CN109450647B - Method and system for safely producing and detecting dynamic token - Google Patents


Info

Publication number: CN109450647B
Authority: CN (China)
Application number: CN201811547353.8A
Other languages: Chinese (zh)
Other versions: CN109450647A
Prior art keywords: seed, production tool, dynamic token, ciphertext, module
Legal status: Active
Inventors: 陆舟, 于华章
Current assignee: Feitian Technologies Co Ltd
Original assignee: Feitian Technologies Co Ltd

Classifications (CPC)

    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L9/3226 ... using a predetermined code, e.g. password, passphrase or PIN
                • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
        • H04L9/06 ... the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
            • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
                • H04L9/0656 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
        • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
            • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L9/0869 ... involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method and a system for securely producing and detecting a dynamic token. Producing (burning) the token: the production tool looks up the first ciphertext seed corresponding to the device identifier of the dynamic token and sends it to the hardware security device; the hardware security device decrypts the ciphertext seed to obtain the plaintext seed and returns it to the production tool, which writes the plaintext seed into the dynamic token. Detecting the token: the production tool looks up the first ciphertext seed corresponding to the device identifier of the dynamic token, receives a first one-time password generated by the dynamic token, and sends the first ciphertext seed and the first one-time password to the hardware security device; the hardware security device decrypts the received first ciphertext seed to obtain the plaintext seed, generates a second one-time password from the plaintext seed, compares the first one-time password with the second one-time password to obtain a detection result, and sends the detection result to the production tool.

Description

Method and system for safely producing and detecting dynamic token
Technical Field
The invention relates to the field of information security, in particular to a method and a system for safely producing and detecting a dynamic token.
Background
In the prior art, the factory test of a dynamic token, i.e. the generation and verification of one-time passwords, runs on a server: the server decrypts the seed data, computes a dynamic password value from the seed data, compares it with the dynamic password value produced by the token, and returns a verification result. Operating this way cannot guarantee a secure environment for the sensitive data during the production and detection of dynamic tokens.
Disclosure of Invention
To solve the above technical problem, the invention provides a method and a system for securely producing and detecting a dynamic token. The method comprises a process of burning the dynamic token and a process of detecting the dynamic token, wherein the process of burning the dynamic token comprises the following steps:
step A0, the production tool picks up the dynamic token and places it in a readable position;
step A1, the production tool searches for a first ciphertext seed corresponding to the device identifier of the dynamic token;
step A2, the production tool sends the first ciphertext seed to the hardware security module device;
step A3, the hardware security module device decrypts the first ciphertext seed to obtain a plaintext seed, and sends the plaintext seed to the production tool;
step A4, the production tool writes the plaintext seed into the dynamic token;
the process of detecting a dynamic token comprises the steps of:
step B1, the production tool searches for a first ciphertext seed corresponding to the device identifier of the dynamic token and receives a first one-time password generated by the dynamic token;
step B2, the production tool sends the first ciphertext seed and the first one-time password to the hardware security module device;
step B3, the hardware security module device decrypts the received first ciphertext seed to obtain a plaintext seed;
step B4, the hardware security module device generates a second one-time password according to the plaintext seed;
step B5, the hardware security module device compares the first one-time password with the second one-time password to obtain a detection result;
step B6, the hardware security module device sends the detection result to the production tool;
step B7, the production tool places the dynamic token at the specified position according to the detection result.
The device identification is a token serial number.
Step A1 specifically includes:
step A1-1, the production tool sends an instruction for reading the device identifier to the dynamic token;
step A1-2, the dynamic token sends its device identifier to the production tool;
step A1-3, the production tool receives the device identifier;
step A1-4, the production tool searches for the first ciphertext seed corresponding to the device identifier;
step B1 specifically includes:
step B1-1, the production tool sends an instruction for reading the device identifier to the dynamic token;
step B1-2, the dynamic token sends the device identifier to the production tool;
step B1-3, the production tool searches for the first ciphertext seed corresponding to the received device identifier;
step B1-4, the production tool sends an instruction for reading the one-time password to the dynamic token;
step B1-5, the dynamic token generates a first one-time password according to the instruction;
step B1-6, the dynamic token sends the first one-time password to the production tool.
Step A4 is followed by:
step A5, the dynamic token sends the programming result to the production tool;
step A6, the production tool displays the programming result;
step B6 is followed by:
step B7, the production tool displays the test result.
Step B7 specifically includes: when the detection result is success, the production tool places the dynamic token at a first designated position; when the detection result is failure, the production tool places the dynamic token at a second designated position.
Step B7 specifically includes: the production tool determines the placement position of the dynamic token according to the detection result and judges whether the dynamic token can be placed at that position; if it can, the production tool places the dynamic token at the placement position, and if it cannot, the production tool prompts the operator to empty the placement position.
Step B1 further includes the production tool obtaining the current time of the dynamic token and the start time of the dynamic token;
step B1 is followed by step C: the production tool determines whether the timeliness of the dynamic token is valid based on the current time and the start time, if so, step B2 is performed, and if not, the production tool indicates a failure.
The production tool judges whether the timeliness of the dynamic token is valid according to the current time and the start time, which specifically comprises the following steps:
step C1-1, the production tool subtracts the start time from the current time to obtain a first time difference value;
step C1-2, the production tool subtracts the current time from the acquired global positioning time to obtain a second time difference value;
step C1-3, the production tool divides the second time difference value by the first time difference value to obtain a first result;
step C1-4, the production tool determines whether the first result is less than a predetermined value.
Step B2 specifically includes the production tool sending the first ciphertext seed, the first one-time password, and the current time of the dynamic token to the hardware security module device;
step B4 is specifically that the hardware security module device generates a second one-time password according to the plaintext seed and the current time of the dynamic token.
Step B4 specifically includes: the hardware security module device generates a second one-time password group according to the plaintext seed and the current time of the hardware security module device;
step B5 specifically includes: the hardware security module device compares whether the first one-time password is the same as any one-time password in the second one-time password group to obtain a comparison result, and uses the comparison result as the detection result.
Step B7 is specifically that the production tool shows that the detection result is successful;
step B7 is followed by: the production tool sends an instruction to close the port to the one-time password token.
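The detection path of steps C1-1 to C1-4 and B4/B5 (restated in embodiment 1 below), as an added worked example that is not the patent's own code. The patent names no OTP algorithm, time step, window or predetermined drift value; this example assumes an HMAC-SHA1 password with dynamic truncation over a 60-second step, a group of five passwords around the HSM clock, and a drift limit of 1%.

```python
import hashlib
import hmac
import struct

# Assumptions for this example (the patent names none of these): the one-time
# password is HMAC-SHA1 with dynamic truncation over a 60-second time step, the
# HSM builds the "second one-time password group" for +/-2 steps around its own
# clock, and the predetermined value for the timeliness ratio is 1%.
TIME_STEP = 60
OTP_DIGITS = 6
WINDOW = 2
DRIFT_LIMIT = 0.01


def otp_at(seed: bytes, timestamp: int) -> str:
    """One-time password for the time step that contains `timestamp`."""
    counter = timestamp // TIME_STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


def token_timeliness_valid(current_time: int, start_time: int, gps_time: int) -> bool:
    """Production-tool check, steps C1-1 to C1-4: the token's drift against GPS
    time, divided by the time the token has been running, must be below the
    predetermined value. A token whose clock has not started is rejected."""
    first_diff = current_time - start_time          # C1-1: running time of the token
    if first_diff <= 0:
        return False
    second_diff = gps_time - current_time           # C1-2: drift against GPS time
    first_result = abs(second_diff) / first_diff    # C1-3 (abs() is an assumption: drift in either direction counts)
    return first_result < DRIFT_LIMIT               # C1-4


def hsm_verify(plaintext_seed: bytes, first_otp: str, hsm_time: int) -> bool:
    """HSM side of steps B4 and B5: derive the second one-time password group
    from the plaintext seed and the HSM's own clock, then check whether the
    token's first one-time password equals any member of the group."""
    group = {otp_at(plaintext_seed, hsm_time + k * TIME_STEP)
             for k in range(-WINDOW, WINDOW + 1)}
    # Constant-time comparison against every candidate; the result is the detection result.
    return any(hmac.compare_digest(first_otp, candidate) for candidate in group)


def detect_token(plaintext_seed: bytes, token_otp: str, token_time: int,
                 token_start: int, gps_time: int, hsm_time: int) -> str:
    """Detection flow as the production tool sees it: step C first, then B2-B6
    through the HSM. The plaintext seed is taken as already decrypted inside
    the HSM (step B3); only the HSM ever calls hsm_verify with it."""
    if not token_timeliness_valid(token_time, token_start, gps_time):
        return "failure: timeliness invalid"
    if hsm_verify(plaintext_seed, token_otp, hsm_time):
        return "success"
    return "failure: OTP mismatch"


if __name__ == "__main__":
    # Constructed sample values: a 20-byte seed, a token that started at
    # t=1,000,000, reads t=1,600,000,000 now, GPS time 20 s ahead of it, and an
    # HSM clock 90 s ahead of the token (two steps away, still inside the window).
    seed = bytes(range(20))
    first_otp = otp_at(seed, 1_600_000_000)
    print(detect_token(seed, first_otp, 1_600_000_000, 1_000_000,
                       1_600_000_020, 1_600_000_090))
```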
Sending the plaintext seed to the production tool in step A3 is replaced with:
step D1, the hardware security module device sends a request to generate a random number to the production tool;
step D2, the production tool generates a first random number and sends the first random number to the hardware security module device;
step D3, the hardware security module device encrypts the plaintext seed with the first random number using a predetermined algorithm to obtain a second ciphertext seed, and sends the second ciphertext seed to the production tool;
step D4, the production tool decrypts the second ciphertext seed with the first random number to obtain the plaintext seed.
Sending the plaintext seed to the production tool in step A3 is replaced with:
step D1', the hardware security module device sends a request to generate a random number to the production tool;
step D2', the production tool sends a request to generate a random number to the dynamic token;
step D3', the dynamic token generates a second random number and sends the second random number to the production tool;
step D4', the production tool sends the second random number to the hardware security module device;
step D5', the hardware security module device encrypts the plaintext seed with the second random number according to a preset algorithm to obtain a third ciphertext seed, and sends the third ciphertext seed to the production tool;
step D6', the production tool sends the third ciphertext seed to the dynamic token;
step A4 is replaced with: the dynamic token decrypts the third ciphertext seed with the second random number to obtain the plaintext seed and stores the plaintext seed.
Step A4 is replaced with the following steps: step E1, the production tool sends a request to generate a random number to the dynamic token;
step E2, the dynamic token generates a third random number and sends the third random number to the production tool;
step E3, the production tool encrypts the received plaintext seed with the third random number to obtain a fourth ciphertext seed, and sends the fourth ciphertext seed to the dynamic token;
step E4, the dynamic token decrypts the received fourth ciphertext seed with the third random number and stores the fourth ciphertext seed.
Steps A1-A4 are replaced with the following steps:
step A1', the production tool sends a request to obtain the device identifier and to generate a random number to the dynamic token;
step A2', the dynamic token generates a fourth random number and sends the fourth random number and the device identifier to the production tool;
step A3', the production tool searches for the first ciphertext seed corresponding to the token ID;
step A4', the production tool sends the first ciphertext seed and the fourth random number to the hardware security module device;
step A5', the hardware security module device decrypts the first ciphertext seed to obtain a plaintext seed, encrypts the plaintext seed with the fourth random number to obtain a fifth ciphertext seed, and sends the fifth ciphertext seed to the production tool;
step A6', the production tool sends the fifth ciphertext seed to the dynamic token;
step A7', the dynamic token decrypts the fifth ciphertext seed with the fourth random number to obtain the plaintext seed, and stores the plaintext seed.
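The A1'-A7' variant above, as an added example that is not the patent's own code: the HSM unwraps the first ciphertext seed and rewraps it under the token's fourth random number, so the production tool only ever handles ciphertext. The "preset algorithm" is not named by the patent; this example assumes an HMAC-SHA256 keystream XORed with the seed, and the master key, serial number and seed bytes are constructed.

```python
import hashlib
import hmac
import os

# Assumption for this example: the "preset algorithm" that protects a seed under
# a key is a keystream derived with HMAC-SHA256 from the key, a per-token nonce
# and a block counter, XORed byte-for-byte with the seed. The patent names no
# algorithm; this construction is chosen here only to make the flow runnable.


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` (the operation is its own inverse)."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class HsmDevice:
    """Holds the master key that protects the first ciphertext seeds. The
    plaintext seed exists only inside this object (step A5')."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key

    def rewrap_for_token(self, serial: str, first_ciphertext_seed: bytes,
                         fourth_random: bytes) -> bytes:
        plaintext_seed = keystream_xor(self._master_key, serial.encode(), first_ciphertext_seed)
        # Fifth ciphertext seed: the plaintext seed under the token's one-time random number.
        return keystream_xor(fourth_random, serial.encode(), plaintext_seed)


class DynamicToken:
    def __init__(self, serial: str):
        self.serial = serial
        self.stored_seed = None
        self._fourth_random = None

    def device_id_and_random(self):
        """Step A2': answer the combined request with the serial and a fresh random number."""
        self._fourth_random = os.urandom(16)
        return self.serial, self._fourth_random

    def store_fifth_ciphertext_seed(self, fifth_ciphertext_seed: bytes) -> None:
        """Step A7': unwrap with the fourth random number and keep only the plaintext."""
        self.stored_seed = keystream_xor(self._fourth_random, self.serial.encode(),
                                         fifth_ciphertext_seed)
        self._fourth_random = None   # one-time value, never reused


class ProductionTool:
    def __init__(self, hsm: HsmDevice, seed_db: dict):
        self.hsm = hsm
        self.seed_db = seed_db        # serial -> first ciphertext seed
        self.handled = []             # every seed-related value this tool ever holds

    def burn(self, token: DynamicToken) -> bool:
        serial, fourth_random = token.device_id_and_random()              # A1', A2'
        first = self.seed_db[serial]                                       # A3'
        fifth = self.hsm.rewrap_for_token(serial, first, fourth_random)    # A4', A5'
        self.handled += [first, fifth]
        token.store_fifth_ciphertext_seed(fifth)                           # A6', A7'
        return token.stored_seed is not None


def provision_first_ciphertext_seed(master_key: bytes, serial: str, plaintext_seed: bytes) -> bytes:
    """Constructed helper standing in for the seed database being filled in advance."""
    return keystream_xor(master_key, serial.encode(), plaintext_seed)


def run_burn_demo():
    """Returns (seed stored in the token, original seed, values the tool handled)."""
    master_key = b"constructed-master-key-for-demo!"   # constructed
    seed = bytes(range(20))                            # constructed plaintext seed
    serial = "SN-CONSTRUCTED-0001"                     # constructed device identifier
    db = {serial: provision_first_ciphertext_seed(master_key, serial, seed)}
    tool = ProductionTool(HsmDevice(master_key), db)
    token = DynamicToken(serial)
    tool.burn(token)
    return token.stored_seed, seed, tool.handled


if __name__ == "__main__":
    stored, original, handled = run_burn_demo()
    print("token stored correct seed:", stored == original)
    print("tool saw plaintext seed:", original in handled)
```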
The invention also provides a system for secure production and detection of a dynamic token, comprising a production tool device and a hardware security module device, wherein the production tool device comprises:
a grabbing and placing module, used for picking up the dynamic token and placing it in a readable position, and further used for placing the dynamic token at a specified position according to the detection result;
a searching module, used for searching for a first ciphertext seed corresponding to the device identifier of the dynamic token;
a first receiving module, used for receiving a first one-time password generated by the dynamic token, and further used for receiving the plaintext seed and the detection result sent by the hardware security module device;
a first sending module, used for sending the first ciphertext seed to the hardware security module device, and further used for sending the first ciphertext seed and the first one-time password to the hardware security module device;
a writing module, used for writing the plaintext seed received by the first receiving module into the dynamic token;
the hardware security module device comprises:
a second receiving module, used for receiving the first ciphertext seed sent by the production tool device, and further used for receiving the first one-time password sent by the production tool device;
a second decryption module, used for decrypting the first ciphertext seed to obtain a plaintext seed;
a second generation module, used for generating a second one-time password according to the plaintext seed;
a comparison module, used for comparing the first one-time password with the second one-time password to obtain a detection result;
a second sending module, used for sending the plaintext seed to the production tool device, and further used for sending the detection result obtained by the comparison module to the production tool device.
The device identification is a token serial number.
The first sending module is further used for sending an instruction for reading the device identifier to the dynamic token, and for sending an instruction for reading the one-time password to the dynamic token;
the first receiving module is further used for receiving the device identifier sent by the dynamic token;
the searching module is specifically configured to search for the first ciphertext seed corresponding to the device identifier.
The production tool device further comprises a display module used for displaying the detection result received by the first receiving module.
The grabbing and placing module is further used for placing the dynamic token at a first specified position when the detection result is success, and at a second specified position when the detection result is failure.
The production tool device further comprises a first judgment module used for determining the placement position of the dynamic token according to the detection result and judging whether the dynamic token can be placed at that position;
the grabbing and placing module is specifically used for placing the dynamic token at the placement position when the first judgment module judges that the dynamic token can be placed there;
the production tool device further comprises a prompt module used for prompting the operator to empty the placement position when the first judgment module judges that the dynamic token cannot be placed there.
The production tool device further comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring the current time of the dynamic token and the start time of the dynamic token;
the production tool device further comprises a second judgment module for judging whether the timeliness of the dynamic token is valid according to the current time and the start time;
the first sending module is specifically configured to send the first ciphertext seed and the first one-time password to the hardware security module device when the second judgment module determines that the timeliness of the dynamic token is valid;
the production tool device further comprises a display module for displaying the detection failure when the second judgment module determines that the timeliness of the dynamic token is invalid.
The production tool further comprises a calculation module, which obtains a first time difference value by subtracting the start time from the current time, a second time difference value by subtracting the current time from the acquired global positioning time, and a first result by dividing the first time difference value by the second time difference value;
the second judgment module is specifically configured to judge whether the first result is smaller than a preset value in order to judge whether the timeliness of the dynamic token is valid.
The first sending module is specifically used for sending the first ciphertext seed, the first one-time password and the current time of the dynamic token to the hardware security module device;
the first generating module is specifically configured to generate a second one-time password according to the plaintext seed and the current time of the dynamic token.
The first generating module is specifically used for generating a second one-time password group according to the plaintext seed and the current time of the hardware security module device;
the comparison module is specifically used for comparing whether the first one-time password is the same as any one-time password in the second one-time password group to obtain a comparison result, and the comparison result is used as the detection result.
The display module displays that the detection result is successful;
the first sending module is also used for sending a command of closing the port to the one-time password token when the display module displays that the detection result is successful.
The second sending module is further used for sending a request to generate a random number to the production tool device;
the production tool device further comprises a first generation module for generating a first random number;
the first sending module is further used for sending the first random number to the hardware security module device;
the hardware security module device further comprises a second encryption module used for encrypting the plaintext seed with the first random number and a preset algorithm to obtain a second ciphertext seed, and sending the second ciphertext seed to the production tool device;
the production tool device further comprises a first decryption module used for decrypting the second ciphertext seed with the first random number to obtain the plaintext seed.
The second sending module is further used for sending a request to generate a random number to the production tool device, and for sending the third ciphertext seed to the production tool device;
the first receiving module is used for receiving the request to generate a random number sent by the second sending module, and further used for receiving the second random number sent by the dynamic token;
the first sending module is used for sending a request to generate a random number to the dynamic token, for sending the second random number to the hardware security module device, and for sending the third ciphertext seed to the dynamic token;
the hardware security module device further comprises a second encryption module used for encrypting the plaintext seed with the second random number according to a preset algorithm to obtain a third ciphertext seed;
the writing module is replaced with the dynamic token, which is used for decrypting the third ciphertext seed with the second random number to obtain the plaintext seed and storing the plaintext seed;
the dynamic token is also used for generating the second random number.
The system further comprises a dynamic token for generating a third random number and sending the third random number to the production tool device, and further for decrypting the received fourth ciphertext seed and storing the decrypted fourth ciphertext seed;
the production tool apparatus further comprises: the first encryption module is used for encrypting the received plaintext seeds to obtain fourth ciphertext seeds;
the first sending module is also used for sending a request for generating the random number to the dynamic token; and the fourth ciphertext seed is sent to the dynamic token.
The first sending module is used for sending a request to obtain the device identifier and a random number to the dynamic token, and further used for sending the first ciphertext seed and the fourth random number to the hardware security module device, and for sending the fifth ciphertext seed to the dynamic token;
the system further comprises a dynamic token for generating a fourth random number and sending the fourth random number and the device identifier to the production tool device, and for decrypting the fifth ciphertext seed with the fourth random number to obtain the plaintext seed and storing the plaintext seed;
the searching module is used for searching a first ciphertext seed corresponding to the token identifier;
the second decryption module is used for decrypting the first ciphertext seed to obtain a plaintext seed;
the hardware security module device also comprises a second encryption module which is used for encrypting the plaintext seeds by using a fourth random number to obtain fifth ciphertext seeds;
the second sending module is further used for sending the fifth ciphertext seed to the production tool device.
The invention has the following beneficial effects: in the method and system provided, the decryption and verification of sensitive data are carried out inside the hardware security module device, so that data transmission and storage are more secure during the production and detection of the dynamic token.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without any creative work.
Fig. 1-1 is a flowchart of a process of burning an OTP token according to a method for secure production and detection of the OTP token provided in embodiment 1 of the present invention;
fig. 1-2 are process flow diagrams of detecting an OTP token according to a method for secure production and detection of an OTP token provided in embodiment 1 of the present invention;
fig. 2 is a flowchart of a process of burning an OTP token according to a method for securely producing and detecting the OTP token provided in embodiment 2 of the present invention;
fig. 3 is a process flow diagram of detecting an OTP token according to a method for securely producing and detecting the OTP token provided in embodiment 2 of the present invention;
fig. 4 is a flow chart of verifying whether the timeliness of the OTP token is valid or not by the production tool in the method for securely producing and detecting the OTP token according to embodiment 2 of the present invention;
fig. 5 is a flowchart illustrating alternative steps 308'-311' of steps 308-311 in a method for secure production and detection of an OTP token according to embodiment 2 of the present invention;
fig. 6 is a structural diagram of a system for secure production and detection of an OTP token according to embodiment 3 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
The present embodiment provides a method for secure production and detection of an OTP token (dynamic token), which includes a process of programming the OTP token and a process of detecting the OTP token, as shown in fig. 1-1, where the process of programming the OTP token includes the following steps:
step A0, the production tool executes the operation of grabbing the OTP token and placing the OTP token in a readable position;
step A1, the production tool searches a first ciphertext seed corresponding to the device identifier of the OTP token;
in this example, the device identification may be a token serial number.
Step A2, the production tool sends the first ciphertext seed to the HSM device (hardware security module device);
in this example, the HSM device may be an encryption machine.
Step A3, the HSM device decrypts the first ciphertext seed to obtain a plaintext seed; step A4, the HSM device sends the plaintext seed to the production tool;
step A5, the production tool writes the plaintext seed into the OTP token;
as shown in fig. 1-2, the process of detecting an OTP token includes the following steps:
step B1, the production tool searches a first ciphertext seed corresponding to the device identification of the OTP token and receives a first one-time password generated by the OTP token;
step B2, the production tool sends the first ciphertext seed and the first one-time password to the HSM device;
step B3, the HSM device decrypts the received first ciphertext seed to obtain a plaintext seed;
step B4, the HSM device generates a second one-time password according to the plaintext seed;
step B5, the HSM device compares the first one-time password with the second one-time password to obtain a detection result;
step B6, the HSM device sends the detection result to the production tool;
step B7, the production tool places the OTP token at a designated location according to the detection result.
In this embodiment, step A1 specifically includes:
step A1-1, the production tool sends an instruction for reading the device identifier to the OTP token;
step A1-2, the OTP token sends its device identifier to the production tool;
step A1-3, the production tool receives the device identifier;
step A1-4, the production tool searches for the first ciphertext seed corresponding to the device identifier;
step B1 specifically includes:
step B1-1, the production tool sends an instruction for reading the device identifier to the OTP token;
step B1-2, the OTP token sends the device identifier to the production tool;
step B1-3, the production tool searches for the first ciphertext seed corresponding to the received device identifier;
step B1-4, the production tool sends an instruction for reading the one-time password to the OTP token;
step B1-5, the OTP token generates a first one-time password according to the instruction;
step B1-6, the OTP token sends the first one-time password to the production tool.
In this embodiment, step a5 is followed by:
step A6, the OTP token sends the programming result to the production tool;
step A7, the production tool displays the programming result;
step B6 is followed by:
step B7, the production tool displays the test result.
In this embodiment, step B7 specifically includes: when the detection result is success, the production tool places the OTP token at a first designated position; when the detection result is failure, the production tool places the OTP token at a second designated position.
In this embodiment, step B7 specifically includes: the production tool determines the placement position of the OTP token according to the detection result and judges whether the OTP token can be placed in that position; if so, it places the OTP token there, and if not, it prompts that the position be emptied.
In this embodiment, step B1 further includes the production tool obtaining the current time of the OTP token and the start time of the OTP token;
step B1 is followed by step C: the production tool determines whether the timeliness of the OTP token is valid based on the current time and the start time, if so, step B2 is executed, and if not, the production tool displays a detection failure.
In this embodiment, the determining, by the production tool, whether the timeliness of the OTP token is valid according to the current time and the start time specifically includes:
step C1-1, the production tool subtracts the starting time from the current time to obtain a first time difference value;
step C1-2, the production tool subtracts the current time from the acquired global positioning time to obtain a second time difference value;
step C1-3, the production tool divides the second time difference value by the first time difference value to obtain a first result;
step C1-4, the production tool determines whether the first result is smaller than a preset value.
In this embodiment, step B2 specifically includes the production tool sending the first ciphertext seed, the first one-time password, and the current time of the OTP token to the HSM device;
step B4 is specifically that the HSM device generates a second one-time password according to the plaintext seed and the current time of the OTP token.
In this embodiment, step B4 specifically includes: the HSM device generates a second one-time password group according to the plaintext seed and the current time of the HSM device;
step B5 is to compare whether the first one-time password is the same as one of the second one-time passwords by the HSM device to obtain a comparison result, and use the comparison result as the detection result.
In this embodiment, step B7 is specifically that the production tool shows that the detection result is successful;
step B7 is followed by: the production tool sends an instruction to close the port to the one-time password token.
In this embodiment, the sending of the plaintext seed to the production tool in step A3 may be replaced by:
step D1, the HSM device sends a request for generating a random number to the production tool;
step D2, the production tool generates a first random number and sends the first random number to the HSM device;
step D3, the HSM device encrypts the plaintext seed using the first random number and a preset algorithm to obtain a second ciphertext seed, and sends the second ciphertext seed to the production tool;
step D4, the production tool decrypts the second ciphertext seed using the first random number to obtain the plaintext seed.
In this embodiment, the sending of the plaintext seed to the production tool in steps A3-A4 may be replaced by:
step D1', the HSM device sending a request to generate a random number to the production tool;
step D2', the production tool sending a request to generate a random number to the OTP token;
step D3', the OTP token generates a second random number and sends the second random number to the production tool;
step D4', the production tool sends the second random number to the HSM device;
step D5', the HSM device encrypts the plaintext seed by using a second random number according to a preset algorithm to obtain a third ciphertext seed, and sends the third ciphertext seed to the production tool;
step D6', the production tool sends the third ciphertext seed to the OTP token;
step a5 is replaced with: and the OTP token decrypts the third ciphertext seed by using the second random number to obtain a plaintext seed and stores the plaintext seed.
In the present embodiment, step a5 may be replaced by the following steps:
step E1, the production tool sends a request to generate a random number to the OTP token;
step E2, the OTP token generates a third random number and sends the third random number to the production tool;
step E3, the production tool encrypts the received plaintext seed by using the third random number to obtain a fourth ciphertext seed, and sends the fourth ciphertext seed to the OTP token;
step E4, the OTP token decrypts the received fourth ciphertext seed using the third random number and stores the resulting plaintext seed.
In this embodiment, steps A1-A5 may be replaced with the following steps:
step A1', the production tool sends a request to the OTP token to obtain the device identifier and generate a random number;
step A2', the OTP token generates a fourth random number and sends the fourth random number and the device identifier to the production tool;
step A3', the production tool searches for the first ciphertext seed corresponding to the device identifier;
step A4', the production tool sends the first ciphertext seed and the fourth random number to the HSM device;
step A5', the HSM device decrypts the first ciphertext seed to obtain a plaintext seed, encrypts the plaintext seed by using a fourth random number to obtain a fifth ciphertext seed, and sends the fifth ciphertext seed to a production tool;
step A6', the production tool sends the fifth ciphertext seed to the OTP token;
and step A7', the OTP token decrypts the fifth ciphertext seed by using the fourth random number to obtain a plaintext seed, and stores the plaintext seed.
Example 2
The embodiment provides a method for the secure production and detection of an OTP token, which includes a process of burning an OTP token and a process of detecting the OTP token, wherein, as shown in fig. 2, the process of burning the OTP token includes the following steps:
step 201, the production tool sends a command for reading a token serial number to the OTP token;
specifically, the instruction for reading the token serial number is: 0x86022525.
In this embodiment, the token serial number may be replaced by any other device identifier that uniquely identifies the OTP token.
Specifically, the OTP token is a time-type OTP token.
In this embodiment, step 201 may be preceded by step 200: the production tool grabs the OTP token and places the grabbed OTP token in a readable position.
In particular, the production tool may comprise a manipulator or suction-cup device that places the OTP token in the reading position after gripping it.
Step 202, the OTP token sends a token serial number to a production tool;
the token serial number of the OTP token is unique. Specifically, the token serial number is: 2600827800001.
step 203, the production tool searches a cipher text seed corresponding to the token serial number in the cipher text seed file according to the received token serial number;
specifically, the ciphertext seed found is: 327C27407E2D916A1A9D455BD79F8E4737F5B99ADCBAA242740E3BD2DFF37C09
Step 204, the production tool sends the searched cipher text seed data corresponding to the token serial number to the HSM device (a hardware security module, which may be an encryption machine);
step 205, the HSM device decrypts the ciphertext seed data according to a key and a decryption algorithm stored in the HSM device, so as to obtain a plaintext seed;
specifically, the HSM device decrypts the ciphertext seed data using its own stored key 11111111111111111111111111111111 and the SM4 algorithm, obtaining the plaintext seed 613B236B80E75EA1267A7E8CBACA0ABA809CD326 (the ciphertext is two 16-byte SM4 blocks, so the 20-byte seed is padded before encryption).
Step 206, the HSM device sends the plaintext seed data to the production tool;
in this embodiment, step 206 may also be replaced by the following steps:
step 206' -1, the HSM device sends a request to generate a random number to the production tool;
specifically, the request for generating the random number is 0x0006474501000000.
At step 206' -2, the production tool generates and sends a random number to the HSM device,
step 206' -3, the HSM device encrypts the plaintext seeds by using a random number and a predetermined algorithm to obtain ciphertext seeds, and sends the ciphertext seeds to the production tool;
specifically, the first random number is 0x31 and the predetermined algorithm may be a byte-wise exclusive-or of the seed with the random number; the ciphertext seed obtained after encryption is:
500A125AB1D66F90174B4FBD8BFB3B8BB1ADE217.
in step 206' -4, the production tool decrypts the ciphertext seed using the random number to obtain a plaintext seed.
In step 207, the production tool writes the plaintext seed as the seed to the OTP token.
In this embodiment, step 206 may also be replaced by the following steps:
step D1', the HSM device sending a request to generate a random number to the production tool;
step D2', the production tool sending a request to the OTP token to generate a random number;
step D3', the OTP token generating and sending a random number to the production tool;
step D4', the production tool sending a random number to the HSM device;
step D5', the HSM device encrypts the plaintext seed using the random number according to a preset algorithm to obtain a new ciphertext seed, and sends the new ciphertext seed to the production tool;
step D6', the production tool sending the new ciphertext seed to the OTP token;
step 207 is replaced with: and the OTP token decrypts the new ciphertext seed by using a random number to obtain a plaintext seed and stores the plaintext seed.
In this embodiment, step 207 may also be replaced by the following steps:
step 207' -1, the production tool sends a request to generate a random number to the OTP token;
specifically, the request for generating the random number is 0x86021010.
Step 207' -2, the OTP token generates a random number and sends the random number to the production tool;
step 207' -3, the production tool encrypts the received plaintext seeds by using random numbers to obtain ciphertext seeds, and sends the ciphertext seeds to the OTP token;
specifically, the second random number is 0x81 and the predetermined algorithm may be a byte-wise exclusive-or of the seed with the random number; the ciphertext seed obtained after encryption is:
E0BAA2EA0166DF20A7FBFF0D3B4B8B3B011D52A7.
In step 207'-4, the OTP token decrypts the received ciphertext seed using the random number to obtain the plaintext seed and stores the plaintext seed.
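The "exclusive or algorithm" of steps 206'-3 and 207'-3 is concrete enough to reproduce. The following is an added example, not Feitian's production code: it masks the page's plaintext seed with the page's one-byte random numbers and checks that the results equal the ciphertext seeds quoted above. It also shows what an observer of the production-tool link can do without the random number: because the mask is a single byte, the ciphertext seed has at most 256 possible plaintexts, so this step hides the seed from casual observation of the link but is not encryption in the cryptographic sense.

```python
"""Seed masking with a single random byte, as in steps 206' and 207' above.
Added example for illustration; it is not Feitian's production code."""
from __future__ import annotations


def mask_seed(seed: bytes, rnd: int) -> bytes:
    """Apply the page's 'exclusive or algorithm': XOR every seed byte with the
    one-byte random number. XOR is its own inverse, so the same function
    encrypts (steps 206'-3, 207'-3) and decrypts (steps 206'-4, 207'-4)."""
    if not 0 <= rnd <= 0xFF:
        raise ValueError("the random number in the page's examples is one byte")
    return bytes(b ^ rnd for b in seed)


# Values quoted from Example 2 of the page.
PLAINTEXT_SEED = bytes.fromhex("613B236B80E75EA1267A7E8CBACA0ABA809CD326")
FIRST_RANDOM = 0x31   # generated by the production tool, step 206'-2
SECOND_RANDOM = 0x81  # generated by the OTP token, step 207'-2


def wrap_and_unwrap(seed: bytes, rnd: int) -> tuple[str, bool]:
    """One leg of the exchange: the sender masks the seed, the receiver unmasks
    it. Returns the hex ciphertext seed and whether the receiver recovered
    the original seed."""
    ciphertext_seed = mask_seed(seed, rnd)
    recovered = mask_seed(ciphertext_seed, rnd)
    return ciphertext_seed.hex().upper(), recovered == seed


def candidates_from_ciphertext(ciphertext_seed: bytes) -> list[bytes]:
    """What an observer of the link can do without the random number: a
    one-byte mask leaves at most 256 possible plaintext seeds, one per
    mask value, so the true seed is always among these candidates."""
    return [mask_seed(ciphertext_seed, r) for r in range(256)]


if __name__ == "__main__":
    print(wrap_and_unwrap(PLAINTEXT_SEED, FIRST_RANDOM))   # HSM -> production tool
    print(wrap_and_unwrap(PLAINTEXT_SEED, SECOND_RANDOM))  # production tool -> OTP token
    print(len(candidates_from_ciphertext(mask_seed(PLAINTEXT_SEED, FIRST_RANDOM))))
```

The same function applies unchanged to the variants in which the random number comes from the OTP token and the HSM device does the masking (steps D1'-D6' and steps 01-07), since only the party holding the random number changes.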
Step 208, the OTP token sends the programming result to the production tool;
specifically, the programming result is success or failure of programming the seed.
Specifically, if the programming result is successful, returning data AA02AAAA to the production tool; if the programming fails, data AA03001313 is returned to the production tool.
In step 209, the production tool displays the programming results.
In particular, the production tool indicates success or failure of programming the seed.
Specifically, the production tool shows: either the programming was successful or the programming failed.
In step 209, if the production tool shows that programming the seed failed, the production tool also shows the reason for the failure, such as the token not powering on or a power failure.
After this step, the production tool is further used for placing the OTP token at a specified position according to the programming result.
Specifically, if the production tool displays a successful programming result, the OTP token is placed to a specified first position by using a manipulator or a sucker device of the production tool, and if the production tool displays a failed programming result, the OTP token is placed to a specified second position.
Specifically, the production tool further includes a sensor, and is specifically configured to determine, by the sensor, whether the OTP token can be placed in the first location or the second location before the OTP token is placed in the specified first location or the second location, and if so, place the OTP token in the first location or the second location, and if not, prompt to clear the first location or the second location.
In this embodiment, steps 201-207 may be replaced with the following steps 01-07:
step 01, the production tool sends a request for acquiring the equipment identifier and the random number to the OTP token;
step 02, the OTP token generates a fourth random number and sends the fourth random number and the device identifier to the production tool;
step 03, the production tool searches for a first ciphertext seed corresponding to the token identifier;
step 04, the production tool sends the first ciphertext seed and the fourth random number to the HSM device;
step 05, the HSM device decrypts the first ciphertext seed to obtain a plaintext seed, encrypts the plaintext seed by using the fourth random number to obtain a fifth ciphertext seed, and sends the fifth ciphertext seed to the production tool;
step 06, the production tool sends the fifth ciphertext seed to the OTP token;
and step 07, the OTP token decrypts the fifth ciphertext seed by using the fourth random number to obtain the plaintext seed, and stores the plaintext seed.
As shown in fig. 3, the process of detecting an OTP token includes the following steps:
step 301, the production tool sends a command for reading a token serial number to the OTP token;
specifically, the OTP token is a time-type OTP token.
Specifically, the instruction for reading the token serial number is as follows: 0x 86022525.
Step 302, the OTP token sends the token serial number of the OTP token to a production tool;
step 303, the production tool searches a cipher text seed corresponding to the token serial number in the cipher text seed file according to the received token serial number;
specifically, the ciphertext seed is: 327C27407E2D916A1A9D455BD79F8E4737F5B99ADCBAA242740E3BD2DFF37C09.
In this step, the ciphertext seed may also be stored in the database.
Step 304, the production tool sends an instruction for reading the OTP value to the OTP token;
specifically, the instruction for reading the OTP value is: 0x8603420042.
Step 305, the OTP token receives an instruction to read the OTP value and generates a first OTP value;
specifically, the OTP token is calculated according to the current time of the token and the seed using a preset algorithm to generate a first OTP value.
In this step, the OTP token computes the first OTP value from the token's current time 2018-07-13 14:11:11 and the seed 613B236B80E75EA1267A7E8CBACA0ABA809CD326 using a preset SHA1-based algorithm, obtaining the first OTP value: 630842.
the OTP token sends the generated first OTP value, the current time of the token and the start time of the token to the production tool, step 306.
Specifically, the starting time of the token is the time at which the seed was written to the OTP token.
For example, in this step, the time at which the seed was written to the OTP token is: 2018-07-13 10:10:11.
Step 307, the production tool verifies whether the time validity of the OTP token is valid, if so, step 308 is performed, and if not, step 314 is performed.
Specifically, in this step, the production tool verifies the timeliness of the OTP token from the received current time of the token, the received start time of the token, and the acquired GPS time, as shown in fig. 4; the specific steps are as follows:
307-1, the production tool subtracts the starting time of the token from the current time of the token to obtain a first time difference value;
307-2, the production tool subtracts the current time of the token from the acquired GPS time to obtain a second time difference value;
307-3, the production tool divides the second time difference by the first time difference to obtain a first result;
in step 307-4, the production tool determines whether the first result is smaller than a preset value; if so, go to step 308, and if not, go to step 314.
Specifically, in this step, if the first result is smaller than the preset value, the timeliness of the token is valid and step 308 is executed; if not, the timeliness of the token is invalid, the detection result of the token is a detection failure, and step 314 is executed.
Specifically, in the present embodiment, the preset value is 0.3 (the first result is a ratio of two time differences and therefore carries no unit).
Step 308, the production tool sends the first OTP value, the current time of the token and the searched ciphertext seed corresponding to the token sequence number to the HSM device;
specifically, the production tool sends the first OTP value 630842, the current time of the token 2018-07-13 14:11:11 and the found ciphertext seed 327C27407E2D916A1A9D455BD79F8E4737F5B99ADCBAA242740E3BD2DFF37C09 to the HSM device.
Step 309, the HSM device decrypts according to a preset algorithm and the ciphertext seed to obtain a plaintext seed;
specifically, the HSM device decrypts the ciphertext seed 327C27407E2D916A1A9D455BD79F8E4737F5B99ADCBAA242740E3BD2DFF37C09 using the SM4 algorithm and obtains the plaintext seed 613B236B80E75EA1267A7E8CBACA0ABA809CD326.
Step 310, the HSM device generates a second OTP value according to the plaintext seed and the current time of the token by using a preset algorithm;
in this step, the HSM device uses the same preset algorithm as the one used by the token to generate the first OTP value in step 305.
Specifically, in this step, the HSM device generates the second OTP value from the plaintext seed 613B236B80E75EA1267A7E8CBACA0ABA809CD326 and the token's current time 2018-07-13 14:11:11 using the SHA1-based algorithm: 630842.
in step 311, the HSM device determines whether the first OTP value and the second OTP value are the same, if so, performs step 312, and if not, performs step 313;
step 312, the HSM device sends the token detection result of successful detection to the production tool, and executes step 314;
specifically, the token detection result of successful detection is as follows: the detection is successful.
Step 313, the HSM device sends the token detection result of the detection failure to the production tool, and executes step 314;
specifically, the detection result of the token with failed detection is as follows: the detection fails.
At step 314, the production tool displays the received token detection results.
When the production tool displays that the received token is successfully detected in step 314, step 314 is followed by: the production tool sends an instruction to the OTP token to close the port.
When the production tool displays a failed detection result in step 314, step 314 further comprises: the production tool displays the reason for the detection failure, such as excessive time drift, a communication failure or a power failure.
In this embodiment, the execution sequence of steps 301 to 303 and 304 to 305 may be interchanged.
In the process of detecting the OTP token in this embodiment, when the HSM device is provided with a timer, as shown in fig. 5, the steps 308-311 can be replaced by the following steps 308 '-311':
step 308', the production tool sends the first OTP value and the searched ciphertext seed corresponding to the token serial number to the HSM device;
309', the HSM equipment decrypts according to a preset algorithm and the ciphertext seed to obtain a plaintext seed;
step 310', the HSM device generates a second OTP value set according to the plaintext seed and the current time of the HSM device by using a preset algorithm;
in this step, the HSM device uses the same preset algorithm as the one used by the token to generate the first OTP value in step 305.
In this step, specifically, the HSM device calculates the time forward and backward at predetermined time intervals by using the current time of the HSM device as a reference time, respectively, to obtain a set of time factors, and the HSM device calculates a set of obtained time factors according to the plaintext seed by using a preset algorithm to generate the second OTP value group.
Preferably, the predetermined time interval is 60 seconds.
For example, taking the current time of the HSM device as the reference time and stepping forward and backward at the predetermined interval of 60 seconds yields the set of time factors: 1531462211, 1531462271, 1531462331.
The HSM device uses SHA1 algorithm to calculate from the plaintext seed 613B236B80E75EA1267A7E8CBACA0ABA809CD326 the above set of time factors to generate a second set of OTP values: 038399, 630842, 720090.
In step 311', the HSM device determines whether the first OTP value is the same as one of the second set of OTP values, and if so, performs step 312, and if not, performs step 313.
In this embodiment, step 310' may be preceded by the HSM device determining whether its current time is consistent with the GPS time; if so, step 310' is executed, and if not, the current time of the HSM device is calibrated to the GPS time first.
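The detection flow of steps 301-316, the timeliness check of steps 307-1 to 307-4 (steps C1-1 to C1-4 of Example 1), and the HSM-timer variant of steps 308'-311' can be exercised end to end in one process. The following is an added example, not the patent's or Feitian's code, and it makes two assumptions where the page is silent: the "preset algorithm" is modelled as HMAC-SHA1 with RFC 4226 dynamic truncation applied to the raw Unix-second time factor (the page's time factors 1531462211/1531462271/1531462331 are raw seconds 60 apart), so the page's OTP values such as 630842 are not reproduced and RFC 4226 test vectors are used to check the OTP function instead; and the SM4 decryption of step 309 is omitted, the HSM side being handed the plaintext seed directly. The GPS and HSM clock values are constructed, since the page does not give them.

```python
"""Detection flow of steps 301-316 and the HSM-timer variant of steps
308'-311', simulated in one process. Added example, not the patent's code.
Assumptions: HMAC-SHA1 with RFC 4226 truncation over the raw Unix-second
time factor stands in for the page's unspecified 'preset algorithm', and
SM4 decryption of the ciphertext seed (step 309) is omitted."""
from __future__ import annotations
import hashlib
import hmac
import struct
from typing import Optional


def otp(seed: bytes, time_factor: int, digits: int = 6) -> str:
    """Token side (step 305) and HSM side (steps 310/310'): OTP from seed and time."""
    mac = hmac.new(seed, struct.pack(">Q", time_factor), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def timeliness_ok(token_now: int, token_start: int, gps_now: int, limit: float = 0.3) -> bool:
    """Steps 307-1 to 307-4: drift since programming divided by the time since
    programming must stay below the preset value. Two additions beyond the
    page: the drift is taken as an absolute value so a fast-running token
    fails too, and a token whose clock has not advanced since programming is
    rejected instead of dividing by zero."""
    first_diff = token_now - token_start          # step 307-1
    if first_diff <= 0:
        return False
    second_diff = abs(gps_now - token_now)        # step 307-2
    return second_diff / first_diff < limit       # steps 307-3, 307-4


def hsm_verify(seed: bytes, first_otp: str, hsm_now: int,
               step: int = 60, window: int = 1) -> Optional[int]:
    """Steps 310'-311': build the second OTP group for hsm_now +/- window*step
    and return the time factor whose OTP matches the first OTP, or None."""
    for k in range(-window, window + 1):
        t = hsm_now + k * step
        if hmac.compare_digest(otp(seed, t), first_otp):
            return t
    return None


def detect(seed: bytes, token_now: int, token_start: int, gps_now: int, hsm_now: int) -> str:
    """Production-tool flow: fail on timeliness (step 307) before involving the HSM."""
    if not timeliness_ok(token_now, token_start, gps_now):
        return "detection failed: excessive time drift"
    first_otp = otp(seed, token_now)              # produced by the token in step 305
    if hsm_verify(seed, first_otp, hsm_now) is None:
        return "detection failed"
    return "detection succeeded"


# Sample run with the page's seed and token time (2018-07-13 14:11:11 UTC+8 is
# 1531462271, the page's middle time factor) and start time 10:10:11 the same
# day. GPS_NOW and HSM_NOW are constructed values; the page does not give them.
SEED = bytes.fromhex("613B236B80E75EA1267A7E8CBACA0ABA809CD326")
TOKEN_NOW = 1531462271
TOKEN_START = TOKEN_NOW - (4 * 3600 + 60)
GPS_NOW, HSM_NOW = 1531462280, 1531462211

if __name__ == "__main__":
    print(detect(SEED, TOKEN_NOW, TOKEN_START, GPS_NOW, HSM_NOW))
```

Returning the matching time factor from hsm_verify rather than a bare boolean lets the production tool log how far the token's clock sits from the HSM's clock, which is the same quantity the "excessive time drift" failure reason of step 314 reports.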
Example 3
As shown in fig. 6, the present embodiment provides a system 600 for secure production and detection of OTP tokens, which includes a production tool apparatus 601 and an HSM apparatus 602, where the production tool apparatus 601 includes:
a grab and place module 6011, configured to grab the OTP token, to place the OTP token in a readable position, and to place the OTP token at a specified position according to the detection result;
a searching module 6012, configured to search for a first ciphertext seed corresponding to the device identifier of the OTP token;
a first receiving module 6013, configured to receive a first one-time password generated by the OTP token; also used for receiving the plaintext seed sent by the HSM device 602; is also used for receiving the detection result sent by the HSM device 602;
a first sending module 6014, configured to send the first ciphertext seed to the HSM device 602, and also to send the first ciphertext seed and the first one-time password to the HSM device 602;
a writing module 6015, configured to write the plaintext seed received by the first receiving module 6013 into the OTP token;
the HSM device 602 includes:
a second receiving module 6021, configured to receive the first ciphertext seed sent by the production tool apparatus 601; the system is also used for receiving a first one-time password sent by the production tool;
the second decryption module 6022 is configured to decrypt the first ciphertext seed to obtain a plaintext seed;
a second generating module 6023, configured to generate a second one-time password according to the plaintext seed;
a comparison module 6024, configured to compare the first one-time password with the second one-time password to obtain a detection result;
a second sending module 6025, configured to send the plaintext seed to the production tool apparatus 601; and is further configured to send the detection result obtained by the comparison module 6024 to the production tool apparatus 601.
In this embodiment, the device identification is a token serial number.
In this embodiment, the first sending module 6014 is further configured to send an instruction to read the device identifier to the OTP token, and also to send an instruction to read the one-time password to the OTP token;
the first receiving module 6013 is further configured to receive a device identifier sent by the OTP token;
the searching module 6012 is specifically configured to search, according to the device identifier, a first ciphertext seed corresponding to the device identifier.
In this embodiment, the production tool apparatus 601 further includes a display module, configured to display the detection result received by the first receiving module 6013.
In this embodiment, the grabbing and placing module 6011 is further configured to, when the detection result is successful, place the OTP token at a first specified location; and when the detection result is failure, the production tool places the OTP token at a second appointed position.
In this embodiment, the production tool apparatus 601 further includes a first determining module, configured to determine a placement position of the OTP token according to the detection result, and further configured to determine whether the OTP token can be placed in the placement position;
the grabbing and placing module 6011 is specifically configured to, when the first determining module determines that the OTP token can be placed in the placing position, place the OTP token in the placing position;
the production tool device 601 further comprises a prompting module for prompting to empty the placing position when the first judging module judges that the placing position can not place the OTP token.
In this embodiment, the production tool apparatus 601 further includes an obtaining module, configured to obtain a current time of the OTP token and a starting time of the OTP token;
the production tool device 601 further comprises a first judging module, configured to judge whether the timeliness of the OTP token is valid according to the current time and the start time;
the first sending module 6014 is specifically configured to, when the first determining module determines that the timeliness of the OTP token is valid, send the first ciphertext seed and the first one-time password to the HSM device;
the production tool apparatus 601 further comprises a display module for displaying the detection failure when the first judgment module judges that the OTP token is invalid for time effectiveness.
In this embodiment, the production tool further includes a calculation module, configured to subtract the start time from the current time to obtain a first time difference value, subtract the current time from the acquired global positioning time to obtain a second time difference value, and divide the second time difference value by the first time difference value to obtain a first result;
the first judging module is specifically configured to judge whether the first result is smaller than a preset value to judge whether the time efficiency of the OTP token is valid.
In this embodiment, the first sending module 6014 is specifically configured to send the first ciphertext seed, the first one-time password, and the current time of the OTP token to the HSM device;
the second generating module 6023 is specifically configured to generate the second one-time password according to the plaintext seed and the current time of the OTP token.
In this embodiment, the second generating module 6023 is specifically configured to generate the second one-time password group according to the plaintext seed and the current time of the HSM device 602;
the comparison module 6024 is specifically configured to compare whether the first one-time password is the same as one-time password in the second one-time password group, obtain a comparison result, and use the comparison result as a detection result.
In this embodiment, the display module displays that the detection result is successful;
the first sending module 6014 is further configured to send a port closing instruction to the one-time password token when the display module displays that the detection result is successful.
In this embodiment, the second sending module 6025 is further configured to send a request for generating a random number to the production tool apparatus 601;
the production tool apparatus 601 further comprises a first generation module for generating a first random number;
the first sending module 6014 is further configured to send the first random number to the HSM device 602;
the HSM device 602 further includes a second encryption module, configured to encrypt the plaintext seed using the first random number and a predetermined algorithm to obtain a second ciphertext seed, and send the second ciphertext seed to the production tool device 601;
the production tool apparatus 601 further includes a first decryption module, configured to decrypt the second ciphertext seed using the first random number to obtain a plaintext seed.
In this embodiment, the second sending module 6025 is further configured to send a request for generating a random number to the production tool apparatus 601, and also to send the third ciphertext seed to the production tool apparatus 601;
the first receiving module 6013 is configured to receive the request for generating the random number sent by the second sending module 6025, and also to receive the second random number sent by the OTP token;
the first sending module 6014 is configured to send a request to generate a random number to the OTP token, to send the second random number received from the OTP token to the HSM device 602, and to send the third ciphertext seed to the OTP token;
the HSM device 602 further includes a second encryption module, configured to encrypt the plaintext seed by using a second random number according to a preset algorithm to obtain a third ciphertext seed;
the write module 6015 is replaced with: the OTP token is used for decrypting the third ciphertext seed by using a second random number to obtain a plaintext seed and storing the plaintext seed;
the OTP token is also used to generate a second random number.
In this embodiment, the system 600 further includes an OTP token, configured to generate a third random number and send it to the production tool apparatus 601, and to decrypt the received fourth ciphertext seed with the third random number and store the resulting plaintext seed;
the production tool apparatus 601 further comprises: the first encryption module is used for encrypting the received plaintext seeds to obtain fourth ciphertext seeds;
a first sending module 6014, configured to send a request to generate a random number to the OTP token; and is further configured to send the fourth ciphertext seed to the OTP token.
In this embodiment, the first sending module 6014 is configured to send a request for obtaining the device identifier and a random number to the OTP token, to send the first ciphertext seed and the fourth random number to the HSM device 602, and to send the fifth ciphertext seed to the OTP token;
the system further comprises an OTP token, configured to generate a fourth random number and send the fourth random number and the device identifier to the production tool apparatus 601, and to decrypt the fifth ciphertext seed with the fourth random number to obtain the plaintext seed and store it;
a searching module 6012, configured to search for a first ciphertext seed corresponding to the token identifier;
the second decryption module 6022 is configured to decrypt the first ciphertext seed to obtain a plaintext seed;
the HSM device 602 further includes a second encryption module, configured to encrypt the plaintext seed by using a fourth random number to obtain a fifth ciphertext seed;
the second sending module 6025 is further configured to send the fifth ciphertext seed to the production tool apparatus 601.
The above description is only a preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (24)

1. A method for the secure production and detection of dynamic tokens, the method comprising a process for burning dynamic tokens and a process for detecting dynamic tokens, the process for burning dynamic tokens comprising the steps of:
step A0, the production tool executes the operation of grabbing the dynamic token and placing the dynamic token in a readable position;
step A1, the production tool searches a first ciphertext seed corresponding to the device identifier of the dynamic token;
step A2, the production tool sends the first ciphertext seed to a hardware security module device;
step A3, the hardware security module device decrypts the first ciphertext seed according to a key and a decryption algorithm stored in the hardware security module device to obtain a plaintext seed, and sends the plaintext seed to the production tool;
step A4, the production tool writes the plaintext seed into the dynamic token;
the process of detecting a dynamic token comprises the steps of:
step B1, the production tool searches a first ciphertext seed corresponding to the device identifier of the dynamic token, and receives a first one-time password generated by the dynamic token by using a preset algorithm according to the current time of the dynamic token, together with the current time of the dynamic token and the starting time of the dynamic token; wherein the starting time of the dynamic token is the time at which the seed was written into the dynamic token;
step B2, the production tool sends the first ciphertext seed, the first one-time password and the current time of the dynamic token to a hardware security module device;
step B3, the hardware security module device decrypts the received first ciphertext seed to obtain a plaintext seed;
step B4, the hardware security module device uses the preset algorithm to generate a second one-time password according to the plaintext seed and the current time of the dynamic token;
step B5, the hardware security module device compares the first one-time password with the second one-time password to obtain a detection result;
step B6, the hardware security module device sends the detection result to the production tool;
step B7, the production tool places the dynamic token at a designated position according to the detection result;
said step B1 further comprises said production tool obtaining a current time of said dynamic token and a start time of said dynamic token;
the step B1 is further followed by the step C: the production tool judges whether the timeliness of the dynamic token is effective or not according to the current time and the starting time, if so, the step B2 is executed, and if not, the production tool displays that the detection fails;
wherein, the production tool judges whether the timeliness of the dynamic token is valid according to the current time and the start time, and specifically includes:
step C1-1, the production tool subtracting the starting time from the current time to obtain a first time difference value;
step C1-2, the production tool subtracts the current time from the acquired global positioning time to obtain a second time difference value;
step C1-3, the production tool divides the second time difference value by the first time difference value to obtain a first result;
step C1-4, the production tool determines whether the first result is less than a predetermined value.
2. The method of claim 1, wherein the device identification is a token serial number.
3. The method according to claim 1, wherein the step A1 specifically comprises:
step A1-1, the production tool sends an instruction for reading the device identification to the dynamic token;
step A1-2, the dynamic token sends the device identification of the dynamic token to the production tool;
step A1-3, the production tool receives the device identification;
step A1-4, the production tool searches a first ciphertext seed corresponding to the device identification according to the device identification;
the step B1 specifically includes:
step B1-1, the production tool sends an instruction for reading the device identification to the dynamic token;
step B1-2, the dynamic token sends the device identification to the production tool;
step B1-3, the production tool searches a first ciphertext seed corresponding to the device identification according to the received device identification;
step B1-4, the production tool sends an instruction for reading the one-time password to the dynamic token;
step B1-5, the dynamic token generates a first one-time password according to the instruction;
step B1-6, the dynamic token sends the first one-time password to the production tool.
4. The method of claim 1, wherein the step A4 is further followed by:
step A5, the dynamic token sends the burning result to the production tool;
step A6, the production tool displays the burning result;
the step B6 is further followed by:
step B7, the production tool displays the detection result.
5. The method of claim 1, wherein the step B7 specifically includes: when the detection result is successful, the production tool places the dynamic token at a first designated position; and when the detection result is failure, the production tool places the dynamic token at a second designated position.
6. The method of claim 1, wherein the step B7 specifically includes: the production tool determines the placement position of the dynamic token according to the detection result, judges whether the dynamic token can be placed at the placement position, places the dynamic token at the placement position if it can, and prompts to empty the placement position if it cannot.
7. The method according to claim 1, wherein the step B4 specifically comprises: the hardware security module device takes the current time of the hardware security module device as a reference time, calculates forwards and backwards from the reference time at a preset time interval to obtain a group of time factors, and calculates according to the plaintext seed and the group of time factors by using the preset algorithm to generate a second one-time password group;
the step B5 specifically includes: the hardware security module device compares whether the first one-time password is the same as any one-time password in the second one-time password group, obtains a comparison result, and takes the comparison result as the detection result.
8. The method of claim 5, wherein, when the production tool displays that the detection result is successful, the step B7 further includes: the production tool sends a port closing instruction to the one-time password token.
9. The method of claim 1, wherein the sending of the plaintext seed to the production tool in the step A3 is replaced with:
step D1, the hardware security module device sends a request for generating a random number to the production tool;
step D2, the production tool generates a first random number and sends the first random number to the hardware security module device;
step D3, the hardware security module device encrypts the plaintext seed by using the first random number and a preset algorithm to obtain a second ciphertext seed, and sends the second ciphertext seed to the production tool;
step D4, the production tool decrypts the second ciphertext seed by using the first random number to obtain the plaintext seed.
10. The method of claim 1, wherein the sending of the plaintext seed to the production tool in the step A3 is replaced with:
step D1', the hardware security module device sends a request for generating a random number to the production tool;
step D2', the production tool sends the request for generating a random number to the dynamic token;
step D3', the dynamic token generates a second random number and sends the second random number to the production tool;
step D4', the production tool sends the second random number to the hardware security module device;
step D5', the hardware security module device encrypts the plaintext seed by using the second random number according to a preset algorithm to obtain a third ciphertext seed, and sends the third ciphertext seed to the production tool;
step D6', the production tool sends the third ciphertext seed to the dynamic token;
the step A4 is replaced by: the dynamic token decrypts the third ciphertext seed by using the second random number to obtain the plaintext seed, and stores the plaintext seed.
11. The method of claim 1, wherein the step A4 is replaced by the steps of:
step E1, the production tool sends a request for generating a random number to the dynamic token;
step E2, the dynamic token generates a third random number and sends the third random number to the production tool;
step E3, the production tool encrypts the received plaintext seed by using the third random number to obtain a fourth ciphertext seed, and sends the fourth ciphertext seed to the dynamic token;
step E4, the dynamic token decrypts the received fourth ciphertext seed by using the third random number and stores the decrypted seed.
12. The method of claim 1, wherein the steps A1-A4 are replaced by the steps of:
step A1', the production tool sends a request for obtaining the device identification and generating a random number to the dynamic token;
step A2', the dynamic token generates a fourth random number and sends the fourth random number and the device identification to the production tool;
step A3', the production tool searches a first ciphertext seed corresponding to the device identification;
step A4', the production tool sends the first ciphertext seed and the fourth random number to the hardware security module device;
step A5', the hardware security module device decrypts the first ciphertext seed to obtain a plaintext seed, encrypts the plaintext seed by using the fourth random number to obtain a fifth ciphertext seed, and sends the fifth ciphertext seed to the production tool;
step A6', the production tool sends the fifth ciphertext seed to the dynamic token;
step A7', the dynamic token decrypts the fifth ciphertext seed by using the fourth random number to obtain the plaintext seed, and stores the plaintext seed.
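The random-number-wrapped seed transport of claims 9 to 12, in its claim-12 form (the token supplies its device identifier and the fourth random number in one exchange, the HSM decrypts the first ciphertext seed and re-encrypts it under that random number, and only the token can unwrap the fifth ciphertext seed), as an added Python example; it is not part of the patent and not Feitian's own code. The patent leaves the "preset algorithm" unspecified, so the block assumes a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC-SHA256 tag) in place of a real HSM cipher, and treats the token's 32-byte random number directly as the wrapping key. Class names, the device-identifier lookup table and the sample seed are constructed for the example. The integrity tag covers the failure mode the claims leave implicit: a fifth ciphertext seed altered in transit is rejected by the token instead of being stored as a corrupt seed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32
SAMPLE_SEED = b"12345678901234567890"  # constructed sample seed


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one wrapping key (assumed scheme)."""
    return (hmac.new(key, b"seed-enc", hashlib.sha256).digest(),
            hmac.new(key, b"seed-mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stand-in for a real HSM cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_seed(key: bytes, seed: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(seed, _keystream(enc_key, nonce, len(seed))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt_seed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modification or wrong key raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext seed too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext seed failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class HsmDevice:
    """Hardware security module device: the only party holding the master key."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key

    def create_first_ciphertext_seed(self, plaintext_seed: bytes) -> bytes:
        # The first ciphertext seed is what the production tool stores per device identifier.
        return encrypt_seed(self._master_key, plaintext_seed)

    def rewrap_seed(self, first_ciphertext_seed: bytes, fourth_random: bytes) -> bytes:
        # Step A5': decrypt under the master key, re-encrypt under the token's random number.
        return encrypt_seed(fourth_random, decrypt_seed(self._master_key, first_ciphertext_seed))


class DynamicToken:
    """Token side: generates the fourth random number and unwraps the fifth ciphertext seed."""

    def __init__(self, device_id: str):
        self.device_id, self._fourth_random, self._seed = device_id, None, None

    def identifier_and_random(self):
        # Step A2': answer the combined request with the device identifier and a fresh random number.
        self._fourth_random = secrets.token_bytes(32)
        return self.device_id, self._fourth_random

    def store_fifth_ciphertext_seed(self, fifth_ciphertext_seed: bytes) -> None:
        # Step A7': unwrap with the random number from step A2' and store the plaintext seed.
        self._seed = decrypt_seed(self._fourth_random, fifth_ciphertext_seed)

    def seed_fingerprint(self):
        # Constructed helper: lets the tool confirm a seed is stored without reading it back.
        return hashlib.sha256(self._seed).hexdigest() if self._seed is not None else None


def burn_token(seed_database: dict, hsm: HsmDevice, token: DynamicToken) -> bool:
    """Production-tool side of steps A1' to A7'; only wrapped seeds ever pass through the tool."""
    device_id, fourth_random = token.identifier_and_random()                     # A1', A2'
    fifth_ciphertext_seed = hsm.rewrap_seed(seed_database[device_id], fourth_random)  # A3'-A5'
    token.store_fifth_ciphertext_seed(fifth_ciphertext_seed)                     # A6', A7'
    return token.seed_fingerprint() is not None


def tamper_is_detected(key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext byte and confirm the receiver refuses the seed."""
    corrupted = bytearray(blob)
    corrupted[NONCE_LEN] ^= 0x01
    try:
        decrypt_seed(key, bytes(corrupted))
    except ValueError:
        return True
    return False


def demo_claim12_flow() -> dict:
    """Run the claim-12 exchange end to end on a constructed one-token database."""
    hsm = HsmDevice(secrets.token_bytes(32))
    seed_database = {"SN-0001": hsm.create_first_ciphertext_seed(SAMPLE_SEED)}
    token = DynamicToken("SN-0001")
    return {
        "burned": burn_token(seed_database, hsm, token),
        "seed_matches": token.seed_fingerprint() == hashlib.sha256(SAMPLE_SEED).hexdigest(),
        "tamper_detected": tamper_is_detected(b"\x02" * 32, encrypt_seed(b"\x02" * 32, SAMPLE_SEED)),
    }
```

The claim-9 to claim-11 variants differ only in which party generates the random number and which party unwraps the result; all of them reduce to the same `encrypt_seed` / `decrypt_seed` pair with a different key holder. In every variant the production tool holds either the first ciphertext seed (usable only with the HSM master key) or a seed wrapped under a random number it never generated, so compromising the tool's storage alone does not yield a plaintext seed.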
13. A system for secure production and detection of dynamic tokens, the system comprising a production tool device and a hardware security module device, the production tool device comprising:
the grabbing and placing module, configured to execute the operation of grabbing the dynamic token; further configured to place the dynamic token in a readable position; and further configured to place the dynamic token at a designated position according to the detection result;
the searching module is used for searching a first ciphertext seed corresponding to the equipment identifier of the dynamic token;
the first receiving module, configured to receive a first one-time password generated by the dynamic token by using a preset algorithm according to the current time of the dynamic token, together with the current time of the dynamic token and the starting time of the dynamic token; further configured to receive a plaintext seed sent by the hardware security module device; and further configured to receive a detection result sent by the hardware security module device; wherein the starting time of the dynamic token is the time at which the seed was written into the dynamic token;
the first sending module, configured to send the first ciphertext seed to the hardware security module device; and further configured to send the first one-time password and the current time of the dynamic token to the hardware security module device;
the writing module is used for writing the plaintext seed received by the first receiving module into the dynamic token;
the hardware security module apparatus includes:
the second receiving module, configured to receive the first ciphertext seed sent by the production tool device; and further configured to receive the first one-time password sent by the production tool device;
the second decryption module is used for decrypting the first ciphertext seed to obtain the plaintext seed;
the first generation module is used for generating a second one-time password according to the plaintext seed and the current time of the dynamic token by using the preset algorithm;
the comparison module is used for comparing the first one-time password with the second one-time password to obtain the detection result;
the second sending module, configured to send the plaintext seed to the production tool device; and further configured to send the detection result obtained by the comparison module to the production tool device;
the production tool device further comprises an acquisition module, configured to acquire the current time of the dynamic token and the starting time of the dynamic token;
the production tool device also comprises a second judging module for judging whether the timeliness of the dynamic token is effective or not according to the current time and the starting time;
the first sending module is specifically configured to send the first ciphertext seed and the first one-time password to the hardware security module device when the second determining module determines that the timeliness of the dynamic token is valid;
the production tool device further comprises a display module, which is used for displaying detection failure when the second judging module judges that the timeliness of the dynamic token is invalid;
the production tool device further comprises a calculation module, configured to subtract the starting time from the current time to obtain a first time difference value, subtract the current time from the acquired global positioning time to obtain a second time difference value, and divide the first time difference value by the second time difference value to obtain a first result;
the second judging module is specifically configured to judge whether the first result is smaller than a preset value to judge whether the timeliness of the dynamic token is valid.
14. The system of claim 13, wherein the device identification is a token serial number.
15. The system of claim 13,
the first sending module is further configured to send an instruction for reading the device identifier to the dynamic token; and further configured to send an instruction for reading the one-time password to the dynamic token;
the first receiving module is further configured to receive a device identifier sent by the dynamic token;
the searching module is specifically configured to search for a first ciphertext seed corresponding to the device identifier according to the device identifier.
16. The system of claim 13, wherein the production tool device further comprises a display module for displaying the detection results received by the first receiving module.
17. The system of claim 13, wherein the grabbing and placing module is further configured to place the dynamic token at a first designated position when the detection result is successful, and to place the dynamic token at a second designated position when the detection result is failure.
18. The system of claim 13, wherein the production tool device further comprises a first determining module, configured to determine a placement position of the dynamic token according to the detection result, and further configured to determine whether the placement position can place the dynamic token;
the grabbing and placing module is specifically configured to place the dynamic token at the placing position when the first determining module determines that the dynamic token can be placed at the placing position;
the production tool device further comprises a prompting module used for prompting to clear the placing position when the first judging module judges that the placing position cannot place the dynamic token.
19. The system according to claim 13, wherein the first generation module is specifically configured to take the current time of the hardware security module device as a reference time, calculate forwards and backwards from the reference time at a preset time interval to obtain a group of time factors, and calculate according to the plaintext seed and the group of time factors by using the preset algorithm to generate a second one-time password group;
the comparison module is specifically configured to compare whether the first one-time password is the same as any one-time password in the second one-time password group, obtain a comparison result, and take the comparison result as the detection result.
20. The system of claim 16, wherein the display module displays that the detection result is successful;
the first sending module is further configured to send a port closing instruction to the one-time password token when the display module displays that the detection result is successful.
21. The system of claim 13,
the second sending module is further configured to send a request for generating a random number to the production tool device;
the production tool apparatus further comprises a first generation module for generating a first random number;
the first sending module is further configured to send the first random number to a hardware security module device;
the hardware security module device also comprises a second encryption module, which is used for encrypting a plaintext seed by using the first random number and a preset algorithm to obtain a second ciphertext seed and sending the second ciphertext seed to the production tool device;
the production tool device further comprises a first decryption module, which is used for decrypting the second ciphertext seed by using the first random number to obtain the plaintext seed.
22. The system of claim 13,
the second sending module is further configured to send a request for generating a random number to the production tool device; and further configured to send a third ciphertext seed to the production tool apparatus;
the first receiving module is configured to receive the request for generating the random number sent by the second sending module; and further configured to receive the second random number sent by the dynamic token;
the first sending module is configured to send the request for generating the random number to the dynamic token; further configured to send the second random number sent by the dynamic token to the hardware security module device; and further configured to send the third ciphertext seed to the dynamic token;
the hardware security module device also comprises a second encryption module, which is used for encrypting the plaintext seed by using the second random number according to a preset algorithm to obtain a third ciphertext seed;
the write module is replaced by: the dynamic token is used for decrypting the third ciphertext seed by using the second random number to obtain a plaintext seed and storing the plaintext seed;
the dynamic token is also used to generate the second random number.
23. The system of claim 13,
the system further comprises the dynamic token, configured to generate a third random number and further configured to send the third random number to the production tool device; and further configured to decrypt the received fourth ciphertext seed by using the third random number and to store the decrypted seed;
the production tool apparatus further comprises: the first encryption module is used for encrypting the received plaintext seeds to obtain fourth ciphertext seeds;
the first sending module is further configured to send a request for generating a random number to the dynamic token; and is further configured to send the fourth ciphertext seed to the dynamic token.
24. The system of claim 13,
the first sending module is configured to send a request for acquiring the device identifier and a random number to the dynamic token; further configured to send the first ciphertext seed and the fourth random number to the hardware security module device; and further configured to send a fifth ciphertext seed to the dynamic token;
the system further comprises the dynamic token, configured to generate a fourth random number and further configured to send the fourth random number and the device identifier to the production tool device; and further configured to decrypt the fifth ciphertext seed by using the fourth random number to obtain the plaintext seed, and to store the plaintext seed;
the searching module is used for searching a first ciphertext seed corresponding to the equipment identifier;
the second decryption module is used for decrypting the first ciphertext seed to obtain a plaintext seed;
the hardware security module device further comprises a second encryption module, configured to encrypt the plaintext seed using the fourth random number to obtain the fifth ciphertext seed;
the second sending module is further configured to send the fifth ciphertext seed to the production tool device.
CN201811547353.8A 2018-12-18 2018-12-18 Method and system for safely producing and detecting dynamic token Active CN109450647B (en)


Publications (2)

Publication Number Publication Date
CN109450647A CN109450647A (en) 2019-03-08
CN109450647B true CN109450647B (en) 2022-04-29

Family

ID=65559474


Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102882678A (en) * 2012-07-02 2013-01-16 飞天诚信科技股份有限公司 Method and system for programming seeds in non-contact manner
WO2013023478A1 (en) * 2011-08-17 2013-02-21 东信和平科技股份有限公司 Sim module based usbkey encryption/decryption system and encryption/decryption method
CN103457739A (en) * 2013-09-06 2013-12-18 北京握奇智能科技有限公司 Method and device for acquiring dynamic token parameters
CN103647645A (en) * 2013-11-05 2014-03-19 北京宏基恒信科技有限责任公司 Method, system and equipment for dynamic password authentication of multiple authentication servers
CN103746801A (en) * 2014-01-21 2014-04-23 北京智控美信信息技术有限公司 Method for protecting dynamic password seed key on smart phone or tablet personal computer
CN104660410A (en) * 2014-05-23 2015-05-27 北京集联网络技术有限公司 Token parameter filling equipment, filling data processing equipment and filling method
CN104796264A (en) * 2015-05-05 2015-07-22 苏州海博智能系统有限公司 Seed key update method based on non-contact manner, dynamic token and system
CN105812395A (en) * 2016-05-24 2016-07-27 飞天诚信科技股份有限公司 NFC dynamic token and method for programming seed secret key in NFC dynamic token
CN106100830A (en) * 2016-05-24 2016-11-09 飞天诚信科技股份有限公司 A kind of method and apparatus writing seed key in NFC dynamic token
CN106209375A (en) * 2016-06-28 2016-12-07 国信安泰(武汉)科技有限公司 A kind of method utilizing digital certificate to carry out seed key of dynamic token injection and renewal
WO2018201991A1 (en) * 2017-05-03 2018-11-08 腾讯科技(深圳)有限公司 Data processing method, system, apparatus, storage medium, and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant