CN112688774A - Secure communication method and system for protecting key negotiation by using timing communication - Google Patents

Publication number: CN112688774A
Authority: CN (China)
Prior art keywords: card, key, information, response, card reader
Legal status: Pending
Application number: CN202011427084.9A
Other languages: Chinese (zh)
Inventor: 李东声
Current Assignee: Tendyron Corp
Original Assignee: Tendyron Corp
Application filed by Tendyron Corp
Priority to CN202011427084.9A
Publication of CN112688774A
Priority to PCT/CN2021/136413 (WO2022121938A1)

Landscapes: Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a secure communication method and system for protecting key agreement by using timed communication, which differ from the existing communication mode in which data is sent immediately after the card finishes processing. This resolves the security risk of man-in-the-middle data hijacking that may exist during card reading.

Description

Secure communication method and system for protecting key negotiation by using timing communication
Technical Field
The present invention relates to the field of communications technologies, and in particular to a secure communication method and system for protecting key agreement by using timed communication.
Background
Contactless or network communication such as NFC, Bluetooth and 2.4G often faces the security risk of man-in-the-middle attacks, so it is very important to establish a secure communication channel and to ensure that the key steps of the key agreement used to establish that channel cannot be attacked.
The existing card-reading mechanism of contactless IC card readers transmits data based on protocols such as 14443 and 15693. In these protocols, after the card reader sends instruction data to the card during card reading, there is a frame waiting time, which indicates the maximum time the card reader will wait to receive the card's response data. In other words, after sending an instruction to the card, the card reader waits for the card's response data and accepts it as long as it is returned within the waiting time. Such a communication protocol is therefore vulnerable to man-in-the-middle attacks, and the data is exposed to tampering and other security risks.
Disclosure of Invention
The present invention is directed to solving the above problems.
The main object of the present invention is to provide a secure communication method for protecting key agreement by using timed communication;
another object of the present invention is to provide a secure communication system for protecting key agreement by using timed communication.
To achieve these objects, the technical solution of the present invention is implemented as follows:
One aspect of the present invention provides a secure communication method for protecting key agreement by using timed communication, including: the card reader and the smart card establish a communication connection, the communication connection being wired or wireless; the card reader and the smart card perform a key agreement operation; during the key agreement operation, the card reader sends first information to the smart card and starts timing; the smart card receives the first information, starts timing and generates a first response; the smart card sends the first response to the card reader when its timing reaches a preset duration, the preset duration being the length of time the smart card takes to process data; the card reader starts to receive the first response within the window in which its timing reaches the preset duration, the window being [T, T + ΔT], where T is the preset duration and ΔT is the transmission duration, calculated at least from the distance between the smart card and the card reader; after the first response is received, the card reader and the smart card each generate a session key; the card reader and the smart card communicate using the session key.
The first information is key information in the key agreement operation between the card reader and the smart card, and the first response is a key information response generated after the key information is processed; the preset duration is the length of time the smart card takes to process the key information.
The key information includes data to be signed, and the key information response includes a signature over the data to be signed; or the key information includes data to be verified, and the key information response includes the result of verifying that data, or data to be transmitted that is generated after the data to be verified passes verification; or the key information includes data to be calculated, and the key information response includes the response generated after processing that data; or the key information includes a key hopping instruction, and the key information response includes a response to the key hopping instruction.
Alternatively, the first information is the first piece of information sent by the card reader to the smart card, and the first response is the last information response generated after the card reader and the smart card exchange data during the key agreement operation; the preset duration is the length of time the smart card takes to exchange data and generate the last information response; the transmission duration is calculated from the distance between the smart card and the card reader and from the number of interactions.
After the smart card receives the first information, and before it starts timing and generates the first response, the method further comprises: the smart card determines whether the first information is preset information or whether the first information carries an identifier; and the smart card determines that the first information is preset information or that the first information carries the identifier.
The card reader and the smart card each generating a session key includes: where the key information includes a key hopping instruction and the key information response includes a response to the key hopping instruction, the card reader and the smart card determine, in a preset manner and according to the key hopping instruction, one session key from a plurality of session keys.
The preset duration is obtained by negotiation between the card reader and the smart card; or the preset duration is pre-stored in the card reader and the smart card; or the first information includes a duration identifier, and the preset duration is the duration that the smart card obtains from the duration identifier.
The timing includes: the card reader and the smart card each time with a built-in clock; or each time by the period of the communication signal; or each time by the phase of the communication signal; or each time by the modulated pulse signal of the communication signal.
Another aspect of the present invention provides a secure communication system for protecting key agreement by using timed communication, comprising a card reader and a smart card, wherein: the card reader is configured to establish a communication connection with the smart card, the communication connection being wired or wireless; to perform a key agreement operation with the smart card; and, during the key agreement operation, to send first information to the smart card and start timing; the smart card is configured to receive the first information, start timing and generate a first response, and to send the first response to the card reader when its timing reaches a preset duration, the preset duration being the length of time the smart card takes to process data; the card reader is further configured to start to receive the first response within the window in which its timing reaches the preset duration, the window being [T, T + ΔT], where T is the preset duration and ΔT is the transmission duration, calculated at least from the distance between the smart card and the card reader; after the first response is received, the card reader and the smart card each generate a session key; and the card reader communicates with the smart card using the session key.
The first information is key information in the key agreement operation between the card reader and the smart card, and the first response is a key information response generated after the key information is processed; the preset duration is the length of time the smart card takes to process the key information.
The key information includes data to be signed, and the key information response includes a signature over the data to be signed; or the key information includes data to be verified, and the key information response includes the result of verifying that data, or data to be transmitted that is generated after the data to be verified passes verification; or the key information includes data to be calculated, and the key information response includes the response generated after processing that data; or the key information includes a key hopping instruction, and the key information response includes a response to the key hopping instruction.
Alternatively, the first information is the first piece of information sent by the card reader to the smart card, and the first response is the last information response generated after the card reader and the smart card exchange data during the key agreement operation; the preset duration is the length of time the smart card takes to exchange data and generate the last information response; the transmission duration is calculated from the distance between the smart card and the card reader and from the number of interactions.
The smart card is further configured, after receiving the first information and before starting timing and generating the first response, to determine whether the first information is preset information or whether the first information carries an identifier; and to determine that the first information is preset information or that the first information carries the identifier.
There are a plurality of session keys; the card reader and the smart card each generate a session key as follows: where the key information includes a key hopping instruction and the key information response includes a response to the key hopping instruction, the card reader and the smart card determine, in a preset manner and according to the key hopping instruction, one session key from the plurality of session keys.
The preset duration is obtained by negotiation between the card reader and the smart card; or the preset duration is pre-stored in the card reader and the smart card; or the first information includes a duration identifier, and the preset duration is the duration that the smart card obtains from the duration identifier.
The card reader and the smart card each time in one of the following ways: with a built-in clock; or by the period of the communication signal; or by the phase of the communication signal; or by the modulated pulse signal of the communication signal.
As can be seen from the technical solution above, the invention provides a secure communication method and system for protecting key agreement by using timed communication, which differ from the existing communication mode in which data is sent immediately after the card finishes processing. This resolves the security risk of man-in-the-middle data hijacking that may exist during card reading.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a secure communication method for protecting key agreement by using timed communication according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a secure communication system for protecting key agreement by using timed communication according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and thus, are not to be construed as limiting the present invention. Furthermore, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or quantity or location.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.
To ensure the security of the key agreement process, the invention checks a preset condition while the key agreement process is executing. Only if the preset condition is met is the key agreement process determined to be secure, and the negotiated session key is then used to protect the subsequent transaction application process, thereby thoroughly solving the problem of man-in-the-middle attacks.
Fig. 1 is a flowchart of a secure communication method for protecting key agreement by using timed communication according to an embodiment of the present invention. Referring to Fig. 1, the method includes:
S1, the card reader and the smart card establish a communication connection, the communication connection being wired or wireless.
Specifically, the card reader may establish a connection with the smart card. The connection may be wired, such as a USB connection or a network connection, or wireless, such as an NFC, Bluetooth or 2.4G connection; the invention does not specifically limit the connection manner.
S2, the card reader and the smart card perform a key agreement operation.
Two key agreement procedures are given below as examples, but the present invention is not limited to them. A and B denote the two communicating parties: A may be the card reader and B the smart card, or B the card reader and A the smart card.
Method one:
1) B generates a random number R1;
2) A obtains R1, signs R1 and A's serial number with its private key to generate a random signature S1, and sends the random signature S1 and A's certificate to B;
3) B verifies the received certificate of A using a pre-installed CA root certificate; if verification fails, it sends an error message and ends the link; otherwise it proceeds to the next step;
4) B checks whether the random signature S1 is correct; if verification fails, it sends an error message and ends the link; otherwise it proceeds to the next step;
5) B generates a random number R2, concatenates R1|R2, encrypts R1|R2 with the public key in A's certificate to generate a ciphertext E1, and signs E1 with its private key to generate S2;
6) B sends E1, S2 and B's certificate;
7) A verifies the received certificate of B using the CA root certificate pre-installed in A; if verification fails, it sends an error message and ends the link; otherwise it proceeds to the next step;
8) A checks whether the signature S2 is correct; if verification fails, it sends an error message and ends the link; otherwise it proceeds to the next step;
9) A decrypts E1 with its private key to obtain the R1|R2 plaintext;
10) A and B each calculate a session key from R1|R2 using a specific method. The session key may include an encryption key, used by the sender to encrypt and by the receiver to decrypt during data transmission, and a check key, used to calculate a check value when transmitting data.
Method two:
1) A generates a random number R2 and sends R2 and A's certificate to B;
2) B obtains R2 and A's certificate and verifies the received certificate of A using a pre-installed CA root certificate; if verification fails, it sends an error message and ends the link; otherwise it proceeds to the next step;
3) B generates a random number R1;
4) B encrypts R1 with the public key in A's certificate to generate a ciphertext E1, and signs R2|E1 with its private key to generate S1;
5) B sends E1, S2 and B's certificate;
6) A verifies the received certificate of B using a pre-installed CA root certificate; if verification fails, it sends an error message and ends the link; otherwise it proceeds to the next step;
7) A checks whether the signature S1 is correct; if verification fails, it sends an error message and ends the link; otherwise it proceeds to the next step;
8) A decrypts E1 with its private key to obtain the R1 plaintext;
9) A and B each calculate a session key from R1 using a specific method. The session key may include an encryption key, used by the sender to encrypt and by the receiver to decrypt during data transmission, and a check key, used to calculate a check value when transmitting data.
S3, during the key agreement operation between the card reader and the smart card, the card reader sends the first information to the smart card and starts timing;
S4, the smart card receives the first information, starts timing and generates a first response.
Specifically, the card reader sends the first information to the smart card, and once the smart card has received it, the two parties time synchronously.
As an optional implementation of the embodiment of the present invention, after the smart card receives the first information, and before it starts timing and generates the first response, the method further includes: the smart card determines whether the first information is preset information or whether the first information carries an identifier; and the smart card determines that the first information is preset information or that the first information carries the identifier. Specifically, timing can start only if the first information is the preset information or carries the identifier.
In the present invention, the first information and the first response may take two forms:
Form one: as an optional implementation of the embodiment of the present invention, the first information is key information in the key agreement operation between the card reader and the smart card, and the first response is a key information response generated after the key information is processed; the preset duration is the length of time the smart card takes to process the key information. The key information includes data to be signed, and the key information response includes a signature over the data to be signed; or the key information includes data to be verified, and the key information response includes the result of verifying that data, or data to be transmitted that is generated after the data to be verified passes verification; or the key information includes data to be calculated, and the key information response includes the response generated after processing that data; or the key information includes a key hopping instruction, and the key information response includes a response to the key hopping instruction.
For example, in the key agreement process of method one, the key information is the random number R1 generated by B, and the key information response is the random signature S1 and A's certificate, generated after A's processing; in the key agreement process of method two, the key information is R2 and A's certificate, and the key information response is E1, S2 and B's certificate, sent after B processes the received data. This is only one implementation of the present invention, and the present invention is not limited thereto.
Form two: as an optional implementation of the embodiment of the present invention, the first information is the first piece of information sent by the card reader to the smart card, and the first response is the last information response generated after the card reader and the smart card exchange data during the key agreement operation; the preset duration is the length of time the smart card takes to exchange data and generate the last information response; the transmission duration is calculated from the distance between the smart card and the card reader and from the number of interactions.
For example, in the key agreement process of method one, the first information is the random number R1 generated by B, and the first response is the random signature S1 and A's certificate sent by A; in the key agreement process of method two, the first information is R2 and A's certificate sent by A, and the first response is E1, S2 and B's certificate sent by B.
S5, the smart card sends the first response to the card reader when its timing reaches a preset duration, the preset duration being the length of time the smart card takes to process data;
S6, the card reader starts to receive the first response within the window in which its timing reaches the preset duration, the window being [T, T + ΔT], where T is the preset duration and ΔT is the transmission duration, calculated at least from the distance between the smart card and the card reader.
Specifically, a preset duration is set between the card reader and the smart card. Once both parties' timing reaches the preset duration, the smart card sends the first response and the card reader receives it; the card reader receives the first response only within the window of the preset duration.
The card reader and the smart card both fix a preset duration T for transmit and receive communication, and the card reader determines a data transmission duration ΔT. By convention, the smart card sends the first response after the time interval T, and the card reader can receive the first response only within the time window [T, T + ΔT]. If a third-party man-in-the-middle attacks remotely, the time needed to forward and process the data cannot fit within this window, so the data transmitted during key agreement cannot be tampered with.
In a specific implementation, the time window in which the card reader receives the first response is [T, T + ΔT], where T is the time limit for instruction processing and the smart card sends the first response according to T. If the first response is the response obtained by processing the first information, ΔT is the tolerance for data transmission time; for example, in contactless communication it is the tolerance for over-the-air transmission time. The transmission duration ΔT is calculated from the distance between the smart card and the card reader; for example, in contactless communication ΔT may be the ratio of the maximum transmission distance allowed between the card reader and the smart card to the speed of light, that is, ΔT = 2S/v, where S is the maximum transmission distance allowed between the card reader and the smart card and v is the speed of light. If the first response is the last information response generated after the card reader and the smart card exchange data during the key agreement operation, ΔT is the sum of the data transmission time tolerance and the data interaction duration; for example, in contactless communication ΔT may be the sum of the data interaction duration and the ratio of the maximum transmission distance allowed between the card reader and the smart card to the speed of light, that is, ΔT = Tt + 2S/v, where S is the maximum transmission distance allowed between the card reader and the smart card, v is the speed of light and Tt is the data interaction duration.
As an optional implementation of the embodiment of the present invention, the preset duration is obtained by negotiation between the card reader and the smart card; or the preset duration is pre-stored in the card reader and the smart card; or the first information includes a duration identifier, and the preset duration is the duration that the smart card obtains from the duration identifier. In a specific implementation, the preset duration T may be pre-stored in a fixed area of the chip before the device leaves the factory; or a set of preset durations may be stored in the device and the T to use selected by an identifier sent each time; or each piece of transmitted instruction data may carry a T value. The preset duration may be indicated by a duration identifier that the card reader carries in the first information sent to the smart card, the smart card obtaining the corresponding preset duration from the identifier; or both sides may store a list of preset durations and select one each time according to a preset rule. The invention does not specifically limit this.
As an optional implementation of the embodiment of the present invention, the timing includes: the card reader and the smart card each time with a built-in clock; or each time by the period of the communication signal; or each time by the phase of the communication signal; or each time by the modulated pulse signal of the communication signal.
Specifically, the timing manner may include, but is not limited to:
1. Timing measurement: the card reader and the smart card both support an accurate timing function and time with a built-in clock.
2. Period measurement: for contactless communication, time is recorded by counting carrier periods. In a specific implementation, the card reader and the smart card each perform synchronous timing measurement by the period of the communication signal, and may use the end of transmission and reception of the first information as the start marker for synchronous timing.
3. Phase measurement: in a specific implementation, the card reader and the smart card may perform synchronous timing measurement by the phase of the communication signal, with an expected phase set, and may use the end of transmission and reception of the first information as the start marker for synchronous timing.
4. Pulse counting measurement: the card reader and the smart card may perform synchronous counting measurement by the modulated pulse signal of the communication signal, and may use the end of transmission and reception of the first information as the start marker for synchronous timing.
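The acceptance check of S5 and S6, written out as an added example (not code from the patent): the reader counts carrier periods, opens the window at T and closes it at T + ΔT with ΔT = Tt + 2S/v. The duration-identifier table, the 13.56 MHz carrier used as the timing source and all function names are assumptions made for illustration.

```python
"""Reader-side acceptance window [T, T + dT] for the timed first response."""
from dataclasses import dataclass
from math import ceil, floor

SPEED_OF_LIGHT_M_S = 299_792_458.0  # v in the description
CARRIER_HZ = 13_560_000             # assumed timing source: ISO/IEC 14443 carrier

# Constructed table: duration identifier -> preset duration T in seconds.
PRESET_DURATIONS_S = {0x01: 0.005, 0x02: 0.020, 0x03: 0.050}


def transmission_allowance_s(max_distance_m: float, interaction_s: float = 0.0) -> float:
    """dT = Tt + 2S/v. Tt is 0 when the first response directly answers the
    first information; otherwise it is the data-interaction duration."""
    if max_distance_m < 0 or interaction_s < 0:
        raise ValueError("distance and interaction time must be non-negative")
    return interaction_s + 2.0 * max_distance_m / SPEED_OF_LIGHT_M_S


@dataclass(frozen=True)
class Window:
    open_cycles: int   # T, counted in carrier periods
    close_cycles: int  # T + dT, counted in carrier periods

    def accepts(self, arrival_cycles: int) -> bool:
        """True only if the response starts arriving inside [T, T + dT]."""
        return self.open_cycles <= arrival_cycles <= self.close_cycles


def build_window(duration_id: int, max_distance_m: float,
                 interaction_s: float = 0.0, carrier_hz: int = CARRIER_HZ) -> Window:
    """Resolve T from the duration identifier and quantise the window to ticks."""
    try:
        t = PRESET_DURATIONS_S[duration_id]
    except KeyError:
        raise ValueError(f"unknown duration identifier {duration_id:#04x}") from None
    dt = transmission_allowance_s(max_distance_m, interaction_s)
    open_cycles = round(t * carrier_hz)
    # The counter cannot resolve less than one carrier period, so dT is
    # rounded up and the window is never narrower than one tick.
    width = max(1, ceil(dt * carrier_hz))
    return Window(open_cycles, open_cycles + width)


def observed_arrival(window: Window, distance_m: float,
                     extra_delay_s: float = 0.0, carrier_hz: int = CARRIER_HZ) -> int:
    """Reader's tick count when the response starts arriving (direct-answer case).

    The card answers T after it receives the first information, so the reader
    sees T plus the round trip plus any added forwarding or processing delay.
    A negative extra_delay_s models a response sent before T has elapsed.
    """
    lag_s = 2.0 * distance_m / SPEED_OF_LIGHT_M_S + extra_delay_s
    return window.open_cycles + floor(lag_s * carrier_hz)


if __name__ == "__main__":
    w = build_window(0x01, max_distance_m=0.10)
    print("window (ticks):", w.open_cycles, "to", w.close_cycles)
    for label, extra in [("direct", 0.0), ("held up 2 us", 2e-6), ("1 us early", -1e-6)]:
        tick = observed_arrival(w, 0.05, extra)
        print(f"{label:>13}: tick {tick} -> {'accept' if w.accepts(tick) else 'reject'}")
```

At 13.56 MHz one carrier period is about 74 ns, while 2S/v for a 10 cm limit is under 1 ns, so in this sketch the window is one timer tick wide and a response held up by 2 µs arrives 27 ticks late.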
S7, after receiving the first response, the card reader and the smart card respectively generate a session key;
As an optional implementation of the embodiment of the present invention, the card reader and the smart card respectively generating a session key includes: in the case where the key information comprises a key hopping instruction and the key information response comprises a response to the key hopping instruction, the card reader and the smart card determine one session key from a plurality of session keys according to the key hopping instruction in a preset mode. In a specific implementation, when the card reader and the smart card communicate, one session key can be determined from a plurality of session keys for the communication: the two parties share a key pool and roll their keys from that same pool, so that each communication between them uses a one-time key and the security of subsequent data transmission is ensured.
And S8, the card reader and the smart card communicate through the session key.
Specifically, the card reader and the smart card communicate through a session key, so that the security of subsequent data transmission is ensured.
Therefore, the secure communication method for protecting key agreement by using timed communication differs from the existing communication mode, in which the card sends data immediately after it finishes processing. During the key agreement process, a synchronous timing mode is set for the card reader and the smart card: after the card reader sends the first information, the smart card sends the first response only when its timing reaches the preset duration, and the card reader receives the first response only within the window that opens when its own timing reaches the preset duration. This ensures that no man-in-the-middle attack exists between the card reader and the smart card and that the key agreement process is secure, which in turn ensures the security of subsequent data transmission. The security risk of data hijacking by a man-in-the-middle that may exist in the card reading process is thereby resolved.
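The exchange described in the steps above, as an added simulation that is not part of the patent text: the card holds its first response until T, the reader accepts it only inside [T, T + ΔT], and both sides then pick a session key from a shared pool. The ΔT formula (round-trip propagation plus a jitter margin), the sample values, the HMAC-based response and the "hop counter modulo pool size" rule are all assumptions made for illustration.

```python
import hashlib
import hmac

C_M_PER_S = 299_792_458            # propagation speed of the signal in free space

# Constructed sample values (assumptions, not taken from the patent text).
T_NS = 5_000_000                   # preset duration T known to both sides (5 ms)
MARGIN_NS = 50                     # allowance for timer jitter inside delta-T
AUTH_KEY = bytes(range(16))        # pre-shared key used to build the first response
KEY_POOL = [hashlib.sha256(b"pool-%d" % i).digest() for i in range(8)]


def delta_t_ns(max_distance_m, margin_ns=MARGIN_NS):
    """Transmission duration delta-T for the largest distance the reader allows.

    The reader starts timing when it finishes sending and the card when it
    finishes receiving, so on the reader's clock the response arrives one
    outbound plus one return propagation delay after T (assumed formula).
    """
    return 2 * max_distance_m / C_M_PER_S * 1e9 + margin_ns


def card_respond(first_info, rx_time_ns, t_ns=T_NS):
    """Card side: start timing on reception, build the response, release it at T."""
    response = hmac.new(AUTH_KEY, first_info, hashlib.sha256).digest()
    return rx_time_ns + t_ns, response


def reader_accepts(arrival_ns, t_ns, dt_ns):
    """Reader side: the response must arrive inside the window [T, T + delta-T]."""
    return t_ns <= arrival_ns <= t_ns + dt_ns


def select_session_key(hop_counter, pool=KEY_POOL):
    """Assumed 'preset mode': roll through the shared pool by hop counter."""
    return pool[hop_counter % len(pool)]


def negotiate(distance_m, hop_counter, relay_delay_ns=0.0, max_distance_m=0.05):
    """Run one timed exchange; return the reader's session key or None.

    distance_m is the real reader-card path length, relay_delay_ns is extra
    latency per direction added by any intermediary, and the reader clock
    reads 0 at the moment it finishes sending the first information.
    """
    first_info = b"KEYHOP" + hop_counter.to_bytes(4, "big")
    one_way_ns = distance_m / C_M_PER_S * 1e9 + relay_delay_ns

    release_ns, response = card_respond(first_info, rx_time_ns=one_way_ns)
    arrival_ns = release_ns + one_way_ns

    if not reader_accepts(arrival_ns, T_NS, delta_t_ns(max_distance_m)):
        return None                 # outside the window: abort key agreement
    expected = hmac.new(AUTH_KEY, first_info, hashlib.sha256).digest()
    if not hmac.compare_digest(response, expected):
        return None                 # in time but not a valid response
    # The card selects the same pool entry from the same hop counter.
    return select_session_key(hop_counter)


if __name__ == "__main__":
    print("direct card, 5 cm :", negotiate(0.05, 3) is not None)
    print("2 us relay per leg:", negotiate(0.05, 3, relay_delay_ns=2000) is not None)
    print("card at 10 m      :", negotiate(10.0, 3) is not None)
```

The margin inside ΔT sets how much added latency goes unnoticed, so it should be no larger than the timer jitter of the chosen timing method.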
Fig. 2 is a schematic structural diagram of a secure communication system for protecting key agreement by using timed communication according to an embodiment of the present invention. The system applies the method described above, so only its structure is briefly described below; for other matters not covered here, refer to the related description of the secure communication method for protecting key agreement by using timed communication, which is not repeated. Referring to Fig. 2, the secure communication system for protecting key agreement by using timed communication provided in the embodiment of the present invention includes: a card reader and a smart card; wherein:
the card reader is used for establishing communication connection with the intelligent card, and the communication connection comprises wired connection or wireless connection; performing key agreement operation with the smart card; in the key agreement operation process of the card reader and the intelligent card, first information is sent to the intelligent card, and timing is started;
the intelligent card is used for receiving the first information, starting timing and generating a first response; sending a first response to the card reader when the timing reaches a preset time length, wherein the preset time length is the time length of data processing of the intelligent card;
the card reader is also used for starting to receive the first response within the window range of the preset duration reached by timing, wherein the window range of the preset duration is [T, T + ΔT], T is the preset duration, ΔT is the transmission duration, and the transmission duration is calculated at least according to the distance between the smart card and the card reader; after receiving the first response, respectively generating a session key with the smart card; and communicating with the smart card through the session key.
As an optional implementation manner of the embodiment of the present invention, the first information is key information in a key agreement operation process between the card reader and the smart card, and the first response is a key information response generated after processing the key information; the preset duration is the time length of the smart card for processing the key information.
As an optional implementation of the embodiment of the present invention, the key information includes: data to be signed; the key information response includes: signing the data to be signed; or the key information includes: data to be verified; the key information response includes: a verification result for verifying the data to be verified, or the data to be transmitted generated after the data to be verified passes the verification; or the key information includes: data to be calculated; the key information response includes: and (5) a response generated after the data to be calculated is processed.
As an optional implementation manner of the embodiment of the present invention, the first information is first information sent by the card reader to the smart card, and the first response is a last information response generated after the card reader and the smart card perform data interaction during a key agreement operation; the preset time length is the time length for the intelligent card to perform data interaction and generate the last information response; the transmission time is calculated according to the distance between the intelligent card and the card reader and the interaction times.
As an optional implementation manner of the embodiment of the present invention, the smart card is further configured to, after receiving the first information, start timing, and before generating the first response, determine whether the first information is preset information or determine whether the first information carries an identifier; and the smart card judges that the first information is preset information or the first information carries an identifier.
As an optional implementation manner of the embodiment of the present invention, there are a plurality of session keys; the card reader communicates with the smart card through the session key as follows: and the card reader is particularly used for communicating with the smart card according to a preset mode and determining one of the session keys.
As an optional implementation manner of the embodiment of the present invention, the preset time duration is obtained by negotiation between the card reader and the smart card; or the preset time length is pre-stored in the card reader and the smart card; or the first information comprises a duration identifier, and the preset duration is the duration corresponding to the duration identifier acquired by the intelligent card according to the duration identifier.
As an optional implementation manner of the embodiment of the present invention, the card reader and the smart card are clocked by the following methods, respectively: the card reader and the intelligent card respectively use a built-in clock to time; or the card reader and the intelligent card are respectively timed through the period of the communication signal; or the card reader and the intelligent card are respectively timed through the phase of the communication signal; or the card reader and the intelligent card respectively carry out timing through the modulated pulse signals of the communication signals.
Therefore, the secure communication system for protecting key agreement by using timed communication differs from the existing communication mode, in which the card sends data immediately after it finishes processing. During the key agreement process, a synchronous timing mode is set for the card reader and the smart card: after the card reader sends the first information, the smart card sends the first response only when its timing reaches the preset duration, and the card reader receives the first response only within the window that opens when its own timing reaches the preset duration. This ensures that no man-in-the-middle attack exists between the card reader and the smart card and that the key agreement process is secure, so that the security of subsequent data transmission can be ensured. The security risk of data hijacking by a man-in-the-middle that may exist in the card reading process is thereby resolved.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made in the above embodiments by those of ordinary skill in the art without departing from the principle and spirit of the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (16)

1. A secure communication method for protecting key agreement by using timed communication, comprising:
the card reader and the intelligent card establish communication connection, and the communication connection comprises wired connection or wireless connection;
the card reader and the smart card carry out key agreement operation;
in the key agreement operation process between the card reader and the intelligent card, the card reader sends first information to the intelligent card and starts timing;
the smart card receives the first information, starts timing and generates a first response;
the smart card sends the first response to the card reader when the timing reaches a preset time length, wherein the preset time length is the time length of data processing of the smart card;
the card reader starts to receive the first response within a window range of the preset time length after timing, wherein the window range of the preset time length is [T, T + ΔT], T is the preset time length, ΔT is transmission time length, and the transmission time length is obtained by calculation according to at least the distance between the smart card and the card reader;
after receiving the first response, the card reader and the smart card respectively generate a session key;
and the card reader and the smart card are communicated through the session key.
2. The method according to claim 1, wherein the first information is key information in a key agreement operation process between the card reader and the smart card, and the first response is a key information response generated after processing the key information; the preset duration is the time length of the smart card for processing the key information.
3. The method of claim 2,
the key information includes: data to be signed; the key information response includes: signing the data to be signed; or
the key information includes: data to be verified; the key information response includes: a verification result for verifying the data to be verified, or data to be transmitted generated after the data to be verified passes the verification; or
the key information includes: data to be calculated; the key information response includes: the response generated after the data to be calculated is processed; or
the key information includes: a key hopping instruction; the key information response includes: a response to the key hopping instruction.
4. The method according to claim 1, wherein the first information is first information sent by the card reader to the smart card, and the first response is a last information response generated after the card reader and the smart card perform data interaction during a key agreement operation; the preset time length is the time length for the intelligent card to carry out data interaction and generate the last information response; the transmission duration is calculated according to the distance between the intelligent card and the card reader and the interaction times.
5. The method according to any one of claims 1 to 4,
after the smart card receives the first information, timing is started, and before a first response is generated, the method further includes:
the intelligent card judges whether the first information is preset information or whether the first information carries an identifier; and the smart card judges that the first information is preset information or the first information carries an identifier.
6. The method according to any one of claims 1 to 4, wherein the session key is plural;
the card reader and the smart card respectively generate session keys, including:
and under the condition that the key information comprises a key hopping instruction and the key information response comprises a response to the key hopping instruction, the card reader and the smart card determine one session key from the plurality of session keys according to the key hopping instruction in a preset mode.
7. The method of claim 1,
the preset duration is obtained by negotiation between the card reader and the intelligent card; or
the preset duration is pre-stored in the card reader and the smart card; or
the first information comprises a duration identification, and the preset duration is the duration corresponding to the duration identification acquired by the smart card according to the duration identification.
8. The method of claim 1, wherein the timing comprises:
the card reader and the intelligent card are respectively timed by utilizing a built-in clock; or
the card reader and the smart card are respectively timed through the period of a communication signal; or
the card reader and the smart card are respectively timed through phases of communication signals; or
the card reader and the smart card are respectively timed through the modulated pulse signals of the communication signals.
9. A secure communication system for securing a key agreement using timed communication, comprising: card readers and smart cards; wherein:
the card reader is used for establishing communication connection with the intelligent card, and the communication connection comprises wired connection or wireless connection; performing key agreement operation with the smart card; in the key agreement operation process between the card reader and the intelligent card, first information is sent to the intelligent card, and timing is started;
the intelligent card is used for receiving the first information, starting timing and generating a first response; sending the first response to the card reader when the timing reaches a preset time length, wherein the preset time length is the time length of data processing of the intelligent card;
the card reader is further configured to start receiving the first response within a window range of the preset duration reached by timing, wherein the window range of the preset duration is [T, T + ΔT], T is the preset duration, ΔT is a transmission duration, and the transmission duration is calculated according to at least a distance between the smart card and the card reader; after receiving the first response, respectively generating a session key with the smart card; and communicating with the smart card through the session key.
10. The system according to claim 9, wherein the first information is key information in a key agreement operation process between the card reader and the smart card, and the first response is a key information response generated after processing the key information; the preset duration is the time length of the smart card for processing the key information.
11. The system of claim 10,
the key information includes: data to be signed; the key information response includes: signing the data to be signed; or
the key information includes: data to be verified; the key information response includes: a verification result for verifying the data to be verified, or data to be transmitted generated after the data to be verified passes the verification; or
the key information includes: data to be calculated; the key information response includes: a response generated after processing the data to be calculated; or
the key information includes: a key hopping instruction; the key information response includes: a response to the key hopping instruction.
12. The system according to claim 9, wherein the first message is a first message sent by the card reader to the smart card, and the first response is a last message response generated after the card reader and the smart card perform data interaction during a key agreement operation; the preset time length is the time length for the intelligent card to carry out data interaction and generate the last information response; the transmission duration is calculated according to the distance between the intelligent card and the card reader and the interaction times.
13. The system according to any one of claims 9 to 12,
the smart card is further configured to start timing after receiving the first information and before generating a first response, determine whether the first information is preset information or determine whether the first information carries an identifier; and the smart card judges that the first information is preset information or the first information carries an identifier.
14. The system according to any one of claims 9 to 12, wherein the session key is plural;
the card reader and the intelligent card respectively generate a session key in the following way:
and under the condition that the key information comprises a key hopping instruction and the key information response comprises a response to the key hopping instruction, the card reader and the smart card determine one session key from the plurality of session keys according to the key hopping instruction in a preset mode.
15. The system of claim 9,
the preset duration is obtained by negotiation between the card reader and the intelligent card; or
the preset duration is pre-stored in the card reader and the smart card; or
the first information comprises a duration identification, and the preset duration is the duration corresponding to the duration identification acquired by the smart card according to the duration identification.
16. The system of claim 9,
the card reader and the intelligent card are respectively timed in the following modes:
the card reader and the intelligent card are respectively timed by utilizing a built-in clock; or
the card reader and the smart card are respectively timed through the period of a communication signal; or
the card reader and the smart card are respectively timed through phases of communication signals; or
the card reader and the smart card are respectively timed through the modulated pulse signals of the communication signals.
CN202011427084.9A 2020-12-09 2020-12-09 Secure communication method and system for protecting key negotiation by using timing communication Pending CN112688774A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202011427084.9A CN112688774A (en) 2020-12-09 2020-12-09 Secure communication method and system for protecting key negotiation by using timing communication
PCT/CN2021/136413 WO2022121938A1 (en) 2020-12-09 2021-12-08 Secure communication method and system for protecting key negotiation by using timing communication


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210420