CN114786160A - NFC label key management system - Google Patents


Info

Publication number
CN114786160A
Authority
CN
China
Prior art keywords
key
backup
encryption
production
encryption machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210380656.5A
Other languages
Chinese (zh)
Other versions
CN114786160B (en
Inventor
季有为
李晓飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xindian Zhilian Beijing Technology Co ltd
Original Assignee
Xindian Zhilian Beijing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xindian Zhilian Beijing Technology Co ltd
Priority to CN202210380656.5A
Publication of CN114786160A
Application granted
Publication of CN114786160B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433 Key management protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/67 Risk-dependent, e.g. selecting a security level depending on risk profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • General Factory Administration (AREA)
  • Lock And Its Accessories (AREA)

Abstract

An embodiment of the invention relates to an NFC tag key management system comprising a root key encryption machine, a production encryption machine group and a verification encryption machine group. The root key encryption machine generates a unique primary key and, based on the primary key, distributes corresponding secondary keys to the production encryption machine group and the verification encryption machine group. The production encryption machine group assigns each NFC tag its own tertiary key (one tag, one key) based on the secondary key, and the verification encryption machine group can verify each NFC tag based on the secondary key. The key management system established in this way reduces the probability of NFC tag counterfeiting and strengthens anti-counterfeiting performance.

Description

NFC label key management system
Technical Field
The invention relates to the technical field of data processing, in particular to an NFC label key management system.
Background
Using Radio Frequency Identification (RFID) tags as anti-counterfeiting labels is a common way to protect goods. However, conventional schemes are limited by the fact that the RFID tag stores its data in plaintext, so the problem of tags being imitated after their data leaks cannot be thoroughly solved; once an imitated RFID tag is put on the market, the conventional scheme cannot correctly identify whether the goods are authentic.
To solve this problem, we improve the tag technology used in the conventional anti-counterfeiting scheme and replace the RFID tag with a Near Field Communication (NFC) tag as the anti-counterfeiting label for goods. The NFC tag differs from the RFID tag in that it has a key loading function and a key-based data encryption and decryption function. On the one hand, this allows data stored on the tag to exist as ciphertext that cannot easily be read; on the other hand, a mechanism for verifying data operation authority can be established between the NFC tag and the device operating on it, which further raises the level of data protection. The improved anti-counterfeiting scheme based on NFC tags has a higher security level, a lower probability of tag counterfeiting and better anti-counterfeiting performance. However, the improved scheme also needs a management system that can perform key generation and key verification for the NFC tags.
Disclosure of Invention
The object of the present invention is to provide an NFC tag key management system comprising a root key encryption machine, a production encryption machine group and a verification encryption machine group. The root key encryption machine generates a unique primary key and, based on the primary key, distributes corresponding secondary keys to the production encryption machine group and the verification encryption machine group. The production encryption machine group assigns each NFC tag its own tertiary key (one tag, one key) based on the secondary key, which provides the required tag key production function, and the verification encryption machine group can verify each NFC tag based on the secondary key, which provides the required tag key verification function. Adding the system of the invention to an NFC-tag-based anti-counterfeiting system establishes key production and key verification for that system, raises its security level, reduces the probability that its tags are counterfeited and strengthens its anti-counterfeiting performance.
In order to achieve the above object, an embodiment of the present invention provides an NFC tag key management system, where the system includes: a root key encryption machine, a production encryption machine group and a verification encryption machine group;
the root key encryption machine is connected to the production encryption machine group and to the verification encryption machine group; the root key encryption machine is used for primary key production processing to obtain and store a corresponding primary key; the root key encryption machine is also used for performing secondary key diversification on the primary key to obtain a corresponding secondary key and sending the secondary key to the production encryption machine group and the verification encryption machine group;
the production encryption machine group comprises a production encryption machine, a production backup encryption machine and a production task allocation terminal; the production encryption machine is connected to the root key encryption machine and to the production backup encryption machine; the production encryption machine is used for first secondary key loading and backup processing; the production task allocation terminal is connected to the production encryption machine and to the production backup encryption machine, and is also connected to tag production equipment outside the system; the production task allocation terminal is used for receiving the first label UID data sent by the tag production equipment, calling the production encryption machine or the production backup encryption machine to perform tag tertiary key production according to the first label UID data to obtain a corresponding tertiary key, and sending the tertiary key back to the tag production equipment;
the verification encryption machine group comprises a verification encryption machine, a verification backup encryption machine and a verification task allocation terminal; the verification encryption machine is connected to the root key encryption machine and to the verification backup encryption machine; the verification encryption machine is used for second secondary key loading and backup processing; the verification task allocation terminal is connected to the verification encryption machine and to the verification backup encryption machine, and is also connected to a tag verification device outside the system; the verification task allocation terminal is used for receiving a random number application instruction sent by the tag verification device, calling the verification encryption machine or the verification backup encryption machine to generate a random number to obtain a corresponding application random number, and sending the application random number back to the tag verification device; the verification task allocation terminal is further used for receiving the first plaintext data, the first encrypted data and the second label UID data sent by the tag verification device, calling the verification encryption machine or the verification backup encryption machine to perform tag tertiary key verification according to the first plaintext data, the first encrypted data and the second label UID data to obtain a corresponding verification result, and sending the verification result back to the tag verification device.
Preferably, the tag production equipment is connected to the NFC tag; the tag production equipment is used for sending a UID acquisition instruction to the NFC tag and taking the instruction return data sent back by the NFC tag as the first label UID data; sending the first label UID data to the production task allocation terminal and receiving the tertiary key sent back by the production task allocation terminal; and writing the tertiary key into the NFC tag;
the tag verification device is connected to the NFC tag; the tag verification device is used for sending the UID acquisition instruction to the NFC tag and taking the instruction return data sent back by the NFC tag as the second label UID data; sending the random number application instruction to the verification task allocation terminal and receiving the application random number sent back by the verification task allocation terminal as the first plaintext data; sending an internal authentication instruction carrying the first plaintext data to the NFC tag and taking the instruction return data sent back by the NFC tag as the first encrypted data; sending the first plaintext data, the first encrypted data and the second label UID data to the verification task allocation terminal and receiving the verification result sent back by the verification task allocation terminal; and displaying the verification result.
Preferably, the root key encryption machine is specifically configured to receive a plurality of seed codes through a plurality of encryption keyboards of the encryption machine during the primary key production process; forming a seed code list by the obtained plurality of seed codes and storing the seed code list; combining all the seed codes according to a set seed code combination rule to obtain a corresponding seed code combination sequence; taking the seed coding combination sequence as the primary key and storing the primary key; and export the primary key to the key fob for backup.
Preferably, the root key encryption machine is specifically configured to, when performing the secondary key diversification on the primary key, obtain a first dispersion factor; invert the first dispersion factor byte by byte to obtain a corresponding first negation factor; concatenate the bytes in the order first dispersion factor followed by first negation factor to generate a corresponding second dispersion factor; encrypt the second dispersion factor with the primary key based on a preset first encryption and decryption algorithm, and take the encryption result as the corresponding secondary key; the first encryption and decryption algorithm is specifically the Chinese national cryptographic (GuoMi) SM4 algorithm.
Preferably, the production encryption machine is also connected to an administrator encryption key; the production encryption machine is specifically configured to, during the first secondary key loading and backup processing, receive the secondary key sent by the root key encryption machine; perform a local key loading operation on the secondary key; if the local key loading operation succeeds, locally generate a random number and record it as a first random number; encrypt the first random number with the loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding first encrypted random number; form a corresponding first backup data group from the first random number, the first encrypted random number and the secondary key; call the administrator encryption key to encrypt the first backup data group to generate corresponding first backup encrypted data; send the first backup encrypted data to the corresponding production backup encryption machine; receive a first backup result sent back by the production backup encryption machine; if the first backup result is a successful backup, the first secondary key loading and backup processing has succeeded; the second encryption and decryption algorithm is specifically the Chinese national cryptographic (GuoMi) SM1 algorithm.
Further, the production backup encryption machine is also connected to the administrator encryption key; the production backup encryption machine is used for receiving the first backup encrypted data sent by the production encryption machine; calling the administrator encryption key to decrypt the first backup encrypted data to obtain the corresponding first backup data group; extracting the first random number, the first encrypted random number and the secondary key from the first backup data group; performing a local key loading operation on the secondary key; if the local key loading operation succeeds, decrypting the first encrypted random number with the loaded secondary key based on the second encryption and decryption algorithm to generate a corresponding first decrypted random number; identifying whether the first decrypted random number matches the first random number; if they match, setting the first backup result to successful backup; if they do not match, setting the first backup result to failed backup and invalidating the locally loaded secondary key; and sending the first backup result to the production encryption machine.
Preferably, the production task allocation terminal is specifically configured to, when the verification encryption machine or the verification backup encryption machine is called to perform random number generation, determine whether the production encryption machine is currently reporting an error and whether the current task flow is saturated; if the production encryption machine is not currently reporting an error and the current task flow is not saturated, call the production encryption machine to generate a random number to obtain the application random number; and if the production encryption machine is currently reporting an error or the current task flow is saturated, call the production backup encryption machine to generate a random number to obtain the application random number.
Preferably, the production task allocation terminal is specifically configured to, when the production encryption machine or the production backup encryption machine is called to perform tag tertiary key production according to the first label UID data, determine whether the production encryption machine is currently reporting an error and whether the current task flow is saturated; if the production encryption machine is not currently reporting an error and the current task flow is not saturated, send the first label UID data to the production encryption machine; if the production encryption machine is currently reporting an error or the current task flow is saturated, send the first label UID data to the production backup encryption machine; and receive the tertiary key sent back by the production encryption machine or the production backup encryption machine;
the production encryption machine or the production backup encryption machine is also used for receiving the first label UID data sent by the production task allocation terminal; encrypting the first label UID data with the locally loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding tertiary key; and sending the tertiary key back to the production task allocation terminal; the second encryption and decryption algorithm is specifically the Chinese national cryptographic (GuoMi) SM1 algorithm.
Preferably, the verification encryption machine is also connected to an administrator encryption key; the verification encryption machine is specifically configured to, during the second secondary key loading and backup processing, receive the secondary key sent by the root key encryption machine; perform a local key loading operation on the secondary key; if the local key loading operation succeeds, locally generate a random number and record it as a second random number; encrypt the second random number with the loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding second encrypted random number; form a corresponding second backup data group from the second random number, the second encrypted random number and the secondary key; call the administrator encryption key to encrypt the second backup data group to generate corresponding second backup encrypted data; send the second backup encrypted data to the corresponding verification backup encryption machine; receive a second backup result sent back by the verification backup encryption machine; if the second backup result is a successful backup, the second secondary key loading and backup processing has succeeded; the second encryption and decryption algorithm is specifically the Chinese national cryptographic (GuoMi) SM1 algorithm.
Further, the verification backup encryption machine is also connected to the administrator encryption key; the verification backup encryption machine is used for receiving the second backup encrypted data sent by the verification encryption machine; calling the administrator encryption key to decrypt the second backup encrypted data to obtain the corresponding second backup data group; extracting the second random number, the second encrypted random number and the secondary key from the second backup data group; performing a local key loading operation on the secondary key; if the local key loading operation succeeds, decrypting the second encrypted random number with the loaded secondary key based on the second encryption and decryption algorithm to generate a corresponding second decrypted random number; identifying whether the second decrypted random number matches the first random number; if they match, setting the second backup result to successful backup; if they do not match, setting the second backup result to failed backup and invalidating the locally loaded secondary key; and sending the second backup result to the verification encryption machine.
Preferably, the verification task allocation terminal is specifically configured to, when the verification encryption machine is called to perform tag tertiary key verification according to the first plaintext data, the first encrypted data and the second label UID data, determine whether the verification encryption machine is currently reporting an error and whether the current task flow is saturated; if the verification encryption machine is not currently reporting an error and the current task flow is not saturated, send the first plaintext data, the first encrypted data and the second label UID data to the verification encryption machine; if the verification encryption machine is currently reporting an error or the current task flow is saturated, send the first plaintext data, the first encrypted data and the second label UID data to the verification backup encryption machine; and receive the verification result sent back by the production encryption machine or the production backup encryption machine;
the verification encryption machine or the verification backup encryption machine is also used for receiving the first plaintext data, the first encrypted data and the second label UID data sent by the verification task allocation terminal; encrypting the second label UID data with the locally loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding first process key; decrypting the first encrypted data with the first process key based on a preset third encryption and decryption algorithm to obtain corresponding second plaintext data; identifying whether the second plaintext data matches the first plaintext data; if they match, setting the verification result to verification success; if they do not match, setting the verification result to verification failure; and sending the verification result back to the verification task allocation terminal; the second encryption and decryption algorithm is specifically the Chinese national cryptographic (GuoMi) SM1 algorithm, and the third encryption and decryption algorithm is specifically the Chinese national cryptographic (GuoMi) SM7 algorithm.
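The key hierarchy and checks described above (secondary key diversification, per-tag tertiary key, challenge-response verification, and the backup self-check between a machine and its backup), as an added Python example that is not code from the patent. SM1 and SM7 are not publicly specified, so a single labelled stand-in cipher replaces SM4, SM1 and SM7 here; the 8-byte factor, the 7-byte zero-padded UID, every function and class name, and the single-use challenge tracking are assumptions.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes; SM4 uses 128-bit keys and blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:  # Feistel round function
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """STAND-IN cipher (4-round Feistel over HMAC-SHA256), not SM1/SM4/SM7."""
    if len(block) != BLOCK:
        raise ValueError("block must be 16 bytes")
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    if len(block) != BLOCK:
        raise ValueError("block must be 16 bytes")
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def secondary_key(primary: bytes, factor: bytes) -> bytes:
    """Secondary = E(primary, factor || ~factor); 8-byte factor is an assumption."""
    if len(factor) != 8:
        raise ValueError("factor must be 8 bytes")
    return toy_encrypt(primary, factor + bytes(b ^ 0xFF for b in factor))

def tertiary_key(secondary: bytes, uid: bytes) -> bytes:
    """Tertiary = E(secondary, UID); 7-byte zero-padded UID is an assumption."""
    if len(uid) != 7:
        raise ValueError("UID must be 7 bytes")
    return toy_encrypt(secondary, uid.ljust(BLOCK, b"\x00"))

def export_backup(secondary: bytes, admin_key: bytes) -> bytes:
    """Primary machine: wrap random || E(secondary, random) || secondary."""
    rnd = os.urandom(BLOCK)
    group = rnd + toy_encrypt(secondary, rnd) + secondary
    return b"".join(toy_encrypt(admin_key, group[i:i + BLOCK]) for i in (0, 16, 32))

def import_backup(blob: bytes, admin_key: bytes):
    """Backup machine: return the key if the self-check passes, else None."""
    if len(blob) != 3 * BLOCK:
        return None
    rnd, enc_rnd, key = (toy_decrypt(admin_key, blob[i:i + BLOCK]) for i in (0, 16, 32))
    return key if hmac.compare_digest(toy_decrypt(key, enc_rnd), rnd) else None

def tag_response(tag_key: bytes, challenge: bytes) -> bytes:  # tag-side internal authentication
    return toy_encrypt(tag_key, challenge)

class Verifier:
    def __init__(self, secondary: bytes):
        self._secondary, self._issued = secondary, set()

    def challenge(self) -> bytes:
        value = os.urandom(BLOCK)
        self._issued.add(value)
        return value

    def check(self, plaintext: bytes, ciphertext: bytes, uid: bytes) -> bool:
        # Added hardening (assumption, not in the patent text): accept only a
        # challenge this verifier issued, and accept it once.
        if plaintext not in self._issued:
            return False
        self._issued.discard(plaintext)
        process_key = tertiary_key(self._secondary, uid)
        return hmac.compare_digest(toy_decrypt(process_key, ciphertext), plaintext)

def run_demo() -> dict:
    primary, admin = os.urandom(BLOCK), os.urandom(BLOCK)
    secondary = secondary_key(primary, b"REGION01")   # constructed factor
    uid = bytes.fromhex("04a1b2c3d4e5f6")             # constructed UID
    tag_key = tertiary_key(secondary, uid)            # written to the tag in production
    verifier, out = Verifier(secondary), {}
    c1 = verifier.challenge()
    r1 = tag_response(tag_key, c1)
    out["genuine"] = verifier.check(c1, r1, uid)
    out["replayed"] = verifier.check(c1, r1, uid)     # same triple presented again
    c2 = verifier.challenge()                         # tag with this UID but no issued key
    out["wrong_key"] = verifier.check(c2, tag_response(os.urandom(BLOCK), c2), uid)
    other = Verifier(secondary_key(primary, b"REGION02"))  # a different machine-group pair
    c3 = other.challenge()
    out["other_group"] = other.check(c3, tag_response(tag_key, c3), uid)
    blob = export_backup(secondary, admin)
    out["backup_ok"] = import_backup(blob, admin) == secondary
    out["backup_damaged"] = import_backup(blob[:-1] + bytes([blob[-1] ^ 1]), admin) is None
    return out

if __name__ == "__main__":
    print(run_demo())
```

Only the first check succeeds against the verifier: the repeated triple, the tag lacking the issued key, and the verifier holding another group's secondary key are all rejected, and a backup blob altered in transit fails the self-check so the key is not kept.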
An embodiment of the present invention provides an NFC tag key management system comprising a root key encryption machine, a production encryption machine group and a verification encryption machine group. The root key encryption machine generates a unique primary key and, based on the primary key, distributes corresponding secondary keys to the production encryption machine group and the verification encryption machine group. The production encryption machine group assigns each NFC tag its own tertiary key (one tag, one key) based on the secondary key, which provides the required tag key production function, and the verification encryption machine group can verify each NFC tag based on the secondary key, which provides the required tag key verification function. Adding the system to an NFC-tag-based anti-counterfeiting system establishes key production and key verification for that system, raises its security level, reduces the probability that its tags are counterfeited and strengthens its anti-counterfeiting performance.
Drawings
Fig. 1 is a schematic structural diagram of an NFC tag key management system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Fig. 1 is a schematic structural diagram of an NFC tag key management system according to an embodiment of the present invention, and as shown in fig. 1, the NFC tag key management system 1 includes: a root key encryption machine 11, a production encryption machine group 12 and a verification encryption machine group 13.
Root key encryption machine 11
The root key encryption machine 11 is connected to the production encryption machine group 12 and to the verification encryption machine group 13; the root key encryption machine 11 is used for primary key production processing to obtain and store a corresponding primary key; the root key encryption machine 11 is further configured to perform secondary key diversification on the primary key to obtain a corresponding secondary key, and to send the secondary key to the production encryption machine group 12 and the verification encryption machine group 13.
Here, the root key encryption machine 11 is configured to generate a unique root key, that is, the primary key, and to distribute corresponding secondary keys to the production encryption machine group 12 and the verification encryption machine group 13 connected to it.
It should be noted that, in practical application, the production encryption machine group 12 and the verification encryption machine group 13 are in one-to-one correspondence, and the secondary keys the two use are the same. One root key encryption machine 11 can be connected to a plurality of production-plus-verification group pairs (production encryption machine group 12 + verification encryption machine group 13); within each pair the secondary keys of the production encryption machine group 12 and the verification encryption machine group 13 are the same, but under normal conditions the secondary keys of different pairs are different. Conventionally, the root key encryption machine 11 is deployed at the manufacturer's headquarters, and the deployment of the production-plus-verification group pairs depends on the situation: if they are deployed by region, at least one pair is deployed in each designated region, and if they are deployed by product series, at least one pair is set up for each product series.
For example, suppose the key management scheme of manufacturer A is managed by region; the root key encryption machine 11 is then placed at headquarters as the manufacturer's root key machine, corresponding regional production-plus-verification group pairs are deployed in the different regions, and, for the purpose of regional control, the secondary keys of the regional pairs are different. As another example, suppose the key management scheme of manufacturer B is managed by product series; the root key encryption machine 11 is then placed at headquarters as the manufacturer's root key machine, a corresponding production-plus-verification group pair is set up for each product series, and the secondary keys of the production-plus-verification group pairs of different product series are not different.
In a specific implementation manner of the embodiment of the present invention, the root key encryptor 11 is specifically configured to receive a plurality of seed codes through a plurality of encryption keyboards of the encryptor during the primary key production process; forming a seed code list by the obtained multiple seed codes and storing the seed code list; combining all seed codes according to a set seed code combination rule to obtain a corresponding seed code combination sequence; and the seed coding combination sequence is used as a primary key and stored; and export the primary key to the key fob for backup.
Here, any encryptor in the embodiment of the present invention is an encryption terminal device with a keyboard input port, and the keyboard input port of each encryptor is an encryption keyboard input interface; the root key encryption device 11 may have a plurality of encryption keyboard input interfaces and interface with a plurality of encryption keyboards. When generating the primary key, a plurality of persons input a set of fixed-length codes composed of numbers and/or characters on different encryption keyboards to form corresponding seed codes, and the root key encryptor 11 splices the seed codes according to a set seed code combination rule to form a seed code combination sequence so as to obtain the primary key.
It should be noted that the seed coding combination rule may have a plurality of implementation rules, one implementation manner is to perform sequential seed coding splicing according to the corresponding keyboard identifier, another implementation manner is to perform seed coding splicing according to the sequence of the corresponding keyboard identifier with odd numbers in front and even numbers in back from large to small, and yet another implementation manner is to perform seed coding splicing according to a set splicing manner, perform primary encryption on the spliced coding sequence, and use the encrypted coding sequence as a seed coding combination sequence; in addition, the seed coding combination rule can be defined by the specific implementation party, and is not described herein.
It should be noted that, the root key encryption device 11 uses the key fob to backup the primary key of its own device, and presets the same transmission key as the key fob locally before backup and agrees with the encryption/decryption algorithm (denoted as transmission key encryption/decryption algorithm) corresponding to the transmission key. In another specific implementation manner of the embodiment of the present invention, the root key encryption machine 11 is specifically configured to, when exporting a primary key to a key fob for backup, send a random number fetching instruction to the key fob, and use instruction return data sent back by the key fob as a key fob random number; based on the appointed encryption and decryption algorithm of the transmission key, the local transmission key is used for encrypting the random number of the key fob to obtain corresponding encrypted data of the key fob; sending the authentication instruction carrying the encrypted data of the key fob to the key fob, and receiving an instruction sent back by the key fob to return to the state; if the instruction return state is the instruction success state, based on an agreed transmission key encryption and decryption algorithm, encrypting the local primary key by using the transmission key to generate corresponding primary key encryption data; sending a key backup instruction carrying primary key encryption data to the key fob and receiving an instruction sent back by the key fob to return to a state; and if the instruction return state is the instruction success state, the key fob backup processing is successful.
Further, the operation steps at the key fob end are as follows. The key fob is used for: receiving the random number fetching instruction sent by the root key encryption machine 11, performing random number generation processing locally, and sending the obtained key fob random number back to the root key encryption machine 11 as instruction return data; receiving the authentication instruction sent by the root key encryption machine 11, and extracting the key fob encrypted data from the authentication instruction; decrypting the key fob encrypted data with the local transmission key, based on the agreed transmission key encryption/decryption algorithm, to obtain key fob decrypted data; when the key fob decrypted data matches the key fob random number, setting the instruction return state to the instruction success state, sending it back to the root key encryption machine 11, and locally setting the upper computer verification state to the pass state; receiving the key backup instruction sent by the root key encryption machine 11, and, when the upper computer verification state is the pass state, extracting the primary key encrypted data from the key backup instruction; decrypting the primary key encrypted data with the local transmission key, based on the agreed transmission key encryption/decryption algorithm, to obtain the corresponding primary key; storing the primary key in the local key storage area in a scrambled storage mode; and, after the storage succeeds, setting the instruction return state to the instruction success state and sending it back to the root key encryption machine 11.
Note that, when the local primary key data is destroyed, the root key encryption machine 11 also uses the key fob to recover the local primary key. As in the preparation for backup, before recovering the key the root key encryption machine 11 ensures that the same transmission key as the key fob is preset locally and that the encryption/decryption algorithm corresponding to the transmission key (the transmission key encryption/decryption algorithm) is agreed upon. In another specific implementation manner of the embodiment of the present invention, the root key encryption machine 11 is specifically configured to, when recovering the local primary key by using the key fob: send a random number fetching instruction to the key fob, and use the instruction return data sent back by the key fob as the key fob random number; encrypt the key fob random number with the local transmission key, based on the agreed transmission key encryption/decryption algorithm, to obtain the corresponding key fob encrypted data; send the authentication instruction carrying the key fob encrypted data to the key fob, and receive the instruction return state sent back by the key fob; if the instruction return state is the instruction success state, send a key derivation instruction to the key fob, and take the instruction return data of the key fob as the derivation encrypted data; decrypt the derivation encrypted data with the local transmission key, based on the agreed transmission key encryption/decryption algorithm, to generate the corresponding primary key; and perform local key loading on the primary key.
Further, the operation steps at the key fob end are as follows. The key fob is used for: receiving the random number fetching instruction sent by the root key encryption machine 11, performing random number generation processing locally, and sending the obtained key fob random number back to the root key encryption machine 11 as instruction return data; receiving the authentication instruction sent by the root key encryption machine 11, and extracting the key fob encrypted data from the authentication instruction; decrypting the key fob encrypted data with the local transmission key, based on the agreed transmission key encryption/decryption algorithm, to obtain key fob decrypted data; when the key fob decrypted data matches the key fob random number, setting the instruction return state to the instruction success state, sending it back to the root key encryption machine 11, and locally setting the upper computer verification state to the pass state; receiving the key derivation instruction sent by the root key encryption machine 11, and, when the upper computer verification state is the pass state, reading the primary key from the local key storage area; and encrypting the primary key with the local transmission key, based on the agreed transmission key encryption/decryption algorithm, and sending the encrypted result back to the root key encryption machine 11 as instruction return data.
In another specific implementation manner of the embodiment of the present invention, the root key encryption machine 11 is specifically configured to, when performing secondary key dispersion processing on the primary key: obtain a first dispersion factor; perform byte-wise negation on the first dispersion factor to obtain the corresponding first negation factor; splice the bytes in the order first dispersion factor + first negation factor to generate the corresponding second dispersion factor; and encrypt the second dispersion factor with the primary key, based on a preset first encryption and decryption algorithm, taking the encryption result as the corresponding secondary key. The first encryption and decryption algorithm mentioned in the embodiment of the present invention is specifically the cryptographic SM4 algorithm.
Here, in the embodiment of the present invention, each production + counterfeit verification cluster pair (production encryption cluster 12 + counterfeit verification encryption cluster 13) corresponds to one first dispersion factor. In a specific implementation, a region unique code or a product series unique code may be used as the value of the first dispersion factor. The aim is to make the first dispersion factor of each cluster pair different, so that the secondary key of each cluster pair is also different.
(II) production encryption cluster 12
The production encryption cluster 12 includes a production encryption machine 121, a production backup encryption machine 122, and a production task allocation terminal 123;
the production encryptor 121 is connected to the root key encryptor 11 and the production backup encryptor 122, respectively; the production encryption machine 121 is configured to perform first secondary key loading and backup processing;
the production task allocation terminal 123 is respectively connected with the production encryption machine 121 and the production backup encryption machine 122, and is also connected with the label production equipment 2 outside the system; the production task allocation terminal 123 is configured to receive the first tag UID data sent by the tag production device 2, call the production encryption machine 121 or the production backup encryption machine 122 to perform tag tertiary key production processing according to the first tag UID data to obtain a corresponding tertiary key, and send the tertiary key back to the tag production device 2.
Further, on the label producing apparatus 2 side outside the system: the label production equipment 2 is connected with the NFC label 4; the tag production equipment 2 is used for sending a UID acquisition instruction to the NFC tag 4 and taking instruction return data sent back by the NFC tag 4 as first tag UID data; the first label UID data is sent to the production task allocation terminal 123, and a tertiary key sent back by the production task allocation terminal 123 is received; and writes the tertiary key to NFC tag 4.
Here, the production encryption cluster 12 actually performs the one-tag-one-key tertiary key dispersion calculation for the NFC tags in the region where the cluster is located or under its product series, that is, it prepares the production key for each NFC tag. The production encryption cluster 12 may include one or more production encryption machines 121, and one production encryption machine 121 may correspond to one or more production backup encryption machines 122. A host/hot standby mechanism is adopted in the production encryption cluster 12: the host is the production encryption machine 121, and the one or more production backup encryption machines 122 corresponding to each production encryption machine 121 are the hot standby machines of that host. Each host is responsible not only for loading its own secondary key but also for initiating the secondary key backup operation on all of its hot standby machines. The production task allocation terminal 123 in the production encryption cluster 12 interfaces with the tag production device 2 involved in NFC tag production and, while the tag production device 2 performs key production for the NFC tag 4, selects the host or a hot standby machine according to the error state or flow saturation state of the host to prepare the NFC tag production key, that is, to perform the one-tag-one-key tertiary key dispersion calculation.
In another specific implementation manner of the embodiment of the present invention, the production encryption engine 121 is further connected to an administrator encryption key; the production encryption machine 121 is specifically configured to receive the secondary key sent by the root key encryption machine 11 during the first secondary key loading and backup processing; local key loading operation is carried out on the secondary key; if the local key loading operation is successful, a random number is locally generated and recorded as a first random number; encrypting the first random number by using the loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding first encrypted random number; a corresponding first backup data group is formed by the first random number, the first encrypted random number and the secondary key; the administrator encryption key is called to encrypt the first backup data group to generate corresponding first backup encrypted data; and sends the first backup encrypted data to the corresponding production backup encryptor 122; and receives the first backup result sent back by the production backup encryptor 122; if the first backup result is that the backup is successful, the first secondary key is loaded and the backup processing is successful; the second encryption and decryption algorithm mentioned in the embodiment of the present invention is specifically a cryptographic SM1 algorithm.
Further, the production backup encryption engine 122 is also connected with an administrator encryption key; the production backup encryption machine 122 is configured to receive the first backup encrypted data sent by the production encryption machine 121; the administrator encryption key is called to decrypt the first backup encrypted data to obtain a corresponding first backup data group; extracting a first random number, a first encrypted random number and a secondary key from the first backup data group; and carrying out local key loading operation on the secondary key; if the local key loading operation is successful, the loaded secondary key is used for decrypting the first encrypted random number based on the second encryption and decryption algorithm to generate a corresponding first decrypted random number; whether the first decryption random number is matched with the first random number is identified, if so, the first backup result is set as a successful backup, and if not, the first backup result is set as a failed backup and the secondary key loaded locally is subjected to key failure treatment; and sends the first backup result to production encryptor 121.
Here, the administrator encryption key may be connected to the production encryption machine 121 and the production backup encryption machine 122 via a Universal Serial Bus (USB) interface; the production encryption machine 121 and the production backup encryption machine 122 may also be connected via a network device having a USB interface. The administrator encryption key may use various algorithms to encrypt and decrypt the input data, which are not described here. In the embodiment of the present invention, the first random number and the first encrypted random number are added to the first backup data group with which the production encryption machine 121 starts the key backup on the production backup encryption machine 122, so that, after the production backup encryption machine 122 has loaded the secondary key, the correctness of the loaded key is checked against the previously matched plaintext + ciphertext pair (first random number + first encrypted random number): if the first decrypted random number matches the first random number, the loaded key is correct.
In another specific implementation manner of the embodiment of the present invention, the production task allocation terminal 123 is specifically configured to determine whether the production encryption machine 121 is currently in error and whether the current task flow is saturated when the production encryption machine 121 or the production backup encryption machine 122 is called to perform tag three-level key production processing according to the first tag UID data; if the production encryption machine 121 does not report an error currently and the current task flow is not saturated, sending the first tag UID data to the production encryption machine 121; if the production encryption machine 121 is confirmed to have error reporting currently or the current task flow is saturated, sending the first tag UID data to the production backup encryption machine 122; and receives the tertiary key sent back by either production encryption engine 121 or production backup encryption engine 122.
Further, the production encryption device 121 or the production backup encryption device 122 is further configured to receive the first tag UID data sent by the production task allocation terminal 123; encrypting the first label UID data by using a locally loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding tertiary key; and sends the tertiary key back to the production job assignment terminal 123.
Here, while the tag production device 2 performs key production for the NFC tag 4, the production task allocation terminal 123 in the production encryption cluster 12 selects the host or a hot standby machine according to the error state or flow saturation state of the host to prepare the NFC tag production key, that is, to perform the one-tag-one-key tertiary key dispersion calculation. After the host or hot standby machine is selected, the production task allocation terminal 123 sends the first tag UID data used for the one-tag-one-key calculation to the corresponding production encryption machine 121 or production backup encryption machine 122, which performs the tertiary key dispersion calculation based on the first tag UID data and returns the result, namely the corresponding tertiary key, to the production task allocation terminal 123 as the key production data of the current NFC tag.
(III) counterfeit verification encryption cluster 13
The counterfeit verification encryption cluster 13 comprises a counterfeit verification encryption machine 131, a counterfeit verification backup encryption machine 132 and a counterfeit verification task allocation terminal 133;
the counterfeit verification encryption machine 131 is connected to the root key encryption machine 11 and the counterfeit verification backup encryption machine 132, respectively; the counterfeit verification encryption machine 131 is used for performing the second secondary key loading and backup processing;
the counterfeit verification task allocation terminal 133 is connected to the counterfeit verification encryption machine 131 and the counterfeit verification backup encryption machine 132, respectively, and is also connected to the tag counterfeit verification device 3 outside the system; the counterfeit verification task allocation terminal 133 is configured to receive a random number application instruction sent by the tag counterfeit verification device 3, call the counterfeit verification encryption machine 131 or the counterfeit verification backup encryption machine 132 to perform random number generation processing to obtain a corresponding application random number, and send the application random number back to the tag counterfeit verification device 3; the counterfeit verification task allocation terminal 133 is further configured to receive the first plaintext data, the first encrypted data and the second tag UID data sent by the tag counterfeit verification device 3, call the counterfeit verification encryption machine 131 or the counterfeit verification backup encryption machine 132 to perform tag tertiary key counterfeit verification processing according to the first plaintext data, the first encrypted data and the second tag UID data to obtain a corresponding counterfeit verification result, and send the counterfeit verification result back to the tag counterfeit verification device 3.
Further, the tag counterfeit verification device 3 is connected with the NFC tag 4. The tag counterfeit verification device 3 is used for: sending a UID acquisition instruction to the NFC tag 4 and taking the instruction return data sent back by the NFC tag 4 as the second tag UID data; sending a random number application instruction to the counterfeit verification task allocation terminal 133, and receiving the application random number sent back by the counterfeit verification task allocation terminal 133 as the first plaintext data; sending an internal authentication instruction carrying the first plaintext data to the NFC tag 4, and taking the instruction return data sent back by the NFC tag 4 as the first encrypted data; sending the first plaintext data, the first encrypted data and the second tag UID data to the counterfeit verification task allocation terminal 133, and receiving the counterfeit verification result sent back by the counterfeit verification task allocation terminal 133; and displaying the counterfeit verification result. Further, when the NFC tag 4 receives the internal authentication instruction, it extracts the first plaintext data from the instruction, encrypts the first plaintext data with its local tertiary key, based on a preset third encryption and decryption algorithm, to generate the corresponding first encrypted data, and returns the first encrypted data to the tag counterfeit verification device 3. The third encryption and decryption algorithm mentioned in the embodiment of the present invention is specifically the cryptographic SM7 algorithm.
Here, for ease of understanding, the counterfeit verification process performed on the NFC tag 4 by the tag counterfeit verification device 3 is first described briefly. The tag counterfeit verification device 3 applies to the counterfeit verification encryption cluster 13 for a random number to serve as the plaintext to be encrypted, namely the first plaintext data, and sends the plaintext to the NFC tag 4 in an internal authentication instruction; the NFC tag 4 encrypts the plaintext with the tag tertiary key (which corresponds to the tag UID data) to obtain the corresponding ciphertext, namely the first encrypted data; the tag counterfeit verification device 3 then sends the plaintext, the ciphertext and the tag UID data to the counterfeit verification encryption cluster 13, which performs tertiary key dispersion based on the tag UID data, checks the plaintext and ciphertext with the dispersed key and returns the check result. The counterfeit verification encryption cluster 13 therefore actually provides, through the tag counterfeit verification device 3, the key verification function for the NFC tags 4 in the region where the cluster is located or under its product series. The counterfeit verification encryption cluster 13 may include one or more counterfeit verification encryption machines 131, and one counterfeit verification encryption machine 131 may correspond to one or more counterfeit verification backup encryption machines 132. As in the production encryption cluster 12, a host/hot standby mechanism is adopted in the counterfeit verification encryption cluster 13: the host is the counterfeit verification encryption machine 131, and the one or more counterfeit verification backup encryption machines 132 corresponding to each counterfeit verification encryption machine 131 are the hot standby machines of that host.
Each host not only needs to be responsible for loading the secondary key of the host, but also needs to be responsible for initiating the backup operation of the secondary key of all the hot standby machines of the host. The counterfeit verification task allocation terminal 133 in the counterfeit verification encryption cluster 13 is configured to interface the tag counterfeit verification device 3 related to NFC tag counterfeit verification, and select a corresponding host or hot standby machine according to an error state or a flow saturation state of the host to execute a random number application operation of the tag counterfeit verification device and data verification calculation of the NFC tag in the process of verifying the NFC tag 4 by the tag counterfeit verification device 3.
In another specific implementation manner of the embodiment of the present invention, the authentication encryptor 131 is further connected to an administrator encryption key; the verification encryption machine 131 is specifically configured to receive the secondary key sent by the root key encryption machine 11 during the second secondary key loading and backup processing; local key loading operation is carried out on the secondary key; if the local key loading operation is successful, a random number is locally generated and recorded as a second random number; encrypting the second random number by using the loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding second encrypted random number; and a second backup data group corresponding to the second random number, the second encrypted random number and the second-level key is formed; the administrator encryption key is called to encrypt the second backup data group to generate corresponding second backup encrypted data; and sends the second backup encrypted data to the corresponding authentication backup encryptor 132; and receives the second backup result sent back by the verification backup encryption machine 132; and if the second backup result is that the backup is successful, the second secondary key loading and backup processing are successful.
Further, the counterfeit verification backup encryption machine 132 is also connected with the administrator encryption key. The counterfeit verification backup encryption machine 132 is used for: receiving the second backup encrypted data sent by the counterfeit verification encryption machine 131; calling the administrator encryption key to decrypt the second backup encrypted data to obtain the corresponding second backup data group; extracting the second random number, the second encrypted random number and the secondary key from the second backup data group; performing the local key loading operation on the secondary key; if the local key loading operation succeeds, decrypting the second encrypted random number with the loaded secondary key, based on the second encryption and decryption algorithm, to generate the corresponding second decrypted random number; identifying whether the second decrypted random number matches the second random number, and if so setting the second backup result to backup success, and if not setting the second backup result to backup failure and invalidating the locally loaded secondary key; and sending the second backup result to the counterfeit verification encryption machine 131.
Here, the administrator encryption key may be connected to the authentication encryptor 131 and the authentication backup encryptor 132 through USB interfaces; the authentication encryption machine 131 and the authentication backup encryption machine 132 can also be connected through a network device with a USB interface. The administrator encryption key may use various algorithms to implement the encryption/decryption operation of the input data, which is not described herein. In the embodiment of the present invention, the second random number and the second encrypted random number are added to the second backup data group in which the authentication encryptor 131 starts the authentication backup encryptor 132 to perform key backup, so that after the authentication backup encryptor 132 completes the second-level key loading, the correctness of the loaded key is checked by using the prior matching plaintext + ciphertext pair (the second random number + the second encrypted random number), and if the second decrypted random number is matched with the second random number, the loaded key is correct.
In another specific implementation manner of the embodiment of the present invention, the counterfeit verification task allocation terminal 133 is specifically configured to, when calling the counterfeit verification encryption machine 131 or the counterfeit verification backup encryption machine 132 to perform random number generation processing: determine whether the counterfeit verification encryption machine 131 is currently reporting an error and whether the current task flow is saturated; if the counterfeit verification encryption machine 131 is not currently reporting an error and the current task flow is not saturated, call the counterfeit verification encryption machine 131 to perform random number generation processing to obtain the application random number; and if the counterfeit verification encryption machine 131 is currently reporting an error or the current task flow is saturated, call the counterfeit verification backup encryption machine 132 to perform random number generation processing to obtain the application random number.
Here, the authentication task allocation terminal 133 in the authentication cryptographic cluster 13 selects the corresponding host or hot standby machine according to the error state or the traffic saturation state of the host to execute the random number application operation of the tag authentication device in the tag authentication process of the tag authentication device 3 on the NFC tag 4.
In another specific implementation manner of the embodiment of the present invention, the verification task allocation terminal 133 is specifically configured to determine whether the verification encryptor 131 reports an error currently and whether the current task flow is saturated when the verification encryptor 131 or the verification backup encryptor 132 performs tag three-level key verification processing according to the first plaintext data, the first encrypted data, and the second tag UID data; if the verification encryptor 131 is confirmed not to report an error currently and the current task flow is not saturated, sending the first plaintext data, the first encrypted data and the second tag UID data to the verification encryptor 131; if the verification encryptor 131 is confirmed to have error reporting currently or the current task flow is saturated, the first plaintext data, the first encrypted data and the second tag UID data are sent to the verification backup encryptor 132; and receives the verification result sent back by the production encryption engine 121 or the production backup encryption engine 122.
Further, the authentication encryptor 131 or the authentication backup encryptor 132 is further configured to receive the first plaintext data, the first encrypted data, and the second tag UID data sent by the authentication task allocation terminal 133; encrypting the second label UID data by using a locally loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding first process key; decrypting the first encrypted data by using a first process key based on a preset third encryption and decryption algorithm to obtain corresponding second plaintext data; whether the second plaintext data is matched with the first plaintext data or not is identified, if so, the counterfeit checking result is set as the counterfeit checking success, and if not, the counterfeit checking result is set as the counterfeit checking failure; and sends back the verification result to the verification task assignment terminal 133.
Here, during the counterfeit verification of the NFC tag 4 by the tag counterfeit verification device 3, the counterfeit verification task allocation terminal 133 in the counterfeit verification encryption cluster 13 selects the host or a hot standby machine according to the error state or flow saturation state of the host to execute the NFC tag key verification operation. After the host or hot standby machine is selected, the counterfeit verification task allocation terminal 133 sends the second tag UID data of the current NFC tag to the corresponding counterfeit verification encryption machine 131 or counterfeit verification backup encryption machine 132, which first disperses, based on the second tag UID data, a first process key corresponding to the tertiary key of the current NFC tag. If the current NFC tag is a legitimate tag, the tertiary key on the tag must be consistent with the first process key, that is, the result of decrypting the first encrypted data with the first process key (the second plaintext data) must be consistent with the first plaintext data. The counterfeit verification encryption machine 131 or counterfeit verification backup encryption machine 132 therefore sends a counterfeit verification result of verification success back to the counterfeit verification task allocation terminal 133 when the second plaintext data matches the first plaintext data. As described above, the counterfeit verification task allocation terminal 133 sends this counterfeit verification result to the tag counterfeit verification device 3, which displays it.
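The key fob backup exchange and the three-level key chain with counterfeit verification described above, as one added Python sketch (not code from the patent or its applicant). Assumptions: a Feistel construction over HMAC-SHA256 stands in for SM4, SM1, SM7 and the transmission key algorithm; the dispersion factor is 8 bytes; UID data is zero-padded to 16 bytes; all function names, keys, factors and the UID are constructed for illustration.

```python
import hashlib
import hmac
import os

# Stand-in 16-byte block cipher (assumption): 4-round Feistel over HMAC-SHA256.
# It replaces SM4, SM1, SM7 and the transmission key algorithm in this sketch.
def _f(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, block):
    if len(block) != 16:
        raise ValueError("block must be 16 bytes")
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right

def decrypt(key, block):
    if len(block) != 16:
        raise ValueError("block must be 16 bytes")
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right

class KeyFob:
    """Key fob side of the backup exchange."""
    def __init__(self, transmission_key):
        self._tk = transmission_key
        self._nonce = None
        self._host_verified = False      # "upper computer verification state"
        self.stored_key = None

    def get_random(self):
        self._nonce, self._host_verified = os.urandom(16), False
        return self._nonce

    def authenticate(self, fob_encrypted_data):
        ok = self._nonce is not None and hmac.compare_digest(
            decrypt(self._tk, fob_encrypted_data), self._nonce)
        self._nonce, self._host_verified = None, ok  # nonce used once (assumption)
        return ok

    def backup(self, primary_key_encrypted_data):
        if not self._host_verified:      # refuse without prior authentication
            return False
        self.stored_key = decrypt(self._tk, primary_key_encrypted_data)
        return True

def host_backup(fob, transmission_key, primary_key):
    """Root key encryption machine side of the backup exchange."""
    if not fob.authenticate(encrypt(transmission_key, fob.get_random())):
        return False
    return fob.backup(encrypt(transmission_key, primary_key))

def disperse_secondary(primary_key, factor):
    """Secondary key = E(primary, factor || ~factor); 8-byte factor assumed."""
    if len(factor) != 8:
        raise ValueError("sketch assumes an 8-byte dispersion factor")
    return encrypt(primary_key, factor + bytes(b ^ 0xFF for b in factor))

def derive_tertiary(secondary_key, uid):
    """Tertiary key = E(secondary, UID); zero-padding to 16 bytes assumed."""
    if not 0 < len(uid) <= 16:
        raise ValueError("UID must be 1 to 16 bytes")
    return encrypt(secondary_key, uid.ljust(16, b"\x00"))

def tag_internal_authenticate(tertiary_key, plaintext):
    """NFC tag side: encrypt the challenge under the tag's own tertiary key."""
    return encrypt(tertiary_key, plaintext)

def verify_tag(secondary_key, uid, plaintext, ciphertext):
    """Verification side: re-derive the process key, decrypt, compare."""
    process_key = derive_tertiary(secondary_key, uid)
    return hmac.compare_digest(decrypt(process_key, ciphertext), plaintext)

def demo():
    primary, tk = bytes(range(16)), b"T" * 16        # constructed keys
    fob = KeyFob(tk)
    out = {"backup": host_backup(fob, tk, primary),
           "stored": fob.stored_key == primary,
           "wrong_host": host_backup(fob, b"X" * 16, primary),
           "no_auth": fob.backup(encrypt(tk, primary))}
    k2_a = disperse_secondary(primary, b"REGION01")  # constructed factors
    k2_b = disperse_secondary(primary, b"REGION02")
    uid = bytes.fromhex("04a1b2c3d4e5f6")            # constructed 7-byte UID
    challenge = os.urandom(16)                       # application random number
    genuine = tag_internal_authenticate(derive_tertiary(k2_a, uid), challenge)
    clone = tag_internal_authenticate(bytes(16), challenge)  # copied UID only
    out.update(genuine=verify_tag(k2_a, uid, challenge, genuine),
               clone=verify_tag(k2_a, uid, challenge, clone),
               other_cluster=verify_tag(k2_b, uid, challenge, genuine))
    return out
```

In `demo()`, a tag that carries a copied UID without the matching tertiary key fails verification, and a tag issued under one cluster's secondary key fails under another cluster's.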
An embodiment of the present invention provides an NFC tag key management system comprising a root key encryption machine, a production encryption machine group and a verification encryption machine group. The root key encryption machine generates a unique primary key and, based on the primary key, distributes corresponding secondary keys to the production encryption machine group and the verification encryption machine group. The production encryption machine group distributes a one-tag-one-key tertiary key to each NFC tag based on the secondary key, realizing the required tag key production function, and the verification encryption machine group can verify each NFC tag based on the secondary key, realizing the required tag key verification function. Adding the system to an NFC-tag-based anti-counterfeiting system establishes a key production and key counterfeit verification system for it, which raises the security level of the anti-counterfeiting system, reduces the probability that its tags are counterfeited, and enhances its anti-counterfeiting performance.
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied in hardware, a software module executed by a processor, or a combination of the two. A software module may reside in Random Access Memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (11)

1. An NFC tag key management system, the system comprising: a root key encryption machine, a production encryption machine group and a verification encryption machine group;
the root key encryption machine is connected to the production encryption machine group and to the verification encryption machine group; the root key encryption machine is used for performing primary key production processing to obtain and store a corresponding primary key; the root key encryption machine is also used for performing secondary key dispersion processing on the primary key to obtain a corresponding secondary key, and for sending the secondary key to the production encryption machine group and the verification encryption machine group;
the production encryption machine group comprises a production encryption machine, a production backup encryption machine and a production task allocation terminal; the production encryption machine is connected to the root key encryption machine and to the production backup encryption machine; the production encryption machine is used for performing first secondary key loading and backup processing; the production task allocation terminal is connected to the production encryption machine and to the production backup encryption machine, and is also connected to tag production equipment outside the system; the production task allocation terminal is used for receiving first tag UID data sent by the tag production equipment, calling the production encryption machine or the production backup encryption machine to perform tag tertiary key production processing according to the first tag UID data to obtain a corresponding tertiary key, and sending the tertiary key back to the tag production equipment;
the verification encryption machine group comprises a verification encryption machine, a verification backup encryption machine and a verification task allocation terminal; the verification encryption machine is connected to the root key encryption machine and to the verification backup encryption machine; the verification encryption machine is used for performing second secondary key loading and backup processing; the verification task allocation terminal is connected to the verification encryption machine and to the verification backup encryption machine, and is also connected to tag verification equipment outside the system; the verification task allocation terminal is used for receiving a random number application instruction sent by the tag verification equipment, calling the verification encryption machine or the verification backup encryption machine to perform random number generation processing to obtain a corresponding application random number, and sending the application random number back to the tag verification equipment; the verification task allocation terminal is further used for receiving first plaintext data, first encrypted data and second tag UID data sent by the tag verification equipment, calling the verification encryption machine or the verification backup encryption machine to perform tag tertiary key verification according to the first plaintext data, the first encrypted data and the second tag UID data to obtain a corresponding verification result, and sending the verification result back to the tag verification equipment.
2. The NFC tag key management system of claim 1,
the tag production equipment is connected to the NFC tag; the tag production equipment is used for sending a UID acquisition instruction to the NFC tag and taking the instruction return data sent back by the NFC tag as the first tag UID data; sending the first tag UID data to the production task allocation terminal and receiving the tertiary key sent back by the production task allocation terminal; and writing the tertiary key into the NFC tag;
the tag verification equipment is connected to the NFC tag; the tag verification equipment is used for sending the UID acquisition instruction to the NFC tag and taking the instruction return data sent back by the NFC tag as the second tag UID data; sending the random number application instruction to the verification task allocation terminal and receiving the application random number sent back by the verification task allocation terminal as the first plaintext data; sending an internal authentication instruction carrying the first plaintext data to the NFC tag and taking the instruction return data sent back by the NFC tag as the first encrypted data; sending the first plaintext data, the first encrypted data and the second tag UID data to the verification task allocation terminal and receiving the verification result sent back by the verification task allocation terminal; and displaying the verification result.
3. The NFC tag key management system of claim 1,
the root key encryption machine is specifically used for, during the primary key production processing, receiving a plurality of seed codes through a plurality of encryption keyboards of the encryption machine; forming the obtained seed codes into a seed code list and storing the list; combining all the seed codes according to a set seed code combination rule to obtain a corresponding seed code combination sequence; taking the seed code combination sequence as the primary key and storing the primary key; and exporting the primary key to a key fob for backup.
4. The NFC tag key management system of claim 1,
the root key encryption machine is specifically configured to, when performing the secondary key dispersion processing on the primary key, obtain a first dispersion factor; invert the first dispersion factor byte by byte to obtain a corresponding first negation factor; concatenate the bytes in the order first dispersion factor followed by first negation factor to generate a corresponding second dispersion factor; and encrypt the second dispersion factor with the primary key based on a preset first encryption and decryption algorithm, taking the encryption result as the corresponding secondary key; the first encryption and decryption algorithm is specifically the national cryptographic SM4 algorithm.
5. The NFC tag key management system of claim 1,
the production encryption machine is also connected with an administrator encryption key;
the production encryption machine is specifically configured to, during the first secondary key loading and backup processing, receive the secondary key sent by the root key encryption machine; perform a local key loading operation on the secondary key; if the local key loading operation succeeds, locally generate a random number and record it as a first random number; encrypt the first random number with the loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding first encrypted random number; form a corresponding first backup data group from the first random number, the first encrypted random number and the secondary key; call the administrator encryption key to encrypt the first backup data group to generate corresponding first backup encrypted data; send the first backup encrypted data to the corresponding production backup encryption machine; and receive a first backup result sent back by the production backup encryption machine; if the first backup result is a successful backup, the first secondary key loading and backup processing has succeeded; the second encryption and decryption algorithm is specifically the national cryptographic SM1 algorithm.
6. The NFC tag key management system of claim 5,
the production backup encryption machine is also connected with the administrator encryption key;
the production backup encryption machine is used for receiving the first backup encrypted data sent by the production encryption machine; calling the administrator encryption key to decrypt the first backup encrypted data to obtain the corresponding first backup data group; extracting the first random number, the first encrypted random number and the secondary key from the first backup data group; performing a local key loading operation on the secondary key; if the local key loading operation succeeds, decrypting the first encrypted random number with the loaded secondary key based on the second encryption and decryption algorithm to generate a corresponding first decrypted random number; checking whether the first decrypted random number matches the first random number, and if so setting the first backup result to successful backup, and if not setting the first backup result to failed backup and performing key invalidation processing on the locally loaded secondary key; and sending the first backup result to the production encryption machine.
7. The NFC tag key management system of claim 1,
the production task allocation terminal is specifically used for, when the verification encryption machine or the verification backup encryption machine is called to generate random numbers, confirming whether the production encryption machine is currently reporting an error and whether its current task flow is saturated; if the production encryption machine is not currently reporting an error and the current task flow is not saturated, calling the production encryption machine to generate a random number to obtain the application random number; and if the production encryption machine is currently reporting an error or the current task flow is saturated, calling the production backup encryption machine to generate a random number to obtain the application random number.
8. The NFC tag key management system of claim 1,
the production task allocation terminal is specifically used for, when the production encryption machine or the production backup encryption machine is called to perform tag tertiary key production processing according to the first tag UID data, confirming whether the production encryption machine is currently reporting an error and whether its current task flow is saturated; if the production encryption machine is not currently reporting an error and the current task flow is not saturated, sending the first tag UID data to the production encryption machine; if the production encryption machine is currently reporting an error or the current task flow is saturated, sending the first tag UID data to the production backup encryption machine; and receiving the tertiary key sent back by the production encryption machine or the production backup encryption machine;
the production encryption machine or the production backup encryption machine is also used for receiving the first tag UID data sent by the production task allocation terminal; encrypting the first tag UID data with the locally loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding tertiary key; and sending the tertiary key back to the production task allocation terminal; the second encryption and decryption algorithm is specifically the national cryptographic SM1 algorithm.
9. The NFC tag key management system of claim 1,
the verification encryption machine is also connected with an administrator encryption key;
the verification encryption machine is specifically used for, during the second secondary key loading and backup processing, receiving the secondary key sent by the root key encryption machine; performing a local key loading operation on the secondary key; if the local key loading operation succeeds, locally generating a random number and recording it as a second random number; encrypting the second random number with the loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding second encrypted random number; forming a corresponding second backup data group from the second random number, the second encrypted random number and the secondary key; calling the administrator encryption key to encrypt the second backup data group to generate corresponding second backup encrypted data; sending the second backup encrypted data to the corresponding verification backup encryption machine; and receiving a second backup result sent back by the verification backup encryption machine; if the second backup result is a successful backup, the second secondary key loading and backup processing has succeeded; the second encryption and decryption algorithm is specifically the national cryptographic SM1 algorithm.
10. The NFC tag key management system of claim 9,
the verification backup encryption machine is also connected with the administrator encryption key;
the verification backup encryption machine is used for receiving the second backup encrypted data sent by the verification encryption machine; calling the administrator encryption key to decrypt the second backup encrypted data to obtain the corresponding second backup data group; extracting the second random number, the second encrypted random number and the secondary key from the second backup data group; performing a local key loading operation on the secondary key; if the local key loading operation succeeds, decrypting the second encrypted random number with the loaded secondary key based on the second encryption and decryption algorithm to generate a corresponding second decrypted random number; checking whether the second decrypted random number matches the first random number, and if so setting the second backup result to successful backup, and if not setting the second backup result to failed backup and performing key invalidation processing on the locally loaded secondary key; and sending the second backup result to the verification encryption machine.
11. The NFC tag key management system of claim 1,
the verification task allocation terminal is specifically used for, when the verification encryption machine or the verification backup encryption machine is called to perform tag tertiary key verification according to the first plaintext data, the first encrypted data and the second tag UID data, confirming whether the verification encryption machine is currently reporting an error and whether its current task flow is saturated; if the verification encryption machine is not currently reporting an error and the current task flow is not saturated, sending the first plaintext data, the first encrypted data and the second tag UID data to the verification encryption machine; if the verification encryption machine is currently reporting an error or the current task flow is saturated, sending the first plaintext data, the first encrypted data and the second tag UID data to the verification backup encryption machine; and receiving the verification result sent back by the production encryption machine or the production backup encryption machine;
the verification encryption machine or the verification backup encryption machine is further used for receiving the first plaintext data, the first encrypted data and the second tag UID data sent by the verification task allocation terminal; encrypting the second tag UID data with the locally loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding first process key; decrypting the first encrypted data with the first process key based on a preset third encryption and decryption algorithm to obtain corresponding second plaintext data; checking whether the second plaintext data matches the first plaintext data, and if so setting the verification result to verification succeeded, and if not setting the verification result to verification failed; and sending the verification result back to the verification task allocation terminal; the second encryption and decryption algorithm is specifically the national cryptographic SM1 algorithm, and the third encryption and decryption algorithm is specifically the national cryptographic SM7 algorithm.
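The key hierarchy and challenge-response check set out in claims 4, 8 and 11, as an added Python example (not code from the patent). SM1 and SM7 have no published specification, so a single HMAC-SHA256 Feistel permutation stands in for SM4, SM1 and SM7 alike. The 8-byte dispersion factor, the zero-padded UID, the 16-byte challenge, all names and sample values, and the verifier's single-use tracking of issued challenges are assumptions that the claims do not state.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # assumed block and key size (bytes) of the stand-in cipher

def _mix(key, i, half, other):
    # One Feistel step: other XOR truncated HMAC-SHA256(key, round index || half).
    pad = hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(other, pad))

def encrypt_block(key, block):
    """Stand-in for SM4/SM1/SM7 encryption: a 4-round Feistel permutation."""
    if len(block) != BLOCK:
        raise ValueError("block must be %d bytes" % BLOCK)
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, _mix(key, i, right, left)
    return left + right

def decrypt_block(key, block):
    """Inverse of encrypt_block: the same rounds undone in reverse order."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = _mix(key, i, left, right), left
    return left + right

def derive_secondary(primary_key, factor):
    """Claim 4: encrypt (factor || byte-inverted factor) under the primary key."""
    if len(factor) != BLOCK // 2:
        raise ValueError("this example assumes an 8-byte dispersion factor")
    return encrypt_block(primary_key, factor + bytes(b ^ 0xFF for b in factor))

def derive_tertiary(secondary_key, uid):
    """Claims 8 and 11: per-tag key = tag UID encrypted under the secondary key."""
    if not 0 < len(uid) <= BLOCK:
        raise ValueError("UID must be 1..16 bytes")
    return encrypt_block(secondary_key, uid.ljust(BLOCK, b"\x00"))  # padding assumed

class Tag:  # simulated NFC tag holding the tertiary key written at production
    def __init__(self, uid, tertiary_key):
        self.uid, self._key = uid, tertiary_key
    def internal_authenticate(self, challenge):
        return encrypt_block(self._key, challenge)

class Verifier:  # verification encryption machine: stores only the secondary key
    def __init__(self, secondary_key):
        self._key, self._issued = secondary_key, set()
    def new_challenge(self):
        challenge = secrets.token_bytes(BLOCK)
        self._issued.add(challenge)
        return challenge
    def verify(self, plaintext, ciphertext, uid):
        # Added hardening (not in the claims): accept each issued challenge once.
        if plaintext not in self._issued or len(ciphertext) != BLOCK:
            return False
        self._issued.discard(plaintext)
        process_key = derive_tertiary(self._key, uid)  # re-derived, never stored per tag
        return hmac.compare_digest(decrypt_block(process_key, ciphertext), plaintext)

def demo():
    primary = bytes(range(16))                  # constructed primary key
    factor = bytes.fromhex("0102030405060708")  # constructed dispersion factor
    secondary = derive_secondary(primary, factor)
    uid = bytes.fromhex("04a1b2c3d4e5f6")       # constructed 7-byte UID
    genuine = Tag(uid, derive_tertiary(secondary, uid))
    copied_uid = Tag(uid, secrets.token_bytes(BLOCK))  # same UID, no derived key
    verifier = Verifier(secondary)
    c1, c2 = verifier.new_challenge(), verifier.new_challenge()
    r1 = genuine.internal_authenticate(c1)
    return {
        "genuine": verifier.verify(c1, r1, uid),
        "stale_triple": verifier.verify(c1, r1, uid),
        "copied_uid": verifier.verify(c2, copied_uid.internal_authenticate(c2), uid),
    }

if __name__ == "__main__":
    print(demo())
```

Because the verifier re-derives the process key from the UID on every request, it needs no per-tag key database; the secondary key is the only secret it has to protect.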
CN202210380656.5A 2022-04-12 2022-04-12 NFC label key management system Active CN114786160B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210380656.5A CN114786160B (en) 2022-04-12 2022-04-12 NFC label key management system

Publications (2)

Publication Number Publication Date
CN114786160A (en) 2022-07-22
CN114786160B (en) 2022-11-11

Family

ID=82429466


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant