CN116206376A - Information protection method, system, device, terminal and storage medium - Google Patents
Information protection method, system, device, terminal and storage medium Download PDFInfo
- Publication number
- CN116206376A CN116206376A CN202111446397.3A CN202111446397A CN116206376A CN 116206376 A CN116206376 A CN 116206376A CN 202111446397 A CN202111446397 A CN 202111446397A CN 116206376 A CN116206376 A CN 116206376A
- Authority
- CN
- China
- Prior art keywords
- card
- identity
- information management
- identifier
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07B—TICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
- G07B11/00—Apparatus for validating or cancelling issued tickets
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4014—Identity check for transactions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Abstract
The embodiment of the application provides an information protection method, an information protection system, an information protection device, an information protection terminal and an information protection storage medium, wherein in the method, under the condition that first information management equipment passes identity authentication, a card purchasing request is sent to second information management equipment according to card purchasing application information, and a ticket identifier generated by the second information management equipment is obtained; calculating to obtain an initial key according to the identity identifier and a first formula, and calculating a unique identity identifier and a service key of the IC card according to the identity identifier, the ticket identifier and the root key; writing the initial key, the ticket card identifier, the unique identity and the service key into the IC card; by establishing a secondary information management mechanism, the information and identity authentication transmitted between the IC card and the terminal and the server are encrypted, so that the information safety of the automatic ticket selling and checking system is ensured, the counterfeiting and cloning of the IC card are prevented, the property loss is reduced, the data leakage is also prevented, and the privacy of a user is protected.
Description
Technical Field
The present disclosure relates to the field of information security, and in particular, to an information protection method, system, device, terminal, and storage medium.
Background
Urban rail transit networks are increasingly complex but more intelligent, and various payment methods are presented by automatic fare collection systems (Automatic Fare Collection, AFC), including: integrated circuit Card (IC Card), payment device, micro-letter, short-range wireless communication technology (Near Field Communication, NFC), and the like. Compared with the common payment modes of payment treasures, weChat and NFC young people, the IC card still has a large number of middle-aged and elderly people who are not good at mobile phone payment.
However, the existing IC card has difficulty in securing its own security due to limited cost. The common IC card security problems mainly comprise two aspects of ticket security and data security, wherein the ticket security is that the ticket is forged, cloned or tampered, and the data security is mainly embodied in that important information is attacked, destroyed or revealed.
The security problem of the IC card causes a great deal of property and economic loss, so that the privacy of users is threatened, and therefore, the information security problem of an automatic ticket vending and checking system in the rail transit needs to be guaranteed.
Disclosure of Invention
The embodiment of the application discloses an information protection method, a system, a device, a terminal and a storage medium, wherein a secondary information management mechanism is established to encrypt information and identity authentication transmitted between an IC card and the terminal as well as between the IC card and the server, so that the information safety of an automatic ticket selling and checking system is ensured, the counterfeiting and cloning of the IC card are prevented, the property loss is reduced, the data leakage is also prevented, and the privacy of a user is protected.
In a first aspect, an embodiment of the present application provides an information protection method, where the method is applied to a first information management device, including:
under the condition that the first information management equipment passes identity authentication, sending a card purchasing request to second information management equipment according to card purchasing application information, and acquiring a ticket card identifier generated by the second information management equipment;
calculating to obtain an initial key according to the identity identifier and a first formula, and calculating a unique identity identifier and a service key of the IC card according to the identity identifier, the ticket identifier and the root key;
and writing the initial key, the ticket card identifier, the unique identity and the service key into the IC card.
In one possible design, in the case that the first information management device passes identity authentication, sending a card purchase request to the second information management device according to card purchase application information, and before obtaining the ticket identifier generated by the second information management device, the method further includes:
the identity identification and registration information of the first information management equipment are sent to the second information management equipment;
and acquiring first encryption information generated by the second information management equipment according to the identity identifier and the registration information, wherein the first encryption information comprises the identity identifier, a first formula and a root key of the first information management equipment.
The first information management equipment has unique identity identifiers, the second information management equipment can perform service interaction with the first information management equipment without repeated registration, identity authentication can be completed by directly sending the identity identifiers, each first information management equipment has unique identity identifiers, the service of each first information management equipment is ensured to be independently processed, systematic errors caused by confusion with data of other first information management equipment are avoided, the correctness of the data is protected, and the correct operation of the system is ensured.
In one possible design, after the calculating according to the identity identifier and the first formula to obtain the initial key, calculating a unique identity identifier and a service key of the IC card according to the identity identifier, the ticket identifier and the root key, and writing the initial key, the ticket identifier, the unique identity identifier and the service key into the IC card, the method further includes:
when the IC card swiping and entering the station is detected, the identity information of the IC card is read, wherein the identity information comprises an identity key, the service key, the unique identity mark and the balance of the ticket face of the IC card;
carrying out identity authentication on the IC card according to the identity key and the first formula, carrying out service authentication on the IC card according to the service key after the identity authentication is passed, verifying whether the IC card meets the inbound condition according to the first card writing amount after the service authentication is qualified, and recording the inbound information of the IC card after the inbound condition is met;
When detecting that the IC card swipes out of the station, reading the unique identity of the IC card and the first card writing amount, searching for the station entering information according to the unique identity, and calculating the consumption amount according to the station entering information;
detecting whether the balance of the IC card system is legal or not according to the consumption amount and the balance check code, under the condition that the balance of the system is legal, modifying the ticket surface balance of the IC card according to the consumption amount, opening an entrance guard after the modification is successful, recording outbound information, calculating the current second card writing amount of the IC card, and sending the second card writing amount to the second information management equipment.
The multiple authentication mainly prevents illegal users from using cloned or imitated IC cards, reduces economic loss of users, and also protects the security of data and prevents the data from being revealed.
In one possible design, the calculating according to the identity identifier and the first formula to obtain the initial key, and calculating according to the identity identifier, the ticket identifier and the root key to calculate the unique identity identifier and the service key of the IC card includes:
the initial key is obtained according to the identity identifier and a first formula, wherein the first formula is as follows:
Wherein a is 00 、a 01 、a 10 、a 11 Is the weight parameter of the first formula, b 0i 、b 1i Is the initial key, substitutes the identity identifier as a second element y of the first formula into the first formula to calculate the b 0i And said b 1i ;
Calculating a unique identity identifier and a service key of the IC card according to the identity identifier, the ticket identifier and the root key, wherein the unique identity identifier is obtained by combining the identity identifier, the ticket identifier and a check code, the check code is generated by a password hash function, and the generation formula is as follows:
e i =H 1 (ID i c i ||K 0 )
wherein, ID i Is said identity identifier c i Is the ticket identifier, e i Is the check code, H 1 Is a cryptographic hash function with an output length of a first length, K 0 Is the root key;
the formula for calculating the service key is as follows:
P i =H 2 (K 0 ||ID i c i )
wherein P is i Is the service key, H 2 Is a cryptographic hash function that outputs a second length.
In one possible design, the authenticating the IC card according to the identity key and the first formula includes:
substituting the ticket identifier as a first element x of the first formula, substituting the identity identifier as a second element y of the first formula into the first formula to calculate the value of the first formula;
Wherein K is i Is the identity key, judges the value of the first formula and K i Whether or not they are equal;
if the identity authentication is equal, the identity authentication passes, otherwise, the identity authentication fails, and failure information is prompted.
The first information management device handles K calculated in the IC card i The process of firstly decrypting and then comparing with the value of the first formula to confirm the identity has higher safety, and even if other people attack the IC card to obtain the identity key but do not know the encryption and decryption protocol between the IC card and the first information management equipment, the identity key cannot be used, so that the data cannot be revealed.
In one possible design, the balance check code is calculated as follows:
e=H 3 (m 2 ||K 0 )
wherein e is a balance check code, m 2 Is the system balance of the IC card, H 3 Is a cryptographic hash function that outputs a third length.
In a second aspect, an embodiment of the present application provides an information protection method, where the method is applied to a second information management device, including:
receiving an identity identifier and registration information of a first information management device sent by the first information management device, verifying the validity of the identity identifier, and generating an identity identifier of the first information management device according to the identity identifier and registration information after the identity identifier is legal;
Selecting a corresponding asymmetric binary polynomial according to the identity identifier, and encrypting and transmitting the identity identifier, the asymmetric binary polynomial and a root key to the first information management device, wherein the root key is a unique identity key of the second information management device;
and receiving a card purchasing request of the first information management equipment, generating a ticket card identifier according to the card purchasing request, recording the ticket card identifier, and sending the ticket card identifier to the first information management equipment.
All data transmitted between the first information management device and the second information management device are encrypted, only the two data are known to the decryption rule, the data security is ensured, the data leakage is avoided, the ticket card identifier is generated by the second information management device for conveniently managing the IC card, the service processing burden of the first information management device is relieved, resources are fully utilized, and the system information processing efficiency is improved.
In one possible design, after the receiving the card purchase request of the first information management device, generating a ticket identifier according to the card purchase request, recording the ticket identifier, and transmitting the ticket identifier to the first information management device, the method further includes:
Receiving an initial card writing amount and a check code sent by the first information management equipment, confirming the identity of the IC card according to the check code, updating the balance of the IC card system according to the initial card writing amount after the identity authentication is passed, and sending confirmation information to the first information management equipment after the updating is completed;
and receiving the second card-writing amount sent by the first information management equipment, and modifying the system balance of the IC card according to the second card-writing amount.
The change of the system money is carried out in the second information management equipment, so that the business burden of the first information management equipment is reduced, the resources of the second information management equipment are fully utilized, the information security is ensured by the encrypted transmission of the data, and the data leakage is prevented.
In a third aspect, an embodiment of the present application provides an information protection method, where the method is applied to an IC card, and includes:
receiving an initial key, a ticket identifier, a unique identity of the IC card and a service key written by first information management equipment;
calculating an identity key of the IC card according to the initial key and the ticket identifier;
before the service is carried out, the identity key is sent to the first information management equipment for identity verification, after the identity verification is successful, the service key and required parameters are sent to the first information management equipment according to service requirements, and the service comprises recharging, inbound and outbound.
In one possible design, calculating the identity key of the IC card from the initial key and the ticket identifier includes:
obtaining coefficient b in initial key 0i 、b 1i And then, the identity key of the IC card is calculated by combining the ticket card identifier, wherein the calculation formula is as follows:
K i =f i (c i )=b 0i +b 1i c i
wherein K is i Is the identity key, c i Is the ticket identifier.
The identity key is temporary data in the IC card, and can be recalculated only when identity authentication is needed, and the identity key can be destroyed after the use is completed. Even if the IC card is attacked, the IC card identity key cannot be directly obtained, so that the IC card is prevented from cloning or fraudulent use, and the information security is protected.
In a fourth aspect, an embodiment of the present application provides an information protection system, including: a first information management device, a second information management device, an IC card,
the first information management device is used for sending a card purchasing request to the second information management device according to card purchasing application information under the condition that the first information management device passes identity authentication, and acquiring a ticket identifier generated by the second information management device; calculating to obtain an initial key according to an identity identifier and a first formula, calculating a unique identity identifier and a service key of an IC card according to the identity identifier, the ticket identifier and a root key, and writing the initial key, the ticket identifier, the unique identity identifier and the service key into the IC card;
The second information management device is used for receiving the identity identifier and the registration information of the first information management device, which are sent by the first information management device, verifying the validity of the identity identifier, and generating an identity identifier of the first information management device according to the identity identifier and the registration information after the identity identifier is legal; selecting a corresponding asymmetric binary polynomial according to the identity identifier, and encrypting and transmitting the identity identifier, the asymmetric binary polynomial and a root key to the first information management device, wherein the root key is a unique identity key of the second information management device; receiving a card purchasing request of the first information management equipment, generating a ticket card identifier according to the card purchasing request, recording the ticket card identifier, and sending the ticket card identifier to the first information management equipment;
the IC card is used for receiving the initial key written by the first information management equipment, the ticket identifier, the unique identity of the IC card and the service key; calculating an identity key of the IC card according to the initial key and the ticket identifier; before the service is carried out, the identity key is sent to the first information management equipment for identity verification, after the identity verification is successful, the service key and required parameters are sent to the first information management equipment according to service requirements, and the service comprises recharging, inbound and outbound.
In a fifth aspect, an embodiment of the present application provides an apparatus for protecting information, including:
the first sending unit is used for sending a card purchasing request to the second information management equipment according to card purchasing application information under the condition that the first information management equipment passes identity authentication;
an acquisition unit configured to acquire a ticket identifier generated by the second information management apparatus;
the first calculation unit is used for calculating and obtaining an initial key according to the identity identifier and a first formula, and calculating a unique identity identifier and a service key of the IC card according to the identity identifier, the ticket card identifier and the root key;
and the writing unit is used for writing the initial key, the ticket card identifier, the unique identity and the service key into the IC card.
In one possible design, the first sending unit is further configured to send, to the second information management device, an identity and registration information of the first information management device;
the obtaining unit is further configured to obtain first encryption information generated by the second information management device according to the identity identifier and the registration information, where the first encryption information includes the identity identifier, the first formula, and the root key of the first information management device.
In one possible design, the information protection device further includes:
the reading unit is used for reading the identity information of the IC card when the IC card is detected to be in station by swiping the card, wherein the identity information comprises an identity key, the service key, the unique identity mark and the balance of the ticket face of the IC card;
the authentication recording unit is used for carrying out identity authentication on the IC card according to the identity key and the first formula, carrying out service authentication on the IC card according to the service key after the identity authentication is passed, verifying whether the IC card meets the inbound condition according to the first card writing amount after the service authentication is qualified, and recording the inbound information of the IC card after the inbound condition is met;
the charging unit is used for reading the unique identity mark of the IC card and the first card writing amount when detecting that the IC card swipes the card to be out of the station, searching for the station entering information according to the unique identity mark, and calculating the consumption amount according to the station entering information;
and the deduction updating unit is used for detecting whether the system balance of the IC card is legal or not according to the consumption amount and the balance check code, modifying the ticket surface balance of the IC card according to the consumption amount under the condition that the system balance is legal, opening an entrance guard after the modification is successful, recording outbound information, calculating the second write card amount of the current IC card, and transmitting the second write card amount to the second information management equipment.
In one possible design, the first computing unit is specifically configured to:
the initial key is obtained according to the identity identifier and a first formula, wherein the first formula is as follows:
wherein a is 00 、a 01 、a 10 、a 11 Is the weight parameter of the first formula, b 0i 、b 1i Is the initial key, substitutes the identity identifier as a second element y of the first formula into the first formula to calculate the b 0i And said b 1i ;
Calculating a unique identity identifier and a service key of the IC card according to the identity identifier, the ticket identifier and the root key, wherein the unique identity identifier is obtained by combining the identity identifier, the ticket identifier and a check code, the check code is generated by a password hash function, and the generation formula is as follows:
e i =H 1 (ID i c i ||K 0 )
wherein, ID i Is said identity identifier c i Is the ticket identifier, e i Is the check code, H 1 Is a cryptographic hash function with an output length of a first length, K 0 Is the root key;
the formula for calculating the service key is as follows:
P i =H 2 (K 0 ||ID i c i )
wherein P is i Is the service key, H 2 Is a cryptographic hash function that outputs a second length.
In one possible design, the authentication recording unit is specifically configured to:
substituting the ticket identifier as a first element x of the first formula, substituting the identity identifier as a second element y of the first formula into the first formula to calculate the value of the first formula;
Wherein K is i Is the identity key, judges the value of the first formula and K i Whether or not they are equal;
if the identity authentication is equal, the identity authentication passes, otherwise, the identity authentication fails, and failure information is prompted.
In a sixth aspect, an embodiment of the present application provides an apparatus for protecting information, including:
the registration authentication unit is used for receiving the identity identifier and registration information of the first information management equipment, which are sent by the first information management equipment, verifying the validity of the identity identifier, and generating an identity identifier of the first information management equipment according to the identity identifier and registration information after the identity identifier is legal;
a second sending unit, configured to select a corresponding asymmetric binary polynomial according to the identifier, and send the identifier, the asymmetric binary polynomial, and a root key to the first information management device in an encrypted manner, where the root key is a unique identifier key of the second information management device;
and the card purchasing unit is used for receiving a card purchasing request of the first information management equipment, generating a ticket card identifier according to the card purchasing request, recording the ticket card identifier and sending the ticket card identifier to the first information management equipment.
In one possible design, the apparatus for protecting information further includes:
an authentication updating unit, configured to receive an initial card writing amount and a check code sent by the first information management device, confirm the identity of the IC card according to the check code, update the balance of the IC card system according to the initial card writing amount after the identity authentication is passed, and send confirmation information to the first information management device after the update is completed;
and the balance modification unit is used for receiving the second card-writing amount sent by the first information management equipment and modifying the system balance of the IC card according to the second card-writing amount.
In a seventh aspect, an embodiment of the present application provides an apparatus for protecting information, including:
the receiving and writing unit is used for receiving the initial key, the ticket identifier, the unique identity of the IC card and the service key written by the first information management equipment;
a second calculation unit configured to calculate an identity key of the IC card based on the initial key and the ticket identifier;
and the service unit is used for transmitting the identity key to the first information management equipment for identity verification before the service is carried out, and transmitting the service key and required parameters to the first information management equipment according to service requirements after the identity verification is successful, wherein the service comprises recharging, inbound and outbound.
In one possible design, the second computing unit is specifically configured to:
obtaining coefficient b in initial key 0i 、b 1i Calculating the identity key of the IC card by combining the ticket identifier, and calculating a public keyThe formula is as follows:
K i =f i (c i )=b 0i +b 1i c i
wherein K is i Is the identity key, c i Is the ticket identifier.
In an eighth aspect, an embodiment of the present application provides an information protection system, including: a first information management device, a second information management device, an IC card,
the first information management device is used for sending a card purchasing request to the second information management device according to card purchasing application information under the condition that the first information management device passes identity authentication, and acquiring a ticket identifier generated by the second information management device; calculating to obtain an initial key according to an identity identifier and a first formula, calculating a unique identity identifier and a service key of an IC card according to the identity identifier, the ticket identifier and a root key, and writing the initial key, the ticket identifier, the unique identity identifier and the service key into the IC card;
the second information management device is used for receiving the identity identifier and the registration information of the first information management device, which are sent by the first information management device, verifying the validity of the identity identifier, and generating an identity identifier of the first information management device according to the identity identifier and the registration information after the identity identifier is legal; selecting a corresponding asymmetric binary polynomial according to the identity identifier, and encrypting and transmitting the identity identifier, the asymmetric binary polynomial and a root key to the first information management device, wherein the root key is a unique identity key of the second information management device; receiving a card purchasing request of the first information management equipment, generating a ticket card identifier according to the card purchasing request, recording the ticket card identifier, and sending the ticket card identifier to the first information management equipment;
The IC card is used for receiving the initial key written by the first information management equipment, the ticket identifier, the unique identity of the IC card and the service key; calculating an identity key of the IC card according to the initial key and the ticket identifier; before the service is carried out, the identity key is sent to the first information management equipment for identity verification, after the identity verification is successful, the service key and required parameters are sent to the first information management equipment according to service requirements, and the service comprises recharging, inbound and outbound.
In a ninth aspect, an embodiment of the present application provides a terminal, which is characterized by including an input device, an output device, a processor, and a memory, where the input device, the output device, the processor, and the memory are connected to each other, and the memory is configured to store a computer program, where the computer program includes program instructions, and the processor is configured to invoke the program instructions to execute the steps of the method described above.
In a tenth aspect, embodiments of the present application provide a computer readable storage medium, wherein the computer storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to perform the steps of the above-described method.
In the embodiment of the application, the information security is ensured by adopting a secondary information management mechanism, and under the condition that the first information management equipment passes through the identity authentication of the second information management equipment, a card purchasing request is sent to the second information management equipment according to card purchasing application information, and after the second information management equipment processes the card purchasing application, the first information management equipment acquires a ticket card identifier generated by the second information management equipment; the second information management equipment calculates and obtains an initial key according to the identity identifier and the first formula, and calculates a unique identity identifier and a service key of the IC card according to the identity identifier, the ticket card identifier and the root key; writing the initial key, ticket identifier, unique identity, service key into IC card; the IC card receives an initial key, a ticket identifier, a unique identity of the IC card and a service key written by the first information management equipment; the IC card calculates the identity key of the IC card according to the initial key and the ticket identifier; before the business is carried out, the IC card sends the identity key to the first information management equipment for identity verification, and after the identity verification is successful, the business key and required parameters are sent to the first information management equipment according to business requirements, wherein the business comprises recharging, inbound and outbound. Thus, the two-layer information management mechanism, the identity key and the service key realize strict identity authentication and data encryption of the IC card, ensure information security and reduce property loss and other related problems caused by counterfeiting, cloning and data leakage of the IC card.
Drawings
In order to more clearly describe the technical solutions in the embodiments or the background of the present application, the following will briefly describe the drawings that are required to be used in the embodiments or the background of the present application.
Fig. 1a is a schematic flow chart of a first information protection method according to an embodiment of the present application;
fig. 1b is a schematic diagram of a second flow of an information protection method according to an embodiment of the present application;
fig. 2a is a schematic third flow chart of an information protection method according to an embodiment of the present application;
fig. 2b is a fourth flowchart of an information protection method according to an embodiment of the present application;
fig. 3 is a fifth flowchart of an information protection method according to an embodiment of the present application;
fig. 4a is a schematic diagram of identity authentication provided in an embodiment of the present application;
fig. 4b is a schematic diagram of data encryption and service processing provided in an embodiment of the present application;
fig. 5a is a schematic first structural diagram of an apparatus for protecting information according to an embodiment of the present application;
fig. 5b is a second schematic structural diagram of an apparatus for protecting information according to an embodiment of the present application;
fig. 5c is a schematic third structural diagram of an apparatus for protecting information according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a terminal according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the present application will be further described with reference to the accompanying drawings.
The terms "first" and "second" and the like in the description, claims and drawings of the present application are used for distinguishing between different objects and not for describing a particular sequential order. Furthermore, the terms "comprising," "including," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion. Such as a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to the list of steps or elements but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly understand that the embodiments described herein may be combined with other embodiments.
In the present application, "at least one (item)" means one or more, "a plurality" means two or more, and "at least two (items)" means two or three or more, and/or "for describing an association relationship of an association object, three kinds of relationships may exist, for example," a and/or B "may represent: only a, only B and both a and B are present, wherein a, B may be singular or plural. The character "/" generally indicates that the context-dependent object is an "or" relationship. "at least one of (a) or a similar expression thereof means any combination of these items. For example, at least one (one) of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c".
It should be understood that, although the steps in the flowcharts in the embodiments of the present application are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited in order and may be performed in other orders, unless explicitly stated herein. Moreover, at least some of the steps in the figures may include multiple sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order of their execution not necessarily occurring in sequence, but may be performed alternately or alternately with other steps or at least a portion of the other steps or stages.
The words "if", as used herein, may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrase "if determined" or "if detected (stated condition or event)" may be interpreted as "when determined" or "in response to determination" or "when detected (stated condition or event)" or "in response to detection (stated condition or event), depending on the context.
It should be noted that, in this document, step numbers such as S201 and S202 are adopted, and the purpose of the present invention is to more clearly and briefly describe the corresponding content, and not to constitute a substantial limitation on the sequence, and those skilled in the art may execute S202 before S201 in the implementation, which are all within the scope of protection of the present application.
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
In the following description, suffixes such as "module", "component", or "unit" for representing elements are used only for facilitating the description of the present application, and are not of specific significance per se. Thus, "module," "component," or "unit" may be used in combination.
The terminal may be implemented in various forms. For example, terminals described in the present application may include smart terminals such as cell phones, tablet computers, notebook computers, palm computers, personal digital assistants (Personal Digital Assistant, PDA), portable media players (Portable Media Player, PMP), navigation devices, wearable devices, smart bracelets, pedometers, and stationary terminals such as digital TVs, desktop computers, and the like.
The following description will be given taking a personal computer (personal computer, PC) as an example, and those skilled in the art will understand that the configuration according to the embodiment of the present application can be applied to a mobile type terminal in addition to elements particularly used for a stationary purpose.
The embodiment of the application provides an information protection method, an information protection system, an information protection device, an information protection terminal and a storage medium, and for the purpose of describing a scheme of the application more clearly, the embodiment of the application is described below with reference to drawings in the embodiment of the application.
Urban rail transit networks are increasingly complex but more intelligent, and various payment methods are presented by automatic fare collection systems (Automatic Fare Collection, AFC), including: integrated circuit Card (IC Card), payment device, micro-letter, short-range wireless communication technology (Near Field Communication, NFC), and the like. Compared with the common payment modes of payment treasures, weChat and NFC young people, the IC card still has a large number of middle-aged and elderly people who are not good at mobile phone payment.
However, the existing IC card has difficulty in securing its own security due to limited cost. The common IC card security problems mainly comprise two aspects of ticket security and data security, wherein the ticket security is that the ticket is forged, cloned or tampered, and the data security is mainly embodied in that important information is attacked, destroyed or revealed.
The security problem of the IC card causes a great deal of property and economic loss, so that the privacy of users is threatened, and therefore, the information security problem of an automatic ticket vending and checking system in the rail transit needs to be guaranteed.
Aiming at the problems, the embodiment of the application provides an information protection method, which realizes effective identity authentication and data encryption of an IC card by utilizing a secondary information management mechanism and a double secret key, ensures information security and reduces property loss and other related problems caused by counterfeiting, cloning and data leakage of the IC card.
Referring to fig. 1a, a first flowchart of an information protection method according to an embodiment of the present application is provided, where the information protection method is applied to a first information management device, and the method includes, but is not limited to, the following steps.
S101, under the condition that the first information management equipment passes identity authentication, the first information management equipment sends a card purchasing request to the second information management equipment according to card purchasing application information, and a ticket identifier generated by the second information management equipment is obtained.
The first information management device includes station systems of each station, operation centers of each line, intermediate stations of operation lines of each station operation system, or a single operation line, and the second information management device includes servers with large-scale data processing capability, such as a cloud service center and a local server. The second information management apparatus manages the first information management apparatus, a single second information management apparatus may manage a plurality of first information management apparatuses, a single second information management apparatus may be managed by a plurality of first information management apparatuses, and in one ticketing system, there may be a plurality of first information management apparatuses, a plurality of second information management apparatuses. The ticket identifier is the unique identity standard identifier c of the IC card i 。
Specifically, after the first information management device receives a card purchase request of a user or receives card purchase information input by a salesman, the first information management device needs to send the card purchase request to the second information management device, but before sending the card purchase request, identity authentication information needs to be sent to the second information management device, if the first information management device is registered in the second information management device before, only the identity identifier ID of the first information management device needs to be sent i The second information management device receives the ID i And then, carrying out identity authentication, if the corresponding identity identifier exists, transmitting a card purchasing request to the second information management equipment by the first information management equipment after the identity authentication passes, processing the card purchasing request by the second information management equipment, generating a ticket card identifier and transmitting the ticket card identifier to the first information management equipment. After the ticket identifier is obtained, the first information management deviceThe preparation continues to step S102. If the second information management device does not have the corresponding identity identifier, the identity authentication fails, an error is prompted, and the first information management device does not send a card purchasing application and can process the corresponding error.
