Abstract: The present application provides methods for downloading a key, a client, a password device, and a terminal device, in which, the client sends a request for downloading an initial key to a backend server, and receives a server identity certificate delivered by the backend server and forwards the server identity certificate to the password device. The client acquires a device identity ciphertext returned by the password device and sends the device identity ciphertext to the backend server. The client acquires a server identity ciphertext and an initial key ciphertext generated by the backend server, and sends the server identity ciphertext to the password device. After the password device successfully verifies an identity of the backend server, the client sends the initial key ciphertext to the password device.

Abstract: A key download method for a POS terminal, comprising: setting a device authentication key pair and a device encryption key pair in the POS terminal during a production or maintenance phase of the POS terminal; according to a remote authentication key pair set by a remote key server and the device authentication key pair of the POS terminal, the POS terminal and the remote key server authenticating each other; after the authentication succeeds, bounding a certificate of the remote key server to the POS terminal device; according to the device encryption key pair and a temporary transmission key, the POS terminal downloading the master key from the remote key server. The above method can download the master key through a network outside a security center, the security is high, the transportation cost can be saved, and the efficiency is high.

Abstract: Disclosed is a key downloading management method, comprising: a device end authorizing the validity of an RKS server by checking a digital signature of a work certificate public key of the RKS server, and the RKS server generating an authentication token (AT); encrypting by using an identity authentication secondary key DK2 of the device end, and sending the ciphertext to the device end; the device end decrypting the ciphertext by using the identity authentication secondary key DK2 saved thereby, encrypting the ciphertext by using the work certificate public key and then returning same to the RKS server; the RKS server decrypting same by using a work certificate private key thereof and then comparing whether the authentication token (AT) is the same as the generated authentication token (AT) or not, and if so, it is indicated that the device end is valid, thereby achieving bidirectional identity authentication.

Abstract: Disclosed is a key download and management method, comprising: a device end authenticating the validity of an RKS server by checking the digital signature of a public key of an operating certificate of the RKS server; the RKS server generating an authentication token (AT); after being encrypted with a device identity authentication public key of the device end, returning a ciphertext to the device end; after being decrypted by the device end with a device identity authentication private key thereof, encrypting the ciphertext with the public key of the operating certificate and then returning same to a key server; after being decrypted with a private key of the operating certificate, the key server contrasting whether the decrypted authentication token (AT) is the same as the generated authentication token (AT); and if so, indicating that the POS terminal of a device is valid, thereby realizing bidirectional identity authentication.

Abstract: Disclosed is a key downloading management method, comprising: a device end authorizing the validity of an RKS server by checking a digital signature of a work certificate public key of the RKS server, and the RKS server generating an authentication token (AT); encrypting by using an identity authentication secondary key DK2 of the device end, and sending the ciphertext to the device end; the device end decrypting the ciphertext by using the identity authentication secondary key DK2 saved thereby, encrypting the ciphertext by using the work certificate public key and then returning same to the RKS server; the RKS server decrypting same by using a work certificate private key thereof and then comparing whether the authentication token (AT) is the same as the generated authentication token (AT) or not, and if so, it is indicated that the device end is valid, thereby achieving bidirectional identity authentication.

Abstract: Disclosed is a key download and management method, comprising: a device end authenticating the validity of an RKS server by checking the digital signature of a public key of an operating certificate of the RKS server; the RKS server generating an authentication token (AT); after being encrypted with a device identity authentication public key of the device end, returning a ciphertext to the device end; after being decrypted by the device end with a device identity authentication private key thereof, encrypting the ciphertext with the public key of the operating certificate and then returning same to a key server; after being decrypted with a private key of the operating certificate, the key server contrasting whether the decrypted authentication token (AT) is the same as the generated authentication token (AT); and if so, indicating that the POS terminal of a device is valid, thereby realizing bidirectional identity authentication.