CN104618115B

CN104618115B - ID card information acquisition methods and system

Info

Publication number: CN104618115B
Application number: CN201510040841.XA
Authority: CN
Inventors: 李明
Original assignee: Individual
Current assignee: Tendyron Corp
Priority date: 2015-01-27
Filing date: 2015-01-27
Publication date: 2018-12-18
Anticipated expiration: 2035-01-27
Also published as: CN104618115A

Abstract

The present invention provides a kind of ID card information acquisition methods and system, wherein, this method comprises: the first preposition terminal, which sends ID card information to electronic signature equipment, reads instruction, the identity storage information saved in electronic signature equipment is read in request, wherein, identity storage information includes: the ID card information in user's resident identification card；First preposition terminal receives the cipher-text information for the identity storage information that electronic signature equipment is sent；The cipher-text information of identity storage information is sent to background server by the first preposition terminal；Cipher-text information is decrypted in background server, obtains ID card information；Obtained ID card information is returned to the first preposition terminal by background server.

Description

Identity card information acquisition method and system

Technical Field

The invention relates to the technical field of electronics, in particular to an identity card information acquisition method and system.

Background

When handling various services nowadays, a service handling person needs to hold a resident identification card for handling, and often carries the identification card, so that the loss of the identification card is easily caused, and the confidentiality and the security of the identity information in the identification card cannot be ensured.

Disclosure of Invention

The present invention is directed to solving one of the problems set forth above.

According to one aspect of the invention, an identity card information acquisition method is provided, which comprises the following steps: the method comprises the following steps that a first front-end terminal sends an identity card information reading instruction to an electronic signature device to request to read identity storage information stored in the electronic signature device, wherein the identity storage information comprises: identity card information in the user resident identity card; the method comprises the steps that a first front-end terminal receives ciphertext information of identity storage information sent by electronic signature equipment; the first front-end terminal sends the ciphertext information of the identity storage information to the background server; the background server decrypts the ciphertext information to obtain the identity card information; and the background server returns the obtained identity card information to the first prepositive terminal.

Optionally, the ciphertext information is obtained by encrypting the identity storage information by the electronic signature device by using a second encryption key; decrypting the ciphertext information to obtain the identity card information, comprising: and the background server decrypts the ciphertext information by adopting a second decryption key corresponding to the second encryption key to obtain the identity card information.

Optionally, before the first front-end terminal sends the identification card information reading instruction to the electronic signature device, the method further includes: and the background server acquires the identity storage information and sends the identity storage information to the electronic signature device through the second front-end terminal.

Optionally, before the first front-end terminal sends the identification card information reading instruction to the electronic signature device, the method further includes: the background server acquires the identity storage information, encrypts the identity storage information by adopting a first encryption key, and sends ciphertext information obtained by encryption to the electronic signature equipment through the second front-end terminal; decrypting the ciphertext information to obtain the identity card information, comprising: and the background server decrypts the ciphertext information by adopting a first decryption key corresponding to the first encryption key to obtain the identity card information.

Optionally, before the first front-end terminal sends the identification card information reading instruction to the electronic signature device, the method further includes: the background server acquires the identity storage information, encrypts the identity storage information by adopting a first encryption key, and sends encrypted data obtained by encryption to the electronic signature equipment through the second front-end terminal; the ciphertext information is obtained by encrypting the encrypted data by the electronic signature device by adopting a second encryption key; decrypting the ciphertext information to obtain the identity card information, comprising: the background server decrypts the ciphertext information by adopting a second decryption key corresponding to the second encryption key to obtain encrypted data, and then decrypts the encrypted data by utilizing a first decryption key corresponding to the first encryption key to obtain the identity card information.

Optionally, the data sent by the background server to the electronic signature device via the second front-end terminal further includes, in addition to the identity storage information: the background server signs the identity card information to obtain first signature information; the data sent to the first preposed terminal by the electronic signature device also comprises the following information besides the identity card storage information: the background server signs the identity card information to obtain first signature information or the electronic signature equipment encrypts the first signature information by adopting a third encryption key to obtain a first signature information ciphertext; decrypting the ciphertext information to obtain the identity card information and before returning the obtained identity card information to the first front-end terminal, the method further comprises the following steps: the background server verifies the first signature information, and the verification is passed; or the background server decrypts the first signature information ciphertext by using a third decryption key corresponding to the third encryption key, verifies the decrypted first signature information, and the verification is passed.

Optionally, the identity storage information further comprises: the background server signs the identity card information to obtain first signature information; decrypting the ciphertext information to obtain the identity card information and before returning the obtained identity card information to the first front-end terminal, the method further comprises the following steps: and the background server verifies the first signature information obtained by signature and passes the verification.

Optionally, the data sent by the electronic signature device to the first front-end terminal includes, in addition to the identity storage information: the electronic signature equipment signs the identity card information or the identity storage information to obtain second signature information or a ciphertext of the second signature information; decrypting the ciphertext information to obtain the identity card information and before returning the obtained identity card information to the first front-end terminal, the method further comprises the following steps: the background server verifies the second signature information and passes the verification; or the background server decrypts the ciphertext of the second signature information, verifies the decrypted second signature information and passes the verification.

According to another aspect of the present invention, there is provided an identification card information acquisition system including: the system comprises a first front terminal and a background server; wherein, first leading terminal includes: the first sending module is used for sending an identity card information reading instruction to the electronic signature device and requesting to read identity storage information stored in the electronic signature device, wherein the identity storage information comprises: identity card information in the user resident identity card; the first receiving module is used for receiving ciphertext information of the identity storage information sent by the electronic signature equipment; the second sending module is used for sending the ciphertext information of the identity storage information to the background server; the background server comprises: the second receiving module is used for receiving the ciphertext information; the encryption and decryption module is used for decrypting the ciphertext information to obtain the identity card information; and the third sending module is used for returning the identity card information obtained by decryption to the first preposed terminal.

Optionally, the ciphertext information is obtained by encrypting the identity storage information by the electronic signature device by using a second encryption key; the encryption and decryption module decrypts the ciphertext information in the following mode: and decrypting the ciphertext information by adopting a second decryption key corresponding to the second encryption key to obtain the identity card information.

Optionally, the backend server further comprises: the first acquisition module is used for acquiring identity storage information before the first front-end terminal sends an identity card information reading instruction to the electronic signature device; the third sending module is further used for sending the identity storage information to the electronic signature device through the second preposed terminal.

Optionally, the backend server further comprises: the second acquisition module is used for acquiring the identity storage information before the first front-end terminal sends an identity card information reading instruction to the electronic signature device; the encryption and decryption module is also used for encrypting the identity storage information acquired by the second acquisition module by adopting a first encryption key; the third sending module is also used for sending the encrypted ciphertext information to the electronic signature device through the second preposed terminal; the encryption and decryption module decrypts the ciphertext information in the following mode: and decrypting the ciphertext information by adopting a first decryption key corresponding to the first encryption key to obtain the identity card information.

Optionally, the backend server further comprises: the third acquisition module is used for acquiring the identity storage information before the first front-end terminal sends an identity card information reading instruction to the electronic signature device; the encryption and decryption module is also used for encrypting the identity storage information acquired by the third acquisition module by adopting a first encryption key; the third sending module is also used for sending the encrypted data obtained by encryption to the electronic signature device through the second prepositive terminal; the ciphertext information is obtained by encrypting the encrypted data by the electronic signature device by adopting a second encryption key; the encryption and decryption module decrypts the ciphertext information in the following mode: and decrypting the ciphertext information by using a second decryption key corresponding to the second encryption key to obtain encrypted data, and decrypting the encrypted data by using a first decryption key corresponding to the first encryption key to obtain the identity card information.

Optionally, the data sent by the third sending module to the electronic signature device via the second front-end terminal includes, in addition to the identity storage information: the background server signs the identity card information to obtain first signature information; the data sent by the electronic signature device and received by the first receiving module further comprises the following information besides the identity card storage information: the background server signs the identity card information to obtain first signature information or the electronic signature equipment encrypts the first signature information by adopting a third encryption key to obtain a first signature information ciphertext; the background server further comprises: the first verification module is used for verifying the first signature information and triggering the encryption and decryption module to decrypt the ciphertext information after the verification is passed; or, the third decryption key corresponding to the third encryption key is used for decrypting the first signature information ciphertext, the decrypted first signature information is verified, and after the verification is passed, the encryption and decryption module is triggered to decrypt the ciphertext information.

Optionally, the identity storage information further comprises: the background server signs the identity card information to obtain first signature information; the background server further comprises: and the second verification module is used for verifying the first signature information obtained by signature, and after the verification is passed, the encryption and decryption module is triggered to decrypt the ciphertext information.

Optionally, the data sent by the electronic signature device and received by the first receiving module further includes, in addition to the identity storage information: the electronic signature equipment signs the identity card information or the identity storage information to obtain second signature information or a ciphertext of the second signature information; the background server further comprises: the third verification module is used for verifying the second signature information and triggering the encryption and decryption module to decrypt the ciphertext information after the verification is passed; or the ciphertext of the second signature information is decrypted, the decrypted second signature information is verified, and the encryption and decryption module is triggered to decrypt the ciphertext information after the verification is passed.

According to still another aspect of the present invention, there is provided a resident identification card information verification system including: electronic signature equipment and above-mentioned ID card information acquisition system.

According to the technical scheme provided by the invention, the front-end terminal reads the identity card information in the resident identity card from the electronic signature equipment, so that the portable identity card can be prevented from being lost easily and the identity information can be prevented from being leaked due to the loss. In addition, because the identity storage information returned by the electronic signature device is a ciphertext, the plaintext of the identity card information can be acquired only after the ciphertext information is decrypted by the background server, so that the safety of the identity card information stored in the electronic signature device is ensured.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.

Fig. 1 is a schematic structural diagram of an identity card information acquisition system according to an embodiment of the present invention;

fig. 2 is a schematic structural diagram of a first front end terminal according to an embodiment of the present invention;

fig. 3 is a schematic structural diagram of a backend server according to an embodiment of the present invention;

fig. 4 is a flowchart of an identity card information obtaining method according to an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.

In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and thus, are not to be construed as limiting the present invention. Furthermore, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or quantity or location.

In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.

Embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.

The embodiment of the invention provides an identity card information acquisition system.

Fig. 1 is a schematic structural diagram of an identity card information acquisition system provided in an embodiment of the present invention, and referring to fig. 1, the identity card information acquisition system provided in the embodiment of the present invention includes: the first front end terminal 20 and the background server 40 connected with the first front end terminal 20.

In the embodiment of the present invention, when the identity card information of the user needs to be acquired, the first front end terminal 20 sends an identity card information reading instruction to the electronic signature device 10 to request to read the identity storage information stored in the electronic signature device 10 and including the identity card information in the resident identity card of the user, and then the first front end terminal 20 receives the ciphertext information of the identity storage information sent by the electronic signature device 10. The first front end terminal 20 sends the ciphertext information of the identity storage information to the background server 40. After receiving the ciphertext information of the identity storage information, the background server 40 decrypts the received ciphertext information to obtain the identity card information, and then returns the obtained identity card information to the first front-end terminal 20. So that the first front end terminal 20 can obtain directly readable identification card information.

The identity card information acquisition system provided in the embodiment of the present invention may include a plurality of front end terminals, and it can be understood that the first front end terminal 20 is one of the plurality of front end terminals in the system, and each front end terminal is connected to the background server 40. The background server 40 may be a server provided by a bank, and the front-end terminal may be a terminal provided by a bank counter, such as a PC, or the background server 40 may also be another server that needs to perform an identification card information acquisition system, and may also be a trusted third-party server (such as a cloud server). The electronic signature device 10 may be a key device provided by a bank (e.g., U shield of a working bank, K bank of a farming bank, etc.), or may be another device having a signature function. The electronic signature device 10 can be connected to any front-end terminal.

As an optional implementation manner of the embodiment of the present invention, as shown in fig. 1, the system may further include: a second front end 30. The second front end 30 and the first front end 20 may be the same front end or different front ends. In a specific application, the user may hold the resident identification card to the location of the second front-end terminal 30 connected to the backend server 40 to verify the identification card information, and the second front-end terminal 30 reads the identification card information stored in the identification card. After the identity card information is verified, the identity storage information may be sent to the electronic signature device 10 for storage by, but not limited to, one of the following ways:

the first method is as follows: the second front-end terminal 30 sends the read identity card information to the electronic signature device 10 as identity storage information, and the electronic signature device 10 receives the identity storage information sent by the second front-end terminal 30 and stores the identity storage information; of course, as an optional implementation manner of the embodiment of the present invention, the second front-end terminal 30 may also display the read identification card information, and after confirming that the identification card information is correct, the second front-end terminal 30 sends the identification storage information to the electronic signature device 10 for storage, thereby ensuring the authenticity of the identification card information.

The second method comprises the following steps: the second front-end terminal 30 sends the read identity card information as identity storage information to the background server 40, the background server 40 returns encrypted data obtained by encrypting the identity storage information to the second front-end terminal 30, the second front-end terminal 30 sends the encrypted data to the electronic signature device 10, and the electronic signature device 20 decrypts the encrypted data to obtain the identity storage information for storage, or the electronic signature device 10 can directly store the encrypted data. Therefore, even if the identity card information is intercepted in the sending process, the identity card information cannot be obtained without a decryption key, and the confidentiality and the safety of the identity card information are ensured.

The third method comprises the following steps: the second front-end terminal 30 sends the read identity card information as identity storage information to the background server 40, the background server 40 returns signature data obtained after signing the identity storage information to the second front-end terminal 30, the second front-end terminal 30 sends the identity storage information and the signature data to the electronic signature device 10, and the electronic signature device 10 stores the identity storage information. Of course, as an optional implementation manner of the embodiment of the present invention, the electronic signature device 10 may perform signature verification on the signature data, and store the identity storage information after the signature verification passes. Therefore, the source reliability, the non-repudiation property and the authenticity of the identity card information are ensured.

The method is as follows: the second front-end terminal 30 sends the read identity card information as identity storage information to the background server 40, the background server 40 encrypts the identity storage information to obtain encrypted data and signs the identity storage information to obtain signature data, the signature data is returned to the second front-end terminal 30, the second front-end terminal 30 is sent to the electronic signature device 10, the electronic signature device 10 can decrypt the encrypted data to obtain the identity storage information to store, or the electronic signature device 10 can directly store the encrypted data; of course, as an optional implementation manner of the embodiment of the present invention, the electronic signature device 10 may further perform signature verification on the signature data after decrypting the encrypted data to obtain the identity storage information, and after the signature verification passes, it is determined that the identity storage information is confirmed by the background server 40, and then the identity storage information is stored. Therefore, the non-repudiation and the authenticity of the identity card information can be ensured, and the confidentiality and the safety of the identity card information can also be ensured.

Therefore, the identity card information in the resident identity card can be safely stored.

The identity card information in the embodiment of the invention can be plaintext identity card information read from a user resident identity card by an identity card reader, and can also be ciphertext identity card information stored in the user resident identity card, and the ciphertext identity card information can be decrypted through a network so as to obtain the plaintext information. Of course, the identity card information may be all the identity card information stored in the user resident identity card, or may be part of the identity card information intercepted according to different requirements, and is not limited in the embodiment of the present invention.

Based on the manner in which the second front-end terminal 30 encrypts and sends the identity storage information to the electronic signature device 10 for storage, the backend server 40 may encrypt the information by using the public key of the electronic signature device 10, may encrypt the information by using a key negotiated with the electronic signature device 10, and may encrypt the information by using a preset symmetric key that is the same as the symmetric key of the electronic signature device 10. Correspondingly, the electronic signature device 10 may decrypt and store the encrypted information by using a private key, may decrypt and store the encrypted information by using a key negotiated with the backend server 40, and may decrypt and store the encrypted information by using a preset symmetric key the same as that of the backend server 40, or the electronic signature device 10 may directly store the encrypted identity storage information, and directly send the encrypted identity storage information to the first front-end terminal 10 when receiving the reading instruction. In addition, based on the above manner that the second front-end terminal 30 sends the identity storage information and the signature information of the identity storage information to the electronic signature device 10 for storage, the backend server 40 may sign the identity card information by using a private key of the backend server 40, the electronic signature device 10 verifies the signature data by using a public key of the backend server 40, and after the verification is passed, the electronic signature device 10 may store the identity card information and the signature data signed by the backend server 40 together (the identity card information and the signature data thereof may also be used as the identity storage information).

As an optional implementation manner of the embodiment of the present invention, the second front-end terminal 30 may obtain the identity card information stored in the resident identity card of the user by one of the following manners or a combination thereof:

the first method is as follows: the second front-end terminal 30 reads the identity card information stored in the resident identity card through equipment such as an identity card reader;

the second method comprises the following steps: the identity card information of the resident identity card is input into the second front-end terminal 30 through an input device or the like;

the third method comprises the following steps: the second front end terminal 30 scans the identification card information of the resident identification card by a scanning device or the like.

As an optional implementation manner of the embodiment of the present invention, the identity card information may be verified in one of the following manners or a combination thereof:

the first method is as follows: verifying the identity card information by the transactor;

the second method comprises the following steps: the second front-end terminal 30 sends the acquired identity card information to the background server 40, and the identity card information is sent to an identity card verification mechanism for verification and verification in a safe manner through the background server 40.

Only after the authenticity of the resident identification card information is verified, the identification card information is processed, so that the authenticity of the identification card information can be ensured.

As an optional implementation manner of the embodiment of the present invention, an identity card reader may be further disposed on the electronic signature device 10, and the identity card reader reads identity card information stored in a resident identity card, and stores the identity card information as identity storage information in the electronic signature device 10. With this alternative embodiment, the user can read the identification card information in the resident identification card to the electronic signature device 10 at any place for storage.

As an optional implementation manner of the embodiment of the present invention, the identification card information includes at least one of the following items or any combination thereof: name, identification number, expiration date, and biometric information. Of course, the identification card information may also include: gender, ethnicity, date of birth and/or address, etc. Of course, the biometric information may include one or any combination of the following: photos, fingerprints, and irises, etc.

As an optional implementation manner of the embodiment of the present invention, after the electronic signature device 10 stores the identity storage information, when going to the first front-end terminal 20 to handle a service, if the identity card information needs to be presented, the electronic signature device 10 only needs to be carried to provide the identity card information without carrying the identity card, which is convenient for a user to use, and meanwhile, the identity card information leakage caused by the loss of the identity card can be prevented. At this time, the electronic signature device 10 receives the read instruction transmitted from the first front end terminal 20, and transmits the identity storage information and the signature information to the first front end terminal 20.

As an optional implementation manner of the embodiment of the present invention, the first front end terminal 20 may read the identity storage information from the electronic signature device 10 through a dedicated interface, where the interface may be a wired interface, such as a USB, an audio, a serial port, or a wireless interface, such as: NFC, bluetooth, WIFI, RFID, etc. So that the first front end terminal 20 can accommodate a plurality of different types of electronic signature devices 10. Of course, the first front end terminal 20 may connect to the background server 40 using a secure link.

In an optional implementation of the embodiment of the present invention, the ciphertext information sent by the electronic signature device 10 and received by the first front end terminal 20 may be one of the following manners:

the first method is as follows: and the background server 40 encrypts the identity card information by using the first encryption key to obtain ciphertext information.

In this manner, when the electronic signature device 10 stores the identity storage information, the background server 40 sends the ciphertext information to the electronic signature device 10 via the second front-end terminal 30 for storage, and after receiving the ciphertext information, the electronic signature device 10 directly stores the ciphertext information. When receiving the reading instruction sent by the first front end terminal 20, the ciphertext information is directly returned to the first front end terminal 20.

The second method comprises the following steps: the electronic signature device 10 encrypts the id card information with the second encryption key to obtain ciphertext information.

In a specific application, the electronic signature device 10 may encrypt and store the identification card information when storing the identification card information, or may encrypt and send the plaintext of the stored identification card information to the first front end terminal 20 when receiving the reading instruction. The specific embodiments of the present invention are not limited.

The third method comprises the following steps: the electronic signature device 10 encrypts the encrypted data by using the second encryption key to obtain ciphertext information, wherein the encrypted data is obtained by encrypting the id card information by using the first encryption key by using the background server 40.

In this manner, when the electronic signature device 10 stores the identity storage information, the backend server 40 sends, via the second front-end terminal 30, encrypted data obtained by encrypting the identity card information with the first encryption key to the electronic signature device 10, and after receiving the encrypted data, the electronic signature device 10 may directly store the encrypted data, or may store the encrypted data after encrypting the encrypted data with the second encryption key. When receiving the reading instruction sent by the first front-end terminal 20, the electronic signature device 10 directly encrypts the stored encrypted data by using the second encryption key to obtain ciphertext information, and returns the ciphertext information to the first front-end terminal 20, or returns the stored ciphertext information to the first front-end terminal 20.

The method is as follows: the electronic signature device 10 encrypts the id card information and the second signature information by using a second encryption key to obtain ciphertext information, where the second signature information is obtained by the background server 40 signing the id card information by using the private key of the background server 40.

In this way, the second signature information may be sent to the electronic signature device 10 via the second front-end terminal 30 together with the id card information by the background server 40 when the electronic signature device 10 stores the id storage information, the electronic signature device 10 may encrypt and store the id card information and the second signature information as the id storage information by using the second encryption key when receiving the id card information and the second signature information, or may directly store the id card information and the second signature information, and when receiving the reading instruction, encrypt and return the id card information and the second signature information to the first front-end terminal 20 by using the second encryption key.

The fifth mode is as follows: the electronic signature device 10 encrypts, by using a second encryption key, encrypted data of the identification card information and ciphertext information obtained by encrypting second signature information, where the encrypted data of the identification card information is obtained by encrypting, by using the first encryption key, the identification card information by using the background server 40, and the second signature information is obtained by signing, by using a private key of the background server 40, the identification card information by using the background server 40.

In this way, the encrypted data of the identification card information and the second signature information may be sent to the electronic signature device 10 by the background server 40 via the second front-end terminal 30 when the electronic signature device 10 stores the identification storage information, the electronic signature device 10 may encrypt and store the encrypted data of the identification card information and the second signature information as the identification storage information by using the second encryption key when receiving the encrypted data of the identification card information and the second signature information, or directly store the encrypted data of the identification card information and the second signature information, and when receiving the reading instruction, encrypt and return the encrypted data of the identification card information and the second signature information to the first front-end terminal 20 by using the second encryption key.

After receiving the ciphertext information sent by the first front end terminal 20, the backend server 40 may decrypt the ciphertext information in the following manners:

the first method is as follows: the background server 40 decrypts the ciphertext information by using the first decryption key corresponding to the first encryption key to obtain the identity card information.

The first encryption key and the first decryption key are a pair of keys, which may be symmetric keys or asymmetric keys. The signature information may be preset, or may be negotiated between the background server 40 and the electronic signature device 10, and the embodiment of the present invention is not limited.

The second method comprises the following steps: the background server 40 decrypts the ciphertext information by using a second decryption key corresponding to the second encryption key to obtain the identity card information.

The second encryption key and the second decryption key are a pair of keys, which may be symmetric keys or asymmetric keys. The second encryption key may be preset, for example, the public key of the background server 40, and the second decryption key is the private key of the background server 40. Alternatively, the backend server 40 may negotiate with the electronic signature device 10, for example, the backend server 40 establishes a secure channel with the electronic signature device 10 through mutual authentication, and negotiates a transmission key. The specific embodiments of the present invention are not limited.

The third method comprises the following steps: the background server 40 decrypts the ciphertext information by using the second decryption key corresponding to the second encryption key to obtain encrypted data, and then decrypts the encrypted data by using the second decryption key corresponding to the second encryption key to obtain the identity card information.

The method is as follows: the background server 40 decrypts the ciphertext information by using a second decryption key corresponding to the second encryption key to obtain the identity card information and the second signature information.

In this case, after the background server 40 decrypts the id card information and the second signature information, the second signature information may be verified, and after the verification is passed, the obtained id card information is returned to the first front end terminal 20, so that the reliability of the id card information may be ensured.

The fifth mode is as follows: the background server 40 decrypts the ciphertext information by using the second decryption key corresponding to the second encryption key to obtain the encrypted data and the second signature information, and then decrypts the encrypted data by using the second decryption key corresponding to the second encryption key to obtain the identity card information.

In an optional implementation of the embodiment of the present invention, in each of the possible optional implementations, after receiving the reading instruction, the electronic signature device 10 returns data to the first front-end terminal 20, where the ciphertext information may include signature information, and the backend server 40 may further verify the signature information before returning the decrypted identification card information to the first front-end terminal 20, and return the obtained identification card information to the first front-end terminal 20 after the verification is passed, so as to ensure reliability and non-repudiation of the obtained identification card information.

In particular applications, the signature information may include, but is not limited to, at least one of:

the first method is as follows: the electronic signature device 10 uses its private key to sign the identity storage information or the ciphertext of the identity storage information to obtain the first signature information.

Correspondingly, when the background server 40 verifies the signature information, the first signature information may be verified by using the public key of the electronic signature device 10.

The ciphertext of the identity storage information may be obtained by encrypting the identity storage information by the electronic signature device 10, or may be obtained by encrypting the identity card information by the background server 40.

In this case, optionally, in order to avoid a replay attack, the first front end terminal 20 carries single authentication information in the read instruction sent to the electronic signature device 10; the signature information may further include: the electronic signature device 10 signs the single authentication information with its private key to obtain third signature information. Correspondingly, when the background server 40 verifies the signature information, the third signature information may also be verified by using the public key of the electronic signature device 10.

As an optional implementation manner of the embodiment of the present invention, the single authentication information may include one or a combination of the following: a random factor, a time factor, and an event factor.

Specifically, the random factor may be one or a combination of the following: random numbers, random characters, and random chinese characters. The time factor may be the time of day. The event factor may be a number of counts accumulated by the counter each time it occurs, each time it is different.

Since the first front-end terminal 20 includes the single authentication information each time the read instruction is sent, it can be ensured that different information is sent by the electronic signature device 10 each time the identity storage information is read from the electronic signature device 10, and even if intercepted, the information cannot be used on the first front-end terminal 20 for the second time, thereby preventing replay attack.

In a specific implementation process, the single authentication information carried in the read instruction may be sent to the first front end terminal 20 by the back end server 40. For example, before the first front-end terminal 20 needs to read the identification card information from the electronic signature device 10, the first front-end terminal may notify the backend server 40 first, after receiving the notification of the first front-end terminal 20, the backend server 40 sends single authentication information to the electronic signature device 10 to the first front-end terminal 20, and the electronic signature device 10 sends the single authentication information to the electronic signature device 10 by carrying a reading instruction. Of course, the first front end terminal 20 may not carry the single authentication information in the reading instruction and send the reading instruction to the electronic signature device 10, but send the single authentication information to the electronic signature device 10 through a separate signaling, for example, a signature instruction, and the first front end terminal 20 may also notify the background server 40 after sending the reading instruction to the electronic signature device 10, then receive the single authentication request sent by the background server 40, and then send the single authentication request to the first front end terminal 20. The specific embodiments of the present invention are not limited.

In an optional implementation of the embodiment of the present invention, the storing the information in the identity may further include: the background server 40 uses its private key to sign the id card information to obtain second signature information. Correspondingly, when the background server 40 verifies the signature information, the public key of the background server 40 is also used to verify the second signature information.

The second signature information may be sent to the electronic signature device 10 as a part of the identity storage information when the second front-end terminal 30 sends the identity storage information to the electronic signature device 10. That is, the second front-end terminal 30 may send the identification card information to the backend server 40 after acquiring the identification card information stored in the resident identification card, the backend server 40 signs the identification card information with the private key of the backend server 40 to obtain second signature information, and then returns the second signature information to the second front-end terminal 30, and the second front-end terminal 30 sends the second signature information to the electronic signature device 10 as a part of the identification storage information, and the electronic signature device 10 stores the second signature information as a part of the identification storage information after receiving the second signature information.

It should be noted that, if the backend server 40 needs to verify a plurality of signature information, the verification is confirmed only if all signature information is verified.

For those skilled in the art, in the embodiment of the present invention, the background server 40 verifies the signature information means that the background server 40 decrypts the signature information by using a public key (as described above, the public key of the electronic signature device 10 or the public key of the background server 40) to obtain a digest value, then the background server 40 performs digest calculation on corresponding information (as described above, the corresponding information may be the identity card information or the identity storage information), compares the calculated digest value with the decrypted digest value, if the calculated digest value is consistent with the decrypted digest value, the verification is passed, and otherwise, the verification is not passed.

The second method comprises the following steps: the background server 40 signs the identity card information or the ciphertext of the identity card information by using the private key thereof to obtain second signature information.

In this case, the second signature information may be transmitted to the electronic signature device 10 together with the id card information or the ciphertext of the id card information when the second front end terminal 30 transmits the id card information or the ciphertext of the id card information to the electronic signature device 10. That is, after acquiring the identification card information stored in the resident identification card, the second front-end terminal 30 may send the identification card information to the background server 40, the background server 40 signs the identification card information by using the private key of the background server 40 to obtain second signature information, and then returns the second signature information and the plaintext or ciphertext of the identification card information to the second front-end terminal 30 together, while the second front-end terminal 30 sends the plaintext or ciphertext of the identification card information and the second signature information to the electronic signature device 10 together, after receiving the second signature information and the plaintext or ciphertext of the identification card information are stored in a related manner by the electronic signature device 10, and when receiving the reading instruction, the second signature information is returned to the first front-end terminal 20 together. In this case, when the backend server 40 verifies the signature information, the second signature information is verified by using the public key of the backend server 40.

By using the system provided by the embodiment of the invention, the electronic signature device 10 stores the identity card information, the first front-end terminal 20 sends the ciphertext information of the read identity storage information to the background server 40 when reading the identity card information, and the background server 40 decrypts the ciphertext information of the identity storage information read from the electronic signature device 10, so that the problem that the identity card is easy to lose and lose when being carried about can be prevented, and the identity card information stored in the electronic signature device 10 can not be illegally read.

In this embodiment, the front end terminal and the background server are separately provided as an example, but the present invention is not limited to this, and in practical applications, the front end terminal and the background server may be provided as a single unit. As long as the functions provided by the embodiments of the present invention can be achieved.

According to the embodiment of the present invention, there is also provided a resident identification card information verification system, which includes the electronic signature device 10 and the identification card information acquisition system.

The following describes the structures of the first front-end terminal 20 and the backend server 40 in the identity card information acquisition system, respectively.

In an alternative implementation of the embodiment of the present invention, the first front terminal 20 may adopt a structure as shown in fig. 2. As shown in fig. 2, the first front end terminal 20 provided in the embodiment of the present invention mainly includes: a first sending module 200, a first receiving module 202 and a second sending module 204. Wherein,

a first sending module 200, configured to send an identification card information reading instruction to the electronic signature device 10, and request to read the identification storage information stored in the electronic signature device, where the identification storage information includes: identity card information in the user resident identity card.

The first receiving module 202 is configured to receive ciphertext information of the identity storage information sent by the electronic signature apparatus 10.

And a second sending module 204, configured to send the ciphertext information of the identity storage information to the background server 40.

In an alternative implementation of the embodiment of the present invention, background server 40 may adopt a structure as shown in fig. 3. As shown in fig. 3, the background server 40 provided in the embodiment of the present invention mainly includes: a second receiving module 400, a decryption module 402 and a third sending module 404. Wherein,

the second receiving module 400 is configured to receive the ciphertext information sent by the first preterminal 20.

And the encryption and decryption module 402 is configured to decrypt the received ciphertext information to obtain the identity card information.

And a third sending module 404, configured to return the decrypted identification card information to the first front end terminal 20.

Therefore, the identity card information acquisition system provided by the embodiment of the invention can prevent the problem of identity information leakage caused by the fact that the portable identity card is easy to lose and lose, and ensure that the identity card information stored in the electronic signature device 10 cannot be illegally read.

In an optional implementation manner of the embodiment of the present invention, as described above, the ciphertext information received by the first receiving module 202 includes the first to fifth manners, and the encrypting and decrypting module 402 may decrypt using the first to fifth manners.

Optionally, the background server 40 may further include: the first acquisition module is used for acquiring identity storage information before the first front-end terminal sends an identity card information reading instruction to the electronic signature device; the third sending module 404 is further configured to send the identity storage information to the electronic signature device via the second front end terminal.

Optionally, the background server 40 may further include: the second acquisition module is used for acquiring the identity storage information before the first front-end terminal sends an identity card information reading instruction to the electronic signature device; the encryption and decryption module 402 is further configured to encrypt the identity storage information acquired by the second acquisition module with a first encryption key; the third sending module 404 is further configured to send the encrypted ciphertext information to the electronic signature device via the second front-end terminal; the encryption and decryption module 402 decrypts the ciphertext message by: and decrypting the ciphertext information by adopting a first decryption key corresponding to the first encryption key to obtain the identity card information.

Optionally, the background server 40 may further include: the third acquisition module is used for acquiring the identity storage information before the first front-end terminal sends an identity card information reading instruction to the electronic signature device; the encryption and decryption module 402 is further configured to encrypt the identity storage information acquired by the third acquisition module with the first encryption key; the third sending module 404 is further configured to send the encrypted data obtained by encryption to the electronic signature device via the second front-end terminal; the ciphertext information is obtained by encrypting the encrypted data by the electronic signature device by adopting a second encryption key; the encryption and decryption module 402 decrypts the ciphertext message by: and decrypting the ciphertext information by using a second decryption key corresponding to the second encryption key to obtain encrypted data, and decrypting the encrypted data by using a first decryption key corresponding to the first encryption key to obtain the identity card information.

In an optional implementation of the embodiment of the present invention, after receiving the reading instruction, the electronic signature device 10 returns data to the first front end terminal 20, where the data may include signature information in addition to the above-mentioned ciphertext information, and the backend server 40 may also verify the signature information before returning the decrypted identification card information to the first front end terminal 20, and after the verification is passed, return the obtained identification card information to the first front end terminal 20, so as to ensure reliability and non-repudiation of the obtained identification card information. As described above, the signature information may include at least the contents of the above-described manner one and manner two.

In an optional implementation of the embodiment of the present invention, the data sent by the third sending module 404 to the electronic signature device 10 via the second front-end terminal may further include, in addition to the identity storage information: the background server signs the identity card information to obtain second signature information; the data sent by the electronic signature device 10 and received by the first receiving module 202 may include, in addition to the id card storage information: the background server 40 signs the identity card information to obtain second signature information or the electronic signature device encrypts the second signature information by using a third encryption key to obtain a second signature information ciphertext; background server 40 may also include: the first verification module is configured to verify the second signature information, and after the second signature information passes the verification, trigger the encryption and decryption module 402 to decrypt the ciphertext information; or, the second signature information ciphertext is decrypted by using a third decryption key corresponding to the third encryption key, the decrypted second signature information is verified, and after the verification is passed, the encryption and decryption module 402 is triggered to decrypt the ciphertext information.

In an optional implementation of the embodiment of the present invention, the identity storage information may further include: the background server 40 signs the identity card information to obtain second signature information; the background server may further include: and the second verification module is configured to verify the second signature information obtained by the signature, and after the second signature information passes the verification, trigger the encryption and decryption module 402 to decrypt the ciphertext information.

In an optional implementation of the embodiment of the present invention, the data sent by the electronic signature device and received by the first receiving module 202 may further include, in addition to the identity storage information: the electronic signature device 10 signs the identity card information or the identity storage information to obtain first signature information or a ciphertext of the first signature information; the background server may further include: the third verification module is configured to verify the first signature information, and after the verification passes, trigger the encryption and decryption module 402 to decrypt the ciphertext information; or, the ciphertext of the first signature information is decrypted, the decrypted first signature information is verified, and the encryption and decryption module 402 is triggered to decrypt the ciphertext information after the verification is passed.

As an optional implementation manner of the embodiment of the present invention, the identification card information includes at least one of the following items or any combination thereof: name, ID card number, validity period and biological identification information, of course, ID card information may also include: gender, ethnicity, date of birth and/or address, etc. Wherein, the biological identification information comprises one or any combination of the following: photos, fingerprints, and irises.

The embodiment of the invention also provides an identity card information acquisition method, which is applied to the system and can be completed by the cooperation of the first front-end terminal 20 and the background server 40.

Fig. 4 shows a flowchart of an identification card information obtaining method according to an embodiment of the present invention, and referring to fig. 4, the identification card information obtaining method according to the embodiment of the present invention mainly includes the following steps S410 to S450.

In this embodiment of the present invention, when the identity card information of the user needs to be acquired, step S410 is executed, and the first front end terminal 20 sends an identity card information reading instruction to the electronic signature device 10 to request to read the identity storage information stored in the electronic signature device 10 and including the identity card information in the resident identity card of the user, where the identity storage information includes: identity card information in the user resident identity card.

After receiving the reading instruction, the electronic signature device 10 sends the ciphertext information of the identity storage information to the first front-end terminal 20, and in step S420, the first front-end terminal 20 receives the ciphertext information of the identity storage information sent by the electronic signature device 10. After receiving the ciphertext information of the identity storage information from the electronic signature apparatus 10, since the first front end terminal 20 does not have the signature verification capability, the first front end terminal 20 sends the ciphertext information of the identity storage information to the background server 40 (step S430). Of course, if the first front end terminal 20 has the decryption function, the subsequent decryption step may be directly performed in the first front end terminal 20. Namely, the first front end terminal 20 and the background server 40 are integrated.

After the background server 40 receives the identity storage information and the signature information, step S440 is executed to decrypt the ciphertext information to obtain the identity card information. The backend server 40 then returns the decrypted identification card information to the first front end terminal 20 (step S450).

In an optional implementation of the embodiment of the present invention, the identity storage information stored in the electronic signature device 10 may be stored by the backend server 40 via the second front-end terminal 30, and therefore, in this optional implementation, before the first front-end terminal 20 sends the identification card information reading instruction to the electronic signature device 10, the backend server 40 may send the identity storage information to the electronic signature device 10 through the second front-end terminal 30.

In an optional implementation of the embodiment of the present invention, in step S420, the ciphertext information sent by the electronic signature device 10 and received by the first front end terminal 20 may include one of the following manners:

In this mode, before step S410, when the electronic signature device 10 stores the identity storage information, the background server 40 sends the ciphertext information to the electronic signature device 10 via the second front-end terminal 30 for storage, and after receiving the ciphertext information, the electronic signature device 10 directly stores the ciphertext information. When receiving the reading instruction sent by the first front end terminal 20, the ciphertext information is directly returned to the first front end terminal 20.

In a specific application, before step S410, the electronic signature device 10 may encrypt and store the identification card information when storing the identification card information, or may encrypt and send the plaintext of the stored identification card information to the first front end terminal 20 when receiving the reading instruction. The specific embodiments of the present invention are not limited.

In this manner, before step S410, when the identity storage information is stored, the background server 40 sends, to the electronic signature device 10 via the second front end terminal 30, encrypted data obtained by encrypting the identity card information with the first encryption key, and after receiving the encrypted data, the electronic signature device 10 may directly store the encrypted data, or may store the encrypted data after encrypting the encrypted data with the second encryption key. When receiving the reading instruction sent by the first front end terminal 20 in step S410, the electronic signature device 10 directly encrypts the stored encrypted data by using the second encryption key to obtain ciphertext information, and returns the ciphertext information to the first front end terminal 20, or returns the stored ciphertext information to the first front end terminal 20.

In this way, the second signature information may be that before step S410, when the electronic signature device 10 stores the identity storage information, the background server 40 sends the identity card information to the electronic signature device 10 via the second front-end terminal 30 together with the identity card information, when receiving the identity card information and the second signature information, the electronic signature device 10 may encrypt and store the identity card information and the second signature information as the identity storage information by using the second encryption key, or directly store the identity card information and the second signature information, and when receiving the read instruction in step S410, the electronic signature device may encrypt and return the identity card information and the second signature information to the first front-end terminal 20 by using the second encryption key.

In this way, the encrypted data and the second signature information of the id card information may be sent to the electronic signature device 10 by the background server 40 through the second front-end terminal 30 before step S410 when the electronic signature device 10 stores the id storage information, and the electronic signature device 10 may encrypt and store the encrypted data and the second signature information of the id card information as the id storage information by using the second encryption key when receiving the encrypted data and the second signature information of the id card information, or directly store the encrypted data and the second signature information of the id card information, and encrypt and return the encrypted data and the second signature information of the id card information to the first front-end terminal 20 by using the second encryption key when receiving the reading instruction in step S420.

After receiving the ciphertext information sent by the first front end terminal 20, the backend server 40 may decrypt the ciphertext information in the following manners in step S440:

In this case, after the background server 40 decrypts the identification card information and the second signature information, before the step S450 is executed, the second signature information may be verified, and after the verification is passed, the obtained identification card information is returned to the first front end terminal 20 (step S450), so that the reliability of the identification card information may be ensured.

In this case, after the background server 40 decrypts the identification card information and the second signature information, before step S450, the second signature information may be verified, and after the verification is passed, the obtained identification card information is returned to the first front-end terminal 20 (step S450), so that the reliability of the identification card information may be ensured.

In an optional implementation of the embodiment of the present invention, after receiving the reading instruction in step S410, the electronic signature device 10 returns data to the first front end terminal 20, where the ciphertext information may include signature information, and the background server 40 may further verify the signature information before returning the decrypted identification card information to the first front end terminal 20 (step S450), and after the verification is passed, return the obtained identification card information to the first front end terminal 20 (step S450), so as to ensure reliability and non-repudiation of the obtained identification card information.

Correspondingly, when the background server 40 verifies the signature information, the first signature information may be verified by using the public key of the electronic signature device 10. Through the optional implementation mode, the acquired identity card information can be ensured to be authenticated by the user of the electronic signature device, so that the reliability and the non-repudiation of the identity card information are ensured.

In this case, optionally, in order to avoid a replay attack, in step S410, the first front end terminal 20 carries single authentication information in the read instruction sent to the electronic signature device 10; the signature information may further include: the electronic signature device 10 signs the single authentication information with its private key to obtain third signature information. Correspondingly, when the background server 40 verifies the signature information, the third signature information may also be verified by using the public key of the electronic signature device 10.

In this case, the second signature information may be transmitted to the electronic signature device 10 together with the id card information or the ciphertext of the id card information when the second front end terminal 30 transmits the id card information or the ciphertext of the id card information to the electronic signature device 10. That is, after acquiring the identification card information stored in the resident identification card, the second front-end terminal 30 may send the identification card information to the background server 40, the background server 40 signs the identification card information by using the private key of the background server 40 to obtain second signature information, and then returns the second signature information and the plaintext or ciphertext of the identification card information to the second front-end terminal 30 together, while the second front-end terminal 30 sends the plaintext or ciphertext of the identification card information and the second signature information to the electronic signature device 10 together, after receiving the second signature information and the plaintext or ciphertext of the identification card information are stored in a related manner by the electronic signature device 10, and when receiving the reading instruction, the second signature information is returned to the first front-end terminal 20 together. In this case, when the backend server 40 verifies the signature information, the second signature information is verified by using the public key of the backend server 40. Through the optional implementation mode, the acquired identity card information can be ensured to be authenticated by the background server, so that the reliability of the identity card information is ensured.

That is to say, in an optional implementation of the embodiment of the present invention, the ciphertext information is obtained by encrypting, by the electronic signature apparatus, the identity storage information using the second encryption key; and when step S440 is executed, the background server decrypts the ciphertext information by using the second decryption key corresponding to the second encryption key, so as to obtain the identity card information.

In another optional implementation of the embodiment of the present invention, before the first front-end terminal sends the identification card information reading instruction to the electronic signature device, the background server obtains the identification storage information, and sends the identification storage information to the electronic signature device via the second front-end terminal.

In an optional implementation scheme of the embodiment of the present invention, before the first front-end terminal sends the identification card information reading instruction to the electronic signature device, the background server obtains the identification storage information, encrypts the identification storage information by using the first encryption key, and sends ciphertext information obtained by encryption to the electronic signature device via the second front-end terminal; and when step S440 is executed, the background server decrypts the ciphertext information by using the first decryption key corresponding to the first encryption key, so as to obtain the identity card information.

In another optional implementation manner of the embodiment of the present invention, before the first front-end terminal sends the identification card information reading instruction to the electronic signature device, the background server obtains the identification storage information, encrypts the identification storage information by using the first encryption key, and sends encrypted data obtained by encryption to the electronic signature device via the second front-end terminal; the ciphertext information is obtained by encrypting the encrypted data by the electronic signature device by adopting a second encryption key; and when step S440 is executed, the background server decrypts the ciphertext information by using the second decryption key corresponding to the second encryption key to obtain encrypted data, and then decrypts the encrypted data by using the first decryption key corresponding to the first encryption key to obtain the id card information.

In another optional implementation manner of the embodiment of the present invention, the data sent by the background server to the electronic signature device through the second front-end terminal further includes, in addition to the identity storage information: the background server signs the identity card information to obtain first signature information; the data sent to the first preposed terminal by the electronic signature device also comprises the following information besides the identity card storage information: the background server signs the identity card information to obtain first signature information or the electronic signature equipment encrypts the first signature information by adopting a third encryption key to obtain a first signature information ciphertext; after step S440 and before step S450 are executed, the background server verifies the first signature information, and the verification is passed; or the background server decrypts the first signature information ciphertext by using a third decryption key corresponding to the third encryption key, verifies the decrypted first signature information, and the verification is passed.

In yet another optional implementation manner of the embodiment of the present invention, the identity storage information may further include: the background server signs the identity card information to obtain first signature information; after step S440 and before step S450 are executed, the background server verifies the signed first signature information, and the verification is passed.

In another optional implementation manner of the embodiment of the present invention, the data sent by the electronic signature device to the first front-end terminal includes, in addition to the identity storage information: the electronic signature equipment signs the identity card information or the identity storage information to obtain second signature information or a ciphertext of the second signature information; after step S440 and before step S450 are executed, the background server verifies and passes the verification of the second signature information; or the background server decrypts the ciphertext of the second signature information, verifies the decrypted second signature information and passes the verification.

Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.

It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.

It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.

In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.

The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.

In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made in the above embodiments by those of ordinary skill in the art without departing from the principle and spirit of the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims

1. An identity card information acquisition method is characterized by comprising the following steps:

the electronic signature device obtains ciphertext information, the first front-end terminal sends an identity card information reading instruction to the electronic signature device to request to read identity storage information stored in the electronic signature device, wherein the identity storage information comprises: identity card information in a resident identity card of a user and signature of the identity card information by a background server to obtain first signature information; the method for obtaining the ciphertext information by the electronic signature device comprises the following steps: in a first mode, the background server acquires the identity storage information, the identity storage information is sent to the electronic signature device through a second front-end terminal, and the electronic signature device encrypts the identity storage information by adopting a second encryption key to obtain the ciphertext information; in a second mode, the background server acquires the identity storage information, encrypts the identity storage information by adopting a first encryption key, and sends the encrypted ciphertext information obtained by encryption to the electronic signature device through the second front-end terminal; in a third mode, the background server acquires the identity storage information, encrypts the identity storage information by using the first encryption key, and sends encrypted data obtained by encryption to the electronic signature device through a second front-end terminal, wherein the ciphertext information is obtained by encrypting the encrypted data by the electronic signature device by using the second encryption key;

the first front-end terminal receives the ciphertext information sent by the electronic signature device, and the electronic signature device signs the identity card information or the identity storage information to obtain second signature information or a ciphertext of the second signature information;

the first front-end terminal signs the identity card information or the identity storage information by the ciphertext information and the electronic signature equipment to obtain second signature information and sends the second signature information to the background server; the background server decrypts the ciphertext information to obtain the identity card information, verifies and passes the first signature information, and returns the obtained identity card information to the first preposed terminal after the second signature information is verified and passes the verification;

or,

the first front-end terminal sends the ciphertext information and a ciphertext of second signature information obtained by the electronic signature device signing the identity card information or the identity storage information to the background server; the background server decrypts the ciphertext information to obtain the identity card information, verifies and passes the first signature information, verifies and passes the second signature information obtained by decrypting the ciphertext of the second signature information, and returns the obtained identity card information to the first front-end terminal after the verification is passed;

the method for decrypting the ciphertext information by the background server comprises the following steps: when the electronic signature device obtains the ciphertext information in a first mode, the background server decrypts the ciphertext information by using a second decryption key corresponding to the second encryption key; when the electronic signature device obtains the ciphertext information in a second mode, the background server decrypts the ciphertext information by using a first decryption key corresponding to the first encryption key; and when the electronic signature device obtains the ciphertext information in a third mode, the background server decrypts the ciphertext information by using a second decryption key corresponding to the second encryption key to obtain the encrypted data, and then decrypts the encrypted data by using a first decryption key corresponding to the first encryption key.

2. The method of claim 1,

the data sent by the background server to the electronic signature device through the second front-end terminal further includes, in addition to the identity storage information: the background server signs the identity card information to obtain first signature information;

the data sent by the electronic signature device to the first front-end terminal includes, in addition to the identity card storage information: the background server signs the identity card information to obtain first signature information or the electronic signature equipment encrypts the first signature information by adopting a third encryption key to obtain a first signature information ciphertext;

after the ciphertext information is decrypted and the identity card information is obtained and before the obtained identity card information is returned to the first front-end terminal, the method further includes: the background server verifies the first signature information, and the verification is passed; or the background server decrypts the first signature information ciphertext by using a third decryption key corresponding to the third encryption key, verifies the decrypted first signature information, and the verification is passed.

3. An identification card information acquisition system, comprising: the system comprises a first front terminal and a background server; wherein,

the first front end terminal includes:

a first sending module, configured to send an identification card information reading instruction to an electronic signature device, and request to read the identification storage information stored in the electronic signature device, where the identification storage information includes: identity card information in a resident identity card of a user and the background server signing the identity card information to obtain first signature information;

the first receiving module is used for receiving ciphertext information sent by the electronic signature device, and the electronic signature device signs the identity card information or the identity storage information to obtain second signature information or ciphertext of the second signature information;

the method for obtaining the ciphertext information by the electronic signature device comprises the following steps: in a first mode, a first obtaining module of the background server is used for obtaining the identity storage information, a third sending module is used for sending the identity storage information to the electronic signature device through a second front-end terminal, and the electronic signature device encrypts the identity storage information by adopting a second encryption key to obtain the ciphertext information; in a second mode, the second obtaining module of the background server is configured to obtain the identity storage information before the first front-end terminal sends the identity card information reading instruction to the electronic signature device, the encryption and decryption module is configured to encrypt the identity storage information obtained by the second obtaining module with a first encryption key, and the third sending module is configured to send the encrypted ciphertext information obtained by encryption to the electronic signature device via the second front-end terminal; in a third mode, the third obtaining module of the background server is configured to obtain the identity storage information before the first front-end terminal sends the identity card information reading instruction to the electronic signature device, the encryption and decryption module is configured to encrypt the identity storage information obtained by the third obtaining module with the first encryption key, the third sending module is configured to send encrypted data obtained by encryption to the electronic signature device via the second front-end terminal, and the ciphertext information is obtained by encrypting the encrypted data with the second encryption key by the electronic signature device;

the second sending module is used for signing the identity card information or the identity storage information by the ciphertext information and the electronic signature equipment to obtain second signature information and sending the second signature information to the background server;

the background server comprises:

the second receiving module is used for receiving the ciphertext information and signing the identity card information or the identity storage information by the electronic signature device to obtain second signature information;

the encryption and decryption module is used for decrypting the ciphertext information to obtain the identity card information;

the second verification module is used for verifying the first signature information;

the third verification module is used for verifying the second signature information;

the third sending module is used for returning the identity card information obtained by decryption to the first preposed terminal after the second verification module verifies and passes the verification of the first signature information and the third verification module verifies and passes the verification of the second signature information;

or,

the second sending module of the first front-end terminal is configured to send the ciphertext information and a ciphertext of second signature information obtained by the electronic signature device signing the identity card information or the identity storage information to the background server;

the background server comprises:

the second receiving module is used for receiving the ciphertext information and a ciphertext of second signature information obtained by the electronic signature device signing the identity card information or the identity storage information;

the third verification module is used for verifying the second signature information obtained by decrypting the ciphertext of the second signature information;

the third sending module is used for returning the identity card information obtained by decryption to the first prepositive terminal after the encryption and decryption module verifies and passes the verification of the first signature information and verifies and passes the verification of the second signature information;

the method for decrypting the ciphertext information by the background server comprises the following steps: when the electronic signature device obtains the ciphertext information in a first mode, the encryption and decryption module of the background server is used for decrypting the ciphertext information by using a second decryption key corresponding to the second encryption key; when the electronic signature device obtains the ciphertext information in the second mode, the encryption and decryption module of the background server is used for decrypting the ciphertext information by using a first decryption key corresponding to the first encryption key; when the electronic signature device obtains the ciphertext information in the third mode, the encryption and decryption module of the background server is configured to decrypt the ciphertext information by using the second decryption key corresponding to the second encryption key to obtain the encrypted data, and decrypt the encrypted data by using the first decryption key corresponding to the first encryption key.

4. The system of claim 3,

the data sent by the third sending module to the electronic signature device via the second prepositive terminal further comprises, in addition to the identity storage information: the background server signs the identity card information to obtain first signature information;

the data sent by the electronic signature device and received by the first receiving module further includes, in addition to the identity card storage information: the background server signs the identity card information to obtain first signature information or the electronic signature equipment encrypts the first signature information by adopting a third encryption key to obtain a first signature information ciphertext;

the background server further comprises: the first verification module is used for verifying the first signature information and triggering the encryption and decryption module to decrypt the ciphertext information after the first signature information passes the verification; or, the first signature information ciphertext is decrypted by adopting a third decryption key corresponding to the third encryption key, the decrypted first signature information is verified, and after the verification is passed, the encryption and decryption module is triggered to decrypt the ciphertext information.

5. A resident identification card information verification system, comprising: an electronic signature device and an identification card information acquisition system as claimed in any one of claims 3 or 4.