After the first information management device obtains the ticket identifier, the first information management device continues to execute step S102, where step S102 is as follows:
s102: the first information management device calculates and obtains an initial key according to the identity identifier and the first formula, and calculates a unique identity identifier and a service key of the IC card according to the identity identifier, the ticket identifier and the root key.
The initial key is data used by the IC card to calculate an identity key, the unique identity is an identity used by the IC card when the IC card performs service, and the service key is a key which is transmitted to the first information management device for verification each time the IC card performs service and can perform service after verification is successful.
Specifically, the first information management device substitutes the identity identifier into the first formula to obtain the initial key, then calculates the unique identity identifier and the service key of the IC card by using the identity identifier, the ticket identifier and the root key, calculates the same parameters used by the unique identity identifier and the service key, but the calculation formulas are different, the calculation process has no time sequence limitation, and the calculation process can be set according to specific requirements.
Optionally, the calculating according to the identity identifier and the first formula to obtain the initial key, and calculating according to the identity identifier, the ticket identifier and the root key to calculate the unique identity identifier and the service key of the IC card includes:
the initial key is obtained by calculation according to the identity identifier and a first formula, wherein the first formula is as follows:
wherein a is 00 、a 01 、a 10 、a 11 Is the weight parameter of the first formula, b 0i 、b 1i Is the initial key, which will be the bodySubstituting the share identifier as a second element y of the first formula into the first formula to calculate the b 0i And b is as described above 1i ;
Calculating a unique identity and a service key of the IC card according to the identity identifier, the ticket identifier and the root key, wherein the unique identity is obtained by combining the identity identifier, the ticket identifier and a check code, the check code is generated by a password hash function, and the generation formula is as follows:
e i =H 1 (ID i c i ||K 0 )
Wherein, ID i Is the identity identifier, c i Is the ticket identifier, e i Is the check code, H 1 Is a cryptographic hash function with an output length of a first length, K 0 Is the root key, and "||" indicates the arrangement order;
the formula for calculating the service key is as follows:
P i =H 2 (K 0 ||ID i c i )
wherein P is i Is the service key, H 2 Is a cryptographic hash function that outputs a second length.
Specifically, the identity identifier ID i Substituting the y value as the first formula into the first formula for calculation, and combining the same kind of terms to obtain the initial key b 0i 、b 1i The unique identity is obtained by combining an identity identifier, a ticket identifier and a check code, the identity identifier and the ticket identifier are existing in the first information management equipment, the check code must be obtained, and the calculation formula of the check code needs an ID as above i 、c i 、K 0 These three data are passed into the cryptographic hash function H 1 To obtain the service key also requires an ID i 、c i 、K 0 These three parameters are passed into the cryptographic hash function H 2 Obtained by H 1 And H 2 Are all cipher hash functions but have different cipher digits, the designer can choose according to specific needs, and ID i 、c i 、K 0 These three parameters are transmittedThe difference in delivery order and combination also results in a difference in check code and service key, and the arrangement adopted in this scheme is only an example of one possible way.
S103: the first information management apparatus writes the initial key, the ticket identifier, the unique identification, and the service key into the IC card.
Specifically, after executing step S102, the first information management apparatus obtains all information that the IC card can perform the service, but at this time, the IC card is still a blank card, and the first information management apparatus needs to write the initial key, the ticket identifier, the unique identity, the service key into the IC card, and the newly purchased IC card can be used.
After the IC card can be normally used, a user is required to finish the first money recharging, the first information management equipment receives the information of the recharging money m, then generates the initial card-writing money according to the recharging money, sends the initial card-writing money and the check code to the second information management equipment, and after the confirmation information of the second information management equipment is received, the first information management equipment modifies the ticket balance of the IC card according to the recharging money.
The recharging of the IC card can be performed by a user inputting recharging amount into a corresponding machine, or by a station manager inputting recharging amount into a station system.
In the first aspect, the second information management device performs identity authentication on the first information management device, and service can be performed after authentication is passed, so that the problem that the illegal first information management device can access the data of the second information management device is avoided, and information security is ensured. In the second aspect, the ticket identifier is generated in the first information management device, so that the second information management device can manage the IC card conveniently, and the management range of the first information management device is expanded. In the third aspect, the first information management device only encrypts some necessary data and writes the encrypted necessary data into the IC card, so that the problem that a large amount of user data is leaked after the IC card is attacked is avoided, even if an illegal user acquires the data, the illegal user cannot use the encrypted necessary data without knowing encryption rules, and the security of the data is greatly enhanced.
In the case that the first information management device does not pass the identity authentication, that is, the first information management device has not been registered in the second information management device before, the following steps are performed according to a second flowchart of an information protection method provided in fig. 1b for an embodiment of the present application:
s104: the first information management device sends the identity and registration information of the first information management device to the second information management device.
The identification means data, such as ID, of the first information management device capable of uniquely identifying the first information management device, and the registration information includes information such as name, address, role, number of devices, serial number of devices, and the like of the first information management device.
Specifically, since the first information management device is not registered in the second information management device, in order to ensure that the service is performed normally, it is necessary to send the identity and registration information of itself to the second information management device, and step S105 is performed after the sending is completed.
S105: the first information management device obtains first encryption information generated by the second information management device according to the identity and the registration information, wherein the first encryption information comprises an identity identifier, a first formula and a root key of the first information management device.
The identifier is an identifier capable of uniquely identifying the first information management apparatus, i.e., the above-mentioned identifier ID i The first formula is an asymmetric binary polynomial selected by the second information management equipment according to the identity, and the root key K 0 The IC card is secured and the unique identity key of the second information management device is also used.
Specifically, after the first information management device is successfully registered in the second information management device, first encryption information generated by the second information management device according to the identity identifier and the registration information is obtained, wherein the first encryption information comprises the identity identifier, the first formula and the root key of the first information management device.
Thus, the first information management equipment has unique identity identifiers, the second information management equipment does not need to repeatedly register after service interaction, identity authentication can be completed by directly sending the identity identifiers, each first information management equipment has unique identity identifiers, the service of each first information management equipment is ensured to be independently processed, systematic errors caused by confusion with data of other first information management equipment are avoided, the correctness of the data is protected, and the correct operation of the system is ensured.
After the step S103 in fig. 1a or 1b is completed, all necessary information required for the IC card to perform the service has been written into the IC card, which can be used normally, and the related service is performed.
The process of entering the IC card through the card may refer to step S106 in fig. 1b, and step S106 is as follows:
s106: when the first information management equipment detects that the IC card swipes and enters the station, the identity information of the IC card is read, wherein the identity information comprises an identity key, a service key, a unique identity mark and the ticket balance of the IC card.
Note that, the balance m of the ticket face of the IC card 1 Is the balance in the IC card, the identity key K i Is a key calculated in the IC card for verifying the identity of the IC card.
Specifically, when the first information management device detects that the IC card swipes into the station, the first information management device reads the identity information of the IC card, where the identity information includes the data of an identity key, a service key, a unique identity identifier, and a ticket balance of the IC card. The IC card identity is read to carry out identity authentication and business operation on the IC card, and the business authentication is carried out only after the identity authentication is passed, so that the IC card is prevented from being used and the property loss of a customer is reduced.
S107: the first information management equipment performs identity authentication on the IC card according to the identity key and the first formula, performs service authentication on the IC card according to the service key after the identity authentication is passed, verifies whether the IC card meets the inbound condition according to the first card writing amount after the service authentication is qualified, and records the inbound information of the IC card after the inbound condition is met.
Wherein the first card amount a 1 =m 1 ||m 2 ||H 1 (m 2 ||K 0 ) First write card goldThe amount comprises a system balance, an IC card ticket face balance and a balance verification code e=H 1 (m 2 ||K 0 ) A=m in the initial credit card amount 1 ||m 2 ||H 1 (m||K 0 ),m 1 Is the balance of the ticket face of the IC card, and m 2 The balance of the system is the sum of the recharging amount, and the written card amount is defined to be m time-consuming when the IC buckle is not used at the initial time 1 =m 2 =m; after using IC card fee, when m 1 =m 2 When the situation is normal; when m is 1 <m 2 When the payment is off-line deduction; when m is 1 >m 2 When the IC card is in a safe state, the IC card needs to be frozen in time, so that larger loss is prevented.
Specifically, the first information management device judges whether the identity key value is equal to the value of the first formula according to the acquired identity key of the IC card to judge whether the identity authentication is qualified or not, if the identity authentication is qualified, otherwise, the identity authentication is failed, the service authentication is qualified after the identity authentication is passed, if the corresponding service key exists in the first information management device, the service authentication is qualified, whether the incoming condition is met or not is verified according to the first writing card amount after the service authentication is qualified, mainly for verifying whether the ticket surface balance of the IC card and the system amount can meet the writing card amount specification, the corresponding processing is not carried out according to the error, and when the ticket surface balance of the IC card is 0, the user is reminded of recharging, and after the two aspects are verified, the first information management device records the incoming information of the IC card including incoming time, place and balance.
The multiple authentication mainly prevents illegal users from using cloned or imitated IC cards, reduces economic loss of users, and also protects the security of data and prevents the data from being revealed.
Optionally, the authenticating the IC card according to the identity key and the first formula includes:
substituting the ticket identifier as a first element x of the first formula and the identity identifier as a second element y of the first formula into the first formula to calculate the value of the first formula;
wherein K is i Is the identity key, judges the value of the first formula and K i Whether or not they are equal;
if the identity authentication is equal, the identity authentication passes, otherwise, the identity authentication fails, and failure information is prompted.
Specifically, the ticket identifier c i As x-value, the identity identifier ID i Substituting y value into the first formula to calculate the value of the first formula, and then substituting K into the first formula i Comparing the values with the value of the first formula, if the values are equal, passing the identity authentication, otherwise, failing the identity authentication, and prompting failure information.
The first information management apparatus thus manages K calculated in the IC card i The process of firstly decrypting and then comparing with the value of the first formula to confirm the identity has higher safety, and even if other people attack the IC card to obtain the identity key but do not know the encryption and decryption protocol between the IC card and the first information management equipment, the identity key cannot be used, so that the data cannot be revealed.
S108: when the first information management equipment detects that the IC card swipes the card and goes out of the station, the unique identity of the IC card and the first card writing amount are read, the station entering information is searched according to the unique identity, and the consumption amount is calculated according to the station entering information.
Specifically, because identity and service authentication are already performed during the inbound, the first information management device does not need repeated authentication when detecting that the IC card swipes the card and goes out of the station, only the unique identity of the IC card is required to be read, and then the inbound information of the IC card and the station charging standard of the current outbound station and the system are searched according to the unique identity to calculate the consumption amount.
The authentication is not needed to be repeated, the flow is reduced, the use of users is convenient, and the time is saved.
S109: the first information management equipment detects whether the system balance of the IC card is legal or not according to the consumption amount and the balance check code, and under the condition that the system balance is legal, the balance of the ticket face of the IC card is modified according to the consumption amount, after the modification is successful, the entrance guard is opened, the outbound information is recorded, the second card writing amount of the current IC card is calculated, and the second card writing amount is sent to the second information management equipment.
It should be noted that, the second card amount is the same as the first card amount, but the values are different, the balance check code mainly has a verification function, and the balance verification service is allowed to be executed after the balance check code is obtained.
Specifically, the first information management device judges whether the system balance of the IC card is enough to pay the consumption amount according to the consumption amount and the balance check code, if the system balance is enough, the first information management device modifies the ticket surface balance of the IC card according to the consumption amount, opens the gate after the modification is successful, records the current outbound information, and also recalculates the card writing amount, updates the new ticket surface balance of the IC card, the system balance and the balance check code to the card writing amount to obtain a second card writing amount, and then sends the second card writing amount to the second information management device.
Optionally, the balance check code is calculated as follows:
e=H 3 (m 2 ||K 0 )
wherein e is a balance check code, m 2 Is the system balance of the IC card, H 3 Is a cryptographic hash function of a third length, here H 3 And H 1 、H 2 Are all cryptographic hash functions, and the first length, the second length and the third length may be set to different values or the same value according to different needs.
Specifically, the balance verification code is obtained by transmitting the system balance and the root key into the password hash function, the balance verification code is obtained, the data security is further ensured, and the possibility of data leakage is reduced through multiple verification.
Through the dual key authentication of the identity key and the service key, the authentication process is more strict and accurate, the information security is protected, all transmitted data are encrypted, the data leakage is avoided, and the property loss caused by the data leakage is reduced.
Referring to fig. 2a, a third flow chart of an information protection method according to an embodiment of the present application is provided, where the information protection method is applied to a second information management device, and the method includes, but is not limited to, the following steps.
S201, the second information management device receives the identity mark and the registration information of the first information management device, which are sent by the first information management device, verifies the validity of the identity mark, and generates an identity mark of the first information management device according to the identity mark and the registration information after the identity mark is legal.
Specifically, the second information management device receives the identity identifier and the registration information of the first information management device, which are sent by the first information management device, verifies the validity of the identity identifier, wherein the verification of the validity of the identity identifier is to verify whether the identity identifier accords with the agreement of the first information management device and the second information management device about the identity identifier before, and if the identity identifier accords with the agreement, the agreement is legal, otherwise, the identity identifier is illegal. For example, the first information management device and the second information management device agree on an ID of the first information management device, if the identity identifier transmitted by the first information management device is the name of the first information management device, the identity identifier does not agree with the agreement, and the identity identifier is not legal.
After verifying the identity is legal, the second information management device generates the identity identifier of the first information management device according to the identity and the registration information, the generation rule is various, the identity identifier and the registration information can be directly arranged in sequence to obtain a serial number which is the identity identifier, and the serial numbers in the identity identifier and the registration information can be transmitted into a password hash function together to obtain the identity identifier with the required digits.
S202, the second information management device selects a corresponding asymmetric binary polynomial according to the identity identifier, and encrypts and sends the identity identifier, the asymmetric binary polynomial and a root key to the first information management device, wherein the root key is a unique identity key of the second information management device.
Specifically, the second information management device selects an asymmetric binary polynomial for the second information management device according to the identity identifier, wherein the asymmetric binary polynomial is randomly generated, and a is as described above 00 、a 01 、a 10 、a 11 Is a weight parameter of the first formula, in other words a 00 、a 01 、a 10 、a 11 The second information management device encrypts and transmits the identity identifier, the asymmetric binary polynomial and the root key to the first information management device after obtaining the corresponding asymmetric binary polynomial, wherein the root key is the unique identity identification key of the second information management device.
All data transmitted between the first information management device and the second information management device are encrypted, and only the first information management device and the second information management device know decryption rules, so that the safety of the data is ensured, and the data leakage is avoided.
And S203, the second information management device receives the card purchasing request of the first information management device, generates a ticket identifier according to the card purchasing request, records the ticket identifier, and sends the ticket identifier to the first information management device.
Specifically, the second information management device receives the card purchasing request of the first information management device, generates the ticket identifier according to the card purchasing request, and generates the ticket identifier in a similar manner to the manner of generating the identity identifier.
After the ticket identifier is generated, the second information management device records the generated ticket identifier for facilitating subsequent identity authentication and management of the IC card, and after the ticket identifier is recorded, the ticket identifier is sent to the first information management device.
The ticket identifier is generated by the second information management device for the convenience of managing the IC card, reducing the business processing burden of the first information management device, fully utilizing resources and improving the efficiency of system information processing.
After the identity registration and authentication of the first information management device and the IC card are completed, the second information management device may execute the corresponding service according to the service request, and the specific execution process may refer to fig. 2b for a fourth flowchart of an information protection method provided in the embodiment of the present application, and after step S203, step S204 may be executed, where the details of step S204 are as follows:
s204: the second information management equipment receives the initial card writing amount and the check code sent by the first information management equipment, confirms the identity of the IC card according to the check code, updates the balance of the IC card system according to the initial card writing amount after the identity authentication is passed, and sends confirmation information to the first information management equipment after the updating is completed.
The format of the initial card amount is not different from the first card amount and the second card amount, and is different from the change of the balance value, and the initial card amount is generally the charging amount of the recording IC card.
Specifically, the second information management device receives the initial card writing amount and the check code sent by the first information management device, firstly combines the check code with the identity identifier of the current first information management device and the ticket identifier of the IC card according to a contracted format and checks whether the check code can be matched with the existing unique identity identifier, if so, the IC card identity authentication is qualified, the second information management device updates the balance of the IC card system according to the initial card writing amount, and sends confirmation information to the first information management device after updating is completed; if the IC card identity authentication is not matched, the IC card identity authentication is not qualified, and error information is sent to the first information management equipment.
The recharging process is completed in the second information management device, so that on one hand, the information processing burden of the first information management device is reduced, on the other hand, the second information management device is convenient to manage the first information management device and the IC card, the first information management device and the IC card can be strictly monitored, the risk that the IC card can be still used after being counterfeited is avoided, and the system safety is guaranteed.
S205: the second information management device receives the second write card amount sent by the first information management device, and modifies the system balance of the IC card according to the second write card amount.
The second credit card amount is mainly an amount change due to deduction.
Specifically, the second information management device receives the second card-writing amount sent by the first information management device, reads the verification code in the second card-writing amount to verify whether balance modification can be performed, reads the new system balance in the second card-writing amount after verification is passed, modifies the original system balance into the new system balance, and sends confirmation information to the first information management device after modification is completed.
The change of the system money is carried out in the second information management equipment, so that the business burden of the first information management equipment is reduced, the resources of the second information management equipment are fully utilized, the information security is ensured by the encrypted transmission of the data, and the data leakage is prevented.
Referring to fig. 3, a fifth flowchart of an information protection method according to an embodiment of the present application is provided, where the information protection method is applied to an IC card, and the method includes, but is not limited to, the following steps.
S301: the IC card receives the initial key, ticket identifier, unique ID of the IC card and service key written by the first information management device.
Specifically, the IC card receives the initial key, ticket identifier, unique identity of the IC card, and service key written by the first information management device.
The IC card receives and writes the data, so that the subsequent identity authentication and service can be realized, the authentication process is more complicated due to various identity authentication parameters, the data leakage is prevented, and the information safety is ensured.
S302: the IC card calculates an identity key of the IC card based on the initial key and the ticket identifier.
Specifically, the IC card calculates an identity key of the IC card according to two coefficients of the initial key, and the process of calculating the identity key is performed on the IC card alone.
Optionally, calculating the identity key of the IC card according to the initial key and the ticket flag Fu Ji includes:
obtaining coefficient b in initial key 0i 、b 1i And then the identity key of the IC card is calculated by combining the ticket card mark Fu Ji, and the calculation formula is as follows:
K i =f i (c i )=b 0i +b 1i c i
Wherein K is i Is the identity key, c i Is the ticket identifier described above.
Specifically, coefficient b in the initial key is to be calculated 0i 、b 1i Substituting the identity key calculation formula f i (c i ) The value obtained is the identity key K i 。
The identity key is temporary data in the IC card, and can be recalculated only when identity authentication is needed, and the identity key can be destroyed after the use is completed. Even if the IC card is attacked, the IC card identity key cannot be directly obtained, so that the IC card is prevented from cloning or fraudulent use, and the information security is protected.
S303: before the IC card performs service, the identity key is sent to the first information management equipment for identity verification, after the identity verification is successful, the service key and required parameters are sent to the first information management equipment according to service requirements, and the service comprises recharging, inbound and outbound.
Specifically, when each service is to be performed, the IC card sends the identity key to the first information management device to perform identity verification, after the identity verification is successful, the service key is sent to perform service verification according to the requirement, and parameters such as the identity key, the service key, the ticket identifier, the unique identity identifier and the IC card ticket balance are sent according to the requirement after the service verification is passed, and when the service is out, the identity key and the service key are not needed to be sent because the service authentication is completed by the incoming station, but the unique identity identifier is needed to be sent, and when the service is recharged, the identity key, the service key, the ticket identifier and the IC card ticket balance are needed to be sent.
In order to facilitate better implementing the foregoing solutions of the embodiments of the present application, the present application further provides an information protection system, including: a first information management device, a second information management device, and an IC card.
The first information management device is used for sending a card purchasing request to the second information management device according to card purchasing application information under the condition that the first information management device passes identity authentication, and acquiring a ticket identifier generated by the second information management device; calculating to obtain an initial key according to an identity identifier and a first formula, calculating a unique identity identifier and a service key of an IC card according to the identity identifier, the ticket identifier and a root key, and writing the initial key, the ticket identifier, the unique identity identifier and the service key into the IC card;
the second information management device is used for receiving the identity identifier and the registration information of the first information management device, which are sent by the first information management device, verifying the validity of the identity identifier, and generating an identity identifier of the first information management device according to the identity identifier and the registration information after the identity identifier is legal; selecting a corresponding asymmetric binary polynomial according to the identity identifier, and encrypting and transmitting the identity identifier, the asymmetric binary polynomial and a root key to the first information management device, wherein the root key is a unique identity key of the second information management device; receiving a card purchasing request of the first information management device, generating a ticket identifier according to the card purchasing request, recording the ticket identifier, and sending the ticket identifier to the first information management device;
The IC card is used for receiving the initial key, the ticket identifier, the unique identity of the IC card and the service key written by the first information management equipment; calculating an identity key of the IC card based on the initial key and the ticket flag Fu Ji; before the business is carried out, the identity key is sent to the first information management equipment for identity verification, after the identity verification is successful, the business key and required parameters are sent to the first information management equipment according to business requirements, and the business comprises recharging, inbound and outbound.
It should be noted that all data transmitted in the system are encrypted, and encryption and decryption rules can only be known by the first information management device, the second information management device and the IC card, so that the encryption and transmission of the data ensures information security and avoids data leakage.
In order to better illustrate the workflow of the information protection system, please refer to fig. 4a for an identity authentication schematic diagram provided in an embodiment of the present application and fig. 4b for a data encryption and service processing schematic diagram provided in an embodiment of the present application, where a primary information management device is a first information management device listed in an embodiment of the present application, and a secondary information management device is a second information management device listed in an embodiment of the present application.
All data in the system is encrypted and requires identity authentication before proceeding with the service. As shown in fig. 4a, the primary information management device that has not been registered transmits an ID and registration information to the secondary information management device to determine whether the ID is legal, and if the ID is legal, the secondary information management device transmits an asymmetric binary polynomial f (x, y) and an identity identifier to the primary information management device, a root key is transmitted to the primary information management device in fig. 4 b. The three data of the asymmetric binary polynomial f (x, y), the identity identifier and the root key can be sent together after the first-level information management equipment is registered, the service key can also be sent independently before the IC card performs all services, and the independent data can be selected to be sent together or independently according to the requirement.
If the primary information management device is registered in the secondary information management device, the identity identifier is only required to be sent to the secondary information management device during identity authentication. After the latter level information management equipment and the second level information management equipment are registered, business interaction can be carried out, as shown in fig. 4b, after the first level information management equipment receives a card purchasing application, the card purchasing application and an identity identifier thereof are sent to the second level information management equipment for processing, the second level information management equipment verifies the identity of the first level information management equipment according to the received identity identifier, after the identity verification passes, a ticket card identifier is generated according to the card purchasing application, then the ticket card identifier is recorded, the ticket card identifier is sent to a first level information management center, the first level information management equipment generates information such as a unique identity identifier and a business key of an IC card according to the received ticket card identifier, the information is written into the IC card, the IC card receives writing information, and the IC card is activated after writing is completed, so that business operation can be carried out.
If the IC card is to be recharged, a passenger or station service personnel inputs the recharging amount m, the primary information management equipment receives the recharging amount, generates a check code and a card writing amount according to the recharging amount and sends the check code and the card writing amount to the secondary information management equipment, the secondary information management equipment verifies the validity of the service according to the data sent by the primary information management equipment, after the validity is verified, the balance of the IC card system is modified according to the card writing amount, and after the modification is successful, confirmation information is sent to the primary information management equipment, and the primary information management equipment modifies the balance of the IC card and is recharged successfully.
After the recharging is successful, the passengers can take the bus by using the IC card, when the passengers swipe the card to enter the bus, the first-level information management equipment detects the card to enter the bus by using the IC card, reads corresponding information, judges whether the identity and the balance of the IC card are legal or not, records the information of entering the bus if the identity and the balance are legal, and prohibits the passengers from entering the bus and prompts the error reason if the identity and the balance are legal. When a passenger swipes a card to go out, the primary information management equipment detects the card to go out, reads the unique identity of the IC card, finds the current IC inbound information according to the unique identity, calculates the consumption amount according to the inbound information, judges whether the system balance is enough to pay the consumption amount or not, and sends updated card writing amount to the secondary information management equipment, the secondary information management equipment updates the system balance according to the card writing amount, sends confirmation information to the primary information management equipment after updating is successful, and the primary information management equipment deducts the IC card ticket face balance according to the consumption amount, opens an entrance guard after the deduction is successful, and the passenger goes out.
If the system balance is not enough to pay the consumption amount, prompting the user to recharge without opening the access control, and opening the access control to allow the user to go out after the system balance of the IC card meets the consumption amount.
In order to facilitate better implementation of the above-described schemes of the embodiments of the present application, the present application also provides an apparatus for implementing the above-described schemes.
Referring to fig. 5a, a first structural diagram of an apparatus for information protection according to an embodiment of the present application, an apparatus 50 for memory optimization as shown in fig. 5a may include: a first transmitting unit 501, an acquiring unit 502, a first calculating unit 503, and a writing unit 504. The information protection device 50 may be used to perform the relevant description of the method embodiments described above. Wherein, the liquid crystal display device comprises a liquid crystal display device,
a first sending unit 501, configured to send a card purchasing request to a second information management device according to card purchasing application information when the first information management device passes identity authentication;
an obtaining unit 502, configured to obtain a ticket identifier generated by the second information management apparatus;
a first calculating unit 503, configured to calculate and obtain an initial key according to an identity identifier and a first formula, and calculate a unique identity identifier and a service key of an IC card according to the identity identifier, the ticket identifier and a root key;
A writing unit 504 for writing the initial key, the ticket identifier, the unique identification, and the service key into the IC card.
In one possible design, the first sending unit 501 is further configured to send, to the second information management device, an identity and registration information of the first information management device;
the obtaining unit 502 is further configured to obtain first encryption information generated by the second information management device according to the identity and the registration information, where the first encryption information includes an identity identifier, a first formula, and a root key of the first information management device.
In one possible design, the apparatus for protecting information further includes:
a reading unit 505, configured to read identity information of the IC card when detecting that the IC card swipes into the station, where the identity information includes an identity key, the service key, the unique identity identifier, and a ticket balance of the IC card;
an authentication recording unit 506, configured to perform identity authentication on the IC card according to the identity key and the first formula, perform service authentication on the IC card according to the service key after the identity authentication passes, and verify whether the IC card meets an inbound condition according to a first card writing amount after the service authentication is qualified, and record inbound information of the IC card after the inbound condition is met;
A charging unit 507, configured to read the unique identity of the IC card and the first card amount when detecting that the IC card swipes out of the station, search for inbound information according to the unique identity, and calculate a consumption amount according to the inbound information;
and the deduction updating unit 508 is configured to detect whether the system balance of the IC card is legal according to the consumption amount and the balance check code, and in case that the system balance is legal, modify the ticket balance of the IC card according to the consumption amount, open the gate after the modification is successful, record outbound information, calculate a second write card amount of the current IC card, and send the second write card amount to the second information management device.
In one possible design, the first computing unit 503 is specifically configured to:
the initial key is obtained by calculation according to the identity identifier and a first formula, wherein the first formula is as follows:
wherein a is 00 、a 01 、a 10 、a 11 Is the weight parameter of the first formula, b 0i 、b 1i Is the initial key, and the identity identifier is substituted into the first formula as the second element y of the first formula to calculate the b 0i And b is as described above 1i ;
Calculating a unique identity and a service key of the IC card according to the identity identifier, the ticket identifier and the root key, wherein the unique identity is obtained by combining the identity identifier, the ticket identifier and a check code, the check code is generated by a password hash function, and the generation formula is as follows:
e i =H 1 (ID i c i ||K 0 )
Wherein, ID i Is the identity identifier, c i Is the ticket identifier, e i Is the check code, H 1 Is a cryptographic hash function with an output length of a first length, K 0 Is the root key described above;
the formula for calculating the service key is as follows:
P i =H 2 (K 0 ||ID i c i )
wherein P is i Is the service key, H 2 Is a cryptographic hash function that outputs a second length.
In one possible design, the authentication recording unit 506 is specifically configured to:
substituting the ticket identifier as a first element x of the first formula and the identity identifier as a second element y of the first formula into the first formula to calculate the value of the first formula;
wherein K is i Is the identity key, judges the value of the first formula and K i Whether or not they are equal;
if the identity authentication is equal, the identity authentication passes, otherwise, the identity authentication fails, and failure information is prompted.
Referring to fig. 5b, a second structure diagram of an apparatus for information protection according to an embodiment of the present application, a memory optimization apparatus 51 shown in fig. 5b may include: a registration authentication unit 511, a second transmission unit 512, and a card purchase unit 513. The information protection means 51 may be used to perform the relevant description in the method embodiments described above. Wherein, the liquid crystal display device comprises a liquid crystal display device,
A registration authentication unit 511 configured to receive an identity and registration information of the first information management device sent by the first information management device, verify validity of the identity, and generate an identity identifier of the first information management device according to the identity and registration information after the identity is legal;
a second transmitting unit 512, configured to select a corresponding asymmetric binary polynomial according to the identifier, and encrypt and transmit the identifier, the asymmetric binary polynomial, and a root key to the first information management device, where the root key is a unique identifier key of the second information management device;
a card purchasing unit 513 for receiving a card purchasing request from the first information management device, generating a ticket identifier according to the card purchasing request, recording the ticket identifier, and transmitting the ticket identifier to the first information management device.
In one possible design, the apparatus for protecting information further includes:
an authentication updating unit 514, configured to receive an initial card writing amount and a check code sent by the first information management device, confirm the identity of the IC card according to the check code, update the balance of the IC card system according to the initial card writing amount after the identity authentication is passed, and send confirmation information to the first information management device after the update is completed;
A balance modifying unit 515, configured to receive the second write card amount sent by the first information management device, and modify the system balance of the IC card according to the second write card amount.
Referring to fig. 5c, a third structure diagram of an apparatus for protecting information according to an embodiment of the present application, a memory optimizing apparatus 52 shown in fig. 5c may include: a receiving writing unit 521, a second calculating unit 522, a service unit 523. The information protection means 52 may be used to perform the relevant description in the method embodiments described above. Wherein, the liquid crystal display device comprises a liquid crystal display device,
a receiving and writing unit 521, configured to receive an initial key, a ticket identifier, a unique identity of the IC card, and a service key written by the first information management device;
a second calculating unit 522 for calculating an identity key of the IC card based on the initial key and the ticket flag Fu Ji;
and the service unit 523 is configured to send the identity key to the first information management device for identity verification before performing a service, and send the service key and required parameters to the first information management device according to a service requirement after the identity verification is successful, where the service includes recharging, inbound and outbound.
In one possible design, the second computing unit 522 is specifically configured to:
obtaining coefficient b in initial key 0i 、b 1i And calculating the above by combining the ticket mark Fu JiThe identity key of the IC card is calculated as follows:
K i =f i (c i )=b 0i +b 1i c i
wherein K is i Is the identity key, c i Is the ticket identifier described above.
It should be noted that, the functions of each functional unit in the information protection devices 50, 51, 52 described in the embodiments of the present application may be specifically implemented according to the method in the method embodiment described above, which is not described herein again.
Fig. 6 is a schematic structural diagram of a terminal provided in an embodiment of the present application, where the terminal 60 may have a relatively large difference due to different configurations or capabilities, and may include one or more central processing units (central processing units, CPU) 602 (e.g., one or more processors) and a memory 608, one or more storage media 607 (e.g., one or more mass storage devices) storing application programs 606 or data 605. Wherein the memory 608 and storage medium 607 may be transitory or persistent. The program stored on the storage medium 607 may include one or more modules (not shown), each of which may include a series of instruction operations in the electronic device. Still further, the central processor 602 may be configured to communicate with the storage medium 607 to execute a series of instruction operations in the storage medium 607 on the terminal 60. The terminal 60 may be a software running device provided herein.
The terminal 60 may also include one or more power supplies 603, one or more wired or wireless network interfaces 609, one or more input-output interfaces 610, and/or one or more operating systems 604, such as Windows ServerTM, mac OS XTM, unixTM, linuxTM, freeBSDTM, etc.
The steps performed by the software running device in the above embodiments may be based on the terminal structure shown in fig. 6. Specifically, the cpu 602 may implement the functions of each unit in fig. 5a, 5b, and 5 c.
Embodiments of the present application also provide a computer-readable storage medium. All or part of the flow of the above method embodiments may be implemented by a computer program to instruct related hardware, where the program may be stored in the above computer storage medium, and when the program is executed, the program may include the flow of each method embodiment as described above. The computer-readable storage medium includes: a read-only memory (ROM) or a random access memory (random access memory, RAM), a magnetic disk or an optical disk, or the like.
In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product described above includes one or more computer instructions. When the above-described computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in or transmitted across a computer-readable storage medium. The computer readable storage media may be any available media that can be accessed by a computer or a data storage device such as a server, data center, or the like that contains an integration of one or more available media. The above-mentioned usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a Solid State Disk (SSD)), or the like.
In summary, in the embodiment of the present application, by adopting a secondary information management mechanism, information security is ensured, and under the condition that a first information management device passes identity authentication of a second information management device, a card purchasing request is sent to the second information management device according to card purchasing application information, and after the second information management device processes a card purchasing application, the first information management device obtains a ticket identifier generated by the second information management device; the second information management equipment calculates and obtains an initial key according to the identity identifier and the first formula, and calculates a unique identity identifier and a service key of the IC card according to the identity identifier, the ticket card identifier and the root key; writing the initial key, ticket identifier, unique identity, service key into IC card; the IC card receives an initial key, a ticket identifier, a unique identity of the IC card and a service key written by the first information management equipment; the IC card calculates the identity key of the IC card according to the initial key and the ticket identifier; before the business is carried out, the IC card sends the identity key to the first information management equipment for identity verification, and after the identity verification is successful, the business key and required parameters are sent to the first information management equipment according to business requirements, wherein the business comprises recharging, inbound and outbound. Thus, the two-layer information management mechanism, the identity key and the service key realize effective identity authentication and data encryption of the IC card, ensure information security and reduce property loss and other related problems caused by counterfeiting, cloning and data leakage of the IC card.
The steps in the method of the embodiment of the application can be sequentially adjusted, combined and deleted according to actual needs.
The modules in the device of the embodiment of the application can be combined, divided and deleted according to actual needs.
In summary, the above embodiments are only for illustrating the technical solution of the present application, and are not limited thereto; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the corresponding technical solutions from the scope of the technical solutions of the embodiments of the present application.
Claims (14)
1. An information protection method, characterized in that the method is applied to a first information management apparatus, comprising:
under the condition that the first information management equipment passes identity authentication, sending a card purchasing request to second information management equipment according to card purchasing application information, and acquiring a ticket card identifier generated by the second information management equipment;
calculating to obtain an initial key according to the identity identifier and a first formula, and calculating a unique identity identifier and a service key of the IC card according to the identity identifier, the ticket identifier and the root key;
And writing the initial key, the ticket card identifier, the unique identity and the service key into the IC card.
2. The method according to claim 1, wherein in the case where the first information management apparatus passes the identity authentication, the method further comprises, before transmitting a card purchase request to the second information management apparatus according to card purchase application information and acquiring the ticket identifier generated by the second information management apparatus:
the identity identification and registration information of the first information management equipment are sent to the second information management equipment;
and acquiring first encryption information generated by the second information management equipment according to the identity identifier and the registration information, wherein the first encryption information comprises the identity identifier, a first formula and a root key of the first information management equipment.
3. The method according to claim 1 or 2, characterized in that after said writing of said initial key, said ticket identifier, said unique identification, said service key to said IC card, the method further comprises:
when the IC card swiping and entering the station is detected, the identity information of the IC card is read, wherein the identity information comprises an identity key, the service key, the unique identity mark and the balance of the ticket face of the IC card;
Carrying out identity authentication on the IC card according to the identity key and the first formula, carrying out service authentication on the IC card according to the service key after the identity authentication is passed, verifying whether the IC card meets the inbound condition according to the first card writing amount after the service authentication is qualified, and recording the inbound information of the IC card after the inbound condition is met;
when detecting that the IC card swipes out of the station, reading the unique identity of the IC card and the first card writing amount, searching for the station entering information according to the unique identity, and calculating the consumption amount according to the station entering information;
detecting whether the balance of the IC card system is legal or not according to the consumption amount and the balance check code, under the condition that the balance of the system is legal, modifying the ticket surface balance of the IC card according to the consumption amount, opening an entrance guard after the modification is successful, recording outbound information, calculating the current second card writing amount of the IC card, and sending the second card writing amount to the second information management equipment.
4. A method according to any one of claims 3, wherein said calculating based on the identity identifier and the first formula to obtain an initial key, and based on the identity identifier, the ticket identifier and the root key to calculate a unique identity and a service key of the IC card comprises:
The initial key is obtained according to the identity identifier and a first formula, wherein the first formula is as follows:
wherein a is 00 、a 01 、a 10 、a 11 Is the weight parameter of the first formula, b 0i 、b 1i Is the initial key, substitutes the identity identifier as a second element y of the first formula into the first formula to calculate the b 0i And said b 1i ;
Calculating a unique identity identifier and a service key of the IC card according to the identity identifier, the ticket identifier and the root key, wherein the unique identity identifier is obtained by combining the identity identifier, the ticket identifier and a check code, the check code is generated by a password hash function, and the generation formula is as follows:
e i =H 1 (ID i c i ||K 0 )
wherein, ID i Is said identity identifier c i Is the ticket markSymbol e i Is the check code, H 1 Is a cryptographic hash function with an output length of a first length, K 0 Is the root key;
the formula for calculating the service key is as follows:
P i =H 2 (K 0 ||ID i c i )
wherein P is i Is the service key, H 2 Is a cryptographic hash function that outputs a second length.
5. The method of claim 4, wherein the authenticating the IC card according to the identity key and the first formula comprises:
substituting the ticket identifier as a first element x of the first formula, substituting the identity identifier as a second element y of the first formula into the first formula to calculate the value of the first formula;
Wherein K is i Is the identity key, judges the value of the first formula and K i Whether or not they are equal;
if the identity authentication is equal, the identity authentication passes, otherwise, the identity authentication fails, and failure information is prompted.
6. The method according to claim 4 or 5, wherein the balance check code is calculated as follows:
e=H 3 (m 2 ||K 0 )
wherein e is a balance check code, m 2 Is the system balance of the IC card, H 3 Is a cryptographic hash function that outputs a third length.
7. An information protection method, characterized in that the method is applied to a second information management apparatus, comprising:
receiving an identity identifier and registration information of a first information management device sent by the first information management device, verifying the validity of the identity identifier, and generating an identity identifier of the first information management device according to the identity identifier and registration information after the identity identifier is legal;
selecting a corresponding asymmetric binary polynomial according to the identity identifier, and encrypting and transmitting the identity identifier, the asymmetric binary polynomial and a root key to the first information management device, wherein the root key is a unique identity key of the second information management device;
and receiving a card purchasing request of the first information management equipment, generating a ticket card identifier according to the card purchasing request, recording the ticket card identifier, and sending the ticket card identifier to the first information management equipment.
8. The method of claim 7, wherein after the receiving the card purchase request of the first information management apparatus, generating a ticket identifier according to the card purchase request, recording the ticket identifier, and transmitting the ticket identifier to the first information management apparatus, the method further comprises:
receiving an initial card writing amount and a check code sent by the first information management equipment, confirming the identity of the IC card according to the check code, updating the balance of the IC card system according to the initial card writing amount after the identity authentication is passed, and sending confirmation information to the first information management equipment after the updating is completed;
and receiving the second card-writing amount sent by the first information management equipment, and modifying the system balance of the IC card according to the second card-writing amount.
9. An information protection method, characterized in that the method is applied to an IC card, comprising:
receiving an initial key, a ticket identifier, a unique identity of the IC card and a service key written by first information management equipment;
calculating an identity key of the IC card according to the initial key and the ticket identifier;
before the service is carried out, the identity key is sent to the first information management equipment for identity verification, after the identity verification is successful, the service key and required parameters are sent to the first information management equipment according to service requirements, and the service comprises recharging, inbound and outbound.
10. The method of claim 9, wherein said calculating an identity key of the IC card from the initial key and the ticket identifier comprises:
obtaining coefficient b in initial key 0i 、b 1i And then, the identity key of the IC card is calculated by combining the ticket card identifier, wherein the calculation formula is as follows:
K i =f i (c i )=b 0i +b 1i c i
wherein K is i Is the identity key, c i Is the ticket identifier.
11. An information protection system, comprising: a first information management device, a second information management device, an IC card,
the first information management device is used for sending a card purchasing request to the second information management device according to card purchasing application information under the condition that the first information management device passes identity authentication, and acquiring a ticket identifier generated by the second information management device; calculating to obtain an initial key according to an identity identifier and a first formula, calculating a unique identity identifier and a service key of an IC card according to the identity identifier, the ticket identifier and a root key, and writing the initial key, the ticket identifier, the unique identity identifier and the service key into the IC card;
the second information management device is used for receiving the identity identifier and the registration information of the first information management device, which are sent by the first information management device, verifying the validity of the identity identifier, and generating an identity identifier of the first information management device according to the identity identifier and the registration information after the identity identifier is legal; selecting a corresponding asymmetric binary polynomial according to the identity identifier, and encrypting and transmitting the identity identifier, the asymmetric binary polynomial and a root key to the first information management device, wherein the root key is a unique identity key of the second information management device; receiving a card purchasing request of the first information management equipment, generating a ticket card identifier according to the card purchasing request, recording the ticket card identifier, and sending the ticket card identifier to the first information management equipment;
The IC card is used for receiving the initial key written by the first information management equipment, the ticket identifier, the unique identity of the IC card and the service key; calculating an identity key of the IC card according to the initial key and the ticket identifier; before the service is carried out, the identity key is sent to the first information management equipment for identity verification, after the identity verification is successful, the service key and required parameters are sent to the first information management equipment according to service requirements, and the service comprises recharging, inbound and outbound.
12. An apparatus for information protection, comprising:
the first sending unit is used for sending a card purchasing request to the second information management equipment according to card purchasing application information under the condition that the first information management equipment passes identity authentication;
an acquisition unit configured to acquire a ticket identifier generated by the second information management apparatus;
the first calculation unit is used for calculating and obtaining an initial key according to the identity identifier and a first formula, and calculating a unique identity identifier and a service key of the IC card according to the identity identifier, the ticket card identifier and the root key;
and the writing unit is used for writing the initial key, the ticket card identifier, the unique identity and the service key into the IC card.
13. A terminal comprising an input device, an output device, a processor and a memory, the input device, the output device, the processor and the memory being interconnected, wherein the memory is adapted to store a computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method of any of claims 1-10.
14. A computer readable storage medium, characterized in that the computer storage medium stores a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method of any of claims 1 to 10.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111446397.3A CN116206376A (en) | 2021-11-30 | 2021-11-30 | Information protection method, system, device, terminal and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111446397.3A CN116206376A (en) | 2021-11-30 | 2021-11-30 | Information protection method, system, device, terminal and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116206376A true CN116206376A (en) | 2023-06-02 |
Family
ID=86506419
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111446397.3A Pending CN116206376A (en) | 2021-11-30 | 2021-11-30 | Information protection method, system, device, terminal and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116206376A (en) |
-
2021
- 2021-11-30 CN CN202111446397.3A patent/CN116206376A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9864987B2 (en) | Account provisioning authentication | |
| CN109074582B (en) | System and method for generating sub-tokens using a master token | |
| US11170379B2 (en) | Peer forward authorization of digital requests | |
| RU2711464C2 (en) | Multiple-device transaction verification | |
| US8898088B2 (en) | In-card access control and monotonic counters for offline payment processing system | |
| US20130246281A1 (en) | Service providing system and unit device | |
| US9020858B2 (en) | Presence-of-card code for offline payment processing system | |
| CN105684346B (en) | Ensure the method for air communication safety between mobile application and gateway | |
| CN104715187B (en) | Method and apparatus for the node in certification electronic communication system | |
| RU2537795C2 (en) | Trusted remote attestation agent (traa) | |
| US8959034B2 (en) | Transaction signature for offline payment processing system | |
| CA2418050C (en) | Linking public key of device to information during manufacture | |
| US6983368B2 (en) | Linking public key of device to information during manufacture | |
| US20120246075A1 (en) | Secure electronic payment methods | |
| CN106465112A (en) | Offline authentication | |
| CN114819961A (en) | Method and system for provisioning payment credentials for mobile devices | |
| EP2690840B1 (en) | Internet based security information interaction apparatus and method | |
| US20140172741A1 (en) | Method and system for security information interaction based on internet | |
| CN104145297A (en) | Hub and spokes pin verification | |
| CN110290134A (en) | A kind of identity identifying method, device, storage medium and processor | |
| KR102574524B1 (en) | Remote transaction system, method and point of sale terminal | |
| US20160300220A1 (en) | System and method for enabling a secure transaction between users | |
| WO2013130912A2 (en) | In-card access control and monotonic counters for offline payment processing system | |
| US11379618B2 (en) | Secure sensitive personal information dependent transactions | |
| CN116206376A (en) | Information protection method, system, device, terminal and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |