CN111275440B - Remote key downloading method and system - Google Patents
Remote key downloading method and system Download PDFInfo
- Publication number
- CN111275440B CN111275440B CN202010059662.1A CN202010059662A CN111275440B CN 111275440 B CN111275440 B CN 111275440B CN 202010059662 A CN202010059662 A CN 202010059662A CN 111275440 B CN111275440 B CN 111275440B
- Authority
- CN
- China
- Prior art keywords
- host
- atm
- keyboard
- bank host
- bank
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 48
- 238000012795 verification Methods 0.000 claims abstract description 26
- 230000004044 response Effects 0.000 claims description 24
- 238000004422 calculation algorithm Methods 0.000 description 10
- 238000004590 computer program Methods 0.000 description 7
- 238000010586 diagram Methods 0.000 description 7
- 230000008569 process Effects 0.000 description 5
- 238000013478 data encryption standard Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 238000012545 processing Methods 0.000 description 4
- 238000003860 storage Methods 0.000 description 3
- 230000006854 communication Effects 0.000 description 2
- 238000005336 cracking Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000011664 signaling Effects 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000004088 simulation Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3825—Use of electronic signatures
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F19/00—Complete banking systems; Coded card-freed arrangements adapted for dispensing or receiving monies or the like and posting such transactions to existing accounts, e.g. automatic teller machines
- G07F19/20—Automatic teller machines [ATMs]
- G07F19/201—Accessories of ATMs
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/02—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by keys or other credit registering devices
Abstract
The application discloses a remote key downloading method, which comprises the following steps: exchanging bank host public key PK by bank host and ATM manufacturer Host Public key PK of ATM manufacturer SI And use the private key of ATM manufacturer to PK by ATM manufacturer Host Signing; public key PK for exchanging cipher keyboard by bank host and ATM cipher keyboard ATM Bank host public key PK Host The method comprises the steps of carrying out a first treatment on the surface of the Generating a master key MK by a bank host; use of PK by bank hosts ATM Encrypt MK while using bank host private key SK Host Signing the MK after encryption; the bank host sends the encrypted MK and the signature result to the password keyboard; the password keyboard receives the MK and the signature result after encryption, and the password keyboard firstly utilizes PK Host Checking signature on the signature result; after the signature verification is successful, the password keyboard utilizes the private key SK of the password keyboard ATM Decrypting the encrypted MK to obtain the MK plaintext and storing the MK plaintext.
Description
Technical Field
The present application relates to the field of financial security technologies, and in particular, to a remote key downloading method and system.
Background
The financial industry is sensitive to data, so that corresponding importance is attached to encryption of the data. The key encryption algorithm used in the current financial industry is the traditional DES encryption algorithm or RSA encryption algorithm. The traditional DES (fully called Data Encryption Standard) algorithm is a symmetric algorithm, encryption and decryption of the symmetric algorithm adopt the same key, both communication parties must obtain the key and keep the secret of the key, and the EDS encryption algorithm has the advantages of high operation speed, low security, easiness in cracking and easiness in leakage of the key. The RSA encryption algorithm is an asymmetric encryption algorithm. The RSA public key cryptosystem uses different encryption and decryption keys, and is a "computationally infeasible" cryptosystem in which the decryption key is derived from a known encryption key. In the public key cryptosystem, an encryption key (i.e., public key) PK is public information, and a decryption key (i.e., private key) SK is required to be kept secret. It typically generates a pair of RSA keys, one of which is a secret key, which is stored by the user; the other is a public key, which can be disclosed externally and even registered in a network server. To increase security, RSA keys are at least 500 bits long, and 1024 bits are generally recommended, which makes encryption computationally intensive. The RSA algorithm has the advantages of high security, difficult cracking and no leakage of private keys. However, the calculation speed is low, and the method is only suitable for information which is not updated frequently and has small data volume, and is not suitable for encrypting a large amount of information.
Therefore, in order to reduce the amount of computation, when transmitting information, a combination of the conventional encryption method and the public key encryption method is often adopted, that is, the information is encrypted by using the modified DES key, and then the session key and the information digest are encrypted by using the RSA key. After receiving the information, the opposite party decrypts the information by using different keys and can check the information abstract.
The information disclosed in this background section is only for enhancement of understanding of the general background of the application and should not be taken as an acknowledgement or any form of suggestion that this information forms the prior art already known to a person of ordinary skill in the art.
Disclosure of Invention
The application aims to provide a remote key downloading method which can realize a safe, convenient and fast remote key downloading mode.
Another object of the present application is a remote key download system.
In order to achieve the above object, the present application provides a remote key downloading method, comprising the steps of: exchanging bank host public key PK by bank host and ATM manufacturer Host Public key PK of ATM manufacturer SI And use the private key of ATM manufacturer to PK by ATM manufacturer Host Signing; public key PK for exchanging cipher keyboard by bank host and ATM cipher keyboard ATM Bank host public key PK Host The method comprises the steps of carrying out a first treatment on the surface of the Generating a master key MK by a bank host; use of PK by bank hosts ATM Encrypt MK while using bank host private key SK Host Signing the MK after encryption; the bank host sends the encrypted MK and the signature result to the password keyboard; in response to receiving the encrypted MK and the signature result, the password keyboard first uses the PK Host Checking signature on the signature result; after the signature verification is successful, the password keyboard utilizes the private key SK of the password keyboard ATM Decrypting the encrypted MK to obtain the MK plaintext and storing the MK plaintext.
In one embodiment of the present application, a remote key download method includesThe method comprises the following steps: downloading PK for a cryptographic keypad by an ATM vendor SI 、PK ATM SK ATM The method comprises the steps of carrying out a first treatment on the surface of the Using ATM vendor private key SK by ATM vendor SI For PK ATM And the keyboard serial number UIATM.
In one embodiment of the application, the public key PK of the cipher keyboard is exchanged by the bank host and the ATM cipher keyboard ATM Bank host public key PK Host The method specifically comprises the following steps: inquiring the ATM identification from the password keyboard by the bank host, wherein the ATM identification at least comprises a keyboard serial number UIATM; the password keyboard transmits a keyboard serial number UIATM to the bank host by the password keyboard and utilizes SK in response to receiving a query from the bank host SI A first signature result of signing the keyboard serial number UIATM; use of PK by bank hosts SI Checking the first signature result, and judging whether the keyboard serial number UIATM is in a keyboard identification list or not by a bank host; if the verification passes and the keyboard serial number UIATM is judged to be in the keyboard identification list, the bank host inquires PK from the password keyboard ATM The method comprises the steps of carrying out a first treatment on the surface of the The password keyboard transmits PK to the bank host computer in response to receiving the inquiry of the bank host computer ATM Using SK SI A second signature result of signing the PKATM; use of PK by bank hosts SI Checking the second signature result; if the verification passes, the bank host sends PK to the password keyboard Host Using SK SI For PK Host A third signature result of the signature is carried out; PK utilization by a password keyboard SI And checking the third signature result.
In one embodiment of the application, obtaining MK specifically includes the steps of: requesting a random number RATM from a password keyboard by a bank host; generating an RATM by a password keyboard in response to receiving a request of a bank host, and transmitting the generated RATM to the bank host; generating MK by bank host, encrypting MK by bank host using PKATM, and using private key SK of bank host Host Signing the MK after encryption; the bank host sends the encrypted MK, signature result and RATM to the cipher keyboard; responsive to receiving the MK after encryption and the signature result, the method comprisesPassword keyboard first utilizes PK Host Checking signature on the signature result; if the verification passes, judging whether the received RATM is the same as the transmitted RATM by a password keyboard; if the received RATM is determined to be the same as the transmitted RATM, the cryptographic keypad is used by the cryptographic keypad with the cryptographic keypad private key SK ATM And decrypting the encrypted MK to obtain MK plaintext.
The application also provides a remote key downloading system, which comprises: exchanging bank host public key PK for bank host and ATM manufacturer Host Public key PK of ATM manufacturer SI And use the private key of ATM manufacturer to PK by ATM manufacturer Host A unit for signing; public key PK for exchanging cipher keyboard with ATM cipher keyboard by bank host ATM Bank host public key PK Host Is a unit of (2); a unit for generating a master key MK by a bank host; for use of PK by bank hosts ATM Encrypt MK while using bank host private key SK Host A unit that signs MK after encryption; a unit for transmitting the encrypted MK and the signature result to the password keyboard by the bank host; for first utilizing PK by a cryptographic keyboard in response to receiving MK after encryption and a signature result Host A unit for checking signature of the signature result; after the signature verification is successful, the password keyboard utilizes the private key SK of the password keyboard ATM And decrypting the encrypted MK to obtain MK plaintext and storing the MK unit of the plaintext.
