WO2007121631A1 - System and method of electronic bank safety certification based on cpk - Google Patents

System and method of electronic bank safety certification based on cpk Download PDF

Info

Publication number
WO2007121631A1
WO2007121631A1 PCT/CN2006/003497 CN2006003497W WO2007121631A1 WO 2007121631 A1 WO2007121631 A1 WO 2007121631A1 CN 2006003497 W CN2006003497 W CN 2006003497W WO 2007121631 A1 WO2007121631 A1 WO 2007121631A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
data
bank
cpk
transaction
Prior art date
Application number
PCT/CN2006/003497
Other languages
French (fr)
Chinese (zh)
Inventor
Xianghao Nan
Jianguo Zhao
Original Assignee
Beijing E-Hengxin Authentication Science & Technology Co. Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing E-Hengxin Authentication Science & Technology Co. Ltd. filed Critical Beijing E-Hengxin Authentication Science & Technology Co. Ltd.
Publication of WO2007121631A1 publication Critical patent/WO2007121631A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/20Point-of-sale [POS] network systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/04Payment circuits
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F19/00Complete banking systems; Coded card-freed arrangements adapted for dispensing or receiving monies or the like and posting such transactions to existing accounts, e.g. automatic teller machines
    • G07F19/20Automatic teller machines [ATMs]
    • G07F19/211Software architecture within ATMs or in relation to the ATM network

Definitions

  • the present invention relates to the field of digital communication security authentication, and in particular to an electronic banking security authentication system and method based on a combined public key algorithm (CPK) security authentication.
  • CPK public key algorithm
  • E-banking refers to an electronic business that conducts deposit and withdrawal and transfer services through ATMs and POS machines.
  • the bank has all the information of the customer, especially the symmetric key and password, the bank's information is lost, and the loss of customer information is also involved: Losing tens of millions of user information in banks in the United States and Hong Kong is an example.
  • the second is that the bank retains all the information of the customer, so it is quite easy for the bank's internal staff to obtain the password and steal the customer's deposit. If the bank's internal staff steals the customer's deposit and the customer does not withdraw the deposit, it may cause loss to the customer and affect the bank's reputation.
  • Another method is to implement the secure authentication of e-banking by using the technique of asymmetric key signature.
  • the encryption key and the decryption key are different, and the person who sends the information uses the recipient's public key to send the encrypted information, and the recipient then uses his own private key to decrypt.
  • This approach not only ensures the confidentiality of the information, but also ensures that the information is non-repudiation.
  • the method of passive security authentication of the e-banking system requires a third-party certification mechanism. It must be supported by a certificate library running online. It maintains a database with a large amount of data, occupies a large amount of storage space, and is not efficient at runtime.
  • the processing speed is very slow, and it is unable to adapt to the active protection requirements of public network security such as e-banking from passive protection to credible requirements, and it is impossible to establish a trusted system within the ultra-large-scale public network such as e-banking.
  • a CPK-based electronic banking security authentication system provided for the purpose of the present invention includes an account card, a client and a bank, the client can identify the account card, and the client connects with the bank.
  • the account card includes a first CPK security chip, configured to obtain a system integrity code by using transaction data according to transaction data input by the user, and use a private key to sign the data integrity code by using a CPK algorithm;
  • the client includes a second CPK security chip, configured to obtain client transaction data according to data sent by the first CPK security chip in the account card, and add client identification data; and obtain the client system integrity according to the client transaction data.
  • Character code use the private key pair to sign the client system integrity code through the CPK algorithm; then generate a random number, use the random number to encrypt the client transaction data, integrity code and signature to obtain the client encrypted data, using the bank
  • the public key provided by the terminal encrypts the random number to obtain random number encrypted data;
  • the bank end includes a third CPK security chip, which is used to decrypt the random number by using the CPK algorithm through the bank private key, and obtain the client transaction data by using the random number decryption; and then verify the client signature credibility by using the client public key. At the same time, verify the system integrity code of the client transaction data.
  • the account card signature is read from the client transaction data, and the account card public key verification number signature credibility is used, and the system integrity code of the transaction data is verified at the same time.
  • the user input transaction data is processed on the bank side.
  • the first CPK security chip, the second CPK security chip and the third CPK security chip comprise a CPK algorithm function module, an authentication protocol module and a key exchange protocol module, a public key matrix module, and a corresponding account card, a client. And the private key of the bank identification.
  • the account card is a smart card with a CPU.
  • the client is an ATM or a POS.
  • the second CPK security chip and the third CPK security chip are U-bars.
  • It also includes a computer network for connecting the client to the bank for data communication, and the client's transaction request is transmitted from the client to the bank.
  • a CPK-based electronic banking security authentication method which includes the following steps: Step A) The account card obtains the system integrity code according to the transaction data input by the user, and uses the private key to pass the CPK algorithm. The data integrity code is signed and then transmitted to the client;
  • Step B) The client obtains the client transaction data according to the data sent by the account card and adds the client identification data; obtains the client system integrity code according to the client transaction data; uses the private key pair to pass the CPK algorithm to the client The system integrity code is signed; then a random number is generated, and the client transaction data, the integrity code and the signature are encrypted by using the random number to obtain the client encrypted data, and the random number is encrypted by using the public key provided by the bank to obtain a random number. Encrypt data, transmit client-side encrypted data, client system integrity code and random data encrypted data to silver Line end
  • Step C) The bank side uses the bank private key to decrypt the random number by using the CPK algorithm, and obtains the client transaction data by using the random number decryption; and then uses the client public key to verify the client signature reliability and simultaneously verifies the client transaction data system. Integrity code, after the verification is passed, the account card signature is read from the client transaction data, the account card public key is used to verify the account signature credibility, and the system integrity code of the transaction data is verified, and after the verification is passed, the user is entered into the transaction. The data is processed on the bank side.
  • Step D) After the verification is passed, the bank saves the transaction time, the client signature and the account card signature data.
  • the step A) may include the following steps - step A1) after the user inserts the account card into the bank client device to apply for the transaction, after the client confirms that the card is an account card that the machine can recognize, the user inputs the password and checks the user. Whether the password is correct; if correct, the transaction is prompted to continue; otherwise, the user is prompted to re-enter or close the transaction;
  • Step A2) After the user inputs the correct password, the client device prompts the transaction content;
  • Step A3) The account card signs the integrity code by using the private key in the account card according to the integrity code of the data input by the user; and transmits the signature code to the client.
  • the step B) may include the following steps:
  • Step B1) After receiving the signature code of the account card, the client adds the client identification data to obtain the client transaction data of the transaction;
  • Step B2) The client uses the client transaction data of the transaction to generate a client integrity code of the transaction;
  • Step B3) The client uses the client private key to sign the client data integrity code;
  • Step B4) The client encrypts the data by using the public key of the bank to obtain encrypted data
  • Step B5) The client transmits the encrypted data to the bank.
  • the step C) may include the following steps:
  • Step C1) The bank device receives the client encrypted data transmitted by the client device, and decrypts the original data with its own private key;
  • Step C2) The bank uses the client's public key to verify the client signature and verify the data integrity code
  • Step C3) The bank uses the public key of the account card to verify the signature of the account card and verify the data integrity code.
  • CPK-based electronic banking authentication system and method which utilizes limited factors, binds the identification and the key through a mapping algorithm, and implements ultra-large-scale key management with a small resource, without third-party certification. No database support is required, so the system does not require maintenance. It adapts to different trading environments and trading requirements, and provides credibility (responsibility) proof of the account number, amount, location and time of the transaction.
  • FIG. 1 is a schematic structural diagram of a CPK-based electronic banking security authentication system according to the present invention. Detailed ways ,
  • an existing electronic banking system consists of a client and a bank.
  • a bank and an ATM form a star network, and a star network is formed between the ATM and the client.
  • the user allows the remote client of the bank to selectively initiate a cash service request to be processed automatically, including an ATM or POS machine.
  • the bank side is configured to respond to the client and automatically receive and process the cash service request described by the client.
  • a computer network that connects data between the client and the bank for transmitting client transaction requests from the client to the bank.
  • the electronic banking security authentication system of the present invention comprises a CPK chip at the account card client and the bank, and uses the CPK authentication algorithm to establish a secure transmission of data from the user to the client and the bank. .
  • the Combined Public Key Algorithm is an identification-based public key algorithm, and its key management center generates private key calculation parameters (private key calculation base) and public key calculation parameters (public key calculation base) corresponding to each other; Calculating, according to the identifier provided by the first user, the private key of the first user by using the private key calculation parameter, and providing the generated private key to the first user; and publishing the public key calculation parameter to enable the second user After obtaining the identifier of the first user, the public key of the first user may be calculated according to the identifier of the first user by using the public key calculation parameter.
  • private key calculation base private key calculation base
  • public key calculation parameters public key calculation base
  • the electronic bank security authentication system of the invention is implemented by using a CPK chip, and the CPK chip includes a CPK algorithm function module, a verification protocol module, a key exchange protocol module, a public key matrix module, and a corresponding account card and a client in the CPK algorithm. And the private key of the bank identification.
  • the CPK algorithm function module and the verification protocol module in the present invention are described in the specific embodiment of the applicant's Chinese invention patent application 2005100021564 based on the identification key generation device and method, and are referred to throughout the present invention.
  • the algorithm function module and the authentication protocol module of CPK provide all the parameters and protocols required for authentication, and the public key matrix can be used to calculate the public key of any entity.
  • the CPK security chip of the present invention can be embedded in a U-bar or embedded in an account card. All signature functions, authentication functions, and key exchange functions are performed in the CPK security chip.
  • the CPK algorithm can be used to sign the private key in the CPK algorithm, and the public key (double point) matrix can be used to verify any signed signature.
  • the public key (double point) matrix is a public variable that can be placed in a U-bar or account card, or placed in an ATM machine, POS machine, Bank] households and other places.
  • the user's account card has the same surface form as the current magnetic stripe card, mainly the issue name, serial number and account number. It can be temporarily registered at the bank counter to create an account.
  • the account card account number is defined by the merchant at the factory, and the account private key is configured in advance.
  • the private key is stored in the chip under password encryption and provides the ability to change the password.
  • the account card is implemented by a smart card (IC) with a CPU, and the private key of the account is stored.
  • the private key is also logically protected, that is, stored under the double encryption of the user password and the system integrity code.
  • the system integrity code does not exist in the CPK security chip of the account card. Instead, the system integrity code is temporarily calculated for the data input by the user each time the private key is invoked, thereby preventing the illegal stealing of the private key.
  • the user When the user uses the account card, the user first inserts the card into the client's ATM or POS machine, and enters the password.
  • the alpha check is not performed on the client or the bank of the bank, but is performed inside the user's CPK security chip.
  • the function of the chip can be called correctly only when the password is correct.
  • the ATM or POS machine of the client, and the CPK security chip equipped with the portal system of the bank, can be u-bars, which can function the same as the CPK security chip of the account card, and is equipped with a public key matrix. Since the client's and bank's CPK security chip is equipped with a public key (double point) matrix, the signature of the user's account card's identity can be verified.
  • the first CPK security chip 1 provides a user input password, checks whether the user password is correct; if correct, prompts the transaction to succeed
  • the client device When the user enters the correct password, the client device prompts for the transaction content, and the user inputs relevant data, including withdrawals, deposits, transfers, etc., and selects OK.
  • the first CPK security chip in the account card 1 obtains the data of the user input data according to the data input by the user.
  • the client device After receiving the signature code output by the account card, the client device (ATM, POS) adds the transaction time and the identifier of the second CPK security chip 2 of the machine to obtain the client transaction data of the transaction;
  • the client's second CPK security chip 2 uses the client transaction data of the transaction to generate the client system integrity code of the transaction;
  • the second CPK security chip 2 then uses the client private key to sign the client data integrity code
  • the second CPK security chip 2 uses the client private key to sign the client data integrity code; then, the second CPK security chip 2 encrypts the data by using the public key of the bank to obtain encrypted data; The client transmits the encrypted data to the bank.
  • the third CPK security chip 3 After the bank device (PORTAL, etc.) receives the client encrypted data transmitted from the client device, the third CPK security chip 3 first uses its own private key to decrypt the encrypted data to obtain the original data; The third CPK security chip 3 verifies the client signature by using the public key of the client, and verifies the client data integrity code, and confirms that the received data is consistent with the data transmitted by the client;
  • the third CPK security chip 3 verifies the signature of the account card by using the public key of the account card, and confirms that the received data is consistent with the data input by the user.
  • the bank device forwards the data content input by the user to the banking system for processing, notifies the bank device of the processing result, and the bank device notifies the client device to perform (payment, printing, etc.).
  • the CPK-based electronic banking security authentication system of the present invention can provide the CPK credibility certificate to the electronic bank at every stage of the electronic banking transaction.
  • the private key of the CPK algorithm is provided by the user's account card, the client and the bank's respective CPK security chip, and the public key is provided by the public key (double point) matrix in the CPK chip. Because the public key matrix is a public variable and the amount of data is very small (the amount of more than two thousand Chinese characters), its storage is very easy to solve.
  • the public key of the identifier can be calculated by the CPK mapping algorithm, so that the signature of any identifier can be easily verified.
  • the protocol modules in the electronic banking secure authentication system of the present invention include a digital signature protocol and an encryption protocol, and a key exchange protocol.
  • the digital signature protocol is implemented using the international 509 standard, but does not need to call a third-party certificate. It does not need to call the other party's certificate. Because the CPK algorithm is an algorithm that identifies its own certificate, the process of calling the other party's certificate and verifying the certificate becomes redundant.
  • the key exchange protocol of the present invention is not readily available, and a new non-handshake protocol is designed separately:
  • the key exchange protocol is as follows:
  • A1 Generate a random number r ;
  • the following describes the process of the electronic banking security authentication method of the present invention by taking the withdrawal process as a specific example.
  • the present invention is not limited thereto.
  • the process of performing the electronic banking service the process of authenticating the electronic banking security by using the CPK algorithm is involved.
  • the business method is within the scope of the present invention.
  • Step A According to the transaction data input by the user, the first CPK security chip 1 of the account card obtains the system integrity code, and the data integrity code is signed by the CPK algorithm using the private key in the first CPK security chip 1, and then transmitted to the client. end. .
  • the user When the customer conducts the 'electronic banking operation, the user first performs the security authentication work on the customer account card (ID): the customer inserts the account card (ID card), and can display the operation on the screen of the existing ATM machine. After the customer enters the password, the ID card verifies the user's password. Then, submit the business, press the ATM prompt, select the business: Withdraw, select the amount: 5000, and send the selected data to the ID card.
  • ID card The process in the ID card is as follows.
  • Mac1 HASH (datal); //* Use the hash function HASH to calculate the data datal integrity code Mac1*
  • the ID card sends the data datal, integrity code Ma, signature code Sign, and forwards it to the ATM.
  • Step B The second CPK security chip 2 in the client receives the data sent by the account card, adds the transaction time, and the client security chip identifier to obtain the client transaction data; and obtains the client by using the client transaction data.
  • the system integrity code, and the integrity code is signed by the private key in the second CPK security chip 2, and then the random number is encrypted by using the public key provided by the silver terminal to obtain the random number encrypted data, and the client is encrypted.
  • Data, client system integrity code and random data encrypted data are transmitted to the bank.
  • the client's ATM After the client's ATM receives the data transmitted by the account card, it uses the client security chip on the ATM to perform security authentication:
  • the ATM machine sends the data and transaction time sent by the ID card to the security chip (U stick) on the ATM machine, and the security chip (U stick) performs the security authentication process as follows;
  • Step C After receiving the data transmitted by the client, the bank (PORTAL) uses the third CPK security chip 3 on the bank to decrypt the client transaction data through the bank private key', and then authenticates the client by using the client public key. The integrity code of the end signature and the transaction data. After the verification is passed, the client transaction data is transferred to the third CPK security chip 3 of the bank, the account card signature is read from the client transaction data, and the account signature is verified by using the account card public key. At the same time, the integrity of the transaction data is verified. After the verification is passed, the user operation data is processed on the bank side, and the transaction time, the client signature, and the account card signature are saved. ⁇ . . .
  • the bank After receiving the data transmitted by the client, the bank (PORTAL) uses the bank-side CPK security chip for 'security certification work:
  • the data2 is handed over to the business department for processing.
  • the business department takes the signl from data2 and checks the account signature. If it is legal, the business department processes the withdrawal service and keeps the account signature as evidence for the payment.
  • the result of the processing is made into data data3, and the data should contain mac, Rl, portal signature, and as the receipt data, encrypted and sent to ATM1.
  • the ATM denies the receipt, checks the mac and the random number Rl, and if so, prompts and allows the withdrawal.
  • the electronic bank security authentication system and method of the invention are compatible with the implementation of the existing system, and the existing magnetic stripe card system related to the electronic banking system uses an ATM machine and a POS machine of an account number (IC) card, thereby realizing the original There are minimal changes to the e-banking system. Because the main certification work of this system is completed in the CPK security chip, the impact on the existing electronic banking system is not great. It only needs to change the security chip part of the reader, which has broad application prospects.
  • the invention is based on the CPK-based electronic banking security authentication system > deposit and withdrawal and transfer business through ATM and POS machines.
  • the user's account card is implemented with an IC card with a CPU, and the account seal (signature) can be easily implemented.
  • the credibility of withdrawals, deposits, and transfers is the replacement of credit cards and debit cards for existing magnetic stripe cards.
  • the security authentication process includes mutual authentication between the user and the account card, mutual authentication between the account card and the client (such as an ATM machine), mutual authentication between the client and the bank, and finally between the account card and the bank. Mutual authentication. Its security certification includes the authenticity of the account card, account number, transaction amount, transaction time, transaction location, etc., to ensure the credibility of the transaction.
  • the CPK-based electronic banking authentication system and method of the present invention utilizes a finite factor to bind an identification and a key through a mapping algorithm, and realizes ultra-large-scale key management with a small resource, without third-party certification, and does not require a database. Support, so the system does not require maintenance. It adapts to different trading environments and trading requirements, and provides credibility (responsibility) proof of the account number, amount, location and time of the transaction.

Landscapes

  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A system and method of electronic bank safety certification based on CPK. The system comprises an account number card (4), a client party and a bank party (5). The client party can identify the account number card (4). The client party and the bank party (5) are connected. The account number card (4) includes a first CPK safety chip (1) and uses for obtaining a system integrity code through the trade data by using a private key signature. The client party includes a second CPK safety chip (2) and uses for obtaining the trade data, the system integrity code and the signature of the client party, and generating a random number for encrypting the data. The bank party (5) includes a third CPK safety chip (3) and uses for decrypting the data transferred from the client party and identifying the signature and the integrity code. And a method corresponding to the system is also provided.

Description

一种基于 CPK的电子银行安全认证***和方法  E-banking safety certification system and method based on CPK
技术领域 Technical field
本发明涉及数字通信安全认证领域,特别是涉及一种基于组合公钥算法 (CPK)安全认 证的电子银行安全认证***和方法。 背景技术  The present invention relates to the field of digital communication security authentication, and in particular to an electronic banking security authentication system and method based on a combined public key algorithm (CPK) security authentication. Background technique
电子银行是指通过 ATM、 POS机进行存取款和转帐业务的一种电子业务。  E-banking refers to an electronic business that conducts deposit and withdrawal and transfer services through ATMs and POS machines.
到目前为止, 电子银行***中均釆用磁性卡, 为支付带来了很大的方便, 起到历史 的作用.。但安全性也受到了很大的挑战。磁性卡验证***是用对称密钥加密的方法来实现 的, 即客户密钥在银行中也有。 否则, 银行也就无法解密验证。 这种方式存在以下两个问 题:  So far, the use of magnetic cards in the e-banking system has brought great convenience to payment and played a historical role. But security has also been greatly challenged. The magnetic card verification system is implemented by symmetric key encryption, that is, the customer key is also available in the bank. Otherwise, the bank will not be able to decrypt the verification. There are two problems with this approach:
一是因为银行存有客户的所有信息, 特别是对称密钥和口令, 所以银行的信息丢失, 也涉及客户信息的丢失: 在美国、 香港的银行丢失几千万个用户信息就是例子。  First, because the bank has all the information of the customer, especially the symmetric key and password, the bank's information is lost, and the loss of customer information is also involved: Losing tens of millions of user information in banks in the United States and Hong Kong is an example.
' 二是银行保留了客户的所有信息, 因此银行内部人员相当容易获得密码而窃取客户 的存款。 如果银行内部人员窃取了客户存款后, 而客户并没有提取存款., 则可能会造成客 户损失, 同时对银行的信誉造成影响。  The second is that the bank retains all the information of the customer, so it is quite easy for the bank's internal staff to obtain the password and steal the customer's deposit. If the bank's internal staff steals the customer's deposit and the customer does not withdraw the deposit, it may cause loss to the customer and affect the bank's reputation.
现有另一种方法是,釆用非对称密钥签名的 ΡΚΙ技术方法实现电子银行的安全认证。 , 在这一算法中, 加密密钥与解密密钥各不相同, 发送信息的人利用接收者的公钥发 送加密信息, 接收者再利用自己专有的私钥进行解密。 这种方式既保证了信息的机密性, 又能保证信息具有不可抵赖性。 但是, 这电子银行***被动安全认证的方法, 需要第三方 证明的机制, 必须有在线运行的证书库的支持, 其维护具有大量数据的数据库, 占用大量 的存储空间, 运行时的效率也不高, 处理速度很慢, 不能适应电子银行这样的公众网络安 全由被动防护进入可信要求的主动防护要求,无法在电子银行这样的超大规模的公众网络 范围内建立可信***。 发明内容  Another method is to implement the secure authentication of e-banking by using the technique of asymmetric key signature. In this algorithm, the encryption key and the decryption key are different, and the person who sends the information uses the recipient's public key to send the encrypted information, and the recipient then uses his own private key to decrypt. This approach not only ensures the confidentiality of the information, but also ensures that the information is non-repudiation. However, the method of passive security authentication of the e-banking system requires a third-party certification mechanism. It must be supported by a certificate library running online. It maintains a database with a large amount of data, occupies a large amount of storage space, and is not efficient at runtime. The processing speed is very slow, and it is unable to adapt to the active protection requirements of public network security such as e-banking from passive protection to credible requirements, and it is impossible to establish a trusted system within the ultra-large-scale public network such as e-banking. Summary of the invention
本发明的目的在于克服上述缺陷而提供一种基于 CPK的电子银行认 ***和方法, ' 其不需要维护大量数据的数据库, 运行的效率得到大大提高。 为实现本发明目的而提供的一种基于 CPK的电子银行安全认证***, 包括账号卡, 客户端和银行端, 客户端能够识别账号卡, 客户端与银行端连接。 The object of the present invention is to overcome the above drawbacks and to provide a CPK-based electronic banking system and method, which does not require a database for maintaining large amounts of data, and the operational efficiency is greatly improved. A CPK-based electronic banking security authentication system provided for the purpose of the present invention includes an account card, a client and a bank, the client can identify the account card, and the client connects with the bank.
所述账号卡包括第一 CPK安全芯片, 用于根据用户输入的交易数据, 利用交易数据 得到***完整性码, 利用私钥通过 CPK算法对数据完整性码进行签名;  The account card includes a first CPK security chip, configured to obtain a system integrity code by using transaction data according to transaction data input by the user, and use a private key to sign the data integrity code by using a CPK algorithm;
所述客户端包括第二 CPK安全芯片, 用于根据账号卡中第一 CPK安全芯片发送来 的数据, 并加上客户端标识数据, 得到客户 交易数据; 根据客户端交易数据得到客户端 ***完整性码; 利用私钥对通过 CPK算法对客户端***完整性码进行签名; 然后产生随 机数, 利用随机数对客户端交易数据、 完整性码及签名进行加密, 得到客户端加密数据, 利用银行端提供的公钥对随机数进行加密, 得到随机数加密数据;  The client includes a second CPK security chip, configured to obtain client transaction data according to data sent by the first CPK security chip in the account card, and add client identification data; and obtain the client system integrity according to the client transaction data. Character code; use the private key pair to sign the client system integrity code through the CPK algorithm; then generate a random number, use the random number to encrypt the client transaction data, integrity code and signature to obtain the client encrypted data, using the bank The public key provided by the terminal encrypts the random number to obtain random number encrypted data;
所述银行端包括第三 CPK安全芯片, 用于通过银行端私钥, 利用 CPK算法解密得 到随机数, 利用随机数解密得到客户端交易数据; 然后利用客户端公钥验证客户端签名可 信性, 同时验证客户端交易数据的***完整性码, 验证通过后, 从客户端交易数据中读取 账号卡签名, 利用账号卡公钥验证 号签名可信性, 同时验证交易数据的***完整性码, 验证通过后, 将用户输入交易数据在银行端进行处理。  The bank end includes a third CPK security chip, which is used to decrypt the random number by using the CPK algorithm through the bank private key, and obtain the client transaction data by using the random number decryption; and then verify the client signature credibility by using the client public key. At the same time, verify the system integrity code of the client transaction data. After the verification is passed, the account card signature is read from the client transaction data, and the account card public key verification number signature credibility is used, and the system integrity code of the transaction data is verified at the same time. After the verification is passed, the user input transaction data is processed on the bank side.
所述第一 CPK安全芯片、 第二 CPK安全芯片和第三 CPK安全芯片包括 CPK算法 功能模块, 验证协议模块以及密钥交换协议模块, 公钥矩阵模块, 以及对应于账号卡、 客. 户端和银行端标识的私钥,。  The first CPK security chip, the second CPK security chip and the third CPK security chip comprise a CPK algorithm function module, an authentication protocol module and a key exchange protocol module, a public key matrix module, and a corresponding account card, a client. And the private key of the bank identification.
所述账号卡为带 CPU的智能卡。  The account card is a smart card with a CPU.
所述客户端为 ATM机或者 POS机。  The client is an ATM or a POS.
' 所述第二 CPK安全芯片和第三 CPK安全芯片为 U棒。  The second CPK security chip and the third CPK security chip are U-bars.
还包括计算机网络, 用于连接客户端与银行端, 进行数据通信, 客户端的交易请求 从客户端传送到银行端。  It also includes a computer network for connecting the client to the bank for data communication, and the client's transaction request is transmitted from the client to the bank.
为实现本发明目的还提供一种基于 CPK的电子银行安全认证方法, 包括下列步骤- 步骤 A) 账号卡根据用户输入的交易数据, 利用交易数据得到***完整性码, 利用 私钥通过 CPK算法对数据完整性码进行签名, 然后传输给客户端;  In order to achieve the object of the present invention, a CPK-based electronic banking security authentication method is provided, which includes the following steps: Step A) The account card obtains the system integrity code according to the transaction data input by the user, and uses the private key to pass the CPK algorithm. The data integrity code is signed and then transmitted to the client;
步骤 B) 客户端根据账号卡发送来的数据, 并加上客户端标识数据, 得到客户端交 易数据; 根据客户端交易数据得到客户端***完整性码; 利用私钥对通过 CPK算法对客 户端***完整性码进行签名; 然后产生随机数, 利用随机数对客户端交易数据、 完整性码 及签名进行加密, 得到客户端加密数据, 利用银行端提供的公钥对随机数进行加密, 得到 随机数加密数据, 将客户端加密数据, 客户端***完整性码和随机数据加密数据传送给银 行端; Step B) The client obtains the client transaction data according to the data sent by the account card and adds the client identification data; obtains the client system integrity code according to the client transaction data; uses the private key pair to pass the CPK algorithm to the client The system integrity code is signed; then a random number is generated, and the client transaction data, the integrity code and the signature are encrypted by using the random number to obtain the client encrypted data, and the random number is encrypted by using the public key provided by the bank to obtain a random number. Encrypt data, transmit client-side encrypted data, client system integrity code and random data encrypted data to silver Line end
步骤 C)银行端通过银行端私钥, 利用 CPK算法解密得到随机数, 利用随机数解密 得到客户端交易数据; 然后利用客户端公钥验证客户端签名 信性, 同时验证客户端交易 数据的***完整性码, 验证通过后, 从客户端交易数据中读取账号卡签名, 利用账号卡公 钥验证账号签名可信性, 同时验证交易数据的***完整性码, 验证通过后, 将用户输入交 易数据在银行端进行处理。  Step C) The bank side uses the bank private key to decrypt the random number by using the CPK algorithm, and obtains the client transaction data by using the random number decryption; and then uses the client public key to verify the client signature reliability and simultaneously verifies the client transaction data system. Integrity code, after the verification is passed, the account card signature is read from the client transaction data, the account card public key is used to verify the account signature credibility, and the system integrity code of the transaction data is verified, and after the verification is passed, the user is entered into the transaction. The data is processed on the bank side.
步骤 D) 在验证通过后, 银行端保存交易时间, 客户端签名以及账号卡签名数据。 所述步骤 A) 可以包括下列步骤- 步骤 A1 )在用户将账号卡***银行客户端设备申请交易后, 客户端确认该卡为本机 可以识别的账号卡后, 提供用户输入口令, 检査用户口令是否正确; 如果正确, 则提示交 易继续进行; 否则, 提示用户重新输入或者结束交易;  Step D) After the verification is passed, the bank saves the transaction time, the client signature and the account card signature data. The step A) may include the following steps - step A1) after the user inserts the account card into the bank client device to apply for the transaction, after the client confirms that the card is an account card that the machine can recognize, the user inputs the password and checks the user. Whether the password is correct; if correct, the transaction is prompted to continue; otherwise, the user is prompted to re-enter or close the transaction;
步骤 A2) 当用户输入正确的口令后, 客户端设备提示交易内容;  Step A2) After the user inputs the correct password, the client device prompts the transaction content;
步骤 A3 )账号卡根据用户输入的数据的完整性码, 利用账号卡中的私钥对完整性码 签名; 并将签名码传送给客户端。  Step A3) The account card signs the integrity code by using the private key in the account card according to the integrity code of the data input by the user; and transmits the signature code to the client.
. 所述步骤 B) 可以包括下列步骤:  The step B) may include the following steps:
步骤 B1 )客户端收到账号卡的签名码后, 加上客户端标识数据, 得到本次交易的客. 户端交易数据; '  Step B1) After receiving the signature code of the account card, the client adds the client identification data to obtain the client transaction data of the transaction;
步骤 B2)客户端利用本次交易的客户端交易数据,生成本次交易的客户端完整性码; 步骤 B3 ) 客户端利用客户端私钥对客户端数据完整性码签名;  Step B2) The client uses the client transaction data of the transaction to generate a client integrity code of the transaction; Step B3) The client uses the client private key to sign the client data integrity code;
步骤 B4) 客户端利用银行端的公钥将数据加密, 得到加密数据;  Step B4) The client encrypts the data by using the public key of the bank to obtain encrypted data;
步骤 B5) 客户端将加密数据传送给银行端。  Step B5) The client transmits the encrypted data to the bank.
所述步骤 C) 可以包括下列步骤:  The step C) may include the following steps:
步骤 C1 )银行端设备收到客户端设备传送来的客户端加密数据, 用自己的私钥解密 到原文数据;  Step C1) The bank device receives the client encrypted data transmitted by the client device, and decrypts the original data with its own private key;
步骤 C2) 银行端利用客户端的公钥验证客户端签名, 并验证数据完整性码;  Step C2) The bank uses the client's public key to verify the client signature and verify the data integrity code;
步骤 C3 ) 银行端利用账号卡的公钥验证账号卡的签名, 并验证数据完整性码。  Step C3) The bank uses the public key of the account card to verify the signature of the account card and verify the data integrity code.
本发明的有益效果是: 基于 CPK的电子银行认证***和方法, 其利用有限因素, 通 过映射算法将标识和密钥绑定, 以很小的资源实现超大规模密钥管理, 无需第三方证明, 不需要数据库的支持, 因此***不需要维护。 其适应不同的交易环境和交易要求, 为交易 的账号、 金额、 地点和时间等提供可信性 (负责性) 证明。 附图说明 The beneficial effects of the present invention are: CPK-based electronic banking authentication system and method, which utilizes limited factors, binds the identification and the key through a mapping algorithm, and implements ultra-large-scale key management with a small resource, without third-party certification. No database support is required, so the system does not require maintenance. It adapts to different trading environments and trading requirements, and provides credibility (responsibility) proof of the account number, amount, location and time of the transaction. DRAWINGS
图 1为本发明的基于 CPK的电子银行安全认证***结构示意图。 具体实施方式 ,  FIG. 1 is a schematic structural diagram of a CPK-based electronic banking security authentication system according to the present invention. Detailed ways ,
下面结合附图进一步详细说明本发明的基于 CPK的电子银行认证***和方法。 一般地, 现有的电子银行***, 由客户端和银行端 (Portal) 构成,  The CPK-based electronic banking authentication system and method of the present invention will be further described in detail below with reference to the accompanying drawings. Generally, an existing electronic banking system consists of a client and a bank.
用户在 ATM机和 POS机上进行的交易。以 ATM***为例,银行端(Portal)和 ATM 机构成星状网, ATM机和客户之间又构成一个星状网。  User transactions on ATMs and POS machines. Taking the ATM system as an example, a bank and an ATM form a star network, and a star network is formed between the ATM and the client.
客户端, 用户允许银行的远程客户有选择地发起要自动处理的现金业务请求, 包括 ATM机或者 POS机。  On the client side, the user allows the remote client of the bank to selectively initiate a cash service request to be processed automatically, including an ATM or POS machine.
银行端, 用于响应客户端, 自动接收和处理客户端所述的现金业务请求。  The bank side is configured to respond to the client and automatically receive and process the cash service request described by the client.
连接客户端与银行端之间进行数据通信的的计算机网络, 用于将客户端的交易请求 从客户端传送给银行端。  A computer network that connects data between the client and the bank for transmitting client transaction requests from the client to the bank.
. 如图 1所示, .本发明的电子银行安全认证***, 其包括在账号卡客户端以及银行端 的 CPK芯片, 利用 CPK认证算法, 建立从用户到客户端和银行端之间的数据安全传送。  As shown in FIG. 1 , the electronic banking security authentication system of the present invention comprises a CPK chip at the account card client and the bank, and uses the CPK authentication algorithm to establish a secure transmission of data from the user to the client and the bank. .
组合公钥算法(Combined Pubic Key, CPK)是基于标识的公钥算法, 其密钥管理中 心生成彼此对应的私钥计算参数 (私钥计算基) 和公钥计算参数 (公钥计算基); 根据第 一用户提供的标识, 利用所述私钥计算参数计算第一用户的私钥, 并将所产生的私钥提供 给第一用户; 以及公布所述公钥计算参数, 以使得第二用户在获得第一用户的标识后, 可 根据第一用户的标识, 利用所述的公钥计算参数, 计算第一用户的公钥。  The Combined Public Key Algorithm (CPK) is an identification-based public key algorithm, and its key management center generates private key calculation parameters (private key calculation base) and public key calculation parameters (public key calculation base) corresponding to each other; Calculating, according to the identifier provided by the first user, the private key of the first user by using the private key calculation parameter, and providing the generated private key to the first user; and publishing the public key calculation parameter to enable the second user After obtaining the identifier of the first user, the public key of the first user may be calculated according to the identifier of the first user by using the public key calculation parameter.
本发明的电子银行安全认证***, 利用 CPK芯片实现, CPK芯片中包括 CPK算法 中的 CPK算法功能模块, 验证协议模块, 密钥交换协议模块, 公钥矩阵模块, 以及对应 于账号卡、 客户端和银行端标识的私钥。  The electronic bank security authentication system of the invention is implemented by using a CPK chip, and the CPK chip includes a CPK algorithm function module, a verification protocol module, a key exchange protocol module, a public key matrix module, and a corresponding account card and a client in the CPK algorithm. And the private key of the bank identification.
本发明中的具有 CPK算法功能模块、验证协议模块, 在申请人的中国发明专利申请 2005100021564基于标识的密钥产生装置及方法中具体实施方式所述, 在本发明中全文引 用。 CPK的算法功能模块和验证协议模块提供认证所需所有参数和协议,利用公钥矩阵则 就能计算任何实体的公钥。  The CPK algorithm function module and the verification protocol module in the present invention are described in the specific embodiment of the applicant's Chinese invention patent application 2005100021564 based on the identification key generation device and method, and are referred to throughout the present invention. The algorithm function module and the authentication protocol module of CPK provide all the parameters and protocols required for authentication, and the public key matrix can be used to calculate the public key of any entity.
本发明的 CPK安全芯片可镶嵌在 U棒中,也可以镶嵌在账号卡中。所有的签名功能、 验证功能以及密钥交换功能均在 CPK安全芯片中进行。通过 CPK算法中的私钥就可以利 用 CPK算法进行签名, 有了公钥 (倍点) 矩阵就可以对任何标识的签名进行验证。 公钥 (倍点)矩阵是公开变量, 可以放置在 U棒或账号卡中, 也可以放置在 ATM机、 POS机、 银行 ]户等地方。 The CPK security chip of the present invention can be embedded in a U-bar or embedded in an account card. All signature functions, authentication functions, and key exchange functions are performed in the CPK security chip. The CPK algorithm can be used to sign the private key in the CPK algorithm, and the public key (double point) matrix can be used to verify any signed signature. The public key (double point) matrix is a public variable that can be placed in a U-bar or account card, or placed in an ATM machine, POS machine, Bank] households and other places.
用户的账号卡的表面形式与目前的磁条卡一样, 主要是发行名、 流水号和账号, 可 以在银行柜台临时注册建立账号。账号卡的账号由商户在出厂时定义好, 事先配置好账号 私钥。 私钥在口令加密下存入芯片中, 并提供更改口令的功能。  The user's account card has the same surface form as the current magnetic stripe card, mainly the issue name, serial number and account number. It can be temporarily registered at the bank counter to create an account. The account card account number is defined by the merchant at the factory, and the account private key is configured in advance. The private key is stored in the chip under password encryption and provides the ability to change the password.
账号卡用带 CPU的智能卡 (IC) 实现, 存有该账号的私钥, 私钥除物理保护外, 还 受到逻辑保护, 即在用户口令和***完整性码双重加密下存储。 ***完整性码并不存在于 账号卡的 CPK安全芯片中, 而是在每一次调用私钥时对用户输入的数据临时计算***完 整性码, 以此防止以非法手段来偷窃私钥的行为。  The account card is implemented by a smart card (IC) with a CPU, and the private key of the account is stored. In addition to the physical protection, the private key is also logically protected, that is, stored under the double encryption of the user password and the system integrity code. The system integrity code does not exist in the CPK security chip of the account card. Instead, the system integrity code is temporarily calculated for the data input by the user each time the private key is invoked, thereby preventing the illegal stealing of the private key.
用户在使用帐户卡时, 先将该卡***客户端的 ATM机或 POS机后, 要输入口令, α令的检查并不在银行的客户端或者银行端进行, 而是在用户的 CPK安全芯片内部进行, 只有口令正确时才能正确调用芯片的功能。  When the user uses the account card, the user first inserts the card into the client's ATM or POS machine, and enters the password. The alpha check is not performed on the client or the bank of the bank, but is performed inside the user's CPK security chip. The function of the chip can be called correctly only when the password is correct.
客户端的 ATM机或者 POS机, 以及银行端的门户***配备的 CPK安全芯片, '可以 是 u棒, 其功 ^能与账号卡的 CPK安全芯片功能相同, 而且配备了公钥矩阵。 由于客户端 '及银行端的 CPK安全芯片配备了公钥 (倍点) 矩阵, 可以验证用户的账号卡的标识的签 名。  The ATM or POS machine of the client, and the CPK security chip equipped with the portal system of the bank, can be u-bars, which can function the same as the CPK security chip of the account card, and is equipped with a public key matrix. Since the client's and bank's CPK security chip is equipped with a public key (double point) matrix, the signature of the user's account card's identity can be verified.
A) 电子银行交易处理过程中, 首先在用户将账号卡***银行客户端设备, (ATM, POS) 申请交易后, 客户端确认该卡为本机可以识别的账号卡后, 运行账号卡上的第一 CPK安全芯片 1, 提供用户输入口令, 检査用户口令是否正确; 如果正确, 则提示交易继 A) In the process of electronic banking transaction processing, firstly after the user inserts the account card into the bank client device, (ATM, POS) applies for the transaction, the client confirms that the card is an account card that can be recognized by the machine, and then runs the account card. The first CPK security chip 1, provides a user input password, checks whether the user password is correct; if correct, prompts the transaction to succeed
'续进行; 否则, 提示用户重新输入或者结束交易。 'Continued; otherwise, prompt the user to re-enter or close the transaction.
当用户输入正确的口令后, 客户端设备提示交易内容, 用户输入相关数据, 包括取 款、 存款、 转账等, 并选择确定。  When the user enters the correct password, the client device prompts for the transaction content, and the user inputs relevant data, including withdrawals, deposits, transfers, etc., and selects OK.
账号卡中的第一 CPK安全芯片 1根据用户输入的数据,得到用户输入数据的数据完 The first CPK security chip in the account card 1 obtains the data of the user input data according to the data input by the user.
'整性码, 并将签名码传送给客户端。 'Integrity code, and pass the signature code to the client.
B) 客户端设备 (ATM, POS 机)收到账号卡输出的签名码后, 加上交易时间和本' 机的第二 CPK安全芯片 2的标识, 得到本次交易的客户端交易数据;  B) After receiving the signature code output by the account card, the client device (ATM, POS) adds the transaction time and the identifier of the second CPK security chip 2 of the machine to obtain the client transaction data of the transaction;
客户端的第二 CPK安全芯片 2利用本次交易的客户端交易数据,生成本次交易的客 户端***完整性码;  The client's second CPK security chip 2 uses the client transaction data of the transaction to generate the client system integrity code of the transaction;
然后第二 CPK安全芯片 2利用客户端私钥对客户端数据完整性码签名;  The second CPK security chip 2 then uses the client private key to sign the client data integrity code;
其后, 第二 CPK安全芯片 2利用客户端私钥对客户端数据完整性码签名; 接着, 第二 CPK安全芯片 2利用银行端的公钥将数据加密, 得到加密数据; 客户端将加密数据传送给银行端。 Thereafter, the second CPK security chip 2 uses the client private key to sign the client data integrity code; then, the second CPK security chip 2 encrypts the data by using the public key of the bank to obtain encrypted data; The client transmits the encrypted data to the bank.
C)银行端设备(PORTAL等)收到客户端设备传送来的客户端加密数据后, 银行端 •第三 CPK安全芯片 3首先利用自己的私钥, 解密加密数据, 得到原来的数据; .. 第三 CPK安全芯片 3利用客户端的公钥验证客户端签名,并验证客户端数据完整性 码, 确认所收到的数据与客户端传送的数据一致;  C) After the bank device (PORTAL, etc.) receives the client encrypted data transmitted from the client device, the third CPK security chip 3 first uses its own private key to decrypt the encrypted data to obtain the original data; The third CPK security chip 3 verifies the client signature by using the public key of the client, and verifies the client data integrity code, and confirms that the received data is consistent with the data transmitted by the client;
第三 CPK安全芯片 3利用账号卡的公钥验证账号卡的签名,确认所收到的数据与用 户输入的数据一致。  The third CPK security chip 3 verifies the signature of the account card by using the public key of the account card, and confirms that the received data is consistent with the data input by the user.
. 银行端设备将用户输入的数据内容再转交银行业务***处理, 将处理结果通知银行 端设备, 银行端设备通知客户端设备执行 (出款, 打印等)。 '  The bank device forwards the data content input by the user to the banking system for processing, notifies the bank device of the processing result, and the bank device notifies the client device to perform (payment, printing, etc.). '
因此, 本发明的基于 CPK的电子银行安全认证***, 可以在电子银行的交易每一个 环节都要向电子银行提供 CPK可信性证明。 其中, CPK算法的私钥分别由用户手中的账 号卡,客户端以及银行端的各自 CPK安全芯片提供, 公钥则由 CPK芯片中的公钥(倍点) 矩阵提供。 因为公钥矩阵是公开变量, 而且数据量非常小 (两千多个汉字的量), 其存储 非常容易解决。 根据 CPK算法, 只要有了公钥 (倍点) 矩阵和标识, 就能通过 CPK映射 算法把该标识的公钥计算出来, 因此能够简便地验证任何标识的签名。  Therefore, the CPK-based electronic banking security authentication system of the present invention can provide the CPK credibility certificate to the electronic bank at every stage of the electronic banking transaction. The private key of the CPK algorithm is provided by the user's account card, the client and the bank's respective CPK security chip, and the public key is provided by the public key (double point) matrix in the CPK chip. Because the public key matrix is a public variable and the amount of data is very small (the amount of more than two thousand Chinese characters), its storage is very easy to solve. According to the CPK algorithm, as long as the public key (double point) matrix and the identifier are available, the public key of the identifier can be calculated by the CPK mapping algorithm, so that the signature of any identifier can be easily verified.
' 本发明电子银行安全认证***中的协议模块包括数字签名协议和加密协议, 以及密 钥交换协议。 数字签名协议采用国际 509标准执行, 但不需要调用第三方证明, 不需要调 用对方证书, 因为 CPK算法是标识自身证明的算法, 因此调用对方证书, 验 ¾证书的过 程变为多余。  The protocol modules in the electronic banking secure authentication system of the present invention include a digital signature protocol and an encryption protocol, and a key exchange protocol. The digital signature protocol is implemented using the international 509 standard, but does not need to call a third-party certificate. It does not need to call the other party's certificate. Because the CPK algorithm is an algorithm that identifies its own certificate, the process of calling the other party's certificate and verifying the certificate becomes redundant.
本发明的密钥交换协议没有现成的, 另行设计非握手式的新协议: '  The key exchange protocol of the present invention is not readily available, and a new non-handshake protocol is designed separately:
. 密钥交换协议如下:  The key exchange protocol is as follows:
设用户 A的私钥为 SKA, 公钥为 ΡΚΛ, 用户 Β的私钥为 SK1S,公钥为 PKB, 那么 A和 B的 密钥交换过程是: Let user A's private key be SK A , the public key be ΡΚ Λ , the user's private key is SK 1S , and the public key is PK B. Then the key exchange process of A and B is:
A1 : 生成随机数 r ;  A1 : Generate a random number r ;
A2: 计算 rG , G是椭圆曲线密钥的基点, 令 rG=key;  A2: Calculate rG, G is the base point of the elliptic curve key, let rG=key;
A3: 用 key对数据 data加密: Ekey (data) = α; A3: Encrypt data data with key: E key (data) = α;
Α4: 在 Β的公钥基础上计算 r (PKB) = β ; Α 4: Calculate r (PK B ) = β based on the public key of Β ;
. Α5: 将 α、 β发给 Β;  Α5: Send α, β to Β;
. ,ΒΙ : 用自己的私钥对 β进行运算, 求出加密密钥 key : . , ΒΙ : Calculate β with its own private key to find the encryption key key :
- β (SKB) -1=r (PKB) (SKB) "'=r (SKB*G) (SKB) " = rG = key; B2: 用 key脱密数据: DKEY ( α ) =data; - β (SK B ) -1 = r (PK B ) (SK B ) "'=r (SK B *G) (SK B ) " = rG = key; B2: Decrypt data with key: D KEY ( α ) = data;
下面以取款流程作为具体例子, 说明本发明的电子银行安全认证方法过程, 但本发 明并不以此为限, 在进行电子银行业务过程中, 涉及到利用 CPK算法对电子银行安全进行 认证的过程业务方法, 都在本发明的保护范围之内。  The following describes the process of the electronic banking security authentication method of the present invention by taking the withdrawal process as a specific example. However, the present invention is not limited thereto. In the process of performing the electronic banking service, the process of authenticating the electronic banking security by using the CPK algorithm is involved. The business method is within the scope of the present invention.
步骤 A:根据用户输入的交易数据,账号卡第一 CPK安全芯片 1得到***完整性码, 利用第一 CPK安全芯片 1中的私钥通过 CPK算法对数据完整性码进行签名, 然后传输给 客户端。 .  Step A: According to the transaction data input by the user, the first CPK security chip 1 of the account card obtains the system integrity code, and the data integrity code is signed by the CPK algorithm using the private key in the first CPK security chip 1, and then transmitted to the client. end. .
客户在进行'电子银行操作时, 首先在客户账号卡 (ID) 进行安全认证的工作: 客户***账号卡(ID卡), 可以按目前现有 ATM机的屏幕显示操作。 客户输入口令 后, ID卡验证用户口令。 然后, 提交业务, 按 ATM机提示, 选择业务: 取款, 选择金额: 5000, 并将选择的数据送入 ID卡中。 在 ID卡中的流程如下。  When the customer conducts the 'electronic banking operation, the user first performs the security authentication work on the customer account card (ID): the customer inserts the account card (ID card), and can display the operation on the screen of the existing ATM machine. After the customer enters the password, the ID card verifies the user's password. Then, submit the business, press the ATM prompt, select the business: Withdraw, select the amount: 5000, and send the selected data to the ID card. The process in the ID card is as follows.
1 . data1= (账号 //取款 //5000); //*用本卡账号、 取款代码、 5000作数据 datal*  1. data1= (account / withdrawal / 5000); / * use the card account, withdrawal code, 5000 for datal
2. Mac1=HASH (datal ); //*用散列函数 HASH计算数据 datal的完整性码 Mac1* 2. Mac1=HASH (datal); //* Use the hash function HASH to calculate the data datal integrity code Mac1*
' 3. Sign1=SIG 账躺 (mad ), //*用账号私钥利用 CPK算法对完整性码签名, 得至签名 码 S1GN1* ' 3. Sign1=SIG account lie (mad), //* Sign the integrity code with the CPK algorithm using the account private key, get the signature code S1GN1*
4. ID卡将数据 datal,完整性码 Ma ,签名码 Sign 送出, 并转交给 ATM机。  4. The ID card sends the data datal, integrity code Ma, signature code Sign, and forwards it to the ATM.
步骤 B: 客户端中的第二 CPK安全芯片 2接收到账号卡发送来的数据, 并加上交易 时间, 以及客户端安全芯片标识, 得到客户端交易数据; 利用客户端交易数据得到客户端 · ***完整性码, 并利用第二 CPK安全芯片 2中的私钥对完整性码进行签名, 然后利用银' 行端提供的公钥对随机数进行加密, 得到随机数加密数据, 将客户端加密数据, 客户端系 统完整性码和随机数据加密数据传送给银行端。  Step B: The second CPK security chip 2 in the client receives the data sent by the account card, adds the transaction time, and the client security chip identifier to obtain the client transaction data; and obtains the client by using the client transaction data. The system integrity code, and the integrity code is signed by the private key in the second CPK security chip 2, and then the random number is encrypted by using the public key provided by the silver terminal to obtain the random number encrypted data, and the client is encrypted. Data, client system integrity code and random data encrypted data are transmitted to the bank.
当客户端的 ATM机接收到账号卡传输来的数据后, 利用 ATM机上的客户端安全芯 片进行安全认证的工作:  After the client's ATM receives the data transmitted by the account card, it uses the client security chip on the ATM to perform security authentication:
ATM机将 ID卡送出的数据和交易时间送入 ATM机上的安全芯片 (U棒) 中, 安全芯 片 (U棒) 进行安全认证中的流程如下;  The ATM machine sends the data and transaction time sent by the ID card to the security chip (U stick) on the ATM machine, and the security chip (U stick) performs the security authentication process as follows;
1 . data2= (datal,Mac1,Sign1、 交易时间、 ATM1 ); /ΓΑΤΜ1是该 ATM1的标识  1. data2= (datal, Mac1, Sign1, transaction time, ATM1); /ΓΑΤΜ1 is the identifier of the ATM1
2. Mac2=Hash(data2);  2. Mac2=Hash(data2);
3. Sign2= SIGATMi私钥 (mac2);  3. Sign2= SIGATMi private key (mac2);
4. 然后进行数据加密:  4. Then encrypt the data:
41 ) 产生随机数 R3, 并计算 Key = R3 · G; 42) 用 Key对数据加密: Ekey(data2/Mac2/Sign2)=cipher-text; 41) Generate a random number R3 and calculate Key = R 3 · G; 42) Encrypt the data with Key: Ekey(data2/Mac2/Sign2)=cipher-text;
43) 再用对方公钥 (PORTAL公钥)计算;  43) Calculate with the other party's public key (PORTAL public key);
EPORTAL公 ( R3) = coded-key;  EPORTAL public ( R3) = coded-key;
5. 将加密后的数据 cipher-text和 coded-key送出 U棒外, 通过 ATM机发送给银行 端 PORTAL。  5. Send the encrypted data cipher-text and coded-key out of the U-bar and send it to the bank PORTAL through the ATM.
步骤 C: 银行端 (PORTAL) 接收到客户端传送来的数据后, 利用银行端第三 CPK 安全芯片 3, 通过银行端私钥', 解密得到客户端交易数据; 然后利用客户端公钥验证客户 端签名和交易数据的完整性码, 验证通过后, 将客户端交易数据交由银行端第三 CPK安 全芯片 3, 从客户端交易数据中读取账号卡签名, 利用账号卡公钥验证账号签名, 同时验 证交易数据的完整性,验证通过后,将用户操作数据在银行端进行处理,并保存交易时间, 客户端签名以及账号卡签名等数据。 · . .  Step C: After receiving the data transmitted by the client, the bank (PORTAL) uses the third CPK security chip 3 on the bank to decrypt the client transaction data through the bank private key', and then authenticates the client by using the client public key. The integrity code of the end signature and the transaction data. After the verification is passed, the client transaction data is transferred to the third CPK security chip 3 of the bank, the account card signature is read from the client transaction data, and the account signature is verified by using the account card public key. At the same time, the integrity of the transaction data is verified. After the verification is passed, the user operation data is processed on the bank side, and the transaction time, the client signature, and the account card signature are saved. · . . .
银行端 (PORTAL) 接收到客户端传送来的数据后, 利用银行端 CPK安全芯片进行' 安全认证工作: .  After receiving the data transmitted by the client, the bank (PORTAL) uses the bank-side CPK security chip for 'security certification work:
1 . 对客户端 (ATM机) 的发送来的数据进行解密  1. Decrypt the data sent by the client (ATM machine)
用银行端 ( PORTAL) 自己的 CPK私钥, 利用 CPK算法解密: ·  Use the CPK private key on the bank ( PORTAL) to decrypt it using the CPK algorithm:
DPORTAL私切 (coded-key) =R3;  DPORTAL private (coded-key) = R3;
DR3 (cipher-text) = (data2/Mac2/Sign2)  DR3 (cipher-text) = (data2/Mac2/Sign2)
2. 用 ATM1的公钥检査签名 Sign2, 对 ATM1的负责性进行检查;  2. Check the signature Sign2 with the public key of ATM1 to check the responsibility of ATM1;
3. 检査均通过, 将 data2交给业务部门处理, 业务部门从 data2中取出 signl, 检查 账号签名, 如果合法, 业务部门处理取款业务, 并将账号签名留作取过款的证据。  3. After the check is passed, the data2 is handed over to the business department for processing. The business department takes the signl from data2 and checks the account signature. If it is legal, the business department processes the withdrawal service and keeps the account signature as evidence for the payment.
4. 将处理结果做成数据 data3, 数据要包含 mac, Rl, portal签名, 作为回执数据, 加密发送给 ATM1。  4. The result of the processing is made into data data3, and the data should contain mac, Rl, portal signature, and as the receipt data, encrypted and sent to ATM1.
5. 最后, ATM对回执脱密, 检查 mac和随机数 Rl, 如果符合, 则提示并允许执行 取款。  5. Finally, the ATM denies the receipt, checks the mac and the random number Rl, and if so, prompts and allows the withdrawal.
本发明的电子银行安全认证***及方法, 与现有***的实现兼容, 其与电子银行系 统涉及的现有磁条卡***使用账号 (IC) 卡的 ATM机、 POS机, 因此, 实现对原有电子 银行***最小改动。 因为本***的主要认证工作均在 CPK安全芯片中完成, 对现有电子 银行***的影响并不大, 只是需要改变读卡器安全芯片部分, 具有广泛的应用前景。  The electronic bank security authentication system and method of the invention are compatible with the implementation of the existing system, and the existing magnetic stripe card system related to the electronic banking system uses an ATM machine and a POS machine of an account number (IC) card, thereby realizing the original There are minimal changes to the e-banking system. Because the main certification work of this system is completed in the CPK security chip, the impact on the existing electronic banking system is not great. It only needs to change the security chip part of the reader, which has broad application prospects.
本发明基于 CPK的电子银行安全认证*** > 通过 ATM 、 POS机进行的存取款和转 帐业务。 用户的账号卡用带 CPU的 IC卡实现, 可以简便地实现账号*** (签名), 保证 取款、 存款、 转帐的可信性, 是现有磁条卡的***、 借贷卡的换代产品。 其安全认证过 程包括用户与账号卡的互相认证、 账号卡与客户端 (如 ATM机) 之间的互相认证、 客户 端和银行端之间的互相认证, 最后形成账号卡与银行端之间的互相认证。其安全认证包括 了对账号卡、账号、交易金额、交易时间、交易地点等的真实性证明, 保证交易的可信性。 The invention is based on the CPK-based electronic banking security authentication system > deposit and withdrawal and transfer business through ATM and POS machines. The user's account card is implemented with an IC card with a CPU, and the account seal (signature) can be easily implemented. The credibility of withdrawals, deposits, and transfers is the replacement of credit cards and debit cards for existing magnetic stripe cards. The security authentication process includes mutual authentication between the user and the account card, mutual authentication between the account card and the client (such as an ATM machine), mutual authentication between the client and the bank, and finally between the account card and the bank. Mutual authentication. Its security certification includes the authenticity of the account card, account number, transaction amount, transaction time, transaction location, etc., to ensure the credibility of the transaction.
本发明的基于 CPK的电子银行认证***和方法, 其利用有限因素, 通过映射算法将 标识和密钥绑定, 以很小的资源实现超大规模密钥管理, 无需第三方证明, 不需要数据库 的支持, 因此***不需要维护。其适应不同的交易环境和交易要求, 为交易的账号、金额、 地点和时间等提供可信性 (负责性) 证明。  The CPK-based electronic banking authentication system and method of the present invention utilizes a finite factor to bind an identification and a key through a mapping algorithm, and realizes ultra-large-scale key management with a small resource, without third-party certification, and does not require a database. Support, so the system does not require maintenance. It adapts to different trading environments and trading requirements, and provides credibility (responsibility) proof of the account number, amount, location and time of the transaction.
本实施例是使本领域普通技术人员理解本发明, 而对本发明所进行的详细描述, 但 可以想到, 在不脱离本发明的权利要求所涵盖的范围内还可以做出其它的变化和修改, 这 些变化和修改均在本发明的保护范围内。  The present invention is intended to be understood by those of ordinary skill in the art, and the invention is described in detail, but it is contemplated that other changes and modifications may be made without departing from the scope of the invention. These variations and modifications are within the scope of the invention.

Claims

权利要求书 Claim
1.一种基于 CPK的电子银行安全认证***, 包括账号卡, 客户端和银行端, 客户端 能够识别账号卡, 客户端与银行端连接, 其特征在于: 1. A CPK-based electronic banking security authentication system, including an account card, a client and a bank, the client can identify the account card, and the client is connected to the bank, and is characterized by:
所述账号卡包括第一 CPK安全芯片 (1), 用于根据用户输入的交易数据, 利用交易数 据得到***完整性码, 利用私钥通过 CPK算法对数据完整性码进^1签名; CPK card to the account comprises a first security chip (1), according to a user's input, obtained using the system's integrity code, by using the private key algorithm CPK data integrity code into the signature ^ 1;
所述客户端包括第二 CPK安全芯片 (2), 用于根据账号卡中第一 CPK安全芯片 (1)发 送来的数据, 并加上客户端标识数据, 得到客户端交易数据; 根据客户端交易数据得到客 户端***完整性码; 利用私钥对通过 CPK算法对客户端***完整性码进行签名; 然后产 生随机数, 利用随机数对客户端交易数据、 完整性码及签名进行加密, 得到客户端加密数 据, 利用银行端提供的公钥对随机数进行加密, 得到随机数加密数据; . 所述银行端包括第三 CPK安全芯片 (3), 用于通过银行端私钥, 利用 CPK算法解密 得到随机数, 利用随机数解密得到客户端交易数据; 然后利用客户端公钥验证客户端签名 可信性, 同时验证客户端交易数据的***完整性码, 验证通过后, 从客户端交易数据中读 取账号卡签名,利用账号卡公钥验证账号签名可信性,同时验证交易数据的***完整性码, 验证通过后, 将用户输入交易数据在银行端进行处理。  The client includes a second CPK security chip (2) for obtaining data of the client transaction according to the data sent by the first CPK security chip (1) in the account card, and adding the client identification data; The transaction data is obtained by the client system integrity code; the client system integrity code is signed by the CPK algorithm by using the private key pair; then the random number is generated, and the client transaction data, the integrity code and the signature are encrypted by using the random number to obtain The client encrypts the data, encrypts the random number by using the public key provided by the bank, and obtains the random number encrypted data. The bank includes a third CPK security chip (3) for using the CPK algorithm through the bank private key. Decrypt the random number, use the random number to decrypt the client transaction data; then use the client public key to verify the client signature credibility, and at the same time verify the client's transaction data system integrity code, after the verification, the client transaction data Read the account card signature, use the account card public key to verify the account signature credibility, and verify the number of transactions The system integrity code, authentication is passed, the user input is processed in the bank's end.
2. 根据权利要求 1所述的电子银行安全认证***, 其特征在于, 所述第一 CPK安全 芯片 (1)、 第二 CPK安全芯片 (2)和第三 CPK安全芯片 (3)包括 CPK算法功能模块, 验证协 议模块以及密钥交换协议模块, 公钥矩阵模块, 以及对应于账号卡、 客户端和银行端标识 的私钥,。 ' 2. The electronic banking security authentication system according to claim 1, wherein the first CPK security chip (1), the second CPK security chip (2) and the third CPK security chip (3) comprise a CPK algorithm. The function module, the authentication protocol module and the key exchange protocol module, the public key matrix module, and the private key corresponding to the account card, the client and the bank end identifier. '
3. 根据权利要求 1或 2所述的电子银行安全认证***, 其特征在于, 所述账号卡为 带 CPU的智能卡。 The electronic banking security authentication system according to claim 1 or 2, wherein the account card is a smart card with a CPU.
4. 根据权利要求 1或 2所述的电子银行安全认证***, 其特征在于, 所述客户端为 ATM机或者 POS机。 The electronic banking security authentication system according to claim 1 or 2, wherein the client is an ATM or a POS.
5. 根据权利要求 1或 2所述的电子锒行安全认证***, 其特征在于, 所述第二 CPK 安全芯片 (2)和第三 CPK安全芯片 (3)为 U棒。 The electronic limp security authentication system according to claim 1 or 2, wherein the second CPK security chip (2) and the third CPK security chip (3) are U-bars.
6. 根据权利要求 1或 2所述的电子银行安全认证***, 其特征在于, 还包括计算机 网络, 用于连接客户端与银行端, 进行数据通信, 客户端的交易请求从客户端传送到银行 The electronic bank security authentication system according to claim 1 or 2, further comprising a computer network, configured to connect the client to the bank for data communication, and the client transaction request is transmitted from the client to the bank.
7. 一种基于 CPK的电子银行安全认证方法, 其特征在于, 包括下列步骤: 步骤 A)账号卡根据用户输入的交易数据, 利用交易数据得到***完整性码, 利用私 钥通过 CPK算法对数据完整性码进行签名, 然后传输给客户端; A CPK-based electronic banking security authentication method, comprising the following steps: Step A) The account card obtains a system integrity code by using the transaction data according to the transaction data input by the user, and uses the private key to use the CPK algorithm to compare the data. The integrity code is signed and then transmitted to the client;
步骤 B)客户端根据账号卡发送来的数据, 并加上客户端标识数据, 得到客户端交易 数据; 根 ¾客户端交易数据得到客户端***完整性码; 利用私钥对通过 CPK算法对客户 端***完整性码进行签名; 然后产生随机数, 利用随机数对客户端交易数揮、 完整性码及 签名进行加密, 得到客户端加密数据, 利用银行端提供的公钥对随机数进行加密, 得到随 机数加密数据, 将客户端加密数据, 客户端***完整性码和随机数据加密数据传送^银行 端;  Step B) The client obtains the client transaction data according to the data sent by the account card and adds the client identification data; the client transaction integrity data is obtained from the client transaction data; and the client uses the private key pair to authenticate the client through the CPK algorithm. The end system integrity code is signed; then a random number is generated, and the client transaction number, integrity code and signature are encrypted by using the random number to obtain the client encrypted data, and the random number is encrypted by using the public key provided by the bank. Obtain random number encrypted data, transmit client encrypted data, client system integrity code and random data encrypted data to the bank;
步骤 C) 银行端通过银行端私钥, 利用 CPK算法解密得到随机数, 利用随机数'解密 得到客户端交易数据; 然后利用客户端公钥验证客户端签名可信性, 同时验证客户端交易 数据的***完整性码, 验证通过后, 从客户端交易数据中读取账号卡签名, 利用账号卡公 钥验证账号签名可信性, 同时验证交易数据的***完整性码, 验证通过后, 将用户输入交 易数据在银行端进行处理。  Step C) The bank end decrypts the random number by using the CPK algorithm through the bank private key, and decrypts the client transaction data by using the random number 'decryption; then uses the client public key to verify the client signature credibility and simultaneously verifies the client transaction data. The system integrity code, after the verification is passed, the account card signature is read from the client transaction data, the account card public key is used to verify the account signature credibility, and the system integrity code of the transaction data is verified. After the verification is passed, the user is authenticated. Input transaction data is processed at the bank.
8. 根据权利要求 7所述的电子银行安全认证方法, 其特征在于, 还包括下列步骤: 步骤 D) 在验证通过后, 银行端保存交易时间, 客户端签名以及账号卡签名数据。 8. The electronic bank security authentication method according to claim 7, further comprising the following steps: Step D) After the verification is passed, the bank saves the transaction time, the client signature, and the account card signature data.
9. 根据权利要求 7或 8所述的电子银行安全认证方法, 其特征在于, 所述步骤 A.) 包括下列步骤: The electronic banking security authentication method according to claim 7 or 8, wherein the step A.) comprises the following steps:
步骤 A1 ) 在用户将账号卡***银行客户端设备申请交易后, 客户端确认该卡为本机 可以识别的账号卡后, 提供用户输入口令, 检査用户口令是否正确; 如果正确, 则提示交 易继续进行; 否则, 提示用户重新输入或者结束交易; - ' 步骤 A2) 当用户输入正确的口令后, 客户端设备提示交易内容; '  Step A1) After the user inserts the account card into the bank client device to apply for the transaction, after confirming that the card is an account card that the machine can recognize, the client provides the user to input a password, and checks whether the user password is correct; if correct, the transaction is prompted. Continue; otherwise, prompt the user to re-enter or end the transaction; - 'Step A2) After the user enters the correct password, the client device prompts the transaction content;
步骤 A3 ) 账号卡根据用户输入的数据, 得到用户输入数据的***完整性码, 然后利 用账号卡中保存的与账号相应的私钥对***完整性码签名; 并将用 '户输入的数据, ***完 整性码以及签名一起传送给客户端。  Step A3) The account card obtains the system integrity code of the user input data according to the data input by the user, and then signs the system integrity code by using the private key corresponding to the account saved in the account card; and the data input by the user is used, The system integrity code along with the signature is passed to the client.
. .
10. 根据权利要求 7或 8所述的电子银行安全认证方法, 其特征在于, 所述步骤 B) 包括下列步骤: 步骤 Bl ) 客户端收到账号卡传送来的用户输入的数据, ***完整性码以及签名后, 加上客户端标识数据, 得到本次交易的客户端交易数据; . The electronic bank security authentication method according to claim 7 or 8, wherein the step B) comprises the following steps: Step B1) The client receives the data input by the user transmitted by the account card, the system integrity code and the signature, and adds the client identification data to obtain the client transaction data of the transaction;
步骤 B2) 客户端利用本次交易的客户端交易数据, 生成本次交易的客户端***完整 性码;  Step B2) The client uses the client transaction data of the transaction to generate a client system integrity code of the transaction;
步骤 B3 ) 客户端利用客户端私钥对客户端码签名;  Step B3) The client signs the client code by using the client private key;
步骤 B4)客户端生成随机数, 利用随机数, .通过 CPK算法对客户端交易数据进行加 密, 得到客户端加密数据;  Step B4) The client generates a random number, and uses a random number to encrypt the client transaction data through the CPK algorithm to obtain client-side encrypted data.
步骤 B5 ) 客户端利用银行端的公钥将随机数加密, 得到加密随机数;  Step B5) The client encrypts the random number by using the public key of the bank to obtain an encrypted random number;
步骤 B6) 客户端将客户端加密数据, 客户端***完整性码, 客户端签名, 客户端加 密数据, 以及加密随机数一并传送给银行端。 '  Step B6) The client transmits the client encrypted data, the client system integrity code, the client signature, the client encrypted data, and the encrypted random number to the bank. '
11. 根据权利要求 7或 8所述的电子银行安全认证方法, 其特征在于, 所述步骤 C) 包括下列步骤: The electronic bank security authentication method according to claim 7 or 8, wherein the step C) comprises the following steps:
步骤 C1 ) 银行端设备收到客户端设备传送来的客户端加密数据, 客户端***完整性 码', 客户端签名, 客户端加密数据, 以及加密随机数后, 银行端利用自己的私钥, 解密收 到的加密随机数, 得到原来的随机数;  Step C1) After receiving the client encrypted data transmitted by the client device, the client system integrity code ', the client signature, the client encrypted data, and the encrypted random number, the bank uses its own private key. Decrypt the received encrypted random number to obtain the original random number;
步骤 C2) 银行端利用客户端的公钥验证客户端签名, 确认客户端的可信性, 并验证 客户端***完整性码, 确认所收到的数据与客户端传送的数据一致;  Step C2) The bank side verifies the client signature by using the client's public key, confirms the client's credibility, and verifies the client system integrity code, and confirms that the received data is consistent with the data transmitted by the client;
步骤 C3 )银行端利用随机数, 通过 CPK算法, 解密客户端加密数据, 得到原客户端 '交易数据;  Step C3) The bank uses the random number to decrypt the client encrypted data through the CPK algorithm to obtain the original client 'transaction data;
步骤 C4) 银行端保存客户端标识数据, 利用账号卡的公钥验证账号卡的签名, 确认 账号卡可信性, 并验证账号卡***完整性码, 确认所收到的数据与用户输入的数据一致。  Step C4) The bank saves the client identification data, verifies the signature of the account card by using the public key of the account card, confirms the credibility of the account card, and verifies the integrity code of the account card system, and confirms the received data and the data input by the user. Consistent.
PCT/CN2006/003497 2006-04-24 2006-12-20 System and method of electronic bank safety certification based on cpk WO2007121631A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610076020.2 2006-04-24
CN2006100760202A CN1831865B (en) 2006-04-24 2006-04-24 Electronic bank safety authorization system and method based on CPK

Publications (1)

Publication Number Publication Date
WO2007121631A1 true WO2007121631A1 (en) 2007-11-01

Family

ID=36994146

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/003497 WO2007121631A1 (en) 2006-04-24 2006-12-20 System and method of electronic bank safety certification based on cpk

Country Status (2)

Country Link
CN (1) CN1831865B (en)
WO (1) WO2007121631A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3550492A4 (en) * 2016-11-29 2019-12-18 Jin Shang Bo Chuang (Beijing) Science&Technology Co., Ltd Cpk-based digital bank, digital currency, and payment method
CN111147245A (en) * 2020-01-08 2020-05-12 江苏恒为信息科技有限公司 Algorithm for encrypting by using national password in block chain

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101079698B (en) * 2007-02-14 2011-05-11 四川易恒科技发展有限公司 A file encryption method based on Linux operating system with CPK authentication
CN108596605A (en) * 2013-02-06 2018-09-28 天地融科技股份有限公司 Smart card with electronic signature functionality
CN103136667B (en) * 2013-03-06 2016-09-14 天地融科技股份有限公司 There is the smart card of electronic signature functionality, smart card transaction system and method
CN103136664B (en) * 2013-03-06 2016-05-18 天地融科技股份有限公司 There is smart card transaction system and the method for electronic signature functionality
CN103136666B (en) * 2013-03-06 2016-08-03 天地融科技股份有限公司 There is smart card method of commerce and the system of electronic signature functionality
CN103208151B (en) * 2013-04-03 2016-08-03 天地融科技股份有限公司 Process the method and system of operation requests
CN104424568A (en) * 2013-08-22 2015-03-18 成都市易恒信科技有限公司 Authentication false-proof traceability system employing circuit core chip ID number as identification
CN105096119A (en) * 2014-05-15 2015-11-25 东方斯泰克信息技术研究院(北京)有限公司 Virtual bank system and realization method thereof
CN103971236A (en) * 2014-05-16 2014-08-06 天地融科技股份有限公司 Information interaction method, system and trading terminal and trading terminal query suite
CN106788991A (en) * 2016-12-05 2017-05-31 北京中交兴路信息科技有限公司 A kind of method and device of data transfer
CN108011722A (en) * 2017-12-12 2018-05-08 金邦达有限公司 Data signature method, system, chip card and micro-control unit
CN108306892B (en) * 2018-03-01 2020-12-18 武汉大学 TrustZone-based request response method and system
CN108776896A (en) * 2018-06-04 2018-11-09 中钞***产业发展有限公司杭州区块链技术研究院 Digital cash wallet business management method based on multi-signature and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998025220A1 (en) * 1996-12-04 1998-06-11 Kent Ridge Digital Labs (Krdl) Microprocessor card payment system
FR2815203A1 (en) * 2000-10-05 2002-04-12 Ntsys INTERNET SECURE PAYMENT AGENT WITH MOBILE PHONE VALIDATION
CN1571453A (en) * 2003-07-18 2005-01-26 英华达(南京)科技有限公司 Method for implementing network trade safety certification

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6052468A (en) * 1998-01-15 2000-04-18 Dew Engineering And Development Limited Method of securing a cryptographic key
CN1262087C (en) * 2005-01-14 2006-06-28 南相浩 Method and apparatus for cipher key generation based on identification
CN100380369C (en) * 2005-03-23 2008-04-09 蔡冠群 Intelligent digital audio emitter and electronic identity safety certification method therefor

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998025220A1 (en) * 1996-12-04 1998-06-11 Kent Ridge Digital Labs (Krdl) Microprocessor card payment system
FR2815203A1 (en) * 2000-10-05 2002-04-12 Ntsys INTERNET SECURE PAYMENT AGENT WITH MOBILE PHONE VALIDATION
CN1571453A (en) * 2003-07-18 2005-01-26 英华达(南京)科技有限公司 Method for implementing network trade safety certification

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3550492A4 (en) * 2016-11-29 2019-12-18 Jin Shang Bo Chuang (Beijing) Science&Technology Co., Ltd Cpk-based digital bank, digital currency, and payment method
US11301842B2 (en) 2016-11-29 2022-04-12 Js Bochtec Co., Ltd. CPK-based digital bank, digital currency, and payment method
CN111147245A (en) * 2020-01-08 2020-05-12 江苏恒为信息科技有限公司 Algorithm for encrypting by using national password in block chain

Also Published As

Publication number Publication date
CN1831865B (en) 2010-09-29
CN1831865A (en) 2006-09-13

Similar Documents

Publication Publication Date Title
WO2007121631A1 (en) System and method of electronic bank safety certification based on cpk
US9967090B2 (en) Efficient methods for protecting identity in authenticated transmissions
US8359474B2 (en) Method and system for secure authentication
CN101312453B (en) User terminal, method for login network service system
EP2380308B1 (en) Secure remote authentication through an untrusted network
US20180276664A1 (en) Key download method and apparatus for pos terminal
US20110103586A1 (en) System, Method and Device To Authenticate Relationships By Electronic Means
US20060123465A1 (en) Method and system of authentication on an open network
US20050069137A1 (en) Method of distributing a public key
CN101770619A (en) Multiple-factor authentication method for online payment and authentication system
CN106096947B (en) The half off-line anonymous method of payment based on NFC
KR20030095341A (en) Ic card and authentication method in electronic ticket distribution system
WO2003038719A1 (en) One-time credit card number generator and single round-trip authentication
US20030070074A1 (en) Method and system for authentication
GB2434724A (en) Secure transactions using authentication tokens based on a device "fingerprint" derived from its physical parameters
CN101393628A (en) Novel network safe transaction system and method
EP3008852A1 (en) System and method for encryption
WO2012034339A1 (en) Method and mobile terminal for realizing network payment
US20210110027A1 (en) Smart card as a security token
JP2003044436A (en) Authentication processing method, information processor, and computer program
US7110986B1 (en) Automated banking machine system and method
WO2008113302A2 (en) Method for generation of the authorized electronic signature of the authorized person and the device to perform the method
TWM603166U (en) Financial transaction device and system with non-contact authentication function
JP4148465B2 (en) Electronic value distribution system and electronic value distribution method
Xiao et al. A purchase protocol with live cardholder authentication for online credit card payment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 06828404

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06828404

Country of ref document: EP

Kind code of ref document: A1