[go: up one dir, main page]

WO2018045916A1 - Authorization method, system, and card - Google Patents

Authorization method, system, and card Download PDF

Info

Publication number
WO2018045916A1
WO2018045916A1 PCT/CN2017/100208 CN2017100208W WO2018045916A1 WO 2018045916 A1 WO2018045916 A1 WO 2018045916A1 CN 2017100208 W CN2017100208 W CN 2017100208W WO 2018045916 A1 WO2018045916 A1 WO 2018045916A1
Authority
WO
WIPO (PCT)
Prior art keywords
card
authentication
card reader
information
state
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2017/100208
Other languages
French (fr)
Chinese (zh)
Inventor
李东声
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tendyron Corp
Original Assignee
Tendyron Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tendyron Corp filed Critical Tendyron Corp
Publication of WO2018045916A1 publication Critical patent/WO2018045916A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication

Definitions

  • the present invention relates to the field of electronic technologies, and in particular, to an authorization method, system, and card.
  • each reader is independent of each other and has no association with other readers. Therefore, the criminals only need to break through a card reader to obtain the authorization that the card reader can implement.
  • the time required for a criminal to break through each card reader is similar, that is, a card reader that is not capable of a higher level of authorization in the prior art does not achieve a higher security guarantee.
  • the present invention is directed to solving the above problems/one of them.
  • the main object of the present invention is to provide an authorization method
  • Another object of the present invention is to provide a card
  • An aspect of the present invention provides an authorization method, including: a card receiving an authentication instruction sent by a first card reader, wherein the authentication instruction carries identification information and first authentication information; and the card is based on the identification information. Acquiring a first authentication key in a first state corresponding to the first card reader, wherein the first state is an available state; the card using the first authentication key to the first authentication The information is authenticated, and when the authentication is passed, the second authentication information is sent to the first card reader; the first card reader receives the second authentication information, and at least determines whether the message is based on the second authentication information.
  • the method further includes: the card Obtaining, by using the first authentication key in the first state, a second authentication key in a first state corresponding to the second card reader, and storing the second authentication key in the first state, where Description Prerequisite two card readers given authorization for the card have succeeded in obtaining Authorization of the first card reader.
  • a card including: a first receiving module, configured to receive an authentication command sent by a first card reader, where the authentication command carries identification information and first authentication information; An acquiring module, configured to acquire, according to the identifier information, a first authentication key in a first state corresponding to the first card reader, where the first state is an available state; and the first authentication module is configured to: The first authentication information is authenticated by using the first authentication key, and the first sending module is triggered when the authentication is passed; the first sending module is configured to send the first sending card to the first card reader.
  • the first receiving module is further configured to receive the authentication response information returned by the first card reader, and the second acquiring module is configured to perform, by the first authentication module, the first authentication information.
  • the first authentication key in the first state is used to acquire the second authentication in the first state corresponding to the second card reader. Key, and sending the second authentication key in the first state to the first storage module, wherein the second card reader gives the card authorization: the card has successfully obtained the first read
  • the first storage module is configured to store the second authentication key in the first state.
  • Another aspect of the present invention provides an authorization system, comprising: a card reader according to any one of claims 10 to 15, wherein the first card reader comprises: a second receiving module, Receiving the second authentication information sent by the card; the authorization module, configured to determine, according to the second authentication information, whether the card is authorized; and the second sending module, configured to send, to the card, whether the indication is Response information for card authorization.
  • the present invention provides an authorization method, each card reader corresponding to an authentication key, and the card only uses the first authentication in the available state corresponding to the first card reader.
  • the key can authenticate the first authentication information of the first card reader, and send the authentication information to the first card reader, in order to obtain the authorization of the first card reader, and use the first authentication key pair in the card.
  • the second authentication key in the first state of the second card reader is obtained according to the first authentication key in the first state, thereby implementing hierarchical management of the authentication key.
  • corresponding control authority can be set, for example, if one card has been authorized by one or more other card readers, according to the other one or more card readers.
  • the authentication key in one state acquires the authentication key in the first state of the card reader, and thus it is possible to obtain the authorization of the card reader.
  • FIG. 2 is a schematic structural diagram of an authorization system according to Embodiment 2 of the present invention.
  • FIG. 3 is another schematic structural diagram of an authorization system according to Embodiment 2 of the present invention.
  • FIG. 4 is a schematic structural diagram of a card according to Embodiment 3 of the present invention.
  • FIG. 5 is a schematic diagram of another structure of a card according to Embodiment 3 of the present invention.
  • This embodiment provides an authorization method. As shown in FIG. 1, the method includes the following steps (S101-S105).
  • the card receives the authentication command sent by the first card reader, where the authentication command carries the identification information and the first authentication information;
  • the card acquires a first authentication key in a first state corresponding to the first card reader according to the identifier information, where the first state is an available state;
  • the card authenticates the first authentication information by using the first authentication key, and sends the second authentication information to the first card reader if the authentication passes;
  • the first card reader receives the second authentication information, determines, according to the second authentication information, whether it is a card authorization, and sends the authentication response information to the card.
  • step S105 The card acquires the second authentication key in the first state corresponding to the second card reader by using the first authentication key in the first state, and stores the second authentication key in the first state, and the second card is read.
  • the precondition for the card to be authorized is that the card has successfully obtained the authorization of the first card reader.
  • step S105 is illustrated in FIG. 1 after step S104, step 105 is not only performed after step S104, and step S105 may be performed in step S103, the card uses the first authentication key pair.
  • the card may receive the response information sent by the first card reader in step S104, and if it is determined that the response information indicates that the first card reader is authorized by the card, step S105 is performed.
  • each card reader corresponds to an authentication key
  • the card can only use the first authentication key in the available state corresponding to the first card reader to be the first card reader.
  • An authentication information is authenticated, and the authentication information is sent to the first card reader, so as to obtain the authorization of the first card reader, and after the card authenticates the first authentication information by using the first authentication key, according to the first state
  • the first first authentication key acquires the second authentication key in the first state of the second card reader, thereby implementing hierarchical management of the authentication key.
  • the card reader can be obtained according to the authentication key in the first state of the other card reader or cards.
  • the authentication key in the first state in order to obtain the authorization of the card reader.
  • the card may be a magnetic stripe card, an integrated circuit card (IC card), a smart card, or the like, which is not limited in this embodiment, as long as it can be read by the card reader.
  • the first card reader is a card reader currently interacting with the card, and the type of the first card reader corresponds to the type of the card, for example, when the card is a magnetic stripe card, the first card reader may be a magnetic card reader.
  • the first card reader can be an IC card reader; the first card reader can also be other types of card readers, which is not specifically limited in this embodiment.
  • the card may be of a contact type or a non-contact type. If the card is non-contact type, the contact between the card and the first card reader is non-contact communication, and the communication standard can adopt standard protocols such as ISO14443A, ISO14443B, and ISO15693. When the card is within the working distance of the first card reader, the card can communicate with the first card reader, enabling communication without the need for a card. When the card is in contact type, contact communication is performed between the card and the first card reader, and the card can communicate with the first card reader only when the card contact is properly connected to the interface of the first card reader.
  • the first card reader when the card is non-contact type, can periodically broadcast a card search instruction, and if the card is located in the card reading range of the first card reader, the card can respond to the first card reader.
  • the card-finding instruction sends a card-seeking response to the first card reader, and after receiving the card-seeking response, the first card reader can determine the currently read card, and then send an authentication command to the card.
  • the identifier information carried in the authentication command sent by the first card reader may be a unique identifier corresponding to the first card reader.
  • the identifier information may be the serial number of the first card reader, or It is identification information of a first authentication key (ie, an authentication key used to authenticate the first authentication information) corresponding to the first card reader.
  • the card determines the first authentication key in the available state corresponding to the first card reader by using the identification information, thereby determining whether the first authentication information sent by the first card reader can be authenticated.
  • the first authentication key in a plurality of different states may be stored in the card, and the first authentication keys in different states may be separately stored in different storage areas of the card to facilitate the calling of the card.
  • the first authentication key in the first state is stored in the first storage area
  • the first authentication key in the other state is stored in the second storage area.
  • the card may pre-store the mapping relationship between the identification information of all the card readers and the authentication key. After receiving the identification information of the first card reader, the card may be obtained from the first storage area according to the identification information of the first card reader.
  • the first authentication key in the first state refers to the first authentication key that can be directly used.
  • the first state may be a plain text state. Only the first authentication key in the first state can be directly used. The authentication key in other states cannot be directly used. Only the first authentication key in other states can be converted into the first authentication key in the first state. use.
  • the card can authenticate the identity of the first card reader by using the first authentication information.
  • the first authentication information may be a first check value generated by the first card reader by using the own authentication key to calculate the first calculation factor, where the first calculation factor may be a random number generated by the first card reader. The number of times that the first card reader is authorized, and the total number of times the card is requested for authorization, which is not limited in this embodiment.
  • the first card reader uses the authentication key to calculate the first calculation factor according to a preset verification algorithm to obtain a check value, and the check value is carried in the first authentication information and sent to the card.
  • the preset verification algorithm may be a MAC algorithm, or may be another verification algorithm, for example, a signature algorithm, which is not limited in this embodiment.
  • the card When the card authenticates the first authentication information, the first authentication key in the first state of the obtained first card reader is used, and the card adopts the same verification algorithm as the first card reader, and the first calculation is performed on the card.
  • the factor is calculated to obtain a check value, and the calculated check value is compared with the check value in the received first authentication information. If the same, the first authentication information is authenticated. If not, the first authentication information is obtained. The certification did not pass. If the first authentication information is authenticated, it indicates that the first authentication information has not been tampered with and the identity of the first card reader is legal. If the authentication fails, the first authentication information is tampered with and/or the identity of the first card reader. illegal.
  • the first calculation factor may be that the first card reader is carried in the authentication command and sent to the card, or the card is obtained by using the same rule as the first card reader, which is not limited in this embodiment.
  • the card generates the second authentication information when the card passes the authentication of the first authentication information.
  • the second authentication information may be a verification value generated by the card using the authentication key to calculate the second calculation factor according to a preset verification algorithm, or the second authentication.
  • the information may also be a third verification value generated by the card using the authentication key to calculate the first calculation factor and the second calculation factor according to a preset verification algorithm, wherein the second calculation factor may be the card according to the first reading.
  • the algorithm generated by the card (or background) agreed by the algorithm may also be a count of the number of times the card is authorized, or may be a random factor generated by the card (in this case, the card may use the second calculation factor and the second authentication information) Send it to the first card reader together).
  • the first card reader may determine whether it is a card authorization according to at least the second authentication information, or may perform a judgment jointly with the background.
  • the first card reader can authenticate at least the second authentication information by itself, obtain the authentication result, and then determine whether it is the card authorization according to at least the authentication result; or the first card reader can also send the second authentication information to the background.
  • the background authentication is performed on at least the second authentication information, and the authentication result is returned to the first card reader, and then the first card reader determines whether the card is authorized according to at least the authentication result.
  • the first card reader or the background authenticates the second authentication information, using the authentication key of the card, using the same verification algorithm as the card, the second calculation factor, or the first calculation factor Computation with the second calculation factor to generate a check value, and comparing whether the calculated check value and the received check value in the second authentication information are the same. If they are the same, the second authentication information is authenticated. If not, then The second authentication information authentication fails. If the second authentication information is authenticated, it indicates that the second authentication information has not been tampered with and the identity of the card is legal. If the authentication fails, the second authentication information is falsified and/or the identity of the card is invalid. The first card reader only judges whether it is based on the authentication result. In the case of card authorization, if the second authentication information is authenticated, the response information indicating successful authorization is sent to the card, and if the second authentication information is not authenticated, the response information indicating that the authorization is not authorized is sent to the card.
  • the first card reader can determine whether it is a card authorization according to the second authentication information, and can determine whether the card is authorized according to other information. Therefore, as an optional implementation manner of the embodiment of the present invention, If the authentication result of the second authentication information indicates that the authentication is passed, further determining whether the card is authorized according to the authorization authority list of the first card reader. Whether the card is an authorized user of the first card reader is determined whether the card is authorized by the card according to whether the card is in the authorization permission list of the first card reader.
  • the authorization list of the first card reader may be stored in the background, or may be stored locally in the first card reader, and if it is stored locally in the first card reader, it is judged by the first card reader.
  • the background If it is stored in the background, it is judged by the background, and finally, it is combined with the authentication result of authenticating the second authentication information to determine whether it is a card authorization. For example, if the second authentication information is authenticated by the background and the authorized permission list is stored in the background, after the background authenticates the second authentication information, it is further determined whether the card is in the authorization permission list of the first card reader, and if And authenticating the authentication result to the first card reader, the first card reader determines to authorize the card according to the authentication result; and if the first card reader authenticates the second authentication information, the authorization permission list is After being stored in the first card reader, the background authentication of the second authentication information is passed, and the first card reader is returned with an authentication result indicating whether the second authentication information is authenticated, if the authentication result indicates that the second authentication information is authenticated.
  • the first card reader further determines whether the card is in the authorization permission list of the first card reader, and if so, determines to authorize the card, otherwise determines that the card is not authorized.
  • the second authentication information is authenticated by the first card reader and the authorization authority list is stored in the first card reader
  • the first card reader authenticates the second authentication information
  • it is further determined whether the card is in the first In the list of authorized rights of a card reader if yes, it is determined that the card is authorized; and when the first card reader authenticates the second authentication information and the authorized permission list is stored in the background, the first card is read.
  • the device can send the related information of the card to the background, and the background determines whether the card is in the authorization permission list of the first card reader, and returns the determination result to the first card reader, first The card reader determines whether to authorize the card based on the returned judgment result.
  • the premise that the card satisfies the authorization of the card by the first card reader may be authenticated in the background.
  • the background may use the first security status to record information about the authorization obtained by the card.
  • the pre-condition for granting the card authorization by the first card reader may include only a group of third card readers that have authorized the same card, and the background only needs to judge whether the card has been successfully obtained according to the first security state.
  • the authorization of all the third card readers in the precondition of the card authorization given by the card reader If the card has successfully obtained the authorization of all the third card readers in the precondition, the card satisfies the precondition of the authorization given by the first card reader. Otherwise, the card does not satisfy the preconditions for the authorization given by the first card reader.
  • the first card reader can also define a group of preconditions for granting authorization.
  • the first security state further includes: the order in which the card is successfully authorized, and/or the time when the card successfully obtains the authorization, that is, the background also needs to record the order and/or time of successfully obtaining the authorization of each card reader.
  • the method further includes: determining, according to the first security state, whether the order in which the card is successfully authorized is consistent with the authorization order in the precondition; and/or determining according to the first security state Whether the time the card was successfully authorized is within the valid time of the precondition. If the order in which the card is successfully authorized is consistent with the authorization order in the precondition, and/or the time when the card is successfully authorized is within the valid time in the precondition, the card satisfies the precondition of the authorization given by the first card reader; otherwise, The card does not satisfy the preconditions for the authorization given by the first card reader.
  • the card after the card authenticates the first authentication information, the card can directly acquire the second authentication key in the first state corresponding to the second card reader by using the first authentication key in the first state.
  • the authentication response information received by the card is the authorization of the card
  • the card acquires the second authentication key in the first state corresponding to the second card reader by using the first authentication key in the first state.
  • the second authentication key in the first state may be stored in the storage area of the card.
  • the second The second authentication key in one state authenticates the authentication information sent by the second card reader, thereby obtaining the authorization of the second card reader.
  • the card acquires the second authentication key in the first state corresponding to the second card reader by using the first authentication key in the first state, including: using the first state of the card
  • the first first authentication key calculates a second authentication key in the second state corresponding to the second card reader that is stored locally, and obtains the second authentication key in the first state.
  • the second authentication key in the second state includes: an encrypted second authentication key; the card is stored locally by using the first authentication key in the first state.
  • the second authentication key in the second state corresponding to the second card reader is calculated, and the second authentication key in the first state is obtained, including: the card is stored locally by using the first authentication key in the first state.
  • the encrypted second authentication key corresponding to the second card reader is decrypted to obtain a decrypted second authentication key.
  • the first state refers to a decrypted state, that is, a plaintext state
  • the second state refers to an encrypted state.
  • the card can decrypt the encrypted second authentication key by using the first authentication key in the first state as a decryption key, and obtain the decrypted second authentication key, that is, the second authentication key of the plaintext.
  • the second authentication key is stored in the form of cipher text, which ensures the storage security of the second authentication key.
  • the second authentication key in the second state may be obtained by encrypting the second authentication key in the first state by using the first authentication key in the first state, and the card is utilized.
  • the first authentication key in the first state acquires the second authentication key in the first state
  • the second authentication key in the second state is decrypted using the first authentication key in the first state, that is, The second authentication key in the first state. That is, in the optional implementation manner, in the initial state, the authentication key stored in the card may be processed according to the preconditions for granting authorization by each card reader.
  • the second authentication key of the second card reader that the first card reader has authorized the card to authorize the card when storing, may use the first authentication key of the first card reader for the second reading
  • the second authentication key of the card device is encrypted and stored, and a decryption mechanism is set in the card: after the card passes the authentication of the first authentication information sent by the first card reader, or after receiving the indication that the first card reader has been After responding to the authorization of the card, decrypting the encrypted second authentication key of the second card reader to obtain the plaintext of the second authentication key of the second card reader, so that the subsequent card is authorized to request the second card reader At the same time, the authentication information sent by the second card reader can be successfully authenticated using the second authentication key.
  • the precondition for granting authorization by the first card reader may be that the same card does not need to obtain authorization of any card reader, and the corresponding authentication key is K1, and the precondition for granting authorization by the second card reader may be that the same card has been successfully obtained.
  • the authorization of the No. 1 card reader, the corresponding authentication key is K2, and the precondition for the authorization of the No. 3 card reader can be that the same card has successfully obtained the authorization of the No. 1 card reader and the No.
  • the order of authorization is: first obtain the authorization of the first card reader, then obtain the authorization of the second card reader, and the authentication key corresponding to the third card reader is K3.
  • the authentication key stored in the card is: K1 of plaintext, ciphertext K2' of K2 obtained by encrypting K2 with K1, and ciphertext K3' of K3 obtained by encrypting K3 with K2.
  • the second card reader sends the authentication information calculated by K2 to the card, and after receiving the authentication information, the card cannot store the plaintext of K2 locally.
  • the authentication information is authenticated, so that the corresponding authentication information cannot be returned to the second card reader, and the authorization of the second card reader cannot be obtained.
  • the first card reader sends the authentication information calculated by K1 to the card, and after receiving the authentication information, the card obtains the plaintext of the local storage K1, and authenticates the authentication information.
  • the corresponding authentication information is returned to the first card reader, and the first card reader authenticates the authentication information.
  • the card is authorized to be authorized, and the corresponding response information is returned, and the card is received.
  • the card reader After responding to the information, it is determined that the card reader has authorized the card, decrypting K2' to obtain the plaintext of K2; after that, the card requests the authorization of the second card reader, and the second card reader sends the card to K2.
  • the card After the authentication information is obtained, the card obtains the plaintext of the local storage K2 after receiving the authentication information, and authenticates the authentication information.
  • the corresponding authentication information is returned to the second card reader, and the second card is read.
  • the device authenticates the authentication information, and after the authentication is passed, determines to authorize the card, and returns corresponding response information, and the card is received. After the response information, determining II card reader have to be authorized to K3 'decrypts the plaintext K3.
  • the card requests the authorization of the third card reader, and the third card reader sends the authentication information calculated by K3 to the card, and after receiving the authentication information, the card obtains the plaintext of the local storage K3, and performs the authentication information.
  • the certification is passed, the corresponding authentication information is returned to the third card reader, and the third card reader authenticates the authentication information, and after the authentication is passed, the card is authorized to be authorized. Thereby, linkage authorization between multiple card readers is realized.
  • the second state may be an unavailable state, and the authentication key in the second state may not be directly used to authenticate the authentication information sent by the card reader.
  • the second authentication key in the second state of the second card reader is pre-stored in the card Key, the card can only obtain the second authentication key in the first state by using the first authentication key in the first state to calculate the second authentication key in the second state, and then obtain the second card reader in the first state.
  • Authorization In a specific implementation process, the card may store all the authentication keys in the first state in the same storage area, and store all the authentication keys in the second state in another storage area, so as to facilitate the card call and the same state. The next authentication key is processed in batches.
  • the card may store the second authentication key in the first state in a buffer area, where the buffer area refers to an accessor that can perform high-speed data exchange, for example, a Random Access Memory (RAM). Storing the second authentication key in the first state in the buffer area can improve the speed at which the card reads the first authentication key and the second authentication key in the first state.
  • the second authentication key is stored in the form of the second state that is unavailable, ensuring the storage security of the second authentication key; and the card only uses the first authentication in the first state.
  • the key can calculate the second authentication key in the first state, that is, the card must obtain the authorization of the first card reader to obtain the authorization of the second card reader, thus implementing the first card reader and the second reading.
  • the linkage of the card is not a card reader.
  • the card may empty the buffer area under predetermined conditions, and thus, as an embodiment of the present invention
  • the method provided in this embodiment further includes: clearing the buffer area when a preset time arrives or a preset event occurs.
  • the card can be timed from when it is activated, and all data in the buffer area is cleared every preset time.
  • the card may also start timing when the second authentication key in the first state is stored in the buffer area, and the buffer area is cleared every predetermined time.
  • the preset time may have an initial value. If the length of the preset time is not set in the card, the card clears the buffer area according to the initial preset time. It is also possible to set the length of the preset time in the card so that the preset time is not equal to the initial value, and the card clears the buffer area according to the reset preset time.
  • the preset event may be that the first authentication information is not authenticated.
  • the buffer area is cleared, which can save the storage space of the buffer area.
  • the method further includes: the card acquiring the attribute information of the current authentication, The attribute information is encrypted and stored; before the card receives the authentication command sent by the first card reader, the method may further include: the first card reader obtains the identification information of the card, and the first card reader sends an authentication instruction to the card; The first card reader sends a notification including at least the identification information of the card to the background; the background acquires and stores the attribute information of the current authentication of the card according to the notification, for example, the first card reader can send a card search instruction, and the card responds to the card search.
  • the instruction sends a card seek response to the first card reader, and the first card reader receives the card search response, and obtains the identification information of the card from the card search response.
  • the method may further include: acquiring encrypted attribute information stored in the card; decrypting the encrypted attribute information; and comparing the decrypted attribute information with the attribute information of the card stored in the background If it does not match, the identification card is an illegal card.
  • the card may be instructed to delete each authentication key of the internal cache, that is, the card is restored.
  • the initial setting indicates that the card is illegal in the background or each card reader, and the card cannot be authorized. Therefore, it can be avoided that the background cannot be known that the card is illegally read.
  • the attribute information of the current authentication of the card may be attribute information of the first card reader for authenticating the card, for example, the time, location, and first card reader of the first card reader for authenticating the card. Information such as the cumulative number of times the authentication command is sent.
  • the recording mode of the location may be a serial number of the first card reader, and the serial number of the first card reader may be associated with the location of the first card reader, and may be determined according to the serial number of the first card reader.
  • the location of the first card reader; in addition, a chip having a positioning function may be disposed inside the first card reader, and the location information of the card authentication by the first card reader may be acquired according to the positioning chip.
  • the attribute information is encrypted and stored in the card, which prevents the attribute information inside the card from being acquired by other illegal devices, and ensures the security of the attribute information.
  • the attribute information of the current authentication is associated with the identification information of the card and stored.
  • the encrypted attribute information stored in the card may be read by the background or read by the proprietary device capable of reading the attribute information inside the card, and the encrypted attribute information is decrypted and decrypted.
  • the attribute information is compared with the attribute information of the card recorded in the background. If the comparison is inconsistent, the card has the risk of being illegally read by the illegal device, and the card is identified as an illegal card.
  • the illegal device can be prevented from attacking the card, the illegal authentication command is initiated, and the data inside the card is obtained, thereby breaking the card.
  • FIG. 2 is a schematic structural diagram of the card 21 provided in this embodiment.
  • the structure of the card 21 is briefly described. For other matters not mentioned, refer to the description in Embodiment 1.
  • the card 21 provided in this embodiment includes: a first receiving module 2101, configured to receive an authentication command sent by the first card reader, where the authentication command carries the identification information and the first authentication information;
  • the first obtaining module 2102 is configured to obtain, according to the identifier information, a first authentication key in a first state corresponding to the first card reader, where the first state is an available state, and the first authentication module 2103 is configured to use the first An authentication key is used to authenticate the first authentication information, and in the case that the authentication is passed, the first sending module 2104 is triggered; the first sending module 2104 is configured to send the second authentication information to the first card reader; the first receiving module 2101.
  • the method is further configured to receive the authentication response information returned by the first card reader.
  • the second obtaining module 2105 is configured to perform the authentication on the first authentication information by the first authentication module 2103, and the authentication pass or the authentication response information indicates the card.
  • the second authentication key in the first state corresponding to the second card reader is obtained by using the first authentication key in the first state, and the second authentication key in the first state is dense.
  • the key is sent to the first storage module 2106, wherein the second card reader gives the card authorization condition that the card has successfully obtained the authorization of the first card reader; the first storage module 2106 is configured to store the first state. Two authentication keys.
  • each card reader corresponds to an authentication key, and the card is only used and the first card is read.
  • the first authentication key in the available state corresponding to the device can authenticate the first authentication information of the first card reader, and send the authentication information to the first card reader, so as to obtain the authorization of the first card reader, and After the first authentication information is authenticated by the card using the first authentication key, the second authentication key in the first state of the second card reader is obtained according to the first authentication key in the first state, thereby implementing authentication. Hierarchical management of keys.
  • the first receiving module 2101 and the first sending module 2104 may be separate modules, or may be integrated in the same communication module.
  • the first receiving module 2101 and the first sending module 2104 may be a contactless communication module or a contact communication module.
  • the first storage module 2106 can be a buffer area, for example, a Random Access Memory (RAM). Data in the buffer area enables high-speed data exchange.
  • RAM Random Access Memory
  • the second acquisition The module 2105 acquires the second authentication key in the first state corresponding to the second card reader by using the first authentication key in the first state.
  • the card 21 further includes: a second storage module 2107, configured to store a second authentication key in a second state corresponding to the second card reader;
  • the second obtaining module 2105 acquires the second authentication key in the first state corresponding to the second card reader by using the first authentication key in the first state and the second storage module 2107
  • the second authentication key in the second state corresponding to the card reader is calculated to obtain the second authentication key in the first state.
  • the second storage module 2107 is configured to store an authentication key in the second state.
  • the second storage module 2107 may be a non-Volatile Random Access Memory (NVRAM), and the stored data will not be lost even after the NVRAM is powered off.
  • NVRAM non-Volatile Random Access Memory
  • the second authentication key in the second state includes: an encrypted second authentication key; and the second obtaining module 2105 is configured to correspond to the second card reader in the following manner.
  • the second authentication key in the second state is calculated to obtain the second authentication key in the first state: using the first authentication key in the first state to store the second card reader stored in the second storage module 2107
  • the corresponding encrypted second authentication key is decrypted to obtain a decrypted second authentication key.
  • the card can empty the buffer area under predetermined conditions, and thus, as the present invention
  • the card 21 provided in this embodiment further includes: an emptying module 2108, configured to clear the first storage module 2106 when a preset time arrives or a preset event occurs.
  • the stored data may include: the first authentication module 2103 fails to authenticate the first authentication information.
  • the clearing module 2108 arrives at a preset time or a preset event occurs, the first storage module 2106 is emptied, and the storage space of the first storage module 2106 can be saved.
  • the card 21 provided in this embodiment further includes: a third obtaining module 2109, an encryption module 2110, a third storage module 2111, and a response module 2112;
  • the third obtaining module 2109 is configured to obtain the attribute information of the current authentication after receiving the authentication instruction sent by the first card reader, and The information is sent to the encryption module 2110.
  • the encryption module 2110 is configured to receive the attribute information, and encrypt the attribute information to obtain the attribute information ciphertext, and send the attribute information ciphertext to the third storage module 2111.
  • the third storage module 2111 receives The attribute information ciphertext is stored; the response module 2112 is configured to send the attribute information ciphertext stored by the third storage module 2111 in response to the read instruction.
  • the attribute information is encrypted and stored in the third storage module 2111, and the attribute information can be obtained by other illegal devices to ensure the security of the attribute information.
  • the authorization system includes a first card reader 22 and a card 21.
  • the card 21 in this embodiment is the same as the card 21 in the second embodiment.
  • the structure of the authorization system is briefly described. For other unworked matters, refer to the description in Embodiment 1.
  • the first card reader 22 includes: a second receiving module 221, configured to receive second authentication information sent by the card 21; and an authorization module 222, configured to determine, according to at least the second authentication information, whether the card is 21 or not Authorization; a second sending module 223, configured to send, to the card 21, response information indicating whether the card 21 is authorized.
  • each card reader corresponds to an authentication key
  • the card can only use the first authentication key in the available state corresponding to the first card reader to be the first card reader.
  • An authentication information is authenticated, and the authentication information is sent to the first card reader, so as to obtain the authorization of the first card reader, and obtain the first state of the second card reader according to the first authentication key in the first state.
  • the second authentication key thereby implementing hierarchical management of the authentication key. Therefore, for a card reader with a higher security level, corresponding control authority can be set, for example, if one card has been authorized by one or more other card readers, according to the other one or more card readers.
  • the authentication key in one state acquires the authentication key in the first state of the card reader, and thus it is possible to obtain the authorization of the card reader.
  • the authorization module 222 may determine, according to the second authentication information, whether it is a card authorization, or may perform a determination jointly with the background. Therefore, as an optional implementation manner of the embodiment of the present invention, as shown in FIG. 5, the authorization system provided in this embodiment further includes: a background 23; an authorization module 222, including: a sending unit 2221, configured to send a second to the background 23
  • the authentication unit 2222 is configured to receive an authentication result obtained by the background 23 at least authenticating the second authentication information.
  • the authorization unit 2223 is configured to determine, according to the authentication result, whether the card 21 is authorized.
  • the background 23 includes: a third receiving module. 231.
  • the second authentication module 232 is configured to receive the second authentication information.
  • the second authentication module 232 is configured to perform at least the second authentication information to obtain the authentication result.
  • the third sending module 233 is configured to return the authentication result to the first card reader 22.
  • the authorization module 222 can determine whether it is a card authorization according to the second authentication information, and can also determine whether it is a card authorization according to other information. Therefore, as an optional implementation manner of the embodiment of the present invention, the authorization module is authorized.
  • the module 222 judges by the following method Whether or not the card is authorized: according to the authorization authority list of the first card reader 22, it is judged whether or not the card 21 is authorized. Whether or not the card 21 is an authorized user of the first card reader 22 is determined based on whether the card 21 is in the authorization authority list of the first card reader 22 to determine whether or not the card 21 is authorized.
  • the background 23 can authenticate the premise that the card 21 satisfies the authorization of the card 21 by the first card reader 22, and thus, as the present invention
  • the second authentication module 232 is further configured to perform authentication on the precondition for authorizing the card 21 by the first card reader 22 to obtain an authentication result.
  • the background 23 can use the first security status to record the authorization related information obtained by the card 21, and the second authentication module 232 determines whether the card 21 satisfies the authorization of the card 21 by the first card reader 22 according to the first security status. Prerequisites.
  • the system provided in this embodiment further includes: a verification device 24; a background 23, further comprising: a fourth acquisition module 234, a fourth storage module 235;
  • the card reader further includes: a fifth obtaining module 224; wherein the fifth obtaining module 224 is configured to obtain the identification information of the card 21; the sending unit 2222 is further configured to send, to the background 23, a notification that includes at least the identification information of the card 21.
  • the third receiving module 231 is further configured to receive the notification, the fourth obtaining module 234 is configured to obtain the attribute information of the current authentication of the card according to the notification, and the fourth storage module 235 is configured to store the attribute information of the current authentication of the card.
  • the verification device 24 is configured to acquire the encrypted attribute information from the card 21 and acquire the attribute information of the fourth storage module 235 from the background 23, decrypt the encrypted attribute information, and decrypt the attribute information obtained from the background 23 The information is compared, and if it does not match, the identification card 21 is an illegal card.
  • the verification device 24 can be a standalone device or an integral part of the background 23. With the optional implementation, it is possible to prevent the illegal device from attacking the card 21, initiate an illegal authentication command, and acquire data inside the card 21, thereby breaking the card 21.
  • portions of the invention may be implemented in hardware, software, firmware or a combination thereof.
  • multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system.
  • a suitable instruction execution system For example, if implemented in hardware, as in another embodiment, it can be implemented by any one or combination of the following techniques well known in the art: having logic gates for implementing logic functions on data signals. Discrete logic circuits, application specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), etc.
  • each functional unit in each embodiment of the present invention may be integrated into one processing component, or each unit may exist physically separately, or two or more units may be integrated into one component.
  • the above integrated components can be implemented in the form of hardware or in the form of software functional components.
  • the integrated components, if implemented in the form of software functional components and sold or used as separate products, may also be stored in a computer readable storage medium.
  • the above mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

An authorization method, system, and a card. The authorization method comprises: a card receives an authentication instruction sent by a first card reader, the authentication instruction carrying identification information and first authentication information (S101); the card obtains, according to the identification information, a first authentication key in a first state corresponding to the first card reader (S102); the card authenticates the first authentication information with the first authentication key, and sends second authentication information to the first card reader if the authentication succeeds (S103); the first card reader receives the second authentication information, determines whether to authorize the card or not at least according to the second authentication information, and sends response information to the card (S104); the card obtains, with the first authentication key in the first state, a second authentication key in the first state corresponding to a second card reader, and stores the second authentication key in the first state, a precondition for the second card reader to authorize the card being that the card has been successfully authorized by the first card reader (S105).

Description

一种授权方法、系统及卡片Authorization method, system and card

相关申请的交叉引用Cross-reference to related applications

本申请要求天地融科技股份有限公司于2016年9月9日提交中国专利局、申请号为201610815363.X、发明名称为“一种授权方法、系统及卡片”的中国专利申请的优先权。This application claims the priority of the Chinese patent application filed by the China Patent Office on September 9, 2016, with the application number 201610815363.X, and the invention name is "an authorization method, system and card".

技术领域Technical field

本发明涉及一种电子技术领域,尤其涉及一种授权方法、系统及卡片。The present invention relates to the field of electronic technologies, and in particular, to an authorization method, system, and card.

背景技术Background technique

在授权系统中,为了实现不同等级的授权,往往需要设置多个读卡器,每一个读卡器能够实现特定等级的授权。然而,现有的授权系统中,每个读卡器都是相互独立的,与其他读卡器之间没有关联。因此,不法分子只需要攻破一个读卡器,就能够获取该读卡器能够实现的授权。然而,不法分子攻破每一个读卡器所需的时间都是差不多的,即现有技术中并不能够进行更高等级授权的读卡器并没有实现更高的安全保证。In the authorization system, in order to achieve different levels of authorization, it is often necessary to set a plurality of card readers, each of which can implement a specific level of authorization. However, in the existing authorization system, each reader is independent of each other and has no association with other readers. Therefore, the criminals only need to break through a card reader to obtain the authorization that the card reader can implement. However, the time required for a criminal to break through each card reader is similar, that is, a card reader that is not capable of a higher level of authorization in the prior art does not achieve a higher security guarantee.

发明内容Summary of the invention

本发明旨在解决上述问题/之一。The present invention is directed to solving the above problems/one of them.

本发明的主要目的在于提供一种授权方法;The main object of the present invention is to provide an authorization method;

本发明的另一目的在于提供一种卡片;Another object of the present invention is to provide a card;

本发明的又一目的在于提供一种授权系统。It is still another object of the present invention to provide an authorization system.

为达到上述目的,本发明的技术方案具体是这样实现的:In order to achieve the above object, the technical solution of the present invention is specifically implemented as follows:

本发明一方面提供了一种授权方法,包括:卡片接收第一读卡器发送的认证指令,其中,所述认证指令中携带有标识信息和第一认证信息;所述卡片根据所述标识信息获取与所述第一读卡器对应的第一状态下的第一认证密钥,其中,所述第一状态为可用状态;所述卡片利用所述第一认证密钥对所述第一认证信息进行认证,在认证通过的情况下,向所述第一读卡器发送第二认证信息;所述第一读卡器接收所述第二认证信息,至少根据所述第二认证信息判断是否为所述卡片授权,并向所述卡片发送响应信息;其中,在所述卡片利用所述第一认证密钥对所述第一认证信息进行认证通过之后,所述方法还包括:所述卡片利用所述第一状态下的第一认证密钥获取第二读卡器对应的第一状态下的第二认证密钥,并存储所述第一状态下的所述第二认证密钥,所述第二读卡器给予卡片授权的前提条件为所述卡片已成功获得 所述第一读卡器的授权。An aspect of the present invention provides an authorization method, including: a card receiving an authentication instruction sent by a first card reader, wherein the authentication instruction carries identification information and first authentication information; and the card is based on the identification information. Acquiring a first authentication key in a first state corresponding to the first card reader, wherein the first state is an available state; the card using the first authentication key to the first authentication The information is authenticated, and when the authentication is passed, the second authentication information is sent to the first card reader; the first card reader receives the second authentication information, and at least determines whether the message is based on the second authentication information. Authorizing the card and transmitting response information to the card; wherein, after the card authenticates the first authentication information by using the first authentication key, the method further includes: the card Obtaining, by using the first authentication key in the first state, a second authentication key in a first state corresponding to the second card reader, and storing the second authentication key in the first state, where Description Prerequisite two card readers given authorization for the card have succeeded in obtaining Authorization of the first card reader.

本发明另一方面提供了一种卡片,包括:第一接收模块,用于接收第一读卡器发送的认证指令,其中,所述认证指令中携带有标识信息和第一认证信息;第一获取模块,用于根据所述标识信息获取与所述第一读卡器对应的第一状态下的第一认证密钥,其中,所述第一状态为可用状态;第一认证模块,用于利用所述第一认证密钥对所述第一认证信息进行认证,在认证通过的情况下,触发第一发送模块;所述第一发送模块,用于向所述第一读卡器发送第二认证信息;所述第一接收模块,还用于接收所述第一读卡器返回的认证响应信息;第二获取模块,用于在所述第一认证模块对所述第一认证信息进行认证且认证通过或所述认证响应信息指示对所述卡片进行授权的情况下,利用所述第一状态下的第一认证密钥获取第二读卡器对应的第一状态下的第二认证密钥,并将所述第一状态下的第二认证密钥发送至第一存储模块,其中,所述第二读卡器给予卡片授权的前提条件为所述卡片已成功获得所述第一读卡器的授权;所述第一存储模块,用于存储所述第一状态下的第二认证密钥。Another aspect of the present invention provides a card, including: a first receiving module, configured to receive an authentication command sent by a first card reader, where the authentication command carries identification information and first authentication information; An acquiring module, configured to acquire, according to the identifier information, a first authentication key in a first state corresponding to the first card reader, where the first state is an available state; and the first authentication module is configured to: The first authentication information is authenticated by using the first authentication key, and the first sending module is triggered when the authentication is passed; the first sending module is configured to send the first sending card to the first card reader. The first receiving module is further configured to receive the authentication response information returned by the first card reader, and the second acquiring module is configured to perform, by the first authentication module, the first authentication information. When the authentication and the authentication pass or the authentication response information indicates that the card is authorized, the first authentication key in the first state is used to acquire the second authentication in the first state corresponding to the second card reader. Key, and sending the second authentication key in the first state to the first storage module, wherein the second card reader gives the card authorization: the card has successfully obtained the first read The first storage module is configured to store the second authentication key in the first state.

本发明另一方面提供了一种授权系统,包括:第一读卡器和方案10至15任一项所述的卡片;其中,所述第一读卡器,包括:第二接收模块,用于接收所述卡片发送的第二认证信息;授权模块,用于至少根据所述第二认证信息判断是否为所述卡片授权;第二发送模块,用于向所述卡片发送指示是否为所述卡片授权的响应信息。Another aspect of the present invention provides an authorization system, comprising: a card reader according to any one of claims 10 to 15, wherein the first card reader comprises: a second receiving module, Receiving the second authentication information sent by the card; the authorization module, configured to determine, according to the second authentication information, whether the card is authorized; and the second sending module, configured to send, to the card, whether the indication is Response information for card authorization.

由上述本发明提供的技术方案可以看出,本发明提供了一种授权方法,每一个读卡器对应一个认证密钥,卡片只有利用与第一读卡器对应的可用状态下的第一认证密钥,才能对第一读卡器的第一认证信息进行认证,并向第一读卡器发送认证信息,以期获得第一读卡器的授权,并在卡片利用第一认证密钥对第一认证信息进行认证通过之后,根据第一状态下的第一认证密钥获取第二读卡器的第一状态下的第二认证密钥,从而实现认证密钥的分级管理。因而,对于安全级别较高的读卡器,可以设置对应的控制权限,例如,需要一张卡片已经获得其它一个或多个读卡器的授权,才能根据其它一个或多个读卡器的第一状态下的认证密钥获取该读卡器第一状态下的认证密钥,进而才有可能获取该读卡器的授权。It can be seen from the technical solution provided by the present invention that the present invention provides an authorization method, each card reader corresponding to an authentication key, and the card only uses the first authentication in the available state corresponding to the first card reader. The key can authenticate the first authentication information of the first card reader, and send the authentication information to the first card reader, in order to obtain the authorization of the first card reader, and use the first authentication key pair in the card. After the authentication information is passed, the second authentication key in the first state of the second card reader is obtained according to the first authentication key in the first state, thereby implementing hierarchical management of the authentication key. Therefore, for a card reader with a higher security level, corresponding control authority can be set, for example, if one card has been authorized by one or more other card readers, according to the other one or more card readers. The authentication key in one state acquires the authentication key in the first state of the card reader, and thus it is possible to obtain the authorization of the card reader.

附图说明DRAWINGS

为了更清楚地说明本发明实施例的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域的普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他附图。In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the present invention, Those of ordinary skill in the art will be able to obtain other figures from these drawings without the inventive effort.

图1为本发明实施例1提供的授权方法的流程图;1 is a flowchart of an authorization method according to Embodiment 1 of the present invention;

图2为本发明实施例2提供的授权系统的一种结构示意图;2 is a schematic structural diagram of an authorization system according to Embodiment 2 of the present invention;

图3为本发明实施例2提供的授权系统的另一种结构示意图; 3 is another schematic structural diagram of an authorization system according to Embodiment 2 of the present invention;

图4为本发明实施例3提供的卡片的一种结构示意图;4 is a schematic structural diagram of a card according to Embodiment 3 of the present invention;

图5为本发明实施例3提供的卡片的另一种结构示意图。FIG. 5 is a schematic diagram of another structure of a card according to Embodiment 3 of the present invention.

具体实施方式detailed description

下面结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明的保护范围。The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.

下面将结合附图对本发明实施例作进一步地详细描述。The embodiments of the present invention will be further described in detail below with reference to the accompanying drawings.

实施例1Example 1

本实施例提供了一种授权方法,如图1所示,该方法包括如下步骤(S101-S105)。This embodiment provides an authorization method. As shown in FIG. 1, the method includes the following steps (S101-S105).

S101:卡片接收第一读卡器发送的认证指令,其中,认证指令中携带有标识信息和第一认证信息;S101: The card receives the authentication command sent by the first card reader, where the authentication command carries the identification information and the first authentication information;

S102:卡片根据标识信息获取与第一读卡器对应的第一状态下的第一认证密钥,其中,第一状态为可用状态;S102: The card acquires a first authentication key in a first state corresponding to the first card reader according to the identifier information, where the first state is an available state;

S103:卡片利用第一认证密钥对第一认证信息进行认证,在认证通过的情况下,向第一读卡器发送第二认证信息;S103: The card authenticates the first authentication information by using the first authentication key, and sends the second authentication information to the first card reader if the authentication passes;

S104:第一读卡器接收第二认证信息,至少根据第二认证信息判断是否为卡片授权,并向卡片发送认证响应信息;S104: The first card reader receives the second authentication information, determines, according to the second authentication information, whether it is a card authorization, and sends the authentication response information to the card.

S105,卡片利用第一状态下的第一认证密钥获取第二读卡器对应的第一状态下的第二认证密钥,并存储第一状态下的第二认证密钥,第二读卡器给予卡片授权的前提条件为卡片已成功获得第一读卡器的授权。需要说明的是,虽然图1中将步骤S105示意在步骤S104之后执行,但是,步骤105并不是只能在步骤S104之后执行,步骤S105可以在步骤S103中,卡片利用第一认证密钥对第一认证信息进行认证通过之后执行,也可以是卡片接收到骤S104中第一读卡器发送的响应信息后,确定该响应信息指示第一读卡器为卡片授权的情况下,执行步骤S105。S105. The card acquires the second authentication key in the first state corresponding to the second card reader by using the first authentication key in the first state, and stores the second authentication key in the first state, and the second card is read. The precondition for the card to be authorized is that the card has successfully obtained the authorization of the first card reader. It should be noted that although step S105 is illustrated in FIG. 1 after step S104, step 105 is not only performed after step S104, and step S105 may be performed in step S103, the card uses the first authentication key pair. After the authentication information is sent after the authentication is passed, the card may receive the response information sent by the first card reader in step S104, and if it is determined that the response information indicates that the first card reader is authorized by the card, step S105 is performed.

通过本实施例提供的授权方法,每一个读卡器对应一个认证密钥,卡片只有利用与第一读卡器对应的可用状态下的第一认证密钥,才能对第一读卡器的第一认证信息进行认证,并向第一读卡器发送认证信息,以期获得第一读卡器的授权,并在卡片利用第一认证密钥对第一认证信息进行认证通过之后,根据第一状态下的第一认证密钥获取第二读卡器的第一状态下的第二认证密钥,从而实现认证密钥的分级管理。因而,对于安全级别较高的读卡器,可 以设置对应的控制权限,例如,需要一张卡片已经获得其它一个或多个读卡器的授权,才能根据其它一个或多个读卡器的第一状态下的认证密钥获取该读卡器第一状态下的认证密钥,进而才有可能获取该读卡器的授权。With the authorization method provided in this embodiment, each card reader corresponds to an authentication key, and the card can only use the first authentication key in the available state corresponding to the first card reader to be the first card reader. An authentication information is authenticated, and the authentication information is sent to the first card reader, so as to obtain the authorization of the first card reader, and after the card authenticates the first authentication information by using the first authentication key, according to the first state The first first authentication key acquires the second authentication key in the first state of the second card reader, thereby implementing hierarchical management of the authentication key. Therefore, for a card reader with a higher security level, To set the corresponding control authority, for example, if a card needs to be authorized by one or more other card readers, the card reader can be obtained according to the authentication key in the first state of the other card reader or cards. The authentication key in the first state, in order to obtain the authorization of the card reader.

在本实施例中,卡片可以为磁条卡、集成电路卡(Integrated Circuit Card,简称IC卡)、智能卡等类型的卡片,在本实施例中不作具体限定,只要能够被读卡器读取的卡片,均在本实施例的保护范围之内。第一读卡器为当前与卡片交互的读卡器,第一读卡器的类型与卡片的类型相对应,例如:当卡片为磁条卡时,第一读卡器可以为磁卡读卡器;当卡片为IC卡时,第一读卡器可以为IC卡读卡器;第一读卡器也可以为其他类型的读卡器,在本实施例中不作具体限定。In this embodiment, the card may be a magnetic stripe card, an integrated circuit card (IC card), a smart card, or the like, which is not limited in this embodiment, as long as it can be read by the card reader. Cards are all within the scope of this embodiment. The first card reader is a card reader currently interacting with the card, and the type of the first card reader corresponds to the type of the card, for example, when the card is a magnetic stripe card, the first card reader may be a magnetic card reader. When the card is an IC card, the first card reader can be an IC card reader; the first card reader can also be other types of card readers, which is not specifically limited in this embodiment.

另外,在本实施例中,卡片可以为接触型或非接触型。如果卡片为非接触型,卡片和第一读卡器之间进行非接触通信,通信标准可以采用ISO14443A、ISO14443B、ISO15693等标准协议。当卡片位于第一读卡器的工作距离以内时,卡片与第一读卡器可以进行通信,实现无需插卡即可进行通信。当卡片为接触型时,卡片和第一读卡器之间进行接触通信,只有卡片的触点与第一读卡器的接口正确连接时,卡片才能与第一读卡器进行通信。在本实施例中,当卡片为非接触型时,第一读卡器可以周期性的广播寻卡指令,卡片如果位于第一读卡器的读卡范围,则卡片可以响应第一读卡器的寻卡指令,向第一读卡器发送寻卡响应,第一读卡器在接收到寻卡响应后,可以确定当前读取的卡片,进而向卡片发送认证指令。Further, in the present embodiment, the card may be of a contact type or a non-contact type. If the card is non-contact type, the contact between the card and the first card reader is non-contact communication, and the communication standard can adopt standard protocols such as ISO14443A, ISO14443B, and ISO15693. When the card is within the working distance of the first card reader, the card can communicate with the first card reader, enabling communication without the need for a card. When the card is in contact type, contact communication is performed between the card and the first card reader, and the card can communicate with the first card reader only when the card contact is properly connected to the interface of the first card reader. In this embodiment, when the card is non-contact type, the first card reader can periodically broadcast a card search instruction, and if the card is located in the card reading range of the first card reader, the card can respond to the first card reader. The card-finding instruction sends a card-seeking response to the first card reader, and after receiving the card-seeking response, the first card reader can determine the currently read card, and then send an authentication command to the card.

在本实施例中,第一读卡器发送的认证指令中携带的标识信息可以是第一读卡器对应的唯一标识,例如,该标识信息可以为第一读卡器的序列号,也可以是第一读卡器对应的第一认证密钥(即用于对第一认证信息进行认证的认证密钥)的标识信息。在本实施例中,卡片通过该标识信息来确定与第一读卡器对应的可用状态下的第一认证密钥,从而判断是否能对第一读卡器发送的第一认证信息进行认证。In this embodiment, the identifier information carried in the authentication command sent by the first card reader may be a unique identifier corresponding to the first card reader. For example, the identifier information may be the serial number of the first card reader, or It is identification information of a first authentication key (ie, an authentication key used to authenticate the first authentication information) corresponding to the first card reader. In this embodiment, the card determines the first authentication key in the available state corresponding to the first card reader by using the identification information, thereby determining whether the first authentication information sent by the first card reader can be authenticated.

在本实施例中,卡片中可以存储多种不同状态下的第一认证密钥,不同状态下的第一认证密钥可以分别存储在卡片的不同的存储区域中,以方便卡片进行调用。例如,第一状态下的第一认证密钥存储在第一存储区域中,其他状态下的第一认证密钥存储在第二存储区域中。卡片中可以预先存储所有读卡器的标识信息与认证密钥的映射关系,卡片接收第一读卡器的标识信息后,可以根据第一读卡器的标识信息,从第一存储区域中获取第一状态下的第一认证密钥。第一状态下的第一认证密钥指的是可以直接使用的第一认证密钥,具体的,第一状态可以为明文状态。只有第一状态下的第一认证密钥才能直接使用;其他状态下的认证密钥不能直接使用,只有将其他状态下的第一认证密钥转换为第一状态下的第一认证密钥才能使用。In this embodiment, the first authentication key in a plurality of different states may be stored in the card, and the first authentication keys in different states may be separately stored in different storage areas of the card to facilitate the calling of the card. For example, the first authentication key in the first state is stored in the first storage area, and the first authentication key in the other state is stored in the second storage area. The card may pre-store the mapping relationship between the identification information of all the card readers and the authentication key. After receiving the identification information of the first card reader, the card may be obtained from the first storage area according to the identification information of the first card reader. The first authentication key in the first state. The first authentication key in the first state refers to the first authentication key that can be directly used. Specifically, the first state may be a plain text state. Only the first authentication key in the first state can be directly used. The authentication key in other states cannot be directly used. Only the first authentication key in other states can be converted into the first authentication key in the first state. use.

在本实施例中,卡片通过第一认证信息可以对第一读卡器的身份进行认证。在具体应用 中,第一认证信息可以是第一读卡器利用自身的认证密钥对第一计算因子计算生成的第一校验值,其中,第一计算因子可以为第一读卡器生成的随机数也可以为第一读卡器给予授权的次数,还可以是该卡片请求授权的总次数,具体本实施例不作限定。第一读卡器利用认证密钥,按照预设的校验算法对第一计算因子进行计算,得到校验值,将该校验值携带在第一认证信息中发送给卡片。其中,预设的校验算法可以为MAC算法,也可以为其它检验算法,例如,签名算法,具体本实施例不作限定。而卡片在对第一认证信息进行认证时,利用获取到的第一读卡器的第一状态下的第一认证密钥,卡片采用与第一读卡器相同的检验算法,对第一计算因子进行计算得到校验值,比较计算得到的校验值和接收的第一认证信息中的校验值是否相同,如果相同,则第一认证信息认证通过,如果不相同,则第一认证信息认证不通过。如果第一认证信息认证通过,则表明第一认证信息没有被篡改且第一读卡器的身份合法,如果认证不通过,则表明第一认证信息被篡改和/或第一读卡器的身份不合法。其中,第一计算因子可以是第一读卡器携带在认证指令中发送给卡片的,也可以是卡片采用与第一读卡器相同的规则获取到的,具体本实施例不作限定。In this embodiment, the card can authenticate the identity of the first card reader by using the first authentication information. In specific applications The first authentication information may be a first check value generated by the first card reader by using the own authentication key to calculate the first calculation factor, where the first calculation factor may be a random number generated by the first card reader. The number of times that the first card reader is authorized, and the total number of times the card is requested for authorization, which is not limited in this embodiment. The first card reader uses the authentication key to calculate the first calculation factor according to a preset verification algorithm to obtain a check value, and the check value is carried in the first authentication information and sent to the card. The preset verification algorithm may be a MAC algorithm, or may be another verification algorithm, for example, a signature algorithm, which is not limited in this embodiment. When the card authenticates the first authentication information, the first authentication key in the first state of the obtained first card reader is used, and the card adopts the same verification algorithm as the first card reader, and the first calculation is performed on the card. The factor is calculated to obtain a check value, and the calculated check value is compared with the check value in the received first authentication information. If the same, the first authentication information is authenticated. If not, the first authentication information is obtained. The certification did not pass. If the first authentication information is authenticated, it indicates that the first authentication information has not been tampered with and the identity of the first card reader is legal. If the authentication fails, the first authentication information is tampered with and/or the identity of the first card reader. illegal. The first calculation factor may be that the first card reader is carried in the authentication command and sent to the card, or the card is obtained by using the same rule as the first card reader, which is not limited in this embodiment.

在本实施例中,卡片在对第一认证信息认证通过的情况下,卡片才会生成第二认证信息。向第一读卡器发送第二认证信息,其中,第二认证信息可以是卡片利用认证密钥对第二计算因子按照预设的校验算法进行计算生成的校验值,或者,第二认证信息也可以是卡片利用认证密钥对第一计算因子和第二计算因子按照预设的校验算法进行计算生成的第三校验值,其中,第二计算因子可以为卡片按照与第一读卡器(或者后台)约定的算法生成的,也可以是卡片获得授权的次数的计数,还可以是卡片生成的随机因子(在这种情况下,卡片可以将第二计算因子与第二认证信息一起发送给第一读卡器)等。In this embodiment, the card generates the second authentication information when the card passes the authentication of the first authentication information. Sending the second authentication information to the first card reader, where the second authentication information may be a verification value generated by the card using the authentication key to calculate the second calculation factor according to a preset verification algorithm, or the second authentication. The information may also be a third verification value generated by the card using the authentication key to calculate the first calculation factor and the second calculation factor according to a preset verification algorithm, wherein the second calculation factor may be the card according to the first reading. The algorithm generated by the card (or background) agreed by the algorithm may also be a count of the number of times the card is authorized, or may be a random factor generated by the card (in this case, the card may use the second calculation factor and the second authentication information) Send it to the first card reader together).

作为本发明实施例的一个可选实施方式,第一读卡器在接收第二认证信息后,可以自己至少根据第二认证信息判断是否为卡片授权,也可以与后台联合进行判断。例如,第一读卡器可以自己至少对第二认证信息进行认证,获取认证结果,然后至少根据认证结果判断是否为卡片授权;或者,第一读卡器也可以将第二认证信息发送至后台,后台至少对第二认证信息进行认证,将认证结果返回给第一读卡器,然后第一读卡器至少根据认证结果判断是否为卡片授权。As an optional implementation manner of the embodiment of the present invention, after receiving the second authentication information, the first card reader may determine whether it is a card authorization according to at least the second authentication information, or may perform a judgment jointly with the background. For example, the first card reader can authenticate at least the second authentication information by itself, obtain the authentication result, and then determine whether it is the card authorization according to at least the authentication result; or the first card reader can also send the second authentication information to the background. The background authentication is performed on at least the second authentication information, and the authentication result is returned to the first card reader, and then the first card reader determines whether the card is authorized according to at least the authentication result.

在上述可选实施方式中,第一读卡器或后台对第二认证信息进行认证时,利用卡片的认证密钥,采用与卡片相同的检验算法,对第二计算因子、或者第一计算因子和第二计算因子进行计算生成校验值,比较计算得到的校验值和接收的第二认证信息中的校验值是否相同,如果相同,则第二认证信息认证通过,如果不相同,则第二认证信息认证不通过。如果第二认证信息认证通过,则表明第二认证信息没有被篡改且卡片的身份合法,如果认证不通过,则表明第二认证信息篡改和/或卡片的身份不合法。第一读卡器只根据认证结果判断是否为 卡片授权的情况下,如果第二认证信息认证通过,向卡片发送指示成功授权的响应信息,如果第二认证信息认证不通过,向卡片发送指示不授权的响应信息。In the above optional implementation manner, when the first card reader or the background authenticates the second authentication information, using the authentication key of the card, using the same verification algorithm as the card, the second calculation factor, or the first calculation factor Computation with the second calculation factor to generate a check value, and comparing whether the calculated check value and the received check value in the second authentication information are the same. If they are the same, the second authentication information is authenticated. If not, then The second authentication information authentication fails. If the second authentication information is authenticated, it indicates that the second authentication information has not been tampered with and the identity of the card is legal. If the authentication fails, the second authentication information is falsified and/or the identity of the card is invalid. The first card reader only judges whether it is based on the authentication result. In the case of card authorization, if the second authentication information is authenticated, the response information indicating successful authorization is sent to the card, and if the second authentication information is not authenticated, the response information indicating that the authorization is not authorized is sent to the card.

在本实施例中,第一读卡器除了可以根据第二认证信息判断是否为卡片授权之外,还可以根据其他信息判断是否为卡片授权,因此,作为本发明实施例的一个可选实施方式,在对第二认证信息进行的认证结果指示认证通过的情况下,进一步根据第一读卡器的授权权限列表,判断是否为卡片授权。根据卡片是否在第一读卡器的授权权限列表中判断是否为卡片授权,即判断卡片是否为第一读卡器的授权用户。在具体应用中,第一读卡器的授权权限列表可以存储在后台,也可以存储在第一读卡器本地,如果是存储在第一读卡器本地,则由第一读卡器进行判断,如果是存储在后台,则由后台进行判断,最后结合对第二认证信息进行认证的认证结果判断是否为卡片授权。例如,如果由后台对第二认证信息进行认证且授权权限列表存储在后台,则后台对第二认证信息进行认证通过之后,进一步判断卡片是否在第一读卡器的授权权限列表中,如果是,则向第一读卡器认证通过的认证结果,第一读卡器根据该认证结果,确定对该卡片进行授权;如果是由第一读卡器对第二认证信息进行认证而授权权限列表存储在第一读卡器,则后台对第二认证信息进行认证通过之后,向第一读卡器返回指示第二认证信息是否认证通过的认证结果,如果该认证结果指示第二认证信息认证通过,则第一读卡器进一步判断卡片是否在第一读卡器的授权权限列表中,如果是,则确定对该卡片进行授权,否则确定不对卡片进行授权。另外,如果由第一读卡器对第二认证信息进行认证且授权权限列表存储在第一读卡器,则第一读卡器对第二认证信息进行认证通过之后,进一步判断卡片是否在第一读卡器的授权权限列表中,如果是,则确定对该卡片进行授权;而由第一读卡器对第二认证信息进行认证且授权权限列表存储在后台的情况下,第一读卡器对第二认证信息进行认证通过之后,可以将卡片的相关信息发送给后台,后台判断卡片是否在第一读卡器的授权权限列表中,将判断结果返回给第一读卡器,第一读卡器根据返回的判断结果判断是否对该卡片进行授权。In this embodiment, the first card reader can determine whether it is a card authorization according to the second authentication information, and can determine whether the card is authorized according to other information. Therefore, as an optional implementation manner of the embodiment of the present invention, If the authentication result of the second authentication information indicates that the authentication is passed, further determining whether the card is authorized according to the authorization authority list of the first card reader. Whether the card is an authorized user of the first card reader is determined whether the card is authorized by the card according to whether the card is in the authorization permission list of the first card reader. In a specific application, the authorization list of the first card reader may be stored in the background, or may be stored locally in the first card reader, and if it is stored locally in the first card reader, it is judged by the first card reader. If it is stored in the background, it is judged by the background, and finally, it is combined with the authentication result of authenticating the second authentication information to determine whether it is a card authorization. For example, if the second authentication information is authenticated by the background and the authorized permission list is stored in the background, after the background authenticates the second authentication information, it is further determined whether the card is in the authorization permission list of the first card reader, and if And authenticating the authentication result to the first card reader, the first card reader determines to authorize the card according to the authentication result; and if the first card reader authenticates the second authentication information, the authorization permission list is After being stored in the first card reader, the background authentication of the second authentication information is passed, and the first card reader is returned with an authentication result indicating whether the second authentication information is authenticated, if the authentication result indicates that the second authentication information is authenticated. Then, the first card reader further determines whether the card is in the authorization permission list of the first card reader, and if so, determines to authorize the card, otherwise determines that the card is not authorized. In addition, if the second authentication information is authenticated by the first card reader and the authorization authority list is stored in the first card reader, after the first card reader authenticates the second authentication information, it is further determined whether the card is in the first In the list of authorized rights of a card reader, if yes, it is determined that the card is authorized; and when the first card reader authenticates the second authentication information and the authorized permission list is stored in the background, the first card is read. After the second authentication information is authenticated, the device can send the related information of the card to the background, and the background determines whether the card is in the authorization permission list of the first card reader, and returns the determination result to the first card reader, first The card reader determines whether to authorize the card based on the returned judgment result.

作为本发明实施例的一个可选实施方式,为了提高授权方法的安全性,可以在后台对卡片是否满足第一读卡器给予卡片授权的前提条件进行认证。在具体实施过程中,后台可以使用第一安全状态记录卡片获得的授权的相关信息。As an optional implementation manner of the embodiment of the present invention, in order to improve the security of the authorization method, the premise that the card satisfies the authorization of the card by the first card reader may be authenticated in the background. In a specific implementation process, the background may use the first security status to record information about the authorization obtained by the card.

在具体实施过程中,第一读卡器给予卡片授权的前提条件中可以只包括一组第三读卡器已对同一卡片进行授权,后台只需根据第一安全状态判断卡片是否已成功获得第一读卡器给予卡片授权的前提条件中所有第三读卡器的授权,如果卡片已成功获得前提条件中所有第三读卡器的授权,则卡片满足第一读卡器给予授权的前提条件,否则,卡片不满足第一读卡器给予授权的前提条件。In the specific implementation process, the pre-condition for granting the card authorization by the first card reader may include only a group of third card readers that have authorized the same card, and the background only needs to judge whether the card has been successfully obtained according to the first security state. The authorization of all the third card readers in the precondition of the card authorization given by the card reader. If the card has successfully obtained the authorization of all the third card readers in the precondition, the card satisfies the precondition of the authorization given by the first card reader. Otherwise, the card does not satisfy the preconditions for the authorization given by the first card reader.

在具体应用中,为了增加安全性,第一读卡器给予授权的前提条件中还可以限定一组第 三读卡器对同一卡片进行授权的顺序和/或每个第三读卡器对同一卡片授权的有效时间。对应地,第一安全状态还包括:卡片成功获得授权的顺序,和/或,卡片成功获取授权的时间,即后台还需要记录成功获得各个读卡器授权的顺序和/或时间。后台根据第一安全状态判断卡片是否满足控制权限时,包括:还可以根据第一安全状态判断卡片成功获得授权的顺序是否与前提条件中的授权顺序一致;和/或,根据第一安全状态判断卡片成功获得授权的时间是否在前提条件中的有效时间内。如果卡片成功获得授权的顺序与前提条件中的授权顺序一致,和/或卡片成功获得授权的时间在前提条件中的有效时间内,则卡片满足第一读卡器给予授权的前提条件,否则,卡片不满足第一读卡器给予授权的前提条件。In a specific application, in order to increase security, the first card reader can also define a group of preconditions for granting authorization. The order in which the third card authorizes the same card and/or the effective time each third card reader authorizes the same card. Correspondingly, the first security state further includes: the order in which the card is successfully authorized, and/or the time when the card successfully obtains the authorization, that is, the background also needs to record the order and/or time of successfully obtaining the authorization of each card reader. When the background determines whether the card satisfies the control authority according to the first security state, the method further includes: determining, according to the first security state, whether the order in which the card is successfully authorized is consistent with the authorization order in the precondition; and/or determining according to the first security state Whether the time the card was successfully authorized is within the valid time of the precondition. If the order in which the card is successfully authorized is consistent with the authorization order in the precondition, and/or the time when the card is successfully authorized is within the valid time in the precondition, the card satisfies the precondition of the authorization given by the first card reader; otherwise, The card does not satisfy the preconditions for the authorization given by the first card reader.

在本实施例中,在卡片对第一认证信息认证通过之后,卡片可以直接利用第一状态下的第一认证密钥获取第二读卡器对应的第一状态下的第二认证密钥,或者,卡片接收的认证响应信息为对卡片进行授权的情况下,卡片才利用第一状态下的第一认证密钥获取第二读卡器对应的第一状态下的第二认证密钥。卡片获取第一状态下的第二认证密钥后,可以将第一状态下的第二认证密钥存储在卡片的存储区域中,当卡片需要获取第二读卡器的授权时,可以使用第一状态下的第二认证密钥对第二读卡器发送的认证信息进行认证,进而获得第二读卡器的授权。In this embodiment, after the card authenticates the first authentication information, the card can directly acquire the second authentication key in the first state corresponding to the second card reader by using the first authentication key in the first state. Alternatively, in the case that the authentication response information received by the card is the authorization of the card, the card acquires the second authentication key in the first state corresponding to the second card reader by using the first authentication key in the first state. After the card acquires the second authentication key in the first state, the second authentication key in the first state may be stored in the storage area of the card. When the card needs to obtain the authorization of the second card reader, the second The second authentication key in one state authenticates the authentication information sent by the second card reader, thereby obtaining the authorization of the second card reader.

作为本发明实施例的一个可选实施方式,卡片利用第一状态下的第一认证密钥获取第二读卡器对应的第一状态下的第二认证密钥,包括:卡片利用第一状态下的第一认证密钥对本地存储的与第二读卡器对应的第二状态下的第二认证密钥进行计算,得到第一状态下的第二认证密钥。As an optional implementation manner of the embodiment of the present invention, the card acquires the second authentication key in the first state corresponding to the second card reader by using the first authentication key in the first state, including: using the first state of the card The first first authentication key calculates a second authentication key in the second state corresponding to the second card reader that is stored locally, and obtains the second authentication key in the first state.

作为本发明实施例的一个可选实施方式,第二状态下的第二认证密钥包括:加密的第二认证密钥;卡片利用第一状态下的第一认证密钥对本地存储的与第二读卡器对应的第二状态下的第二认证密钥进行计算,得到第一状态下的第二认证密钥,包括:卡片利用第一状态下的第一认证密钥对本地存储的与第二读卡器对应的加密的第二认证密钥进行解密,得到解密的第二认证密钥。即在该可选实施方式中,第一状态指的是解密状态,即明文状态,第二状态指的是加密状态。卡片能够将第一状态下的第一认证密钥作为解密密钥,对加密的第二认证密钥进行解密,得到解密的第二认证密钥,即明文的第二认证密钥。在卡片对第一认证信息认证通过之前,第二认证密钥以密文的形式存储,保证了第二认证密钥的存储安全。As an optional implementation manner of the embodiment of the present invention, the second authentication key in the second state includes: an encrypted second authentication key; the card is stored locally by using the first authentication key in the first state. The second authentication key in the second state corresponding to the second card reader is calculated, and the second authentication key in the first state is obtained, including: the card is stored locally by using the first authentication key in the first state. The encrypted second authentication key corresponding to the second card reader is decrypted to obtain a decrypted second authentication key. That is, in the alternative embodiment, the first state refers to a decrypted state, that is, a plaintext state, and the second state refers to an encrypted state. The card can decrypt the encrypted second authentication key by using the first authentication key in the first state as a decryption key, and obtain the decrypted second authentication key, that is, the second authentication key of the plaintext. Before the card authenticates the first authentication information, the second authentication key is stored in the form of cipher text, which ensures the storage security of the second authentication key.

例如,在该可选实施方式中,第二状态下的第二认证密钥可以是采用第一状态的第一认证密钥对第一状态下的第二认证密钥进行加密得到的,卡片利用第一状态下的第一认证密钥获取第一状态下的第二认证密钥时,使用第一状态下的第一认证密钥对第二状态下的第二认证密钥进行解密,即得到第一状态下的第二认证密钥。即在该可选实施方式中,在初始状态下,可以根据各个读卡器给予授权的前提条件,对卡片中存储的认证密钥进行处理,对于需 要第一读卡器已对卡片进行授权才能对卡片进行授权的第二读卡器的第二认证密钥,在存储时,可以使用第一读卡器的第一认证密钥对第二读卡器的第二认证密钥进行加密存储,并在卡片中设置解密机制:卡片在对第一读卡器发送的第一认证信息进行认证通过之后,或在接收到指示第一读卡器已对卡片进行授权的响应之后,解密第二读卡器的加密第二认证密钥,以得到第二读卡器的第二认证密钥的明文,使得后续卡片在请求第二读卡器的授权时,能够成功的使用第二认证密钥对第二读卡器发送的认证信息进行认证。For example, in the optional implementation, the second authentication key in the second state may be obtained by encrypting the second authentication key in the first state by using the first authentication key in the first state, and the card is utilized. When the first authentication key in the first state acquires the second authentication key in the first state, the second authentication key in the second state is decrypted using the first authentication key in the first state, that is, The second authentication key in the first state. That is, in the optional implementation manner, in the initial state, the authentication key stored in the card may be processed according to the preconditions for granting authorization by each card reader. The second authentication key of the second card reader that the first card reader has authorized the card to authorize the card, when storing, may use the first authentication key of the first card reader for the second reading The second authentication key of the card device is encrypted and stored, and a decryption mechanism is set in the card: after the card passes the authentication of the first authentication information sent by the first card reader, or after receiving the indication that the first card reader has been After responding to the authorization of the card, decrypting the encrypted second authentication key of the second card reader to obtain the plaintext of the second authentication key of the second card reader, so that the subsequent card is authorized to request the second card reader At the same time, the authentication information sent by the second card reader can be successfully authenticated using the second authentication key.

以一个包含三个读卡器的系统为例,假设三个读卡器的编号分别为一号读卡器、二号读卡器和三号读卡器。一号读卡器给予授权的前提条件可以为同一卡片不需要获得任何读卡器的授权,其对应的认证密钥为K1,二号读卡器给予授权的前提条件可以为同一卡片已成功获得一号读卡器的授权,其对应的认证密钥为K2,三号读卡器给予授权的前提条件可以为同一卡片已成功获得一号读卡器和二号读卡器的授权,且获得授权的顺序为:先获得一号读卡器的授权,然后再获得二号读卡器的授权,三号读卡器对应的认证密钥为K3。则在初始状态下,卡片中存储的认证密钥形式为:明文的K1,以K1对K2进行加密得到的K2的密文K2‘,以及以K2对K3进行加密得到的K3的密文K3‘。在使用时,如果卡片首先请求二号读卡器的授权,二号读卡器向卡片发送以K2进行计算得到的认证信息,卡片接收到该认证信息之后,由于本地没有存储K2的明文,无法对该认证信息进行认证,从而无法向二号读卡器返回相应的认证信息,无法获得二号读卡器的授权。如果卡片首先请求一号读卡器的授权,一号读卡器向卡片发送以K1进行计算得到的认证信息,卡片接收到该认证信息之后,获取本地存储K1的明文,对该认证信息进行认证,在认证通过之后,向一号读卡器返回相应的认证信息,一号读卡器对该认证信息进行认证,认证通过之后,确定对卡片进行授权,并返回相应的响应信息,卡片接收到响应信息之后,确定一号读卡器已对卡片进行授权,对K2’进行解密,得到K2的明文;之后,卡片再请求二号读卡器的授权,二号读卡器向卡片发送以K2进行计算得到的认证信息,卡片接收到该认证信息之后,获取本地存储K2的明文,对该认证信息进行认证,在认证通过之后,向二号读卡器返回相应的认证信息,二号读卡器对该认证信息进行认证,认证通过之后,确定对卡片进行授权,并返回相应的响应信息,卡片接收到响应信息之后,确定二号读卡器已对卡片进行授权,对K3’进行解密,得到K3的明文。之后,卡片再请求三号读卡器的授权,三号读卡器向卡片发送以K3进行计算得到的认证信息,卡片接收到该认证信息之后,获取本地存储K3的明文,对该认证信息进行认证,在认证通过之后,向三号读卡器返回相应的认证信息,三号读卡器对该认证信息进行认证,认证通过之后,确定对卡片进行授权。从而实现了多个读卡器之间的联动授权。Taking a system with three card readers as an example, assume that the three card readers are numbered as the first card reader, the second card reader, and the third card reader. The precondition for granting authorization by the first card reader may be that the same card does not need to obtain authorization of any card reader, and the corresponding authentication key is K1, and the precondition for granting authorization by the second card reader may be that the same card has been successfully obtained. The authorization of the No. 1 card reader, the corresponding authentication key is K2, and the precondition for the authorization of the No. 3 card reader can be that the same card has successfully obtained the authorization of the No. 1 card reader and the No. 2 card reader, and obtained The order of authorization is: first obtain the authorization of the first card reader, then obtain the authorization of the second card reader, and the authentication key corresponding to the third card reader is K3. In the initial state, the authentication key stored in the card is: K1 of plaintext, ciphertext K2' of K2 obtained by encrypting K2 with K1, and ciphertext K3' of K3 obtained by encrypting K3 with K2. . In use, if the card first requests the authorization of the second card reader, the second card reader sends the authentication information calculated by K2 to the card, and after receiving the authentication information, the card cannot store the plaintext of K2 locally. The authentication information is authenticated, so that the corresponding authentication information cannot be returned to the second card reader, and the authorization of the second card reader cannot be obtained. If the card first requests authorization of the first card reader, the first card reader sends the authentication information calculated by K1 to the card, and after receiving the authentication information, the card obtains the plaintext of the local storage K1, and authenticates the authentication information. After the certification is passed, the corresponding authentication information is returned to the first card reader, and the first card reader authenticates the authentication information. After the authentication is passed, the card is authorized to be authorized, and the corresponding response information is returned, and the card is received. After responding to the information, it is determined that the card reader has authorized the card, decrypting K2' to obtain the plaintext of K2; after that, the card requests the authorization of the second card reader, and the second card reader sends the card to K2. After the authentication information is obtained, the card obtains the plaintext of the local storage K2 after receiving the authentication information, and authenticates the authentication information. After the authentication is passed, the corresponding authentication information is returned to the second card reader, and the second card is read. The device authenticates the authentication information, and after the authentication is passed, determines to authorize the card, and returns corresponding response information, and the card is received. After the response information, determining II card reader have to be authorized to K3 'decrypts the plaintext K3. After that, the card requests the authorization of the third card reader, and the third card reader sends the authentication information calculated by K3 to the card, and after receiving the authentication information, the card obtains the plaintext of the local storage K3, and performs the authentication information. After the certification is passed, the corresponding authentication information is returned to the third card reader, and the third card reader authenticates the authentication information, and after the authentication is passed, the card is authorized to be authorized. Thereby, linkage authorization between multiple card readers is realized.

在本实施例中,第二状态可以为不可用状态,第二状态下的认证密钥不能直接用来对读卡器发送的认证信息进行认证。卡片中预先存储了第二读卡器的第二状态下的第二认证密 钥,卡片只有使用第一状态下的第一认证密钥对第二状态下的第二认证密钥进行计算,才能得到第一状态下的第二认证密钥,进而获取第二读卡器的授权。在具体实施过程中,卡片可以将第一状态下的所有认证密钥存储在同一个存储区域,将第二状态下的所有认证密钥存储在另一个存储区域,以方便卡片调用以及对同一状态下的认证密钥进行批量处理。卡片可以将第一状态下的第二认证密钥存储在缓存区,其中,缓存区是指可以进行高速数据交换的存取器,例如,随机存取存储器(Random-Access Memory,简称RAM)。将第一状态下的第二认证密钥存储在缓存区中,可以提高卡片读取第一状态下的第一认证密钥和第二认证密钥的速度。在卡片对第一认证信息认证通过之前,第二认证密钥以不可用的第二状态的形式存储,保证了第二认证密钥的存储安全;且卡片只有使用第一状态下的第一认证密钥才能计算得到第一状态下的第二认证密钥,即卡片要获得第二读卡器的授权必须先获得第一读卡器的授权,因此实现了第一读卡器和第二读卡器的联动。In this embodiment, the second state may be an unavailable state, and the authentication key in the second state may not be directly used to authenticate the authentication information sent by the card reader. The second authentication key in the second state of the second card reader is pre-stored in the card Key, the card can only obtain the second authentication key in the first state by using the first authentication key in the first state to calculate the second authentication key in the second state, and then obtain the second card reader in the first state. Authorization. In a specific implementation process, the card may store all the authentication keys in the first state in the same storage area, and store all the authentication keys in the second state in another storage area, so as to facilitate the card call and the same state. The next authentication key is processed in batches. The card may store the second authentication key in the first state in a buffer area, where the buffer area refers to an accessor that can perform high-speed data exchange, for example, a Random Access Memory (RAM). Storing the second authentication key in the first state in the buffer area can improve the speed at which the card reads the first authentication key and the second authentication key in the first state. Before the card authenticates the first authentication information, the second authentication key is stored in the form of the second state that is unavailable, ensuring the storage security of the second authentication key; and the card only uses the first authentication in the first state. The key can calculate the second authentication key in the first state, that is, the card must obtain the authorization of the first card reader to obtain the authorization of the second card reader, thus implementing the first card reader and the second reading. The linkage of the card.

在卡片将第一状态下的第一认证密钥和第一状态下的第二认证密钥存储在缓存区的情况下,卡片可以在预定的条件下清空缓存区,因此,作为本发明实施例的一个可选实施方式,本实施例提供的方法还包括:在预设时间到达或预设事件发生时,清空缓存区。In the case where the card stores the first authentication key in the first state and the second authentication key in the first state in the buffer area, the card may empty the buffer area under predetermined conditions, and thus, as an embodiment of the present invention In an optional implementation manner, the method provided in this embodiment further includes: clearing the buffer area when a preset time arrives or a preset event occurs.

在本实施例中,卡片可以从被激活时开始计时,每隔预设时间,清空缓存区中的全部数据。卡片也可以从缓存区中存入第一状态下的第二认证密钥时开始计时,每隔预定时间,清空缓存区。在具体实施过程中,预设时间可以有一个初始值,如果卡片中没有设置预设时间的长短,则卡片按照初始的预设时间定时清空缓存区。也可以在卡片中设置预设时间的长短,使得预设时间不等于初始值,卡片按照重新设定的预设时间定时清空缓存区。也可以在卡片中设定触发清空缓存区的预设事件,当预设事件发生时,卡片执行清空缓存区的操作。具体的,预设事件可以为第一认证信息认证不通过。卡片在预设时间到达或预设事件发生时,清空缓存区,可以节省缓存区的存储空间。In this embodiment, the card can be timed from when it is activated, and all data in the buffer area is cleared every preset time. The card may also start timing when the second authentication key in the first state is stored in the buffer area, and the buffer area is cleared every predetermined time. In the specific implementation process, the preset time may have an initial value. If the length of the preset time is not set in the card, the card clears the buffer area according to the initial preset time. It is also possible to set the length of the preset time in the card so that the preset time is not equal to the initial value, and the card clears the buffer area according to the reset preset time. It is also possible to set a preset event for triggering to clear the buffer area in the card, and when the preset event occurs, the card performs the operation of clearing the buffer area. Specifically, the preset event may be that the first authentication information is not authenticated. When the card arrives at the preset time or the preset event occurs, the buffer area is cleared, which can save the storage space of the buffer area.

作为本发明实施例的一个可选实施方式,在所述卡片接收到所述第一读卡器发送的认证指令之后,所述方法还包括:所述卡片获取本次认证的属性信息,对所述属性信息进行加密后存储;在卡片接收第一读卡器发送的认证指令之前,该方法还可以包括:第一读卡器获取卡片的标识信息,第一读卡器向卡片发送认证指令;第一读卡器向后台发送至少包括卡片的标识信息的通知;后台根据通知,获取并存储卡片的本次认证的属性信息,例如,第一读卡器可以发送寻卡指令,卡片响应寻卡指令,向第一读卡器发送寻卡响应,第一读卡器接收寻卡响应,从寻卡响应中获取卡片的标识信息。在卡片对属性信息进行加密后存储之后,该方法还可以包括:获取卡片存储的加密的属性信息;对加密的属性信息进行解密;将解密得到的属性信息与后台存储的卡片的属性信息进行对比,如果不匹配,标识卡片为非法卡片。在标识该卡片为非法卡片之后,可以指示卡片删除内部缓存的各个认证密钥,即指示卡片恢复 初始设置,指示后台或各个读卡器该卡片非法,不能对该卡片进行授权。从而可以避免后台不能获知卡片被非法读取的情况。As an optional implementation manner of the embodiment of the present invention, after the card receives the authentication command sent by the first card reader, the method further includes: the card acquiring the attribute information of the current authentication, The attribute information is encrypted and stored; before the card receives the authentication command sent by the first card reader, the method may further include: the first card reader obtains the identification information of the card, and the first card reader sends an authentication instruction to the card; The first card reader sends a notification including at least the identification information of the card to the background; the background acquires and stores the attribute information of the current authentication of the card according to the notification, for example, the first card reader can send a card search instruction, and the card responds to the card search. The instruction sends a card seek response to the first card reader, and the first card reader receives the card search response, and obtains the identification information of the card from the card search response. After the card is encrypted and stored, the method may further include: acquiring encrypted attribute information stored in the card; decrypting the encrypted attribute information; and comparing the decrypted attribute information with the attribute information of the card stored in the background If it does not match, the identification card is an illegal card. After identifying that the card is an illegal card, the card may be instructed to delete each authentication key of the internal cache, that is, the card is restored. The initial setting indicates that the card is illegal in the background or each card reader, and the card cannot be authorized. Therefore, it can be avoided that the background cannot be known that the card is illegally read.

在本实施例中,卡片的本次认证的属性信息可以是第一读卡器对卡片进行认证的属性信息,例如,第一读卡器对卡片进行认证的时间、地点和第一读卡器发送认证指令的累计次数等信息。具体的,地点的记录方式可以为第一读卡器的序列号,根据第一读卡器的序列号可以与第一读卡器的位置进行关联,根据第一读卡器的序列号可以确定第一读卡器的地点;此外,也可以在第一读卡器内部设置具有定位功能的芯片,根据该定位芯片可以获取第一读卡器对卡片进行认证的地点信息。将属性信息加密后存储在卡片内部,可以防止卡片内部的属性信息被其他非法设备获取,保证属性信息的安全。In this embodiment, the attribute information of the current authentication of the card may be attribute information of the first card reader for authenticating the card, for example, the time, location, and first card reader of the first card reader for authenticating the card. Information such as the cumulative number of times the authentication command is sent. Specifically, the recording mode of the location may be a serial number of the first card reader, and the serial number of the first card reader may be associated with the location of the first card reader, and may be determined according to the serial number of the first card reader. The location of the first card reader; in addition, a chip having a positioning function may be disposed inside the first card reader, and the location information of the card authentication by the first card reader may be acquired according to the positioning chip. The attribute information is encrypted and stored in the card, which prevents the attribute information inside the card from being acquired by other illegal devices, and ensures the security of the attribute information.

在本实施例中,后台获取至少包括卡片的标识信息的通知后,将本次认证的属性信息与卡片的标识信息关联并存储。在卡片对属性信息进行加密后存储之后,可以由后台获取或者由能够读取卡片内部的属性信息的专有设备读取卡片存储的加密的属性信息,对加密的属性信息进行解密,将解密得到的属性信息与后台记录的卡片的属性信息进行比对,如果比对不一致,则卡片存在被不法设备非法读取的风险,此时将卡片标识为非法卡片。通过本可选实施方式,可以防止不法设备对卡片进行攻击,发起非法认证指令,获取卡片内部的数据,从而攻破卡片。In this embodiment, after the background obtains the notification including at least the identification information of the card, the attribute information of the current authentication is associated with the identification information of the card and stored. After the card encrypts the attribute information and stores it, the encrypted attribute information stored in the card may be read by the background or read by the proprietary device capable of reading the attribute information inside the card, and the encrypted attribute information is decrypted and decrypted. The attribute information is compared with the attribute information of the card recorded in the background. If the comparison is inconsistent, the card has the risk of being illegally read by the illegal device, and the card is identified as an illegal card. With the optional implementation manner, the illegal device can be prevented from attacking the card, the illegal authentication command is initiated, and the data inside the card is obtained, thereby breaking the card.

实施例2Example 2

本实施例提供了一种卡片,图2为本实施例提供的卡片21的结构示意图。在本实施例中,对卡片21的结构进行了简要说明,其他未尽事宜,可参见实施例1中的说明。This embodiment provides a card, and FIG. 2 is a schematic structural diagram of the card 21 provided in this embodiment. In the present embodiment, the structure of the card 21 is briefly described. For other matters not mentioned, refer to the description in Embodiment 1.

如图2所示,本实施例提供的卡片21,包括:第一接收模块2101,用于接收第一读卡器发送的认证指令,其中,认证指令中携带有标识信息和第一认证信息;第一获取模块2102,用于根据标识信息获取与第一读卡器对应的第一状态下的第一认证密钥,其中,第一状态为可用状态;第一认证模块2103,用于利用第一认证密钥对第一认证信息进行认证,在认证通过的情况下,触发第一发送模块2104;第一发送模块2104,用于向第一读卡器发送第二认证信息;第一接收模块2101,还用于接收第一读卡器返回的认证响应信息;第二获取模块2105,用于在第一认证模块2103对所述第一认证信息进行认证且认证通过或认证响应信息指示对卡片21进行授权的情况下,利用第一状态下的第一认证密钥获取第二读卡器对应的第一状态下的第二认证密钥,并将第一状态下的第二认证密钥发送至第一存储模块2106,其中,第二读卡器给予卡片授权的前提条件为卡片已成功获得第一读卡器的授权;第一存储模块2106,用于存储第一状态下的第二认证密钥。As shown in FIG. 2, the card 21 provided in this embodiment includes: a first receiving module 2101, configured to receive an authentication command sent by the first card reader, where the authentication command carries the identification information and the first authentication information; The first obtaining module 2102 is configured to obtain, according to the identifier information, a first authentication key in a first state corresponding to the first card reader, where the first state is an available state, and the first authentication module 2103 is configured to use the first An authentication key is used to authenticate the first authentication information, and in the case that the authentication is passed, the first sending module 2104 is triggered; the first sending module 2104 is configured to send the second authentication information to the first card reader; the first receiving module 2101. The method is further configured to receive the authentication response information returned by the first card reader. The second obtaining module 2105 is configured to perform the authentication on the first authentication information by the first authentication module 2103, and the authentication pass or the authentication response information indicates the card. When the authorization is performed, the second authentication key in the first state corresponding to the second card reader is obtained by using the first authentication key in the first state, and the second authentication key in the first state is dense. The key is sent to the first storage module 2106, wherein the second card reader gives the card authorization condition that the card has successfully obtained the authorization of the first card reader; the first storage module 2106 is configured to store the first state. Two authentication keys.

通过本实施例提供的卡片,每一个读卡器对应一个认证密钥,卡片只有利用与第一读卡 器对应的可用状态下的第一认证密钥,才能对第一读卡器的第一认证信息进行认证,并向第一读卡器发送认证信息,以期获得第一读卡器的授权,并在卡片利用第一认证密钥对第一认证信息进行认证通过之后,根据第一状态下的第一认证密钥获取第二读卡器的第一状态下的第二认证密钥,从而实现认证密钥的分级管理。With the card provided in this embodiment, each card reader corresponds to an authentication key, and the card is only used and the first card is read. The first authentication key in the available state corresponding to the device can authenticate the first authentication information of the first card reader, and send the authentication information to the first card reader, so as to obtain the authorization of the first card reader, and After the first authentication information is authenticated by the card using the first authentication key, the second authentication key in the first state of the second card reader is obtained according to the first authentication key in the first state, thereby implementing authentication. Hierarchical management of keys.

在本实施例中,第一接收模块2101和第一发送模块2104可以是分别独立的模块,也可以集成在同一个通信模块中。第一接收模块2101和第一发送模块2104可以非接触通信模块,也可以为接触通信模块。第一存储模块2106可以为缓存区,例如,随机存取存储器(Random-Access Memory,简称RAM)。在缓存区中的数据可以实现高速的数据交换。In this embodiment, the first receiving module 2101 and the first sending module 2104 may be separate modules, or may be integrated in the same communication module. The first receiving module 2101 and the first sending module 2104 may be a contactless communication module or a contact communication module. The first storage module 2106 can be a buffer area, for example, a Random Access Memory (RAM). Data in the buffer area enables high-speed data exchange.

在本实施例中,在第一认证模块2103对第一认证信息认证通过之后,或者,在第一接收模块2101接收响应信息之后,且响应信息为对卡片21进行授权的情况下,第二获取模块2105才利用第一状态下的第一认证密钥获取第二读卡器对应的第一状态下的第二认证密钥。In this embodiment, after the first authentication module 2103 authenticates the first authentication information, or after the first receiving module 2101 receives the response information, and the response information is the authorization of the card 21, the second acquisition The module 2105 acquires the second authentication key in the first state corresponding to the second card reader by using the first authentication key in the first state.

作为本发明实施例的一个可选实施方式,如图3所示,卡片21还包括:第二存储模块2107,用于存储第二读卡器对应的第二状态下的第二认证密钥;第二获取模块2105通过以下方式获取第二读卡器对应的第一状态下的第二认证密钥:利用第一状态下的第一认证密钥对第二存储模块2107中存储的与第二读卡器对应的第二状态下的第二认证密钥进行计算,得到第一状态下的第二认证密钥。As an optional implementation of the embodiment of the present invention, as shown in FIG. 3, the card 21 further includes: a second storage module 2107, configured to store a second authentication key in a second state corresponding to the second card reader; The second obtaining module 2105 acquires the second authentication key in the first state corresponding to the second card reader by using the first authentication key in the first state and the second storage module 2107 The second authentication key in the second state corresponding to the card reader is calculated to obtain the second authentication key in the first state.

在本实施例中,第二存储模块2107用于存储第二状态下的认证密钥。第二存储模块2107可以是非易失性随机访问存储器(Non-Volatile Random Access Memory,简称NVRAM),NVRAM即使在断电后,所存储的数据也不会丢失。In this embodiment, the second storage module 2107 is configured to store an authentication key in the second state. The second storage module 2107 may be a non-Volatile Random Access Memory (NVRAM), and the stored data will not be lost even after the NVRAM is powered off.

作为本发明实施例的一个可选实施方式,第二状态下的第二认证密钥包括:加密的第二认证密钥;第二获取模块2105用于通过以下方式对第二读卡器对应的第二状态下的第二认证密钥进行计算得到第一状态下的第二认证密钥:利用第一状态下的第一认证密钥对第二存储模块2107中存储的与第二读卡器对应的加密的第二认证密钥进行解密,得到解密的第二认证密钥。在将第一状态下的第一认证密钥和第一状态下的第二认证密钥存储在第一存储区域2106的情况下,卡片可以在预定的条件下清空缓存区,因此,作为本发明实施例的一个可选实施方式,如图3所示,本实施例提供的卡片21还包括:清空模块2108,用于在预设时间到达或预设事件发生时,清空第一存储模块2106中存储的数据,其中,预设事件可以包括:第一认证模块2103对第一认证信息认证不通过。清空模块2108在预设时间到达或预设事件发生时,清空第一存储模块2106,可以节省第一存储模块2106的存储空间。As an optional implementation manner of the embodiment of the present invention, the second authentication key in the second state includes: an encrypted second authentication key; and the second obtaining module 2105 is configured to correspond to the second card reader in the following manner. The second authentication key in the second state is calculated to obtain the second authentication key in the first state: using the first authentication key in the first state to store the second card reader stored in the second storage module 2107 The corresponding encrypted second authentication key is decrypted to obtain a decrypted second authentication key. In the case where the first authentication key in the first state and the second authentication key in the first state are stored in the first storage area 2106, the card can empty the buffer area under predetermined conditions, and thus, as the present invention An optional embodiment of the embodiment, as shown in FIG. 3, the card 21 provided in this embodiment further includes: an emptying module 2108, configured to clear the first storage module 2106 when a preset time arrives or a preset event occurs. The stored data may include: the first authentication module 2103 fails to authenticate the first authentication information. When the clearing module 2108 arrives at a preset time or a preset event occurs, the first storage module 2106 is emptied, and the storage space of the first storage module 2106 can be saved.

作为本发明实施例的一个可选实施方式,如图3所示,本实施例提供的卡片21还包括:第三获取模块2109、加密模块2110、第三存储模块2111和响应模块2112;其中,第三获取模块2109,用于在接收第一读卡器发送的认证指令之后,获取本次认证的属性信息,将属 性信息发送至加密模块2110;加密模块2110,用于接收属性信息,并对属性信息进行加密得到属性信息密文,将属性信息密文发送至第三存储模块2111;第三存储模块2111,接收属性信息密文并存储;响应模块2112,用于响应读取指令,外发第三存储模块2111存储的属性信息密文。将属性信息加密后存储在第三存储模块2111中,可以属性信息被其他非法设备获取,保证属性信息的安全。As an optional implementation of the embodiment of the present invention, as shown in FIG. 3, the card 21 provided in this embodiment further includes: a third obtaining module 2109, an encryption module 2110, a third storage module 2111, and a response module 2112; The third obtaining module 2109 is configured to obtain the attribute information of the current authentication after receiving the authentication instruction sent by the first card reader, and The information is sent to the encryption module 2110. The encryption module 2110 is configured to receive the attribute information, and encrypt the attribute information to obtain the attribute information ciphertext, and send the attribute information ciphertext to the third storage module 2111. The third storage module 2111 receives The attribute information ciphertext is stored; the response module 2112 is configured to send the attribute information ciphertext stored by the third storage module 2111 in response to the read instruction. The attribute information is encrypted and stored in the third storage module 2111, and the attribute information can be obtained by other illegal devices to ensure the security of the attribute information.

实施例3Example 3

本实施例提供了一种授权系统,如图4所示,该授权系统包括:第一读卡器22和卡片21。本实施例中的卡片21与实施例2中的卡片21相同,具体参见实施例2的说明。在本实施例中,对授权系统的结构进行了简要说明,其他未尽事宜,可参见实施例1中的说明。This embodiment provides an authorization system. As shown in FIG. 4, the authorization system includes a first card reader 22 and a card 21. The card 21 in this embodiment is the same as the card 21 in the second embodiment. For details, refer to the description of the second embodiment. In this embodiment, the structure of the authorization system is briefly described. For other unworked matters, refer to the description in Embodiment 1.

如图4所示,第一读卡器22,包括:第二接收模块221,用于接收卡片21发送的第二认证信息;授权模块222,用于至少根据第二认证信息判断是否为卡片21授权;第二发送模块223,用于向卡片21发送指示是否为卡片21授权的响应信息。As shown in FIG. 4, the first card reader 22 includes: a second receiving module 221, configured to receive second authentication information sent by the card 21; and an authorization module 222, configured to determine, according to at least the second authentication information, whether the card is 21 or not Authorization; a second sending module 223, configured to send, to the card 21, response information indicating whether the card 21 is authorized.

通过本实施例提供的授权系统,每一个读卡器对应一个认证密钥,卡片只有利用与第一读卡器对应的可用状态下的第一认证密钥,才能对第一读卡器的第一认证信息进行认证,并向第一读卡器发送认证信息,以期获得第一读卡器的授权,并根据第一状态下的第一认证密钥获取第二读卡器的第一状态下的第二认证密钥,从而实现认证密钥的分级管理。因而,对于安全级别较高的读卡器,可以设置对应的控制权限,例如,需要一张卡片已经获得其它一个或多个读卡器的授权,才能根据其它一个或多个读卡器的第一状态下的认证密钥获取该读卡器第一状态下的认证密钥,进而才有可能获取该读卡器的授权。With the authorization system provided in this embodiment, each card reader corresponds to an authentication key, and the card can only use the first authentication key in the available state corresponding to the first card reader to be the first card reader. An authentication information is authenticated, and the authentication information is sent to the first card reader, so as to obtain the authorization of the first card reader, and obtain the first state of the second card reader according to the first authentication key in the first state. The second authentication key, thereby implementing hierarchical management of the authentication key. Therefore, for a card reader with a higher security level, corresponding control authority can be set, for example, if one card has been authorized by one or more other card readers, according to the other one or more card readers. The authentication key in one state acquires the authentication key in the first state of the card reader, and thus it is possible to obtain the authorization of the card reader.

在具体实施过程中,第二接收模块221接收第二认证信息后,可以由授权模块222至少根据第二认证信息判断是否为卡片授权,也可以与后台联合进行判断。因此作为本发明实施例的一个可选实施方式,如图5所示,本实施例提供的授权系统还包括:后台23;授权模块222,包括:发送单元2221,用于向后台23发送第二认证信息;接收单元2222,用于接收后台23至少对第二认证信息进行认证得到的认证结果;授权单元2223,用于至少根据认证结果判断是否为卡片21授权;后台23包括:第三接收模块231,用于接收第二认证信息;第二认证模块232,用于至少对第二认证信息进行认证,得到认证结果;第三发送模块233,用于向第一读卡器22返回认证结果。In the specific implementation process, after the second receiving module 221 receives the second authentication information, the authorization module 222 may determine, according to the second authentication information, whether it is a card authorization, or may perform a determination jointly with the background. Therefore, as an optional implementation manner of the embodiment of the present invention, as shown in FIG. 5, the authorization system provided in this embodiment further includes: a background 23; an authorization module 222, including: a sending unit 2221, configured to send a second to the background 23 The authentication unit 2222 is configured to receive an authentication result obtained by the background 23 at least authenticating the second authentication information. The authorization unit 2223 is configured to determine, according to the authentication result, whether the card 21 is authorized. The background 23 includes: a third receiving module. 231. The second authentication module 232 is configured to receive the second authentication information. The second authentication module 232 is configured to perform at least the second authentication information to obtain the authentication result. The third sending module 233 is configured to return the authentication result to the first card reader 22.

在本实施例中,授权模块222除了可以根据第二认证信息判断是否为卡片授权之外,还可以根据其他信息判断是否为卡片授权,因此,作为本发明实施例的一个可选实施方式,授权模块222在对第二认证信息进行认证的认证结果指示认证通过的情况下,通过以下方式判 断是否为卡片授权:根据第一读卡器22的授权权限列表,判断是否为卡片21授权。根据卡片21是否在第一读卡器22的授权权限列表中判断是否为卡片21授权,即判断卡片21是否为第一读卡器22的授权用户。In this embodiment, the authorization module 222 can determine whether it is a card authorization according to the second authentication information, and can also determine whether it is a card authorization according to other information. Therefore, as an optional implementation manner of the embodiment of the present invention, the authorization module is authorized. When the authentication result of the authentication of the second authentication information indicates that the authentication is passed, the module 222 judges by the following method Whether or not the card is authorized: according to the authorization authority list of the first card reader 22, it is judged whether or not the card 21 is authorized. Whether or not the card 21 is an authorized user of the first card reader 22 is determined based on whether the card 21 is in the authorization authority list of the first card reader 22 to determine whether or not the card 21 is authorized.

作为本发明实施例的一个可选实施方式,为了提高授权方法的安全性,可以在后台23对卡片21是否满足第一读卡器22给予卡片21授权的前提条件进行认证,因此,作为本发明实施例的一个可选实施方式,第二认证模块232,还用于对第一读卡器22给予卡片21授权的前提条件进行认证,得到认证结果。在具体实施过程中,后台23可以使用第一安全状态记录卡片21获得的授权的相关信息,第二认证模块232根据第一安全状态判断卡片21是否满足第一读卡器22给予卡片21授权的前提条件。As an optional implementation manner of the embodiment of the present invention, in order to improve the security of the authorization method, the background 23 can authenticate the premise that the card 21 satisfies the authorization of the card 21 by the first card reader 22, and thus, as the present invention In an optional implementation manner of the embodiment, the second authentication module 232 is further configured to perform authentication on the precondition for authorizing the card 21 by the first card reader 22 to obtain an authentication result. In a specific implementation process, the background 23 can use the first security status to record the authorization related information obtained by the card 21, and the second authentication module 232 determines whether the card 21 satisfies the authorization of the card 21 by the first card reader 22 according to the first security status. Prerequisites.

作为本发明实施例的一个可选实施方式,如图5所示,本实施例提供的系统还包括:验证装置24;后台23,还包括:第四获取模块234,第四存储模块235;第一读卡器还包括:第五获取模块224;其中,第五获取模块224,用于获取卡片21的标识信息;发送单元2222,还用于向后台23发送至少包括卡片21的标识信息的通知;第三接收模块231,还用于接收通知;第四获取模块234,用于根据通知获取卡片的本次认证的属性信息;第四存储模块235,用于存储卡片的本次认证的属性信息;验证装置24,用于从卡片21获取加密的属性信息以及从后台23获取第四存储模块235的属性信息,对加密的属性信息进行解密,将解密得到的属性信息与从后台23获取的属性信息进行对比,如果不匹配,标识卡片21为非法卡片。在本实施例中,验证装置24可以是一个独立的装置,也可以是后台23的组成部分。通过本可选实施方式,可以防止不法设备对卡片21进行攻击,发起非法认证指令,获取卡片21内部的数据,从而攻破卡片21。As an alternative embodiment of the embodiment of the present invention, as shown in FIG. 5, the system provided in this embodiment further includes: a verification device 24; a background 23, further comprising: a fourth acquisition module 234, a fourth storage module 235; The card reader further includes: a fifth obtaining module 224; wherein the fifth obtaining module 224 is configured to obtain the identification information of the card 21; the sending unit 2222 is further configured to send, to the background 23, a notification that includes at least the identification information of the card 21. The third receiving module 231 is further configured to receive the notification, the fourth obtaining module 234 is configured to obtain the attribute information of the current authentication of the card according to the notification, and the fourth storage module 235 is configured to store the attribute information of the current authentication of the card. The verification device 24 is configured to acquire the encrypted attribute information from the card 21 and acquire the attribute information of the fourth storage module 235 from the background 23, decrypt the encrypted attribute information, and decrypt the attribute information obtained from the background 23 The information is compared, and if it does not match, the identification card 21 is an illegal card. In the present embodiment, the verification device 24 can be a standalone device or an integral part of the background 23. With the optional implementation, it is possible to prevent the illegal device from attacking the card 21, initiate an illegal authentication command, and acquire data inside the card 21, thereby breaking the card 21.

流程图中或在此以其他方式描述的任何过程或方法描述可以被理解为,表示包括一个或更多个用于实现特定逻辑功能或过程的步骤的可执行指令的代码的组件、片段或部分,并且本发明的优选实施方式的范围包括另外的实现,其中可以不按所示出或讨论的顺序,包括根据所涉及的功能按基本同时的方式或按相反的顺序,来执行功能,这应被本发明的实施例所属技术领域的技术人员所理解。Any process or method description in the flowcharts or otherwise described herein can be understood as a component, segment or portion of code representing executable instructions including one or more steps for implementing a particular logical function or process. And the scope of the preferred embodiments of the invention includes additional implementations, in which the functions may be performed in a substantially simultaneous manner or in an opposite order depending on the functions involved, in the order shown or discussed. It will be understood by those skilled in the art to which the embodiments of the present invention pertain.

应当理解,本发明的各部分可以用硬件、软件、固件或它们的组合来实现。在上述实施方式中,多个步骤或方法可以用存储在存储器中且由合适的指令执行系统执行的软件或固件来实现。例如,如果用硬件来实现,和在另一实施方式中一样,可用本领域公知的下列技术中的任一项或他们的组合来实现:具有用于对数据信号实现逻辑功能的逻辑门电路的离散逻辑电路,具有合适的组合逻辑门电路的专用集成电路,可编程门阵列(PGA),现场可编程门阵列(FPGA)等。 It should be understood that portions of the invention may be implemented in hardware, software, firmware or a combination thereof. In the above-described embodiments, multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, it can be implemented by any one or combination of the following techniques well known in the art: having logic gates for implementing logic functions on data signals. Discrete logic circuits, application specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), etc.

本技术领域的普通技术人员可以理解实现上述实施例方法携带的全部或部分步骤是可以通过程序来指令相关的硬件完成,所述的程序可以存储于一种计算机可读存储介质中,该程序在执行时,包括方法实施例的步骤之一或其组合。One of ordinary skill in the art can understand that all or part of the steps carried by the method of implementing the above embodiments can be completed by a program to instruct related hardware, and the program can be stored in a computer readable storage medium. When executed, one or a combination of the steps of the method embodiments is included.

此外,在本发明各个实施例中的各功能单元可以集成在一个处理组件中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个组件中。上述集成的组件既可以采用硬件的形式实现,也可以采用软件功能组件的形式实现。所述集成的组件如果以软件功能组件的形式实现并作为独立的产品销售或使用时,也可以存储在一个计算机可读取存储介质中。In addition, each functional unit in each embodiment of the present invention may be integrated into one processing component, or each unit may exist physically separately, or two or more units may be integrated into one component. The above integrated components can be implemented in the form of hardware or in the form of software functional components. The integrated components, if implemented in the form of software functional components and sold or used as separate products, may also be stored in a computer readable storage medium.

上述提到的存储介质可以是只读存储器,磁盘或光盘等。The above mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.

在本说明书的描述中,参考术语“一个实施例”、“一些实施例”、“示例”、“具体示例”、或“一些示例”等的描述意指结合该实施例或示例描述的具体特征、结构、材料或者特点包含于本发明的至少一个实施例或示例中。在本说明书中,对上述术语的示意性表述不一定指的是相同的实施例或示例。而且,描述的具体特征、结构、材料或者特点可以在任何的一个或多个实施例或示例中以合适的方式结合。In the description of the present specification, the description with reference to the terms "one embodiment", "some embodiments", "example", "specific example", or "some examples" and the like means a specific feature described in connection with the embodiment or example. A structure, material or feature is included in at least one embodiment or example of the invention. In the present specification, the schematic representation of the above terms does not necessarily mean the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.

尽管上面已经示出和描述了本发明的实施例,可以理解的是,上述实施例是示例性的,不能理解为对本发明的限制,本领域的普通技术人员在不脱离本发明的原理和宗旨的情况下在本发明的范围内可以对上述实施例进行变化、修改、替换和变型。本发明的范围由所附权利要求及其等同限定。 Although the embodiments of the present invention have been shown and described, it is understood that the foregoing embodiments are illustrative and not restrictive Variations, modifications, alterations and variations of the above-described embodiments are possible within the scope of the invention. The scope of the invention is defined by the appended claims and their equivalents.

Claims (20)

一种授权方法,其特征在于,包括:An authorization method, comprising: 卡片接收第一读卡器发送的认证指令,其中,所述认证指令中携带有标识信息和第一认证信息;The card receives the authentication command sent by the first card reader, where the authentication command carries the identification information and the first authentication information; 所述卡片根据所述标识信息获取与所述第一读卡器对应的第一状态下的第一认证密钥,其中,所述第一状态为可用状态;The card acquires a first authentication key in a first state corresponding to the first card reader according to the identifier information, where the first state is an available state; 所述卡片利用所述第一认证密钥对所述第一认证信息进行认证,在认证通过的情况下,向所述第一读卡器发送第二认证信息;The card uses the first authentication key to authenticate the first authentication information, and if the authentication passes, sends the second authentication information to the first card reader; 所述第一读卡器接收所述第二认证信息,至少根据所述第二认证信息判断是否为所述卡片授权,并向所述卡片发送响应信息;Receiving, by the first card reader, the second authentication information, determining, according to the second authentication information, whether the card is authorized, and sending the response information to the card; 其中,在所述卡片利用所述第一认证密钥对所述第一认证信息进行认证通过之后,所述方法还包括:所述卡片利用所述第一状态下的第一认证密钥获取第二读卡器对应的第一状态下的第二认证密钥,并存储所述第一状态下的所述第二认证密钥,所述第二读卡器给予卡片授权的前提条件为所述卡片已成功获得所述第一读卡器的授权。After the card authenticates the first authentication information by using the first authentication key, the method further includes: the card acquiring the first authentication key by using the first authentication key in the first state. a second authentication key in a first state corresponding to the second card reader, and storing the second authentication key in the first state, and a precondition for the second card reader to authorize the card is the The card has been successfully authorized by the first card reader. 根据权利要求1所述的方法,其特征在于,The method of claim 1 wherein 所述卡片利用所述第一状态下的第一认证密钥获取第二读卡器对应的第一状态下的所述第二认证密钥,包括:And acquiring, by the first authentication key in the first state, the second authentication key in the first state corresponding to the second card reader, where the card includes: 所述卡片利用所述第一状态下的第一认证密钥对本地存储的与第二读卡器对应的第二状态下的第二认证密钥进行计算,得到所述第一状态下的所述第二认证密钥。The card calculates, by using the first authentication key in the first state, the locally stored second authentication key in the second state corresponding to the second card reader, to obtain the location in the first state. The second authentication key is described. 根据权利要求2所述的方法,其特征在于,The method of claim 2 wherein: 所述第二状态下的所述第二认证密钥包括:加密的所述第二认证密钥;The second authentication key in the second state includes: the encrypted second authentication key; 所述卡片利用所述第一状态下的第一认证密钥对本地存储的与第二读卡器对应的第二状态下的第二认证密钥进行计算,得到所述第一状态下的所述第二认证密钥,包括:The card calculates, by using the first authentication key in the first state, the locally stored second authentication key in the second state corresponding to the second card reader, to obtain the location in the first state. The second authentication key includes: 所述卡片利用所述第一状态下的第一认证密钥对本地存储的与第二读卡器对应的加密的所述第二认证密钥进行解密,得到解密的所述第二认证密钥。Decrypting the locally stored encrypted second authentication key corresponding to the second card reader by using the first authentication key in the first state to obtain the decrypted second authentication key . 根据权利要求2或3所述的方法,其特征在于,Method according to claim 2 or 3, characterized in that 所述第一读卡器接收所述第二认证信息,至少根据所述第二认证信息判断是否为所述卡片授权,包括:The first card reader receives the second authentication information, and at least determines whether the card is authorized according to the second authentication information, including: 所述第一读卡器至少对第二认证信息进行认证,获取认证结果;或者,所述第一读卡器将所述第二认证信息发送至后台,所述后台至少对所述第二认证信息进行认证,将认证结果返回给所述第一读卡器;The first card reader authenticates at least the second authentication information to obtain an authentication result; or the first card reader sends the second authentication information to the background, and the background is at least for the second authentication. The information is authenticated, and the authentication result is returned to the first card reader; 所述第一读卡器至少根据所述认证结果判断是否为所述卡片授权。 The first card reader determines whether the card is authorized according to at least the authentication result. 根据权利要求4所述的方法,其特征在于,The method of claim 4 wherein: 所述第一读卡器至少根据对所述第二认证信息进行认证的认证结果判断是否为所述卡片授权,包括:Determining, by the first card reader, whether the card is authorized according to the authentication result of authenticating the second authentication information, including: 在认证结果指示认证通过的情况下,所述第一读卡器根据所述第一读卡器的授权权限列表,判断是否为所述卡片授权。When the authentication result indicates that the authentication is passed, the first card reader determines whether the card is authorized according to the authorization permission list of the first card reader. 根据权利要求4或5所述的方法,其特征在于,Method according to claim 4 or 5, characterized in that 所述后台至少对所述第二认证信息进行认证,包括:The background at least authenticating the second authentication information includes: 所述后台对所述第一读卡器给予卡片授权的前提条件进行认证。The background authenticates the preconditions that the first card reader gives the card authorization. 根据权利要求1至6任一项所述的方法,其特征在于,A method according to any one of claims 1 to 6, wherein 所述存储所述第一状态下的所述第二认证密钥,包括:将所述第一状态下的所述第二认证密钥存储在缓存区;The storing the second authentication key in the first state includes: storing the second authentication key in the first state in a buffer area; 所述方法还包括:在预设时间到达或预设事件发生时,清空所述缓存区。The method further includes: clearing the buffer area when a preset time arrives or a preset event occurs. 根据权利要求7所述的方法,其特征在于,The method of claim 7 wherein: 所述预设事件包括:所述卡片对所述第一认证信息认证不通过。The preset event includes: the card fails to pass the first authentication information authentication. 根据权利要求1至8任一项所述的方法,其特征在于,A method according to any one of claims 1 to 8, wherein 在所述卡片接收到所述第一读卡器发送的认证指令之后,所述方法还包括:所述卡片获取本次认证的属性信息,对所述属性信息进行加密后存储;After the card receives the authentication command sent by the first card reader, the method further includes: the card acquiring the attribute information of the current authentication, and encrypting and storing the attribute information; 在卡片接收第一读卡器发送的认证指令之前,所述方法还包括:所述第一读卡器获取所述卡片的标识信息;所述第一读卡器向所述卡片发送所述认证指令;所述第一读卡器向后台发送至少包括所述卡片的标识信息的通知;所述后台根据所述通知,获取并存储所述卡片的本次认证的所述属性信息;Before the card receives the authentication command sent by the first card reader, the method further includes: the first card reader acquiring identification information of the card; the first card reader transmitting the authentication to the card The first card reader sends a notification including at least the identification information of the card to the background; the background acquires and stores the attribute information of the current authentication of the card according to the notification; 在所述卡片对所述属性信息进行加密后存储之后,所述方法还包括:获取所述卡片存储的加密的所述属性信息;对所述加密的属性信息进行解密;将解密得到的所述属性信息与所述后台存储的所述卡片的所述属性信息进行对比,如果不匹配,标识所述卡片为非法卡片。After the card is encrypted and stored, the method further includes: acquiring the encrypted attribute information stored by the card; decrypting the encrypted attribute information; and decrypting the obtained The attribute information is compared with the attribute information of the card stored in the background, and if not, the card is identified as an illegal card. 一种卡片,其特征在于,包括:A card comprising: 第一接收模块,用于接收第一读卡器发送的认证指令,其中,所述认证指令中携带有标识信息和第一认证信息;a first receiving module, configured to receive an authentication command sent by the first card reader, where the authentication command carries the identification information and the first authentication information; 第一获取模块,用于根据所述标识信息获取与所述第一读卡器对应的第一状态下的第一认证密钥,其中,所述第一状态为可用状态;a first acquiring module, configured to acquire, according to the identifier information, a first authentication key in a first state corresponding to the first card reader, where the first state is an available state; 第一认证模块,用于利用所述第一认证密钥对所述第一认证信息进行认证,在认证通过的情况下,触发第一发送模块; The first authentication module is configured to authenticate the first authentication information by using the first authentication key, and trigger the first sending module if the authentication is passed; 所述第一发送模块,用于向所述第一读卡器发送第二认证信息;The first sending module is configured to send second authentication information to the first card reader; 所述第一接收模块,还用于接收所述第一读卡器返回的认证响应信息;The first receiving module is further configured to receive authentication response information returned by the first card reader; 第二获取模块,用于在所述第一认证模块对所述第一认证信息进行认证且认证通过或所述认证响应信息指示对所述卡片进行授权的情况下,利用所述第一状态下的第一认证密钥获取第二读卡器对应的第一状态下的第二认证密钥,并将所述第一状态下的第二认证密钥发送至第一存储模块,其中,所述第二读卡器给予卡片授权的前提条件为所述卡片已成功获得所述第一读卡器的授权;a second acquiring module, configured to use, in the first state, in the case that the first authentication module authenticates the first authentication information and the authentication passes or the authentication response information indicates that the card is authorized The first authentication key acquires the second authentication key in the first state corresponding to the second card reader, and sends the second authentication key in the first state to the first storage module, where The precondition for the second card reader to authorize the card is that the card has successfully obtained the authorization of the first card reader; 所述第一存储模块,用于存储所述第一状态下的第二认证密钥。The first storage module is configured to store a second authentication key in the first state. 根据权利要求10所述的卡片,其特征在于,A card according to claim 10, wherein 所述卡片还包括:第二存储模块,用于存储所述第二读卡器对应的第二状态下的第二认证密钥;The card further includes: a second storage module, configured to store a second authentication key in a second state corresponding to the second card reader; 所述第二获取模块通过以下方式获取所述第二读卡器对应的第一状态下的第二认证密钥:利用所述第一状态下的第一认证密钥对所述第二存储模块中存储的与所述第二读卡器对应的第二状态下的第二认证密钥进行计算,得到所述第一状态下的所述第二认证密钥。Obtaining, by the second acquiring module, the second authentication key in the first state corresponding to the second card reader by using the first authentication key in the first state to the second storage module The second authentication key stored in the second state corresponding to the second card reader is calculated to obtain the second authentication key in the first state. 根据权利要求11所述的卡片,其特征在于,所述第二状态下的所述第二认证密钥包括:加密的所述第二认证密钥;The card according to claim 11, wherein the second authentication key in the second state comprises: the encrypted second authentication key; 所述第二获取模块通过以下方式对所述第二读卡器对应的第二状态下的第二认证密钥进行计算得到所述第一状态下的所述第二认证密钥:利用所述第一状态下的第一认证密钥对所述第二存储模块中存储的与第二读卡器对应的加密的所述第二认证密钥进行解密,得到解密的所述第二认证密钥。The second obtaining module calculates the second authentication key in the second state by using the second authentication key in the second state corresponding to the second card reader by: using the The first authentication key in the first state decrypts the encrypted second authentication key corresponding to the second card reader stored in the second storage module, to obtain the decrypted second authentication key. . 根据权利要求10至12任一项所述的卡片,其特征在于,还包括:The card according to any one of claims 10 to 12, further comprising: 清空模块,用于在预设时间到达或预设事件发生时,清空所述第一存储模块中存储的数据。The module is cleared to clear the data stored in the first storage module when a preset time arrives or a preset event occurs. 根据权利要求13所述的卡片,其特征在于,所述预设事件包括:The card of claim 13 wherein said predetermined event comprises: 所述第一认证模块对所述第一认证信息认证不通过。The first authentication module fails to pass the first authentication information authentication. 根据权利要求10至14任一项所述的卡片,其特征在于,所述卡片还包括:第三获取模块、加密模块、第三存储模块和响应模块;其中,The card according to any one of claims 10 to 14, wherein the card further comprises: a third acquisition module, an encryption module, a third storage module, and a response module; 所述第三获取模块,用于在所述第一接收模块接收第一读卡器发送的认证指令之后,获取本次认证的属性信息,将所述属性信息发送至所述加密模块;The third obtaining module is configured to: after the first receiving module receives the authentication command sent by the first card reader, acquire the attribute information of the current authentication, and send the attribute information to the encryption module; 所述加密模块,用于接收所述属性信息,并对所述属性信息进行加密得到属性信息密文,将所述属性信息密文发送至所述第三存储模块; The cryptographic module is configured to receive the attribute information, and encrypt the attribute information to obtain an attribute information ciphertext, and send the attribute information ciphertext to the third storage module; 所述第三存储模块,还用于接收所述属性信息密文并存储;The third storage module is further configured to receive the attribute information ciphertext and store the attribute information; 所述响应模块,用于响应读取指令,外发所述第三存储模块存储的所述属性信息密文。The response module is configured to send the attribute information ciphertext stored by the third storage module in response to the read instruction. 一种授权系统,其特征在于,包括:第一读卡器和权利要求10至15任一项所述的卡片;其中,An authorization system, comprising: a first card reader and the card of any one of claims 10 to 15; 所述第一读卡器,包括:The first card reader includes: 第二接收模块,用于接收所述卡片发送的第二认证信息;a second receiving module, configured to receive second authentication information sent by the card; 授权模块,用于至少根据所述第二认证信息判断是否为所述卡片授权;And an authorization module, configured to determine, according to the second authentication information, whether the card is authorized; 第二发送模块,用于向所述卡片发送指示是否为所述卡片授权的响应信息。And a second sending module, configured to send, to the card, response information indicating whether the card is authorized. 根据权利要求16所述的授权系统,其特征在于,所述系统还包括:后台;The authorization system according to claim 16, wherein the system further comprises: a background; 所述授权模块,包括:发送单元,用于向所述后台发送所述第二认证信息;接收单元,用于接收所述后台至少对所述第二认证信息进行认证得到的认证结果;授权单元,用于至少根据所述认证结果判断是否为所述卡片授权;The authorization module includes: a sending unit, configured to send the second authentication information to the background; and a receiving unit, configured to receive an authentication result obtained by the background at least authenticating the second authentication information; Determining, by at least according to the authentication result, whether the card is authorized; 所述后台包括:第三接收模块,用于接收所述第二认证信息;第二认证模块,用于至少对所述第二认证信息进行认证,得到认证结果;第三发送模块,用于向所述第一读卡器返回所述认证结果。The background includes: a third receiving module, configured to receive the second authentication information; a second authentication module, configured to perform at least authentication on the second authentication information, to obtain an authentication result; and a third sending module, configured to The first card reader returns the authentication result. 根据权利要求17所述的授权系统,其特征在于,The authorization system of claim 17 wherein: 所述授权模块在对所述第二认证信息进行认证的认证结果指示认证通过的情况下,通过以下方式判断是否为所述卡片授权:根据所述第一读卡器的授权权限列表,判断是否为所述卡片授权。If the authentication result of the authentication of the second authentication information indicates that the authentication is passed, the authorization module determines whether the card is authorized by: determining, according to the authorization permission list of the first card reader, whether Authorize the card. 根据权利要求17或18所述的授权系统,其特征在于,The authorization system according to claim 17 or 18, characterized in that 所述第二认证模块,还用于对所述第一读卡器给予卡片授权的前提条件进行认证,得到认证结果。The second authentication module is further configured to perform authentication on a precondition for granting the card authorization by the first card reader, and obtain an authentication result. 根据权利要求17至19任一项所述的授权系统,其特征在于,所述系统还包括:验证装置;所述后台还包括:第四存储模块和第四获取模块;所述第一读卡器还包括:第五获取模块;其中,The authorization system according to any one of claims 17 to 19, wherein the system further comprises: a verification device; the background further comprising: a fourth storage module and a fourth acquisition module; the first reading card The device further includes: a fifth acquisition module; wherein 所述第五获取模块,用于获取所述卡片的标识信息;The fifth obtaining module is configured to acquire identification information of the card; 所述发送单元,还用于向后台发送至少包括所述卡片的标识信息的通知;The sending unit is further configured to send, to the background, a notification that includes at least the identification information of the card; 所述第三接收模块,还用于接收所述通知;The third receiving module is further configured to receive the notification; 所述第四获取模块,用于根据所述通知获取所述卡片的本次认证的所述属性信息;所述第四存储模块,用于存储所述卡片的本次认证的所述属性信息;The fourth obtaining module is configured to acquire the attribute information of the current authentication of the card according to the notification; the fourth storage module is configured to store the attribute information of the current authentication of the card; 所述验证装置,用于从所述卡片获取所述加密的属性信息以及从所述后台获取所述 第四存储模块的所述属性信息,对所述加密的属性信息进行解密,将解密得到的所述属性信息与从所述后台获取的所述属性信息进行对比,如果不匹配,标识所述卡片为非法卡片。 The verification device, configured to acquire the encrypted attribute information from the card and obtain the The attribute information of the fourth storage module decrypts the encrypted attribute information, compares the decrypted attribute information with the attribute information obtained from the background, and if not, identifies the card Is an illegal card.
PCT/CN2017/100208 2016-09-09 2017-09-01 Authorization method, system, and card Ceased WO2018045916A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610815363.X 2016-09-09
CN201610815363.XA CN107392001B (en) 2016-09-09 2016-09-09 Authorization method, system and card

Publications (1)

Publication Number Publication Date
WO2018045916A1 true WO2018045916A1 (en) 2018-03-15

Family

ID=60338194

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/100208 Ceased WO2018045916A1 (en) 2016-09-09 2017-09-01 Authorization method, system, and card

Country Status (2)

Country Link
CN (1) CN107392001B (en)
WO (1) WO2018045916A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112585608A (en) * 2020-01-13 2021-03-30 深圳市大疆创新科技有限公司 Embedded equipment, legality identification method, controller and encryption chip
CN112948808A (en) * 2021-03-01 2021-06-11 湖南优美科技发展有限公司 Authorization management method and system, authorization management device and embedded device

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110651270B (en) * 2017-12-29 2023-11-10 华为技术有限公司 A data access method and device
CN112486500B (en) * 2020-11-03 2022-10-21 杭州云嘉云计算有限公司 System authorization deployment method
CN113327371B (en) * 2021-05-21 2022-08-05 福建星云电子股份有限公司 Card swiping authentication method and system for charging pile

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6370249B1 (en) * 1997-07-25 2002-04-09 Entrust Technologies, Ltd. Method and apparatus for public key management
CN101488111A (en) * 2009-02-17 2009-07-22 普天信息技术研究院有限公司 Identification authentication method and system
CN101527714A (en) * 2008-12-31 2009-09-09 北京飞天诚信科技有限公司 Method, device and system for accreditation
CN102118385A (en) * 2010-12-14 2011-07-06 北京握奇数据系统有限公司 Security domain management method and device
CN102546172A (en) * 2011-12-16 2012-07-04 北京握奇数据系统有限公司 Access control method of intelligent card, intelligent card, terminal and system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102843237B (en) * 2012-09-13 2016-02-17 天地融科技股份有限公司 Authorization token, tokens, dynamic password token remote-authorization method and system
CN103078744B (en) * 2013-01-25 2015-06-17 西安电子科技大学 Public key-based bidirectional radio frequency identification authorization method
EP2768178A1 (en) * 2013-02-14 2014-08-20 Gemalto SA Method of privacy-preserving proof of reliability between three communicating parties
CN104038342A (en) * 2013-03-08 2014-09-10 中外建设信息有限责任公司 Security certification system and method
CN104202369A (en) * 2014-08-19 2014-12-10 西安邮电大学 Novel multi-application authentication card issuing system for smart card
CN104850764B (en) * 2015-05-22 2018-09-11 东信和平科技股份有限公司 A kind of method for protecting software and system based on smart card

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6370249B1 (en) * 1997-07-25 2002-04-09 Entrust Technologies, Ltd. Method and apparatus for public key management
CN101527714A (en) * 2008-12-31 2009-09-09 北京飞天诚信科技有限公司 Method, device and system for accreditation
CN101488111A (en) * 2009-02-17 2009-07-22 普天信息技术研究院有限公司 Identification authentication method and system
CN102118385A (en) * 2010-12-14 2011-07-06 北京握奇数据系统有限公司 Security domain management method and device
CN102546172A (en) * 2011-12-16 2012-07-04 北京握奇数据系统有限公司 Access control method of intelligent card, intelligent card, terminal and system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112585608A (en) * 2020-01-13 2021-03-30 深圳市大疆创新科技有限公司 Embedded equipment, legality identification method, controller and encryption chip
CN112948808A (en) * 2021-03-01 2021-06-11 湖南优美科技发展有限公司 Authorization management method and system, authorization management device and embedded device
CN112948808B (en) * 2021-03-01 2023-11-24 湖南优美科技发展有限公司 Authorization management method and system, authorization management device and embedded device

Also Published As

Publication number Publication date
CN107392001A (en) 2017-11-24
CN107392001B (en) 2020-03-24

Similar Documents

Publication Publication Date Title
CA2554300C (en) System and method for encrypted smart card pin entry
JP7194847B2 (en) A method for authenticating the identity of digital keys, terminal devices, and media
EP0865695B1 (en) An apparatus and method for cryptographic companion imprinting
TWI524275B (en) Storage device and method of operating a storage device
US20080181409A1 (en) Method for guaranteeing security of critical data, terminal and secured chip
JP2020511069A (en) System access using mobile devices
KR20190122655A (en) Update of Biometric Data Template
WO2018045916A1 (en) Authorization method, system, and card
US9280650B2 (en) Authenticate a fingerprint image
CN101140605A (en) Data safe reading method and safe storage device thereof
JP7735274B2 (en) Secure authentication based on passport data stored on contactless cards
JP2024528476A (en) Cryptographic authentication for controlling access to storage devices
WO2018133675A1 (en) Key update method, device and system
CN115529591A (en) Token-based authentication method, device, equipment and storage medium
CN107423609B (en) Authorization system, method and card
CN112241633A (en) Bidirectional authentication implementation method and system for non-contact smart card
CN112735005A (en) Access control card, authorization and verification method thereof, terminal subsystem and access control system
JP2012044430A (en) Portable information apparatus and encrypted communication program
WO2018045918A1 (en) Authorization method and system
JP4760124B2 (en) Authentication device, registration device, registration method, and authentication method
CN118536928A (en) Seal management method and system
HK40068620A (en) Secure authentication based on passport data stored in a contactless card
HK1097633A (en) System and method for encrypted smart card pin entry
CN102025499A (en) Physical extension-based CA (certificate authority) digital signature method and CA digital signature device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17848089

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17848089

Country of ref document: EP

Kind code of ref document: A1