CN107844707B - Card data management method and card data management system - Google Patents


Publication number: CN107844707B
Authority: CN (China)
Prior art keywords: card; key; data; making data; data management
Legal status: Active
Application number: CN201711035662.2A
Other languages: Chinese (zh)
Other versions: CN107844707A (en)
Inventors: 姜波; 冯晓光; 冀鹏昀
Current Assignee: Shenzhen Snowball Technology Co ltd
Original Assignee: Shenzhen Snowball Technology Co ltd
Application filed by Shenzhen Snowball Technology Co ltd
Priority to CN201711035662.2A
Publication of CN107844707A
Application granted
Publication of CN107844707B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a card data management system and method. The method comprises the following steps: injecting a root key into an encryption machine; selecting a specific algorithm and a dispersion factor, and performing dispersion calculation based on the root key to obtain a service key and/or a protection key of the service key; storing the obtained service key in ciphertext form; assembling the service key and the card data to generate card making data, then encrypting and storing it; and, when a user initiates an air card opening request, looking up the corresponding encrypted card making data by card number and inputting it into the encryption machine, which decrypts it, verifies whether it is consistent with the card making data stored in the encryption machine and, if it is consistent, encrypts the card making data with a security domain key and outputs it for provision to the user equipment. According to the invention, card data can be preset in batches, the security of the system can be ensured, and the concurrent processing capability of the system can also be improved.

Description

Card data management method and card data management system
Technical Field
The present invention relates to communication technologies, and in particular, to a card data management method and a card data management system for NFC mobile payment.
Background
At present, in air card-opening service systems, there is no standardized description of card data management. Existing card data management schemes mainly fall into the following cases:
(1) storing personalized data through DP file encryption;
(2) acquiring the card key in real time through the encryption machine interface and assembling the personalized data.
The card personalization data contains keys for the card application, which are highly sensitive data. In a common solution, the relevant service keys are obtained from an encryption machine by dispersion (key diversification) from the corresponding service master key. Although the card personalization data is then safe, a plurality of service keys is involved, so the number of interactions with the encryption machine during actual service interaction is large, a certain amount of time is consumed, and service execution efficiency is reduced. Therefore, systems generally adopt a scheme of presetting card data: the service key of the card is exported from the encryption machine in advance by a timed task, assembled with the other card personalization data into complete card making data, and stored securely. DP files, for example, are one such preset scheme and are also the solution adopted in traditional card issuing.
However, in the field of NFC full terminals, DP files are protected only by a transmission key, and some controls on system security are lacking, so a completely new solution needs to be proposed.
Disclosure of Invention
In view of the above-described problems, the present invention aims to provide a card data management method and a card data management system capable of further improving security and operational flexibility. The card data may also be referred to herein as card personalization data.
The card data management method of an aspect of the present invention is characterized by including the steps of:
a key injection step, namely injecting a root key into the encryption machine;
a key calculation step, namely selecting a specific algorithm and a dispersion factor, and performing dispersion calculation based on the root key to obtain a service key and/or a protection key of the service key; and
a key storage step, namely storing the obtained service key in ciphertext form.
Optionally, after the key storing step, the method further includes:
a card making data generation step, namely assembling the service key and the card data to generate card making data, and encrypting and storing the card making data.
Optionally, after the key storing step, the method further includes:
an air card opening step, namely: when a user initiates an air card opening request, the corresponding encrypted card making data is looked up by card number and input into the encryption machine; the encryption machine decrypts the encrypted card making data and verifies whether it is consistent with the securely stored card making data; and, if it is consistent, the card making data is encrypted with a security domain key, output, and provided to the user equipment.
Optionally, in the key calculation step, the SEID of the card is selected as the dispersion factor when the service of the card is generated, and the card number of the card is selected as the dispersion factor when the service key and the protection key of the card are generated.
Optionally, in the key injection step, a plurality of key components are injected into the encryption machine, and the plurality of key components form a root key.
The card data management system according to an aspect of the present invention is characterized by including at least an encryption machine,
wherein the encryption machine comprises:
a storage module for storing a root key of the encryption machine;
a first encryption module for acquiring a specific algorithm and a dispersion factor, and performing dispersion calculation based on the root key to obtain and output a service key and/or a protection key of the service key;
an assembling module for encrypting and outputting card making data assembled from the service key and the input card data;
a decryption module for decrypting encrypted card making data input from the outside and verifying whether it is identical to the card making data already stored in the storage module; and
a second encryption module for encrypting the card making data with the security domain key and outputting the encrypted card making data when the decryption module judges that the card making data are consistent.
Optionally, the card data management system further includes a database for storing various keys and card making data.
Optionally, the first encryption module selects the SEID of the card as the dispersion factor when generating the key of the card, and selects the card number of the card as the dispersion factor when generating the service key and the protection key of the card.
The computer-readable medium of the present invention, on which a computer program is stored, is characterized in that the computer program realizes the steps of the card data management method when executed by a processor.
The computer device of the present invention includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and is characterized in that the processor implements the steps of the card data management method when executing the computer program.
Drawings
Fig. 1 is a flowchart showing specific steps of a card data management method of the present invention.
Fig. 2 is a schematic diagram showing the configuration of the card data management system of the present invention.
Fig. 3 is a schematic diagram showing a case where the card data management system of the present invention performs sensitive data storage.
Fig. 4 is a schematic diagram showing a conventional use method for a key of the card data management system of the present invention.
Detailed Description
The following description is of some of the several embodiments of the invention and is intended to provide a basic understanding of the invention. It is not intended to identify key or critical elements of the invention or to delineate the scope of the invention.
Fig. 1 is a flowchart showing specific steps of a card data management method of the present invention.
As shown in fig. 1, the card data management method of the present invention includes the steps of:
key injection step S100: a root key is injected into the encryption machine; a key provider can directly inject a specific root key into the encryption machine by manual input;
key calculation step S200: selecting a specific algorithm and a dispersion factor, and performing dispersion calculation based on the root key to obtain a service key and/or a protection key of the service key;
key storage step S300: the obtained service key is stored in ciphertext form, wherein the service key and/or the protection key of the service key obtained by dispersion from the root key can be stored in the encryption machine or in a database;
card making data generation step S400: the service key and card data (in DGI or other formats) are assembled to generate card making data, and the card making data and the CRC value are stored in a database in ciphertext form;
air card opening step S500: when a user initiates an air card opening request, the corresponding encrypted card making data is looked up by card number and input into the encryption machine; the encryption machine decrypts the encrypted card making data and verifies whether it is consistent with the stored card making data (for example, the encryption machine checks whether the CRC (cyclic redundancy check) is valid, ensuring that the plaintext data has not been tampered with); if it is consistent, the card making data is exported, and the decrypted card data is encrypted with a security domain key in script form, output, and provided to the user equipment (for example, an NFC device provided to the user).
In the key injection step S100, a root key composed of a plurality of key components is injected into the encryption machine; for example, each key component may be held by a different person, and the key components are input one by one in component order during injection.
In the key calculation step S300, the SEID of the card may be selected as the dispersion factor when the service key of the card is generated, and the card number of the card may be selected as the dispersion factor when the protection key of the service key of the card is generated.
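The flow of steps S100 to S500, as an added example that is not code from the patent. It follows the description's assignment of dispersion factors (SEID for the service key, card number for the protection key); the XOR combination of key components, HMAC-SHA256 as the dispersion algorithm, the HMAC-based stand-in cipher, the use of the protection key to encrypt the stored card making data, and all sample values are assumptions.

```python
import hashlib
import hmac
import os
import zlib

def combine_components(components):
    """S100: form the root key from separately held components (XOR is assumed)."""
    root = bytes(len(components[0]))
    for part in components:
        if len(part) != len(root):
            raise ValueError("key components must have equal length")
        root = bytes(a ^ b for a, b in zip(root, part))
    return root

def disperse(parent_key, factor, label):
    """S200: dispersion calculation, here HMAC-SHA256 over a purpose label and factor."""
    return hmac.new(parent_key, label + b"\x00" + factor, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream; a stand-in for the machine's cipher.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(key, plaintext):
    """Encrypt, then authenticate nonce and ciphertext with an HMAC tag."""
    nonce = os.urandom(16)
    body = _xor_stream(disperse(key, b"enc", b"seal"), nonce, plaintext)
    tag = hmac.new(disperse(key, b"mac", b"seal"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, blob):
    """Reject the blob unless its tag verifies under this key, then decrypt."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(disperse(key, b"mac", b"seal"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext rejected: wrong key or modified data")
    return _xor_stream(disperse(key, b"enc", b"seal"), nonce, body)

class EncryptionMachine:
    """Plaintext keys exist only inside this object; callers handle ciphertext."""

    def __init__(self, components, security_domain_key):
        self._root = combine_components(components)
        self._sd_key = security_domain_key

    def _protection_key(self, card_no):
        return disperse(self._root, card_no, b"protection")

    def export_service_key(self, seid, card_no):
        """S200/S300: service key dispersed by SEID, output under the protection key."""
        return seal(self._protection_key(card_no), disperse(self._root, seid, b"service"))

    def make_card_data(self, card_no, wrapped_service_key, card_data):
        """S400: assemble service key, card data and CRC, then encrypt for storage."""
        protection_key = self._protection_key(card_no)
        record = unseal(protection_key, wrapped_service_key) + card_data
        return seal(protection_key, record + zlib.crc32(record).to_bytes(4, "big"))

    def open_card(self, card_no, stored_blob):
        """S500: decrypt, check the CRC, re-encrypt under the security domain key."""
        plain = unseal(self._protection_key(card_no), stored_blob)
        record, crc = plain[:-4], plain[-4:]
        if zlib.crc32(record).to_bytes(4, "big") != crc:
            raise ValueError("CRC mismatch: card making data rejected")
        return seal(self._sd_key, record)

# Constructed sample values, not taken from the page.
COMPONENTS = [bytes([value]) * 32 for value in (0x11, 0x22, 0x44)]
SD_KEY = bytes(range(32))
SEID, CARD_NO, CARD_DATA = b"SEID-0001", b"0000000000000001", b"DGI0101:balance=0"

def provision():
    """Run S100 to S500; return the machine, the stored blob and the device-side record."""
    machine = EncryptionMachine(COMPONENTS, SD_KEY)
    wrapped = machine.export_service_key(SEID, CARD_NO)
    stored = machine.make_card_data(CARD_NO, wrapped, CARD_DATA)
    return machine, stored, unseal(SD_KEY, machine.open_card(CARD_NO, stored))
```

Because the key protecting the stored record is dispersed from the card number, a record presented under a different card number fails tag verification before the CRC is examined.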
The card data management method of the present invention is explained above, and the card data management system of the present invention is explained next.
Fig. 2 is a schematic diagram showing the configuration of the card data management system of the present invention.
As shown in fig. 2, the card data management system of the present invention is provided with an encryption machine 100 and a database 200 for storing various keys and card making data.
The encryption machine 100 includes:
a storage module 110 for storing a root key of the encryption machine;
a first encryption module 120, configured to invoke a specific algorithm and a dispersion factor (for example, the dispersion factor may be provided by application software), perform dispersion calculation on the root key acquired from the storage module 110 to obtain a service key and/or a protection key of the service key, and output the service key and/or the protection key, where the first encryption module 120 selects the SEID of the card as the dispersion factor when generating the service key of the card, and selects the card number of the card as the dispersion factor when generating the protection key of the service key of the card;
an assembling module 130, configured to encrypt and output card making data assembled from the service key and the input card data;
a decryption module 140, configured to decrypt encrypted card making data input from the outside and verify whether it is identical to the card making data already stored in the storage module; and
a second encryption module 150, configured to encrypt the card making data with the security domain key and output the encrypted card making data when the decryption module determines that the card making data are consistent.
Next, sensitive data storage by the card data management system of the present invention and the conventional method of using a key are described.
Fig. 3 is a schematic diagram showing a case where the card data management system of the present invention performs sensitive data storage.
As shown in fig. 3, system B corresponds to the card data management system of the present invention; it acquires data from the external system A through an interface and performs sensitive data storage.
Specifically, in system A, the application software of system A obtains external data from the encryption machine or other secure element of system A. System B acquires the external data from the application software of system A through the interface; the application software of system B receives the external data and transmits it to the encryption machine 100; and the encryption machine 100 performs a calculation with the root key to obtain a key, outputs a ciphertext, and stores the ciphertext in the database 200.
Fig. 4 is a schematic diagram showing a conventional use method for a key of the card data management system of the present invention.
As shown in fig. 4, the database 200 calls a key from the application software 300 and provides it to the encryptor 100 in ciphertext form, and the encryptor 100 calls a system encryption key (equivalent to a root key) and calls an algorithm to perform decryption computation, thereby obtaining a key plaintext and outputting ciphertext data, which may be used by the application software 300. Or the application software 300 may also provide the data to be encrypted to the encryption engine 100.
As described above, according to the card data management method and the card data management system of the present invention, in a scenario where an NFC mobile phone implements a bus card service, a bus card application and its application data can be dynamically loaded into the security chip of the NFC mobile phone, and the core of the application data needs to be protected as private data. By using the card data management method and the card data management system, the security of card data (such as public transport application data) can be protected during generation, transmission, storage and use. Moreover, the card data can be preset in batches, and the personalized script is then obtained in real time when the card opening service is initiated on the full terminal, so that the security of the system is ensured and the high-concurrency processing capacity of the system is also improved.
Further, the present invention provides a computer-readable medium having stored thereon a computer program which, when executed by a processor, implements the steps of the card data management method of the present invention described above.
Furthermore, the present invention provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the card data management method of the present invention when executing the computer program.
As the computer-readable medium, there are a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory, and the like. As the magnetic recording device, there are HDD, FD, magnetic tape, and the like. As the optical disk, there are DVD (Digital Versatile Disc), DVD-RAM, CD-ROM, CD-R (Recordable)/RW (ReWritable), and the like. As the magneto-optical recording medium, there is MO (Magneto-Optical disk) and the like.
The above examples mainly explain the card data management method and the card data management system of the present invention. Although only a few embodiments of the present invention have been described in detail, those skilled in the art will appreciate that the present invention may be embodied in many other forms without departing from the spirit or scope thereof. Accordingly, the present examples and embodiments are to be considered as illustrative and not restrictive, and various modifications and substitutions may be made therein without departing from the spirit and scope of the present invention as defined by the appended claims.

Claims (8)

1. A card data management method, comprising the steps of:
a key injection step, namely injecting a root key into the encryption machine;
a key calculation step, namely selecting a specific algorithm and a dispersion factor, and performing dispersion calculation based on the root key to obtain a service key and a protection key of the service key;
a key storage step, in which the obtained service key is stored in a form of a ciphertext;
a card making data generation step, namely assembling the service key and card data to generate card making data, and encrypting and storing the card making data; and
an air card opening step, namely: when a user initiates an air card opening request, the corresponding encrypted card making data is looked up by card number and input into the encryption machine; the encryption machine decrypts the encrypted card making data and verifies whether it is consistent with the securely stored card making data; and, if it is consistent, the card making data is encrypted with a security domain key, output, and provided to the user equipment.
2. The card data management method of claim 1,
in the key calculation step, the SEID of the card is selected as a dispersion factor when the key of the card is generated, and the card number of the card is selected as the dispersion factor when the service key and the protection key of the card are generated.
3. The card data management method of claim 1,
in the key injection step, a plurality of key shares are injected into the encryptor, the plurality of key shares constituting a root key.
4. A card data management system, characterized in that the card data management system comprises an encryption engine,
wherein the encryption device comprises:
the storage module is used for storing a root key of the encryption machine;
the first encryption module is used for acquiring a specific algorithm and a dispersion factor, performing dispersion calculation based on the root key to acquire and output a service key and a protection key of the service key;
the assembling module is used for encrypting and outputting card making data assembled from the service key and the input card data;
a decryption module for decrypting encrypted card making data input from the outside and verifying whether it is identical to the card making data already stored in the storage module; and
the second encryption module is used for encrypting the card making data with the security domain key and outputting the encrypted card making data when the decryption module judges that the card making data are consistent.
5. The card data management system according to claim 4, wherein the card data management system further comprises:
a database for storing various keys and card making data.
6. The card data management system of claim 4,
the first encryption module selects the SEID of the card as a dispersion factor when generating the key of the card, and selects the card number of the card as the dispersion factor when generating the service key and the protection key of the card.
7. A computer-readable medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 3.
8. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any one of claims 1 to 3 when executing the computer program.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711035662.2A CN107844707B (en) 2017-10-30 2017-10-30 Card data management method and card data management system


Publications (2)

Publication Number Publication Date
CN107844707A (en) 2018-03-27
CN107844707B (en) 2020-12-29


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant