200805191

IX. Description of the Invention

[Technical Field]

The present invention relates to a method for issuing chip financial cards, and in particular to a method for issuing a chip financial card with Public Key Infrastructure (PKI) functionality.

[Prior Art]

Public Key Infrastructure (PKI) is a mechanism that uses public keys and certificates to carry out network transactions or transmissions, raising their security and confirming the identity of the counterparty. Fundamentally, both parties must agree to trust each other's certificate authority and the certificates it issues, and on that basis perform identity verification, digital signatures and related applications, so as to provide the security guarantees of data integrity, data source authentication, data confidentiality and non-repudiation.

Because the older magnetic-stripe financial cards are easily skimmed and forged, there has been active planning domestically to convert magnetic-stripe financial cards into chip financial cards (non-PKI chip cards). This raises the security level of financial transactions, but such cards cannot operate in a PKI environment, which is generally regarded as the most complete in terms of security.

With the implementation of the Electronic Signatures Act, online banking and securities order placement have likewise adopted the PKI architecture: by issuing electronic certificates, users obtain data integrity, data confidentiality and non-repudiation. In actual operation, after a user's certificate key has been applied for from the certificate registration system (Registration Authority, RA), the certificate and key must be stored on the user's own certificate carrier. Although the advantages of PKI are available under the PKI architecture, the certificate and key reside on the carrier, so whether the carrier can be accessed securely is a major consideration.

The most common carriers today are hard disks and diskettes, USB PKI tokens, RSA PKI chip cards and Java PKI chip cards. Hard disks and diskettes carry a high risk of being copied or destroyed, while PKI chip cards offer the highest security but are also more expensive; the choice of carrier today is therefore a tug-of-war between cost and security.

[Summary of the Invention]

To solve the above problems, one object of the present invention is to provide a chip financial card issuing method with PKI functionality, so that all chip cards that support the ISO 7816 standard and have encryption and decryption computation capability can also possess the characteristics of a PKI card.

Another object of the present invention is to provide a chip financial card issuing method with PKI functionality in which certificates are placed into an ordinary chip financial card, giving the chip financial card the advantages of a smart card; this not only reduces card cost but also strengthens the security of transactions made with the card itself.

A further object of the present invention is to provide a chip financial card issuing method with PKI functionality in which the certificates in the chip financial card are used to sign, verify signatures, encrypt and decrypt the content of electronic transactions, raising the security and confidentiality of network transactions themselves.

To achieve the above objects, the chip financial card issuing method with PKI functionality of one embodiment of the present invention performs a chip initialization procedure on a chip financial card, comprising: planning a plurality of certificate storage blocks and a corresponding plurality of private key storage blocks; generating a plurality of private keys on the chip financial card; generating a plurality of certificates according to the private keys; storing the certificates in the certificate storage blocks; and storing the private keys in the private key storage blocks, wherein the private keys are protected by a user password.

[Embodiments]

The detailed description follows; the preferred embodiments described are for illustration only and are not intended to limit the present invention.

Figure 1 is a flow chart of a chip financial card issuing method according to one embodiment of the present invention. In this embodiment, the issuing method is an initialization procedure performed on a chip financial card by a card issuing unit, comprising the following steps. Step S01: in the memory or storage component of the chip of the chip financial card, plan a plurality of certificate storage blocks and a corresponding plurality of private key storage blocks; this planning step may be performed by the card issuing unit of the chip financial card. Step S02: write basic data into the memory or storage component of the chip financial card. Step S03: on a computer, generate a plurality of private keys and their corresponding plurality of certificate request messages, and send the certificate request messages over the Internet to a certificate application system; in this embodiment the Internet may be a wired or wireless Internet, and the format of the certificate request file may be [illegible in the source]. Step S04: after the certificate application system receives the certificate request messages, it generates a plurality of certificates and returns them over the Internet to the chip financial card, where they are placed in the certificate storage blocks of the chip financial card; the private keys are placed in the private key storage blocks, which are protected by a user password: anyone wishing to access the card must first enter the user password, and the private keys may be used only after the password has been verified; if the number of user password errors exceeds the limit set by the card issuing unit, the card can no longer be used. Step S05: the card issuing unit performs a signature operation on the basic data to form a signature value, which is stored in the card so that it can later be determined, for example during an electronic transaction, whether the data in the card has been tampered with.

Continuing the above description, in this embodiment the chip financial card complies with the ISO 7816 standard, and the basic data written to the card includes user basic data and card issuing unit basic data; this written basic data serves to identify the user when the card is later used for electronic transactions. The private keys may be prepared by passing the relevant parameters through an application programming interface.

In one embodiment, the certificate application system may be divided into a certificate registration center and a certificate management center. When the certificate registration center receives a certificate request message, it performs the related processing and connects to the certificate management center to carry out the certificate application; the certificate management center then returns the generated certificates, which are stored in the chip financial card. The generated certificates include an encryption certificate and a signature certificate, for the user to encrypt and verify data at transaction time. In one embodiment, the card issuing unit's public key certificate is also placed in the chip card, so that the issuing unit can be verified more quickly later on.

Figure 2 is a flow chart of the verification steps for a chip financial card produced by the chip financial card issuing method of the above embodiment of the present invention. As shown, verification of a PKI-enabled chip financial card takes place when a user conducts an electronic transaction through a web program interface on a terminal computer, and comprises the following steps. Step S11: the user inserts the chip financial card into a card reader on the terminal computer. Step S12: the terminal computer reads the encryption certificate and the basic data from the chip financial card, produces a digest value of the basic data together with the signature value, and sends the digest value and signature value over the Internet to the application side. Step S13: the application side receives the digest value and signature value and confirms the card issuing unit of the encryption certificate. Step S14: the application side verifies the signature value with the card issuing unit's public key certificate and sends the verification result over the Internet to the terminal computer. Step S15: after learning the verification result through the web program interface, the user submits a transaction request. Step S16: the user enters the user password in the web program interface. Step S17: the signing private key and the signature certificate are read from the chip financial card into the terminal computer, a signature value is generated over the transaction request message with the signing private key, and the signature value is sent to the application side. Step S18: after receiving the signature value, the application side verifies the signature value, carries out the transaction, and returns the transaction result to the web program interface. Step S19: the transaction ends.

Continuing, in this embodiment step S17 further includes encrypting the transaction request message and the signature value with the card issuing unit's public key certificate, and in step S18 the application side must first decrypt with the card issuing unit's private key before verifying the signature; this ensures that only the card issuing unit can open the content of the transaction request.

In one embodiment, the Internet may be a wired Internet, and the user may use the certificates in the chip financial card for identity authentication when conducting electronic transactions, online banking or securities order placement from a computer. Alternatively, the user may authenticate over a wireless network when conducting electronic transactions. The present invention, by placing certificates into the financial card, allows users to conduct network transactions with greater security and confidentiality.

According to the above, one feature of the present invention is that the card issuing unit completes the planning of the certificate-related blocks when the chip financial card is initialized and places the certificate-related keys and data into the chip financial card. A chip financial card carrying certificates gives card issuing units that currently offer FXML electronic transactions, online banking and securities order placement an additional choice of certificate carrier. Furthermore, because the user's encryption certificate has already been sent to the application side in the above steps, each party's own certificate key can be used to sign or encrypt data during transmission, protecting data integrity, transaction security and non-repudiation.

In summary, the present invention provides a chip financial card issuing method with PKI functionality, so that all chip cards that support the ISO 7816 standard but do not support PKI computation can also possess the characteristics of a PKI card. Moreover, placing certificates into an ordinary card gives the chip financial card the advantages of a smart card, which not only reduces card cost but also strengthens the security of transactions made with the card itself. Further, the certificates in the chip financial card can be used to sign, verify, encrypt and decrypt the content of electronic transactions, raising the security and confidentiality of network transactions themselves. In addition, client-side users need not install card-related drivers, avoiding the inconvenience of installing software.

The embodiments described above serve only to explain the technical ideas and features of the present invention, so that those skilled in the art can understand and implement the invention; they cannot be used to limit the patent scope of the present invention. All equivalent changes or modifications made according to the spirit disclosed by the present invention should still be covered by the patent scope of the present invention.

[Brief Description of the Drawings]

Figure 1 is a flow chart of a chip financial card issuing method according to one embodiment of the present invention.

Figure 2 is a flow chart of the card verification for a chip financial card issued according to one embodiment of the present invention.

[Description of Reference Numerals]

S01 Plan the storage blocks for certificates and private keys
S02 Generate private keys and their certificate request files to submit certificate request messages
S03 Connect to a certificate application system to apply for certificates
S04 Store the certificates in the chip financial card
S05 Form a signature value over part of the data in the chip financial card and store it in the card
S11 User inserts the chip financial card
S12 Read the encryption certificate and basic data from the chip financial card, produce a digest value and a signature value, and send them to the application side
S13 Confirm the card issuing unit of the encryption certificate
S14 Verify the signature value with the card issuing unit's public key certificate
S15 After learning the verification result through the web program interface, the user submits a transaction request
S16 User enters the user password
S17 Generate a signature value over the transaction request message with the signing private key and send it to the application side
S18 Verify the signature value and carry out the transaction
S19 End the transaction
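The following is an added example, not code from the patent or its applicant, that simulates in Go both procedures described above: the initialization of the card (steps S01 to S05) and the transaction-time verification (steps S11 to S19). The patent does not name a signature scheme, a certificate format or a retry limit, so RSA PKCS#1 v1.5 over SHA-256, X.509 certificates, a card issuing unit modelled as a self-signed CA, a limit of three wrong passwords, and the names Card, Issue, NewIssuer, VerifySignedBy, VerifyTransaction and MaxPinRetries are all assumptions of this example, as are the sample basic data and password. The RA/CA split, the network transport and the optional encryption of the request with the issuing unit's public key are not modelled.

```go
// Added example, not the patent's code: issuing steps S01-S05 and verification steps S11-S19
// simulated with Go's standard-library RSA/X.509; names and sample values are assumptions.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

const MaxPinRetries = 3 // issuer-defined limit after which the private key block locks
var ErrCardLocked = errors.New("card locked: user password retry limit exceeded")

// Card models the chip storage of S01-S05: certificate block, signed basic data, and the password-protected private key block.
type Card struct {
	BasicData []byte
	IssuerSig []byte
	SigCert   *x509.Certificate
	sigKey    *rsa.PrivateKey // usable only after the user password is verified
	pinHash   [32]byte        // simulation only; a real chip checks the password on-card
	retries   int             // consecutive wrong passwords; the block locks at MaxPinRetries
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key or certificate generation failure is fatal in this simulation
	}
	return v
}

// makeCert issues a certificate signed by signer; parent == nil means a self-signed CA.
func makeCert(cn string, serial int64, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, parent = true, true, tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// VerifySignedBy checks an RSA PKCS#1 v1.5 signature over SHA-256(data) with the key in cert;
// the application side uses it in S14 with its own trusted copy of the issuer certificate.
func VerifySignedBy(cert *x509.Certificate, data, sig []byte) error {
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig)
}

// NewIssuer creates the card issuing unit's key pair and certificate (modelled as a self-signed CA).
func NewIssuer() (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	return key, makeCert("Example Issuing Bank (constructed)", 1, nil, &key.PublicKey, key)
}

// Issue runs initialization: card key pair (S03), certificate issued and stored (S04), issuer
// signature over the basic data for later tamper detection (S05).
func Issue(issKey *rsa.PrivateKey, issCert *x509.Certificate, basicData []byte, pin string) *Card {
	cardKey := must(rsa.GenerateKey(rand.Reader, 2048))
	digest := sha256.Sum256(basicData)
	return &Card{
		BasicData: basicData,
		IssuerSig: must(rsa.SignPKCS1v15(rand.Reader, issKey, crypto.SHA256, digest[:])),
		SigCert:   makeCert("cardholder signing certificate (constructed)", 2, issCert, &cardKey.PublicKey, issKey),
		sigKey:    cardKey,
		pinHash:   sha256.Sum256([]byte(pin)),
	}
}

// SignTransaction is S16-S17 on the card: the user password gates the private key block,
// which locks after MaxPinRetries wrong entries; then the transaction request is signed.
func (c *Card) SignTransaction(pin string, request []byte) ([]byte, error) {
	if c.retries >= MaxPinRetries {
		return nil, ErrCardLocked
	}
	entered := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(entered[:], c.pinHash[:]) != 1 {
		c.retries++
		return nil, errors.New("wrong user password")
	}
	c.retries = 0
	digest := sha256.Sum256(request)
	return rsa.SignPKCS1v15(rand.Reader, c.sigKey, crypto.SHA256, digest[:])
}

// VerifyTransaction is S18 on the application side: the card's signing certificate must chain
// to the trusted issuer certificate, and only then is the signature over the request checked.
func VerifyTransaction(trustedIssuer, cardCert *x509.Certificate, request, sig []byte) error {
	if err := cardCert.CheckSignatureFrom(trustedIssuer); err != nil {
		return err
	}
	return VerifySignedBy(cardCert, request, sig)
}
```

Two points of the design matter for a deployment of this kind. First, although the patent places a copy of the issuing unit's public key certificate on the card to speed up lookup, the application side must verify the basic-data signature (S14) and the certificate chain (S18) against its own trusted copy of that certificate; a verifier that trusted whatever certificate the card presented would accept a card carrying an arbitrary self-made "issuer". Second, the password comparison and retry counter here live in software only for illustration; on a real ISO 7816 card they are enforced by the chip, which is what makes the private key block unusable after the issuer's limit is exceeded rather than merely hidden from a well-behaved terminal.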