Summary of the invention
To solve the problem, the present invention provides users with a security measure for using online banking.
The specific technical means adopted by the present invention are as follows: a remote secure payment method, characterized in that it comprises the following steps:
providing a bank smart card that stores secure data;
providing a terminal and a card reader, wherein the smart card information is read through the card reader, the user is authenticated between the bank smart card and a remote server, and, after verification passes, a secure data link is established between the bank smart card and the remote server to carry out the online transaction.
In particular, said authentication comprises the following steps: said terminal reads the secure data of the bank smart card; said remote server initiates a key agreement process with the terminal over the Internet; when key agreement succeeds at the terminal, the terminal returns a success message to the remote server; both sides perform two-way authentication through this key agreement process and produce a process key; in subsequent communication this process key serves as the encryption key for the data exchanged between said remote server and said terminal, thereby forming a secure data transmission link between said server and the bank smart card.
In particular, said terminal is a mobile phone, and said remote server is a mobile banking server.
In particular, said terminal is a POS terminal, and said remote server is a POS server.
In particular, said terminal is a mobile phone, said remote server is an online banking server, and said mobile phone communicates with said online banking server through a computer.
In particular, said bank smart card is provided with an ISO7816 interface, and said card reader reads the secure data in the card through this interface.
In particular, said bank smart card is provided with a contactless communication interface meeting the ISO14443 standard, and said card reader reads the secure data in the card through this interface.
In particular, said secure data comprises a digital certificate and a private key.
The present invention also provides a remote secure payment system, characterized in that it comprises:
a bank smart card, for storing secure data;
a card reader, for reading said secure data;
a terminal, provided with client software, for carrying out online transactions;
wherein said terminal reads the smart card information through the card reader, the user is authenticated between the bank smart card and a remote server, and, after verification passes, a secure data link is established between the bank smart card and the remote server to carry out the online transaction.
In particular, said terminal is a mobile phone, and said remote server is the bank's e-banking server.
In particular, said terminal is a POS terminal, and said remote server is a POS server.
In particular, said terminal is a mobile phone, said remote server is an online banking server, and said mobile phone communicates with said online banking server through a computer.
In particular, said bank smart card is provided with an ISO7816 interface, and said card reader reads the secure data in the card through this interface.
In particular, said bank smart card is provided with a contactless communication interface meeting the ISO14443 standard, and said card reader reads the secure data in the card through this interface.
In particular, said secure data comprises a digital certificate and a private key.
Beneficial effect of the present invention:
The present invention builds on the existing financial IC card, adding storage and a software interface for a digital certificate in order to verify the user's identity and ensure the safety of the user's online transactions. It can realize the function of the existing U-shield, the IC card processing chip is small, and it uses the widely available ISO7816 interface. The present invention thus provides users with a security measure for using online banking.
Embodiment
To describe the technical content, structural features, objects achieved and effects of the present invention in detail, the following explanation is given in conjunction with the embodiments and the accompanying drawings.
Fig. 1 is a structure diagram of the bank smart card of the embodiment of the present invention. This bank smart card adds a security module to the financial IC card that the bank issues to its customers. The security module provides the storage and software interface for the customer's digital certificate and private key, which are collectively referred to as secure data, and it has logic encryption computing capability, so it can replace a USB key for user identity authentication. The IC card is compact, and every bank can issue corresponding IC cards. In the present embodiment, the bank IC card has an ISO7816 interface through which the card reader can read the secure data in the card; the card information can also be read wirelessly, for example through a contactless communication interface meeting the ISO14443 standard.
Fig. 2 is a flow chart of a remote secure payment method of the embodiment of the present invention. The secure payment method comprises the following steps:
S1. Providing a bank smart card that stores secure data;
S2. Providing a terminal and a card reader, wherein the smart card information is read through the card reader, the user is authenticated between the bank smart card and a remote server, and, after verification passes, a secure data link is established between the bank smart card and the remote server to carry out the online transaction.
The authentication comprises the following steps: said terminal reads the secure data of the bank smart card; said remote server initiates a key agreement process with the terminal over the Internet; when key agreement succeeds at the terminal, the terminal returns a success message to the remote server; both sides perform two-way authentication through this key agreement process and produce a process key; in subsequent communication this process key serves as the encryption key for the data exchanged between said remote server and said terminal, thereby forming a secure data transmission link between said server and the bank smart card.
In the present embodiment, terminals include mobile terminals and non-mobile terminals, and personal terminals as well as business terminals. Said mobile terminals include mobile phones, PADs, mobile PCs and the like, and the corresponding remote server is the bank's e-banking server. Said non-mobile terminal may be a desktop PC, and the corresponding server is the online bank; the PC reads the card information through the card reader and logs in to carry out online banking transactions. Said business terminal may be a commercial POS terminal, and the corresponding server is a POS server.
Said bank smart card is provided with an ISO7816 interface, so that when said terminal has no card-reading function, the secure data in the card can be read by a card reader through this interface. Said bank smart card may also be provided with a radio-frequency near-field communication interface, in which case the card reader reads the card information wirelessly, for example by radio frequency.
Fig. 4 is a diagram of the authentication interaction between the smart card, the online banking client and the server of the present invention. The flow is described here using an ordinary online banking login as the example. The terminal is provided with an online banking client and needs to use a contact smart card to protect the transaction process. This smart card plays the role of a U-key: it stores the digital certificate and private key that the online bank uses to identify the customer, and the processor inside the card can perform encryption and digital signature algorithms.
During login, the interaction takes place mainly between the smart card and the system server (the remote system). The client software interacts with the smart card through the terminal and the card reader, sending the server's commands to the smart card and receiving its responses, thereby completing the login process.
To carry out this interaction, the smart card and the system server each have a digital certificate and a corresponding private key. The certificate and private key on the smart card are called the client certificate and client private key, and the certificate and private key on the server are called the server certificate and server private key. In addition, the smart card and the server each hold the root certificates corresponding to these certificates.
The interaction between the smart card and the remote server proceeds as follows:
1. The client has the smart card generate a 32-byte random number and packages it with some other information to produce the client handshake message. Here "client" is a term used relative to the server: the series of components made up of the client software, terminal, smart card, certificates and so on is treated as a whole. From the server's point of view, the object that interacts with the server is the client;
2. The client transmits the client handshake message to the server;
3. The server generates a 32-byte random number and packages it with some other information to produce the server handshake message;
4. The server sends the server handshake message and the server certificate to the client;
5. The client sends the server certificate to the smart card, and the smart card verifies the received server certificate; if verification passes, login succeeds; otherwise login fails;
6. The client uses the smart card to perform the following processing:
Generate a 48-byte random number as the shared master key;
Encrypt this master key with the public key in the server certificate, producing the encrypted shared master key;
Compute the handshake hash value over the client handshake message and the server handshake message, then encrypt it with the client private key, producing the handshake digital signature;
7. The client obtains the encrypted shared master key and the handshake digital signature from the smart card;
8. The client sends the client certificate, the encrypted shared master key and the handshake digital signature to the server;
9. The server checks the validity of the client certificate; if it is valid, the handshake succeeds; otherwise the handshake fails;
10. The server uses the public key in the client certificate to verify whether the handshake digital signature matches the client and server handshake messages; if it matches, the handshake succeeds; otherwise the handshake fails and an error is returned;
11. The server uses the server private key to decrypt the encrypted shared master key, obtaining the shared master key;
12. Both sides use the shared master key to calculate the session key. In subsequent communication all data packets are encrypted with the session key; the secure channel is thus established and login succeeds.
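Steps 1 to 12 above as an added sketch, not part of the patent text: textbook RSA over Mersenne primes stands in for the card and server certificate keys (insecure, chosen only so the block runs on the standard library), and certificate validation in steps 5 and 9 is assumed to have passed. The HMAC-SHA256 session-key derivation, the message labels and all function names are assumptions.

```python
import hashlib, hmac, secrets

E = 65537  # public exponent shared by both toy keys

def toy_keypair(a, b):
    # Textbook RSA over Mersenne primes 2^a-1 and 2^b-1: a stand-in for the
    # certificate keys so the example needs no third-party library. NOT secure.
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus, private exponent)

SERVER_N, SERVER_D = toy_keypair(521, 607)   # server certificate key
CARD_N, CARD_D = toy_keypair(607, 1279)      # client key; CARD_D stays on the card

def handshake_hash(client_hello, server_hello):
    digest = hashlib.sha256(client_hello + server_hello).digest()
    return int.from_bytes(digest, "big")

def card_step6(client_hello, server_hello):
    # Step 6, on the card: 48-byte master key, encrypted to the server's
    # public key, plus a signature over both handshake messages.
    master = secrets.token_bytes(48)
    enc_master = pow(int.from_bytes(master, "big"), E, SERVER_N)
    signature = pow(handshake_hash(client_hello, server_hello), CARD_D, CARD_N)
    return master, enc_master, signature  # master returned for brevity (assumption)

def server_steps10_11(client_hello, server_hello, enc_master, signature):
    # Step 10: the signature must match the messages the server itself saw.
    if pow(signature, E, CARD_N) != handshake_hash(client_hello, server_hello):
        return None  # handshake fails
    # Step 11: recover the shared master key with the server private key.
    return pow(enc_master, SERVER_D, SERVER_N).to_bytes(48, "big")

def session_key(master, client_hello, server_hello):
    # Step 12. The derivation is not given on the page; HMAC-SHA256 is assumed.
    return hmac.new(master, client_hello + server_hello, hashlib.sha256).digest()

def run_handshake(tamper=False):
    client_hello = b"client-hello" + secrets.token_bytes(32)  # steps 1-2
    server_hello = b"server-hello" + secrets.token_bytes(32)  # steps 3-4
    # Constructed fault: the server hello is altered before reaching the card.
    seen = b"server-hello" + secrets.token_bytes(32) if tamper else server_hello
    master, enc_master, sig = card_step6(client_hello, seen)  # steps 6-8
    recovered = server_steps10_11(client_hello, server_hello, enc_master, sig)
    client_key = session_key(master, client_hello, seen)
    server_key = recovered and session_key(recovered, client_hello, server_hello)
    return client_key, server_key

if __name__ == "__main__":
    ck, sk = run_handshake()
    print("keys match:", ck == sk, "| tampered:", run_handshake(tamper=True)[1])
```

Because the signature in step 10 covers both handshake messages, a server hello altered in transit makes the server abort before it decrypts the master key.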
Fig. 3 is a structure diagram of the secure payment system of the embodiment of the present invention. The secure payment system comprises: a bank smart card, for storing secure data; a card reader, for reading said secure data; and a terminal, provided with client software, for carrying out online transactions. Said terminal reads the smart card information through the card reader, the user is authenticated between the bank smart card and the remote server, and, after verification passes, a secure data link is established between the bank smart card and the remote server to carry out the online transaction. The secure data comprises a digital certificate and a private key. In the present embodiment, taking a PC and an online banking server as the example, the online banking server side initiates a key agreement process with the PC side over the Internet; after key agreement succeeds at the PC side, it returns a success message to the online banking server; both sides perform two-way authentication through this key agreement process and produce a process key; in subsequent communication this process key serves as the encryption key for the data exchanged between the online banking server and said terminal, thereby forming a secure data transmission link between the online banking server and the smart card, over which subsequent transaction data is transmitted.
The present invention builds on the existing financial IC card, adding storage and a software interface for a digital certificate in order to verify the user's identity and ensure the safety of the user's online transactions. It can realize the function of the existing U-shield, the IC card processing chip is small, it uses the widely available ISO7816 interface, its cost is low, and the processing technology is mature. It thus provides users with a secure, low-cost safeguard for using online banking.
The foregoing is only an embodiment of the present invention and does not thereby limit the scope of the claims of the present invention. Any equivalent structure or equivalent flow transformation made using the content of the specification and accompanying drawings of the present invention, or any direct or indirect use in other related technical fields, is likewise included in the scope of patent protection of the present invention.