In one embodiment of the present application, a remote key download system includes: downloading PK for a cryptographic keypad by an ATM vendor SI 、PK ATM SK ATM Is a unit of (2); for use by an ATM vendor with an ATM vendor private key SK SI For PK ATM And a unit for signing the keyboard serial number UIATM.
Public key PK for exchanging cipher keyboard by bank host and ATM cipher keyboard ATM Bank host public key PK Host The method specifically comprises the following steps: inquiring the ATM identification from the password keyboard by the bank host, wherein the ATM identification at least comprises a keyboard serial number UIATM; in response to receiving a query from the bank host, transmitting a keyboard serial number UIATM to the bank host by the cryptographic keyboard toBy SK SI A first signature result of signing the keyboard serial number UIATM; use of PK by bank hosts SI Checking the first signature result, and judging whether the keyboard serial number UIATM is in a keyboard identification list or not by a bank host; if the verification passes and the keyboard serial number UIATM is judged to be in the keyboard identification list, the bank host inquires PK from the password keyboard ATM The method comprises the steps of carrying out a first treatment on the surface of the In response to receiving a query from a bank host, a PK is sent by a cryptographic keyboard to the bank host ATM Using SK SI A second signature result of signing the PKATM; use of PK by bank hosts SI Checking the second signature result; if the verification passes, the bank host sends PK to the password keyboard Host Using SK SI For PK Host A third signature result of the signature is carried out; PK utilization by a password keyboard SI And checking the third signature result.
In one embodiment of the application, obtaining MK specifically includes the steps of: requesting a random number RATM from a password keyboard by a bank host; generating an RATM by a password keyboard in response to receiving a request of a bank host, and transmitting the generated RATM to the bank host; generating MK by bank host, encrypting MK by bank host using PKATM, and using private key SK of bank host Host Signing the MK after encryption; the bank host sends the encrypted MK, signature result and RATM to the cipher keyboard; in response to receiving the encrypted MK and the signature result, the PK is first utilized by the cryptographic keyboard Host Checking signature on the signature result; if the verification passes, judging whether the received RATM is the same as the transmitted RATM by a password keyboard; if the received RATM is determined to be the same as the transmitted RATM, the cryptographic keypad is used by the cryptographic keypad with the cryptographic keypad private key SK ATM And decrypting the encrypted MK to obtain MK plaintext.
Compared with the prior art, the remote key downloading and system adopts the RKL process, the rest WK is generated and downloaded, the exchange of transaction information is the same as that of the traditional symmetric key management system, and the RKL process provides a more convenient, safe and reliable method for downloading the master key, which becomes a trend of development in the future.
Drawings
FIG. 1 is a flowchart of key download method steps according to an embodiment of the present application;
FIG. 2 is a schematic block diagram of a key download method according to an embodiment of the present application;
FIG. 3 is a two-party exchange public key flow according to an embodiment of the present application;
FIG. 4 is a password keyboard initialization flow according to an embodiment of the application;
fig. 5 is a flow chart of an ATM and host exchange key according to an embodiment of the present application.
Fig. 6 is a key download flow according to an embodiment of the present application.
Detailed Description
The following detailed description of embodiments of the application is, therefore, to be taken in conjunction with the accompanying drawings, and it is to be understood that the scope of the application is not limited to the specific embodiments.
Throughout the specification and claims, unless explicitly stated otherwise, the term "comprise" or variations thereof such as "comprises" or "comprising", etc. will be understood to include the stated element or component without excluding other elements or components.
Example 1
As shown in fig. 1, the present application provides a remote key downloading method, which includes the following steps: step 101: exchanging bank host public key PK by bank host and ATM manufacturer Host Public key PK of ATM manufacturer SI And use the private key of ATM manufacturer to PK by ATM manufacturer Host Signing; step 102: public key PK for exchanging cipher keyboard by bank host and ATM cipher keyboard ATM Bank host public key PK Host The method comprises the steps of carrying out a first treatment on the surface of the Step 103: generating a master key MK by a bank host; step 104: use of PK by bank hosts ATM Encrypt MK while using bank host private key SK Host Signing the MK after encryption; step 105: the bank host sends the encrypted MK and the signature result to the password keyboard; step 106: in response to receiving MK after encryption in combination with a signatureIf the password keyboard firstly utilizes PK Host Checking signature on the signature result; step 107: after the signature verification is successful, the password keyboard utilizes the private key SK of the password keyboard ATM Decrypting the encrypted MK to obtain the MK plaintext and storing the MK plaintext.
In one embodiment of the present application, the remote key download method comprises the steps of: downloading PK for a cryptographic keypad by an ATM vendor SI 、PK ATM SK ATM The method comprises the steps of carrying out a first treatment on the surface of the Using ATM vendor private key SK by ATM vendor SI For PK ATM And the keyboard serial number UIATM.
In one embodiment of the application, the public key PK of the cipher keyboard is exchanged by the bank host and the ATM cipher keyboard ATM Bank host public key PK Host The method specifically comprises the following steps: inquiring the ATM identification from the password keyboard by the bank host, wherein the ATM identification at least comprises a keyboard serial number UIATM; in response to receiving a query from the bank host, transmitting a keyboard serial number UIATM to the bank host by the cryptographic keyboard and utilizing SK SI A first signature result of signing the keyboard serial number UIATM; use of PK by bank hosts SI Checking the first signature result, and judging whether the keyboard serial number UIATM is in a keyboard identification list or not by a bank host; if the verification passes and the keyboard serial number UIATM is judged to be in the keyboard identification list, the bank host inquires PK from the password keyboard ATM The method comprises the steps of carrying out a first treatment on the surface of the In response to receiving a query from a bank host, a PK is sent by a cryptographic keyboard to the bank host ATM Using SK SI A second signature result of signing the PKATM; use of PK by bank hosts SI Checking the second signature result; if the verification passes, the bank host sends PK to the password keyboard Host Using SK SI For PK Host A third signature result of the signature is carried out; PK utilization by a password keyboard SI And checking the third signature result.
In one embodiment of the application, obtaining MK specifically includes the steps of: requesting a random number RATM from a password keyboard by a bank host; generating a RATM from a cryptographic keypad in response to receiving a request from a host computer of a bank, and generatingThe RATM of (1) is sent to a bank host; generating MK by bank host, encrypting MK by bank host using PKATM, and using private key SK of bank host Host Signing the MK after encryption; the bank host sends the encrypted MK, signature result and RATM to the cipher keyboard; in response to receiving the encrypted MK and the signature result, the PK is first utilized by the cryptographic keyboard Host Checking signature on the signature result; if the verification passes, judging whether the received RATM is the same as the transmitted RATM by a password keyboard; if the received RATM is determined to be the same as the transmitted RATM, the cryptographic keypad is used by the cryptographic keypad with the cryptographic keypad private key SK ATM And decrypting the encrypted MK to obtain MK plaintext.
Example 2
As shown in fig. 2, the application adopts the RKL procedure specifically as follows:
1) In the initial phase, each party has the following key pair:
a bank host: PK (PK) Host 、SK Host
ATM manufacturer: PK (PK) SI 、SK SI
ATM(EPP):PK ATM 、SK ATM
2) In the initial stage, the double-send exchange PK in the form of e-mail, paper envelope and the like Host 、PK SI By SK SI For PK Host Is a signature of (a).
3) In the ATM opening use stage, in order to download the 3DES/SM4 master key MK, the two parties exchange RSA public keys, namely: PK (PK) Host 、PK ATM 。
4) The host generates a 3DES key MK, firstly encrypts by a public key of the cipher keyboard, then signs by a private key, and finally sends MK ciphertext and a signature result to the cipher keyboard
5) After receiving the MK ciphertext and the signature result, the cipher keyboard firstly uses the public key of the host to check the signature, then uses the private key to decrypt the MK ciphertext to obtain the MK plaintext, and stores the MK.
The process is RKL process, the rest WK is generated and downloaded, the exchange of transaction information is the same as the traditional symmetric key management system, RKL provides a more convenient, safe and reliable method for downloading the master key, so that banks can update the master key conveniently, and the method will become a trend of development in the future.
It should be noted that there are two specific implementations of RKL: one is based on the Signature signaling protocol and the other is the authentication signaling protocol.
The application is further described below in connection with the RKL of the Signal protocol in the specific examples, but the application is not limited to these specific embodiments.
Specifically, the remote key downloading method according to the present application comprises the steps of:
1. project initial stage:
when the bank installs the ATM, the vendor needs to provide the public key of the ATM vendor, the vendor signs the public key of the bank with the private key, and the signature is returned to the bank together with the public key of the vendor (the communication process generally ensures the reliability of the information through a letter mode).
The bank host has the key: PK (PK) Host 、SK Host ;
ATM vendors have keys: PK (PK) SI 、SK SI ;
Exchanging bank host public key PK by bank host and ATM manufacturer Host Public key PK of ATM manufacturer SI The two parties exchange public key flows as shown in fig. 3.
2. The RSA key needs to be downloaded before the cipher keyboard leaves the factory:
downloading PK for a cryptographic keypad by an ATM vendor SI 、PK ATM SK ATM The method comprises the steps of carrying out a first treatment on the surface of the Using ATM vendor private key SK by ATM vendor SI For PK ATM And the keyboard serial number UIATM. As shown in fig. 5.
3. When the ATM is on, exchanging public keys with host hosts:
the ATM and host exchange key flow is shown in fig. 5, where the exchange public key is the basis for downloading the master key, and the ATM is installed at least once. The method is carried out according to the following procedures:
1) The host computer inquires the code keyboard of the ATM identification (the model and the serial number of the code keyboard)
WFS_CMD_PIN_EXPORT_RSA_ISSUER_SIGNED_ITEM, parameter values: WFS_PIN_EXPORT_EPP_ID
2) The cipher keyboard returns the cipher keyboard identification and signature (signed by the manufacturer private key), the host checks the signature by the manufacturer public key, and inquires the keyboard identification list, if the signature passes and the keyboard identification exists in the list, the next step is continued, otherwise, the host fails to exit.
3) The host computer inquires the public key of the cipher keyboard from the cipher keyboard
WFS_CMD_PIN_EXPORT_RSA_ISSUER_SIGNED_ITEM, parameter values: WFS_PIN_EXPORT_PUBLIC_KEY
4) The cipher keyboard returns the cipher keyboard public key and signature (signed by the manufacturer private key), the host checks the signature by the manufacturer public key, if the signature passes, the next step is continued, otherwise the host fails to exit.
5) The host transmits its public key and signature (signed by the manufacturer's private key) to the cryptographic keyboard, which verifies the signature by the manufacturer's public key, and if the signature passes, proceeds to the next step, otherwise, it fails to exit.
4. Downloading a master key:
the key download flow is shown in fig. 6. The method is carried out according to the following flow:
1) Host requests random number RATM from cipher keyboard
WFS_CMD_PIN_START_KEY_EXCHANGE
2) The cipher keyboard generates random number RATM and returns to the host
3) The host generates a master key Km, encrypts the master key Km by using a public key of the password keyboard to obtain a Cryptographic data, connects an IATM to obtain a keyVal, signs the keyVal by using a private key of the host to obtain a signData, and then sends the keyVal and the signData to the password keyboard together.
WFS_CMD_PIN_IMPORT_RSA_SIGNED_DES_KEY
4) The cipher keyboard firstly uses the public key of the host to check signature, then compares whether the random number is consistent with the generated random number, then uses the private key to decrypt the cryptotdata to obtain the plaintext Km of the master key, and stores the Km.
The input parameters are generated as follows:
let plantextdeskey= 11 22 33 44 55 66 77 88 aa bb cc dd ee ff 01 02, which is the master key MK1 plaintext to be downloaded
The above PlaintextDesKey is encrypted with the public key of the cryptographic keyboard to obtain 256 bytes of ciphertext keyValue. The public key of the cipher keyboard is obtained by calling exportRSAPublicKey.
The result keyValue (if a random number is used, an 8-byte random number is added in front of the random number) is signed by a private key of the simulation host computer, and 256-byte Signature is obtained.
Example 3
The application also provides a remote key downloading system, which comprises: a unit for exchanging a bank host public key PKHost and an ATM vendor public key PKSI by a bank host and an ATM vendor, and signing the PKHost by the ATM vendor by using an ATM vendor private key; a unit for exchanging a public key of a cryptographic keypad PKATM with a cryptographic keypad of the ATM by the host bank, and a public key of the host bank PKHost; a unit for generating a master key MK by a bank host; means for encrypting MK by the bank host using the PKATM, while signing the encrypted MK with a bank host private key SKHost; a unit for transmitting the encrypted MK and the signature result to the password keyboard by the bank host; a unit for first signing the signature result by the password keyboard using the PKHost in response to receiving the encrypted MK and the signature result; after the verification is successful, the encrypted MK is decrypted by the cipher keyboard by using the cipher keyboard private key SKATM to obtain MK plaintext, and the MK plaintext is stored.
In one embodiment of the present application, a remote key download system includes: a unit for downloading PKSI, PKATM and SKATM for the keypad by the ATM manufacturer; a unit for signing the PKATM and the keypad serial number UIATM by the ATM vendor using the ATM vendor private key SKSI.
In one embodiment of the present application, the bank host exchanges the public key of the password keypad PKATM with the password keypad of the ATM and the public key of the bank host PKHost specifically comprises the following steps: inquiring the ATM identification from the password keyboard by the bank host, wherein the ATM identification at least comprises a keyboard serial number UIATM; in response to receiving a query from a bank host, sending, by a cryptographic keypad, a keypad serial number UIATM to the bank host and a first signature result of signing the keypad serial number UIATM with SKSI; the bank host computer utilizes PKSI to check the first signature result, and judges whether the keyboard serial number UIATM is in the keyboard identification list; if the verification passes and the keyboard serial number UIATM is judged to be in the keyboard identification list, inquiring the PKATM from the password keyboard by the bank host; in response to receiving the inquiry of the bank host, sending the PKATM to the bank host by the password keyboard and a second signature result of signing the PKATM by using the SKSI; the bank host computer performs signature verification on the second signature result by using PKSI; if the verification passes, the bank host sends a PKHost to the password keyboard and a third signature result for signing the PKHost by using the SKSI; and verifying the third signature result by using the PKSI through a password keyboard.
In one embodiment of the application, obtaining MK specifically includes the steps of: requesting a random number RATM from a password keyboard by a bank host; generating an RATM by a password keyboard in response to receiving a request of a bank host, and transmitting the generated RATM to the bank host; generating MK by the bank host, encrypting MK by the bank host by using PKATM, and signing the encrypted MK by using a private key SKHost of the bank host; the bank host sends the encrypted MK, signature result and RATM to the cipher keyboard; in response to receiving the encrypted MK and the signature result, firstly, checking the signature result by using a PKHost through a password keyboard; if the verification passes, judging whether the received RATM is the same as the transmitted RATM by a password keyboard; if the received RATM is judged to be the same as the transmitted RATM, the encrypted MK is decrypted by the cipher keyboard by using the cipher keyboard private key SKATM to obtain MK plaintext.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing descriptions of specific exemplary embodiments of the present application are presented for purposes of illustration and description. It is not intended to limit the application to the precise form disclosed, and obviously many modifications and variations are possible in light of the above teaching. The exemplary embodiments were chosen and described in order to explain the specific principles of the application and its practical application to thereby enable one skilled in the art to make and utilize the application in various exemplary embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the application be defined by the claims and their equivalents.
Claims (2)
1. A remote key download method, characterized in that the remote key download method comprises the steps of:
exchanging bank host public key PK by bank host and ATM manufacturer Host Public key PK of ATM manufacturer SI And PK is encrypted by the ATM vendor using the ATM vendor private key Host Signing;
public key PK for exchanging cipher keyboard by bank host and ATM cipher keyboard ATM Bank host public key PK Host ;
Generating a master key MK by a bank host;
use of the PK by a Bank host ATM Encrypt the MK while using the bank host private key SK Host Signing the MK after encryption;
the bank host sends the encrypted MK and the signature result to the password keyboard;
the password keyboard receives the MK and the signature result after encryption, and the password keyboard firstly uses the PK Host Checking signature on the signature result;
after the signature verification is successful, the password keyboard utilizes the private key SK of the password keyboard ATM Decrypting the encrypted MK to obtain an MK plaintext and storing the MK plaintext;
the remote key downloading method comprises the following steps:
downloading PK for the cryptographic keypad by the ATM vendor SI 、PK ATM SK ATM ;
Using an ATM vendor private key SK by the ATM vendor SI For the PK ATM Signing with a keyboard serial number UIATM;
wherein, the bank host computer exchanges the public key PK of the cipher keyboard with the ATM cipher keyboard ATM Bank host public key PK Host The method specifically comprises the following steps:
querying, by the bank host, the cryptographic keypad for an ATM identification, wherein the ATM identification includes at least the keypad serial number uitm;
the password keyboard receives the inquiry of the bank host, and the password keyboard sends the keyboard serial number UIATM to the bank host and uses SK SI A first signature result of signing the keyboard serial number UIATM;
use of PK by the Bank host SI Checking the first signature result, and judging whether the keyboard serial number UIATM is in a keyboard identification list or not by the bank host;
if the verification passes and the keyboard serial number UIATM is judged to be in a keyboard identification list, the bank host inquires the PK from the password keyboard ATM ;
The password keyboard receives the inquiry of the host computer of the bank, and the password keyboard sends the PK to the host computer of the bank ATM Using SK SI For the PK ATM Performing a second signature result of the signature;
use of PK by the Bank host SI Checking the second signature result;
if the verification passes, the bank host sends the PK to the password keyboard Host Using SK SI For the PK Host A third signature result of the signature is carried out;
PK utilization by the password keyboard SI Checking the third signature result;
wherein, obtaining MK specifically includes the following steps:
requesting, by the bank host, a random number, RATM, from the cryptographic keypad;
the password keyboard receives the request of the bank host, generates the RATM by the password keyboard and sends the generated RATM to the bank host;
generating MK by the bank host, using the PK by the bank host ATM Encrypt the MK while using the bank host private key SK Host Signing the MK after encryption;
the bank host computer sends the encrypted MK, the signature result and the RATM to the password keyboard;
the password keyboard receives the MK and the signature result after encryption, and the password keyboard firstly uses the PK Host Checking signature on the signature result;
if the verification passes, the password keyboard judges whether the received RATM is the same as the transmitted RATM;
if the received RATM is determined to be the same as the transmitted RATM, then the cryptographic key is used by the cryptographic key using the cryptographic key private key SK ATM And decrypting the MK after encryption to obtain MK plaintext.
2. A remote key download system, the remote key download system comprising:
exchanging bank host public key PK for bank host and ATM manufacturer Host Public key PK of ATM manufacturer SI And use the private key of ATM manufacturer to PK by ATM manufacturer Host A unit for signing;
public key PK for exchanging cipher keyboard with ATM cipher keyboard by bank host ATM Bank host public key PK Host Is a unit of (2);
a unit for generating a master key MK by a bank host;
for use of the PK by a bank host ATM Encrypt the MK while using the bank host private key SK Host A unit that signs MK after encryption;
a unit for transmitting the encrypted MK and the signature result to the password keyboard by the bank host;
for first utilizing the PK by a cryptographic keyboard in response to receiving the encrypted MK and a signature result Host A unit for checking signature of the signature result;
after the signature verification is successful, the password keyboard utilizes the private key SK of the password keyboard ATM Decrypting the encrypted MK to obtain an MK plaintext and storing the MK plaintext;
wherein the remote key download system comprises:
downloading PK for the cryptographic keypad by ATM vendor SI 、PK ATM SK ATM Is a unit of (2);
for use by an ATM vendor with an ATM vendor private key SK SI For the PK ATM A unit for signing with a keyboard serial number UIATM;
wherein, the bank host computer exchanges the public key PK of the cipher keyboard with the ATM cipher keyboard ATM Bank host public key PK Host The method specifically comprises the following steps:
querying, by the bank host, the cryptographic keypad for an ATM identification, wherein the ATM identification includes at least the keypad serial number uitm;
transmitting the keyboard serial number UIATM to the bank host by the cryptographic keyboard and utilizing SK in response to receiving the inquiry from the bank host SI A first signature result of signing the keyboard serial number UIATM;
use of PK by the Bank host SI Checking the first signature result, and judging whether the keyboard serial number UIATM is in a keyboard identification list or not by the bank host;
if the verification passes and the keyboard serial number UIATM is judged to be in a keyboard identification list, the bank host inquires the PK from the password keyboard ATM ;
In response to receiving a query from the bank host, transmitting the PK to the bank host by the cryptographic keyboard ATM Using SK SI For the PK ATM Performing a second signature result of the signature;
use of PK by the Bank host SI Checking the second signature result;
if the verification passes, the bank host sends the PK to the password keyboard Host Using SK SI For the PK Host A third signature result of the signature is carried out;
PK utilization by the password keyboard SI Checking the third signature result;
wherein, obtaining MK specifically includes the following steps:
requesting, by the bank host, a random number, RATM, from the cryptographic keypad;
generating the RATM by the password keyboard in response to receiving a request of the bank host, and transmitting the generated RATM to the bank host;
generating MK by the bank host, using the PK by the bank host ATM Encrypt the MK while using the bank host private key SK Host Signing the MK after encryption;
the bank host computer sends the encrypted MK, the signature result and the RATM to the password keyboard;
in response to receiving the encrypted MK and a signature result, the PK is first utilized by the cryptographic keyboard Host Checking signature on the signature result;
if the verification passes, the password keyboard judges whether the received RATM is the same as the transmitted RATM;
if the received RATM is judged to be the same as the transmitted RATM, the encrypted MK is decrypted by the cipher keyboard by using a cipher keyboard private key SKATM to obtain MK plaintext.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010059662.1A CN111275440B (en) | 2020-01-19 | 2020-01-19 | Remote key downloading method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010059662.1A CN111275440B (en) | 2020-01-19 | 2020-01-19 | Remote key downloading method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111275440A CN111275440A (en) | 2020-06-12 |
| CN111275440B true CN111275440B (en) | 2023-11-10 |
Family
ID=70998842
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010059662.1A Active CN111275440B (en) | 2020-01-19 | 2020-01-19 | Remote key downloading method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111275440B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111859474A (en) * | 2020-06-17 | 2020-10-30 | 天津赢达信科技有限公司 | Browser dynamic password input method and device based on digital envelope |
| CN112446782A (en) * | 2020-11-26 | 2021-03-05 | 中电金融设备系统(深圳)有限公司 | Method for downloading initial key, computer equipment and storage medium |
| CN112968776B (en) * | 2021-02-02 | 2022-09-02 | 中钞科堡现金处理技术(北京)有限公司 | Method, storage medium and electronic device for remote key exchange |
| CN113486381A (en) * | 2021-07-27 | 2021-10-08 | 中国银行股份有限公司 | Method and device for transmitting information between WeChat bank and manufacturer server |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101930644A (en) * | 2009-06-25 | 2010-12-29 | 中国银联股份有限公司 | Method for safely downloading master key automatically in bank card payment system and system thereof |
| CN103716154A (en) * | 2013-03-15 | 2014-04-09 | 福建联迪商用设备有限公司 | Security downloading method and system of TMK |
| CN109547208A (en) * | 2018-11-16 | 2019-03-29 | 交通银行股份有限公司 | Electronic Finance equipment master key online distribution method and system |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20190034891A1 (en) * | 2016-06-03 | 2019-01-31 | Hitachi-Omron Terminal Solutions, Corp. | Automated transaction system, method for control thereof, and card reader |
-
2020
- 2020-01-19 CN CN202010059662.1A patent/CN111275440B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101930644A (en) * | 2009-06-25 | 2010-12-29 | 中国银联股份有限公司 | Method for safely downloading master key automatically in bank card payment system and system thereof |
| CN103716154A (en) * | 2013-03-15 | 2014-04-09 | 福建联迪商用设备有限公司 | Security downloading method and system of TMK |
| CN109547208A (en) * | 2018-11-16 | 2019-03-29 | 交通银行股份有限公司 | Electronic Finance equipment master key online distribution method and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111275440A (en) | 2020-06-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10595201B2 (en) | Secure short message service (SMS) communications | |
| CN111275440B (en) | Remote key downloading method and system | |
| CN112260826B (en) | Method for secure credential provisioning | |
| CN109728909B (en) | Identity authentication method and system based on USBKey | |
| US8540146B2 (en) | Automated banking machine that operates responsive to data bearing records | |
| AU2014290143C1 (en) | Secure remote payment transaction processing | |
| USH2270H1 (en) | Open protocol for authentication and key establishment with privacy | |
| US8953790B2 (en) | Secure generation of a device root key in the field | |
| AU2019240671A1 (en) | Methods for secure cryptogram generation | |
| JP5136012B2 (en) | Data sending method | |
| WO2017004470A1 (en) | Mutual authentication of confidential communication | |
| CN113572601B (en) | VNC remote safety communication method based on national secret TLS | |
| CN112351037B (en) | Information processing method and device for secure communication | |
| EP2095288A1 (en) | Method for the secure storing of program state data in an electronic device | |
| CA2693347C (en) | Method and system for secure remote transfer of master key for automated teller banking machine | |
| WO2024031868A1 (en) | Attribute encryption-based device security authentication method and related apparatus thereof | |
| US20210392004A1 (en) | Apparatus and method for authenticating device based on certificate using physical unclonable function | |
| CN111740995B (en) | Authorization authentication method and related device | |
| US9224144B2 (en) | Securing communications with a pin pad | |
| EP3185504A1 (en) | Security management system for securing a communication between a remote server and an electronic device | |
| CN113114458A (en) | Encryption certificate generation method, decryption method, encryption certificate generation device, decryption device and encryption certificate system | |
| WO2000067447A1 (en) | Improvements in and relating to secure data transmission | |
| CN108985079A (en) | Data verification method and verifying system | |
| KR20180089952A (en) | Method and system for processing transaction of electronic cash |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |