CN116827691A - Method and system for data transmission - Google Patents
Method and system for data transmission Download PDFInfo
- Publication number
- CN116827691A CN116827691A CN202311093434.6A CN202311093434A CN116827691A CN 116827691 A CN116827691 A CN 116827691A CN 202311093434 A CN202311093434 A CN 202311093434A CN 116827691 A CN116827691 A CN 116827691A
- Authority
- CN
- China
- Prior art keywords
- public key
- card
- identity information
- security domain
- transmission data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 230000005540 biological transmission Effects 0.000 title claims abstract description 103
- 238000000034 method Methods 0.000 title claims abstract description 57
- 238000012795 verification Methods 0.000 claims abstract description 77
- 238000000354 decomposition reaction Methods 0.000 claims description 2
- 230000003993 interaction Effects 0.000 abstract description 10
- 230000001960 triggered effect Effects 0.000 abstract description 7
- 238000010586 diagram Methods 0.000 description 8
- 230000006870 function Effects 0.000 description 6
- 238000004891 communication Methods 0.000 description 3
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000004590 computer program Methods 0.000 description 1
- 238000011217 control strategy Methods 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
Abstract
The application relates to the technical field of secure channel protocols, and discloses a method for data transmission, which comprises the following steps: and under the condition that the first identity information sent by the entity outside the card is received, the security domain verifies the first identity information by using the verified first public key. And under the condition that the verification of the first identity information is passed, the security domain sends second identity information to an entity outside the card, and the entity outside the card is triggered to verify the second identity information by using a second public key which passes the verification. And under the condition that the first transmission data sent by the entity outside the card is received, the security domain verifies the integrity of the first transmission data. Thus, the security of information interaction between the entity outside the card and the security domain can be enhanced through multiple verification. The application also discloses a system for data transmission.
Description
Technical Field
The present application relates to the field of secure channel protocols, and for example, to a method and a system for data transmission.
Background
At present, a secure channel protocol is required to be used for communication between an external entity of a card and a secure domain, but as the secure channel protocol is widely applied, requirements for security and data integrity of information interaction between the external entity of the card and the secure domain are gradually increased. Therefore, the security of information interaction between the entity outside the card and the security domain needs to be enhanced.
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the application and thus may include information that does not form the prior art that is already known to those of ordinary skill in the art.
Disclosure of Invention
The following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosed embodiments. This summary is not an extensive overview, and is intended to neither identify key/critical elements nor delineate the scope of such embodiments, but is intended as a prelude to the more detailed description that follows.
The embodiment of the disclosure provides a method and a system for data transmission, so that the security of information interaction between an entity outside a card and a security domain can be enhanced.
In some embodiments, the method for data transmission is applied to a security domain, the method comprising: under the condition that first identity information sent by an entity outside the card is received, verifying the first identity information by using a first public key passing verification; sending second identity information to an entity outside the card under the condition that the first identity information passes verification, triggering the entity outside the card to verify the second identity information by using a second public key passing verification, and feeding back first transmission data under the condition that the verification passes; under the condition that first transmission data sent by an entity outside the card is received, verifying the integrity of the first transmission data; and under the condition that the first transmission data is complete, sending second transmission data corresponding to the first transmission data to an entity outside the card.
In some embodiments, the authenticated first public key is obtained by: under the condition that a first public key sent by an external entity of the card is received, carrying out digital signature on the first public key, obtaining and sending the first public key after digital signature to the external entity of the card, and triggering the external entity of the card to verify the first public key after digital signature; storing the first public key in case of receiving the first authentication information; the first verification information is sent by an entity outside the card under the condition that the first public key after digital signature passes verification.
In some embodiments, the first transmission data includes a third signature and first original data, verifying the integrity of the first transmission data includes: performing hash operation on the first original data to obtain a first message digest; performing signing decomposition on the third signature by using the second public key to obtain a second message digest; determining that the first transmission data is complete under the condition that the first message digest and the second message digest are the same; and/or, in the event that the first message digest and the second message digest are different, determining that the first transmission data is tampered with.
In some embodiments, sending second transmission data corresponding to the first transmission data to an off-card entity includes: acquiring second original data corresponding to the first original data; performing hash operation on the second original data to obtain a third message digest; signing the third message digest to obtain a fourth signature; and transmitting the fourth signature and the second original data to an entity outside the card.
In some embodiments, sending the second identity information to the off-card entity includes: acquiring a second random number; signing the second random number to obtain a second random number with a second signature; the second random number with the second signature is sent to the off-card entity.
In some embodiments, the method for data transmission is applied to an off-card entity, and the method includes: the method comprises the steps of sending first identity information to a security domain, triggering the security domain to verify the first identity information by using a first public key which passes verification, and feeding back second identity information under the condition that the first identity information passes verification; verifying the second identity information by using the verified second public key; under the condition that the second identity information passes verification, sending the first transmission data to the security domain, and triggering the security domain to verify the integrity of the first transmission data; and feeding back second transmission data corresponding to the first transmission data under the condition that the first transmission data is complete.
In some embodiments, the second public key is obtained by: under the condition that a second public key sent by the security domain is received, carrying out digital signature on the second public key, obtaining and sending the second public key after digital signature to the security domain, and triggering the security domain to verify the second public key after digital signature; storing the second public key in case the second authentication information is received; wherein the second authentication information is sent by the security domain if the second public key after the digital signature passes the authentication.
In some embodiments, sending the first transmission data to the security domain comprises: acquiring first original data; performing hash operation on the first original data to obtain a second message digest; signing the second message digest to obtain a third signature; the third signature and the first original data are sent to the security domain.
In some embodiments, sending the first identity information to the security domain includes: acquiring a first random number; signing the first random number to obtain a first random number with a first signature; a first random number with a first signature is sent to the security domain.
In some embodiments, a system for data transmission, comprises: an off-card entity configured to send first identity information to a security domain; under the condition that the second identity information is received, verifying the second identity information by using a second public key which passes verification, and under the condition that the second identity information passes verification, sending first transmission data to a security domain; a security domain configured to verify the first identity information using the verified first public key; and sending the second identity information to the entity outside the card under the condition that the first identity information passes verification; under the condition that first transmission data sent by an entity outside the card is received, verifying the integrity of the first transmission data; and under the condition that the first transmission data is complete, sending second transmission data corresponding to the first transmission data to an entity outside the card.
The method and the system for data transmission provided by the embodiment of the disclosure can realize the following technical effects: the first identity information of the entity outside the card is verified by using the verified first public key, and the entity outside the card is triggered to verify the second identity information of the security domain by using the verified second public key. And simultaneously verifying the integrity of the first transmission data sent by the entity outside the card. Thus, the security of information interaction between the entity outside the card and the security domain can be enhanced through multiple verification.
The foregoing general description and the following description are exemplary and explanatory only and are not restrictive of the application.
Drawings
One or more embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements, and in which like reference numerals refer to similar elements, and in which:
FIG. 1 is a schematic diagram of a method for data transmission provided by an embodiment of the present disclosure;
FIG. 2 is a method for obtaining a verified first public key provided by an embodiment of the present disclosure;
FIG. 3 is a method for verifying a digitally signed first public key provided by an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of another method for data transmission provided by an embodiment of the present disclosure;
FIG. 5 is a method for obtaining a second public key provided by an embodiment of the present disclosure;
fig. 6 is a schematic diagram of a system for data transmission provided by an embodiment of the present disclosure.
Detailed Description
So that the manner in which the features and techniques of the disclosed embodiments can be understood in more detail, a more particular description of the embodiments of the disclosure, briefly summarized below, may be had by reference to the appended drawings, which are not intended to be limiting of the embodiments of the disclosure. In the following description of the technology, for purposes of explanation, numerous details are set forth in order to provide a thorough understanding of the disclosed embodiments. However, one or more embodiments may still be practiced without these details. In other instances, well-known structures and devices may be shown simplified in order to simplify the drawing.
The terms first, second and the like in the description and in the claims of the embodiments of the disclosure and in the above-described figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate in order to describe embodiments of the present disclosure. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion.
The term "plurality" means two or more, unless otherwise indicated.
In the embodiment of the present disclosure, the character "/" indicates that the front and rear objects are an or relationship. For example, A/B represents: a or B.
The term "and/or" is an associative relationship that describes an object, meaning that there may be three relationships. For example, a and/or B, represent: a or B, or, A and B.
The term "corresponding" may refer to an association or binding relationship, and the correspondence between a and B refers to an association or binding relationship between a and B.
In order to enhance the security of information interaction between the card external entity and the security domain, the method for data transmission provided by the embodiment of the present disclosure verifies the first identity information of the card external entity by using the verified first public key, and triggers the card external entity to verify the second identity information of the security domain by using the verified second public key. And simultaneously verifying the integrity of the first transmission data sent by the entity outside the card. Thus, the security of information interaction between the entity outside the card and the security domain can be enhanced through multiple verification.
As shown in conjunction with fig. 1, an embodiment of the present disclosure provides a method for data transmission, applied to a security domain, the method including:
in step S101, when receiving the first identity information sent by the entity outside the card, the security domain verifies the first identity information by using the verified first public key.
Step S102, the security domain sends second identity information to the entity outside the card when the first identity information passes verification, triggers the entity outside the card to verify the second identity information by using the verified second public key, and feeds back the first transmission data when the verification passes.
Step S103, under the condition that the first transmission data sent by the entity outside the card is received, the security domain verifies the integrity of the first transmission data.
Step S104, under the condition that the first transmission data is complete, the security domain sends second transmission data corresponding to the first transmission data to the entity outside the card.
By adopting the method for data transmission provided by the embodiment of the disclosure, the first identity information of the entity outside the card is verified by using the verified first public key, and the entity outside the card is triggered to verify the second identity information of the security domain by using the verified second public key. And simultaneously verifying the integrity of the first transmission data sent by the entity outside the card. Thus, the security of information interaction between the entity outside the card and the security domain can be enhanced through multiple verification.
The security domain is a plurality of interfaces for managing the same security requirements on the firewall device. The administrator classifies the interfaces with the same security requirements and divides the interfaces into different security domains, so that unified management of security control strategies can be realized.
The off-card entity is, for example, a card reader device.
The first public key is a public key generated for an external entity of the card through an SM2 asymmetric encryption algorithm, and a first private key corresponding to the first public key is also stored in the external entity of the card. The second public key is a public key generated for the security domain through an SM2 asymmetric encryption algorithm, and a second private key corresponding to the second public key is also stored in the security domain. The first public key, the first private key, the second public key and the second private key are all generated through an SM2 asymmetric encryption algorithm.
The first identity information is a first random number with a first signature. The first random number with the first signature is obtained by signing the first random number by an external entity of the card by using a first private key.
The second identity information is a second random number with a second signature, wherein the second random number with the second signature is obtained by the security domain signing the second random number with a second private key.
Optionally, the security domain sends the second identity information to an off-card entity, including: the security domain obtains a second random number. The security domain signs the second random number to obtain a second random number with a second signature; the security domain sends the second random number with the second signature to the off-card entity.
Optionally, the first identity information is a first random number with a first signature, and the security domain verifies the first identity information by using a first public key passing verification, including: the security domain signs the first random number by using the first public key to obtain a first random number with a second signature verification result, and determines that the first identity information passes verification under the condition that the second signature verification result is identical to the first signature. Or determining that the first identity information verification fails under the condition that the second signature verification result is different from the first signature.
Optionally, the second identity information is a second random number with a second signature, and the verifying the second identity information by the entity outside the card using the verified second public key includes: and the entity outside the card signs the second random number by using the second public key to obtain a second signature verification result. And under the condition that the second signature verification result is the same as the second signature, determining that the second identity information passes verification. Or if the second signature verification result is different from the second signature, determining that the second identity information verification fails.
Optionally, in the case that the security domain fails to verify the first identity information, the method further includes: no information is sent to the off-card entity. And/or, in case of receiving the message sent by the off-card entity, do nothing.
Optionally, the secure domain obtains the authenticated first public key by: under the condition that the first public key sent by the entity outside the card is received, the security domain carries out digital signature on the first public key, obtains and sends the first public key after digital signature to the entity outside the card, and triggers the entity outside the card to verify the first public key after digital signature. The security domain stores the first public key upon receiving the first authentication information. The first verification information is sent by an entity outside the card under the condition that the first public key after digital signature passes verification.
As shown in conjunction with fig. 2, an embodiment of the present disclosure provides a method for obtaining a verified first public key, including:
in step S201, the off-card entity sends the first public key to the security domain.
Step S202, the security domain performs digital signature on the first public key to obtain the first public key after digital signature.
In step S203, the security domain sends the digitally signed first public key to the entity outside the card.
In step S204, the entity outside the card verifies the digitally signed first public key.
In step S205, the entity outside the card sends the first verification information to the security domain if the first public key after the digital signature passes the verification.
In step S206, the secure domain stores the first public key.
By adopting the method for acquiring the first public key passing verification provided by the embodiment of the disclosure, the security of the first public key can be improved by repeatedly verifying the first public key by using the security domain and the entity outside the card.
Further, the security domain digitally signing the first public key, comprising: the security domain digitally signs the first public key with the second private key.
Further, the off-card entity verifies the digitally signed first public key by: and the entity outside the card performs signature verification on the first public key by using the received second public key to obtain a first digital signature verification result. And determining that the first public key passes verification under the condition that the first digital signature verification result is the same as the digital signature of the first public key. Or determining that the first public key verification fails when the first digital signature verification result is different from the digital signature of the first public key.
As shown in conjunction with fig. 3, an embodiment of the present disclosure provides a method for verifying a first public key after a digital signature, comprising:
in step S301, the entity outside the card performs signature verification on the first public key by using the second public key, so as to obtain a first digital signature verification result.
In step S303, the off-card entity determines whether the first digital signature verification result is the same as the digital signature of the first public key. If so, step S303 is performed. Otherwise, step S304 is performed.
In step S303, the off-card entity determines that the first public key verification is passed.
In step S304, the off-card entity determines that the first public key verification fails.
By adopting the method for verifying the first public key after digital signature, which is provided by the embodiment of the disclosure, the first public key is verified by utilizing the second public key to obtain a first digital signature verification result, and then whether the first digital signature verification result is the same as the digital signature of the first public key is determined, and whether the first public key passes the verification is further determined, so that the first public key is verified.
Optionally, in case the first public key fails to authenticate, the off-card entity does nothing, so that the security domain will not receive the first authentication information and thus will not store the first public key.
Optionally, the first transmission data includes a third signature and first original data, and the security domain verifies the integrity of the first transmission data, including: the security domain performs hash operation on the first original data to obtain a first message digest. And the security domain signs the third signature by using the second public key to obtain a second message digest. In the event that the first message digest and the second message digest are the same, the security domain determines that the first transmission data is complete. And/or, in the event that the first message digest and the second message digest are different, the security domain determines that the first transmission data is tampered with.
Optionally, the security domain sends second transmission data corresponding to the first transmission data to an entity outside the card, including: the security domain obtains second original data corresponding to the first original data. The security domain performs hash operation on the second original data to obtain a third message digest. The security domain signs the third message digest to obtain a fourth signature. The security domain sends the fourth signature and the second original data to the off-card entity.
As shown in connection with fig. 4, an embodiment of the present disclosure provides a method for data transmission, applied to an off-card entity, the method including:
in step S401, the entity outside the card sends the first identity information to the security domain, triggers the security domain to verify the first identity information by using the verified first public key, and feeds back the second identity information if the first identity information passes the verification.
In step S402, the entity outside the card verifies the second identity information by using the verified second public key.
Step S403, under the condition that the second identity information verification is passed, the entity outside the card sends first transmission data to the security domain, and the security domain is triggered to verify the integrity of the first transmission data; and feeding back second transmission data corresponding to the first transmission data under the condition that the first transmission data is complete.
By adopting the method for data transmission provided by the embodiment of the disclosure, the first identity information of the entity outside the card is verified by using the verified first public key, and the entity outside the card is triggered to verify the second identity information of the security domain by using the verified second public key. And simultaneously verifying the integrity of the first transmission data sent by the entity outside the card. Thus, the security of information interaction between the entity outside the card and the security domain can be enhanced through multiple verification.
Optionally, the method for data transmission further comprises: the off-card entity is also configured to send a secure channel setup request to the security domain. The security domain generates a random number in case of a secure channel establishment request. The security domain creates a new session key using its internal sequence counter and static key, and encrypts the newly created session key using SM4 to obtain an encrypted value. Finally, the security domain transmits this encrypted value to the off-card entity along with the random number, the secure channel protocol identifier, the sequence counter, and other data. The secure channel request includes an SCP version number, a secure channel encryption algorithm, a secure channel MAC key, and a secure channel counter. The SCP version number is used to specify the security channel protocol version used. The secure channel encryption algorithm is used to encrypt data in the secure channel. The secure channel MAC algorithm is used to integrity protect data in the secure channel. The secure channel MAC key is used to generate and verify the MAC value. The secure channel counter is used to prevent replay attacks.
Optionally, the off-card entity obtains the second public key by: under the condition that a second public key sent by the security domain is received, the entity outside the card carries out digital signature on the second public key, the second public key after digital signature is obtained and sent to the security domain, and the security domain is triggered to verify the second public key after digital signature; the entity outside the card stores a second public key under the condition of receiving second verification information; wherein the second authentication information is sent by the security domain if the second public key after the digital signature passes the authentication.
As shown in conjunction with fig. 5, an embodiment of the present disclosure provides a method for obtaining a second public key, including:
in step S501, the security domain sends the second public key to the off-card entity.
In step S502, the entity outside the card digitally signs the second public key to obtain the digitally signed second public key.
In step S503, the entity outside the card sends the digitally signed second public key to the security domain.
In step S504, the security domain verifies the digitally signed second public key.
In step S505, the security domain sends the second verification information to the entity outside the card if the second public key after the digital signature passes the verification.
In step S506, the off-card entity stores the second public key.
By adopting the method for acquiring the second public key, which is provided by the embodiment of the disclosure, the security of the second public key can be improved by repeatedly verifying the second public key by using the security domain and the entity outside the card.
Further, the off-card entity digitally signing the second public key, comprising: the off-card entity digitally signs the second public key with the first private key.
Further, the security domain verifies the digitally signed second public key by: and the security domain performs signature verification on the second public key by using the received first public key to obtain a second digital signature verification result. And determining that the second public key passes verification under the condition that the second digital signature verification result is the same as the digital signature of the second public key. Or determining that the second public key verification fails when the second digital signature verification result is different from the digital signature of the second public key.
Optionally, in case the second public key verification fails, the security domain does nothing. So that the off-card entity will not receive the second authentication information and thus will not store the second public key.
Optionally, the off-card entity sends the first transmission data to the security domain, including: first raw data is acquired. And carrying out hash operation on the first original data to obtain a second message digest. And signing the second message digest to obtain a third signature. The third signature and the first original data are sent to the security domain.
Optionally, the off-card entity sends the first identity information to the security domain, including: a first random number is obtained. The first random number is signed to obtain the first random number with the first signature. A first random number with a first signature is sent to the security domain.
As shown in connection with fig. 6, an embodiment of the present disclosure provides a system 600 for data transmission, comprising an off-card entity 601 and a security domain 602. The off-card entity is configured to send first identity information to the security domain; and under the condition that the second identity information is received, verifying the second identity information by using the verified second public key, and under the condition that the second identity information is verified, sending the first transmission data to the security domain. The security domain is configured to verify the first identity information using the verified first public key; and sending the second identity information to the entity outside the card under the condition that the first identity information passes verification; under the condition that first transmission data sent by an entity outside the card is received, verifying the integrity of the first transmission data; and under the condition that the first transmission data is complete, sending second transmission data corresponding to the first transmission data to an entity outside the card.
By adopting the system for data transmission provided by the embodiment of the disclosure, the first identity information of the entity outside the card is verified by using the verified first public key, and the entity outside the card is triggered to verify the second identity information of the security domain by using the verified second public key. And simultaneously verifying the integrity of the first transmission data sent by the entity outside the card. Thus, the security of information interaction between the entity outside the card and the security domain can be enhanced through multiple verification.
Embodiments of the present disclosure may be embodied in a software product stored on a storage medium, including one or more instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of a method according to embodiments of the present disclosure. And the aforementioned storage medium may be a non-transitory storage medium including: a plurality of media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or a transitory storage medium.
The above description and the drawings illustrate embodiments of the disclosure sufficiently to enable those skilled in the art to practice them. Other embodiments may involve structural, logical, electrical, process, and other changes. The embodiments represent only possible variations. Individual components and functions are optional unless explicitly required, and the sequence of operations may vary. Portions and features of some embodiments may be included in, or substituted for, those of others. Moreover, the terminology used in the present application is for the purpose of describing embodiments only and is not intended to limit the claims. As used in the description of the embodiments and the claims, the singular forms "a," "an," and "the" (the) are intended to include the plural forms as well, unless the context clearly indicates otherwise. Similarly, the term "and/or" as used in this disclosure is meant to encompass any and all possible combinations of one or more of the associated listed. Furthermore, when used in the present disclosure, the terms "comprises," "comprising," and/or variations thereof, mean that the recited features, integers, steps, operations, elements, and/or components are present, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method or apparatus comprising such elements. In this context, each embodiment may be described with emphasis on the differences from the other embodiments, and the same similar parts between the various embodiments may be referred to each other. For the methods, products, etc. disclosed in the embodiments, if they correspond to the method sections disclosed in the embodiments, the description of the method sections may be referred to for relevance.
Those of skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. The skilled artisan may use different methods for each particular application to achieve the described functionality, but such implementation should not be considered to be beyond the scope of the embodiments of the present disclosure. It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the embodiments disclosed herein, the disclosed methods, articles of manufacture (including but not limited to devices, apparatuses, etc.) may be practiced in other ways. For example, the apparatus embodiments described above are merely illustrative, and for example, the division of the units may be merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form. The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to implement the present embodiment. In addition, each functional unit in the embodiments of the present disclosure may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. In the description corresponding to the flowcharts and block diagrams in the figures, operations or steps corresponding to different blocks may also occur in different orders than that disclosed in the description, and sometimes no specific order exists between different operations or steps. For example, two consecutive operations or steps may actually be performed substantially in parallel, they may sometimes be performed in reverse order, which may be dependent on the functions involved. Each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Claims (10)
1. A method for data transmission, applied to a security domain, the method comprising:
under the condition that first identity information sent by an entity outside the card is received, verifying the first identity information by using a first public key passing verification;
sending second identity information to an entity outside the card under the condition that the first identity information passes verification, triggering the entity outside the card to verify the second identity information by using a second public key passing verification, and feeding back first transmission data under the condition that the verification passes;
under the condition that first transmission data sent by an entity outside the card is received, verifying the integrity of the first transmission data;
and under the condition that the first transmission data is complete, sending second transmission data corresponding to the first transmission data to an entity outside the card.
2. The method of claim 1, wherein the verified first public key is obtained by:
under the condition that a first public key sent by an external entity of the card is received, carrying out digital signature on the first public key, obtaining and sending the first public key after digital signature to the external entity of the card, and triggering the external entity of the card to verify the first public key after digital signature;
storing the first public key in case of receiving the first authentication information; the first verification information is sent by an entity outside the card under the condition that the first public key after digital signature passes verification.
3. The method of claim 1, wherein the first transmission data includes a third signature and first original data, and verifying the integrity of the first transmission data comprises:
performing hash operation on the first original data to obtain a first message digest;
performing signing decomposition on the third signature by using the second public key to obtain a second message digest;
determining that the first transmission data is complete under the condition that the first message digest and the second message digest are the same; and/or the number of the groups of groups,
in the event that the first message digest and the second message digest are different, it is determined that the first transmission data is tampered with.
4. A method according to claim 3, wherein transmitting second transmission data corresponding to the first transmission data to the off-card entity comprises:
acquiring second original data corresponding to the first original data;
performing hash operation on the second original data to obtain a third message digest;
signing the third message digest to obtain a fourth signature;
and transmitting the fourth signature and the second original data to an entity outside the card.
5. The method of claim 1, wherein sending the second identity information to the off-card entity comprises:
acquiring a second random number;
signing the second random number to obtain a second random number with a second signature;
the second random number with the second signature is sent to the off-card entity.
6. A method for data transmission, applied to an off-card entity, the method comprising:
the method comprises the steps of sending first identity information to a security domain, triggering the security domain to verify the first identity information by using a first public key which passes verification, and feeding back second identity information under the condition that the first identity information passes verification;
verifying the second identity information by using the verified second public key;
under the condition that the second identity information passes verification, sending the first transmission data to the security domain, and triggering the security domain to verify the integrity of the first transmission data; and feeding back second transmission data corresponding to the first transmission data under the condition that the first transmission data is complete.
7. The method of claim 6, wherein the second public key is obtained by:
under the condition that a second public key sent by the security domain is received, carrying out digital signature on the second public key, obtaining and sending the second public key after digital signature to the security domain, and triggering the security domain to verify the second public key after digital signature;
storing the second public key in case the second authentication information is received; wherein the second authentication information is sent by the security domain if the second public key after the digital signature passes the authentication.
8. The method of claim 6, wherein sending the first transmission data to the security domain comprises:
acquiring first original data;
performing hash operation on the first original data to obtain a second message digest;
signing the second message digest to obtain a third signature;
the third signature and the first original data are sent to the security domain.
9. The method of claim 6, wherein transmitting the first identity information to the security domain comprises:
acquiring a first random number;
signing the first random number to obtain a first random number with a first signature;
a first random number with a first signature is sent to the security domain.
10. A system for data transmission, comprising:
an off-card entity configured to send first identity information to a security domain; under the condition that the second identity information is received, verifying the second identity information by using a second public key which passes verification, and under the condition that the second identity information passes verification, sending first transmission data to a security domain;
a security domain configured to verify the first identity information using the verified first public key; and sending the second identity information to the entity outside the card under the condition that the first identity information passes verification; under the condition that first transmission data sent by an entity outside the card is received, verifying the integrity of the first transmission data; and under the condition that the first transmission data is complete, sending second transmission data corresponding to the first transmission data to an entity outside the card.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311093434.6A CN116827691B (en) | 2023-08-29 | 2023-08-29 | Method and system for data transmission |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311093434.6A CN116827691B (en) | 2023-08-29 | 2023-08-29 | Method and system for data transmission |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116827691A true CN116827691A (en) | 2023-09-29 |
| CN116827691B CN116827691B (en) | 2024-02-02 |
Family
ID=88122484
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311093434.6A Active CN116827691B (en) | 2023-08-29 | 2023-08-29 | Method and system for data transmission |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116827691B (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020040936A1 (en) * | 1998-10-27 | 2002-04-11 | David C. Wentker | Delegated management of smart card applications |
| CN103634796A (en) * | 2013-12-06 | 2014-03-12 | 北京航空航天大学 | Space information network roaming and trusted security access method |
| US20160006729A1 (en) * | 2014-07-03 | 2016-01-07 | Apple Inc. | Methods and apparatus for establishing a secure communication channel |
| CN106293529A (en) * | 2016-08-08 | 2017-01-04 | 北京数码视讯支付技术有限公司 | Method, device and the smart card of a kind of smart cards for storage data |
| CN109417545A (en) * | 2016-06-24 | 2019-03-01 | 奥兰治 | For downloading the technology of network insertion profile |
| CN112351037A (en) * | 2020-11-06 | 2021-02-09 | 支付宝(杭州)信息技术有限公司 | Information processing method and device for secure communication |
-
2023
- 2023-08-29 CN CN202311093434.6A patent/CN116827691B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020040936A1 (en) * | 1998-10-27 | 2002-04-11 | David C. Wentker | Delegated management of smart card applications |
| CN103634796A (en) * | 2013-12-06 | 2014-03-12 | 北京航空航天大学 | Space information network roaming and trusted security access method |
| US20160006729A1 (en) * | 2014-07-03 | 2016-01-07 | Apple Inc. | Methods and apparatus for establishing a secure communication channel |
| CN109417545A (en) * | 2016-06-24 | 2019-03-01 | 奥兰治 | For downloading the technology of network insertion profile |
| CN106293529A (en) * | 2016-08-08 | 2017-01-04 | 北京数码视讯支付技术有限公司 | Method, device and the smart card of a kind of smart cards for storage data |
| CN112351037A (en) * | 2020-11-06 | 2021-02-09 | 支付宝(杭州)信息技术有限公司 | Information processing method and device for secure communication |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116827691B (en) | 2024-02-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110324143B (en) | Data transmission method, electronic device and storage medium | |
| CN107770159B (en) | Vehicle accident data recording method and related device and readable storage medium | |
| US20220191012A1 (en) | Methods For Splitting and Recovering Key, Program Product, Storage Medium, and System | |
| EP3289723B1 (en) | Encryption system, encryption key wallet and method | |
| CN106452764B (en) | Method for automatically updating identification private key and password system | |
| CN110177124B (en) | Identity authentication method based on block chain and related equipment | |
| CN109981562B (en) | Software development kit authorization method and device | |
| US20100098246A1 (en) | Smart card based encryption key and password generation and management | |
| CN103546289A (en) | USB (universal serial bus) Key based secure data transmission method and system | |
| CN110598429B (en) | Data encryption storage and reading method, terminal equipment and storage medium | |
| WO2024012517A1 (en) | End-to-end data transmission method, and device and medium | |
| EP2827529A1 (en) | Method, device, and system for identity authentication | |
| CN103592927A (en) | Method for binding product server and service function through license | |
| CN114218548B (en) | Identity verification certificate generation method, authentication method, device, equipment and medium | |
| CN106789963B (en) | Asymmetric white-box password encryption method, device and equipment | |
| CN108418679B (en) | Method and device for processing secret key under multiple data centers and electronic equipment | |
| CN112948896A (en) | Signature information verification method and information signature method | |
| CN113542187A (en) | File uploading and downloading method and device, computer device and medium | |
| CN116827691B (en) | Method and system for data transmission | |
| CN113434837B (en) | Method and device for equipment identity authentication and smart home system | |
| WO2022091544A1 (en) | Information verification device, electronic control device, and information verification method | |
| CN114553566A (en) | Data encryption method, device, equipment and storage medium | |
| CN114338091A (en) | Data transmission method and device, electronic equipment and storage medium | |
| CN109936522B (en) | Equipment authentication method and equipment authentication system | |
| CN115114648A (en) | Data processing method and device and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |