BR-102025017946-A2 - METHOD AND SYSTEM FOR DOWNLOADING FINANCIAL CERTIFICATE AND FINANCIAL KEY
Abstract
The present invention discloses a method and system for downloading a financial certificate and a financial key. The method comprises: performing a session key negotiation between the terminal of the key distribution host and the terminal of the key receiving device, using an ECDH key negotiation algorithm, to obtain a first session key; sending, from the terminal of the key receiving device, a request to download a financial certificate to the terminal of the key distribution host; generating, from the terminal of the key distribution host, a financial certificate and sending it to the terminal of the key receiving device; performing another session key negotiation between the terminal of the key distribution host and the terminal of the key receiving device, based on the financial certificate, to obtain a second session key; sending, from the terminal of the key receiving device, a request to download a financial key to the terminal of the key distribution host; and generating, from the terminal of the key distribution host, a financial key and sending it to the terminal of the key receiving device.
Inventors
- Hui Huang
Assignees
- FUJIAN WISBO DIGITAL TECHNOLOGY CO., LTD
Dates
- Publication Date
- 20260310
- Application Date
- 20250825
- Priority Date
- 20240903
Claims (10)
- 1) “FINANCIAL CERTIFICATE AND FINANCIAL KEY DOWNLOAD METHOD”, characterized by comprising the following steps: - performing a session key negotiation between the key distribution host terminal and the key receiving device terminal using an Elliptic Curve Diffie-Hellman (ECDH) key negotiation algorithm to obtain a first session key, in order to establish a secure financial channel between the key distribution host terminal and the key receiving device terminal; - sending, by the key receiving device terminal, a financial certificate download request to the key distribution host terminal based on the first session key; - generating, by the key distribution host terminal, a financial certificate based on the financial certificate download request and sending the financial certificate to the key receiving device terminal; - performing a session key negotiation between the key distribution host terminal and the key receiving device terminal using the ECDH key negotiation algorithm based on the financial certificate, to obtain a second session key, in order to establish a secure financial channel between the key distribution host terminal and the key receiving device terminal; - sending, by the key receiving device terminal, a financial key download request to the key distribution host terminal based on the second session key and the financial certificate; and - generating, by the key distribution host terminal, a financial key based on the financial key download request and sending the financial key to the key receiving device terminal.
- 2) “METHOD FOR DOWNLOADING FINANCIAL CERTIFICATE AND FINANCIAL KEY” according to claim 1, characterized by further comprising, before the step of performing a session key negotiation between the key distribution host terminal and the key receiving device terminal using an ECDH key negotiation algorithm to obtain a first session key: - sending, by the key distribution host terminal, a certificate signing request file creation instruction to the key receiving device terminal; - generating, by the key receiving device terminal, a first Elliptic Curve Cryptography (ECC) public and private key pair according to the creation instruction; - storing, by the key receiving device terminal, the first ECC public and private key pair as a temporary variable and generating a certificate signing request file according to the first ECC public and private key pair; - sending, by the key receiving device terminal, the certificate signing request file to the key distribution host terminal; - sending, by the key distribution host terminal, the certificate signing request file to a certification authority (CA); - receiving, by the key distribution host terminal, a digital certificate generated by the CA according to the certificate signing request file, and sending the digital certificate to the key receiving device terminal; and - obtaining, by the key receiving device terminal, a signing certificate chain according to the digital certificate and storing it as a temporary variable.
- 3) “METHOD FOR DOWNLOADING FINANCIAL CERTIFICATE AND FINANCIAL KEY” according to claim 2, characterized in that the first ECC public and private key pair comprises a first ECC private key, and the step of performing a session key negotiation between the key distribution host terminal and the key receiving device terminal using an ECDH key negotiation algorithm to obtain a first session key, in order to establish a secure financial channel between the key distribution host terminal and the key receiving device terminal, comprises: - generating, by the key receiving device terminal, a first random number and sending the first random number to the key distribution host terminal; - saving, by the key distribution host terminal, the first random number and generating a second random number; - generating, by the key distribution host terminal, a first temporary ECC public and private key pair, wherein the first temporary ECC public and private key pair includes a first temporary ECC public key and a first temporary ECC private key; - generating, by the key distribution host terminal, a first message according to the first temporary ECC public key, a predefined signing certificate chain, the first random number and the second random number, signing the first message using the private key of the signing certificate in the predefined signing certificate chain to obtain a signature of the first message, and sending the first message and the signature of the first message to the key receiving device terminal; - performing, by the key receiving device terminal, a session key negotiation using the ECDH key negotiation algorithm based on the first message and the signature of the first message, to obtain a first session key of the key receiving device terminal; - obtaining, by the key receiving device terminal, the temporary certificate chain, calculating a first key verification value using the first session key of the key receiving device terminal, generating a second message according to a second temporary ECC public key, the temporary certificate chain and the first key verification value, and signing the second message using the first ECC private key to obtain a signature of the second message; - sending, by the key receiving device terminal, the second message, the second random number and the signature of the second message to the key distribution host terminal; - performing, by the key distribution host terminal, a session key negotiation using the ECDH key negotiation algorithm based on the second random number, the second message and the signature of the second message, to obtain a first session key of the key distribution host terminal; - calculating, by the key distribution host terminal, a second key verification value using the first session key of the key distribution host terminal, comparing the second key verification value with the first key verification value in the second message, and, if the comparison result is consistent, generating a first integrated message according to the first random number, the first message, the signature of the first message, the second message and the signature of the second message; - performing, by the key distribution host terminal, a message authentication code (MAC) calculation on the first integrated message using the first session key of the key distribution host terminal to obtain a first MAC result, and sending the first MAC result to the key receiving device terminal; - generating, by the key receiving device terminal, a second integrated message according to the first random number, the first message, the signature of the first message, the second message and the signature of the second message, and performing the MAC calculation on the second integrated message using the first session key of the key receiving device terminal to obtain a second MAC result; and - comparing, by the key receiving device terminal, the second MAC result with the first MAC result, and determining that the secure financial channel between the key distribution host terminal and the key receiving device terminal has been established successfully if the comparison result is consistent.
- 4) “METHOD FOR DOWNLOADING FINANCIAL CERTIFICATE AND FINANCIAL KEY” according to claim 3, characterized in that the step of performing, by the key receiving device terminal, a session key negotiation using the ECDH key negotiation algorithm based on the first message and the signature of the first message, to obtain a first session key of the key receiving device terminal, comprises: - performing, by the key receiving device terminal, a first check on the first random number in the first message, and saving the second random number if the result of the first check is successful; - performing, by the key receiving device terminal, a second check on the predefined signing certificate chain in the first message, performing a third check on the signature of the first message using the predefined signing certificate chain if the result of the second check is successful, and generating a second temporary ECC public and private key pair if the result of the third check is successful, wherein the second temporary ECC public and private key pair includes a second temporary ECC private key and a second temporary ECC public key; and - performing, by the key receiving device terminal, a session key negotiation using the ECDH key negotiation algorithm based on the second temporary ECC private key and the first temporary ECC public key in the first message, to obtain the first session key of the key receiving device terminal.
- 5) “METHOD FOR DOWNLOADING FINANCIAL CERTIFICATE AND FINANCIAL KEY” according to claim 3, characterized in that the step of performing, by the key distribution host terminal, a session key negotiation using the ECDH key negotiation algorithm based on the second random number, the second message and the signature of the second message, to obtain a first session key of the key distribution host terminal, comprises: - performing, by the key distribution host terminal, a first check on the second random number, performing a second check on the signature of the second message using the temporary certificate chain if the result of the first check is successful, and performing a session key negotiation using the ECDH key negotiation algorithm based on the first temporary ECC private key and the second temporary ECC public key in the second message if the result of the second check is successful, to obtain the first session key of the key distribution host terminal.
- 6) “METHOD FOR DOWNLOADING FINANCIAL CERTIFICATE AND FINANCIAL KEY” according to claim 3, characterized in that the step of sending, by the key receiving device terminal, a financial certificate download request to the key distribution host terminal based on the first session key, comprises: - generating, by the key receiving device terminal, a third random number and certificate request configuration information, and generating a financial certificate download request according to the second random number, the third random number and the certificate request configuration information; and - performing, by the key receiving device terminal, the MAC calculation on the financial certificate download request using the first session key of the key receiving device terminal to obtain a third MAC result, and sending the third MAC result to the key distribution host terminal.
- 7) “METHOD FOR DOWNLOADING FINANCIAL CERTIFICATE AND FINANCIAL KEY” according to claim 6, characterized in that the step of generating, by the key distribution host terminal, a financial certificate based on the financial certificate download request and sending the financial certificate to the key receiving device terminal, comprises: - verifying, by the key distribution host terminal, the second random number in the third MAC result, saving the third random number in the third MAC result if the verification result is successful, and generating a financial certificate in a first predefined format according to the certificate request configuration information in the third MAC result; and - sending, by the key distribution host terminal, the financial certificate and the third random number to the key receiving device terminal; and in that, after the step of generating, by the key distribution host terminal, a financial certificate based on the financial certificate download request and sending the financial certificate to the key receiving device terminal, the method further comprises: - verifying, by the key receiving device terminal, the third random number, and saving the financial certificate if the verification result is successful.
- 8) “METHOD FOR DOWNLOADING FINANCIAL CERTIFICATE AND FINANCIAL KEY” according to claim 3, characterized in that the step of sending, by the key receiving device terminal, a financial key download request to the key distribution host terminal based on the second session key and the financial certificate, comprises: - generating, by the key receiving device terminal, a fourth random number; - generating, by the key receiving device terminal, a financial key download request according to the second random number, the fourth random number, a key identifier (key ID) in the financial certificate and a key system number, and performing the MAC calculation on the financial key download request based on the second session key to obtain a fourth MAC result; and - sending, by the key receiving device terminal, the fourth MAC result to the key distribution host terminal.
- 9) “METHOD FOR DOWNLOADING FINANCIAL CERTIFICATE AND FINANCIAL KEY” according to claim 8, characterized in that the step of generating, by the key distribution host terminal, a financial key based on the financial key download request and sending the financial key to the key receiving device terminal, comprises: - verifying, by the key distribution host terminal, the second random number in the fourth MAC result, saving the fourth random number in the fourth MAC result if the verification result is successful, and generating a financial key in a second predefined format according to the key ID and the key system number in the fourth MAC result; and - sending, by the key distribution host terminal, the financial key and the fourth random number to the key receiving device terminal; and in that, after the step of generating, by the key distribution host terminal, a financial key based on the financial key download request and sending the financial key to the key receiving device terminal, the method further comprises: - verifying, by the key receiving device terminal, the fourth random number, and saving the financial key if the verification result is successful.
- 10) “FINANCIAL CERTIFICATE AND FINANCIAL KEY DOWNLOAD SYSTEM” for performing the method according to any one of claims 1 to 9, characterized by comprising a key distribution host terminal and a key receiving device terminal, wherein the key distribution host terminal includes a first memory, a first processor and a first computer program stored in the first memory and operable on the first processor, and the key receiving device terminal includes a second memory, a second processor and a second computer program stored in the second memory and operable on the second processor, wherein the first processor, when executing the first computer program, performs the steps performed by the key distribution host terminal in the financial certificate and financial key download method, and the second processor, when executing the second computer program, performs the steps performed by the key receiving device terminal in the financial certificate and financial key download method.
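The first-channel negotiation of claims 3 to 5, worked through as an added example; this is not code from the patent or from the applicant. Both sides run in one process so the message layout and every check are visible in order. P-256 ECDH from Go's crypto/ecdh produces the session key; Ed25519 stands in for the ECC signature scheme of the signing certificates, which the claims do not name; HMAC-SHA256 is the MAC. The SHA-256 key derivation, the 8-byte key verification value, the 16-byte random numbers and the names Party, Handshake, sessionKey and kcv are all assumptions of the example, and the certificate chains of claim 2 (the second check of claim 4) are replaced by a pinned peer public key on each side.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party: one side's long-term signing key and the peer key it trusts. In the patent the
// KDH signs under its predefined signing certificate and the KRD with the first ECC
// private key certified by the CA (claim 2); chain validation is assumed done, PeerPub pinned.
type Party struct {
	SignKey ed25519.PrivateKey
	PeerPub ed25519.PublicKey
}

func nonce() []byte {
	b := make([]byte, 16)
	rand.Read(b)
	return b
}

func mac(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

func kcv(key []byte) []byte { return mac(key, make([]byte, 16))[:8] } // KCV method is an assumption

// P-256 ECDH; SHA-256 of the shared secret is the session key (KDF assumed). NewPublicKey rejects off-curve points.
func sessionKey(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	z, _ := priv.ECDH(pub) // cannot fail once both keys are on P-256
	k := sha256.Sum256(z)
	return k[:], nil
}

// Handshake runs the first session key negotiation of claims 3 to 5 with both sides in
// one process. Fields have fixed sizes (65-byte point, 16-byte random numbers, 8-byte
// KCV), so no length prefixes are needed. Returns the key or the check that failed.
func Handshake(kdh, krd Party) ([]byte, error) {
	r1 := nonce() // KRD -> KDH: first random number
	// KDH: save R1, generate R2 and the first temporary key pair, sign the first message.
	r2 := nonce()
	ekdh, _ := ecdh.P256().GenerateKey(rand.Reader)
	m1 := bytes.Join([][]byte{ekdh.PublicKey().Bytes(), r1, r2}, nil)
	sig1 := ed25519.Sign(kdh.SignKey, m1)
	// KRD (claim 4): R1 must echo what it sent and the signature must verify before ECDH.
	if !bytes.Equal(m1[65:81], r1) {
		return nil, errors.New("KRD: first random number mismatch")
	}
	if !ed25519.Verify(krd.PeerPub, m1, sig1) {
		return nil, errors.New("KRD: signature of first message rejected")
	}
	krdR2 := m1[81:97] // second random number, saved by the KRD
	ekrd, _ := ecdh.P256().GenerateKey(rand.Reader)
	skKRD, err := sessionKey(ekrd, m1[:65])
	if err != nil {
		return nil, err
	}
	m2 := append(ekrd.PublicKey().Bytes(), kcv(skKRD)...)
	sig2 := ed25519.Sign(krd.SignKey, m2)
	// KDH (claim 5): R2 and the KRD's signature are checked, then the KCV must match.
	if !bytes.Equal(krdR2, r2) {
		return nil, errors.New("KDH: second random number mismatch")
	}
	if !ed25519.Verify(kdh.PeerPub, m2, sig2) {
		return nil, errors.New("KDH: signature of second message rejected")
	}
	skKDH, err := sessionKey(ekdh, m2[:65])
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(kcv(skKDH), m2[65:]) {
		return nil, errors.New("KDH: key verification value mismatch")
	}
	// Integrated message: MAC over the whole transcript, sent by the KDH and recomputed by the KRD.
	transcript := bytes.Join([][]byte{r1, m1, sig1, m2, sig2}, nil)
	if !hmac.Equal(mac(skKRD, transcript), mac(skKDH, transcript)) {
		return nil, errors.New("KRD: MAC of integrated message mismatch")
	}
	return skKRD, nil
}

func main() {
	kdhPub, kdhPriv, _ := ed25519.GenerateKey(rand.Reader)
	krdPub, krdPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(Handshake(Party{kdhPriv, krdPub}, Party{krdPriv, kdhPub}))
}
```

What the example makes concrete is the point of difference from the one-way authentication described in [002]: each side signs its temporary public key together with the other side's random number, so a host that does not hold the signing certificate's private key, or a device that does not hold the CA-certified first ECC private key, fails at the signature check before any session key is derived. The final MAC over the integrated message ties the accepted key to the whole transcript, so a message substituted anywhere in the exchange is caught even if each individual signature verified.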
Description
TECHNICAL FIELD
[001] The present invention relates to the technical field of information security, and in particular to a method and system for downloading financial certificates and financial keys.
PRIOR ART
[002] Point-of-sale (POS) terminals are increasingly used, so the security of data transmission during financial transactions must be ensured. In an existing method for downloading a financial certificate (i.e. private data), a Key Distribution Host (KDH) generates a private key and a certificate and, after a Certification Authority (CA) has issued the corresponding public-key certificate, the KDH downloads the private key and the certificate to the Key Receiving Device (KRD) through a one-way authentication protocol (i.e. only the KRD authenticates the KDH). The existing method for downloading the financial key generates a temporary session key using the RSA-2048 algorithm (an asymmetric cryptographic algorithm). The existing methods for downloading financial certificates and financial keys are therefore not sufficiently secure. After a POS device has been produced and delivered by its manufacturer, the financial institution must inject a master key and a working key (the financial keys) into the POS device; the master key and the working key allow the POS device to perform secure authentication and complete transactions. During financial key injection, the key distribution host must itself be authenticated through a certification authority (CA), typically the UnionPay center, to verify the legitimacy of its identity.
SUMMARY OF THE INVENTION
[003] The technical problem to be solved by the present invention is to propose a method and system for downloading financial certificates and financial keys that improves the security of downloading financial certificates and financial keys.
[004] To solve the above technical problem, the present invention adopts the following technical solution: [005] a method for downloading a financial certificate and a financial key, comprising the following steps: - performing a session key negotiation between the key distribution host terminal and the key receiving device terminal using an Elliptic Curve Diffie-Hellman (ECDH) key negotiation algorithm to obtain a first session key, in order to establish a secure financial channel between the key distribution host terminal and the key receiving device terminal; - sending, by the key receiving device terminal, a financial certificate download request to the key distribution host terminal based on the first session key; - generating, by the key distribution host terminal, a financial certificate based on the financial certificate download request and sending the financial certificate to the key receiving device terminal; - performing a session key negotiation between the key distribution host terminal and the key receiving device terminal using the ECDH key negotiation algorithm based on the financial certificate to obtain a second session key, in order to establish a secure financial channel between the key distribution host terminal and the key receiving device terminal; - sending, by the key receiving device terminal, a financial key download request to the key distribution host terminal based on the second session key and the financial certificate; and - generating, by the key distribution host terminal, a financial key based on the financial key download request and sending the financial key to the key receiving device terminal.
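The download phase of claims 6 to 9, and the corresponding request and download steps of [005], as an added example (not code from the patent or the applicant). The certificate download and the key download share one request/reply shape, so a single Host serves both with a caller-supplied Generate function standing in for the certificate or key generation of claims 7 and 9. The session key and the second random number are taken as already negotiated and are constructed values here; HMAC-SHA256 over length-prefixed, labelled fields is the MAC; the rejection of a repeated random number and the MAC on the reply are additions beyond what the claims state; and Request, Reply, Host, NewRequest, Serve and Accept are names of the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Request is the download request of claims 6 and 8: the channel's second random number
// (binds the request to the negotiated session), a fresh random number the reply must echo,
// the body (certificate request configuration, or key ID and key system number) and a MAC.
type Request struct {
	SessionNonce, Fresh, Body, MAC []byte
}

// Reply carries the financial certificate or key and the echoed random number. The
// claims authenticate the reply by that echo alone; the MAC is an addition here.
type Reply struct {
	Payload, Fresh, MAC []byte
}

// mac length-prefixes each field so that moving bytes between fields changes the MAC,
// and starts with a label so request and reply MACs cannot be confused.
func mac(key []byte, label string, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	for _, p := range parts {
		binary.Write(m, binary.BigEndian, uint32(len(p)))
		m.Write(p)
	}
	return m.Sum(nil)
}

func nonce() []byte {
	b := make([]byte, 16)
	rand.Read(b)
	return b
}

// NewRequest is the KRD side of claims 6 and 8.
func NewRequest(sessionKey, sessionNonce, body []byte) Request {
	f := nonce()
	return Request{sessionNonce, f, body, mac(sessionKey, "req", sessionNonce, f, body)}
}

// Host is the KDH's view of one established channel. Generate stands in for the
// certificate or key generation of claims 7 and 9; seen holds random numbers already
// served, so a captured request cannot be replayed (the claims only say "save").
type Host struct {
	SessionKey, SessionNonce []byte
	Generate                 func(body []byte) []byte
	seen                     map[string]bool
}

// Serve checks the MAC, then the session binding, then freshness, and only then
// generates the financial certificate or key.
func (h *Host) Serve(req Request) (Reply, error) {
	if !hmac.Equal(req.MAC, mac(h.SessionKey, "req", req.SessionNonce, req.Fresh, req.Body)) {
		return Reply{}, errors.New("KDH: request MAC invalid")
	}
	if !bytes.Equal(req.SessionNonce, h.SessionNonce) {
		return Reply{}, errors.New("KDH: second random number does not match this session")
	}
	if h.seen[string(req.Fresh)] {
		return Reply{}, errors.New("KDH: replayed request")
	}
	if h.seen == nil {
		h.seen = map[string]bool{}
	}
	h.seen[string(req.Fresh)] = true
	p := h.Generate(req.Body)
	return Reply{p, req.Fresh, mac(h.SessionKey, "rep", p, req.Fresh)}, nil
}

// Accept is the KRD side of claims 7 and 9: the echoed random number must match the
// request (and, as an addition, the reply MAC must verify) before the payload is kept.
func Accept(sessionKey []byte, req Request, rep Reply) ([]byte, error) {
	if !bytes.Equal(rep.Fresh, req.Fresh) {
		return nil, errors.New("KRD: reply random number mismatch")
	}
	if !hmac.Equal(rep.MAC, mac(sessionKey, "rep", rep.Payload, rep.Fresh)) {
		return nil, errors.New("KRD: reply MAC invalid")
	}
	return rep.Payload, nil
}

func main() {
	sk, r2 := nonce(), nonce() // constructed stand-ins for the negotiated session key and R2
	host := &Host{SessionKey: sk, SessionNonce: r2,
		Generate: func(b []byte) []byte { return append([]byte("CERT:"), b...) }}
	req := NewRequest(sk, r2, []byte("CN=POS-0001")) // constructed request configuration
	rep, _ := host.Serve(req)
	fmt.Println(Accept(sk, req, rep))
	fmt.Println(host.Serve(req)) // the same request again is rejected as a replay
}
```

The check order in Serve matters: the MAC is verified before anything in the request is trusted, the second random number then proves the request belongs to this channel rather than an earlier session under the same device certificate, and the saved fresh random number stops a captured request from being served twice. The claims as quoted here authenticate the reply only by the echoed random number and do not say how the financial certificate or key is protected in transit; an on-path attacker who cannot forge the request could still replace the returned payload, which is why the example also MACs the reply under the session key.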
[006] To solve the above technical problem, the present invention adopts another technical solution: - a financial certificate and financial key download system, including a key distribution host terminal and a key receiving device terminal, wherein the key distribution host terminal includes a first memory, a first processor and a first computer program stored in the first memory and operable on the first processor, and the key receiving device terminal includes a second memory, a second processor and a second computer program stored in the second memory and operable on the second processor, wherein the first processor, when executing the first computer program, performs the steps performed by the key distribution host terminal in the financial certificate and financial key download method described above; and - the second processor, when executing the second computer program, performs the steps performed by the key receiving device terminal in the financial certificate and financial key download method described above. [007] The advantageous effect of the present invention is that, by performing a session key negotiation between the key distribution host terminal and the key receiving device terminal using an ECDH key negotiation algorithm to obtain a first session key, a secure financial channel is established between them; sending, by the key receiving device terminal, a request to download a financial certificate to the terminal of the key distribution h