CN105790946B - Method, system and related equipment for establishing data channel - Google Patents

Method, system and related equipment for establishing data channel Download PDF

Info

Publication number
CN105790946B
CN105790946B CN201410806632.7A CN201410806632A CN105790946B CN 105790946 B CN105790946 B CN 105790946B CN 201410806632 A CN201410806632 A CN 201410806632A CN 105790946 B CN105790946 B CN 105790946B
Authority
CN
China
Prior art keywords
data channel
application
information
card
authentication information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410806632.7A
Other languages
Chinese (zh)
Other versions
CN105790946A (en
Inventor
袁松
李亚强
葛欣
李征
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Sichuan Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Sichuan Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Sichuan Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201410806632.7A priority Critical patent/CN105790946B/en
Publication of CN105790946A publication Critical patent/CN105790946A/en
Application granted granted Critical
Publication of CN105790946B publication Critical patent/CN105790946B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method for establishing a data channel, which comprises the following steps: the entity outside the card acquires the security authentication information of the application data channel from the intelligent card management platform; the entity outside the card sends an authentication registration message carrying the security authentication information to the intelligent card equipment; and after the smart card equipment successfully verifies the safety authentication information, establishing a data channel with the entity outside the card. The invention also discloses an off-card entity, an intelligent card management platform, intelligent card equipment and a system for establishing a data channel.

Description

Method, system and related equipment for establishing data channel
Technical Field
The present invention relates to the field of data services, and in particular, to a method, a system, and a related device for establishing a data track.
Background
With the popularization of mobile electronic commerce, data stored by the smart card is more and more important. The smart card can store sensitive information such as user identity information, bank card account balance and the like, so that the security of the smart card is more important.
At present, the smart card product supports the access of an external entity of the card through a plurality of physical connection forms of a non-contact card reader, a data line (contact type) and Bluetooth, and carries out data interaction with the smart card.
The security of a smart card relies on smart card hardware devices on the one hand and on data channel security mechanisms between the smart card and the off-card entity on the other hand.
As shown in fig. 1, currently, an entity outside a card (including an entity outside a card such as a card reader or a mobile phone) accesses a smart card through a physical channel established between the entity outside a card and the smart card, such as: a non-connected physical channel, or a bluetooth physical channel, etc. However, the data channel established between the smart card and the off-card entity has no security authentication mechanism, so the off-card entity can access the smart card at will, and thus attack damage can be caused to the smart card, so that sensitive information (user identity information, bank card information, bank account balance and the like) on the smart card can be acquired at will, data on the smart card can be modified and the like.
Disclosure of Invention
In order to solve the existing technical problem, embodiments of the present invention provide a method, a system, and a related device for establishing a data track.
The embodiment of the invention provides a method for establishing a data channel, which comprises the following steps:
the entity outside the card acquires the security authentication information of the application data channel from the intelligent card management platform;
the entity outside the card sends an authentication registration message carrying the security authentication information to the intelligent card equipment;
and after the smart card equipment successfully verifies the safety authentication information, establishing a data channel with the entity outside the card.
In the above scheme, the acquiring, by the off-card entity, the security authentication information of the application data channel from the smart card management platform includes:
the entity outside the card sends a data channel registration application carrying the relevant information of the corresponding application to the intelligent card management platform;
after receiving the data channel registration application, the smart card management platform generates security authentication information of the corresponding application by using a key or a certificate stored by the smart card management platform and according to the application related information;
and the intelligent card management platform sends the generated security authentication information to the entity outside the card.
In the above scheme, the checking, by the smart card device, the security authentication information includes:
the smart card equipment generates security authentication information of the corresponding application according to the relevant information of the corresponding application by using a key or a certificate stored in the smart card equipment;
and matching the generated security authentication information corresponding to the application with the security authentication information carried in the authentication registration message.
In the above scheme, after the data channel is established, the method further includes:
and the smart card equipment adds the information of the corresponding application in an application software registry of the smart card equipment.
In the above scheme, after the data channel is established, the method further includes:
after receiving an Application Protocol Data Unit (APDU) command of the entity outside the card, the smart card device performs corresponding transaction operation when determining that a Data channel corresponding to the APDU is valid.
In the foregoing solution, the determining that the data channel corresponding to the APDU is valid is:
and the smart card equipment determines that the data channel corresponding to the APDU is valid according to the information of the data channel corresponding to the APDU in the application software registry.
In the above scheme, the method further comprises:
after the transaction operation is completed, the smart card device closes the data channel corresponding to the APDU; and deleting the corresponding information in the application software registry.
An embodiment of the present invention further provides an out-of-card entity, including: the device comprises an acquisition unit, a first sending unit and a data channel establishing unit; wherein the content of the first and second substances,
the acquisition unit is used for acquiring the security authentication information of the application data channel from the intelligent card management platform;
the first sending unit is used for sending an authentication registration message carrying the security authentication information to the smart card device;
and the data channel establishing unit is used for establishing a data channel with the intelligent card after the intelligent card equipment successfully verifies the safety authentication information.
In the foregoing solution, the obtaining unit further includes: the device comprises a first sending module and a first receiving module; wherein the content of the first and second substances,
the first sending module is used for sending a data channel registration application carrying the relevant information of the corresponding application to the intelligent card management platform;
the first receiving module is used for receiving the security authentication information of the corresponding application sent by the smart card management platform; and the security authentication information is generated by the intelligent card management platform according to the application related information by utilizing a key or a certificate stored by the intelligent card management platform.
An embodiment of the present invention further provides a smart card management platform, including: a second receiving unit, an information generating unit and a second transmitting unit; wherein the content of the first and second substances,
the second receiving unit is used for a data channel registration application which is sent by an entity outside the card and carries the relevant information of the corresponding application;
the information generating unit is used for generating the security authentication information of the corresponding application according to the application related information by using a key or a certificate stored by the information generating unit;
and the second sending unit is used for sending the generated security authentication information to the entity outside the card.
In the foregoing solution, the information generating unit may further include: the device comprises a storage module and a data channel security module; wherein the content of the first and second substances,
the storage module is used for storing a secret key or a certificate;
and the data channel security module is used for generating the security authentication information of the corresponding application according to the key or the certificate stored by using the storage module and the relevant application information.
An embodiment of the present invention further provides a smart card device, including: a third receiving unit and a data channel establishing unit; wherein the content of the first and second substances,
the third receiving unit is used for receiving an authentication registration message which is sent by an entity outside the card and carries safety authentication information;
and the data channel establishing unit is used for establishing a data channel with the card external entity after the safety authentication information is verified successfully.
In the foregoing solution, the data channel establishing unit further includes: the device comprises an information generation module, a matching module and a data channel establishing module; wherein the content of the first and second substances,
the information generation module is used for generating the security authentication information of the corresponding application according to the relevant information of the corresponding application by using the key or the certificate stored in the information generation module;
the matching module is used for matching the generated security authentication information corresponding to the application with the security authentication information carried in the authentication registration message and triggering the data channel establishing module after matching;
and the data channel establishing module is used for establishing a data channel with the card external entity after receiving the trigger of the matching module.
In the above solution, the apparatus further includes: and the application software registry management unit is used for adding the information of the corresponding application in the own application software registry after the data channel is established.
In the foregoing solution, the apparatus may further include: and the SE operation unit is used for establishing a data channel, and performing corresponding transaction operation when the data channel corresponding to the APDU is determined to be valid after the APDU instruction of the entity outside the card is received.
In the above scheme, the data channel establishing unit is further configured to close the data channel corresponding to the APDU after the transaction operation is completed;
correspondingly, the application software registry management unit is further configured to delete corresponding information in the application software registry.
An embodiment of the present invention further provides a system for establishing a data channel, including: the intelligent card management platform, the card external entity and the intelligent card equipment; wherein the content of the first and second substances,
the off-card entity is used for acquiring the security authentication information of the application data channel from the intelligent card management platform; sending an authentication registration message carrying the security authentication information to the smart card device;
and the intelligent card equipment is used for establishing a data channel with the entity outside the card after the safety certification information is successfully verified.
In the above scheme, the off-card entity is configured to send a data channel registration application carrying corresponding application-related information to the smart card management platform; receiving full authentication information sent by the intelligent card management platform;
the intelligent card management platform is used for generating the safety certification information of the corresponding application by utilizing a key or a certificate stored by the intelligent card management platform after receiving the data channel registration application and according to the application related information; and sending the generated security authentication information to the entity outside the card.
In the above scheme, the smart card device is further configured to add the information of the corresponding application to an application software registry of the smart card device after the data channel is established.
In the above scheme, the smart card device is further configured to perform a corresponding transaction operation when the data channel corresponding to the APDU is determined to be valid after the data channel is established and the APDU command of the entity outside the card is received.
In the above scheme, the smart card device is further configured to close the data channel corresponding to the APDU after the transaction operation is completed; and deleting the corresponding information in the application software registry.
According to the method, the system and the related equipment for establishing the data channel, provided by the embodiment of the invention, the entity outside the card acquires the security authentication information of the application data channel from the intelligent card management platform; the entity outside the card sends an authentication registration message carrying the security authentication information to the intelligent card equipment; after the smart card device successfully verifies the security authentication information, a data channel is established with the entity outside the card, so that the smart card is prevented from being attacked and damaged, and the security of the smart card device is ensured.
Drawings
In the drawings, which are not necessarily drawn to scale, like reference numerals may describe similar components in different views. Like reference numerals having different letter suffixes may represent different examples of similar components. The drawings illustrate generally, by way of example, but not by way of limitation, various embodiments discussed herein.
FIG. 1 is a schematic diagram of a data channel of a related art smart card;
fig. 2 is a flowchart illustrating a method for establishing a data channel according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating an external card entity according to a second embodiment of the present invention;
FIG. 4 is a diagram illustrating a smart card management platform according to a second embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a smart card apparatus according to a second embodiment of the present invention;
fig. 6 is a schematic structural diagram of a system for establishing a data channel according to a second embodiment of the present invention;
fig. 7 is a system architecture and an interaction diagram for establishing a data channel according to a third embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
In various embodiments of the present invention, an entity outside a card obtains security authentication information of an application data channel from a smart card management platform; the entity outside the card sends an authentication registration message carrying the security authentication information to the intelligent card equipment; and after the smart card equipment successfully verifies the safety authentication information, establishing a data channel with the entity outside the card.
Example one
The embodiment provides a method for establishing a data channel, which is applied to an entity outside a card and comprises the following steps:
acquiring security authentication information of a data channel from a smart card management platform;
sending an authentication registration message carrying the security authentication information to the smart card device;
and after the smart card equipment successfully verifies the security authentication information, establishing a data channel with the smart card.
The method comprises the following steps of obtaining security authentication information of an application data channel from a smart card management platform, specifically:
sending a data channel registration application carrying the relevant information of the corresponding application to the intelligent card management platform;
receiving the security authentication information of the corresponding application sent by the intelligent card management platform; and the security authentication information is generated by the intelligent card management platform according to the application related information by utilizing a key or a certificate stored by the intelligent card management platform.
Here, the secure authentication information may be a signature or a Token (Token).
The embodiment also provides a method for establishing a data channel, which is applied to an intelligent card management platform and comprises the following steps:
receiving a data channel registration application which is sent by an entity outside a card and carries relevant information of a corresponding application;
generating the security authentication information of the corresponding application by using a key or a certificate stored by the user according to the application related information;
and sending the generated security authentication information to the entity outside the card.
Here, the secure authentication information may be a signature or Token.
The embodiment also provides a method for establishing a data channel, which is applied to the smart card device and comprises the following steps:
receiving an authentication registration message which is sent by an entity outside the card and carries safety authentication information;
and after the safety authentication information is successfully verified, establishing a data channel with the card external entity.
Here, the verifying the security authentication information specifically includes:
generating security authentication information of the corresponding application by using a key or a certificate stored by the user according to the relevant information of the corresponding application;
matching the generated security authentication information of the corresponding application with the security authentication information carried in the authentication registration message; if the two can be matched, the smart card device is successful in verifying the security authentication information, and if the two cannot be matched, the smart card device is failed in verifying the security authentication information, and at this moment, the smart card device returns error information to the entity outside the card.
Wherein, the security authentication information may be a signature or Token, etc.
After the data channel is established, the method may further include:
and the smart card equipment adds the information of the corresponding application in an application software registry of the smart card equipment. Here, the information of the corresponding application may include: the identifier of the corresponding application, the state of the channel and the assigned authority; wherein the assigned rights may include: corresponding registration, deregistration, and security module (SE) operations, etc.
After the data channel is established, the method may further include:
and after receiving the APDU command of the entity outside the card, the intelligent card equipment performs corresponding transaction operation when determining that the data channel corresponding to the APDU is valid.
Wherein the determining that the data channel corresponding to the APDU is valid specifically includes:
and determining that the data channel corresponding to the APDU is valid according to the information of the data channel corresponding to the APDU in the application software registry.
Specifically, if the state of the data channel is valid in the information of the data channel corresponding to the APDU in the application software registry, it indicates that the data channel corresponding to the APDU is valid; correspondingly, if the state of the data channel is invalid, it indicates that the data channel corresponding to the APDU is invalid.
And when the data channel corresponding to the APDU is determined to be invalid, the smart card equipment refuses to execute the operation related to the APDU instruction.
The method may further comprise:
after the transaction operation is completed, the smart card closes the data channel corresponding to the APDU; and deleting the corresponding information in the application software registry.
The method for establishing a data channel provided in this embodiment, as shown in fig. 2, includes the following steps:
step 201: the entity outside the card acquires the security authentication information of the application data channel from the intelligent card management platform;
specifically, the off-card entity sends a data channel registration application carrying the relevant information of the corresponding application to the smart card management platform;
after receiving the data channel registration application, the smart card management platform generates security authentication information of the corresponding application by using a key or a certificate stored by the smart card management platform and according to the application related information;
and the intelligent card management platform sends the generated security authentication information to the entity outside the card.
The physical form of the card-external entity may be various, for example, it may be a non-contact IC card, a bluetooth card, etc.
The security authentication information may be a signature or Token, etc.
Step 202: the entity outside the card sends an authentication registration message carrying the security authentication information to the intelligent card equipment;
step 203: and after the smart card equipment successfully verifies the safety authentication information, establishing a data channel with the entity outside the card.
Here, the verifying, by the smart card device, the security authentication information specifically includes:
the smart card equipment generates security authentication information of the corresponding application according to the relevant information of the corresponding application by using a key or a certificate stored in the smart card equipment;
matching the generated security authentication information of the corresponding application with the security authentication information carried in the authentication registration message; if the two can be matched, the smart card device is successful in verifying the security authentication information, and if the two cannot be matched, the smart card device is failed in verifying the security authentication information, and at this moment, the smart card device returns error information to the entity outside the card.
After the data channel is established, the method may further include:
and the smart card equipment adds the information of the corresponding application in an application software registry of the smart card equipment. Here, the information of the corresponding application may include: the identifier of the corresponding application, the state of the channel and the assigned authority; wherein the assigned rights may include: corresponding registration, deregistration, and SE operations, etc.
After the data channel is established, the method may further include:
and after receiving the APDU command of the entity outside the card, the intelligent card equipment performs corresponding transaction operation when determining that the data channel corresponding to the APDU is valid.
Wherein the determining that the data channel corresponding to the APDU is valid specifically includes:
and the smart card equipment determines that the data channel corresponding to the APDU is valid according to the information of the data channel corresponding to the APDU in the application software registry.
Specifically, if the state of the data channel is valid in the information of the data channel corresponding to the APDU in the application software registry, it indicates that the data channel corresponding to the APDU is valid; correspondingly, if the state of the data channel is invalid, it indicates that the data channel corresponding to the APDU is invalid.
And when the data channel corresponding to the APDU is determined to be invalid, the smart card equipment refuses to execute the operation related to the APDU instruction.
The method may further comprise:
after the transaction operation is completed, the smart card device closes the data channel corresponding to the APDU; and deleting the corresponding information in the application software registry.
In the method for establishing a data channel provided by this embodiment, an entity outside a card obtains security authentication information of a data channel application from an intelligent card management platform; the entity outside the card sends an authentication registration message carrying the security authentication information to the intelligent card equipment; after the smart card device successfully verifies the security authentication information, a data channel is established with the entity outside the card, so that the smart card is prevented from being attacked and damaged, and the security of the smart card device is ensured.
In addition, after receiving the APDU command of the entity outside the card, the smart card device performs corresponding transaction operation only when determining that the data channel corresponding to the APDU is valid; thus, the safety of the intelligent card device is further ensured.
Example two
To implement the method of the first embodiment, this embodiment provides an off-card entity, as shown in fig. 3, where the off-card entity includes: an acquiring unit 31, a first sending unit 32 and a data channel establishing unit 33; wherein the content of the first and second substances,
the acquiring unit 31 is configured to acquire security authentication information of the application data channel from the smart card management platform;
the first sending unit 32 is configured to send an authentication registration message carrying the security authentication information to the smart card device;
the data channel establishing unit 33 is configured to establish a data channel with the smart card after the smart card device successfully verifies the security authentication information.
Wherein, the obtaining unit 31 may further include: the device comprises a first sending module and a first receiving module; wherein the content of the first and second substances,
the first sending module is used for sending a data channel registration application carrying the relevant information of the corresponding application to the intelligent card management platform;
the first receiving module is used for receiving the security authentication information of the corresponding application sent by the smart card management platform; and the security authentication information is generated by the intelligent card management platform according to the application related information by utilizing a key or a certificate stored by the intelligent card management platform.
Here, the security authentication information may be a signature or Token.
In practical applications, the obtaining Unit 31 may be implemented by a Central Processing Unit (CPU), a Microprocessor (MCU), a Digital Signal Processor (DSP), or a Programmable logic Array (FPGA) in combination with a transceiver; the first sending module of the first sending unit 32 can be implemented by a transmitter in an entity outside the card, and the data channel establishing unit 33 can be implemented by a CPU, MCU, DSP or FPGA of the entity outside the card in combination with the transceiver; the first receiving module may be implemented by a receiver in an off-card entity.
To implement the method of the first embodiment, this embodiment further provides a smart card management platform, as shown in fig. 4, including: a second receiving unit 41, an information generating unit 42, and a second transmitting unit 43; wherein the content of the first and second substances,
the second receiving unit 41 is configured to receive a data channel registration application carrying corresponding application related information from an entity outside the card;
the information generating unit 42 is configured to generate the security authentication information of the corresponding application according to the application-related information by using a key or a certificate stored in the information generating unit;
the second sending unit 43 is configured to send the generated security authentication information to the off-card entity.
Here, the secure authentication information may be a signature or Token.
The information generating unit 42 may further include: the device comprises a storage module and a data channel security module; wherein the content of the first and second substances,
the storage module is used for storing a secret key or a certificate;
and the data channel security module is used for generating the security authentication information of the corresponding application according to the key or the certificate stored by using the storage module and the relevant application information.
In practical application, the second receiving unit 41 may be implemented by a receiver in a smart card management platform; the information generation unit can be realized by combining a CPU, an MCU, a DSP or an FPGA in the intelligent card management platform with a memory; the second sending unit 43 may be implemented by a transmitter in the smart card management platform; the storage module can be realized by a memory in a smart card management platform; the data channel security module can be realized by a CPU, an MCU, a DSP or an FPGA in the smart card management platform.
To implement the method of the first embodiment, this embodiment further provides a smart card device, as shown in fig. 5, including: a third receiving unit 51 and a data channel establishing unit 52; wherein the content of the first and second substances,
the third receiving unit 51 is configured to receive an authentication registration message carrying security authentication information sent by an entity outside the card;
the data channel establishing unit 52 is configured to establish a data channel with the entity outside the card after the security authentication information is successfully verified.
Here, the data path establishing unit 52 may further include: the device comprises an information generation module, a matching module and a data channel establishing module; wherein the content of the first and second substances,
the information generation module is used for generating the security authentication information of the corresponding application according to the relevant information of the corresponding application by using the key or the certificate stored in the information generation module;
the matching module is used for matching the generated security authentication information corresponding to the application with the security authentication information carried in the authentication registration message and triggering the data channel establishing module after matching;
and the data channel establishing module is used for establishing a data channel with the card external entity after receiving the trigger of the matching module.
When the matching module matches the generated security authentication information corresponding to the application with the security authentication information carried in the authentication registration message, if the generated security authentication information can be matched with the authentication registration message, the verification of the security authentication information is successful, and if the generated security authentication information cannot be matched with the authentication registration message, the verification of the security authentication information is failed, and at this moment, the matching module returns error information to the entity outside the card.
Wherein, the security authentication information may be a signature or Token, etc.
The smart card device may further include: and the application software registry management unit is used for adding the information of the corresponding application in the own application software registry after the data channel is established. Here, the information of the corresponding application may include: the identifier of the corresponding application, the state of the channel and the assigned authority; wherein the assigned rights may include: corresponding registration, cancellation, and SE operation security, etc.
The smart card device may further include: and the SE operation unit is used for establishing a data channel, and performing corresponding transaction operation when the data channel corresponding to the APDU is determined to be valid after the APDU instruction of the entity outside the card is received.
Wherein the determining that the data channel corresponding to the APDU is valid specifically includes:
and determining that the data channel corresponding to the APDU is valid according to the information of the data channel corresponding to the APDU in the application software registry.
Specifically, if the state of the data channel is valid in the information of the data channel corresponding to the APDU in the application software registry, it indicates that the data channel corresponding to the APDU is valid; correspondingly, if the state of the data channel is invalid, it indicates that the data channel corresponding to the APDU is invalid.
And when the data channel corresponding to the APDU is determined to be invalid, the SE operation unit refuses to execute the operation related to the APDU instruction.
The data channel establishing unit 52 is further configured to close the data channel corresponding to the APDU after the transaction operation is completed;
correspondingly, the application software registry management unit is further configured to delete corresponding information in the application software registry.
In practical applications, the third receiving unit 51 may be implemented by a receiver in a smart card device; the data channel establishing unit 52 and the data channel establishing module can be realized by a transceiver combined with a CPU, an MCU, a DSP or an FPGA in the smart card device; the information generation module, the matching module, the application software registry management unit and the SE operation unit can be realized by a CPU, an MCU, a DSP or an FPGA in the intelligent card equipment.
To implement the method of the first embodiment, this embodiment further provides a system for establishing a data channel, as shown in fig. 6, where the system includes: a smart card management platform 61, an off-card entity 62, and a smart card device 63; wherein the content of the first and second substances,
the off-card entity 62 is configured to obtain security authentication information of the application data channel from the smart card management platform 61; and sends an authentication registration message carrying the security authentication information to the smart card device 63;
the smart card device 63 is configured to establish a data channel with the card external entity 62 after the security authentication information is successfully verified.
The off-card entity 62 is configured to send a data channel registration application carrying corresponding application-related information to the smart card management platform 61; receiving the full authentication information sent by the smart card management platform 61;
the smart card management platform 61 is configured to generate the security authentication information of the corresponding application according to the application-related information by using a key or a certificate stored in the smart card management platform after receiving the data channel registration application; and sends the generated security authentication information to the off-card entity 62.
The physical form of the card outer body 62 may be various, and may be, for example, a non-contact IC card, a bluetooth card, or the like.
The security authentication information may be a signature or Token, etc.
Here, the verifying the security authentication information by the smart card device 63 specifically includes:
the smart card device 63 generates security authentication information of the corresponding application according to the relevant information of the corresponding application by using a key or a certificate stored in the smart card device itself;
matching the generated security authentication information of the corresponding application with the security authentication information carried in the authentication registration message; if the two can be matched, it means that the smart card device 63 successfully verifies the security authentication information, and if the two cannot be matched, it means that the smart card device 63 fails to verify the security authentication information, and at this time, the smart card device 63 returns an error message to the card external entity 62.
The smart card device 63 is further configured to add the information of the corresponding application to its own application software registry after the data channel is established. Here, the information of the corresponding application may include: the identifier of the corresponding application, the state of the channel and the assigned authority; wherein the assigned rights may include: corresponding registration, deregistration, and SE operations, etc.
The smart card device 63 is further configured to perform a corresponding transaction operation when determining that the data channel corresponding to the APDU is valid after the data channel is established and the APDU command of the entity outside the card is received.
Wherein the determining that the data channel corresponding to the APDU is valid specifically includes:
and the smart card device 63 determines that the data channel corresponding to the APDU is valid according to the information of the data channel corresponding to the APDU in the application software registry.
Specifically, if the state of the data channel is valid in the information of the data channel corresponding to the APDU in the application software registry, it indicates that the data channel corresponding to the APDU is valid; correspondingly, if the state of the data channel is invalid, it indicates that the data channel corresponding to the APDU is invalid.
When determining that the data channel corresponding to the APDU is invalid, the smart card device 63 refuses to execute the operation related to the APDU command.
The smart card device 63 is further configured to close the data channel corresponding to the APDU after the transaction operation is completed; and deleting the corresponding information in the application software registry.
In the system for establishing a data channel provided in this embodiment, the off-card entity 62 obtains the security authentication information of the application data channel from the smart card management platform 61; the off-card entity 62 sends an authentication registration message carrying the security authentication information to the smart card device 63; after the smart card device 63 successfully verifies the security authentication information, a data channel is established with the card external entity 62, so that the smart card is not attacked and damaged, and the security of the smart card device is ensured.
In addition, after receiving the APDU command of the entity outside the card, the smart card device 63 performs a corresponding transaction operation when determining that the data channel corresponding to the APDU is valid; thus, the safety of the intelligent card device is further ensured.
EXAMPLE III
The system for establishing a data channel in this embodiment, as shown in fig. 7, includes a smart card management platform 71, an off-card entity 72, and a smart card 73; wherein the content of the first and second substances,
the smart card management platform 71 is mainly responsible for generating a signature or Token (Token) of the application software according to the information of the application software, and may include a data channel key or certificate storage module 711 (whose function is equivalent to the function of the storage module in the second embodiment) and a data channel security module 712 (whose function is equivalent to the sum of the functions of the second receiving unit, the second sending unit and the data channel security module in the second embodiment). Here, the data channel key or certificate storage module 711 is used to store a key or certificate of the data channel; the data channel security module 712 is used to generate a signature or Token for the application software.
The off-card entity 72 includes a smart card management software 721 (the function of which is equivalent to the sum of the functions of the first sending module, the first receiving module, the first sending unit and the data channel establishing unit in the second embodiment), an application software 722 and a bottom chip 723, and is mainly responsible for authenticating and registering the application software of the off-card entity 72 on the smart card 73; specifically, the registration application of the application software is sent to the smart card management platform 71; sending the signature or Token of the application software returned by the intelligent card management 71 platform to the intelligent card 73 for authentication and registration; and notifies the application software of the authentication registration result on the smart card 73. In practical applications, the physical form of the card outer body 72 may be various, for example, a non-contact IC card, a bluetooth card, or the like.
The smart card 73 is a smart card device capable of securely managing a data channel, and compared with an existing smart card, the smart card of this embodiment is additionally provided with a data channel management unit 731, which specifically includes: a key or certificate storage module 7311, an off-card entity application authentication module 7312 (whose function is equivalent to the sum of the functions of the third receiving unit, the information generation module and the matching module in the second embodiment), an off-card entity application registry management module 7313 (whose function is equivalent to the function of the application registry management unit in the second embodiment), a data channel lifecycle management module 7314 and an SE operation module 7315 (whose function is equivalent to the function of the SE operation unit in the second embodiment).
Here, the key or certificate storage module 7311 stores a key or certificate for authenticating application software.
Off-card entity application authentication module 7312 verifies whether the security authentication information (signature or Token) of the off-card entity 72 application is valid.
The off-card entity application software registry management module 7313 stores the application software identifier passing the authentication and allocates the application software authority; and after the data channel is closed, deleting the application software identifier from the off-card entity application software registry. The permissions of the application software include: software registration (the right is assigned only to the smart card management software), software logout (the right is assigned only to the smart card management software), SE operation (the right may be assigned to the smart card management software and the application software).
Data channel lifecycle management module 7314 is used to maintain the state of each data channel lifecycle, including: the states of data channel creation, closing, etc.; after the data channels are created, an identification is assigned to each data channel.
The SE operation module 7315 passes the APDU command sent by the valid and valid application software to the SE 732; and rejects the APDU command of the invalid application software.
In practical application, the security requirements for a system for establishing a data channel mainly include the following points:
(1) the data channel management unit 731 of the smart card 73 provides the authentication and registration capability for the application software, and can perform authentication in a signature mode or a Token mode.
(2) The software registration information in the off-card entity application registry of the smart card 73 is only "temporarily" valid, i.e., valid for the lifetime for which the data channel is valid, and the application software may only allow access to the smart card 73 for the lifetime for which the data channel is valid.
(3) For the data channel key or certificate, the smart card 73 and the smart card management platform 71 store the key or certificate for establishing the data channel; specifically, the smart Card management platform 71 stores a private key or a root key, and the smart Card 73 stores a public key or a sub-key dispersed according to an Integrated Circuit Card Identification (ICCID) during Card manufacturing, so as to ensure that a certificate or a key of each SE is different.
(4) Security between the smart card 73 and the smart card management platform 71; the instruction interaction between each intelligent card and the intelligent card management platform is protected by a secret key, the intelligent card management platform stores a private key or a root secret key, and a public key or sub-secret keys dispersed according to the ICCID are written into the intelligent card during card manufacturing, and the secret keys of the intelligent cards are different.
The process of establishing a data channel in this embodiment, as shown in fig. 7, includes the following steps:
step 701: before establishing a data channel with the smart card, the application software 722 sends a data channel registration application to the smart card management software 721;
step 702: after receiving the data channel registration application, the smart card management software 722 sends the data channel registration application sent by the application software 522 to the smart card management platform 51;
step 703: after the smart card management platform 71 receives the data channel registration application, the data channel security module 712 reads the key or certificate of the data channel from the data channel key or certificate storage module 711;
step 704: the data channel security module 712 calculates the signature or Token of the data channel applied by the application software according to the information of the application software by using the read key or certificate;
step 705: the smart card management platform 71 sends a message of application authentication registration to the smart card management software 722;
here, the transmitted message carries the signature or Token of the application software application data channel.
Step 706: after receiving the message, the smart card management software 722 sends a message of application software authentication registration to the smart card data channel management unit 731; after receiving the message, the smart card data channel management unit 731 performs data channel authentication registration on the application software, and executes step 707 after the authentication registration is successful;
here, the transmitted message carries the signature or Token of the application software application data channel.
Specifically, the off-card entity application software authentication module 7312 reads the key or certificate stored in the key or certificate storage module 7311, calculates a signature or Token according to the information of the application software, matches the signature or Token sent by the smart card management software 721, and after matching, triggers the off-card entity application software registry management module 7313 to add the information of the application software in the off-card entity application software registry, which indicates that the authentication and registration is successful, and continues the operation of step 707; if the matching is not possible, the smart card data channel management unit 731 returns an error message to the smart card management software 521, and the process ends.
Step 707: the smart card management software 721 returns the result of successful data channel authentication registration to the application software 722;
step 708: after receiving the result, the application software 722 establishes a data channel with the data channel management unit 731 of the smart card 73, and the data channel life cycle management module 7314 maintains the data channel life cycle;
here, the data channel lifecycle management module 7314 dynamically determines whether the data channel is valid and notifies the software registry management module 7313 of the status of the data channel, so that the software registry management module 7313 updates the relevant information of the corresponding data channel status.
The data channel life cycle management module 7314 may dynamically determine whether the data channel is valid according to the time duration for establishing the data channel, the type of the APDU command, and the like.
Step 709: after the data channel is established, the application software 722 may send an APDU instruction of the application processing logic to the smart card 73, and after the smart card data channel management unit verifies that the state of the application software is valid, the APDU instruction sent by the application software 722 is forwarded to the SE to perform an application transaction.
Here, after the transaction is completed, the data channel between the application software and the smart card is closed, and the off-card entity application software registry management module 7313 deletes the relevant information in the off-card entity application software registry.
As can be seen from the above description, the solution provided by this embodiment can ensure the security of the smart card accessed by the application software of the entity outside the card.
In addition, the security policy between the smart card management software 722 and the smart card management platform 51, and between the smart card management software 722 and the smart card data channel management unit 731 can be flexibly adjusted and upgraded.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (21)

1. A method for establishing a data channel, the method comprising:
the application of the entity outside the card acquires the security authentication information of the data channel corresponding to the application from the intelligent card management platform; the security authentication information is generated by the intelligent card management platform by using a key or a certificate stored by the intelligent card management platform and the related information of the application;
the entity outside the card sends an authentication registration message carrying the security authentication information to the intelligent card equipment;
after the smart card equipment successfully verifies the safety authentication information, establishing a data channel with the application of the entity outside the card;
the method further comprises the following steps:
and the smart card equipment stores the application software identification passing the authentication and distributes the application software authority.
2. The method of claim 1, wherein the acquiring, by the off-card entity, the security authentication information of the application data channel from the smart card management platform comprises:
the entity outside the card sends a data channel registration application carrying the relevant information of the corresponding application to the intelligent card management platform;
after receiving the data channel registration application, the smart card management platform generates security authentication information of the corresponding application by using a key or a certificate stored by the smart card management platform and according to the application related information;
and the intelligent card management platform sends the generated security authentication information to the entity outside the card.
3. The method of claim 2, wherein the smart card device verifies the security authentication information, comprising:
the smart card equipment generates security authentication information of the corresponding application according to the relevant information of the corresponding application by using a key or a certificate stored in the smart card equipment;
and matching the generated security authentication information corresponding to the application with the security authentication information carried in the authentication registration message.
4. The method of claim 1, wherein after the data channel is established, the method further comprises:
and the intelligent card equipment adds the information of the corresponding application in an application software registry of the intelligent card equipment.
5. The method of claim 4, wherein after the data channel is established, the method further comprises:
and after receiving an Application Protocol Data Unit (APDU) instruction of the entity outside the card, the intelligent card equipment performs corresponding transaction operation when determining that a data channel corresponding to the APDU is valid.
6. The method of claim 5, wherein the determining that the data channel corresponding to the APDU is valid is:
and the smart card equipment determines that the data channel corresponding to the APDU is valid according to the information of the data channel corresponding to the APDU in the application software registry.
7. The method of claim 5, further comprising:
after the transaction operation is completed, the smart card device closes the data channel corresponding to the APDU; and deleting the corresponding information in the application software registry.
8. An off-card entity, comprising: the device comprises an acquisition unit, a first sending unit and a data channel establishing unit; wherein the content of the first and second substances,
the acquisition unit is used for acquiring the security authentication information of the data channel corresponding to the application from the intelligent card management platform; the security authentication information is generated by the intelligent card management platform by using a key or a certificate stored by the intelligent card management platform and the related information of the application;
the first sending unit is used for sending an authentication registration message carrying the security authentication information to the smart card device;
the data channel establishing unit is used for establishing a data channel with the intelligent card after the intelligent card equipment successfully verifies the safety authentication information;
and after the smart card equipment successfully verifies the safety authentication information, the smart card equipment stores the application software identification passing the authentication and distributes the application software permission.
9. The off-card entity of claim 8, wherein the obtaining unit further comprises: the device comprises a first sending module and a first receiving module; wherein the content of the first and second substances,
the first sending module is used for sending a data channel registration application carrying the relevant information of the corresponding application to the intelligent card management platform;
the first receiving module is used for receiving the security authentication information of the corresponding application sent by the smart card management platform; and the security authentication information is generated by the intelligent card management platform according to the application related information by utilizing a key or a certificate stored by the intelligent card management platform.
10. A smart card management platform, the platform comprising: a second receiving unit, an information generating unit and a second transmitting unit; wherein the content of the first and second substances,
the second receiving unit is used for a data channel registration application which is sent by an entity outside the card and carries the relevant information of the corresponding application;
the information generating unit is used for generating the security authentication information of the corresponding application according to the application related information by using a key or a certificate stored by the information generating unit;
the second sending unit is used for sending the generated security authentication information to the entity outside the card; and the safety certification information is used for the entity outside the card to send to the intelligent card equipment, so that after the intelligent card equipment successfully verifies the safety certification information, a data channel is established with the application of the entity outside the card, and the application software identification passing the certification and the application software permission are stored and distributed.
11. The platform of claim 10, wherein the information generating unit further comprises: the device comprises a storage module and a data channel security module; wherein the content of the first and second substances,
the storage module is used for storing a secret key or a certificate;
and the data channel security module is used for generating the security authentication information of the corresponding application according to the key or the certificate stored by using the storage module and the relevant application information.
12. A smart card device, characterized in that the device comprises: a third receiving unit and a data channel establishing unit; wherein the content of the first and second substances,
the third receiving unit is used for receiving an authentication registration message which is sent by an entity outside the card and carries safety authentication information; the security authentication information is generated by the intelligent card management platform by using a key or a certificate stored by the intelligent card management platform and the related information of the application of the entity outside the intelligent card;
the data channel establishing unit is used for establishing a data channel with the card external entity after the safety authentication information is verified successfully; and the system is also used for storing the application software identification passing the authentication and distributing the application software authority.
13. The apparatus of claim 12, wherein the data channel establishing unit further comprises: the device comprises an information generation module, a matching module and a data channel establishing module; wherein the content of the first and second substances,
the information generation module is used for generating the security authentication information of the corresponding application according to the relevant information of the corresponding application by using the key or the certificate stored in the information generation module;
the matching module is used for matching the generated security authentication information corresponding to the application with the security authentication information carried in the authentication registration message and triggering the data channel establishing module after matching;
and the data channel establishing module is used for establishing a data channel with the card external entity after receiving the trigger of the matching module.
14. The apparatus of claim 12, further comprising: and the application software registry management unit is used for adding information corresponding to the application in the application software registry of the application software registry after the data channel is established.
15. The apparatus of claim 14, wherein the apparatus further comprises: and the SE operation unit is used for establishing a data channel, and performing corresponding transaction operation when the data channel corresponding to the APDU is determined to be valid after the APDU instruction of the entity outside the card is received.
16. The apparatus according to claim 15, wherein the data channel establishing unit is further configured to close the data channel corresponding to the APDU after the transaction operation is completed;
correspondingly, the application software registry management unit is further configured to delete corresponding information in the application software registry.
17. A system for establishing a data channel, the system comprising: the intelligent card management platform, the card external entity and the intelligent card equipment; wherein the content of the first and second substances,
the off-card entity is used for acquiring security authentication information of a data channel corresponding to the application from the intelligent card management platform; sending an authentication registration message carrying the security authentication information to the smart card device; the security authentication information is generated by the intelligent card management platform by using a key or a certificate stored by the intelligent card management platform and the related information of the application;
the intelligent card equipment is used for establishing a data channel with the application of the entity outside the card after the safety certification information is successfully verified; and the system is also used for storing the application software identification passing the authentication and distributing the application software authority.
18. The system according to claim 17, wherein the off-card entity is configured to send a data channel registration application carrying information related to a corresponding application to the smart card management platform; receiving full authentication information sent by the intelligent card management platform;
the intelligent card management platform is used for generating the safety certification information of the corresponding application by utilizing a key or a certificate stored by the intelligent card management platform after receiving the data channel registration application and according to the application related information; and sending the generated security authentication information to the entity outside the card.
19. The system according to claim 17, wherein the smart card device is further configured to add information of a corresponding application to its own application software registry after the data channel is established.
20. The system according to claim 19, wherein the smart card device is further configured to perform a corresponding transaction operation when determining that the data channel corresponding to the APDU is valid after the data channel is established and receiving an APDU command from the entity outside the card.
21. The system according to claim 20, wherein the smart card device is further configured to close the data channel corresponding to the APDU after the transaction operation is completed; and deleting the corresponding information in the application software registry.
CN201410806632.7A 2014-12-22 2014-12-22 Method, system and related equipment for establishing data channel Active CN105790946B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410806632.7A CN105790946B (en) 2014-12-22 2014-12-22 Method, system and related equipment for establishing data channel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410806632.7A CN105790946B (en) 2014-12-22 2014-12-22 Method, system and related equipment for establishing data channel

Publications (2)

Publication Number Publication Date
CN105790946A CN105790946A (en) 2016-07-20
CN105790946B true CN105790946B (en) 2020-05-12

Family

ID=56385312

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410806632.7A Active CN105790946B (en) 2014-12-22 2014-12-22 Method, system and related equipment for establishing data channel

Country Status (1)

Country Link
CN (1) CN105790946B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110622536A (en) * 2018-01-05 2019-12-27 深圳市大疆创新科技有限公司 Communication method, device and system
CN113840274B (en) * 2021-09-18 2023-06-02 中国联合网络通信集团有限公司 BIP channel state management method, mobile device, UICC and user terminal

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101257683A (en) * 2008-02-01 2008-09-03 北京握奇数据***有限公司 Method for electric communication smart card signaling interactive with external non-contact card
CN101477607A (en) * 2009-01-16 2009-07-08 北京海升天达科技有限公司 Smart card and smart card user identity authentication process thereof
CN101488111A (en) * 2009-02-17 2009-07-22 普天信息技术研究院有限公司 Identification authentication method and system
CN101917216A (en) * 2010-08-25 2010-12-15 罗正棣 System and method for realizing safe mobile application by adopting Bluetooth intelligent card
CN102479089A (en) * 2010-11-23 2012-05-30 天津中兴软件有限责任公司 Software upgrading method for card reader
CN102547691A (en) * 2010-12-22 2012-07-04 国民技术股份有限公司 Security electronic control system and method based on 2.4G radio frequency identification (RFID) smart card system
CN103971149A (en) * 2013-01-24 2014-08-06 国民技术股份有限公司 Smart card device and authentication method of smart card device

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101257683A (en) * 2008-02-01 2008-09-03 北京握奇数据***有限公司 Method for electric communication smart card signaling interactive with external non-contact card
CN101477607A (en) * 2009-01-16 2009-07-08 北京海升天达科技有限公司 Smart card and smart card user identity authentication process thereof
CN101488111A (en) * 2009-02-17 2009-07-22 普天信息技术研究院有限公司 Identification authentication method and system
CN101917216A (en) * 2010-08-25 2010-12-15 罗正棣 System and method for realizing safe mobile application by adopting Bluetooth intelligent card
CN102479089A (en) * 2010-11-23 2012-05-30 天津中兴软件有限责任公司 Software upgrading method for card reader
CN102547691A (en) * 2010-12-22 2012-07-04 国民技术股份有限公司 Security electronic control system and method based on 2.4G radio frequency identification (RFID) smart card system
CN103971149A (en) * 2013-01-24 2014-08-06 国民技术股份有限公司 Smart card device and authentication method of smart card device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
智能卡数据交互安全性的研究与实现;岳佩;《中国优秀硕士学位论文全文数据库 信息科技辑》;20080815;正文第3章节 *

Also Published As

Publication number Publication date
CN105790946A (en) 2016-07-20

Similar Documents

Publication Publication Date Title
KR102477453B1 (en) Transaction messaging
RU2537795C2 (en) Trusted remote attestation agent (traa)
US9734091B2 (en) Remote load and update card emulation support
CN107820238B (en) SIM card, blockchain application security module, client and security operation method thereof
US20050137889A1 (en) Remotely binding data to a user device
US20140365781A1 (en) Receiving a Delegated Token, Issuing a Delegated Token, Authenticating a Delegated User, and Issuing a User-Specific Token for a Resource
EP3017580B1 (en) Signatures for near field communications
US10880739B2 (en) Protection of a communication channel between a security module and an NFC circuit
KR20160101117A (en) Cloud-based transactions methods and systems
EA012094B1 (en) Security token and method for authentication of a user with the security token
CN103685138A (en) Method and system for authenticating application software of Android platform on mobile internet
CN110326011B (en) Determining legal conditions at a computing device
US9246910B2 (en) Determination of apparatus configuration and programming data
CN105790946B (en) Method, system and related equipment for establishing data channel
KR20080099117A (en) Method for removable element authentication in an embedded system
CN104361304A (en) Method and device for downloading application program of smart card
CN110313005B (en) Security architecture for device applications
JP6318868B2 (en) Authentication system and portable communication terminal
US20230385418A1 (en) Information processing device, information processing method, program, mobile terminal, and information processing system
Tamrakar Applications of Trusted Execution Environments (TEEs)
CN105103180B (en) Method for handling the distribution of mobile credit card
EP2985724B1 (en) Remote load and update card emulation support
JP6305284B2 (en) Portable electronic device
Kasper et al. Rights management with NFC smartphones and electronic ID cards: A proof of concept for modern car sharing
JP6505893B2 (en) Portable electronic devices

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant