Data processing method and device and computer readable storage medium
1. A method of data processing, the method comprising:
step 101, the card reader waits to receive a data packet sent by a host, and when a data packet that is sent by the host and conforms to a first data structure format is received, step 102 is executed;
step 102, the card reader analyzes the received data packet and judges whether a first preset field in the data packet is the same as the address of the card reader; if so, step 103 is executed, otherwise step 101 is returned to;
step 103, the card reader determines a data packet check mode according to a second preset field in the data packet and checks the data packet according to the data packet check mode; if the check passes, step 104 is executed, otherwise step 101 is returned to;
step 104, the card reader determines whether the data packet contains security data according to the second preset field; if so, step 105 is executed, otherwise step 107 is executed;
step 105, the card reader obtains first encrypted data and a first encrypted data check value according to a fifth preset field in the data packet, obtains a stored first check key, a stored first message authentication key, a stored second message authentication key and a stored first data key, calculates the first check key, the stored first message authentication key, the stored second message authentication key, the first encrypted data and the stored first data key according to a first preset algorithm to obtain a second encrypted data check value, and judges whether the second encrypted data check value is the same as the first encrypted data check value; if so, the card reader calculates the first check key according to a second preset algorithm to obtain a third check key, calculates the first encrypted data according to the third check key, the stored first data check key and the stored first message authentication key to obtain plaintext data according to a third preset algorithm, and executes step 106; otherwise, step 101 is returned to;
step 106, the card reader determines a command type according to a fourth preset field in the data packet, executes the corresponding operation according to the command type and the plaintext data, returns a response data packet conforming to the first data structure format to the host, and returns to step 101;
and step 107, the card reader determines the command type according to the fourth preset field in the data packet, executes the corresponding operation according to the command type, returns a response data packet conforming to the first data structure format to the host, and returns to step 101.
2. The method according to claim 1, wherein in step 107, the command types include a setup secure channel command; executing the corresponding operation according to the command type comprises: the card reader acquires a basic key according to a sixth preset field in the data packet and stores the basic key.
3. The method according to claim 2, wherein in step 107, the command types further include a session key agreement command;
the executing the corresponding operation according to the command type comprises: the card reader acquires a first random number according to a sixth preset field in a data packet, generates a second random number, generates and stores a first data key, a first message authentication key and a second message authentication key according to the first random number, the second random number and a stored basic key, generates a first host key and a first card reader key according to the first random number, the second random number and the first data key, acquires a card reader identifier, and organizes a reply code corresponding to the card reader identifier, the second random number, the first card reader key and a session key negotiation command to obtain a response data packet conforming to a first data structure.
4. The method according to claim 3, wherein in step 107, the command types further include an authentication key command;
the executing the corresponding operation according to the command type specifically includes: the card reader obtains a second host key according to a sixth preset field in a data packet, judges whether the second host key is the same as a first host key generated by the card reader, generates and stores a first verification key according to the first message authentication key, the second message authentication key and the first host key if the second host key is the same as the first host key generated by the card reader, and organizes the first verification key and a reply code corresponding to a verification key command to obtain a response data packet conforming to a first data structure.
5. The method according to claim 1, wherein in step 106, executing the corresponding operation according to the command type and the plaintext data and returning a response data packet conforming to the first data structure format to the host specifically comprises:
the card reader executes the corresponding operation according to the command type and the plaintext data to obtain first result data, uses the second encrypted data check value as a fifth check key, calculates the fifth check key according to the second preset algorithm to obtain a seventh check key, calculates the first result data and the first result data length according to the seventh check key and the first data key to obtain second encrypted data, calculates a third encrypted data check value according to the fifth check key, a third message authentication key, a fourth message authentication key, the second encrypted data and the second encrypted data length, and organizes the third encrypted data check value, the second encrypted data and a reply code corresponding to the operation command to obtain a response data packet conforming to the first data structure format.
6. The method according to claim 5, wherein organizing the third encrypted data check value, the second encrypted data and the reply code corresponding to the operation command to obtain the response data packet conforming to the first data structure format comprises:
the card reader obtains mark data and a data header, uses the card reader address as the first preset field, uses the length value obtained by calculating the length of the response data packet as the data packet length field, uses a control field as the second preset field, uses the third encrypted data check value and the second encrypted data as the fifth preset field, calculates the data length of the fifth preset field as the security data length field, uses the reply code corresponding to the operation command as the fourth preset field, calculates the check value of the response data packet and uses it as the third preset field, and organizes the mark data, the data header, the first preset field, the data packet length field, the second preset field, the third preset field, the fourth preset field, the fifth preset field and the security data length field in a preset manner to obtain the data packet conforming to the first data structure format.
7. The method according to claim 1, wherein the determining the packet verification manner according to the second preset field in the packet specifically comprises: the card reader obtains a first preset bit in a second preset field, and judges a data packet checking mode according to the first preset bit.
8. The method according to claim 1, wherein checking the data packet according to the data packet check mode specifically comprises: the card reader calculates the data packet according to the determined data packet check mode to obtain a data packet check value, judges whether the calculated data packet check value is the same as the third preset field in the data packet, if so, executes step 104, otherwise returns response data including error information to the host and returns to step 101.
9. The method according to claim 1, wherein the card reader determining whether the data packet contains the security data according to the second preset field specifically comprises: the card reader acquires a second preset bit in the second preset field and judges whether the data packet contains the security data according to the second preset bit.
10. A data processing apparatus, characterized in that the apparatus comprises:
the receiving and analyzing module is used for receiving the data packet sent by the host and analyzing the received data packet;
the judging module is used for judging whether the first preset field in the data packet is the same as the address of the card reader or not;
the verification module is used for determining a data packet verification mode according to a second preset field in the data packet and verifying the data packet according to the data packet verification mode;
the first determining module is used for determining whether the data packet contains the safety data or not according to the second preset field;
the processing module is used for acquiring encrypted data and a first encrypted data check value according to a fifth preset field in the data packet, acquiring a stored first check key, a stored first message authentication key, a stored second message authentication key and a stored first data key, calculating the first check key, the stored first message authentication key, the stored second message authentication key, the encrypted data and the encrypted data length according to a preset algorithm to obtain a second encrypted data check value, judging whether the second encrypted data check value is the same as the first encrypted data check value, if so, calculating the first check key according to the preset algorithm to obtain a third check key, and calculating the encrypted data and the encrypted data length according to the third check key and the stored first data key to obtain plaintext data;
the second determining module is used for determining a command type according to a fourth preset field in the data packet, executing the corresponding operation according to the command type and the plaintext data to obtain first result data, and returning a response data packet conforming to the first data structure format to the host;
and the third determining module is used for determining the command type according to the fourth preset field in the data packet, executing the corresponding operation according to the command type and returning a response data packet conforming to the first data structure format to the host.
11. An electronic device, comprising: a memory for storing non-transitory computer readable instructions; and a processor for executing the computer readable instructions such that the computer readable instructions, when executed by the processor, implement the data processing method of any one of claims 1 to 9.
12. A computer-readable storage medium storing non-transitory computer-readable instructions which, when executed by a computer, cause the computer to perform the data processing method of any one of claims 1 to 9.
Background
In the prior art, a card reader in an access control system needs to communicate with a host. The communication protocols adopted by existing card reader manufacturers differ, these protocols are open, and the data exchanged between the card reader and the host is transmitted in plaintext, so it can easily be monitored and stolen. How to ensure the security of the data transmitted between the card reader and the host has therefore become a problem that urgently needs to be solved.
Disclosure of Invention
In order to solve the problems in the prior art, embodiments of the present application provide a data processing method, an apparatus and a computer-readable storage medium, which can effectively prevent communication data from being monitored, stolen and tampered with, thereby ensuring the security of the transmitted data.
In one aspect, a data processing method provided in an embodiment of the present application includes:
step 101, the card reader waits to receive a data packet sent by a host, and when a data packet that is sent by the host and conforms to a first data structure format is received, step 102 is executed;
step 102, the card reader analyzes the received data packet and judges whether a first preset field in the data packet is the same as the address of the card reader; if so, step 103 is executed, otherwise step 101 is returned to;
step 103, the card reader determines a data packet check mode according to a second preset field in the data packet and checks the data packet according to the data packet check mode; if the check passes, step 104 is executed, otherwise step 101 is returned to;
step 104, the card reader determines whether the data packet contains security data according to the second preset field; if so, step 105 is executed, otherwise step 107 is executed;
step 105, the card reader obtains first encrypted data and a first encrypted data check value according to a fifth preset field in the data packet, obtains a stored first check key, a stored first message authentication key, a stored second message authentication key and a stored first data key, calculates the first check key, the stored first message authentication key, the stored second message authentication key, the first encrypted data and the stored first data key according to a first preset algorithm to obtain a second encrypted data check value, and judges whether the second encrypted data check value is the same as the first encrypted data check value; if so, the card reader calculates the first check key according to a second preset algorithm to obtain a third check key, calculates the first encrypted data according to the third check key, the stored first data check key and the stored first message authentication key to obtain plaintext data according to a third preset algorithm, and executes step 106; otherwise, step 101 is returned to;
step 106, the card reader determines a command type according to a fourth preset field in the data packet, executes the corresponding operation according to the command type and the plaintext data, returns a response data packet conforming to the first data structure format to the host, and returns to step 101;
and step 107, the card reader determines the command type according to the fourth preset field in the data packet, executes the corresponding operation according to the command type, returns a response data packet conforming to the first data structure format to the host, and returns to step 101.
On the other hand, an embodiment of the present application provides a data processing apparatus, including:
the receiving and analyzing module is used for receiving the data packet sent by the host and analyzing the received data packet;
the judging module is used for judging whether a first preset field in a data packet is the same as the address of the card reader or not;
the verification module is used for determining a data packet verification mode according to a second preset field in the data packet and verifying the data packet according to the data packet verification mode;
the first determining module is used for determining whether the data packet contains the safety data or not according to the second preset field;
the processing module is used for acquiring the first encrypted data and the first encrypted data check value according to a fifth preset field in the data packet, acquiring a stored first check key, a stored first message authentication key, a stored second message authentication key and a stored first data key, calculating the first check key, the first message authentication key, the second message authentication key, the first encrypted data and the first encrypted data length according to a first preset algorithm to obtain a second encrypted data check value, judging whether the second encrypted data check value is the same as the first encrypted data check value, if so, calculating the first check key according to a second preset algorithm to obtain a third check key, calculating the first encrypted data according to the third verification key, the first data key and the first encrypted data length to obtain plaintext data;
the second determining module is used for determining the command type according to a fourth preset field in the data packet, executing the corresponding operation according to the command type and the plaintext data, and returning a response data packet conforming to the first data structure format to the host;
and the third determining module is used for determining the command type according to the fourth preset field in the data packet, executing the corresponding operation according to the command type and returning a response data packet conforming to the first data structure format to the host.
In another aspect, an embodiment of the present application provides an electronic device, including: a memory for storing non-transitory computer readable instructions; and a processor for executing the computer readable instructions such that the computer readable instructions, when executed by the processor, implement operations of a data processing method.
Embodiments of the present application also provide a computer-readable storage medium for storing non-transitory computer-readable instructions, which, when executed by a computer, cause the computer to perform operations of a data processing method.
The technical solution provided by the embodiments of the application has the following beneficial effects: the card reader and the host communicate by transmitting data that conforms to the preset data structure format; during communication the data can be encrypted with the data key, and the encrypted data is verified with the check key, so the communication data are effectively prevented from being monitored, stolen and tampered with, and the security of the transmitted data is guaranteed.
Drawings
Fig. 1 is a flowchart of a data processing method provided in embodiment 1 of the present application;
fig. 2 and fig. 3 are flowcharts of a data processing method provided in embodiment 2 of the present application;
fig. 4 is a block diagram of a data processing apparatus according to embodiment 3 of the present application.
Detailed Description
In order to make the purpose, technical solutions and advantages of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Example 1
The embodiment of the application provides a data processing method, which is suitable for an access control system comprising a card reader, a host and a card, wherein a plurality of card readers may communicate with the host;
as shown in fig. 1, the method includes:
step 101, the card reader waits to receive a data packet sent by a host, and when a data packet that is sent by the host and conforms to a first data structure format is received, step 102 is executed;
in this embodiment, the data packet received by the card reader conforms to a first data structure format;
specifically, the first data structure format at least includes a data header, a first preset field, a data length field, a second preset field, a third preset field, and a fourth preset field;
the first preset field represents a physical address of the card reader;
the data length field indicates the length of bytes included in the data packet;
the second preset field represents a control information field;
the third preset field represents a data packet check value;
the fourth preset field represents a command code;
optionally, the first data structure format may further include a fifth preset field and a sixth preset field; wherein the fifth preset field represents a ciphertext data block; the sixth preset field represents a plaintext data block;
for example, the length and value of the above fields are specifically:
the data header is 1 byte, and the corresponding value is 0x53;
the physical address of the card reader is 1 byte, and the range of its value is 0x00-0x7E;
the data length field is 2 bytes;
the control information field is 1 byte, wherein the control information field comprises three parts of data, wherein the first bit and the second bit of the byte are message sequence numbers which are used for message transmission confirmation and error check; the third bit of the byte is a check mode, and the check mode comprises a checksum mode and a CRC check mode; the fourth bit of the byte is a security setting item;
the command code is specifically used for polling requests, obtaining card reader equipment information requests, obtaining card reader function requests, local state report requests, card reader input/output state report requests, anti-disassembly state report requests, output control, controlling card reader LEDs, controlling buzzers, card reader communication configuration requests, establishing secure channel requests, session key negotiation requests, verification key requests, scanning and sending biological identification data requests, scanning and comparing biological identification data requests, setting maximum bytes which can be received by a host and expanding data writing requests;
step 102, the card reader analyzes the received data packet, whether a first preset field in the data packet is the same as the address of the card reader is judged, if yes, step 103 is executed, and if not, step 101 is returned to;
in this embodiment, the specific steps of the card reader analyzing the received data packet include: the card reader divides the data in the data packet byte by byte from the high order to the low order, and takes:
the first byte as the mark data;
the second byte as the data header;
the third byte as the first preset field;
the fourth byte as the high order of the data length;
the fifth byte as the low order of the data length;
the sixth byte as the second preset field;
the seventh byte as the length of the security data;
the eighth byte as the type of the security data;
the bytes occupied by the fifth preset field, determined according to the seventh byte, as the bytes following the eighth byte, the first byte of the fifth preset field being the ninth byte;
the byte following the bytes occupied by the fifth preset field as the fourth preset field;
the bytes following the byte occupied by the fourth preset field as the sixth preset field;
and the two bytes following the bytes occupied by the sixth preset field as the third preset field.
Step 103, the card reader determines a data packet check mode according to a second preset field in the data packet and checks the data packet according to the determined check mode; if the check passes, step 104 is executed, otherwise step 101 is returned to;
in this embodiment, optionally, the determining, according to the second preset field in the data packet, the data packet checking method specifically includes: the card reader acquires a first preset bit in a second preset field and judges a data packet checking mode according to the first preset bit;
optionally, checking the data packet according to the determined data packet check mode specifically includes: the card reader calculates the data packet according to the determined data packet check mode to obtain a data packet check value, judges whether the calculated data packet check value is the same as the third preset field in the data packet, if so, executes step 104, otherwise returns response data including error information to the host and returns to step 101.
Step 104, the card reader determines whether the data packet contains safety data according to a second preset field, if so, step 105 is executed, otherwise, step 110 is executed;
in this embodiment, optionally, the card reader determining whether the data packet contains security data according to the second preset field specifically includes: the card reader acquires a second preset bit in the second preset field and judges whether the data packet contains security data according to the second preset bit.
step 105, the card reader acquires first encrypted data and a first encrypted data check value according to the fifth preset field in the data packet, and acquires a stored first check key, a stored first message authentication key, a stored second message authentication key and a stored first data key;
in this embodiment, the first encrypted data and the first encrypted data check value are generated by the host.
Step 106, the card reader calculates a first verification key, a first message authentication key, a second message authentication key, first encrypted data and a first encrypted data length according to a first preset algorithm to obtain a second encrypted data verification value;
in this embodiment, the first preset algorithm specifically includes: AES encryption and decryption algorithm.
Step 107, the card reader judges whether the second encrypted data check value is the same as the first encrypted data check value, if so, step 108 is executed, otherwise, step 101 is returned;
step 108, the card reader calculates the first verification key according to a second preset algorithm to obtain a third verification key, calculates the first encrypted data and the first encrypted data length according to the third verification key and the first data key to obtain plaintext data, and executes step 109;
in this embodiment, the second preset algorithm is specifically an inverse calculation;
optionally, calculating the first encrypted data according to the third verification key, the first data key and the first encrypted data length to obtain plaintext data specifically includes: the card reader decrypts the first encrypted data with the third verification key, the first data key and the first encrypted data length according to the first preset algorithm to obtain the plaintext data;
in this embodiment, the first preset algorithm specifically includes: AES encryption and decryption algorithm.
Step 109, the card reader determines the command type according to the fourth preset field in the data packet, executes the corresponding operation according to the command type and the plaintext data, returns a response data packet conforming to the first data structure format to the host, and returns to step 101;
optionally, the command type is specifically extended write data;
specifically, the corresponding operations executed according to the command type and the plaintext data are specifically: the card reader writes the plaintext data into the card.
In this embodiment, the specific steps of executing the corresponding operation according to the command type and the plaintext data and returning a response data packet conforming to the first data structure format to the host include: the card reader executes the corresponding operation according to the command type and the plaintext data to obtain first result data, uses the second encrypted data check value as a fifth check key, calculates the fifth check key according to the second preset algorithm to obtain a seventh check key, calculates the first result data and the first result data length according to the seventh check key and the first data key to obtain second encrypted data, calculates a third encrypted data check value according to the fifth check key, a third message authentication key, a fourth message authentication key, the second encrypted data and the second encrypted data length, and organizes the third encrypted data check value, the second encrypted data and the reply code corresponding to the operation command to obtain a response data packet conforming to the first data structure format.
Specifically, organizing the third encrypted data check value, the second encrypted data and the reply code corresponding to the operation command to obtain the response data packet conforming to the first data structure format specifically includes: the card reader obtains mark data and a data header, uses the card reader address as the first preset field, uses the length value obtained by calculating the length of the response data packet as the data packet length field, uses a control field as the second preset field, uses the third encrypted data check value and the second encrypted data as the fifth preset field, calculates the data length of the fifth preset field as the security data length field, uses the reply code corresponding to the operation command as the fourth preset field, calculates the check value of the response data packet and uses it as the third preset field, and organizes the mark data, the data header, the first preset field, the data packet length field, the second preset field, the third preset field, the fourth preset field, the fifth preset field and the security data length field in a preset manner to obtain the data packet conforming to the first data structure format.
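The secure channel setup of claims 2 to 4 and the verify-then-decrypt handling of steps 105 to 109, as an added Python example that is not part of the patent. The text names AES as the first preset algorithm and an inverse calculation as the second; this example substitutes standard-library stand-ins (kdf, mac, stream_xor and inverse are assumptions), assumes 16-byte keys and check values, assumes the check value follows the ciphertext inside the fifth preset field, and uses the session MAC keys in place of the unspecified third and fourth MAC keys.

```python
import hashlib
import hmac
import os

KEY_LEN = 16  # assumed length of keys, random numbers and check values (the text gives none)

def kdf(*parts: bytes) -> bytes:
    """Stand-in for the unspecified key derivation: SHA-256 over the joined inputs, truncated."""
    return hashlib.sha256(b"|".join(parts)).digest()[:KEY_LEN]

def mac(check_key: bytes, k_mac1: bytes, k_mac2: bytes, data: bytes) -> bytes:
    """'First preset algorithm': check value over check key, both MAC keys, ciphertext and
    its length; HMAC-SHA256 stands in for the AES-based computation named in the text."""
    return hmac.new(kdf(check_key, k_mac1, k_mac2), data + len(data).to_bytes(2, "big"),
                    hashlib.sha256).digest()[:KEY_LEN]

def inverse(key: bytes) -> bytes:
    """'Second preset algorithm' (inverse calculation), read as a bitwise complement (assumption)."""
    return bytes(b ^ 0xFF for b in key)

def stream_xor(check_key: bytes, data_key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt under the derived check key and the data key; a SHA-256 keystream
    stands in for the AES step, so one call serves both directions."""
    key, out, counter = kdf(check_key, data_key), bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

def derive_session(r1: bytes, r2: bytes, basic_key: bytes):
    """Claim 3: data key and MAC keys from both randoms and the basic key; host/reader keys from the data key."""
    k_data = kdf(b"data", r1, r2, basic_key)
    k_mac1 = kdf(b"mac1", r1, r2, basic_key)
    k_mac2 = kdf(b"mac2", r1, r2, basic_key)
    host_key = kdf(b"host", r1, r2, k_data)
    reader_key = kdf(b"reader", r1, r2, k_data)
    return k_data, k_mac1, k_mac2, host_key, reader_key

class CardReader:
    def __init__(self, reader_id: bytes, rng=os.urandom):
        self.reader_id, self.rng = reader_id, rng
        self.basic_key = self.session = self.check_key = self.last_check_value = None

    def setup_secure_channel(self, basic_key: bytes) -> None:
        """Command 0x75: store the basic key carried in the sixth preset field."""
        self.basic_key = basic_key

    def session_key_agreement(self, r1: bytes):
        """Command 0x76: derive session keys; reply with reader id, second random number, reader key."""
        r2 = self.rng(KEY_LEN)
        self.session = derive_session(r1, r2, self.basic_key)
        return self.reader_id, r2, self.session[4]

    def authenticate_host(self, host_key: bytes):
        """Command 0x77: accept the host only if its host key equals the one derived here
        (constant-time compare), then derive and store the first check key."""
        _, k_mac1, k_mac2, my_host_key, _ = self.session
        if not hmac.compare_digest(host_key, my_host_key):
            return None
        self.check_key = kdf(k_mac1, k_mac2, my_host_key)
        return self.check_key

    def process_secure_block(self, secure_block: bytes):
        """Steps 105-108: recompute the check value and compare before touching the ciphertext;
        None is the text's 'return to step 101'. Check value assumed to follow the ciphertext."""
        k_data, k_mac1, k_mac2, _, _ = self.session
        enc, v1 = secure_block[:-KEY_LEN], secure_block[-KEY_LEN:]
        v2 = mac(self.check_key, k_mac1, k_mac2, enc) if self.check_key else None
        if v2 is None or not hmac.compare_digest(v1, v2):
            return None
        self.last_check_value = v2   # reused as the fifth check key of the reply (step 109)
        return stream_xor(inverse(self.check_key), k_data, enc)

    def build_secure_response(self, result: bytes) -> bytes:
        """Step 109: encrypt the result under the seventh check key (inverse of the fifth) and the
        data key, then MAC under the fifth check key. The third and fourth MAC keys are not
        specified by the text; the session MAC keys stand in for them (assumption)."""
        k_data, k_mac1, k_mac2, _, _ = self.session
        c5 = self.last_check_value
        enc2 = stream_xor(inverse(c5), k_data, result)
        return enc2 + mac(c5, k_mac1, k_mac2, enc2)

def host_exchange(reader: CardReader, basic_key: bytes, command: bytes, rng=os.urandom):
    """Host side of the same exchange, written only so the flow runs end to end;
    returns (plaintext recovered by the reader, check key, session keys) or None."""
    reader.setup_secure_channel(basic_key)
    r1 = rng(KEY_LEN)
    _, r2, reader_key = reader.session_key_agreement(r1)
    session = derive_session(r1, r2, basic_key)
    if not hmac.compare_digest(reader_key, session[4]):
        return None                       # the reader does not hold the same basic key
    check_key = reader.authenticate_host(session[3])
    if check_key is None:
        return None
    enc = stream_xor(inverse(check_key), session[0], command)
    plain = reader.process_secure_block(enc + mac(check_key, session[1], session[2], enc))
    return plain, check_key, session
```

The reader compares the check value in constant time before any decryption, and the reply's check value is keyed by the check value of the request it answers, which binds each reply to that request.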
Step 110, the card reader determines the command type according to the fourth preset field in the data packet, executes the corresponding operation according to the command type, returns a response data packet conforming to the first data structure format to the host, and returns to step 101.
In this embodiment, the fourth preset field is specifically a command code;
wherein the command types and their command codes include:
polling request, command code 0x60;
obtain card reader device information request, command code 0x61;
obtain card reader function request, command code 0x62;
local status report request, command code 0x64;
card reader input status report request, command code 0x65;
card reader output status report request, command code 0x66;
card reader anti-detachment status report request, command code 0x67;
output control command, command code 0x68, wherein the output control command comprises a data block, and the data block specifically comprises the number corresponding to the output, the control code corresponding to the control mode and the timing time;
control card reader LED command, command code 0x69;
control buzzer command, command code 0x6A;
card reader communication configuration command, command code 0x6E;
establish secure channel command, command code 0x75;
session key negotiation command, command code 0x76;
verification key command, command code 0x77;
scan and send biometric data command, command code 0x73;
scan and compare biometric data command, command code 0x74;
set maximum bytes receivable by the host command, command code 0x7B;
extended data write command, command code 0xA1;
in this embodiment, executing the corresponding operation according to the command type and returning a data packet conforming to the first data structure format to the host specifically includes: the card reader executes the corresponding operation according to the command type to obtain first result data; obtains the mark data and the data header; uses the address of the card reader as the first preset field; calculates the length of the data packet to obtain a length value used as the data packet length field; uses the control field as the second preset field; uses the reply code corresponding to the operation command as the fourth preset field; uses the first result data as the sixth preset field; calculates the check value of the data packet and uses it as the third preset field; and organizes the mark data, the data header, the first preset field, the data packet length field, the second preset field, the third preset field, the fourth preset field and the sixth preset field in a preset manner to obtain the data packet conforming to the first data structure format;
optionally, organizing the mark data, the data header, the first preset field, the data packet length field, the second preset field, the third preset field, the fourth preset field and the sixth preset field in a preset manner to obtain a data packet conforming to the first data structure format specifically includes: taking the mark data as the first byte, the data header as the second byte, the first preset field as the third byte, the high byte of the data length as the fourth byte, the low byte of the data length as the fifth byte, the second preset field as the sixth byte, the fourth preset field as the tenth byte and the sixth preset field as the eleventh byte, setting the seventh to ninth bytes and the twelfth to sixteenth bytes to 0, and splicing the first to sixteenth bytes in sequence to obtain the data packet conforming to the first data structure format; the data packet conforming to the first data structure format is then returned to the host;
specifically, the first data structure format at least includes a data header, a first preset field, a data length field, a second preset field, a third preset field, and a fourth preset field;
the fourth preset field is specifically a response code;
the response code is specifically used for: polling request response, card reader equipment information response, card reader function response, local status report response, card reader output/input status report response, anti-disassembly (tamper) status report response, output control response, card reader LED control response, buzzer control response, card reader communication configuration response, secure channel establishment response, session key negotiation response, key verification response, biometric data scanning and sending response, biometric data scanning and comparing response, and host-receivable maximum byte count response;
wherein the response types include: a polling request response, with response code 0x40; a card reader equipment identification response, with response code 0x45; a card reader function response, with response code 0x46; a local status report response, with response code 0x48; output/input status report responses, with response codes 0x49/0x4A; a card reader communication configuration response, with response code 0x54; a secure channel establishment response, with response code 0x40; a session key negotiation response, with response code 0x76; a verification key response, with response code 0x78;
optionally, in this embodiment, in step 110, the command type is specifically a command for establishing a secure channel;
preferably, executing the corresponding operation according to the command type specifically includes: the card reader acquires the basic key from the fifth preset field in the data packet and stores it.
Optionally, in this embodiment, in step 110, the command type is specifically a session key agreement command;
preferably, executing the corresponding operation according to the command type specifically includes: the card reader acquires a first random number according to a fifth preset field, generates a second random number, generates a first data key, a first message authentication key and a second message authentication key according to the first random number, the second random number and a basic key, generates a first host key and a first card reader key according to the first random number, the second random number and the first data key, acquires a card reader identifier, and organizes the card reader identifier, the second random number, the first card reader key and a reply code corresponding to a session key negotiation command to obtain a response data packet conforming to a first data structure.
Optionally, in this embodiment, in step 110, the command type is specifically an authentication key command;
preferably, executing the corresponding operation according to the command type specifically includes: the card reader acquires a second host key from the fifth preset field, judges whether the second host key is the same as the first host key generated by the card reader, and if so, generates a first verification key according to the first message authentication key, the second message authentication key and the first host key, and organizes the first verification key and the reply code corresponding to the verification key command to obtain a response data packet conforming to the first data structure.
Specifically, in this embodiment, after the card reader and the host generate the data key, the card reader and the host respectively store the same verification key, and hereinafter, the verification key in the card reader is used as the first verification key, and the verification key in the host is used as the second verification key; in the subsequent communication process, the host and the card reader can obtain a current verification key according to the verification key stored by the host and the card reader, encrypt and decrypt data according to the generated data key, and digest the encrypted data through the verification key to obtain a verification value so that a receiver can verify the data.
Example 2
The embodiment of the application provides a data processing method suitable for an access control system comprising a card reader, a host and a card, where multiple card readers may communicate with the host;
as shown in fig. 2 and 3, the method includes:
step 201, the card reader waits for receiving a data packet sent by the host, and executes step 202 when receiving the data packet which is sent by the host and accords with a first data structural formula;
step 202, the card reader analyzes the received data packet, judges whether a first preset field in the data packet is the same as the address of the card reader or not, if so, step 203 is executed, otherwise, the step 201 is returned;
in this embodiment, the data packet received by the card reader conforms to a first data structure format;
specifically, the first data structure format at least includes a data header, a first preset field, a data length field, a second preset field, a third preset field, and a fourth preset field;
the value corresponding to the first preset field represents a physical address of the card reader;
the value corresponding to the data length field represents the byte length included in the data packet;
the value corresponding to the second preset field represents a control information field;
the value corresponding to the third preset field represents a data packet check value;
the value corresponding to the fourth preset field represents a command code;
optionally, the first data structure format may further include a fifth preset field and a sixth preset field; the value corresponding to the fifth preset field represents a safety data block; the value corresponding to the sixth preset field represents a plaintext data block;
for example, the lengths and values of the above fields are specifically: the data header is 1 byte, with the value 0x53;
the physical address of the card reader is 1 byte, with a value in the range 0x00-0x7E;
the data length field is 2 bytes;
the control information field is 1 byte, wherein the control information field comprises three parts of data, wherein the first bit and the second bit of the byte are message sequence numbers which are used for message transmission confirmation and error check; the third bit of the byte is a check mode, and the check mode comprises a checksum mode and a CRC check mode; the fourth bit of the byte is a secure data setting item;
in this embodiment, the command types include:
the first command is a polling request; the corresponding command code is 0x60;
the second command is a request for acquiring information of the card reader equipment; the corresponding command code is 0x61;
the third command is a request for acquiring the function of the card reader; the corresponding command code is 0x62;
the fourth command is a local status report request; the corresponding command code is 0x64;
the fifth command is a status report request input by the card reader; the corresponding command code is 0x65;
the sixth command is a status report request output by the card reader; the corresponding command code is 0x66;
the seventh command is a card reader status report request; the corresponding command code is 0x67;
the eighth command is an output control command; the corresponding command code is 0x68; wherein the output control command comprises a data block; the data block specifically comprises the number of the output, the control code of the control mode and the timing time;
the ninth command is a command for controlling the card reader LED; the corresponding command code is 0x69;
the tenth command is a command for controlling the buzzer; the corresponding command code is 0x6A;
the eleventh command is a card reader communication configuration command; the corresponding command code is 0x6E;
the twelfth command is a command for establishing a secure channel; the corresponding command code is 0x75;
the thirteenth command is a session key agreement command; the corresponding command code is 0x76;
the fourteenth command is an authentication key command; the corresponding command code is 0x77;
the fifteenth command is a scan and send biometric data command; the corresponding command code is 0x73;
the sixteenth command is a command for scanning and comparing biometric data; the corresponding command code is 0x74;
the seventeenth command is a command for setting the maximum byte count the host can receive; the corresponding command code is 0x7B;
the command code is specifically used for polling requests, obtaining card reader device information requests, obtaining card reader function requests, local status report requests, card reader input/output status report requests, tamper status report requests, output control, controlling card reader LEDs, controlling buzzers, card reader communication configuration requests, establishing secure channels requests, session key negotiation requests, verifying key requests, scanning and sending biometric data requests, scanning and comparing biometric data requests, and setting the maximum byte receivable by the host.
Step 203, the card reader determines a data packet checking mode according to the second preset field in the data packet and checks the data packet according to the determined checking mode; if the check passes, step 204 is executed, otherwise the method returns to step 201;
in this embodiment, optionally, determining the data packet checking mode according to the second preset field in the data packet specifically includes: the card reader acquires a first preset bit in the second preset field and determines the data packet checking mode according to that bit;
optionally, checking the data packet according to the determined checking mode specifically includes: the card reader calculates a check value over the data packet in the determined checking mode, obtains the third preset field in the data packet, and judges whether the calculated check value is the same as the obtained third preset field; if so, step 204 is executed, otherwise response data including error information is returned to the host and the method returns to step 201;
for example, a first preset bit in the second preset field is 1, which indicates that the data packet checking method is the checksum method, and a first preset bit in the second preset field is 0, which indicates that the data packet checking method is the CRC checking method.
Step 204, the card reader determines whether the data packet contains safety data according to a second preset field, if not, step 205 is executed, and if yes, step 206 is executed;
in this embodiment, step 204 specifically includes: the card reader acquires a preset bit in a second preset field and judges whether the data packet contains safety data or not according to a value corresponding to the preset bit;
for example, a value of 1 for the preset bit in the second preset field indicates that safety data is contained, and a value of 0 indicates that no safety data is contained;
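The packet format and the checks of steps 202 and 203 can be made concrete in code. The following Go program is an added example written for this page, not code from the patent. It assumes a byte layout that the page only partly fixes (data header 0x53, card reader address, two-byte length with the high byte first, control byte, then the body holding the safety data block when present, the command code and the data, and the check value last), and it assumes concrete check functions, an 8-bit two's-complement checksum and a CRC-16 with polynomial 0x1021 and initial value 0x1D0F, because the page names the two modes without defining them. The control-byte bits follow the page: bits 0-1 sequence number, bit 2 set for checksum mode, bit 3 set when safety data is present. `Build`, `Parse`, `checksum8`, `crc16` and the error names are names chosen here.

```go
package main

import "errors"

// Assumed byte layout (the page fixes the field order and the control-byte bits, not every offset):
//   [0] header 0x53  [1] reader address 0x00-0x7E  [2][3] total length, high byte first  [4] control
//   [5..] body: command code and data, preceded by the safety data block when control bit 3 is set
//   tail: the check value, 1 byte in checksum mode or 2 bytes (low byte first) in CRC mode.
const (
	Header     = 0x53
	MaxAddress = 0x7E
	ctrlSeq    = 0x03 // bits 0-1: message sequence number
	ctrlCksum  = 0x04 // bit 2: 1 = checksum mode, 0 = CRC mode (as the page states)
	ctrlSecure = 0x08 // bit 3: 1 = the packet carries a safety data block
)

var (
	ErrNotForMe  = errors.New("address mismatch: packet is for another reader")
	ErrCheck     = errors.New("check value mismatch")
	ErrMalformed = errors.New("malformed packet")
)

type Packet struct {
	Address, Seq     byte
	Checksum, Secure bool // checksum mode (otherwise CRC); safety data block present
	Body             []byte
}

// checksum8 is the assumed checksum: the byte that brings the sum of all packet bytes to 0 mod 256.
func checksum8(b []byte) byte {
	var s byte
	for _, x := range b {
		s += x
	}
	return -s
}

// crc16 is the assumed CRC: polynomial 0x1021, initial value 0x1D0F, no reflection.
func crc16(b []byte) uint16 {
	crc := uint16(0x1D0F)
	for _, x := range b {
		crc ^= uint16(x) << 8
		for i := 0; i < 8; i++ {
			crc = crc<<1 ^ 0x1021*(crc>>15) // shift, then fold in the polynomial if the top bit was set
		}
	}
	return crc
}

// Build organizes a packet in the layout above (a host command or a card reader reply).
func Build(addr, seq byte, checksum, secure bool, body []byte) ([]byte, error) {
	if addr > MaxAddress {
		return nil, errors.New("address out of range")
	}
	ctrl := seq & ctrlSeq
	if checksum {
		ctrl |= ctrlCksum
	}
	if secure {
		ctrl |= ctrlSecure
	}
	total := 5 + len(body) + 2 // header, address, length, control, body, 2-byte CRC
	if checksum {
		total-- // 1-byte checksum instead
	}
	p := append([]byte{Header, addr, byte(total >> 8), byte(total), ctrl}, body...)
	if checksum {
		return append(p, checksum8(p)), nil
	}
	c := crc16(p)
	return append(p, byte(c), byte(c>>8)), nil
}

// Parse is steps 202 and 203: drop packets addressed to another reader, then verify the check
// value in the mode the control byte names before any other field is trusted.
func Parse(raw []byte, myAddr byte) (*Packet, error) {
	if len(raw) < 7 || raw[0] != Header || (int(raw[2])<<8|int(raw[3])) != len(raw) {
		return nil, ErrMalformed
	}
	if raw[1] != myAddr {
		return nil, ErrNotForMe
	}
	ctrl := raw[4]
	pk := &Packet{Address: raw[1], Seq: ctrl & ctrlSeq, Checksum: ctrl&ctrlCksum != 0, Secure: ctrl&ctrlSecure != 0}
	end := len(raw) - 2 // offset of the check value
	if pk.Checksum {
		end = len(raw) - 1
		if checksum8(raw[:end]) != raw[end] {
			return nil, ErrCheck
		}
	} else if c := crc16(raw[:end]); raw[end] != byte(c) || raw[end+1] != byte(c>>8) {
		return nil, ErrCheck
	}
	if end <= 5 {
		return nil, ErrMalformed // nothing between the control byte and the check value
	}
	pk.Body = raw[5:end]
	return pk, nil
}
```

`Parse` returns `ErrNotForMe` for a packet carrying another reader's address so the caller can go back to waiting silently, as step 202 requires, and returns `ErrCheck` before exposing any field when the check value does not match; a packet whose address byte is altered in transit fails the check rather than being accepted by the new address.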
step 205, the card reader determines the command type according to the fourth preset field in the data packet, executes corresponding operation according to the command type, returns a response data packet conforming to the first data structural formula to the host, and returns to step 201;
in this embodiment, before executing step 205, the method further includes: the card reader judges whether the data packet contains a sixth preset field, if so, data in the sixth preset field is obtained, the command type is determined according to the fourth preset field in the data packet, corresponding operation is executed according to the command type and the data in the sixth preset field, a response data packet which accords with the first data structure formula is returned to the host, the step 201 is returned, and if not, the step 205 is executed;
in this embodiment, optionally, when the command type is specifically a command for establishing a secure channel, executing corresponding operations according to the command type specifically includes: acquiring and storing data in a sixth preset field; specifically, the data in the sixth preset field is the basic key.
For example, the command code corresponding to the command for establishing the secure channel is 0x75;
the basic key is: 0x30 0x31 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39 0x3a 0x3b 0x3c 0x3d 0x3e 0x3f;
specifically, the basic key is generated by the host; further, the host organizes the basic key and the command code to obtain a data packet conforming to the first data structure format and sends it to the card reader.
In this embodiment, optionally, when the command type is specifically a session key agreement command, executing corresponding operations according to the command type specifically includes: acquiring a first random number in a sixth preset field, generating a second random number, generating a first data key, a first message authentication key and a second message authentication key according to the first random number, the second random number and a basic key, generating a first host key and a first card reader key according to the first random number, the second random number and the first data key, acquiring a card reader identifier, and organizing a card reader identifier, the second random number, the first card reader key and a reply code corresponding to a session key negotiation command to obtain a response data packet conforming to a first data structure.
For example, the command code corresponding to the session key agreement command is 0x76;
the reply code corresponding to the session key agreement command is 0x76;
for example, the first random number is: 0x40 0xC0 0x9F 0x61 0xCC 0x6E 0x09 0x0A;
the second random number is: 0x1B 0x22 0x48 0xD3 0xD0 0x3C 0xB6 0x04;
the set of keys generated from the first random number, the second random number and the basic key includes:
the first data key: 0x23 0x0F 0x 0xA4 0x1F 0xCD 0x49 0x1D 0xB4 0xD2 0xEF 0x86 0x1A 0x9A 0x84 0xC5 0x81;
the first message authentication key: 0xE4 0x07 0xA0 0x89 0x35 0x96 0x7B 0xD3 0x33 0xD1 0x6E 0x98 0xA1 0xA4 0xF5 0x61;
the second message authentication key: 0xB7 0xAD 0x75 0xBB 0xF4 0x13 0xF5 0x5D 0x15 0x59 0x40 0x60 0xFF 0x94 0x86 0x5B;
the first host key: 0x38 0xDA 0x67 0xF1 0xD5 0x5A 0x14 0x06 0xD3 0xC5 0xB8 0x84 0x53 0x05 0x9B 0xCC;
the first card reader key: 0x64 0xBC 0xE0 0x2E 0xAB 0xF1 0x89 0xB5 0x8A 0x0D 0x86 0x8C 0x90 0x67 0x52 0xDF;
specifically, the first random number is generated by the host; further, the host organizes the first random number and the command code to obtain a data packet conforming to the first data structure format and sends it to the card reader;
furthermore, after receiving the response data packet corresponding to the session key agreement command sent by the card reader, the host further performs: generating a second data key, a third message authentication key and a fourth message authentication key according to the first random number, the second random number and the basic key; generating a second host key and a second card reader key according to the first random number, the second random number and the second data key; organizing a data packet conforming to the first data structure according to the second host key and the command code corresponding to the verification key command; and sending the data packet to the card reader.
For example, the second data key is: 0x23 0x0F 0x 0xA4 0x1F 0xCD 0x49 0x1D 0xB4 0xD2 0xEF 0x86 0x1A 0x9A 0x84 0xC5 0x81;
the third message authentication key: 0xE4 0x07 0xA0 0x89 0x35 0x96 0x7B 0xD3 0x33 0xD1 0x6E 0x98 0xA1 0xA4 0xF5 0x61;
the fourth message authentication key: 0xB7 0xAD 0x75 0xBB 0xF4 0x13 0xF5 0x5D 0x15 0x59 0x40 0x60 0xFF 0x94 0x86 0x5B;
the second host key: 0x38 0xDA 0x67 0xF1 0xD5 0x5A 0x14 0x06 0xD3 0xC5 0xB8 0x84 0x53 0x05 0x9B 0xCC;
the second card reader key: 0x64 0xBC 0xE0 0x2E 0xAB 0xF1 0x89 0xB5 0x8A 0x0D 0x86 0x8C 0x90 0x67 0x52 0xDF;
in this embodiment, optionally, when the command type is specifically an authentication key command, executing corresponding operations according to the command type specifically includes: acquiring a second host key from the sixth preset field, judging whether the second host key is the same as the first host key generated by the card reader, and if so, generating a first verification key according to the first message authentication key, the second message authentication key and the first host key, and organizing the first verification key and the reply code corresponding to the verification key command to obtain a response data packet conforming to the first data structure.
For example, the command code corresponding to the verification key command is 0x77;
the first verification key generated according to the first message authentication key, the second message authentication key and the first host key is: 0x39 0x97 0x2F 0x9F 0x3F 0x56 0x28 0x36 0x91 0x71 0x5F 0x27 0x48 0xAC 0x71 0x60;
the reply code corresponding to the verification key command is 0x78;
specifically, the second host key is generated by the host; further, after receiving the verification key command response data packet sent by the card reader, the host further performs: acquiring the first check key from the data packet, generating a second check key according to the third message authentication key, the fourth message authentication key and the second host key, judging whether the second check key is the same as the first check key, and storing the second check key if they are the same.
For example, the second check key generated according to the third message authentication key, the fourth message authentication key and the second host key is: 0x39 0x97 0x2F 0x9F 0x3F 0x56 0x28 0x36 0x91 0x71 0x5F 0x27 0x48 0xAC 0x71 0x60;
specifically, in this embodiment, after the card reader and the host generate the data key, the card reader and the host respectively store the same verification key, and hereinafter, the verification key in the card reader is used as the first verification key, and the verification key in the host is used as the second verification key; in the subsequent communication process, the host and the card reader can obtain a current verification key according to the verification key stored by the host and the card reader, encrypt and decrypt data according to the generated data key, and digest the encrypted data through the verification key to obtain a verification value so that a receiver can verify the data.
In this embodiment, the response data returned to the host by the card reader is a data packet conforming to the first data structure formula;
specifically, the first data structure format at least includes a data header, a first preset field, a data length field, a second preset field, a third preset field, and a fourth preset field, where the fourth preset field indicates a response code;
wherein the polling request response corresponds to the value 0x40;
the card reader device identification response corresponds to the value 0x45;
the card reader function response corresponds to the value 0x46;
the local status report response corresponds to the value 0x48;
the output/input status report responses correspond to the values 0x49/0x4A;
the card reader communication configuration response corresponds to the value 0x54;
the secure channel establishment response corresponds to the value 0x40;
the session key negotiation response corresponds to the value 0x76;
the authentication key response corresponds to the value 0x78;
the response code is specifically used for polling request response, card reader device information response, card reader function response, local status report response, card reader output/input status report response, tamper status report response, output control response, control card reader LED response, control buzzer response, card reader communication configuration response, secure channel establishment response, session key agreement response, authentication key response, scanning and sending biological identification data response, scanning and comparing biological identification data response, and setting the maximum byte response which can be received by the host.
Step 206, the card reader obtains a stored first verification key, a first message authentication key, a second message authentication key and a first data key, and obtains first encrypted data and a first encrypted data verification value in a fifth preset field in the data packet;
in this embodiment, the first encrypted data and the first encrypted data check value are generated by the host;
specifically, the host acquires the stored second check key, third message authentication key, fourth message authentication key and second data key; calculates the second check key according to a preset algorithm to obtain a fourth check key; encrypts the data to be encrypted, together with its length, according to the fourth check key and the second data key to obtain the first encrypted data; calculates the first encrypted data check value according to the second check key, the third message authentication key, the fourth message authentication key and the second data key; organizes the first encrypted data check value, the first encrypted data and the first encrypted data length to obtain a data packet conforming to the first data structure; and sends the data packet to the card reader;
for example, the stored first verification key is: 0x6A 0x92 0x87 0xB8;
the first message authentication key is: 0xE4 0x07 0xA0 0x89 0x35 0x96 0x7B 0xD3 0x33 0xD1 0x6E 0x98 0xA1 0xA4 0xF5 0x61;
the second message authentication key is: 0xB7 0xAD 0x75 0xBB 0xF4 0x13 0xF5 0x5D 0x15 0x59 0x40 0x60 0xFF 0x94 0x86 0x5B;
the first data key is: 0x23 0x0F 0x 0xA4 0x1F 0xCD 0x49 0x1D 0xB4 0xD2 0xEF 0x86 0x1A 0x9A 0x84 0xC5 0x81;
the first encrypted data is: 0xAD 0x23 0x6F 0x28 0xB6 0xE9 0x7B 0x97 0x47 0x0F 0xA2 0xC1 0x9A 0x96 0xC1 0x3C 0x08 0x27 0x1D 0x88 0xEF 0x4E 0xD6 0x98 0xE4 0x8F 0x4E 0x4C 0x6A 0x31 0x30 0x6B.
Step 207, the card reader calculates a first verification key, a first message authentication key, a second message authentication key, encrypted data and the length of the encrypted data according to a first preset algorithm to obtain a second encrypted data verification value;
for example, the encrypted data length is: 32 bytes;
the second encrypted data check value obtained by calculation is: 0x6A 0x92 0x87 0xB8.
Step 208, the card reader judges whether the second encrypted data check value is the same as the first encrypted data check value, if so, step 209 is executed, otherwise, step 201 is returned;
step 209, the card reader calculates the first verification key according to a second preset algorithm to obtain a third verification key, calculates the first encrypted data according to the third verification key, the first data key and the first encrypted data length to obtain plaintext data, and executes step 210;
for example, the plaintext data obtained by calculation is: 0x01 0x10 0xEA 0x5B 0x59 0x87 0x85 0x00 0xDB 0x73 0xAD 0x60 0xF9 0x9A 0xD5 0xB9 0x94 0x95 0x80 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00.
Step 210, the card reader determines a command type according to a fourth preset field in the data packet, executes corresponding operation according to the command type and the plaintext data to obtain first result data, and executes step 211;
step 211, the card reader takes the second encrypted data verification value as a fifth verification key, and calculates the fifth verification key according to a second preset algorithm to obtain a seventh verification key;
in this embodiment, the second preset algorithm specifically includes: performing inverse calculation;
for example, the fifth verification key is: 0x6A 0x92 0x87 0xB8;
the seventh verification key is: 0x3C 0xBA 0x41 0xE0.
Step 212, the card reader calculates the first result data and the length of the first result data according to the seventh verification key and the first data key to obtain second encrypted data;
step 213, the card reader calculates according to the fifth verification key, the third message authentication key, the fourth message authentication key, the second encrypted data and the second encrypted data length to obtain a third encrypted data verification value;
step 214, the card reader organizes the third encrypted data check value, the second encrypted data and the reply code corresponding to the operation command to obtain a data packet conforming to the first data structure, sends the data packet to the host, and returns to step 201.
In this embodiment, organizing the data packet conforming to the first data structure specifically includes: the card reader obtains the mark data and the data header; uses the address of the card reader as the first preset field; calculates the length value of the data packet and uses it as the data packet length field; uses the control field as the second preset field; uses the third encrypted data check value and the second encrypted data as the fifth preset field; calculates the data length of the fifth preset field and uses it as the safety data length field; uses the reply code corresponding to the operation command as the fourth preset field; calculates the check value of the data packet and uses it as the third preset field; and organizes the mark data, the data header, the first preset field, the data packet length field, the second preset field, the third preset field, the fourth preset field, the fifth preset field and the safety data length field in a preset manner to obtain the data packet conforming to the first data structure format;
optionally, organizing the mark data, the data header, the first preset field, the data packet length field, the second preset field, the third preset field, the fourth preset field, the fifth preset field and the safety data length field in a preset manner to obtain the data packet conforming to the first data structure format specifically includes: taking the mark data as the first byte, the data header as the second byte, the first preset field as the third byte, the high byte of the data length as the fourth byte, the low byte of the data length as the fifth byte, the second preset field as the sixth byte, the safety data length as the seventh byte, the safety data type as the eighth byte, the fifth preset field as the ninth byte and the fourth preset field as the tenth byte, setting the eleventh to sixteenth bytes to 0, and splicing the first to sixteenth bytes in sequence to obtain the data packet conforming to the first data structure format.
In this embodiment, specifically, after the host receives the data packet sent by the card reader, the method further includes: the host obtains the second encrypted data and the third encrypted data check value from the data packet; uses the stored first encrypted data check value as a sixth check key; obtains the third message authentication key, the fourth message authentication key and the second data key; calculates the sixth check key, the third message authentication key, the fourth message authentication key, the second encrypted data and the second encrypted data length according to the first preset algorithm to obtain a fourth encrypted data check value; judges whether the fourth encrypted data check value is the same as the third encrypted data check value; and if so, calculates the sixth check key according to the preset algorithm to obtain an eighth check key and calculates the second encrypted data according to the eighth check key, the second data key and the second encrypted data length to obtain plaintext data.
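Steps 206 to 214 on the card reader and the host-side check just described, played by both sides in code. This is an added example written for this page, not the patent's own code. The page does not name the algorithms, so the following are assumptions: AES-128 in CBC mode under the data key for encryption; as the first preset algorithm, a CBC-MAC over the ciphertext chained from the current verification key, using the first message authentication key for every block but the last and the second for the last; bitwise complement as the "inverse calculation" of the second preset algorithm that turns a check key into an IV; padding with 0x80 followed by zeros (the shape of the page's sample plaintext); and a 4-byte transmitted check value. The keys are constructed sample values, not the page's. What the example shows is the ordering the page prescribes: the check value is verified before anything is decrypted, the chaining state advances only on a packet that passed, and the reply is encrypted under the inverse of the check value just accepted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// invert is the assumed "inverse calculation" of the second preset algorithm: bitwise complement.
func invert(b []byte) []byte {
	out := make([]byte, len(b))
	for i, x := range b {
		out[i] = ^x
	}
	return out
}

// cbcMac is the assumed first preset algorithm: CBC-MAC chained from the verification key, mac1 for all blocks but the last, mac2 for the last.
func cbcMac(chain, mac1, mac2, ct []byte) []byte {
	x := append([]byte{}, chain...)
	for i := 0; i < len(ct); i += 16 {
		key := mac1
		if i+16 >= len(ct) {
			key = mac2
		}
		c, _ := aes.NewCipher(key) // keys are always 16 bytes here, so NewCipher cannot fail
		for j := range x {
			x[j] ^= ct[i+j]
		}
		c.Encrypt(x, x)
	}
	return x
}

// secureState is one side's view of the channel: chain holds the verification key and is replaced by each full check value sent or accepted.
type secureState struct{ dataKey, mac1, mac2, chain []byte }

// newState uses constructed sample keys (not the page's values); host and reader start identical.
func newState() *secureState {
	return &secureState{
		dataKey: bytes.Repeat([]byte{0x22}, 16), mac1: bytes.Repeat([]byte{0x33}, 16),
		mac2: bytes.Repeat([]byte{0x44}, 16), chain: bytes.Repeat([]byte{0x11}, 16),
	}
}

// protect pads (0x80 then zeros), encrypts in CBC with IV = invert(chain), returns ciphertext and 4-byte check value.
func (s *secureState) protect(plain []byte) (ct, check []byte) {
	padded := append(append([]byte{}, plain...), 0x80)
	for len(padded)%16 != 0 {
		padded = append(padded, 0x00)
	}
	blk, _ := aes.NewCipher(s.dataKey)
	ct = make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, invert(s.chain)).CryptBlocks(ct, padded)
	s.chain = cbcMac(s.chain, s.mac1, s.mac2, ct)
	return ct, s.chain[:4]
}

// open (steps 207 to 209): verify the check value before decrypting; advance the chain only on success.
func (s *secureState) open(ct, check []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%16 != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	full := cbcMac(s.chain, s.mac1, s.mac2, ct)
	if !bytes.Equal(full[:4], check) {
		return nil, errors.New("check value mismatch: packet rejected")
	}
	blk, _ := aes.NewCipher(s.dataKey)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, invert(s.chain)).CryptBlocks(pt, ct)
	i := len(pt) - 1
	for i > 0 && pt[i] == 0x00 {
		i--
	}
	if pt[i] != 0x80 {
		return nil, errors.New("bad padding")
	}
	s.chain = full
	return pt[:i], nil
}

// exchange runs one protected request and reply; the reply IV is the inverse of the check value just accepted.
func exchange(req, resp []byte) (gotReq, gotResp []byte, err error) {
	host, reader := newState(), newState()
	ct, chk := host.protect(req)
	if gotReq, err = reader.open(ct, chk); err != nil {
		return
	}
	ct, chk = reader.protect(resp)
	gotResp, err = host.open(ct, chk)
	return
}

func main() {
	req, resp, err := exchange([]byte("poll"), []byte("ack"))
	fmt.Printf("reader got %q, host got %q, err=%v\n", req, resp, err)
}
```

Because `open` leaves `chain` untouched on a mismatch, a corrupted or replayed packet does not desynchronise the two sides: the reader simply returns to waiting, as step 208 says, and the next genuine packet from the host still verifies against the unchanged state.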
According to the data encryption and decryption method and device, communication transmission is carried out between the card reader and the host through transmission of the data which accord with the preset data structural formula, encryption and decryption processing can be carried out on the data through the data key in the communication process, meanwhile, the encryption and decryption data are verified according to the verification key, the communication data can be effectively prevented from being monitored, stolen and tampered, and therefore the safety of data transmission is guaranteed.
Example 3
Based on the above technical solution of the data processing method provided by the present application, the present application correspondingly provides a schematic structural diagram of a data processing apparatus, as shown in fig. 4, a data processing apparatus 300 of the present application may include:
a receiving and analyzing module 301, configured to receive a data packet sent by a host and analyze the received data packet;
the judging module 302 is configured to judge whether a first preset field in the data packet is the same as an address of the card reader;
the checking module 303 is configured to determine a data packet checking mode according to a second preset field in the data packet, and check the data packet according to the data packet checking mode;
a first determining module 304, configured to determine whether the data packet includes security data according to a second preset field;
a processing module 305, configured to obtain first encrypted data and a first encrypted data check value according to a fifth preset field in the data packet, obtain a stored first check key, a stored first message authentication key, a stored second message authentication key and a stored first data key, calculate the first check key, the stored first message authentication key, the stored second message authentication key, the stored first encrypted data and the stored first data key according to a first preset algorithm to obtain a second encrypted data check value, determine whether the second encrypted data check value is the same as the first encrypted data check value, and if so, calculate the first check key according to a second preset algorithm to obtain a third check key, and calculate the first encrypted data according to the third check key, the stored first data key, the stored second message authentication key, the stored second encrypted data authentication key and the stored first encrypted data check value to obtain plaintext data;
a second determining module 306, configured to determine a command type according to a fourth preset field in the data packet, perform corresponding operation according to the command type and the plaintext data to obtain first result data, and return a response data packet conforming to the first data structure to the host;
a third determining module 307, configured to determine the command type according to the fourth preset field in the data packet, execute a corresponding operation according to the command type, and return a response data packet conforming to the first data structure to the host.
An embodiment of the present application provides an electronic device, including: a memory for storing non-transitory computer readable instructions; and a processor for executing the computer readable instructions such that the computer readable instructions, when executed by the processor, implement operations of a data processing method.
A computer-readable storage medium is provided for storing non-transitory computer-readable instructions that, when executed by a computer, cause the computer to perform operations of a data processing method.
The computer-readable storage medium provided in the present application is applicable to any embodiment of the data processing method, and is not described herein again.
The foregoing detailed description has provided a data processing method, apparatus and readable storage medium, and the present application has used specific examples to explain its principles and embodiments; the descriptions of the foregoing examples serve only to help understand the method and core ideas of the present application. Meanwhile, a person skilled in the art may, according to the idea of the present application, vary the specific embodiments and the application scope. In summary, the content of the present application should not be construed as a limitation of the present invention.