WO2015158172A1 - User identity identification card - Google Patents


Info

Publication number
WO2015158172A1
Authority
WO
WIPO (PCT)
Prior art keywords
module
information
calculation
public key
perform
Application number
PCT/CN2015/070906
Inventor
李东声
Original Assignee
天地融科技股份有限公司
Application filed by 天地融科技股份有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Definitions

  • the present invention relates to the field of electronic technologies, and in particular, to a user identity card.
  • the present invention is directed to solving one of the above problems.
  • the main object of the present invention is to provide a user identification card.
  • An aspect of the present invention provides a user identification card, including: a processing module, a communication module, a security authentication module, a permission control module, a security protection module, a security storage module, a public key algorithm module, a symmetric algorithm module, a random number module, and a hash module
  • the communication module is configured to perform information reception and output
  • the security authentication module is configured to perform security authentication on user identity information and user operation information
  • the permission control module is configured to perform authority control on the call of the processing module to each module;
  • the security protection module is configured to perform at least protection operations on the operations of the public key algorithm module, the symmetric algorithm module, the random number module, and/or the hash module;
  • the secure storage module is configured to store at least a private key for performing signature calculation, and a negotiation key for performing encryption and decryption calculation and/or check calculation;
  • the public key algorithm module is configured to perform signature calculation
  • the symmetric algorithm module is configured to perform an encryption and decryption calculation and/or a verification calculation
  • a random number module set to generate a random factor
  • a hash module set to perform hash calculations
  • the processing module is configured to invoke the information receiving and outputting of the communication module, invoke the authentication result after the authentication of the security authentication module, and invoke the protection operation of the security protection module, where the security is invoked.
  • the hash calculation is called, and the calling of each module is performed according to the authority of the permission control module.
  • the communication module is further configured to receive the first authentication information and the to-be-processed information, and output the second authentication information, the second ciphertext information, and the processing information, where the first authentication information includes at least: first ciphertext information, ciphertext signature information and the certificate to be authenticated; the first ciphertext information includes at least a first random factor and a second random factor, and the ciphertext signature information is a signature of the first ciphertext information;
  • the second authentication information includes at least: a first random factor and a user identification card certificate, where the second ciphertext information includes at least the second random factor and a third random factor;
  • the secure storage module is further configured to store a private key of the user identification card, a certificate of the user identification card, and a public key of the certificate to be authenticated;
  • the public key algorithm module is further configured to perform the verification calculation of the ciphertext signature information by using the public key of the certificate to be authenticated, and to perform the authentication calculation on the certificate to be authenticated;
  • the symmetric algorithm module is further configured to perform decryption calculation on the first ciphertext information, and at least perform encryption calculation on the second random factor and the third random factor to obtain second ciphertext information;
  • a random number module further configured to generate the first random factor and the third random factor
  • the processing module is further configured to: after calling the public key algorithm module to authenticate the certificate to be authenticated, invoke the public key algorithm module to verify the ciphertext signature information; after the verification passes, invoke the symmetric algorithm module to decrypt the first ciphertext information and obtain the second random factor; invoke the third random factor generated by the random number module; and invoke the symmetric algorithm module to perform an encryption calculation on the second random factor and the third random factor to obtain the second ciphertext information.
  • the communication module is further configured to receive the first verification information and the to-be-processed information, and output the second verification information and the processing information; wherein the first verification information is calculated by using a first random factor, and the second verification information is calculated by using the second random factor;
  • the secure storage module is further configured to store a private key of the user identity card, a first key and a second key for performing verification;
  • the symmetric algorithm module is further configured to perform a check calculation on the first verification information by using the first key, and to perform a check calculation on the second random factor by using the second key to obtain the second verification information;
  • a random number module further configured to generate at least the second random factor
  • the processing module is further configured to: use the first key stored by the secure storage module and the symmetric algorithm module to verify the first verification information, and after the verification passes, invoke the second random factor generated by the random number module and call the symmetric algorithm module to perform a check calculation on the second random factor to obtain the second verification information.
  • the communication module is further configured to receive the first ciphertext information and the to-be-processed information, and output the second ciphertext information and the processing information; wherein the first ciphertext information is obtained by performing an encryption calculation on the first random factor by using the public key of the user identity card, and the second ciphertext information is obtained by encrypting the second random factor by using a public key of the module to be interacted with;
  • the secure storage module is further configured to store a private key of the user identification card and a public key calculation algorithm for generating a public key of the module to be interacted with;
  • the public key algorithm module is further configured to generate a public key of the module to be interacted according to the public key calculation algorithm and the identifier information to be exchanged;
  • the symmetric algorithm module is further configured to perform decryption calculation on the first ciphertext information by using a private key of the user identity card, and perform encryption calculation on the second random factor by using a public key of the module to be interacted;
  • a random number module further configured to generate at least the second random factor
  • the processing module is further configured to invoke the symmetric algorithm module to decrypt the first ciphertext information according to the private key of the user identity card to obtain a first random factor, invoke the public key calculation algorithm stored by the secure storage module and the public key algorithm module to generate the public key of the module to be interacted with, invoke the second random factor generated by the random number module, and invoke the symmetric algorithm module to perform an encryption calculation on the second random factor according to the public key of the module to be interacted with to obtain the second ciphertext information.
  • the processing information includes: the encrypted information obtained by the symmetric algorithm module encrypting the signature information according to the negotiation key, wherein the signature information is obtained by the public key algorithm module performing a signature calculation on the to-be-processed information according to the private key of the user identification card; or
  • the processing information includes: verification information obtained by the symmetric algorithm module performing a check calculation on the signature information according to the negotiation key, and the signature information, where the signature information is obtained by the public key algorithm module performing a signature calculation on the to-be-processed information according to the private key of the user identification card; or
  • the processing information includes: the encrypted information obtained by the symmetric algorithm module encrypting the signature information according to the negotiation key, and the verification information obtained by performing a check calculation on the signature information, where the signature information is obtained by the public key algorithm module performing a signature calculation on the to-be-processed information according to the private key of the user identity card; or
  • the processing information includes: the encrypted information obtained by the symmetric algorithm module encrypting the signature information according to the negotiation key, and the verification information obtained by performing a check calculation on the encrypted information, wherein the signature information is obtained by the public key algorithm module performing a signature calculation on the to-be-processed information according to the private key of the user identity card.
  • the processing module is further configured to invoke a hash calculation of the hash module to obtain the signature information when the public key algorithm module performs signature calculation on the to-be-processed information according to a private key of the user identity card.
  • the symmetric algorithm module is further configured to perform decryption calculation and/or verification calculation on the to-be-processed information.
  • the communication module includes: a serial port, a USB interface, an NFC interface, a Bluetooth interface, an infrared interface, a button or an audio interface.
  • protection operations include: frequency scrambling, power consumption scrambling, computational scrambling, or balance calculation.
  • the rights control module is further arranged to control the execution of the code and/or the application.
  • the user identification card of the present invention is used in conjunction with the secure portion of the mobile phone to implement secure online banking and/or confidential information transmission.
  • FIG. 1 is a schematic structural diagram of a user identity card provided by the present invention.
  • In the description of the present invention, it should be noted that, unless otherwise explicitly specified and defined, the terms “installation”, “connected”, and “connected” are to be understood broadly: for example, a connection may be fixed, detachable, or integral; may be mechanical or electrical; and may be direct, indirect through an intermediate medium, or the internal communication of two components.
  • the terms “first” and “second” are used for descriptive purposes only and are not to be understood as indicating or implying relative importance, quantity or location.
  • the user identification card of the present invention may be any of the following cards: a SIM (Subscriber Identity Module) card, a UIM (User Identity Module) card, a USIM card, a PIM card, etc. Each of these cards extends its existing functions with security functions, so that the mobile phone can securely perform online banking and/or confidential information transmission.
  • the user identification card of the present invention needs to be matched with a mobile phone having a security function to ensure that the mobile phone with security function can perform the function of online banking service and/or confidential information transmission together with the user identification card of the present invention.
  • the user identity card of the embodiment 1 of the present invention includes: a communication module 101, a security authentication module 102, an authority control module 103, and security.
  • the communication module 101 is configured to perform information reception and output. Specifically, the communication module 101 can accept the call of the processing module 110 to receive the information sent by the secure part of the mobile phone with the security function matched with the user identity card, and can also output the various kinds of information generated by the user identity card to the secure part of the mobile phone.
  • the communication module 101 can be any interface such as a serial port, a USB interface, an NFC interface, a Bluetooth interface, an infrared interface, a button or an audio interface.
  • the security authentication module 102 is configured to perform security authentication on the user identity information and the user operation information. Specifically, the security authentication module 102 can accept the call of the processing module 110, perform security authentication on the identity information entered by the user through the mobile phone or by other means, and perform security authentication on the user's operation information, such as a read operation. The security authentication module 102 can set different security levels for different users, so that security authentication is completed according to the identity and/or operation of each user.
  • the permission control module 103 is configured to perform authority control on the call of the processing module 110 to each module. Specifically, the rights control module 103 can accept the call of the processing module 110 and cooperate with the processing module 110 to complete the call of the processing module 110 to each module, thereby controlling the call of the processing module 110. Of course, the rights control module 103 can also control the execution rights of the code and/or the application to ensure the security of the information, functions and applications.
  • the security protection module 104 is configured to perform at least protection operations on the operations of the public key algorithm module 106, the symmetric algorithm module 107, the random number module 108, and/or the hash module 109. Specifically, when the public key algorithm module 106 performs signature calculation, and when the symmetric algorithm module 107 performs encryption and decryption calculation and/or verification calculation, the security protection module 104 is called by the processing module 110 to protect the calculation. It can therefore resist analysis attacks such as energy analysis or electromagnetic analysis and make the calculation harder to crack, thereby improving the security of the various information calculations.
  • the protection operation may include any scrambling operation such as frequency scrambling, power consumption scrambling or computational scrambling.
  • the protection operation may also be an operation such as balancing calculation; any operation that achieves the security protection purpose, such as attack prevention, falls within the protection scope of the present invention.
  • the security protection module 104 performs at least a protection operation on the calculation operations of the public key algorithm module 106 and/or the symmetric algorithm module 107.
  • the secure storage module 105 is configured to store at least a private key for performing signature calculation, a negotiation key for performing encryption and decryption calculation and/or verification calculation.
  • the security storage module 105 can store at least security information such as a security key and a negotiation key, and accept the call of the processing module 110 to complete the security function of the user identity card with other modules.
  • the private key for signature calculation cannot be read out at all, which improves the security of private key storage.
  • the public key algorithm module 106 is configured to perform signature calculations. Specifically, in the invocation of the processing module 110, the public key algorithm module 106 performs signature calculation according to the private key (which may be the private key of the user identification card in the present invention) that is set for the signature calculation stored in the secure storage module 105. Therefore, the security function of the user identification card can be realized.
  • the symmetric algorithm module 107 is arranged to perform an encryption and decryption calculation and/or a verification calculation. Specifically, in the present invention, the processing module 110 may invoke the symmetric algorithm module 107 to perform encryption and decryption calculation and/or verification calculation on the information that the user identification card outputs to the secure part of the mobile phone and on the information that the secure part of the mobile phone sends to the user identification card, ensuring that information transmitted between the secure part of the mobile phone and the user identification card is not tampered with, thereby improving security.
  • the random number module 108 is arranged to generate a random factor. Specifically, the random number module 108 can be invoked by the processing module 110 to generate a random factor, so that the random factor can be sent to the secure part of the mobile phone while the random factor sent by the secure part of the mobile phone is received. The processing module 110 can then, based on the random factor of one or both sides, generate a negotiation key for information interaction between the secure part of the mobile phone and the user identification card, thereby improving the security of information interaction between the security module of the mobile phone and the user identification card.
  • the random factor can be added each time information is transmitted to prevent replay attacks.
  • the hash module 109 is set to perform hash calculations. Specifically, the hash module 109 can accept the call of the processing module 110. When the processing module 110 invokes the public key algorithm module 106 to perform signature calculation on the information according to the private key of the user identification card, the hash calculation is performed to obtain the signature information, completing the security function of the user identification card.
  • the processing module 110 is configured to invoke the information receiving and outputting of the communication module 101, invoke the authentication result after authentication by the security authentication module 102, invoke the protection operation of the security protection module 104, invoke the information stored in the security storage module 105, invoke the calculation of the public key algorithm module 106, invoke the calculation of the symmetric algorithm module 107, invoke the random factor generated by the random number module 108, and invoke the hash calculation of the hash module 109, with each module being called according to the authority of the permission control module 103.
  • the processing module 110 can call each of the above modules so that they cooperate to complete the security function of the user identification card.
  • the user identification card of the present invention is used together with the secure part of the mobile phone so that the mobile phone can securely perform online banking and/or confidential information transmission.
  • the structure of the user identity card is as shown in FIG. 1.
  • a negotiation key is generated between the user identity card and the secure part of the mobile phone by mutual certificate authentication, so that the user identity card and the secure part of the mobile phone use the generated negotiation key for secure transmission of information.
  • the communication module 101 is configured to receive the first authentication information and the to-be-processed information, and output the second authentication information, the second ciphertext information, and the processing information, where the first authentication information includes at least: the first ciphertext information, the ciphertext signature information and the certificate to be authenticated; the first ciphertext information includes at least a first random factor and a second random factor; the ciphertext signature information is a signature of the first ciphertext information; the second authentication information includes at least: the first random factor and the user identification card certificate; and the second ciphertext information includes at least a second random factor and a third random factor.
  • the communication module 101 accepts the call of the processing module 110, and is configured to receive the first authentication information and the to-be-processed information, and output the second authentication information, the second ciphertext information, and the processing information.
  • the first authentication information is the authentication information sent by the security part of the mobile phone to the user identification card, and is used for authenticating the security part of the mobile phone;
  • the information to be processed is the information sent by the secure part of the mobile phone to the user identification card. It may be confidential information that needs to be transmitted securely, or may be any information such as transaction information to be traded in online banking. If the present invention is applied to secure transmission of confidential information, the information may be confidential information that the mobile phone needs to output, for example confidential information obtained by the mobile phone from the secure storage area of the mobile phone. If the present invention is applied to online banking, the information may be transaction information of the transaction to be executed, for example the transaction information, transaction amount and other transaction information obtained by the mobile phone through the online banking client.
  • the second authentication information is the authentication information sent by the user identification card to the secure part of the mobile phone, and is used by the secure part of the mobile phone to authenticate the user identification card.
  • the first ciphertext information may carry some of the factors, generated by the secure part of the mobile phone, that are used to generate the negotiation key between the user identity card and the secure part of the mobile phone.
  • the second ciphertext information may also carry some of the factors, generated by the user identification card and/or generated by the secure part of the mobile phone and sent to the user identification card, that are used to generate the negotiation key between the user identification card and the secure part of the mobile phone.
  • the processing information is information that the user identification card sends to the secure portion of the mobile phone in response to the pending information. If the present invention is applied to the secure transmission of confidential information, the processing information may be the signed confidential information or the like. If the present invention is applied to online banking, the processing information may be signed transaction information or the like.
  • the processing information may further include: the encrypted information obtained by the symmetric algorithm module 107 performing the encryption calculation on the signature information according to the negotiation key, wherein the signature information is obtained by the public key algorithm module 106 performing a signature calculation on the to-be-processed information according to the private key of the user identification card; or
  • the processing information includes: verification information obtained by the symmetric algorithm module 107 performing a check calculation on the signature information according to the negotiation key, and the signature information, wherein the signature information is obtained by the public key algorithm module 106 performing a signature calculation on the to-be-processed information according to the private key of the user identification card; or
  • the processing information includes: the encryption information obtained by the symmetric algorithm module 107 performing the encryption calculation on the signature information according to the negotiation key, and the verification information obtained by performing a check calculation on the signature information, wherein the signature information is obtained by the public key algorithm module 106 performing a signature calculation on the to-be-processed information according to the private key of the user identification card; or
  • the processing information includes: the encryption information obtained by the symmetric algorithm module 107 performing the encryption calculation on the signature information according to the negotiation key, and the verification information obtained by performing the check calculation on the encryption information, wherein the signature information is obtained by the public key algorithm module 106 performing a signature calculation on the to-be-processed information according to the private key of the user identification card.
  • the user identification card can ensure the security of the transmission of the signature information while transmitting the processing information.
  • the communication module 101 can be any interface such as a serial port, a USB interface, an NFC interface, a Bluetooth interface, an infrared interface, a button or an audio interface.
  • the security authentication module 102 is configured to perform security authentication on the user identity information and the user operation information. Specifically, the security authentication module 102 can accept the call of the processing module 110, perform security authentication on the identity information entered by the user through the mobile phone or by other means, and perform security authentication on the user's operation information, such as a read operation. The security authentication module 102 can set different security levels for different users, so that security authentication is completed according to the identity and/or operation of each user.
  • the permission control module 103 is configured to perform authority control on the call of the processing module 110 to each module. Specifically, the rights control module 103 can accept the call of the processing module 110 and cooperate with the processing module 110 to complete the call of the processing module 110 to each module, thereby controlling the call of the processing module 110. Of course, the rights control module 103 can also control the execution rights of the code and/or the application to ensure the security of the information, functions and applications.
  • the security protection module 104 is configured to perform at least protection operations on the operations of the public key algorithm module 106, the symmetric algorithm module 107, the random number module 108, and/or the hash module 109. Specifically, the security protection module 104 is called by the processing module 110 to protect the calculation when the public key algorithm module 106 performs signature calculation and when the symmetric algorithm module 107 performs encryption and decryption calculation and/or verification calculation. It can therefore resist analysis attacks such as energy analysis or electromagnetic analysis and make the calculation harder to crack, thereby improving the security of the various information calculations.
  • the protection operation may include any scrambling operation such as frequency scrambling, power consumption scrambling or computational scrambling.
  • the protection operation may also be an operation such as balancing calculation; any operation that achieves the security protection purpose, such as attack prevention, falls within the protection scope of the present invention.
  • the security protection module 104 performs at least a protection operation on the calculation operations of the public key algorithm module 106 and/or the symmetric algorithm module 107.
  • the secure storage module 105 is further configured to store a private key of the user identification card, a certificate of the user identification card, and a public key of the certificate to be authenticated.
  • the secure storage module 105 stores, in addition to the private key for performing signature calculation and the negotiation key for performing encryption and decryption calculation and/or the verification calculation, the private key of the user identification card, so as to accept the call of the processing module 110 and perform signature operations in confidential information transmission and/or online banking.
  • the secure storage module 105 stores the certificate of the user identification card so as to accept the call of the processing module 110 and send the certificate of the user identification card to the secure part of the mobile phone, so that the secure part of the mobile phone authenticates the legitimacy of the user identification card, improving security.
  • the security storage module 105 stores the public key of the certificate to be authenticated, so as to accept the call of the processing module 110, so that the user identification card authenticates the security part of the mobile phone, and the security is improved.
  • the certificate to be authenticated can be the certificate of the secure part of the mobile phone.
  • the public key algorithm module 106 is further configured to verify the ciphertext signature information with the public key of the certificate to be authenticated, and to perform authentication calculation on the certificate to be authenticated.
  • in addition to signature calculation, the public key algorithm module 106 is specifically configured to accept the call of the processing module 110 and use the public key of the certificate to be authenticated to verify the ciphertext signature information sent by the secure part of the mobile phone, in order to verify the correctness of the ciphertext signature information. It also accepts the call of the processing module 110 to perform authentication calculation on the certificate to be authenticated, in order to authenticate the legitimacy of the secure part of the mobile phone.
  • the symmetric algorithm module 107 is further configured to perform decryption calculation on the first ciphertext information, and perform encryption calculation on at least the second random factor and the third random factor to obtain second ciphertext information.
  • the symmetric algorithm module 107 is specifically configured to accept the call of the processing module 110 and decrypt the first ciphertext information, so as to obtain a factor for generating the negotiation key; it is further configured to accept the call of the processing module 110 and encrypt the factors for generating the negotiation key, so that they are sent securely to the secure part of the mobile phone.
  • the symmetric algorithm module 107 of this embodiment may also be configured to perform decryption calculation and/or check calculation on the information to be processed: the secure part of the mobile phone performs encryption calculation and/or check calculation on the information to be processed, and, in order to verify the integrity and authenticity of that information, the symmetric algorithm module 107 performs decryption calculation and/or check calculation on it.
  • the symmetric algorithm module 107 of the present embodiment can also accept the call of the processing module 110 to perform encryption calculation and/or check calculation on the processing information, to ensure the authenticity and integrity of the processing information.
  • the random number module 108 is further configured to generate a first random factor and a third random factor.
  • the random number module 108 is specifically configured to generate a first random factor for preventing a replay attack, and generate a third random factor for generating the negotiation key, and accept the call of the processing module 110.
  • the hash module 109 is configured to perform hash calculations. Specifically, the hash module 109 can accept the call of the processing module 110: when the processing module 110 invokes the public key algorithm module 106 to perform signature calculation on the information according to the private key of the user identification card, the hash calculation is performed so that the signature information is obtained, completing the security function of the user identification card.
  • the processing module 110 is further configured to: after invoking the public key algorithm module 106 to authenticate the certificate to be authenticated, invoke the public key algorithm module 106 to verify the ciphertext signature information; after the verification passes, invoke the symmetric algorithm module 107 to decrypt the first ciphertext information and obtain the second random factor; obtain the third random factor generated by the random number module 108; and invoke the symmetric algorithm module 107 to encrypt the second random factor and the third random factor to obtain the second ciphertext information. Specifically, the processing module 110 invokes each module to authenticate the certificate sent by the secure part of the mobile phone, check the signature sent by the secure part of the mobile phone, and decrypt the ciphertext sent by the secure part of the mobile phone. The negotiation key of the card end enables the secure part of the mobile phone and the user identification card to exchange information through the negotiation key, thereby improving the security of information interaction.
  • the user identification card of the present invention is used in conjunction with the secure portion of the mobile phone to implement secure online banking and/or confidential information transmission.
  • the structure of the user identity card is as shown in FIG. 1.
  • the user identification card and the secure part of the mobile phone each perform a symmetric-key calculation on the factors of the negotiation key, send them to each other and verify them, thereby generating a negotiation key, so that the user identification card and the secure part of the mobile phone use the generated negotiation key to transmit information securely.
  • the communication module 101 is further configured to receive the first verification information and the to-be-processed information, and output the second verification information and the processing information; wherein the first verification information is calculated from the first random factor, and the second verification information is calculated from the second random factor.
  • the communication module 101 accepts the call of the processing module 110, and is configured to receive the first verification information and the to-be-processed information, and output the second verification information and the processing information.
  • the first verification information is obtained by the secure part of the mobile phone performing a check calculation on the first random factor with the first key; the user identification card obtains the first verification information and, after the check passes, obtains the true, untampered first random factor. The first random factor may be generated by the secure part of the mobile phone, or may be generated by the user identification card and sent securely to the secure part of the mobile phone.
  • the information to be processed is the information sent by the security part of the mobile phone to the user identification card, and the information may be confidential information that needs to be transmitted securely, or may be any information such as transaction information to be traded in the online banking.
  • the information may be confidential information that the mobile phone needs to output, for example, confidential information obtained by the mobile phone from a secure storage area of the mobile phone.
  • the information may be transaction information of the transaction to be executed, for example, transaction information such as a transaction account number and a transaction amount obtained by the mobile phone through the online banking client.
  • the second verification information is obtained by the user identification card performing a check calculation on the second random factor with the second key, so that the secure part of the mobile phone obtains the second verification information and, after the check passes, obtains the true, untampered second random factor.
  • the user identification card and the secure part of the mobile phone generate a negotiation key of both parties according to the first random factor and the second random factor respectively obtained.
  • the processing information is information that the user identification card sends to the secure part of the mobile phone in response to the information to be processed. If the present invention is applied to secure transmission of confidential information, the processing information may be signed confidential information, etc.; if the present invention is applied to online banking, the processing information may be signed transaction information and the like.
  • the processing information may further include: encrypted information obtained by the symmetric algorithm module 107 performing encryption calculation on the signature information according to the negotiation key, wherein the signature information is obtained by the public key algorithm module 106 performing signature calculation according to the private key of the user identification card; or
  • the processing information includes: the signature information, and verification information obtained by the symmetric algorithm module 107 performing check calculation on the signature information according to the negotiation key, wherein the signature information is obtained by the public key algorithm module 106 performing signature calculation according to the private key of the user identification card; or
  • the processing information includes: encrypted information obtained by the symmetric algorithm module 107 performing encryption calculation on the signature information according to the negotiation key, and verification information obtained by performing check calculation on the signature information, wherein the signature information is obtained by the public key algorithm module 106 signing the processed information according to the private key of the user identification card; or
  • the processing information includes: encrypted information obtained by the symmetric algorithm module 107 performing encryption calculation on the signature information according to the negotiation key, and verification information obtained by performing check calculation on the encrypted information, wherein the signature information is obtained by the public key algorithm module 106 signing the processed information according to the private key of the user identification card.
  • the user identification card can ensure the security of the transmission of the signature information while transmitting the processing information.
  • the communication module 101 can be any interface such as a serial port, a USB interface, an NFC interface, a Bluetooth interface, an infrared interface, a button or an audio interface.
  • the security authentication module 102 is configured to perform security authentication on the user identity information and the user operation information. Specifically, the security authentication module 102 can accept the call of the processing module 110, perform security authentication on the identity information input by the user through the mobile phone input or other manners, and perform security authentication, such as a read operation, on the operation information of the user. The security authentication module 102 can set different security levels according to different users to complete the security authentication function according to the identity and/or operation of different users.
  • the permission control module 103 is configured to perform authority control on the call of the processing module 110 to each module. Specifically, the rights control module 103 can accept the call of the processing module 110 and cooperate with the processing module 110 to complete the call of the processing module 110 to each module, thereby controlling the call of the processing module 110. Of course, the rights control module 103 can also control the execution rights of the code and/or the application to ensure the security of the information, functions and applications.
  • the security protection module 104 is configured to perform a protection operation at least on the operations of the public key algorithm module 106, the symmetric algorithm module 107, the random number module 108, and/or the hash module 109. Specifically, when called by the processing module 110, the security protection module 104 protects the calculation while the public key algorithm module 106 performs signature calculation and while the symmetric algorithm module 107 performs encryption and decryption calculation and/or check calculation. The card can therefore resist attack analysis such as energy analysis or electromagnetic analysis, which makes the calculation harder to crack and improves the security of the various information calculations.
  • the protection operation may include any scrambling operation such as frequency scrambling, power consumption scrambling or computational scrambling.
  • the protection operation may also be an operation such as balancing calculation; any operation that achieves the security protection purpose, such as attack prevention, falls within the protection scope of the present invention.
  • the security protection module 104 performs at least a protection operation on the calculation operations of the public key algorithm module 106 and/or the symmetric algorithm module 107.
  • the secure storage module 105 is further configured to store a private key of the user identification card, a first key for verification, and a second key.
  • the secure storage module 105 stores, in addition to the private key for performing signature calculation and the negotiation key for performing encryption and decryption calculation and/or check calculation, the private key of the user identification card, so that, when called by the processing module 110, it can be used for signature operations in confidential information transmission and/or online banking signature operations.
  • the secure storage module 105 stores the first key and the second key for verification so that, when called by the processing module 110, the first verification information can be checked to obtain the true first random factor, and a check calculation can be performed on the second random factor so that the secure part of the mobile phone obtains the true second random factor, improving security.
  • the first key and the second key may be the same key or different keys; as long as the user identification card and the secure part of the mobile phone store the same key for the check calculation, it falls within the scope of protection of the present invention.
  • the public key algorithm module 106 is configured to perform signature calculations. Specifically, when called by the processing module 110, the public key algorithm module 106 performs signature calculation with the private key for signature calculation stored in the secure storage module 105 (which may be the private key of the user identification card in the present invention), so that the security function of the user identification card can be realized.
  • the symmetric algorithm module 107 is further configured to perform a check calculation on the first check information by using the first key, and perform a check calculation on the second random factor by using the second key to obtain the second check information.
  • the symmetric algorithm module 107 is specifically configured to accept the call of the processing module 110 and perform a check calculation on the first verification information with the first key, so that the processing module 110 obtains the true first random factor after the check passes.
  • the symmetric algorithm module 107 is further configured to accept the call of the processing module 110 and perform a check calculation on the second random factor with the second key to obtain the second verification information, so that the second random factor is transmitted securely: either it is not tampered with in transit or, if it is, the tampering is detected by the check in the secure part of the mobile phone, so that the secure part of the mobile phone obtains a true, untampered second random factor.
  • the symmetric algorithm module 107 of this embodiment may also be configured to perform decryption calculation and/or check calculation on the information to be processed: the secure part of the mobile phone performs encryption calculation and/or check calculation on the information to be processed, and, in order to verify the integrity and authenticity of that information, the symmetric algorithm module 107 performs decryption calculation and/or check calculation on it.
  • the symmetric algorithm module 107 of the present embodiment can also accept the call of the processing module 110 to perform encryption calculation and/or check calculation on the processing information, to ensure the authenticity and integrity of the processing information.
  • the random number module 108 is further configured to generate at least a second random factor.
  • the random number module 108 is specifically configured to generate a second random factor for generating a negotiation key, and accept the call of the processing module 110.
  • the hash module 109 is configured to perform hash calculations. Specifically, the hash module 109 can accept the call of the processing module 110: when the processing module 110 invokes the public key algorithm module 106 to perform signature calculation on the information according to the private key of the user identification card, the hash calculation is performed so that the signature information is obtained, completing the security function of the user identification card.
  • the processing module 110 is further configured to verify the first verification information by calling the first key stored by the secure storage module 105 and the symmetric algorithm module 107; after the verification passes, it obtains the second random factor generated by the random number module 108 and calls the symmetric algorithm module 107 to perform a check calculation on the second random factor to obtain the second verification information. Specifically, the processing module 110 is configured to invoke each module to verify the verification information sent by the secure part of the mobile phone and obtain the negotiation key generation factor, in order to generate the negotiation key of the user identification card end, so that the secure part of the mobile phone and the user identification card exchange information through the negotiation key, improving the security of information interaction.
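The symmetric-key factor exchange of this embodiment, as an added example that is not part of the patent text: the phone's secure part sends a first random factor with its check value, the card verifies it and answers with a second random factor and check value, and both sides derive the negotiation key. The patent names no algorithms, so HMAC-SHA256 as the check calculation, the keyed derivation, the direction labels, the 16-byte factor size and all class and function names are assumptions; the keys are constructed sample values.

```python
import hashlib
import hmac
import secrets

FACTOR_LEN = 16                          # random factor size (assumption)
TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def check_value(key: bytes, direction: bytes, factor: bytes) -> bytes:
    """Check calculation over a random factor (HMAC-SHA256 is an assumption).

    The direction label is an added hardening step: the text allows the first
    and second key to be the same key, and without the label a message could
    be reflected back to its sender and still pass the check.
    """
    return hmac.new(key, direction + factor, hashlib.sha256).digest()


def seal_factor(key: bytes, direction: bytes, factor: bytes) -> bytes:
    """Build verification information: the factor followed by its check value."""
    return factor + check_value(key, direction, factor)


def open_factor(key: bytes, direction: bytes, info: bytes) -> bytes:
    """Check verification information and return the untampered factor."""
    if len(info) != FACTOR_LEN + TAG_LEN:
        raise ValueError("malformed verification information")
    factor, tag = info[:FACTOR_LEN], info[FACTOR_LEN:]
    if not hmac.compare_digest(tag, check_value(key, direction, factor)):
        raise ValueError("check failed: factor rejected")
    return factor


def negotiation_key(first_key: bytes, second_key: bytes,
                    r1: bytes, r2: bytes) -> bytes:
    """Derive the negotiation key from both random factors.

    The factors are only integrity-protected and travel in the clear, so this
    example keys the derivation with the stored keys (an assumption; the text
    does not specify the derivation function).
    """
    return hmac.new(first_key + second_key, b"negotiation-key" + r1 + r2,
                    hashlib.sha256).digest()


class PhoneSecurePart:
    """Secure part of the mobile phone (hypothetical model)."""

    def __init__(self, first_key: bytes, second_key: bytes):
        self.first_key, self.second_key = first_key, second_key
        self.r1 = None
        self.session_key = None

    def start(self) -> bytes:
        # Generate the first random factor and send the first verification info.
        self.r1 = secrets.token_bytes(FACTOR_LEN)
        return seal_factor(self.first_key, b"phone->card", self.r1)

    def finish(self, second_info: bytes) -> None:
        r2 = open_factor(self.second_key, b"card->phone", second_info)
        self.session_key = negotiation_key(
            self.first_key, self.second_key, self.r1, r2)


class Card:
    """User identification card side (hypothetical model)."""

    def __init__(self, first_key: bytes, second_key: bytes):
        self.first_key, self.second_key = first_key, second_key
        self.session_key = None

    def handle(self, first_info: bytes) -> bytes:
        # Verify first; only then generate the second random factor.
        r1 = open_factor(self.first_key, b"phone->card", first_info)
        r2 = secrets.token_bytes(FACTOR_LEN)
        self.session_key = negotiation_key(
            self.first_key, self.second_key, r1, r2)
        return seal_factor(self.second_key, b"card->phone", r2)


def run_exchange(first_key: bytes, second_key: bytes, tamper: bool = False):
    """Run one exchange; with tamper=True one bit of the first factor is flipped."""
    phone, card = PhoneSecurePart(first_key, second_key), Card(first_key, second_key)
    msg1 = phone.start()
    if tamper:
        msg1 = bytes([msg1[0] ^ 0x01]) + msg1[1:]
    msg2 = card.handle(msg1)
    phone.finish(msg2)
    return card.session_key, phone.session_key


if __name__ == "__main__":
    k1, k2 = bytes(range(32)), bytes(range(32, 64))   # constructed sample keys
    card_key, phone_key = run_exchange(k1, k2)
    print("negotiation keys match:", card_key == phone_key)
```

Fresh random factors give a different negotiation key per session, and a modified or reflected verification message is rejected before any key is derived.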
  • the user identification card of the present invention is used in conjunction with the secure portion of the mobile phone to implement secure online banking and/or confidential information transmission.
  • the structure of the user identity card is as shown in FIG. 1.
  • the user identification card and the secure part of the mobile phone each generate the other party's public key, use it to encrypt the factor for generating the negotiation key, and send the result; each side decrypts what it receives to obtain the factor, and the negotiation key is generated, so that the user identification card and the secure part of the mobile phone use the generated negotiation key to transmit information securely.
  • the communication module 101 is further configured to receive the first ciphertext information and the to-be-processed information, and output the second ciphertext information and the processing information; wherein the first ciphertext information is obtained by encrypting the first random factor with the public key of the user identification card, and the second ciphertext information is obtained by encrypting the second random factor with the public key of the module to be interacted with.
  • the communication module 101 accepts the call of the processing module 110, and is configured to receive the first ciphertext information and the to-be-processed information, and output the second ciphertext information and the processing information.
  • the first ciphertext information is obtained by encrypting the first random factor with the generated public key of the user identification card; the user identification card obtains the first ciphertext information and decrypts it with the private key of the user identification card to obtain the true first random factor. The first random factor may be generated by the secure part of the mobile phone, or may be generated by the user identification card and sent securely to the secure part of the mobile phone.
  • the information to be processed is the information sent by the security part of the mobile phone to the user identification card, and the information may be confidential information that needs to be transmitted securely, or may be any information such as transaction information to be traded in the online banking.
  • the information may be confidential information that the mobile phone needs to output, for example, confidential information obtained by the mobile phone from a secure storage area of the mobile phone.
  • the information may be transaction information of a transaction to be executed, for example, transaction information such as a transaction account number and a transaction amount obtained by the mobile phone through an online banking client.
  • the second ciphertext information is obtained by the user identification card encrypting the second random factor with the public key of the module to be interacted with, which the user identification card generated, so that the secure part of the mobile phone obtains the second ciphertext information and decrypts it to obtain the true second random factor.
  • the user identification card and the secure part of the mobile phone generate a negotiation key of both parties according to the first random factor and the second random factor respectively obtained.
  • the processing information is information sent by the user identification card to the secure part of the mobile phone in response to the information to be processed. If the present invention is applied to secure transmission of confidential information, the processing information may be signed confidential information or the like. If the present invention is applied to online banking, the processing information may be signed transaction information or the like.
  • the processing information may further include: encrypted information obtained by the symmetric algorithm module 107 performing encryption calculation on the signature information according to the negotiation key, wherein the signature information is obtained by the public key algorithm module 106 performing signature calculation according to the private key of the user identification card; or
  • the processing information includes: the signature information, and verification information obtained by the symmetric algorithm module 107 performing check calculation on the signature information according to the negotiation key, wherein the signature information is obtained by the public key algorithm module 106 performing signature calculation according to the private key of the user identification card; or
  • the processing information includes: encrypted information obtained by the symmetric algorithm module 107 performing encryption calculation on the signature information according to the negotiation key, and verification information obtained by performing check calculation on the signature information, wherein the signature information is obtained by the public key algorithm module 106 signing the processed information according to the private key of the user identification card; or
  • the processing information includes: encrypted information obtained by the symmetric algorithm module 107 performing encryption calculation on the signature information according to the negotiation key, and verification information obtained by performing check calculation on the encrypted information, wherein the signature information is obtained by the public key algorithm module 106 signing the processed information according to the private key of the user identification card.
  • the user identification card can ensure the security of the transmission of the signature information while transmitting the processing information.
  • the communication module 101 can be any interface such as a serial port, a USB interface, an NFC interface, a Bluetooth interface, an infrared interface, a button or an audio interface.
  • the security authentication module 102 is configured to perform security authentication on the user identity information and the user operation information. Specifically, the security authentication module 102 can accept the call of the processing module 110, perform security authentication on the identity information input by the user through the mobile phone input or other manners, and perform security authentication, such as a read operation, on the operation information of the user. The security authentication module 102 can set different security levels according to different users to complete the security authentication function according to the identity and/or operation of different users.
  • the permission control module 103 is configured to perform authority control on the call of the processing module 110 to each module. Specifically, the rights control module 103 can accept the call of the processing module 110 and cooperate with the processing module 110 to complete the call of the processing module 110 to each module, thereby controlling the call of the processing module 110. Of course, the rights control module 103 can also control the execution rights of the code and/or the application to ensure the security of the information, functions and applications.
  • the security protection module 104 is configured to perform a protection operation at least on the operations of the public key algorithm module 106, the symmetric algorithm module 107, the random number module 108, and/or the hash module 109. Specifically, when called by the processing module 110, the security protection module 104 protects the calculation while the public key algorithm module 106 performs signature calculation and while the symmetric algorithm module 107 performs encryption and decryption calculation and/or check calculation. The card can therefore resist attack analysis such as energy analysis or electromagnetic analysis, which makes the calculation harder to crack and improves the security of the various information calculations.
  • the protection operation may include any scrambling operation such as frequency scrambling, power consumption scrambling or computational scrambling.
  • the protection operation may also be an operation such as balancing calculation; any operation that achieves the security protection purpose, such as attack prevention, falls within the protection scope of the present invention.
  • the security protection module 104 performs at least a protection operation on the calculation operations of the public key algorithm module 106 and/or the symmetric algorithm module 107.
  • the secure storage module 105 is further configured to store a private key of the user identification card and a public key calculation algorithm for generating a public key of the module to be interacted.
  • the secure storage module 105 stores, in addition to the private key for performing signature calculation and the negotiation key for performing encryption and decryption calculation and/or check calculation, the private key of the user identification card, so that, when called by the processing module 110, it can be used for signature operations in confidential information transmission and/or online banking signature operations; it can also be used, when called by the processing module 110, to decrypt information that the module to be interacted with encrypted with the public key of the user identification card and sent.
  • the secure storage module 105 stores a public key calculation algorithm for generating the public key of the module to be interacted with, so that, when called by the processing module 110, it works together with the public key algorithm module 106 to generate the public key of the module to be interacted with (that is, the public key of the secure part of the mobile phone) according to the identification information of the secure part of the mobile phone. Information that needs to be sent to the secure part of the mobile phone can then be encrypted with the public key of the secure part of the mobile phone to ensure transmission security.
  • the public key algorithm module 106 is further configured to generate a public key of the module to be interacted according to the public key calculation algorithm and the identification information of the module to be interacted with.
  • in addition to signature calculation, the public key algorithm module 106 is specifically configured to accept the call of the processing module 110 and generate the public key of the module to be interacted with according to the public key calculation algorithm and the identification information of the module to be interacted with (i.e., the secure part of the mobile phone). The identification information of the module to be interacted with may include, but is not limited to, a serial number of the mobile phone CPU, a MAC address of the mobile phone CPU, and the like.
  • the symmetric algorithm module 107 is further configured to decrypt the first ciphertext information by using the private key of the user identity card, and perform encryption calculation on the second random factor by using the public key of the module to be interacted.
  • the symmetric algorithm module 107 is specifically configured to accept the call of the processing module 110 and decrypt the first ciphertext information with the private key of the user identification card to obtain a factor for generating the negotiation key; it is further configured to accept the call of the processing module 110 and encrypt the factor for generating the negotiation key with the public key of the module to be interacted with, so that the factor is transmitted securely to the secure part of the mobile phone.
  • the symmetric algorithm module 107 of this embodiment may also be configured to perform decryption calculation and/or check calculation on the information to be processed: the secure part of the mobile phone performs encryption calculation and/or check calculation on the information to be processed, and, in order to verify the integrity and authenticity of that information, the symmetric algorithm module 107 performs decryption calculation and/or check calculation on it.
  • the symmetric algorithm module 107 of the present embodiment can also accept the call of the processing module 110, and perform encryption calculation and/or check calculation on the processing information to ensure the authenticity and integrity of the processed information.
  • the random number module 108 is further configured to generate at least a second random factor.
  • the random number module 108 is specifically configured to generate a second random factor for generating a negotiation key, and accept the call of the processing module 110.
  • the hash module 109 is set to perform hash calculations. Specifically, the hash module 109 can accept the call of the processing module 110, and the processing module 110 invokes the public key algorithm module 106 to sign the information according to the private key of the user identity card. In the calculation of the name, the hash calculation is performed to obtain the signature information to complete the security function of the user identification card.
  • the processing module 110 is further configured to invoke the symmetric algorithm module 107 to decrypt the first ciphertext information according to the private key of the user identity card to obtain the first random factor, and invoke the public key calculation algorithm and the public key algorithm module 106 stored by the secure storage module 105.
  • the public key of the module to be interacted is generated, and the second random factor generated by the random number module 108 is invoked, and the symmetric algorithm module 107 is invoked to perform encryption calculation on the second random factor according to the public key of the module to be interacted to obtain the second ciphertext information.
  • the processing module 110 is configured to invoke each module to decrypt the encrypted information sent by the secure part of the mobile phone to obtain a generation factor of the negotiation key, and generate a public key of the security part of the mobile phone according to the identification information of the security part of the mobile phone. Therefore, the negotiation key generation factor generated by the user identification card end can be securely transmitted to the security part of the mobile phone, and the negotiation key of the identification card is generated according to the negotiation key, so that the security part and the user identity of the mobile phone are obtained.
  • the identification cards exchange information through negotiation keys to improve the security of information interaction.
  • the user identification card of the present invention is used in conjunction with the secure portion of the mobile phone to implement secure online banking and/or confidential information transmission.
  • portions of the invention may be implemented in hardware, software, firmware or a combination thereof.
  • multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system.
  • a suitable instruction execution system For example, if implemented in hardware, as in another embodiment, it can be implemented by any one or combination of the following techniques well known in the art: having logic gates for implementing logic functions on data signals. Discrete logic circuits, application specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), etc.
  • each functional unit in each embodiment of the present invention may be integrated into one processing module, or each unit may exist physically separately, or two or more units may be integrated into one module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules.
  • the integrated modules, if implemented in the form of software functional modules and sold or used as stand-alone products, may also be stored in a computer readable storage medium.
  • the above mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephone Function (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided is a user identity identification card, comprising: a communication module, arranged to perform receiving and outputting of information; a security authentication module, arranged to perform security authentication on user identity information and user operation information; a permission control module, arranged to perform permission control on calling performed by a processing module on various modules; a security protection module, arranged to at least perform a protection operation on operations of a public key algorithm module, a symmetric algorithm module, a random number module and/or a hash module; a security storage module, arranged to at least store a private key for performing signature calculation, and an agreement key for performing encryption and decryption calculation and/or check calculation; the public key algorithm module, arranged to perform signature calculation; the symmetric algorithm module, arranged to perform encryption and decryption calculation and/or check calculation; the random number module, arranged to generate a random factor; the hash module, arranged to perform hash calculation; the processing module, arranged to perform calling on various modules. The present user identity identification card securely performs data transmission.

Description

User identification card
Technical field
The present invention relates to the field of electronic technologies, and in particular to a user identification card.
Background
The rapid development of networks has brought great convenience, and people increasingly rely on networks for all kinds of activities; for example, the transmission of files over a network and online banking transactions have gradually become an indispensable part of people's lives and work. Because the network is a virtual environment, it contains many insecure factors, and network activities that involve data interaction are inevitable in a network environment. Activities such as online banking and the transmission of confidential information in particular place high demands on network security, so network information security technology has been vigorously developed.
However, with the rapid development of mobile phone technology, mobile phone terminals are increasingly used in place of computers, yet there is currently no solution that allows a mobile phone terminal to securely perform online banking and/or confidential information transmission, and the user identification card currently used in mobile phones has only a data transmission function and no further security functions.
Summary of the invention
The present invention is intended to solve one of the above problems.
The main object of the present invention is to provide a user identification card.
To achieve the above object, the technical solution of the present invention is implemented as follows:
One aspect of the present invention provides a user identification card, comprising: a processing module, a communication module, a security authentication module, a permission control module, a security protection module, a secure storage module, a public key algorithm module, a symmetric algorithm module, a random number module and a hash module;
the communication module is configured to receive and output information;
the security authentication module is configured to perform security authentication on user identity information and user operation information;
the permission control module is configured to perform permission control on the calls made by the processing module to each module;
the security protection module is configured to perform protection operations at least on the operations of the public key algorithm module, the symmetric algorithm module, the random number module and/or the hash module;
the secure storage module is configured to store at least a private key for signature calculation and a negotiation key for encryption and decryption calculation and/or check calculation;
the public key algorithm module is configured to perform signature calculation;
the symmetric algorithm module is configured to perform encryption and decryption calculation and/or check calculation;
the random number module is configured to generate random factors;
the hash module is configured to perform hash calculation;
the processing module is configured to invoke the information reception and output of the communication module, invoke the authentication result produced by the security authentication module, invoke the protection operations of the security protection module, invoke the information stored by the secure storage module, invoke the calculations of the public key algorithm module, invoke the calculations of the symmetric algorithm module, invoke the random factors generated by the random number module, invoke the hash calculation of the hash module, and invoke each module according to the permissions of the permission control module.
In addition,
the communication module is further configured to receive first authentication information and information to be processed, and to output second authentication information, second ciphertext information and processing information, wherein the first authentication information includes at least first ciphertext information, ciphertext signature information and a certificate to be authenticated; the first ciphertext information includes at least a first random factor and a second random factor; the ciphertext signature information is a signature over the first ciphertext information; the second authentication information includes at least the first random factor and the user identification card certificate; and the second ciphertext information includes at least the second random factor and a third random factor;
the secure storage module is further configured to store the private key of the user identification card, the certificate of the user identification card, and the public key of the certificate to be authenticated;
the public key algorithm module is further configured to perform signature verification calculation on the ciphertext signature information by using the public key of the certificate to be authenticated, and to perform authentication calculation on the certificate to be authenticated;
the symmetric algorithm module is further configured to perform decryption calculation on the first ciphertext information, and to perform encryption calculation on at least the second random factor and the third random factor to obtain the second ciphertext information;
the random number module is further configured to generate the first random factor and the third random factor;
the processing module is further configured to: after the public key algorithm module has been invoked and the certificate to be authenticated has passed authentication, invoke the public key algorithm module to perform signature verification calculation on the ciphertext signature information; after the signature verification passes, invoke the symmetric algorithm module to decrypt the first ciphertext information and obtain the second random factor; invoke the third random factor generated by the random number module; and invoke the symmetric algorithm module to perform encryption calculation on the second random factor and the third random factor to obtain the second ciphertext information.
In addition,
the communication module is further configured to receive first check information and information to be processed, and to output second check information and processing information, wherein the first check information is calculated from a first random factor and the second check information is calculated from a second random factor;
the secure storage module is further configured to store the private key of the user identification card, and a first key and a second key used for verification;
the symmetric algorithm module is further configured to perform check calculation on the first check information by using the first key, and to perform check calculation on the second random factor by using the second key to obtain the second check information;
the random number module is further configured to generate at least the second random factor;
the processing module is further configured to invoke the first key stored by the secure storage module and the symmetric algorithm module to check the first check information and, after the check passes, to invoke the second random factor generated by the random number module and invoke the symmetric algorithm module to perform check calculation on the second random factor to obtain the second check information.
In addition,
the communication module is further configured to receive first ciphertext information and information to be processed, and to output second ciphertext information and processing information, wherein the first ciphertext information is obtained by performing encryption calculation on a first random factor with the public key of the user identification card, and the second ciphertext information is obtained by performing encryption calculation on a second random factor with the public key of the module to be interacted with;
the secure storage module is further configured to store the private key of the user identification card and a public key calculation algorithm for generating the public key of the module to be interacted with;
the public key algorithm module is further configured to generate the public key of the module to be interacted with according to the public key calculation algorithm and the identification information of the module to be interacted with;
the symmetric algorithm module is further configured to perform decryption calculation on the first ciphertext information by using the private key of the user identification card, and to perform encryption calculation on the second random factor by using the public key of the module to be interacted with;
the random number module is further configured to generate at least the second random factor;
the processing module is further configured to invoke the symmetric algorithm module to decrypt the first ciphertext information according to the private key of the user identification card to obtain the first random factor, to invoke the public key calculation algorithm stored by the secure storage module and the public key algorithm module to generate the public key of the module to be interacted with, to invoke the second random factor generated by the random number module, and to invoke the symmetric algorithm module to perform encryption calculation on the second random factor according to the public key of the module to be interacted with to obtain the second ciphertext information.
In addition,
the processing information includes: encrypted information obtained by the symmetric algorithm module performing encryption calculation on signature information according to the negotiation key, wherein the signature information is obtained by the public key algorithm module performing signature calculation on the information to be processed according to the private key of the user identification card; or
the processing information includes: the signature information and check information obtained by the symmetric algorithm module performing check calculation on the signature information according to the negotiation key, wherein the signature information is obtained by the public key algorithm module performing signature calculation on the information to be processed according to the private key of the user identification card; or
the processing information includes: encrypted information obtained by the symmetric algorithm module performing encryption calculation on signature information according to the negotiation key, and check information obtained by performing check calculation on the signature information, wherein the signature information is obtained by the public key algorithm module performing signature calculation on the information to be processed according to the private key of the user identification card; or
the processing information includes: encrypted information obtained by the symmetric algorithm module performing encryption calculation on signature information according to the negotiation key, and check information obtained by performing check calculation on the encrypted information, wherein the signature information is obtained by the public key algorithm module performing signature calculation on the information to be processed according to the private key of the user identification card.
In addition, the processing module is further configured to invoke the hash calculation of the hash module to obtain the signature information when the public key algorithm module performs signature calculation on the information to be processed according to the private key of the user identification card.
In addition, the symmetric algorithm module is further configured to perform decryption calculation and/or check calculation on the information to be processed.
In addition, the communication module includes: a serial port, a USB interface, an NFC interface, a Bluetooth interface, an infrared interface, a button or an audio interface.
In addition, the protection operations include: frequency scrambling, power consumption scrambling, computation scrambling or balanced computation.
In addition, the permission control module is further configured to control the execution of code and/or applications.
It can be seen from the technical solution provided above that data transmission can be performed securely by means of the user identification card with security functions of the present invention.
Furthermore, the user identification card of the present invention is used together with the secure part of the mobile phone so that the mobile phone can securely perform online banking and/or confidential information transmission.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of the user identification card provided by the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In the description of the present invention, it should be noted that, unless otherwise expressly specified and limited, the terms "mounted", "linked" and "connected" are to be understood broadly: a connection may, for example, be fixed, detachable or integral; it may be mechanical or electrical; it may be direct, or indirect through an intermediate medium, or it may be internal communication between two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the specific situation. In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance, quantity or position.
The embodiments of the present invention are described in further detail below with reference to the drawings.
The user identification card of the present invention may be any of the following cards: a SIM (Subscriber Identity Module) card, a UIM (User Identity Module) card, a USIM card, a PIM card, etc. Each of these cards extends its existing functions with security functions, so that together with a mobile phone it enables the phone to securely perform online banking and/or confidential information transmission.
In addition, the user identification card of the present invention needs to be used with a matching mobile phone that has security functions, so that the mobile phone with security functions and the user identification card of the present invention can jointly perform online banking and/or confidential information transmission.
图1出示了本发明实施例1的用户身份识别卡的结构示意图,参见图1,本发明实施例1的用户身份识别卡,包括:通讯模块101、安全认证模块102、权限控制模块103、安全防护模块104、安全存储模块105、公钥算法模块106、对称算法模块107、随机数模块108、杂凑模块109以及处理模块110。1 is a schematic structural diagram of a user identity card according to Embodiment 1 of the present invention. Referring to FIG. 1, the user identity card of the embodiment 1 of the present invention includes: a communication module 101, a security authentication module 102, an authority control module 103, and security. The protection module 104, the security storage module 105, the public key algorithm module 106, the symmetric algorithm module 107, the random number module 108, the hash module 109, and the processing module 110.
其中,通讯模块101,设置为进行信息接收和输出。具体的,该通讯模块101可以接受处理模块110的调用,以便接收与用户身份识别卡相匹配使用的具有安全功能的手机的***分发送的信息,同时也可以将用户身份识别卡生成的各类信息输出至手机的***分。该通讯模块101可以为串口、USB接口、NFC接口、蓝牙接口、红外接口、按键或者音频接口等任意接口。The communication module 101 is configured to perform information reception and output. Specifically, the communication module 101 can accept the call of the processing module 110 to receive the information sent by the secure part of the mobile phone with the security function matched with the user identity card, and can also generate various types of the user identity card. The information is output to the secure part of the phone. The communication module 101 can be any interface such as a serial port, a USB interface, an NFC interface, a Bluetooth interface, an infrared interface, a button or an audio interface.
安全认证模块102,设置为对用户身份信息以及用户操作信息进行安全认证。具体的,安全认证模块102可以接受处理模块110的调用,对用户通过手机输入或者其他方式输入的身份信息进行安全认证,也可以对用户的操作信息进行安全认证,例如读取操作等操作。该安全认证模块102可以根据不同的用户设定不同的安全级别,以便根据不同用户的身份和/或操作完成安全认证功能。The security authentication module 102 is configured to perform security authentication on the user identity information and the user operation information. Specifically, the security authentication module 102 can accept the call of the processing module 110, perform security authentication on the identity information input by the user through the mobile phone input or other manners, and perform security authentication, such as a read operation, on the operation information of the user. The security authentication module 102 can set different security levels according to different users to complete the security authentication function according to the identity and/or operation of different users.
权限控制模块103,设置为对处理模块110对各个模块的调用进行权限控制。具体的,权限控制模块103可以接受处理模块110的调用,并与处理模块110配合完成处理模块110对各个模块的调用,从而控制处理模块110的调用。当然,权限控制模块103还可以对代码和/或应用程序的执行权限进行控制,以保证信息、功能和应用的安全。The permission control module 103 is configured to perform authority control on the call of the processing module 110 to each module. Specifically, the rights control module 103 can accept the call of the processing module 110 and cooperate with the processing module 110 to complete the call of the processing module 110 to each module, thereby controlling the call of the processing module 110. Of course, the rights control module 103 can also control the execution rights of the code and/or the application to ensure the security of the information, functions and applications.
安全防护模块104,设置为至少对公钥算法模块106、对称算法模块107、随机数模块108和/或杂凑模块109的操作进行防护操作。具体的,在公钥算法模块106进行签名计算时,以及在对称算法模块107进行加解密计算和/或校验计算时,通过处理模块110的调用 在计算中进行防护。从而可以抵御能量分析或电磁分析等攻击分析,提高计算破解的难度,从而提高各类信息计算的安全性。其中,防护操作可以包括:频率加扰、功耗加扰或者计算加扰等任意加扰操作。防护操作还可以为平衡计算等操作,只要可以实现安全防护目的,防止攻击等操作均可以属于本发明的保护范围。其中,安全防护模块104至少对公钥算法模块106和/或对称算法模块107的计算操作进行防护操作。The security protection module 104 is configured to at least perform operations on the operations of the public key algorithm module 106, the symmetric algorithm module 107, the random number module 108, and/or the hash module 109. Specifically, when the public key algorithm module 106 performs signature calculation, and when the symmetric algorithm module 107 performs encryption and decryption calculation and/or verification calculation, the processing module 110 invokes Protect in the calculations. Therefore, it can resist attack analysis such as energy analysis or electromagnetic analysis, and improve the difficulty of calculation and cracking, thereby improving the security of various information calculations. The protection operation may include any scrambling operation such as frequency scrambling, power consumption scrambling or computational scrambling. The protection operation may also be an operation such as balancing calculation, as long as the security protection purpose can be achieved, and operations such as attack prevention can belong to the protection scope of the present invention. The security protection module 104 performs at least a protection operation on the calculation operations of the public key algorithm module 106 and/or the symmetric algorithm module 107.
安全存储模块105,设置为至少存储进行签名计算的私钥、进行加解密计算和/或校验计算的协商密钥。具体的,安全存储模块105可以至少对安全密钥、协商密钥等安全的信息进行存储,并接受处理模块110的调用,以便配合其他模块完成用户身份识别卡的安全功能。其中,进行签名计算的私钥完全不可被取出,提高私钥存储的安全性。The secure storage module 105 is configured to store at least a private key for performing signature calculation, a negotiation key for performing encryption and decryption calculation and/or verification calculation. Specifically, the security storage module 105 can store at least security information such as a security key and a negotiation key, and accept the call of the processing module 110 to complete the security function of the user identity card with other modules. Among them, the private key for signature calculation can not be taken out at all, which improves the security of private key storage.
公钥算法模块106,设置为进行签名计算。具体的,公钥算法模块106在被处理模块110的调用中,根据安全存储模块105中存储的设置为进行签名计算的私钥(本发明中可以是用户身份识别卡的私钥)进行签名计算,从而可以实现用户身份识别卡的安全功能。The public key algorithm module 106 is configured to perform signature calculations. Specifically, in the invocation of the processing module 110, the public key algorithm module 106 performs signature calculation according to the private key (which may be the private key of the user identification card in the present invention) that is set for the signature calculation stored in the secure storage module 105. Therefore, the security function of the user identification card can be realized.
对称算法模块107,设置为进行加解密计算和/或校验计算。具体的,本发明中,处理模块110可以调用对称算法模块107对用户身份识别卡输出至手机的***分以及对手机的***分发送至用户身份识别卡的信息进行加解密计算和/或校验计算,从而保证手机的***分与用户身份识别卡之间传输的信息传输不被篡改,提高安全性。The symmetric algorithm module 107 is arranged to perform an encryption and decryption calculation and/or a verification calculation. Specifically, in the present invention, the processing module 110 may invoke the symmetric algorithm module 107 to perform encryption and decryption calculation and/or verification on the security part of the user identification card output to the mobile phone and the information sent to the user identification card of the security part of the mobile phone. The calculation ensures that the transmission of information transmitted between the secure part of the mobile phone and the user identification card is not tampered with, thereby improving security.
随机数模块108,设置为生成随机因子。具体的,随机数模块108可以被处理模块110调用其生成的随机因子,从而可以将随机因子发送至手机的***分同时接收手机的***分发送的随机因子,以便处理模块110可以根据一方或者双方的随机因子产生用于手机的***分和用户身份识别卡之间信息交互的协商密钥,从而提高手机的安全模块与用户身份识别卡之间信息交互的安全性。此外,在每次进行信息传输时还可以增加该随机因子,防止重放攻击。The random number module 108 is arranged to generate a random factor. Specifically, the random number module 108 can be invoked by the processing module 110 to generate a random factor, so that the random factor can be sent to the secure part of the mobile phone while receiving the random factor sent by the secure part of the mobile phone, so that the processing module 110 can be based on one or both sides. The random factor generates a negotiation key for information interaction between the secure portion of the mobile phone and the user identification card, thereby improving the security of information interaction between the security module of the mobile phone and the user identification card. In addition, the random factor can be added each time information is transmitted to prevent replay attacks.
The hash module 109 is configured to perform hash calculation. Specifically, the hash module 109 can be invoked by the processing module 110: when the processing module 110 invokes the public key algorithm module 106 to sign information with the private key of the user identification card, the hash module 109 performs the accompanying hash calculation so that the signature information is obtained, completing the security function of the user identification card.
The processing module 110 is configured to invoke the information receiving and output of the communication module 101, the authentication result produced by the security authentication module 102, the protection operations of the security protection module 104, the information stored in the secure storage module 105, the calculations of the public key algorithm module 106, the calculations of the symmetric algorithm module 107, the random factors generated by the random number module 108, and the hash calculations of the hash module 109, and to invoke each module according to the permissions of the permission control module 103. Specifically, the processing module 110 can invoke each of the above modules so that together they implement the security function of the user identification card.
Thus, the user identification card with security functions of the present invention allows data to be transmitted securely.
Furthermore, the user identification card of the present invention is used together with the secure part of the mobile phone so that the mobile phone can securely carry out online banking and/or confidential information transmission.
Example 1
In this embodiment, the structure of the user identification card is as shown in FIG. 1. The user identification card and the secure part of the mobile phone generate a negotiation key by authenticating each other's certificates, so that the user identification card and the secure part of the mobile phone can use the generated negotiation key to transmit information securely.
The communication module 101 is specifically configured to receive the first authentication information and the to-be-processed information, and to output the second authentication information, the second ciphertext information and the processing information. The first authentication information includes at least the first ciphertext information, the ciphertext signature information and the certificate to be authenticated; the first ciphertext information includes at least the first random factor and the second random factor, and the ciphertext signature information is a signature over the first ciphertext information. The second authentication information includes at least the first random factor and the certificate of the user identification card, and the second ciphertext information includes at least the second random factor and the third random factor.
Specifically, the communication module 101 is invoked by the processing module 110 and is configured to receive the first authentication information and the to-be-processed information, and to output the second authentication information, the second ciphertext information and the processing information.
The first authentication information is the authentication information that the secure part of the mobile phone sends to the user identification card, and is used to authenticate the legitimacy of the secure part of the mobile phone. The to-be-processed information is the information that the secure part of the mobile phone sends to the user identification card; it may be confidential information that needs to be transmitted securely, transaction information for a pending online banking transaction, or any other information. If the present invention is applied to the secure transmission of confidential information, this information may be confidential information that the mobile phone needs to output, for example confidential information that the mobile phone obtains from its secure storage area. If the present invention is applied to online banking, this information may be the transaction information of the transaction to be executed, for example transaction information such as the transaction account number and transaction amount that the mobile phone obtains through the online banking client.
The second authentication information is the authentication information that the user identification card sends to the secure part of the mobile phone, and is used by the secure part of the mobile phone to authenticate the legitimacy of the user identification card. The first ciphertext information may carry some of the factors, generated by the secure part of the mobile phone, that are used to generate the negotiation key agreed between the user identification card and the secure part of the mobile phone. Likewise, the second ciphertext information may carry some of the factors used to generate that negotiation key, namely those generated by the user identification card and/or those generated by the secure part of the mobile phone and sent to the user identification card.
The processing information is the information that the user identification card sends to the secure part of the mobile phone in response to the to-be-processed information. If the present invention is applied to the secure transmission of confidential information, the processing information may be the signed confidential information or the like. If the present invention is applied to online banking, the processing information may be the signed transaction information or the like.
Of course, the processing information may further include: encrypted information obtained by the symmetric algorithm module 107 encrypting the signature information with the negotiation key, where the signature information is obtained by the public key algorithm module 106 signing the to-be-processed information with the private key of the user identification card; or
the processing information includes: the signature information together with check information obtained by the symmetric algorithm module 107 performing check calculation on the signature information with the negotiation key, where the signature information is obtained by the public key algorithm module 106 signing the to-be-processed information with the private key of the user identification card; or
the processing information includes: encrypted information obtained by the symmetric algorithm module 107 encrypting the signature information with the negotiation key, and check information obtained by performing check calculation on the signature information, where the signature information is obtained by the public key algorithm module 106 signing the to-be-processed information with the private key of the user identification card; or
the processing information includes: encrypted information obtained by the symmetric algorithm module 107 encrypting the signature information with the negotiation key, and check information obtained by performing check calculation on the encrypted information, where the signature information is obtained by the public key algorithm module 106 signing the to-be-processed information with the private key of the user identification card.
Thus, while transmitting the processing information, the user identification card can also ensure that the signature information is transmitted securely.
The communication module 101 may be any interface, such as a serial port, a USB interface, an NFC interface, a Bluetooth interface, an infrared interface, a button, or an audio interface.
The security authentication module 102 is configured to perform security authentication on user identity information and user operation information. Specifically, the security authentication module 102 can be invoked by the processing module 110 to authenticate identity information that the user enters through the mobile phone or by other means, and can also authenticate the user's operation information, for example operations such as a read operation. The security authentication module 102 can set different security levels for different users, so that security authentication is carried out according to each user's identity and/or operations.
The permission control module 103 is configured to apply permission control to the processing module 110's invocation of each module. Specifically, the permission control module 103 can be invoked by the processing module 110 and works with the processing module 110 to complete its invocation of each module, thereby controlling what the processing module 110 invokes. Of course, the permission control module 103 can also control the execution permissions of code and/or applications to keep information, functions and applications secure.
The security protection module 104 is configured to perform protection operations at least on the operations of the public key algorithm module 106, the symmetric algorithm module 107, the random number module 108 and/or the hash module 109. Specifically, when the public key algorithm module 106 performs signature calculation, and when the symmetric algorithm module 107 performs encryption/decryption calculation and/or check calculation, the security protection module 104 is invoked by the processing module 110 to protect the calculation while it runs. This resists analysis attacks such as power analysis or electromagnetic analysis and makes the calculation harder to break, improving the security of the various calculations. The protection operation may include any scrambling operation, such as frequency scrambling, power consumption scrambling, or calculation scrambling. The protection operation may also be an operation such as balanced calculation; any operation that achieves the purpose of security protection and prevents attacks falls within the protection scope of the present invention. The security protection module 104 performs protection operations at least on the calculation operations of the public key algorithm module 106 and/or the symmetric algorithm module 107.
The secure storage module 105 is further configured to store the private key of the user identification card, the certificate of the user identification card, and the public key of the certificate to be authenticated.
Specifically, in addition to storing the private key for signature calculation and the negotiation key for encryption/decryption calculation and/or check calculation, the secure storage module 105 specifically stores the private key of the user identification card, so that when invoked by the processing module 110 it supports signature operations in confidential information transmission and/or online banking signature operations. The secure storage module 105 stores the certificate of the user identification card so that, when invoked by the processing module 110, the certificate can be sent to the secure part of the mobile phone, which authenticates the legitimacy of the user identification card, improving security. The secure storage module 105 stores the public key of the certificate to be authenticated so that, when invoked by the processing module 110, the user identification card can authenticate the secure part of the mobile phone, improving security. The certificate to be authenticated may be the certificate of the secure part of the mobile phone.
The public key algorithm module 106 performs signature verification calculation on the ciphertext signature information with the public key of the certificate to be authenticated, and performs authentication calculation on the certificate to be authenticated.
Specifically, in addition to being configured to perform signature calculation, the public key algorithm module 106 is specifically configured to be invoked by the processing module 110 to perform signature verification calculation, with the public key of the certificate to be authenticated, on the ciphertext signature information sent by the secure part of the mobile phone, in order to verify that the ciphertext signature information is correct. It is also invoked by the processing module 110 to perform authentication calculation on the certificate to be authenticated, in order to authenticate the legitimacy of the secure part of the mobile phone.
The symmetric algorithm module 107 is further configured to decrypt the first ciphertext information, and to encrypt at least the second random factor and the third random factor to obtain the second ciphertext information.
Specifically, the symmetric algorithm module 107 is configured to be invoked by the processing module 110 to decrypt the first ciphertext information in order to obtain a factor for generating the negotiation key, and is also configured to be invoked by the processing module 110 to encrypt the factors for generating the negotiation key so that they are sent securely to the secure part of the mobile phone. Of course, the symmetric algorithm module 107 of this embodiment may also be configured to perform decryption calculation and/or check calculation on the to-be-processed information: after the secure part of the mobile phone has performed encryption calculation and/or check calculation on the to-be-processed information, the symmetric algorithm module 107 performs decryption calculation and/or check calculation on it in order to verify its integrity and authenticity. The symmetric algorithm module 107 of this embodiment may likewise be invoked by the processing module 110 to perform encryption calculation and/or check calculation on the processing information, in order to ensure the authenticity and integrity of the processing information.
The random number module 108 is further configured to generate the first random factor and the third random factor.
Specifically, the random number module 108 is configured to generate the first random factor, which is used to prevent replay attacks, and the third random factor, which is used to generate the negotiation key, and to be invoked by the processing module 110.
The hash module 109 is configured to perform hash calculation. Specifically, the hash module 109 can be invoked by the processing module 110: when the processing module 110 invokes the public key algorithm module 106 to sign information with the private key of the user identification card, the hash module 109 performs the accompanying hash calculation so that the signature information is obtained, completing the security function of the user identification card.
The processing module 110 is further configured to: after invoking the public key algorithm module 106 to authenticate the certificate to be authenticated and that authentication passes, invoke the public key algorithm module 106 to perform signature verification calculation on the ciphertext signature information; after the signature verification passes, invoke the symmetric algorithm module 107 to decrypt the first ciphertext information and obtain the second random factor; invoke the third random factor generated by the random number module 108; and invoke the symmetric algorithm module 107 to encrypt the second random factor and the third random factor to obtain the second ciphertext information. Specifically, the processing module 110 invokes the above modules so that the certificate sent by the secure part of the mobile phone can be authenticated, the signature sent by the secure part of the mobile phone can be verified, and the ciphertext sent by the secure part of the mobile phone can be decrypted to obtain a generation factor of the negotiation key. It then invokes the other generation factor of the negotiation key that has been generated, and generates the negotiation key on the user identification card side from the generation factor sent by the secure part of the mobile phone together with the generation factor generated by the user identification card. The secure part of the mobile phone and the user identification card then exchange information using the negotiation key, improving the security of the information exchange.
Thus, the user identification card with security functions of the present invention allows data to be transmitted securely.
Furthermore, the user identification card of the present invention is used together with the secure part of the mobile phone so that the mobile phone can securely carry out online banking and/or confidential information transmission.
Example 2
In this embodiment, the structure of the user identification card is as shown in FIG. 1. The user identification card and the secure part of the mobile phone generate a negotiation key by each computing the factors of the negotiation key with a symmetric key, sending them to each other and verifying them, so that the user identification card and the secure part of the mobile phone can use the generated negotiation key to transmit information securely.
In this embodiment, the communication module 101 is further configured to receive the first check information and the to-be-processed information, and to output the second check information and the processing information. The first check information is calculated from the first random factor, and the second check information is calculated from the second random factor.
Specifically, the communication module 101 is invoked by the processing module 110 and is configured to receive the first check information and the to-be-processed information, and to output the second check information and the processing information.
The first check information is obtained by the secure part of the mobile phone performing check calculation on the first random factor with the first key. The user identification card obtains the first check information and, once it verifies, obtains the genuine, untampered first random factor. The first random factor may be generated by the secure part of the mobile phone, or may be generated by the user identification card and sent securely to the secure part of the mobile phone. The to-be-processed information is the information that the secure part of the mobile phone sends to the user identification card; it may be confidential information that needs to be transmitted securely, transaction information for a pending online banking transaction, or any other information. If the present invention is applied to the secure transmission of confidential information, this information may be confidential information that the mobile phone needs to output, for example confidential information that the mobile phone obtains from its secure storage area. If the present invention is applied to online banking, this information may be the transaction information of the transaction to be executed, for example transaction information such as the transaction account number and transaction amount that the mobile phone obtains through the online banking client.
The second check information is obtained by the user identification card performing check calculation on the second random factor with the second key, so that the secure part of the mobile phone obtains the second check information and, once it verifies, obtains the genuine, untampered second random factor.
The user identification card and the secure part of the mobile phone each generate the negotiation key shared by the two parties from the first random factor and the second random factor that they have obtained.
The processing information is the information that the user identification card sends to the secure part of the mobile phone in response to the to-be-processed information. If the present invention is applied to the secure transmission of confidential information, the processing information may be the signed confidential information or the like; if the present invention is applied to online banking, the processing information may be the signed transaction information or the like.
Of course, the processing information may further include: encrypted information obtained by the symmetric algorithm module 107 encrypting the signature information with the negotiation key, where the signature information is obtained by the public key algorithm module 106 signing the to-be-processed information with the private key of the user identification card; or
the processing information includes: the signature information together with check information obtained by the symmetric algorithm module 107 performing check calculation on the signature information with the negotiation key, where the signature information is obtained by the public key algorithm module 106 signing the to-be-processed information with the private key of the user identification card; or
the processing information includes: encrypted information obtained by the symmetric algorithm module 107 encrypting the signature information with the negotiation key, and check information obtained by performing check calculation on the signature information, where the signature information is obtained by the public key algorithm module 106 signing the to-be-processed information with the private key of the user identification card; or
the processing information includes: encrypted information obtained by the symmetric algorithm module 107 encrypting the signature information with the negotiation key, and check information obtained by performing check calculation on the encrypted information, where the signature information is obtained by the public key algorithm module 106 signing the to-be-processed information with the private key of the user identification card.
Thus, while transmitting the processing information, the user identification card can also ensure that the signature information is transmitted securely.
The communication module 101 may be any interface, such as a serial port, a USB interface, an NFC interface, a Bluetooth interface, an infrared interface, a button, or an audio interface.
The security authentication module 102 is configured to perform security authentication on user identity information and user operation information. Specifically, the security authentication module 102 can be invoked by the processing module 110 to authenticate identity information that the user enters through the mobile phone or by other means, and can also authenticate the user's operation information, for example operations such as a read operation. The security authentication module 102 can set different security levels for different users, so that security authentication is carried out according to each user's identity and/or operations.
The permission control module 103 is configured to apply permission control to the processing module 110's invocation of each module. Specifically, the permission control module 103 can be invoked by the processing module 110 and works with the processing module 110 to complete its invocation of each module, thereby controlling what the processing module 110 invokes. Of course, the permission control module 103 can also control the execution permissions of code and/or applications to keep information, functions and applications secure.
The security protection module 104 is configured to perform protection operations at least on the operations of the public key algorithm module 106, the symmetric algorithm module 107, the random number module 108 and/or the hash module 109. Specifically, when the public key algorithm module 106 performs signature calculation, and when the symmetric algorithm module 107 performs encryption/decryption calculation and/or check calculation, the security protection module 104 is invoked by the processing module 110 to protect the calculation while it runs. This resists analysis attacks such as power analysis or electromagnetic analysis and makes the calculation harder to break, improving the security of the various calculations. The protection operation may include any scrambling operation, such as frequency scrambling, power consumption scrambling, or calculation scrambling. The protection operation may also be an operation such as balanced calculation; any operation that achieves the purpose of security protection and prevents attacks falls within the protection scope of the present invention. The security protection module 104 performs protection operations at least on the calculation operations of the public key algorithm module 106 and/or the symmetric algorithm module 107.
The secure storage module 105 is further configured to store the private key of the user identification card, and the first key and the second key used for verification.
Specifically, in addition to storing the private key for signature calculation and the negotiation key for encryption/decryption calculation and/or check calculation, the secure storage module 105 specifically stores the private key of the user identification card, so that when invoked by the processing module 110 it supports signature operations in confidential information transmission and/or online banking signature operations. The secure storage module 105 stores the first key and the second key used for verification so that, when invoked by the processing module 110, they can be used to verify the first check information and obtain the genuine first random factor, and to perform check calculation on the second random factor so that the secure part of the mobile phone obtains the genuine second random factor, improving security. Of course, the first key and the second key may be the same key or different keys; it is sufficient that the user identification card and the secure part of the mobile phone both store the same check calculation keys, and all such arrangements fall within the protection scope of the present invention.
公钥算法模块106,设置为进行签名计算。具体的,公钥算法模块106在被处理模块110的调用中,根据安全存储模块105中存储的设置为进行签名计算的私钥(本发明中可以是用户身份识别卡的私钥)进行签名计算,从而可以实现用户身份识别卡的安全功能。The public key algorithm module 106 is configured to perform signature calculations. Specifically, in the invocation of the processing module 110, the public key algorithm module 106 performs signature calculation according to the private key (which may be the private key of the user identification card in the present invention) that is set for the signature calculation stored in the secure storage module 105. Therefore, the security function of the user identification card can be realized.
The symmetric algorithm module 107 is further configured to perform a check calculation on the first check information using the first key, and to perform a check calculation on the second random factor using the second key to obtain the second check information.
Specifically, the symmetric algorithm module 107 is configured to be invoked by the processing module 110 to perform a check calculation on the first check information using the first key, so that the processing module 110 obtains the authentic first random factor once the check passes. The symmetric algorithm module 107 is also configured to be invoked by the processing module 110 to perform a check calculation on the second random factor using the second key to obtain the second check information, so that the second random factor is transmitted securely: it is either not tampered with in transit or, if it is tampered with, the secure part of the mobile phone can detect the tampering, and the secure part of the mobile phone thus obtains the authentic, untampered second random factor. Of course, the symmetric algorithm module 107 of this embodiment may also be configured to perform decryption calculation and/or check calculation on the information to be processed: after the secure part of the mobile phone has performed encryption calculation and/or check calculation on the information to be processed, the symmetric algorithm module 107 performs decryption calculation and/or check calculation on it in order to verify its integrity and authenticity. The symmetric algorithm module 107 of this embodiment may also be invoked by the processing module 110 to perform encryption calculation and/or check calculation on the processing information, so as to ensure the authenticity and integrity of the processing information.
The random number module 108 is further configured to generate at least the second random factor.
Specifically, the random number module 108 is configured to generate the second random factor used for generating the negotiation key, and to be invoked by the processing module 110.
The hash module 109 is configured to perform hash calculation. Specifically, the hash module 109 can be invoked by the processing module 110: when the processing module 110 invokes the public key algorithm module 106 to perform signature calculation on information using the private key of the user identification card, the hash module 109 performs the accompanying hash calculation to obtain the signature information, completing the security function of the user identification card.
The processing module 110 is further configured to invoke the first key stored in the secure storage module 105 and the symmetric algorithm module 107 to verify the first check information and, after the check passes, to invoke the second random factor generated by the random number module 108 and invoke the symmetric algorithm module 107 to perform a check calculation on the second random factor to obtain the second check information. Specifically, the processing module 110 invokes the modules above to verify the check information sent by the secure part of the mobile phone, and to obtain the negotiation key generation factors and generate the negotiation key on the user identification card side, so that the secure part of the mobile phone and the user identification card exchange information using the negotiation key, improving the security of the information exchange.
Thus, data can be transmitted securely by means of the user identification card with security functions of the present invention.
Furthermore, the user identification card of the present invention is used together with the secure part of the mobile phone so that the mobile phone can securely carry out online banking and/or confidential information transmission.
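The check-information exchange described above for modules 105, 107, 108 and 110, as an added example that is not code from the patent. The page names no algorithms, so HMAC-SHA256 as the check calculation, the factor-plus-tag message layout, the direction labels and the keyed derivation of the negotiation key are all assumptions, as are the class and function names.

```python
import hashlib
import hmac
import secrets

FACTOR_LEN = 16            # assumed random-factor size in bytes
TAG_LEN = 32               # HMAC-SHA256 output size
TO_CARD = b"phone->card"   # assumed direction labels bound into each check value
TO_PHONE = b"card->phone"


class CheckFailed(Exception):
    """Check information did not verify; the factor must not be used."""


def make_check_info(key, label, factor):
    """Return factor || HMAC(key, label || factor) (assumed message layout)."""
    return factor + hmac.new(key, label + factor, hashlib.sha256).digest()


def open_check_info(key, label, info):
    """Verify check information and return the authentic random factor."""
    if len(info) != FACTOR_LEN + TAG_LEN:
        raise CheckFailed("unexpected length")
    factor, tag = info[:FACTOR_LEN], info[FACTOR_LEN:]
    expected = hmac.new(key, label + factor, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise CheckFailed("check value mismatch")
    return factor


def derive_negotiation_key(key, r1, r2):
    """Assumed derivation: keyed, so seeing r1 and r2 alone is not enough."""
    return hmac.new(key, b"negotiation-key" + r1 + r2, hashlib.sha256).digest()


class Card:
    """User identification card side: stored keys, check, random factor."""

    def __init__(self, first_key, second_key):
        self.first_key, self.second_key = first_key, second_key
        self.negotiation_key = None

    def respond(self, first_check_info):
        # Verify the first check information before generating anything.
        r1 = open_check_info(self.first_key, TO_CARD, first_check_info)
        r2 = secrets.token_bytes(FACTOR_LEN)  # second random factor
        self.negotiation_key = derive_negotiation_key(self.first_key, r1, r2)
        return make_check_info(self.second_key, TO_PHONE, r2)


class PhoneSecurePart:
    """Secure part of the mobile phone, holding the same two keys."""

    def __init__(self, first_key, second_key):
        self.first_key, self.second_key = first_key, second_key
        self.r1 = None
        self.negotiation_key = None

    def start(self):
        self.r1 = secrets.token_bytes(FACTOR_LEN)  # first random factor
        return make_check_info(self.first_key, TO_CARD, self.r1)

    def finish(self, second_check_info):
        r2 = open_check_info(self.second_key, TO_PHONE, second_check_info)
        self.negotiation_key = derive_negotiation_key(self.first_key, self.r1, r2)


def run_exchange(tamper=False):
    """Run one exchange with constructed keys; True if both keys match."""
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    phone, card = PhoneSecurePart(k1, k2), Card(k1, k2)
    msg1 = phone.start()
    if tamper:  # flip one bit of the factor in transit
        msg1 = bytes([msg1[0] ^ 1]) + msg1[1:]
    msg2 = card.respond(msg1)  # raises CheckFailed on a modified message
    phone.finish(msg2)
    return hmac.compare_digest(phone.negotiation_key, card.negotiation_key)


def reflection_rejected():
    """With identical first and second keys, an echoed message must fail."""
    k = secrets.token_bytes(32)
    phone = PhoneSecurePart(k, k)
    msg1 = phone.start()
    try:
        phone.finish(msg1)  # the phone's own message returned to it
    except CheckFailed:
        return True
    return False


if __name__ == "__main__":
    print("keys agree:", run_exchange())
    print("reflection rejected:", reflection_rejected())
```

The page allows the first and second keys to be identical; the direction label inside each check value is what keeps a message from verifying in the opposite direction in that case.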
Embodiment 3
In this embodiment, the structure of the user identification card is as shown in FIG. 1. In this embodiment, the user identification card and the secure part of the mobile phone each generate the other party's public key, use it to encrypt and send a factor for generating the negotiation key, and decrypt what they receive to obtain the other party's factor, and in this way generate the negotiation key, so that the user identification card and the secure part of the mobile phone use the generated negotiation key for secure transmission of information.
In this embodiment, the communication module 101 is further configured to receive the first ciphertext information and the information to be processed, and to output the second ciphertext information and the processing information; the first ciphertext information is obtained by encrypting the first random factor with the public key of the user identification card, and the second ciphertext information is obtained by encrypting the second random factor with the public key of the module to be interacted with.
Specifically, the communication module 101 is invoked by the processing module 110 and is configured to receive the first ciphertext information and the information to be processed, and to output the second ciphertext information and the processing information.
The first ciphertext information is obtained by the secure part of the mobile phone encrypting the first random factor with the public key of the user identification card that it has generated; the user identification card obtains the first ciphertext information and decrypts it with the private key of the user identification card to obtain the authentic first random factor. The first random factor may be generated by the secure part of the mobile phone, or may be generated by the user identification card and sent securely to the secure part of the mobile phone. The information to be processed is the information sent by the secure part of the mobile phone to the user identification card; it may be confidential information that needs to be transmitted securely, or any information such as the transaction information of a pending online banking transaction. If the present invention is applied to the secure transmission of confidential information, the information may be confidential information that the mobile phone needs to output, for example confidential information that the mobile phone obtains from its secure storage area. If the present invention is applied to online banking, the information may be the transaction information of a transaction to be executed, for example a transaction account number and a transaction amount obtained by the mobile phone through an online banking client.
The second ciphertext information is obtained by the user identification card encrypting the second random factor with the public key of the module to be interacted with, which the user identification card has generated, so that the secure part of the mobile phone obtains the second ciphertext information and decrypts it to obtain the authentic second random factor.
The user identification card and the secure part of the mobile phone each generate the negotiation key shared by both parties from the first random factor and the second random factor that each has obtained.
The processing information is the information that the user identification card sends to the secure part of the mobile phone in response to the information to be processed. If the present invention is applied to the secure transmission of confidential information, the processing information may be the signed confidential information or the like. If the present invention is applied to online banking, the processing information may be the signed transaction information or the like.
Of course, the processing information may further include: encrypted information obtained by the symmetric algorithm module 107 performing encryption calculation on the signature information using the negotiation key, where the signature information is obtained by the public key algorithm module 106 performing signature calculation on the information to be processed using the private key of the user identification card; or
the processing information includes: check information obtained by the symmetric algorithm module 107 performing check calculation on the signature information using the negotiation key, together with the signature information, where the signature information is obtained by the public key algorithm module 106 performing signature calculation on the information to be processed using the private key of the user identification card; or
the processing information includes: encrypted information obtained by the symmetric algorithm module 107 performing encryption calculation on the signature information using the negotiation key, and check information obtained by performing check calculation on the signature information, where the signature information is obtained by the public key algorithm module 106 performing signature calculation on the information to be processed using the private key of the user identification card; or
the processing information includes: encrypted information obtained by the symmetric algorithm module 107 performing encryption calculation on the signature information using the negotiation key, and check information obtained by performing check calculation on the encrypted information, where the signature information is obtained by the public key algorithm module 106 performing signature calculation on the information to be processed using the private key of the user identification card.
Thus, while transmitting the processing information, the user identification card can also ensure the security of the transmission of the signature information.
The communication module 101 may be any interface, such as a serial port, a USB interface, an NFC interface, a Bluetooth interface, an infrared interface, a button or an audio interface.
The security authentication module 102 is configured to perform security authentication on user identity information and user operation information. Specifically, the security authentication module 102 can be invoked by the processing module 110 to perform security authentication on identity information that the user enters through the mobile phone or by other means, and can also perform security authentication on the user's operation information, for example operations such as a read operation. The security authentication module 102 can set different security levels for different users, so that the security authentication function is carried out according to the identity and/or operation of each user.
The permission control module 103 is configured to perform permission control on the processing module 110's invocation of each module. Specifically, the permission control module 103 can be invoked by the processing module 110 and works with the processing module 110 to complete the processing module 110's invocation of each module, thereby controlling the invocations made by the processing module 110. Of course, the permission control module 103 can also control the execution permissions of code and/or applications to ensure the security of information, functions and applications.
The security protection module 104 is configured to perform protection operations on at least the operations of the public key algorithm module 106, the symmetric algorithm module 107, the random number module 108 and/or the hash module 109. Specifically, when the public key algorithm module 106 performs signature calculation, and when the symmetric algorithm module 107 performs encryption/decryption calculation and/or check calculation, the security protection module 104 is invoked by the processing module 110 to protect the calculation. This resists analysis attacks such as power analysis or electromagnetic analysis and makes the calculation harder to break, thereby improving the security of the various information calculations. The protection operation may include any scrambling operation, such as frequency scrambling, power consumption scrambling or computation scrambling. The protection operation may also be an operation such as balanced calculation; any operation that achieves the purpose of security protection and prevents attacks falls within the protection scope of the present invention. The security protection module 104 performs protection operations on at least the calculation operations of the public key algorithm module 106 and/or the symmetric algorithm module 107.
The secure storage module 105 is further configured to store the private key of the user identification card and the public key calculation algorithm used to generate the public key of the module to be interacted with.
Specifically, in addition to storing the private key used for signature calculation and the negotiation key used for encryption/decryption calculation and/or check calculation, the secure storage module 105 specifically stores the private key of the user identification card so that, when invoked by the processing module 110, it supports the signature operation in confidential information transmission and/or the signature operation in online banking; it can also be invoked by the processing module 110 to decrypt information that the module to be interacted with has encrypted with the public key of the user identification card and transmitted. The secure storage module 105 stores the public key calculation algorithm used to generate the public key of the module to be interacted with so that, when invoked by the processing module 110, it works with the public key algorithm module 106 to generate the public key of the module to be interacted with (that is, the public key of the secure part of the mobile phone) from the identification information of the secure part of the mobile phone. Information that needs to be sent to the secure part of the mobile phone can then be encrypted with the public key of the secure part of the mobile phone, ensuring transmission security.
The public key algorithm module 106 is further configured to generate the public key of the module to be interacted with from the public key calculation algorithm and the identification information of the module to be interacted with.
Specifically, in addition to being configured to perform signature calculation, the public key algorithm module 106 is configured to be invoked by the processing module 110 and to generate the public key of the module to be interacted with from the public key calculation algorithm and the identification information of the module to be interacted with (that is, the secure part of the mobile phone). The identification information of the module to be interacted with may include, but is not limited to, the serial number of the mobile phone CPU, the MAC address of the mobile phone CPU, and the like.
The symmetric algorithm module 107 is further configured to perform decryption calculation on the first ciphertext information using the private key of the user identification card, and to perform encryption calculation on the second random factor using the public key of the module to be interacted with.
Specifically, the symmetric algorithm module 107 is configured to be invoked by the processing module 110 to decrypt the first ciphertext information using the private key of the user identification card, so as to obtain a factor for generating the negotiation key. It is also configured to be invoked by the processing module 110 to perform encryption calculation on a factor for generating the negotiation key using the public key of the module to be interacted with, so that the factor is sent securely to the secure part of the mobile phone. Of course, the symmetric algorithm module 107 of this embodiment may also be configured to perform decryption calculation and/or check calculation on the information to be processed: after the secure part of the mobile phone has performed encryption calculation and/or check calculation on the information to be processed, the symmetric algorithm module 107 performs decryption calculation and/or check calculation on it in order to verify its integrity and authenticity. The symmetric algorithm module 107 of this embodiment may also be invoked by the processing module 110 to perform encryption calculation and/or check calculation on the processing information, so as to ensure the authenticity and integrity of the processing information.
The random number module 108 is further configured to generate at least the second random factor.
Specifically, the random number module 108 is configured to generate the second random factor used for generating the negotiation key, and to be invoked by the processing module 110.
The hash module 109 is configured to perform hash calculation. Specifically, the hash module 109 can be invoked by the processing module 110: when the processing module 110 invokes the public key algorithm module 106 to perform signature calculation on information using the private key of the user identification card, the hash module 109 performs the accompanying hash calculation to obtain the signature information, completing the security function of the user identification card.
The processing module 110 is further configured to invoke the symmetric algorithm module 107 to decrypt the first ciphertext information using the private key of the user identification card to obtain the first random factor, to invoke the public key calculation algorithm stored in the secure storage module 105 and the public key algorithm module 106 to generate the public key of the module to be interacted with, to invoke the second random factor generated by the random number module 108, and to invoke the symmetric algorithm module 107 to perform encryption calculation on the second random factor using the public key of the module to be interacted with to obtain the second ciphertext information. Specifically, the processing module 110 invokes the modules above to decrypt the encrypted information sent by the secure part of the mobile phone and obtain a generation factor of the negotiation key, and to generate the public key of the secure part of the mobile phone from the identification information of the secure part of the mobile phone, so that the negotiation key generation factor generated on the user identification card side can be transmitted securely to the secure part of the mobile phone. At the same time it generates the negotiation key on the user identification card side from the negotiation key generation factors, so that the secure part of the mobile phone and the user identification card exchange information using the negotiation key, improving the security of the information exchange.
Thus, data can be transmitted securely by means of the user identification card with security functions of the present invention.
Furthermore, the user identification card of the present invention is used together with the secure part of the mobile phone so that the mobile phone can securely carry out online banking and/or confidential information transmission.
It should be understood that the parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the embodiments above, multiple steps or methods may be implemented in software or firmware that is stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented by any one or a combination of the following techniques well known in the art: a discrete logic circuit having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), and so on.
A person of ordinary skill in the art will understand that all or part of the steps carried by the methods of the embodiments above can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist physically on its own, or two or more units may be integrated into one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and sold or used as a stand-alone product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like.
In the description of this specification, a description that refers to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is to be understood that these embodiments are exemplary and are not to be construed as limiting the present invention. A person of ordinary skill in the art may make changes, modifications, substitutions and variations to the embodiments above within the scope of the present invention without departing from its principles and purpose. The scope of the present invention is defined by the appended claims and their equivalents.

Claims (10)

  1. A user identification card, characterized by comprising: a processing module, a communication module, a security authentication module, a permission control module, a security protection module, a secure storage module, a public key algorithm module, a symmetric algorithm module, a random number module and a hash module;
    the communication module is configured to receive and output information;
    the security authentication module is configured to perform security authentication on user identity information and user operation information;
    the permission control module is configured to perform permission control on the processing module's invocation of each module;
    the security protection module is configured to perform protection operations on at least the operations of the public key algorithm module, the symmetric algorithm module, the random number module and/or the hash module;
    the secure storage module is configured to store at least a private key for signature calculation and a negotiation key for encryption/decryption calculation and/or check calculation;
    the public key algorithm module is configured to perform signature calculation;
    the symmetric algorithm module is configured to perform encryption/decryption calculation and/or check calculation;
    the random number module is configured to generate a random factor;
    the hash module is configured to perform hash calculation;
    the processing module is configured to invoke the information reception and output of the communication module, to invoke the authentication result produced by the security authentication module, to invoke the protection operations of the security protection module, to invoke the information stored in the secure storage module, to invoke the calculation of the public key algorithm module, to invoke the calculation of the symmetric algorithm module, to invoke the random factor generated by the random number module, to invoke the hash calculation of the hash module, and to invoke each module according to the permissions of the permission control module.
  2. The user identification card according to claim 1, wherein:
    the communication module is further configured to receive first authentication information and to-be-processed information, and to output second authentication information, second ciphertext information and processing information, wherein the first authentication information includes at least: first ciphertext information, ciphertext signature information and a certificate to be authenticated; the first ciphertext information includes at least a first random factor and a second random factor; the ciphertext signature information is a signature over the first ciphertext information; the second authentication information includes at least: the first random factor and a user identification card certificate; and the second ciphertext information includes at least the second random factor and a third random factor;
    the secure storage module is further configured to store the private key of the user identification card, the certificate of the user identification card, and the public key of the certificate to be authenticated;
    the public key algorithm module performs the signature verification calculation on the ciphertext signature information using the public key of the certificate to be authenticated, and performs the authentication calculation on the certificate to be authenticated;
    the symmetric algorithm module is further configured to perform a decryption calculation on the first ciphertext information, and to perform an encryption calculation on at least the second random factor and the third random factor to obtain the second ciphertext information;
    the random number module is further configured to generate the first random factor and the third random factor;
    the processing module is further configured to: after invoking the public key algorithm module to authenticate the certificate to be authenticated and the authentication passes, invoke the public key algorithm module to perform the signature verification calculation on the ciphertext signature information; after the signature verification passes, invoke the symmetric algorithm module to decrypt the first ciphertext information and obtain the second random factor; invoke the third random factor generated by the random number module; and invoke the symmetric algorithm module to perform an encryption calculation on the second random factor and the third random factor to obtain the second ciphertext information.
  3. The user identification card according to claim 1, wherein:
    the communication module is further configured to receive first check information and to-be-processed information, and to output second check information and processing information, wherein the first check information is calculated from a first random factor and the second check information is calculated from a second random factor;
    the secure storage module is further configured to store the private key of the user identification card, and a first key and a second key used for verification;
    the symmetric algorithm module is further configured to perform a check calculation on the first check information using the first key, and to perform a check calculation on the second random factor using the second key to obtain the second check information;
    the random number module is further configured to generate at least the second random factor;
    the processing module is further configured to invoke the first key stored by the secure storage module and the symmetric algorithm module to verify the first check information, and, after the verification passes, to invoke the second random factor generated by the random number module and to invoke the symmetric algorithm module to perform a check calculation on the second random factor to obtain the second check information.
  4. The user identification card according to claim 1, wherein:
    the communication module is further configured to receive first ciphertext information and to-be-processed information, and to output second ciphertext information and processing information, wherein the first ciphertext information is obtained by encrypting a first random factor with the public key of the user identification card, and the second ciphertext information is obtained by encrypting a second random factor with the public key of the module to be interacted with;
    the secure storage module is further configured to store the private key of the user identification card and a public key calculation algorithm used to generate the public key of the module to be interacted with;
    the public key algorithm module is further configured to generate the public key of the module to be interacted with according to the public key calculation algorithm and identification information of the module to be interacted with;
    the symmetric algorithm module is further configured to perform a decryption calculation on the first ciphertext information using the private key of the user identification card, and to perform an encryption calculation on the second random factor using the public key of the module to be interacted with;
    the random number module is further configured to generate at least the second random factor;
    the processing module is further configured to invoke the symmetric algorithm module to decrypt the first ciphertext information with the private key of the user identification card and obtain the first random factor; to invoke the public key calculation algorithm stored by the secure storage module and the public key algorithm module to generate the public key of the module to be interacted with; to invoke the second random factor generated by the random number module; and to invoke the symmetric algorithm module to perform an encryption calculation on the second random factor with the public key of the module to be interacted with to obtain the second ciphertext information.
  5. The user identification card according to any one of claims 2 to 4, wherein:
    the processing information includes: encrypted information obtained by the symmetric algorithm module performing an encryption calculation on signature information according to the negotiated key, wherein the signature information is obtained by the public key algorithm module performing a signature calculation on the to-be-processed information with the private key of the user identification card; or
    the processing information includes: check information obtained by the symmetric algorithm module performing a check calculation on signature information according to the negotiated key, together with the signature information, wherein the signature information is obtained by the public key algorithm module performing a signature calculation on the to-be-processed information with the private key of the user identification card; or
    the processing information includes: encrypted information obtained by the symmetric algorithm module performing an encryption calculation on signature information according to the negotiated key, and check information obtained by performing a check calculation on the signature information, wherein the signature information is obtained by the public key algorithm module performing a signature calculation on the to-be-processed information with the private key of the user identification card; or
    the processing information includes: encrypted information obtained by the symmetric algorithm module performing an encryption calculation on signature information according to the negotiated key, and check information obtained by performing a check calculation on the encrypted information, wherein the signature information is obtained by the public key algorithm module performing a signature calculation on the to-be-processed information with the private key of the user identification card.
  6. The user identification card according to any one of claims 2 to 5, wherein:
    the processing module is further configured to invoke the hash calculation of the hash module to obtain the signature information when the public key algorithm module performs the signature calculation on the to-be-processed information with the private key of the user identification card.
  7. The user identification card according to any one of claims 2 to 6, wherein:
    the symmetric algorithm module is further configured to perform a decryption calculation and/or a check calculation on the to-be-processed information.
  8. The user identification card according to any one of claims 1 to 7, wherein the communication module comprises: a serial port, a USB interface, an NFC interface, a Bluetooth interface, an infrared interface, a button or an audio interface.
  9. The user identification card according to any one of claims 1 to 8, wherein the protection operation comprises: frequency scrambling, power consumption scrambling, calculation scrambling or balanced calculation.
  10. The user identification card according to any one of claims 1 to 9, wherein the permission control module is further configured to control the execution of code and/or applications.
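The two-key check exchange of claim 3, as an added example that is not part of the patent text. It assumes HMAC-SHA256 for the unspecified check calculation, that the card issues the first random factor as a challenge, and that the second random factor travels with its check value; `Card`, `Peer`, `check_value` and `mutual_check` are hypothetical names.

```python
import hashlib
import hmac
import secrets

def check_value(key: bytes, factor: bytes) -> bytes:
    # HMAC-SHA256 stands in for the claim's unspecified symmetric check calculation.
    return hmac.new(key, factor, hashlib.sha256).digest()

class Card:
    """Card side: verifies the peer with the first key, answers with the second."""

    def __init__(self, first_key: bytes, second_key: bytes):
        self._k1, self._k2 = first_key, second_key
        self._pending = None  # first random factor awaiting a check value

    def issue_first_factor(self) -> bytes:
        # Assumption: the card generates the first random factor as a challenge.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def process(self, first_check: bytes):
        r1, self._pending = self._pending, None  # each factor is usable once
        if r1 is None:
            return None  # no outstanding challenge: replayed or unsolicited
        if not hmac.compare_digest(check_value(self._k1, r1), first_check):
            return None  # verification failed: no second factor is generated
        r2 = secrets.token_bytes(16)  # second random factor
        return r2, check_value(self._k2, r2)  # second check information

class Peer:
    """Hypothetical module to be interacted with (terminal side)."""

    def __init__(self, first_key: bytes, second_key: bytes):
        self._k1, self._k2 = first_key, second_key

    def first_check(self, r1: bytes) -> bytes:
        return check_value(self._k1, r1)

    def verify_card(self, r2: bytes, second_check: bytes) -> bool:
        return hmac.compare_digest(check_value(self._k2, r2), second_check)

def mutual_check(card: Card, peer: Peer) -> bool:
    reply = card.process(peer.first_check(card.issue_first_factor()))
    return reply is not None and peer.verify_card(*reply)

# Constructed sample keys; a real card keeps them in its secure storage module.
K1 = bytes.fromhex("00112233445566778899aabbccddeeff")
K2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")

if __name__ == "__main__":
    print(mutual_check(Card(K1, K2), Peer(K1, K2)))
```

Using a different key for each direction means a check value produced by the card can never be reflected back to it as a valid first check value.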
PCT/CN2015/070906 2014-04-18 2015-01-16 User identity identification card WO2015158172A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410156521.6 2014-04-18
CN201410156521.6A CN103944724B (en) 2014-04-18 2014-04-18 A kind of subscriber identification card

Publications (1)

Publication Number Publication Date
WO2015158172A1 (en) 2015-10-22

Family

ID=51192224

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/070906 WO2015158172A1 (en) 2014-04-18 2015-01-16 User identity identification card

Country Status (3)

Country Link
CN (1) CN103944724B (en)
HK (1) HK1199984A1 (en)
WO (1) WO2015158172A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106652665A (en) * 2016-12-09 2017-05-10 西安电子科技大学 Experimental device of computer composition principle
CN107451647A (en) * 2016-06-01 2017-12-08 北京军地联合网络技术中心 A kind of post special SIM card of built-in security mechanisms
CN112885434A (en) * 2021-03-23 2021-06-01 中国人民解放军联勤保障部队第九六〇医院 System and method for integrating portable information acquisition and psychological test in network-free environment
CN114615046A (en) * 2022-03-07 2022-06-10 中国大唐集团科学技术研究总院有限公司 Administrator double-factor authentication method based on national secret certificate

Families Citing this family (7)

Publication number Priority date Publication date Assignee Title
CN103944724B (en) * 2014-04-18 2017-10-03 天地融科技股份有限公司 A kind of subscriber identification card
CN104158567B (en) * 2014-07-25 2016-05-18 天地融科技股份有限公司 Matching method between bluetooth equipment and system, data interactive method and system
CN105812334B (en) * 2014-12-31 2019-02-05 北京华虹集成电路设计有限责任公司 A kind of method for network authorization
CN106982214A (en) * 2017-03-31 2017-07-25 山东超越数控电子有限公司 A kind of cloud desktop security of use NFC technique logs in ID card and cloud desktop security login method
CN108985046A (en) * 2018-06-07 2018-12-11 国民技术股份有限公司 A kind of safety stop control method, system and computer readable storage medium
CN110728347A (en) * 2019-09-16 2020-01-24 中云信安(深圳)科技有限公司 Solid electronic card and method for updating card surface display information of solid electronic card
CN115022093B (en) * 2022-08-05 2022-12-02 确信信息股份有限公司 Trusted CPU key calculation method and system based on multi-stage key

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101938520A (en) * 2010-09-07 2011-01-05 中兴通讯股份有限公司 Mobile terminal signature-based remote payment system and method
CN103164738A (en) * 2013-02-06 2013-06-19 厦门盛华电子科技有限公司 Mobile phone user identification card based on mobile payment multichannel digital certificate
US20140032898A1 (en) * 2012-07-26 2014-01-30 Shenzhen Skyworth-RGB electronics Co. Ltd. Authentication system and method for digital televisions
CN103944724A (en) * 2014-04-18 2014-07-23 天地融科技股份有限公司 User identity identification card

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US7076062B1 (en) * 2000-09-14 2006-07-11 Microsoft Corporation Methods and arrangements for using a signature generating device for encryption-based authentication
CN100586065C (en) * 2006-04-24 2010-01-27 北京易恒信认证科技有限公司 CPK credibility authorization system
CN100555936C (en) * 2007-01-08 2009-10-28 中国信息安全产品测评认证中心 A kind of method that in smart card and USB flash disk equipment complex, improves access security
CN101106455B (en) * 2007-08-20 2010-10-13 北京飞天诚信科技有限公司 Identity authentication method and intelligent secret key device

Patent Citations (4)

Publication number Priority date Publication date Assignee Title
CN101938520A (en) * 2010-09-07 2011-01-05 中兴通讯股份有限公司 Mobile terminal signature-based remote payment system and method
US20140032898A1 (en) * 2012-07-26 2014-01-30 Shenzhen Skyworth-RGB electronics Co. Ltd. Authentication system and method for digital televisions
CN103164738A (en) * 2013-02-06 2013-06-19 厦门盛华电子科技有限公司 Mobile phone user identification card based on mobile payment multichannel digital certificate
CN103944724A (en) * 2014-04-18 2014-07-23 天地融科技股份有限公司 User identity identification card

Non-Patent Citations (1)

Title
XUAN, LEI ET AL.: "Smart Card Design Based on CPK Authentication Technology", PROCEEDINGS OF 2009 CONFERENCE ON COMMUNICATION FACULTY, 31 December 2009 (2009-12-31), pages 177 - 180 *

Cited By (6)

Publication number Priority date Publication date Assignee Title
CN107451647A (en) * 2016-06-01 2017-12-08 北京军地联合网络技术中心 A kind of post special SIM card of built-in security mechanisms
CN107451647B (en) * 2016-06-01 2023-08-29 北京军地联合网络技术中心 Built-in safety mechanism's special SIM card of barracks
CN106652665A (en) * 2016-12-09 2017-05-10 西安电子科技大学 Experimental device of computer composition principle
CN112885434A (en) * 2021-03-23 2021-06-01 中国人民解放军联勤保障部队第九六〇医院 System and method for integrating portable information acquisition and psychological test in network-free environment
CN114615046A (en) * 2022-03-07 2022-06-10 中国大唐集团科学技术研究总院有限公司 Administrator double-factor authentication method based on national secret certificate
CN114615046B (en) * 2022-03-07 2024-04-30 中国大唐集团科学技术研究总院有限公司 Administrator double-factor authentication method based on national secret certificate

Also Published As

Publication number Publication date
CN103944724B (en) 2017-10-03
CN103944724A (en) 2014-07-23
HK1199984A1 (en) 2015-07-24

Similar Documents

Publication Publication Date Title
US11757662B2 (en) Confidential authentication and provisioning
WO2015158172A1 (en) User identity identification card
CN109309565B (en) Security authentication method and device
US9467430B2 (en) Device, method, and system for secure trust anchor provisioning and protection using tamper-resistant hardware
USH2270H1 (en) Open protocol for authentication and key establishment with privacy
US20190364032A1 (en) Method for carrying out a two-factor authentication
US10142107B2 (en) Token binding using trust module protected keys
US8689290B2 (en) System and method for securing a credential via user and server verification
EP2639997B1 (en) Method and system for secure access of a first computer to a second computer
AU2011305477B2 (en) Shared secret establishment and distribution
KR101634158B1 (en) Method for authenticating identity and generating share key
WO2015161689A1 (en) Data processing method based on negotiation key
WO2016054905A1 (en) Method for processing data
WO2015135398A1 (en) Negotiation key based data processing method
CN113507372A (en) Bidirectional authentication method for interface request
CN117081736A (en) Key distribution method, key distribution device, communication method, and communication device
WO2015109958A1 (en) Data processing method based on negotiation key, and mobile phone
CN102999710A (en) Method, equipment and system for safely sharing digital content
KR102128244B1 (en) Ssl/tls based network security apparatus and method
WO2015158173A1 (en) Agreement key-based data processing method
WO2023284691A1 (en) Account opening method, system, and apparatus
Nishimura et al. Secure authentication key sharing between personal mobile devices based on owner identity
KR101271464B1 (en) Method for coding private key in dual certificate system
Chen et al. Building general-purpose security services on EMV payment cards
KR101298216B1 (en) Authentication system and method using multiple category

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 15780370

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase

Ref document number: 15780370

Country of ref document: EP

Kind code of ref document: A1