CN112101048A - Device and method for processing identity identification information - Google Patents

Device and method for processing identity identification information Download PDF

Info

Publication number
CN112101048A
CN112101048A CN201910528362.0A CN201910528362A CN112101048A CN 112101048 A CN112101048 A CN 112101048A CN 201910528362 A CN201910528362 A CN 201910528362A CN 112101048 A CN112101048 A CN 112101048A
Authority
CN
China
Prior art keywords
information
key
processed
module
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910528362.0A
Other languages
Chinese (zh)
Inventor
沈国华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Zhejiang Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Zhejiang Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Zhejiang Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201910528362.0A priority Critical patent/CN112101048A/en
Publication of CN112101048A publication Critical patent/CN112101048A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06KGRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K7/00Methods or arrangements for sensing record carriers, e.g. for reading patterns
    • G06K7/10Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
    • G06K7/10009Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves
    • G06K7/10257Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves arrangements for protecting the interrogation against piracy attacks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/73Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/77Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards

Abstract

The invention discloses a device and a method for processing identity recognition information, wherein the device comprises: the acquisition module is used for acquiring information to be processed containing the identity identification information read by the identity card reading equipment; the encryption processing module is used for carrying out summary operation processing on the information to be processed according to a preset summary algorithm to obtain summary information; the abstract operation treatment comprises salt doping treatment; encrypting the digest information by using the key stored in the key storage module to obtain signature data; and the sending module is used for sending the signature data and the information to be processed to the verification terminal so that the verification terminal can provide the received signature data and the information to be processed to the service system for verification. The method improves the abstract algorithm, adds salt doping treatment in the abstract operation to form a customized abstract algorithm, so that the abstract algorithm is not easy to obtain and crack, and the data security is enhanced; the protection signature is formed by firstly abstracting and then encrypting, so that the data is guaranteed not to be tampered in the transmission process.

Description

Device and method for processing identity identification information
Technical Field
The invention relates to the technical field of information processing, in particular to a device and a method for processing identity recognition information.
Background
At present, in order to improve the security, more and more service scenes implement a user real-name system, the identity card information of a user is read and verified by accessing an identity card reader, and the service is allowed to be transacted if the verification is successful. For example, a telecommunications carrier, when transacting a business involving property rights through various entities, requires a user to present his or her identity card and authenticate at an identity card reader.
The existing identity card verification scheme mainly comprises two solutions for a mobile terminal and a PC terminal. Fig. 3 shows an interaction flow diagram of the technical solutions of the mobile terminal and the PC terminal. In the PC side mode, the identity card reader is provided with a PC side access driving program, usually a dynamic link library file, a user installs the identity card reader in a computer, the system develops an OCX (object type extension component) control of an IE (Internet Explorer) side, a driving method of the dynamic link library file is called in the control to obtain identity card information, the system accesses the OCX control through javascript codes to obtain read identity card information, and then the identity card information is sent to a back-end server to handle services. In the mobile terminal mode, the identity card reader supports a Bluetooth transmission protocol, the mobile terminal can be connected with the identity card reader through Bluetooth, the mobile terminal develops a tool kit based on Android and IOS and is used for Bluetooth connection and data transmission, after the identity card reader reads identity card information, the identity card reader transmits the identity card information to the APP of the mobile terminal through Bluetooth, and then the identity card reader sends a rear-end server to handle services.
However, the inventor finds out in the process of implementing the invention that: from the whole identification card identification process, the system has the risk of interception and tampering in the interaction with the identification card reader and the data read from the identification card reader, which mainly shows that: in the PC terminal mode, the OCX control installed aiming at the IE can be decompiled, secondary development is carried out after a source code is obtained, and the source of data can be tampered, namely the data source is tampered from an identity card reader to be manually input; under the mobile terminal mode, the developer of the mobile terminal can develop an independent Bluetooth data packet to monitor the APP, intercept and capture Bluetooth data and tamper with the Bluetooth data, so that the data read from the ID card reader to the APP is not original ID card data. Therefore, a protection mechanism for protecting data read by the identity card reader is lacked in the prior art, the data are easy to tamper in the transmission process, and the safety is low.
Disclosure of Invention
In view of the above, the present invention has been made to provide an apparatus and a method for processing identification information that overcome the above problems or at least partially solve the above problems.
According to an aspect of the present invention, there is provided an apparatus for processing identification information, including: the system comprises an acquisition module, a secret key storage module, an encryption processing module and a sending module;
the acquisition module is used for acquiring information to be processed containing the identity identification information read by the identity card reading equipment;
the encryption processing module is used for carrying out summary operation processing on the information to be processed according to a preset summary algorithm to obtain summary information; wherein, the summary operation treatment comprises salt doping treatment; encrypting the digest information by using the key stored in the key storage module to obtain signature data;
and the sending module is used for sending the signature data and the information to be processed to the verification terminal so that the verification terminal can provide the received signature data and the information to be processed to the service system for verification.
Optionally, the apparatus further comprises:
the verification module is used for decrypting the signature data submitted by the service system according to the calling request of the service system; performing summary operation processing on the to-be-processed information submitted by the service system according to a preset summary algorithm to obtain summary information to be verified; and comparing the decrypted signature data with the summary information to be verified to obtain a verification result.
Optionally, the apparatus further comprises: a key updating module and a key management module;
the key updating module is used for detecting whether the key stored in the key storage module is expired; if yes, sending a prompt message of key expiration to the verification terminal so that the verification terminal can request the key management module to update the key according to the serial number of the identity card reading equipment and send the updated key fed back by the key management module to the key storage module;
the key storage module is further to: and receiving and storing the updated key sent by the verification terminal.
Optionally, the information to be processed further includes a serial number of the identification card reading device.
Optionally, the key storage module is integrated in a key chip, and the key chip has a unique chip serial number;
the information to be processed further includes: chip serial number of the key chip.
Optionally, the salt doping treatment specifically comprises: and carrying out salt doping treatment based on the chip serial number of the key chip.
According to another aspect of the present invention, a system for processing identification information is provided, wherein the system comprises the above-mentioned device for processing identification information, a verification terminal and a service system;
the verification terminal is used for initiating an identity information verification request to the service system according to the received signature data and the information to be processed;
and the service system is used for finishing the authentication processing of the identity information according to the received identity information authentication request.
According to another aspect of the present invention, there is provided a method for processing identification information, wherein the method includes:
acquiring information to be processed containing identity identification information read by identity card reading equipment;
performing abstract operation processing on information to be processed according to a preset abstract algorithm to obtain abstract information; wherein, the summary operation treatment comprises salt doping treatment;
encrypting the digest information by using the stored key to obtain signature data;
and sending the signature data and the information to be processed to a verification terminal so that the verification terminal can provide the received signature data and the information to be processed to a service system for verification.
According to still another aspect of the present invention, there is provided an electronic apparatus including: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the processing method of the identification information.
According to still another aspect of the present invention, there is provided a computer storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the processing method of identification information as described above.
According to the device and the method for processing the identity recognition information, the device comprises the following steps: the acquisition module is used for acquiring information to be processed containing the identity identification information read by the identity card reading equipment; the encryption processing module is used for carrying out summary operation processing on the information to be processed according to a preset summary algorithm to obtain summary information; the abstract operation treatment comprises salt doping treatment; encrypting the digest information by using the key stored in the key storage module to obtain signature data; and the sending module is used for sending the signature data and the information to be processed to the verification terminal so that the verification terminal can provide the received signature data and the information to be processed to the service system for verification. The method improves the abstract algorithm, adds salt doping treatment in the abstract operation to form a customized abstract algorithm, so that the abstract algorithm is not easy to obtain and crack, and the data security is enhanced; the protection signature is formed by firstly abstracting and then encrypting, so that the data is guaranteed not to be tampered in the transmission process.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 illustrates a functional block diagram of an apparatus for processing identification information according to one embodiment of the present invention;
FIG. 2 illustrates a functional block diagram of an apparatus for processing identification information according to another embodiment of the present invention;
FIG. 3 is a schematic diagram showing the interaction flow of the technical solutions of the mobile terminal and the PC terminal;
FIG. 4 shows a timing diagram of key updates in an embodiment of the invention;
fig. 5 shows a sequence diagram of identification information processing in an embodiment of the present invention;
FIG. 6 shows an architectural diagram of one embodiment of the present invention;
FIG. 7 is a flow diagram illustrating a method of processing identification information according to one embodiment of the invention;
fig. 8 shows a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Fig. 1 is a functional block diagram of an apparatus for processing identification information according to an embodiment of the present invention, as shown in fig. 1, the apparatus including: the device comprises an acquisition module 11, an encryption processing module 12, a sending module 13 and a key storage module 14.
The acquisition module 11 is configured to acquire information to be processed including identification information read by an identification card reading device;
the encryption processing module 12 is configured to perform digest operation processing on the information to be processed according to a preset digest algorithm to obtain digest information; wherein, the summary operation treatment comprises salt doping treatment; encrypting the digest information by using the key stored in the key storage module to obtain signature data;
and the sending module 13 is configured to send the signature data and the to-be-processed information to the verification terminal, so that the verification terminal provides the received signature data and the to-be-processed information to the service system for verification.
Aiming at the problem that the identity card information is easy to be tampered in the reading process, on the basis of keeping the existing application architecture unchanged, the device for processing the identity identification information is designed, can be arranged in the identity card reading equipment, and certainly can be independently integrated into one equipment, and the invention is not limited to this.
The identity card reading device can be a second-generation identity card reader, and is an SAM (identity card reader) module identity card data reading device which is provided by the public security department in a unified mode. The acquisition module 11 acquires the identification information read by the identification card reading device as information to be processed. In specific implementation, in order to improve the security of data, the information to be processed may further include other fixed and unchangeable information, for example, a serial number corresponding to the identification card reading device.
The encryption processing module 12 encrypts the information to be processed, and the encryption processing mainly includes two processing procedures: firstly, abstract operation processing, in the embodiment, an improved abstract algorithm is adopted to perform abstract operation on information to be processed, namely salt doping processing is added in the abstract operation processing, certain fixed and unchangeable factors are added in the information to be processed, and the fixed and unchangeable factors and the information to be processed containing identity identification information are subjected to abstract processing, so that the security of the obtained abstract information is higher; secondly, the digest encryption processing is performed, and the digest information is encrypted by using the key stored in the key storage module 14 to form a security protection signature, so that the security of the data is further improved.
The sending module 13 sends the signature data and the information to be processed to a verification terminal, as shown in fig. 3, the verification terminal may be a PC terminal or a mobile terminal, the verification terminal submits the information to be processed and the signature data to a background system, and the background system verifies the received information to be processed and the signature data.
According to the identification information processing device provided by the embodiment, to-be-processed information including identification information read by identification card reading equipment is collected, then salt adding abstract operation processing is carried out on the to-be-processed information, the abstract information is encrypted to form signature data, and finally the signature data and the to-be-processed information are provided for a verification terminal to be verified. According to the method, the abstract algorithm is improved, namely salt doping treatment is added in the abstract operation to form a customized abstract algorithm, so that the abstract algorithm is not easy to obtain and crack, the safety of data is enhanced, and secondly, a safety protection signature is formed by firstly abstracting and then encrypting to ensure that the data is not tampered in the transmission process.
Fig. 2 is a functional block diagram of an apparatus for processing identification information according to another embodiment of the present invention, as shown in fig. 2, the apparatus including: the system comprises an acquisition module 21, an encryption processing module 22, a sending module 23, a verification module 24, a key chip 25, a key updating module 26 and a key management module 27.
It should be noted that the modules of the apparatus may be integrated into the id card reading device, or the modules of the apparatus may be integrated into one device separately. Of course, the present invention is not limited thereto.
The acquisition module 21 is configured to acquire information to be processed including identification information read by the identification card reading device. The acquisition module 21 acquires the identification information read by the identification card reading device as the information to be processed. Preferably, the information to be processed further includes a serial number corresponding to the identification card reading device. The identity card reading device can be a second-generation identity card reader, and is an SAM (identity card reader) module identity card data reading device which is provided by the public security department in a unified way. Then, the serial number corresponding to the identification card reading device specifically refers to: a unique Serial Number (SN) of the SAM _ a module (identification card decoding module).
The encryption processing module 22 is configured to perform digest operation processing on the information to be processed according to a preset digest algorithm to obtain digest information; encrypting the digest information by using a key stored in the key chip to obtain signature data; wherein, the summary operation treatment comprises salt doping treatment. That is, the encryption process includes the following two processes:
firstly, performing abstract operation on to-be-processed information by adopting an improved abstract algorithm, namely performing salt doping treatment in the abstract operation treatment, and adding certain fixed and unchangeable factors into the to-be-processed information to perform abstract treatment on the fixed and unchangeable factors and the to-be-processed information containing identity identification information; the device of the invention comprises a key chip 25, which is a fixed and unchanging factor and can therefore be introduced into the encryption process. Specifically, the chip serial number of the key chip is used as one of the information to be processed, that is, the encryption processing module 22 is further configured to perform digest operation on the identification information read by the identification card reading device, the serial number corresponding to the identification card reading device, and the chip serial number of the key chip, and add salt doping processing based on the chip serial number of the key chip in the digest operation. Optionally, the SM3 algorithm (domestic hash algorithm) is improved, and salt doping processing based on the chip serial number is added to the digest operation processing corresponding to the SM3 algorithm.
Secondly, the digest information is encrypted by using the key stored in the key chip 25 to form a security protection signature, so that the security of the data is further improved. For the way of encrypting the digest information by using the key, if only the conventional digest algorithm is used for encryption, a falsifier can still simulate the digest information if he knows the algorithm, and therefore, the key for encrypting the digest information is stored in the key chip 25.
Preferably, in order to further improve the security of encryption, the key may also be updated at regular time, and the specific implementation manner is as follows:
the key renewal module 26 detects whether the key stored in the key chip is expired; if yes, sending a prompt message of key expiration to the verification terminal, so that the verification terminal requests the key management module 27 in the application layer to update the key according to the serial number of the identification card reading device, and sending the updated key fed back by the key management module 27 to the key chip 25. The key chip 25 receives and stores the updated key sent by the verification terminal.
The secret key refers to a secret key of the identification card reading device, the secret key management module 27 in the application layer is used for managing the secret key of the identification card reading device, and further, the secret key management module 27 also manages a corresponding relation among a serial number of the identification card reading device, a chip serial number of a secret key chip and the secret key of the identification card reading device. The device will synchronize the initial password of the identification card reading device, the serial number of the key chip, and the serial number of the identification card reading device to the key management module 27 prior to use. And the key management module synchronizes the corresponding relation among the updated key, the serial number of the key chip and the serial number of the ID card reading device every time the key is updated. Preferably, the key management module 27 is added in the application layer.
Preferably, in order to ensure the security of the key, the key management module 27 encrypts the updated key with the corresponding expired key after generating the updated key, and feeds back the encrypted updated key to the verification terminal. Accordingly, after receiving the encrypted updated key sent by the terminal, the key chip 25 performs decryption processing, and then stores the updated key obtained by the decryption processing. It should be noted that the validity period of the key may be manually set according to actual needs, for example, the validity period of the key is set to 3 days, and the security can be further improved by periodically updating the key.
In this embodiment, the default initial password of the id card reading device is expired, and when the device is used for the first time, the initial password in the key management module 27 is expired, and the device can be used only after being updated.
Fig. 4 shows a time sequence diagram of key update in the embodiment of the present invention, as shown in fig. 4, when the verification terminal connects to the id card reader for the first time (corresponding to the case where the device is integrated in the id card reader, hereinafter referred to as a device), the key stored in the key chip 25 is read, and the stored key is determined to be an initial key, and then the verification terminal is notified of a modified key, or, in the case of non-first connection, whether the stored key is expired, and if so, the verification terminal is notified of the modified key; the verification terminal requests the latest key from the key management module 27 according to the serial number of the identity card reader, the key management module 27 reads the expired key to generate a new key, and the expired key is used for encrypting the new key; the key management module 27 returns the encrypted string containing the new key to the verification terminal, which provides the encrypted string to the device, which decrypts it and then stores the new key in the key chip 25. And finally, the verification terminal informs the key management module of finishing updating.
In addition to encrypting the digest information by using the key updated at regular time, the digest information may be encrypted by using an encryption algorithm in order to further improve data security. Specifically, the encryption processing module 22 is further configured to: the key stored in the key chip 25 is read, and the digest information is encrypted using the key and a predetermined encryption algorithm. For example, the digest information is encrypted using the SM4 symmetric encryption algorithm (SM4_ ECB mode encryption) and the key stored in the key chip 25.
The sending module 23 is configured to send the signature data and the to-be-processed information to the verification terminal, so that the verification terminal provides the received signature data and the to-be-processed information to the service system for verification.
The verification module 24 is configured to decrypt the signature data submitted by the service system according to the call request of the service system; performing summary operation processing on the to-be-processed information submitted by the service system according to a preset summary algorithm to obtain summary information to be verified; and comparing the decrypted signature data with the summary information to be verified to obtain a verification result.
After receiving the signature data and the to-be-processed information provided by the verification terminal, the service system invokes the verification service provided by the device to perform verification, that is, the signature data and the to-be-processed information are transmitted to the verification module 24, the verification module 24 performs digest operation on the to-be-processed information according to the improved digest algorithm to obtain the to-be-verified digest information, and the digest operation is consistent with the digest operation performed in the encryption processing module 21. Meanwhile, the signature data is decrypted, specifically, according to a serial number corresponding to the id card reading device included in the information to be processed submitted by the service system, a corresponding key is found from the key management module 27, and the signature data is decrypted by using the key. And then, comparing the signature data obtained by decryption with the summary information to be verified to determine whether the signature data and the summary information are consistent. Thus, the process from collecting to verifying the identification information is completed.
Theoretically, the signature data obtained by decryption and the signature data obtained by encryption by the encryption processing module 22 are identical, and the signature data obtained by decryption and the digest information to be verified are identical. However, if the signature data and the information to be processed are tampered during transmission, the decrypted signature data and the digest information to be verified may not be consistent. The method and the device ensure that the data is not tampered in the transmission process by performing the mode of firstly abstracting and then encrypting the data and combining the secondary verification of a data user.
In summary, according to the apparatus provided in this embodiment, the hash mechanism of the secret SM3 algorithm is adjusted to make the secret SM3 algorithm become a customized digest algorithm, which is not easy to be decrypted by external access, thereby enhancing the security of data; secondly, on the basis of transmitting original data without encryption, by adding a security encryption chip and a key management module, combining high security algorithms such as an abstract and a symmetric encryption in a state secret SM, forming a security protection signature by first abstracting and then encrypting, and combining secondary verification of a data user, the data is guaranteed not to be falsified in the transmission process, the possibility of counterfeiting user identity information is zero, and the authenticity and reliability of user data are guaranteed.
Fig. 5 shows a timing diagram of processing identification information in an embodiment of the present invention, as shown in fig. 5, a verification terminal initiates an identification card reading request, a device reads identification card data (identification information), and performs digest operation on data to be processed by using an improved digest algorithm, where the data to be processed includes the identification card data and may also include a serial number of the identification card reading device or a chip serial number of a key chip; then, the digest information generated by encrypting the key in the key chip is used, and the equipment returns the encrypted signature and the data to be processed to the verification terminal; the check terminal provides plaintext data to be processed and an encrypted signature to a service system background; and the background of the service system calls a verification service, the data to be processed is abstracted by using the same improved abstract algorithm, the encrypted signature is decrypted at the same time, and the abstract information obtained by decryption is compared with the abstract information obtained by abstract operation processing.
The specific processing procedure of the present invention for identification information is illustrated below, in which the SM3 algorithm (domestic hash algorithm) is modified to add salt doping processing based on the chip serial number of the key chip to SM 3.
Firstly, abstract operation processing is carried out, and the process specifically comprises the following steps:
acquisition information D1 ═ ID card information ID _ Data + SAM _ A module SN + key chip SN
The Length L1 of the 64-bit hybrid is Length (D1+ key chip SN), where salt doping based on the key chip SN is performed.
Converting D1 into binary format, packing the binary into 512K which is an integral multiple of 512, putting the redundant part and L1 at the end, packing into K +1 group, filling 0 between L1 and the original data to obtain the following K +1 group data:
0101001100110011 … (total 512 bits) … 110011000011 (group 1)
0101001100110011 … (total 512 bits) … 110011000011 (group 2)
0101001100110011 … (total 512 bits) … 110011000011 (group 3)
0011 … (448 bits total) … 11000011 … (64 bits, length information) … 1100 (group K + 1)
The data is thus divided into K +1 groups, set as b (0), b (1) … … b (K), and iteratively compressed using the following algorithm: IV (K) ═ CF (IV (K-1), b (K-1)), after K iterations, digest information H1 is obtained: h1 ═ iv (k).
Secondly, the digest information H1 is encrypted by using an SM4 symmetric encryption algorithm (SM4_ ECB mode encryption) and an encryption key sk issued by a key management module (i.e., stored in a key chip) to generate a signature S1, where S1 is SM4_ ECB (H1, sk)
Thirdly, the signature S1+ ID card information ID1+ SAM _ A module serial number sn1 form service data C1, and the service data C1 is sent to a PC or a mobile phone terminal through a USB or Bluetooth interface and is transmitted to a service system.
Fourthly, after the background of the business system receives the relevant data, calling a verification module to decrypt the data and verify the abstract, wherein the verification is passed and the data is not tampered, and if the verification is not passed, business handling is forbidden, and the verification process is as follows: the service system calls the check service provided by the device, inputs the module string number sn1, the ID card information ID1 and the signature data S1, firstly finds out a corresponding key according to the sn1, then decrypts the signature S1 by using the key to obtain plaintext abstract information H2 (in principle, H2 and H1 have the same value), then calculates a new abstract H3 according to the same algorithm for the ID card information ID1 plus the equipment string number sn1 plus the security chip serial number, and then compares whether the two abstracts H2 and H3 are consistent, if so, the data is reliable, otherwise, the data is rejected.
Fig. 6 is a schematic architecture diagram illustrating an embodiment of the present invention, and as shown in fig. 6, the embodiment adds the apparatus of the present invention to an original architecture as an anti-tampering apparatus, where the anti-tampering apparatus includes, in addition to the functional modules in the above embodiments, other auxiliary functional modules, and the present invention is not limited thereto.
As shown in fig. 6, the identity card reader is provided with an SAM _ a module, and after reading the identity card data, the identity card reader transmits the data to the tamper-proof device for encryption, and the tamper-proof device includes a key management sub-device in an application layer, that is, the key management module in the above embodiment, and an encryption processing sub-device, which includes the acquisition module, the encryption processing module, the transmission module, the key update module, and the key chip in the above embodiment. The key management sub-device and the encryption processing sub-device are matched with each other to complete key updating. After the data is processed by the encryption processing sub-device, the data equivalently carries the anti-counterfeiting code, the data is output from the device and transmitted to the service system, and the service system performs reverse verification through the anti-tampering device. The tamper-proof device also comprises a secret key reading-proof module, a data verification function module, an equipment management module and a log management module. Of course, this is merely one embodiment of the present invention and aspects of the present invention are not limited in this respect.
Fig. 7 is a flowchart illustrating a method for processing identification information according to an embodiment of the present invention, where, as shown in fig. 7, the method includes:
step S701, collecting information to be processed including the identification information read by the identification card reading device.
Step S702, abstract operation processing is carried out on the information to be processed according to a preset abstract algorithm to obtain abstract information, wherein the abstract operation processing comprises salt doping processing.
And step S703, encrypting the digest information by using the stored key to obtain signature data.
Step S704, sending the signature data and the to-be-processed information to the verification terminal, so that the verification terminal provides the received signature data and the to-be-processed information to the service system for verification.
Optionally, the verifying by the service system specifically includes: calling a preset verification service by the service system, decrypting the signature data submitted by the service system by the verification service, and performing summary operation processing on the to-be-processed information submitted by the service system according to the preset summary algorithm to obtain the summary information to be verified; and comparing the decrypted signature data with the summary information to be verified to obtain a verification result.
Optionally, the method further comprises: detecting whether the stored key is expired; if yes, sending a prompt message of key expiration to the verification terminal so that the verification terminal can request a key management platform in the application layer to update the key according to the serial number of the identity card reading equipment; and receiving an updated key fed back by the key management platform sent by the verification terminal, and storing the updated key.
Optionally, the information to be processed further includes a serial number of the identification card reading device.
Optionally, the key is stored in a key chip, and the key chip has a unique chip serial number, and the information to be processed further includes: chip serial number of the key chip.
Optionally, the salt doping treatment specifically comprises: and carrying out salt doping treatment based on the chip serial number of the key chip.
The detailed implementation of each step in the above method embodiment may refer to the description in the apparatus embodiment, and is not described herein again.
The embodiment of the application provides a non-volatile computer storage medium, wherein at least one executable instruction is stored in the computer storage medium, and the computer executable instruction can execute the processing method of the identification information in any method embodiment.
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the electronic device.
As shown in fig. 8, the electronic device may include: a processor (processor)802, a Communications Interface 804, a memory 806, and a communication bus 808.
Wherein:
the processor 802, communication interface 804, and memory 806 communicate with one another via a communication bus 808.
A communication interface 804 for communicating with network elements of other devices, such as clients or other servers.
The processor 802 is configured to execute the program 810, and may specifically perform relevant steps in the above-described embodiment of the method for processing identification information.
In particular, the program 810 may include program code comprising computer operating instructions.
The processor 802 may be a central processing unit CPU, or an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits configured to implement embodiments of the present invention. The electronic device comprises one or more processors, which can be the same type of processor, such as one or more CPUs; or may be different types of processors such as one or more CPUs and one or more ASICs.
The memory 806 stores a program 810. The memory 806 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 810 may be specifically configured to cause the processor 802 to perform the following operations: acquiring information to be processed containing identity identification information read by identity card reading equipment; performing abstract operation processing on information to be processed according to a preset abstract algorithm to obtain abstract information; wherein, the summary operation treatment comprises salt doping treatment; encrypting the digest information by using the stored key to obtain signature data; and sending the signature data and the information to be processed to a verification terminal so that the verification terminal can provide the received signature data and the information to be processed to a service system for verification.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components in an electronic device according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.

Claims (10)

1. An apparatus for processing identification information, comprising: the system comprises an acquisition module, a secret key storage module, an encryption processing module and a sending module;
the acquisition module is used for acquiring information to be processed containing the identity identification information read by the identity card reading equipment;
the encryption processing module is used for carrying out summary operation processing on the information to be processed according to a preset summary algorithm to obtain summary information; wherein, the summary operation treatment comprises salt doping treatment; encrypting the digest information by using a secret key stored in a secret key storage module to obtain signature data;
and the sending module is used for sending the signature data and the information to be processed to the verification terminal so that the verification terminal can provide the received signature data and the information to be processed to the service system for verification.
2. The apparatus of claim 1, wherein the apparatus further comprises:
the verification module is used for decrypting the signature data submitted by the service system according to the calling request of the service system; performing abstract operation processing on the to-be-processed information submitted by the service system according to the preset abstract algorithm to obtain abstract information to be verified; and comparing the decrypted signature data with the summary information to be verified to obtain a verification result.
3. The apparatus of claim 1, wherein the apparatus further comprises: a key updating module and a key management module;
the key updating module is used for detecting whether the key stored in the key storage module is expired; if yes, sending prompt information of key expiration to a verification terminal so that the verification terminal can request the key management module to update the key according to the serial number of the identity card reading equipment and send the updated key fed back by the key management module to the key storage module;
the key storage module is further to: and receiving and storing the updated key sent by the verification terminal.
4. The apparatus of any of claims 1-3, wherein the information to be processed further comprises a serial number of the identification card reading device.
5. The apparatus of claim 3, wherein the key storage module is integrated in a key chip, the key chip having a unique chip serial number;
the information to be processed further includes: chip serial number of the key chip.
6. The device according to claim 5, wherein the salt doping treatment is in particular: and carrying out salt doping treatment based on the chip serial number of the key chip.
7. A system for processing identification information, wherein the system comprises the identification information processing device of any one of claims 1-6, a verification terminal and a service system;
the verification terminal is used for initiating an identity information verification request to the service system according to the received signature data and the information to be processed;
and the service system is used for finishing the identity information verification processing according to the received identity information verification request.
8. A method for processing identification information, wherein the method comprises:
acquiring information to be processed containing identity identification information read by identity card reading equipment;
performing abstract operation processing on the information to be processed according to a preset abstract algorithm to obtain abstract information; wherein, the summary operation treatment comprises salt doping treatment;
encrypting the digest information by using the stored key to obtain signature data;
and sending the signature data and the information to be processed to a verification terminal so that the verification terminal can provide the received signature data and the information to be processed to a service system for verification.
9. An electronic device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the corresponding operation of the method according to claim 8.
10. A computer storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the method of claim 8.
CN201910528362.0A 2019-06-18 2019-06-18 Device and method for processing identity identification information Pending CN112101048A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910528362.0A CN112101048A (en) 2019-06-18 2019-06-18 Device and method for processing identity identification information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910528362.0A CN112101048A (en) 2019-06-18 2019-06-18 Device and method for processing identity identification information

