CN1523513A - IC card on-line applications adding method - Google Patents
Abstract
The invention is a method for adding applications to an IC card on-line, and belongs to the field of computer and information security technology. The method uses an on-line application-adding system together with a multi-application secure sharing mechanism and a ciphertext+MAC secure data update method: the institution providing the adding service encrypts the relevant data over SSL or VPN by means of a communication protocol, the encrypted data is delivered over the public network to a remote client, and the user adds the new application at that remote client. The invention has the following characteristics: it solves the card-recall problem through an on-line, distributed mode; the user can freely choose which applications to add; and the security of the instruction content is ensured by the ciphertext+MAC mode.
Description
Technical field
The present invention relates to a method concerning the security of IC card applications, in particular a method for adding applications to an IC card on-line, and belongs to the field of computer and information security technology.
Background technology
According to a literature search, under existing technical conditions an application can only be added to an IC card that has already been issued to a user by recalling the user's card, building the file system required by the new application on the recalled card, and importing the new application's associated keys, which completes the addition. If applications are added by recall, the workload is very large and the recall period is long. No literature identical or similar to the subject of the present invention was found in the search.
Summary of the invention
The object of the present invention is to overcome the deficiencies of the prior art by providing a method for adding applications to an IC card on-line that reduces the workload. Because the present invention has no card-recall step, it is highly feasible, and the user can easily add a new application at a remote client.
The present invention is achieved by the following technical solution. The method is as follows: an on-line application-adding system is adopted; an institution provides an on-line application-adding service; the multi-application secure sharing mechanism and the ciphertext+MAC secure data update method are used; the data relevant to the application being added is encrypted by SSL (or VPN); the encrypted data is delivered over the public network to a remote client; and the user easily adds the new application at the remote client.
● Multi-application secure sharing mechanism
Multi-application secure sharing uses an application "firewall" mechanism to guarantee that applications are created securely and shared independently. The specific mechanism is: at the application creation stage, the application master control key (ACK) is protected by the card master control key (CCK), so creating an application requires authorisation from the card issuer (the institution holding the CCK). Once the application master control key exists, the application's keys are protected by the application master control key (ACK), so only the application provider (the institution holding the ACK) can update or modify the keys and information within the application; the card issuer cannot change application information. Because different application providers hold different ACKs, no other application provider can change the application's information either. The ACK thus implements a "firewall" between the different applications and guarantees secure sharing of the different applications on a multi-application card.
● Ciphertext+MAC secure data update method
Ciphertext+MAC is a technique that guarantees the security of data updates. On the IC card, the writing of both data and keys is protected by an associated key. The specific implementation is:
1. The data importing side encrypts the plaintext of the data to be written (which may be a key or other data) with the corresponding protection key, obtaining the ciphertext;
2. The IC card generates a random number and passes it to the data importing side;
3. The data importing side uses the associated key to compute a MAC over the data formed from the random number, the instruction header and the ciphertext according to a defined data composition rule;
4. The data importing side sends the ciphertext and the MAC to the IC card; the IC card computes the MAC over the same data with the associated key and compares it with the MAC passed in by the data importing side, verifying the legitimacy of the data importing side;
5. After the MAC check passes, the IC card decrypts the ciphertext with the associated key, obtains the plaintext and completes the data import.
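As an added example that is not part of the patent, the following Python model combines the ACK/CCK "firewall" described above with the five-step ciphertext+MAC update, so that a card object rejects replays, tampering, and writes attempted under the wrong key holder. The patent names no algorithms, so HMAC-SHA256 stands in for the MAC and an HMAC-derived XOR keystream for the cipher; the instruction codes, application identifier and key lengths are chosen for this example.

```python
import hmac, hashlib, secrets

CREATE_APP, PUT_KEY = 0xE0, 0xD8   # instruction codes chosen for this example, not from the patent

def mac(key, data):
    """Steps 3/4: MAC with the associated key, truncated to 8 bytes as card MACs usually are."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def encrypt(key, header, data):
    """Stand-in for the card's unnamed block cipher: XOR with an HMAC-derived keystream
    bound to the header. Adequate for one random 16-byte key value, not a general cipher."""
    ks = hmac.new(key, b"enc" + header, hashlib.sha256).digest()
    return bytes(p ^ k for p, k in zip(data, ks))
decrypt = encrypt  # XOR keystream: the same operation in both directions

class Card:
    def __init__(self, cck):
        self.cck, self.apps, self.challenge = cck, {}, None

    def get_challenge(self):
        self.challenge = secrets.token_bytes(8)   # step 2: fresh random number
        return self.challenge

    def process(self, header, ciphertext, tag):
        op, aid, kid = header[0], header[1:5], header[5]
        # "Firewall": creation is authorised by the CCK (issuer only); key loads by that app's own ACK.
        if op == CREATE_APP:
            key = self.cck
        elif op == PUT_KEY and aid in self.apps:
            key = self.apps[aid]["ack"]
        else:
            return False
        ch, self.challenge = self.challenge, None   # challenge is single-use: replays fail
        if ch is None or not hmac.compare_digest(mac(key, ch + header + ciphertext), tag):
            return False                            # step 4: importer not proven legitimate
        plain = decrypt(key, header, ciphertext)    # step 5: decrypt only after the MAC passes
        if op == CREATE_APP:
            self.apps[aid] = {"ack": plain, "keys": {}}
        else:
            self.apps[aid]["keys"][kid] = plain
        return True

def build_message(card, op, aid, kid, protect_key, plaintext):
    """Data importing side: step 1 encrypt, step 2 fetch the challenge, step 3 MAC."""
    header = bytes([op]) + aid + bytes([kid])
    ct = encrypt(protect_key, header, plaintext)
    tag = mac(protect_key, card.get_challenge() + header + ct)
    return header, ct, tag

def demo():
    cck, ack_a, ack_b = (secrets.token_bytes(16) for _ in range(3))
    card, aid, r = Card(cck), b"APP1", {}
    r["issuer_creates_app"] = card.process(*build_message(card, CREATE_APP, aid, 0, cck, ack_a))
    msg = build_message(card, PUT_KEY, aid, 1, ack_a, b"k" * 16)
    r["provider_loads_key"] = card.process(*msg)
    r["replay_rejected"] = card.process(*msg)        # same ciphertext+MAC, challenge already consumed
    r["other_provider_rejected"] = card.process(*build_message(card, PUT_KEY, aid, 1, ack_b, b"x" * 16))
    r["issuer_cannot_change_app"] = card.process(*build_message(card, PUT_KEY, aid, 1, cck, b"x" * 16))
    r["key_stored_intact"] = card.apps[aid]["keys"][1] == b"k" * 16
    return r
```

Running `demo()` shows the issuer creating the application under the CCK, the provider loading a key under its ACK, and the replay, the rival provider and the issuer all being refused at the card's MAC check.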
● On-line application-adding system
The system adopts a B/S (browser/server) architecture; the client uses a standard IE browser; link encryption may use SSL, or alternatively link encryption or VPN mode; and the key encryption service is provided in application-server mode.
On-line application-adding server: stores and manages keys and provides the most basic key-operation interface to the outside. It is not placed directly on the Internet but sits behind the application server.
Application server: provides the application services the client needs (such as key derivation and key computation). It is placed behind the SSL gateway; after receiving an application request sent by the client, it communicates with the on-line application-adding server in the local area network, obtains the result, and returns it to the card-issuing client through the communication protocol response.
Remote key service client: responsible for reading and writing the IC card, including writing keys, writing PINs, PIN unblocking, PIN reset and other IC card operations.
IC card reader/writer control: responsible for reading and writing the card.
Application server client control: responsible for communicating with the application server (this communication is established over SSL or VPN to ensure security).
On the basis of the above techniques, the flow of the inventive method is as follows:
(1) The on-line application-adding server starts the application-adding service;
(2) The user brings the user card to a client that supports the on-line application-adding function and inserts the user card into the client's IC card reader/writer;
(3) The user selects the application to be added;
(4) The client communicates with the on-line application-adding server through the communication protocol and builds the file system required by the new application on the user card;
(5) The client communicates with the on-line application-adding server through the communication protocol and writes the new application's associated keys for this user card into the user card, completing the addition of the new application.
The present invention has substantive distinguishing features and marked improvement, with the following characteristics: it adopts an on-line, distributed mode of addition to solve the difficult problem of card recall; the user can independently choose which applications to add and, as long as the business system supports it, can even independently choose to delete applications; transmission security is guaranteed by SSL and VPN encrypted channels; and content security is guaranteed by issuing the card-issuing instructions in ciphertext+MAC mode.
Embodiment
The following is a description of an application example in which the on-line application-adding method is used to add an application.
Because an IC card can carry multiple applications on one card, how to add an application easily to a card that has already been issued becomes a problem. This system solves the problem well by an on-line mode. The whole system comprises three parts: the on-line application-adding server, the application server and the client. First, the on-line application-adding server starts the application-adding service. The user brings the user card to a client supporting the on-line application-adding function and inserts the user card into the client's IC card reader/writer. After the user selects the application to add, the client communicates with the on-line application-adding server through the application server, builds the file system required by the new application on the user card, and writes the new application's associated keys for this user card into the user card, completing the addition of the new application.
The inventive method shortens the cycle, has good feasibility, and lets the user easily add a new application at a remote client.
Claims (5)
1. A method for adding applications to an IC card on-line, characterised in that the method is as follows: an on-line application-adding system is adopted; the multi-application secure sharing mechanism and the ciphertext+MAC secure data update method are used; an institution provides an on-line application-adding service through a communication protocol; the data relevant to the application being added is encrypted by SSL or VPN; the encrypted data is delivered over the public network to a remote client; and the user easily adds the new application at the remote client.
2. The method for adding applications to an IC card on-line according to claim 1, characterised in that the multi-application secure sharing mechanism is specifically as follows:
Multi-application secure sharing uses an application firewall mechanism to guarantee that applications are created securely and shared independently; the specific mechanism is: at the application creation stage, the application master control key is protected by the card master control key, so creating an application requires authorisation from the card issuer; once the application master control key exists, the application's keys are protected by the application master control key, so only the application provider can update or modify the keys and information within the application, and the card issuer cannot change application information.
3. The method for adding applications to an IC card on-line according to claim 1, characterised in that the on-line application-adding system adopts a B/S architecture, the client uses a standard IE browser, link encryption uses SSL or alternatively link encryption or VPN mode, and the key encryption service is provided in application-server mode, specifically as follows:
1) On-line application-adding server: stores and manages keys, provides the most basic key-operation interface to the outside, and is located behind the application server;
2) Application server: provides the application services the client needs, is placed behind the SSL gateway, and after receiving an application request sent by the client communicates with the on-line application-adding server in the local area network, obtains the result and returns it to the card-issuing client through the communication protocol response;
3) Remote key service client: responsible for reading and writing the IC card, including writing keys, writing PINs, PIN unblocking, PIN reset and other IC card operations;
4) IC card reader/writer control: responsible for reading and writing the card;
5) Application server client control: responsible for communicating with the application server.
4. The method for adding applications to an IC card on-line according to claim 1, characterised in that the ciphertext+MAC secure data update method is specifically as follows:
(1) The data importing side encrypts the plaintext of the data to be written with the corresponding protection key, obtaining the ciphertext;
(2) The IC card generates a random number and passes it to the data importing side;
(3) The data importing side uses the associated key to compute a MAC over the data formed from the random number, the instruction header and the ciphertext according to a defined data composition rule;
(4) The data importing side sends the ciphertext and the MAC to the IC card; the IC card computes the MAC over the same data with the associated key and compares it with the MAC passed in by the data importing side, verifying the legitimacy of the data importing side;
(5) After the MAC check passes, the IC card decrypts the ciphertext with the associated key, obtains the plaintext and completes the data import.
5. The method for adding applications to an IC card on-line according to claim 1, 2, 3 or 4, characterised in that the method flow is as follows:
(1) The on-line application-adding server starts the application-adding service;
(2) The user brings the user card to a client that supports the on-line application-adding function and inserts the user card into the client's IC card reader/writer;
(3) The user selects the application to be added;
(4) The client communicates with the on-line application-adding server through the communication protocol and builds the file system required by the new application on the user card;
(5) The client communicates with the on-line application-adding server through the communication protocol and writes the new application's associated keys for this user card into the user card, completing the addition of the new application.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA031509096A CN1523513A (en) | 2003-09-11 | 2003-09-11 | IC card on-line applications adding method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN1523513A true CN1523513A (en) | 2004-08-25 |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C02 | Deemed withdrawal of patent application after publication (patent law 2001) |
WD01 | Invention patent application deemed withdrawn after publication |