WO2015135398A1 - Negotiation key based data processing method - Google Patents


Info

Publication number
WO2015135398A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
mobile phone
security module
verification
random
Prior art date
Application number
PCT/CN2015/070911
Other languages
French (fr)
Chinese (zh)
Inventor
李东声
Original Assignee
天地融科技股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56 Financial cryptography, e.g. electronic payment or e-cash
    • H04L2209/80 Wireless

Definitions

  • the user identification card, wherein the first processing information includes at least: the information to be transmitted and the first verification information; after receiving the first processing information, the user identification card verifies the first processing information using the negotiation key of the user identification card end; if the first processing information passes verification, the user identification card signs the information to be transmitted to obtain the first signature information.
  • the user identification card sends the second processing information to the mobile phone security module, where the second processing information includes at least: the first signature information and the second verification information; after receiving the second processing information, the mobile phone security module verifies the second processing information using the negotiation key of the mobile phone security module end; if the second processing information passes verification, the mobile phone security module sends out at least the first signature information; or the user identification card, using the negotiation key of the user identification card end.
  • Step S105: After obtaining the first random verification factor, the user identification card performs a check calculation on the first random verification factor according to the preset first key, and obtains the first check verification information.
  • the second random factor acquired by the user identity card may be directly generated by the user identity card, or may be generated by the mobile phone security module and sent to the user identity card.
  • the second random factor may also be one random number or a string of random numbers, one random character or a string of random characters, or any combination of random numbers and random characters.
  • Manner 5: generated according to the first key and the preset second key, and the first random verification factor.
  • Manner 7: generated according to the first key, and the first random verification factor and the second random factor.
  • Manner 2: generated according to the first key and the second random verification factor.
  • Manner 5: generated according to the first key and the second key, and the first random factor.
  • Manner 6: generated according to the first key and the second key, and the second random verification factor.
  • Manners 1 to 4 use fewer factors to generate the negotiation key, so generation is faster; Manners 5 to 9 use more factors, so the generated negotiation key is more complex and more secure.
  • Step S113: The mobile phone security module and the user identification card perform secure transmission of information using the negotiation key of the mobile phone security module end and the negotiation key of the user identification card end.
  • the mobile phone security module and the user identification card securely transmit information using the negotiation keys of the two ends.
  • the mobile phone security module obtains the information to be transmitted, and the information to be transmitted may be confidential information that needs to be transmitted securely, or may be transaction information to be traded in the online banking.
  • the information to be transmitted may be transaction information of a transaction to be executed, for example, transaction information such as a transaction account number and a transaction amount obtained by the mobile phone through an online banking client.
  • Step S116a: The mobile phone security module sends the first processing information to the user identification card, where the first processing information includes at least: first ciphertext information.
  • the user identification card signs the information to be transmitted to ensure the integrity and non-repudiation of the information to be transmitted.
  • Step S120: The user identification card sends the second processing information to the mobile phone security module, where the second processing information includes at least: second ciphertext information.
  • the mobile phone security module decrypts the second ciphertext information using the negotiation key of the mobile phone security module end to obtain the real first signature information.
  • a secure information interaction is completed between the mobile phone security module and the user identification card.
  • Step S122a: The mobile phone security module sends out at least the first signature information.
  • the signed confidential information is sent out to the device that extracts the confidential information.
  • the information to be transmitted may be confidential information that the mobile phone needs to output, for example, confidential information obtained by the mobile phone from a secure storage area of the mobile phone.
  • Step S115b: The mobile phone security module performs a check calculation on the information to be transmitted using the negotiation key of the mobile phone security module end, and obtains the first verification information.
  • the mobile phone security module performs the check calculation on the information to be transmitted using the negotiation key of the mobile phone security module end that it generated, thereby ensuring the integrity of the information to be transmitted.
  • the negotiation key includes at least one verification calculation key, and the check calculation may use any check method, such as calculating a MAC value.
  • Step S116b: The mobile phone security module sends the first processing information to the user identification card, where the first processing information includes at least: information to be transmitted and first verification information.
  • the mobile phone security module performs the check calculation on the first ciphertext information using the negotiation key of the mobile phone security module end that it generated, thereby ensuring the integrity of the first ciphertext information.
  • the check calculation can be any verification method such as calculating a MAC value.
  • the negotiation key includes at least one encryption key and one verification calculation key.
  • the first ciphertext information is verified by the negotiation key of the mobile phone security module.
  • the user identification card uses the negotiation key of the user identification card end to perform the same check calculation on the first ciphertext information and compares the result with the first verification information; if the two are consistent, the verification passes, thereby ensuring that the obtained first ciphertext information has not been tampered with.
  • Step S123c: If the second processing information passes verification by the mobile phone security module, the second ciphertext information is decrypted using the negotiation key of the mobile phone security module end to obtain the first signature information.
  • the signed transaction information is transmitted to an online banking server or the like.
  • Step S119d: The user identification card signs the information to be transmitted to obtain the first signature information.
  • Step S122d: The mobile phone security module decrypts the second ciphertext information using the negotiation key of the mobile phone security module end to obtain the first signature information.
  • Step S117e: After receiving the first processing information, the user identification card verifies the first processing information using the negotiation key of the user identification card end.
  • Step S121e: The user identification card sends the second processing information to the mobile phone security module, where the second processing information includes at least: first signature information and second verification information.
  • Step S122e: After receiving the second processing information, the mobile phone security module verifies the second processing information using the negotiation key of the mobile phone security module end.
  • Step S121f: After receiving the second processing information, the mobile phone security module verifies the second processing information using the negotiation key of the mobile phone security module end.
  • Step S122f: If the second processing information passes verification by the mobile phone security module, the second ciphertext information is decrypted using the negotiation key of the mobile phone security module end to obtain the first signature information.
  • Step S114g: The mobile phone security module acquires information to be transmitted.
  • Step S115g: The mobile phone security module performs a check calculation on the information to be transmitted using the negotiation key of the mobile phone security module end, and obtains the first verification information.
  • Step S116g: The mobile phone security module sends the first processing information to the user identification card, where the first processing information includes at least: information to be transmitted and first verification information.
  • Step S117g: After receiving the first processing information, the user identification card verifies the first processing information using the negotiation key of the user identification card end.
  • Step S118g: If the first processing information passes verification by the user identification card, the user identification card signs the information to be transmitted to obtain the first signature information.
  • Step S119g: The user identification card encrypts the first signature information using the negotiation key of the user identification card end, obtains the second ciphertext information, and performs a check calculation on the second ciphertext information to obtain the second verification information.
  • Step S120g: The user identification card sends the second processing information to the mobile phone security module, where the second processing information includes at least: second ciphertext information and second verification information.
  • Step S122g: If the second processing information passes verification by the mobile phone security module, the second ciphertext information is decrypted using the negotiation key of the mobile phone security module end to obtain the first signature information.
  • Step S123g: The mobile phone security module sends out at least the first signature information.
  • Step S116h: The mobile phone security module sends the first processing information to the user identification card, where the first processing information includes at least: first ciphertext information.
  • Step S118h: The user identification card signs the information to be transmitted to obtain the first signature information.
  • Step S120h: The user identification card sends the second processing information to the mobile phone security module, where the second processing information includes at least: first signature information and first verification information.
  • Step S121h: After receiving the second processing information, the mobile phone security module verifies the second processing information using the negotiation key of the mobile phone security module end.
  • Step S122h: If the second processing information passes verification by the mobile phone security module, the mobile phone security module sends out at least the first signature information.
  • Step S114i: The mobile phone security module acquires information to be transmitted.
  • Step S116i: The mobile phone security module sends the first processing information to the user identification card, where the first processing information includes at least: first ciphertext information and first verification information.
  • Step S117i: After receiving the first processing information, the user identification card verifies the first processing information using the negotiation key of the user identification card end.
  • the step of performing a check calculation on each piece of ciphertext information may be replaced by performing the check calculation on the original text of that ciphertext information; in that case, after the verification information and the ciphertext information are obtained, the ciphertext information is first decrypted to obtain its original text, and the verification information is then verified.
  • neither the ciphertext information nor the original text of the ciphertext information can be tampered with.
  • Step S1141: The mobile phone security module extracts key information in the information to be transmitted.
  • the mobile phone security module can extract key information such as the file name in the confidential information, so that the user can confirm whether the confidential file needs to be extracted for secure output.
  • the mobile phone security module can extract key information in the transaction information, such as transaction account number and transaction amount, so that the user can confirm whether the transaction is a real transaction.
  • the mobile phone security module and the user identification card are included in the mobile phone according to embodiment 1 of the present invention.
  • the mobile phone security module and the user identification card can each be divided into any modules and/or any combination of a transceiver unit, an encryption and decryption unit, a verification calculation unit, a generation unit, a verification unit, a signature unit and the like to complete the corresponding functions, which are not described again here.
  • Step S205: After obtaining the first random verification factor, the mobile phone security module performs a check calculation on the first random verification factor according to the preset first key, and obtains the first check verification information.
  • the data processing method based on the negotiation key of the present invention enables the mobile phone to securely perform online banking service and/or confidential information transmission.
  • the above mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.

Abstract

Provided is a negotiation key based data processing method, comprising: a mobile phone security module obtains a first random factor, and sends check information of the first random factor to a subscriber identity module; the subscriber identity module verifies whether the check information of the first random factor is the same as the first check verification information, if yes, then obtaining a second random factor, generating a negotiation key of the subscriber identity module end, and sending check information of the second random factor to the mobile phone security module; the mobile phone security module verifies whether the check information of the second random factor is the same as the second check verification information, if yes, then generating a negotiation key of the mobile phone security module end, and conducting secure transmission of information according to the negotiation key. The negotiation key based data processing method enables a mobile phone to securely conduct online banking service and/or confidential information transmission.

Description

Data processing method based on a negotiation key
Technical field
The present invention relates to the field of information security technologies, and in particular to a data processing method based on a negotiation key.
Background
The rapid development of networks has brought people great convenience, and people increasingly rely on networks for all kinds of activities; for example, network file transfer and online banking transactions have gradually become an indispensable part of people's lives and work. Because a network is, after all, a virtual environment with many insecure factors, and because network activities involving data interaction are unavoidable in it, especially activities such as online banking and the transmission of confidential information, high demands are placed on network security, and network information security technology therefore needs to be developed.
With the rapid development of mobile phone technology, mobile phone terminals are increasingly used in place of computers, but there is currently no solution that enables a mobile phone terminal to securely perform online banking and/or transmit confidential information.
Summary of the invention
The present invention aims to solve the problem that a mobile phone terminal cannot securely perform online banking and/or confidential information transmission.
The main object of the present invention is to provide a data processing method based on a negotiation key.
To achieve the above object, the technical solution of the present invention is implemented as follows:
One aspect of the present invention provides a data processing method based on a negotiation key, comprising: a mobile phone security module obtains a first random factor; after obtaining the first random factor, the mobile phone security module performs a check calculation on the first random factor according to a preset first key to obtain first random factor check information; after obtaining the first random factor check information, the mobile phone security module sends the first random factor check information to a user identification card; after receiving the first random factor check information, the user identification card obtains a first random verification factor; after obtaining the first random verification factor, the user identification card performs a check calculation on the first random verification factor according to the preset first key to obtain first check verification information; after obtaining the first check verification information, the user identification card verifies whether the first random factor check information is the same as the first check verification information, and if they are the same, the first random factor check information passes verification; after the first random factor check information passes verification, the user identification card obtains a second random factor, performs a check calculation on the second random factor according to the preset second key to obtain second random factor check information, and generates the negotiation key of the user identification card end from the first random verification factor and/or the second random factor according to the first key and/or the preset second key; after obtaining the second random factor check information, the user identification card sends the second random factor check information to the mobile phone security module; after receiving the second random factor check information, the mobile phone security module obtains a second random verification factor; after obtaining the second random verification factor, the mobile phone security module performs a check calculation on the second random verification factor according to the preset second key to obtain second check verification information; after obtaining the second check verification information, the mobile phone security module verifies whether the second random factor check information is the same as the second check verification information, and if they are the same, the second random factor check information passes verification; after the second random factor check information passes verification, the mobile phone security module generates the negotiation key of the mobile phone security module end from the first random factor and/or the second random verification factor according to the first key and/or the second key; the mobile phone security module and the user identification card perform secure transmission of information using the negotiation key of the mobile phone security module end and the negotiation key of the user identification card end.
Another aspect of the present invention provides another data processing method based on a negotiation key, comprising: a user identification card obtains a first random factor; after obtaining the first random factor, the user identification card performs a check calculation on the first random factor according to a preset first key to obtain first random factor check information; after obtaining the first random factor check information, the user identification card sends the first random factor check information to a mobile phone security module; after receiving the first random factor check information, the mobile phone security module obtains a first random verification factor; after obtaining the first random verification factor, the mobile phone security module performs a check calculation on the first random verification factor according to the preset first key to obtain first check verification information; after obtaining the first check verification information, the mobile phone security module verifies whether the first random factor check information is the same as the first check verification information, and if they are the same, the first random factor check information passes verification; after the first random factor check information passes verification, the mobile phone security module obtains a second random factor, performs a check calculation on the second random factor according to the preset second key to obtain second random factor check information, and generates the negotiation key of the mobile phone security module end from the first random verification factor and/or the second random factor according to the first key and/or the preset second key; after obtaining the second random factor check information, the mobile phone security module sends the second random factor check information to the user identification card; after receiving the second random factor check information, the user identification card obtains a second random verification factor; after obtaining the second random verification factor, the user identification card performs a check calculation on the second random verification factor according to the preset second key to obtain second check verification information; after obtaining the second check verification information, the user identification card verifies whether the second random factor check information is the same as the second check verification information, and if they are the same, the second random factor check information passes verification; after the second random factor check information passes verification, the user identification card generates the negotiation key of the user identification card end from the first random factor and/or the second random verification factor according to the first key and/or the second key; the mobile phone security module and the user identification card perform secure transmission of information using the negotiation key of the mobile phone security module end and the negotiation key of the user identification card end.
In addition, the step in which the mobile phone security module and the user identification card perform secure transmission of information using the negotiation key of the mobile phone security module end and the negotiation key of the user identification card end comprises: the mobile phone security module obtains information to be transmitted; the mobile phone security module encrypts the information to be transmitted using the negotiation key of the mobile phone security module end to obtain first ciphertext information; the mobile phone security module sends first processing information to the user identification card, wherein the first processing information includes at least: the first ciphertext information; after receiving the first processing information, the user identification card decrypts the first ciphertext information using the negotiation key of the user identification card end to obtain the information to be transmitted; the user identification card signs the information to be transmitted to obtain first signature information.
In addition, the step in which the mobile phone security module and the user identification card perform secure transmission of information using the negotiation key of the mobile phone security module end and the negotiation key of the user identification card end comprises: the mobile phone security module obtains information to be transmitted; the mobile phone security module performs a check calculation on the information to be transmitted using the negotiation key of the mobile phone security module end to obtain first verification information; the mobile phone security module sends first processing information to the user identification card, wherein the first processing information includes at least: the information to be transmitted and the first verification information; after receiving the first processing information, the user identification card verifies the first processing information using the negotiation key of the user identification card end; if the first processing information passes verification by the user identification card, the user identification card signs the information to be transmitted to obtain first signature information.
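The negotiation described above, followed by the check-protected transfer of the information to be transmitted, as an added example that is not part of the patent text. It assumes HMAC-SHA256 as the check calculation, that each random factor travels together with its check information, and key generation from the first key over both random factors; the key values, the sample message and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: the preset first and second keys held by both ends.
K1 = bytes.fromhex("00112233445566778899aabbccddeeff")
K2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def check(key: bytes, data: bytes) -> bytes:
    """Check calculation; HMAC-SHA256 is this example's choice of MAC."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_negotiation_key(k1: bytes, r1: bytes, r2: bytes) -> dict:
    """Generate the negotiation key from the first key and both random factors.

    The "enc"/"mac" labels that split it into an encryption key and a
    verification calculation key are an assumption of this example.
    """
    seed = len(r1).to_bytes(2, "big") + r1 + r2
    return {"enc": check(k1, b"enc" + seed), "mac": check(k1, b"mac" + seed)}


def phone_hello(k1: bytes):
    """Phone security module: first random factor and its check information."""
    r1 = secrets.token_bytes(16)
    return r1, check(k1, r1)


def card_respond(k1: bytes, k2: bytes, r1_seen: bytes, c1: bytes):
    """Card: recompute the check over the factor it received and compare."""
    if not hmac.compare_digest(check(k1, r1_seen), c1):
        raise ValueError("first random factor check information rejected")
    r2 = secrets.token_bytes(16)  # second random factor, fresh per session
    return r2, check(k2, r2), derive_negotiation_key(k1, r1_seen, r2)


def phone_finish(k1: bytes, k2: bytes, r1: bytes, r2_seen: bytes, c2: bytes):
    """Phone: verify the card's check information, then derive its own key."""
    if not hmac.compare_digest(check(k2, r2_seen), c2):
        raise ValueError("second random factor check information rejected")
    return derive_negotiation_key(k1, r1, r2_seen)


def handshake(phone_keys=(K1, K2), card_keys=(K1, K2)):
    """Run both ends; returns (phone-end key, card-end key)."""
    r1, c1 = phone_hello(phone_keys[0])
    r2, c2, card_key = card_respond(card_keys[0], card_keys[1], r1, c1)
    phone_key = phone_finish(phone_keys[0], phone_keys[1], r1, r2, c2)
    return phone_key, card_key


def make_first_processing_info(key: dict, info: bytes):
    """Phone: information to be transmitted plus first verification information."""
    return info, check(key["mac"], info)


def card_verifies(key: dict, info: bytes, tag: bytes) -> bool:
    """Card: accept the information for signing only if the check matches."""
    return hmac.compare_digest(check(key["mac"], info), tag)


if __name__ == "__main__":
    phone_key, card_key = handshake()
    print("negotiation keys match:", phone_key == card_key)

    # Constructed transaction record standing in for the information to be transmitted.
    info, tag = make_first_processing_info(phone_key, b"account=ACCT-0001;amount=100.00")
    print("untampered accepted:", card_verifies(card_key, info, tag))
    print("tampered accepted:", card_verifies(card_key, b"account=ACCT-9999;amount=100.00", tag))

    try:
        handshake(card_keys=(bytes(16), K2))  # card provisioned with a wrong first key
    except ValueError as exc:
        print("handshake aborted:", exc)
```

Because the card draws a fresh second random factor in every run, the derived negotiation key differs from session to session even when the preset keys stay the same.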
In addition, the step in which the mobile phone security module and the user identification card perform secure transmission of information using the negotiation key of the mobile phone security module end and the negotiation key of the user identification card end comprises: the mobile phone security module obtains information to be transmitted; the mobile phone security module encrypts the information to be transmitted using the negotiation key of the mobile phone security module end to obtain first ciphertext information, and performs a check calculation on the first ciphertext information to obtain first verification information; the mobile phone security module sends first processing information to the user identification card, wherein the first processing information includes at least: the first ciphertext information and the first verification information; after receiving the first processing information, the user identification card verifies the first processing information using the negotiation key of the user identification card end; if the first processing information passes verification by the user identification card, the user identification card decrypts the first ciphertext information using the negotiation key of the user identification card end to obtain the information to be transmitted; the user identification card signs the information to be transmitted to obtain first signature information.
In addition, after the step in which the user identification card signs the information to be transmitted to obtain the first signature information, the method further includes: the user identification card encrypts the first signature information using the negotiation key of the user identification card end to obtain second ciphertext information; the user identification card sends second processing information to the mobile phone security module, where the second processing information includes at least the second ciphertext information; after receiving the second processing information, the mobile phone security module decrypts the second ciphertext information using the negotiation key of the mobile phone security module end to obtain the first signature information; the mobile phone security module sends out at least the first signature information; or the user identification card performs a check calculation on the first signature information using the negotiation key of the user identification card end to obtain second check information; the user identification card sends second processing information to the mobile phone security module, where the second processing information includes at least the first signature information and the second check information; after receiving the second processing information, the mobile phone security module verifies the second processing information using the negotiation key of the mobile phone security module end; if the mobile phone security module's verification of the second processing information passes, the mobile phone security module sends out at least the first signature information; or the user identification card encrypts the first signature information using the negotiation key of the user identification card end to obtain second ciphertext information, and performs a check calculation on the second ciphertext information to obtain second check information; the user identification card sends second processing information to the mobile phone security module, where the second processing information includes at least the second ciphertext information and the second check information; after receiving the second processing information, the mobile phone security module verifies the second processing information using the negotiation key of the mobile phone security module end; if the mobile phone security module's verification of the second processing information passes, it decrypts the second ciphertext information using the negotiation key of the mobile phone security module end to obtain the first signature information; the mobile phone security module sends out at least the first signature information.
In addition, after the step in which the mobile phone security module acquires the information to be transmitted and before the step in which the mobile phone security module sends the first processing information to the user identification card, the method further includes: the mobile phone security module extracts key information from the information to be transmitted; the mobile phone security module controls the mobile phone display screen to display the key information extracted from the information to be transmitted; the mobile phone security module receives a confirmation instruction output by the mobile phone keyboard; after the mobile phone security module receives the confirmation instruction output by the mobile phone keyboard, the step in which the mobile phone security module sends the first processing information to the user identification card is performed.
In addition, the first random factor is generated by the mobile phone security module, and the first random verification factor is generated by the user identification card in the same manner in which the mobile phone security module generates the first random factor, or the first random verification factor is obtained by the user identification card from the mobile phone security module; or the first random factor is generated by the user identification card and sent to the mobile phone security module, and the first random verification factor is generated by the user identification card in the same manner in which the user identification card generates the first random factor, or the first random verification factor is obtained by the user identification card from the mobile phone security module.
In addition, the second random factor is generated by the user identification card, and the second random verification factor is generated by the mobile phone security module in the same manner in which the user identification card generates the second random factor, or the second random verification factor is obtained by the mobile phone security module from the user identification card; or the second random factor is generated by the mobile phone security module and sent to the user identification card, and the second random verification factor is generated by the mobile phone security module in the same manner in which the mobile phone security module generates the second random factor, or the second random verification factor is obtained by the mobile phone security module from the user identification card.
In addition, the mobile phone security module is a module independent of the mobile phone CPU, or the mobile phone security module is disposed in a secure area in the mobile phone CPU.
Yet another aspect of the present invention provides a storage medium configured to store an application program, the application program being configured to execute, when run, the negotiation key based data processing method according to any embodiment of the present invention.
As can be seen from the technical solution provided by the present invention, the negotiation key based data processing method of the present invention enables a mobile phone to securely perform online banking services and/or confidential information transmission.
Description of the Drawings
In order to describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flowchart of the negotiation key based data processing method provided by Embodiment 1 of the present invention; and
Fig. 2 is a flowchart of the negotiation key based data processing method provided by Embodiment 2 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the description of the present invention, it should be noted that, unless otherwise expressly specified and limited, the terms "installed", "connected to" and "connected" are to be understood broadly. For example, a connection may be a fixed connection, a detachable connection, or an integral connection; it may be a mechanical connection or an electrical connection; it may be a direct connection or an indirect connection through an intermediate medium, and it may be internal communication between two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the specific situation. In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance, quantity or position.
The embodiments of the present invention are described in further detail below with reference to the drawings.
The negotiation key based data processing method of the present invention is implemented on a mobile phone, and the mobile phone includes at least a user identification card with security functions and a mobile phone security module.
The user identification card may be any of the following cards: a SIM (Subscriber Identity Module) card, a UIM (User Identity Module) card, a USIM card, a PIM card, and so on. Each of these cards extends its existing functions with security functions, so as to cooperate with the mobile phone security module of the present invention in implementing the functions of the present invention.
The mobile phone security module may be provided as a separate module independent of the mobile phone CPU, or as a secure area in the mobile phone CPU, so as to guarantee the independent security functions that the mobile phone security module can implement. For example, the mobile phone security module can independently perform a secure identity authentication function, and can perform security control of the display to guarantee the authenticity of the displayed content.
In addition, a third-party CA may issue a CA-certified certificate to the user identification card, and the third-party CA may also issue a CA-certified certificate to the mobile phone security module, so that each party can verify the legitimacy of the other party's identity, which improves security.
Embodiment 1
Fig. 1 shows a flowchart of the negotiation key based data processing method provided by Embodiment 1 of the present invention. Referring to Fig. 1, the negotiation key based data processing method of the present invention includes the following steps S101 to S113.
Step S101: the mobile phone security module acquires a first random factor.
Specifically, the first random factor may be generated directly by the mobile phone security module, or the first random factor may be generated by the user identification card and sent to the mobile phone security module. The first random factor may be one random number or a string of random numbers, or one random character or a string of random characters, or any combination of a string of random numbers and random combinations.
The first random factor is acquired so that it can subsequently be used to generate the negotiation key.
Step S102: after acquiring the first random factor, the mobile phone security module performs a check calculation on the first random factor according to a preset first key to obtain first random factor check information.
Specifically, the first key is the same key preset in the mobile phone security module and in the user identification card respectively. It can be used for check calculation, which ensures that information is not tampered with during transmission. When the mobile phone security module sends the first random factor to the user identification card, the check calculation serves to ensure that the first random factor is not tampered with. Because a check calculation has been performed on the first random factor, even if the first random factor is tampered with, verification of the check information at the user identification card end will not pass, so the subsequent flow cannot be executed, which improves security.
Step S103: after obtaining the first random factor check information, the mobile phone security module sends the first random factor check information to the user identification card.
Step S104: after receiving the first random factor check information, the user identification card acquires a first random verification factor.
Specifically, the first random verification factor acquired by the user identification card may be generated by the user identification card in the same manner in which the mobile phone security module generates the first random factor, or the first random verification factor may be obtained by the user identification card from the mobile phone security module. As long as the first random verification factor is guaranteed to be the same as the first random factor, the first random factor check information can be verified in the user identification card.
Step S105: after acquiring the first random verification factor, the user identification card performs a check calculation on the first random verification factor according to the preset first key to obtain first check verification information.
Specifically, after acquiring the first random verification factor, the user identification card performs a check calculation on the first random verification factor using the same calculation method as the check calculation performed with the preset first key in the mobile phone security module, thereby obtaining the first check verification information, which is used to verify the first random factor check information.
Step S106: after obtaining the first check verification information, the user identification card verifies whether the first random factor check information is the same as the first check verification information; if they are the same, verification of the first random factor check information passes.
Specifically, verification of the first random factor check information passes only if the first check verification information is the same as the first random factor check information, which shows that the first random verification factor is the same as the first random factor and that the first random factor has not been tampered with. The subsequent negotiation key can then be generated from a secure and genuine first random factor or first random verification factor.
Step S107: after verification of the first random factor check information passes, the user identification card acquires a second random factor, performs a check calculation on the second random factor according to a preset second key to obtain second random factor check information, and generates the negotiation key of the user identification card end from the first random verification factor and/or the second random factor according to the first key and/or the preset second key.
Specifically, the second random factor acquired by the user identification card may be generated directly by the user identification card, or may be generated by the mobile phone security module and sent to the user identification card. The second random factor may likewise be one random number or a string of random numbers, or one random character or a string of random characters, or any combination of a string of random numbers and random combinations.
In addition, the preset second key may be the same key as the first key, which reduces computational complexity and improves computational efficiency, or it may be a key different from the first key, which improves the security of each check calculation.
The second random factor is acquired so that it can subsequently be used to generate the negotiation key.
At the same time, the user identification card performs a check calculation on the second random factor, so that when the user identification card sends the second random factor to the mobile phone security module, the check information serves to establish whether the second random factor has been tampered with. Because a check calculation has been performed on the second random factor, even if the second random factor is tampered with, verification of the check information at the mobile phone security module end will not pass, so the subsequent flow cannot be executed, which improves security.
Thus, the user identification card may generate the negotiation key of the user identification card end in one of the following modes one to nine.
Mode one: generated from the first key and the first random verification factor.
Mode two: generated from the first key and the second random factor.
Mode three: generated from the preset second key and the first random verification factor.
Mode four: generated from the preset second key and the second random factor.
Mode five: generated from the first key and the preset second key, together with the first random verification factor.
Mode six: generated from the first key and the preset second key, together with the second random factor.
Mode seven: generated from the first key, together with the first random verification factor and the second random factor.
Mode eight: generated from the preset second key, together with the first random verification factor and the second random factor.
Mode nine: generated from the first key and the preset second key, together with the first random verification factor and the second random factor.
Modes one to four use fewer factors to generate the negotiation key, so generation is faster; modes five to nine use more factors, so the generated negotiation key is more complex and more secure.
Of course, in this step the negotiation key of the user identification card end may be generated immediately after the second random factor is acquired, or it may be generated after the second random factor check information is obtained.
Step S108: after obtaining the second random factor check information, the user identification card sends the second random factor check information to the mobile phone security module.
Step S109: after receiving the second random factor check information, the mobile phone security module acquires a second random verification factor.
Specifically, the second random verification factor may be generated by the mobile phone security module in the same manner in which the user identification card generates the second random factor, or the second random verification factor may be obtained by the mobile phone security module from the user identification card. As long as the second random verification factor is guaranteed to be the same as the second random factor, the second random factor check information can be verified in the user identification card.
Step S110: after acquiring the second random verification factor, the mobile phone security module performs a check calculation on the second random verification factor according to the preset second key to obtain second check verification information.
Specifically, after acquiring the second random verification factor, the mobile phone security module performs a check calculation on the second random verification factor using the same calculation method as the check calculation performed with the preset second key in the user identification card, thereby obtaining the second check verification information, which is used to verify the second random factor check information.
Step S111: after obtaining the second check verification information, the mobile phone security module verifies whether the second random factor check information is the same as the second check verification information; if they are the same, verification of the second random factor check information passes.
Specifically, verification of the second random factor check information passes only if the second check verification information is the same as the second random factor check information, which shows that the second random verification factor is the same as the second random factor and that the second random factor has not been tampered with. The subsequent negotiation key can then be generated from a secure and genuine second random factor or second random verification factor.
Step S112: after verification of the second random factor check information passes, the mobile phone security module generates the negotiation key of the mobile phone security module end from the first random factor and/or the second random verification factor according to the first key and/or the second key.
Specifically, the mobile phone security module may generate the negotiation key of the mobile phone security module end in one of the following modes one to nine.
Mode one: generated from the first key and the first random factor.
Mode two: generated from the first key and the second random verification factor.
Mode three: generated from the second key and the first random factor.
Mode four: generated from the second key and the second random verification factor.
Mode five: generated from the first key and the second key, together with the first random factor.
Mode six: generated from the first key and the second key, together with the second random verification factor.
Mode seven: generated from the first key, together with the first random factor and the second random verification factor.
Mode eight: generated from the second key, together with the first random factor and the second random verification factor.
Mode nine: generated from the first key and the second key, together with the first random factor and the second random verification factor.
Modes one to four use fewer factors to generate the negotiation key, so generation is faster; modes five to nine use more factors, so the generated negotiation key is more complex and more secure.
Step S113: the mobile phone security module and the user identification card securely transmit information between them using the negotiation key of the mobile phone security module end and the negotiation key of the user identification card end.
Specifically, after the mobile phone security module has generated the negotiation key of the mobile phone security module end and the user identification card has generated the negotiation key of the user identification card end, the mobile phone security module and the user identification card securely transmit information between them using the negotiation keys of the two ends.
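Steps S101 to S112 end to end, with both sides deriving the key by mode nine, as an added example that is not part of the patent text. HMAC-SHA256 as the check calculation, the chained-HMAC key derivation, sending each random factor alongside its check information (the "obtained from the other side" alternative), and all class, function and field names are assumptions; the preset keys are constructed sample values.

```python
import hashlib
import hmac
import os


def check_calc(key: bytes, factor: bytes) -> bytes:
    # "Check calculation" over a random factor. HMAC-SHA256 is an assumption;
    # the page does not name the algorithm.
    return hmac.new(key, factor, hashlib.sha256).digest()


def derive_negotiation_key(k1: bytes, k2: bytes, r1: bytes, r2: bytes) -> bytes:
    # Mode nine: both preset keys and both random factors feed the key.
    # The chained-HMAC construction is an assumption. Length prefixes keep
    # the encoding of (r1, r2) unambiguous.
    material = b"".join(len(r).to_bytes(2, "big") + r for r in (r1, r2))
    inner = hmac.new(k1, b"negotiation-key" + material, hashlib.sha256).digest()
    return hmac.new(k2, inner, hashlib.sha256).digest()


class SecurityModule:
    def __init__(self, k1: bytes, k2: bytes):
        self.k1, self.k2, self.r1 = k1, k2, None

    def start(self) -> dict:
        # S101-S103: fresh first random factor plus its check information.
        self.r1 = os.urandom(16)
        return {"factor": self.r1, "check": check_calc(self.k1, self.r1)}

    def finish(self, reply: dict):
        # S109-S112: recompute the check over the received factor, compare in
        # constant time, and derive the key only if the two values match.
        r2v = reply["factor"]
        if not hmac.compare_digest(check_calc(self.k2, r2v), reply["check"]):
            return None
        return derive_negotiation_key(self.k1, self.k2, self.r1, r2v)


class IdentificationCard:
    def __init__(self, k1: bytes, k2: bytes):
        self.k1, self.k2, self.key = k1, k2, None

    def respond(self, msg: dict):
        # S104-S106: verify the first random factor check information.
        r1v = msg["factor"]
        if not hmac.compare_digest(check_calc(self.k1, r1v), msg["check"]):
            return None
        # S107-S108: second random factor, card-end key, reply to the module.
        r2 = os.urandom(16)
        self.key = derive_negotiation_key(self.k1, self.k2, r1v, r2)
        return {"factor": r2, "check": check_calc(self.k2, r2)}


def flip_first_bit(msg: dict) -> dict:
    # Simulates a factor altered on the module-card interface.
    f = msg["factor"]
    return {"factor": bytes([f[0] ^ 1]) + f[1:], "check": msg["check"]}


def run_handshake(k1: bytes, k2: bytes, corrupt=None):
    # Returns (module-end key, card-end key); None marks a failed side.
    module, card = SecurityModule(k1, k2), IdentificationCard(k1, k2)
    msg = module.start()
    if corrupt == "first":
        msg = flip_first_bit(msg)
    reply = card.respond(msg)
    if reply is None:
        return None, None
    if corrupt == "second":
        reply = flip_first_bit(reply)
    return module.finish(reply), card.key


if __name__ == "__main__":
    K1, K2 = bytes(range(16)), bytes(range(16, 32))  # constructed preset keys
    m, c = run_handshake(K1, K2)
    print("keys match:", m == c)
    print("first factor altered:", run_handshake(K1, K2, corrupt="first"))
    m2, c2 = run_handshake(K1, K2, corrupt="second")
    print("second factor altered: module key", m2, "card holds a key:", c2 is not None)
```

When the second factor is altered, the card has already derived its key in S107 while the module derives none, so the two ends are out of step and no secure transmission can follow.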
At this point, secure transmission of information may be implemented in one of the following modes one to nine.
Mode one
Step S114a: the mobile phone security module acquires information to be transmitted.
Specifically, the mobile phone security module acquires the information to be transmitted, which may be confidential information that needs to be transmitted securely, or transaction information of a pending transaction in online banking.
If the present invention is applied to the secure transmission of confidential information, the information to be transmitted may be confidential information that the mobile phone needs to output, for example confidential information that the mobile phone obtains from its secure storage area.
If the present invention is applied to online banking services, the information to be transmitted may be the transaction information of the transaction to be executed, for example transaction information such as the transaction account number and transaction amount that the mobile phone obtains through an online banking client.
Step S115a: the mobile phone security module encrypts the information to be transmitted using the negotiation key of the mobile phone security module end to obtain first ciphertext information.
Specifically, the mobile phone security module encrypts the information to be transmitted using the negotiation key of the mobile phone security module end that it generated, so that the information to be transmitted is transmitted opaquely and the security of the transmission is guaranteed. In this case, the negotiation key includes at least an encryption key.
Step S116a: the mobile phone security module sends first processing information to the user identification card, where the first processing information includes at least the first ciphertext information.
Step S117a: after receiving the first processing information, the user identification card decrypts the first ciphertext information using the negotiation key of the user identification card end to obtain the information to be transmitted.
Specifically, because the information to be transmitted was encrypted with the negotiation key of the mobile phone security module end, the user identification card, after receiving the first ciphertext information, decrypts it with the negotiation key in the user identification card and thereby obtains the genuine information to be transmitted.
Step S118a: the user identification card signs the information to be transmitted to obtain first signature information.
Specifically, after obtaining the genuine information to be transmitted, the user identification card signs the information to be transmitted, so as to guarantee the integrity and non-repudiation of the information to be transmitted.
Step S119a: the user identification card encrypts the first signature information using the negotiation key of the user identification card end to obtain second ciphertext information.
Specifically, the user identification card also encrypts the first signature information using the negotiation key of the user identification card end, which guarantees opaque transmission of the first signature information and improves security.
Step S120a: the user identification card sends second processing information to the mobile phone security module, where the second processing information includes at least the second ciphertext information.
Step S121a: after receiving the second processing information, the mobile phone security module decrypts the second ciphertext information using the negotiation key of the mobile phone security module end to obtain the first signature information.
Specifically, after receiving the second ciphertext information, the mobile phone security module also decrypts the second ciphertext information using the negotiation key of the mobile phone security module end to obtain the genuine first signature information. This completes one secure information exchange between the mobile phone security module and the user identification card.
Step S122a: the mobile phone security module sends out at least the first signature information.
Specifically, the mobile phone security module sends out the first signature information obtained by signing the information to be transmitted.
If the present invention is applied to the secure transmission of confidential information, the signed confidential information is sent out to, for example, the device that extracts the confidential information;
If the present invention is applied to online banking services, the signed transaction information is sent to, for example, the online banking server.
Mode two
Step S114b: The mobile phone security module acquires the information to be transmitted.
Specifically, the mobile phone security module acquires the information to be transmitted, which may be confidential information that needs to be transmitted securely or transaction information of a pending online banking transaction.
If the present invention is applied to the secure transmission of confidential information, the information to be transmitted may be confidential information that the mobile phone needs to output, for example confidential information that the mobile phone obtains from its secure storage area.
If the present invention is applied to an online banking service, the information to be transmitted may be the transaction information of a transaction to be executed, for example the transaction account number, transaction amount and other transaction information that the mobile phone obtains through an online banking client.
Step S115b: The mobile phone security module performs a check calculation on the information to be transmitted with the negotiation key on the mobile phone security module side to obtain the first verification information.
Specifically, the mobile phone security module performs a check calculation on the information to be transmitted with the negotiation key that it generated on the mobile phone security module side, thereby ensuring the integrity of the information to be transmitted. In this case the negotiation key includes at least one check calculation key, and the check calculation may be any verification method, such as calculating a MAC value.
Step S116b: The mobile phone security module sends the first processing information to the user identification card, where the first processing information includes at least the information to be transmitted and the first verification information.
Step S117b: After receiving the first processing information, the user identification card verifies the first processing information with the negotiation key on the user identification card side.
Specifically, because the check calculation on the information to be transmitted was performed with the negotiation key on the mobile phone security module side, the user identification card, after receiving the information to be transmitted and the first verification information, performs the same check calculation on the information to be transmitted with the negotiation key in the user identification card and compares the result with the first verification information. If the two match, verification passes, which ensures that the information to be transmitted has not been tampered with.
Step S118b: If the user identification card's verification of the first processing information passes, the user identification card signs the information to be transmitted to obtain the first signature information.
Specifically, after obtaining the real information to be transmitted, the user identification card signs it to ensure the integrity and non-repudiation of the information to be transmitted.
Step S119b: The user identification card performs a check calculation on the first signature information with the negotiation key on the user identification card side to obtain the second verification information.
Specifically, the user identification card also performs a check calculation on the first signature information with the negotiation key on the user identification card side, thereby ensuring the integrity of the first signature information.
Step S120b: The user identification card sends the second processing information to the mobile phone security module, where the second processing information includes at least the first signature information and the second verification information.
Step S121b: After receiving the second processing information, the mobile phone security module verifies the second processing information with the negotiation key on the mobile phone security module side.
Specifically, after receiving the first signature information and the second verification information, the mobile phone security module performs a check calculation on the first signature information with the negotiation key on the mobile phone security module side and compares the result with the second verification information. If the two match, verification passes, which ensures that the first signature information has not been tampered with. A secure information exchange between the mobile phone security module and the user identification card is thereby completed.
Step S122b: If the mobile phone security module's verification of the second processing information passes, the mobile phone security module sends out at least the first signature information.
Specifically, the mobile phone security module sends out the first signature information obtained by signing the information to be transmitted.
If the present invention is applied to the secure transmission of confidential information, the signed confidential information is sent out to, for example, a device that extracts the confidential information.
If the present invention is applied to an online banking service, the signed transaction information is sent to, for example, an online banking server.
Mode three
Step S114c: The mobile phone security module acquires the information to be transmitted.
Specifically, the mobile phone security module acquires the information to be transmitted, which may be confidential information that needs to be transmitted securely or transaction information of a pending online banking transaction.
If the present invention is applied to the secure transmission of confidential information, the information to be transmitted may be confidential information that the mobile phone needs to output, for example confidential information that the mobile phone obtains from its secure storage area.
If the present invention is applied to an online banking service, the information to be transmitted may be the transaction information of a transaction to be executed, for example the transaction account number, transaction amount and other transaction information that the mobile phone obtains through an online banking client.
Step S115c: The mobile phone security module encrypts the information to be transmitted with the negotiation key on the mobile phone security module side to obtain the first ciphertext information, and performs a check calculation on the first ciphertext information to obtain the first verification information.
Specifically, the mobile phone security module encrypts the information to be transmitted with the negotiation key that it generated on the mobile phone security module side, so that the information to be transmitted is transmitted opaquely and the security of the transmission is ensured.
The mobile phone security module performs a check calculation on the first ciphertext information with the negotiation key that it generated on the mobile phone security module side, thereby ensuring the integrity of the first ciphertext information. The check calculation may be any verification method, such as calculating a MAC value.
In this case the negotiation key includes at least one encryption key and one check calculation key.
Step S116c: The mobile phone security module sends the first processing information to the user identification card, where the first processing information includes at least the first ciphertext information and the first verification information.
Step S117c: After receiving the first processing information, the user identification card verifies the first processing information with the negotiation key on the user identification card side.
Specifically, because the check calculation on the first ciphertext information was performed with the negotiation key on the mobile phone security module side, the user identification card, after receiving the first ciphertext information and the first verification information, performs the same check calculation on the first ciphertext information with the negotiation key in the user identification card and compares the result with the first verification information. If the two match, verification passes, which ensures that the first ciphertext information has not been tampered with.
Step S118c: If the user identification card's verification of the first processing information passes, the user identification card decrypts the first ciphertext information with the negotiation key on the user identification card side to obtain the information to be transmitted.
Specifically, because the information to be transmitted was encrypted with the negotiation key on the mobile phone security module side, the user identification card, after receiving the real first ciphertext information, decrypts it with the negotiation key in the user identification card and thereby obtains the real information to be transmitted.
Step S119c: The user identification card signs the information to be transmitted to obtain the first signature information.
Specifically, after obtaining the real information to be transmitted, the user identification card signs it to ensure the integrity and non-repudiation of the information to be transmitted.
Step S120c: The user identification card encrypts the first signature information with the negotiation key on the user identification card side to obtain the second ciphertext information, and performs a check calculation on the second ciphertext information to obtain the second verification information.
Specifically, the user identification card also encrypts the first signature information with the negotiation key on the user identification card side, so that the first signature information is transmitted opaquely, which improves security.
The user identification card also performs a check calculation on the second ciphertext information with the negotiation key on the user identification card side, thereby ensuring the integrity of the second ciphertext information.
Step S121c: The user identification card sends the second processing information to the mobile phone security module, where the second processing information includes at least the second ciphertext information and the second verification information.
Step S122c: After receiving the second processing information, the mobile phone security module verifies the second processing information with the negotiation key on the mobile phone security module side.
Specifically, after receiving the second ciphertext information and the second verification information, the mobile phone security module performs a check calculation on the second ciphertext information with the negotiation key on the mobile phone security module side and compares the result with the second verification information. If the two match, verification passes, which ensures that the second ciphertext information has not been tampered with.
Step S123c: If the mobile phone security module's verification of the second processing information passes, it decrypts the second ciphertext information with the negotiation key on the mobile phone security module side to obtain the first signature information.
Specifically, after obtaining the real second ciphertext information, the mobile phone security module decrypts it with the negotiation key on the mobile phone security module side to obtain the real first signature information.
A secure information exchange between the mobile phone security module and the user identification card is thereby completed.
Step S124c: The mobile phone security module sends out at least the first signature information.
Specifically, the mobile phone security module sends out the first signature information obtained by signing the information to be transmitted.
If the present invention is applied to the secure transmission of confidential information, the signed confidential information is sent out to, for example, a device that extracts the confidential information;
If the present invention is applied to an online banking service, the signed transaction information is sent to, for example, an online banking server.
Mode four
Step S114d: The mobile phone security module acquires the information to be transmitted.
Step S115d: The mobile phone security module encrypts the information to be transmitted with the negotiation key on the mobile phone security module side to obtain the first ciphertext information, and performs a check calculation on the first ciphertext information to obtain the first verification information.
Step S116d: The mobile phone security module sends the first processing information to the user identification card, where the first processing information includes at least the first ciphertext information and the first verification information.
Step S117d: After receiving the first processing information, the user identification card verifies the first processing information with the negotiation key on the user identification card side.
Step S118d: If the user identification card's verification of the first processing information passes, the user identification card decrypts the first ciphertext information with the negotiation key on the user identification card side to obtain the information to be transmitted.
Step S119d: The user identification card signs the information to be transmitted to obtain the first signature information.
Step S120d: The user identification card encrypts the first signature information with the negotiation key on the user identification card side to obtain the second ciphertext information.
Step S121d: The user identification card sends the second processing information to the mobile phone security module, where the second processing information includes at least the second ciphertext information.
Step S122d: The mobile phone security module decrypts the second ciphertext information with the negotiation key on the mobile phone security module side to obtain the first signature information.
Step S123d: The mobile phone security module sends out at least the first signature information.
Mode five
Step S114e: The mobile phone security module acquires the information to be transmitted.
Step S115e: The mobile phone security module encrypts the information to be transmitted with the negotiation key on the mobile phone security module side to obtain the first ciphertext information, and performs a check calculation on the first ciphertext information to obtain the first verification information.
Step S116e: The mobile phone security module sends the first processing information to the user identification card, where the first processing information includes at least the first ciphertext information and the first verification information.
Step S117e: After receiving the first processing information, the user identification card verifies the first processing information with the negotiation key on the user identification card side.
Step S118e: If the user identification card's verification of the first processing information passes, the user identification card decrypts the first ciphertext information with the negotiation key on the user identification card side to obtain the information to be transmitted.
Step S119e: The user identification card signs the information to be transmitted to obtain the first signature information.
Step S120e: The user identification card performs a check calculation on the first signature information with the negotiation key on the user identification card side to obtain the second verification information.
Step S121e: The user identification card sends the second processing information to the mobile phone security module, where the second processing information includes at least the first signature information and the second verification information.
Step S122e: After receiving the second processing information, the mobile phone security module verifies the second processing information with the negotiation key on the mobile phone security module side.
Step S123e: If the mobile phone security module's verification of the second processing information passes, the mobile phone security module sends out at least the first signature information.
Mode six
Step S114f: The mobile phone security module acquires the information to be transmitted.
Step S115f: The mobile phone security module encrypts the information to be transmitted with the negotiation key on the mobile phone security module side to obtain the first ciphertext information.
Step S116f: The mobile phone security module sends the first processing information to the user identification card, where the first processing information includes at least the first ciphertext information.
Step S117f: After receiving the first processing information, the user identification card decrypts the first ciphertext information with the negotiation key on the user identification card side to obtain the information to be transmitted.
Step S118f: The user identification card signs the information to be transmitted to obtain the first signature information.
Step S119f: The user identification card encrypts the first signature information with the negotiation key on the user identification card side to obtain the second ciphertext information, and performs a check calculation on the second ciphertext information to obtain the first verification information.
Step S120f: The user identification card sends the second processing information to the mobile phone security module, where the second processing information includes at least the second ciphertext information and the first verification information.
Step S121f: After receiving the second processing information, the mobile phone security module verifies the second processing information with the negotiation key on the mobile phone security module side.
Step S122f: If the mobile phone security module's verification of the second processing information passes, it decrypts the second ciphertext information with the negotiation key on the mobile phone security module side to obtain the first signature information.
Step S123f: The mobile phone security module sends out at least the first signature information.
Mode seven
Step S114g: The mobile phone security module acquires the information to be transmitted.
Step S115g: The mobile phone security module performs a check calculation on the information to be transmitted with the negotiation key on the mobile phone security module side to obtain the first verification information.
Step S116g: The mobile phone security module sends the first processing information to the user identification card, where the first processing information includes at least the information to be transmitted and the first verification information.
Step S117g: After receiving the first processing information, the user identification card verifies the first processing information with the negotiation key on the user identification card side.
Step S118g: If the user identification card's verification of the first processing information passes, the user identification card signs the information to be transmitted to obtain the first signature information.
Step S119g: The user identification card encrypts the first signature information with the negotiation key on the user identification card side to obtain the second ciphertext information, and performs a check calculation on the second ciphertext information to obtain the second verification information.
Step S120g: The user identification card sends the second processing information to the mobile phone security module, where the second processing information includes at least the second ciphertext information and the second verification information.
Step S121g: After receiving the second processing information, the mobile phone security module verifies the second processing information with the negotiation key on the mobile phone security module side.
Step S122g: If the mobile phone security module's verification of the second processing information passes, it decrypts the second ciphertext information with the negotiation key on the mobile phone security module side to obtain the first signature information.
Step S123g: The mobile phone security module sends out at least the first signature information.
Mode eight
Step S114h: The mobile phone security module acquires the information to be transmitted.
Step S115h: The mobile phone security module encrypts the information to be transmitted with the negotiation key on the mobile phone security module side to obtain the first ciphertext information.
Step S116h: The mobile phone security module sends the first processing information to the user identification card, where the first processing information includes at least the first ciphertext information.
Step S117h: After receiving the first processing information, the user identification card decrypts the first ciphertext information with the negotiation key on the user identification card side to obtain the information to be transmitted.
Step S118h: The user identification card signs the information to be transmitted to obtain the first signature information.
Step S119h: The user identification card performs a check calculation on the first signature information with the negotiation key on the user identification card side to obtain the first verification information.
Step S120h: The user identification card sends the second processing information to the mobile phone security module, where the second processing information includes at least the first signature information and the first verification information.
Step S121h: After receiving the second processing information, the mobile phone security module verifies the second processing information with the negotiation key on the mobile phone security module side.
Step S122h: If the mobile phone security module's verification of the second processing information passes, the mobile phone security module sends out at least the first signature information.
Mode nine
Step S114i: The mobile phone security module acquires the information to be transmitted.
Step S115i: The mobile phone security module encrypts the information to be transmitted with the negotiation key on the mobile phone security module side to obtain the first ciphertext information, and performs a check calculation on the first ciphertext information to obtain the first verification information.
Step S116i: The mobile phone security module sends the first processing information to the user identification card, where the first processing information includes at least the first ciphertext information and the first verification information.
Step S117i: After receiving the first processing information, the user identification card verifies the first processing information with the negotiation key on the user identification card side.
Step S118i: If the user identification card's verification of the first processing information passes, the user identification card decrypts the first ciphertext information with the negotiation key on the user identification card side to obtain the information to be transmitted.
Step S119i: The user identification card signs the information to be transmitted to obtain the first signature information.
Step S120i: The user identification card encrypts the first signature information with the negotiation key on the user identification card side to obtain the second ciphertext information.
Step S121i: The user identification card sends the second processing information to the mobile phone security module, where the second processing information includes at least the second ciphertext information.
Step S122i: The mobile phone security module decrypts the second ciphertext information with the negotiation key on the mobile phone security module side to obtain the first signature information.
Step S123i: The mobile phone security module sends out at least the first signature information.
Of course, in Modes one through nine above, every step that performs a check calculation on ciphertext information may instead perform the check calculation on the original text of the ciphertext information; in that case, after the verification information and the ciphertext information are obtained, the ciphertext information is first decrypted to obtain its original text, and the verification information is then verified. It suffices to guarantee that the ciphertext information, or the original text of the ciphertext information, cannot be tampered with.
It can be seen that the negotiation-key-based data processing method of the present invention enables the mobile phone to securely perform online banking services and/or the transmission of confidential information.
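Mode three above, together with the alternative of checking the original text instead of the ciphertext, can be exercised as the round trip below. This is an added example, not code from the patent: the HMAC-based split of the negotiation key, the HMAC-SHA256 keystream cipher, the HMAC stand-in for the card's signature, and all names and sample values are assumptions.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
# Constructed sample values (not from the patent).
NEGOTIATION_KEY = bytes(range(32))                # already agreed by both sides
CARD_SIGNING_KEY = b"constructed card-only signing key"
MESSAGE = b"account=0000111122223333;amount=100.00"


def derive_keys(negotiation_key):
    """Assumption: derive one encryption key and one check key from the negotiation key."""
    enc_key = hmac.new(negotiation_key, b"encryption", hashlib.sha256).digest()
    check_key = hmac.new(negotiation_key, b"check", hashlib.sha256).digest()
    return enc_key, check_key


def keystream_xor(enc_key, nonce, data):
    """Stand-in cipher: XOR with an HMAC-SHA256 counter-mode keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(enc_key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def verify(check_key, data, check):
    """Recompute the MAC and compare in constant time; raise on mismatch."""
    expected = hmac.new(check_key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(check, expected):
        raise ValueError("verification information mismatch")


def seal(keys, plaintext, check_over="ciphertext"):
    """Encrypt, then compute the check over the ciphertext or over the original text."""
    enc_key, check_key = keys
    nonce = os.urandom(NONCE_LEN)
    ciphertext = nonce + keystream_xor(enc_key, nonce, plaintext)
    checked = ciphertext if check_over == "ciphertext" else plaintext
    return ciphertext, hmac.new(check_key, checked, hashlib.sha256).digest()


def unseal(keys, ciphertext, check, check_over="ciphertext"):
    enc_key, check_key = keys
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    if check_over == "ciphertext":
        verify(check_key, ciphertext, check)       # verify first ...
        return keystream_xor(enc_key, nonce, body)  # ... decrypt only if it passed
    plaintext = keystream_xor(enc_key, nonce, body)  # variant: decrypt first ...
    verify(check_key, plaintext, check)              # ... then check the original text
    return plaintext


def card_sign(message):
    """Stand-in for the card's signature (a real card signs with its private key)."""
    return hmac.new(CARD_SIGNING_KEY, message, hashlib.sha256).digest()


def flip_last_bit(data):
    return data[:-1] + bytes([data[-1] ^ 1])


def run_exchange(message, tamper=None, check_over="ciphertext"):
    """Steps S115c to S123c; `tamper` corrupts one message in transit."""
    keys = derive_keys(NEGOTIATION_KEY)              # both sides hold the same key
    ct1, chk1 = seal(keys, message, check_over)      # S115c, module side
    if tamper == "to_card":
        ct1 = flip_last_bit(ct1)
    received = unseal(keys, ct1, chk1, check_over)   # S117c-S118c, card side
    signature = card_sign(received)                  # S119c
    ct2, chk2 = seal(keys, signature, check_over)    # S120c
    if tamper == "to_module":
        ct2 = flip_last_bit(ct2)
    return unseal(keys, ct2, chk2, check_over)       # S122c-S123c, module side


def rejects_tampering(where, check_over):
    """True when the receiving side refuses the corrupted message."""
    try:
        run_exchange(MESSAGE, tamper=where, check_over=check_over)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("signature recovered:", run_exchange(MESSAGE) == card_sign(MESSAGE))
    print("tampering rejected:", rejects_tampering("to_card", "ciphertext"))
```

With the check over the ciphertext, a corrupted message is rejected before any decryption takes place; with the check over the original text, the receiver has to decrypt unauthenticated data before it can detect the change.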
In addition, in any of the above manners, after the step in which the mobile phone security module acquires the information to be transmitted and before the step in which the mobile phone security module sends the first processing information to the user identification card, the negotiation-key-based data processing method may further include the following steps S1141 to S1144.
Step S1141: the mobile phone security module extracts key information from the information to be transmitted.
Specifically, the mobile phone security module extracts the key information from the information to be transmitted so that it can be displayed to the user, who confirms whether it is the intended information.
For example, if the present invention is applied to the secure transmission of confidential information, the mobile phone security module may extract key information such as the file name from the confidential information, so that the user can confirm whether that confidential file needs to be extracted for secure output. If the present invention is applied to online banking, the mobile phone security module may extract key information from the transaction information, such as the transaction account number and the transaction amount, so that the user can confirm whether the transaction is genuine.
Step S1142: the mobile phone security module controls the mobile phone display to show the key information extracted from the information to be transmitted.
Specifically, the mobile phone security module controls the display of the mobile phone to show the extracted key information so that the user can confirm that the key information is authentic, which in turn ensures the authenticity of the information to be transmitted. In addition, having the mobile phone security module control the display avoids the problem that key information shown under the control of the mobile phone CPU might be tampered with, ensures that the content displayed under the control of the mobile phone security module is the real content, and improves security.
Step S1143: the mobile phone security module receives a confirmation instruction output by the mobile phone keyboard.
Specifically, once the user has confirmed that the key information shown on the mobile phone display is correct, the user presses the confirmation key on the mobile phone. The confirmation key may be a hardware key on the mobile phone or a virtual key on a touch-screen mobile phone. After the mobile phone security module receives the confirmation instruction output by the mobile phone keyboard, it confirms the authenticity of the information to be transmitted and prepares for the subsequent secure transmission.
Step S1144: after the mobile phone security module receives the confirmation instruction output by the mobile phone keyboard, the step in which the mobile phone security module sends the first processing information to the user identification card is performed.
Specifically, only information to be transmitted that the user has confirmed by key press is regarded as genuine information to be transmitted. This ensures the authenticity of the information to be transmitted and thereby improves the authenticity of confidential information output and the security of transaction information output.
Of course, Embodiment 1 of the present invention may also provide a mobile phone that uses the negotiation-key-based data processing method provided in Embodiment 1. The mobile phone of Embodiment 1 includes at least a mobile phone security module and a user identification card. Each of the mobile phone security module and the user identification card may be divided into any of, and/or any combination of, modules such as a transceiver unit, an encryption/decryption unit, a check calculation unit, a generation unit, a verification unit and a signature unit to perform the corresponding functions, which are not described one by one here.
Embodiment 2
Embodiment 2 differs from Embodiment 1 in that the authentication process and the key generation process between the mobile phone security module and the user identification card run in the opposite direction. The details are not repeated here; only a brief description of the negotiation-key-based data processing method provided in Embodiment 2 is given.
FIG. 2 shows a flowchart of the negotiation-key-based data processing method provided in Embodiment 2 of the present invention. Referring to FIG. 2, the negotiation-key-based data processing method of Embodiment 2 includes the following steps S201 to S213.
Step S201: the user identification card acquires a first random factor.
Step S202: after acquiring the first random factor, the user identification card performs a check calculation on the first random factor with a preset first key to obtain first random factor check information.
Step S203: after obtaining the first random factor check information, the user identification card sends the first random factor check information to the mobile phone security module.
Step S204: after receiving the first random factor check information, the mobile phone security module acquires a first random verification factor.
Step S205: after acquiring the first random verification factor, the mobile phone security module performs a check calculation on the first random verification factor with the preset first key to obtain first check verification information.
Step S206: after obtaining the first check verification information, the mobile phone security module verifies whether the first random factor check information is identical to the first check verification information; if they are identical, the first random factor check information passes verification.
Step S207: after the first random factor check information passes verification, the mobile phone security module acquires a second random factor, performs a check calculation on the second random factor with a preset second key to obtain second random factor check information, and generates the negotiation key on the mobile phone security module side from the first random verification factor and/or the second random factor using the first key and/or the preset second key.
Step S208: after obtaining the second random factor check information, the mobile phone security module sends the second random factor check information to the user identification card.
Step S209: after receiving the second random factor check information, the user identification card acquires a second random verification factor.
Step S210: after acquiring the second random verification factor, the user identification card performs a check calculation on the second random verification factor with the preset second key to obtain second check verification information.
Step S211: after obtaining the second check verification information, the user identification card verifies whether the second random factor check information is identical to the second check verification information; if they are identical, the second random factor check information passes verification.
Step S212: after the second random factor check information passes verification, the user identification card generates the negotiation key on the user identification card side from the first random factor and/or the second random verification factor using the first key and/or the second key.
Step S213: information is securely transmitted between the mobile phone security module and the user identification card using the negotiation key on the mobile phone security module side and the negotiation key on the user identification card side.
It can thus be seen that the negotiation-key-based data processing method of the present invention enables a mobile phone to securely perform online banking services and/or confidential information transmission.
In step S213, the process by which information is securely transmitted between the mobile phone security module and the user identification card using the negotiation key on the mobile phone security module side and the negotiation key on the user identification card side is the same as in Embodiment 1 and is not repeated here.
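The S201 to S213 exchange, followed by a check-protected transfer in S213 (the pattern of claim 4), as an added Python example that is not code from the patent. Assumptions: HMAC-SHA256 stands in for the unspecified check calculation and for the key generation, each random factor is sent together with its check information so the receiving side obtains its random verification factor from the peer, the class and function names are hypothetical, and the card's signing step is omitted.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: the preset keys provisioned in both devices.
K1 = bytes.fromhex("00112233445566778899aabbccddeeff")
K2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def check(key: bytes, data: bytes) -> bytes:
    """The 'check calculation'. HMAC-SHA256 is an assumption of this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Party:
    """User identification card or mobile phone security module."""

    def __init__(self, k1: bytes, k2: bytes):
        self.k1, self.k2 = k1, k2  # preset first and second keys
        self.r1 = self.r2 = None   # random factors seen in this session
        self.key = None            # this side's negotiation key

    def derive(self) -> None:
        # Assumed derivation: both preset keys over both random factors.
        self.key = check(self.k1 + self.k2, b"negotiation" + self.r1 + self.r2)

    def start(self):
        """S201-S203: pick R1 and compute its check information under K1."""
        self.r1 = secrets.token_bytes(16)
        return self.r1, check(self.k1, self.r1)

    def respond(self, r1: bytes, c1: bytes):
        """S204-S208: verify R1, pick R2, derive the key, answer under K2."""
        if not hmac.compare_digest(check(self.k1, r1), c1):
            raise ValueError("first random factor check information rejected")
        self.r1, self.r2 = r1, secrets.token_bytes(16)
        self.derive()
        return self.r2, check(self.k2, self.r2)

    def finish(self, r2: bytes, c2: bytes) -> None:
        """S209-S212: verify R2 and derive the key on the initiating side."""
        if not hmac.compare_digest(check(self.k2, r2), c2):
            raise ValueError("second random factor check information rejected")
        self.r2 = r2
        self.derive()

    def protect(self, info: bytes):
        """Sender in S213: information plus check information under the key."""
        return info, check(self.key, info)

    def accept(self, info: bytes, tag: bytes) -> bytes:
        """Receiver in S213: verify before the information is used (signed)."""
        if not hmac.compare_digest(check(self.key, info), tag):
            raise ValueError("first check information rejected")
        return info


def handshake(initiator: Party, responder: Party) -> None:
    """Run S201-S212 between two parties; raises ValueError on a failed check."""
    r1, c1 = initiator.start()
    r2, c2 = responder.respond(r1, c1)
    initiator.finish(r2, c2)


def rejected(action) -> bool:
    """True if the callable raises ValueError, i.e. verification failed."""
    try:
        action()
    except ValueError:
        return True
    return False


def run_demo() -> dict:
    card, module = Party(K1, K2), Party(K1, K2)
    handshake(card, module)  # Embodiment 2: the card starts the exchange
    info, tag = module.protect(b"account=6222-0000;amount=100.00")  # constructed
    forged = b"account=6222-0000;amount=900.00"
    impostor = Party(secrets.token_bytes(16), K2)  # does not hold K1
    return {
        "keys_match": card.key == module.key,
        "delivered": card.accept(info, tag) == info,
        "tamper_rejected": rejected(lambda: card.accept(forged, tag)),
        "impostor_rejected": rejected(lambda: handshake(impostor, Party(K1, K2))),
    }


if __name__ == "__main__":
    print(run_demo())
```

Swapping which object calls `handshake` first gives the Embodiment 1 direction, in which the mobile phone security module starts the exchange.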
Of course, Embodiment 2 of the present invention may also provide a mobile phone that uses the negotiation-key-based data processing method provided in Embodiment 2. The mobile phone of Embodiment 2 includes at least a mobile phone security module and a user identification card. Each of the mobile phone security module and the user identification card may be divided into any of, and/or any combination of, modules such as a transceiver unit, an encryption/decryption unit, a check calculation unit, a generation unit, a verification unit and a signature unit to perform the corresponding functions, which are not described one by one here.
Any process or method description in a flowchart or otherwise described herein may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing the steps of a specific logical function or process. The scope of the preferred embodiments of the present invention includes additional implementations in which functions may be performed out of the order shown or discussed, including substantially simultaneously or in the reverse order, depending on the functions involved, as will be understood by those skilled in the art to which the embodiments of the present invention pertain.
It should be understood that the parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented in software or firmware that is stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented by any one or a combination of the following techniques well known in the art: a discrete logic circuit having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), and the like.
Those of ordinary skill in the art will understand that all or some of the steps of the methods in the above embodiments may be carried out by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, performs one or a combination of the steps of the method embodiments.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, each unit may exist physically on its own, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented as a software functional module and sold or used as a stand-alone product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk, or the like.
In this specification, descriptions that refer to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" mean that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, such uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is to be understood that these embodiments are exemplary and are not to be construed as limiting the present invention. Those of ordinary skill in the art may change, modify, replace and vary the above embodiments within the scope of the present invention without departing from its principles and purpose. The scope of the present invention is defined by the appended claims and their equivalents.

Claims (11)

  1. A negotiation-key-based data processing method, characterized by comprising:
    a mobile phone security module acquires a first random factor;
    after acquiring the first random factor, the mobile phone security module performs a check calculation on the first random factor with a preset first key to obtain first random factor check information;
    after obtaining the first random factor check information, the mobile phone security module sends the first random factor check information to a user identification card;
    after receiving the first random factor check information, the user identification card acquires a first random verification factor;
    after acquiring the first random verification factor, the user identification card performs a check calculation on the first random verification factor with the preset first key to obtain first check verification information;
    after obtaining the first check verification information, the user identification card verifies whether the first random factor check information is identical to the first check verification information, and if they are identical, the first random factor check information passes verification;
    after the first random factor check information passes verification, the user identification card acquires a second random factor, performs a check calculation on the second random factor with the preset second key to obtain second random factor check information, and generates the negotiation key on the user identification card side from the first random verification factor and/or the second random factor using the first key and/or the preset second key;
    after obtaining the second random factor check information, the user identification card sends the second random factor check information to the mobile phone security module;
    after receiving the second random factor check information, the mobile phone security module acquires a second random verification factor;
    after acquiring the second random verification factor, the mobile phone security module performs a check calculation on the second random verification factor with the preset second key to obtain second check verification information;
    after obtaining the second check verification information, the mobile phone security module verifies whether the second random factor check information is identical to the second check verification information, and if they are identical, the second random factor check information passes verification;
    after the second random factor check information passes verification, the mobile phone security module generates the negotiation key on the mobile phone security module side from the first random factor and/or the second random verification factor using the first key and/or the second key;
    information is securely transmitted between the mobile phone security module and the user identification card using the negotiation key on the mobile phone security module side and the negotiation key on the user identification card side.
  2. A negotiation-key-based data processing method, characterized by comprising:
    a user identification card acquires a first random factor;
    after acquiring the first random factor, the user identification card performs a check calculation on the first random factor with a preset first key to obtain first random factor check information;
    after obtaining the first random factor check information, the user identification card sends the first random factor check information to a mobile phone security module;
    after receiving the first random factor check information, the mobile phone security module acquires a first random verification factor;
    after acquiring the first random verification factor, the mobile phone security module performs a check calculation on the first random verification factor with the preset first key to obtain first check verification information;
    after obtaining the first check verification information, the mobile phone security module verifies whether the first random factor check information is identical to the first check verification information, and if they are identical, the first random factor check information passes verification;
    after the first random factor check information passes verification, the mobile phone security module acquires a second random factor, performs a check calculation on the second random factor with the preset second key to obtain second random factor check information, and generates the negotiation key on the mobile phone security module side from the first random verification factor and/or the second random factor using the first key and/or the preset second key;
    after obtaining the second random factor check information, the mobile phone security module sends the second random factor check information to the user identification card;
    after receiving the second random factor check information, the user identification card acquires a second random verification factor;
    after acquiring the second random verification factor, the user identification card performs a check calculation on the second random verification factor with the preset second key to obtain second check verification information;
    after obtaining the second check verification information, the user identification card verifies whether the second random factor check information is identical to the second check verification information, and if they are identical, the second random factor check information passes verification;
    after the second random factor check information passes verification, the user identification card generates the negotiation key on the user identification card side from the first random factor and/or the second random verification factor using the first key and/or the second key;
    information is securely transmitted between the mobile phone security module and the user identification card using the negotiation key on the mobile phone security module side and the negotiation key on the user identification card side.
  3. The method according to claim 1 or 2, characterized in that the step in which information is securely transmitted between the mobile phone security module and the user identification card using the negotiation key on the mobile phone security module side and the negotiation key on the user identification card side comprises:
    the mobile phone security module acquires information to be transmitted;
    the mobile phone security module encrypts the information to be transmitted with the negotiation key on the mobile phone security module side to obtain first ciphertext information;
    the mobile phone security module sends first processing information to the user identification card, where the first processing information includes at least the first ciphertext information;
    after receiving the first processing information, the user identification card decrypts the first ciphertext information with the negotiation key on the user identification card side to obtain the information to be transmitted;
    the user identification card signs the information to be transmitted to obtain first signature information.
  4. The method according to claim 1 or 2, characterized in that the step in which information is securely transmitted between the mobile phone security module and the user identification card using the negotiation key on the mobile phone security module side and the negotiation key on the user identification card side comprises:
    the mobile phone security module acquires information to be transmitted;
    the mobile phone security module performs a check calculation on the information to be transmitted with the negotiation key on the mobile phone security module side to obtain first check information;
    the mobile phone security module sends first processing information to the user identification card, where the first processing information includes at least the information to be transmitted and the first check information;
    after receiving the first processing information, the user identification card verifies the first processing information with the negotiation key on the user identification card side;
    if the first processing information passes verification by the user identification card, the user identification card signs the information to be transmitted to obtain first signature information.
  5. The method according to claim 1 or 2, characterized in that the step in which information is securely transmitted between the mobile phone security module and the user identification card using the negotiation key on the mobile phone security module side and the negotiation key on the user identification card side comprises:
    the mobile phone security module acquires information to be transmitted;
    the mobile phone security module encrypts the information to be transmitted with the negotiation key on the mobile phone security module side to obtain first ciphertext information, and performs a check calculation on the first ciphertext information to obtain first check information;
    the mobile phone security module sends first processing information to the user identification card, where the first processing information includes at least the first ciphertext information and the first check information;
    after receiving the first processing information, the user identification card verifies the first processing information with the negotiation key on the user identification card side;
    if the first processing information passes verification by the user identification card, the user identification card decrypts the first ciphertext information with the negotiation key on the user identification card side to obtain the information to be transmitted;
    the user identification card signs the information to be transmitted to obtain first signature information.
  6. The method according to any one of claims 3 to 5, characterized in that, after the step in which the user identification card signs the information to be transmitted to obtain the first signature information, the method further comprises:
    the user identification card encrypts the first signature information with the negotiation key on the user identification card side to obtain second ciphertext information;
    the user identification card sends second processing information to the mobile phone security module, where the second processing information includes at least the second ciphertext information;
    after receiving the second processing information, the mobile phone security module decrypts the second ciphertext information with the negotiation key on the mobile phone security module side to obtain the first signature information;
    the mobile phone security module sends out at least the first signature information; or
    the user identification card performs a check calculation on the first signature information with the negotiation key on the user identification card side to obtain second check information;
    the user identification card sends second processing information to the mobile phone security module, where the second processing information includes at least the first signature information and the second check information;
    after receiving the second processing information, the mobile phone security module verifies the second processing information with the negotiation key on the mobile phone security module side;
    if the second processing information passes verification by the mobile phone security module, the mobile phone security module sends out at least the first signature information; or
    the user identification card encrypts the first signature information with the negotiation key on the user identification card side to obtain second ciphertext information, and performs a check calculation on the second ciphertext information to obtain second check information;
    the user identification card sends second processing information to the mobile phone security module, where the second processing information includes at least the second ciphertext information and the second check information;
    after receiving the second processing information, the mobile phone security module verifies the second processing information with the negotiation key on the mobile phone security module side;
    if the second processing information passes verification by the mobile phone security module, the mobile phone security module decrypts the second ciphertext information with the negotiation key on the mobile phone security module side to obtain the first signature information;
    the mobile phone security module sends out at least the first signature information.
  7. The method according to any one of claims 3 to 6, wherein after the step of the mobile phone security module acquiring the information to be transmitted, and before the step of the mobile phone security module sending the first processing information to the user identification card, the method further comprises:
    The mobile phone security module extracts key information from the information to be transmitted;
    The mobile phone security module controls the mobile phone display screen to display the key information extracted from the information to be transmitted;
    The mobile phone security module receives a confirmation instruction output by the mobile phone keyboard;
    After the mobile phone security module receives the confirmation instruction output by the mobile phone keyboard, the step of the mobile phone security module sending the first processing information to the user identification card is performed.
  8. The method according to any one of claims 1 to 7, wherein
    The first random factor is generated by the mobile phone security module, and the first random verification factor is generated by the user identification card in the same manner as the mobile phone security module generates the first random factor, or the first random verification factor is obtained by the user identification card from the mobile phone security module; or
    The first random factor is generated by the user identification card and sent to the mobile phone security module, and the first random verification factor is generated by the user identification card in the same manner as the user identification card generates the first random factor, or the first random verification factor is obtained by the user identification card from the mobile phone security module.
  9. The method according to any one of claims 1 to 8, wherein
    The second random factor is generated by the user identification card, and the second random verification factor is generated by the mobile phone security module in the same manner as the user identification card generates the second random factor, or the second random verification factor is obtained by the mobile phone security module from the user identification card; or
    The second random factor is generated by the mobile phone security module and sent to the user identification card, and the second random verification factor is generated by the mobile phone security module in the same manner as the mobile phone security module generates the second random factor, or the second random verification factor is obtained by the mobile phone security module card from the user identification card.
  10. The method according to any one of claims 1 to 9, wherein the mobile phone security module is a module independent of the mobile phone CPU, or the mobile phone security module is disposed in a secure area in the mobile phone CPU.
  11. A storage medium, wherein the storage medium is configured to store an application program, and the application program is configured to execute, when run, the negotiation key-based data processing method according to any one of claims 1-10.
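The last alternative of claim 6 (the card encrypts the first signature information, computes check information over the ciphertext, and the security module verifies before it decrypts) can be illustrated as follows. This is an added example, not code from the patent: the claims name no algorithms, so HMAC-SHA256 as the check calculation, the HMAC-based keystream standing in for the cipher, the derivation of separate subkeys from the negotiation key, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size


def _subkey(negotiation_key: bytes, label: bytes) -> bytes:
    # Assumption: distinct encryption and check keys are derived from the one negotiation key.
    return hmac.new(negotiation_key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode); a deployment would use a vetted AEAD.
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def card_wrap(negotiation_key: bytes, first_signature: bytes) -> bytes:
    """Card side: encrypt the signature, then compute check info over the ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = _keystream_xor(_subkey(negotiation_key, b"enc"), nonce, first_signature)
    ciphertext = nonce + body  # "second ciphertext information"
    check = hmac.new(_subkey(negotiation_key, b"mac"), ciphertext, hashlib.sha256).digest()
    return ciphertext + check  # "second processing information"


def module_unwrap(negotiation_key: bytes, second_processing_info: bytes) -> bytes:
    """Security module side: verify first, decrypt only if verification passes."""
    if len(second_processing_info) < NONCE_LEN + TAG_LEN:
        raise ValueError("second processing information too short")
    ciphertext = second_processing_info[:-TAG_LEN]
    check = second_processing_info[-TAG_LEN:]
    expected = hmac.new(_subkey(negotiation_key, b"mac"), ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, check):  # constant-time comparison
        raise ValueError("verification of second processing information failed")
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return _keystream_xor(_subkey(negotiation_key, b"enc"), nonce, body)
```

Because the check information covers the ciphertext, a message altered between the card and the security module is rejected before any decryption takes place, and a module holding a different negotiation key rejects it as well.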
PCT/CN2015/070911 2014-03-12 2015-01-16 Negotiation key based data processing method WO2015135398A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410089815.1A CN103888453B (en) 2014-03-12 2014-03-12 A kind of data processing method based on arranging key
CN201410089815.1 2014-03-12

Publications (1)

Publication Number Publication Date
WO2015135398A1 true WO2015135398A1 (en) 2015-09-17

Family

ID=50957173

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/070911 WO2015135398A1 (en) 2014-03-12 2015-01-16 Negotiation key based data processing method

Country Status (3)

Country Link
CN (1) CN103888453B (en)
HK (1) HK1199567A1 (en)
WO (1) WO2015135398A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111526509A (en) * 2020-05-26 2020-08-11 中国联合网络通信集团有限公司 Card data processing method and device
CN111814137A (en) * 2020-06-29 2020-10-23 深圳市海邻科信息技术有限公司 Operation and maintenance method and system of terminal and storage medium
CN112787977A (en) * 2019-11-07 2021-05-11 中国电信股份有限公司 Secure transmission method and system

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103888453B (en) * 2014-03-12 2018-02-16 天地融科技股份有限公司 A kind of data processing method based on arranging key
CN108924161A (en) * 2018-08-13 2018-11-30 南京敞视信息科技有限公司 A kind of encrypted transaction data communication means and system
CN109787955B (en) * 2018-12-12 2021-07-16 东软集团股份有限公司 Information transmission method, device and storage medium
CN112149099B (en) * 2019-06-26 2024-02-13 天地融科技股份有限公司 Office safety control method, safety keyboard and office system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101626370A (en) * 2008-07-07 2010-01-13 华为技术有限公司 Method, system and equipment for distributing secret keys to nodes
CN101686127A (en) * 2008-09-24 2010-03-31 北京创原天地科技有限公司 Novel USBKey secure calling method and USBKey device
US20130159195A1 (en) * 2011-12-16 2013-06-20 Rawllin International Inc. Authentication of devices
CN103888453A (en) * 2014-03-12 2014-06-25 天地融科技股份有限公司 Data processing method based on negotiation secret keys

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7783041B2 (en) * 2005-10-03 2010-08-24 Nokia Corporation System, method and computer program product for authenticating a data agreement between network entities
CN100488099C (en) * 2007-11-08 2009-05-13 西安西电捷通无线网络通信有限公司 Bidirectional access authentication method
CN102014386B (en) * 2010-10-15 2012-05-09 西安西电捷通无线网络通信股份有限公司 Entity authentication method and system based on symmetrical code algorithm
CN103002442A (en) * 2012-12-20 2013-03-27 邱华 Safe wireless local area network key distribution method
CN203278851U (en) * 2013-03-06 2013-11-06 上海阳扬电子科技有限公司 Authenticated encryption device with wireless communication function

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112787977A (en) * 2019-11-07 2021-05-11 中国电信股份有限公司 Secure transmission method and system
CN112787977B (en) * 2019-11-07 2022-11-11 中国电信股份有限公司 Secure transmission method and system
CN111526509A (en) * 2020-05-26 2020-08-11 中国联合网络通信集团有限公司 Card data processing method and device
CN111526509B (en) * 2020-05-26 2022-08-02 中国联合网络通信集团有限公司 Card data processing method and device
CN111814137A (en) * 2020-06-29 2020-10-23 深圳市海邻科信息技术有限公司 Operation and maintenance method and system of terminal and storage medium
CN111814137B (en) * 2020-06-29 2024-03-22 深圳市海邻科信息技术有限公司 Operation and maintenance method, operation and maintenance system and storage medium of terminal

Also Published As

Publication number Publication date
CN103888453B (en) 2018-02-16
HK1199567A1 (en) 2015-07-03
CN103888453A (en) 2014-06-25

Similar Documents

Publication Publication Date Title
US20240007308A1 (en) Confidential authentication and provisioning
WO2015161689A1 (en) Data processing method based on negotiation key
WO2015135398A1 (en) Negotiation key based data processing method
EP3324572B1 (en) Information transmission method and mobile device
AU2019240671A1 (en) Methods for secure cryptogram generation
US20160080157A1 (en) Network authentication method for secure electronic transactions
CN108234115B (en) Information security verification method, device and system
CN103095456B (en) The processing method of transaction message and system
CN109194465B (en) Method for managing keys, user equipment, management device and storage medium
CN108566381A (en) A kind of security upgrading method, device, server, equipment and medium
CN103078742B (en) Generation method and system of digital certificate
WO2015158172A1 (en) User identity identification card
CN109064324A (en) Method of commerce, electronic device and readable storage medium storing program for executing based on alliance's chain
WO2014107977A1 (en) Key protection method and system
CN109861813B (en) Anti-quantum computing HTTPS communication method and system based on asymmetric key pool
CN112055019B (en) Method for establishing communication channel and user terminal
WO2018120938A1 (en) Offline key transmission method, terminal and storage medium
TWI724684B (en) Method, system and device for performing cryptographic operations subject to identity verification
WO2015109958A1 (en) Data processing method based on negotiation key, and mobile phone
WO2015158173A1 (en) Agreement key-based data processing method
CN114143117A (en) Data processing method and device
CN112003697A (en) Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium
CN114389860A (en) Voice communication method and device
CN112583588B (en) Communication method and device and readable storage medium
CN109510711B (en) Network communication method, server, client and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15761603; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15761603; Country of ref document: EP; Kind code of ref document: A1)