Publications (1)

Publication Number Publication Date
CN112101048A true CN112101048A (en) 2020-12-18

Family

ID=73749004

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910528362.0A Pending CN112101048A (en) 2019-06-18 2019-06-18 Device and method for processing identity identification information

Country Status (1)

Country Link
CN (1) CN112101048A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104883260A (en) * 2015-06-11 2015-09-02 深圳市易普森科技有限公司 Certificate information processing and verification methods, processing terminal, and verification server
CN105893821A (en) * 2016-03-30 2016-08-24 贵州大学 Method for encrypting USB flash disk with fingerprint authentication

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104883260A (en) * 2015-06-11 2015-09-02 深圳市易普森科技有限公司 Certificate information processing and verification methods, processing terminal, and verification server
CN105893821A (en) * 2016-03-30 2016-08-24 贵州大学 Method for encrypting USB flash disk with fingerprint authentication

Similar Documents

Publication Publication Date Title
CN110519260B (en) Information processing method and information processing device
CN101272237B (en) Method and system for automatically generating and filling login information
US9148415B2 (en) Method and system for accessing e-book data
CN113572715B (en) Data transmission method and system based on block chain
CN110070363B (en) Account management method and verification method in block chain network and terminal equipment
CN110995446B (en) Evidence verification method, device, server and storage medium
CN110096894B (en) Data anonymous sharing system and method based on block chain
CN103546289A (en) USB (universal serial bus) Key based secure data transmission method and system
CN112165382B (en) Software authorization method and device, authorization server side and terminal equipment
CN111538784A (en) Block chain-based digital asset transaction method and device and storage medium
CN112653556B (en) TOKEN-based micro-service security authentication method, device and storage medium
CN107637016B (en) Authentication device, authentication system, authentication method, and recording medium
CN111342964B (en) Single sign-on method, device and system
CN110620776B (en) Data transfer information transmission method and device
CN112149068A (en) Access-based authorization verification method, information generation method and device, and server
CN114143312A (en) Block chain-based edge computing terminal authentication method, system and equipment
CN107918739B (en) Data protection method and device and storage medium
CN113676332B (en) Two-dimensional code authentication method, communication device and storage medium
CN113051622B (en) Index construction method, device, equipment and storage medium
CN112732676B (en) Block chain-based data migration method, device, equipment and storage medium
CN114531246A (en) Data downloading method and device
CN113572717B (en) Communication connection establishment method, washing and protecting equipment and server
CN112101048A (en) Device and method for processing identity identification information
CN109936522B (en) Equipment authentication method and equipment authentication system
CN113158218A (en) Data encryption method and device and data decryption method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20201218