CN114786160B - NFC label key management system - Google Patents

Publication number
CN114786160B
Authority
CN
China
Prior art keywords
key
backup
encryption
production
encryption machine
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210380656.5A
Other languages
Chinese (zh)
Other versions
CN114786160A (en)
Inventor
季有为
李晓飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xindian Zhilian Beijing Technology Co ltd
Original Assignee
Xindian Zhilian Beijing Technology Co ltd
Application filed by Xindian Zhilian Beijing Technology Co ltd
Priority to CN202210380656.5A
Publication of CN114786160A
Application granted
Publication of CN114786160B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W4/00: Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80: Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03: Protecting confidentiality, e.g. by encryption
    • H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041: Key generation or derivation
    • H04W12/043: Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433: Key management protocols
    • H04W12/60: Context-dependent security
    • H04W12/67: Risk-dependent, e.g. selecting a security level depending on risk profiles

Abstract

The embodiment of the invention relates to an NFC tag key management system comprising a root key encryption machine, a production encryption machine group and a verification encryption machine group. The root key encryption machine generates a unique primary key and, based on the primary key, distributes corresponding secondary keys to the production encryption machine group and the verification encryption machine group. The production encryption machine group distributes to each NFC tag, based on the secondary key, a tertiary key unique to that tag (one tag, one key), and the verification encryption machine group can verify each NFC tag based on the secondary key. The key management system created in this way can reduce the probability of NFC tag counterfeiting and enhance anti-counterfeiting performance.

Description

NFC label key management system
Technical Field
The invention relates to the technical field of data processing, in particular to an NFC label key management system.
Background
Using Radio Frequency Identification (RFID) tags as anti-counterfeiting labels is a common anti-counterfeiting measure for goods. However, the conventional scheme is limited by the fact that RFID tags store data in plaintext, so it cannot fully solve the problem of RFID tags being copied after their data leaks; once copied RFID tags reach the market, the conventional scheme cannot correctly determine whether goods are genuine.
To solve this problem, we improve the tag technology used in the conventional anti-counterfeiting scheme and replace the RFID tag with a Near Field Communication (NFC) tag as the anti-counterfeiting tag for goods. The NFC tag differs clearly from the RFID tag in that it has a key loading function and key-based data encryption and decryption functions. On the one hand, these functions allow the data stored on the tag to exist in ciphertext form so that it is not easily read; on the other hand, a verification mechanism for data operation authority can be established between the NFC tag and the device operating on it, which further raises the level of data protection. The improved anti-counterfeiting scheme using NFC tags has a higher security level, a lower probability of tag counterfeiting and stronger anti-counterfeiting performance. However, the improved scheme also needs a management system capable of performing key generation and key verification for the NFC tags.
Disclosure of Invention
The object of the present invention is to provide an NFC tag key management system comprising a root key encryption machine, a production encryption machine group and a verification encryption machine group. The root key encryption machine generates a unique primary key and, based on the primary key, distributes corresponding secondary keys to the production encryption machine group and the verification encryption machine group. The production encryption machine group distributes to each NFC tag, based on the secondary key, a tertiary key unique to that tag (one tag, one key), which provides the required tag key production function, and the verification encryption machine group can verify each NFC tag based on the secondary key, which provides the required tag key verification function. When the system of the invention is added to an NFC-tag-based anti-counterfeiting system, a key production and key verification system can be established for that anti-counterfeiting system, raising its security level, reducing the probability of tag counterfeiting and enhancing its anti-counterfeiting performance.
In order to achieve the above object, an embodiment of the present invention provides an NFC tag key management system, where the system includes: a root key encryption machine, a production encryption machine group and a verification encryption machine group;
the root key encryption machine is connected to the production encryption machine group and to the verification encryption machine group; the root key encryption machine is used for performing primary key production processing to obtain and store a corresponding primary key; the root key encryption machine is also used for performing secondary key dispersion processing on the primary key to obtain a corresponding secondary key and sending the secondary key to the production encryption machine group and the verification encryption machine group;
the production encryption machine group comprises a production encryption machine, a production backup encryption machine and a production task allocation terminal; the production encryption machine is connected to the root key encryption machine and to the production backup encryption machine; the production encryption machine is used for performing first secondary key loading and backup processing; the production task allocation terminal is connected to the production encryption machine and to the production backup encryption machine, and is also connected to tag production equipment outside the system; the production task allocation terminal is used for receiving the first tag UID data sent by the tag production equipment, calling the production encryption machine or the production backup encryption machine to perform tag tertiary key production processing according to the first tag UID data to obtain a corresponding tertiary key, and sending the tertiary key back to the tag production equipment;
the verification encryption machine group comprises a verification encryption machine, a verification backup encryption machine and a verification task allocation terminal; the verification encryption machine is connected to the root key encryption machine and to the verification backup encryption machine; the verification encryption machine is used for performing second secondary key loading and backup processing; the verification task allocation terminal is connected to the verification encryption machine and to the verification backup encryption machine, and is also connected to a tag verification device outside the system; the verification task allocation terminal is used for receiving a random number application instruction sent by the tag verification device, calling the verification encryption machine or the verification backup encryption machine to perform random number generation processing to obtain a corresponding application random number, and sending the application random number back to the tag verification device; the verification task allocation terminal is further used for receiving the first plaintext data, the first encrypted data and the second tag UID data sent by the tag verification device, calling the verification encryption machine or the verification backup encryption machine to perform tag tertiary key verification processing according to the first plaintext data, the first encrypted data and the second tag UID data to obtain a corresponding verification result, and sending the verification result back to the tag verification device.
Preferably, the tag production equipment is connected to the NFC tag; the tag production equipment is used for sending a UID acquisition instruction to the NFC tag and taking the instruction return data sent back by the NFC tag as the first tag UID data; sending the first tag UID data to the production task allocation terminal and receiving the tertiary key sent back by the production task allocation terminal; and writing the tertiary key into the NFC tag;
the tag verification device is connected to the NFC tag; the tag verification device is used for sending the UID acquisition instruction to the NFC tag and taking the instruction return data sent back by the NFC tag as the second tag UID data; sending the random number application instruction to the verification task allocation terminal and receiving the application random number sent back by the verification task allocation terminal as the first plaintext data; sending an internal authentication instruction carrying the first plaintext data to the NFC tag and taking the instruction return data sent back by the NFC tag as the first encrypted data; sending the first plaintext data, the first encrypted data and the second tag UID data to the verification task allocation terminal and receiving the verification result sent back by the verification task allocation terminal; and displaying the verification result.
Preferably, the root key encryption machine is specifically configured to receive a plurality of seed codes through a plurality of encryption keyboards of the encryption machine during the primary key production process; forming a seed code list by the obtained plurality of seed codes and storing the seed code list; combining all the seed codes according to a set seed code combination rule to obtain a corresponding seed code combination sequence; taking the seed coding combination sequence as the primary key and storing the primary key; and export the primary key to the key fob for backup.
Preferably, when performing the secondary key dispersion processing on the primary key, the root key encryption machine is specifically configured to obtain a first dispersion factor; perform byte negation on the first dispersion factor to obtain a corresponding first negation factor; splice the bytes in the order of the first dispersion factor followed by the first negation factor to generate a corresponding second dispersion factor; encrypt the second dispersion factor with the primary key based on a preset first encryption and decryption algorithm, and take the encryption result as the corresponding secondary key; the first encryption and decryption algorithm is specifically the Chinese national cryptographic (GuoMi) SM4 algorithm.
Preferably, the production encryption machine is also connected to an administrator encryption key; during the first secondary key loading and backup processing, the production encryption machine is specifically configured to receive the secondary key sent by the root key encryption machine; perform a local key loading operation on the secondary key; if the local key loading operation succeeds, locally generate a random number and record it as a first random number; encrypt the first random number with the loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding first encrypted random number; form a corresponding first backup data group from the first random number, the first encrypted random number and the secondary key; call the administrator encryption key to encrypt the first backup data group and generate corresponding first backup encrypted data; send the first backup encrypted data to the corresponding production backup encryption machine; receive a first backup result sent back by the production backup encryption machine; and, if the first backup result is a successful backup, treat the first secondary key loading and backup processing as successful; the second encryption and decryption algorithm is specifically the Chinese national cryptographic (GuoMi) SM1 algorithm.
Further, the production backup encryption machine is also connected to the administrator encryption key; the production backup encryption machine is used for receiving the first backup encrypted data sent by the production encryption machine; calling the administrator encryption key to decrypt the first backup encrypted data and obtain the corresponding first backup data group; extracting the first random number, the first encrypted random number and the secondary key from the first backup data group; performing a local key loading operation on the secondary key; if the local key loading operation succeeds, decrypting the first encrypted random number with the loaded secondary key based on the second encryption and decryption algorithm to generate a corresponding first decrypted random number; identifying whether the first decrypted random number matches the first random number, and if so, setting the first backup result to a successful backup, and if not, setting the first backup result to a failed backup and performing key invalidation processing on the locally loaded secondary key; and sending the first backup result to the production encryption machine.
Preferably, when calling the verification encryption machine or the verification backup encryption machine to perform random number generation processing, the production task allocation terminal is specifically configured to determine whether the production encryption machine is currently reporting an error and whether the current task flow is saturated; if it confirms that the production encryption machine is not currently reporting an error and the current task flow is not saturated, to call the production encryption machine to generate a random number and obtain the application random number; and if it confirms that the production encryption machine is currently reporting an error or the current task flow is saturated, to call the production backup encryption machine to generate a random number and obtain the application random number.
Preferably, when calling the production encryption machine or the production backup encryption machine to perform tag tertiary key production processing according to the first tag UID data, the production task allocation terminal is specifically configured to determine whether the production encryption machine is currently reporting an error and whether the current task flow is saturated; if it confirms that the production encryption machine is not currently reporting an error and the current task flow is not saturated, to send the first tag UID data to the production encryption machine; if it confirms that the production encryption machine is currently reporting an error or the current task flow is saturated, to send the first tag UID data to the production backup encryption machine; and to receive the tertiary key sent back by the production encryption machine or the production backup encryption machine;
the production encryption machine or the production backup encryption machine is also used for receiving the first tag UID data sent by the production task allocation terminal; encrypting the first tag UID data with the locally loaded secondary key, based on a preset second encryption and decryption algorithm, to generate a corresponding tertiary key; and sending the tertiary key back to the production task allocation terminal; the second encryption and decryption algorithm is specifically the Chinese national cryptographic (GuoMi) SM1 algorithm.
Preferably, the verification encryption machine is also connected to an administrator encryption key; during the second secondary key loading and backup processing, the verification encryption machine is specifically configured to receive the secondary key sent by the root key encryption machine; perform a local key loading operation on the secondary key; if the local key loading operation succeeds, locally generate a random number and record it as a second random number; encrypt the second random number with the loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding second encrypted random number; form a corresponding second backup data group from the second random number, the second encrypted random number and the secondary key; call the administrator encryption key to encrypt the second backup data group and generate corresponding second backup encrypted data; send the second backup encrypted data to the corresponding verification backup encryption machine; receive a second backup result sent back by the verification backup encryption machine; and, if the second backup result is a successful backup, treat the second secondary key loading and backup processing as successful; the second encryption and decryption algorithm is specifically the Chinese national cryptographic (GuoMi) SM1 algorithm.
Further, the verification backup encryption machine is also connected to the administrator encryption key; the verification backup encryption machine is used for receiving the second backup encrypted data sent by the verification encryption machine; calling the administrator encryption key to decrypt the second backup encrypted data and obtain the corresponding second backup data group; extracting the second random number, the second encrypted random number and the secondary key from the second backup data group; performing a local key loading operation on the secondary key; if the local key loading operation succeeds, decrypting the second encrypted random number with the loaded secondary key based on the second encryption and decryption algorithm to generate a corresponding second decrypted random number; identifying whether the second decrypted random number matches the second random number, and if so, setting the second backup result to a successful backup, and if not, setting the second backup result to a failed backup and performing key invalidation processing on the locally loaded secondary key; and sending the second backup result to the verification encryption machine.
Preferably, when calling the verification encryption machine or the verification backup encryption machine to perform tag tertiary key verification processing according to the first plaintext data, the first encrypted data and the second tag UID data, the verification task allocation terminal is specifically configured to determine whether the verification encryption machine is currently reporting an error and whether the current task flow is saturated; if it confirms that the verification encryption machine is not currently reporting an error and the current task flow is not saturated, to send the first plaintext data, the first encrypted data and the second tag UID data to the verification encryption machine; if it confirms that the verification encryption machine is currently reporting an error or the current task flow is saturated, to send the first plaintext data, the first encrypted data and the second tag UID data to the verification backup encryption machine; and to receive the verification result sent back by the production encryption machine or the production backup encryption machine;
the verification encryption machine or the verification backup encryption machine is further used for receiving the first plaintext data, the first encrypted data and the second tag UID data sent by the verification task allocation terminal; encrypting the second tag UID data with the locally loaded secondary key, based on a preset second encryption and decryption algorithm, to generate a corresponding first process key; decrypting the first encrypted data with the first process key, based on a preset third encryption and decryption algorithm, to obtain corresponding second plaintext data; identifying whether the second plaintext data matches the first plaintext data, and if so, setting the verification result to verification success, and if not, setting the verification result to verification failure; and sending the verification result back to the verification task allocation terminal; the second encryption and decryption algorithm is specifically the Chinese national cryptographic (GuoMi) SM1 algorithm, and the third encryption and decryption algorithm is specifically the Chinese national cryptographic (GuoMi) SM7 algorithm.
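The secondary key dispersion, tertiary key production and tag verification steps described above can be traced end to end in the following added example, which is not code from the patent. A small Feistel construction built on HMAC-SHA256 stands in for SM4, SM1 and SM7 (which the Python standard library does not provide); the 8-byte dispersion factor, the zero padding of the UID, and all function, class and sample names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block and key size of the stand-in cipher, in bytes (assumption)


def _f(key, rnd, half):
    # Keyed Feistel round function of the stand-in cipher.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    """Stand-in for SM4/SM1/SM7 encryption: 4-round Feistel, NOT a real SM cipher."""
    if len(block) != BLOCK:
        raise ValueError("block must be 16 bytes")
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key, block):
    """Inverse of encrypt_block: the same rounds applied in reverse order."""
    if len(block) != BLOCK:
        raise ValueError("block must be 16 bytes")
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def derive_secondary(primary, factor):
    """Root key machine: secondary = E(primary, factor || byte-negated factor)."""
    if len(factor) != 8:  # assumed length, so the spliced factor fills one block
        raise ValueError("dispersion factor must be 8 bytes")
    negated = bytes(b ^ 0xFF for b in factor)
    return encrypt_block(primary, factor + negated)


def derive_tertiary(secondary, uid):
    """Production machine: tertiary = E(secondary, UID).

    Zero padding to one block is an assumption; UIDs are taken to be fixed-length.
    """
    if not 0 < len(uid) <= BLOCK:
        raise ValueError("UID must be 1..16 bytes")
    return encrypt_block(secondary, uid.ljust(BLOCK, b"\x00"))


class Tag:
    """Hypothetical tag model: the UID is readable, the key is only used internally."""

    def __init__(self, uid, key):
        self.uid = uid
        self._key = key

    def internal_authenticate(self, challenge):
        # Tag side of the internal authentication instruction.
        return encrypt_block(self._key, challenge)


def verify_tag(secondary, challenge, response, uid):
    """Verification machine: re-derive the process key from the UID, decrypt, compare."""
    process_key = derive_tertiary(secondary, uid)
    try:
        recovered = decrypt_block(process_key, response)
    except ValueError:
        return False  # malformed response is a verification failure
    return hmac.compare_digest(recovered, challenge)


def demo():
    primary = bytes(range(16))                         # constructed primary key
    region_a = derive_secondary(primary, b"REGION-A")  # constructed factors
    region_b = derive_secondary(primary, b"REGION-B")
    uid = bytes.fromhex("04a1b2c3d4e5f6")              # constructed 7-byte UID
    genuine = Tag(uid, derive_tertiary(region_a, uid))
    uid_copy = Tag(uid, os.urandom(BLOCK))  # same UID, but not the tertiary key
    c1, c2 = os.urandom(BLOCK), os.urandom(BLOCK)      # two application random numbers
    r1 = genuine.internal_authenticate(c1)
    return {
        "genuine": verify_tag(region_a, c1, r1, uid),
        "uid_only_copy": verify_tag(region_a, c1, uid_copy.internal_authenticate(c1), uid),
        "wrong_machine_group": verify_tag(region_b, c1, r1, uid),
        "stale_response": verify_tag(region_a, c2, r1, uid),
    }


if __name__ == "__main__":
    print(demo())
```

The verification side stores no per-tag keys: it holds only the secondary key and recomputes each tag's key from the UID, which is why a production group and its verification group must share the same secondary key.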
An embodiment of the present invention provides an NFC tag key management system comprising a root key encryption machine, a production encryption machine group and a verification encryption machine group. The root key encryption machine generates a unique primary key and, based on the primary key, distributes corresponding secondary keys to the production encryption machine group and the verification encryption machine group. The production encryption machine group distributes to each NFC tag, based on the secondary key, a tertiary key unique to that tag (one tag, one key), which provides the required tag key production function, and the verification encryption machine group can verify each NFC tag based on the secondary key, which provides the required tag key verification function. When the system is added to an NFC-tag-based anti-counterfeiting system, a key production and key verification system is established for that anti-counterfeiting system, raising its security level, reducing the probability of tag counterfeiting and enhancing its anti-counterfeiting performance.
Drawings
Fig. 1 is a schematic structural diagram of an NFC tag key management system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Fig. 1 is a schematic structural diagram of an NFC tag key management system according to an embodiment of the present invention, and as shown in fig. 1, the NFC tag key management system 1 includes: a root key encryption machine 11, a production encryption machine group 12 and a verification encryption machine group 13.
Root key encryption machine 11
The root key encryption machine 11 is connected to the production encryption machine group 12 and to the verification encryption machine group 13; the root key encryption machine 11 is used for performing primary key production processing to obtain and store a corresponding primary key; the root key encryption machine 11 is also used for performing secondary key dispersion processing on the primary key to obtain a corresponding secondary key, and sending the secondary key to the production encryption machine group 12 and the verification encryption machine group 13.
Here, the root key encryption machine 11 is configured to generate a unique root key, that is, the primary key, and to distribute corresponding secondary keys to the production encryption machine group 12 and the verification encryption machine group 13 connected to it.
It should be noted that, in practical application, the production encryption machine group 12 and the verification encryption machine group 13 are in one-to-one correspondence and use the same secondary key; one root key encryption machine 11 can be connected to multiple pairs of production + verification machine groups (each a production encryption machine group 12 and a verification encryption machine group 13), where the secondary keys of the production encryption machine group 12 and the verification encryption machine group 13 within each pair are the same, but the secondary keys of different pairs are normally different. Conventionally, the root key encryption machine 11 is deployed at the manufacturer's headquarters, and the deployment of each production + verification machine group depends on the situation: if deployment is by region, at least one production + verification machine group is deployed in each designated region, and if deployment is by product series, at least one production + verification machine group is set up for each product series.
For example, if manufacturer A's key management scheme is managed by region, the root key encryption machine 11 is placed at headquarters as the manufacturer's root key machine, and corresponding regional production + verification machine groups are deployed in the different regions; for the purpose of regional control, the secondary keys of the regional production + verification machine groups are different. As another example, if manufacturer B's key management scheme is managed by product series, the root key encryption machine 11 is placed at headquarters as the manufacturer root key, corresponding product series production + verification machine groups are set up for the different product series, and the secondary keys of the different product series production + verification machine groups are not different.
In a specific implementation manner of the embodiment of the present invention, the root key encryptor 11 is specifically configured to receive a plurality of seed codes through a plurality of encryption keyboards of the encryptor during the primary key production process; and a seed code list is formed by the obtained seed codes and is stored; combining all seed codes according to a set seed code combination rule to obtain a corresponding seed code combination sequence; taking the seed coding combination sequence as a primary key and storing the primary key; and export the primary key to the key fob for backup.
Here, any encryptor in the embodiment of the present invention is an encryption terminal device with a keyboard input port, and the keyboard input port of each encryptor is an encryption keyboard input interface; the root key encryption device 11 may have a plurality of encryption keyboard input interfaces and interface with a plurality of encryption keyboards. When generating the primary key, a plurality of persons input a set of fixed-length codes composed of numbers and/or characters on different encryption keyboards to form corresponding seed codes, and the root key encryptor 11 splices the seed codes according to a set seed code combination rule to form a seed code combination sequence so as to obtain the primary key.
It should be noted that the seed coding combination rule may have a plurality of implementation rules, one implementation manner is to perform sequential seed coding splicing according to the corresponding keyboard identifier, another implementation manner is to perform seed coding splicing according to the sequence of the corresponding keyboard identifier with odd numbers in front and even numbers in back from large to small, and yet another implementation manner is to perform seed coding splicing according to a set splicing manner, perform primary encryption on the spliced coding sequence, and use the encrypted coding sequence as a seed coding combination sequence; in addition, the seed coding combination rule can be defined by the specific implementation party, and is not described herein.
It should be noted that, the root key encryption machine 11 uses the key fob to backup the primary key of its own machine, and presets the same transmission key as the key fob locally before backup and agrees on the encryption/decryption algorithm (denoted as transmission key encryption/decryption algorithm) corresponding to the transmission key. In another specific implementation manner of the embodiment of the present invention, the root key encryption machine 11 is specifically configured to, when exporting a primary key to a key fob for backup, send a random number fetching instruction to the key fob, and use instruction return data sent back by the key fob as a key fob random number; based on the appointed encryption and decryption algorithm of the transmission key, the local transmission key is used for encrypting the random number of the key fob to obtain corresponding encrypted data of the key fob; sending the authentication instruction carrying the encrypted data of the key fob to the key fob, and receiving an instruction sent back by the key fob to return to the state; if the instruction return state is the instruction success state, based on the agreed transmission key encryption and decryption algorithm, the local primary key is encrypted by using the transmission key to generate corresponding primary key encrypted data; sending a key backup instruction carrying primary key encryption data to the key fob and receiving an instruction sent back by the key fob to return to a state; and if the instruction return state is the instruction success state, the key card backup processing is considered to be successful.
Further, the operation steps at the key fob end are as follows: the key fob is used for receiving the random number fetching instruction sent by the root key encryption machine 11, generating a random number locally, and sending the obtained key fob random number back to the root key encryption machine 11 as instruction return data; receiving the authentication instruction sent by the root key encryption machine 11, and extracting the key fob encrypted data from the authentication instruction; based on the agreed transmission key encryption/decryption algorithm, decrypting the key fob encrypted data using the local transmission key to obtain key fob decrypted data; when the key fob decrypted data matches the key fob random number, setting the instruction return state to the instruction success state, sending it back to the root key encryption machine 11, and locally setting the upper computer verification state to the pass state; receiving the key backup instruction sent by the root key encryption machine 11, and, when the upper computer verification state is the pass state, extracting the primary key encrypted data from the key backup instruction; based on the agreed transmission key encryption/decryption algorithm, decrypting the primary key encrypted data using the local transmission key to obtain the corresponding primary key; storing the primary key in the local key storage area using an out-of-order scrambled storage mode; and, after the storage succeeds, setting the instruction return state to the instruction success state and sending it back to the root key encryption machine 11.
Note that, when the local primary key data is destroyed, the root key encryptor 11 also uses the key fob to recover the local primary key. As with the backup preparation, before recovering the key the root key encryptor 11 ensures that the same transmission key as the key fob is preset locally and that the encryption/decryption algorithm corresponding to the transmission key (the transmission key encryption/decryption algorithm) is agreed upon. In another specific implementation manner of the embodiment of the present invention, the root key encryption machine 11 is specifically configured to, when recovering the local primary key using the key fob, send a random number fetching instruction to the key fob, and use the instruction return data sent back by the key fob as the key fob random number; based on the agreed transmission key encryption/decryption algorithm, encrypt the key fob random number using the local transmission key to obtain the corresponding key fob encrypted data; send an authentication instruction carrying the key fob encrypted data to the key fob, and receive the instruction return state sent back by the key fob; if the instruction return state is the instruction success state, send a key derivation instruction to the key fob, and take the instruction return data of the key fob as the derivation encrypted data; based on the agreed transmission key encryption/decryption algorithm, decrypt the derivation encrypted data using the local transmission key to generate the corresponding primary key; and perform local key loading of the primary key.
Further, the operation steps at the key fob end are as follows: the key fob is used for receiving the random number fetching instruction sent by the root key encryption machine 11, generating a random number locally, and sending the obtained key fob random number back to the root key encryption machine 11 as instruction return data; receiving the authentication instruction sent by the root key encryption machine 11, and extracting the key fob encrypted data from the authentication instruction; based on the agreed transmission key encryption/decryption algorithm, decrypting the key fob encrypted data using the local transmission key to obtain key fob decrypted data; when the key fob decrypted data matches the key fob random number, setting the instruction return state to the instruction success state, sending it back to the root key encryption machine 11, and locally setting the upper computer verification state to the pass state; receiving the key derivation instruction sent by the root key encryption machine 11, and, when the upper computer verification state is the pass state, reading the primary key from the local key storage area; and, based on the agreed transmission key encryption/decryption algorithm, encrypting the primary key using the local transmission key and sending the encrypted result back to the root key encryption machine 11 as instruction return data.
In another specific implementation manner of the embodiment of the present invention, the root key encryptor 11 is specifically configured to, when performing secondary key dispersion processing on the primary key, obtain a first dispersion factor; perform byte negation on the first dispersion factor to obtain the corresponding first negation factor; splice the bytes in the order first dispersion factor followed by first negation factor to generate the corresponding second dispersion factor; and, based on a preset first encryption and decryption algorithm, encrypt the second dispersion factor using the primary key and take the encryption result as the corresponding secondary key. The first encryption and decryption algorithm mentioned in the embodiment of the present invention is specifically the national cryptographic SM4 algorithm.
Here, in the embodiment of the present invention, each production plus counterfeit verification machine group (the production encryption cluster 12 + the counterfeit verification encryption cluster 13) corresponds to one first dispersion factor. In a specific implementation, a region unique code or a product series unique code may be used as the value of the first dispersion factor; the aim is to make the first dispersion factor of each production plus counterfeit verification machine group different, so that the secondary key of each such group is different.
(II) Production encryption cluster 12
The production encryption cluster 12 comprises a production encryption machine 121, a production backup encryption machine 122 and a production task distribution terminal 123;
the production encryptor 121 is connected to the root key encryptor 11 and the production backup encryptor 122, respectively; the production encryption engine 121 is configured to perform first secondary key loading and backup processing;
the production task allocation terminal 123 is respectively connected with the production encryption machine 121 and the production backup encryption machine 122, and is also connected with the label production equipment 2 outside the system; the production task allocation terminal 123 is configured to receive the first tag UID data sent by the tag production device 2, call the production encryptor 121 or the production backup encryptor 122 to perform tag tertiary key production processing according to the first tag UID data to obtain a corresponding tertiary key, and send the tertiary key back to the tag production device 2.
Further, on the label producing apparatus 2 side outside the system: the label production equipment 2 is connected with the NFC label 4; the tag production equipment 2 is used for sending a UID acquisition instruction to the NFC tag 4 and taking instruction return data sent back by the NFC tag 4 as first tag UID data; the first label UID data is sent to the production task allocation terminal 123, and a tertiary key sent back by the production task allocation terminal 123 is received; and writes the tertiary key to the NFC tag 4.
Here, the production encryption cluster 12 actually performs the one-tag-one-key three-level key dispersion calculation for the NFC tags in the area where the cluster is located or under its product series, that is, it prepares the production key for each NFC tag. The production encryption cluster 12 may include one or more production encryptors 121, and one production encryptor 121 may correspond to one or more production backup encryptors 122. The production encryption cluster 12 adopts a host hot-standby mechanism: the host is the production encryption engine 121, and the one or more production backup encryption engines 122 corresponding to that production encryption engine 121 are the hot standby machines of the current host. Each host is responsible not only for loading its own secondary key but also for initiating the secondary key backup operation on all of its hot standby machines. The production task allocation terminal 123 in the production encryption cluster 12 interfaces with the tag production device 2 used in NFC tag production and, during the key production process performed by the tag production device 2 on the NFC tag 4, selects the host or a hot standby machine according to the error state or the flow saturation state of the host to prepare the NFC tag production key, that is, to perform the one-tag-one-key three-level key dispersion calculation.
In another specific implementation manner of the embodiment of the present invention, the production encryption engine 121 is further connected to an administrator encryption key; the production encryption machine 121 is specifically configured to receive the secondary key sent by the root key encryption machine 11 during the first secondary key loading and backup processing; and carrying out local key loading operation on the secondary key; if the local key loading operation is successful, a random number is locally generated and recorded as a first random number; encrypting the first random number by using the loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding first encrypted random number; a corresponding first backup data group is formed by the first random number, the first encrypted random number and the secondary key; calling an administrator encryption key to encrypt the first backup data group to generate corresponding first backup encrypted data; and sends the first backup encrypted data to the corresponding production backup encryptor 122; and receives the first backup result sent back by the production backup encryptor 122; if the first backup result is that the backup is successful, the first secondary key is loaded and the backup processing is successful; the second encryption and decryption algorithm mentioned in the embodiment of the present invention is specifically a cryptographic SM1 algorithm.
Further, the production backup encryption engine 122 is also connected with an administrator encryption key; the production backup encryption machine 122 is configured to receive the first backup encrypted data sent by the production encryption machine 121; calling an administrator encryption key to decrypt the first backup encrypted data to obtain a corresponding first backup data group; extracting a first random number, a first encrypted random number and a secondary key from the first backup data group; local key loading operation is carried out on the secondary key; if the local key loading operation is successful, the loaded secondary key is used for decrypting the first encrypted random number based on the second encryption and decryption algorithm to generate a corresponding first decrypted random number; whether the first decryption random number is matched with the first random number is identified, if so, the first backup result is set as a successful backup, and if not, the first backup result is set as a failed backup and the secondary key loaded locally is subjected to key failure treatment; and sends the first backup result to production encryptor 121.
Here, the administrator encryption key may be connected to the production encryptor 121 and the production backup encryptor 122 via a Universal Serial Bus (USB) interface; the production encryption device 121 and the production backup encryption device 122 can also be connected through a network device with a USB interface. The administrator encryption key may use various algorithms to implement the encryption/decryption operation on the input data, which is not described herein. In the embodiment of the present invention, the first random number and the first encrypted random number are added to the first backup data group with which the production encryption machine 121 starts the production backup encryption machine 122 to perform key backup, so that after the production backup encryption machine 122 completes the secondary key loading, the correctness of the loaded key is checked using the previously matched plaintext + ciphertext pair (the first random number + the first encrypted random number); if the first decrypted random number matches the first random number, the loaded key is correct.
In another specific implementation manner of the embodiment of the present invention, the production task allocation terminal 123 is specifically configured to determine whether the production encryption machine 121 is currently in error and whether the current task flow is saturated when the production encryption machine 121 or the production backup encryption machine 122 is called to perform tag three-level key production processing according to the first tag UID data; if the production encryption machine 121 does not report an error currently and the current task flow is not saturated, sending the first tag UID data to the production encryption machine 121; if the production encryption machine 121 is confirmed to have error reporting currently or the current task flow is saturated, sending the first tag UID data to the production backup encryption machine 122; and receives the tertiary key sent back by either production encryptor 121 or production backup encryptor 122.
Further, the production encryption device 121 or the production backup encryption device 122 is further configured to receive the first tag UID data sent by the production task allocation terminal 123; encrypting the first label UID data by using a locally loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding tertiary key; and sends the tertiary key back to the production task assignment terminal 123.
Here, during the key production process performed by the tag production device 2 on the NFC tag 4, the production task allocation terminal 123 in the production encryption cluster 12 selects the host or a hot standby machine according to the error state or the flow saturation state of the host to prepare the NFC tag production key, that is, to perform the one-tag-one-key three-level key dispersion calculation. After the host or the hot standby machine is selected, the production task assigning terminal 123 sends the first tag UID data used for the one-tag-one-key dispersion to the corresponding production encryptor 121 or production backup encryptor 122, and the production encryptor 121 or production backup encryptor 122 performs the three-level key dispersion calculation based on the first tag UID data and returns the calculation result to the production task assigning terminal 123 as the key production data of the current NFC tag, that is, the corresponding tertiary key.
(III) Counterfeit verification encryption cluster 13
The authentication encryption cluster 13 comprises an authentication encryption machine 131, an authentication backup encryption machine 132 and an authentication task distribution terminal 133;
the authentication encryptor 131 is respectively connected with the root key encryptor 11 and the authentication backup encryptor 132; the verification encryption machine 131 is used for performing second-level key loading and backup processing;
the counterfeit checking task allocation terminal 133 is respectively connected with the counterfeit checking encryption machine 131 and the counterfeit checking backup encryption machine 132, and is also connected with the label counterfeit checking device 3 outside the system; the counterfeit checking task allocation terminal 133 is configured to receive a random number application instruction sent by the tag counterfeit checking device 3, call the counterfeit checking encryption machine 131 or the counterfeit checking backup encryption machine 132 to perform random number generation processing to obtain a corresponding application random number, and send the application random number back to the tag counterfeit checking device 3; the counterfeit verification task allocation terminal 133 is further configured to receive the first plaintext data, the first encrypted data, and the second tag UID data sent by the tag counterfeit verification device 3, call the counterfeit verification encryptor 131 or the counterfeit verification backup encryptor 132 to perform tag three-level key counterfeit verification processing according to the first plaintext data, the first encrypted data, and the second tag UID data to obtain a corresponding counterfeit verification result, and send the counterfeit verification result back to the tag counterfeit verification device 3.
Further, the tag authentication device 3 is connected with the NFC tag 4; the tag authentication device 3 is used for sending a UID acquisition instruction to the NFC tag 4 and taking the instruction return data sent back by the NFC tag 4 as the second tag UID data; sending the random number application instruction to the counterfeit detection task allocation terminal 133, and receiving the application random number sent back by the counterfeit detection task allocation terminal 133 as the first plaintext data; sending an internal authentication instruction carrying the first plaintext data to the NFC tag 4, and taking the instruction return data sent back by the NFC tag 4 as the first encrypted data; sending the first plaintext data, the first encrypted data and the second tag UID data to the counterfeit verification task allocation terminal 133, and receiving the counterfeit verification result sent back by the counterfeit verification task allocation terminal 133; and displaying the verification result. Further, when the NFC tag 4 receives the internal authentication instruction, it extracts the first plaintext data from the instruction; based on a preset third encryption and decryption algorithm, it encrypts the first plaintext data using the local three-level key to generate the corresponding first encrypted data, and returns the first encrypted data to the tag authentication device 3. The third encryption and decryption algorithm mentioned in the embodiment of the present invention is specifically the national cryptographic SM7 algorithm.
Here, for ease of understanding, the tag authentication process performed on the NFC tag 4 by the tag authentication device 3 is first briefly described: the tag authentication device 3 applies to the authentication encryption cluster 13 for a random number to use as the plaintext to be encrypted, namely the first plaintext data, and sends the plaintext to the NFC tag 4 through an internal authentication instruction; the NFC tag 4 encrypts the plaintext with the tag's three-level key (which corresponds to the tag's UID data) to obtain the corresponding ciphertext, namely the first encrypted data; the tag authentication device 3 then sends the plaintext, the ciphertext and the tag UID data to the authentication encryption cluster 13, which performs three-level key dispersion based on the tag UID data, verifies the plaintext and the ciphertext using the dispersed key, and returns the verification result. Therefore, the authentication encryption cluster 13 actually provides, through the tag authentication device 3, the key authentication function for the NFC tags 4 in the area where the cluster is located or under its product series. The authentication encryption cluster 13 may include one or more authentication encryptors 131, and one authentication encryptor 131 may correspond to one or more authentication backup encryptors 132. Like the production encryption cluster 12, the authentication encryption cluster 13 adopts a host hot-standby mechanism: the host is the authentication encryptor 131, and the one or more authentication backup encryptors 132 corresponding to each authentication encryptor 131 are the hot standby machines of the current host. Each host is responsible not only for loading its own secondary key but also for initiating the secondary key backup operation on all of its hot standby machines.
The counterfeit verification task allocation terminal 133 in the counterfeit verification encryption cluster 13 is configured to interface the tag counterfeit verification device 3 related to NFC tag counterfeit verification, and select a corresponding host or hot standby machine according to an error state or a flow saturation state of the host to execute a random number application operation of the tag counterfeit verification device and data verification calculation of the NFC tag in the process of verifying the NFC tag 4 by the tag counterfeit verification device 3.
In another specific implementation manner of the embodiment of the present invention, the authentication encryptor 131 is further connected to an administrator encryption key; the verification encryption machine 131 is specifically configured to receive the secondary key sent by the root key encryption machine 11 during the second secondary key loading and backup processing; and carrying out local key loading operation on the secondary key; if the local key loading operation is successful, a random number is locally generated and recorded as a second random number; encrypting the second random number by using the loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding second encrypted random number; and a second backup data group corresponding to the second random number, the second encrypted random number and the second-level key is formed; calling an administrator encryption key to encrypt the second backup data group to generate corresponding second backup encrypted data; and sends the second backup encrypted data to the corresponding authentication backup encryptor 132; and receives the second backup result sent back by the counterfeit-checking backup encryption machine 132; and if the second backup result is that the backup is successful, the second secondary key loading and backup processing are successful.
Further, the counterfeit-checking backup encryption machine 132 is also connected with the administrator encryption key; the authentication backup encryption machine 132 is used for receiving the second backup encryption data sent by the authentication encryption machine 131; the administrator encryption key is called to decrypt the second backup encrypted data to obtain a corresponding second backup data group; extracting a second random number, a second encrypted random number and a secondary key from the second backup data group; and carrying out local key loading operation on the secondary key; if the local key loading operation is successful, the loaded secondary key is used for decrypting the second encrypted random number based on a second encryption and decryption algorithm to generate a corresponding second decrypted random number; whether the second decryption random number is matched with the second random number is identified, if so, the second backup result is set as a successful backup, and if not, the second backup result is set as a failed backup and the secondary key loaded locally is subjected to key failure treatment; and sends the second backup result to authentication encryptor 131.
Here, the administrator encryption key may be connected to the authentication encryptor 131 and the authentication backup encryptor 132 through USB interfaces; the authentication encryptor 131 and the authentication backup encryptor 132 can also be connected through a network device with a USB interface. The administrator encryption key may use various algorithms to implement the encryption/decryption operation on the input data, which is not described herein. In the embodiment of the present invention, the second random number and the second encrypted random number are added to the second backup data group with which the authentication encryptor 131 starts the authentication backup encryptor 132 to perform key backup, so that after the authentication backup encryptor 132 completes the loading of the secondary key, the correctness of the loaded key is checked using the previously matched plaintext + ciphertext pair (the second random number + the second encrypted random number); if the second decrypted random number matches the second random number, the loaded key is determined to be correct.
In another specific implementation manner of the embodiment of the present invention, the counterfeit verification task allocation terminal 133 is specifically configured to determine, when the verification encryption machine 131 or the verification backup encryption machine 132 is called to perform random number generation processing, whether the verification encryption machine 131 currently reports an error and whether the current task flow is saturated; if it is confirmed that the verification encryption machine 131 does not currently report an error and the current task flow is not saturated, calling the verification encryption machine 131 to perform random number generation processing to obtain the application random number; if it is confirmed that the verification encryption machine 131 currently reports an error or the current task flow is saturated, calling the verification backup encryption machine 132 to perform random number generation processing to obtain the application random number.
Here, the authentication task allocation terminal 133 in the authentication cryptographic cluster 13 selects the corresponding host or hot standby machine according to the error state or the traffic saturation state of the host to execute the random number application operation of the tag authentication device in the tag authentication process of the tag authentication device 3 on the NFC tag 4.
In another specific implementation manner of the embodiment of the present invention, the verification task allocation terminal 133 is specifically configured to determine whether the verification encryptor 131 reports an error currently and whether the current task traffic is saturated when the verification encryptor 131 or the verification backup encryptor 132 performs tag three-level key verification processing according to the first plaintext data, the first encrypted data, and the second tag UID data; if the counterfeit verification encryptor 131 does not report an error currently and the current task flow is not saturated, sending the first plaintext data, the first encrypted data and the second tag UID data to the counterfeit verification encryptor 131; if the verification encryptor 131 is confirmed to have error reporting currently or the current task flow is saturated, the first plaintext data, the first encrypted data and the second tag UID data are sent to the verification backup encryptor 132; and receives the verification result sent back by the production encryption engine 121 or the production backup encryption engine 122.
Further, the counterfeit verification encryptor 131 or the counterfeit verification backup encryptor 132 is further configured to receive the first plaintext data, the first encrypted data, and the second tag UID data sent by the counterfeit verification task allocation terminal 133; encrypting the second label UID data by using a locally loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding first process key; decrypting the first encrypted data by using the first process key based on a preset third encryption and decryption algorithm to obtain corresponding second plaintext data; whether the second plaintext data is matched with the first plaintext data or not is identified, if so, the counterfeit checking result is set as the counterfeit checking success, and if not, the counterfeit checking result is set as the counterfeit checking failure; and sends back the verification result to the verification task assignment terminal 133.
Here, the counterfeit checking task allocation terminal 133 in the counterfeit checking encryption cluster 13 selects the corresponding host or hot standby machine to execute the NFC tag key counterfeit checking operation according to the error state or the flow saturation state of the host in the process of the tag counterfeit checking of the NFC tag 4 by the tag counterfeit checking device 3; after the host or the hot standby is selected, the authentication task assignment terminal 133 transmits the second tag UID data of the current NFC tag to the corresponding authentication encryptor 131 or the authentication backup encryptor 132. The verification encryptor 131 or the verification backup encryptor 132 firstly disperses a first process key corresponding to the current NFC tag tertiary key based on the second tag UID data; here, if the current NFC tag is a legal tag, the tertiary key on the current NFC tag must be consistent with the first process key, that is, the result of decrypting the first encrypted data (the second plaintext data) using the first process key must be consistent with the first plaintext data; therefore, the verification encryptor 131 or the verification backup encryptor 132 sends back the verification result, which is a successful verification, to the verification task assigning terminal 133 when the second plaintext data matches the first plaintext data. As can be seen from the foregoing, the counterfeit verification task allocation terminal 133 sends the counterfeit verification result, specifically, the counterfeit verification result that is successful in counterfeit verification, to the tag counterfeit verification device 3, and the tag counterfeit verification device 3 displays the counterfeit verification result.
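The key hierarchy described above (secondary key from the spliced dispersion factor, the plaintext + ciphertext check on a backed-up secondary key, the per-tag tertiary key from the UID, and the challenge-response counterfeit verification) can be traced end to end in the following added example, which is not part of the patent text. SM1 and SM7 have no public specification, so a stand-in block cipher built from SHA-256 replaces SM4, SM1 and SM7 throughout, and the administrator encryption key wrapping is left out because its algorithm is not specified. The 8-byte dispersion factor, zero-padded UID, 16-byte keys and all sample values are assumptions constructed for illustration.

```python
"""Added illustration of the three-level key hierarchy and tag verification.
The cipher is a stand-in (4-round Feistel over SHA-256), NOT SM4, SM1 or SM7.
Factor length, UID padding and every key value here are assumptions."""
import hashlib
import hmac
import os

BLOCK = 16  # assumed 128-bit block and key size

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for every 'encrypt X using key K' step in the text."""
    if len(block) != BLOCK:
        raise ValueError("block must be 16 bytes")
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    if len(block) != BLOCK:
        raise ValueError("block must be 16 bytes")
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def derive_secondary(primary_key: bytes, first_factor: bytes) -> bytes:
    """Second factor = first factor || byte-negated factor, encrypted under the primary key."""
    if len(first_factor) != 8:  # assumed, so the spliced factor fills one block
        raise ValueError("first dispersion factor must be 8 bytes")
    negated = bytes(b ^ 0xFF for b in first_factor)
    return encrypt_block(primary_key, first_factor + negated)

def derive_tertiary(secondary_key: bytes, uid: bytes) -> bytes:
    """Per-tag key: the tag UID encrypted under the secondary key (zero padding assumed)."""
    if not 0 < len(uid) <= BLOCK:
        raise ValueError("UID must be 1..16 bytes")
    return encrypt_block(secondary_key, uid.ljust(BLOCK, b"\x00"))

def make_backup_group(secondary_key: bytes):
    """Host side: random number, its ciphertext under the loaded key, and the key."""
    rnd = os.urandom(BLOCK)
    return rnd, encrypt_block(secondary_key, rnd), secondary_key

def load_backup(group):
    """Hot-standby side: keep the key only if it decrypts the known pair correctly."""
    rnd, enc_rnd, key = group
    if hmac.compare_digest(decrypt_block(key, enc_rnd), rnd):
        return key
    return None  # key failure treatment: the loaded key is discarded

class Tag:
    """Model of an NFC tag holding its UID and its tertiary key."""
    def __init__(self, uid: bytes, tertiary_key: bytes):
        self.uid = uid
        self._key = tertiary_key

    def internal_authenticate(self, challenge: bytes) -> bytes:
        return encrypt_block(self._key, challenge)

def verify_tag(secondary_key: bytes, uid: bytes, challenge: bytes, response: bytes) -> bool:
    """Verification machine: re-derive the process key from the UID, decrypt, compare."""
    process_key = derive_tertiary(secondary_key, uid)
    return hmac.compare_digest(decrypt_block(process_key, response), challenge)

def run_demo() -> dict:
    primary = bytes(range(16))                      # constructed primary key
    sec_a = derive_secondary(primary, b"REGION_A")  # constructed region codes
    sec_b = derive_secondary(primary, b"REGION_B")
    uid = bytes.fromhex("04a1b2c3d4e5f6")           # constructed 7-byte UID
    genuine = Tag(uid, derive_tertiary(sec_a, uid))
    clone = Tag(uid, bytes(16))                     # UID copied, tertiary key not known
    challenge = os.urandom(BLOCK)                   # the "application random number"
    answer = genuine.internal_authenticate(challenge)
    good = make_backup_group(sec_a)
    corrupt = (good[0], good[1], _xor(sec_a, b"\x01" + bytes(15)))  # one flipped key bit
    return {
        "genuine": verify_tag(sec_a, uid, challenge, answer),
        "clone": verify_tag(sec_a, uid, challenge, clone.internal_authenticate(challenge)),
        "wrong_cluster": verify_tag(sec_b, uid, challenge, answer),
        "backup_ok": load_backup(good) == sec_a,
        "backup_corrupt_rejected": load_backup(corrupt) is None,
    }

if __name__ == "__main__":
    print(run_demo())
```

The verification side stores only the secondary key and recomputes each tag's key from its UID, so a copied UID without the tertiary key fails, and a genuine tag checked against a cluster with a different first dispersion factor fails as well.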
An embodiment of the present invention provides an NFC tag key management system, including a root key encryption machine, a production encryption machine group and a verification encryption machine group. The root key encryption machine generates a unique primary key and, based on the primary key, distributes corresponding secondary keys to the production encryption machine group and the verification encryption machine group; the production encryption machine group distributes a one-tag-one-key tertiary key to each NFC tag based on the secondary key, so as to realize the required tag key production function; and the verification encryption machine group can verify each NFC tag based on the secondary key, so as to realize the required tag key verification function. When the system is added to an NFC-tag-based anti-counterfeiting system, it establishes key production and key counterfeit verification for that anti-counterfeiting system, which improves its security level, reduces the probability that its tags are counterfeited, and enhances its anti-counterfeiting performance.
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the components and steps of the various examples have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (11)

1. An NFC tag key management system, the system comprising: a root key encryption machine, a production encryption machine group and a verification encryption machine group;
the root key encryption machine is connected to the production encryption machine group and to the verification encryption machine group respectively; the root key encryption machine is used for performing primary key production processing to obtain and store a corresponding primary key; the root key encryption machine is further used for performing secondary key dispersion processing on the primary key to obtain a corresponding secondary key and for sending the secondary key to the production encryption machine group and the verification encryption machine group;
the production encryption machine group comprises a production encryption machine, a production backup encryption machine and a production task allocation terminal; the production encryption machine is connected to the root key encryption machine and to the production backup encryption machine respectively; the production encryption machine is used for performing first secondary key loading and backup processing; the production task allocation terminal is connected to the production encryption machine and to the production backup encryption machine respectively, and is further connected to tag production equipment outside the system; the production task allocation terminal is used for receiving first tag UID data sent by the tag production equipment, calling the production encryption machine or the production backup encryption machine to perform tag tertiary key production processing according to the first tag UID data to obtain a corresponding tertiary key, and sending the tertiary key back to the tag production equipment;
the verification encryption machine group comprises a verification encryption machine, a verification backup encryption machine and a verification task allocation terminal; the verification encryption machine is connected to the root key encryption machine and to the verification backup encryption machine respectively; the verification encryption machine is used for performing second secondary key loading and backup processing; the verification task allocation terminal is connected to the verification encryption machine and to the verification backup encryption machine respectively, and is further connected to a tag verification device outside the system; the verification task allocation terminal is used for receiving a random number application instruction sent by the tag verification device, calling the verification encryption machine or the verification backup encryption machine to perform random number generation processing to obtain a corresponding application random number, and sending the application random number back to the tag verification device; the verification task allocation terminal is further used for receiving first plaintext data, first encrypted data and second tag UID data sent by the tag verification device, calling the verification encryption machine or the verification backup encryption machine to perform tag tertiary key verification processing according to the first plaintext data, the first encrypted data and the second tag UID data to obtain a corresponding verification result, and sending the verification result back to the tag verification device.
2. The NFC tag key management system of claim 1,
the tag production equipment is connected to the NFC tag; the tag production equipment is used for sending a UID acquisition instruction to the NFC tag and taking the instruction return data sent back by the NFC tag as the first tag UID data; sending the first tag UID data to the production task allocation terminal and receiving the tertiary key sent back by the production task allocation terminal; and writing the tertiary key into the NFC tag;
the tag verification device is connected to the NFC tag; the tag verification device is used for sending the UID acquisition instruction to the NFC tag and taking the instruction return data sent back by the NFC tag as the second tag UID data; sending the random number application instruction to the verification task allocation terminal and receiving the application random number sent back by the verification task allocation terminal as the first plaintext data; sending an internal authentication instruction carrying the first plaintext data to the NFC tag and taking the instruction return data sent back by the NFC tag as the first encrypted data; sending the first plaintext data, the first encrypted data and the second tag UID data to the verification task allocation terminal and receiving the verification result sent back by the verification task allocation terminal; and displaying the verification result.
3. The NFC tag key management system of claim 1,
the root key encryption machine is specifically used for, during the primary key production processing, receiving a plurality of seed codes through a plurality of encryption keyboards of the encryption machine; forming the received seed codes into a seed code list and storing the seed code list; combining all the seed codes according to a set seed code combination rule to obtain a corresponding seed code combination sequence; taking the seed code combination sequence as the primary key and storing the primary key; and exporting the primary key to a key fob for backup.
4. The NFC tag key management system of claim 1,
the root key encryption machine is specifically configured to, when performing secondary key dispersion processing on the primary key, obtain a first dispersion factor; perform byte-wise negation on the first dispersion factor to obtain a corresponding first negation factor; splice the bytes according to the splicing mode of first dispersion factor followed by first negation factor to generate a corresponding second dispersion factor; encrypt the second dispersion factor with the primary key based on a preset first encryption and decryption algorithm, and take the encryption result as the corresponding secondary key; the first encryption and decryption algorithm is specifically the national cryptographic SM4 algorithm.
5. The NFC tag key management system of claim 1,
the production encryption machine is also connected with an administrator encryption key;
the production encryption machine is specifically configured to, during the first secondary key loading and backup processing, receive the secondary key sent by the root key encryption machine; perform a local key loading operation on the secondary key; if the local key loading operation succeeds, locally generate a random number and record it as a first random number; encrypt the first random number with the loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding first encrypted random number; form a corresponding first backup data group from the first random number, the first encrypted random number and the secondary key; call the administrator encryption key to encrypt the first backup data group to generate corresponding first backup encrypted data; send the first backup encrypted data to the corresponding production backup encryption machine; receive a first backup result sent back by the production backup encryption machine; and, if the first backup result is a successful backup, determine that the first secondary key loading and backup processing has succeeded; the second encryption and decryption algorithm is specifically the national cryptographic SM1 algorithm.
6. The NFC tag key management system of claim 5,
the production backup encryption machine is also connected with the administrator encryption key;
the production backup encryption machine is used for receiving the first backup encrypted data sent by the production encryption machine; calling the administrator encryption key to decrypt the first backup encrypted data to obtain the corresponding first backup data group; extracting the first random number, the first encrypted random number and the secondary key from the first backup data group; performing a local key loading operation on the secondary key; if the local key loading operation succeeds, decrypting the first encrypted random number with the loaded secondary key based on the second encryption and decryption algorithm to generate a corresponding first decrypted random number; identifying whether the first decrypted random number matches the first random number, and if so, setting the first backup result to a successful backup, and if not, setting the first backup result to a failed backup and performing key invalidation processing on the locally loaded secondary key; and sending the first backup result to the production encryption machine.
7. The NFC tag key management system of claim 1,
the production task allocation terminal is specifically used for, when the verification encryption machine or the verification backup encryption machine is called to perform random number generation processing, confirming whether the production encryption machine is currently reporting an error and whether the current task flow is saturated; if it is confirmed that the production encryption machine is not currently reporting an error and the current task flow is not saturated, calling the production encryption machine to perform random number generation processing to obtain the application random number; and if it is confirmed that the production encryption machine is currently reporting an error or the current task flow is saturated, calling the production backup encryption machine to perform random number generation processing to obtain the application random number.
8. The NFC tag key management system of claim 1,
the production task allocation terminal is specifically configured to, when calling the production encryption machine or the production backup encryption machine to perform tag tertiary key production processing according to the first tag UID data, confirm whether the production encryption machine is currently reporting an error and whether the current task flow is saturated; if it is confirmed that the production encryption machine is not currently reporting an error and the current task flow is not saturated, send the first tag UID data to the production encryption machine; if it is confirmed that the production encryption machine is currently reporting an error or the current task flow is saturated, send the first tag UID data to the production backup encryption machine; and receive the tertiary key sent back by the production encryption machine or the production backup encryption machine;
the production encryption machine or the production backup encryption machine is further used for receiving the first tag UID data sent by the production task allocation terminal; encrypting the first tag UID data with the locally loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding tertiary key; and sending the tertiary key back to the production task allocation terminal; the second encryption and decryption algorithm is specifically the national cryptographic SM1 algorithm.
9. The NFC tag key management system of claim 1,
the verification encryption machine is also connected with an administrator encryption key;
the verification encryption machine is specifically used for, during the second secondary key loading and backup processing, receiving the secondary key sent by the root key encryption machine; performing a local key loading operation on the secondary key; if the local key loading operation succeeds, locally generating a random number and recording it as a second random number; encrypting the second random number with the loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding second encrypted random number; forming a corresponding second backup data group from the second random number, the second encrypted random number and the secondary key; calling the administrator encryption key to encrypt the second backup data group to generate corresponding second backup encrypted data; sending the second backup encrypted data to the corresponding verification backup encryption machine; receiving a second backup result sent back by the verification backup encryption machine; and, if the second backup result is a successful backup, determining that the second secondary key loading and backup processing has succeeded; the second encryption and decryption algorithm is specifically the national cryptographic SM1 algorithm.
10. The NFC tag key management system of claim 9,
the verification backup encryption machine is also connected with the administrator encryption key;
the verification backup encryption machine is used for receiving the second backup encrypted data sent by the verification encryption machine; calling the administrator encryption key to decrypt the second backup encrypted data to obtain the corresponding second backup data group; extracting the second random number, the second encrypted random number and the secondary key from the second backup data group; performing a local key loading operation on the secondary key; if the local key loading operation succeeds, decrypting the second encrypted random number with the loaded secondary key based on the second encryption and decryption algorithm to generate a corresponding second decrypted random number; identifying whether the second decrypted random number matches the second random number, and if so, setting the second backup result to a successful backup, and if not, setting the second backup result to a failed backup and performing key invalidation processing on the locally loaded secondary key; and sending the second backup result to the verification encryption machine.
11. The NFC tag key management system of claim 1,
the verification task allocation terminal is specifically used for, when calling the verification encryption machine or the verification backup encryption machine to perform tag tertiary key verification processing according to the first plaintext data, the first encrypted data and the second tag UID data, confirming whether the verification encryption machine is currently reporting an error and whether the current task flow is saturated; if it is confirmed that the verification encryption machine is not currently reporting an error and the current task flow is not saturated, sending the first plaintext data, the first encrypted data and the second tag UID data to the verification encryption machine; if it is confirmed that the verification encryption machine is currently reporting an error or the current task flow is saturated, sending the first plaintext data, the first encrypted data and the second tag UID data to the verification backup encryption machine; and receiving the verification result sent back by the production encryption machine or the production backup encryption machine;
the verification encryption machine or the verification backup encryption machine is further used for receiving the first plaintext data, the first encrypted data and the second tag UID data sent by the verification task allocation terminal; encrypting the second tag UID data with the locally loaded secondary key based on a preset second encryption and decryption algorithm to generate a corresponding first process key; decrypting the first encrypted data with the first process key based on a preset third encryption and decryption algorithm to obtain corresponding second plaintext data; identifying whether the second plaintext data matches the first plaintext data, and if so, setting the verification result to verification success, and if not, setting the verification result to verification failure; and sending the verification result back to the verification task allocation terminal; the second encryption and decryption algorithm is specifically the national cryptographic SM1 algorithm, and the third encryption and decryption algorithm is specifically the national cryptographic SM7 algorithm.
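Added example (not code from the patent): the key hierarchy of claims 4 and 8 and the challenge-response check of claims 2 and 11, in Python. SM1 and SM7 have no public specification, so an HMAC-based Feistel construction stands in for all three SM ciphers; the 8-byte dispersion factor, the zero-padding of the UID, the single-use challenge bookkeeping and every key, factor and UID value are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

BLOCK = 16   # block and key length of the stand-in cipher, in bytes
ROUNDS = 8

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of the round index and one half-block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """STAND-IN for SM4 / SM1 / SM7 (not those algorithms): encrypt one block."""
    if len(block) != BLOCK:
        raise ValueError("stand-in cipher works on exactly one 16-byte block")
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: undo the Feistel rounds in reverse order."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def derive_secondary(primary: bytes, factor: bytes) -> bytes:
    """Claim 4: secondary key = E(primary, factor || byte-wise NOT of factor)."""
    if len(factor) != BLOCK // 2:
        raise ValueError("an 8-byte dispersion factor is assumed here")
    return encrypt_block(primary, factor + bytes(b ^ 0xFF for b in factor))

def derive_tertiary(secondary: bytes, uid: bytes) -> bytes:
    """Claims 8 and 11: per-tag key (or process key) = E(secondary, UID)."""
    if not 0 < len(uid) <= BLOCK:
        raise ValueError("UID must be 1..16 bytes")
    # Assumption: the UID is zero-padded to one cipher block.
    return encrypt_block(secondary, uid.ljust(BLOCK, b"\x00"))

def tag_internal_authenticate(tag_key: bytes, challenge: bytes) -> bytes:
    """Tag side: encrypt the challenge under the tertiary key stored on the tag."""
    return encrypt_block(tag_key, challenge)

class Verifier:  # plays the verification encryption machine holding the secondary key
    def __init__(self, secondary: bytes):
        self._secondary = secondary
        self._issued = set()   # assumption: issued challenges are tracked

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(BLOCK)
        self._issued.add(challenge)
        return challenge

    def verify(self, plaintext: bytes, ciphertext: bytes, uid: bytes) -> bool:
        known = plaintext in self._issued
        self._issued.discard(plaintext)          # single use, pass or fail
        if not known or len(ciphertext) != BLOCK:
            return False
        process_key = derive_tertiary(self._secondary, uid)
        return hmac.compare_digest(decrypt_block(process_key, ciphertext), plaintext)

def demo() -> dict:
    primary = bytes(range(BLOCK))                       # constructed primary key
    secondary = derive_secondary(primary, b"FACTOR01")  # constructed factor
    uid = bytes.fromhex("04a1b2c3d4e5f6")               # constructed 7-byte UID
    tag_key = derive_tertiary(secondary, uid)           # written to the tag in production
    verifier = Verifier(secondary)
    c1 = verifier.new_challenge()
    r1 = tag_internal_authenticate(tag_key, c1)
    c2 = verifier.new_challenge()
    forged = tag_internal_authenticate(secrets.token_bytes(BLOCK), c2)
    return {"genuine": verifier.verify(c1, r1, uid), "replayed": verifier.verify(c1, r1, uid),
            "wrong_key": verifier.verify(c2, forged, uid)}

if __name__ == "__main__":
    print(demo())
```

The verifier never stores per-tag keys: it recomputes the process key from the UID and the secondary key on every check, which is why the secondary key is the asset the backup and loading steps of claims 5, 6, 9 and 10 protect.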
CN202210380656.5A 2022-04-12 2022-04-12 NFC label key management system Active CN114786160B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210380656.5A CN114786160B (en) 2022-04-12 2022-04-12 NFC label key management system


Publications (2)

Publication Number Publication Date
CN114786160A CN114786160A (en) 2022-07-22
CN114786160B CN114786160B (en) 2022-11-11

Family

ID=82429466





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant