WO2009039771A1 - Mobile payment terminal and payment method based on pki technology - Google Patents

Mobile payment terminal and payment method based on PKI technology

Publication number
WO2009039771A1
Authority
WO
WIPO (PCT)
Prior art keywords
smart card
terminal
digital certificate
mobile
card reader
Prior art date
Application number
PCT/CN2008/072402
Other languages
French (fr)
Chinese (zh)
Inventor
Guilin Peng
Xiaohan Yuan
Yong Min
Mingming Ge
Original Assignee
China Unionpay Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Unionpay Co., Ltd. filed Critical China Unionpay Co., Ltd.
Publication of WO2009039771A1 publication Critical patent/WO2009039771A1/en

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/20Point-of-sale [POS] network systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3226Use of secure elements separate from M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3227Aspects of commerce using mobile devices [M-devices] using secure elements embedded in M-devices

Definitions

  • The present invention relates to the application of digital certificates, and in particular to a mobile payment terminal and payment method based on PKI technology.
  • Mobile phone payment, also known as mobile payment, is a payment service that binds a mobile phone number to a bank card number.
  • At present, the mobile payment service relies mainly on an identity authentication mechanism based on a static payment password, and is carried out over two channels: short message (SMS) and WAP (Wireless Application Protocol).
  • The identity authentication mechanism based on the static payment password is one in which the banking system allows the user to pay once it has authenticated static information such as the mobile phone user's login password and payment password.
  • Doing business with static passwords is convenient and easy to use. However, this identity authentication mechanism has the following problem. Suppose a user has not applied for the mobile payment service, but important information such as the user's bank card number and payment password is leaked or stolen. The person who obtained the information does not hold the bank card, so cannot withdraw money at a counter or self-service terminal; if that person uses online banking, the card number and payment password alone are not enough to complete a payment, because current online banking vets users very strictly. In this case, that person will use the obtained card number and payment password to register for the mobile payment service, and then use a mobile phone to carry out payment operations such as transfers or purchases. The identity authentication mechanism based on the static payment password is therefore less secure, and in recent years a large number of cardholder funds have been stolen by others.
  • Moreover, for the transmission of payment information, mobile payment mainly uses SMS and WAP.
  • In SMS mode, the payment content (including the payment password) is entirely plain text and is easily stolen in transit.
  • In WAP mode, although encryption is used on the transmission channel from the mobile phone to the banking system, the data has to be decrypted at the WAP gateway for protocol conversion, and this link also has a security problem, so end-to-end encryption (mobile phone to banking system) cannot be achieved.
  • The current mobile payment service therefore carries hidden risks in both the identity authentication mechanism and the information transmission mechanism. With the continuous development of mobile payment services, these deficiencies may pose potential business risks.
  • the technical problem to be solved by the present invention is to provide a mobile payment terminal and a payment method based on PKI technology, so as to solve the problem that the current mobile payment service has potential risks in the identity authentication mechanism and the information transmission mechanism.
  • the present invention discloses the following technical solutions:
  • a mobile payment terminal includes:
  • a smart card reader/writer for reading, writing and erasing the smart card;
  • a terminal chip with an added control function, configured to control the smart card reader/writer to access the smart card; and a data interface, configured to provide data communication between the terminal chip and an external device.
  • the data interface includes a data line interface, and/or an infrared interface, and/or a Bluetooth interface, and/or a remote wireless interface.
  • the terminal further includes: a terminal kit installed on the external device to provide terminal control and communication functions, with functions for downloading, deleting and applying the digital certificate added to the kit.
  • When the smart card is external, the terminal further includes: a slot for providing a connection between the smart card and the smart card reader/writer.
  • the smart card can store multiple digital certificates.
  • a method for downloading a digital certificate to the mobile terminal includes:
  • the mobile terminal initiates a download request and sends it to the server through an external device; the terminal chip controls the smart card reader to write the digital certificate to the smart card.
  • the method further comprises: requesting the user to input the smart card access password and verifying.
  • the manner in which the mobile terminal initiates the download request comprises: directly initiating at the mobile terminal, and the terminal chip sends the download request to the external device through the data interface; or triggering the download function provided by the terminal kit installed in the external device to initiate.
  • a method for downloading a digital certificate to the mobile terminal includes: The mobile terminal initiates a download request by using a WAP mode;
  • the terminal chip sends the request to the server through the remote wireless interface, and receives the digital certificate returned by the server;
  • the terminal chip controls the smart card reader to write the digital certificate to the smart card.
  • the method further comprises: requesting the user to input the smart card access password and verifying.
  • a method for applying a digital certificate in the above mobile terminal comprising:
  • the mobile terminal initiates a certificate application request by using a WAP method
  • the terminal chip controls the smart card reader to access the smart card, and the smart card uses the digital certificate to sign and encrypt the transaction data;
  • the terminal chip sends the encrypted data to the server through a remote wireless interface to establish a payment channel of the mobile terminal.
  • the smart card reader further includes: requesting the user to input the smart card access password and verifying.
  • a method for applying a digital certificate in the above mobile terminal comprising:
  • the user initiates a certificate application request through the external device, and the external device sends the request to the terminal chip through the data interface;
  • the terminal chip controls the smart card reader to access the smart card, and the smart card uses the digital certificate to sign and encrypt the transaction data;
  • the terminal chip sends the encrypted data to the server through an external device to establish an online payment channel.
  • the smart card reader further includes: requesting the user to input the smart card access password and verifying.
  • a method for deleting a digital certificate from the mobile terminal includes:
  • the terminal chip controls the smart card reader to remove the digital certificate from the smart card.
  • the method further includes: requesting the user to input the smart card access password and verifying.
  • the method further includes: requesting the user to input the smart card access password and verifying.
  • the following technical effects are disclosed:
  • The embodiment of the present invention provides a secure mobile payment terminal based on PKI (Public Key Infrastructure) technology. By adding a smart card to the terminal, and adding a control function for the smart card to the terminal chip, the digital certificate can be downloaded into the smart card. Based on this, the user can use the mobile terminal to complete secure mobile payment.
  • On the one hand, a digital certificate-based mobile payment security verification mechanism can be established to comprehensively improve the security of mobile payment, avoiding the misappropriation of cardholder funds due to the insufficient static password verification mechanism; on the other hand, a secure transmission mechanism for transaction data can be established, which avoids transmitting the cardholder's payment data in clear text and ensures the security of the cardholder's funds.
  • A USB KEY is a smart storage device that can store the online banking certificate and perform digital signature and signature verification operations.
  • USB KEY technology has been widely adopted to ensure payment security.
  • Although the USB KEY has high security, some cardholders still use static passwords, file certificates and methods at other security levels to make online payments, because of the high cost and the restrictions on network application. In addition, the USB KEY is not a must-have item, and it is not convenient for the cardholder to carry. After adopting the invention, since the mobile terminal is a device the cardholder already carries, and no additional application fees and costs are required, it is more convenient and practical than the USB KEY.
  • FIG. 1 is a rear view of a secure payment mobile phone based on PKI technology according to an embodiment of the present invention;
  • FIG. 2 is a logical structural diagram of the secure payment mobile phone shown in FIG. 1;
  • FIG. 3 is a flowchart of downloading a digital certificate to a secure payment mobile phone in an online mode according to an embodiment of the present invention;
  • FIG. 4 is a flowchart of downloading a digital certificate to a secure payment mobile phone in a wireless mode according to an embodiment of the present invention;
  • FIG. 5 is a flowchart of performing mobile payment according to an embodiment of the present invention.
  • PKI is the abbreviation of "Public Key Infrastructure". It is a general-purpose security infrastructure built on the principles and technology of asymmetric cryptography. PKI uses the digital certificate to identify the key holder. Through standardized management of keys, it establishes and maintains a trustworthy system environment for the organization, transparently providing the application system with identity authentication, data confidentiality and integrity, non-repudiation and other necessary security guarantees, to meet the security needs of various application systems. Simply put, PKI is a system that provides public key encryption and digital signature services, in order to automatically manage keys and certificates, and to ensure the confidentiality, authenticity, integrity and non-repudiation of digital information transmitted on the Internet. PKI technology is the core of information security technology and the key and basic technology of e-commerce. The basic technologies of PKI include encryption, digital signatures, data integrity mechanisms, digital envelopes, dual digital signatures, and more.
  • the embodiment of the invention provides a secure mobile payment terminal based on PKI technology.
  • the digital certificate can be downloaded to the mobile terminal, and a digital certificate-based mobile payment security verification mechanism is established.
  • On the one hand, the user can use the mobile terminal to complete secure mobile payment; on the other hand, when the terminal is connected to an external device by a data line or an interface such as infrared or Bluetooth, the user can also use the mobile terminal instead of the USB KEY to make secure online payments.
  • FIG. 1 is a rear view (with the back cover and the battery removed) of the secure payment mobile phone based on PKI technology according to the embodiment of the present invention.
  • the secure payment mobile phone adds a smart IC card 1, an IC card slot 2, a contact IC card reader (not shown), and the like, and has the following functions:
  • the smart IC card 1 is a type of IC card (integrated circuit card), which is a CPU card in which a microprocessor chip CPU, a storage unit (including a random access memory RAM, a program memory ROM, and a user data memory EEPROM) and a solidification are integrated.
  • the smart IC card 1 is equivalent to an independent single chip microcomputer system.
  • the size of the IC card is equivalent to the size of the SIM card, and is a security chip independent of the SIM card.
  • The digital certificate is stored in the EEPROM storage area, the digital signature and data encryption algorithms are built into the chip operating system (COS), and the signing and encryption with the digital certificate during payment are carried out inside the smart IC card 1. Therefore, the data the mobile phone reads out is already signed and encrypted, and the security is higher.
  • The smart IC card 1 can store multiple digital certificates; how many depends on the EEPROM capacity.
  • the IC card slot 2 is placed in a position juxtaposed with the SIM card slot to provide insertion or removal of the smart IC card 1.
  • the contact IC card reader can read and write the smart IC card 1 through a plurality of metal contacts located in the slot.
  • the smart IC card 1 is installed in the mobile phone by inserting the IC card slot 2, and the smart IC card 1 can also be moved to other mobile terminals having similar functions.
  • the smart IC card 1 can also be solidified in the mobile phone, but this method lacks flexibility.
  • The mobile phone shown in FIG. 1 adds a control program for the IC card reader/writer to the operating system of the mobile phone chip (the core hardware of the phone, not the SIM card or the certificate-storing smart IC card 1 of this embodiment).
  • the mobile phone chip can access the smart card 1 by controlling the IC card reader through the mobile phone operating system.
  • the mobile phone shown in FIG. 1 communicates with an external device through the data interface 3, and the data interface 3 refers to a data line interface or a wireless interface such as infrared or Bluetooth.
  • the phone also has a built-in remote wireless application module for data exchange between the mobile phone and the remote server.
  • The phone also comes with a PC suite, supplied on a CD that ships with the phone.
  • The PC suite is software that connects and synchronizes the phone with a computer. It is installed on a computer connected to the phone to help manage the phone.
  • foreign trade machines such as Nokia, Samsung, Sony Ericsson, etc.
  • Since the smart IC card 1 is added to the mobile phone, the corresponding control function is also added to the PC suite.
  • When the mobile phone is connected to the computer through a data line or an interface such as infrared or Bluetooth, the newly added certificate download, delete and apply functions in the PC suite can be used.
  • FIG. 2 is a logical structural diagram of the secure payment mobile phone shown in FIG. 1, illustrating the logical relationship between the various components of the mobile phone.
  • The mobile phone chip 5, with the added control function, controls the IC card reader/writer 4 to access the smart IC card 1, and the IC card reader/writer 4 performs operations such as reading, writing and erasing on the smart IC card 1.
  • the mobile phone chip 5 is connected to the USB interface of the external computer through the data line interface 3, or is connected to the infrared and Bluetooth interfaces of the external computer through the infrared and Bluetooth interface 3 for data exchange.
  • In the WAP mode, the mobile phone chip 5 communicates with the remote wireless server through the wireless application module 6. Based on the secure payment handset described above, the digital certificate application process implemented by the mobile phone is described below.
  • The embodiment of the present invention provides two ways to download a digital certificate into a mobile phone: an online mode and a wireless mode.
  • In the online mode, the mobile phone is first connected to the computer through a data cable or an interface such as infrared or Bluetooth, and the digital certificate is then downloaded to the smart IC card in the mobile phone through the relevant online banking page.
  • Mobile users can choose to download the certificate through the mobile app, or they can initiate a certificate download on the PC through the PC Suite.
  • the mobile phone application refers to a corresponding download menu provided in the operation interface after adding a smart IC card in the mobile phone, and the user selects to initiate a download request. The detailed steps are as follows:
  • Step 301 The user initiates a digital certificate download request directly on the mobile phone through the mobile phone application, or connects the mobile phone to the computer through a data line or an interface such as infrared or Bluetooth, and then applies to download the certificate through the certificate download function of the mobile phone PC suite on the computer;
  • Step 302 If the request is initiated by the mobile phone application, the mobile phone chip sends the certificate download request to the computer through a data line or an interface such as infrared or Bluetooth; if the PC suite is used to initiate the request, this step is omitted;
  • Step 303 the mobile phone suite program in the computer applies to download the digital certificate through the online banking web page;
  • Step 304 the mobile phone suite program in the computer receives the digital certificate issued by the server;
  • Step 305 the mobile phone suite program in the computer sends the digital certificate back to the phone through the data line or an interface such as infrared or Bluetooth;
  • Step 306 the mobile phone chip sends a write request to the smart IC card through the IC card reader/writer;
  • Step 307 the IC card reader/writer requests the user to input the IC card access password;
  • Step 308 the user inputs an access password;
  • Step 309 the IC card operating system verifies that the access password is correct, and writes the digital certificate into the special certificate storage area.
  • Step 307 is a preferred step of the embodiment: the mobile phone user needs to set a password to protect access to the smart IC card, and the certificate download can be completed only when the correct password is entered.
  • In the wireless mode, the user accesses the bank page through WAP, and then downloads the digital certificate to the mobile phone over the air.
  • the detailed steps are as follows:
  • Step 401 The user logs in to the bank WAP page through the mobile phone to apply to download the digital certificate;
  • Step 402 the mobile phone chip sends the certificate download request to the remote bank host through the wireless application module;
  • Step 403 the bank host returns the required digital certificate to the mobile phone;
  • Step 404 the mobile phone chip sends a write request to the IC card through the IC card reader/writer;
  • Step 405 the IC card reader/writer requests the user to input an IC card access password;
  • Step 406 The user inputs an access password;
  • Step 407 the IC card operating system verifies that the access password is correct, and writes the digital certificate into the special certificate storage area.
  • Asymmetric encryption uses different keys for encryption and decryption, and usually requires two keys: a public key and a private key.
  • The public key and the private key are a pair; the private key is kept by the encrypting party, and the public key is disclosed to all users.
  • Publishing the public key in this way solves the security problem in the key exchange process. If the data is encrypted with a private key, it can only be decrypted with the corresponding public key. When the encrypting party uses its own private key for data encryption, this is equivalent to digitally signing the data.
  • The decrypting party decrypts the data with the public key. Since the private key is held only by the encrypting party, if the decrypting party can decrypt the data normally, the data must have come from the encrypting party, who cannot deny it; this also guarantees that the data was not forged or modified during transmission.
  • In the process of downloading the digital certificate, the smart IC card obtains the cardholder private key, which is unique to the cardholder, and the server public key. Then, in the process of applying the digital certificate, the cardholder private key is used to sign the transaction data, and the server public key is used to encrypt it for transmission.
  • After the server receives the encrypted data, it first decrypts the transmitted data using the server private key, and then uses the cardholder's public key to verify the signature on the transaction data (which includes verifying the identity of the other party and verifying the integrity of the data), thus confirming the identity of the cardholder and ensuring the security of data transmission.
  • the cardholder private key and the cardholder public key are a pair of asymmetric keys, and the server private key and the server public key are another pair of asymmetric keys.
  • the cardholder performs mobile payment through the WAP method.
  • the cardholder enters an access password in the secure payment handset, the mobile phone chip accesses the smart IC card, uses the cardholder private key to sign the transaction data, and then encrypts the transmission using the server public key.
  • the detailed steps are as follows:
  • Step 501 The user logs in to the bank WAP page through the mobile phone, inputs the identity and transaction information to be submitted, and selects the user certificate;
  • Step 502 The mobile phone chip notifies the IC card reader/writer of the certificate application request;
  • Step 503 the IC card reader/writer requires the user to input an IC card access password;
  • Step 504 the user inputs an access password;
  • Step 505 The IC card reader/writer submits the certificate application request and the access password to the smart IC card;
  • Step 507 the IC card reader/writer returns the signed and encrypted data to the mobile phone chip;
  • Step 508 The mobile phone chip submits the signed transaction data to the remote banking host through the wireless application module.
  • Step 509 the bank host returns a transaction response, establishes an encrypted channel, and continues subsequent data communication.
  • the security of the mobile payment is comprehensively improved, and the cardholder funds are prevented from being stolen by others due to insufficient static password verification mechanism.
  • a secure transmission mechanism for transaction data is established, which avoids the transmission of cardholder transaction data in clear text and protects the cardholder's funds security.
  • the secure payment mobile phone can replace the USB KEY and become the identity token for the cardholder to complete the online payment.
  • the cardholder first connects the phone to the computer via a data cable or an interface such as infrared or Bluetooth, and enables a control switch that allows the application to access the smart IC card.
  • The mobile phone PC suite automatically reads, from the smart IC card in the phone, the application data encrypted with the digital certificate and the cardholder's private key; after the secure connection is established, the process of encrypted communication with the server is the same as with a traditional USB KEY. The detailed steps are as follows:
  • Step 601 the user connects the computer to the mobile phone through a data line or an interface such as infrared or Bluetooth, logs in to the online banking web page on the computer, enters the identity and transaction information to be submitted, and selects the mobile digital certificate;
  • Step 602 The mobile phone PC suite in the computer submits a certificate application request to the mobile phone chip through the data interface;
  • Step 603 The mobile phone chip notifies the IC card reader/writer of the certificate application request;
  • Step 604 the IC card reader/writer requires the user to input the smart IC card access password through the mobile phone interface or the PC suite;
  • Step 605 the user inputs an access password.
  • Step 606 the IC card reader/writer submits the digital certificate application request and the access password to the smart IC card chip;
  • Step 607 the smart IC card verifies that the access password is correct, and uses the digital certificate to sign and encrypt the data to be submitted, and returns it to the IC card reader/writer;
  • Step 608 the IC card reader/writer returns the encrypted data to the mobile phone chip
  • Step 609 the mobile phone chip returns the encrypted data to the computer through the data interface
  • Step 610 The computer submits the signed transaction data to the online banking host through the Internet;
  • Step 611 the bank host returns a transaction response, establishes an encrypted channel, and continues subsequent data communication.
  • USB KEY technology has been widely adopted to ensure payment security. Although most cardholders have realized that the USB KEY has high security, some cardholders still use static passwords, file certificates and methods at other security levels to make online payments, because of the high cost and the restrictions on network application. Moreover, the USB KEY is not a must-have item, and it is not convenient for the cardholder to carry. After adopting the invention, since a mobile terminal such as a mobile phone is a device the cardholder already carries, and no additional application fees and costs are required, it is more convenient and practical than the USB KEY.
  • The cardholder can delete the digital certificate and private key stored in the smart card chip through the mobile phone application or the PC suite.
  • The correct cardholder password must be entered before deletion. The steps are as follows:
  • Step 701 the user selects to delete the digital certificate through the mobile phone application, or on the computer through the mobile phone PC suite;
  • Step 702 the mobile phone chip sends a delete request to the IC card reader/writer; if the delete request is initiated through the mobile phone PC suite, the PC suite program sends the request to the mobile phone chip through the mobile data interface;
  • Step 703 the IC card reader/writer requires the user to input an IC card access password
  • Step 704 the user inputs an access password.
  • Step 705 The IC card reader/writer submits the deletion certificate request and the access password to the smart IC card chip, and the IC card determines that the access password is correct, and deletes the designated digital certificate.
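The sign-then-encrypt exchange of steps 501 to 509 and 601 to 611, together with the key-pair paragraph above, can be modelled end to end. The following is an added example, not code from the patent or from China UnionPay; it goes slightly beyond the text by using a digital envelope (a random session key wrapped under the server public key), which the PKI overview lists as a basic technology. The algorithms (RSA-PSS, RSA-OAEP, AES-GCM), the three-try retry limit, the class and function names, and the sample transaction are all assumptions, and the third-party `cryptography` package is required.

```python
import hmac
import os

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Algorithm choices are assumptions; the patent does not name any.
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
RSA_BYTES = 256    # size of a 2048-bit RSA signature or wrapped key
NONCE_BYTES = 12   # AES-GCM nonce size


class SmartCard:
    """Hypothetical model of the smart IC card: the cardholder private key
    is used only inside this object and is never returned to the caller."""

    MAX_TRIES = 3  # retry limit is an assumption, not stated in the patent

    def __init__(self, access_password, server_public_key):
        self._password = access_password
        self.tries_left = self.MAX_TRIES
        # Simplification: the key pair is created here rather than being
        # written to the card during the certificate download.
        self._private_key = rsa.generate_private_key(
            public_exponent=65537, key_size=2048)
        self._server_public_key = server_public_key

    @property
    def public_key(self):
        return self._private_key.public_key()

    def sign_and_encrypt(self, access_password, transaction):
        """Verify the access password, then sign with the cardholder private
        key and encrypt for the server public key."""
        if self.tries_left == 0:
            raise PermissionError("card locked")
        if not hmac.compare_digest(access_password, self._password):
            self.tries_left -= 1
            raise PermissionError("wrong access password")
        self.tries_left = self.MAX_TRIES
        signature = self._private_key.sign(transaction, PSS, hashes.SHA256())
        session_key = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(NONCE_BYTES)
        body = AESGCM(session_key).encrypt(nonce, signature + transaction, None)
        wrapped_key = self._server_public_key.encrypt(session_key, OAEP)
        return wrapped_key + nonce + body


class BankServer:
    """Hypothetical bank host holding the server key pair."""

    def __init__(self):
        self._private_key = rsa.generate_private_key(
            public_exponent=65537, key_size=2048)

    @property
    def public_key(self):
        return self._private_key.public_key()

    def decrypt_and_verify(self, cardholder_public_key, envelope):
        """Decrypt with the server private key, then verify the signature with
        the cardholder public key. Returns the transaction, or None."""
        wrapped_key = envelope[:RSA_BYTES]
        nonce = envelope[RSA_BYTES:RSA_BYTES + NONCE_BYTES]
        body = envelope[RSA_BYTES + NONCE_BYTES:]
        try:
            session_key = self._private_key.decrypt(wrapped_key, OAEP)
            plain = AESGCM(session_key).decrypt(nonce, body, None)
            signature, transaction = plain[:RSA_BYTES], plain[RSA_BYTES:]
            cardholder_public_key.verify(signature, transaction, PSS,
                                         hashes.SHA256())
        except (ValueError, InvalidTag, InvalidSignature):
            return None
        return transaction


def run_demo():
    bank = BankServer()
    card = SmartCard(b"493817", bank.public_key)
    # Constructed sample transaction, not taken from the patent.
    tx = b'{"payee": "EXAMPLE-MERCHANT", "amount": "25.00", "currency": "CNY"}'
    envelope = card.sign_and_encrypt(b"493817", tx)
    tampered = envelope[:-1] + bytes([envelope[-1] ^ 0x01])
    try:
        card.sign_and_encrypt(b"000000", tx)
        refused = False
    except PermissionError:
        refused = True
    return {
        # What a WAP gateway or the PC relaying the envelope could read.
        "plaintext_visible_in_transit": tx in envelope,
        "accepted": bank.decrypt_and_verify(card.public_key, envelope) == tx,
        "tampered_accepted":
            bank.decrypt_and_verify(card.public_key, tampered) is not None,
        "wrong_password_refused": refused,
    }


if __name__ == "__main__":
    print(run_demo())
```

The signature here does not name the recipient or carry a freshness value, so a deployment would also put the server identity and a nonce or timestamp inside the signed transaction data to resist forwarding and replay.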

Abstract

A mobile payment terminal and a payment method based on PKI technology, which resolve the problem of hidden risks in the identity authentication mechanism and the information transfer mechanism of the current mobile payment service. The mobile payment terminal includes: a smart card (1), for storing and applying a digital certificate; a smart card reader/writer (4), for performing read, write and erase operations on the smart card (1); a terminal chip (5) with an added control function, for controlling the smart card reader/writer (4) to access the smart card (1); and a data interface (3), for providing data communication between the terminal chip (5) and a peripheral device. A user of the mobile payment terminal can download the digital certificate into the smart card and complete mobile payment. When the mobile payment terminal communicates with the peripheral device through an interface such as a data line, infrared or Bluetooth, the user can also use the mobile payment terminal instead of a USB KEY to make online payments.

Description

Mobile payment terminal and payment method based on PKI technology
This application claims priority to Chinese Patent Application No. 200710046313.0, entitled "Mobile payment terminal and payment method based on PKI technology", filed with the Chinese Patent Office on September 20, 2007, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the application of digital certificates, and in particular to a mobile payment terminal and a payment method based on PKI technology.
Background
With the spread of mobile terminals such as mobile phones, a new type of phone-based payment service, mobile phone payment, has emerged and developed rapidly. Mobile phone payment, also called mobile payment, is a payment service implemented by binding a mobile phone number to a bank card number. At present, mobile phone payment relies mainly on an identity authentication mechanism based on static payment passwords and is carried out in two ways: short message (SMS) and WAP (Wireless Application Protocol).
The identity authentication mechanism based on static payment passwords is one in which the banking system allows the user to make a payment once it has authenticated static information such as the mobile phone user's login password and payment password. Conducting business with static passwords is convenient and easy to use, but this mechanism has the following problem. Suppose a user has not applied for the mobile phone payment service, but important information such as the user's bank card number and payment password has been leaked or stolen. Because the person who obtained the information does not hold the bank card, they cannot withdraw money at a counter or a self-service terminal; if they try online banking, current online banking vets users very strictly, so the card number and payment password alone are not enough to complete a payment. In this situation, that person will use the obtained card number and payment password to register for the mobile phone payment service and then use a mobile phone to carry out payment operations such as transfers or purchases. The security of the identity authentication mechanism based on static payment passwords is therefore low, and in recent years there have been many incidents in which cardholders' funds were misappropriated by others.
Moreover, payment information is transmitted mainly in two ways: SMS and WAP. With SMS payment, the payment content (including the payment password) is entirely plaintext and is very easily stolen in transit. With WAP, although encryption is used on the transmission channel from the mobile phone to the banking system, the traffic must be decrypted at the WAP gateway for protocol conversion, and this step also has security problems, so end-to-end (mobile phone to banking system) encryption cannot be achieved either.
Therefore, current mobile phone payment services carry risks in both the identity authentication mechanism and the information transmission mechanism. As mobile payment services continue to develop, these shortcomings may create business risks.
Summary of the invention
The technical problem to be solved by the present invention is to provide a mobile payment terminal and a payment method based on PKI technology, so as to address the risks that current mobile phone payment services carry in both the identity authentication mechanism and the information transmission mechanism.
To solve the above technical problem, according to the specific embodiments provided by the present invention, the present invention discloses the following technical solutions:
A mobile payment terminal, including:
a smart card, for storing and applying digital certificates;
a smart card reader/writer, for performing read, write and clear operations on the smart card;
a terminal chip with an added control function, for controlling the smart card reader/writer to access the smart card;
a data interface, for providing data communication between the terminal chip and an external device.
The data interface includes a data cable interface, and/or an infrared interface, and/or a Bluetooth interface, and/or a remote wireless interface.
The terminal further includes a terminal suite installed on the external device to provide control of and communication with the terminal; functions for downloading, deleting and applying digital certificates are added to the suite.
When the smart card is external, the terminal further includes a slot for connecting the smart card to the smart card reader/writer.
The smart card can store multiple digital certificates.
A method for downloading a digital certificate to the above mobile terminal, including:
the mobile terminal initiates a download request, which is sent to the server through an external device;
the terminal chip controls the smart card reader/writer to write the digital certificate into the smart card.
Preferably, before the smart card reader/writer writes the digital certificate into the smart card, the method further includes: requesting the user to enter the smart card access password and verifying it.
Preferably, the mobile terminal initiates the download request in one of the following ways: the request is initiated directly on the mobile terminal, and the terminal chip sends the download request to the external device through the data interface; or the request is initiated by triggering the download function provided by the terminal suite installed on the external device.
A method for downloading a digital certificate to the above mobile terminal, including:
the mobile terminal initiates a download request via WAP;
the terminal chip sends the request to the server through the remote wireless interface and receives the digital certificate returned by the server;
the terminal chip controls the smart card reader/writer to write the digital certificate into the smart card.
Preferably, before the smart card reader/writer writes the digital certificate into the smart card, the method further includes: requesting the user to enter the smart card access password and verifying it.
A method for applying a digital certificate held in the above mobile terminal, including:
the mobile terminal initiates a certificate application request via WAP;
the terminal chip controls the smart card reader/writer to access the smart card, and the smart card uses the digital certificate to sign and encrypt the transaction data;
the terminal chip sends the encrypted data to the server through the remote wireless interface, establishing a mobile terminal payment channel.
Preferably, before the smart card reader/writer accesses the smart card, the method further includes: requesting the user to enter the smart card access password and verifying it.
A method for applying a digital certificate held in the above mobile terminal, including:
the user initiates a certificate application request through an external device, and the external device sends the request to the terminal chip through the data interface;
the terminal chip controls the smart card reader/writer to access the smart card, and the smart card uses the digital certificate to sign and encrypt the transaction data;
the terminal chip sends the encrypted data to the server through the external device, establishing an online payment channel.
Preferably, before the smart card reader/writer accesses the smart card, the method further includes: requesting the user to enter the smart card access password and verifying it.
A method for deleting a digital certificate from the above mobile terminal, including:
a delete request is initiated directly on the mobile terminal, or the delete function provided by the terminal suite installed on the external device is triggered;
the terminal chip controls the smart card reader/writer to delete the digital certificate from the smart card.
Preferably, before the smart card reader/writer deletes the digital certificate from the smart card, the method further includes: requesting the user to enter the smart card access password and verifying it.
According to the specific embodiments provided by the present invention, the present invention achieves the following technical effects:
The embodiments of the present invention provide a secure mobile payment terminal based on PKI (Public Key Infrastructure) technology. By adding a smart card to the terminal and adding control of that smart card to the terminal chip, a digital certificate can be downloaded into the smart card. On this basis, the user can use the mobile terminal to make secure mobile payments. On the one hand, a mobile payment security verification mechanism based on digital certificates can be established, which raises the overall security of mobile payment and prevents cardholders' funds from being misappropriated because of the weaknesses of static password verification. On the other hand, a secure transmission mechanism for transaction data can be established, which avoids sending the cardholder's payment data in plaintext and protects the cardholder's funds.
Moreover, when the mobile payment terminal is connected to an external device through a data cable or an interface such as infrared or Bluetooth, the user can also use the mobile terminal in place of a USB KEY (a smart storage device that can hold online banking certificates and perform digital signature and signature verification operations) to make secure online payments. USB KEY technology is already widely used to secure online payment. Although most cardholders recognize that a USB KEY offers relatively high security, constraints such as its relatively high cost and the need to apply at a bank branch mean that some cardholders still pay online using lower-security methods such as static passwords and file certificates. In addition, a USB KEY is not something people routinely carry, so it is inconvenient for the cardholder. With the present invention, because the mobile terminal is a device the cardholder already carries and no additional application fee or cost is required, it is more convenient and practical than a USB KEY.
Brief description of the drawings
Figure 1 is a rear view of the secure payment mobile phone based on PKI technology according to an embodiment of the present invention;
Figure 2 is a logical structure diagram of the secure payment mobile phone shown in Figure 1;
Figure 3 is a flowchart of downloading a digital certificate to the secure payment mobile phone in online (tethered) mode according to an embodiment of the present invention;
Figure 4 is a flowchart of downloading a digital certificate to the secure payment mobile phone in wireless mode according to an embodiment of the present invention;
Figure 5 is a flowchart of making a mobile phone payment according to an embodiment of the present invention;
Detailed description
To make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
PKI is short for "Public Key Infrastructure": a general-purpose security infrastructure built on the principles and techniques of asymmetric cryptography. PKI uses digital certificates to identify key holders and, through standardized key management, establishes and maintains a trustworthy system environment for an organization. It transparently provides application systems with the security guarantees they need, such as identity authentication, data confidentiality and integrity, and non-repudiation. Put simply, PKI is a system that provides public-key encryption and digital signature services; its purpose is to manage keys and certificates automatically and to ensure the confidentiality, authenticity, integrity and non-repudiation of digital information transmitted over networks. PKI technology is at the core of information security technology and is a key, foundational technology for e-commerce. The basic techniques of PKI include encryption, digital signatures, data integrity mechanisms, digital envelopes and dual digital signatures.
The embodiments of the present invention provide a secure mobile payment terminal based on PKI technology. By bringing PKI technology into the mobile terminal, a digital certificate can be downloaded to the mobile terminal and a mobile payment security verification mechanism based on digital certificates can be established. On the one hand, the user can use the mobile terminal to make secure mobile payments; on the other hand, when the terminal is connected to an external device through a data cable or an interface such as infrared or Bluetooth, the user can also use the mobile terminal in place of a USB KEY to make secure online payments.
The following takes a mobile phone as an example to describe the mobile payment terminal and payment method based on PKI technology.
Referring to Figure 1, which is a rear view (with the back cover and battery removed) of the secure payment mobile phone based on PKI technology according to an embodiment of the present invention. Compared with an ordinary phone, the secure payment phone adds components including a smart IC card 1, an IC card slot 2 and a contact IC card reader/writer (not shown in the figure), which have the following functions:
Smart IC card 1 is a type of IC card (integrated circuit card): a CPU card that integrates a microprocessor (CPU), storage units (random access memory RAM, program memory ROM and user data memory EEPROM) and a chip operating system (COS, Chip Operating System) held in ROM. Smart IC card 1 is equivalent to a self-contained single-chip microcomputer system. In this embodiment the IC card is about the size of a SIM card and is a security chip independent of the SIM card. In smart IC card 1, digital certificates are stored in the EEPROM area, and digital signature and data encryption algorithms are built into the COS. During payment, all signing and encryption with the digital certificate is performed inside smart IC card 1, so the data read out by the phone is already signed and encrypted, which gives higher security. Preferably, smart IC card 1 can hold multiple digital certificates, depending on the EEPROM capacity.
IC card slot 2 is placed alongside the SIM card slot and allows smart IC card 1 to be inserted or removed. The contact IC card reader/writer performs operations such as reading and writing on smart IC card 1 through a number of metal contacts in the slot.
By providing IC card slot 2, this embodiment installs smart IC card 1 in the phone as a plug-in card, so the card can also be moved to other mobile terminals with similar functions. Smart IC card 1 could instead be fixed permanently in the phone, but that approach lacks flexibility.
In addition to the components above, the phone shown in Figure 1 adds an IC card reader/writer control program to the operating system of the phone chip (the phone's core hardware, not the SIM card and not smart IC card 1 that stores the certificates in this embodiment), to implement functions such as reading, writing and clearing digital certificates. The phone chip can control the IC card reader/writer through the phone operating system and thereby access smart IC card 1.
As with an ordinary phone, the phone shown in Figure 1 communicates with external devices through data interface 3, which is a data cable interface or a wireless interface such as infrared or Bluetooth. In addition, most phones today support WAP, so the phone also has a built-in remote wireless application module for exchanging data between the phone and a remote server.
Phones usually also come with a PC suite: a disc is included with the phone, and the content of the disc is the PC suite. The PC suite is software for connecting and synchronizing the phone with a computer; it is installed on the computer the phone connects to and helps manage the phone. Phones from foreign brands (such as Nokia, Samsung and Sony Ericsson) generally come with a PC suite. It can back up the phone's data to the computer, for example copying the phone book to the computer or uploading text messages and photos taken with the phone, and it can also download resources from the computer to the phone, such as songs, video files and pictures.
Because this embodiment adds smart IC card 1 to the phone, corresponding control functions are also added to the PC suite. When the phone is connected to a computer through a data cable or an interface such as infrared or Bluetooth, the certificate download, delete and apply functions newly added to the PC suite can be used.
Referring to Figure 2, which is a logical structure diagram of the secure payment phone shown in Figure 1 and shows the logical relationships between the phone's components. Phone chip 5, with the added control function, controls IC card reader/writer 4 to access smart IC card 1, and IC card reader/writer 4 performs operations such as reading, writing and clearing on smart IC card 1. Phone chip 5 connects to the USB interface of an external computer through data cable interface 3, or to the computer's infrared or Bluetooth interface through infrared or Bluetooth interface 3, to exchange data. In WAP mode, phone chip 5 connects to and communicates with the remote wireless server through wireless application module 6.
Based on the secure payment phone described above, the following describes how digital certificates are applied using the phone.
1. Downloading a digital certificate to the phone
The embodiments of the present invention provide two ways to download a digital certificate to the phone: online (tethered) mode and wireless mode.
(1) Online mode, see Figure 3
In online mode, the phone is first connected to a computer through a data cable, infrared, Bluetooth or similar, and the digital certificate is then downloaded through the relevant online banking page into the smart IC card in the phone. The phone user can either choose to download the certificate through the phone application or initiate the certificate download on the computer through the PC suite. Here, the phone application refers to the download menu provided in the phone's user interface once the smart IC card has been added; the user selects it to initiate a download request. The detailed steps are as follows:
Step 301: The user initiates a digital certificate download request directly on the phone through the phone application, or connects the phone to a computer through a data cable, infrared, Bluetooth or similar and requests the certificate download on the computer through the certificate download function in the phone's PC suite;
Step 302: If the request was initiated through the phone application, the phone chip sends the certificate download request to the computer through the data cable or an interface such as infrared or Bluetooth; if the request was initiated with the PC suite, this step is omitted;
Step 303: The phone suite program on the computer requests the digital certificate download through the online banking web page;
Step 304: The phone suite program on the computer receives the digital certificate issued by the server;
Step 305: The phone suite program on the computer sends the digital certificate back to the phone through the data cable or an interface such as infrared or Bluetooth;
Step 306: The phone chip issues a write request to the smart IC card through the IC card reader/writer;
Step 307: The IC card reader/writer asks the user to enter the IC card access password;
Step 308: The user enters the access password;
Step 309: The IC card operating system verifies that the access password is correct and writes the digital certificate into the dedicated certificate storage area.
In the above steps, step 307 is a preferred step of this embodiment: the phone user sets a password to protect access to the smart IC card, and the certificate download can complete only if the correct password is entered.
(2) Wireless mode, see Figure 4
In wireless mode, the user accesses the bank's page via WAP and then downloads the digital certificate to the phone over the air. The detailed steps are as follows:
Step 401: The user goes online with the phone, logs in to the bank's WAP page and requests a digital certificate download;
Step 402: The phone chip sends the certificate download request to the remote bank host through the wireless application module;
Step 403: The bank host returns the requested digital certificate to the phone;
Step 404: The phone chip issues a write request to the IC card through the IC card reader/writer;
Preferred step 405: The IC card reader/writer asks the user to enter the IC card access password;
Step 406: The user enters the access password;
Step 407: The IC card operating system verifies that the access password is correct and writes the digital certificate into the dedicated certificate storage area.
2. Applying the digital certificate
In PKI technology, applying a digital certificate relies on a public-key system using asymmetric encryption. Asymmetric encryption does not use the same key for encryption and decryption; it normally requires two keys, a public key and a private key. The public key and private key form a pair: the private key is kept by the encrypting party and the public key is disclosed to all users, and publishing the public key in this way solves the security problem of key exchange. If data is encrypted with the private key, it can be decrypted only with the corresponding public key. When the encrypting party encrypts data with its own private key, this is equivalent to placing a digital signature on the data, and the decrypting party decrypts the data with the public key. Because only the encrypting party holds the private key, successful decryption shows that the data must have come from the encrypting party, who cannot deny it, and that the data is not forged and was not modified in transit.
Based on this principle, during the certificate download described above the smart IC card obtains a unique cardholder private key held only by the cardholder, and also obtains the server public key. When the digital certificate is then applied, the transaction data is signed with the cardholder private key and encrypted for transmission with the server public key. On receiving the encrypted data, the server first decrypts it with the server private key and then verifies the signature on the transaction data with the cardholder public key (which covers both verifying the other party's identity and verifying data integrity), thereby confirming the cardholder's identity and securing the data transmission. The cardholder private key and cardholder public key are one asymmetric key pair; the server private key and server public key are another.
(1) Mobile payment, see Figure 5
In the mobile payment service, the cardholder makes phone payments via WAP. When the digital certificate is needed, the cardholder enters the access password on the secure payment phone, the phone chip accesses the smart IC card, the transaction data is signed with the cardholder private key, and it is then encrypted with the server public key for transmission. The detailed steps are as follows:
Step 501: The user goes online with the phone, logs in to the bank's WAP page, enters the identity and transaction information to be submitted, and selects the user certificate;
Step 502: The phone chip notifies the IC card reader/writer of the certificate application request;
Preferred step 503: The IC card reader/writer asks the user to enter the IC card access password;
Step 504: The user enters the access password;
Step 505: The IC card reader/writer submits the certificate application request and the access password to the smart IC card;
Step 506: The smart IC card verifies that the access password is correct, uses the digital certificate to sign and encrypt the data to be submitted, and returns the result to the IC card reader/writer;
Step 507: The IC card reader/writer returns the signed and encrypted data to the phone chip;
Step 508: The phone chip submits the signed and encrypted transaction data to the remote bank host through the wireless application module;
Step 509: The bank host returns a transaction response, an encrypted channel is established, and subsequent data communication continues.
In the mobile payment process above, a mobile payment security verification mechanism based on digital certificates is established, which raises the overall security of mobile payment and prevents cardholders' funds from being misappropriated because of the weaknesses of static password verification. A secure transmission mechanism for transaction data is also established, which avoids sending the cardholder's transaction data in plaintext and protects the cardholder's funds.
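The sign-then-encrypt order from section 2 and the access-password gate of steps 503 to 506, as an added Python example that is not part of the patent text: the card signs only after the password checks out, the result is encrypted to the server public key, and the server decrypts and then verifies. The patent names no algorithms, so RSA-PSS, RSA-OAEP and an AES-GCM digital envelope (from the `cryptography` package), the `SmartCard` class, the password and the transaction string are all assumptions made for illustration.

```python
import hmac
import os

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed algorithm choices; the patent text does not specify any.
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
SIG_LEN = 256  # bytes in an RSA-2048 signature


class SmartCard:
    """Hypothetical model of smart IC card 1: the private key is used only inside it."""

    def __init__(self, access_password: bytes, server_public_key):
        self._password = access_password
        self._private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self._server_public_key = server_public_key
        self.public_key = self._private_key.public_key()  # what the certificate would carry

    def sign_and_encrypt(self, access_password: bytes, transaction: bytes) -> dict:
        # Steps 503-506: check the access password before any key operation.
        if not hmac.compare_digest(access_password, self._password):
            raise PermissionError("access password rejected")
        signature = self._private_key.sign(transaction, PSS, hashes.SHA256())
        # Digital envelope: a fresh AES key encrypts signature + data,
        # and the server public key wraps that AES key.
        session_key = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        ciphertext = AESGCM(session_key).encrypt(nonce, signature + transaction, None)
        return {
            "wrapped_key": self._server_public_key.encrypt(session_key, OAEP),
            "nonce": nonce,
            "ciphertext": ciphertext,
        }


def server_open(envelope: dict, server_private_key, cardholder_public_key) -> bytes:
    """Server side: decrypt with the server private key, then verify the cardholder signature."""
    session_key = server_private_key.decrypt(envelope["wrapped_key"], OAEP)
    plaintext = AESGCM(session_key).decrypt(envelope["nonce"], envelope["ciphertext"], None)
    signature, transaction = plaintext[:SIG_LEN], plaintext[SIG_LEN:]
    # Raises InvalidSignature if the data was not signed by this cardholder.
    cardholder_public_key.verify(signature, transaction, PSS, hashes.SHA256())
    return transaction


def run_demo() -> dict:
    """Runs the exchange on constructed sample data and reports what each party observes."""
    server_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    card = SmartCard(b"135790", server_key.public_key())
    tx = b"pay=100.00;to=merchant-001;seq=42"  # constructed sample transaction
    envelope = card.sign_and_encrypt(b"135790", tx)
    results = {"recovered": server_open(envelope, server_key, card.public_key)}

    try:  # wrong access password: the card refuses to sign
        card.sign_and_encrypt(b"000000", tx)
        results["wrong_password_rejected"] = False
    except PermissionError:
        results["wrong_password_rejected"] = True

    # One flipped bit in transit: authenticated decryption fails at the server.
    last = envelope["ciphertext"][-1] ^ 1
    tampered = dict(envelope, ciphertext=envelope["ciphertext"][:-1] + bytes([last]))
    try:
        server_open(tampered, server_key, card.public_key)
        results["tamper_rejected"] = False
    except InvalidTag:
        results["tamper_rejected"] = True

    # A different card (different private key) cannot pass as this cardholder.
    impostor = SmartCard(b"135790", server_key.public_key())
    try:
        server_open(impostor.sign_and_encrypt(b"135790", tx), server_key, card.public_key)
        results["impostor_rejected"] = False
    except InvalidSignature:
        results["impostor_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The signature here covers only the transaction bytes; a deployment would normally also sign a recipient identifier and a nonce or sequence number, so that a decrypted, validly signed message cannot be re-encrypted to another party or replayed.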
(2) Online payment, see Figure 6
In the online payment service, the secure payment mobile phone can replace the USB KEY and serve as the identity token with which the cardholder completes online payments. The cardholder first connects the phone to the computer through a data cable or an interface such as infrared or Bluetooth, and turns on the control switch that allows applications to access the smart IC card. When the cardholder establishes a digital-certificate-based connection with the server, the mobile phone PC suite automatically reads from the phone's smart IC card the application data encrypted with the digital certificate and the cardholder's private key. Once the secure connection is established, encrypted communication with the server proceeds in the same way as with a traditional USB KEY. The detailed steps are as follows:
Step 601: The user connects the computer to the mobile phone through a data cable, infrared, Bluetooth or similar means, logs in to the online banking Web page on the computer, enters the identity and transaction information to be submitted, and then selects the mobile phone digital certificate;
Step 602: The mobile phone PC suite on the computer submits a certificate application request to the mobile phone chip through the data interface;
Step 603: The mobile phone chip notifies the IC card reader/writer of the certificate application request;
Step 604 (preferred): The IC card reader/writer asks the user to enter the smart IC card access password through the mobile phone interface or the PC suite;
Step 605: The user enters the access password;
Step 606: The IC card reader/writer submits the digital certificate application request and the access password to the smart IC card chip;
Step 607: The smart IC card verifies that the access password is correct, uses the digital certificate to sign and encrypt the data to be submitted, and returns the result to the IC card reader/writer;
Step 608: The IC card reader/writer returns the encrypted data to the mobile phone chip;
Step 609: The mobile phone chip returns the encrypted data to the computer through the data interface;
Step 610: The computer submits the signed and encrypted transaction data to the online banking host over the Internet;
Step 611: The bank host returns a transaction response, establishes an encrypted channel, and continues subsequent data communication.
In the online payment service, USB KEY technology is already widely used to secure payments. Although most cardholders recognize that a USB KEY offers relatively high security, constraints such as the higher cost and the need to apply at a branch mean that some cardholders still make online payments with lower-security methods such as static passwords and file certificates. Moreover, a USB KEY is not something people routinely carry, so it is not convenient for the cardholder. With the present invention, because a mobile terminal such as a mobile phone is a device the cardholder carries anyway, and no additional application fee or cost is required, it is more convenient and practical than a USB KEY.
3. The process of deleting a digital certificate from the mobile phone, see Figure 7
The cardholder can delete the digital certificate and private key stored in the smart card chip through the mobile phone application or the PC suite. Preferably, the correct cardholder password must be entered before deletion. The steps are as follows:
Step 701: The user chooses to delete the digital certificate through the mobile phone application, or on the computer through the mobile phone PC suite;
Step 702: The mobile phone chip sends the deletion request to the IC card reader/writer; if the deletion request is initiated through the mobile phone PC suite, the PC suite program sends the request to the mobile phone chip through the mobile phone data interface;
Step 703: The IC card reader/writer asks the user to enter the IC card access password;
Step 704: The user enters the access password;
Step 705: The IC card reader/writer submits the certificate deletion request and the access password to the smart IC card chip; the IC card determines that the access password is correct and deletes the specified digital certificate.
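The card-side gate that the payment flows (steps 505-506 and 606-607) and the deletion flow (step 705) all depend on can be modelled as follows. This is an added example, not code from the patent: the type and function names are hypothetical, Ed25519 stands in for whatever algorithm the card's certificate uses, and on-card key generation and the three-try limit are assumptions. Encryption and certificate chain validation are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	ErrBadPassword = errors.New("access password rejected")
	ErrBlocked     = errors.New("card blocked after repeated wrong passwords")
	ErrNoCert      = errors.New("no such certificate on the card")
)

// SmartCard models the smart IC card; no method ever returns a private key.
type SmartCard struct {
	password []byte
	tries    int                           // assumed limit of 3, not from the page
	keys     map[string]ed25519.PrivateKey // certificate label -> private key
}

// NewSmartCard provisions one key pair on the card and returns the public key
// that the bank would bind to the cardholder in the digital certificate.
func NewSmartCard(password, label string) (*SmartCard, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SmartCard{[]byte(password), 3, map[string]ed25519.PrivateKey{label: priv}}, pub
}

// unlock is the card-side password check of steps 506, 607 and 705.
func (c *SmartCard) unlock(label, pw string) (ed25519.PrivateKey, error) {
	if c.tries == 0 {
		return nil, ErrBlocked
	}
	if subtle.ConstantTimeCompare(c.password, []byte(pw)) != 1 {
		c.tries-- // wrong guesses are counted on the card, not on the phone
		return nil, ErrBadPassword
	}
	c.tries = 3
	if priv, ok := c.keys[label]; ok {
		return priv, nil
	}
	return nil, ErrNoCert
}

// Sign signs the transaction on the card (steps 505-506 and 606-607).
func (c *SmartCard) Sign(label, pw string, tx []byte) ([]byte, error) {
	priv, err := c.unlock(label, pw)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, tx), nil
}

// Delete removes the certificate's key material (step 705).
func (c *SmartCard) Delete(label, pw string) error {
	_, err := c.unlock(label, pw)
	if err == nil {
		delete(c.keys, label)
	}
	return err
}

// BankVerify is the bank host's signature check on the submitted data.
func BankVerify(pub ed25519.PublicKey, tx, sig []byte) bool {
	return ed25519.Verify(pub, tx, sig)
}

func main() {
	card, pub := NewSmartCard("2468", "bank-cert") // constructed sample values
	tx := []byte("pay 100.00 to merchant 0001")    // constructed transaction
	sig, err := card.Sign("bank-cert", "2468", tx)
	fmt.Println("sign error:", err, "bank accepts:", BankVerify(pub, tx, sig))
	fmt.Println("altered amount accepted:", BankVerify(pub, []byte("pay 900.00 to merchant 0001"), sig))
}
```

Because the password check and the retry counter live on the card, a compromised phone application or PC suite can relay requests but cannot sign without the password or guess it without limit.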
Parts of the mobile payment terminal shown in Figures 1 and 2 that are not described here can be understood by reference to the relevant parts of the processes shown in Figures 3 to 7; for reasons of space, they are not detailed again.
The mobile payment terminal and payment method based on PKI technology provided by the present invention have been described above. The description of the above embodiments is only intended to help in understanding the method of the present invention and its core idea; at the same time, a person of ordinary skill in the art may, following the idea of the present invention, make changes to the specific implementations and the scope of application. In summary, the contents of this specification should not be construed as limiting the present invention.

Claims

1. A mobile payment terminal, characterized by comprising:
a smart card, used for digital certificate storage and application;
a smart card reader/writer, used for performing read, write and clear operations on the smart card;
a terminal chip with an added control function, used for controlling the smart card reader/writer's access to the smart card;
a data interface, used for providing data communication between the terminal chip and an external device.
2. The mobile payment terminal according to claim 1, characterized in that the data interface comprises a data cable interface, and/or an infrared interface, and/or a Bluetooth interface, and/or a remote wireless interface.
3. The mobile payment terminal according to claim 1, characterized by further comprising: a terminal suite installed on the external device to provide control of and communication with the terminal, the suite additionally providing digital certificate download, deletion and application functions.
4. The mobile payment terminal according to claim 1, characterized in that, when the smart card is external, the terminal further comprises: a slot, used for connecting the smart card to the smart card reader/writer.
5. The mobile payment terminal according to claim 1, characterized in that multiple digital certificates can be stored in the smart card.
6. A method for downloading a digital certificate to the mobile terminal of claim 1, characterized by comprising:
the mobile terminal initiating a download request, which is sent to the server through an external device;
the terminal chip controlling the smart card reader/writer to write the digital certificate to the smart card.
7. The download method according to claim 6, characterized in that, before the smart card reader/writer writes the digital certificate to the smart card, the method further comprises: requesting the user to enter the smart card access password and verifying it.
8. The download method according to claim 6, characterized in that the mobile terminal initiates the download request either directly on the mobile terminal, with the terminal chip sending the download request to the external device through the data interface; or by triggering the download function provided by the terminal suite installed on the external device.
9. A method for downloading a digital certificate to the mobile terminal of claim 1, characterized by comprising:
the mobile terminal initiating a download request via WAP;
the terminal chip sending the request to the server through the remote wireless interface and receiving the digital certificate returned by the server;
the terminal chip controlling the smart card reader/writer to write the digital certificate to the smart card.
10. The download method according to claim 9, characterized in that, before the smart card reader/writer writes the digital certificate to the smart card, the method further comprises: requesting the user to enter the smart card access password and verifying it.
11. A method for applying the digital certificate in the mobile terminal of claim 1, characterized by comprising:
the mobile terminal initiating a certificate application request via WAP;
the terminal chip controlling the smart card reader/writer to access the smart card, and the smart card using the digital certificate to sign and encrypt the transaction data;
the terminal chip sending the encrypted data to the server through the remote wireless interface, establishing a mobile terminal payment channel.
12. The method for applying a digital certificate according to claim 11, characterized in that, before the smart card reader/writer accesses the smart card, the method further comprises: requesting the user to enter the smart card access password and verifying it.
13. A method for applying the digital certificate in the mobile terminal of claim 1, characterized by comprising:
the user initiating a certificate application request through an external device, the external device sending the request to the terminal chip through the data interface;
the terminal chip controlling the smart card reader/writer to access the smart card, and the smart card using the digital certificate to sign and encrypt the transaction data;
the terminal chip sending the encrypted data to the server through the external device, establishing an online payment channel.
14. The method for applying a digital certificate according to claim 13, characterized in that, before the smart card reader/writer accesses the smart card, the method further comprises: requesting the user to enter the smart card access password and verifying it.
15. A method for deleting a digital certificate from the mobile terminal of claim 1, characterized by comprising:
initiating a deletion request directly on the mobile terminal, or triggering the deletion function provided by the terminal suite installed on the external device;
the terminal chip controlling the smart card reader/writer to delete the digital certificate from the smart card.
16. The deletion method according to claim 15, characterized in that, before the smart card reader/writer deletes the digital certificate from the smart card, the method further comprises: requesting the user to enter the smart card access password and verifying it.
PCT/CN2008/072402 2007-09-20 2008-09-18 Mobile payment terminal and payment method based on pki technology WO2009039771A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710046313.0 2007-09-20
CN200710046313A CN101394615B (en) 2007-09-20 2007-09-20 Mobile payment terminal and payment method based on PKI technique

Publications (1)

Publication Number Publication Date
WO2009039771A1 true WO2009039771A1 (en) 2009-04-02

Family

ID=40494639

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/072402 WO2009039771A1 (en) 2007-09-20 2008-09-18 Mobile payment terminal and payment method based on pki technology

Country Status (2)

Country Link
CN (1) CN101394615B (en)
WO (1) WO2009039771A1 (en)

Also Published As

Publication number Publication date
CN101394615B (en) 2012-10-17
CN101394615A (en) 2009-03-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08800896

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08800896

Country of ref document: EP

Kind code of ref document: A1