+

CN113077261A - Offline card transaction authentication system and offline card transaction authentication method - Google Patents

Offline card transaction authentication system and offline card transaction authentication method Download PDF

Info

Publication number
CN113077261A
CN113077261A CN202010147123.3A CN202010147123A CN113077261A CN 113077261 A CN113077261 A CN 113077261A CN 202010147123 A CN202010147123 A CN 202010147123A CN 113077261 A CN113077261 A CN 113077261A
Authority
CN
China
Prior art keywords
transaction
card
key
transaction authentication
user card
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202010147123.3A
Other languages
Chinese (zh)
Inventor
林志贤
利建宏
蔡金翰
许银雄
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Acer Intelligent Medical Co ltd
Original Assignee
Acer Intelligent Medical Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Acer Intelligent Medical Co ltd filed Critical Acer Intelligent Medical Co ltd
Publication of CN113077261A publication Critical patent/CN113077261A/en
Withdrawn legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4016Transaction verification involving fraud or risk level assessment in transaction processing
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Computer Security & Cryptography (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Control Of Vending Devices And Auxiliary Devices For Vending Devices (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention provides an off-line card transaction authentication system and an off-line card transaction authentication method. The user card records the asymmetric private key and the balance information and generates a symmetric conference key. The transaction authentication host includes a card reading device coupled to the user card and generates a symmetric session key. And in response to the transaction authentication host receiving the transaction instruction, the transaction authentication host and the user card perform an identity authentication procedure according to the symmetric conference key. And in response to the user card passing the identity authentication program, the transaction authentication host and the user card perform the transaction specified by the transaction instruction, and the user card adjusts balance information according to the transaction. The user card generates a digital signature for the transaction record of the transaction by using the asymmetric private key, and stores the digital signature and the transaction record into a storage medium.

