The access of POS terminal, terminal is preposition, master key management system and method thereofTechnical field
The present invention relates to information security field, particularly preposition, the master key management system of a kind of POS terminal, terminal access and method.
Background technology
Use bank card to carry out bankcard consumption by POS terminal and become the consumption clearing form of current main flow; POS terminal is in the time of transaction at present; relate to master key and working key, this master key is stored in POS terminal, for encrypting this working key so that this working key is protected.Wherein, this working key comprises PIN key and verification MAC key, and this PIN key is for encrypting holder's customer bank password, and this MAC key is for carrying out MAC verification to message.
In the time of POS terminal initialization, need to download master key, traditional POS terminal master key download scenarios is, downloading before master key, first POS terminal is associated with the trade company's account that uses this POS terminal, bring to bank by POS terminal, the device number of POS terminal is associated with trade company account, then download master key to this POS terminal, this kind of way is more loaded down with trivial details, has increased the workload of downloading master key.
Summary of the invention
The technical problem that the present invention mainly solves is to provide a kind of easy master key management method for POS terminal and uses the master key management system of the method, POS terminal and terminal access preposition.Without POS terminal being associated with trade company account downloading before master key, female POS can be to the disposable distribution master key of the POS terminal that needs master key and cipher key index number, POS terminal combines this cipher key index number and generates security module number with the hardware sequence number of this POS terminal, then this security module number is accessed to the registration of preposition place in terminal.In the time sending transaction request message, POS terminal sends this security module number simultaneously and authenticates with the legitimacy to this POS terminal and cipher key index thereof number to terminal access is preposition.
For solving the problems of the technologies described above, the technical scheme that the present invention adopts is:
A kind of master key management method is provided, comprises: (1) generates master key and the master key ciphertext corresponding with described master key and described master key ciphertext is write to cipher key store table; (2) described cipher key store table is converted to the key file of the female POS agreement of key form and described key file is loaded into the female POS of described key; (3) the female POS of described key receives the key distribution request that a POS terminal sends, retrieve master key available in described key file and described master key and corresponding cipher key index number are distributed to described POS terminal according to described key distribution request, described master key is labeled as and is used simultaneously; (4) described POS terminal receives described master key and cipher key index number, generates security module number and described security module number is sent to terminal access preposition according to the hardware sequence number of the cipher key index receiving number and described POS terminal; And (5) described terminal accesses the described security module of preposition reception number and the described security module receiving number is write to a terminal list to register described security module number.
Wherein, described master key management method also comprises: (6) one POS terminals send transaction request and a security module number extremely described terminal access is preposition; (7) described terminal accesses the described security module of preposition reception number and retrieves described terminal list, judge whether to retrieve the registered security module number of mating with the described security module receiving number, and in the time retrieving the security module of coupling, process described transaction request, in the time not retrieving the security module of coupling, refuse described transaction request.
Wherein, in the time retrieving the security module of coupling, described terminal accesses preposition transmission authentication success prompting to described POS terminal.In the time not retrieving the security module of coupling, described terminal accesses preposition transmission authentification failure prompting to described POS terminal.
Another technical solution used in the present invention is:
A kind of master key management system is provided, comprise that the access of encryption equipment, terminal is preposition, the female POS of key and POS terminal, described encryption equipment is used for generating master key and adopts specifies key to be encrypted to generate master key ciphertext to described master key, the preposition transaction unit that comprises of described terminal access.Described terminal access preposition comprising: key writing unit, for obtaining described master key ciphertext and described master key ciphertext being write to cipher key store table, wherein, described cipher key store table comprises cipher key index number, master key ciphertext and working key; Database Unit, for storing described cipher key store table; WEB administrative unit, for converting described cipher key store table to the key file of arranging form with the female POS of described key; Key loading unit, for being loaded into described key file the female POS of described key; The female POS of described key, for retrieving the available master key of described key file and described master key and corresponding cipher key index number being distributed to described POS terminal, is labeled as described master key and uses simultaneously.
Described POS terminal comprises: memory cell; Key acquiring unit, for sending key distribution request to the female POS of described key, and receives and stores associatedly described master key and cipher key index number to described memory cell; Security module generation unit, preposition for generating security module number according to the hardware sequence number of described cipher key index number and described POS terminal and described security module number being sent to described terminal access; And the access of described terminal is preposition also comprises: registration unit, for receiving described security module number and the described security module receiving number being write to the security module number of a terminal list to receive described in registering, described Database Unit is also for storing described terminal list.
Wherein, described POS terminal is also preposition for send in the lump number extremely described terminal access of described security module in the time sending transaction request; Described terminal access is preposition also to be comprised: authentication ' unit, for when receiving described security module number and retrieving described terminal list, judge whether to retrieve the security module number of mating with the described security module receiving number, and in the time retrieving the security module of coupling, send a trading instruction to described transaction unit to process described transaction request; Described authentication ' unit also in the time not retrieving the security module of coupling, send a refusal trading instruction to described transaction unit to refuse described transaction request.
Wherein, the form of described key file is TXT form.
Another technical solution used in the present invention is:
Provide a kind of terminal access preposition, comprise transaction unit, described terminal access is preposition also to be comprised: key writing unit, for obtaining master key ciphertext and described master key ciphertext write to cipher key store table from encryption equipment, wherein, described cipher key store table comprises cipher key index number, master key ciphertext and working key; Database Unit, for storing described cipher key store table; WEB administrative unit, for converting described cipher key store table to the key file of arranging form with the female POS of described key; Key loading unit, for being loaded into described key file the female POS of described key; And registration unit, for receiving security module number that POS terminal sends and the described security module receiving number being write to the security module number of a terminal list to receive described in registering, described Database Unit is also for storing described terminal list.
Wherein, described terminal access is preposition also to be comprised: authentication ' unit, for when receiving described security module number and retrieving described terminal list, judge whether to retrieve the security module number of mating with the described security module receiving number, and in the time retrieving the security module of coupling, send a trading instruction to described transaction unit to process described transaction request; Described authentication ' unit also in the time not retrieving the security module of coupling, send a refusal trading instruction to described transaction unit to refuse described transaction request.
Another technical solution used in the present invention is:
A kind of POS terminal is provided, comprises: memory cell; Key acquiring unit, for sending key distribution request to the female POS of key, and receives and associatedly master key and the cipher key index number of female described key POS distribution is stored to described memory cell; And security module generation unit, preposition for generating security module number according to the hardware sequence number of described cipher key index number and described POS terminal and described security module number being sent to terminal access.
Brief description of the drawings
Fig. 1 is the system architecture diagram of master key management system in an embodiment of the present invention;
Fig. 2 is that in an embodiment of the present invention, terminal accesses preposition functional block diagram;
Fig. 3 is the functional block diagram of POS terminal in an embodiment of the present invention;
Fig. 4 generates and when distribution at master key in an embodiment of the present invention, the flow chart that master key management method is carried out in the system of Fig. 1;
Fig. 5 be in an embodiment of the present invention in the time of POS terminal transaction, the flow chart of carrying out in the system of master key management method in Fig. 1.
Main element symbol description
10, terminal access is preposition; 20, encryption equipment; 30, the female POS of key; 40, POS terminal;
11, Database Unit; 12, WEB administrative unit; 13, key loading unit; 14, registration unit;
15, authentication ' unit; 16, transaction unit; 17, key writing unit; 41, key acquiring unit;
42, memory cell; 43, security module generation unit.
Embodiment
By describing technology contents of the present invention, structural feature in detail, being realized object and effect, below in conjunction with execution mode and coordinate accompanying drawing to be explained in detail.
Referring to Fig. 1, is the system architecture diagram of master key management system in an embodiment of the present invention.This master key management system comprises that terminal accesses preposition 10 and access respectively the female POS 30 of encryption equipments 20, key and the POS terminal 40 of preposition 10 communication connections with this terminal, and the female POS 30 of this key communicates to connect with POS terminal 40.
Encryption equipment 20, for the random terminal master key that generates, adopts and specifies key to be encrypted to generate master key ciphertext to this master key, and this master key ciphertext is sent to described terminal accesses preposition 10.
Refer to Fig. 2, for terminal in an embodiment of the present invention accesses preposition 10 functional block diagram.This terminal accesses preposition 10 and comprises Database Unit 11, WEB administrative unit 12, key loading unit 13, registration unit 14, authentication ' unit 15, transaction unit 16 and key writing unit 17.
This key writing unit 17 receives these master key ciphertexts and by the cipher key store table of storage in this master key ciphertext data writing library unit 11 receiving.This cipher key store table comprises cipher key index number, master key ciphertext and working key ciphertext, and this working key ciphertext comprises check value, PIN key and MAC key etc.
This WEB administrative unit 12 is for obtaining cipher key store table and the cipher key store table that this obtains being converted to the key file of arranging form with the female POS 30 of key from Database Unit 11, wherein, this key file comprises cipher key index number, master key ciphertext and check value etc.In the present embodiment, the form of this key file is TXT form.This key loading unit 13 is for being loaded into the female POS30 of key by key file by communication interface.
The female POS 30 of this key is for being distributed to POS terminal 40 by the key file of loading, particularly, the female POS 30 of this key is in the time receiving the key distribution request that POS terminal 40 sends, current available master key in retrieval key file, this master key of mark has been used and this master key and the cipher key index number corresponding with this master key has been sent to the POS terminal 40 of carrying out key distribution request.
Referring to Fig. 3, is the functional block diagram of POS terminal in an embodiment of the present invention.This POS terminal 40 comprises key acquiring unit 41, memory cell 42 and security module generation unit 43.
This key acquiring unit 41 is for sending key distribution request to the female POS 30 of key, and the master key that female key POS 30 is distributed and cipher key index number are stored to this memory cell 42 associatedly, this security module generation unit 43 is for generating security module number according to the hardware sequence number of this cipher key index number and POS terminal, and this security module number is stored to memory cell 42.This security module number comprises hardware sequence number and cipher key index number, and for example, if hardware sequence number is " 123L013K ", cipher key index number is " 278 ", and security module number is " 123L013K00000278 ".This security module generation unit is also inputted preposition registration unit 14 and is registered for the security module of generation number being sent to terminal.
This registration unit 14 is for writing the security module receiving number a terminal list so that this security module number is registered, and this terminal list is stored in this Database Unit 11, and this terminal list is for recording the security module number that completes registration.
In the time that POS terminal 40 sends transaction request to terminal and inputs preposition transaction unit 16 and conclude the business, POS terminal sends security module in the lump number to authentication ' unit 15, and this authentication ' unit 15 is for searching terminal table and be confirmed whether to retrieve the security module number that completes registration of mating with received security module number.
This authentication ' unit 15 is during also for security module when the coupling retrieving, sends authentication success and points out to POS terminal 40 is concurrent and send trading instruction to the unit 16 of concluding the business, and the transaction request that POS terminal 40 sends is processed according to this trading instruction in transaction unit 16.This authentication ' unit 15 also, for when not in the time that terminal list retrieves the security module of coupling, sends authentification failure and points out to POS terminal 40 and send refusal trading instruction to the unit 16 of concluding the business, and transaction unit 16 refusals are processed transaction request.
Refer to Fig. 4, for generating and when distribution at master key in one embodiment of the present invention, the flow chart that master key management method is carried out in the system of Fig. 1.
Step S40, the random master key that generates of encryption equipment 20, adopt and specify key to be encrypted to generate master key ciphertext to this master key, this key writing unit 17 receives these master key ciphertexts and by the cipher key store table of storage in this master key ciphertext data writing library unit 11 receiving.
Wherein, this this cipher key store table comprises cipher key index number, master key ciphertext and working key ciphertext, and this working key ciphertext comprises check value, PIN key and MAC key etc.
Step S41, this WEB administrative unit 12 converts this cipher key store table to the key file of arranging form with the female POS 30 of key, and this key file is loaded into the female POS 30 of this key by this key loading unit 13.
In the present embodiment, the form of this key file is TXT form.This key loading unit 13 is for being loaded into the female POS 30 of key by key file by communication interface.
Step S42, the key distribution request that the key acquiring unit 41 that the female POS 30 of this key receives POS terminal 40 sends, retrieve master key available in this key file and described master key and corresponding cipher key index number are distributed to this POS terminal 40 according to this key distribution request, described master key is labeled as and is used simultaneously;
Step S43, the key acquiring unit 41 of this POS terminal 40 receives master key and the cipher key index number of the female POS30 distribution of this key, and this security module generation unit 43 generates security module number and this security module number is sent to terminal according to the hardware sequence number of this cipher key index receiving number and described POS terminal and accesses preposition 10.
Step S44, described terminal accesses preposition 10 registration unit 14 and receives this security modules number and this security module receiving number is write to a terminal list to register this security module number.
Wherein, this terminal list is stored in this Database Unit 11, and this terminal list is for recording the security module number that completes registration.
Refer to Fig. 5, in an embodiment of the present invention when the POS terminal transaction, the flow chart of carrying out in the system of master key management method in Fig. 1.
Step S50, POS terminal 40 sends transaction request to the unit 16 of concluding the business, and sends security module number to authentication ' unit 15.
Step S51, these authentication ' unit 15 searching terminal tables also judge whether to retrieve the security module number that completes registration of mating with received security module number.In the time retrieving the security module of coupling, execution step S52, otherwise, execution step S53.
Step S52, described transaction request is processed in transaction unit 16.
Step S53, described transaction request is refused in transaction unit 16.
In the present embodiment, this step S51 also comprises that authentication ' unit 15 sends authentication success in the time retrieving the security module of coupling and points out to this POS terminal 40; In the time not retrieving the security module of coupling, authentication ' unit 15 sends authentification failure and points out to this POS terminal 40.
The access of POS terminal of the present invention, terminal is preposition, master key management system and method, without POS terminal being associated with trade company account downloading before master key, female POS of the present invention can be to the disposable distribution master key of the POS terminal that needs master key and cipher key index number, POS terminal combines this cipher key index number and generates security module number with the hardware sequence number of this POS terminal, then this security module number is accessed to the registration of preposition place in terminal.In the time sending transaction request message, POS terminal sends this security module number simultaneously and authenticates with the legitimacy to this POS terminal and cipher key index thereof number to terminal access is preposition.
This is only embodiments of the invention above; not thereby limit the scope of the claims of the present invention; every equivalent structure or conversion of equivalent flow process that utilizes specification of the present invention and accompanying drawing content to do; or be directly or indirectly used in other relevant technical fields, be all in like manner included in scope of patent protection of the present invention.