CN110278214B - Method for realizing safe remote killing processing aiming at intelligent chip card - Google Patents

Publication number: CN110278214B
Authority: CN (China)
Prior art keywords: authentication; chip card; session key; verification; intelligent chip
Legal status: Active
Application number: CN201910620824.1A
Other languages: Chinese (zh)
Other versions: CN110278214A (en)
Inventors: 邹翔, 陈兵, 梁皓, 倪力舜, 代乾坤, 杨明慧
Current Assignee: Third Research Institute of the Ministry of Public Security
Original Assignee: Third Research Institute of the Ministry of Public Security
Application filed by: Third Research Institute of the Ministry of Public Security

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06K: GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K17/00: Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations
    • G06K17/0022: Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations arrangements or provisions for transferring data to distant stations, e.g. from a sensing device
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0869: Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Abstract

The invention relates to a method for securely and remotely killing a smart chip card. It comprises a read authentication mechanism between a special machine tool and the smart chip card, a read authentication mechanism between an authentication system and the special machine tool, a write authentication mechanism between the smart chip card and the authentication system, and a smart chip card data reset and verification mechanism. With this method, the identity of the smart chip card can be authenticated, a cancelled smart chip card can be identified, and a secure remote kill channel can be established when no special machine tool is available, so that cancelled smart chip cards are remotely killed with high security and high reliability, and the security risk of inaccurate offline authentication of smart chip cards is effectively reduced.

Description

Method for realizing safe remote killing processing aiming at intelligent chip card
Technical Field
The invention relates to the field of identity authentication, in particular to identity authentication of smart chip cards, and specifically to a method for securely and remotely killing a smart chip card.
Background
At present, smart chip cards are widely used in fields such as finance, social security, transport and public security, in business applications such as financial IC cards, social security cards, transport all-purpose cards, resident identification cards and chip seals. Identity authentication of existing smart chip cards generally takes one of two forms: online authentication, in which the card is authenticated through an authentication service system on the server side, and offline authentication, in which the card is authenticated through a special machine tool on the client side. Cancellation of a smart chip card generally consists of injecting the business application data in the smart chip card into an authentication system and issuing cancellation status information. When a card is lost or in similar situations, the card itself is not cancelled and its business application data is still kept in the card, so there is the problem that a smart chip card that has actually been cancelled is still valid for offline authentication.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and to provide a method for securely and remotely killing a smart chip card that is accurate, effective, and simple to operate.
To achieve the above purpose, the method of the present invention is as follows:
The method is mainly characterized in that it comprises authenticating the identity of the smart chip card and establishing the secure remote kill channel when a special machine tool is available, specifically through the following steps:
(1-1) the special machine tool and the smart chip card complete bidirectional read authentication, and the verification client reads the unique code of the smart chip card and the first 255 bytes of service application data;
(1-2) the authentication system and the special machine tool negotiate a verification session key, and the verification client sends online authentication request information to the authentication system;
(1-3) the authentication system returns data to the verification client, with data integrity protected by the verification session key;
(1-4) the verification client sends a data reset request and clears the security state and the read-write permission of the smart chip card.
Preferably, step (1-1) specifically comprises the following steps:
(1-1.1) the special machine tool and the smart chip card complete bidirectional read authentication through the read authentication mechanism;
(1-1.2) the verification client reads the unique code of the smart chip card and the first 255 bytes of service application data, and judges whether the first 255 bytes of service application data are reset data; if so, it reports that the smart chip card has been cancelled and exits; otherwise, it continues with step (1-2).
Preferably, step (1-2) specifically comprises the following steps:
(1-2.1) the authentication system and the special machine tool complete bidirectional read authentication and negotiate a verification session key;
(1-2.2) the verification client sends online authentication request information to the authentication system, with data integrity protected by the verification session key.
Preferably, the online authentication request information consists of the unique code UID of the smart chip card and the unique code SAMID of the special machine tool.
Preferably, step (1-3) specifically comprises the following steps:
(1-3.1) the authentication system returns data to the verification client, with data integrity protected by the verification session key;
(1-3.2) the state of the smart chip card is checked; if it is normal, the service application data information of the smart chip card is returned and the procedure exits; otherwise, the authentication system and the smart chip card complete bidirectional write authentication and negotiate a remote kill session key through the write authentication mechanism between the authentication system and the smart chip card.
Preferably, step (1-4) specifically comprises the following steps:
(1-4.1) the verification client sends a data reset request to the authentication system, with data integrity protected by the remote kill session key;
(1-4.2) the authentication system returns data to the verification client, with data integrity protected by the remote kill session key;
(1-4.3) the verification client writes the reset data into the smart chip card;
(1-4.4) the verification client clears the security state of the smart chip card and clears the read-write permission of the smart chip card.
The method is further characterized in that it comprises a read authentication mechanism between the authentication system and the special machine tool when a special machine tool is available, specifically through the following steps:
(2-1) the verification client exchanges with the special machine tool the unique code of the special machine tool card, a get-random-number instruction and a get-authentication-code instruction; the special machine tool encrypts the random number Rc to obtain the authentication code Token1 and returns Token1 to the verification client;
(2-2) the authentication system uses the authentication communication protection master key to encrypt the diversification factor composed of a random number Rs and the Rc' obtained by decryption, obtaining the authentication code Token2;
(2-3) the special machine tool diversifies the authentication communication protection master key PMENC2 to obtain a session key SK, and obtains the verification session key by encrypting the special machine tool unique code SAMID with the session key SK;
(2-4) the authentication system generates the authentication communication protection master key PMENC2, obtains the verification session key from the session key SK, and adds the binding information of the special machine tool unique code SAMID and the verification session key to the memory list.
Preferably, step (2-1) specifically comprises the following steps:
(2-1.1) the verification client reads the unique code of the special machine tool card of the special machine tool;
(2-1.2) the verification client sends a get-random-number instruction to the special machine tool, and the special machine tool returns a random number Rc to the verification client;
(2-1.3) the verification client sends a get-authentication-code instruction to the special machine tool; the special machine tool encrypts the random number Rc with the distributed authentication communication protection master key to obtain the authentication code Token1, and returns Token1 to the verification client.
Preferably, step (2-2) specifically comprises the following steps:
(2-2.1) the verification client sends the special machine tool unique code SAMID and the authentication code Token1 to the authentication system;
(2-2.2) the authentication system derives the authentication communication protection master key by diversification from the unique code of the special machine tool, decrypts the authentication code Token1 to obtain the random number Rc', generates a random number Rs, and encrypts the diversification factor composed of Rs and Rc' with the authentication communication protection master key to obtain the authentication code Token2;
(2-2.3) the authentication system returns the unique code of the special machine tool and the authentication code Token2 to the verification client, and the verification client sends Token2 to the special machine tool.
Preferably, step (2-3) specifically comprises the following steps:
(2-3.1) the special machine tool decrypts the authentication code Token2 to obtain Rc' and Rs' and returns them to the verification client;
(2-3.2) the verification client compares Rc and Rc'; if they are consistent, it sends a compute-verification-session-key instruction to the special machine tool; otherwise it exits;
(2-3.3) the special machine tool diversifies the authentication communication protection master key PMENC2, using the random numbers Rc and Rs' as diversification factors, to obtain the session key SK; it encrypts the special machine tool unique code SAMID with SK to obtain the verification session key, and returns it to the verification client.
Preferably, step (2-4) specifically comprises the following steps:
(2-4.1) the authentication system derives the authentication communication protection master key PMENC2 by diversification from the unique code of the special machine tool, and diversifies PMENC2, using the random numbers Rc' and Rs as diversification factors, to obtain the session key SK;
(2-4.2) the authentication system encrypts the special machine tool unique code SAMID with the session key SK to obtain the verification session key, and adds the binding information of SAMID and the verification session key to the memory list.
The method is further characterized in that it comprises authenticating the identity of the smart chip card and establishing the secure remote kill channel when no special machine tool is available, specifically through the following steps:
(3-1) the authentication system and the smart chip card negotiate a verification session key, and the verification client sends online authentication request information to the authentication system;
(3-2) the authentication system returns data to the verification client, with data integrity protected by the verification session key, and the state of the smart chip card is checked; if it is normal, the service application data information of the smart chip card is returned and the procedure exits; otherwise, the authentication system and the smart chip card complete bidirectional write authentication and negotiate a remote kill session key through the write authentication mechanism between the authentication system and the smart chip card;
(3-3) the verification client sends a request for reset data to the authentication system, with data integrity protected by the remote kill session key, and clears the security state of the smart chip card.
Preferably, step (3-1) specifically comprises the following steps:
(3-1.1) the authentication system and the smart chip card complete bidirectional read authentication and negotiate a verification session key through the read authentication mechanism between the authentication system and the smart chip card;
(3-1.2) the verification client sends online authentication request information to the authentication system, with data integrity protected by the verification session key.
Preferably, the online authentication request information comprises the unique code of the smart chip card and the unique code of the special machine tool.
Preferably, step (3-3) specifically comprises the following steps:
(3-3.1) the verification client sends a request for reset data to the authentication system, with data integrity protected by the remote kill session key;
(3-3.2) the authentication system returns the reset data to the verification client, with data integrity protected by the remote kill session key;
(3-3.3) the verification client writes the reset data into the smart chip card;
(3-3.4) the verification client clears the security state of the smart chip card, which completes the clearing of the read-write permission of the smart chip card.
The method is further characterized in that it comprises a read authentication mechanism between the authentication system and the special machine tool when no special machine tool is available, specifically through the following steps:
(4-1) the verification client reads the unique code of the smart chip card, and the smart chip card sends a random number Rc to the verification client;
(4-2) the authentication system encrypts the data composed of the random numbers Rc and Rr to obtain a session key, encrypts the unique code of the smart chip card to obtain a verification session key, and adds the unique code of the smart chip card and the verification session key to the memory list;
(4-3) the verification client and the smart chip card obtain the verification session key through a read external authentication instruction and a read internal authentication instruction.
Preferably, step (4-1) specifically comprises the following steps:
(4-1.1) the verification client reads the unique code of the smart chip card and sends a get-random-number instruction to the smart chip card;
(4-1.2) the smart chip card returns the random number Rc to the verification client;
(4-1.3) the verification client sends the unique code of the smart chip card and the random number Rc to the authentication system.
Preferably, step (4-2) specifically comprises the following steps:
(4-2.1) the authentication system derives the read authentication master key by diversification from the unique code of the smart chip card, encrypts the random number Rc to obtain the authentication code Token1, generates a random number Rr, and returns Token1 and Rr to the verification client;
(4-2.2) the authentication system encrypts the data composed of the random numbers Rc and Rr with the read authentication master key to obtain the session key, encrypts the unique code of the smart chip card with the session key to obtain the verification session key, adds the unique code of the smart chip card and the verification session key to the memory list, and periodically removes verification session keys so that they time out and become invalid.
Preferably, step (4-3) specifically comprises the following steps:
(4-3.1) the verification client sends a read external authentication instruction containing the authentication code Token1 to the smart chip card;
(4-3.2) the smart chip card verifies the authentication code Token1 and returns the external authentication result to the verification client;
(4-3.3) the verification client sends a read internal authentication instruction to the smart chip card;
(4-3.4) the smart chip card encrypts the data composed of the random numbers Rc and Rr with the read authentication master key to obtain the session key, encrypts the unique code of the smart chip card with the session key to obtain the verification session key, and returns the verification session key to the verification client.
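An added example, not part of the patent text, simulating the read authentication of steps (4-1) to (4-3) between card, verification client and authentication system, followed by the integrity check of step (3-1.2) and the timeout of the memory list. Assumptions: the patent names no cipher, so HMAC-SHA256 stands in for every "encrypt" step; the class and function names, key sizes, 60-second lifetime and sample values are constructed, and Rr is assumed to travel in the internal authentication instruction.

```python
import hashlib
import hmac
import os
import time

def prf(key: bytes, data: bytes) -> bytes:
    # Stand-in for the patent's unspecified "encrypt" step (assumption: HMAC-SHA256
    # truncated to 16 bytes). Sufficient here because flow (4-x) never decrypts.
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def diversify(root_key: bytes, uid: bytes) -> bytes:
    # Per-card read authentication master key derived from the card's unique code.
    return prf(root_key, b"read-auth" + uid)

class SmartChipCard:
    def __init__(self, uid: bytes, read_master_key: bytes):
        self.uid = uid
        self._key = read_master_key       # personalised into the card at issuance
        self._rc = None
        self._system_ok = False

    def get_random(self) -> bytes:                            # step (4-1.2)
        self._rc, self._system_ok = os.urandom(8), False
        return self._rc

    def external_authenticate(self, token1: bytes) -> bool:   # steps (4-3.1)-(4-3.2)
        self._system_ok = self._rc is not None and hmac.compare_digest(
            token1, prf(self._key, self._rc))
        return self._system_ok

    def internal_authenticate(self, rr: bytes) -> bytes:      # steps (4-3.3)-(4-3.4)
        # Assumption: Rr arrives with this instruction; the page does not say how
        # the card receives it.
        if not self._system_ok:
            raise PermissionError("external authentication has not succeeded")
        session_key = prf(self._key, self._rc + rr)
        self._rc, self._system_ok = None, False               # Rc is single-use
        return prf(session_key, self.uid)                     # verification session key

class AuthenticationSystem:
    def __init__(self, root_key: bytes, ttl: float = 60.0, clock=time.monotonic):
        self._root, self._ttl, self._clock = root_key, ttl, clock
        self._memory_list = {}            # uid -> (verification session key, expiry)

    def start_read_auth(self, uid: bytes, rc: bytes):         # steps (4-2.1)-(4-2.2)
        key = diversify(self._root, uid)
        token1, rr = prf(key, rc), os.urandom(8)
        vsk = prf(prf(key, rc + rr), uid)
        self._memory_list[uid] = (vsk, self._clock() + self._ttl)
        return token1, rr

    def purge_expired(self) -> None:      # periodic removal of timed-out keys
        now = self._clock()
        for uid in [u for u, (_, exp) in self._memory_list.items() if exp <= now]:
            del self._memory_list[uid]

    def verify_request(self, uid: bytes, payload: bytes, mac: bytes) -> bool:
        # Integrity check on the online authentication request, step (3-1.2).
        self.purge_expired()
        entry = self._memory_list.get(uid)
        return entry is not None and hmac.compare_digest(mac, prf(entry[0], payload))

def read_authentication(card: SmartChipCard, system: AuthenticationSystem):
    # The verification client only relays messages; it never holds a master key.
    rc = card.get_random()                                # (4-1.1)-(4-1.2)
    token1, rr = system.start_read_auth(card.uid, rc)     # (4-1.3), (4-2)
    if not card.external_authenticate(token1):            # (4-3.1)-(4-3.2)
        return None
    return card.internal_authenticate(rr)                 # (4-3.3)-(4-3.4)

def demo() -> dict:
    root = bytes(range(32))                               # constructed demo root key
    uid = bytes.fromhex("0102030405060708")               # constructed card unique code
    now = [0.0]                                           # fake clock for the timeout
    system = AuthenticationSystem(root, ttl=60.0, clock=lambda: now[0])
    card = SmartChipCard(uid, diversify(root, uid))

    vsk = read_authentication(card, system)
    payload = b"online-auth|" + uid                       # constructed request body
    mac = prf(vsk, payload)
    results = {
        "genuine_request": system.verify_request(uid, payload, mac),
        "tampered_request": system.verify_request(uid, payload + b"x", mac),
    }
    now[0] = 61.0                                         # past the 60 s lifetime
    results["after_timeout"] = system.verify_request(uid, payload, mac)

    rogue = AuthenticationSystem(bytes(32))               # backend without the root key
    results["rogue_system"] = read_authentication(card, rogue)
    return results

if __name__ == "__main__":
    print(demo())
```

The card releases a verification session key only after the backend has proved knowledge of the per-card master key, and the backend accepts a request only while the matching key is still in its memory list.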
The method is further characterized in that it comprises a write authentication mechanism between the smart chip card and the authentication system, specifically through the following steps:
(5-1) the verification client reads the unique code of the smart chip card, and the smart chip card sends the unique code of the smart chip card and the authentication code Token1 to the verification client;
(5-2) the authentication system encrypts the unique code of the smart chip card with the session key to obtain the remote kill session key, and adds the binding information of the smart chip card unique code and the remote kill session key to the memory list;
(5-3) the verification client and the smart chip card obtain the remote kill session key through a write external authentication instruction and a write internal authentication instruction.
Preferably, step (5-1) specifically comprises the following steps:
(5-1.1) the verification client reads the unique code UID of the smart chip card;
(5-1.2) the verification client sends a get-authentication-code instruction to the smart chip card; the smart chip card generates a random number Rc, encrypts Rc with the verification session key to obtain the authentication code Token1, and returns Token1 to the verification client;
(5-1.3) the verification client sends the unique code of the smart chip card and the authentication code Token1 to the authentication system.
Preferably, step (5-2) specifically comprises the following steps:
(5-2.1) the authentication system decrypts the authentication code Token1 with the verification session key to obtain Rc', derives the write authentication master key by diversification from the unique code of the smart chip card, and encrypts Rc' with the write authentication master key to obtain the authentication code Token2;
(5-2.2) the authentication system generates a random number Rr, encrypts Rr with the write authentication master key to obtain the authentication code Token3, obtains a session key by diversification over the data composed of Rc and Rr, encrypts the unique code of the smart chip card with the session key to obtain the remote kill session key, adds the binding information of the smart chip card unique code and the remote kill session key to the memory list, and periodically removes remote kill session keys so that they time out and become invalid;
(5-2.3) the authentication system returns the authentication codes Token2 and Token3 to the verification client.
Preferably, step (5-3) specifically comprises the following steps:
(5-3.1) the verification client sends a write external authentication instruction containing Token2 to the smart chip card;
(5-3.2) the smart chip card verifies the authentication code Token2 and returns the external authentication result to the verification client; if verification of Token2 fails, the procedure exits; otherwise, the verification client sends a write internal authentication instruction to the smart chip card;
(5-3.3) the smart chip card decrypts the authentication code Token3 to obtain Rr', encrypts the data composed of Rr' and Rc with the write authentication master key to obtain the session key, encrypts the unique code of the smart chip card with the session key to obtain the remote kill session key, and returns the remote kill session key to the verification client.
With this method, when a special machine tool is available, the identity of the smart chip card can be authenticated, a cancelled smart chip card can be identified and the secure remote kill channel can be established; this case comprises the read authentication mechanism between the special machine tool and the smart chip card, the read authentication mechanism between the authentication system and the special machine tool, the write authentication mechanism between the smart chip card and the authentication system, and the smart chip card data reset and verification mechanism. When no special machine tool is available, the identity of the smart chip card can likewise be authenticated, a cancelled smart chip card identified and the secure remote kill channel established; this case comprises the read/write authentication mechanism between the smart chip card and the authentication system and the smart chip card data reset and verification mechanism. Cancelled smart chip cards are thereby remotely killed with high security and high reliability, and the security risk of inaccurate offline authentication of smart chip cards is effectively reduced.
Drawings
Fig. 1 is a schematic diagram of the smart chip card identity authentication and secure remote kill channel establishment mechanism when a special machine tool is available, according to the method of the present invention.
Fig. 2 is a schematic diagram of the authentication mechanism between the authentication system and the special machine tool when a special machine tool is available, according to the method of the present invention.
Fig. 3 is a schematic diagram of the smart chip card identity authentication and secure remote kill channel establishment mechanism when no special machine tool is available, according to the method of the present invention.
Fig. 4 is a schematic diagram of the authentication mechanism between the smart chip card and the authentication system when no special machine tool is available, according to the method of the present invention.
Fig. 5 is a schematic diagram of the write authentication mechanism between the smart chip card and the authentication system, according to the method of the present invention.
Detailed Description
In order to more clearly describe the technical contents of the present invention, the following further description is given in conjunction with specific embodiments.
The invention relates to a method for realizing safe remote killing processing aiming at an intelligent chip card, which comprises the following steps:
the method comprises the steps of realizing the identity authentication of the intelligent chip card and the establishment of the remote killing security channel under the condition of special machines and tools, and specifically comprises the following steps:
(1-1) the special machine and the intelligent chip card complete bidirectional reading authentication, and a verification client reads the unique code of the intelligent chip card and the first 255 bytes of service application data;
(1-1.1) the special machine and the intelligent chip card complete bidirectional reading authentication through a reading authentication mechanism;
(1-1.2) the verification client reads the unique code and the first 255 bytes of service application data of the intelligent chip card, judges whether the first 255 bytes of service application data are reset data, and prompts that the intelligent chip card is cancelled and exits the step if the first 255 bytes of service application data are reset data; otherwise, continuing the step (1-2);
(1-2) the authentication system and a special machine and tool negotiate a verification session key, and the verification client sends online authentication request information to the authentication system;
(1-2.1) the authentication system and the special machine complete reading bidirectional authentication and negotiate a verification session key;
(1-2.2) the verification client sends online authentication request information to an authentication system, and uses a verification session key for data integrity protection;
(1-3) the authentication system returns data to the verification client, and data integrity protection is performed through a verification session key;
(1-3.1) the authentication system returns data to the verification client, and data integrity protection is performed through a verification session key;
(1-3.2) judging whether the state of the intelligent chip card is normal or not, if so, returning the service application data information of the intelligent chip card and exiting the step; otherwise, the authentication system and the intelligent chip card complete the write bidirectional authentication and negotiate a remote kill session key through the write authentication mechanism between the authentication system and the intelligent chip card;
(1-4) the verification client sends a data resetting request and clears the security state and the read-write permission of the intelligent chip card;
(1-4.1) the verification client sends a data resetting request to the authentication system, and uses the remote kill session key for data integrity protection;
(1-4.2) the authentication system returns data to the verification client, and uses the remote kill session key for data integrity protection;
(1-4.3) the verification client writes reset data into the smart chip card;
and (1-4.4) the verification client side clears the security state of the intelligent chip card and clears the read-write permission of the intelligent chip card.
Preferably, the online authentication request information is a unique code UID of the smart chip card and a unique code SAMID of the special equipment.
The method for realizing the safe remote killing processing aiming at the intelligent chip card is mainly characterized by further comprising the step of realizing a reading authentication mechanism between an authentication system and a special machine under the condition of the special machine, and specifically comprises the following steps:
(2-1) the verification client and the special machine tool exchange the unique code of the special machine tool card, the random number fetching instruction and the authentication code fetching instruction; the special machine tool encrypts the random number Rc to obtain an authentication code Token1 and returns it to the verification client;
(2-1.1) the verification client reads the unique code of the special machine tool card of the special machine tool;
(2-1.2) the verification client sends a random number fetching instruction to the special machine tool, and the special machine tool returns a random number Rc to the verification client;
(2-1.3) the verification client sends an authentication code fetching instruction to the special tool, and the special tool encrypts the random number Rc by using the authentication communication protection master key obtained in a dispersed manner to obtain an authentication code Token1 and returns it to the verification client;
(2-2) the authentication system generates the authentication communication protection master key, decrypts Token1 to obtain Rc', and encrypts the dispersion factor synthesized from a random number Rs and Rc' with the authentication communication protection master key to obtain an authentication code Token2;
(2-2.1) the verification client sending the special-purpose tool unique code SAMID and the authentication code Token1 to the authentication system;
(2-2.2) the authentication system dispersedly generates an authentication communication protection master key according to the unique code of the special tool, decrypts the authentication code Token1 to obtain a random number Rc', generates a random number Rs, and encrypts the dispersion factor synthesized from the random numbers Rs and Rc' with the authentication communication protection master key to obtain an authentication code Token2;
(2-2.3) the authentication system returns the unique code of the special machine tool and the authentication code Token2 to the verification client, and the verification client sends the authentication code Token2 to the special machine tool;
(2-3) the dedicated appliance derives a session key SK from the authentication communication protection master key PMENC2 and obtains a verification session key by encrypting the unique code SAMID of the dedicated appliance with the session key SK;
(2-3.1) the special tool decrypts the authentication code Token2 to obtain Rc' and Rs' and returns them to the verification client;
(2-3.2) the verification client compares whether Rc and Rc' are consistent; if so, a command to calculate the verification session key is sent to the special machine tool; otherwise, exiting the step;
(2-3.3) the dedicated tool, using the random numbers Rc and Rs' as dispersion factors, derives the session key SK by dispersion from the authentication communication protection master key PMENC2, obtains the verification session key by encrypting the unique code SAMID of the dedicated tool with the session key SK, and returns it to the verification client;
(2-4) the authentication system generates an authentication communication protection master key PMENC2, obtains a verification session key through a session key SK, and adds a unique SAMID of a special machine and binding information of the verification session key to a memory list;
(2-4.1) the authentication system dispersedly generates the authentication communication protection master key PMENC2 according to the unique code of the special tool, and dispersedly generates the session key SK from PMENC2 using the random numbers Rc' and Rs as dispersion factors;
(2-4.2) the authentication system encrypts the unique code SAMID of the special equipment with the session key SK to obtain the verification session key, and adds the unique code SAMID of the special equipment and the binding information of the verification session key to the memory list.
The method for realizing the safe remote killing processing aiming at the intelligent chip card is mainly characterized in that the method also comprises the step of realizing the identity authentication of the intelligent chip card and the establishment of the remote killing safe channel under the condition of no special equipment, and specifically comprises the following steps:
(3-1) the authentication system and the intelligent chip card negotiate a verification session key, and the verification client sends online authentication request information to the authentication system;
(3-1.1) the authentication system and the intelligent chip card complete reading bidirectional authentication and negotiate a verification session key through a reading authentication mechanism between the authentication system and the intelligent chip card;
(3-1.2) the verification client sends online authentication request information to the authentication system, and uses a verification session key for data integrity protection;
(3-2) the authentication system returns data to the verification client, uses the verification session key for data integrity protection, judges whether the state of the smart chip card is normal, and if so, returns the service application data information of the smart chip card and exits the step; otherwise, the authentication system and the intelligent chip card complete the write bidirectional authentication and negotiate a remote kill session key through the write authentication mechanism between the authentication system and the intelligent chip card;
(3-3) the verification client sends a request for acquiring reset data to the authentication system, data integrity protection is carried out using the remote kill session key, and the security state of the intelligent chip card is cleared;
(3-3.1) the verification client sends a request for obtaining reset data to the authentication system, and uses the remote kill session key for data integrity protection;
(3-3.2) the authentication system returns reset data to the verification client, and uses the remote kill session key for data integrity protection;
(3-3.3) the verification client writes reset data into the smart chip card;
and (3-3.4) the verification client side clears the security state of the intelligent chip card to finish clearing the read-write permission of the intelligent chip card.
Preferably, the online authentication request information comprises a unique code of the intelligent chip card and a unique code of the special machine tool.
The method for realizing the safe remote killing processing aiming at the intelligent chip card is mainly characterized by further comprising the step of realizing a reading authentication mechanism between an authentication system and a special machine under the condition that no special machine is provided, and the method specifically comprises the following steps:
(4-1) the verification client reads the unique code of the intelligent chip card, and the intelligent chip card sends a random number Rc to the verification client;
(4-1.1) the verification client reads the unique code of the intelligent chip card and sends a random number fetching instruction to the intelligent chip card;
(4-1.2) the intelligent chip card returns the random number Rc to the verification client;
(4-1.3) the verification client sends the unique code of the intelligent chip card and the random number Rc to the authentication system;
(4-2) the authentication system encrypts the synthetic data of the random numbers Rc and Rr to obtain a session key, encrypts the unique code of the intelligent chip card to obtain a verification session key, and adds the unique code of the intelligent chip card and the verification session key to the memory list;
(4-2.1) the authentication system dispersedly generates a read authentication master key according to the unique code of the smart chip card, encrypts a random number Rc to obtain an authentication code Token1, generates a random number Rr, and returns the authentication code Token1 and the random number Rr to the verification client;
(4-2.2) the authentication system uses the read authentication master key to encrypt the synthetic data of the random numbers Rc and Rr to obtain a session key, uses the session key to encrypt the unique code of the smart chip card to obtain a verification session key, adds the unique code of the smart chip card and the verification session key to the memory list, and periodically clears them so that the verification session key becomes invalid after timeout;
and (4-3) the verification client and the smart chip card obtain a verification session key through the read external authentication instruction and the read internal authentication instruction.
(4-3.1) the verification client sends a reading external authentication instruction containing an authentication code Token1 to the smart chip card;
(4-3.2) the smart chip card authenticates the authentication code Token1 and returns an external authentication result to the verification client;
(4-3.3) the verification client sends an internal authentication reading instruction to the smart chip card;
(4-3.4) the smart chip card encrypts the synthetic data of the random numbers Rc and Rr by using the read authentication master key to obtain a session key, encrypts the unique code of the smart chip card by using the session key to obtain a verification session key, and returns the verification session key to the verification client.
The method for realizing the safe remote killing processing aiming at the intelligent chip card is mainly characterized by further comprising the step of realizing the authentication mechanism writing between the intelligent chip card and the authentication system, and specifically comprises the following steps:
(5-1) reading the unique code of the smart chip card by the verification client, and sending the unique code of the smart chip card and the authentication code Token1 to the verification client by the smart chip card;
(5-1.1) the verification client reads the unique code UID of the smart chip card;
(5-1.2) the verification client sends an authentication code fetching instruction to the smart chip card, the smart chip card generates a random number Rc, obtains an authentication code Token1 by encrypting the random number Rc through the verification session key, and returns the authentication code Token1 to the verification client;
(5-1.3) the verification client sends the unique code of the smart chip card and an authentication code Token1 to the authentication system;
(5-2) the authentication system encrypts the unique code of the smart chip card with the session key to obtain the remote kill session key, and adds the unique code of the smart chip card and the binding information of the remote kill session key to the memory list;
(5-2.1) the authentication system decrypts the authentication code Token1 with the verification session key to obtain Rc', dispersedly generates a write authentication master key according to the unique code of the smart chip card, and encrypts Rc' with the write authentication master key to obtain the authentication code Token2;
(5-2.2) the authentication system generates a random number Rr, encrypts Rr with the write authentication master key to obtain an authentication code Token3, derives a session key by dispersion from the data synthesized from Rc and Rr, encrypts the unique code of the smart chip card with the session key to obtain a remote kill session key, adds the unique code of the smart chip card and the binding information of the remote kill session key to a memory list, and periodically clears them so that the remote kill session key becomes invalid after timeout;
(5-2.3) the authentication system returning the authentication codes Token2 and Token3 to the verification client;
and (5-3) the verification client and the intelligent chip card obtain the remote kill session key through the write external authentication instruction and the write internal authentication instruction.
(5-3.1) the verification client sends a write external authentication command containing Token2 to the smart chip card;
(5-3.2) the smart chip card authenticates Token2 and returns the external authentication result to the verification client; if the authentication of Token2 fails, the step is exited; otherwise, the verification client sends a write internal authentication instruction to the smart chip card;
(5-3.3) the smart chip card decrypts the authentication code Token3 to obtain Rr', encrypts the synthetic data of Rr' and Rc with the write authentication master key to obtain the session key, encrypts the unique code of the smart chip card with the session key to obtain the remote kill session key, and returns the remote kill session key to the verification client.
In the specific implementation manner of the present invention, the purpose is to provide a method for remotely deactivating an intelligent chip card, which can implement identity authentication of the intelligent chip card, identify a cancelled intelligent chip card and establish a remote deactivation security channel under the condition of having or not having a dedicated machine, and on the basis, implement data resetting and verification in the card of the cancelled intelligent chip card to complete remote deactivation, thereby solving the problem of accuracy and validity of offline authentication of the intelligent chip card.
In order to achieve the above object, the invention provides a safe and remote killing method for an intelligent chip card, comprising the following steps:
the intelligent chip card safety remote killing method is mainly characterized by comprising an intelligent chip card identity authentication and remote killing safety channel establishment mechanism under the condition of special equipment, an intelligent chip card identity authentication and remote killing safety channel mechanism under the condition of no special equipment and an intelligent chip card data resetting and verifying mechanism, wherein,
1. the identity authentication and remote killing security channel establishment mechanism of the smart chip card under the condition of special machines and tools is shown in figure 1:
the special machine tool and the intelligent chip card complete bidirectional reading authentication through a reading authentication mechanism between the special machine tool and the intelligent chip card;
the verification client reads the unique code of the intelligent chip card and the first 255 bytes of service application data; if the first 255 bytes of service application data are reset data, the verification client prompts that the intelligent chip card is cancelled and quits, otherwise, the verification client continues;
the authentication system and the special machine complete reading bidirectional authentication and negotiate a verification session key through a reading authentication mechanism between the authentication system and the special machine;
the verification client sends an online authentication request to the authentication system, and uses a verification session key for data integrity protection;
the request information comprises a unique intelligent chip card code UID and a unique special equipment code SAMID;
the authentication system returns data to the verification client, uses the verification session key for data integrity protection, and returns the service application data information of the smart chip card and quits if the state of the smart chip card is normal;
if the state of the intelligent chip card is cancelled, the authentication system and the intelligent chip card complete the write bidirectional authentication and negotiate a remote kill session key through the write authentication mechanism between the authentication system and the intelligent chip card;
the verification client sends a data resetting request to the authentication system, and uses the remote killing session key for data integrity protection;
the authentication system returns data to the verification client and uses the remote kill session key for data integrity protection;
the verification client writes reset data into the intelligent chip card;
and the verification client clears the security state of the intelligent chip card, completing the clearing of the read-write permission of the intelligent chip card.
2. The authentication mechanism between the authentication system and the special-purpose tool is shown in fig. 2:
the verification client reads the unique code of the special machine tool card of the special machine tool;
the verification client sends a random number fetching instruction to the special machine tool, and the special machine tool returns a random number Rc to the verification client;
the verification client sends an authentication code obtaining instruction to the special machine tool, and the special machine tool encrypts the random number Rc by using the authentication communication protection master key obtained in a dispersed mode to obtain an authentication code Token1 and returns it to the verification client;
the verification client sends a unique code of the special tool and an authentication code Token1 to the authentication system;
the authentication system dispersedly generates an authentication communication protection master key according to the unique code of the special machine tool, decrypts the authentication code Token1 to obtain a random number Rc', generates a random number Rs, and encrypts the dispersion factor synthesized from the random numbers Rs and Rc' with the authentication communication protection master key to obtain an authentication code Token2;
the authentication system returns the unique code of the special machine tool and an authentication code Token2 to the verification client, and the verification client sends the authentication code Token2 to the special machine tool;
the special tool decrypts the authentication code Token2 to obtain Rc' and Rs' and returns them to the verification client;
the verification client compares whether Rc and Rc' are consistent; if so, a command to calculate the verification session key is sent to the special machine tool, and if not, the verification client quits;
the special tool uses the random numbers Rc and Rs' as dispersion factors, derives a session key SK by dispersion from the authentication communication protection master key PMENC2, obtains a verification session key by encrypting the unique code SAMID of the special tool with the session key SK, and returns it to the verification client;
the authentication system dispersedly generates an authentication communication protection master key PMENC2 according to the unique code of a special tool, and dispersedly generates a session key SK for the authentication communication protection master key PMENC2 by using random numbers Rc' and Rs as dispersion factors;
the authentication system uses the session key SK to encrypt the unique SAMID of the special machine to obtain the verification session key, adds the unique SAMID of the special machine and the binding information of the verification session key to the memory list, and regularly clears the unique SAMID of the special machine and the binding information of the verification session key to ensure that the verification session key is invalid after time out.
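The exchange of mechanism 2 above, written out as an added example; it is not code from the patent. The patent names no cipher or dispersion algorithm, so the HMAC-based Feistel cipher, the HMAC `diversify` function, the Rc'||Rs ordering inside Token2, the root key held by the authentication system, and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

def _f(key, i, half):
    # Feistel round function (assumption): truncated HMAC-SHA256.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:len(half)]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _halves(block):
    if not block or len(block) % 2:
        raise ValueError("block must have even, non-zero length")
    h = len(block) // 2
    return block[:h], block[h:]

def encrypt(key, block):
    """Stand-in cipher (assumption): 4-round Feistel over an even-length block."""
    l, r = _halves(block)
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def decrypt(key, block):
    l, r = _halves(block)
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def diversify(master, factor):
    """'Dispersion' of a key by a factor (assumed construction: HMAC-SHA256)."""
    return hmac.new(master, factor, hashlib.sha256).digest()[:16]

class DedicatedTool:
    """Special machine tool, provisioned with PMENC2 dispersed from its SAMID."""
    def __init__(self, samid, pmenc2):
        self.samid, self.pmenc2, self.rc = samid, pmenc2, None

    def get_random(self):
        self.rc = secrets.token_bytes(8)
        return self.rc

    def get_token1(self):
        return encrypt(self.pmenc2, self.rc)

    def open_token2(self, token2):
        plain = decrypt(self.pmenc2, token2)
        return plain[:8], plain[8:]                 # Rc', Rs'

    def verification_key(self, rs_prime):
        sk = diversify(self.pmenc2, self.rc + rs_prime)
        return encrypt(sk, self.samid)              # verification session key

class AuthSystem:
    def __init__(self, root_key, ttl):
        self.root_key, self.ttl = root_key, ttl     # root_key is hypothetical
        self.memory_list = {}                       # SAMID -> (key, expiry)

    def respond(self, samid, token1, now):
        pmenc2 = diversify(self.root_key, samid)
        rc_prime = decrypt(pmenc2, token1)
        rs = secrets.token_bytes(8)
        sk = diversify(pmenc2, rc_prime + rs)
        self.memory_list[samid] = (encrypt(sk, samid), now + self.ttl)
        return encrypt(pmenc2, rc_prime + rs)       # Token2

    def session_key(self, samid, now):
        entry = self.memory_list.get(samid)
        if entry and now >= entry[1]:               # binding timed out: clear it
            del self.memory_list[samid]
            entry = None
        return entry[0] if entry else None

def negotiate(tool, auth, now):
    """Verification client's view; returns the verification session key or None."""
    rc = tool.get_random()
    token2 = auth.respond(tool.samid, tool.get_token1(), now)
    rc_prime, rs_prime = tool.open_token2(token2)
    if not hmac.compare_digest(rc, rc_prime):       # Rc and Rc' differ: quit
        return None
    return tool.verification_key(rs_prime)

if __name__ == "__main__":
    root = secrets.token_bytes(16)                  # constructed sample values
    samid = b"SAM-0000-EXAMPLE"
    auth = AuthSystem(root, ttl=60.0)
    tool = DedicatedTool(samid, diversify(root, samid))
    key = negotiate(tool, auth, now=0.0)
    print("keys match:", key == auth.session_key(samid, now=1.0))
```

A tool whose key was not dispersed from the same root fails the Rc/Rc' comparison, and a binding older than `ttl` is dropped on the next lookup.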
3. The authentication mechanism is written between the smart chip card and the authentication system, as shown in fig. 5:
the verification client reads the unique code UID of the smart chip card;
the verification client sends an authentication code fetching instruction to the intelligent chip card, the intelligent chip card generates a random number Rc, the random number Rc is encrypted through a verification session key to obtain an authentication code Token1, and the authentication code Token1 is returned to the verification client;
the verification client sends the unique code of the smart chip card and an authentication code Token1 to the authentication system;
the authentication system decrypts the authentication code Token1 with the verification session key to obtain Rc', dispersedly generates a write authentication master key according to the unique code of the smart chip card, and encrypts Rc' with the write authentication master key to obtain an authentication code Token2;
the authentication system generates a random number Rr, encrypts Rr with the write authentication master key to obtain an authentication code Token3, derives a session key by dispersion from the data synthesized from Rc and Rr, encrypts the unique code of the intelligent chip card with the session key to obtain a remote kill session key, adds the unique code of the intelligent chip card and the binding information of the remote kill session key to a memory list, and periodically clears them so that the remote kill session key becomes invalid after timeout;
the authentication system returns the authentication codes Token2 and Token3 to the verification client;
the verification client sends a writing external authentication instruction containing Token2 to the smart chip card;
the intelligent chip card authenticates Token2 and returns an external authentication result to the verification client, if the authentication Token2 fails, the verification client quits, otherwise, the verification client sends an internal authentication writing instruction to the intelligent chip card;
the smart chip card decrypts the authentication code Token3 to obtain Rr', encrypts the synthetic data of Rr' and Rc with the write authentication master key to obtain a session key, encrypts the unique code of the smart chip card with the session key to obtain the remote kill session key, and returns the remote kill session key to the verification client.
4. The identity authentication and remote killing security channel establishment mechanism of the smart chip card without special machines and tools is shown in fig. 4:
the authentication system and the intelligent chip card complete reading bidirectional authentication and negotiate a verification session key through a reading authentication mechanism between the authentication system and the intelligent chip card;
the verification client sends an online authentication request to the authentication system, and uses a verification session key for data integrity protection;
the request information comprises a unique code of the intelligent chip card and a unique code of the special machine tool.
The authentication system returns data to the verification client, uses the verification session key for data integrity protection, and returns the service application data information of the smart chip card and quits if the state of the smart chip card is normal; if the state is cancelled, the authentication system and the intelligent chip card complete the write bidirectional authentication and negotiate a remote kill session key through the write authentication mechanism between the authentication system and the intelligent chip card;
the verification client sends a request for acquiring reset data to the authentication system, and uses the remote killing session key for data integrity protection; the authentication system returns reset data to the verification client, and uses the remote killing session key for data integrity protection;
the verification client writes reset data into the intelligent chip card; and the security state of the intelligent chip card is cleared by the verification client, and the clearing of the read-write permission of the intelligent chip card is completed.
5. The read authentication mechanism between the smart chip card and the authentication system is shown in fig. 5:
the verification client reads the unique code of the intelligent chip card and sends a random number fetching instruction to the intelligent chip card;
the intelligent chip card generates and returns a random number Rc to the verification client;
the verification client sends the unique code and the random number Rc of the smart chip card to the authentication system;
the authentication system dispersedly generates a read authentication master key according to the unique code of the smart chip card, encrypts the random number Rc to obtain an authentication code Token1, generates a random number Rr, and returns the authentication code Token1 and the random number Rr to the verification client; at the same time,
the authentication system uses the read authentication master key to encrypt the synthetic data of the random numbers Rc and Rr to obtain a session key, uses the session key to encrypt the unique code of the intelligent chip card to obtain a verification session key, adds the unique code of the intelligent chip card and the verification session key to a memory list, and periodically clears them so that the verification session key becomes invalid after timeout;
the verification client sends a read external authentication instruction containing an authentication code Token1 to the smart chip card;
the intelligent chip card authenticates the authentication code Token1 and returns the read external authentication result to the verification client;
the verification client sends an internal authentication reading instruction to the intelligent chip card;
the intelligent chip card encrypts the synthetic data of the random numbers Rc and Rr by using the read authentication master key to obtain a session key, encrypts the unique code of the intelligent chip card by using the session key to obtain a verification session key, and returns the verification session key to the verification client.
In the intelligent chip card identity authentication and remote killing security channel establishment mechanism without special machines, the reset data is 255 bytes, all 0xFF, written into the first 255 bytes of each corresponding service application data file in the intelligent chip card file system; the service application data files comprise a text information file and an image information file. During offline authentication, the special machine tool reads the first 255 bytes of the corresponding service application data file in the intelligent chip card file system, and if they are all 0xFF, the intelligent chip card is in the cancelled state.
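The reset step and the offline check described above, as an added example that is not part of the patent. HMAC-SHA256 stands in for the unspecified integrity protection under the remote kill session key; the dictionary card model, the file names, the fixed-length UID, and the rule that a marker in any one service file counts as cancelled (so an interrupted reset still fails offline) are assumptions.

```python
import hashlib
import hmac

RESET_LEN = 255
RESET_DATA = b"\xff" * RESET_LEN
SERVICE_FILES = ("text_info", "image_info")    # hypothetical file names
TAG_LEN = 32

def _tag(key, uid, payload):
    # Integrity tag over UID || payload (assumes a fixed-length UID).
    return hmac.new(key, uid + payload, hashlib.sha256).digest()

def protect(kill_key, uid, payload):
    """Authentication system side: payload followed by its integrity tag."""
    return payload + _tag(kill_key, uid, payload)

def verify(kill_key, uid, message):
    """Verification client side: return the payload or raise on tampering."""
    if len(message) < TAG_LEN:
        raise ValueError("message too short")
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(kill_key, uid, payload)):
        raise ValueError("integrity check failed")
    return payload

def new_card(uid):
    """Constructed card model: two service files and a security state."""
    return {"uid": uid,
            "files": {"text_info": b"T" * 300, "image_info": b"I" * 1024},
            "security_state": "authenticated"}

def apply_reset(card, message, kill_key):
    """Write reset data only after the response passes the integrity check."""
    payload = verify(kill_key, card["uid"], message)
    if payload != RESET_DATA:
        raise ValueError("unexpected reset data")
    for name in SERVICE_FILES:
        card["files"][name] = payload + card["files"][name][RESET_LEN:]
    card["security_state"] = None              # security state cleared

def is_cancelled(card):
    """Offline check: first 255 bytes of a service file are all 0xFF."""
    return any(card["files"][n][:RESET_LEN] == RESET_DATA for n in SERVICE_FILES)

if __name__ == "__main__":
    key = bytes(16)                            # constructed sample key
    card = new_card(b"UID-EXAMPLE-0001")
    apply_reset(card, protect(key, card["uid"], RESET_DATA), key)
    print("cancelled:", is_cancelled(card))
```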
The method for realizing the safe remote killing processing aiming at the intelligent chip card can realize the identity authentication of the intelligent chip card, identify the cancelled intelligent chip card and establish the remote killing safety channel under the condition of a special machine tool, and comprises a reading authentication mechanism between the special machine tool and the intelligent chip card, a reading authentication mechanism between an authentication system and the special machine tool, a writing authentication mechanism between the intelligent chip card and the authentication system and an intelligent chip card data resetting and verifying mechanism; and can realize the identity authentication of the intelligent chip card, recognize the intelligent chip card cancelled and establish the remote killing security channel under the condition of no special machines, including the read/write authentication mechanism between the intelligent chip card and the authentication system, the data reset and verification mechanism of the intelligent chip card, thereby realizing the remote killing of the intelligent chip card cancelled with high safety and high reliability, and effectively reducing the security risk of inaccurate offline authentication of the intelligent chip card.
In this specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.

Claims (17)

1. A method for realizing safe remote killing processing aiming at an intelligent chip card is characterized by comprising the steps of realizing identity authentication of the intelligent chip card and establishing a remote killing safety channel under the condition of special machines, and specifically comprising the following steps:
(1-1) the special machine and the intelligent chip card complete bidirectional reading authentication, and a verification client reads the unique code of the intelligent chip card and the first 255 bytes of service application data;
(1-2) the authentication system and the special machine negotiate a verification session key, and the verification client sends online authentication request information to the authentication system;
(1-3) the authentication system returns data to the verification client, and data integrity protection is performed through a verification session key;
(1-4) the verification client sends a data resetting request and clears the security state and the read-write permission of the intelligent chip card;
the step (1-1) specifically comprises the following steps:
(1-1.1) the special machine and the intelligent chip card complete bidirectional reading authentication through a reading authentication mechanism;
(1-1.2) the verification client reads the unique code and the first 255 bytes of service application data of the intelligent chip card, judges whether the first 255 bytes of service application data are reset data, and prompts that the intelligent chip card is cancelled and exits the step if the first 255 bytes of service application data are reset data; otherwise, continuing the step (1-2);
the step (1-2) specifically comprises the following steps:
(1-2.1) the authentication system and the special machine complete reading bidirectional authentication and negotiate a verification session key;
(1-2.2) the verification client sends online authentication request information to an authentication system, and uses a verification session key for data integrity protection;
the online authentication request information is an intelligent chip card unique code UID and a special machine unique code SAMID;
the step (1-3) specifically comprises the following steps:
(1-3.1) the authentication system returns data to the verification client, and data integrity protection is performed through a verification session key;
(1-3.2) judging whether the state of the intelligent chip card is normal or not, if so, returning the service application data information of the intelligent chip card and exiting the step; otherwise, the authentication system and the intelligent chip card complete the write bidirectional authentication and negotiate a remote killing session key through a write authentication mechanism between the authentication system and the intelligent chip card;
the step (1-4) specifically comprises the following steps:
(1-4.1) the verification client sends a data resetting request to the authentication system, and data integrity protection is carried out using the remote killing session key;
(1-4.2) the authentication system returns data to the verification client, and uses the remote killing session key for data integrity protection;
(1-4.3) the verification client writes reset data into the smart chip card;
and (1-4.4) the verification client side clears the security state of the intelligent chip card and clears the read-write permission of the intelligent chip card.
2. The method according to claim 1, further comprising a step of implementing a read authentication mechanism between the authentication system and the special machine, wherein the method specifically comprises the following steps:
(2-1) the verification client and the special machine exchange the unique code of the special machine card, the random number fetching instruction and the authentication code fetching instruction, the special machine encrypts the random number Rc to obtain an authentication code Token1, and returns the authentication code Token1 to the verification client;
(2-2) the authentication system, using the authentication communication protection master key, encrypts a dispersion factor synthesized from a random number Rs and the Rc' obtained by decryption, to obtain an authentication code Token2;
(2-3) the special machine derives a session key SK from the authentication communication protection master key PMENC2 and obtains a verification session key by encrypting the special machine unique code SAMID using the session key SK;
(2-4) the authentication system generates the authentication communication protection master key PMENC2, obtains the verification session key through the session key SK, and adds the special machine unique code SAMID and the binding information of the verification session key to a memory list;
the step (2-3) specifically comprises the following steps:
(2-3.1) the special machine decrypts the authentication code Token2 to obtain Rc' and Rs' and returns Rc' and Rs' to the verification client;
(2-3.2) the verification client compares whether Rc and Rc' are consistent, and if so, sends a command to calculate the verification session key to the special machine; otherwise, exits the step;
(2-3.3) the special machine obtains the session key SK by dispersing the authentication communication protection master key PMENC2 using the random numbers Rc and Rs' as dispersion factors, obtains the verification session key by encrypting the special machine unique code SAMID using the session key SK, and returns it to the verification client.
3. The method according to claim 2, wherein the step (2-1) comprises the following steps:
(2-1.1) the verification client reads the unique code of the special machine card of the special machine;
(2-1.2) the verification client sends a random number fetching instruction to the special machine, and the special machine returns a random number Rc to the verification client;
(2-1.3) the verification client sends an authentication code fetching instruction to the special machine, and the special machine encrypts the random number Rc by using the dispersed authentication communication protection master key to obtain an authentication code Token1, and returns the authentication code Token1 to the verification client.
4. The method according to claim 2, wherein the step (2-2) comprises the following steps:
(2-2.1) the verification client sends the special machine unique code SAMID and the authentication code Token1 to the authentication system;
(2-2.2) the authentication system generates the authentication communication protection master key by dispersion according to the unique code of the special machine, decrypts the authentication code Token1 to obtain a random number Rc', generates a random number Rs, and encrypts a dispersion factor synthesized from the random number Rs and Rc' with the authentication communication protection master key to obtain an authentication code Token2;
(2-2.3) the authentication system returns the unique code of the special machine and the authentication code Token2 to the verification client, and the verification client sends the authentication code Token2 to the special machine.
5. The method according to claim 2, wherein the step (2-4) comprises the following steps:
(2-4.1) the authentication system generates the authentication communication protection master key PMENC2 by dispersion according to the unique code of the special machine, and generates the session key SK by dispersing the authentication communication protection master key PMENC2 using the random numbers Rc' and Rs as dispersion factors;
(2-4.2) the authentication system encrypts the special machine unique code SAMID with the session key SK to obtain the verification session key, and adds the special machine unique code SAMID and the binding information of the verification session key to the memory list.
6. The method according to claim 1, further comprising the step of establishing the identity authentication and remote security channel of the smart chip card without any special equipment, and specifically comprising the steps of:
(3-1) the authentication system and the intelligent chip card negotiate a verification session key, and the verification client sends online authentication request information to the authentication system;
(3-2) the authentication system returns data to the verification client, uses the verification session key for data integrity protection, judges whether the state of the smart chip card is normal, and if so, returns the service application data information of the smart chip card and exits the step; otherwise, the authentication system and the intelligent chip card complete the write bidirectional authentication and negotiate a remote killing session key through a write authentication mechanism between the authentication system and the intelligent chip card;
and (3-3) the verification client sends a request for acquiring reset data to the authentication system, performs data integrity protection using the remote killing session key, and clears the security state of the intelligent chip card.
7. The method according to claim 6, wherein the step (3-1) comprises the following steps:
(3-1.1) the authentication system and the intelligent chip card complete reading bidirectional authentication and negotiate a verification session key through a reading authentication mechanism between the authentication system and the intelligent chip card;
and (3-1.2) the verification client sends online authentication request information to the authentication system, and uses a verification session key for data integrity protection.
8. The method according to claim 7, wherein the on-line authentication request message includes a unique code of the smart chip card and a unique code of the dedicated device.
9. The method according to claim 6, wherein the step (3-3) comprises the following steps:
(3-3.1) the verification client sends a request for obtaining reset data to the authentication system, and data integrity protection is carried out using the remote killing session key;
(3-3.2) the authentication system returns reset data to the verification client, and performs data integrity protection using the remote killing session key;
(3-3.3) the verification client writes reset data into the smart chip card;
and (3-3.4) the verification client side clears the security state of the intelligent chip card to finish clearing the read-write permission of the intelligent chip card.
10. The method according to claim 6, further comprising a step of implementing a read authentication mechanism between the authentication system and the smart chip card without any special equipment, and specifically comprising the steps of:
(4-1) the verification client reads the unique code of the intelligent chip card, and the intelligent chip card sends a random number Rc to the verification client;
(4-2) the authentication system encrypts the synthetic data of the random numbers Rc and Rr to obtain a session key, encrypts the unique code of the intelligent chip card to obtain a verification session key, and adds the unique code of the intelligent chip card and the verification session key to the memory list;
and (4-3) the verification client and the smart chip card obtain a verification session key through the read external authentication instruction and the read internal authentication instruction.
11. The method according to claim 10, wherein the step (4-1) comprises the following steps:
(4-1.1) the verification client reads the unique code of the intelligent chip card and sends a random number fetching instruction to the intelligent chip card;
(4-1.2) the intelligent chip card returns the random number Rc to the verification client;
(4-1.3) the verification client sends the unique code of the intelligent chip card and the random number Rc to the authentication system.
12. The method according to claim 10, wherein the step (4-2) comprises the following steps:
(4-2.1) the authentication system dispersedly generates a read authentication master key according to the unique code of the smart chip card, encrypts a random number Rc to obtain an authentication code Token1, generates a random number Rr, and returns the authentication code Token1 and the random number Rr to the verification client;
(4-2.2) the authentication system uses the read authentication master key to encrypt the synthetic data of the random numbers Rc and Rr to obtain the session key, uses the session key to encrypt the unique code of the smart chip card to obtain the verification session key, adds the unique code of the smart chip card and the verification session key to the memory list, and periodically removes the verification session key so that it expires and becomes invalid after a timeout.
13. The method according to claim 10, wherein the step (4-3) comprises the following steps:
(4-3.1) the verification client sends a read external authentication instruction containing an authentication code Token1 to the smart chip card;
(4-3.2) the smart chip card authenticates the authentication code Token1 and returns an external authentication result to the verification client;
(4-3.3) the verification client sends a read internal authentication instruction to the smart chip card;
(4-3.4) the smart chip card encrypts the synthetic data of the random numbers Rc and Rr by using the read authentication master key to obtain a session key, encrypts the unique code of the smart chip card by using the session key to obtain a verification session key, and returns the verification session key to the verification client.
14. The method according to claim 1, wherein the method further comprises a step of implementing an authentication mechanism between the smart chip card and the authentication system, and specifically comprises the following steps:
(5-1) reading the unique code of the smart chip card by the verification client, and sending the unique code of the smart chip card and the authentication code Token1 to the verification client by the smart chip card;
(5-2) the authentication system encrypts the unique code of the smart chip card with the session key to obtain the remote killing session key, and adds the unique code of the smart chip card and the binding information of the remote killing session key to the memory list;
and (5-3) the verification client and the intelligent chip card obtain the remote killing session key through the write external authentication instruction and the write internal authentication instruction.
15. The method according to claim 14, wherein the step (5-1) comprises the following steps:
(5-1.1) the verification client reads the unique code UID of the smart chip card;
(5-1.2) the verification client sends an authentication code fetching instruction to the smart chip card, the smart chip card generates a random number Rc, obtains an authentication code Token1 by encrypting the random number Rc through the verification session key, and returns the authentication code Token1 to the verification client;
(5-1.3) the verification client sends the unique code of the smart chip card and the authentication code Token1 to the authentication system.
16. The method according to claim 14, wherein the step (5-2) comprises the following steps:
(5-2.1) the authentication system obtains Rc' by decrypting the authentication code Token1 with the verification session key, generates a write authentication master key by dispersion according to the unique code of the smart chip card, and obtains the authentication code Token2 by encrypting Rc' with the write authentication master key;
(5-2.2) the authentication system generates a random number Rr, obtains an authentication code Token3 by encrypting Rr with the write authentication master key, obtains a session key by dispersion using the data synthesized from Rc and Rr, obtains the remote killing session key by encrypting the smart chip card unique code with the session key, adds the smart chip card unique code and the remote killing session key binding information to a memory list, and periodically removes the remote killing session key so that it expires and becomes invalid after a timeout;
(5-2.3) the authentication system returns the authentication codes Token2 and Token3 to the verification client.
17. The method according to claim 14, wherein the step (5-3) comprises the following steps:
(5-3.1) the verification client sends a write external authentication instruction containing Token2 to the smart chip card;
(5-3.2) the smart chip card authenticates Token2 and returns the external authentication result to the verification client; if authentication of Token2 fails, the step is exited; otherwise, the verification client sends a write internal authentication instruction to the smart chip card;
(5-3.3) the smart chip card decrypts the authentication code Token3 to obtain Rr', encrypts the synthesized data of Rr' and Rc with the write authentication master key to obtain the session key, encrypts the unique code of the smart chip card with the session key to obtain the remote killing session key, and returns the remote killing session key to the verification client.
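The read authentication of claims 10 to 13 (no special machine), together with the timed removal of step (4-2.2) and an integrity-protected online authentication request, as an added example that is not code from the patent. Assumptions: HMAC-SHA-256 replaces the unnamed "encrypt" and "disperse" operations, "synthetic data" is taken as concatenation, Rr is carried to the card in the read internal authentication instruction, and all class, function and parameter names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: the claims say "encrypt" and "disperse" without naming a cipher.
# HMAC-SHA-256 stands in for both as a keyed one-way function (stdlib only).
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class SmartChipCard:
    """Card side of steps (4-1.2), (4-3.2) and (4-3.4)."""
    def __init__(self, uid: bytes, read_auth_key: bytes):
        self.uid = uid
        self._key = read_auth_key       # card-specific key written at issuance
        self._rc = None
        self._system_ok = False

    def get_random(self) -> bytes:                          # (4-1.2)
        self._rc, self._system_ok = os.urandom(16), False
        return self._rc

    def read_external_auth(self, token1: bytes) -> bool:    # (4-3.2)
        self._system_ok = self._rc is not None and hmac.compare_digest(
            token1, prf(self._key, self._rc))
        return self._system_ok

    def read_internal_auth(self, rr: bytes) -> bytes:       # (4-3.4)
        if not self._system_ok:
            raise PermissionError("external authentication has not succeeded")
        sk = prf(self._key, self._rc + rr)                  # session key
        self._rc, self._system_ok = None, False             # challenge is single-use
        return prf(sk, self.uid)                            # verification session key

class AuthenticationSystem:
    """Back-end side of steps (4-2.1) and (4-2.2)."""
    def __init__(self, root_key: bytes, ttl: float = 60.0):
        self._root, self._ttl = root_key, ttl
        self.memory_list = {}           # UID -> (verification session key, expiry)

    def read_auth_master_key(self, uid: bytes) -> bytes:
        return prf(self._root, b"read-auth" + uid)          # dispersed per card UID

    def begin_read_auth(self, uid: bytes, rc: bytes, now: float):
        key = self.read_auth_master_key(uid)
        token1, rr = prf(key, rc), os.urandom(16)
        sk = prf(key, rc + rr)
        self.memory_list[uid] = (prf(sk, uid), now + self._ttl)
        return token1, rr

    def check_request(self, uid: bytes, request: bytes, tag: bytes,
                      now: float) -> bool:
        vsk, expiry = self.memory_list.get(uid, (None, 0.0))
        if vsk is None or now >= expiry:
            self.memory_list.pop(uid, None)                 # timed-out keys are removed
            return False
        return hmac.compare_digest(tag, prf(vsk, request))

def run_read_authentication(card, system, now: float):
    """Verification client: relays the messages, returns the key or None."""
    rc = card.get_random()
    token1, rr = system.begin_read_auth(card.uid, rc, now)
    if not card.read_external_auth(token1):
        return None
    return card.read_internal_auth(rr)

if __name__ == "__main__":
    system = AuthenticationSystem(os.urandom(32))
    uid = bytes.fromhex("04a1b2c3d4e5f6")                   # constructed sample UID
    card = SmartChipCard(uid, system.read_auth_master_key(uid))
    vsk = run_read_authentication(card, system, now=0.0)
    request = uid + b"|online-auth"                         # constructed request body
    print(system.check_request(uid, request, prf(vsk, request), now=10.0))
```

A card personalised with a different key rejects Token1 at the external authentication step, so no verification session key is ever returned to the verification client for it.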
CN201910620824.1A 2019-04-02 2019-07-10 Method for realizing safe remote killing processing aiming at intelligent chip card Active CN110278214B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910261847.8A CN110049025A (en) 2019-04-02 2019-04-02 The method for realizing the distant processing of getting killed of safety for smart chip card
CN2019102618478 2019-04-02

Publications (2)

Publication Number Publication Date
CN110278214A CN110278214A (en) 2019-09-24
CN110278214B CN110278214B (en) 2020-05-01

Family

ID=67275889

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201910261847.8A Pending CN110049025A (en) 2019-04-02 2019-04-02 The method for realizing the distant processing of getting killed of safety for smart chip card
CN201910620824.1A Active CN110278214B (en) 2019-04-02 2019-07-10 Method for realizing safe remote killing processing aiming at intelligent chip card

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201910261847.8A Pending CN110049025A (en) 2019-04-02 2019-04-02 The method for realizing the distant processing of getting killed of safety for smart chip card

Country Status (1)

Country Link
CN (2) CN110049025A (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771680A (en) * 2008-12-29 2010-07-07 中国移动通信集团公司 Method for writing data to smart card, system and remote writing-card terminal
CN202548899U (en) * 2012-03-12 2012-11-21 上海电信科技发展有限公司 Mobile one-card platform
CN102945379A (en) * 2012-06-27 2013-02-27 无锡北邮感知技术产业研究院有限公司 Offline type bidirectional authentication method for card reader and label in RFID (radio frequency identification device) system
CN103279775A (en) * 2013-05-03 2013-09-04 无锡昶达信息技术有限公司 RFID (Radio Frequency Identification) system capable of ensuring confidentiality and data integrity and implementation method thereof
WO2013134536A1 (en) * 2012-03-07 2013-09-12 Frequency, Inc. Systems, methods, apparatuses, and computer program products for facilitating interaction and interconnectivity in a live entertainment setting
CN104579673A (en) * 2014-03-06 2015-04-29 上海励识电子科技有限公司 Interactive authentication method between RFID card and card reader
CN105190638A (en) * 2013-03-14 2015-12-23 柯惠有限合伙公司 Rfid secure authentication
CN105636012A (en) * 2014-10-27 2016-06-01 中国移动通信集团公司 Writing card method, smart card, and writing card platform and system
CN106411522A (en) * 2015-08-03 2017-02-15 中兴通讯股份有限公司 Online authentication method based on intelligent card, the intelligent card and authentication server
CN108075894A (en) * 2016-11-17 2018-05-25 广州大白互联网科技有限公司 A kind of authentication on-line processing method and system
CN109413648A (en) * 2018-10-26 2019-03-01 国民技术股份有限公司 Access control method, terminal, smart card, background server and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CH705774B1 (en) * 2011-11-16 2016-12-15 Swisscom Ag Method, system, and card to authenticate a user through an application.

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"RFID通用数据交换平台建设研究";陈嘉懿,;《图书情报工作》;20141215;第58卷(第23期);97-109 *

Also Published As

Publication number Publication date
CN110278214A (en) 2019-09-24
CN110049025A (en) 2019-07-23

Similar Documents

Publication Publication Date Title
CN104217327B (en) A kind of financial IC card internet terminal and its method of commerce
CN106372531B (en) A kind of mandate obtains terminal attack warning message log approach and system
EP0440800A1 (en) Ic card for security attestation and ic card service system using said ic card
CN102333072B (en) Network banking trusted transaction system and method based on intelligent terminal
CN101739758B (en) Method for encrypting and decrypting smart card, system and reader-writer
CN101162535B (en) Method and system for realizing magnetic stripe card trading by IC card
CN103390124A (en) Device, system, and method of secure entry and handling of passwords
CN109120571B (en) System and method for authorized use of citizen personal data
CN106850638B (en) Access control method and system for vehicle-mounted equipment
CN104021332A (en) Method for performing identity authentication and file encryption and decryption based on fingerprint UsbKey
CN103345703A (en) Banking transaction authentication method and system based on image authentication
CN105608775B (en) A kind of method of authentication, terminal, access card and SAM card
CN103606223A (en) Card authentication method and device
CN108460597A (en) A kind of key management system and method
CN101883357A (en) Method, device and system for mutual authentication between terminal and intelligent card
CN113595714A (en) Contactless card with multiple rotating security keys
CN107395600B (en) Service data verification method, service platform and mobile terminal
CN117370960A (en) Data destruction method, system and equipment
CN110278214B (en) Method for realizing safe remote killing processing aiming at intelligent chip card
KR20150017374A (en) Method for Settlement by using IC Chip
CN104537298A (en) Authorizing method and device based on micro-processor card
CN106355404B (en) Debit credit transaction system and method with security vulnerability protection mechanism
EP3035270A1 (en) Card-based offline token generation
CN204613946U (en) A kind of safe USBHUB and SD/TF card reader equipment complex
CN105989489B (en) A kind of method and payment terminal of IC card networking certification

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant