CN102768744B - A kind of remote safe payment method and system - Google Patents


Publication number
CN102768744B
Authority
CN
China
Prior art keywords
terminal
server
remote server
smart card
remote
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210147405.9A
Other languages
Chinese (zh)
Other versions
CN102768744A (en)
Inventor
彭波涛
苏龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujian Landi Commercial Equipment Co Ltd
Original Assignee
Fujian Landi Commercial Equipment Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fujian Landi Commercial Equipment Co Ltd
Priority to CN201210147405.9A
Publication of CN102768744A
Application granted
Publication of CN102768744B
Legal status: Active
Anticipated expiration

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention discloses a remote secure payment method comprising the following steps: providing a bank smart card that stores security data; providing a terminal and a card reader, reading the smart card information through the card reader, authenticating the user between the bank smart card and a remote server, and, once authentication succeeds, establishing a secure data link between the bank smart card and the remote server for online transactions. The invention provides a security safeguard for users of online banking.

Description

A remote secure payment method and system

Technical field

The invention relates to the field of electronic payment, and in particular to a remote secure payment method and system.

Background

With the development of e-commerce, online transactions have become increasingly common. In addition, as smartphone prices have fallen, sales have grown steadily. This has made the demand for online payment by mobile phone increasingly evident, and the major banks have each launched their own mobile banking services. At present, the common mobile-phone-based payment methods are:

Method 1: Provide security authentication for remote payment through a local file certificate.

Method 2: Provide security authentication for remote payment through an SMS code.

Method 3: For some mobile phones that provide a USB-OTG interface, dedicated U-keys are already available. The U-key is used to secure the remote payment.

Disadvantages of the above methods:

Disadvantages of Methods 1 and 2: because smartphones may be compromised by viruses and hackers, the file certificate or SMS code used in Methods 1 and 2 may be obtained by malware, endangering the security of online transactions.

Disadvantage of Method 3: the bank must issue a dedicated U-key, and such a U-key is often usable only for one bank's online transactions. This raises the bank's operating costs, and it means that users must carry several U-keys in addition to their bank cards, which is inconvenient.

Summary of the invention

To solve the above problems, the present invention provides a security safeguard for users of online banking.

The specific technical means adopted by the present invention are as follows: a remote secure payment method, characterized in that it comprises the following steps:

providing a bank smart card that stores security data;

providing a terminal and a card reader, reading the smart card information through the card reader, authenticating the user between the bank smart card and a remote server, and, once authentication succeeds, establishing a secure data link between the bank smart card and the remote server for online transactions.

In particular, the identity verification comprises the following steps: the terminal reads the security data of the bank smart card; the remote server initiates a key negotiation process with the terminal over the Internet; after the key negotiation succeeds, the terminal returns a success message to the remote server; through this key negotiation process the two parties authenticate each other and generate a process key, which is used in subsequent communication as the encryption key for the data exchanged between the remote server and the terminal, thereby forming a secure data transmission link between the server and the bank smart card.

In particular, the terminal is a mobile phone and the remote server is a mobile banking server.

In particular, the terminal is a POS machine and the remote server is a POS server.

In particular, the terminal is a mobile phone, the remote server is an online banking server, and the mobile phone communicates with the online banking server through a computer.

In particular, the bank smart card is provided with an ISO7816 interface, through which the card reader reads the security data in the card.

In particular, the bank smart card is provided with a contactless communication interface conforming to the ISO14443 standard, through which the card reader reads the security data in the card.

In particular, the security data comprises a digital certificate and a private key.

The present invention also provides a remote secure payment system, characterized in that it comprises:

a bank smart card for storing security data;

a card reader for reading the security data;

a terminal, on which client software is installed, for carrying out online transactions;

the terminal reads the smart card information through the card reader, authenticates the user between the bank smart card and a remote server, and, once authentication succeeds, establishes a secure data link between the bank smart card and the remote server for online transactions.

In particular, the terminal is a mobile phone and the remote server is the bank's online banking server.

In particular, the terminal is a POS machine and the remote server is a POS server.

In particular, the terminal is a mobile phone, the remote server is an online banking server, and the mobile phone communicates with the online banking server through a computer.

In particular, the bank smart card is provided with an ISO7816 interface, through which the card reader reads the security data in the card.

In particular, the bank smart card is provided with a contactless communication interface conforming to the ISO14443 standard, through which the card reader reads the security data in the card.

In particular, the security data comprises a digital certificate and a private key.

Beneficial effects of the present invention:

Building on the existing financial IC card, the present invention adds digital certificate storage and a software interface, which are used to verify the user's identity and keep the user's online transactions secure. It can provide the function of the existing U-shield; the IC card's processing chip is small, and it uses the widely available ISO7816 interface. The invention thus provides a security safeguard for users of online banking.

Description of the drawings

Fig. 1 is a structural diagram of the bank smart card according to an embodiment of the present invention;

Fig. 2 is a flowchart of a remote secure payment method according to an embodiment of the present invention;

Fig. 3 is a structural diagram of the remote secure payment system according to an embodiment of the present invention;

Fig. 4 is a diagram of the identity verification interaction between the smart card, the online banking client and the server in the present invention.

Detailed description

To explain the technical content, structural features, objectives and effects of the present invention in detail, the following description is given with reference to the embodiments and the accompanying drawings.

Refer to Fig. 1, a structural diagram of the bank smart card according to an embodiment of the present invention. The bank smart card builds on the financial IC card that the bank issues to its customers by adding a security module. The security module provides storage and a software interface for the customer's digital certificate and private key, which are collectively referred to as the security data, and it can perform logical encryption operations, so it can replace a USB key for user identity authentication. IC cards are small, and every bank issues them. In this embodiment, the bank IC card has an ISO7816 interface through which a card reader can read the security data in the card; the information in the card can also be read wirelessly, for example through a contactless communication interface conforming to the ISO14443 standard.

Refer to Fig. 2, a flowchart of a remote secure payment method according to an embodiment of the present invention. The secure payment method comprises the following steps:

S1. Provide a bank smart card that stores security data;

S2. Provide a terminal and a card reader, read the smart card information through the card reader, authenticate the user between the bank smart card and a remote server, and, once authentication succeeds, establish a secure data link between the bank smart card and the remote server for online transactions.

The identity verification comprises the following steps: the terminal reads the security data of the bank smart card; the remote server initiates a key negotiation process with the terminal over the Internet; after the key negotiation succeeds, the terminal returns a success message to the remote server; through this key negotiation process the two parties authenticate each other and generate a process key, which is used in subsequent communication as the encryption key for the data exchanged between the remote server and the terminal, thereby forming a secure data transmission link between the server and the bank smart card.

In this embodiment, terminals include both mobile and non-mobile terminals, and both personal and commercial terminals. Mobile terminals include mobile phones, PADs, mobile PCs and the like, and the corresponding remote server is the bank's online banking server. The non-mobile terminal may be a desktop PC, for which the corresponding server is the online bank; the PC reads the information in the card through a card reader and logs in to online banking to transact. The commercial terminal may be a commercial POS machine, for which the corresponding server is a POS server.

The bank smart card is provided with an ISO7816 interface; when the terminal has no card-reading function, a card reader can read the security data in the card through this interface. The bank smart card may also be provided with a radio-frequency near-field communication interface, in which case the card reader reads the information in the card wirelessly, for example by radio frequency.

Fig. 4 is a diagram of the identity verification interaction between the smart card, the online banking client and the server in the present invention. The flow is explained here using a typical online banking login as the example. An online banking client is installed on the terminal, and a contact smart card is used to protect the transaction process. The smart card plays the role of a U-key: it stores the digital certificate and private key that the online bank uses to identify the customer, and the processor inside the card can perform the encryption and digital signature algorithms.

During login, the interaction takes place mainly between the smart card and the system server (the remote system). The client software interacts with the smart card through the terminal and the card reader, sending the server's commands and receiving the smart card's responses, and so completes the login process.

To support this interaction, the smart card and the system server each store a digital certificate and the corresponding private key. The certificate and private key on the smart card are called the client certificate and client private key; those on the server are called the server certificate and server private key. In addition, both the smart card and the server hold the root certificate for these certificates.

The interaction between the smart card and the remote server is as follows:

1. The client has the smart card generate a 32-byte random number and packs it with some other information to form the client handshake message. Here "client" is named relative to the server: it treats the client software, terminal, smart card, certificate and related components as a single whole. From the server's point of view, the party it interacts with is the client;

2. The client transmits the client handshake message to the server;

3. The server generates a 32-byte random number and packs it with some other information to form the server handshake message;

4. The server sends the server handshake message and the server certificate to the client;

5. The client sends the server certificate to the smart card, and the smart card verifies the received server certificate. If verification passes, the login succeeds; otherwise the login fails;

6. The client uses the smart card to carry out the following process:

  • Generate a 48-byte random number as the shared master key

  • Encrypt the master key with the public key in the server certificate to produce the encrypted shared master key

  • Compute the handshake hash from the client handshake message and the server handshake message, then encrypt it with the client private key to produce the digital signature of the handshake messages;

7. The client obtains the encrypted shared master key and the handshake digital signature from the smart card;

8. The client sends the client certificate, the encrypted shared master key and the handshake digital signature to the server;

9. The server checks the validity of the client certificate. If it is valid, the handshake succeeds; otherwise the handshake fails;

10. The server uses the public key in the client certificate to verify that the handshake digital signature matches the client and server handshake messages. If it matches, the handshake succeeds; otherwise the handshake fails and an error is returned;

11. The server uses the server private key to decrypt the encrypted shared master key, obtaining the shared master key;

12. Both parties use the shared master key to compute the session key. In all subsequent communication the session key is used to encrypt the data packets; the secure channel is thus established and the login succeeds.
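The twelve-step exchange above, as an added example in Go; it is not code from the patent or from the assignee. It plays both sides in one process and shows two checks the steps depend on: the card refuses a server certificate that does not chain to the shared root, and the server refuses a card reply whose signature was made over a different server random. Assumptions: RSA-2048 keys, OAEP encryption, PSS signatures and SHA-256 (the page names no algorithms), constructed certificates and names, and bare 32-byte randoms standing in for the full handshake messages; step 12's session-key derivation is not given on the page and is left out.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func randBytes(n int) []byte { // n bytes from the system CSPRNG
	b := make([]byte, n)
	_, err := rand.Read(b)
	check(err)
	return b
}

// issue builds a constructed test certificate; a nil caCert yields a self-signed root.
func issue(cn string, serial int64, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, BasicConstraintsValid: true}
	if caCert == nil {
		tmpl.KeyUsage, tmpl.IsCA = x509.KeyUsageCertSign, true
		caCert, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// trusted validates a peer certificate against the shared root (steps 5 and 9).
func trusted(c, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := c.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// digest hashes the client and server handshake messages together (step 6).
func digest(ch, sh []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, ch...), sh...))
	return h[:]
}

// cardRespond is steps 5 to 7, the part that runs inside the card.
// OAEP, PSS, SHA-256 and RSA-only keys are assumptions; the page names no algorithms.
func cardRespond(cardKey *rsa.PrivateKey, root, srv *x509.Certificate, ch, sh []byte) (master, enc, sig []byte, err error) {
	if err = trusted(srv, root); err != nil {
		return nil, nil, nil, fmt.Errorf("server certificate rejected: %w", err)
	}
	master = randBytes(48) // shared master key
	enc, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, srv.PublicKey.(*rsa.PublicKey), master, nil)
	check(err)
	sig, err = rsa.SignPSS(rand.Reader, cardKey, crypto.SHA256, digest(ch, sh), nil)
	return master, enc, sig, err
}

// serverAccept is steps 9 to 11: card certificate, handshake signature, then master key.
func serverAccept(srvKey *rsa.PrivateKey, root, card *x509.Certificate, ch, sh, enc, sig []byte) ([]byte, error) {
	if err := trusted(card, root); err != nil {
		return nil, fmt.Errorf("client certificate rejected: %w", err)
	}
	if err := rsa.VerifyPSS(card.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest(ch, sh), sig, nil); err != nil {
		return nil, fmt.Errorf("signature does not match handshake messages: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, srvKey, enc, nil)
}

// demo runs one honest login, then replays the card's reply against a fresh server random.
func demo() (sameMaster bool, replayErr error) {
	root, rootKey := issue("Constructed Root CA", 1, nil, nil)
	srv, srvKey := issue("constructed-bank-server", 2, root, rootKey)
	card, cardKey := issue("constructed-bank-card", 3, root, rootKey)
	ch, sh := randBytes(32), randBytes(32) // steps 1 and 3: the randoms stand in for the full messages
	master, enc, sig, err := cardRespond(cardKey, root, srv, ch, sh)
	check(err)
	got, err := serverAccept(srvKey, root, card, ch, sh, enc, sig)
	check(err)
	_, replayErr = serverAccept(srvKey, root, card, ch, randBytes(32), enc, sig)
	return bytes.Equal(master, got), replayErr
}

func main() { fmt.Println(demo()) }
```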

Refer to Fig. 3, a structural diagram of the secure payment system according to an embodiment of the present invention. The secure payment system comprises: a bank smart card for storing security data; a card reader for reading the security data; and a terminal, on which client software is installed, for carrying out online transactions. The terminal reads the smart card information through the card reader, authenticates the user between the bank smart card and a remote server, and, once authentication succeeds, establishes a secure data link between the bank smart card and the remote server for online transactions. The security data comprises a digital certificate and a private key. In this embodiment, taking a PC and an online banking server as the example, the online banking server initiates a key negotiation process with the PC over the Internet. After the key negotiation succeeds, the PC returns a success message to the online banking server. Through this key negotiation process the two parties authenticate each other and generate a process key, which is used in subsequent communication as the encryption key for the data exchanged between the online banking server and the terminal. This forms a secure data transmission link between the online banking server and the smart card, over which the subsequent transaction data is transmitted.

Building on the existing financial IC card, the present invention adds digital certificate storage and a software interface, which are used to verify the user's identity and keep the user's online transactions secure. It can provide the function of the existing U-shield; the IC card's processing chip is small, it uses the widely available ISO7816 interface, its cost is low and its manufacturing technology is mature. It thus provides a secure, low-cost safeguard for users of online banking.

The above is only an embodiment of the present invention and does not thereby limit the patent scope of the invention. Any equivalent structure or equivalent process transformation made using the contents of the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (11)

1. A remote secure payment method, characterized in that it comprises the following steps:
providing a bank smart card that stores security data, the security data comprising a digital certificate and a private key;
providing a terminal and a card reader, reading the smart card information through the card reader, authenticating the user between the bank smart card and a remote server, and, once authentication succeeds, establishing a secure data link between the bank smart card and the remote server for online transactions;
the identity verification comprises the following steps: the terminal reads the security data of the bank smart card; the remote server initiates a key negotiation process with the terminal over the Internet; after the key negotiation succeeds, the terminal returns a success message to the remote server; through this key negotiation process the two parties authenticate each other and generate a process key, which is used in subsequent communication as the encryption key for the data exchanged between the remote server and the terminal, thereby forming a secure data transmission link between the server and the bank smart card;
wherein the interaction between the bank smart card and the remote server is as follows:
the terminal has the bank smart card generate a 32-byte random number and packs it to form the terminal handshake message;
the terminal transmits the terminal handshake message to the remote server;
the remote server generates a 32-byte random number and packs it to form the server handshake message;
the remote server sends the server handshake message and the server certificate to the terminal;
the terminal sends the remote server certificate to the bank smart card, and the bank smart card verifies the received remote server certificate; if verification passes, the login succeeds; otherwise the login fails;
the terminal uses the bank smart card to carry out the following process:
generating a 48-byte random number as the shared master key;
encrypting the master key with the public key in the remote server certificate to produce the encrypted shared master key;
computing the handshake hash from the terminal handshake message and the remote server handshake message, then encrypting it with the terminal private key to produce the digital signature of the handshake messages;
the terminal obtains the encrypted shared master key and the handshake digital signature from the bank smart card;
the terminal sends the terminal certificate, the encrypted shared master key and the handshake digital signature to the remote server;
the remote server checks the validity of the terminal certificate; if it is valid, the handshake succeeds; otherwise the handshake fails;
the remote server uses the public key in the terminal certificate to verify that the handshake digital signature matches the terminal and server handshake messages; if it matches, the handshake succeeds; otherwise the handshake fails and an error is returned;
the remote server uses the server private key to decrypt the encrypted shared master key, obtaining the shared master key;
both parties use the shared master key to compute the session key; in all subsequent communication the session key is used to encrypt the data packets, so that the secure channel is established and the login succeeds;
the bank smart card is provided with an ISO7816 interface, through which the card reader reads the security data in the card.

2. The remote secure payment method according to claim 1, characterized in that the terminal is a mobile phone and the remote server is the bank's online banking server.

3. The remote secure payment method according to claim 1, characterized in that the terminal is a PAD and the remote server is the bank's online banking server.

4. The remote secure payment method according to claim 1, characterized in that the terminal is a POS machine and the remote server is a POS server.

5. The remote secure payment method according to claim 1, characterized in that the terminal is a mobile phone, the remote server is an online banking server, and the mobile phone communicates with the online banking server through a computer.

6. The remote secure payment method according to claim 1, characterized in that the bank smart card is provided with a contactless communication interface conforming to the ISO14443 standard, through which the card reader reads the security data in the card.

7. A remote secure payment system, characterized in that it comprises:
a bank smart card for storing security data, the security data comprising a digital certificate and a private key;
a card reader for reading the security data;
a terminal, on which client software is installed, for carrying out online transactions;
the terminal reads the smart card information through the card reader, authenticates the user between the bank smart card and a remote server, and, once authentication succeeds, establishes a secure data link between the bank smart card and the remote server for online transactions;
wherein the interaction between the bank smart card and the remote server is as follows:
the terminal has the bank smart card generate a 32-byte random number and packs it to form the terminal handshake message;
the terminal transmits the terminal handshake message to the remote server;
the remote server generates a 32-byte random number and packs it to form the server handshake message;
the remote server sends the server handshake message and the server certificate to the terminal;
the terminal sends the remote server certificate to the bank smart card, and the bank smart card verifies the received remote server certificate; if verification passes, the login succeeds; otherwise the login fails;
the terminal uses the bank smart card to carry out the following process:
generating a 48-byte random number as the shared master key;
encrypting the master key with the public key in the remote server certificate to produce the encrypted shared master key;
computing the handshake hash from the terminal handshake message and the remote server handshake message, then encrypting it with the terminal private key to produce the digital signature of the handshake messages;
the terminal obtains the encrypted shared master key and the handshake digital signature from the bank smart card;
the terminal sends the terminal certificate, the encrypted shared master key and the handshake digital signature to the remote server;
the remote server checks the validity of the terminal certificate; if it is valid, the handshake succeeds; otherwise the handshake fails;
the remote server uses the public key in the terminal certificate to verify that the handshake digital signature matches the terminal and server handshake messages; if it matches, the handshake succeeds; otherwise the handshake fails and an error is returned;
the remote server uses the server private key to decrypt the encrypted shared master key, obtaining the shared master key;
both parties use the shared master key to compute the session key; in all subsequent communication the session key is used to encrypt the data packets, so that the secure channel is established and the login succeeds;
the bank smart card is provided with an ISO7816 interface, through which the card reader reads the security data in the card.

8. The remote secure payment system according to claim 7, characterized in that the terminal is a mobile phone and the remote server is the bank's online banking server.

9. The remote secure payment system according to claim 7, characterized in that the terminal is a POS machine and the remote server is a POS server.

10. The remote secure payment system according to claim 7, characterized in that the terminal is a mobile phone, the remote server is an online banking server, and the mobile phone communicates with the online banking server through a computer.

11. The remote secure payment system according to claim 7, characterized in that the bank smart card is provided with a contactless communication interface conforming to the ISO14443 standard, through which the card reader reads the security data in the card.
CN201210147405.9A 2012-05-11 2012-05-11 A kind of remote safe payment method and system Active CN102768744B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210147405.9A CN102768744B (en) 2012-05-11 2012-05-11 A kind of remote safe payment method and system

Publications (2)

Publication Number Publication Date
CN102768744A CN102768744A (en) 2012-11-07
CN102768744B true CN102768744B (en) 2016-03-16

Family

ID=47096138

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210147405.9A Active CN102768744B (en) 2012-05-11 2012-05-11 A kind of remote safe payment method and system

Country Status (1)

Country Link
CN (1) CN102768744B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103116843A (en) * 2012-12-18 2013-05-22 福建联迪商用设备有限公司 Electronic payment method and device thereof and peripheral device of electronic payment
CN103905388A (en) * 2012-12-26 2014-07-02 中国移动通信集团广东有限公司 Authentication method, authentication device, smart card, and server
CN103237004A (en) 2013-03-15 2013-08-07 福建联迪商用设备有限公司 Key download method, key management method, method, device and system for download management
CN103729941B (en) * 2013-03-15 2016-06-15 福建联迪商用设备有限公司 A kind of main cipher key T MK method for safely downloading of terminal and system
CN103617532A (en) * 2013-12-16 2014-03-05 杭州信雅达科技有限公司 Offline payment and collection method and device for mobile terminals
CN105023154A (en) * 2014-04-21 2015-11-04 航天信息股份有限公司 Electronic paying method and apparatus based on multifunctional financial IC cards
CN105515773B (en) * 2014-09-26 2018-12-07 杭州华为数字技术有限公司 Portable device, user equipment and data interactive method
CN105528537A (en) * 2014-09-29 2016-04-27 联芯科技有限公司 Portable wireless broad-band apparatus and safety protection method thereof
CN104410968A (en) * 2014-11-18 2015-03-11 王家城 Portable universal integrated circuit card (UICC) subscriber terminal equipment and identity authentication system thereof
CN104915689B (en) * 2015-04-15 2017-10-31 四川量迅科技有限公司 A kind of smart card information processing method
CN105138892A (en) * 2015-08-06 2015-12-09 深圳市文鼎创数据科技有限公司 Data interaction method and apparatus applied to composite smart card device
CN108256855A (en) * 2016-12-29 2018-07-06 夏飞 A kind of cross-border electric business utilizes long-distance intelligent card method of payment
CN108416952B (en) * 2018-03-09 2020-07-24 上海商米科技集团股份有限公司 Alarm relieving method of POS terminal, server and system applying alarm relieving method
CN108600218B (en) * 2018-04-23 2020-12-29 捷德(中国)科技有限公司 A remote authorization system and remote authorization method
CN108681909B (en) * 2018-05-18 2021-09-24 浙江超脑时空科技有限公司 Intelligent anti-counterfeiting device and source tracing anti-counterfeiting method based on block chain intelligent contract
CN109858295B (en) * 2019-01-15 2022-02-01 重庆乔松信息技术有限公司 Network payment method for directly reading and writing IC card by mobile phone
CN109816379B (en) * 2019-01-15 2022-02-22 重庆乔松信息技术有限公司 Network payment system for directly reading and writing IC card by mobile phone

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101394615A (en) * 2007-09-20 2009-03-25 中国银联股份有限公司 A mobile payment terminal and payment method based on PKI technology
CN102006275A (en) * 2010-07-21 2011-04-06 恒宝股份有限公司 System and method for financial IC (Integrated Circuit) card transaction

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4729839B2 (en) * 2003-05-20 2011-07-20 株式会社日立製作所 IC card
CN1921682B (en) * 2005-08-26 2010-04-21 华为技术有限公司 Enhancing the key agreement method in the general authentication framework
US8615787B2 (en) * 2006-05-22 2013-12-24 Nxp B.V. Secure internet transaction method and apparatus
CN101458853A (en) * 2007-12-11 2009-06-17 结行信息技术(上海)有限公司 On-line POS system and smart card on-line payment method

Also Published As

Publication number Publication date
CN102768744A (en) 2012-11-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant