signing the invoicing information based on the digital certificate to obtain a signature value;
generating a second random number, and generating a temporary session key according to the second random number and the shared key;
and encrypting the billing information and the signature value through the temporary session key to obtain the ciphertext.
The server may import the shared key into the hardware device for security authentication through a hardware interface, and the shared key is stored in the hardware device. Because a second random number is generated and a temporary session key is generated from the second random number and the shared key, the billing information and the signature value are encrypted with the temporary session key, which avoids the problem of the billing information and the signature value being maliciously stolen and tampered with when a fixed key is used to encrypt them.
In some embodiments of the present invention, based on the foregoing solution, the method for generating an electronic invoice further includes: sending the second random number to the billing terminal.
In this embodiment, the second random number is sent to the billing terminal so that the billing terminal can take it into account when generating the network link; that is, it is ensured that, when the network link is triggered, the second random number can be sent to the server through the billing request, and the server computes the temporary session key from the second random number in order to decrypt.
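The device-side encryption above, together with the link step (S108) and the server-side decryption set out in the disclosure, as an added Go example that is not code from the patent. HMAC-SHA256 as the key derivation, AES-256-GCM, Ed25519, the plaintext layout, the link format `https://invoice.example/issue?c=<ciphertext>&r=<second random number>` and all names are assumptions; the page specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

const r2Len, nonceLen, sigLen = 16, 12, ed25519.SignatureSize
var b64 = base64.RawURLEncoding

// sessionAEAD derives the temporary session key from the shared key and the second
// random number r2 (HMAC-SHA256 as the KDF is an assumption) and returns AES-256-GCM.
func sessionAEAD(shared, r2 []byte) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, shared)
	mac.Write(r2)
	blk, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// NewDeviceKey makes a constructed key pair standing in for the certificate key.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// DeviceSeal is the hardware side: draw r2, then encrypt the 64-byte signature
// value followed by the billing information (a constructed plaintext layout).
func DeviceSeal(priv ed25519.PrivateKey, shared, info []byte) (ct, r2 []byte, err error) {
	buf := make([]byte, r2Len+nonceLen)
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	r2, nonce := buf[:r2Len:r2Len], buf[r2Len:]
	gcm, err := sessionAEAD(shared, r2)
	if err != nil {
		return nil, nil, err
	}
	pt := append(ed25519.Sign(priv, info), info...)
	return gcm.Seal(nonce, nonce, pt, nil), r2, nil
}

// BuildLink is the terminal side: ciphertext and r2 both travel in the link.
func BuildLink(base string, ct, r2 []byte) string {
	q := url.Values{"c": {b64.EncodeToString(ct)}, "r": {b64.EncodeToString(r2)}}
	return base + "?" + q.Encode()
}

// ServerOpen is the server side: re-derive the key from r2, decrypt, verify the signature.
func ServerOpen(pub ed25519.PublicKey, shared []byte, link string) ([]byte, error) {
	u, err := url.Parse(link)
	if err != nil {
		return nil, err
	}
	ct, errC := b64.DecodeString(u.Query().Get("c"))
	r2, errR := b64.DecodeString(u.Query().Get("r"))
	if errC != nil || errR != nil || len(ct) < nonceLen {
		return nil, errors.New("malformed billing request")
	}
	gcm, err := sessionAEAD(shared, r2)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, ct[:nonceLen], ct[nonceLen:], nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	if len(pt) < sigLen || !ed25519.Verify(pub, pt[sigLen:], pt[:sigLen]) {
		return nil, errors.New("signature value rejected")
	}
	return pt[sigLen:], nil
}

func main() {
	pub, priv, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	shared := []byte("constructed shared key from the server")
	ct, r2, err := DeviceSeal(priv, shared, []byte("buyer=Constructed Ltd;amount=100.00;tax=13.00"))
	if err != nil {
		panic(err)
	}
	got, err := ServerOpen(pub, shared, BuildLink("https://invoice.example/issue", ct, r2))
	fmt.Printf("%s %v\n", got, err)
}
```

Because r2 is drawn fresh for every invoice, sealing the same billing information twice yields different ciphertexts, and a link carrying the wrong r2 fails at decryption before the signature is even checked.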
In some embodiments of the present invention, based on the foregoing scheme, in the case that the server encrypts the shared key through the digital certificate, the method further includes: decrypting based on the digital certificate to obtain the shared secret key.
Fig. 4 schematically shows a block diagram of an electronic invoice generation apparatus according to a second embodiment of the present invention.
As shown in fig. 4, an electronic invoice generation apparatus 400 according to a second embodiment of the present invention includes: a binding unit 402, a receiving unit 404, a processing unit 406 and a sending unit 408.
Specifically, the binding unit 402 binds the hardware device for security authentication with the invoicing terminal of the electronic invoice; the receiving unit 404 is configured to receive invoicing information of an electronic invoice sent by the invoicing terminal; the processing unit 406 is configured to encrypt the billing information to obtain a ciphertext; the sending unit 408 is configured to send the ciphertext to the billing terminal, so that the billing terminal generates a network link for sending a billing request to a server based on the ciphertext.
In some embodiments of the present invention, based on the foregoing solution, the hardware device stores therein a digital certificate and a trust chain for performing invoicing authentication, and the binding unit 402 is configured to send the digital certificate and the trust chain to the billing terminal so as to bind the billing terminal with the digital certificate and the trust chain.
In some embodiments of the present invention, based on the foregoing solution, the receiving unit 404 is further configured to receive a first random number sent by the invoicing terminal; the processing unit 406 is further configured to sign the first random number based on a digital certificate stored in the hardware device, so as to obtain a signature result; the sending unit 408 is further configured to send the signature result to the billing terminal, so that the billing terminal authenticates the identity of the hardware device.
In some embodiments of the present invention, based on the foregoing solution, the electronic invoice generation apparatus further includes: a storage unit (not shown in fig. 4) for storing the shared key from the server;
the processing unit 406 is configured to:
signing the invoicing information based on the digital certificate to obtain a signature value;
generating a second random number, and generating a temporary session key according to the second random number and the shared key;
and encrypting the billing information and the signature value through the temporary session key to obtain the ciphertext.
In some embodiments of the present invention, based on the foregoing scheme, the sending unit 408 is further configured to send the second random number to the billing terminal.
In some embodiments of the present invention, based on the foregoing solution, the storage unit is configured to, in the case that the server encrypts the shared key through the digital certificate, decrypt based on the digital certificate to obtain the shared key.
It should be noted that the electronic invoice generation apparatus 400 shown in fig. 4 can be applied to a hardware device for security authentication, that is, a hardware device for security authentication according to an embodiment of the present invention includes the electronic invoice generation apparatus 400.
Server
Fig. 5 schematically shows a flowchart of a method for generating an electronic invoice, an execution subject of which is a server, according to a third embodiment of the present invention.
Referring to fig. 5, a method for generating an electronic invoice according to a third embodiment of the present invention includes:
Step S502, the server receives an invoicing request of the electronic invoice, wherein the invoicing request comprises a ciphertext obtained by encrypting the invoicing information of the electronic invoice by the hardware equipment used for security authentication.
According to the embodiment of the present invention, the billing request is transmitted after the network link in the above-described embodiments (the embodiment of the billing terminal and the embodiment of the hardware device for security authentication) is triggered by the user. For example, the network link is represented by a two-dimensional code, and the user scans the two-dimensional code through a mobile phone and then sends an invoicing request to the server.
Step S504, decrypting the ciphertext to obtain the billing information.
Step S506, generating an electronic invoice based on the invoicing information.
In some embodiments of the present invention, based on the foregoing solution, the method for generating an electronic invoice further includes: generating a shared key; storing the shared key to the hardware device so that the hardware device encrypts the billing information based on the shared key.
In the embodiment of the invention, the server can store the shared key into the hardware equipment through a hardware interface between the server and the hardware equipment, so that the shared key is prevented from being stolen.
In some embodiments of the present invention, based on the foregoing solution, the server stores therein a digital certificate for performing invoice certification, and the method for generating an electronic invoice further includes: encrypting the shared key based on the digital certificate and then importing the encrypted shared key into the hardware equipment.
In this embodiment, since the hardware device stores a digital certificate (the digital certificate is from the server), after the shared key is encrypted by the digital certificate and imported into the hardware device, the hardware device can recover the shared key by using the stored digital certificate.
In some embodiments of the present invention, based on the foregoing solution, the server stores therein a digital certificate for performing invoicing authentication, the invoicing request further includes a second random number generated by the hardware device, and decrypting the ciphertext includes:
generating a temporary session key according to the second random number and the shared key;
decrypting the ciphertext based on the temporary session key to obtain the billing information and a signature value of the billing information;
verifying the signature value according to the digital certificate;
and after the signature value passes verification, determining that the invoicing information has been obtained.
Fig. 6 schematically shows a block diagram of an electronic invoice generation apparatus according to a third embodiment of the present invention.
As shown in fig. 6, an electronic invoice generation apparatus 600 according to a third embodiment of the present invention includes: a receiving unit 602, a decryption unit 604 and a processing unit 606.
Specifically, the receiving unit 602 is configured to receive an invoicing request of an electronic invoice, where the invoicing request includes a ciphertext obtained by encrypting invoicing information of the electronic invoice by using a hardware device for security authentication; the decryption unit 604 is configured to decrypt the ciphertext to obtain the billing information; the processing unit 606 is configured to generate an electronic invoice based on the billing information.
In some embodiments of the present invention, based on the foregoing solution, the electronic invoice generating apparatus 600 further includes: a generating unit (not shown in fig. 6) configured to generate a shared key and store the shared key to the hardware device, so that the hardware device encrypts the billing information based on the shared key.
In some embodiments of the present invention, based on the foregoing solution, the server stores therein a digital certificate for performing invoicing authentication, and the generating unit is configured to encrypt the shared key based on the digital certificate and then import the encrypted shared key into the hardware equipment.
In some embodiments of the present invention, based on the foregoing solution, the server stores therein a digital certificate for performing invoicing authentication, and the invoicing request further includes a second random number generated by the hardware device, and the decryption unit 604 is configured to:
generating a temporary session key according to the second random number and the shared key;
decrypting the ciphertext based on the temporary session key to obtain the billing information and a signature value of the billing information;
verifying the signature value according to the digital certificate;
and after the signature value passes verification, determining that the invoicing information has been obtained.
It should be noted that the electronic invoice generation apparatus 600 shown in fig. 6 may be applied to a server, that is, the server according to the embodiment of the present invention includes the electronic invoice generation apparatus 600.
The following describes the technical solution of the embodiment of the present invention with reference to fig. 7 to 9 by taking the hardware device for security authentication as UKEY, the representation form of the network link as two-dimensional code, the billing terminal as billing client, and the server as signature verification server.
In this embodiment, a UKEY is used as the hardware carrier for security authentication. The internal composition of the UKEY is shown in fig. 7; it securely stores a digital certificate and a shared key. The digital certificate is used for identity authentication and digital signature, and the shared key is used for protecting transmitted data and identifying the identity of a user. All key and cryptographic operations are performed in hardware, and the user key may be set to be non-exportable.
The invoice backend adopts a signature verification server as its hardware carrier, which securely stores the shared key and performs cryptographic operations, likewise ensuring that the key and the cryptographic operations stay in hardware.
When the UKEY is used, the identity of the UKEY is first verified by using the digital certificate, and the UKEY can be used after the verification is passed. Before the two-dimensional code is generated, the billing information is encrypted by using the shared key and signed by using the digital certificate. After receiving the invoicing request, the invoice backend uses the signature verification server to decrypt the ciphertext back to the original text and to verify the signature.
Fig. 8 is a basic flowchart of a method for generating an electronic invoice according to an embodiment of the present invention, which specifically includes: generating and issuing a digital certificate according to store information, and safely storing the digital certificate in a UKEY; issuing a shared key; binding UKEY by the billing terminal; the invoicing terminal authenticates UKEY; encrypting billing information to generate a two-dimensional code; sending an invoicing request; decrypting the two-dimensional code; and generating and issuing an electronic invoice to the user. This flow is described in detail below with reference to fig. 9:
As shown in fig. 9, a specific process of the method for generating an electronic invoice according to the embodiment of the present invention includes the following steps:
1. Initial issuance
(1) Digital certificate issuing
The issuing platform submits specific information (including shop information of selling stores and the like) to a CA company. The CA company issues a digital certificate and a trust chain, and the digital certificate is stored both in a UKEY and in a signature verification server in the issuing platform.
The hardware UKEY has the characteristics of uniqueness, read-only property, encryption, tamper resistance and copy resistance. The digital certificate stored in the UKEY is unique, is stored encrypted inside the device, and cannot be exported or modified.
(2) Shared key distribution
The signature verification server randomly generates an AES-256 symmetric key (i.e., a shared key) and stores it securely. The key is also encrypted with the digital certificate and imported into the UKEY. The whole process is carried out in hardware, ensuring that the key never leaves the hardware.
(3) Billing client issuance
When a two-dimensional code billing client (a two-dimensional code component of the billing client is shown in fig. 9, and the billing client is not shown) initiates issuance, a UKEY interface is called to acquire digital certificate information and a trust chain in the UKEY, and the acquired data is bound with the billing client, so that the billing client is bound with the UKEY.
2. Terminal authentication
When the two-dimensional code billing service is started, the two-dimensional code component first generates a random number, and the UKEY signs the random number and other authentication information. The two-dimensional code component then verifies, according to the user information bound during issuance, the validity of the digital certificate in the user's UKEY and the UKEY's signature on the random number. After the verification is passed, the two-dimensional code billing service can be started.
3. Two-dimensional code generation and billing request
After the service is started, the two-dimensional code billing service transmits billing information to the UKEY, and the UKEY firstly generates a signature value for the billing information by using a digital certificate; and then generating a random number in the UKEY, carrying out MAC operation on the random number and the shared key, calculating a temporary session key, encrypting the invoicing information and the signature value by using the temporary session key, and returning the ciphertext and the random number to the two-dimensional code invoicing service.
The two-dimensional code billing service packages information such as the ciphertext, the random number, entity information (such as billing client information and the like) and service addresses (such as sales store information and the like) to generate the two-dimensional code. Preferably, the two-dimensional code may be printed directly on the consumption slip.
4. Two-dimensional code decryption and invoice generation
After scanning the two-dimensional code through the user terminal, the user can initiate an invoicing request. After receiving the invoicing request, the issuing platform calls the signature verification server. The signature verification server finds the corresponding shared key and performs a MAC operation on the shared key and the random number to obtain the temporary session key. It then decrypts the ciphertext by using the temporary session key to obtain the billing information and the signature, and verifies the authenticity and the integrity of the billing information by using the entity certificate and the signature value. After the verification is passed, the platform stores the invoicing information and the signature value and generates an electronic invoice. The electronic invoice can be in PDF format. After the electronic invoice is generated, it can be pushed to the user by means such as WeChat, multimedia message or mail.
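The exchange in steps 3 and 4, sketched in Python as an added example that is not part of the patent text: the UKEY derives a temporary session key from a fresh random number and the shared key, and the server re-derives the same key from the random number carried in the link. Assumptions: HMAC-SHA256 as the "MAC operation", an HMAC keystream standing in for the cipher (the standard library has no AES), the query parameter names `r` and `c`, the example URL, and a signature handled as opaque bytes because signing happens inside the UKEY.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import parse_qs, urlencode, urlsplit


def derive_session_key(shared_key: bytes, nonce: bytes) -> bytes:
    """Temporary session key = MAC(shared key, second random number)."""
    # Assumption: HMAC-SHA256; the text only says "MAC operation".
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


def _stream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher, NOT AES: XOR with an HMAC-SHA256 counter keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def ukey_encrypt(shared_key: bytes, billing_info: bytes, signature: bytes):
    """UKEY side: fresh random number, per-request key, encrypt info + signature."""
    nonce = secrets.token_bytes(16)
    plaintext = struct.pack(">H", len(billing_info)) + billing_info + signature
    return nonce, _stream_xor(derive_session_key(shared_key, nonce), plaintext)


def build_link(base_url: str, nonce: bytes, ciphertext: bytes) -> str:
    """Billing service side: pack random number and ciphertext into the link."""
    enc = lambda b: base64.urlsafe_b64encode(b).decode()
    return base_url + "?" + urlencode({"r": enc(nonce), "c": enc(ciphertext)})


def server_decrypt(shared_key: bytes, link: str):
    """Server side: re-derive the session key from the link's random number."""
    query = parse_qs(urlsplit(link).query)
    nonce = base64.urlsafe_b64decode(query["r"][0])
    ciphertext = base64.urlsafe_b64decode(query["c"][0])
    plaintext = _stream_xor(derive_session_key(shared_key, nonce), ciphertext)
    (info_len,) = struct.unpack(">H", plaintext[:2])
    # The caller must still verify the signature against the certificate.
    return plaintext[2:2 + info_len], plaintext[2 + info_len:]


if __name__ == "__main__":
    key = secrets.token_bytes(32)                      # constructed shared key
    info = b'{"store":"S-001","amount":"128.50"}'      # constructed billing info
    sig = b"\x5a" * 64                                 # placeholder signature bytes
    link = build_link("https://invoice.example/issue", *ukey_encrypt(key, info, sig))
    print(link)
    print(server_decrypt(key, link))
```

Two requests for the same billing information produce different random numbers, session keys and ciphertexts, which is the property the text contrasts with encrypting under a fixed key.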
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the invention. Conversely, the features and functions of one module or unit described above may be further divided and embodied by a plurality of modules or units.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiment of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which can be a personal computer, a server, a touch terminal, or a network device, etc.) to execute the method according to the embodiment of the present invention.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.