WO2007143932A1 - Usb digital authentication control method and atm and pos terminal applied to thereof - Google Patents


Info

Publication number
WO2007143932A1
Authority
WO
WIPO (PCT)
Prior art keywords
usb
controller
key
password
usb interface
Prior art date
Application number
PCT/CN2007/001820
Other languages
French (fr)
Chinese (zh)
Inventor
Nian Chen
Original Assignee
Nian Chen
Priority date
Filing date
Publication date
Priority claimed from CN 200620042711 (CN200962244Y)
Priority claimed from CN 200620042855 (CN200979724Y)
Application filed by Nian Chen
Publication of WO2007143932A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 (H04L9/32) using challenge-response
    • H04L9/3226 (H04L9/32) using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3263 (H04L9/32) involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A USB digital authentication control method comprises the steps: after the owner inserts a USB Key into a USB interface, an interface circuit sends a signal to the controller of a work host; the controller sends a string of random plaintext to the USB Key and requests encryption; the USB Key encrypts the random plaintext to produce a ciphertext and sends the ciphertext and a digital certificate to the controller; the controller, using the digital certificate, locates a CA over the Internet to verify the certificate and extract the corresponding public key, decrypts the ciphertext with that public key to obtain a decrypted plaintext and compares it with the random plaintext; when the two match, the controller obtains from the bank system host the information on the bank account associated with the digital certificate, for the owner to operate on. An ATM and a POS terminal are also disclosed. By combining a USB interface with a digital certificate, one USB Key can manage all of the owner's bank accounts with good convenience and security.

Description

USB digital authentication control method, and automated teller machine and POS terminal applying the method
Technical field
The present invention relates to the field of digital authentication, and in particular to a digital authentication control method that uses a USB interface. The invention also relates to a POS terminal with a USB interface and an automated teller machine with a USB interface that apply the above method.
Background
At present, work hosts such as bank POS terminals and automated teller machines are generally built from a controller, a card reader, a hardware encryption card, a communication card (network card or modem card), a display, a keypad and a housing. Bank cards are generally magnetic stripe cards, and the stripe usually carries the card number and anti-counterfeiting data. The identity verification flow when a cardholder uses such a card is: the user first swipes the card's magnetic stripe through the POS terminal's card reader, then, prompted by the terminal, enters a personal password (PIN) on the keypad. The POS terminal first sends the card number to the controller and at the same time passes the password to the hardware encryption card for encryption; the encrypted password is then also sent to the controller. The controller sends the card number and the encrypted password through the communication card to the bank system host, which verifies that the card number and password match; only after this verification passes is the user allowed to perform operations such as purchases. There is also a class of chip cards among bank cards; these differ from magnetic stripe cards in that, to support offline transactions, they store part of the transaction data on the card. A chip card can be swiped by its magnetic stripe, in which case the process is exactly as described above, or read by its chip, which usually requires inserting the chip end of the card into the card reader.
With the continuing growth of online banking, more and more users rely on it for transfers and payments. Because the Internet is open, using a card number and password online carries growing risk, and cases in which a user's card number and password are stolen and cause significant financial loss are common. To secure online banking transactions, banks have generally introduced digital certificates as the means of authenticating users online. A digital certificate is an identity verification method built on an asymmetric encryption algorithm. The basis of such an algorithm is a pair of keys, a public key and a private key, which are generated inside the USB Key. The private key is kept in the USB Key permanently and is never output from it, while the public key is transmitted by the USB Key to the CA (certification authority), which makes it into a digital certificate, publishes the certificate online and loads it into the USB Key for lookup. Both keys can encrypt data, and each operation is the inverse of the other. During authentication, the control host presents a piece of data to the holder and asks the holder to encrypt it with the private key. After receiving the data encrypted with the private key, the control host queries the CA for the holder's public key, decrypts the encrypted data with that public key and compares the result with the original data; if the two match, the holder's identity is confirmed.
First, the online banking user must go in person to the bank counter, present identity documents, collect the private key carrier and apply to have a bank card associated with a digital certificate. Common private key carriers are optical discs, hard disks and USB Keys; the carrier holds the user's private key and the associated public key information in X.509 format. Because Trojans and other spyware are now rampant, most PCs are in a very insecure state, and a private key stored on a hard disk is very easy to steal, which directly threatens the safety of the user's funds. Storing the private key on an optical disc or an ordinary USB flash drive is also insecure, because the private key must be read into the PC to perform the encryption computation, and that process can easily leak it. The best carrier at present is the USB Key. A USB Key looks like a USB flash drive, but in addition to some storage it contains a computing chip. All encryption with the private key is performed inside the USB Key, so the private key is not exposed.
The convenience of online banking will attract a large number of users to adopt USB Keys. Once a user already owns a USB Key and has associated it with a bank card, using the USB Key directly at a bank POS terminal becomes a natural next step.
Summary of the invention
In view of the above drawbacks of the prior art, the technical problem the present invention aims to solve is to provide a digital authentication control method.
A further object of the present invention is to provide an automated teller machine with a USB interface that applies the method of the present invention.
A further object of the present invention is to provide a POS terminal with a USB interface that applies the method of the present invention.
To achieve the above objects, the present invention provides a USB digital authentication control method, which is a method of controlling a work host by means of a digital certificate. The work host communicates with an external USB Key through a USB interface, and the control method comprises the following steps:
Step one: the holder inserts the external USB Key into the USB interface of the work host, and the interface circuit of the USB interface sends a signal to the controller of the work host;
Step two: the controller generates a string of random plaintext and sends it through the USB interface to the USB Key, requesting encryption;
Step three: the USB Key encrypts the random plaintext to produce a ciphertext and sends the ciphertext together with a digital certificate in X.509 format to the controller through the interface circuit;
Step four: the controller, using the digital certificate, locates the corresponding CA over the Internet, verifies the certificate and extracts the corresponding public key;
Step five: the controller decrypts the ciphertext with the public key to produce a decrypted plaintext and compares the decrypted plaintext with the random plaintext;
Step six: when the decrypted plaintext matches the random plaintext, proceed to step seven;
when the decrypted plaintext does not match the random plaintext, the controller refuses to accept any further instructions from the holder;
Step seven: the controller obtains, from the bank system host connected to the work host, the information on the bank account associated with the holder's digital certificate, for the holder to operate on.
Preferably, in step six, when the decrypted plaintext matches the random plaintext, the following steps are performed:
first, the controller prompts the holder, via a keypad, to enter a password;
next, the password entered on the keypad goes directly into a hardware encryption card to be encrypted; the controller then sends the encrypted password through the USB interface into the USB Key, where it is compared with the password stored in the USB Key; when the comparison matches, proceed to step seven;
when the comparison does not match, the controller refuses to accept any further instructions from the holder.
Preferably, the work host is an automated teller machine or a POS terminal.
The present invention also provides an automated teller machine applying the digital authentication method of the invention, comprising an ATM host communicatively connected to a bank system host; a keypad for entering a password;
and a USB interface communicatively connected to the USB Key, the USB interface being electrically connected to the ATM host through a USB interface circuit so as to establish communication between the ATM and the USB Key;
the ATM host obtains the digital certificate loaded in the USB Key over the communication link between the USB interface and the USB Key, then verifies the digital certificate with the CA over the Internet; at the same time the ATM host accepts a password through the keypad and verifies it; when both the digital certificate and the password pass verification, the ATM permits the USB Key holder to transact on his or her bank account.
Because the automated teller machine of the invention has a USB interface, when the digital certificate loaded in a USB Key is used to operate the ATM, the user simply inserts the USB Key into the ATM's USB interface, enters the password when prompted, which satisfies the requirement for two-factor authentication, and then selects the bank card or bank account associated with the digital certificate to carry out the desired transaction. What distinguishes ATM operation with a USB Key is that one USB Key can be associated with any number of accounts and bank cards, so a single USB Key can manage all of a user's bank accounts. The ATM with USB interface of the invention therefore offers good convenience and security.
The present invention also provides a POS terminal applying the digital authentication method of the invention, comprising a controller communicatively connected to a bank system host; a keypad for entering a password;
and a USB interface communicatively connected to the USB Key, the USB interface being electrically connected to the controller through a USB interface circuit so as to establish communication between the bank POS terminal and the USB Key;
the bank POS terminal obtains the digital certificate loaded in the USB Key over the communication link between the USB interface and the USB Key, then verifies the digital certificate with the CA over the Internet; at the same time the bank POS terminal accepts a password through the keypad and verifies it; when both the digital certificate and the password pass verification, the bank POS terminal permits the USB Key holder to transact on his or her bank account.
Because the bank POS terminal of the invention has a USB interface, when the digital certificate loaded in a USB Key is used to operate the POS terminal, the user simply inserts the USB Key into the terminal's USB interface, enters the password when the terminal prompts, which satisfies the requirement for two-factor authentication, and then selects the bank card or bank account associated with the digital certificate to carry out the desired transaction. What distinguishes POS operation with a USB Key is that one USB Key can be associated with any number of accounts and bank cards, so a single USB Key can manage spending from all of a user's bank accounts. The bank POS terminal with USB interface of the invention therefore offers good convenience and security.
The concept, specific structure and technical effects of the invention are further described below with reference to the drawings, so that its objects, features and effects can be fully understood.
Brief description of the drawings
Figure 1 is a schematic diagram of the structure of a bank POS terminal applying the method of the invention.
Figure 2 is a schematic diagram of the structure of an automated teller machine applying the method of the invention.
Detailed description
As shown in Figure 1, the bank POS terminal of the invention verifies the payer's identity by means of a digital certificate. Using a USB Key loaded with a digital certificate, the user can perform a series of operations such as purchase, pre-authorization and pre-authorization completion on a POS terminal with a USB interface.
The structure, use and benefits of the bank POS terminal of the invention are described below with reference to the drawing. The bank POS terminal with USB interface of the invention comprises: a controller communicatively connected to the bank system host; a keypad for entering a password, connected to the controller via a hardware encryption card; and a USB interface communicatively connected to the USB Key, the USB interface being electrically connected to the controller through a USB interface circuit so as to establish communication between the bank POS terminal and the USB Key. The specific application of the method of the invention is explained below through the steps of using a bank POS terminal with a USB interface:
(1) When a POS terminal user inserts a USB Key into the USB interface and requests identity authentication, the interface circuit of the USB interface sends a signal to the POS terminal's controller indicating that someone is requesting authentication;
(2) the controller sends a string of plaintext through the USB interface and asks the user's USB Key to encrypt it;
(3) after encrypting the plaintext, the USB Key sends the ciphertext and a digital certificate in X.509 format to the controller through the interface circuit;
(4) using the X.509 digital certificate, the controller locates the relevant CA over the Internet, verifies the certificate and extracts the public key;
(5) the controller decrypts the ciphertext with the public key and compares the result with the original plaintext;
(6) if the plaintext and the decrypted ciphertext do not match, the controller can conclude that the USB Key is forged and does not belong to the holder named in the digital certificate, and it refuses to let the user continue;
(7) if the plaintext and the decrypted ciphertext match, the controller can conclude that the USB Key is not forged and does belong to the holder named in the digital certificate;
(8) the controller prompts the holder, via the keypad, to enter a password;
(9) after the user enters the password on the keypad, the password goes directly into the hardware encryption card for encryption;
(10) the controller sends the encrypted password through the USB interface into the USB Key, where it is compared with the password stored in the USB Key;
(11) if the passwords match, it can be confirmed that the person currently holding the USB Key is the holder of the digital certificate and not someone who has stolen the USB Key;
(12) the controller then obtains from the bank system host the information on the bank account associated with the holder's digital certificate, for the user to operate on;
(13) if the passwords do not match, it can be concluded that the current user of the USB Key has stolen it, and the controller refuses access to the USB Key holder's account.
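The thirteen steps above (and the identical sequence for the ATM that follows) as an added worked example. This is editorial code written for this page, not code from the patent, which discloses no implementation. It uses Go's standard library to play both sides: the terminal draws a fresh random challenge, the USB Key answers it, the terminal validates the key's X.509 certificate against the CA and checks the answer with the public key from that certificate, and finally the PIN is compared inside the key. Three points are assumptions rather than the patent's text. The "encrypt the plaintext with the private key, decrypt with the public key and compare" step is implemented as an RSA-PSS signature over a hash of the challenge plus a signature verification, because a padded signature scheme is the primitive that safely proves possession of a private key; raw RSA applied to a plaintext the other side chooses is not. The CA certificate is pinned in the terminal as a fixed trust anchor rather than located over the Internet from the certificate being checked. The PIN is stored in the key as a SHA-256 digest and compared in constant time, standing in for the hardware-encryption-card value of steps (9) and (10). The hardware encryption card, the bank system host and certificate revocation are not modelled; all keys and certificates are generated in memory as constructed test material, and the names Example Bank CA and holder-0001 are made up.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// UsbKey stands in for the token: the private key never leaves it, the terminal
// can only ask it to sign a challenge or to check a PIN.
type UsbKey struct {
	priv      *rsa.PrivateKey
	certDER   []byte   // X.509 certificate the CA issued for this key
	pinDigest [32]byte // assumption: the key stores SHA-256(PIN), never the PIN itself
}

// SignChallenge is step (3). The patent says "encrypt the plaintext with the
// private key"; the primitive that actually does that job is a signature.
func (k *UsbKey) SignChallenge(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, k.priv, crypto.SHA256, h[:], nil)
}

// CheckPIN is steps (10) and (11): the comparison happens inside the key.
func (k *UsbKey) CheckPIN(pin string) bool {
	d := sha256.Sum256([]byte(pin))
	return subtle.ConstantTimeCompare(k.pinDigest[:], d[:]) == 1
}

// Terminal stands in for the POS or ATM controller. The CA certificate is pinned
// here (assumption) instead of being located over the Internet as in step (4).
type Terminal struct{ roots *x509.CertPool }

// Authenticate runs steps (2) to (7) and returns the certificate subject that the
// terminal would pass on to the bank host in step (12).
func (t *Terminal) Authenticate(key *UsbKey) (string, error) {
	challenge := make([]byte, 32) // fresh per attempt, so a recorded answer cannot be replayed
	if _, err := rand.Read(challenge); err != nil {
		return "", err
	}
	sig, err := key.SignChallenge(challenge)
	if err != nil {
		return "", err
	}
	cert, err := x509.ParseCertificate(key.certDER)
	if err != nil {
		return "", err
	}
	// Step (4): the certificate must chain to a CA the terminal trusts.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: t.roots}); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("certificate does not carry an RSA key")
	}
	// Steps (5) to (7): only the holder of the matching private key can answer.
	h := sha256.Sum256(challenge)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil); err != nil {
		return "", errors.New("challenge answer invalid: key does not match certificate")
	}
	return cert.Subject.CommonName, nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert generates an RSA key and a certificate for cn. With ca == nil it builds
// a self-signed CA; otherwise the certificate is issued by ca and signed by caKey.
func newCert(cn string, ca *x509.Certificate, caKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if ca == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		ca, caKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &priv.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return priv, cert
}

// Setup builds an in-memory CA, a terminal that trusts it, and a key enrolled under
// cn with the given PIN. Everything is constructed test material, not a bank's.
func Setup(cn, pin string) (*Terminal, *UsbKey) {
	caKey, caCert := newCert("Example Bank CA", nil, nil)
	holderKey, holderCert := newCert(cn, caCert, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &Terminal{roots: roots}, &UsbKey{priv: holderKey, certDER: holderCert.Raw, pinDigest: sha256.Sum256([]byte(pin))}
}

func main() {
	term, key := Setup("holder-0001", "1234")
	cn, err := term.Authenticate(key)
	fmt.Println("genuine key:", cn, err, "| PIN 1234 accepted:", key.CheckPIN("1234"))
}
```

Running it with go run prints the holder name the genuine key authenticates as and that the PIN is accepted. The rejection path of step (6) is reached in two ways: a key that presents a copy of a genuine certificate but holds a different private key fails at rsa.VerifyPSS, and a certificate issued by a CA the terminal does not trust fails at cert.Verify before the signature is even examined. A wrong PIN fails CheckPIN, as in step (13).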
Figure 2 shows an automated teller machine applying the method of the invention, which verifies the identity of the person depositing or withdrawing by means of a digital certificate. With a USB Key loaded with a digital certificate, a bank customer can deposit, withdraw, transfer and pay at an ATM with a USB interface.
The structure, use and benefits of the ATM of the invention are described below with reference to the drawing. The ATM with USB interface of the invention comprises: an ATM host communicatively connected to the bank system host; a keypad for entering a password, connected to the controller via a hardware encryption card; and a USB interface communicatively connected to the USB Key, the USB interface being electrically connected to the ATM host through a USB interface circuit so as to establish communication between the ATM and the USB Key.
The specific application of the method of the invention is explained below through the steps of using an ATM with a USB interface:
(1) When an ATM user inserts a USB Key into the USB interface and requests identity authentication, the interface circuit of the USB interface sends a signal to the ATM host indicating that someone is requesting authentication;
(2) the ATM host sends a string of plaintext through the USB interface and asks the holder's USB Key to encrypt it;
(3) after encrypting the plaintext, the USB Key sends the ciphertext and a digital certificate in X.509 format to the ATM host through the interface circuit;
(4) using the X.509 digital certificate, the ATM host locates the relevant CA over the Internet, verifies the certificate and extracts the public key;
(5) the ATM host decrypts the ciphertext with the public key and compares the result with the original plaintext;
(6) if the plaintext and the decrypted ciphertext do not match, the ATM host can conclude that the USB Key is forged and does not belong to the holder named in the digital certificate, and it refuses the user access;
(7) if the plaintext and the decrypted ciphertext match, the ATM host can conclude that the USB Key is not forged and does belong to the holder named in the digital certificate;
(8) the ATM host prompts the holder, via the keypad, to enter a password;
(9) after the holder enters the password on the keypad, the password goes directly into the hardware encryption card for encryption;
(10) the ATM host sends the encrypted password through the USB interface to the USB Key for comparison;
(11) if the passwords match, it can be confirmed that the person currently holding the USB Key is the holder of the digital certificate and not someone who has stolen the USB Key;
(12) the ATM host then obtains from the bank system host the information on the bank account associated with the holder's digital certificate, for the user to operate on;
(13) if the passwords do not match, it can be concluded that the current user of the USB Key has stolen it, and the ATM host refuses access to the USB Key holder's account.
In summary, this specification describes only a few preferred embodiments of the invention; the embodiments above serve only to illustrate the technical solution of the invention and not to limit it. Any technical solution that a person skilled in the art can derive from the concept of the invention on the basis of the prior art by logical analysis, reasoning or limited experimentation falls within the scope of the claims of the invention.

Claims

权 利 要 求 书 Claim
1. A USB digital authentication control method, being a method of controlling a working host by means of a digital certificate, wherein the working host communicates with an external USB Key through a USB interface, the control method comprising the following steps:
Step 1: the external USB Key is inserted by its holder into the USB interface of the working host, and the interface circuit of the USB interface sends a signal to the controller of the working host;
Step 2: the controller issues a string of random plaintext to the USB Key through the USB interface and requests that it be encrypted;
Step 3: the USB Key encrypts the random plaintext to produce a ciphertext, and sends the ciphertext together with a digital certificate in X.509 format to the controller through the interface circuit;
Step 4: the controller, according to the digital certificate, locates the corresponding CA certification center over the Internet, verifies the certificate and extracts the corresponding public key;
Step 5: the controller decrypts the ciphertext with the public key to obtain a decrypted plaintext, and compares the decrypted plaintext with the random plaintext;
Step 6: when the decrypted plaintext matches the random plaintext, proceed to step 7;
when the decrypted plaintext does not match the random plaintext, the controller refuses to accept any further instructions from the holder;
Step 7: the controller obtains, through the bank system host communicatively connected to the working host, the bank account information associated with the holder via the digital certificate, for the holder to operate on.
2. The USB digital authentication control method according to claim 1, characterized in that in step 6, when the decrypted plaintext matches the random plaintext, the following steps are carried out: first, the controller prompts the holder, via a keyboard, to enter a password;
next, the password is entered through the keyboard and passes directly into a hardware encryption card for encryption; then the controller sends the encrypted password through the USB interface into the USB Key, where it is compared with the password stored in the USB Key;
when the password comparison matches, proceed to step 7;
when the password comparison does not match, the controller refuses to accept any further instructions from the holder.
3. The USB digital authentication control method according to claim 1 or 2, characterized in that the working host is an automated teller machine or a POS terminal.
4. An automated teller machine applying the method of any one of claims 1 to 3, comprising an ATM host communicatively connected to a bank system host, and a keyboard for entering a password, characterized in that:
it further comprises a USB interface communicatively connected to the USB Key, the USB interface being electrically connected to the ATM host through a USB interface circuit so as to provide the communication connection between the ATM and the USB Key;
the ATM host obtains the digital certificate loaded in the USB Key over the communication connection between the USB interface and the USB Key, and then verifies the digital certificate with the CA certification center over the Internet; at the same time the ATM host accepts a password through the keyboard and verifies the password; when both the digital certificate and the password pass verification, the ATM permits the USB Key holder to transact on their bank account.
5. A POS terminal applying the method of any one of claims 1 to 3, comprising a controller communicatively connected to a bank system host, and a keyboard for entering a password, characterized in that:
it further comprises a USB interface communicatively connected to the USB Key, the USB interface being electrically connected to the controller through a USB interface circuit so as to provide the communication connection between the bank POS terminal and the USB Key;
the bank POS terminal obtains the digital certificate loaded in the USB Key over the communication connection between the USB interface and the USB Key, and then verifies the digital certificate with the CA certification center over the Internet; at the same time the bank POS terminal accepts a password through the keyboard and verifies the password; when both the digital certificate and the password pass verification, the bank POS terminal permits the USB Key holder to transact on their bank account.
PCT/CN2007/001820 2006-06-12 2007-06-08 Usb digital authentication control method and atm and pos terminal applied to thereof WO2007143932A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN200620042711.6 (CN200962244Y, en) 2006-06-12 2006-06-12 Automatic ATM with the USB interface
CN200620042855.1 (CN200979724Y, en) 2006-06-19 2006-06-19 A bank-union POS machine terminal with USB interface

Publications (1)

Publication Number Publication Date
WO2007143932A1 true WO2007143932A1 (en) 2007-12-21

Family

ID=38831414

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/001820 WO2007143932A1 (en) 2006-06-12 2007-06-08 Usb digital authentication control method and atm and pos terminal applied to thereof

Country Status (1)

Country Link
WO (1) WO2007143932A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103971240A (en) * 2013-01-30 2014-08-06 裘羽 Method for dependable network payment
CN106326790A (en) * 2015-06-30 2017-01-11 国民技术股份有限公司 Account verification device and method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1427351A (en) * 2001-12-17 2003-07-02 北京兆日科技有限责任公司 User's identity authentication method of dynamic electron cipher equipment and its resources sharing system
US20040133775A1 (en) * 2003-01-07 2004-07-08 Callas Jonathan D. System and method for secure electronic communication in a partially keyless environment
CN1556449A (en) * 2004-01-08 2004-12-22 中国工商银行 Device and method for proceeding encryption and identification of network bank data
CN2667807Y (en) * 2004-01-08 2004-12-29 中国工商银行 Network bank with device for encrypting and idetificating utilizing USB key
US6912284B1 (en) * 1983-06-13 2005-06-28 The United States Of America As Represented By The National Security Agency Self-Authenticating cryptographic apparatus
US20060010325A1 (en) * 2004-07-09 2006-01-12 Devon It, Inc. Security system for computer transactions



Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 07721393; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 07721393; Country of ref document: EP; Kind code of ref document: A1)