WO2013097467A1 - Smart card and secure implementation method for an application terminal to access a smart card - Google Patents
- Publication number: WO2013097467A1 (PCT/CN2012/080202)
- Authority: WO, WIPO (PCT)
Definitions
- the present invention relates to the field of finance, and in particular to a secure implementation method for a smart card and an application terminal to access a smart card.
- Smart cards can store keys and perform encryption algorithms for maximum security on a cryptographic basis.
- POS and other terminals, PCs and the Internet have become the basic transmission channels for banking services.
- the security of online payments requires multiple verifications: identification of identity, integrity of data, and confidentiality of data.
- USBKEY, which is based on smart card technology, is widely used in online banking. When logging in to the online banking system, the user inserts the USBKEY into the PC and enters the PIN code. The USBKEY produces a digital signature with the private key stored in its key area, and the signature is transmitted to the online banking system for verification. If the verification passes, the relevant transaction can be performed. Smart cards also play an important role in other areas.
- When the smart card is used as an access card in a hotel, the waiter uses the card writer to write the room number, password, guest ID number, date, amount and other information into the smart card when the guest registers for accommodation. After the guest gets the smart card, the specified room can be opened.
- The data exchange between the smart card and the external world requires the assistance of the transaction terminal. The security of the terminal is reduced in a networked environment, and the terminal is weaker than the smart card at resisting attack. This reduces the security of the smart card application and brings transaction risk. If a smart card is used for POS transactions and the POS machine is attacked, the user may be at risk of losing the PIN. Another example is using a USBKEY to ensure transaction security when paying online: most user PIN codes are currently entered from the user's computer, so a hacker can still intercept the USBKEY PIN code directly through a Trojan horse program.
- After obtaining the PIN code, if the user does not remove the USBKEY in time, the hacker can go on to obtain false authentication with the intercepted PIN code, which is a security risk.
- The smart card used in an access control system needs to have sensitive information written to it through the card writer during initialization. When the card writer is attacked, customer information may also be leaked. Besides the terminal itself being insecure and vulnerable to attack, some criminals may also use a spoofed terminal to trick the user out of the PIN code.
- a smart card with a keyboard and a display is disclosed.
- a smart card is disclosed in the international publication No. WO2009018683A1.
- the smart card mainly comprises a main chip, a keyboard, a display device, a communication interface, and a power supply.
- a CPU is provided in the main chip for implementing each predetermined function, including reading the data input by the card main body through the keyboard, displaying the prompt information through the display device, and the like.
- The card owner enters the card opening password on the keyboard of the smart card.
- After the password is verified as correct, the card displays a prompt message prompting the card owner to start using the smart card and to input the account password, the amount of consumption, etc. The smart card encrypts this input with a one-time key extracted from the key table built into the card, and the result is transmitted to the ATM machine and on to the background for processing.
- That smart card requires the card opening instruction to be input before use, so the user has to enter a password twice (card opening password and account password) when paying, which is inconvenient for the user.
- the present invention provides a smart card equipped with an input and output device, which solves the problem that the security of the smart card application in the prior art is low, and the device cannot be configured according to actual needs, and the use is inconvenient.
- the smart card with input and output devices including:
- At least one input device for connecting or disconnecting from the communication interface according to a user's selection;
- At least one output device for connecting or disconnecting from the communication interface according to a user's selection.
- the input device includes at least one of the following:
- the keyboard is a PIN pad.
- the output device includes at least one of the following:
- the communication interface includes at least one of the following:
- Serial peripheral interface (SPI), USB interface, single-wire protocol (SWP) interface and multimedia card (MMC) interface.
- There are multiple SPIs, and the SPIs are connected to the input device and the output device.
- the SWP interface is connected to a short-range wireless communication NFC device, and the NFC device is configured to communicate with the smart card.
- the USB interface is connected to a browsing device, and the browsing device is loaded with a browser, and the browser is configured to browse information in the smart card.
- the application security information includes transaction information and/or user personal information.
- the smart card further includes: an ISO 7816 interface and an ISO 14443 interface.
- an electronic transaction smart card including:
- An electronic transaction unit configured to communicate with a background pre-system through a user terminal connected to the smart card to implement an electronic transaction
- a storage unit configured to store data that needs to be stored during an electronic transaction process
- the interface end element is used to connect to the user terminal to implement data interaction with the user terminal.
- the method further includes:
- An input unit configured to implement data input and/or instruction input to the smart card.
- the method further includes:
- An output unit configured to output information of interaction with the user.
- the input unit includes:
- the interface unit includes:
- the electronic transaction unit includes an electronic transaction program conforming to the POS specification or the ATM specification.
- Communicating with the background pre-system specifically comprises transmitting data using the ISO 8583 message format.
- the user terminal connected to the smart card comprises: a POS machine, an ATM machine, a computer, a mobile phone, a fixed telephone or a television set top box.
- a security implementation method for an application terminal to access a smart card including:
- a security module is provided in the smart card, and the security module includes a security access related key and a data encryption and decryption algorithm for implementing a security function; the security module further includes a flow program, and the flow program is used to implement secure access.
- a smart card accessing program, an input and output device, and a communication module are provided in the application terminal, where the smart card accessing program is used to provide an interface for interacting with the security module; and the input/output device is configured to implement interaction with the security module;
- the communication module is configured to implement data communication between the security module and the background of the application terminal.
- the security access includes: an electronic transaction.
- the security module is developed by using a mode of a WEB application.
- the smart card further includes a WEB server program for calling the security module;
- the smart card access program is a WEB browser.
- the smart card communicates with the application terminal by using an HTTP protocol.
- the communication module comprises: a wireless communication module or a wired communication module.
- the wireless communication module comprises a CDMA unit or a GPRS unit.
- the wired communication module includes a MODEM communication unit or an Ethernet communication unit.
- the input/output device comprises: one or any combination of a keyboard, a display, a printer, an IC card reader, a magnetic stripe card reader or a fingerprint scanner.
- the smart card equipped with the input and output devices of the technical solution of the present invention provides a secure channel for the input and output of the application transaction information, enhances the security of the smart card application, and reduces the complexity and security requirements of the terminal.
- the input and output devices of the smart card can be adjusted as needed to meet various application occasions and facilitate the use of the user.
- FIG. 1 is a schematic structural diagram of a smart card equipped with an input and output device according to an embodiment of the present invention
- FIG. 2 is a schematic structural diagram of another smart card equipped with an input and output device according to an embodiment of the present invention
- FIG. 3 is a schematic diagram of a step of a cardholder using a smart card to perform consumption on a POS machine in the prior art
- FIG. 4 is a schematic diagram of a connection between a POS machine and an ATM machine and a UnionPay information exchange system in the prior art
- FIG. 6 is a schematic diagram of an architecture of online payment in the prior art
- FIG. 7 is a schematic diagram of an electronic transaction system including a smart card in the present invention.
- FIG. 8 is a schematic structural diagram of a smart card according to the present invention.
- FIG. 9 is another schematic structural diagram of the smart card in the present invention.
- FIG. 10 is a schematic structural diagram of an application of the smart card in a plurality of user terminals according to the present invention
- FIG. 11 is a schematic flowchart of an implementation process of an electronic transaction in the prior art
- FIG. 12 is a schematic structural diagram of a device in an implementation method of an electronic transaction according to an embodiment of the present invention
- FIG. 14 is a schematic flowchart of an implementation process of an electronic transaction according to an embodiment of the present invention.
- FIG. 15 is a schematic diagram of a browser display interface according to an embodiment of the present invention.
- a smart card is provided with input and output devices.
- the security of the smart card application is enhanced, and the complexity and security requirements of the terminal are also reduced.
- the input and output devices of the embodiment are provided.
- the smart card 3100 includes: a plurality of communication interfaces, a communication interface 1 to a communication interface n, where n is used to indicate a plurality, for accessing the input device and the output device; at least one input device, the input device 1 to the input device n, for connecting or disconnecting from the communication interface according to the user's selection; at least one output device, the output device 1 to the output device n, for connecting or disconnecting from the communication interface according to the user's selection.
- FIG. 2 is a schematic diagram showing the structure of another smart card equipped with an input and output device according to an embodiment of the present invention.
- The multiple interfaces provided by the smart card 3200 in this embodiment may include: SPI (Serial Peripheral Interface) 3201, USB interface 3202, single-wire protocol SWP interface 3203, and multimedia card MMC interface 3204.
- There are multiple SPIs 3201, and the SPIs 3201 can be connected to the input device and the output device.
- the smart card 2200 can be connected to an external device such as a touch screen 2205, a keyboard 2206, a fingerprint scanner 3207, a contact type IC card reader, a contactless IC card reader, and a printer 3211 through the SPI interface 2201.
- the SPI interface 3201 adopts the master-slave mode, which has high data transmission efficiency and high speed.
- the smart card 3200 can transmit a large amount of data through the SPI interface 3201 and external devices, improving the efficiency of data transmission between the smart card 3200 and external devices.
- The required peripherals can be selected according to user needs, product positioning or application requirements, and various integrated circuits are provided for the user to select. If the above external devices need to be configured flexibly during use, different interface converters must be selected for different devices, and the external devices are connected to the SPI interface 3201 through these interface converters, so that each external device can communicate with the smart card 3200.
- the user can view the information through the touch screen 3205 provided by the smart card 3200, and select a corresponding function by using the touch screen to execute the specified application.
- the above smart card 3200 can also be equipped with a normal display without a touch function for displaying data such as personal information of the card holder.
- the smart card 3200 is provided with a keyboard 3206 that provides input for numbers, letters, or some functional options.
- The smart card 3200 can also be equipped with other keyboards, for example a password keyboard.
- The PIN pad is a dedicated device with an internal encryption processing function, which can safely store keys and complete functions such as message encryption, decryption and verification.
- The password keyboard may also have a display screen, on which the transaction amount is displayed. When the cardholder inputs the password, the display screen of the password keyboard does not show the plain text; only asterisks are displayed. Information is transmitted between the PIN pad and the smart card in cipher text. Since the smart card 3200 has a private display, this function can also be implemented there, so information such as the transaction amount can be displayed on the private display of the smart card 3200 instead of the display of the conventional PIN pad.
- The printer 3211 may be a printer such as a dot matrix type or a thermal paper recording type, and can print transaction vouchers (characters and Chinese characters), personal data, and the like.
- The smart card 3200 provides a new-generation smart card communication interface such as the MMC (MultiMediaCard) interface 3204, which can also implement the functions of the above SPI interface 3201.
- smart card providers can provide smart cards with different peripherals for users to choose according to application requirements.
- The SWP (Single Wire Protocol) interface 3203 provided by the above smart card can use a contact of the smart card to realize communication between the smart card and an NFC (Near Field Communication) chip through voltage and current changes. Specifically, the smart card 200 can also be connected to the NFC chip through the SWP interface 3203 to form an NFC device 3213. The user can conveniently and intuitively communicate with other NFC devices to realize contactless transactions.
- the smart card 3200 of the embodiment may further include a high-speed USB interface 3202, and the USB interface 3202 may be connected to the browsing device 3212.
- the browsing device 3212 is loaded with a browser, and the browser is used to browse the smart card 3200.
- the smart card using the USB interface 3202 can be directly connected to the USB host device without the need for a smart card reader device.
- The transfer capacity provided by the USB interface is considerable, so it can transfer a large amount of data or implement streaming applications.
- A smart card can implement the TCP/IP protocol on the USB interface and then carry the HTTP protocol over TCP/IP, making the browsing device a private peripheral of the smart card through the HTTP protocol.
- The user can use the smart card's private browser instead of the terminal browser to view the content of the transaction, or to browse data on the card, which may include transaction information and user personal information.
- When the smart card of the present invention and a terminal are used for a transaction, the information exchanged between the cardholder and the terminal can be transferred directly through the smart card's private external devices, enhancing data privacy and security.
- the above terminal may include an electronic device that interacts with the smart card, such as a POS machine, an ATM machine, a PC, and the like.
- the smart card may also include: a traditional contact smart card interface, ISO 7816 interface 3209, and a contactless smart card interface, ISO 14443 interface 3210.
- the smart card 3200 can be connected to the IC card reader 3208 via the SPI interface 3201.
- the IC card reader 3208 is a contact type IC card reader for receiving the insertion of the user IC card and transmitting data with the user IC card.
- the smart card 3200 can also be connected to a contactless IC card reader for identification and data exchange of contactless IC cards.
- The contact smart card interface and the contactless smart card interface may be an ISO 7816 interface and an ISO 14443 interface. The ISO 7816 interface is the traditional contact smart card interface: a contact IC card must have an ISO 7816 interface and communicates with the contact IC card interface device in accordance with the ISO 7816 standard protocol.
- The ISO 7816 international standard specifies the physical characteristics of the smart card, the size, location and function definition of the contacts, the underlying data transmission protocol of the smart card, and the interface between the smart card and the outside world for information exchange.
- The steps by which the terminal operates the smart card through the ISO 7816 interface include: inserting the smart card, connecting the smart card contacts and activating them; resetting the card, whereby the terminal establishes communication with the smart card by means of reset and response; executing the transaction commands according to the command format defined by the specification; and finally deactivating the contacts and removing the card.
- The ISO 14443 interface is the traditional contactless smart card interface, and a contactless IC card must have an ISO 14443 interface.
- The contactless IC card interface device activates and operates the smart card according to the signal interface and communication protocol defined by ISO 14443.
- The ISO 14443 standard specifies the physical characteristics of a contactless IC card, the RF energy and signal interface of a contactless IC card, and the transfer protocol of a contactless IC card.
- The smart card can provide one or both of the above two traditional smart card interfaces depending on its type. For example, the contact interface of a dual interface card provides the ISO 7816 interface, and the outside world can access the card through the contacts; the non-contact part provides the ISO 14443 interface, and the terminal can access the smart card by radio frequency.
- The smart card with input and output devices of the technical solution of the present invention can provide a reliable channel for the transmission of transaction information through private input and output devices and constitute a safe human-machine interface, thereby providing higher security for smart card applications. At the same time, the smart card of the invention does not require modification of the existing payment system and can be connected to its private external devices according to actual needs, which improves the practicability of the smart card and expands its range of use.
- FIG. 3 is a flow chart of a cardholder using a smart card to make a payment on a POS machine according to the prior art.
- The cashier selects the consumer transaction by pressing the corresponding number key on the function interface of the POS machine.
- The electronic passbook application can be selected, see step s1.
- The terminal prompts for the amount, and the cashier inputs the consumption amount according to the prompt, see step s2.
- The cashier is then prompted to insert an IC card or swipe the card, and the cashier inserts the smart card into the IC card slot of the POS machine.
- The terminal should detect whether the IC card has been inserted into the card reader and prompt accordingly, see step s3.
- After the terminal detects the IC card, it selects the electronic passbook application in the IC card and checks the validity of the IC card, such as checking whether the card is in the blacklist stored in the terminal, whether the terminal supports the card issuer identifier, etc., see step s4. If the IC card check is invalid, error processing is performed, such as the terminal displaying the error message or the card being re-inserted. If the card continues to be invalid, the transaction is terminated, see step s5. If the IC card check is valid, the terminal prompts for the PIN, and the cardholder enters the user PIN code on the keyboard of the POS machine according to the prompt, see step s6.
- After the cardholder enters the PIN, the terminal sends the Verify PIN command to the IC card, and the IC card performs the verification, see step s7. If the verification is incorrect, go to error handling step s5 to end or retry the transaction. If the verification succeeds, the process proceeds to step s8 to start the consumption process, and the terminal generates MAC1 by means of the secure storage module SAM. The terminal sends the MAC1 generated by the SAM card to the IC card, which verifies it, see step s9. After the IC card verifies that MAC1 is valid, the amount of consumption is deducted from the electronic passbook balance, and then MAC2 is generated and sent back to the terminal together with the consumption record, see step s10.
- The POS terminal transmits the received MAC2 to the SAM card, the SAM card verifies the validity of MAC2, and the verification result is sent back to the terminal. The terminal takes corresponding measures, such as printing the slip when the transaction succeeds and handling the failure when the consumption fails, see step s11.
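Steps s8 to s11 above amount to a two-way MAC check between the terminal's SAM and the IC card. The following Python model is an added example, not code from the patent; it assumes one key shared by SAM and card, a card-issued nonce, and truncated HMAC-SHA256 as a stand-in for the scheme's MAC, none of which the text specifies.

```python
import hashlib
import hmac
import os


def mac8(key: bytes, label: bytes, nonce: bytes, amount: int) -> bytes:
    """Stand-in MAC (assumption): HMAC-SHA256 truncated to 8 bytes."""
    msg = label + nonce + amount.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class SamCard:
    """Merchant-side SAM: the key never leaves it, the terminal only sees MACs."""

    def __init__(self, key: bytes):
        self._key = key

    def make_mac1(self, nonce: bytes, amount: int) -> bytes:
        return mac8(self._key, b"MAC1", nonce, amount)

    def verify_mac2(self, nonce: bytes, amount: int, mac2: bytes) -> bool:
        return hmac.compare_digest(mac2, mac8(self._key, b"MAC2", nonce, amount))


class PassbookCard:
    """User IC card holding the electronic passbook balance."""

    def __init__(self, key: bytes, balance: int):
        self._key = key
        self.balance = balance
        self._nonce = None

    def init_purchase(self) -> bytes:
        # Fresh nonce per purchase (assumption) so an old MAC1 cannot be replayed.
        self._nonce = os.urandom(8)
        return self._nonce

    def debit(self, amount: int, mac1: bytes):
        """Steps s9/s10: verify MAC1, deduct, return MAC2; None means refused."""
        nonce, self._nonce = self._nonce, None  # the nonce is single use
        if nonce is None:
            return None
        if not hmac.compare_digest(mac1, mac8(self._key, b"MAC1", nonce, amount)):
            return None
        if amount > self.balance:
            return None
        self.balance -= amount
        return mac8(self._key, b"MAC2", nonce, amount)


def purchase(card, sam, amount, amount_sent_to_card=None) -> str:
    """Terminal side of steps s8 to s11.

    amount_sent_to_card models a terminal that changes the amount after the
    SAM has produced MAC1; the card then refuses because MAC1 no longer matches.
    """
    nonce = card.init_purchase()
    mac1 = sam.make_mac1(nonce, amount)                      # s8
    sent = amount if amount_sent_to_card is None else amount_sent_to_card
    mac2 = card.debit(sent, mac1)                            # s9, s10
    if mac2 is None:
        return "card refused debit"
    if not sam.verify_mac2(nonce, amount, mac2):             # s11
        return "SAM rejected MAC2"
    return "approved"


if __name__ == "__main__":
    key = os.urandom(16)  # constructed sample key
    card, sam = PassbookCard(key, 1000), SamCard(key)
    print(purchase(card, sam, 250), card.balance)
    print(purchase(card, sam, 250, amount_sent_to_card=1), card.balance)
```

Both MACs still travel through the terminal, which is the exposure the embodiment below removes by attaching the SAM to the smart card's own reader.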
- the smart card to which the embodiment is applied may be provided with a PIN pad and an IC card reader.
- some sensitive data may be directly transmitted through the private peripheral of the smart card.
- The user inputs a PIN (Personal Identification Number) on the keyboard of the terminal, and the PIN is then transmitted to the IC card for verification. If the smart card of the embodiment is used, the user PIN does not need to be input through the keyboard of the terminal, nor does it need to be transmitted by the terminal; it is input directly by the user on the private keyboard of the smart card, thereby reducing the risk of PIN leakage.
- In step s11, the terminal needs to use the SAM card on the other card reader for security verification, and the SAM card transmits the verification data to the user IC card through the terminal. If the smart card equipped with the PIN pad and the IC card reader of the embodiment is used, the SAM card is directly connected to the card reader of the smart card.
- The security authentication function can then be implemented without passing through the terminal, which reduces the security risks of data transmission and increases transaction security.
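The difference between the two PIN paths described above can be seen in what a terminal that records its traffic actually captures. This Python model is an added example, not part of the patent: the card PIN is a constructed value, the command bytes follow the ISO 7816-4 VERIFY command, and using a data-less VERIFY as the status query after private keypad entry is an assumption about how a terminal could learn the result.

```python
import hmac

SW_OK = b"\x90\x00"        # success
SW_BLOCKED = b"\x69\x83"   # verification method blocked
CARD_PIN = "4921"          # constructed sample PIN


def build_verify_apdu(pin=None) -> bytes:
    """ISO 7816-4 VERIFY (CLA=00, INS=20); without a data field it only asks for status."""
    header = bytes([0x00, 0x20, 0x00, 0x00])
    if pin is None:
        return header
    data = pin.encode("ascii")
    return header + bytes([len(data)]) + data


class Card:
    MAX_TRIES = 3

    def __init__(self, pin: str):
        self._pin = pin.encode("ascii")
        self._tries = self.MAX_TRIES
        self._verified = False

    def _retry_sw(self) -> bytes:
        return bytes([0x63, 0xC0 | self._tries])   # 63Cx: x tries left

    def _check(self, candidate: bytes) -> bytes:
        if self._tries == 0:
            return SW_BLOCKED
        if hmac.compare_digest(candidate, self._pin):
            self._tries, self._verified = self.MAX_TRIES, True
            return SW_OK
        self._tries -= 1
        self._verified = False
        return self._retry_sw()

    def process_apdu(self, apdu: bytes) -> bytes:
        """Contact interface: everything here has crossed the terminal."""
        if apdu[:2] != b"\x00\x20":
            return b"\x6d\x00"                      # instruction not supported
        if len(apdu) == 4:                          # status query, no PIN carried
            if self._verified:
                return SW_OK
            return SW_BLOCKED if self._tries == 0 else self._retry_sw()
        return self._check(apdu[5:5 + apdu[4]])

    def keypad_enter(self, pin: str) -> bytes:
        """Private keypad of the embodiment: input never leaves the card."""
        return self._check(pin.encode("ascii"))


class LoggingTerminal:
    """Relays APDUs and keeps a copy of every frame, as compromised terminal software could."""

    def __init__(self, card: Card):
        self.card = card
        self.log = []

    def transmit(self, apdu: bytes) -> bytes:
        response = self.card.process_apdu(apdu)
        self.log += [apdu, response]
        return response


def prior_art_flow(entered_pin: str):
    """Steps s6/s7: PIN typed on the terminal keyboard and sent in a VERIFY APDU."""
    terminal = LoggingTerminal(Card(CARD_PIN))
    return terminal.transmit(build_verify_apdu(entered_pin)), terminal.log


def private_keypad_flow(entered_pin: str):
    """Embodiment: PIN typed on the card; the terminal only queries the outcome."""
    card = Card(CARD_PIN)
    terminal = LoggingTerminal(card)
    card.keypad_enter(entered_pin)
    return terminal.transmit(build_verify_apdu()), terminal.log


def pin_exposed(log, pin: str) -> bool:
    """True if the PIN bytes appear in any frame the terminal recorded."""
    return any(pin.encode("ascii") in frame for frame in log)


if __name__ == "__main__":
    for flow in (prior_art_flow, private_keypad_flow):
        sw, log = flow(CARD_PIN)
        print(flow.__name__, sw.hex(), "PIN in terminal log:", pin_exposed(log, CARD_PIN))
```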
- the smart card of the embodiment can be applied not only in the financial field but also in the online banking payment.
- Sensitive data such as the user PIN can be input directly through the private keyboard of the smart card, and personal information can be displayed directly on the private display of the smart card, without going through the keyboard and monitor of the PC.
- customer information can also be transmitted through the smart card's private external device, increasing the security of the information.
- Smart cards can be equipped with different input and output devices according to application needs, which increases the security of information transmission and the confidentiality of personal data and is convenient for users. Different external devices can also be configured flexibly to meet the needs of different application areas.
- an electronic transaction smart card is also provided.
- Electronic trading terminals include ATM (Automatic Teller Machine) machines, POS machines, online transactions, telephone transactions and mobile phone transactions.
- Because the acceptance terminals differ, the implementation methods and back-end systems also differ, and so does the way the user operates them, which makes use complex and difficult for the user. Issuing organizations also duplicate construction, developing different acceptance terminals, different implementation methods and different back-end systems, which increases transaction cost and limits promotion of the business.
- FIG. 4 shows a schematic diagram of the connection between the POS machine and the ATM machine respectively with the UnionPay information exchange system.
- the magnetic stripe card and the IC card special merchant point of sale terminal are also called the POS machine, which is the most important device for the merchant to accept the bank card.
- The electronic transaction system using the POS machine includes a POS machine 212, a POS machine front system 213, and a UnionPay information exchange system 211.
- When the POS machine is used for financial transactions, the POS machine 212 must be connected to the POS pre-system 213 by wired or wireless communication, and then connected to the UnionPay information exchange system 211 by the POS pre-system 213 to complete the electronic transaction.
- the UnionPay Information Exchange System 211 refers to the system in which UnionPay is responsible for the transfer, clearing and other functions of bank card inter-bank transaction information. All inter-bank transactions need to be completed through the exchange system.
- The POS front-end system 213 functions as a gateway: it provides the network access service for the POS machine 212 and performs protocol conversion and message conversion.
- the ATM 215 is a self-service terminal that combines a variety of different financial service functions.
- the user can complete financial services such as withdrawal, deposit, and inquiry through the ATM 215.
- the ATM 215 is generally connected to the ATM front-end system 214 by means of a private line dialing communication method.
- The ATM pre-system 214 is also called ATMP. One end of the ATMP 214 is connected to the ATM terminal 215 and the other end is connected to the UnionPay switching system 211. It provides the network access means and transaction communication service for the ATM 215, thereby realizing transactions such as withdrawal and transfer.
- Although the POS machine 212 and the ATM machine 215 are both connected to the UnionPay information exchange system 211 through a front-end system, there are two different front-end systems because the terminal programs and transaction functions differ.
- FIG. 5 is a schematic diagram of a system for payment by a mobile terminal.
- Before using the mobile terminal 222 for mobile payment, a user needs a smart card 225, which can be connected directly to the mobile terminal 222 in the form of an SD card, a SIM card, etc. The smart card 225 stores some of the user's bank card information, which is equivalent to "carrying" the bank card into the mobile terminal 222; the smart card 225 and the mobile terminal 222 cooperate to complete the payment.
- The payment information is first submitted to the merchant 224, and the merchant 224 generates an electronic order and sends it to the mobile terminal 222. The order activates the payment program of the mobile terminal 222, which prompts the user to select a bank card available in the smart card 225. The mobile terminal 222 then sends the order information and the bank card information to the mobile payment platform 223, and the mobile payment platform 223 connects to the UnionPay information exchange system 211 to complete the payment transaction.
- The mobile payment channel needs to introduce a financial smart card, which is quite different from the implementation of the POS terminal and the ATM terminal, and there are also differences in the implementation of the back-end system.
- The mobile payment platform 223 used here is similar to the POS front-end system and performs data format conversion and network access. However, since the data interface used by the mobile terminal 222 is different from that of the POS terminal, the mobile payment platform 223 cannot be unified with the POS front-end system.
- Figure 6 shows a schematic diagram of the architecture of online payment. The channel structure and payment process of online payment are described below with reference to Figure 6.
- The user browses the products on the merchant website 233 through the computer 232 and confirms the purchase. The user then inputs the card number through the payment gateway 234 of the acquirer, and the payment gateway 234 sends the user's card number to the routing server 235. Next, the user enters the authentication information through the security information input server 236, and the security information input server 236 sends the related information to the routing server 235. The routing server 235 then organizes the authentication information into the ISO 8583 message format and transmits it to the UnionPay information exchange system 211, which performs the transaction processing. After obtaining the response, the routing server 235 sends the payment response to the payment gateway 234 of the acquiring bank. Finally, the payment gateway 234 returns the transaction response to the computer 232 to complete the payment transaction.
- The architecture of online payment is completely different from the mobile payment and POS payment architectures, which makes it difficult for the back-end system of online payment to be unified with the POS front-end system.
- an embodiment of the present invention provides an electronic payment smart card, including:
- An electronic transaction unit configured to communicate with a front-end system through a user terminal connected to the smart card, so as to implement electronic transactions; a storage unit for storing the data that needs to be stored in the electronic transaction process; and an interface unit for connecting to the user terminal, so as to achieve data interaction with the user terminal.
- The smart card 204 in the embodiment of the present invention is connected to the computer 203 and, through the computer's network connection, communicates with the front-end system 202 of the bank, thereby enabling the user to conduct electronic transactions with the UnionPay information exchange system 201.
- The smart card 204 can also be operated and read using the computer 203 as a human-machine interface.
- The smart card 204 may be connected to the computer 203 through the interface unit 2043.
- The smart card 204 in the embodiment of the present invention can be compatible with a plurality of user terminals. Therefore, the smart card can be provided with several of the above interfaces at the same time, to adapt to different user terminals.
- The electronic transaction unit 2041 is the core and contains an electronic transaction program.
- The computer connected to the interface unit 2043 communicates with the front-end system 202 of the bank, so that the electronic transaction can be realized. To store the data that needs to be stored during or after the electronic transaction, the embodiment of the present invention also provides a corresponding storage unit 2042.
- The electronic transaction program in the embodiment of the present invention may specifically be a terminal program conforming to the POS specification or the ATM specification, so that the bank can provide a corresponding front-end system to implement electronic transactions with the user.
- Because the smart card includes a terminal program conforming to the POS specification or the ATM specification, only the front-end system corresponding to that terminal program needs to be provided at the bank end.
- The ISO 8583 message format can be used to transmit data.
- A separate input unit 2044 may be provided in the embodiment of the present invention for implementing data input and/or command input to the smart card 204.
- The smart card 204 may be provided with its own keyboard, which prevents a virus or other malicious program that infects a user device such as a computer and records keyboard operations from affecting the security of electronic transactions.
- A fingerprint scanner, or an interface for a fingerprint scanner, may also be provided.
- The smart card in the embodiment of the present invention may also be provided with an IC card reader or a magnetic stripe card reader.
- The smart card in the embodiment of the present invention is used with other user terminals in a manner similar to its use with a computer.
- The smart card can be connected through a corresponding adapter interface to a mobile phone, a fixed telephone, a television set-top box, or another device that communicates with the front-end system 202 of the bank, in order to implement electronic transactions with the UnionPay information exchange system 201.
- The difference is that, to match the connections of the different devices, the smart card needs to have a variety of different interfaces.
- an output unit for outputting interaction information with the user may be further included.
- the specific output unit can be a display screen.
- In this way, the information interaction between the smart card and the user can be completed even when the user terminal does not have an output function, because the relevant information can be output through the display screen of the smart card itself.
- The smart card may include a terminal program conforming to the POS specification or the ATM specification, that is, the electronic transaction program conforms to the POS specification or the ATM specification. Therefore, no matter what user terminal the user uses for electronic transactions, it is only necessary to have, at the bank end, a front-end system corresponding to the terminal program conforming to the POS specification or the ATM specification. It is thus not necessary to provide different front-end systems for a plurality of different electronic transaction modes as in the prior art, which reduces the operating cost of the issuer and facilitates the development of electronic transactions.
- the same operation mode can be adopted, thereby reducing the operation difficulty of the user.
- a security implementation method for an application terminal to access a smart card is also provided.
- With its security, convenience and stability, the smart card plays a major role in various security-critical applications. In these applications, however, the smart card is used only as a secure storage medium for data, and a large part of the data and business processing logic still has to be done on the application terminal. Taking electronic transactions as an example, smart cards only undertake core security functions such as key calculation and data verification in the electronic payment transaction; most of the other application logic has to be completed with the cooperation of terminals such as POS machines, PCs or ATMs.
- the present invention provides a security implementation method for an application terminal to access a smart card to implement end-to-end security in a secure access process.
- The communication between the smart card and the terminal is implemented according to the APDU (Application Protocol Data Unit) interface specified in the ISO 7816-4 standard.
- The APDU has both a command format and a response format.
- In the current smart card field, the card is always in a "passive" position. It can only wait for the terminal to send an APDU to it. After receiving the APDU, the smart card executes the command and returns an APDU response.
- The smart card and the terminal in the prior art communicate with each other through the APDU interface.
- The flow program of the electronic transaction application is stored in the terminal.
- Smart cards provide keys and sensitive data. The whole flow is controlled by the terminal, which needs to interact with the smart card only when the electronic transaction application reaches reads, writes and related operations on security-critical data stored in the smart card.
- The data of the smart card is transmitted to the back-end system of the bank through the terminal. Since a processing link is added between the smart card and the back end, the security risk of the transaction is increased, and so is the complexity of the system.
- The smart card in the prior art serves only as a secure storage medium for data, and most of the data and service processing logic still needs to be performed on the terminal outside the card.
- Smart cards only undertake core security functions such as key calculation and data verification in the process of electronic payment transactions.
- Most of the other application logic has to be completed with the cooperation of terminals such as POS machines and ATMs. Sensitive data is therefore still at risk when it is processed on the POS terminal or on the computer, and data security between the smart card and the back-end system cannot be guaranteed.
- the embodiment of the present invention provides a security implementation method for an application terminal to access a smart card, which specifically includes:
- a security module is provided in the smart card, and the security module includes a security access related key and a data encryption and decryption algorithm for implementing the security function; the security module further includes a process program, and the process program is used to implement application logic and data processing for secure access. ;
- a smart card accessing program, an input and output device, and a communication module are provided in the application terminal, where the smart card accessing program is used to provide an interface for interacting with the security module; and the input/output device is configured to implement interaction with the security module;
- the communication module is configured to implement data communication between the security module and the application terminal in the background
- a security module 510 is provided in the smart card 501.
- the security module 510 includes an electronic transaction related key, and a data encryption and decryption algorithm for implementing a security function.
- the security module further includes a flow program 511.
- the flow program 511 is used to implement processing of application logic and data in an electronic transaction process.
- PSAM: Purchasing Security Access Module.
- The transaction-related key is stored in the PSAM card.
- The POS machine uses the PSAM's built-in data encryption and decryption algorithms to implement security functions such as data encryption, decryption, signature and verification.
- The security module included in the embodiment of the present invention is different from the prior art: the security module 510 includes the keys and sensitive data 512 related to the electronic transaction, and the data encryption and decryption algorithms for implementing the security function.
- In addition, the application logic and data processing of the electronic transaction process can be realized through the flow program that the security module contains. In this way, the processing of application logic and data that has to be performed in the application terminal in the prior art is implemented in the smart card. This avoids the prior-art problem that electronic transactions carry a high risk because of the low security of the application terminal.
- the application terminal 502 is further provided with a smart card accessing program 521, an input and output device 522, and a communication module 523;
- The interface that the smart card accessing program provides for interacting with the security module may be implemented with a web browser; correspondingly, the smart card is provided with a web server program for calling the security module 510. Since the browser is a common application on the user's application terminal, the smart card can be used together with various application terminals, which makes it convenient for the user in different application scenarios and thereby facilitates the popularization and development of electronic transactions.
- The security module 510 is developed in the manner of a web application. Therefore, in the electronic transaction process, the user can conveniently access the security module through the HTTP interface, or navigate between pages in the browser and use the flow program 511 to perform the electronic transaction.
- When developing the various programs required for electronic transactions in the security module 510, the developer follows a process similar to developing a standard web page, and can use web page editing software to write the interface interaction, business logic, device control, and data transfer functions of those programs.
- The application terminal 502 and the smart card 501 communicate through the HTTP protocol: the terminal accesses the home pages of the various programs required for the electronic transaction and performs the corresponding web interface operations to carry out the business logic.
- The developers of the various programs required for electronic transactions need to write the HTML page content, as shown in Figure 13.
- the HTML file structure, the developer is in ⁇ ) (1 > to implement the specific content of the application.
- The smart card 501 and the application terminal 502 in the embodiment of the present invention may communicate through the HTTP protocol.
- The input and output device 522 is further configured to implement interaction with the security module.
- The input and output device 522 may include one or any combination of a keyboard, a display, a printer, an IC card reader, a magnetic stripe card reader, or a fingerprint scanner.
- Operations on the input/output device, such as keyboard input, may be recorded by malware.
- a dedicated input/output device may be provided for the smart card, thereby making the electronic
- the display device can utilize a display of the application terminal, such as a display of a computer or a display screen of a mobile phone.
- a communication module 523 is further included, which is used to implement data communication between the security module and the background of the bank.
- the data communication between the smart card 501 and the corresponding system in the bank end background is realized by the communication module 523 of the application terminal 502.
- The smart card 501 need not have a communication module of its own; it only needs to use the communication module of the existing application terminal.
- such a design also enables the effective control of the size of the smart card and the cost of the smart card.
- the communication module 523 in the embodiment of the present invention may specifically be a wireless communication module or a wired communication module.
- the wireless communication module may be a CDMA unit or a GPRS unit; the wired communication module may be a MODEM communication unit or an Ethernet communication unit.
- the smart card can utilize a wireless communication module in the mobile phone or a wired communication module in the computer, so that the smart card can be applied to various application scenarios.
- The electronic transaction implementation method of the embodiment of the present invention is described below using a POS terminal, a smart card, and an electronic card held by the user.
- The POS terminal communicates with the smart card and the user IC card entirely through requests and responses for HTML pages to complete the payment application.
- The POS terminal detects the smart card and initializes it.
- The POS terminal operator inputs the web page path of the smart card in the browser, and the terminal browser sends a page request to the smart card according to that path.
- The smart card receives the request from the browser, parses and processes the HTML command, and returns an HTML response to the browser of the POS terminal.
- The POS terminal browser receives the HTML response of the smart card and presents it to the user, and continues to interact with the smart card through the HTTP protocol according to the user's operations, thereby realizing the complete electronic transaction process.
- the browser finds the user card according to the webpage path, and requests the data of the user card through the HTML protocol.
- FIG. 15 is a schematic diagram of an example page obtained by a POS browser from a smart card.
- identification in order to improve security, it is also possible to migrate an application originally implemented in the terminal to a smart card.
- the method of the present invention can be applied, and the background data storage processing module in the system is transferred to the smart card.
- smart cards can also be introduced to implement the application logic, and the method of the present invention is applied to improve security performance.
- a security module is provided in the smart card, an electronic transaction related key is provided through the security module, and a data encryption and decryption algorithm is implemented for implementing the security function;
- the process program can realize the application logic and data processing in the electronic transaction process; therefore, in the process of implementing the electronic transaction, the electronic transaction can be completed through the interface of the smart card accessing program of the application terminal and interacting with the security module.
- the security-related data in the electronic transaction process is avoided from running on the user's application terminal, which improves the security of the electronic transaction.
- The application terminal may be any device that can communicate with the back end, such as a mobile phone, a POS machine, an ATM or a PC, as long as a web browser can run on it.
- the security access is not limited to the implementation of the electronic transaction, and may also be used to implement an application scenario that requires secure access, such as an access control system.
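The terminal-as-browser arrangement described above, as an added sketch that is not the patent's own code: the card-side security module holds the key and the flow program and answers HTTP requests with HTML, while the terminal only relays requests and displays pages. The class and function names, the `/pay` path, the `order` and `amount` fields, the demo key and the choice of HMAC-SHA256 are all assumptions; the patent names no algorithm or URL layout.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit


class CardSecurityModule:
    """Card side: the key and the flow program both stay inside the card."""

    def __init__(self, key: bytes):
        self._key = key  # constructed demo key; never sent to the terminal

    @staticmethod
    def _page(status: str, body: str) -> bytes:
        html = f"<html><body>{body}</body></html>".encode("ascii")
        head = (f"HTTP/1.1 {status}\r\nContent-Type: text/html\r\n"
                f"Content-Length: {len(html)}\r\n\r\n")
        return head.encode("ascii") + html

    def handle(self, raw: bytes) -> bytes:
        """Flow program: parse one HTTP request from the terminal, return a page."""
        try:
            request_line = raw.split(b"\r\n", 1)[0].decode("ascii")
            method, target, _version = request_line.split(" ")
        except ValueError:  # bad encoding or wrong number of fields
            return self._page("400 Bad Request", "malformed request")
        if method != "GET":
            return self._page("405 Method Not Allowed", "GET only")
        url = urlsplit(target)
        if url.path == "/":
            return self._page("200 OK", '<a href="/pay">pay</a>')
        if url.path != "/pay":
            return self._page("404 Not Found", "no such page")
        query = parse_qs(url.query)
        order = query.get("order", [""])[0]
        amount = query.get("amount", [""])[0]
        # Validate on the card: everything arriving from the terminal is untrusted.
        if not (order.isascii() and order.isalnum()
                and amount.isascii() and amount.isdigit()):
            return self._page("400 Bad Request", "invalid order or amount")
        tag = hmac.new(self._key, f"{order}|{amount}".encode(),
                       hashlib.sha256).hexdigest()
        return self._page("200 OK",
                          f'order {order}, amount {amount} <span id="mac">{tag}</span>')


def terminal_fetch(card: CardSecurityModule, target: str):
    """Terminal side: acts only as a browser, relaying a request and reading the page."""
    response = card.handle(f"GET {target} HTTP/1.1\r\nHost: card\r\n\r\n".encode("ascii"))
    head, _, body = response.partition(b"\r\n\r\n")
    return int(head.split(b" ")[1]), body.decode("ascii")


def extract_mac(html: str) -> str:
    """Pull the hex MAC out of the page the card returned ("" if absent)."""
    match = re.search(r'id="mac">([0-9a-f]{64})<', html)
    return match.group(1) if match else ""


def backend_verify(key: bytes, order: str, amount: str, tag: str) -> bool:
    """Bank back end: recompute the MAC with its own copy of the key."""
    expected = hmac.new(key, f"{order}|{amount}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)
```

The terminal sees only the rendered page and the MAC, so an altered amount on the terminal side fails `backend_verify` at the back end.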
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
RU2013153742/08A RU2013153742A (ru) | 2011-12-26 | 2012-08-16 | Смарт-карта и метод реализации защиты доступа к смарт-карте через терминал приложений |
Applications Claiming Priority (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2011104436552A CN102521779A (zh) | 2011-12-26 | 2011-12-26 | 电子交易智能卡及电子交易系统 |
CN2011104450070A CN102542226A (zh) | 2011-12-26 | 2011-12-26 | 一种应用终端访问智能卡的安全访问实现方法 |
CN201110445007.0 | 2011-12-26 | ||
CN201110443655.2 | 2011-12-26 | ||
CN201210034476.8 | 2012-02-15 | ||
CN2012100344768A CN102609750A (zh) | 2012-02-15 | 2012-02-15 | 一种配有输入和输出设备的智能卡 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013097467A1 true WO2013097467A1 (zh) | 2013-07-04 |
Family
ID=48696318
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2012/080202 WO2013097467A1 (zh) | 2011-12-26 | 2012-08-16 | 智能卡和应用终端访问智能卡的安全实现方法 |
Country Status (2)
Country | Link |
---|---|
RU (1) | RU2013153742A (zh) |
WO (1) | WO2013097467A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106934309A (zh) * | 2017-02-15 | 2017-07-07 | 广州中大微电子有限公司 | 一种嵌入安全模组的接触式ic卡的读卡器 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101882233A (zh) * | 2010-06-02 | 2010-11-10 | 方亚南 | 一种多功能芯片卡 |
CN102129592A (zh) * | 2011-04-13 | 2011-07-20 | 胡建国 | 接触式智能卡 |
-
2012
- 2012-08-16 RU RU2013153742/08A patent/RU2013153742A/ru unknown
- 2012-08-16 WO PCT/CN2012/080202 patent/WO2013097467A1/zh active Application Filing
Also Published As
Publication number | Publication date |
---|---|
RU2013153742A (ru) | 2015-06-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 12862025 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2013153742 Country of ref document: RU Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 12862025 Country of ref document: EP Kind code of ref document: A1 |