CN108632036A - A kind of authentication method of electronic media, apparatus and system - Google Patents
- Publication number: CN108632036A (application CN201710153745.5A)
- Authority: CN (China)
- Prior art keywords: key, electronic medium, authentication, read, tid
- Prior art date
- Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/71—the same, to assure secure computing or processing of information > G06F21/72—the same, in cryptographic circuits
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords > H04L9/0866—the same, involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
- H04L9/0861 > H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
- H04L9/00 > H04L9/32—Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials > H04L9/3234—the same, involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
Abstract
The embodiments of the present application provide an authentication method, apparatus and system for an electronic medium. The method is applied to a read-write device and specifically includes: obtaining the medium identification KID of the electronic medium to be authenticated; encrypting the key KU stored by the read-write device itself, using the KID as the key, to obtain an authentication key Ku1; sending the Ku1 to the electronic medium; and receiving a confirmation message sent by the electronic medium and thereby determining that the electronic medium has passed the authentication, wherein the confirmation message is the message generated by the electronic medium when the authentication key Ku2 that it stores is identical to the Ku1. With the scheme provided by the embodiments of the present application, the security of the authentication process can be improved.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, and a system for authenticating an electronic medium.
Background
An electronic medium may be understood as an electronic product capable of storing data. After obtaining an electronic medium, a user can obtain the corresponding service by performing read or write operations on a designated read-write device. In order to improve the security of the data inside these electronic media and to widen their range of applications, electronic media are put into use after being subjected to encryption processing. Such encrypted electronic media include products such as MF1 (Mifare One) cards, CPU cards and PSAM cards. In practice, an electronic medium may be an access-control card, a telephone charge card, a transport charge card, a daily charge card, a road toll card, a bank card or another electronic product; the range of applications is very wide and brings great convenience to people's lives.
In general, an electronic medium subjected to encryption processing has a key area, which stores an authentication key, and a data area, which stores user data. When a read-write device performs a read or write operation on the electronic medium, it must first authenticate the authentication key in the key area of the electronic medium; only after the authentication passes can the read-write device process the data area, so that the user of the electronic medium obtains the corresponding service. Specifically, to authenticate the electronic medium, the read-write device may send the authentication key of the electronic medium, which the read-write device stores, to the electronic medium; the electronic medium compares the authentication key stored in its key area with the received authentication key and, if the two are the same, may send a confirmation message to the read-write device, which determines that the electronic medium passes the authentication upon receiving the confirmation message.
However, because the read-write device stores the authentication key of the electronic medium, a cracker who obtains the read-write device can extract the authentication key of the electronic medium from it, copy the electronic medium, use the copied electronic medium to complete the authentication process on other read-write devices, and steal the corresponding services, which threatens the property security of users. The security of this authentication method is therefore not high enough.
Disclosure of Invention
The embodiment of the application aims to provide an authentication method, an authentication device and an authentication system for an electronic medium, so as to improve the security of an authentication process. The specific technical scheme is as follows.
In order to achieve the above object, an embodiment of the present application discloses an authentication method for an electronic medium, which is applied to a read-write device, and the method includes:
obtaining a medium identification KID of the electronic medium to be authenticated;
encrypting a key KU stored by the read-write device itself, using the KID as the key, to obtain an authentication key Ku1;
sending the Ku1 to the electronic medium;
receiving a confirmation message sent by the electronic medium, and determining that the electronic medium passes the authentication, wherein the confirmation message is: a message generated by the electronic medium when the authentication key Ku2 stored by the electronic medium itself is identical to the Ku1.
Optionally, after the electronic medium passes the authentication, the method further includes:
encrypting first data KD, stored by the read-write device itself and used for identity verification, using the KID as the key to obtain an encryption key Kd;
determining a target field, and encrypting the target field using the Kd as the key to obtain identity verification data Ke1;
reading identity verification data Ke2 from the electronic medium;
obtaining an identity verification result for the electronic medium according to the Ke1 and the Ke2.
Optionally, the step of determining the target field includes:
determining the KID as the target field; or
determining second data TID, stored by the read-write device itself and used for identity verification, as the target field.
Optionally, when the target field is the KID, the step of obtaining an identity verification result for the electronic medium according to the Ke1 and the Ke2 includes:
determining whether the Ke1 and the Ke2 are the same;
if so, encrypting the TID using the Kd as the key to obtain characteristic data Tid1;
reading characteristic data Tid2 from the electronic medium;
when the Tid1 is the same as the Tid2, determining that the electronic medium passes the identity verification.
Optionally, when the target field is the TID, the step of obtaining an identity verification result for the electronic medium according to the Ke1 and the Ke2 includes:
determining whether the Ke1 and the Ke2 are the same;
if so, encrypting the KID using the Kd as the key to obtain identification data Kid1;
reading identification data Kid2 from the electronic medium;
when the Kid1 is the same as the Kid2, determining that the electronic medium passes the identity verification.
Optionally, the KU is stored in the random access memory (RAM) of the read-write device itself; and/or
the KD is stored in the RAM of the read-write device itself; and/or
the TID is stored in the RAM of the read-write device itself.
Optionally, first target information is obtained and stored in the following manner, where the first target information includes at least one of the KU, the KD and the TID:
obtaining a first encrypted information group from a server, wherein the first encrypted information group is: an encrypted information group obtained by the server encrypting the first target information stored by the server, using the device identifier UID of the read-write device as the key;
decrypting the first encrypted information group using the UID as the key to obtain the first target information, and storing the first target information.
Optionally, the method further includes:
processing the data area of the electronic medium, using the Kd as the key, after the electronic medium passes the authentication.
In order to achieve the above object, an embodiment of the present application discloses an authentication apparatus for an electronic medium, which is applied to a read-write device, and the apparatus includes:
a first obtaining module, configured to obtain a medium identification KID of the electronic medium to be authenticated;
a first encryption module, configured to encrypt a key KU stored by the read-write device itself, using the KID as the key, to obtain an authentication key Ku1;
a sending module, configured to send the Ku1 to the electronic medium;
a receiving module, configured to receive a confirmation message sent by the electronic medium and determine that the electronic medium passes the authentication, where the confirmation message is: a message generated by the electronic medium when the authentication key Ku2 stored by the electronic medium itself is identical to the Ku1.
Optionally, the apparatus further comprises:
a second encryption module, configured to encrypt first data KD, stored by the read-write device itself and used for identity verification, using the KID as the key after the electronic medium passes the authentication, to obtain an encryption key Kd;
a determination module, configured to determine a target field;
a third encryption module, configured to encrypt the target field using the Kd as the key to obtain identity verification data Ke1;
a reading module, configured to read identity verification data Ke2 from the electronic medium;
a verification module, configured to obtain an identity verification result for the electronic medium according to the Ke1 and the Ke2.
Optionally, the determination module is specifically configured to determine the KID as the target field; or
to determine second data TID, stored by the read-write device itself and used for identity verification, as the target field.
Optionally, the verification module includes:
a first judging submodule, configured to judge whether the Ke1 is the same as the Ke2 when the target field is the KID;
a first encryption submodule, configured to encrypt the TID using the Kd as the key when the Ke1 is the same as the Ke2, to obtain characteristic data Tid1;
a first reading submodule, configured to read characteristic data Tid2 from the electronic medium;
a first verification submodule, configured to determine that the electronic medium passes the identity verification when the Tid1 is the same as the Tid2.
Optionally, the verification module includes:
a second judging submodule, configured to judge whether the Ke1 is the same as the Ke2 when the target field is the TID;
a second encryption submodule, configured to encrypt the KID using the Kd as the key when the Ke1 is the same as the Ke2, to obtain identification data Kid1;
a second reading submodule, configured to read identification data Kid2 from the electronic medium;
a second verification submodule, configured to determine that the electronic medium passes the identity verification when the Kid1 is the same as the Kid2.
Optionally, the KU is stored in the random access memory (RAM) of the read-write device itself; and/or
the KD is stored in the RAM of the read-write device itself; and/or
the TID is stored in the RAM of the read-write device itself.
Optionally, the apparatus further comprises: a second obtaining module and a decryption module;
the second obtaining module, configured to obtain a first encrypted information group from a server, where the first encrypted information group is: an encrypted information group obtained by the server encrypting the first target information stored by the server, using the device identifier UID of the read-write device as the key;
the decryption module, configured to decrypt the first encrypted information group using the UID as the key to obtain the first target information, and to store the first target information, wherein the first target information comprises at least one of the KU, the KD and the TID.
Optionally, the apparatus further comprises: a processing module, configured to process the data area of the electronic medium using the Kd as the key after the electronic medium passes the authentication.
In order to achieve the above object, an embodiment of the present application further discloses an authentication system for an electronic medium, the system including: a read-write device and an electronic medium;
the read-write device is configured to obtain a medium identification KID of the electronic medium to be authenticated; encrypt a key KU stored by the read-write device itself, using the KID as the key, to obtain an authentication key Ku1; send the Ku1 to the electronic medium; and receive a confirmation message sent by the electronic medium and determine that the electronic medium passes the authentication;
the electronic medium is configured to receive the Ku1 sent by the read-write device, generate a confirmation message when the authentication key Ku2 stored by the electronic medium itself is the same as the Ku1, and send the confirmation message to the read-write device.
Optionally, the read-write device is further configured to: after the electronic medium passes the authentication, encrypt first data KD, stored by the read-write device itself and used for identity verification, using the KID as the key to obtain an encryption key Kd; determine a target field, and encrypt the target field using the Kd as the key to obtain identity verification data Ke1; read identity verification data Ke2 from the electronic medium; and obtain an identity verification result for the electronic medium according to the Ke1 and the Ke2.
Optionally, the read-write device is specifically configured to determine the KID as the target field; or to determine second data TID, stored by the read-write device itself and used for identity verification, as the target field.
Optionally, the read-write device is specifically configured to: when the target field is the KID and the Ke1 is the same as the Ke2, encrypt the TID using the Kd as the key to obtain characteristic data Tid1; read characteristic data Tid2 from the electronic medium; and when the Tid1 is the same as the Tid2, determine that the electronic medium passes the identity verification.
Optionally, the read-write device is specifically configured to: when the target field is the TID and the Ke1 is the same as the Ke2, encrypt the KID using the Kd as the key to obtain identification data Kid1; read identification data Kid2 from the electronic medium; and when the Kid1 is the same as the Kid2, determine that the electronic medium passes the identity verification.
Optionally, the KU is stored in the random access memory (RAM) of the read-write device itself; and/or
the KD is stored in the RAM of the read-write device itself; and/or
the TID is stored in the RAM of the read-write device itself.
Optionally, the system further includes: a server; the server is configured to encrypt the first target information stored by the server, using the device identifier UID of the read-write device as the key, to obtain a first encrypted information group, wherein the first target information comprises at least one of the KU, the KD and the TID;
the read-write device is further configured to obtain the first encrypted information group from the server, decrypt the first encrypted information group using the UID as the key to obtain the first target information, and store the first target information.
Optionally, the server is further configured to obtain a second encrypted information group from a key issuing system, decrypt the second encrypted information group using a device identifier YID of the server as the key to obtain the first target information, and store the first target information; wherein the second encrypted information group is: an encrypted information group obtained by the key issuing system encrypting the first target information using the YID as the key.
Optionally, the second encrypted information group includes:
when the first target information comprises the TID, information D1 obtained by encrypting the TID using the YID as the key;
when the first target information comprises the KU, information D2 obtained by encrypting a first information string C1 using the YID as the key, wherein the C1 is an information string obtained by encrypting the KU using the TID as the key;
when the first target information comprises the KD, information D3 obtained by encrypting a second information string C2 using the YID as the key, wherein the C2 is an information string obtained by encrypting the KD using the TID as the key;
the server is specifically configured to:
when the first target information comprises the TID, decrypt the D1 using the YID as the key to obtain and store the TID;
when the first target information comprises the KU, decrypt the D2 using the YID as the key to obtain the C1, and decrypt the C1 using the TID as the key to obtain and store the KU;
when the first target information comprises the KD, decrypt the D3 using the YID as the key to obtain the C2, and decrypt the C2 using the TID as the key to obtain and store the KD.
Optionally, the system further includes: an issuing device;
the issuing device is configured to encrypt second target information stored by the issuing device itself, using the KID as the key, to obtain a third encrypted information group, and to send the third encrypted information group to the electronic medium; wherein the second target information includes at least one of the KU, the KD and the TID, and the third encrypted information group includes at least one of the Ku2, the Kid2 and the Tid2; the Ku2 is: the authentication key obtained by encrypting the KU using the KID as the key; the Kid2 is: the identification key obtained by encrypting the KID using the Kd as the key; the Kd is: the encryption key obtained by encrypting the KD using the KID as the key; and the Tid2 is: the characteristic key obtained by encrypting the TID using the Kd as the key;
the electronic medium is configured to receive the third encrypted information group sent by the issuing device and to store the third encrypted information group.
Optionally, the issuing device is further configured to obtain a fourth encrypted information group from the key issuing system, decrypt the fourth encrypted information group using a device identifier FID of the issuing device as the key to obtain the second target information, and store the second target information; wherein the fourth encrypted information group is: an encrypted information group obtained by the key issuing system encrypting the second target information using the FID as the key.
According to the authentication method, apparatus and system for an electronic medium provided by the embodiments of the present application, the medium identification KID of the electronic medium to be authenticated is obtained; the key KU stored by the read-write device itself is encrypted using the KID as the key to obtain an authentication key Ku1; the Ku1 is sent to the electronic medium; and the electronic medium is determined to pass the authentication upon receipt of a confirmation message from it, where the confirmation message is generated when the authentication key Ku2 stored by the electronic medium is the same as the Ku1. The authentication key used for the authentication is therefore not stored in the read-write device: after the medium identification of the electronic medium is obtained, the key stored by the read-write device is encrypted using that medium identification as the key, which yields the authentication key, so the authentication keys obtained for different electronic media are different. Hence, with the electronic medium authentication method provided by the embodiments of the present application, the authentication key need not be stored in the read-write device, and the authentication key obtained for each electronic medium is different, so the security of the authentication process can be improved.
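The following Python is an added worked model, not code from the patent: it runs the whole key flow the claims above describe (key issuing system to server via D1/D2/D3 under YID and C1/C2 under TID, server to read-write device under UID and key issuing system to issuing device under FID, issuing device writing Ku2, Kid2 and Tid2 to a card under its KID, and finally the read-write device deriving Ku1 and Kd per card and checking Kid2 and Tid2). All secrets, device identifiers and card contents are constructed assumptions; an HMAC-SHA256 keystream stands in for the DES/3DES/AES the description names, and the per-field labels it uses are an addition the patent does not have.

```python
"""Key flow of CN108632036A, modelled end to end (standard library only)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample secrets and device identifiers (not values from the patent).
KU, KD, TID = b"master-KU-0001!!", b"master-KD-0002!!", b"TID-operator-07"
YID, UID, FID = b"server-YID-1", b"reader-UID-9", b"issuer-FID-3"

def _keystream(key: bytes, label: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; the label domain-separates the uses of one key.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def enc(key: bytes, data: bytes, label: bytes) -> bytes:
    """Stand-in for the DES/3DES/AES the description names: XOR with a key-derived
    keystream, deterministic on purpose because the protocol compares ciphertexts.
    The label is our addition (a bare key reused for KU and KD would leak KU xor KD)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, label, len(data))))

dec = enc  # XOR stream: decryption is the same operation

def key_issuing_system_to_server(yid: bytes) -> dict:
    """Second encrypted information group: D1 = E_YID(TID), D2 = E_YID(C1), D3 = E_YID(C2)."""
    c1 = enc(TID, KU, b"c1")                     # C1 = E_TID(KU)
    c2 = enc(TID, KD, b"c2")                     # C2 = E_TID(KD)
    return {"D1": enc(yid, TID, b"d1"), "D2": enc(yid, c1, b"d2"), "D3": enc(yid, c2, b"d3")}

def server_unpack(group: dict, yid: bytes) -> tuple:
    """The server recovers TID first, then needs it to unwrap KU and KD."""
    tid = dec(yid, group["D1"], b"d1")
    ku = dec(tid, dec(yid, group["D2"], b"d2"), b"c1")
    kd = dec(tid, dec(yid, group["D3"], b"d3"), b"c2")
    return ku, kd, tid

def pack_for_device(ku: bytes, kd: bytes, tid: bytes, dev_id: bytes) -> dict:
    """First (UID, for the reader) or fourth (FID, for the issuing device) group."""
    return {n: enc(dev_id, v, n.encode()) for n, v in (("KU", ku), ("KD", kd), ("TID", tid))}

def unpack_for_device(group: dict, dev_id: bytes) -> tuple:
    return tuple(dec(dev_id, group[n], n.encode()) for n in ("KU", "KD", "TID"))

@dataclass
class Card:
    kid: bytes                                    # medium identification, readable before auth
    key_area: dict = field(default_factory=dict)  # Ku2, Kid2, Tid2
    data_area: bytes = b""

    def confirm(self, ku1: bytes) -> bool:
        # Card side of S103/S104: a confirmation only when the stored Ku2 equals Ku1.
        return hmac.compare_digest(self.key_area["Ku2"], ku1)

def issue_card(kid: bytes, ku: bytes, kd: bytes, tid: bytes, data: bytes = b"") -> Card:
    """Issuing device writes the third encrypted information group under the card's KID."""
    kd_ = enc(kid, kd, b"kd")                     # Kd = E_KID(KD); not itself stored on the card
    key_area = {"Ku2": enc(kid, ku, b"ku"),       # Ku2 = E_KID(KU)
                "Kid2": enc(kd_, kid, b"kid"),    # Kid2 = E_Kd(KID)
                "Tid2": enc(kd_, tid, b"tid")}    # Tid2 = E_Kd(TID)
    return Card(kid, key_area, enc(kd_, data, b"data"))

class Reader:
    def __init__(self, uid: bytes):
        self.uid, self.ram = uid, None            # KU/KD/TID live only in RAM (the page's design)

    def power_on(self, server_group: dict):
        self.ram = unpack_for_device(server_group, self.uid)

    def power_off(self):
        self.ram = None                           # nothing for a stolen reader to give up

    def authenticate(self, card: Card):
        """Returns Kd on success (the key for processing the data area), None on failure."""
        if self.ram is None:
            return None
        ku, kd, tid = self.ram
        ku1 = enc(card.kid, ku, b"ku")            # S101/S102: read KID, Ku1 = E_KID(KU)
        if not card.confirm(ku1):                 # S103/S104: send Ku1, await confirmation
            return None
        kd_ = enc(card.kid, kd, b"kd")            # Kd = E_KID(KD)
        # Identity verification: the page's target-field choice only decides which of
        # these two comparisons is made first; both must hold.
        ok = (hmac.compare_digest(enc(kd_, card.kid, b"kid"), card.key_area["Kid2"])
              and hmac.compare_digest(enc(kd_, tid, b"tid"), card.key_area["Tid2"]))
        return kd_ if ok else None

    def read_data(self, card: Card):
        kd_ = self.authenticate(card)
        return None if kd_ is None else dec(kd_, card.data_area, b"data")

def build_system(kid: bytes = b"KID-00000042", data: bytes = b"balance=1500"):
    """Wire up every party with the constructed secrets; returns (reader, card)."""
    ku, kd, tid = server_unpack(key_issuing_system_to_server(YID), YID)
    reader = Reader(UID)
    reader.power_on(pack_for_device(ku, kd, tid, UID))
    iku, ikd, itid = unpack_for_device(pack_for_device(KU, KD, TID, FID), FID)
    return reader, issue_card(kid, iku, ikd, itid, data)
```

A card whose key area is copied onto a medium with a different KID fails at the Ku1/Ku2 comparison, and a powered-off reader holds no KU at all, which is the property the summary above claims; a copy that also carries the genuine KID is not caught by this scheme alone.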
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 is a schematic flowchart of an authentication method for an electronic medium according to an embodiment of the present application;
Fig. 2 is another schematic flowchart of an authentication method for an electronic medium according to an embodiment of the present application;
Figs. 3a and 3b are schematic flowcharts of embodiments of step S109 in Fig. 2;
Fig. 4 is a schematic diagram of the structure of an electronic medium;
Fig. 5 is a schematic flowchart of the interaction between the read-write device and the electronic medium;
Fig. 6 is a schematic structural diagram of an authentication apparatus for an electronic medium according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an authentication device for an electronic medium according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of an authentication system for an electronic medium according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of another authentication system for an electronic medium according to an embodiment of the present application.
Detailed Description
The technical solution in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It is to be understood that the described embodiments are merely a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides an authentication method, device and system of an electronic medium, which can improve the safety of an authentication process. The present application will be described in detail below with reference to specific examples.
Fig. 1 is a schematic flowchart of an authentication method for an electronic medium according to an embodiment of the present application; the method is applied to a read-write device. The electronic medium may be understood as an electronic product capable of storing user data, and may include an MF1 (Mifare One) card, a CPU card (smart card), a PSAM (Security Access Module) card and other electronic products. The read-write device is used to authenticate the electronic medium and, after the authentication passes, to process the user data in the electronic medium so that the user holding the electronic medium obtains the corresponding service. Processing the user data in the electronic medium may specifically include: reading the user data in the electronic medium, performing addition and subtraction on the user data, writing new user data, and the like. The authentication of the electronic medium is used to obtain read-write permission for the user data in the electronic medium.
The method for authenticating the electronic medium includes the following steps S101 to S104:
Step S101: obtaining a medium identification KID of the electronic medium to be authenticated.
The medium identification may be a number that identifies the electronic medium.
Specifically, when obtaining the KID, the read-write device, as the execution subject, may directly read the KID of the electronic medium to be authenticated. More specifically, the read-write device may first send a read instruction for the KID to the electronic medium to be authenticated; when the electronic medium receives the read instruction, it sends the KID it stores to the read-write device, and the read-write device receives the KID sent by the electronic medium.
It should be noted that the electronic medium in this embodiment may be a card such as an MF1 card, a CPU card or a PSAM card, and when the read-write device interacts with the electronic medium, it may call the APDU (Application Protocol Data Unit) instructions or TPDU (Transport Protocol Data Unit) instructions supported by the hardware in the industry to complete the interaction. In the subsequent steps of this embodiment, the interaction between the read-write device and the electronic medium may likewise be completed using APDU or TPDU instructions.
Step S102: encrypting the key KU stored by the read-write device itself, using the KID as the key, to obtain the authentication key Ku1.
In this embodiment, in order to improve the security of the authentication process, the KU may be a key that the read-write device obtains from the server managing the read-write device when the read-write device is powered on, and then stores itself. When stored, the KU may be held in the random access memory (RAM) of the read-write device itself. It should be noted that RAM is a readable and writable memory whose contents are lost when power is removed. In this embodiment, the read-write device therefore obtains the KU from the server at power-on and loses it from its RAM at power-off. Consequently, even if a cracker steals the read-write device, the KU cannot be obtained from it and the authentication key cannot be derived, so the security of the authentication process is improved.
As another specific embodiment, the KU may be a default key stored by the read-write device itself, or a key that the read-write device obtained from the server and then stored. The KU may be stored in a Flash memory area (Flash area) of the read-write device, in an encryption chip, or in a PSAM card. It should be noted that data stored in the Flash area, the encryption chip or the PSAM card is not lost at power-off, so after obtaining the KU from the server and storing it, the read-write device does not need to obtain it again.
It can be understood that the read-write device in this embodiment does not directly store the authentication key of the electronic medium, which prevents a cracker from recovering the authentication key from a read-write device in their possession.
When the key KU stored by the read-write device itself is encrypted using the KID as the key, encryption operations such as shift and XOR may be used, or encryption algorithms such as DES (Data Encryption Standard), 3DES (Triple DES, Triple Data Encryption Standard) or AES (Advanced Encryption Standard) may be used; the present application does not particularly limit this.
Here, encryption may be understood as a process of disguising data to be encrypted in a specified manner to hide the content of the data to be encrypted. Corresponding to the encryption process is a decryption process.
In this embodiment, the KU may be the same for different electronic media. It can be understood that, in this embodiment, since the media identifications KID corresponding to different electronic media are different, even if the KU stored in the read-write device itself is the same, the obtained authentication keys are different, and it can be ensured that the authentication keys corresponding to different electronic media are different.
It should be noted that the KU may be different for different operators that use the read/write device to provide services for the user. For example, the KU used may be different between an operator for providing access service and an operator for providing subway service.
In addition, since the electronic medium may include a plurality of sectors or a plurality of directories, each sector or each directory may be used to provide different kinds of services, a user may access different sectors or access different directories. For example, the MF1 card is internally composed of sectors, and the CPU card and the PSAM card are internally composed of directories.
Different sectors or directories may correspond to different authentication keys, and each sector or directory may be used to store user data or keys. Correspondingly, KU may be a set of multiple keys. Therefore, when encrypting the KU stored in the read-write device with the KID as the key, the read-write device may determine the first identifier of the electronic medium to be authenticated, determine the target key corresponding to the first identifier from the KU stored in the read-write device, and encrypt the target key with the KID as the key to obtain the authentication key Ku1. The first identifier may be a sector identifier or a directory identifier, and the KU is a set of keys each corresponding to a first identifier.
Step S103: the above Ku1 is transmitted to the electronic medium.
Specifically, the APDU command or the TPDU command may be called to transmit the Ku1 to an electronic medium, and the electronic medium may receive the Ku1 transmitted by a reader/writer device.
Step S104: the confirmation message sent by the electronic medium is received, and it is determined that the electronic medium passes the authentication, that is, the authentication is successful. The confirmation message is a message generated by the electronic medium when the authentication key Ku2 stored in the electronic medium is the same as the above Ku1.
Specifically, the read-write device may instead receive a negative acknowledgement message sent by the electronic medium, and determine that the electronic medium does not pass the authentication, that is, the authentication fails. The negative acknowledgement message is a message generated by the electronic medium when Ku2 is different from Ku1.
Further, the electronic medium may be pre-filled with the authentication key Ku2, where Ku2 is the key obtained by encrypting the key KU with the medium identifier KID of the electronic medium as the key. When the electronic medium is an electronic product issued in cooperation with the read-write device, the Ku2 in the electronic medium is the same as the Ku1 obtained by the read-write device, and the read-write device passes the authentication of the electronic medium.
If the electronic medium is forged, then since a cracker can hardly extract the KU from the read-write device, the internal authentication key of the electronic medium can hardly be copied; when Ku2 is different from Ku1, the read-write device refuses to pass the authentication of the electronic medium, so the read-write authority over the electronic medium cannot be obtained and the security of the user data in the electronic medium is ensured.
As a specific implementation, the authentication process provided by this embodiment may allow the electronic medium to fail authentication a preset number of times within a preset time duration, and if the number of authentication failures of the electronic medium exceeds the preset number within the preset time duration, refuse to authenticate the electronic medium. For example, the read-write device may allow the electronic medium to fail authentication 3 times in a day, and prohibit the electronic medium from being authenticated again that day if it fails more than 3 times in the day.
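The first authentication of steps S101 to S104, with the per-sector KU table and the failure limit described above, simulated in Python. This is an added example, not code from the patent; it assumes HMAC-SHA256 truncated to 6 bytes in place of the cipher the patent leaves open, an MF1-style 16-sector layout, and constructed KU and KID values.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# All key and identifier values below are constructed for this example; none come from the patent.
# The patent leaves the cipher open (shift, XOR, DES, 3DES or AES). This example substitutes
# HMAC-SHA256 truncated to 6 bytes (the length of an MF1 sector key) as the keyed function that
# derives Ku1 from the medium identifier KID and the per-sector key KU.
KEY_LEN = 6


def derive_ku1(kid: bytes, ku_entry: bytes) -> bytes:
    """Step S102: Ku1 = Enc_KID(KU[sector]). Keyed with the card's own KID, so two cards
    with different KIDs get different Ku1 even though the reader holds one KU table."""
    return hmac.new(kid, ku_entry, hashlib.sha256).digest()[:KEY_LEN]


class Card:
    """Simulated electronic medium (MF1-style): KID in sector 0 block 0, and one
    pre-personalised authentication key Ku2 per sector that is never readable."""

    def __init__(self, kid: bytes, ku2_by_sector: dict):
        self.kid = kid
        self._ku2 = ku2_by_sector

    def read_kid(self) -> bytes:
        return self.kid

    def authenticate(self, sector: int, ku1: bytes) -> bool:
        """True = confirmation message (stored Ku2 equals Ku1);
        False = negative acknowledgement. Constant-time comparison."""
        return hmac.compare_digest(self._ku2.get(sector, b""), ku1)


def personalise(kid: bytes, ku_table: dict) -> Card:
    """Issuer side: a genuine card is written with Ku2 = Enc_KID(KU[sector]) for every sector."""
    return Card(kid, {s: derive_ku1(kid, ku) for s, ku in ku_table.items()})


class Reader:
    """Read-write device. KU is held in RAM only; Ku1 is recomputed per card and never stored."""

    MAX_FAILURES = 3            # the embodiment's example: three failures per day
    WINDOW_SECONDS = 24 * 3600

    def __init__(self, ku_table: dict):
        self._ku = ku_table
        self._failures = defaultdict(deque)   # KID -> timestamps of failed attempts

    def _locked_out(self, kid: bytes, now: float) -> bool:
        attempts = self._failures[kid]
        while attempts and now - attempts[0] > self.WINDOW_SECONDS:
            attempts.popleft()                # forget failures outside the window
        return len(attempts) >= self.MAX_FAILURES

    def authenticate(self, card: Card, sector: int, now: float = None) -> str:
        """Steps S101-S104 for one sector. Returns 'pass', 'fail' or 'refused'."""
        now = time.time() if now is None else now
        kid = card.read_kid()                             # S101: read KID
        if self._locked_out(kid, now):
            return "refused"                              # too many failures in the window
        target_key = self._ku.get(sector)                 # first identifier -> target key
        if target_key is None:
            return "fail"
        ku1 = derive_ku1(kid, target_key)                 # S102
        if card.authenticate(sector, ku1):                # S103 send Ku1, S104 read reply
            return "pass"
        self._failures[kid].append(now)
        return "fail"


# Constructed sample data: a 16-sector KU table and two card identifiers.
KU_TABLE = {s: hashlib.sha256(b"constructed-KU-" + bytes([s])).digest()[:KEY_LEN] for s in range(16)}
GENUINE_KID = bytes.fromhex("04a1b2c3")
OTHER_KID = bytes.fromhex("04ffeedd")


def demo() -> list:
    """Genuine card passes; a card carrying the genuine card's Ku2 values under a different KID
    fails, is refused after three failures in a day, and is only retried once the window has
    passed; the lockout is per KID, so the genuine card is unaffected."""
    reader = Reader(KU_TABLE)
    genuine = personalise(GENUINE_KID, KU_TABLE)
    copied_keys = {s: derive_ku1(GENUINE_KID, ku) for s, ku in KU_TABLE.items()}
    copy = Card(OTHER_KID, copied_keys)
    t0 = 1_700_000_000.0
    results = [reader.authenticate(genuine, 1, t0), reader.authenticate(copy, 1, t0)]
    results += [reader.authenticate(copy, 1, t0 + i) for i in range(3)]
    results.append(reader.authenticate(copy, 1, t0 + 2 * Reader.WINDOW_SECONDS))
    results.append(reader.authenticate(genuine, 1, t0 + 3))
    return results


if __name__ == "__main__":
    print(demo())
```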
As can be seen from the above, the authentication method for an electronic medium provided in this embodiment obtains the medium identifier KID of the electronic medium to be authenticated, encrypts the key KU stored in the read-write device with the KID as the key to obtain the authentication key Ku1, transmits Ku1 to the electronic medium, and passes the authentication of the electronic medium upon receiving the confirmation message sent by the electronic medium, the confirmation message being generated when the authentication key Ku2 stored in the electronic medium is the same as Ku1. The authentication key used for the authentication is not stored in the read-write device; instead, after the medium identifier of the electronic medium is acquired, the key stored in the read-write device is encrypted with the medium identifier as the key to obtain the authentication key, so the authentication keys obtained for different electronic media are different. Therefore, with the electronic medium authentication method provided by this embodiment, the authentication key does not need to be stored in the read-write device, and the authentication key obtained for each electronic medium is different, so the security of the authentication process is improved.
Meanwhile, the embodiment does not need to increase any hardware cost, and the read-write equipment does not need to use a PSAM card or an encryption chip, so that the hardware cost can be reduced.
In order to further verify the identity of the electronic medium and improve the safety of the electronic medium in the using process, the application also provides the embodiment shown in fig. 2, and the embodiment shown in fig. 2 is an embodiment obtained on the basis of the embodiment shown in fig. 1. In the embodiment shown in fig. 1, after passing the authentication of the electronic medium, the method may further include the following steps S105 to S109:
Step S105: the first data KD for identity authentication stored in the read-write device is encrypted with the KID as the key to obtain the encryption key Kd. The Kd is used to encrypt the specified data to obtain the authentication data.
In this embodiment, in order to improve the security of the authentication process, the KD may be data that the read-write device obtains from the server for managing the read-write device when the read-write device is powered on, and then stores. When stored, the KD may be kept in the RAM of the read-write device. In this embodiment, the read-write device obtains the KD from the server at power-up, and the KD in its RAM is lost at power-down. Therefore, even if a cracker steals the read-write device, the KD cannot be obtained from it, and hence the encryption key cannot be obtained, so the security of the authentication data is improved.
As another specific embodiment, the KD may be default data stored in the read-write device itself, or data stored in the read-write device after being obtained from the server. The KD may be stored in a Flash memory area (Flash area) of the read-write device, in an encryption chip, or in a PSAM card. Since data stored in these storage areas is not lost after power-off, the read-write device does not need to obtain the KD from the server again once it has obtained and stored it.
When the KID is used as the key to encrypt the first data KD stored in the device, encryption algorithms such as shift, exclusive or and the like may be adopted, and encryption algorithms such as DES, 3DES, AES and the like may also be adopted, which is not specifically limited in this application.
In this embodiment, the KD may be the same for different electronic media. It can be understood that, since the medium identifiers KID of different electronic media are different, even if the KD stored in the read-write device itself is the same, the obtained encryption keys Kd are different, so it can be ensured that the encryption keys corresponding to different electronic media are different.
It should be noted that the KD may be different for different operators. For example, the KD used by an operator providing access service and the KD used by an operator providing subway service may be different.
In addition, since the electronic medium may include multiple sectors or multiple directories, a user may access different sectors or directories, which may correspond to different encryption keys Kd. Correspondingly, KD may be a set of multiple items of first data. Therefore, when encrypting the KD with the KID, the read-write device may determine the first identifier of the electronic medium to be authenticated, determine the target first data corresponding to the first identifier from the KD, and encrypt the target first data with the KID as the key to obtain the encryption key Kd. The first identifier may be a sector identifier or a directory identifier, and the KD is a set of first data items each corresponding to a first identifier.
Step S106: a target field is determined.
Specifically, when determining the target field, the KID may be determined as the target field, or the second data TID for identity authentication stored in the read-write device may be determined as the target field.
The KID may be a signature code assigned to each operator by a manufacturer's key issuing system, and different operators may correspond to different KIDs.
In order to improve the security of the authentication process, the TID may be data that the read-write device obtains from the server when it is powered on, and then stores. When stored, the TID may be kept in the RAM of the read-write device. In this embodiment, the read-write device obtains the TID from the server at power-up, and the TID in its RAM is lost at power-down. Therefore, even if a cracker steals the read-write device, the TID cannot be obtained from it, and hence the authentication data cannot be obtained, so the security of the authentication data is improved.
As another specific embodiment, the TID may be default data stored in the read-write device itself, or data stored in the read-write device after being obtained from the server. The TID may be stored in a Flash area of the read-write device, in an encryption chip, or in a PSAM card. Since data stored in these storage areas is not lost after power failure, the read-write device does not need to obtain the TID from the server again once it has obtained and stored it.
Step S107: the target field is encrypted with the Kd as the key to obtain the authentication data Ke1.
When the Kd is used as a key to encrypt the target field, encryption algorithms such as shift, exclusive or and the like may be used, and encryption algorithms such as DES, 3DES, AES and the like may also be used, which is not specifically limited in this application.
Step S108: the authentication data Ke2 is read from the electronic medium.
It should be noted that after passing authentication of the electronic medium, the read-write authority of the electronic medium can be obtained, so that data information can be read from the electronic medium.
In this embodiment, the electronic medium may include a key area and a data area. The key area is used for storing authentication keys, and the data area is used for storing user data. The Ke2 may be stored in the data area. The read-write apparatus can read Ke2 from the data area when reading Ke2 from the electronic medium.
Further, the electronic medium may be pre-populated with the authentication data Ke2, where Ke2 is the data obtained by encrypting the target field with Kd as the key, and Kd is the key obtained by encrypting the first data KD for identity authentication with the medium identifier KID of the electronic medium as the key. When the electronic medium is an electronic product issued in cooperation with the read-write device, the Ke2 read from the electronic medium is the same as the Ke1 obtained by the read-write device, and the read-write device passes the authentication of the electronic medium.
Specifically, the APDU command or the TPDU command may be called to read the authentication data Ke2 from the electronic medium.
Step S109: an authentication result for the electronic medium is obtained according to the Ke1 and the Ke2.
Specifically, obtaining the authentication result for the electronic medium according to Ke1 and Ke2 may include: determining that the electronic medium passes the authentication when Ke1 is the same as Ke2, and determining that the electronic medium does not pass the authentication when Ke1 is different from Ke2.
In this embodiment, when a cracker wants to forge the electronic medium, since the cracker can hardly extract the KD from the read-write device, that is, can hardly obtain Kd, the authentication data of the electronic medium can hardly be copied; when Ke2 is different from Ke1, the read-write device refuses to pass the authentication of the electronic medium and further refuses to perform other processing operations on the data area of the electronic medium, thereby ensuring the security of the user data in the electronic medium.
In summary, in this embodiment, after the electronic medium passes the authentication, the first data KD is encrypted with the KID as the key to obtain the encryption key Kd, the target field is encrypted with Kd as the key to obtain the authentication data Ke1, and the authentication data Ke2 is read from the electronic medium so that the authentication result for the electronic medium is obtained according to Ke2 and Ke1. The authentication data is not directly stored in the read-write device; it is obtained by first deriving the encryption key Kd and then encrypting the target field with Kd as the key. Therefore, with the electronic medium authentication method provided by this embodiment, the authentication data does not need to be stored in the read-write device, and the authentication data obtained for each electronic medium is different, so the electronic medium can be further authenticated and its security in use is improved.
In order to further improve the accuracy of the authentication, in a specific implementation of the embodiment shown in fig. 2, when the target field is the KID, step S109, that is, the step of obtaining the authentication result for the electronic medium according to Ke1 and Ke2, may be performed according to the flowchart shown in fig. 3a, and specifically includes the following steps S301a to S304a:
Step S301a: it is determined whether Ke1 is the same as Ke2; if yes, step S302a is executed, which means that the electronic medium can be authenticated a second time after passing the first authentication. If not, it is directly determined that the electronic medium fails the identity authentication, and other processing operations on the data area of the electronic medium are refused.
Step S302a: the TID is encrypted with Kd as the key to obtain the characteristic data Tid1.
When the TID is encrypted by using Kd as a key, an encryption algorithm such as shift, exclusive or and the like may be adopted, and an encryption algorithm such as DES, 3DES, AES and the like may also be adopted, which is not specifically limited in the present application.
Step S303 a: the characteristic data Tid2 is read from the electronic medium.
In this embodiment, the Tid2 may be stored in the data area of the electronic medium. When reading Tid2 from the electronic medium, the read-write device can read Tid2 from the data area.
Further, the electronic medium may be pre-loaded with the characteristic data Tid2, where Tid2 is the data obtained by encrypting the TID with Kd as the key, and Kd is the key obtained by encrypting the first data KD for identity verification with the medium identifier KID of the electronic medium as the key. When the electronic medium is an electronic product issued in cooperation with the read-write device, the Tid2 read from the electronic medium is the same as the Tid1 obtained by the read-write device, and the read-write device passes the second authentication of the electronic medium.
Specifically, the APDU command or the TPDU command may be called to read the characteristic data Tid2 from the electronic medium.
Step S304a: when Tid1 is the same as Tid2, it is determined that the electronic medium passes the authentication, and other processing operations can then be performed on the data area of the electronic medium.
When the Tid1 is different from the Tid2, the electronic medium is determined not to pass the authentication, and other processing operations on the data area of the electronic medium are refused.
In this embodiment, the cracker cannot obtain Kd, and thus cannot obtain the feature data. When the Tid2 is different from the Tid1, the read-write equipment refuses to pass the authentication of the electronic medium, and further refuses to perform other processing operations on the data area of the electronic medium, so that the safety of user data in the electronic medium can be improved.
It can be seen that, in this embodiment, KD may be encrypted with KID as the key to obtain Kd, KID may be encrypted with Kd as the key to obtain the authentication data Ke1, Ke1 may be compared with the Ke2 read from the electronic medium, and if Ke1 is the same as Ke2, TID may be further encrypted with Kd as the key to obtain Tid1, Tid1 may be compared with the Tid2 read from the electronic medium, and when Tid1 is the same as Tid2 it may be determined that the electronic medium passes the authentication. In other words, in this embodiment, the electronic medium is authenticated twice, and since the authentication data and the characteristic data obtained in the two authentication processes are not stored in the read-write device and are different for different electronic media, this embodiment improves the accuracy of the authentication of the electronic medium and further improves the security of the user data in the electronic medium.
In order to further improve the accuracy of the authentication, in a specific implementation of the embodiment shown in fig. 2, when the target field is the TID, step S109, that is, the step of obtaining the authentication result for the electronic medium according to Ke1 and Ke2, may be performed according to the flowchart shown in fig. 3b, and specifically includes the following steps S301b to S304b:
Step S301b: it is determined whether Ke1 is the same as Ke2; if yes, step S302b is executed, which means that the electronic medium can be authenticated a second time after passing the first authentication. If not, it is directly determined that the electronic medium fails the identity authentication, and other processing operations on the data area of the electronic medium are refused.
Step S302b: the KID is encrypted with Kd as the key to obtain the identification data Kid1.
When the KID is encrypted with Kd as the key, an encryption algorithm such as shift, exclusive or, etc. may be adopted, and an encryption algorithm such as DES, 3DES, AES, etc. may also be adopted, which is not specifically limited in the present application.
Step S303 b: the identification data Kid2 is read from the electronic medium.
In this embodiment, the Kid2 can be stored in the data area of the electronic medium. When reading Kid2 from the electronic medium, the reader can read Kid2 from the data area.
Further, the electronic medium may be pre-filled with the identification data Kid2, where Kid2 is the data obtained by encrypting the KID with Kd as the key, and Kd is the key obtained by encrypting the first data KD for identity authentication with the medium identifier KID of the electronic medium as the key. When the electronic medium is an electronic product issued in cooperation with the read-write device, the Kid2 read from the electronic medium is the same as the Kid1 obtained by the read-write device, and the read-write device passes the second authentication of the electronic medium.
Specifically, the APDU command or the TPDU command may be called to read the identification data Kid2 from the electronic medium.
Step S304b: when Kid1 is the same as Kid2, it is determined that the electronic medium passes the authentication, and other processing operations can then be performed on the data area of the electronic medium.
When the Kid1 is different from Kid2, it is determined that the electronic medium is not authenticated, and other processing operations on the data area of the electronic medium are rejected.
In this embodiment, the cracker cannot obtain Kd and thus cannot obtain the identification data. When Kid2 is different from Kid1, the read-write device refuses to pass the authentication of the electronic medium and further refuses to perform other processing operations on the data area of the electronic medium, so the security of the user data in the electronic medium is improved.
It can be seen that this embodiment may encrypt KD with KID as the key to obtain Kd, encrypt TID with Kd as the key to obtain the authentication data Ke1, compare Ke1 with the Ke2 read from the electronic medium, and if Ke1 is the same as Ke2, further encrypt KID with Kd as the key to obtain Kid1, compare Kid1 with the Kid2 read from the electronic medium, and determine that the electronic medium passes the authentication when Kid1 is the same as Kid2. In other words, in this embodiment, the electronic medium is authenticated twice, and since the authentication data and the identification data obtained in the two authentication processes are not stored in the read-write device and are different for different electronic media, this embodiment improves the accuracy of the authentication of the electronic medium and further improves the security of the user data in the electronic medium.
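The identity authentication of steps S105 to S109 together with the second check of fig. 3a (target field KID, then TID) and fig. 3b (target field TID, then KID), simulated in Python. This is an added example, not code from the patent; it assumes HMAC-SHA256 truncated to one 16-byte data block in place of the cipher the patent leaves open, constructed KD, TID and KID values, and constructed data block numbers for Ke2 and the second-stage value.

```python
import hashlib
import hmac

# Constructed values only; none are from the patent. The cipher is left open in the patent
# (shift, XOR, DES, 3DES, AES); this example substitutes HMAC-SHA256 truncated to 16 bytes,
# the size of one MF1 data block, for every "encrypt X with key Y" step.
BLOCK_LEN = 16


def enc(key: bytes, data: bytes) -> bytes:
    """Keyed derivation standing in for the patent's encryption step."""
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK_LEN]


class Card:
    """Simulated medium: KID plus a data area (block number -> 16-byte content).
    The data area may only be read after the Ku authentication of steps S101-S104,
    modelled here by the `authenticated` flag."""

    def __init__(self, kid: bytes, data_area: dict, authenticated: bool = True):
        self.kid = kid
        self.data_area = data_area
        self.authenticated = authenticated

    def read_block(self, block: int) -> bytes:
        if not self.authenticated:
            raise PermissionError("data area locked: Ku authentication not passed")
        return self.data_area.get(block, bytes(BLOCK_LEN))


# Constructed data block numbers where the issuer writes Ke2 and the second-stage value.
KE_BLOCK, SECOND_BLOCK = 4, 5


def issue_card(kid: bytes, kd_entry: bytes, tid: bytes, target: str) -> Card:
    """Issuer side: Kd = Enc_KID(KD); Ke2 = Enc_Kd(target field); the other field
    (TID for fig. 3a, KID for fig. 3b) is also encrypted under Kd and stored as Tid2 / Kid2."""
    kd_key = enc(kid, kd_entry)
    first, second = (kid, tid) if target == "KID" else (tid, kid)
    return Card(kid, {KE_BLOCK: enc(kd_key, first), SECOND_BLOCK: enc(kd_key, second)})


def identity_verify(card: Card, kd_table: dict, tid: bytes, target: str, data_block: int) -> str:
    """Reader side: steps S105-S109 plus the second check of fig. 3a (target KID, then TID)
    or fig. 3b (target TID, then KID). The KD entry is selected by the data block to be processed.
    Returns 'pass', 'fail_first' or 'fail_second'; the second check only runs after the first passes."""
    kid = card.kid                                   # already read in step S101
    kd_key = enc(kid, kd_table[data_block])          # S105: Kd = Enc_KID(KD[block])
    first, second = (kid, tid) if target == "KID" else (tid, kid)   # S106: target field
    ke1 = enc(kd_key, first)                         # S107
    ke2 = card.read_block(KE_BLOCK)                  # S108
    if not hmac.compare_digest(ke1, ke2):            # S109 / S301
        return "fail_first"
    second1 = enc(kd_key, second)                    # S302: Tid1 (3a) or Kid1 (3b)
    second2 = card.read_block(SECOND_BLOCK)          # S303
    if not hmac.compare_digest(second1, second2):    # S304
        return "fail_second"
    return "pass"


# Constructed reader-side secrets: one KD per data block and the TID (held in RAM in the patent).
KD_TABLE = {b: hashlib.sha256(b"constructed-KD-" + bytes([b])).digest()[:BLOCK_LEN] for b in range(64)}
TID = b"constructed-TID-"
KID_A = bytes.fromhex("04a1b2c3")
KID_B = bytes.fromhex("04ffeedd")


def demo() -> dict:
    """Genuine cards pass under both flow variants; a data area copied to a chip with another
    KID fails the first check (Kd differs); a correct Ke2 with a wrong second value fails the second."""
    out = {}
    for target in ("KID", "TID"):
        genuine = issue_card(KID_A, KD_TABLE[4], TID, target)
        out[f"genuine_{target}"] = identity_verify(genuine, KD_TABLE, TID, target, 4)
        moved = Card(KID_B, dict(genuine.data_area))        # same data area, different KID
        out[f"moved_{target}"] = identity_verify(moved, KD_TABLE, TID, target, 4)
        partial = Card(KID_A, {KE_BLOCK: genuine.data_area[KE_BLOCK], SECOND_BLOCK: bytes(BLOCK_LEN)})
        out[f"partial_{target}"] = identity_verify(partial, KD_TABLE, TID, target, 4)
    return out


if __name__ == "__main__":
    print(demo())
```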
In this embodiment, the read-write device may obtain and store the first target information including at least one of the KU, the KD, and the TID by using the following steps 1 and 2:
Step 1: a first encrypted information group is obtained from the server. The first encrypted information group is the encrypted information group obtained by the server encrypting the first target information stored in the server with the device identifier UID of the read-write device as the key. The server is used for managing the read-write device.
The UID is information for identifying the read-write device, and the UID may be a factory number of the processor CPU. The UIDs of the different read-write devices are also different. The server may read the UID from the processor CPU of the read-write device.
Specifically, when the first encrypted information group is obtained from the server, an obtaining request for obtaining the first encrypted information group may be sent to the server, and after receiving the obtaining request, the server sends the first encrypted information group to the read-write device. Or, when the read-write device is powered on, an acquisition request for acquiring the first encrypted information group is sent to the server, and after receiving the acquisition request, the server sends the first encrypted information group to the read-write device. Therefore, when the read-write equipment is powered off, the first target information stored in the read-write equipment is lost, and when the read-write equipment is powered on, the first encrypted information group is obtained from the server, so that the read-write equipment can not store the first target information when the read-write equipment is powered off, and the safety of the electronic medium authentication process is improved.
Further, the server may obtain the UID of the read-write device in advance, and encrypt the first target information stored in the server by using the UID as a key to obtain the first encrypted information group. In this embodiment, when the server transmits the first target information to the read-write device, the first target information is not transmitted in a plaintext form, but is transmitted in a ciphertext form, so that the security of the first target information is improved.
It should be noted that, when the server encrypts the first target information stored in the server by using the UID as a key, the server may use encryption algorithms such as shift, xor, and the like, and may also use encryption algorithms such as DES, 3DES, AES, and the like, which is not specifically limited in this application.
It can be understood that the first encrypted information group can be obtained after the first target information is encrypted by using the UID as a key, and because the UIDs of different read-write devices are different, the obtained first encrypted information group is also different, which can further improve the security of the information.
Step 2: the first encrypted information group is decrypted with the UID as the key to obtain the first target information, and the first target information is stored.
Specifically, when the first target information is stored, it may be stored in the Flash area, the encryption chip or the PSAM card of the read-write device, or in the RAM. When the first target information is stored in the RAM, it is lost after the read-write device is powered off, so a cracker who obtains the read-write device cannot extract the first target information from it, and the security of the information is improved.
It should be noted that, when the read-write device decrypts the first encrypted information group by using the UID as a key, the read-write device may use a decryption algorithm corresponding to the encryption algorithm used by the server for encryption, so as to ensure that the first target information is obtained from the first encrypted information group.
The decryption can be understood as a process of converting the encrypted ciphertext into the plaintext by adopting a specified mode. Corresponding to the decryption process is an encryption process.
Therefore, in this embodiment, the read-write device obtains the first target information from the server in ciphertext form, and the first encrypted information group obtained with the UID as the key is different for different read-write devices, so the security of the information during transmission is improved.
In order to further improve the security when processing the data area of the electronic medium, in a specific implementation of the embodiment shown in fig. 2, the method may further include: after passing the authentication of the electronic medium, the data area of the electronic medium is processed with the above Kd as a key.
Specifically, the data area of the electronic medium may be processed with Kd as the key after the electronic medium has passed the authentication and has also passed the identity authentication.
More specifically, processing the data area of the electronic medium with Kd as the key may include: reading the user data Data1 in the electronic medium, decrypting Data1 with Kd as the key to obtain the decrypted user data Data1, and processing Data1. It may further include: after Data1 is processed, encrypting the processed Data1 with Kd as the key to obtain Data2, and transmitting Data2 to the electronic medium, which receives Data2 and stores it.
Here, the user data Data1 in the data area of the electronic medium may be data that has been encrypted with Kd as the key. The processing of Data1 may include adding to, subtracting from, or otherwise operating on Data1.
As an example, it is known that a read-write device reads user data 754 from a data area of an electronic medium, decrypts 754 with Kd as a key to obtain 236, processes 236 according to a user operation, and if the processing procedure is to subtract 1 from 236, it may obtain processed user data 235. The read-write device can encrypt 235 with Kd as a key, and if 671 is obtained, the 671 is sent to the electronic medium, and the electronic medium receives 671 and stores 671 in its own data area.
It can be seen that, in this embodiment, the read-write device may process the data area in the electronic medium with Kd as the key, and the data in the data area in the corresponding electronic medium is also the data encrypted with Kd as the key. Thus, even if the cracker wants to break the data area of the electronic medium, the cracker cannot obtain Kd, so that it is difficult to break the user data in the data area, and the safety of the user data in the electronic medium can be improved.
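The two places above that need a reversible cipher, the server-to-reader provisioning of steps 1 and 2 (first encrypted information group keyed with the UID) and the data-area processing with Kd (the 754 → 236 → 235 → 671 walk-through), simulated together in Python. This is an added example, not code from the patent; it assumes an HMAC-SHA256 counter-mode keystream with a nonce and an integrity tag in place of the cipher the patent leaves open (so the ciphertext values differ from those in the text), and constructed UID, target information and Kd values.

```python
import hashlib
import hmac
import json
import os

# Constructed values throughout; nothing here is the patent's own cipher or data. The patent
# leaves the algorithm open (shift, XOR, DES, 3DES, AES). Because the reader must decrypt both
# the server's group and the data area, a reversible construction is used: an HMAC-SHA256
# counter-mode keystream under a fresh nonce, plus an encrypt-then-MAC tag. The tag goes
# beyond the patent text; it makes a modified ciphertext fail instead of decrypting to garbage.
NONCE_LEN, TAG_LEN = 8, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Returns nonce || ciphertext || tag. A nonce may be supplied for reproducible tests."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first; a wrong key or a modified ciphertext raises ValueError."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext rejected: tag mismatch")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


# Steps 1 and 2: server -> reader provisioning keyed with the device identifier UID.

def server_build_group(uid: bytes, target_info: dict) -> bytes:
    """Server side: first encrypted information group = Enc_UID({KU, KD, TID})."""
    payload = json.dumps({k: v.hex() for k, v in target_info.items()}, sort_keys=True).encode()
    return encrypt(uid, payload)


def reader_receive_group(uid: bytes, group: bytes) -> dict:
    """Reader side: decrypt with its own UID; the result is kept in a RAM-only dict."""
    return {k: bytes.fromhex(v) for k, v in json.loads(decrypt(uid, group)).items()}


# Data-area processing with Kd as the key (Data1 -> decrypt -> operate -> encrypt -> Data2).

def process_block(kd: bytes, data1_cipher: bytes, delta: int) -> bytes:
    """Read Data1, decrypt with Kd, apply the user operation, re-encrypt as Data2."""
    value = int.from_bytes(decrypt(kd, data1_cipher), "big") + delta
    if value < 0:
        raise ValueError("stored value cannot go negative")   # added edge-case check
    return encrypt(kd, value.to_bytes(4, "big"))


def stored_value(kd: bytes, cipher: bytes) -> int:
    return int.from_bytes(decrypt(kd, cipher), "big")


# Constructed sample: a reader UID, the server's target information, and one card's Kd.
UID = bytes.fromhex("1122334455667788")
TARGET_INFO = {"KU": b"constructed-KU-0", "KD": b"constructed-KD-0", "TID": b"constructed-TID-"}
KD_KEY = hashlib.sha256(b"constructed-Kd").digest()[:16]


def demo() -> tuple:
    """Power-up provisioning round trip, then the text's walk-through: 236 stored under Kd,
    subtract 1, store 235 back under Kd."""
    ram = reader_receive_group(UID, server_build_group(UID, TARGET_INFO))
    data1 = encrypt(KD_KEY, (236).to_bytes(4, "big"))   # card block holds 236 under Kd
    data2 = process_block(KD_KEY, data1, -1)            # user operation: subtract 1
    return ram == TARGET_INFO, stored_value(KD_KEY, data2), data1 != data2


if __name__ == "__main__":
    print(demo())
```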
The present application will be described in detail with reference to specific examples.
A known electronic medium is the MF1 card, whose structure may be as shown in fig. 4. In fig. 4 the card has 16 sectors, each sector consisting of 3 data blocks and 1 key block. Block 0 of sector 0 stores the medium identifier KID of the electronic medium. The key block of each sector stores the authentication key Ku2, which consists of 2 keys (KeyA and KeyB). Accordingly, the key KU stored in the read-write device comprises 16 groups, one group for each sector identifier, and each group comprises a KEYA and a KEYB. Likewise, 16 × 3 values of KD are stored in the read-write device, one KD for each data block identifier. The sector identifier may be the sector sequence number, and the data block identifier may be the data block sequence number.
When the read-write device authenticates the card, it selects the group corresponding to the sector to be authenticated from the KU array, encrypts the selected group with the KID as the key using a preset encryption algorithm, and thereby obtains the authentication key Ku1 for that sector (Ku1 comprises the sector key KeyA or KeyB). Ku1 is sent to the card; when the card's authentication passes (that is, the card confirms that the Ku2 it stores is the same as Ku1), the card sends a confirmation message to the read-write device, and the read-write device confirms that the card has passed authentication.
For the further authentication of the card, the read-write device selects the KD entry corresponding to the data block to be processed, encrypts the selected KD with the KID as the key to obtain Kd, encrypts the KID with Kd as the key to obtain Kid1, reads Kid2 from the specified data block of the card, and determines that the first authentication of the electronic medium passes when Kid1 is the same as Kid2. It then encrypts the TID with Kd as the key to obtain Tid1, reads Tid2 from the specified data block of the card, and determines that the second authentication of the electronic medium passes when Tid1 is the same as Tid2.
When the read-write device authenticates the electronic medium and then performs the subsequent data processing, the interaction between the read-write device and the electronic medium may be as shown in fig. 5. In step S501, the read-write device reads the medium identifier KID of the electronic medium and encrypts the key KU stored in the read-write device with the KID as the key to obtain the authentication key Ku1. In step S502, the read-write device sends Ku1 to the electronic medium. In step S503, the electronic medium compares the authentication key Ku2 it stores with Ku1, sends a confirmation message to the read-write device when Ku2 is the same as Ku1, and sends a negative confirmation message when Ku2 differs from Ku1; the read-write device determines from the received confirmation message that the electronic medium has passed authentication. In step S504, the read-write device encrypts the first data KD stored in the read-write device with the KID as the key to obtain Kd, encrypts the KID with Kd as the key to obtain the identification data Kid1, and reads the identification data Kid2 stored in the electronic medium. In step S505, when Kid1 is the same as Kid2 the first authentication of the electronic medium is determined to have passed; the read-write device then encrypts the TID it stores with Kd as the key to obtain the characteristic data Tid1, reads the characteristic data Tid2 stored in the electronic medium, and confirms that the second authentication of the electronic medium has passed when Tid1 is the same as Tid2. In step S506, the data area of the electronic medium is processed with Kd as the key.
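The exchange of fig. 5 (steps S501 to S506), written out as a simulated reader and card. This is an added example, not code from the patent or from any product: the patent leaves the "encrypt X with Y as key" primitive open (shift, XOR, DES, 3DES, AES), so the example substitutes HMAC-SHA256 truncated to the field width, and it assumes a constructed block layout in which Kid2 occupies bytes 0-7 and Tid2 bytes 8-15 of the data block being processed. The card's own sector authentication is reduced to a constant-time comparison of Ku2 with Ku1. All KU, KD, TID and KID values are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

SECTORS, BLOCKS_PER_SECTOR = 16, 3   # MF1 layout of fig. 4: 3 data blocks + 1 key block per sector


def derive(key: bytes, data: bytes, length: int) -> bytes:
    """Stand-in for the patent's unspecified 'encrypt data with key' step (assumption: HMAC-SHA256,
    truncated to 6 bytes for an MF1 sector key or 8 bytes for each half of a 16-byte data block)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:length]


@dataclass
class Card:
    """Simulated electronic medium: KID readable without authentication, one Ku2 pair per sector,
    Kid2 || Tid2 stored in each data block (constructed layout, see lead-in)."""
    kid: bytes
    key_blocks: dict                       # sector -> {"A": Ku2 KeyA, "B": Ku2 KeyB}
    data_blocks: dict                      # (sector, block) -> 16 bytes
    unlocked: set = field(default_factory=set)

    def read_kid(self) -> bytes:           # S501: the medium identifier is public
        return self.kid

    def authenticate(self, sector: int, slot: str, ku1: bytes) -> bool:
        """S503: the card compares its stored Ku2 with Ku1 and acknowledges only on a match."""
        ok = hmac.compare_digest(self.key_blocks[sector][slot], ku1)
        if ok:
            self.unlocked.add(sector)
        return ok

    def read_block(self, sector: int, block: int) -> bytes:
        if sector not in self.unlocked:    # data is reachable only after sector authentication
            raise PermissionError("sector not authenticated")
        return self.data_blocks[(sector, block)]


def personalize(kid: bytes, ku: dict, kd: dict, tid: bytes) -> Card:
    """Issuer side: derive Ku2, Kid2 and Tid2 for one card from the shared KU/KD/TID and its KID,
    so that a reader holding the same KU/KD/TID reproduces them from the KID alone."""
    key_blocks, data_blocks = {}, {}
    for s in range(SECTORS):
        key_blocks[s] = {slot: derive(kid, ku[s][slot], 6) for slot in ("A", "B")}
        for b in range(BLOCKS_PER_SECTOR):
            kd_sb = derive(kid, kd[(s, b)], 16)                   # Kd for this data block
            data_blocks[(s, b)] = derive(kd_sb, kid, 8) + derive(kd_sb, tid, 8)  # Kid2 || Tid2
    return Card(kid, key_blocks, data_blocks)


class Reader:
    """Read-write device: holds only KU (16 x {A,B}), KD (16 x 3) and TID, never a card's own keys."""

    def __init__(self, ku: dict, kd: dict, tid: bytes):
        self.ku, self.kd, self.tid = ku, kd, tid

    def authenticate(self, card: Card, sector: int, block: int, slot: str = "A") -> str:
        kid = card.read_kid()                                     # S501: read KID
        ku1 = derive(kid, self.ku[sector][slot], 6)               #       Ku1 = E_KID(KU[sector])
        if not card.authenticate(sector, slot, ku1):              # S502/S503
            return "rejected: Ku2 != Ku1"
        kd_sb = derive(kid, self.kd[(sector, block)], 16)         # S504: Kd = E_KID(KD[block])
        kid1 = derive(kd_sb, kid, 8)                              #       Kid1 = E_Kd(KID)
        tid1 = derive(kd_sb, self.tid, 8)                         #       Tid1 = E_Kd(TID)
        stored = card.read_block(sector, block)                   #       Kid2 || Tid2
        if not hmac.compare_digest(kid1, stored[:8]):             # S505: first authentication
            return "rejected: Kid1 != Kid2"
        if not hmac.compare_digest(tid1, stored[8:]):             #       second authentication
            return "rejected: Tid1 != Tid2"
        return "authenticated"                                    # S506: kd_sb may now key the data area


def constructed_reader_secrets():
    """Constructed sample KU/KD/TID (not real values): one {A,B} pair per sector, one KD per block."""
    ku = {s: {"A": bytes([0x10 + s] * 6), "B": bytes([0x20 + s] * 6)} for s in range(SECTORS)}
    kd = {(s, b): bytes([0x30 + s, b] * 8) for s in range(SECTORS) for b in range(BLOCKS_PER_SECTOR)}
    return ku, kd, b"OPERATOR-TID-01"


def run_demo() -> dict:
    ku, kd, tid = constructed_reader_secrets()
    reader = Reader(ku, kd, tid)
    genuine = personalize(b"\x04\xa1\xb2\xc3", ku, kd, tid)
    # a card issued under some other KU: without the real KU its Ku2 cannot match the reader's Ku1
    foreign_ku = {s: {"A": b"\xff" * 6, "B": b"\xff" * 6} for s in range(SECTORS)}
    foreign = personalize(b"\x04\xa1\xb2\xc3", foreign_ku, kd, tid)
    # correct sector keys but an overwritten data block: fails at the first (Kid) check
    tampered = personalize(b"\x04\xa1\xb2\xc3", ku, kd, tid)
    tampered.data_blocks[(1, 1)] = bytes(16)
    other = personalize(b"\x04\xd4\xe5\xf6", ku, kd, tid)        # different KID, same KU
    return {
        "genuine": reader.authenticate(genuine, 1, 1),
        "foreign": reader.authenticate(foreign, 1, 1),
        "tampered": reader.authenticate(tampered, 1, 1),
        # the same KU yields a different Ku1 per card because the KID differs
        "ku1_differs": genuine.key_blocks[1]["A"] != other.key_blocks[1]["A"],
    }


if __name__ == "__main__":
    print(run_demo())
```

Because the KID is read in the clear in S501, the scheme is a master-key diversification: every card-specific key is recomputable by anyone holding KU, KD and TID, so the protection the text claims depends entirely on those three values never leaving the read-write device. The example therefore keeps them in the Reader object only and lets the Card hold nothing but the diversified results.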
Fig. 6 is a schematic structural diagram of an authentication apparatus for an electronic medium according to an embodiment of the present application, which is applied to a read/write device, and corresponds to the embodiment of the method shown in fig. 1, where the apparatus includes:
a first obtaining module 601, configured to obtain a media identifier KID of an electronic medium to be authenticated;
a first encryption module 602, configured to encrypt the key KU stored by the apparatus itself with the KID as the key, to obtain an authentication key Ku1;
a sending module 603, configured to send the Ku1 to the electronic medium;
a receiving module 604, configured to receive a confirmation message sent by the electronic medium and to determine that the electronic medium passes authentication, where the confirmation message is a message generated by the electronic medium when the authentication key Ku2 it stores is identical to the Ku1.
On the basis of the embodiment shown in fig. 6, the present application also provides the embodiment shown in fig. 7, and the embodiment shown in fig. 7 is an improvement of the embodiment shown in fig. 6, and the unmodified part is the same as the embodiment shown in fig. 6. The embodiment shown in fig. 7 corresponds to the embodiment of the method shown in fig. 2. The apparatus may further include:
a second encryption module 605, configured to encrypt, after the electronic medium has passed authentication, the first data KD for identity verification stored by the apparatus itself with the KID as the key, so as to obtain an encryption key Kd;
a determining module 606, configured to determine a target field;
a third encryption module 607, configured to encrypt the target field with the Kd as the key, to obtain authentication data Ke1;
a reading module 608, configured to read authentication data Ke2 from the electronic medium;
a verification module 609, configured to obtain an authentication result for the electronic medium according to the Ke1 and the Ke2.
In a specific implementation of the embodiment shown in fig. 7, the determining module 606 is specifically configured to determine the KID as the target field, or to determine the second data TID for identity verification stored by the apparatus itself as the target field.
In a specific implementation manner of the embodiment shown in fig. 7, the verification module 609 may include:
a first judging sub-module (not shown in the figure), configured to judge whether the Ke1 is the same as the Ke2 when the target field is the KID;
a first encryption sub-module (not shown in the figure), configured to encrypt the TID with the Kd as the key when the Ke1 is the same as the Ke2, to obtain characteristic data Tid1;
a first reading sub-module (not shown in the figure), configured to read characteristic data Tid2 from the electronic medium;
a first verification sub-module (not shown in the figure), configured to determine that the electronic medium passes authentication when the Tid1 is the same as the Tid2.
In a specific implementation manner of the embodiment shown in fig. 7, the verification module 609 may include:
a second judging sub-module (not shown in the figure), configured to judge whether the Ke1 is the same as the Ke2 when the target field is the TID;
a second encryption sub-module (not shown in the figure), configured to encrypt the KID with the Kd as the key when the Ke1 is the same as the Ke2, to obtain identification data Kid1;
a second reading sub-module (not shown in the figure), configured to read identification data Kid2 from the electronic medium;
a second verification sub-module (not shown in the figure), configured to determine that the electronic medium passes authentication when the Kid1 is the same as the Kid2.
In a specific implementation of the embodiment shown in fig. 7, the KU may be stored in the apparatus's own random access memory (RAM); and/or the KD may be stored in its own RAM; and/or the TID may be stored in its own RAM.
In a specific implementation of the embodiment shown in fig. 7, the apparatus may further include a second obtaining module and a decryption module (not shown in the figure):
the second obtaining module, configured to obtain a first encrypted information group from a server, where the first encrypted information group is the group obtained by the server encrypting the first target information it stores with the device identifier UID of the read-write device as the key;
the decryption module, configured to decrypt the first encrypted information group with the UID as the key to obtain the first target information and to store it, where the first target information comprises at least one of the KU, the KD and the TID.
In a specific implementation of the embodiment shown in fig. 7, the apparatus may further include:
and the processing module (not shown in the figure) is used for processing the data area of the electronic medium by taking the Kd as a key after the electronic medium is authenticated.
Since the device embodiment is obtained based on the method embodiment and has the same technical effect as the method, the technical effect of the device embodiment is not described herein again. For the apparatus embodiment, since it is substantially similar to the method embodiment, it is described relatively simply, and reference may be made to some descriptions of the method embodiment for relevant points.
Fig. 8 is an authentication system for an electronic medium according to an embodiment of the present application, where the system includes: a read-write device 801 and an electronic medium 802, the read-write device in this embodiment may include the read-write device in the embodiment shown in fig. 1.
The read-write device 801 is configured to obtain the medium identifier KID of the electronic medium 802 to be authenticated; encrypt the key KU stored by the read-write device itself with the KID as the key to obtain an authentication key Ku1; send the Ku1 to the electronic medium 802; and receive a confirmation message sent by the electronic medium 802 and determine that the electronic medium 802 passes authentication;
the electronic medium 802 is configured to receive the Ku1 sent by the reader/writer device 801, generate a confirmation message when an authentication key Ku2 stored in the electronic medium is the same as the Ku1, and send the confirmation message to the reader/writer device 801.
The medium identifier may be a number for identifying the electronic medium.
Specifically, when obtaining the KID, the read-write device 801 may directly read the KID of the electronic medium 802 to be authenticated. More specifically, the read-write device may first send a read instruction for the KID to the electronic medium 802 to be authenticated; when the electronic medium 802 receives the read instruction, it sends the KID it stores to the read-write device 801, and the read-write device 801 receives the KID sent by the electronic medium 802.
It should be noted that the electronic medium in this embodiment may adopt cards such as an MF1 card, a CPU card, and a PSAM card, and when the read-write device performs an interactive operation with the electronic medium, the read-write device may call an APDU instruction or a TPDU instruction to complete an interactive process. In the subsequent steps of this embodiment, the interactive process between the read-write device and the electronic medium may also be completed by using an APDU instruction or a TPDU instruction.
In this embodiment, in order to improve the security of the authentication process, the KU may be a key that the read-write device obtains, when it is powered on, from the server that manages the read-write device, and then stores. The KU may be stored in the random access memory (RAM) of the read-write device itself. In this embodiment the read-write device thus obtains the KU from the server at power-up and loses it from its RAM at power-down. Therefore, even if an attacker steals the read-write device, the KU cannot be obtained from it, and consequently the authentication key cannot be obtained either, so that the security of the authentication process is improved.
As another specific embodiment, the KU may be a default key stored in the read-write device, or a key obtained from the server and then stored in the read-write device. The KU may be stored in the Flash memory area of the read-write device, in an encryption chip, or in a PSAM card. Data stored in the Flash area, the encryption chip or the PSAM card is not lost when power is turned off, so the read-write device does not need to obtain the KU from the server again after it has obtained and stored it once.
It can be understood that the read-write device in this embodiment does not directly store the authentication key of the electronic medium, so an attacker who obtains the read-write device is prevented from extracting the authentication key from it.
When the read-write device 801 encrypts the key KU stored in itself by using the KID as the key, the encryption algorithms such as shift, exclusive or and the like may be adopted, and the encryption algorithms such as DES, 3DES (Triple DES, Triple data encryption standard), AES and the like may also be adopted, which is not specifically limited in this application.
In this embodiment, the KU may be the same for different electronic media. It can be understood that, in this embodiment, since the media identifications KID corresponding to different electronic media are different, even if the KU stored in the read-write device itself is the same, the obtained authentication keys are different, and it can be ensured that the authentication keys corresponding to different electronic media are different.
It should be noted that the KU may be different for different operators that use the read/write device to provide services for the user. For example, the KU used may be different between an operator for providing access service and an operator for providing subway service.
In addition, since the electronic medium may include multiple sectors or multiple directories, each of which may be used to provide a different kind of service, a user may access different sectors or directories, and different sectors or directories may correspond to different authentication keys. Correspondingly, the KU may be a set of multiple keys. Therefore, when encrypting the KU stored in the read-write device 801 with the KID as the key, the read-write device 801 may determine a first identifier of the electronic medium to be authenticated, determine the target key corresponding to the first identifier from the KU it stores, and encrypt the target key with the KID as the key to obtain the authentication key Ku1. The first identifier may be a sector identifier or a directory identifier, and the KU is then a set of keys indexed by the first identifier.
Specifically, the read-write device may also receive a negative confirmation message sent by the electronic medium and determine that the electronic medium fails authentication. The negative confirmation message is a message generated by the electronic medium when Ku2 differs from Ku1.
Further, the electronic medium may be pre-loaded with the authentication key Ku2, where Ku2 is the key obtained by encrypting the key KU with the medium identifier KID of the electronic medium as the key. When the electronic medium is an electronic product issued in cooperation with the read-write device, the Ku2 in the electronic medium is the same as the Ku1 obtained by the read-write device, and the read-write device then passes the authentication of the electronic medium.
If the electronic medium is forged, then, since an attacker can hardly recover the KU from the read-write device, the authentication key inside a genuine electronic medium is hard to copy; when Ku2 differs from Ku1 the read-write device refuses to pass the authentication of the electronic medium, so no read-write authority over the electronic medium is obtained and the security of the user data in the electronic medium is ensured.
As a specific implementation, the authentication process provided by this embodiment may allow the electronic medium to fail authentication for a preset number of times within a preset time duration. And if the authentication failure times of the electronic medium exceed the preset number of times within the preset time length, refusing to authenticate the electronic medium.
As can be seen from the above, in the authentication system for an electronic medium provided in this embodiment, the read-write device may obtain the medium identifier KID of the electronic medium to be authenticated and encrypt the key KU stored in the read-write device with the KID as the key to obtain an authentication key Ku1; the Ku1 is sent to the electronic medium, and the electronic medium is determined to pass authentication on receipt of a confirmation message from it, where the confirmation message is generated when the authentication key Ku2 stored by the electronic medium is the same as Ku1. The authentication key used for authentication is not stored in the read-write device; instead, after the medium identifier of the electronic medium is obtained, the key stored by the read-write device is encrypted with the medium identifier as the key to produce the authentication key, so that the authentication keys obtained for different electronic media are different. Therefore, with the electronic medium authentication method provided by this embodiment, the authentication key does not need to be stored in the read-write device, and the authentication key obtained for each electronic medium is different, so that the security of the authentication process is improved.
Meanwhile, the embodiment does not need to increase any hardware cost, and the read-write equipment does not need to use a PSAM card or an encryption chip, so that the hardware cost can be reduced.
In order to further verify the identity of the electronic medium and improve the security of the electronic medium during the use process, in a specific implementation manner of the embodiment shown in fig. 8, the read-write device 801 may further be configured to:
after the electronic medium has passed authentication, encrypt the first data KD for identity verification stored by the read-write device itself with the KID as the key to obtain an encryption key Kd; determine a target field and encrypt the target field with the Kd as the key to obtain authentication data Ke1; read authentication data Ke2 from the electronic medium; and obtain an authentication result for the electronic medium according to the Ke1 and the Ke2.
In this embodiment, in order to improve the security of the authentication process, the KD may be data that the read-write device obtains, when it is powered on, from the server that manages the read-write device, and then stores. The read-write device may store the KD in its own RAM. In this embodiment the read-write device thus obtains the KD from the server at power-up, and the KD in its RAM is lost at power-down. Therefore, even if an attacker steals the read-write device, the KD cannot be obtained from it, and consequently the encryption key Kd cannot be obtained either, so that the security of the authentication key is improved.
As another specific embodiment, the KD may be default data stored in the read-write device, or data obtained from the server and then stored in the read-write device. The KD may be stored in the Flash area of the read-write device, in an encryption chip, or in a PSAM card. Since data stored in such a storage area is not lost after power-off, the read-write device does not need to obtain the KD from the server again after it has obtained and stored it once.
When the KID is used as the key to encrypt the first data KD stored in the device, encryption algorithms such as shift, exclusive or and the like may be adopted, and encryption algorithms such as DES, 3DES, AES and the like may also be adopted, which is not specifically limited in this application.
In this embodiment, the KD may be the same for different electronic media. It can be understood that, since the medium identifiers KID of different electronic media differ, the encryption keys Kd obtained from the same KD stored in the read-write device still differ, so that the encryption keys corresponding to different electronic media are guaranteed to be different.
It should be noted that the KD may be different for different operators. For example, an operator for providing access service and an operator for providing subway service, KD used may be different.
In addition, since the electronic medium may include multiple sectors or directories that a user may access, and these may correspond to different encryption keys Kd, the KD may correspondingly be a set of multiple first data. Therefore, when encrypting the KD with the KID, the read-write device may determine a first identifier of the electronic medium to be authenticated, determine the target first data corresponding to the first identifier from the KD, and encrypt the target first data with the KID as the key to obtain the encryption key Kd. The first identifier may be a sector identifier or a directory identifier, and the KD is then a set of first data indexed by the first identifier.
Specifically, when determining the target field, the KID may be determined as the target field, or the second data TID for identity verification stored by the read-write device itself may be determined as the target field.
The KID may be a signature code assigned to each operator by a manufacturer's key issuing system, and different operators may correspond to different KIDs.
In order to improve the security of the authentication process, the TID may be data that the read-write device obtains from the server when it is powered on and then stores. The TID may be stored in the RAM of the read-write device itself. In this embodiment the read-write device thus obtains the TID from the server at power-up, and the TID in its RAM is lost at power-down. Therefore, even if an attacker steals the read-write device, the TID cannot be obtained from it, and consequently the authentication data cannot be obtained either, so that the security of the authentication data is improved.
As another specific embodiment, the TID may be default data stored in the read-write device, or data obtained from the server and then stored in the read-write device. The TID may be stored in the Flash area of the read-write device, in an encryption chip, or in a PSAM card. Since data stored in such a storage area is not lost after power-off, the read-write device does not need to obtain the TID from the server again after it has obtained and stored it once.
When the Kd is used as a key to encrypt the target field, encryption algorithms such as shift, exclusive or and the like may be used, and encryption algorithms such as DES, 3DES, AES and the like may also be used, which is not specifically limited in this application.
It should be noted that after passing authentication of the electronic medium, the read-write authority of the electronic medium can be obtained, so that data information can be read from the electronic medium.
In this embodiment, the electronic medium may include a key area and a data area. The key area is used for storing authentication keys, and the data area is used for storing user data. The Ke2 may be stored in the data area. The read-write apparatus can read Ke2 from the data area when reading Ke2 from the electronic medium.
Further, the electronic medium may be pre-loaded with the authentication data Ke2, where Ke2 is the data obtained by encrypting the target field with Kd as the key, and Kd is the key obtained by encrypting the first data KD for identity verification with the medium identifier KID of the electronic medium as the key. When the electronic medium is an electronic product issued in cooperation with the read-write device, the Ke2 read from the electronic medium is the same as the Ke1 computed by the read-write device, and the read-write device then passes the authentication of the electronic medium.
Specifically, the APDU command or the TPDU command may be called to read the authentication data Ke2 from the electronic medium.
Specifically, obtaining the authentication result for the electronic medium according to the Ke1 and the Ke2 may include: determining that the electronic medium passes authentication when the Ke1 is the same as the Ke2, and determining that the electronic medium fails authentication when the Ke1 differs from the Ke2.
In this embodiment, when an attacker wants to forge the electronic medium, the attacker can hardly recover the KD from the read-write device, hence cannot obtain Kd, and hence can hardly copy the authentication data for the electronic medium; when Ke2 differs from Ke1 the read-write device refuses to pass the authentication of the electronic medium and further refuses to perform other processing operations on the data area of the electronic medium, thereby ensuring the security of the user data in the electronic medium.
In summary, in the present embodiment, after the electronic medium has passed authentication, the read-write device encrypts the first data KD with the KID as the key to obtain the encryption key Kd, encrypts the target field with Kd as the key to obtain the authentication data Ke1, reads the authentication data Ke2 from the electronic medium, and obtains an authentication result for the electronic medium according to Ke2 and Ke1. The authentication data is not stored directly in the read-write device; it is produced only after the encryption key Kd has been obtained, by encrypting the target field with Kd as the key. Therefore, with the electronic medium authentication method provided by this embodiment, the authentication data does not need to be stored in the read-write device, and the authentication data obtained for each electronic medium is different, so that the electronic medium can be further authenticated and its security during use is improved.
In order to further improve the accuracy of the identity authentication, in a specific implementation manner of the embodiment shown in fig. 8, the read-write device 801 may specifically be configured to:
when the target field is the KID and the Ke1 is the same as the Ke2, encrypt the TID with the Kd as the key to obtain characteristic data Tid1; read characteristic data Tid2 from the electronic medium; and determine that the electronic medium passes authentication when the Tid1 is the same as the Tid2.
When the Ke1 is the same as the Ke2, it indicates that the read-write device has passed the first authentication of the electronic medium at this time, and a subsequent second authentication may be performed. When the Ke1 is different from the Ke2, the read-write equipment directly determines that the electronic medium fails to be authenticated, and refuses to perform other processing operations on the data area of the electronic medium.
When the read-write device 801 encrypts the TID using Kd as the key, it may use encryption algorithms such as shift, exclusive or, etc., or may use encryption algorithms such as DES, 3DES, AES, etc., which is not specifically limited in this application.
In this embodiment, the Tid2 may be stored in the data area of the electronic medium. When reading Tid2 from the electronic medium, the read-write device can read Tid2 from the data area.
Further, the electronic medium may be pre-loaded with the characteristic data Tid2, where Tid2 is the data obtained by encrypting the TID with Kd as the key, and Kd is the key obtained by encrypting the first data KD for identity verification with the medium identifier KID of the electronic medium as the key. When the electronic medium is an electronic product issued in cooperation with the read-write device, the Tid2 read from the electronic medium is the same as the Tid1 computed by the read-write device, and the read-write device then passes the second authentication of the electronic medium.
Specifically, the read-write device 801 may call an APDU command or a TPDU command to read the characteristic data Tid2 from the electronic medium.
When Tid1 is the same as Tid2, the read-write device 801 determines that the electronic medium is authenticated, and then may further perform other processing operations on the data area of the electronic medium. When the Tid1 is different from the Tid2, the read-write device 801 determines that the electronic medium fails to be authenticated, and refuses to perform other processing operations on the data area of the electronic medium.
In this embodiment, an attacker cannot obtain Kd and thus cannot obtain the characteristic data. When the Tid2 differs from the Tid1, the read-write device refuses to pass the authentication of the electronic medium and further refuses to perform other processing operations on the data area of the electronic medium, so that the security of the user data in the electronic medium is improved.
It can be seen that, in this embodiment, the KD may be encrypted with the KID as the key to obtain Kd, the KID may be encrypted with Kd as the key to obtain the authentication data Ke1, and Ke1 may be compared with the Ke2 read from the electronic medium; if Ke1 is the same as Ke2, the TID may further be encrypted with Kd as the key to obtain Tid1, Tid1 may be compared with the Tid2 read from the electronic medium, and the electronic medium may be determined to pass authentication when Tid1 is the same as Tid2. In other words, in this embodiment the electronic medium is authenticated twice, and since the authentication data and the characteristic data used in the two authentications are not stored in the read-write device and differ for different electronic media, this embodiment improves the accuracy of the authentication of the electronic medium and further improves the security of the user data in the electronic medium.
In order to further improve the accuracy of the identity authentication, in a specific implementation manner of the embodiment shown in fig. 8, the read-write device 801 may specifically be configured to:
when the target field is the TID and the Ke1 is the same as the Ke2, encrypt the KID with the Kd as the key to obtain identification data Kid1; read identification data Kid2 from the electronic medium; and determine that the electronic medium passes authentication when the Kid1 is the same as the Kid2.
When the Ke1 is the same as the Ke2, the first authentication of the electronic medium has passed and the subsequent second authentication may be performed. When the Ke1 differs from the Ke2, the read-write device 801 directly determines that the electronic medium fails authentication and refuses to perform other processing operations on the data area of the electronic medium.
When the KID is encrypted by using Kd as the key, the read-write device 801 may use encryption algorithms such as shift, exclusive or and the like, and may also use encryption algorithms such as DES, 3DES, AES and the like, which is not specifically limited in this application.
In this embodiment, the Kid2 can be stored in the data area of the electronic medium. The read/write device 801 can read Kid2 from the data area when reading Kid2 from the electronic medium.
Further, the electronic medium 802 may be pre-loaded with the identification data Kid2, where Kid2 is the data obtained by encrypting the KID with Kd as the key, and Kd is the key obtained by encrypting the first data KD for identity verification with the medium identifier KID of the electronic medium as the key. When the electronic medium is an electronic product issued in cooperation with the read-write device, the Kid2 read from the electronic medium is the same as the Kid1 computed by the read-write device, and the read-write device then passes the second authentication of the electronic medium.
Specifically, the read-write apparatus 801 may call an APDU command or a TPDU command to read the identification data Kid2 from the electronic medium.
When Kid1 is the same as Kid2, the reader 801 determines that the electronic medium is authenticated, and then may perform other processing operations on the data area of the electronic medium. When the Kid1 is different from the Kid2, the read-write device 801 determines that the electronic medium is not authenticated and refuses to perform other processing operations on the data area of the electronic medium.
In this embodiment, an attacker cannot obtain Kd and thus cannot obtain the identification data. When the Kid2 differs from the Kid1, the read-write device 801 refuses to pass the authentication of the electronic medium and further refuses to perform other processing operations on the data area of the electronic medium, so that the security of the user data in the electronic medium is improved.
It can be seen that the read-write device in this embodiment may encrypt the KD with the KID as the key to obtain Kd, encrypt the TID with Kd as the key to obtain the authentication data Ke1, and compare Ke1 with the Ke2 read from the electronic medium; if Ke1 is the same as Ke2, it may further encrypt the KID with Kd as the key to obtain Kid1, compare Kid1 with the Kid2 read from the electronic medium, and determine that the electronic medium passes authentication when Kid1 is the same as Kid2. In other words, in this embodiment the electronic medium is authenticated twice, and since the authentication data and the identification data used in the two authentications are not stored in the read-write device and differ for different electronic media, this embodiment improves the accuracy of the authentication of the electronic medium and further improves the security of the user data in the electronic medium.
On the basis of the embodiment shown in fig. 8, the present application also provides the embodiment shown in fig. 9, and the embodiment shown in fig. 9 is an improvement of the embodiment shown in fig. 8, and the unmodified part is the same as the embodiment shown in fig. 8. The system may further comprise: a server 803;
the server 803 is configured to encrypt the first target information stored in the server with the device key UID of the read-write device 801 as a key to obtain a first encrypted information group; wherein the first target information comprises at least one of the KU, the KD and the TID;
the read-write device 801 is further configured to obtain the first encrypted information group from the server, decrypt the first encrypted information group with the UID as a key, obtain the first target information, and store the first target information.
Specifically, to obtain the first encrypted information group from the server 803, the read-write device 801 sends an acquisition request to the server, and the server sends the first encrypted information group in response. The request may be sent each time the read-write device 801 is powered on. In that case the first target information held in the read-write device is lost at power-off and re-obtained from the server at power-on, so the read-write device holds no first target information while powered off, which improves the security of the electronic medium authentication process.
Further, the server 803 may obtain the UID of the read-write device in advance, and encrypt the first target information stored in the server with the UID as a key to obtain the first encrypted information group. In this embodiment, when the server transmits the first target information to the read-write device, the first target information is not transmitted in a plaintext form, but is transmitted in a ciphertext form, so that the security of the first target information is improved.
It should be noted that, when the server encrypts the first target information stored in the server by using the UID as a key, the server may use encryption algorithms such as shift, xor, and the like, and may also use encryption algorithms such as DES, 3DES, AES, and the like, which is not specifically limited in this application.
It can be understood that, since the UIDs of different read-write devices are different, the obtained first encrypted information group is also different, which can further improve the security of information.
Specifically, the first target information may be stored in a Flash area, an encryption chip or a PSAM card of the read-write device, or in RAM. When it is stored in RAM, it is lost when the read-write device is powered off, which prevents an attacker who obtains the read-write device from extracting the first target information and so improves the security of the information.
It should be noted that, when the read-write device decrypts the first encrypted information group by using the UID as a key, the read-write device may use a decryption algorithm corresponding to the encryption algorithm used by the server for encryption, so as to ensure that the first target information is obtained from the first encrypted information group.
Therefore, in this embodiment, the read-write device obtains the first target information in the form of a ciphertext when obtaining the first target information from the server, and the first encrypted information obtained by taking the UID as a key is different for different read-write devices, so that the security of the information in the transmission process can be improved.
In a specific implementation manner of the embodiment shown in fig. 9, the server 803 is further configured to obtain a second encrypted information group from a key issuing system, decrypt the second encrypted information group with its own device identification YID as a key, obtain the first target information, and store the first target information; wherein the second encryption information group is: and the key issuing system encrypts the first target information by using the YID as a key to obtain an encrypted information group.
Specifically, when the second encrypted information group is obtained from the key issuing system, the server may first send an obtaining request for obtaining the second encrypted information group, and the key issuing system may send the second encrypted information group to the server after receiving the obtaining request. It is possible that the server may obtain the second set of encrypted information via a real-time network or via mail or an encrypted envelope, for example.
When encrypting the first target information using YID as a key, the key issuing system may use an encryption algorithm such as shift, exclusive or, etc., may use an encryption algorithm such as DES, 3DES, AES, etc., or may use an algorithm such as RSA, ECC, SM2, etc.
When the server decrypts the second encrypted information group by using the YID as the key, the server may decrypt the second encrypted information group by using a decryption algorithm corresponding to the encryption algorithm used by the key issuing system, so that it is possible to ensure that the first target information is obtained from the second encrypted information group.
Further, the key issuing system may obtain the YID of the server in advance. The YID may be a network card number of the server or a hard disk number of the server, and is used to identify the server.
As can be seen, in this embodiment, the server 803 obtains the first target information from the key issuing system in a ciphertext form, which can improve the security of the first target information during transmission.
In a specific implementation manner of the embodiment shown in fig. 9, the second encryption information group may include:
when the first target information comprises the TID, information D1 obtained by encrypting the TID by taking the YID as a key;
when the first target information comprises the KU, information D2 obtained by encrypting a first information string C1 by using the YID as a key, wherein the C1 is an information string obtained by encrypting the KU by using the TID as a key;
and when the first target information comprises the KD, information D3 obtained by encrypting a second information string C2 by using the YID as a key, wherein the C2 is the information string obtained by encrypting the KD by using the TID as a key.
The D1, D2 and D3 are expressed by the following formulas:
D1=Encrypt(YID,TID);
D2=Encrypt(YID,Encrypt(TID,KU)),C1=Encrypt(TID,KU);
D3=Encrypt(YID,Encrypt(TID,KD));
wherein Encrypt (X1, X2) represents the result of encrypting X2 with X1 as the key.
The server 803 may be specifically configured to:
when the first target information comprises the TID, decrypting the D1 by taking the YID as a key to obtain and store the TID;
when the first target information comprises the KU, decrypting the D2 with the YID as a key to obtain the C1, decrypting the C1 with the TID as a key to obtain and store the KU;
when the first target information comprises the KD, decrypting the D3 by taking the YID as a key to obtain the C2, decrypting the C2 by taking the TID as a key to obtain and store the KD.
The TID, KU and KD obtaining process is expressed by a formula as follows:
TID=Decrypt(YID,D1)=Decrypt(YID,Encrypt(YID,TID));
C1=Decrypt(YID,D2)=Decrypt(YID,Encrypt(YID,Encrypt(TID,KU)))=Encrypt(TID,KU);
KU=Decrypt(TID,C1)=Decrypt(TID,Encrypt(TID,KU));
C2=Decrypt(YID,D3)=Decrypt(YID,Encrypt(YID,Encrypt(TID,KD)))=Encrypt(TID,KD);
KD=Decrypt(TID,C2)=Decrypt(TID,Encrypt(TID,KD)).
here, Encrypt (X1, X2) indicates a result obtained by encrypting X2 with X1 as a key, and Decrypt (Y1, Y2) indicates a result obtained by decrypting Y2 with Y1 as a key.
It can be seen that in the present embodiment the second encryption information group transmitted between the key issuing system and the server is protected by two layers of encryption, with YID as the outer key and TID as the inner key for KU and KD, so that recovering KU or KD from D2 or D3 alone requires both YID and TID. This improves the security of the server when obtaining the first target information. Note, however, that D1 carries TID under YID alone, so an attacker who holds YID and intercepts all three of D1, D2 and D3 can recover TID and then KU and KD; the inner layer only helps when D1 is delivered separately.
In a specific implementation of the embodiment shown in fig. 9, the system may further include: the issuing device 804.
The issuing device 804 is configured to encrypt second target information stored in the issuing device with the KID as a key to obtain a third encrypted information group, and send the third encrypted information group to the electronic medium 802; wherein the second target information includes at least one of the KU, the KD and the TID, and the third encrypted information set includes: at least one of Ku2, Kid2 and Tid 2.
Wherein Ku2 is: an authentication key obtained after encrypting the KU with the KID as a key; the Kid2 is: an identification key obtained after encrypting the KID with the Kd as a key; the Kd is: an encryption key obtained after encrypting the KD by taking the KID as a key; the Tid2 is as follows: and a characteristic key obtained after encrypting the TID by taking the Kd as a key.
The electronic medium 802 is configured to receive the third encrypted information group sent by the issuing apparatus 804, and store the third encrypted information group.
The Ku2, Kid2, Kd and Tid2 are expressed by the following formula:
Ku2=Encrypt(KID,KU);
Kid2=Encrypt(Kd,KID),Kd=Encrypt(KID,KD);
Tid2=Encrypt(Kd,TID);
wherein Encrypt (X1, X2) represents the result of encrypting X2 with X1 as the key.
Specifically, the issuing device 804 may be specifically configured to determine an initial authentication key of the electronic medium, send the initial authentication key to the electronic medium, receive a confirmation message sent by the electronic medium, and determine that the initial authentication of the electronic medium is passed;
the electronic medium 802 may be specifically configured to receive an initial authentication key sent by the issuing device, generate a confirmation message when the initial authentication key stored in the electronic medium is the same as the received initial authentication key, and send the confirmation message to the issuing device.
It is understood that, when the electronic medium is initially authenticated, the issuing device may obtain the authentication key modification right and the read-write right for the electronic medium, and may fill the third encrypted information group into the electronic medium. Specifically, the electronic medium may store Ku2 in the key area and Kid2 and Tid2 in the data area when storing the third encryption information set.
In the present system, the second target information may be identical to the first target information, so that the authentication process of the electronic medium issued by the issuing device by the read/write device can be ensured to be performed smoothly.
It can be seen that, in the present embodiment, the issuing device may transmit the third encryption information set to the electronic medium, and the electronic medium receives and stores the third encryption information set, and since the third encryption information set may include at least one of Ku2, Kid2, Tid2, the present embodiment can implement the filling of the electronic medium key information.
In a specific implementation manner of the embodiment shown in fig. 9, the issuing device 804 is further configured to obtain a fourth encrypted information group from the key issuing system, decrypt the fourth encrypted information group with its own device identification FID as a key, obtain the second target information, and store the second target information; wherein the fourth encryption information group is: and the key issuing system encrypts the second target information by using the FID as a key to obtain an encrypted information group.
The FID is information for identifying an issuing device, and may be the factory number of the CPU. The FIDs of different issuing devices are different. The key issuing system may read the FID from the CPU in the issuing apparatus.
Specifically, when the issuing apparatus obtains the fourth encrypted information group from the key issuing system, an obtaining request for obtaining the fourth encrypted information group may be sent to the key issuing system, and the key issuing system may send the fourth encrypted information group to the issuing apparatus after receiving the obtaining request.
In this embodiment, the key issuing system sends the second target information to the issuing apparatus not in the clear but after encrypting the second target information using the FID of the issuing apparatus as a key, thereby preventing information leakage during transmission.
The key issuing system is configured to send first target information to the server and second target information to the issuing apparatus. The key issuing system may obtain the first object information and the second object information from the database.
It is understood that the fourth encrypted information group can be obtained by encrypting the second target information with the FID as the key, and since the FIDs of different issuing apparatuses are different, the obtained fourth encrypted information group is also different, which can further improve the security of the information.
It should be noted that, when encrypting the second target information with the FID as the key, the key issuing system may use encryption algorithms such as shift, exclusive or, and the like, and may also use encryption algorithms such as DES, 3DES, AES, and the like, which is not limited in this application.
When the issuing device decrypts the fourth encrypted information group using the FID as the key, it may use the decryption algorithm corresponding to the encryption algorithm used by the key issuing system when encrypting the fourth encrypted information group, so that the second target information is obtained from the fourth encrypted information group.
It can be seen that, in the present embodiment, the second target information obtained by the issuing device from the key issuing system is obtained in the form of a ciphertext, and the fourth encrypted information obtained by using the FID as the key is different for different issuing devices, which can improve the security of the information during transmission.
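The whole key hierarchy of figs. 8 and 9 in one runnable model, added here as a worked example that is not part of the patent: the key issuing system wraps TID, KU and KD for the server (D1, D2, D3 under YID and TID), the server re-wraps them for the read-write device under its UID, the key issuing system wraps the same material for the issuing device under its FID, the issuing device personalises a medium (Ku2, Kd, Kid2, Tid2 under KID), and the read-write device then performs the first authentication followed by the two comparisons of claim 5 (target field = TID). Assumptions, all mine and not from the page: Encrypt/Decrypt are a 4-round Feistel network built on HMAC-SHA256, standing in for the DES/3DES/AES the page allows; every key and identifier is a 16-byte value; the sample values are constructed from fixed labels rather than taken from any real deployment.

```python
"""Model of the CN108632036A key hierarchy (added example, not the patent's code):
key issuing system -> server (YID, TID) -> read-write device (UID);
key issuing system -> issuing device (FID) -> medium (KID);
then the read-write device's two-stage authentication of the medium."""
import hashlib
import hmac

BLOCK = 16  # assumption: every key and identifier is a 16-byte value


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed PRF over (round number || half-block)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def encrypt(key: bytes, data: bytes) -> bytes:
    """Encrypt(X1, X2) of the page: X2 encrypted under key X1. Stand-in cipher:
    a 4-round Feistel network over a 16-byte block, used instead of the
    DES/3DES/AES the page allows. Any keyed invertible cipher gives the same structure."""
    assert len(data) == BLOCK
    left, right = data[:8], data[8:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(key, rnd, right)))
    return right + left  # final swap so decrypt() runs the same rounds in reverse


def decrypt(key: bytes, data: bytes) -> bytes:
    """Decrypt(Y1, Y2) of the page: inverse of encrypt() under the same key."""
    assert len(data) == BLOCK
    right, left = data[:8], data[8:]
    for rnd in reversed(range(4)):
        right, left = left, bytes(a ^ b for a, b in zip(right, _f(key, rnd, left)))
    return left + right


def ident(name: str) -> bytes:
    """Constructed, deterministic 16-byte sample values (not real key material)."""
    return hashlib.sha256(name.encode()).digest()[:BLOCK]


# --- key issuing system -> server: second encrypted information group (D1, D2, D3) ---
def issue_to_server(YID, TID, KU, KD):
    C1, C2 = encrypt(TID, KU), encrypt(TID, KD)
    return {"D1": encrypt(YID, TID), "D2": encrypt(YID, C1), "D3": encrypt(YID, C2)}


def server_unwrap(YID, group):
    TID = decrypt(YID, group["D1"])              # TID first: it keys the inner layer
    KU = decrypt(TID, decrypt(YID, group["D2"]))
    KD = decrypt(TID, decrypt(YID, group["D3"]))
    return {"KU": KU, "KD": KD, "TID": TID}


# --- server -> read-write device (UID) and key issuing system -> issuing device (FID):
# first / fourth encrypted information group, a single layer under the device identifier ---
def wrap_for_device(device_id, target):
    return {k: encrypt(device_id, v) for k, v in target.items()}


def unwrap_on_device(device_id, group):
    return {k: decrypt(device_id, v) for k, v in group.items()}


# --- issuing device -> medium: third encrypted information group (Ku2, Kid2, Tid2) ---
def personalize_medium(KID, target):
    Kd = encrypt(KID, target["KD"])              # Kd = Encrypt(KID, KD)
    return {"KID": KID,                          # medium identification, readable by the reader
            "Ku2": encrypt(KID, target["KU"]),   # key area
            "Kid2": encrypt(Kd, KID),            # data area
            "Tid2": encrypt(Kd, target["TID"])}  # data area


def medium_confirms(medium, Ku1):
    """Medium side of the first authentication: confirm only if Ku1 equals stored Ku2."""
    return hmac.compare_digest(medium["Ku2"], Ku1)


def reader_authenticates(reader, medium):
    """Read-write device side: first authentication, then the two comparisons of
    claim 5 (target field = TID). True only when every comparison matches."""
    KID = medium["KID"]
    if not medium_confirms(medium, encrypt(KID, reader["KU"])):   # Ku1 sent to the medium
        return False
    Kd = encrypt(KID, reader["KD"])
    Ke1 = encrypt(Kd, reader["TID"])
    if not hmac.compare_digest(Ke1, medium["Tid2"]):              # Ke2 read from the data area
        return False
    Kid1 = encrypt(Kd, KID)
    return hmac.compare_digest(Kid1, medium["Kid2"])              # Kid2 read from the data area


def run_scenario():
    """Full chain on constructed values. Returns (genuine medium accepted,
    medium issued under different KU/KD/TID accepted)."""
    master = {"KU": ident("KU"), "KD": ident("KD"), "TID": ident("TID")}
    YID, UID, FID = ident("server-YID"), ident("reader-UID"), ident("issuer-FID")
    # server obtains the first target information and re-wraps it for the reader
    on_server = server_unwrap(YID, issue_to_server(YID, master["TID"], master["KU"], master["KD"]))
    reader = unwrap_on_device(UID, wrap_for_device(UID, on_server))
    # issuing device obtains the second target information and personalises media
    issuer = unwrap_on_device(FID, wrap_for_device(FID, master))
    genuine = personalize_medium(ident("card-0001"), issuer)
    foreign = personalize_medium(ident("card-0002"),
                                 {"KU": ident("KU'"), "KD": ident("KD'"), "TID": ident("TID'")})
    return reader_authenticates(reader, genuine), reader_authenticates(reader, foreign)


if __name__ == "__main__":
    print(run_scenario())
```

run_scenario() returns (True, False): the medium personalised from the same KU, KD and TID is accepted, and one personalised from different material is refused already at the first authentication. Two caveats follow directly from the page's own formulas. First, if Encrypt is the plain XOR the page also lists as acceptable, then Kd = KID XOR KD and Kid2 = Kd XOR KID = KD, so the medium would store KD in the clear in its data area; only a keyed block cipher such as the AES the page also lists gives the layering any meaning. Second, the comparisons above use hmac.compare_digest rather than ==, so the reader's accept/refuse decision does not leak timing information about Ke2 or Kid2 to someone presenting forged values.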
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for system embodiments, since they are substantially similar to method embodiments, they are described in a relatively simple manner, and reference may be made to some descriptions of method embodiments for relevant points.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.
Claims (27)
1. An authentication method of an electronic medium, which is applied to a read-write device, the method comprising:
obtaining a medium identification KID of the electronic medium to be authenticated;
encrypting a key KU stored by itself with the KID serving as a key to obtain an authentication key Ku1;
sending the Ku1 to the electronic medium;
receiving a confirmation message sent by the electronic medium, and determining that the electronic medium passes the authentication, wherein the confirmation message is: a message generated by the electronic medium when its own stored authentication key Ku2 is identical to the Ku1.
2. The method of claim 1, wherein after passing authentication of the electronic medium, the method further comprises:
encrypting first data KD stored by itself and used for identity authentication by taking the KID as a key to obtain an encryption key Kd;
determining a target field, and encrypting the target field by taking the Kd as a key to obtain authentication data Ke1;
reading authentication data Ke2 from the electronic medium;
according to the Ke1 and Ke2, an authentication result for the electronic medium is obtained.
3. The method of claim 2, wherein the step of determining the target field comprises:
determining the KID as a target field; or,
and determining a second data TID stored by the self for identity verification as a target field.
4. The method of claim 3, wherein when the target field is the KID, the step of obtaining an authentication result for the electronic medium according to the Ke1 and Ke2 comprises:
determining whether the Ke1 and Ke2 are the same;
if yes, encrypting the TID by taking the Kd as a key to obtain characteristic data Tid1;
reading characteristic data Tid2 from the electronic medium;
when the Tid1 is the same as the Tid2, it is determined that the authentication of the electronic medium is passed.
5. The method of claim 3, wherein when the target field is the TID, the obtaining an authentication result for the electronic medium according to the Ke1 and Ke2 comprises:
determining whether the Ke1 and Ke2 are the same;
if yes, encrypting the KID by taking the Kd as a key to obtain identification data Kid1;
reading identification data Kid2 from the electronic medium;
when the Kid1 is the same as Kid2, it is determined that the electronic medium passed authentication.
6. The method according to any one of claims 3 to 5,
the KU is stored in a random access memory RAM of the read-write device; and/or
the KD is stored in the RAM of the read-write device; and/or
the TID is stored in the RAM of the read-write device.
7. The method of claim 6, wherein first target information is obtained and stored, the first target information comprising at least one of the KU, the KD, and the TID:
obtaining a first encryption information group from a server, wherein the first encryption information group is as follows: the server encrypts first target information stored by the server by taking the device identifier UID of the read-write device as a secret key to obtain an encrypted information group;
and decrypting the first encrypted information group by taking the UID as a key to obtain the first target information, and storing the first target information.
8. The method according to any one of claims 1 to 5 and 7, further comprising:
and processing the data area of the electronic medium by using the Kd as a key after the electronic medium is authenticated.
9. An authentication apparatus for electronic media, applied to a read-write device, the apparatus comprising:
the first obtaining module is used for obtaining a medium identifier KID of the electronic medium to be authenticated;
the first encryption module is used for encrypting a key KU stored by the read-write device by taking the KID as a key to obtain an authentication key Ku1;
a sending module to send the Ku1 to the electronic medium;
a receiving module, configured to receive a confirmation message sent by the electronic medium, and determine that the electronic medium passes authentication, where the confirmation message is: a message generated by the electronic medium when its own stored authentication key Ku2 is identical to the Ku1.
10. The apparatus of claim 9, further comprising:
the second encryption module is used for encrypting, after the electronic medium is authenticated, the first data KD for identity verification stored in the read-write device by taking the KID as a key to obtain an encryption key Kd;
a determination module for determining a target field;
the third encryption module is used for encrypting the target field by taking the Kd as a key to obtain identity authentication data Ke1;
a reading module for reading authentication data Ke2 from the electronic medium;
and the verification module is used for obtaining an identity verification result for the electronic medium according to the Ke1 and the Ke2.
11. The apparatus of claim 10, wherein the determination module,
in particular for determining the KID as a target field; or
In particular for determining the second data TID stored by itself for authentication as the target field.
12. The apparatus of claim 11, wherein the authentication module comprises:
a first judging submodule, configured to judge whether Ke1 is the same as Ke2 when the target field is the KID;
a first encryption submodule, configured to encrypt the TID with the Kd as a key when the Ke1 is the same as Ke2, and obtain characteristic data Tid1;
a first reading submodule for reading characteristic data Tid2 from the electronic medium;
a first verification sub-module for determining that the electronic medium is authenticated when the Tid1 is the same as the Tid2.
13. The apparatus of claim 11, wherein the authentication module comprises:
a second determining submodule, configured to determine whether Ke1 is the same as Ke2 when the target field is the TID;
a second encryption sub-module, configured to encrypt the KID with the Kd as a key when the Ke1 is the same as Ke2, to obtain identification data Kid1;
a second reading submodule, configured to read identification data Kid2 from the electronic medium;
a second verification sub-module for determining that the electronic medium passes authentication when the Kid1 is the same as Kid2.
14. The apparatus according to any one of claims 11 to 13,
the KU is stored in a random access memory RAM of the read-write device; and/or
the KD is stored in the RAM of the read-write device; and/or
the TID is stored in the RAM of the read-write device.
15. The apparatus of claim 14, further comprising: a second obtaining module and a decryption module;
a second obtaining module, configured to obtain a first encrypted information group from a server, where the first encrypted information group is: the server encrypts first target information stored by the server by taking the device identifier UID of the read-write device as a secret key to obtain an encrypted information group;
and the decryption module is used for decrypting the first encrypted information group by taking the UID as a key to obtain the first target information, and storing the first target information, wherein the first target information comprises at least one of the KU, the KD and the TID.
16. The apparatus of any one of claims 9 to 13, 15, further comprising:
and the processing module is used for processing the data area of the electronic medium by taking the Kd as a key after the electronic medium is authenticated.
17. An authentication system for electronic media, the system comprising: read-write equipment and electronic media;
the read-write equipment is used for obtaining a medium identifier KID of the electronic medium to be authenticated; encrypting a key KU stored by itself with the KID serving as a key to obtain an authentication key Ku1; sending the Ku1 to the electronic medium; receiving a confirmation message sent by the electronic medium, and determining that the electronic medium passes the authentication;
the electronic medium is configured to receive the Ku1 sent by the read-write device, generate a confirmation message when an authentication key Ku2 stored in the electronic medium is the same as the Ku1, and send the confirmation message to the read-write device.
18. The system of claim 17, wherein the read-write device is further configured to:
after the electronic medium is authenticated, encrypting first data KD for identity verification stored in the read-write device by taking the KID as a key to obtain an encryption key Kd; determining a target field, and encrypting the target field by taking the Kd as a key to obtain authentication data Ke1; reading authentication data Ke2 from the electronic medium; according to the Ke1 and Ke2, obtaining an authentication result for the electronic medium.
19. The system of claim 18, wherein the reader device is specifically configured to determine the KID as a target field; or, determining a second data TID stored in the device for identity authentication as a target field.
20. The system of claim 19, wherein the read-write device is specifically configured to:
when the target field is the KID and the Ke1 is the same as the Ke2, encrypting the TID by taking the Kd as a key to obtain characteristic data Tid1; reading characteristic data Tid2 from the electronic medium; when the Tid1 is the same as the Tid2, determining that the authentication of the electronic medium is passed.
21. The system of claim 19, wherein the read-write device is specifically configured to:
when the target field is the TID and the Ke1 is the same as the Ke2, encrypting the KID by using the Kd as a key to obtain identification data Kid1; reading identification data Kid2 from the electronic medium; when the Kid1 is the same as Kid2, determining that the electronic medium passed authentication.
22. The system according to any one of claims 17 to 21,
the KU is stored in a random access memory RAM of the read-write device; and/or
the KD is stored in the RAM of the read-write device; and/or
the TID is stored in the RAM of the read-write device.
23. The system of claim 22, further comprising: a server;
the server is used for encrypting the first target information stored by the server by taking the device key UID of the read-write device as a key to obtain a first encrypted information group; wherein the first target information comprises at least one of the KU, the KD and the TID;
the read-write equipment is further configured to obtain the first encrypted information group from the server, decrypt the first encrypted information group with the UID as a key, obtain the first target information, and store the first target information.
24. The system of claim 23,
the server is further configured to obtain a second encrypted information group from a key issuing system, decrypt the second encrypted information group with a device identifier YID of the server as a key, obtain the first target information, and store the first target information; wherein the second encryption information group is: and the key issuing system encrypts the first target information by using the YID as a key to obtain an encrypted information group.
25. The system of claim 24,
the second encryption information group includes:
when the first target information comprises the TID, information D1 obtained by encrypting the TID by taking the YID as a key;
when the first target information comprises the KU, information D2 obtained by encrypting a first information string C1 by using the YID as a key, wherein the C1 is an information string obtained by encrypting the KU by using the TID as a key;
when the first target information includes the KD, information D3 obtained by encrypting a second information string C2 with the YID as a key, wherein C2 is an information string obtained by encrypting the KD with the TID as a key;
the server is specifically configured to:
when the first target information comprises the TID, decrypting the D1 by taking the YID as a key to obtain and store the TID;
when the first target information comprises the KU, decrypting the D2 with the YID as a key to obtain the C1, decrypting the C1 with the TID as a key to obtain and store the KU;
when the first target information comprises the KD, decrypting the D3 by taking the YID as a key to obtain the C2, decrypting the C2 by taking the TID as a key to obtain and store the KD.
26. The system of claim 24, further comprising: an issuing device;
the issuing equipment is used for encrypting second target information stored by the issuing equipment by taking the KID as a key to obtain a third encrypted information group and sending the third encrypted information group to the electronic medium; wherein the second target information includes at least one of the KU, the KD and the TID, and the third encrypted information set includes: at least one of the Ku2, the Kid2, the Tid2; the Ku2 is: an authentication key obtained after encrypting the KU with the KID as a key; the Kid2 is: an identification key obtained after encrypting the KID with the Kd as a key; the Kd is: an encryption key obtained after encrypting the KD by taking the KID as a key; the Tid2 is: a characteristic key obtained after encrypting the TID by taking the Kd as a key;
and the electronic medium is used for receiving the third encryption information group sent by the issuing equipment and storing the third encryption information group.
27. The system of claim 26,
the issuing device is further configured to obtain the fourth encrypted information group from the key issuing system, decrypt the fourth encrypted information group with a device identifier FID of the issuing device as a key, obtain the second target information, and store the second target information; wherein the fourth encryption information group is: and the key issuing system encrypts the second target information by using the FID as a key to obtain an encrypted information group.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710153745.5A CN108632036A (en) | 2017-03-15 | 2017-03-15 | A kind of authentication method of electronic media, apparatus and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108632036A true CN108632036A (en) | 2018-10-09 |
Family
ID=63686614
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710153745.5A Pending CN108632036A (en) | 2017-03-15 | 2017-03-15 | A kind of authentication method of electronic media, apparatus and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108632036A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020087867A1 (en) * | 2000-11-28 | 2002-07-04 | Oberle Robert R. | RF ID card |
CN1508698A (en) * | 2002-12-18 | 2004-06-30 | �Ҵ���˾ | Data storage apparatus, information processing apparatus and data-storage processing method |
CN101552667A (en) * | 2007-05-24 | 2009-10-07 | 冯振周 | Method for synchronously realizing encryption and authentication |
CN101739758A (en) * | 2008-11-18 | 2010-06-16 | 中兴通讯股份有限公司 | Method for encrypting and decrypting smart card, system and reader-writer |
CN103383726A (en) * | 2012-05-03 | 2013-11-06 | 中兴通讯股份有限公司 | Method and reader device for realizing security encryption |
KR101677803B1 (en) * | 2014-09-30 | 2016-11-21 | 한국정보통신주식회사 | Card reader, terminal and method for processing payment information thereof |
Events
- 2017-03-15 CN CN201710153745.5A patent/CN108632036A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US12113792B2 (en) | Authenticator centralization and protection including selection of authenticator type based on authentication policy | |
CN110519260B (en) | Information processing method and information processing device | |
CN201181472Y (en) | Hardware key device and movable memory system | |
TW201904231A (en) | Progressive key encryption algorithm | |
JP2012044670A (en) | User authentication method based on utilization of biometric identification techniques, and related architecture | |
JPWO2007094165A1 (en) | Identification system and program, and identification method | |
KR101809974B1 (en) | A system for security certification generating authentication key combinating multi-user element and a method thereof | |
KR20200028880A (en) | Multiple security authentication system and method between blockchain-based mobile terminals and IoT devices | |
CN106789024B (en) | A kind of remote de-locking method, device and system | |
CN101841418A (en) | Handheld multiple role electronic authenticator and service system thereof | |
CN105653986A (en) | Micro SD card-based data protection method and device | |
CN113316784A (en) | Secure authentication based on identity data stored in contactless card | |
JP2023548827A (en) | Secure verification of medical conditions using contactless cards | |
CN111709747B (en) | Intelligent terminal authentication method and system | |
US20230252451A1 (en) | Contactless card with multiple rotating security keys | |
CN114667713A (en) | Security authentication based on passport data stored in contactless card | |
CN110098925A (en) | Based on unsymmetrical key pond to and random number quantum communications service station cryptographic key negotiation method and system | |
KR101809976B1 (en) | A method for security certification generating authentication key combinating multi-user element | |
JP2000011113A (en) | Method for transferring recording medium and system for issuing same medium and constituting part of same system | |
US8234501B2 (en) | System and method of controlling access to a device | |
US20100014673A1 (en) | Radio frequency identification (rfid) authentication apparatus having authentication function and method thereof | |
CN102098391B (en) | Communication terminal and communication information processing method thereof | |
JP6167667B2 (en) | Authentication system, authentication method, authentication program, and authentication apparatus | |
KR20200013494A (en) | System and Method for Identification Based on Finanace Card Possessed by User | |
CN110086627B (en) | Quantum communication service station key negotiation method and system based on asymmetric key pool pair and time stamp |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20181009 |