WO2014139408A1 - Procédé et système pour télécharger en aval de manière sécurisée une clé maître de terminal (tmk) - Google Patents

Procédé et système pour télécharger en aval de manière sécurisée une clé maître de terminal (tmk) Download PDF

Info

Publication number
WO2014139408A1
WO2014139408A1 PCT/CN2014/073220 CN2014073220W WO2014139408A1 WO 2014139408 A1 WO2014139408 A1 WO 2014139408A1 CN 2014073220 W CN2014073220 W CN 2014073220W WO 2014139408 A1 WO2014139408 A1 WO 2014139408A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
terminal
random number
authentication
module
Prior art date
Application number
PCT/CN2014/073220
Other languages
English (en)
Chinese (zh)
Inventor
孟陆强
苏文龙
彭建忠
Original Assignee
福建联迪商用设备有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN2013100843972A external-priority patent/CN103237004A/zh
Priority claimed from CN2013100846735A external-priority patent/CN103220271A/zh
Priority claimed from CN2013100846716A external-priority patent/CN103220270A/zh
Priority claimed from CN2013100846538A external-priority patent/CN103237005A/zh
Application filed by 福建联迪商用设备有限公司 filed Critical 福建联迪商用设备有限公司
Publication of WO2014139408A1 publication Critical patent/WO2014139408A1/fr

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/20Point-of-sale [POS] network systems
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]

Definitions

  • the present invention relates to the field of electronic payment, and in particular, to a method and system for securely downloading a terminal master key TMK.
  • Bank card (BANK Card) is becoming more and more popular as a payment instrument.
  • the usual bank card payment system includes a point of sale terminal (Point Of Sale, POS), POS Acquiring System (POSP), PIN PAD and Hardware Encryption (Hardware and Security) Module, HSM).
  • the POS terminal can accept the bank card information, has the communication function, and accepts the instructions of the teller to complete the financial transaction information and the related information exchange device; the POS acquiring system performs centralized management on the POS terminal, including parameter downloading, key downloading, accepting, Processing or forwarding the transaction request of the POS terminal, and sending back the transaction result information to the POS terminal, which is a centralized management and transaction processing system; the password keyboard (PIN) PAD) is a security device that securely stores keys related to various financial transactions and encrypts PINs.
  • the hardware encryption machine (HSM) is a peripheral hardware device that encrypts transmitted data and is used for encryption of PINs. Decrypt, verify the correctness of the message and file source, and store the key.
  • Personal identification number (Personal Identification Number, PIN), which is the personal information, is the data information identifying the legality of the cardholder's identity in online transactions. It is not allowed to appear in plain text in any part of the computer and network system; terminal master key (Terminal) Master Key, TMK), when the POS terminal works, the master key for encrypting the work key is encrypted and stored in the system database; the POS terminal is widely used in bank card payment occasions, such as vendor shopping, hotel accommodation, etc. The lack of modern means of payment has been integrated into the various situations of people's lives. Bank cards, especially debit cards, generally have a PIN set by the cardholder.
  • the POS terminal In the process of payment, the POS terminal not only sends the track information of the bank card, but also the cardholder to input the PIN for the card issuing bank to verify.
  • the legality of the cardholder’s identity ensures the security of the payment of the bank card and protects the property of the cardholder.
  • it In order to prevent the PIN from being leaked or cracked, it is required to securely encrypt the PIN from the terminal to the issuing bank during the entire information exchange process. It is not allowed to appear in the clear text in any part of the computer network system, so the input PIN is currently accepted.
  • the POS terminal requires a key management system.
  • TMK terminal master key
  • WK work key
  • TMK encrypts WK.
  • Each POS terminal has a unique TMK, which must be secure, ensure that it can only be written to the device and participate in calculations, and cannot be read.
  • TMK is a key root key. If TMK is intercepted, the work key is easier. Being cracked will seriously threaten the security of bank card payments. Therefore, whether the TMK can be safely downloaded to the POS terminal becomes the key to the security of the entire POS terminal.
  • the download of the terminal master key must be controlled in the security room of the management center to manually download the terminal master key.
  • the maintenance center has a large workload; after the equipment leaves the factory, it needs to be transported to the security center of the management center to download the key to be deployed to the merchant, and the transportation cost increases; in order to concentrate the download of the key, a large amount of manpower and working time are required, and the maintenance cost is large. , long maintenance period and other issues.
  • a method for securely downloading a terminal master key TMK includes the steps of: S1, a process in which a KMS system transmits a public key Pu to a POS terminal; and S2, a process in which the POS terminal encrypts the transmission key TK by using the public key Pu and uploads it to the KMS system.
  • Step S3 the POS terminal downloads the process of the master key TMK encrypted by the transmission key TK from the KMS system; wherein the specific steps of the step S1 include: S11, the KMS system calls the hardware encryption machine to generate the public key Pu And the private key Pr; S12, the operation terminal and the KMS system perform mutual authentication through the CA center; S13, after the authentication is passed, the KMS system sends the public key Pu to the POS terminal through the operation terminal and stores it in the password keyboard; Step S2 specifically includes: S21.
  • the POS terminal invokes the cryptographic keyboard to generate a symmetric transmission key TK, where the transmission key TK includes a transmission encryption key TEK and a transmission authentication key AUK; S22, and the POS terminal invokes the cryptographic keyboard to use the public key Pu.
  • the transmission key TK includes a transmission encryption key TEK and a transmission authentication key AUK; S22, and the POS terminal invokes the cryptographic keyboard to use the public key Pu.
  • the encrypted transmission key TK generates a transmission key ciphertext Ctk_Pu;
  • S23 the operation terminal transmits the transmission key ciphertext Ctk_Pu and the terminal serial number SN to the KMS
  • the S24 and the KMS system store the terminal serial number SN and the transmission key ciphertext Ctk_Pu in the KMS database in association with each other;
  • the step S3 specifically includes: S31, the POS terminal sets the terminal serial number SN And downloading the master key application to send to the KMS system;
  • S32 the KMS system receives the terminal serial number SN sent by the POS terminal After downloading the master key request, querying the transmission key ciphertext Ctk_Pu corresponding to the terminal serial number SN;
  • S33 the KMS system calls the hardware encryption machine to decrypt the transmission key ciphertext Ctk_Pu using the private key Pr to obtain the transmission key TK;
  • S34 After obtaining the transmission key TK, the KMS system calls the hardware encryption machine to
  • the KMS system calls the hardware encryption machine to use the transmission encryption key TEK to encrypt the terminal master key TMK to generate the master.
  • the key ciphertext Ctmk_tk and the master key ciphertext Ctmk_tk are sent to the POS terminal; S36, the POS terminal invokes the cryptographic keyboard to decrypt the master key ciphertext Ctmk_tk using the transport encryption key TEK to obtain the terminal master key TMK and the terminal master key TMK is stored in the PIN pad.
  • a terminal master key TMK security download system includes a hardware encryption machine, a POS terminal, an operation terminal, a CA center, and a KMS system; the POS terminal includes a TK generation module, a first TK upload module, and a master key download request module.
  • the CA center includes a CA authentication module; the public and private key issuing module is used to invoke a hardware encryption machine to generate a public key Pu.
  • the CA authentication module is used for the operation terminal and the KMS system to perform mutual authentication through the CA center;
  • the public and private key issuance module is configured to send the public key Pu to the POS terminal through the operation terminal and store it in the operation terminal after the authentication is passed.
  • the TK generating module is configured to invoke a cryptographic keyboard to generate a symmetric transmission key TK, the transmission key TK includes a transmission encryption key TEK and a transmission authentication key AUK; and the first TK uploading module is used to invoke a cryptographic keyboard.
  • the encrypted transport key TK generates a transport key ciphertext Ctk_Pu;
  • the second TK upload module is configured to send the transport key ciphertext Ctk_Pu and the terminal serial number SN to the KMS
  • the TK receiving module is configured to store the terminal serial number SN and the transport key ciphertext Ctk_Pu in the KMS database in association;
  • the master key download request module is configured to use the terminal serial number SN And downloading the master key request to send to the KMS system;
  • the request response module is used when the KMS system receives the terminal serial number SN sent by the POS terminal And after downloading the master key application, querying the transmission key ciphertext Ctk_Pu corresponding to the terminal serial number SN;
  • the request response module is configured to invoke the hardware encryption machine to decrypt the transmission key ciphertext Ctk_Pu using the private key Pr to obtain the transmission key TK;
  • the authentication A module and the two-way authentication B module are used to invoke the hardware encryption
  • the machine uses the transport encryption key TEK to encrypt the terminal master key TMK to generate the master key ciphertext Ctmk_tk and sends the master key ciphertext Ctmk_tk to the POS terminal; the TMK receiving module is used to invoke the cryptographic keyboard to decrypt the primary key using the transport encryption key TEK.
  • the key ciphertext Ctmk_tk obtains the terminal master key TMK and stores the terminal master key TMK in the PIN pad.
  • the invention has the beneficial effects that the present invention uploads the transmission key TK through the POS terminal, encrypts the terminal master key TMK by the TK, and downloads it to the PIN terminal of the POS terminal, thereby realizing the POS terminal remote download terminal master key TMK.
  • the POS terminal is prevented from being distributed to the merchant by centrally downloading the master key, thereby reducing the logistics cost and the centralized download and maintenance cost.
  • collecting and uploading TK through the operation terminal improves the time efficiency of TK collection and uploading, and also strengthens the process control of TK collection and uploading, which effectively ensures the legality of uploading TK.
  • the identity authentication between the operation terminal and the KMS system is performed through the CA center, thereby ensuring that both sides of the data transmission are legal, thereby effectively preventing the pseudo terminal from stealing the terminal master key TMK.
  • FIG. 1 is a structural block diagram of a terminal master key TMK secure download system according to an embodiment of the present invention
  • FIG. 2 is a structural block diagram of the two-way authentication A module of FIG. 1;
  • FIG. 3 is a structural block diagram of the bidirectional authentication B module of FIG. 1;
  • FIG. 4 is a flowchart of a method for securely downloading a terminal master key TMK according to an embodiment of the present invention
  • FIG. 5 is a specific flow chart of step S1 in Figure 4.
  • FIG. 6 is a specific flow chart of step S2 in Figure 4.
  • FIG. 7 is a detailed flow chart of step S3 of Figure 4.
  • 10 POS terminal; 20: operation terminal; 30: KMS system; 40: CA center; 50: hardware encryption machine; 101: TK generation module; 102: first TK upload module; 103: master key download request module; 104: TMK receiving module; 105: two-way authentication A module; 201: a second TK uploading module; 301: public and private key issuing module; 302: TK receiving module; 303: request response module; 304: two-way authentication B module; 305: TMK sending module; 401: CA authentication module; 1051: first random number generating unit; 1052: first data transceiving unit; 1053: first encrypting and decrypting unit; 1054: first judging unit; 3041: second random number generating unit; 3042: second data transceiving unit; 3043: second encrypting and decrypting unit; 3044: second judging unit.
  • AUK Authentication Key Abbreviation, the authentication key, used for mutual authentication between PINPAD and the key management system KMS;
  • CA Center The so-called CA (Certificate Authority) Center, which uses PKI (Public Key) Infrastructure) Public Key Infrastructure Technology, which provides network identity authentication services, is responsible for issuing and managing digital certificates, and is an authoritative and impartial third-party trust organization that acts like a company that issues documents in real life.
  • PKI Public Key
  • HSM High Security Machine, high security device, which is a hardware encryption machine in this system
  • KMS system Key Management System, key management system for managing terminal master key TMK;
  • MAK short for Mac Key, which is the MAC calculation key.
  • MTMS full name Material Tracking Management System, material traceability management system, mainly used in factory production;
  • PIK short name of Pin Key, that is, Pin encryption key, which is a kind of work key
  • PINPAD password keyboard
  • PK Short for Protect Key, the protection key, negotiated with the customer to determine the 24-byte symmetric key.
  • MTMS/TCS Encrypted transmission of TK with KMS;
  • POS Short for Point Of Sale, which is the sales terminal
  • SNpinpad the serial number of the PIN pad. When PINPAD is built-in, it is the same as the serial number SNpos of the POS terminal.
  • SN the serial number of the POS terminal
  • TEK Transmission Encrypt The abbreviation of Key, that is, transmission encryption key, 24-byte symmetric key, used for encrypted transmission of TMK between PINPAD and key management system KMS;
  • TK Transmission The abbreviation of Key, that is, the transmission key.
  • the transport key is composed of a transport encryption key TEK and a mutual authentication key AUK;
  • TMS Terminal Management System Abbreviation, that is, terminal management system, used to complete POS terminal information management, software and parameter configuration, remote download, terminal operation status information collection management, remote diagnosis and other functions;
  • TMK Terminal Master
  • the abbreviation of Key that is, the terminal master key, is used for encrypted transmission of the work key between the POS terminal and the payment acquiring system;
  • Security room A room with a high security level for storing servers. This room requires authentication before it can enter.
  • Smart IC card It is a CPU card.
  • the integrated circuit in the card includes a central processing unit CPU, a programmable read-only memory EEPROM, a random access memory RAM, and an in-card operating system COS (Chip) which is solidified in a read-only memory ROM. Operating System), the data in the card is divided into external reading and internal processing.
  • Symmetric key Both parties that send and receive data must use the same key to encrypt and decrypt the plaintext.
  • Symmetric key encryption algorithms mainly include: DES, 3DES, IDEA, FEAL, BLOWFISH, and so on.
  • Asymmetric Key An asymmetric encryption algorithm requires two keys: a public key (Private key) and a private key (Public key) Key). The public key and the private key are a pair. If the data is encrypted with the public key, only the corresponding private key can be used for decryption; if the data is encrypted with the private key, only the corresponding public key can be used. Decrypt. Because encryption and decryption use two different keys, this algorithm is called an asymmetric encryption algorithm.
  • the basic process of asymmetric information exchange for asymmetric encryption is: Party A generates a pair of keys and exposes one of them as a public key to other parties; Party B, which obtains the public key, uses the key to perform confidential information.
  • Party A After encryption, it will be sent to Party A; Party A will decrypt the encrypted information with another private key saved by Party A.
  • Party A may use Party B's public key to encrypt the confidential information and then send it to Party B; Party B then uses its own private key to decrypt the encrypted information.
  • the main algorithms are RSA, Elgamal, backpack algorithm, Rabin, D-H, ECC (elliptic curve encryption algorithm).
  • RSA An asymmetric key algorithm.
  • the RSA public key encryption algorithm was in 1977 by Ron Rivest, Adi Shamirh Developed by Len Adleman (Massachusetts Institute of Technology, USA).
  • the RSA is named after the name of the three of them.
  • RSA It is currently the most influential public key encryption algorithm, it can resist all the password attacks known so far, and has been recommended by ISO as the public key data encryption standard.
  • RSA The algorithm is based on a very simple theory of numbers: it is easy to multiply two large prime numbers.
  • the RSA algorithm is the first algorithm that can be used for both encryption and digital signatures, and is easy to understand and operate.
  • RSA It is the most widely studied public key algorithm. It has been tested by various attacks for more than 30 years from the present to the present, and it is gradually accepted as one of the best public key solutions.
  • TDES Triple-DES DES is a symmetric encryption algorithm with a key of 8 bytes. TDES is based on DES The encryption algorithm whose key is 16 bytes or 24 bytes. TDES/3DES is the abbreviation of English TripleDES (ie triple data encryption standard), DES is English Data Acronym for Encryption Standard. DES is a symmetric key encryption algorithm, that is, the encryption algorithm with the same data encryption key and decryption key. DES by IBM The company was developed and made public in the 1970s and subsequently adopted by the US government and recognized by the US National Bureau of Standards and the American National Standards Institute (ANSI). TDES/3DES is DES A pattern of encryption algorithms that uses three 64-bit keys to encrypt data three times. Is a safer variant of DES.
  • the present invention adopts a new master key downloading scheme, and randomly generates a TK (Transmission) through a POS terminal. Key, transport key), save the generated TK in the PIN terminal of the POS terminal, and transfer the TK to the KMS (Key Management) through various transmission modes required in various application scenarios.
  • the KMS system uses the TK to encrypt the terminal master key TMK, and sends the encrypted terminal master key ciphertext to the POS terminal, and the POS terminal receives the TK to the master key.
  • the text is decrypted to obtain the terminal master key TMK, and the terminal master key TMK is saved in the password keyboard.
  • the terminal master key TMK is encrypted by TK, so that the TMK can be remotely transmitted, and the secure download of the TMK is facilitated.
  • the TK generated by the POS terminal is collected by the operation terminal, and the operation terminal is responsible for transmitting the TK to the KMS system.
  • the TK can be conveniently collected by the operation terminal (such as one-key acquisition, etc.) and TK acquisition. Permission management.
  • the terminal master key there may be aft of the terminal master key through the pseudo operation terminal when uploading the TK and downloading the terminal master key TMK.
  • TMK therefore, requires a terminal master key TMK secure download scheme that can authenticate the delivery of two-way identity when transmitting the TK or TMK.
  • the terminal master key TMK security download system includes a hardware encryption machine 50, a POS terminal 10, an operation terminal 20, a CA center 40, and a KMS system 20;
  • the POS terminal 10 includes a TK generation module 101, a first TK upload module 102,
  • the operation terminal 20 includes a second TK uploading module 201
  • the KMS system 30 includes a public-private key issuing module 301, a TK receiving module 302,
  • the CA center 40 includes a CA authentication module 401.
  • the public key issuing module 301 is configured to invoke the hardware encryptor 50 to generate the public key Pu and the private key Pr;
  • the CA authentication module 401 is configured to perform bidirectional authentication by the CA terminal 30 and the KMS system 30 through the CA center 40;
  • the public key issuing module 301 is configured to send the public key Pu to the POS terminal 10 through the operation terminal 20 and store it in the PIN pad after the authentication is passed;
  • the TK generating module 101 is configured to invoke a cryptographic keyboard to generate a symmetric transmission key TK, where the transmission key TK includes a transmission encryption key TEK and a transmission authentication key AUK;
  • the first TK uploading module 102 is configured to invoke a cryptographic keyboard to encrypt the transmission key TK using the public key Pu. Generating a transmission key ciphertext Ctk_Pu;
  • the second TK uploading module 201 is configured to send the transport key ciphertext Ctk_Pu and the terminal serial number SN to the KMS system;
  • the TK receiving module 302 is configured to store the terminal serial number SN and the transport key ciphertext Ctk_Pu in the KMS database in association with each other;
  • the master key download request module 103 is configured to send the terminal serial number SN and the download master key request to the KMS system 30;
  • the request response module 303 is configured to receive the terminal serial number SN sent by the POS terminal 10 when the KMS system 30 receives the SN And after downloading the master key application, query the transmission key ciphertext Ctk_Pu corresponding to the terminal serial number SN;
  • the request response module 303 is configured to invoke the hardware encryption machine 50 to decrypt the transmission key ciphertext Ctk_Pu using the private key Pr to obtain the transmission key TK;
  • the two-way authentication A module 105 and the two-way authentication B module 304 are used to invoke the hardware encryption machine 50 to perform mutual authentication with the POS terminal 10 using the authentication key AUK after the KMS system 30 obtains the transmission key TK;
  • the TMK sending module 305 is configured to, when the two-way authentication is passed, invoke the hardware encryption machine 50 to use the transmission encryption key TEK to encrypt the terminal master key TMK to generate the master key ciphertext Ctmk_tk and send the master key ciphertext Ctmk_tk to the POS terminal 10;
  • the TMK receiving module 104 is configured to call the cryptographic keyboard to decrypt the master key ciphertext Ctmk_tk using the transport encryption key TEK to obtain the terminal master key TMK and store the terminal master key TMK in the PIN pad.
  • the operation terminal 20 further includes an operator card and an administrator card;
  • the CA authentication module 401 is further configured to generate an operator card certificate and an administrator card certificate, and is configured to store the operator card certificate in the operator card and store the administrator card certificate in the management card;
  • the operator card and the administrator card are used when the operation terminal 20 reads the operator card and the administrator card inserted in the operation terminal, and passes the CAC 40 to legalize the operator certificate and the administrator certificate. Authorization operates the operation terminal 20.
  • the operation card is restricted by the operator card and the administrator, so that only the operator holding the operator card can collect the transmission key TK of the POS terminal 10 under the authorization of the administrator, thereby ensuring the transmission density.
  • the key TK will not be collected arbitrarily, effectively guaranteeing the true validity of the uploaded TK.
  • the operation terminal 20 further includes a packaging module, where the packaging module is configured to package the received transmission key ciphertext Ctk_Pu and the terminal serial number SN and use an operator card to sign;
  • the KMS system 30 further includes a verification module, and the verification module is configured to verify the signature of the packaging module when receiving the transmission key ciphertext Ctk_Pu and the terminal serial number SN transmitted by the TK collection unit. Legitimacy, and for storing the terminal sequence number SN and the transport key ciphertext Ctk_Pu in the SN-Key_KMS database when the check is legal.
  • the packet transmission module packs and signs the collected transmission key ciphertext Ctk_Pu and the terminal serial number SN, and can trace back to which operator operation the TK information is generated, so it can be judged according to the validity of verifying the signature. Whether the uploaded transmission key ciphertext Ctk_Pu and the terminal serial number SN are legal, strengthens the collection and transmission management of the transmission key TK, and prevents the pseudo terminal from uploading the pseudo transmission key TK.
  • FIG. 2 is a structural block diagram of the bidirectional authentication A module of FIG. 1
  • FIG. 3 is a structural block diagram of the bidirectional authentication B module of FIG. 1
  • the two-way authentication A module 105 includes a first random number generating unit 1051, a first data transceiving unit 1052, a first encryption and decryption unit 1053, and a first judging unit 1054
  • the bidirectional authentication B module 304 includes a second random number generating unit. 3041.
  • the first random number generating unit 1051 is configured to generate a first random number Rnd1; the first data transceiving unit 1052 is configured to send the generated first random number Rnd1 to the KMS system 30; and the second data transceiving unit 3042 is configured to receive the first random number The number Rnd1; the second random number generating unit 3041 is configured to generate a random number second Rnd2 when receiving the first random number Rnd1; the second encryption and decryption unit 3043 is configured to invoke hardware encryption when receiving the first random number Rnd1
  • the machine 50 encrypts the first random number Rnd1 by using the transmission authentication key AUK to obtain the first random number ciphertext Crnd1; the second data transceiving unit 3042 is configured to send the first random number ciphertext Crnd1 and the second random number Rnd2 to the POS terminal 10. ;
  • the first encryption/decryption unit 1053 is configured to decrypt the received first random number ciphertext Crnd1 using the transmission authentication key AUK to obtain the third random number Rnd1' when receiving the first random number ciphertext Crnd1 and the second random number Rnd2.
  • the first determining unit 1054 is configured to determine whether the third random number Rnd1' is consistent with the first random number Rnd1;
  • the first encryption and decryption unit 1053 is configured to generate a second random number ciphertext by using the transmission authentication key AUK to encrypt the second random number Rnd2 when the first determining unit determines that the third random number Rnd1' is consistent with the first random number Rnd1. Crnd2; the first data transceiver unit 1052 is configured to send the second random number ciphertext Crnd2 to the KMS system 30;
  • the second encryption/decryption unit 3043 is configured to, when receiving the second random number ciphertext Crnd2, invoke the hardware encryption machine 50 to decrypt the received second random number ciphertext Crnd2 using the transmission authentication key AUK to obtain the fourth random number Rnd2',
  • the second determining unit 3044 is configured to determine whether the fourth random number Rnd2' is consistent with the second random number Rnd2, and when determining that the fourth random number Rnd2' is consistent with the second random number Rnd2, confirm that the KMS system 30 and the POS terminal 10 are The two-way authentication passed.
  • FIG. 4 is a flowchart of a method for securely downloading a terminal master key TMK according to an embodiment of the present invention. The method includes the following steps:
  • the POS terminal downloads the process of the master key TMK encrypted by the transmission key TK from the KMS system.
  • step S1 specifically includes the following steps:
  • the KMS system calls the hardware encryption machine to generate the public key Pu and the private key Pr;
  • the operation terminal and the KMS system perform mutual authentication through the CA center;
  • the KMS system After the authentication is passed, the KMS system sends the public key Pu to the POS terminal through the operation terminal and stores it in the password keyboard.
  • step S2 specifically includes the following steps:
  • the POS terminal invokes the cryptographic keyboard to generate a symmetric transmission key TK, and the transmission key TK includes a transmission encryption key TEK and a transmission authentication key AUK;
  • the POS terminal invokes the cryptographic keyboard to generate the transmission key ciphertext Ctk_Pu using the public key Pu encryption transmission key TK;
  • the operation terminal sends the transmission key ciphertext Ctk_Pu and the terminal serial number SN to the KMS system.
  • the KMS system stores the terminal serial number SN and the transmission key ciphertext Ctk_Pu in the KMS database in association with each other;
  • step S3 specifically includes the following steps:
  • the POS terminal sends the terminal serial number SN and the download master key request to the KMS system.
  • the KMS system receives the terminal serial number SN sent by the POS terminal. And after downloading the master key application, query the transmission key ciphertext Ctk_Pu corresponding to the terminal serial number SN;
  • the KMS system calls the hardware encryption machine to decrypt the transmission key ciphertext Ctk_Pu using the private key Pr to obtain the transmission key TK;
  • the SMS and the KMS system call the hardware encryption machine to perform mutual authentication with the POS terminal by using the authentication key AUK;
  • the KMS system invokes the hardware encryption machine to generate the master key ciphertext Ctmk_tk by using the transport encryption key TEK to encrypt the terminal master key TMK and send the master key ciphertext Ctmk_tk to the POS terminal;
  • the POS terminal invokes the cryptographic keyboard to decrypt the master key ciphertext Ctmk_tk using the transport encryption key TEK to obtain the terminal master key TMK and store the terminal master key TMK in the PIN pad.
  • the operation terminal and the KMS system perform mutual authentication through the CA center; after the authentication is passed, the KMS system sends the public key Pu to the POS terminal through the operation terminal and stores it in the password keyboard.
  • the KMS system sends the public key Pu and KMS identification information to the CA center.
  • the CA center uses the root certificate corresponding private key to sign the public key Pu and KMS system identification information, generates a digital certificate Crt_kms and sends the Crt_kms to the KMS system, and the KMS system stores The Crt_kms;
  • the KMS system sends the digital certificate Crt_kms to the operation terminal;
  • the operation terminal verifies the legality of the work certificate Crt_kms by using the root certificate HsmRCRT pre-installed on the burning chip.
  • the operation terminal sends the transmission key ciphertext Ctk_Pu and the terminal serial number SN to the KMS.
  • the system also includes the steps of authorizing the operator card and the administrator card to operate the operation terminal, including:
  • the operation terminal reads the operator card and the administrator card inserted in the operation terminal, and authenticates the operator certificate and the administrator certificate through the CA center, and allows the operation terminal to operate after the authentication is passed.
  • the operation terminal sends the transmission key ciphertext Ctk_Pu and the terminal serial number SN to the KMS system.
  • the method further includes:
  • the POS terminal sends the transmission key ciphertext Ctk_Pu and the terminal serial number SN to the operation terminal;
  • the operation terminal packages the received transmission key ciphertext Ctk_Pu and the terminal serial number SN and signs with the operator card, and sends the signed transmission key ciphertext Ctk_Pu and the terminal serial number SN to the KMS system;
  • the KMS system stores the terminal serial number SN and the transport key ciphertext Ctk_Pu in association with the KMS. "In the database” also includes:
  • the KMS system first checks the validity of the signature when receiving the transmission key ciphertext Ctk_Pu and the terminal sequence number SN. If it is legal, the terminal sequence number SN and the transmission key ciphertext Ctk_Pu are stored in association with the SN-Key_KMS database.
  • the “KMS system obtains the transmission key TK and then invokes the hardware encryption machine to use the authentication key AUK to perform mutual authentication with the POS terminal”, and specifically includes:
  • the POS terminal generates a first random number Rnd1 and sends the first random number Rnd1 to the KMS system;
  • the KMS system After receiving the first random number Rnd1, the KMS system generates a random number second Rnd2, and calls the hardware encryptor to encrypt the first random number Rnd1 by using the authentication key AUK to obtain the first random number ciphertext Crnd1, and the first random number ciphertext Crnd1 and the first Two random numbers Rnd2 are sent to the POS terminal;
  • the POS terminal decrypts the received first random number ciphertext Crnd1 using the authentication key AUK to obtain a third random number Rnd1', and determines whether the third random number Rnd1' is consistent with the first random number Rnd1:
  • the POS terminal encrypts the second random number Rnd2 using the authentication key AUK to generate the second random number ciphertext Crnd2, and sends the second random number ciphertext Crnd2 to the KMS system. ;
  • the KMS system calls the hardware encryptor to decrypt the received second random number ciphertext Crnd2 using the authentication key AUK to obtain the fourth random number Rnd2', and determines whether the fourth random number Rnd2' is consistent with the second random number Rnd2;
  • the original Chiha value of TK is calculated when the transmission key TK is generated, and the Chia value of TK is first checked each time the TK is stored, transmitted, or used, and TK can be used when the check is passed.
  • TK By verifying the Chia value of TK, it is possible to prevent the storage device from being abnormal and causing the stored data to be incorrect, and to determine whether the key is correct.
  • the invention has the beneficial effects that the present invention uploads the transmission key TK through the POS terminal, encrypts the terminal master key TMK by the TK, and downloads it to the PIN terminal of the POS terminal, thereby realizing the POS terminal remote download terminal master key TMK.
  • the POS terminal is prevented from being distributed to the merchant by centrally downloading the master key, thereby reducing the logistics cost and the centralized download and maintenance cost.
  • collecting and uploading TK through the operation terminal improves the time efficiency of TK collection and uploading, and also strengthens the process control of TK collection and uploading, which effectively ensures the legality of uploading TK.
  • the master key TMK of the present invention is generated by the KMS system, thus facilitating subsequent maintenance and management of the master key TMK by the KMS system. Further, when the POS terminal uploads the TK and the next, the identity authentication between the operation terminal and the KMS system is performed through the CA center, thereby ensuring that both sides of the data transmission are legal, thereby effectively preventing the pseudo terminal from stealing the terminal master key TMK.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Accounting & Taxation (AREA)
  • Signal Processing (AREA)
  • Strategic Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Finance (AREA)
  • General Business, Economics & Management (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Cash Registers Or Receiving Machines (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Computer And Data Communications (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Control Of Vending Devices And Auxiliary Devices For Vending Devices (AREA)
  • Small-Scale Networks (AREA)

Abstract

L'invention porte sur un procédé et un système pour télécharger en aval de manière sécurisée une clé maître de terminal (TMK). Le procédé comprend les étapes suivantes : un système KMS réalisant une authentification d'identité avec un terminal d'opération par utilisation d'un centre CA, et après que l'authentification est réussie, envoyant une clé privée (Pu) d'une paire de clés publiques à un terminal POS par utilisation du terminal d'opération ; le terminal POS générant une TK, et émettant la TK au système KMS par utilisation du terminal d'opération ; et le système KMS réalisant une authentification d'identité avec le terminal POS par utilisation d'une clé d'authentification (AUK) dans la TK, et après que l'authentification est réussie, chiffrant la TMK et envoyant la TMK chiffrée au terminal POS. La présente invention possède les avantages suivants : par téléchargement en amont d'une TK et après qu'une TMK est chiffrée par utilisation de la TK, un terminal POS télécharge en aval à distance la TMK ; l'efficacité temporelle du téléchargement en aval de TK est améliorée par utilisation d'un terminal d'opération pour télécharger en amont la TK ; et l'émission sécurisée de la TK est renforcée par réalisation d'une authentification d'identité, par le centre CA, sur le terminal d'opération et le système KMS.
PCT/CN2014/073220 2013-03-15 2014-03-11 Procédé et système pour télécharger en aval de manière sécurisée une clé maître de terminal (tmk) WO2014139408A1 (fr)

Applications Claiming Priority (10)

Application Number Priority Date Filing Date Title
CN201310084673.5 2013-03-15
CN201310084671.6 2013-03-15
CN2013100843972A CN103237004A (zh) 2013-03-15 2013-03-15 密钥下载方法、管理方法、下载管理方法及装置和系统
CN2013100846735A CN103220271A (zh) 2013-03-15 2013-03-15 密钥下载方法、管理方法、下载管理方法及装置和系统
CN201310084397.2 2013-03-15
CN201310084653.8 2013-03-15
CN2013100846716A CN103220270A (zh) 2013-03-15 2013-03-15 密钥下载方法、管理方法、下载管理方法及装置和系统
CN2013100846538A CN103237005A (zh) 2013-03-15 2013-03-15 密钥管理方法及系统
CN201310740308.5A CN103729941B (zh) 2013-03-15 2013-12-27 一种终端主密钥tmk安全下载方法及系统
CN201310740308.5 2013-12-27

Publications (1)

Publication Number Publication Date
WO2014139408A1 true WO2014139408A1 (fr) 2014-09-18

Family

ID=50363015

Family Applications (5)

Application Number Title Priority Date Filing Date
PCT/CN2014/073205 WO2014139403A1 (fr) 2013-03-15 2014-03-11 Procédé et système pour un téléchargement sécurisé de clés maîtresses d'un terminal
PCT/CN2014/073225 WO2014139412A1 (fr) 2013-03-15 2014-03-11 Méthode et système de téléchargement descendant sécurisé de clé principale de terminal (tmk)
PCT/CN2014/073224 WO2014139411A1 (fr) 2013-03-15 2014-03-11 Procédé et système de téléchargement sécurisé de clé principale de terminal (tmk)
PCT/CN2014/073220 WO2014139408A1 (fr) 2013-03-15 2014-03-11 Procédé et système pour télécharger en aval de manière sécurisée une clé maître de terminal (tmk)
PCT/CN2014/073215 WO2014139406A1 (fr) 2013-03-15 2014-03-11 Procédé et système de téléchargement sûr de clé principale de terminal (tmk)

Family Applications Before (3)

Application Number Title Priority Date Filing Date
PCT/CN2014/073205 WO2014139403A1 (fr) 2013-03-15 2014-03-11 Procédé et système pour un téléchargement sécurisé de clés maîtresses d'un terminal
PCT/CN2014/073225 WO2014139412A1 (fr) 2013-03-15 2014-03-11 Méthode et système de téléchargement descendant sécurisé de clé principale de terminal (tmk)
PCT/CN2014/073224 WO2014139411A1 (fr) 2013-03-15 2014-03-11 Procédé et système de téléchargement sécurisé de clé principale de terminal (tmk)

Family Applications After (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/073215 WO2014139406A1 (fr) 2013-03-15 2014-03-11 Procédé et système de téléchargement sûr de clé principale de terminal (tmk)

Country Status (2)

Country Link
CN (28) CN103729942B (fr)
WO (5) WO2014139403A1 (fr)

Families Citing this family (114)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103729942B (zh) * 2013-03-15 2016-01-13 福建联迪商用设备有限公司 将传输密钥从终端服务器传输到密钥服务器的方法及系统
CN105281896B (zh) * 2014-07-17 2018-11-27 深圳华智融科技股份有限公司 一种基于椭圆曲线算法的密钥pos机激活方法及系统
CN104270346B (zh) * 2014-09-12 2017-10-13 北京天行网安信息技术有限责任公司 双向认证的方法、装置和系统
CN110458551A (zh) * 2014-11-07 2019-11-15 天地融科技股份有限公司 数据交互系统
CN104363090A (zh) * 2014-11-19 2015-02-18 成都卫士通信息产业股份有限公司 一种增强银行终端设备安全性的密钥分发装置和方法
CN105681263B (zh) * 2014-11-20 2019-02-12 广东华大互联网股份有限公司 一种智能卡密钥远程应用方法及应用系统
CN104486323B (zh) * 2014-12-10 2017-10-31 福建联迪商用设备有限公司 一种pos终端安全受控的联网激活方法及装置
CN104410641B (zh) * 2014-12-10 2017-12-08 福建联迪商用设备有限公司 一种pos终端安全受控的联网激活方法及装置
US9485250B2 (en) * 2015-01-30 2016-11-01 Ncr Corporation Authority trusted secure system component
CN105989472A (zh) * 2015-03-06 2016-10-05 华立科技股份有限公司 电能计量系统的无线移动配置,无线支付配置及其方法,以及公用商品无线支付配置
CN106204034B (zh) * 2015-04-29 2019-07-23 中国电信股份有限公司 应用内支付的双向认证方法和系统
CN105117665B (zh) * 2015-07-16 2017-10-31 福建联迪商用设备有限公司 一种终端产品模式与开发模式安全切换的方法及系统
CN105184121A (zh) * 2015-09-02 2015-12-23 上海繁易电子科技有限公司 一种通过远程服务器的硬件授权系统和方法
CN106559218A (zh) * 2015-09-29 2017-04-05 中国电力科学研究院 一种智能变电站计量数据的安全采集方法
CN105243542B (zh) * 2015-11-13 2021-07-02 咪付(广西)网络技术有限公司 一种动态电子凭证认证的方法
CN105260884A (zh) * 2015-11-18 2016-01-20 北京微智全景信息技术有限公司 Pos机密钥分发方法及装置
CN105530241B (zh) * 2015-12-07 2018-12-28 咪付(广西)网络技术有限公司 移动智能终端与pos终端的认证方法
CN105574722A (zh) * 2015-12-11 2016-05-11 福建新大陆支付技术有限公司 基于授权ic卡的支付终端远程联机授权方法
CN105930718A (zh) * 2015-12-29 2016-09-07 中国银联股份有限公司 一种销售点终端模式切换方法及装置
CN105656669B (zh) * 2015-12-31 2019-01-01 福建联迪商用设备有限公司 电子设备的远程修复方法、设备、被修复设备和系统
CN105681032B (zh) 2016-01-08 2017-09-12 腾讯科技(深圳)有限公司 密钥存储方法、密钥管理方法及装置
CN105743654A (zh) * 2016-02-02 2016-07-06 上海动联信息技术股份有限公司 一种pos机密钥远程下载的服务系统以及密钥下载方法
CN105790934B (zh) * 2016-03-04 2019-03-15 中国银联股份有限公司 一种自适应的pos终端配置方法以其配置权转让方法
CN107294722A (zh) * 2016-03-31 2017-10-24 阿里巴巴集团控股有限公司 一种终端身份认证方法、装置及系统
CN105978856B (zh) * 2016-04-18 2019-01-25 随行付支付有限公司 一种pos机密钥下载方法、装置及系统
CN106059771A (zh) * 2016-05-06 2016-10-26 上海动联信息技术股份有限公司 一种智能pos机密钥管理系统及方法
CN106097608B (zh) * 2016-06-06 2018-07-27 福建联迪商用设备有限公司 远程密钥下载方法及系统、收单机构和目标pos终端
CN106127461A (zh) * 2016-06-16 2016-11-16 中国银联股份有限公司 双向验证移动支付方法及系统
CN107563712A (zh) * 2016-06-30 2018-01-09 中兴通讯股份有限公司 一种移动终端打卡方法、装置、设备及系统
CN106027247A (zh) * 2016-07-29 2016-10-12 宁夏丝路通网络支付有限公司北京分公司 Pos密钥远程下发方法
CN106100854A (zh) * 2016-08-16 2016-11-09 黄朝 基于权威主体的终端设备的逆向认证方法及系统
CN107800538B (zh) * 2016-09-01 2021-01-29 中电长城(长沙)信息技术有限公司 一种自助设备远程密钥分发方法
US11018860B2 (en) 2016-10-28 2021-05-25 Microsoft Technology Licensing, Llc Highly available and reliable secret distribution infrastructure
CN106571915A (zh) * 2016-11-15 2017-04-19 中国银联股份有限公司 一种终端主密钥的设置方法和装置
CN106603496B (zh) * 2016-11-18 2019-05-21 新智数字科技有限公司 一种数据传输的保护方法、智能卡、服务器及通信系统
CN106656488B (zh) * 2016-12-07 2020-04-03 百富计算机技术(深圳)有限公司 一种pos终端的密钥下载方法和装置
CN106712939A (zh) * 2016-12-27 2017-05-24 百富计算机技术(深圳)有限公司 密钥离线传输方法和装置
US10432730B1 (en) 2017-01-25 2019-10-01 United States Of America As Represented By The Secretary Of The Air Force Apparatus and method for bus protection
CN106953731B (zh) * 2017-02-17 2020-05-12 福建魔方电子科技有限公司 一种终端管理员的认证方法及系统
WO2018165920A1 (fr) * 2017-03-15 2018-09-20 深圳大趋智能科技有限公司 Procédé et appareil de vérification de sécurité pour machine de point de vente (pos)
US10296477B2 (en) 2017-03-30 2019-05-21 United States of America as represented by the Secretary of the AirForce Data bus logger
CN106997533B (zh) * 2017-04-01 2020-10-13 福建实达电脑设备有限公司 一种pos终端产品安全生产授权管理系统及方法
CN107094138B (zh) * 2017-04-11 2019-09-13 郑州信大捷安信息技术股份有限公司 一种智能家居安全通信系统及通信方法
CN107070925A (zh) * 2017-04-18 2017-08-18 上海赛付网络科技有限公司 一种终端应用与后台服务通讯报文防篡改的方法
CN107104795B (zh) * 2017-04-25 2020-09-04 上海汇尔通信息技术有限公司 Rsa密钥对和证书的注入方法、架构及系统
CN107360652A (zh) * 2017-05-31 2017-11-17 江苏普世祥光电技术有限公司 一种广场景观灯的控制方法
CN107301437A (zh) * 2017-05-31 2017-10-27 江苏普世祥光电技术有限公司 一种广场景观灯的控制系统
CN107358441B (zh) * 2017-06-26 2020-12-18 北京明华联盟科技有限公司 支付验证的方法、系统及移动设备和安全认证设备
CN107637014B (zh) * 2017-08-02 2020-11-24 福建联迪商用设备有限公司 可配置的pos机密钥对生成方法、存储介质
CN107666420B (zh) * 2017-08-30 2020-12-15 宁波梦居智能科技有限公司 一种智能家居网关生产控制和身份鉴别的方法
CN107392591B (zh) * 2017-08-31 2020-02-07 恒宝股份有限公司 行业卡的在线充值方法、系统及蓝牙读写装置
CN107888379A (zh) * 2017-10-25 2018-04-06 百富计算机技术(深圳)有限公司 一种安全连接的方法、pos终端及密码键盘
CN107995985B (zh) * 2017-10-27 2020-05-05 福建联迪商用设备有限公司 金融支付终端激活方法及其系统
CN107835170B (zh) * 2017-11-04 2021-04-20 上海动联信息技术股份有限公司 一种智能Pos设备安全授权拆机系统及方法
CN107993062A (zh) * 2017-11-27 2018-05-04 百富计算机技术(深圳)有限公司 Pos终端交易方法、装置、计算机设备及可读存储介质
CN107944250B (zh) * 2017-11-28 2021-04-13 艾体威尔电子技术(北京)有限公司 一种应用于pos机的密钥采集方法
CN107919962B (zh) * 2017-12-22 2021-01-15 国民认证科技(北京)有限公司 一种物联网设备注册和认证方法
CN108365950A (zh) * 2018-01-03 2018-08-03 深圳怡化电脑股份有限公司 金融自助设备密钥的生成方法及装置
CN108390851B (zh) * 2018-01-05 2020-07-03 郑州信大捷安信息技术股份有限公司 一种用于工业设备的安全远程控制系统及方法
CN108235807B (zh) * 2018-01-15 2020-08-04 福建联迪商用设备有限公司 软件加密终端、支付终端、软件包加密及解密方法及系统
WO2019153119A1 (fr) * 2018-02-06 2019-08-15 福建联迪商用设备有限公司 Procédé de transmission de clé, terminal de réception et terminal de distribution
CN108446539B (zh) * 2018-03-16 2023-01-13 福建深空信息技术有限公司 一种软件授权方法和软件授权文件生成系统
CN108496323B (zh) * 2018-03-21 2020-01-21 福建联迪商用设备有限公司 一种证书导入方法及终端
CN108496194A (zh) * 2018-03-21 2018-09-04 福建联迪商用设备有限公司 一种验证终端合法性的方法、服务端及系统
CN108513704B (zh) * 2018-04-17 2021-01-19 福建联迪商用设备有限公司 终端主密钥的远程分发方法及其系统
CN108737106B (zh) * 2018-05-09 2021-06-01 深圳壹账通智能科技有限公司 区块链系统上用户验证方法、装置、终端设备及存储介质
CN108833088A (zh) * 2018-05-22 2018-11-16 珠海爱付科技有限公司 一种pos终端激活方法
CN110581829A (zh) * 2018-06-08 2019-12-17 中国移动通信集团有限公司 通信方法及装置
CN109218293B (zh) * 2018-08-21 2021-09-21 西安得安信息技术有限公司 一种分布式密码服务平台密钥管理的使用方法
CN109347625B (zh) * 2018-08-31 2020-04-24 阿里巴巴集团控股有限公司 密码运算、创建工作密钥的方法、密码服务平台及设备
CN109326061B (zh) * 2018-09-10 2021-10-26 惠尔丰(中国)信息系统有限公司 智能pos的防切机方法
CN109274684B (zh) * 2018-10-31 2020-12-29 中国—东盟信息港股份有限公司 基于eSIM通讯与导航服务为一体的物联网终端系统及其实现方法
CN109547208B (zh) * 2018-11-16 2021-11-09 交通银行股份有限公司 金融电子设备主密钥在线分发方法及系统
CN109670289B (zh) * 2018-11-20 2020-12-15 福建联迪商用设备有限公司 一种识别后台服务器合法性的方法及系统
CN109508995A (zh) * 2018-12-12 2019-03-22 福建新大陆支付技术有限公司 一种基于支付终端的脱机授权方法及支付终端
CN109510711B (zh) * 2019-01-08 2022-04-01 深圳市网心科技有限公司 一种网络通信方法、服务器、客户端及系统
CN111627174A (zh) * 2019-02-28 2020-09-04 南京摩铂汇信息技术有限公司 蓝牙pos设备及支付系统
CN110011794B (zh) * 2019-04-11 2021-08-13 北京智芯微电子科技有限公司 密码机密钥属性的测试方法
CN109995532A (zh) * 2019-04-11 2019-07-09 晏福平 一种终端主密钥的在线管理方法及系统
CN110061848B (zh) * 2019-04-17 2021-09-14 飞天诚信科技股份有限公司 一种安全导入支付终端密钥的方法、支付终端及系统
CN110545542B (zh) * 2019-06-13 2023-03-14 银联商务股份有限公司 基于非对称加密算法的主控密钥下载方法、装置和计算机设备
CN112532567A (zh) * 2019-09-19 2021-03-19 中国移动通信集团湖南有限公司 一种交易加密方法和posp系统
CN110855442A (zh) * 2019-10-10 2020-02-28 北京握奇智能科技有限公司 一种基于pki技术的设备间证书验证方法
CN111132154B (zh) * 2019-12-26 2022-10-21 飞天诚信科技股份有限公司 一种协商会话密钥的方法及系统
CN111193748B (zh) * 2020-01-06 2021-12-03 惠州市德赛西威汽车电子股份有限公司 一种交互式密钥安全认证方法及系统
CN111275440B (zh) * 2020-01-19 2023-11-10 中钞科堡现金处理技术(北京)有限公司 远程密钥下载方法及系统
TWI775061B (zh) * 2020-03-30 2022-08-21 尚承科技股份有限公司 軟韌體或資料保護系統及保護方法
CN111597512B (zh) * 2020-03-31 2023-10-31 尚承科技股份有限公司 软韧体或资料保护系统及保护方法
CN111526013B (zh) * 2020-04-17 2023-05-05 中国人民银行清算总中心 密钥分发方法及系统
CN111884804A (zh) * 2020-06-15 2020-11-03 上海祥承通讯技术有限公司 一种远程密钥管理方法
CN111815811B (zh) * 2020-06-22 2022-09-06 合肥智辉空间科技有限责任公司 一种电子锁安全系统
CN111950999B (zh) * 2020-07-28 2024-06-04 银盛支付服务股份有限公司 一种在pos机上实现基于ic卡灌密钥安全方法及系统
CN111931206A (zh) * 2020-07-31 2020-11-13 银盛支付服务股份有限公司 一种基于app数据加密方法
CN112134849B (zh) * 2020-08-28 2024-02-20 国电南瑞科技股份有限公司 一种智能变电站的动态可信加密通信方法及系统
CN112182599B (zh) * 2020-09-15 2024-06-11 中信银行股份有限公司 一种主密钥自动加载方法、装置、电子设备及可读存储介质
CN112311528B (zh) * 2020-10-17 2023-06-23 深圳市德卡科技股份有限公司 一种基于国密算法的数据安全传输方法
CN112291232B (zh) * 2020-10-27 2021-06-04 中国联合网络通信有限公司深圳市分公司 一种基于租户的安全能力和安全服务链管理平台
CN112332978B (zh) * 2020-11-10 2022-09-20 上海商米科技集团股份有限公司 一种基于密钥协商的远程密钥注入方法
CN112396416A (zh) * 2020-11-18 2021-02-23 上海商米科技集团股份有限公司 一种智能pos设备证书装载的方法
CN112560058B (zh) * 2020-12-17 2022-12-30 山东华芯半导体有限公司 基于智能密码钥匙的ssd分区加密存储系统及其实现方法
CN112968776B (zh) * 2021-02-02 2022-09-02 中钞科堡现金处理技术(北京)有限公司 远程密钥交换的方法、存储介质及电子设备
CN113037494B (zh) * 2021-03-02 2023-05-23 福州汇思博信息技术有限公司 一种烧片镜像文件签名方法及终端
CN113450511A (zh) * 2021-03-25 2021-09-28 深圳怡化电脑科技有限公司 受理终端设备与银行系统的交易方法及受理终端设备
CN113132980B (zh) * 2021-04-02 2023-10-13 四川省计算机研究院 应用于北斗导航系统的密钥管理系统方法和装置
CN113328851B (zh) * 2021-04-21 2022-01-14 北京连山科技股份有限公司 一种在多链路条件下随机传输密钥的方法及系统
CN113708923A (zh) * 2021-07-29 2021-11-26 银盛支付服务股份有限公司 一种远程下载主密钥的方法及系统
CN113645221A (zh) * 2021-08-06 2021-11-12 中国工商银行股份有限公司 灌密方法、装置、设备、存储介质和计算机程序
CN113810391A (zh) * 2021-09-01 2021-12-17 杭州视洞科技有限公司 一种跨机房通信双向认证和加密方法
CN113612612A (zh) * 2021-09-30 2021-11-05 阿里云计算有限公司 一种数据加密传输方法、系统、设备及存储介质
CN114423003B (zh) * 2021-12-29 2024-01-30 中国航空工业集团公司西安飞机设计研究所 一种飞机密钥综合管理方法及系统
CN114499891B (zh) * 2022-03-21 2024-05-31 宁夏凯信特信息科技有限公司 一种签名服务器系统以及签名验证方法
CN114726521A (zh) * 2022-04-14 2022-07-08 广东好太太智能家居有限公司 智能锁临时密码生成方法及电子设备
CN117176339B (zh) * 2023-08-31 2024-06-18 深圳手付通科技有限公司 一种在线更新pos终端设备主密钥TMK的方法和系统
CN116865966B (zh) * 2023-09-04 2023-12-05 中量科(南京)科技有限公司 基于量子密钥生成工作密钥的加密方法、装置及存储介质

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102013982A (zh) * 2010-12-01 2011-04-13 银联商务有限公司 远程加密方法、管理方法、加密管理方法及装置和系统
CN103220271A (zh) * 2013-03-15 2013-07-24 福建联迪商用设备有限公司 密钥下载方法、管理方法、下载管理方法及装置和系统
CN103220270A (zh) * 2013-03-15 2013-07-24 福建联迪商用设备有限公司 密钥下载方法、管理方法、下载管理方法及装置和系统
CN103237005A (zh) * 2013-03-15 2013-08-07 福建联迪商用设备有限公司 密钥管理方法及系统
CN103237004A (zh) * 2013-03-15 2013-08-07 福建联迪商用设备有限公司 密钥下载方法、管理方法、下载管理方法及装置和系统

Family Cites Families (61)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS57157371A (en) * 1981-03-24 1982-09-28 Sharp Corp Electronic cash register
JP2993833B2 (ja) * 1993-11-29 1999-12-27 富士通株式会社 Posシステム
JPH10112883A (ja) * 1996-10-07 1998-04-28 Hitachi Ltd 無線通信交換システム、交換機、公開鍵管理装置、移動端末および移動端末認証方法
DE60014047T2 (de) * 1999-03-22 2006-02-23 Purac Biochem B.V. Verfahren zur reinigung von milchsäure auf industrieller basis
CN1127033C (zh) * 2000-07-20 2003-11-05 天津南开戈德集团有限公司 无线移动网络销售点终端系统
US7110986B1 (en) * 2001-04-23 2006-09-19 Diebold, Incorporated Automated banking machine system and method
KR100641824B1 (ko) * 2001-04-25 2006-11-06 주식회사 하렉스인포텍 대칭키 보안 알고리즘을 이용한 금융정보 입력방법 및 그이동통신용 상거래 시스템
JP2002366285A (ja) * 2001-06-05 2002-12-20 Matsushita Electric Ind Co Ltd Pos端末
GB2384402B (en) * 2002-01-17 2004-12-22 Toshiba Res Europ Ltd Data transmission links
JP2003217028A (ja) * 2002-01-24 2003-07-31 Tonfuu:Kk Pos端末装置の運用状況監視システム
US7395427B2 (en) * 2003-01-10 2008-07-01 Walker Jesse R Authenticated key exchange based on pairwise master key
JP2005117511A (ja) * 2003-10-10 2005-04-28 Nec Corp 量子暗号通信システム及びそれに用いる量子暗号鍵配布方法
KR101282972B1 (ko) * 2004-03-22 2013-07-08 삼성전자주식회사 디바이스와 휴대형 저장장치와의 상호인증
US20060093149A1 (en) * 2004-10-30 2006-05-04 Shera International Ltd. Certified deployment of applications on terminals
DE102005022019A1 (de) * 2005-05-12 2007-02-01 Giesecke & Devrient Gmbh Sichere Verarbeitung von Daten
KR100652125B1 (ko) * 2005-06-03 2006-12-01 삼성전자주식회사 서비스 제공자, 단말기 및 사용자 식별 모듈 간을총괄적으로 인증하여 관리할 수 있도록 하는 상호 인증방법 및 이를 이용한 시스템과 단말 장치
CN100583743C (zh) * 2005-07-22 2010-01-20 华为技术有限公司 传输密钥的分发方法
NZ571321A (en) * 2006-02-22 2011-09-30 Hypercom Corp Secure electronic transaction system
JP2007241351A (ja) * 2006-03-06 2007-09-20 Cela System:Kk 顧客・商品・仕入れ管理システム(posを含む)と携帯端末とによる顧客・商品総合管理システム
EP1833009B1 (fr) * 2006-03-09 2019-05-08 First Data Corporation Reseau informatique de transactions securisees
US7818264B2 (en) * 2006-06-19 2010-10-19 Visa U.S.A. Inc. Track data encryption
CN101064695A (zh) * 2007-05-16 2007-10-31 杭州看吧科技有限公司 一种P2P(Peer to Peer)安全连接的方法
CN101145913B (zh) * 2007-10-25 2010-06-16 东软集团股份有限公司 一种实现网络安全通信的方法及系统
WO2009070041A2 (fr) * 2007-11-30 2009-06-04 Electronic Transaction Services Limited Système de paiement et procédé de fonctionnement
CN101541002A (zh) * 2008-03-21 2009-09-23 展讯通信(上海)有限公司 一种基于Web服务器的移动终端的软件许可证下载方法
CN101615322B (zh) * 2008-06-25 2012-09-05 上海富友金融网络技术有限公司 实现有磁支付功能的移动终端支付方法及系统
JP4666240B2 (ja) * 2008-07-14 2011-04-06 ソニー株式会社 情報処理装置、情報処理方法、プログラム、および情報処理システム
CN101686225A (zh) * 2008-09-28 2010-03-31 中国银联股份有限公司 一种用于网上支付的数据加密和密钥生成方法
KR20100052668A (ko) * 2008-11-11 2010-05-20 노틸러스효성 주식회사 온라인으로 에이티엠과 호스트 사이의 티엠케이를 공유하는방법
JP5329184B2 (ja) * 2008-11-12 2013-10-30 株式会社日立製作所 公開鍵証明書の検証方法及び検証サーバ
CN101425208B (zh) * 2008-12-05 2010-11-10 浪潮齐鲁软件产业有限公司 一种金融税控收款机密钥安全下载方法
CN101527714B (zh) * 2008-12-31 2012-09-05 飞天诚信科技股份有限公司 制证的方法、装置及系统
CN101930644B (zh) * 2009-06-25 2014-04-16 中国银联股份有限公司 一种银行卡支付系统中主密钥安全自动下载的方法及其系统
CN101719895A (zh) * 2009-06-26 2010-06-02 中兴通讯股份有限公司 一种实现网络安全通信的数据处理方法和系统
CN101593389B (zh) * 2009-07-01 2012-04-18 中国建设银行股份有限公司 一种用于pos终端的密钥管理方法和系统
CN101631305B (zh) * 2009-07-28 2011-12-07 交通银行股份有限公司 一种加密方法及系统
CN101656007B (zh) * 2009-08-14 2011-02-16 通联支付网络服务股份有限公司 一种在pos机上实现一机多密的安全系统及方法
CN102064939B (zh) * 2009-11-13 2013-06-12 福建联迪商用设备有限公司 Pos文件认证的方法及认证证书的维护方法
CN101710436B (zh) * 2009-12-01 2011-12-14 中国建设银行股份有限公司 一种控制pos终端的方法、系统以及pos终端管理设备
CN101807994B (zh) * 2009-12-18 2012-07-25 北京握奇数据系统有限公司 一种ic卡应用数据传输的方法及系统
CN102148799B (zh) * 2010-02-05 2014-10-22 中国银联股份有限公司 密钥下载方法及系统
CN101807997B (zh) * 2010-04-28 2012-08-22 中国工商银行股份有限公司 一种生成传输密钥的装置及方法
CN201656997U (zh) * 2010-04-28 2010-11-24 中国工商银行股份有限公司 一种生成传输密钥的装置
CN102262760A (zh) * 2010-05-28 2011-11-30 杨筑平 交易保密方法、受理装置和提交软件
EP2604017B1 (fr) * 2010-08-10 2017-10-04 Google Technology Holdings LLC Système et procédé en rapport avec le protocole cognizant transport layer security
CN101938520B (zh) * 2010-09-07 2015-01-28 中兴通讯股份有限公司 一种基于移动终端签名的远程支付系统及方法
CN101976403A (zh) * 2010-10-29 2011-02-16 北京拉卡拉网络技术有限公司 手机号支付平台、支付交易系统及方法
CN102903189A (zh) * 2011-07-25 2013-01-30 上海昂贝电子科技有限公司 一种终端交易方法及装置
CN102394749B (zh) * 2011-09-26 2014-03-05 深圳市文鼎创数据科技有限公司 数据传输的线路保护方法、系统、信息安全设备及应用设备
CN102521935B (zh) * 2011-12-15 2013-12-11 福建联迪商用设备有限公司 Pos机状态检测的方法及装置
CN102592369A (zh) * 2012-01-14 2012-07-18 福建联迪商用设备有限公司 自助终端接入金融交易中心的方法
CN102624711B (zh) * 2012-02-27 2015-06-03 福建联迪商用设备有限公司 一种敏感信息传输方法及系统
CN102624710B (zh) * 2012-02-27 2015-03-11 福建联迪商用设备有限公司 一种敏感信息传输方法及系统
CN102647274B (zh) * 2012-04-12 2014-10-08 福建联迪商用设备有限公司 Pos终端、终端接入前置、主密钥管理系统及其方法
CN102707972B (zh) * 2012-05-02 2016-03-09 银联商务有限公司 一种pos终端程序更新方法与系统
CN102768744B (zh) * 2012-05-11 2016-03-16 福建联迪商用设备有限公司 一种远程安全支付方法和系统
CN102868521B (zh) * 2012-09-12 2015-03-04 成都卫士通信息产业股份有限公司 一种增强对称密钥体系的密钥传输方法
CN103116505B (zh) * 2012-11-16 2016-05-25 福建联迪商用设备有限公司 一种自动匹配下载的方法
CN103117855B (zh) * 2012-12-19 2016-07-06 福建联迪商用设备有限公司 一种生成数字证书的方法及备份和恢复私钥的方法
CN103729942B (zh) * 2013-03-15 2016-01-13 福建联迪商用设备有限公司 将传输密钥从终端服务器传输到密钥服务器的方法及系统
CN103269266B (zh) * 2013-04-27 2016-07-06 北京宏基恒信科技有限责任公司 动态口令的安全认证方法和系统

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102013982A (zh) * 2010-12-01 2011-04-13 银联商务有限公司 远程加密方法、管理方法、加密管理方法及装置和系统
CN103220271A (zh) * 2013-03-15 2013-07-24 福建联迪商用设备有限公司 密钥下载方法、管理方法、下载管理方法及装置和系统
CN103220270A (zh) * 2013-03-15 2013-07-24 福建联迪商用设备有限公司 密钥下载方法、管理方法、下载管理方法及装置和系统
CN103237005A (zh) * 2013-03-15 2013-08-07 福建联迪商用设备有限公司 密钥管理方法及系统
CN103237004A (zh) * 2013-03-15 2013-08-07 福建联迪商用设备有限公司 密钥下载方法、管理方法、下载管理方法及装置和系统

Also Published As

Publication number Publication date
CN103714637A (zh) 2014-04-09
CN103746800A (zh) 2014-04-23
CN103714639A (zh) 2014-04-09
CN103729943B (zh) 2015-12-30
CN103729945A (zh) 2014-04-16
CN103714634B (zh) 2016-06-15
WO2014139406A1 (fr) 2014-09-18
CN103714633B (zh) 2016-05-04
CN103701812A (zh) 2014-04-02
CN103716320A (zh) 2014-04-09
CN103716321A (zh) 2014-04-09
CN103701609B (zh) 2016-09-28
CN103745351A (zh) 2014-04-23
CN103714641B (zh) 2016-03-30
CN103729944B (zh) 2015-09-30
CN103729941A (zh) 2014-04-16
CN103714637B (zh) 2016-03-16
CN103714640B (zh) 2016-02-03
CN103716153A (zh) 2014-04-09
CN103716155A (zh) 2014-04-09
CN103701610B (zh) 2018-04-17
CN103729942B (zh) 2016-01-13
CN103714636B (zh) 2015-12-02
CN103731260A (zh) 2014-04-16
CN103745351B (zh) 2017-09-29
CN103714635A (zh) 2014-04-09
CN103716321B (zh) 2017-08-29
CN103714639B (zh) 2016-05-04
CN103701609A (zh) 2014-04-02
CN103701812B (zh) 2017-01-25
WO2014139403A1 (fr) 2014-09-18
CN103701610A (zh) 2014-04-02
CN103716167A (zh) 2014-04-09
CN103729945B (zh) 2015-11-18
CN103714638B (zh) 2015-09-30
CN103716167B (zh) 2017-01-11
CN103714640A (zh) 2014-04-09
CN103729941B (zh) 2016-06-15
CN103731259B (zh) 2017-08-01
WO2014139412A1 (fr) 2014-09-18
CN103729942A (zh) 2014-04-16
CN103714634A (zh) 2014-04-09
CN103729940A (zh) 2014-04-16
CN103716154B (zh) 2017-08-01
WO2014139411A1 (fr) 2014-09-18
CN103714633A (zh) 2014-04-09
CN103746800B (zh) 2017-05-03
CN103731259A (zh) 2014-04-16
CN103729943A (zh) 2014-04-16
CN103729944A (zh) 2014-04-16
CN103729940B (zh) 2016-06-15
CN103714636A (zh) 2014-04-09
CN103714641A (zh) 2014-04-09
CN103716153B (zh) 2017-08-01
CN103714638A (zh) 2014-04-09
CN103716155B (zh) 2016-08-17
CN103731260B (zh) 2016-09-28
CN103716154A (zh) 2014-04-09
CN103714635B (zh) 2015-11-11
CN103716320B (zh) 2017-08-01

Similar Documents

Publication Publication Date Title
WO2014139408A1 (fr) Procédé et système pour télécharger en aval de manière sécurisée une clé maître de terminal (tmk)
WO2014139342A1 (fr) Procédé de téléchargement de clé, procédé de gestion, procédé de gestion de téléchargement, dispositif et système
WO2014139344A1 (fr) Procédé de téléchargement de clé, procédé de gestion, procédé de gestion de téléchargement, dispositif et système
US11394697B2 (en) Efficient methods for authenticated communication
WO2014139341A1 (fr) Procédé et système de gestion de clé
CN112260826B (zh) 用于安全凭证供应的方法
CN105556553B (zh) 安全的远程支付交易处理
WO2014139343A1 (fr) Procédé de téléchargement de clé, procédé de gestion, procédé de gestion de téléchargement, appareil et système
USRE38070E1 (en) Cryptography system and method for providing cryptographic services for a computer application
WO2020235782A1 (fr) Procédé d'authentification d'identification personnelle dans un environnement distribué
US11922384B2 (en) Method for obtaining a security token by a mobile terminal
US11956349B2 (en) Efficient authentic communication system and method
WO2015081763A1 (fr) Procédé et dispositif d'autorisation de dispositif virtuel
US20200160333A1 (en) System and method for the protection of consumer financial data utilizing dynamic content shredding
Milburn et al. FassKey: A secure and convenient authentication system
US12021850B2 (en) Efficient methods for authenticated communication
US20230063743A1 (en) Method for securely provisioning a device incorporating an integrated circuit without using a secure environment
WO2015108307A1 (fr) Procédé d'authentification d'utilisateur au moyen d'un dispositif utilisateur, et système numérique et système d'authentification à cet effet
JP2000215252A (ja) 電子ショッピング方法、電子ショッピングシステムおよび文書認証方法
WO2016172933A1 (fr) Procédé et système de traitement d'informations sur des données de produit
WO2016173041A1 (fr) Système de paiement basé sur un serveur partagé de gestion de fonds, et procédé, dispositif et serveur associés
WO2018169285A2 (fr) Système et procédé de gestion de cartes utilisant un dispositif de sécurité
KR101611214B1 (ko) 금융 시스템, 금융 시스템의 카드 결제 요청 및 승인 방법
Boyd TLS client handshake with a payment card

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14763548

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14763548

Country of ref document: EP

Kind code of ref document: A1