WO2017166113A1 - Key management system - Google Patents

Publication number
WO2017166113A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2016/077837
Inventor
李昕光
Original Assignee
李昕光
Application filed by 李昕光
Priority to PCT/CN2016/077837
Publication of WO2017166113A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • the present invention relates to the field of key management, and in particular, to a key management system.
  • a multi-level key management system is implemented for a unified root key.
  • the three-level key management system uses the symmetric 3DES algorithm with double-length keys: it defines a nationally unified consumption root key, which is then dispersed level by level according to different organization codes and area codes, with two levels of dispersion below the root forming a three-level key system.
  • the financial IC card is an IC card that implements the financial function of the bank card by using a smart card chip.
  • the domestic financial IC card complies with the PBOC standard.
  • the extensive use of financial IC cards will greatly improve the security of bank card payments, reduce fraud, and provide a basis for multi-functional application of bank cards.
  • the financial IC card is a high-security and multi-purpose bank card. It can be used not only as a financial card, but can also load many industry applications to form multi-purpose bank cards, such as financial social security cards, citizen cards, financial consumer cards, etc.
  • the financial IC card issuance system mainly consists of a financial IC card root CA, a key management system, a data preparation system and a personalization system.
  • the completion of the card issuance system will greatly improve the efficiency and speed of the bank issuing financial IC cards, and provide assurance for the bank card business.
  • the national bank IC card key management rules are specially formulated.
  • the embodiment of the present invention provides a key management system.
  • the technical solution is as follows:
  • a key management system comprising: a KMS server, including one or more:
  • a KMS server for installing software and performing the functions of the software, and accessing the KMS server through a client interface software or an API of the software;
  • a cipher machine for performing various security algorithm operations and saving all or part of the keys
  • the cryptographic management terminal is connected to the cipher machine through one or more serial ports to implement management of the cipher machine, including but not limited to configuring the cipher machine and the management key;
  • the cipher machine management card is used to authenticate the operation authority when managing the cipher machine
  • the cipher key card is used to back up the key stored in the cipher machine, and can also be used to restore the key backed up in the cipher key card to the cipher machine;
  • KMS client including one or more:
  • the KMS client is used to install interface software, and the user can perform system management and key management operations through the interface of the client;
  • An IC card for storing a user authentication key for performing identity authentication when logging in to the key management system
  • the key management system can support multi-level key distribution and key two-level management
  • system further comprises:
  • the data preparation system is configured to collect the information required for issuing the IC card when the IC card is issued, and provide all the information issued by the IC card to the personalized system, and the card is issued by the personalized system;
  • An interaction center including but not limited to an organization through which information must be exchanged between systems;
  • Terminals including but not limited to devices that use a magnetic stripe card or an IC card for transactions;
  • Counters including but not limited to counters at bank outlets.
  • system further includes:
  • the KMS server also includes one or more:
  • Printers including but not limited to dot matrix printers, for printing key envelopes;
  • a key envelope, i.e. a digital envelope, for storing the encrypted content and the encrypted key used to encrypt the content
  • the KMS client also includes one or more:
  • the user card, that is, the IC card held by the individual user, is used to save the key written by the client through the card reader when the card is issued, and to perform transactions on terminal devices that support the IC card;
  • PSAM card for storing various keys used in transactions
  • Terminal security module for handling terminal security, including but not limited to saving client keys and security algorithm operations;
  • a key transmission medium for storing a key during key transmission
  • a PIN pad for the user to enter a password and the key stored in the PIN pad is used to encrypt the password entered by the user.
  • a key management method comprising:
  • N is a natural number greater than 1;
  • the manufacturer transfer card and the M supervisor leadership card are saved in the first-level management center, and M is a natural number greater than 3;
  • the secondary management center issues the card issuing mother card by using the branch master key card and the main transmission card delivered by the first-level management center, or imports the partial master key into the encryption machine of the secondary management center.
  • the partial application file key of the electronic cash card is replaced with the file key of the industry
  • the file key of the industry is decentralized by the master key or the partial master key.
  • when the partial application file key of the electronic cash card is replaced with the file key of the industry, the application file key of the electronic cash card may also be retained.
  • the M is equal to four.
  • the first-level management center may be a national key management center.
  • the secondary management center may be a financial IC card key management center established by a subordinate organization authorized by the first-level management center.
  • the secondary management center may be a pilot city or a commercial bank key management center, or a card issuing bank key management center.
  • the invention realizes the multi-level key dispersion of the software under the primary key distribution system, realizes the key replacement of the electronic cash industry, reduces the purchase cost, and achieves higher scalability.
  • FIG. 1 is a schematic structural view of an implementation environment involved in various embodiments of the present invention.
  • FIG. 2 is a flowchart of a method for a key management method according to an embodiment of the present invention
  • FIG. 3 is a schematic structural diagram of a key management system according to another embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a KMS server according to another embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a KMS client according to another embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a data processing module according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a server according to another embodiment of the present invention.
  • FIG. 1 is a schematic structural diagram of an implementation environment involved in various embodiments of the present invention.
  • the key management system consists of software and hardware components.
  • the software part mainly implements key production, distribution, key import, key download, and key storage.
  • the hardware part mainly implements key calculation, key backup, key transaction, business transaction, and the like.
  • the key system supports multiple levels of key scatter and key management.
  • Multi-level key dispersion means that, at the time of card issuance, the key written to the user card may be a subkey obtained after a master key is dispersed multiple times.
  • the multi-level decentralized key system can ensure that the keys between different decentralized areas are independent of each other and can be mutually common; and the two-level management of the keys refers to the management at the headquarters level and the management at the branch level.
  • Headquarters level management can be managed by the operating company.
  • the headquarters is responsible for the maintenance of the factory transfer card and the four supervisor leadership cards.
  • the master key card and the master transport card of the system are generated by the supervisor leader card, and the master key is imported into the encryptor.
  • the branch-level management is managed and operated by the financial IC card key management center set up by the subordinate organization authorized by the operating company headquarters.
  • the branch-level key management is performed by using the branch master key card and the main transport card issued by the headquarters to issue various card-issuing cards required for the branch or directly into the encryption machine of the branch.
  • the bank first provides an electronic cash card, and the bank provides the authority to replace some of the application file keys with the industry's file key, which is obtained by the operator's self-built key. Therefore, the electronic cash card that has been replaced by the industry key can be used in the application scope of the city level; while retaining the previous file, the electronic cash card can also be applied to the original scene.
  • the key management system is a software system that manages various keys in the business system from the perspective of key usage.
  • the key algorithm operations and operations are implemented by hardware cryptographic devices.
  • the key function of the key management system is to provide key management and service functions for the business system, which can be widely applied to related electronic payment such as mobile payment, telecommunications, banking, social security, and public transportation.
  • the key system adopts configuration management to meet the multi-application multi-service key management requirements of users.
  • the key system construction strictly implements the idea that “secret lies in the key” and has high security and advanced nature. In terms of safety management, it has complete personnel certification, security control, operation and maintenance monitoring and auditing mechanisms. In terms of application functions, it supports the key management and service requirements of EMV/PBOC2.0 standard bank credit/debit cards, e-wallets, etc. in key generation, transmission, card issuance, key update, etc. It can be used as an independent key management center, and can also be connected with business systems such as data preparation systems and card issuance systems to support related key management services.
  • the present invention realizes multi-level key distribution of software under the primary key distribution system, realizes key replacement in the electronic cash industry, reduces purchase cost, and achieves higher scalability.
  • FIG. 2 is a flowchart of a method for a key management method according to an embodiment of the present invention. This embodiment is exemplified by applying the key management method to the implementation environment shown in FIG. 1.
  • the method can include:
  • the subkey obtained by dispersing the master key N times is used as the key of the user card, and is written at the time of card issuance.
  • N is a natural number greater than 1; or
  • step 201 the manufacturer transmission card and the M supervisor leadership card are saved in the first-level management center, and M is a natural number greater than 3.
  • the first-level management center may be a national key management center
  • the M is equal to 4.
  • Step 202 Generate a master key card and a master transport card by using the supervisor leader card, and import the master key into the encryption machine of the first-level management center;
  • Step 203: The secondary management center issues a card issuing mother card by using the branch master key card and the main transmission card delivered by the first-level management center, or imports the branch master key into the encryption machine of the secondary management center.
  • the partial application file key of the electronic cash card is replaced with the file key of the industry, and the file key of the industry is dispersed from the master key or the branch master key.
  • the application file key of the electronic cash card may also be retained.
  • the secondary management center may be a financial IC card key management center established by a lower-level organization authorized by the first-level management center.
  • the secondary management center may be a pilot city or a commercial bank key management center, or a card issuing bank key management center.
  • the present invention realizes multi-level key distribution of software under the primary key distribution system, realizes key replacement in the electronic cash industry, reduces purchase cost, and achieves higher scalability.
  • FIG. 3 is a schematic structural diagram of a key management system according to another embodiment of the present invention. This embodiment is exemplified by applying the method to the implementation environment shown in FIG. 1.
  • the system includes a KMS server 201 and a KMS client 202.
  • FIG. 4 is a schematic structural diagram of a KMS server according to another embodiment of the present invention. This embodiment is exemplified by applying the method to the implementation environment shown in FIG. 1.
  • the KMS server 201 includes:
  • a KMS server 1011 configured to install software and perform functions of the software, and access the KMS server through a client interface software or an API of the software;
  • the cryptographic machine 1012 is configured to perform various security algorithm operations and save all or part of the keys;
  • the cryptographic management terminal 1013 is connected to the cipher machine through one or more serial ports to implement management of the cipher machine, including but not limited to configuring the cipher machine and the management key;
  • the cryptographic management card 1014 is configured to authenticate the operation authority when managing the cipher machine
  • the cipher key card 1015 is configured to back up the key stored in the cipher machine, and may also be used to restore the key backed up in the cipher key card to the cipher machine;
  • Printer 1016 including but not limited to a dot matrix printer, for printing a key envelope
  • a key envelope 1017 a digital envelope, is used to store the encrypted content and the encrypted key used to encrypt the content.
  • the present invention realizes multi-level key distribution of software under the primary key distribution system, realizes key replacement in the electronic cash industry, reduces purchase cost, and achieves higher scalability.
  • FIG. 5 is a schematic structural diagram of a KMS client according to another embodiment of the present invention. This embodiment is exemplified by applying the method to the implementation environment shown in FIG. 1.
  • KMS client 201 including one or more:
  • the KMS client 2011 is used to install interface software, and the user can perform system management and key management operations through the interface of the client;
  • the 2012 IC card is configured to store a user authentication key for performing identity authentication when logging in to the key management system;
  • the user card 2014 that is, the IC card held by the individual user, is used to save the key written by the client through the card reader when the card is issued, and supports the terminal device of the IC card to perform the transaction;
  • PSAM card 2015 used to store various keys used in transactions
  • the terminal security module 2016 is configured to process terminal security, including but not limited to saving a client key and a security algorithm operation;
  • the PIN pad 2018 is used for the user to input a password, and the key stored in the PIN pad is used to encrypt the password input by the user.
  • the key management system provided by the foregoing embodiment is illustrated only by way of example with the division of the above functional modules. In actual applications, the above function assignments may be completed by different functional modules as needed, that is, the internal structure of the system is divided into different functional modules to complete all or part of the functions described above.
  • the embodiment of the key management system and the key management method provided in the foregoing embodiments are in the same concept, and the specific implementation process is described in detail in the method embodiment, and details are not described herein again.
  • FIG. 6 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
  • the electronic device can be used to implement the item transfer method provided in the above embodiments. Specifically:
  • the terminal 1000 may include an RF (Radio Frequency) circuit 1010, a memory 1020 including one or more computer readable storage media, an input unit 1030, a display unit 1040, a sensor 1050, an audio circuit 1060, a short-range communication module 1070, a processor 1080 having one or more processing cores, a power supply 1090, and the like.
  • the terminal structure shown in FIG. 10 does not constitute a limitation to the terminal, which may include more or fewer components than those illustrated, combine some components, or use a different component arrangement. Wherein:
  • the RF circuit 1010 can be used for receiving and transmitting signals while receiving or transmitting information or during a call; in particular, it receives downlink information from the base station and hands it to one or more processors 1080 for processing, and it transmits uplink data to the base station.
  • the RF circuit 1010 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, an LNA (Low Noise Amplifier), a duplexer, etc.
  • RF circuit 1010 can also communicate with the network and other devices via wireless communication.
  • Wireless communication can use any communication standard or protocol, including but not limited to GSM (Global System of Mobile communication), GPRS (General Packet Radio Service), CDMA (Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), LTE (Long Term Evolution), e-mail, SMS (Short Messaging Service), and the like.
  • the memory 1020 can be used to store software programs and modules, and the processor 1080 executes various functional applications and data processing by running software programs and modules stored in the memory 1020.
  • the memory 1020 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function (such as a sound playing function, an image playing function, etc.)
  • the storage data area can store data (such as audio data, phone book, etc.) created according to the use of the terminal 1000.
  • memory 1020 can include high speed random access memory, and can also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, memory 1020 can also include a memory controller to provide access to memory 1020 by processor 1080 and input unit 1030.
  • Input unit 1030 can be used to receive input numeric or character information, as well as to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function controls.
  • input unit 1030 can include touch-sensitive surface 1031 as well as other input devices 1032.
  • Touch-sensitive surface 1031, also known as a touch display or touchpad, can collect touch operations by the user on or near it (such as operations by the user using a finger, stylus, or the like on or near the touch-sensitive surface 1031) and drive the corresponding connecting device according to a preset program.
  • the touch-sensitive surface 1031 may include two parts of a touch detection device and a touch controller.
  • the touch detection device detects the touch orientation of the user, detects the signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 1080, and can receive commands from the processor 1080 and execute them.
  • the touch sensitive surface 1031 can be implemented in various types such as resistive, capacitive, infrared, and surface acoustic waves.
  • the input unit 1030 can also include other input devices 1032.
  • other input devices 1032 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackballs, mice, joysticks, and the like.
  • Display unit 1040 can be used to display information entered by the user or information provided to the user and various graphical user interfaces of terminal 1000, which can be constructed from graphics, text, icons, video, and any combination thereof.
  • the display unit 1040 may include a display panel 1041.
  • the display panel 1041 may be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), or the like.
  • the touch-sensitive surface 1031 can cover the display panel 1041; when the touch-sensitive surface 1031 detects a touch operation on or near it, the operation is transmitted to the processor 1080 to determine the type of the touch event, and the processor 1080 then provides a corresponding visual output on the display panel 1041 according to the type of the touch event.
  • although the touch-sensitive surface 1031 and the display panel 1041 are implemented as two separate components to implement input and output functions, in some embodiments the touch-sensitive surface 1031 can be integrated with the display panel 1041 to implement the input and output functions.
  • Terminal 1000 can also include at least one type of sensor 1050, such as a light sensor, motion sensor, and other sensors.
  • the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 1041 according to the brightness of the ambient light, and the proximity sensor may turn off the display panel 1041 and/or the backlight when the terminal 1000 moves to the ear.
  • the gravity acceleration sensor can detect the magnitude of acceleration in all directions (usually three axes). When it is stationary, it can detect the magnitude and direction of gravity.
  • the terminal 1000 can also be configured with gyroscopes, barometers, hygrometers, thermometers, infrared sensors and other sensors, which are not described here again.
  • Audio circuit 1060, speaker 1061, and microphone 1062 can provide an audio interface between the user and terminal 1000.
  • on the one hand, the audio circuit 1060 can transmit the electrical signal converted from the received audio data to the speaker 1061, which converts it into a sound signal for output; on the other hand, the microphone 1062 converts the collected sound signal into an electrical signal, which the audio circuit 1060 receives and converts into audio data; the audio data is then output to the processor 180 for processing and sent via the RF circuit 110 to, for example, another terminal, or output to the memory 120 for further processing.
  • the audio circuit 160 may also include an earbud jack to provide communication of the peripheral earphones with the terminal 1000.
  • the short-range communication module 170 may include WiFi (wireless fidelity) technology and/or NFC technology and/or Bluetooth technology and/or infrared technology; through the short-range communication module 170 the terminal 1000 can help the user send and receive emails, browse web pages, access streaming media, and so on, providing the user with wireless broadband Internet access and close-range communication, such as the reading and writing of electronic cards in the embodiment of the present invention.
  • the processor 1080 is the control center of the terminal 1000. It connects the various portions of the entire handset through various interfaces and lines, and performs the various functions of the terminal 1000 and processes data by running or executing software programs and/or modules stored in the memory 1020 and recalling data stored in the memory 1020, thereby performing overall monitoring of the mobile phone.
  • the processor 1080 may include one or more processing cores; preferably, the processor 1080 may integrate an application processor and a modem processor, where the application processor mainly processes an operating system, a user interface, an application, and the like.
  • the modem processor primarily handles wireless communications. It will be appreciated that the above described modem processor may also not be integrated into the processor 1080.
  • the terminal 1000 also includes a power source 1090 (such as a battery) that supplies power to the various components; preferably, the power source can be logically coupled to the processor 1080 through a power management system, so that functions such as charging, discharging, and power management are handled through the power management system.
  • the power supply 1090 may also include any one or more of a DC or AC power source, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
  • the terminal 1000 may further include a camera, a Bluetooth module, and the like, and details are not described herein again.
  • the display unit of the electronic device is a touch screen display
  • the electronic device further includes a memory and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors, the one or more programs including instructions for performing the key management method described above.
  • FIG. 7 is a schematic structural diagram of a server according to an embodiment of the present invention.
  • the server 1100 includes a central processing unit (CPU) 1101, a system memory 1104 including a random access memory (RAM) 1102 and a read only memory (ROM) 1103, and a system bus 1105 that connects the system memory 1104 and the central processing unit 1101.
  • the server 1100 also includes a basic input/output system (I/O system) 1106 that facilitates transfer of information between various devices within the computer, and mass storage for storing the operating system 1113, applications 1114, and other program modules 1115.
  • the basic input/output system 1106 includes a display 1108 for displaying information and an input device 1109 such as a mouse or keyboard for user input of information.
  • the display 1108 and the input device 1109 are both connected to the central processing unit 1101 via an input-output controller 1110 connected to the system bus 1105.
  • the basic input/output system 1106 can also include an input output controller 1110 for receiving and processing input from a plurality of other devices, such as a keyboard, mouse, or electronic stylus.
  • the input and output controller 1110 also provides output to a display screen, printer, or other type of output device.
  • the mass storage device 1107 is connected to the central processing unit 1101 by a mass storage controller (not shown) connected to the system bus 1105.
  • the mass storage device 1107 and its associated computer readable medium provide non-volatile storage for the server 1100. That is, the mass storage device 1107 can include a computer readable medium (not shown) such as a hard disk or a CD-ROM drive.
  • the computer readable medium can include computer storage media and communication media.
  • Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data.
  • Computer storage media include RAM, ROM, EPROM, EEPROM, flash memory or other solid state storage technologies, CD-ROM, DVD or other optical storage, tape cartridges, magnetic tape, magnetic disk storage or other magnetic storage devices.
  • the server 1100 may also be operated by a remote computer connected to the network through a network such as the Internet. That is, the server 1100 can be connected to the network 1112 through the network interface unit 1111 connected to the system bus 1105, or can also be connected to other types of networks or remote computer systems (not shown) using the network interface unit 1111.
  • the memory further includes one or more programs, the one or more programs being stored in a memory, the one or more programs including instructions for performing a key management method provided by an embodiment of the present invention.
  • a person skilled in the art may understand that all or part of the steps of implementing the above embodiments may be completed by hardware, or may be instructed by a program to execute related hardware, and the program may be stored in a computer readable storage medium.
  • the storage medium mentioned may be a read only memory, a magnetic disk or an optical disk or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A key management system, relating to the field of data processing. The key management system comprises: a KMS server side (101) including one or more of a KMS server (1011), a cipher machine (1012), a cipher machine management terminal (1013), a cipher machine management card (1014) and a cipher machine key card (1015); and a KMS client side (102) including one or more of a KMS client (1021), an IC card (1022) and a card reader (1023). The key management system supports multi-level key distribution management and two-level key management. Under a one-level key distribution architecture, the system realizes multi-level key distribution in software and key replacement in the electronic cash industry, which reduces the purchasing cost and achieves higher expandability.

Description

Key management system
Technical field
The present invention relates to the field of key management, and in particular to a key management system.
Background
Under the key system of the Ministry of Housing and Urban-Rural Development, or under the UnionPay key system, a multi-level key management system is built on a unified root key. A three-level key management system, for example, uses the symmetric 3DES algorithm with double-length keys: a nationally unified consumption root key is defined and then diversified level by level according to organization codes and area codes, with two levels of diversification downward forming the three-level key system.
A financial IC card is an IC card that uses a smart card chip to implement the financial service functions of a bank card. Domestic financial IC cards currently comply with the PBOC standard. Under arrangements made by the People's Bank of China, the migration from magnetic stripe cards to IC cards has begun nationwide. The widespread use of financial IC cards will greatly improve the security of bank card payments, reduce fraud, and provide a basis for multi-function bank card applications. A financial IC card is a high-security, multi-purpose bank card. It can be used not only as a financial card but can also be loaded with many industry applications to form multi-purpose bank cards, such as financial social security cards, citizen cards and financial consumer cards. These can be widely used in shopping malls, self-service shopping, public transportation and other fields, which greatly facilitates consumers and gives banks a basis for developing new bank card products. At present, a financial IC card issuance system mainly consists of a financial IC card root CA, a key management system, a data preparation system and a personalization system. Completing the issuance system will greatly improve the efficiency and speed with which banks issue financial IC cards and safeguards the bank card business.
In order to strengthen the unified management of bank IC card keys nationwide and ensure the secure operation of the bank IC card business, national bank IC card key management rules have been formulated.
In the process of implementing the present invention, the inventor found that the prior art has at least the following problems:
In the existing key management system, a large enterprise holds the root key and deploys multiple encryption machines to realize a nationally unified key management system. Subordinate organizations that use second-level or third-level diversified keys must apply to headquarters for operations such as card issuance, and headquarters charges a fee.
Summary of the invention
In order to solve the problem that current key systems are costly, embodiments of the present invention provide a key management system. The technical solution is as follows:
According to a first aspect of the embodiments of the present invention, a key management system is provided. The system comprises:
a KMS server side, including one or more of:
a KMS server, on which software is installed and which performs the functions of the software; the KMS server can be accessed through client interface software or through the API of the software;
a cipher machine, for performing various security algorithm operations, which can store all or some of the keys;
a cipher machine management terminal, connected to the cipher machine through one or more serial ports to manage the cipher machine, including but not limited to configuring the cipher machine and managing keys;
a cipher machine management card, for authenticating operation authority when the cipher machine is managed;
a cipher machine key card, for backing up the keys stored in the cipher machine, and also usable for restoring the keys backed up on the cipher machine key card to the cipher machine;
a KMS client side, including one or more of:
a KMS client, on which interface software is installed; the user can perform system management and key management operations through the interface of the client;
an IC card, for storing a user authentication key used for identity authentication when logging in to the key management system;
a card reader, for reading and writing IC cards;
the key management system can support multi-level key diversification and two-level key management;
wherein the system further comprises:
a data preparation system, for collecting the information required for IC card issuance when an IC card is issued and providing all of that information to a personalization system, which issues the card;
an interaction center, including but not limited to an organization through which information exchanged between the systems must pass;
a terminal, including but not limited to a device on which a user transacts with a magnetic stripe card or an IC card;
a counter, including but not limited to the counter of a bank outlet.
In a first possible implementation of the first aspect, the system further comprises:
the KMS server side further including one or more of:
a printer, including but not limited to a dot matrix printer, for printing key envelopes;
a key envelope, i.e. a digital envelope, for storing the encrypted content and the encrypted key that was used to encrypt that content;
the KMS client side further including one or more of:
a user card, i.e. an IC card held by an individual user, for storing the key written by the client through the card reader at card issuance, and for carrying out transactions on terminal devices that support IC cards;
a PSAM card, for storing the various keys used in transactions;
a terminal security module, for handling terminal security, including but not limited to storing client keys and performing security algorithm operations;
a key transmission medium, for storing keys during key transmission;
a PIN pad, for the user to enter a password; the key stored in the PIN pad is used to encrypt the password entered by the user.
According to a second aspect of the embodiments of the present invention, a key management method is provided. The method comprises:
using a subkey obtained by diversifying the master key N times as the key of a user card and writing it into the user card at card issuance, N being a natural number greater than 1; or
storing a manufacturer transport card and M supervisor leader cards at a first-level management center, M being a natural number greater than 3;
generating a master key card and a master transport card by means of the supervisor leader cards, and importing the master key into the encryption machine of the first-level management center;
a second-level management center using the branch master key card and the master transport card issued by the first-level management center to issue card-issuing mother cards, or importing the branch master key into the encryption machine of the second-level management center.
In a first possible implementation of the second aspect, when a bank provides an electronic cash card and grants key authority, some of the application file keys of the electronic cash card are replaced with industry file keys, the industry file keys being derived by diversification from the master key or the branch master key.
In a second possible implementation of the second aspect, when some of the application file keys of the electronic cash card are replaced with industry file keys, the application file keys of the electronic cash card may also be retained.
In a third possible implementation of the second aspect, M is equal to 4.
In a fourth possible implementation of the second aspect, the first-level management center may be a national key management center.
In a fifth possible implementation of the second aspect, the second-level management center may be a financial IC card key management center set up by a subordinate organization authorized by the first-level management center.
In a sixth possible implementation of the second aspect, the second-level management center may be the key management center of a pilot city or a commercial bank, or the key management center of a card-issuing bank.
The beneficial effects of the technical solution provided by the embodiments of the present invention are:
Under a one-level key diversification architecture, the present invention realizes multi-level key diversification in software and key replacement for the electronic cash industry, which reduces the purchasing cost and achieves higher scalability.
Brief description of the drawings
In order to describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of the implementation environment involved in the embodiments of the present invention;
FIG. 2 is a flowchart of a key management method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a key management system according to another embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a KMS server according to another embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a KMS client according to another embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a data processing module according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a server according to another embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Please refer to FIG. 1, which shows a schematic structural diagram of the implementation environment involved in the embodiments of the present invention.
The key management system consists of software and hardware. The software part mainly implements key generation, key diversification, key import, key download and key storage. The hardware part mainly implements key operations, key backup, key transactions, business transactions and so on.
The key system supports multi-level key diversification and two-level key management. Multi-level key diversification means that the key written into a user card at card issuance can be a subkey obtained by diversifying a master key several times. A multi-level diversified key scheme ensures that the keys of different diversification areas are independent of each other while still being interoperable. Two-level key management refers to headquarters-level management and branch-level management. Headquarters-level management can be carried out by the operating company. Headquarters is responsible for safekeeping the manufacturer transport card and the 4 supervisor leader cards. The supervisor leader cards are used to generate the system's master key card and master transport card, and the master key is imported into the encryption machine. Branch-level management is carried out by a financial IC card key management center set up by a subordinate organization authorized by the operating company's headquarters, which is responsible for management and operation. Branch-level key management uses the branch master key card and the master transport card issued by headquarters either to issue the various card-issuing mother cards the branch needs or to import the keys directly into the branch's encryption machine for use.
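The multi-level diversification described above can be sketched as follows. This is an added example, not code from the patent: the derivation function (left half = 3DES of the factor, right half = 3DES of its bitwise complement, a scheme commonly used for double-length card keys) is an assumption, since the page does not specify one, and the root key, branch codes and card serial are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// encryptBlock encrypts one 8-byte block under a double-length (16-byte)
// 3DES key. crypto/des expects K1||K2||K3, so K1 is reused as K3.
func encryptBlock(key16, block8 []byte) ([]byte, error) {
	if len(key16) != 16 || len(block8) != 8 {
		return nil, errors.New("need a 16-byte key and an 8-byte block")
	}
	key24 := make([]byte, 0, 24)
	key24 = append(key24, key16...)
	key24 = append(key24, key16[:8]...)
	c, err := des.NewTripleDESCipher(key24)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block8)
	return out, nil
}

// Diversify derives a 16-byte child key from a parent key and an 8-byte
// diversification factor (assumed scheme, see lead-in):
// left half = E(parent, factor), right half = E(parent, NOT factor).
// Parity bits are not adjusted; DES ignores them.
func Diversify(parent, factor []byte) ([]byte, error) {
	left, err := encryptBlock(parent, factor)
	if err != nil {
		return nil, err
	}
	inverted := make([]byte, len(factor))
	for i, b := range factor {
		inverted[i] = ^b
	}
	right, err := encryptBlock(parent, inverted)
	if err != nil {
		return nil, err
	}
	return append(left, right...), nil
}

// DeriveChain diversifies root once per factor (N-level diversification).
func DeriveChain(root []byte, factors ...[]byte) ([]byte, error) {
	key := root
	for _, f := range factors {
		next, err := Diversify(key, f)
		if err != nil {
			return nil, err
		}
		key = next
	}
	return key, nil
}

func main() {
	// Constructed sample values, not real keys or codes.
	root, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	branchA := []byte("BRANCH0A") // hypothetical 8-byte branch codes
	branchB := []byte("BRANCH0B")
	card, _ := hex.DecodeString("6200000000000017") // hypothetical card serial

	// Headquarters level: one branch master key per branch.
	bmkA, _ := Diversify(root, branchA)
	bmkB, _ := Diversify(root, branchB)

	// Branch level: the key written into the user card at issuance.
	issued, _ := Diversify(bmkA, card)

	// Any holder of the root key can re-derive the same card key from the
	// branch code and the card serial; no per-card key database is needed.
	rederived, _ := DeriveChain(root, branchA, card)

	// The same card serial under another branch yields an unrelated key,
	// so the diversification areas stay independent of each other.
	foreign, _ := Diversify(bmkB, card)

	fmt.Printf("branch A master key: %X\n", bmkA)
	fmt.Printf("card key (issued):   %X\n", issued)
	fmt.Println("re-derivation matches:", bytes.Equal(issued, rederived))
	fmt.Println("branch B differs:     ", !bytes.Equal(issued, foreign))
}
```

Because each level is a one-way step under the parent key, a branch that holds only its branch master key can issue and verify its own cards but cannot compute the root key or another branch's keys.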
Key replacement for the electronic cash industry is implemented as follows. The bank first provides the electronic cash card and grants authority, so that the system can replace some of the card's application file keys with industry file keys. These keys are derived by diversification from the operator's own self-built key, so an electronic cash card that has undergone industry key replacement can be used within the city-level application scope. The previous files are retained at the same time, so the electronic cash card can still be used in its original scenarios.
The key management system is a software system that manages the various keys of a business system from the perspective of key usage. Critical algorithm operations are carried out by hardware cryptographic devices.
The main function of the key management system is to provide key management and key services to business systems. It can be widely applied to electronic payment in mobile payment, telecommunications, banking, social security, public transportation and related areas. The key system is managed through configuration, which meets users' needs for key management across multiple applications and multiple services.
The construction of the key system strictly follows the principle that "the secret lies in the key", and offers a high level of security and technical maturity. In terms of security management, it has complete mechanisms for personnel authentication, security control, operation and maintenance monitoring, and auditing. In terms of application functions, it supports the key management and service requirements of EMV/PBOC 2.0 standard bank credit and debit cards, electronic wallets and the like in key generation, transmission, card issuance and key update. It can be used as an independent key management center, or it can be connected to business systems such as data preparation systems and card issuance systems to provide the related key management services.
In summary, under a one-level key diversification architecture, the present invention realizes multi-level key diversification in software and key replacement for the electronic cash industry, which reduces the purchasing cost and achieves higher scalability.
Please refer to FIG. 2, which shows a flowchart of a key management method according to an embodiment of the present invention. This embodiment is described using the example of the key management method applied to the implementation environment shown in FIG. 1. The method may include:
using a subkey obtained by diversifying the master key N times as the key of a user card and writing it into the user card at card issuance, N being a natural number greater than 1; or
Step 201: storing a manufacturer transport card and M supervisor leader cards at a first-level management center, M being a natural number greater than 3;
Preferably, the first-level management center may be a national key management center;
Preferably, M is equal to 4;
Step 202: generating a master key card and a master transport card by means of the supervisor leader cards, and importing the master key into the encryption machine of the first-level management center;
Step 203: the second-level management center uses the branch master key card and the master transport card issued by the first-level management center to issue card-issuing mother cards, or imports the branch master key into the encryption machine of the second-level management center.
Preferably, when a bank provides an electronic cash card and grants key authority, some of the application file keys of the electronic cash card are replaced with industry file keys, the industry file keys being derived by diversification from the master key or the branch master key.
Preferably, when some of the application file keys of the electronic cash card are replaced with industry file keys, the application file keys of the electronic cash card may also be retained.
Preferably, the second-level management center may be a financial IC card key management center set up by a subordinate organization authorized by the first-level management center.
Preferably, the second-level management center may be the key management center of a pilot city or a commercial bank, or the key management center of a card-issuing bank.
In summary, under a one-level key diversification architecture, the present invention realizes multi-level key diversification in software and key replacement for the electronic cash industry, which reduces the purchasing cost and achieves higher scalability.
Please refer to FIG. 3, which shows a schematic structural diagram of a key management system according to another embodiment of the present invention. This embodiment is described using the example of the method applied to the implementation environment shown in FIG. 1. The system includes a KMS server side 201 and a KMS client side 202.
Please refer to FIG. 4, which shows a schematic structural diagram of a KMS server according to another embodiment of the present invention. This embodiment is described using the example of the method applied to the implementation environment shown in FIG. 1. The KMS server side 201 includes:
a KMS server 1011, on which software is installed and which performs the functions of the software; the KMS server can be accessed through client interface software or through the API of the software;
a cipher machine 1012, for performing various security algorithm operations, which can store all or some of the keys;
a cipher machine management terminal 1013, connected to the cipher machine through one or more serial ports to manage the cipher machine, including but not limited to configuring the cipher machine and managing keys;
a cipher machine management card 1014, for authenticating operation authority when the cipher machine is managed;
a cipher machine key card 1015, for backing up the keys stored in the cipher machine, and also usable for restoring the keys backed up on the cipher machine key card to the cipher machine;
a printer 1016, including but not limited to a dot matrix printer, for printing key envelopes;
a key envelope 1017, i.e. a digital envelope, for storing the encrypted content and the encrypted key that was used to encrypt that content.
In summary, under a one-level key diversification architecture, the present invention realizes multi-level key diversification in software and key replacement for the electronic cash industry, which reduces the purchasing cost and achieves higher scalability.
Please refer to FIG. 5, which shows a schematic structural diagram of a KMS client according to another embodiment of the present invention. This embodiment is described using the example of the method applied to the implementation environment shown in FIG. 1. The KMS client side 201 includes one or more of:
a KMS client 2011, on which interface software is installed; the user can perform system management and key management operations through the interface of the client;
an IC card 2012, for storing a user authentication key used for identity authentication when logging in to the key management system;
a card reader 2013, for reading and writing IC cards;
a user card 2014, i.e. an IC card held by an individual user, for storing the key written by the client through the card reader at card issuance, and for carrying out transactions on terminal devices that support IC cards;
a PSAM card 2015, for storing the various keys used in transactions;
a terminal security module 2016, for handling terminal security, including but not limited to storing client keys and performing security algorithm operations;
a key transmission medium 2017, for storing keys during key transmission;
a PIN pad 2018, for the user to enter a password; the key stored in the PIN pad is used to encrypt the password entered by the user.
It should be noted that, when the key management system provided by the above embodiment performs key management, the division into the functional modules described above is only an example. In practice, the functions may be assigned to different functional modules as needed; that is, the internal structure of the system may be divided into different functional modules to perform all or some of the functions described above. In addition, the key management system provided by the above embodiment and the key management method embodiment belong to the same concept. For its specific implementation, see the method embodiment; details are not repeated here.
请参考图6,其示出了本发明一个实施例提供的终端的结构示意图。该电子设备可以用于实施上述实施例中提供的物品转移方法。具体来讲:Please refer to FIG. 6, which is a schematic structural diagram of a terminal according to an embodiment of the present invention. The electronic device can be used to implement the item transfer method provided in the above embodiments. Specifically:
终端1000可以包括RF(Radio Frequency,射频)电路1010、包括有一个或一个以上计算机可读存储介质的存储器1020、输入单元1030、显示单元1040、传感器1050、音频电路1060、短距离通信模块1070、包括有一个或者一个以上处理核心的处理器1080、以及电源1090等部件。本领域技术人员可以理解,图10中示出的终端结构并不构成对终端的限定,可以包括比图示更多或更少的部件,或者组合某些部件,或者不同的部件布置。其中:The terminal 1000 may include an RF (Radio Frequency) circuit 1010, a memory 1020 including one or more computer readable storage media, an input unit 1030, a display unit 1040, a sensor 1050, an audio circuit 1060, a short-range communication module 1070, A processor 1080 having one or more processing cores, and a power supply 1090 and the like are included. It will be understood by those skilled in the art that the terminal structure shown in FIG. 10 does not constitute a limitation to the terminal, and may include more or less components than those illustrated, or combine some components, or different component arrangements. among them:
RF电路1010可用于收发信息或通话过程中,信号的接收和发送,特别地,将基站的下行信息接收后,交由一个或者一个以上处理器1080处理;另外,将涉及上行的数据发送给基站。通常,RF电路1010包括但不限于天线、至少一个放大器、调谐器、一个或多个振荡器、用户身份模块(SIM)卡、收发信机、耦合器、LNA(Low Noise Amplifier,低噪声放大器)、双工器等。此外,RF电路1010还可以通过无线通信与网络和其他设备通信。无线通信可以使用任一通信标准或协议,包括但不限于GSM(Global System of Mobile communication,全球移动通讯系统)、GPRS(General Packet Radio Service,通用分组无线服务)、CDMA(Code Division Multiple Access,码分多址)、WCDMA(Wideband Code Division Multiple Access,宽带码分多址)、LTE(Long Term Evolution,长期演进)、电子邮件、SMS(Short Messaging Service,短消息服务)等。The RF circuit 1010 can be used for receiving and transmitting signals during and after receiving or transmitting information, in particular, receiving downlink information of the base station and then processing it by one or more processors 1080; in addition, transmitting data related to the uplink to the base station . Generally, the RF circuit 1010 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, an LNA (Low Noise Amplifier). , duplexer, etc. In addition, RF circuit 1010 can also communicate with the network and other devices via wireless communication. Wireless communication can use any communication standard or protocol, including but not limited to GSM (Global System of Mobile communication), GPRS (General Packet Radio Service), CDMA (Code Division Multiple Access) Divisional Multiple Access), WCDMA (Wideband Code Division Multiple Access), LTE (Long Term Evolution), e-mail, SMS (Short Messaging Service), and the like.
存储器1020可用于存储软件程序以及模块,处理器1080通过运行存储在存储器1020的软件程序以及模块,从而执行各种功能应用以及数据处理。存储器1020可主要包括存储程序区和存储数据区,其中,存储程序区可存储操作系统、至少一个功能所需的应用程序(比如声音播放功能、图像播放功能等) 等;存储数据区可存储根据终端1000的使用所创建的数据(比如音频数据、电话本等)等。此外,存储器1020可以包括高速随机存取存储器,还可以包括非易失性存储器,例如至少一个磁盘存储器件、闪存器件、或其他易失性固态存储器件。相应地,存储器1020还可以包括存储器控制器,以提供处理器1080和输入单元1030对存储器1020的访问。The memory 1020 can be used to store software programs and modules, and the processor 1080 executes various functional applications and data processing by running software programs and modules stored in the memory 1020. The memory 1020 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function (such as a sound playing function, an image playing function, etc.) The storage data area can store data (such as audio data, phone book, etc.) created according to the use of the terminal 1000. Moreover, memory 1020 can include high speed random access memory, and can also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, memory 1020 can also include a memory controller to provide access to memory 1020 by processor 1080 and input unit 1030.
The input unit 1030 may be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical, or trackball signal inputs related to user settings and function control. Specifically, the input unit 1030 may include a touch-sensitive surface 1031 and other input devices 1032. The touch-sensitive surface 1031, also called a touch display screen or touchpad, can collect touch operations performed by the user on or near it (such as operations performed on or near the touch-sensitive surface 1031 with a finger, a stylus, or any other suitable object or accessory) and drive the corresponding connected device according to a preset program. Optionally, the touch-sensitive surface 1031 may include two parts: a touch detection device and a touch controller. The touch detection device detects the position of the user's touch, detects the signal produced by the touch operation, and passes the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 1080, and can receive and execute commands sent by the processor 1080. The touch-sensitive surface 1031 may be implemented using resistive, capacitive, infrared, surface acoustic wave, and other technologies. In addition to the touch-sensitive surface 1031, the input unit 1030 may include other input devices 1032. Specifically, the other input devices 1032 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and power keys), a trackball, a mouse, a joystick, and the like.
The display unit 1040 may be used to display information entered by the user or provided to the user, as well as the various graphical user interfaces of the terminal 1000, which may be composed of graphics, text, icons, video, and any combination thereof. The display unit 1040 may include a display panel 1041; optionally, the display panel 1041 may be configured as an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode) display, or the like. Further, the touch-sensitive surface 1031 may cover the display panel 1041. When the touch-sensitive surface 1031 detects a touch operation on or near it, it passes the operation to the processor 1080 to determine the type of touch event, and the processor 1080 then provides the corresponding visual output on the display panel 1041 according to the type of touch event. Although in FIG. 10 the touch-sensitive surface 1031 and the display panel 1041 are shown as two separate components implementing the input and output functions, in some embodiments the touch-sensitive surface 1031 may be integrated with the display panel 1041 to implement the input and output functions.
The terminal 1000 may also include at least one sensor 1050, such as a light sensor, a motion sensor, or other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor: the ambient light sensor can adjust the brightness of the display panel 1041 according to the ambient light level, and the proximity sensor can turn off the display panel 1041 and/or the backlight when the terminal 1000 is moved to the ear. As one kind of motion sensor, a gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally three axes) and, when stationary, the magnitude and direction of gravity. It can be used in applications that recognize the attitude of the phone (such as switching between landscape and portrait, related games, and magnetometer attitude calibration) and in vibration-recognition functions (such as a pedometer or tap detection). Other sensors that may also be fitted to the terminal 1000, such as a gyroscope, barometer, hygrometer, thermometer, or infrared sensor, are not described further here.
The audio circuit 1060, the speaker 1061, and the microphone 1062 may provide an audio interface between the user and the terminal 1000. The audio circuit 1060 can transmit the electrical signal converted from received audio data to the speaker 1061, which converts it into a sound signal for output. In the other direction, the microphone 1062 converts the collected sound signal into an electrical signal, which the audio circuit 1060 receives and converts into audio data; the audio data is then output to the processor 180 for processing and sent via the RF circuit 110 to, for example, another terminal, or output to the memory 120 for further processing. The audio circuit 160 may also include an earphone jack to provide communication between a peripheral headset and the terminal 1000.
The short-range communication module 170 may include WiFi (wireless fidelity) technology and/or NFC technology and/or Bluetooth technology and/or infrared technology. Through the short-range communication module 170, the terminal 1000 can help the user send and receive e-mail, browse web pages, access streaming media, and so on. It provides the user with wireless broadband Internet access and short-range communication, which in the embodiments of the present invention is used, for example, for reading and writing electronic cards.
The processor 1080 is the control center of the terminal 1000. It connects the various parts of the entire phone using various interfaces and lines, and performs the functions of the terminal 1000 and processes data by running or executing the software programs and/or modules stored in the memory 1020 and by calling the data stored in the memory 1020, thereby monitoring the phone as a whole. Optionally, the processor 1080 may include one or more processing cores. Preferably, the processor 1080 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, application programs, and the like, and the modem processor mainly handles wireless communication. It will be understood that the modem processor need not be integrated into the processor 1080.
The terminal 1000 also includes a power supply 1090 (such as a battery) that powers the various components. Preferably, the power supply may be logically connected to the processor 1080 through a power management system, so that charging, discharging, power consumption management, and similar functions are handled through the power management system. The power supply 1090 may also include any components such as one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power converter or inverter, and a power status indicator.
Although not shown, the terminal 1000 may also include a camera, a Bluetooth module, and the like, which are not described further here. Specifically, in this embodiment, the display unit of the electronic device is a touch screen display, and the electronic device further includes a memory and one or more programs, where the one or more programs are stored in the memory and configured to be executed by one or more processors, and the one or more programs contain instructions for performing the key management method described above.
Refer to FIG. 7, which shows a schematic structural diagram of a server provided by an embodiment of the present invention. One or more such servers may make up the order management system, card management system, aggregation management system, or item provider device in the embodiments of the present invention. The server 1100 includes a central processing unit (CPU) 1101, a system memory 1104 comprising a random access memory (RAM) 1102 and a read-only memory (ROM) 1103, and a system bus 1105 connecting the system memory 1104 and the central processing unit 1101. The server 1100 also includes a basic input/output system (I/O system) 1106 that helps transfer information between the devices within the computer, and a mass storage device 1107 for storing an operating system 1113, application programs 1114, and other program modules 1115.
The basic input/output system 1106 includes a display 1108 for displaying information and an input device 1109, such as a mouse or keyboard, for the user to enter information. The display 1108 and the input device 1109 are both connected to the central processing unit 1101 through an input/output controller 1110 connected to the system bus 1105. The basic input/output system 1106 may also include the input/output controller 1110 for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, the input/output controller 1110 also provides output to a display screen, a printer, or another type of output device.
The mass storage device 1107 is connected to the central processing unit 1101 through a mass storage controller (not shown) connected to the system bus 1105. The mass storage device 1107 and its associated computer-readable medium provide non-volatile storage for the server 1100. That is, the mass storage device 1107 may include a computer-readable medium (not shown) such as a hard disk or a CD-ROM drive.
Without loss of generality, the computer-readable medium may include computer storage media and communication media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules, or other data. Computer storage media include RAM, ROM, EPROM, EEPROM, flash memory or other solid-state storage technologies, CD-ROM, DVD or other optical storage, tape cassettes, magnetic tape, magnetic disk storage, or other magnetic storage devices. Those skilled in the art will of course recognize that computer storage media are not limited to those listed above. The system memory 1104 and the mass storage device 1107 described above may be referred to collectively as the memory.
According to various embodiments of the present invention, the server 1100 may also run by connecting, through a network such as the Internet, to a remote computer on the network. That is, the server 1100 may be connected to the network 1112 through a network interface unit 1111 connected to the system bus 1105; the network interface unit 1111 may equally be used to connect to other types of networks or remote computer systems (not shown).
The memory further includes one or more programs, which are stored in the memory and contain instructions for carrying out the key management method provided by the embodiments of the present invention.
The sequence numbers of the above embodiments of the present invention are for description only and do not indicate the relative merits of the embodiments.
A person of ordinary skill in the art will understand that all or some of the steps of the above embodiments may be carried out by hardware, or by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, and the storage medium mentioned may be a read-only memory, a magnetic disk, an optical disk, or the like.
The above are merely preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement, improvement, or the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (2)

  1. A key management system, characterized in that the system comprises:
    a KMS server side, comprising one or more of:
    a KMS server, on which software is installed and which performs the functions of the software, the KMS server being accessible through client interface software or through the API of the software;
    a cipher machine, for performing various security algorithm operations, which can also store all or some of the keys;
    a cipher machine management terminal, connected to the cipher machine through one or more serial ports, for managing the cipher machine, including but not limited to configuring the cipher machine and managing keys;
    a cipher machine management card, for authenticating operation permissions when the cipher machine is being managed;
    a cipher machine key card, for backing up the keys stored in the cipher machine, which can also be used to restore the keys backed up on the cipher machine key card to the cipher machine;
    a KMS client side, comprising one or more of:
    a KMS client, on which interface software is installed, through whose interface a user can perform system management and key management operations;
    an IC card, for storing a user authentication key used for identity authentication when logging in to the key management system;
    a card reader, for reading and writing IC cards;
    the key management system can support multi-level key diversification and two-level key management;
    wherein the system further comprises:
    a data preparation system, for collecting, when an IC card is issued, the data required to issue the IC card and providing all of that data to a personalization system, which issues the card;
    an interaction center, including but not limited to the body through which information exchanged between the individual systems must pass;
    a terminal, including but not limited to a device on which a user conducts transactions with a magnetic stripe card or an IC card;
    a counter, including but not limited to the counter of a bank branch.
  2. The system according to claim 1, characterized in that the system further comprises:
    the KMS server side, further comprising one or more of:
    a printer, including but not limited to a dot matrix printer, for printing key envelopes;
    a key envelope, that is, a digital envelope, for storing encrypted content together with the encrypted key that was used to encrypt the content;
    the KMS client side, further comprising one or more of:
    a user card, that is, an IC card held by an individual user, for storing the key written by the client through the card reader when the card is issued, and for conducting transactions on terminal devices that support IC cards;
    a PSAM card, for storing the various keys used in transactions;
    a terminal security module, for handling terminal security, including but not limited to storing client keys and performing security algorithm operations;
    a key transmission medium, for storing keys while they are being transferred;
    a PIN pad, for the user to enter a password, the key stored in the PIN pad being used to encrypt the password entered by the user.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/077837 WO2017166113A1 (en) 2016-03-30 2016-03-30 Key management system

Publications (1)

Publication Number Publication Date
WO2017166113A1 true WO2017166113A1 (en) 2017-10-05

Family ID: 59962389

Country Status (1)

Country Link
WO (1) WO2017166113A1 (en)

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16895894

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 16895894

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 08/03/2019)