Description

Offline card transaction authentication system and offline card transaction authentication method
Technical Field
The present invention relates to electronic transaction technologies, and in particular, to an offline card transaction authentication system and an offline card transaction authentication method.
Background
With the development of technology, electronic transaction services using electronic cards have become increasingly popular. Furthermore, in the present life environment, for safety and convenience, various electronic cards have been used to replace real money in many applications and transaction environments, such as tickets, time counting cards and telephone cards, which are all applicable to electronic cards. The user needs to spend real money and store equivalent virtual points or virtual money in the electronic card, so as to consume with the electronic card, use specific instruments, or obtain price-matching services, etc.
Generally, a key authentication procedure is a common authentication method and transaction verification method in a process of a user using an electronic card to perform a transaction. In addition, in order to secure and confirm the balance or remaining points in the electronic card, it is common practice to track the transaction records of the electronic card each time through an online cloud database, so that the remaining points or balance can be correctly returned when the electronic card is lost or damaged. However, no matter the key authentication procedure or the online cloud database is used, most transaction hosts at the debit terminal need to connect to the network to upload the transaction records to the online cloud database or obtain the necessary key. However, in some specific situations, it is not desirable to use the transaction host under the condition of network connection because of the considerations of information security or data privacy, so as to prevent a malicious person from hacking into the transaction host through the network to modify or steal data. On the other hand, in recent years, the society has many problems of information security holes, which easily cause distrust of merchants and people for electronic transactions. Therefore, the information security problem of electronic transaction behaviors such as card tickets and the like cannot be ignored.
Disclosure of Invention
In view of the above, the present invention provides an offline card transaction authentication system and an offline card transaction authentication method, which can use an electronic card to perform a transaction in an offline environment, thereby ensuring the security and confidentiality of the electronic card transaction.
The invention provides an off-line card transaction authentication system, which comprises a user card and a transaction authentication host. The user card records an asymmetric private key and balance information and generates a symmetric conference key. The transaction authentication host comprises a card reading device coupled to the user card and generates a symmetric conference key. And in response to the transaction authentication host receiving the transaction instruction, the transaction authentication host and the user card perform an identity authentication procedure according to the symmetric conference key. And in response to the user card passing the identity authentication program, the transaction authentication host and the user card perform the transaction specified by the transaction instruction, and the user card adjusts balance information according to the transaction. The user card generates a digital signature for the transaction record of the transaction by using the asymmetric private key, and stores the digital signature and the transaction record into a storage medium.
The invention provides an off-line card transaction authentication method, which comprises the following steps. Generating a symmetric conference key by the user card in response to receiving the transaction instruction by the transaction authentication host, generating the symmetric conference key by the transaction authentication host, and performing an identity authentication procedure by the transaction authentication host and the user card according to the symmetric conference key; the user card passes through the identity authentication program, the transaction specified by the transaction instruction is carried out by the transaction authentication host and the user card, and the balance information recorded by the user card is adjusted by the user card according to the transaction; and generating a digital signature for the transaction record of the transaction by using the asymmetric private key through the user card, and storing the digital signature and the transaction record into a storage medium.
Based on the above, in the embodiment of the invention, when the user card is used for performing the electronic transaction, the user card and the transaction authentication host can improve the instruction cycle during the identity authentication by using the symmetric key encryption method. The user card and the transaction authentication host do not need to execute the action of inquiring the public key through the network, so the transaction authentication system of the embodiment of the invention can carry out identity authentication in an off-line environment, thereby ensuring the data confidentiality of the transaction authentication host. In addition, each transaction record of the user card is signed by the asymmetric private key, so that the verified transaction records are favorable for auditing and correctness of the transaction records, and the illegal balance swindling by a person with worry can be effectively prevented.
In order to make the aforementioned and other features and advantages of the invention more comprehensible, embodiments accompanied with figures are described in detail below.
Drawings
The accompanying drawings are included to provide a further understanding of the invention, and are incorporated in and constitute a part of this specification. The drawings illustrate embodiments of the invention and together with the description serve to explain the principles of the invention.
FIG. 1 is a schematic diagram of an off-line card transaction authentication system according to an embodiment of the invention.
FIG. 2 is a flow diagram of an off-line card transaction authentication method according to an embodiment of the invention.
Fig. 3 is a schematic diagram of an offline card transaction authentication system using a SAM card according to an embodiment of the present invention.
FIG. 4 is a flow chart of a debit process performed by the offline card transaction authentication system according to an embodiment of the present invention.
Fig. 5 is a schematic diagram of an off-line card transaction authentication system using a dealer card, in accordance with an embodiment of the present invention.
FIG. 6 is a flow diagram of a stored value process performed by an off-line card transaction authentication system according to one embodiment of the invention.
Description of the reference numerals
10: an off-line card transaction authentication system;
110: a user card;
120: a transaction authentication host;
111: a transmission interface;
112: processing the chip;
121: a card reading device;
122: an instruction receiving unit;
123: a storage medium;
124: a processing circuit;
124_ 1: a processor;
124_ 2: SAM card;
124_ 3: a dealer card;
CMD, CMD', CMD ": a transaction instruction;
s201 to S203, S401 to S417, S601 to S617: and (5) carrying out the following steps.
Detailed Description
Reference will now be made in detail to exemplary embodiments of the invention, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings and the description to refer to the same or like parts.
Fig. 1 is a block diagram of a light source information prediction model building system according to an embodiment of the invention, which is for convenience of illustration only and is not intended to limit the invention. First, fig. 1 first introduces all the components and configuration relationships of the light source information prediction model building system, and the detailed functions will be disclosed together with fig. 2.
FIG. 1 is a schematic diagram of an off-line card transaction authentication system according to an embodiment of the invention. Referring to fig. 1, an off-line card transaction authentication system 10 includes a transaction authentication host 120 and a user card 110.
The user Card 110 is a Smart Card (Smart Card), which may also be called an IC Card (Integrated Circuit Card). The user card 110 is embedded with a dedicated processing chip 112 for data storage or arithmetic processing. More specifically, in one embodiment, the user card 110 may include a transmission interface 111 and a processing chip 112. The transmission interface 111 may be a contact transmission interface or a non-contact (inductive) transmission interface, which is not limited by the present invention. The processing chip 112 is an integration of processing circuitry with computing and data storage capabilities and memory circuitry.
The transaction verification host 120 includes a card reader 121, an instruction receiving unit 122, a storage medium 123, and a processing circuit 124. The card reading device 121 may be a card slot reader or an inductive card reader, which is not limited in the present invention. The command receiving unit is an input device such as a keyboard, a mouse, a touch input device, and the like, and is used for receiving a command issued by a user. The storage medium 123 is used for storing data, instructions, program code, software components, and the like, and may be any type of fixed or removable Random Access Memory (RAM), read-only memory (ROM), flash memory (flash memory), hard disk or other similar device, integrated circuit, and combinations thereof.
The processing circuit 124 is coupled to the card reading device 121, the command receiving unit 122 and the storage medium 123 to control the overall operation of the off-line card transaction authentication system 10. In the embodiment, the Processing circuit 124 is, for example, a Central Processing Unit (CPU), or other Programmable general purpose or special purpose Microprocessor (Microprocessor), Digital Signal Processor (DSP), Programmable controller, Application Specific Integrated Circuit (ASIC), Programmable Logic Device (PLD), or other similar devices or combinations thereof.
It should be noted that, in one embodiment, the transaction authentication host 120 may be implemented by a computer device (e.g., a notebook computer or a desktop computer) and an external card reading device 121. The external card reading device 121 can be connected to a computer device via a USB interface. In another embodiment, the transaction authentication host 120 may be a computer device having a built-in card reading device 121. In addition, in one embodiment, the processing circuit 124 may include a central processing unit of a computer device and a processing chip of another smart card. Alternatively, in one embodiment, the processing circuit 124 may comprise only a central processing unit of a computer device. Alternatively, in one embodiment, the processing circuit 124 may include only a central processing unit of a computer device and other integrated circuits with computing capabilities.
In one embodiment, the card reading device 121 may read data in the user card 110 or provide data to the user card 110, so that the processing circuit 124 may communicate with the user card through the card reading device 121.
Fig. 2 is a flowchart of a rearview mirror control method according to an embodiment of the invention. Referring to fig. 2, the method of the present embodiment is applied to the offline card transaction authentication system 10 in the above embodiment, and the detailed steps of the offline card transaction authentication method of the present embodiment are described below in conjunction with various components of the offline card transaction authentication system 10.
In step S201, in response to the transaction authentication host 120 receiving the transaction command CMD, the user card 110 generates a symmetric session key, the transaction authentication host 120 generates a symmetric session key, and the transaction authentication host 120 and the user card 110 perform an identity authentication procedure according to the symmetric session key.
In detail, when the card holder of the user card 110 intends to perform a transaction, the system operator may issue a transaction command CMD through the command receiving unit 122. For example, the card holder of the user card 110 may purchase items, use of specialized instruments, use of specialized software systems, traffic tickets or other specific services, etc. based on the amount, points or virtual currency in the user card 110. Heretofore, the card holder of the user card 110 has been required to spend real money to purchase the amount, points, or virtual money in the user card 110, the act of converting real money to the amount, points, or virtual money in the card being referred to as stored value. The balance information recorded by user card 110 will then change as the card holder of user card 110 consumes and stores value. When the card holder of the user card 110 intends to perform a transaction, the user card 110 is inserted into or close to the card reading device 121 of the transaction authentication host 120, and the system operator can issue a transaction command CMD to the transaction authentication host 120 according to the transaction type.
In response to the transaction command CMD, the transaction authentication host 120 and the user card 110 perform authentication according to symmetric key cryptography. In other words, before the two parties perform the transaction process, the transaction authentication host 120 and the user card 110 must go through a session to authenticate each other. In one embodiment, the transaction authentication host 120 and the user card 110 need to perform specific steps to generate the same symmetric session key respectively, and perform identity authentication using the symmetric session key. Here, the symmetric session key is a symmetric key used for encrypting the session at one time, and the transaction authentication host 120 and the user card 110 use the same key to encrypt plaintext and decrypt ciphertext. For example, the Encryption Algorithm of the symmetric key Encryption may include a Data Encryption Standard (DES), a three-stage Data Encryption Standard (3 DES), an Advanced Encryption Standard (AES), a Blowfish Algorithm, an International Data Encryption Algorithm (IDEA), and the like, which are not limited in this disclosure.
Next, in step S202, in response to the user card 110 passing through the identity authentication procedure, the transaction specified by the transaction command CMD is performed with the user card 110 by the transaction authentication host 120, and the balance information recorded by the user card 110 is adjusted by the user card 110 according to the transaction. In one embodiment, the transaction command CMD includes a debit transaction command or a stored value transaction command, and the transaction includes a debit transaction or a stored value transaction.
It should be noted that, in an embodiment, the transaction authentication host 120 and the user card 110 may encrypt a certain Message to be sent to the other party according to the symmetric session key to generate a Message Authentication Code (MAC), so that the other party may verify the integrity of the Message according to the received MAC. In one embodiment, the symmetric session key may include a first session key for verifying identity and another second session key for verifying information integrity. After both the transaction-authenticating host 120 and the user card 110 successfully authenticate the other party as a legitimate transaction object according to the first session key and successfully verify the integrity of the transmitted and received information according to the second session key, the transaction-authenticating host 120 and the user card 110 can perform a transaction specified by the transaction command CMD. For example, the user card 110 may deduct the amount or points required for the transaction from the balance information, and the transaction verification host 120 may unlock the usage rights of a specific instrument or specialized software depending on the contents of the transaction. Thus, the holder of the user card 110 can use a specific instrument or professional software through payment.
In one embodiment, the user card 110 records a first encryption key K1, and the user card 110 generates a symmetric session key according to the first encryption key K1. The transaction verification host 120 has a second encryption key K2, and the transaction verification host 120 derives the first encryption key K1 from a Key Derivation Function (KDF) and the second encryption key K2. The transaction authentication host 120 then generates a symmetric session key according to the first encryption key K1.
Finally, in step S203, the user card 110 generates a digital signature for the transaction record of the transaction by using the asymmetric private key, and stores the digital signature and the transaction record in a storage medium. For example, the digital signature and transaction record may be stored in the storage medium 123 built into the transaction verification host 120, or the digital signature and transaction record may be stored in the processing chip 112 of the user card 110. Specifically, when manufacturing the user card 110, the card manufacturer may first generate an asymmetric public key and an asymmetric private key according to the asymmetric encryption algorithm, write the asymmetric private key into the user card 110, and store the asymmetric public key in a database. The asymmetric encryption Algorithm is, for example, RSA (Rivest-Shamir-Adleman) Algorithm, Digital Signature Algorithm (DSA), Elliptic Curve Digital Signature Algorithm (ECDSA), or the like. Thus, when the transaction record of the user card 110 is to be audited, the verifier can obtain the asymmetric public key from the database and verify the digital signature and the transaction record recorded in the storage medium. The transaction record of the user card 110 can be correctly known by the verifier through the verified digital signature and the transaction record. Therefore, the embodiment of the invention can provide a card transaction method with verifiable transaction records in an off-line environment. In the event that a malicious person cannot learn the asymmetric private key of the user card 110, the transaction record cannot be forged.
Based on the foregoing, the transaction may comprise a debit transaction or a stored value transaction. However, whether a debit or stored value transaction is performed, the authentication process between the user card 110 and the transaction verification host 120 is similar, and the authentication and verification of the information is performed by symmetric key cryptography in an off-line environment. The following examples are given by way of illustration.
Fig. 3 is a schematic diagram of an offline card transaction authentication system using a SAM card according to an embodiment of the present invention. Referring to fig. 3, in the embodiment, when the transaction is a debit transaction, the transaction authentication host 120 further includes a Secure Access Module (SAM) card 124_1 coupled to the card reading device 121. In contrast, the second encryption key K2 for generating the symmetric conference key includes a deduction encryption key recorded in the SAM card 124_ 1. The SAM card 124_1 is also a smart card with an operation and storage chip. That is, the processing circuit 124 shown in fig. 1 can be implemented by the processor 124_1 and the SAM card 124_ 1. In other words, in the embodiment of fig. 3, the SAM card 124_1 is required for transaction authentication. By writing the second key K2 and the first key K1 derived based on the second key K2 to the SAM card 124_1 and the user card 110, respectively, the card maker will manufacture the SAM card 124_1 and the user card 110 that can be matched with each other.
FIG. 4 is a flow chart of a debit process performed by the offline card transaction authentication system according to an embodiment of the present invention. Referring to fig. 4, the method of the present embodiment is applied to the offline card transaction authentication system 10 in the embodiment of fig. 3, and the detailed steps of the offline card transaction authentication method of the present embodiment are described below with reference to various components in the offline card transaction authentication system 10.
It should be noted that the following embodiment will be described in terms of the balance information in the user card 110 being in units of points, but the invention is not limited thereto. That is, user card 110 may spend a particular amount of money to purchase card points on user card 110. In step S401, the processor 124_1 of the transaction verification host 120 receives a transaction command CMD', which is a debit command. In step S402, the processor 124_1 sends a deduction request to the SAM card 124_1 in response to the transaction command CMD'. In step S403, the SAM card 124_1 generates a first random number. In step S404, the SAM card 124_1 sends the first random number to the processor 124_1 of the transaction authentication host 120. In step S405, the processor 124_1 of the transaction verification host 120 sends the first random number and the point information to the user card 110, where the point information may include a point transaction point and a timestamp.
Next, in step S406, the user card 110 generates a second random number in response to receiving the click information. The user card 110 records a first encryption key for the deduction point. In step S407, the user card 110 generates a symmetric session key according to the first encryption key, the transaction counter, the first random number and the second random number, and generates a first encryption token (token) by encrypting a concatenation sequence of the first random number and the second random number according to the symmetric session key. In step S408, the user card 110 sends the user card number, the user card unique identifier (UUID), the second random number, the deduction point information, the balance information, and the first encrypted token to the SAM card 124_ 1. In addition, in step S408, the user card 110 may also generate a MAC according to the information content and send the MAC to the SAM card 124_ 1.
The SAM card 124_1 records a deduction encryption key. In step S409, the SAM card 124_1 derives a first encryption key according to a Key Derivation Function (KDF) and a deduction encryption key, and generates a symmetric conference key according to the first encryption key, the transaction counter, the first random number and the second random number. In step S410, the SAM card 124_1 verifies the first encrypted token using the symmetric session key. The SAM card 124_1 decrypts the first encrypted token using the symmetric session key, and thus performs verification by comparing the random number information in the decryption result with the first random number. In addition, the SAM card 124_1 may verify the integrity of the information from the MAC of the user card 110. In step S411, the SAM card 124_1 generates a second encrypted token (token) by encrypting the concatenated sequence of the second random number and the first random number according to the symmetric session key. In step S413, the SAM card 124_1 sends the user card number, the point information, the balance information, and the second encrypted token to the user card 110.
In step S414, the user card 110 confirms the transaction information and verifies the second encrypted token using the symmetric session key. The user card 110 decrypts the second encrypted token using the symmetric session key, and thereby performs authentication by comparing the random number information in the decryption result with the second random number. In step S415, the user card 110 adjusts the balance information according to the point deduction information, i.e. deducts the point transaction points from the balance. For example, if the balance information is originally 50 points and the point deduction transaction points are 5 points, the balance information of the user card 110 is reduced to 45 points based on the point deduction information of the money deduction transaction. In step S416, the user card 110 generates a digital signature for the transaction record by using the asymmetric private key, that is, signs the transaction record by using the asymmetric private key. In step S417, the user card 110 sends the transaction record including the user card number, the point deduction information and the balance information and the digital signature to the processor 124_1 to be recorded in the storage medium 123.
Based on the process shown in fig. 4, the user card 110 and the transaction verification host 120 may perform an identity verification process in an off-line environment to perform a debit transaction, and send the transaction record with the digital signature to the transaction verification host 120 for later auditing.
Specifically, in one embodiment, the transaction record includes the user card number of the user card 110. The verification host has access to all transaction records and digital signatures stored on the storage medium 123 for a plurality of user cards. The verification host may be the transaction verification host 120 or other devices, as the present invention is not limited in this respect. The verification host can search out an asymmetric public key matched with the asymmetric private key of the user card 110 from the database according to the card number of the user card 110, and verify the digital signature according to the asymmetric public key so as to audit the transaction record of the user card 110.
Based on the descriptions of fig. 3 to fig. 4, in an embodiment, the keys in the SAM card and the user card can be sorted as in the following example table 1.
TABLE 1
Figure BDA0002401148680000091
Here, kDEBIT and kDEBIT _ mac are the top keys that the card maker has. That is, the symmetric encryption keys recorded by the SAM card and the user card are derived from the top key of the card manufacturer.
Fig. 5 is a schematic diagram of an off-line card transaction authentication system using a dealer card, in accordance with an embodiment of the present invention. Referring to fig. 5, in the embodiment, when the transaction is a stored value transaction, the transaction authentication host 120 further includes a dealer card 124_3 coupled to the card reading device 121. In contrast, the second encryption key K2 used to generate the symmetric conference key comprises a stored-value encryption key recorded in the dealer card 124_ 3. The dealer card 124_3 is also a smart card with an operation and storage chip, and the dealer card 124_3 records the dealer points available for the user to purchase. That is, the processing circuit 124 shown in fig. 1 can be implemented by the processor 124_1 and the dealer card 124_ 3. In other words, in the embodiment of FIG. 5, the dealer card 124_3 is required for transaction authentication and value-storing processes. By writing the second key K2 and the first key K1 derived based on the second key K2 to the dealer card 124_3 and the user card 110, respectively, the card manufacturer will manufacture the dealer card 124_3 and the user card 110 that can be matched with each other.
FIG. 6 is a flow diagram of a stored value process performed by an off-line card transaction authentication system according to one embodiment of the invention. Referring to fig. 6, the method of the present embodiment is applied to the offline card transaction authentication system 10 in the embodiment of fig. 5, and the detailed steps of the offline card transaction authentication method of the present embodiment are described below with reference to various components in the offline card transaction authentication system 10.
It should be noted that the authentication procedure between the dealer card 124_3 and the user card 110 is similar to the authentication procedure between the SAM card 124_1 and the user card 110 in the foregoing embodiment. In step S601, the processor 124_1 of the transaction verification host 120 receives a transaction command CMD ", and the transaction command CMD" is a stored value command. In step S602, the processor 124_1 sends a stored value request to the dealer card 124_3 in response to the transaction command CMD ". In step S603, the dealer card 124_3 generates a first random number. In step S604, the dealer card 124_3 sends the first random number to the processor 124_1 of the transaction verification host 120. In step S605, the processor 124_1 of the transaction authentication host 120 sends the first random number and the stored value information to the user card 110, wherein the stored value information may include stored value transaction points and a timestamp.
Next, in step S606, the user card 110 generates a second random number in response to receiving the stored value information. The user card 110 records a first encryption key for stored value. In step S407, the user card 110 generates a symmetric session key according to the first encryption key, the transaction counter, the first random number and the second random number, and generates a first encryption token (token) by encrypting a concatenation sequence of the first random number and the second random number according to the symmetric session key. In step S608, the user card 110 sends the user card number, the user card UUID, the second random number, the stored value information, the balance information, and the first encrypted token to the dealer card 124_ 3. In addition, in step S408, the user card 110 may also generate a MAC according to the information content and send the MAC to the dealer card 124_ 3.
The dealer card 124_3 records a stored-value encryption key. In step S609, the SAM card 124_1 derives a first encryption key according to a Key Derivation Function (KDF) and a stored-value encryption key, and generates a symmetric conference key according to the first encryption key, a transaction counter, a first random number and a second random number. In step S610, the dealer card 124_3 verifies the first encrypted token using the symmetric session key. Further, the dealer card 124_3 verifies the integrity of the information by the MAC from the user card 110. In step S611, the dealer card 124_3 generates a second encrypted token by encrypting the concatenated sequence of the second random number and the first random number according to the symmetric conference key. In step S613, the dealer card 124_3 sends the user card number, the stored value information, the balance information, and the second encrypted token to the user card 110. In addition, after the dealer card 124_3 verifies the identity of the user card 110, in step S612, the dealer card 124_3 may adjust the dealer balance information in the dealer card 124_3 according to the stored value information. For example, the distribution balance of the dealer card 124_3 that can be purchased by the user card 110 holder is originally 1000 points, and if the stored value transaction points in the stored value information are 100 points, the distribution balance of the dealer card 124_3 will be reduced to 900 points.
In step S614, the user card 110 confirms the transaction information and verifies the second encrypted token using the symmetric session key. In step S615, the user card 110 raises the balance information according to the stored value information, i.e., adds the balance to the stored value transaction points in the stored value information. In step S616, the user card 110 generates a digital signature for the transaction record by using the asymmetric private key, that is, signs the transaction record by using the asymmetric private key. In step S617, the user card 110 sends the transaction record including the user card number, the stored value information and the balance information and the digital signature to the processor 124_1 to be recorded in the storage medium 123.
Based on the process shown in fig. 6, the user card 110 may perform an authentication process with the transaction-authenticating host 120 in an off-line environment to perform a stored-value transaction, and send the transaction record with a digital signature to the transaction-authenticating host 120 for later auditing. Similarly, the verification host may also verify that user card 110 is making a transaction record of the stored value.
Based on the descriptions of fig. 5 to fig. 6, in one embodiment, the keys in the user card and the dealer card can be sorted as in the following exemplary table 2.
TABLE 2
Figure BDA0002401148680000121
Here, kDEBIT and kDEBIT _ MAC are the top keys that the card maker has. That is, the symmetric encryption keys recorded by the dealer card and the user card are derived from the uppermost key of the card manufacturer.
In summary, in the embodiment of the present invention, a symmetric key encryption method is used when the card and the transaction authentication host perform the identity verification, and the digital signature of the transaction record is generated according to the asymmetric key encryption method. Therefore, the embodiment of the invention can avoid the steps of the asymmetric key management book and the online public key inquiry of the transaction authentication host in the identity authentication, thereby being capable of carrying out the identity authentication quickly and with low cost in an offline environment. Therefore, the data saved by the transaction authentication host can be prevented from being stolen or tampered due to the fact that the transaction authentication host is exposed to the network online environment. In addition, because the embodiment of the invention generates the digital signature of the transaction record according to the asymmetric key encryption method, the off-line card transaction authentication system can record the verifiable transaction record in the off-line environment, so that the verification host can use the public key to verify the correctness of the transaction record for auditing.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (14)

1.一种离线式卡片交易认证系统,其特征在于,所述系统包括:1. An off-line card transaction authentication system, wherein the system comprises: 用户卡片,记录有非对称私钥以及余额信息,并产生对称式会议密钥;User card, which records asymmetric private key and balance information, and generates symmetric conference key; 交易认证主机,包括耦接至所述用户卡片的读卡装置,并产生所述对称式会议密钥,a transaction authentication host, comprising a card reader coupled to the user card and generating the symmetric conference key, 其中反应于所述交易认证主机接收到交易指令,所述交易认证主机与所述用户卡片依据所述对称式会议密钥进行身份认证程序,In response to the transaction authentication host receiving a transaction instruction, the transaction authentication host and the user card perform an identity authentication procedure according to the symmetric conference key, 反应于所述用户卡片通过所述身份认证程序,所述交易认证主机与所述用户卡片进行所述交易指令所指定的交易,且所述用户卡片依据所述交易调整所述余额信息,In response to the user card passing the identity authentication program, the transaction authentication host performs the transaction specified by the transaction instruction with the user card, and the user card adjusts the balance information according to the transaction, 其中所述用户卡片利用所述非对称私钥对所述交易的交易记录产生数字签名,并将所述数字签名与交易记录储存至储存媒介。The user card uses the asymmetric private key to generate a digital signature for the transaction record of the transaction, and stores the digital signature and the transaction record in a storage medium. 2.根据权利要求1所述的离线式卡片交易认证系统,其中所述交易指令包括扣款交易指令或储值交易指令,且所述交易包括扣款交易或储值交易。2. The offline card transaction authentication system according to claim 1, wherein the transaction instruction includes a debit transaction instruction or a stored value transaction instruction, and the transaction includes a debit transaction or a stored value transaction. 3.根据权利要求2所述的离线式卡片交易认证系统,其中所述用户卡片记录有第一加密密钥,所述用户卡片依据所述第一加密密钥产生所述对称式会议密钥,所述交易认证主机具有第二加密密钥,所述交易认证主机依据一密钥衍生函数与所述第二加密密钥推导出所述第一加密密钥,且所述交易认证主机依据所述第一加密密钥产生所述对称式会议密钥。3. The offline card transaction authentication system according to claim 2, wherein the user card is recorded with a first encryption key, and the user card generates the symmetric conference key according to the first encryption key, The transaction authentication host has a second encryption key, the transaction authentication host derives the first encryption key according to a key derivation function and the second encryption key, and the transaction authentication host according to the The first encryption key generates the symmetric conference key. 4.根据权利要求3所述的离线式卡片交易认证系统,其中所述交易认证主机还包括耦接至所述读卡装置的一安全存取模块卡片,所述第二加密密钥包括记录于所述安全存取模块卡片中的扣款加密密钥。4. The off-line card transaction authentication system of claim 3, wherein the transaction authentication host further comprises a secure access module card coupled to the card reader, the second encryption key comprising a key recorded in the The debit encryption key in the secure access module card. 5.根据权利要求3所述的离线式卡片交易认证系统,其中所述交易认证主机还包括耦接至所述读卡装置的经销商卡片,所述第二加密密钥包括记录于所述经销商卡片中的储值加密密钥。5. The off-line card transaction authentication system of claim 3, wherein the transaction authentication host further comprises a dealer card coupled to the card reader, and the second encryption key includes a card recorded in the dealer Stored value encryption key in the merchant card. 6.根据权利要求1所述的离线式卡片交易认证系统,其中所述储存媒介内建于所述交易认证主机中。6. The offline card transaction authentication system of claim 1, wherein the storage medium is built in the transaction authentication host. 7.根据权利要求1所述的离线式卡片交易认证系统,其中所述交易记录包括所述用户卡片的卡号,7. The offline card transaction authentication system according to claim 1, wherein the transaction record includes the card number of the user card, 其中所述离线式卡片交易认证系统还包括验证主机,所述验证主机依据所述卡号自数据库搜寻出非对称公钥,并依据所述非对称公钥对所述数字签名进行验证,以稽核所述用户卡片的所述交易记录。The offline card transaction authentication system further includes a verification host, the verification host searches out the asymmetric public key from the database according to the card number, and verifies the digital signature according to the asymmetric public key to audit all the transaction record of the user card. 8.一种离线式卡片交易认证方法,其特征在于,包括:8. An offline card transaction authentication method, comprising: 反应于交易认证主机接收到交易指令,藉由用户卡片产生对称式会议密钥,藉由所述交易认证主机产生所述对称式会议密钥,并藉由所述交易认证主机与所述用户卡片依据所述对称式会议密钥进行身份认证程序;In response to the transaction authentication host receiving the transaction instruction, a symmetric conference key is generated by the user card, the symmetric conference key is generated by the transaction authentication host, and the transaction authentication host and the user card are generated by the transaction authentication host. performing an identity authentication procedure according to the symmetric conference key; 反应于所述用户卡片通过所述身份认证程序,藉由所述交易认证主机与所述用户卡片进行所述交易指令指定的交易,且藉由所述用户卡片依据所述交易调整所述用户卡片所记录的余额信息;以及In response to the user card passing the identity authentication program, the transaction authentication host and the user card perform the transaction specified by the transaction instruction, and the user card is adjusted according to the transaction by the user card recorded balance information; and 藉由所述用户卡片利用非对称私钥对所述交易的交易记录产生数字签名,并将所述数字签名与交易记录储存至储存媒介。A digital signature is generated on the transaction record of the transaction by the user card using the asymmetric private key, and the digital signature and the transaction record are stored in a storage medium. 9.根据权利要求8所述的离线式卡片交易认证方法,其中所述交易指令包括扣款交易指令或储值交易指令,且所述交易包括扣款交易或储值交易。9. The offline card transaction authentication method according to claim 8, wherein the transaction instruction includes a debit transaction instruction or a stored value transaction instruction, and the transaction includes a debit transaction or a stored value transaction. 10.根据权利要求9所述的离线式卡片交易认证方法,其中所述用户卡片记录有第一加密密钥,所述用户卡片依据所述第一加密密钥产生所述对称式会议密钥,所述交易认证主机具有第二加密密钥,所述交易认证主机依据密钥衍生函数与所述第二加密密钥推导出所述第一加密密钥,且所述交易认证主机依据所述第一加密密钥产生所述对称式会议密钥。10. The offline card transaction authentication method according to claim 9, wherein the user card is recorded with a first encryption key, and the user card generates the symmetric conference key according to the first encryption key, The transaction authentication host has a second encryption key, the transaction authentication host derives the first encryption key according to the key derivation function and the second encryption key, and the transaction authentication host uses the first encryption key. An encryption key generates the symmetric conference key. 11.根据权利要求10所述的离线式卡片交易认证方法,其中所述交易认证主机还包括耦接至读卡装置的一安全存取模块卡片,所述第二加密密钥记录于所述安全存取模块卡片中的扣款加密密钥。11. The offline card transaction authentication method of claim 10, wherein the transaction authentication host further comprises a secure access module card coupled to a card reader, and the second encryption key is recorded in the secure Access the debit encryption key in the module card. 12.根据权利要求10所述的离线式卡片交易认证方法,其中所述交易认证主机还包括耦接至读卡装置的经销商卡片,所述第二加密密钥包括记录于所述经销商卡片中的储值加密密钥。12. The offline card transaction authentication method according to claim 10, wherein the transaction authentication host further comprises a dealer card coupled to a card reader, and the second encryption key comprises a dealer card recorded on the dealer card. Stored value encryption key in . 13.根据权利要求8所述的离线式卡片交易认证方法,其中所述储存媒介内建于所述交易认证主机中。13. The offline card transaction authentication method according to claim 8, wherein the storage medium is built in the transaction authentication host. 14.根据权利要求8所述的离线式卡片交易认证方法,其中所述交易记录包括所述用户卡片的卡号,而所述方法还包括:14. The offline card transaction authentication method according to claim 8, wherein the transaction record includes the card number of the user card, and the method further comprises: 藉由验证主机依据所述卡号自数据库搜寻出非对称公钥,并依据所述非对称公钥对所述数字签名进行验证,以稽核所述用户卡片的所述交易记录。The verification host searches out the asymmetric public key from the database according to the card number, and verifies the digital signature according to the asymmetric public key, so as to check the transaction record of the user card.
CN202010147123.3A 2020-01-06 2020-03-05 Offline card transaction authentication system and offline card transaction authentication method Withdrawn CN113077261A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
TW109100305 2020-01-06
TW109100305A TW202127339A (en) 2020-01-06 2020-01-06 Offline card transaction authentication system and offline card transaction authentication method

Publications (1)

Publication Number Publication Date
CN113077261A true CN113077261A (en) 2021-07-06

Family

ID=76609103

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010147123.3A Withdrawn CN113077261A (en) 2020-01-06 2020-03-05 Offline card transaction authentication system and offline card transaction authentication method

Country Status (2)

Country Link
CN (1) CN113077261A (en)
TW (1) TW202127339A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5577121A (en) * 1994-06-09 1996-11-19 Electronic Payment Services, Inc. Transaction system for integrated circuit cards
CN101183456A (en) * 2007-12-18 2008-05-21 中国工商银行股份有限公司 Encryption device, system and method for encryption, identification using the encryption device
CN101848090A (en) * 2010-05-11 2010-09-29 武汉珞珈新世纪信息有限公司 Authentication device and system and method using same for on-line identity authentication and transaction
TW201123043A (en) * 2009-12-22 2011-07-01 Financial Information Service Co Ltd Off-line cross-bank authentication method of prepaid card.
WO2013130912A2 (en) * 2012-02-29 2013-09-06 Google Inc. In-card access control and monotonic counters for offline payment processing system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5577121A (en) * 1994-06-09 1996-11-19 Electronic Payment Services, Inc. Transaction system for integrated circuit cards
CN101183456A (en) * 2007-12-18 2008-05-21 中国工商银行股份有限公司 Encryption device, system and method for encryption, identification using the encryption device
TW201123043A (en) * 2009-12-22 2011-07-01 Financial Information Service Co Ltd Off-line cross-bank authentication method of prepaid card.
CN101848090A (en) * 2010-05-11 2010-09-29 武汉珞珈新世纪信息有限公司 Authentication device and system and method using same for on-line identity authentication and transaction
WO2013130912A2 (en) * 2012-02-29 2013-09-06 Google Inc. In-card access control and monotonic counters for offline payment processing system

Also Published As

Publication number Publication date
TW202127339A (en) 2021-07-16

Similar Documents

Publication Publication Date Title
US20220321359A1 (en) Methods and systems for ownership verification using blockchain
JP7230235B2 (en) Using Contactless Cards to Securely Share Personal Data Stored on Blockchain
CN113344570B (en) Method for transmitting and processing transaction messages and data processing device
CN110383757B (en) System and method for secure processing of electronic identities
CN112260826B (en) Method for secure credential provisioning
ES2599985T3 (en) Validation at any time for verification tokens
KR101863953B1 (en) System and method for providing electronic signature service
CN101923660B (en) Dynamic password identity authorization system and method based on RFID
WO2020020329A1 (en) Digital wallet allowing anonymous or real-name offline transaction and usage method
CN113924588A (en) Devices and payment systems for sending electronic money data records directly to another device
US11922428B2 (en) Security for contactless transactions
JP2003517658A (en) Portable electronic billing / authentication device and method
JP2003016397A (en) Data processing system, memory device, data processor, data processing method, and program
US8117453B2 (en) Customization of an electronic circuit
CN116842550A (en) System and method for binding software modules
CN112567682B (en) Token key for generating a password for token interactions
CA3239475A1 (en) Key recovery based on contactless card authentication
US10503936B2 (en) Systems and methods for utilizing magnetic fingerprints obtained using magnetic stripe card readers to derive transaction tokens
TW200525445A (en) Off-line pin verification using identity-based signatures
US20170372306A1 (en) Payment by mobile device secured by f-puf
CN113077261A (en) Offline card transaction authentication system and offline card transaction authentication method
CN111386544A (en) Information processing apparatus, information processing system, information processing method, and program
WO2019237258A1 (en) Digital currency interactive method, digital currency physical carrier, terminal device and storage medium
CN114745126A (en) Identity verification method and device and smart card
JP2025529911A (en) Hardware wallet for virtual currencies (crypto assets)

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210706

WW01 Invention patent application withdrawn after publication
点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载