CN103731266A - Method and system for authenticating electronic certificate - Google Patents

Method and system for authenticating electronic certificate

Publication number: CN103731266A (granted version: CN103731266B)
Application number: CN201210385748.9A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 李岩, 罗幸福, 邵九洲
Assignee (original and current): BEIJING WEIPASS PANORAMA INFORMATION TECHNOLOGY Co Ltd
Legal status: granted, active
Prior art keywords: authentication, terminal, authentication data, message, user terminal
Classification areas: Mobile Radio Communication Systems; Telephonic Communication Services
Abstract

The invention relates to a method for authenticating an electronic certificate in a communication network. An authentication terminal generates first authentication data related to the electronic certificate of a user terminal; the first authentication data is digital-to-analog converted to produce a first audio signal, which is transmitted to the user terminal over an audio communication channel. The user terminal converts the first audio signal back into the first authentication data by analog-to-digital conversion and generates second authentication data from the first authentication data, an identifier of the user terminal and the electronic certificate; the second authentication data is transmitted to an authentication server. The authentication server authenticates the electronic certificate according to the first authentication data and the user terminal identifier contained in the second authentication data, generates an original authentication reply message, encrypts it according to an encryption algorithm and sends the encrypted authentication reply message to the user terminal.

Description

Method and system for authenticating an electronic certificate
Technical field
The present invention relates generally to the field of communications, and more particularly to a method and system for authenticating the electronic certificate of a terminal device in a communication network using audio signals.
Background art
The present era of communications has brought a tremendous expansion of wired and wireless networks. Machine-to-machine communication has become a field of technological innovation that attracts wide attention because of its growth potential. Because of its potential for connecting devices serving many different purposes, machine-to-machine communication also excites many users and developers; such purposes include electronic certificates, smart authentication, network authentication, smart homes, smart electricity meters, fleet management, telemedicine, access network operations management and many others.
Machine-to-machine communication typically involves connecting a device or group of devices to a remote server or computer system, where the connection enables remote authentication or remote reporting of information. In some cases it involves one or more terminal devices or other nodes collecting information that can be passed to a network or computing device via some form of gateway device. Near-field audio communication is now being applied in this field. A sound wave is inherently an analog signal and cannot directly be used to communicate with a smartphone or other digital device, but after suitable encoding and modulation a digital signal can be converted into an acoustic analog signal by a loudspeaker. The analog signal is sent as sound; the microphone of the receiving digital device picks up the sound wave carrying the analog signal and converts it back into a digital signal, thereby realising communication between different digital devices. Sound decays rapidly with distance: beyond a certain distance other devices can no longer receive it, so it is only effective at short range, which goes a long way toward securing short-range communication.
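The paragraph above describes the digital-to-sound-to-digital path in words only. The following Python block is an added example (not code from the patent or its assignee) that implements one concrete instance of it: binary frequency-shift keying of a byte string into audio samples, a simulated loudspeaker-to-microphone hop with attenuation, noise and ADC quantisation, and a tone-energy demodulator that recovers the bytes. The sample rate, baud rate and the two tone frequencies are assumptions chosen so that each bit period holds a whole number of cycles of either tone; the patent specifies no modulation scheme.

```python
import math
import random

# Constructed parameters for this example (the patent specifies none):
# 8 kHz sample rate, 100 baud, and two tones that fit 12 and 22 whole
# cycles into one bit period, so the tones are orthogonal over a bit.
SAMPLE_RATE = 8000
BAUD = 100
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD      # 80 samples per bit
TONE_0, TONE_1 = 1200.0, 2200.0


def modulate(data: bytes) -> list[float]:
    """Digital -> 'analog': continuous-phase binary FSK, MSB first."""
    samples, phase = [], 0.0
    for byte in data:
        for i in range(8):
            freq = TONE_1 if (byte >> (7 - i)) & 1 else TONE_0
            step = 2 * math.pi * freq / SAMPLE_RATE
            for _ in range(SAMPLES_PER_BIT):
                samples.append(math.sin(phase))
                phase += step
    return samples


def channel(samples, gain=0.1, noise=0.05, seed=1):
    """Loudspeaker -> air -> microphone -> ADC: attenuation, additive Gaussian
    noise, clipping and 16-bit quantisation. Seeded so the result is repeatable."""
    rng = random.Random(seed)
    out = []
    for s in samples:
        v = max(-1.0, min(1.0, gain * s + rng.gauss(0.0, noise)))
        out.append(round(v * 32767) / 32767)   # ADC quantisation step
    return out


def _tone_energy(chunk, freq):
    """Non-coherent detector: correlate one bit period with sin and cos of a tone."""
    re = im = 0.0
    for n, s in enumerate(chunk):
        ang = 2 * math.pi * freq * n / SAMPLE_RATE
        re += s * math.cos(ang)
        im += s * math.sin(ang)
    return re * re + im * im


def demodulate(samples) -> bytes:
    """'Analog' -> digital: each bit is decided by which tone carries more energy."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        chunk = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if _tone_energy(chunk, TONE_1) > _tone_energy(chunk, TONE_0) else 0)
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def roundtrip(data: bytes) -> bytes:
    """Send bytes through modulator, simulated acoustic channel and demodulator."""
    return demodulate(channel(modulate(data)))


if __name__ == "__main__":
    payload = b"first authentication data"   # constructed sample payload
    print(roundtrip(payload) == payload)
```

Because each bit window holds an integer number of cycles of both tones, the wrong tone correlates to zero and the decision margin depends only on the received amplitude against the noise; a real modem would add a preamble for bit-timing recovery and a checksum, neither of which the patent text discusses.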
Because of the wide coverage that cellular communication systems now provide, machine-to-machine applications can communicate using a cellular system together with a remote authentication system. A typical endpoint device in a machine-to-machine system is a device operating on a relatively small battery with relatively low transmit power. By interfacing with a nearby mobile terminal that can connect to the cellular system, the endpoint device can run at low power and use the mobile terminal as a mobile Internet access gateway, for example via cellular network access, to deliver information to a remote computing or storage device. Although in these cases the connection between the gateway and the access point is clearly provided by cellular network resources, the connection between the mobile terminal acting as gateway and the endpoint is more typically short-range communication. Hence, for some machine-to-machine communications in the past, short-range communication was needed between the mobile terminal and the endpoint device, and each of the two devices accessed the mobile Internet separately via cellular communication, so the endpoint device was typically not a small battery-operated device but a more powerful machine.
Therefore, there is a need in the prior art to use near-field audio communication technology to achieve single-gateway access while retaining the original functionality.
Summary of the invention
According to one aspect of the present invention, a method is provided for authenticating an electronic certificate in a communication network, wherein the communication network comprises a user terminal, an authentication server and an authentication terminal, and the method comprises: the authentication terminal generates first authentication data related to the electronic certificate of the user terminal; the first authentication data is digital-to-analog converted to generate a first audio signal; the first audio signal is sent to the user terminal via an audio communication channel; the user terminal converts the first audio signal into the first authentication data by analog-to-digital conversion and generates second authentication data based on the first authentication data, the identifier of the user terminal and the electronic certificate; the second authentication data is sent to the authentication server; and the authentication server authenticates the electronic certificate according to the first authentication data and the user terminal identifier in the second authentication data, generates an original authentication reply message indicating authentication success or authentication failure, encrypts the original authentication reply message according to an encryption algorithm and sends the encrypted authentication reply message to the user terminal.
According to another aspect of the present invention, a system is provided for authenticating an electronic certificate in a communication network, the system comprising: an authentication terminal, which generates first authentication data related to the electronic certificate of the user terminal, digital-to-analog converts the first authentication data to generate a first audio signal and sends the first audio signal to the user terminal via an audio communication channel; a user terminal, which converts the first audio signal into the first authentication data by analog-to-digital conversion, generates second authentication data based on the first authentication data, the identifier of the user terminal and the electronic certificate, and sends the second authentication data to the authentication server; and an authentication server, which authenticates the electronic certificate according to the first authentication data and the user terminal identifier in the second authentication data, generates an original authentication reply message indicating authentication success or authentication failure, encrypts the original authentication reply message according to an encryption algorithm and sends the encrypted authentication reply message to the user terminal.
Preferably, the first authentication data comprises the identifier of the authentication terminal and dynamic information related to the authentication. Preferably, the dynamic information related to the authentication comprises at least one of: licence information of the authentication terminal, state information of the authentication terminal and class information of the authentication terminal.
Preferably, before the first authentication data is digital-to-analog converted, it is encrypted with the 3DES algorithm; and after the user terminal converts the first audio signal into the first authentication data by analog-to-digital conversion, the first authentication data is decrypted with the 3DES algorithm.
Preferably, the user terminal digital-to-analog converts the encrypted authentication reply message into a second audio signal and sends the second audio signal to the authentication terminal; the authentication terminal analog-to-digital converts the received second audio signal back into the encrypted authentication reply message, decrypts it to obtain the original authentication reply message, and presents the original authentication reply message to the user through an output device. Preferably, the output device is a display, loudspeaker, indicator or printer, and presenting the original authentication reply message to the user specifically means: showing the content of the original authentication reply message on the display, playing its content as sound through the loudspeaker, indicating the authentication state corresponding to the message by means of an indicator lamp, or printing its content on the printer.
Preferably, the authentication terminal keeps the same time as the authentication server, encrypts that time according to an encryption algorithm to generate a time encryption factor, and adds the time encryption factor to the first authentication data. Preferably, the authentication terminal and the authentication server keep their times consistent by periodic synchronisation over wireless communication; and/or the authentication terminal and the authentication server determine whether their times are consistent by means of the time encryption factor.
Brief description of the drawings
Having described the invention in general terms, reference is now made to the accompanying drawings, which are not necessarily drawn to scale, in which:
Fig. 1 is a schematic diagram of a communication system according to an example embodiment of the present invention;
Fig. 2 is a schematic diagram of an authentication terminal according to an example embodiment of the present invention;
Fig. 3 is a schematic diagram of an authentication terminal according to another example embodiment of the present invention;
Fig. 4 is a schematic diagram of an authentication terminal according to yet another example embodiment of the present invention;
Fig. 5 is a flow chart of an authentication method according to an example embodiment of the present invention;
Fig. 6 is a flow chart of a method of generating an electronic certificate according to an example embodiment of the present invention; and
Fig. 7 is a flow chart of an authentication method according to another example embodiment of the present invention.
Detailed description of the embodiments
Embodiments of the present invention will now be described more fully with reference to the accompanying drawings, in which some, but not all, embodiments of the invention are shown. Indeed, the invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth here; rather, these embodiments are provided so that this disclosure satisfies applicable legal requirements. Like reference numerals refer to like elements throughout. The terms "data", "content", "information" and similar terms are used interchangeably to refer to data that is sent, received and/or stored in accordance with embodiments of the present invention; the use of any such term should therefore not be taken to limit the spirit and scope of the embodiments.
In addition, as used herein, the term "circuitry" refers to (a) hardware-only circuit implementations (for example implementations in analog and/or digital circuitry); (b) combinations of circuits and computer program product(s) comprising software and/or firmware instructions stored on one or more computer-readable memories that work together to perform one or more functions described herein; and (c) circuits, such as a microprocessor or a portion of a microprocessor, that require software or firmware for operation even if the software or firmware is not physically present. This definition of "circuitry" applies to all uses of the term herein, including in any claims. As a further example, the term "circuitry" also includes an implementation comprising one or more processors and/or portions thereof together with accompanying software and/or firmware. As another example, the term "circuitry" as used herein also includes, for example, a baseband integrated circuit or application processor integrated circuit for a mobile phone, or a similar integrated circuit in a server, a cellular network device, another network device and/or another computing device.
As defined herein, a "computer-readable storage medium", which refers to a physical storage medium (for example a volatile or non-volatile memory device), may be differentiated from a "computer-readable transmission medium", which refers to an electromagnetic signal.
As indicated above, a mobile terminal serving as the gateway device in a machine-to-machine (M2M) communication system is conventionally required to use two different radios, especially when it is used together with an M2M system comprising relatively low-power (for example low transmit power) sensors or a sensor network. Some embodiments of the present invention may provide a mechanism by which an access point can assign specific wireless network resources to the sensor or sensor network, so that two radios are not needed. In some cases, in a wireless network using cellular network resources, the cellular access point may allocate specific cellular network resources for communication between one or more endpoint machines (for example sensors), the access point and the gateway device. For example, the access point may allocate cellular downlink channel resources for downlink communication from the access point to the machine and to the gateway device (or repeater), and between the gateway device and the machine. Communication from the machine to the access point may then be routed through the gateway device, which relays it via cellular uplink resources.
Fig. 1 is a schematic diagram of a communication system according to an example embodiment of the present invention. As shown in Fig. 1, the communication system comprises an authentication server, an authentication terminal and a user terminal. Preferably, the authentication server authenticates the user terminal according to authentication data received from the user terminal. The authentication may be authentication of the user terminal's electronic certificate (for example authentication of a user's access to a website) or authentication of an application running on the user terminal (for example whether the user terminal has access rights to a certain application). Preferably, the authentication terminal brings about the authentication of the user terminal by sending authentication-related data to the user terminal; the authentication terminal may be, for example, an electronic seal or a point-of-sale (POS) terminal. Preferably, the user terminal may be any type of device capable of running and storing applications, for example a personal digital assistant (PDA), smartphone, tablet computer, wireless telephone, mobile computing device, camera, video recorder, audio/video player, positioning device (for example a Global Positioning System (GPS) device), gaming device, wireless device, or various other similar devices or combinations thereof.
According to a preferred embodiment of the present invention, divided by function and/or hardware configuration, the authentication terminal may comprise: a clock unit, a wireless communication unit, a time encryption unit, an audio output unit, an audio input unit, an output device, an encryption/decryption unit, a storage unit, a conversion unit and a modem module. The clock unit generates the internal clock of the authentication terminal and keeps the terminal's current time by that clock. Preferably, the wireless communication unit comprises a transmitter and a receiver, or a transceiver, for sending and receiving signals; it sends the authentication terminal's current time to the authentication server and receives the server's current time from the server, thereby synchronising time between the authentication terminal and the authentication server. Preferably, the time encryption unit encrypts the authentication terminal's current time according to an encryption algorithm to generate a time encryption factor and adds the time encryption factor to the first authentication data, so that when the authentication server receives the first authentication data (contained in the second authentication data) it can decrypt the time encryption factor to obtain the authentication terminal's current time and thereby verify the timeliness of the authentication. Preferably, the first authentication data may comprise: the identifier of the authentication terminal, the dynamic information related to the authentication, and/or the time encryption factor. The identifier of the authentication terminal may be its device ID or hardware identifier, and it is globally unique. Preferably, the dynamic information related to the authentication comprises at least one of: licence information of the authentication terminal, state information of the authentication terminal and class information of the authentication terminal. Preferably, the licence information may comprise licence information (for example licence scope, licence level) for the electronic certificate of the provider represented by the authentication terminal. Preferably, the state information may comprise the state of the related service or authorisation offered by the provider (for example expired or not yet expired) and the identity of the authenticating party, such as its ID (for example the provider's ID in an e-commerce system). Preferably, the class information comprises the level of the related service provided, the authority level and the like. Preferably, the storage unit stores the identifier of the authentication terminal and the dynamic information related to the authentication; it may be volatile or non-volatile memory, for example random access memory or read-only memory.
Preferably, the encryption/decryption unit encrypts the first authentication data described above using the 3DES algorithm, the Triple Data Encryption Algorithm (TDEA) block cipher. Triple DES, also called 3DES, is a mode of the DES encryption algorithm that encrypts the data three times using three 56-bit keys. The Data Encryption Standard (DES) is a long-standing United States encryption standard using symmetric-key cryptography, standardised by ANSI as ANSI X3.92. DES uses a 56-bit key and a block-cipher method in which the text is divided into 64-bit blocks that are then encrypted. Compared with the original DES, 3DES is more secure (although NIST has since deprecated 3DES itself for new applications). Preferably, the conversion unit digital-to-analog converts the encrypted first authentication data to generate the first audio signal, and analog-to-digital converts the second audio signal to recover the corresponding digital signal (for example the encrypted authentication reply). Preferably, the audio output unit outputs the first audio signal to the user terminal and the audio input unit receives the second audio signal from the user terminal; the audio input unit may be a microphone and the audio output unit a loudspeaker.
According to a preferred embodiment of the present invention, an output device is also included, which presents the original authentication reply message to the user. Preferably, the output device is a display, loudspeaker, indicator or printer, and presenting the original authentication reply message to the user specifically means: showing the content of the message on the display, playing its content as sound through the loudspeaker, indicating the authentication state corresponding to the message by means of an indicator lamp, or printing its content on the printer. Preferably, the display can show authentication success or failure, for example the user terminal identifier, the electronic certificate and the authentication result (success or failure). Preferably, the loudspeaker can announce authentication success or failure, for example by playing the user terminal identifier, the electronic certificate and the authentication result (success or failure) as sound. Preferably, the indicator can indicate authentication success or failure, for example red for authentication failure, green for authentication success and yellow for no reply. Preferably, the printer can print the indication of authentication success or failure, for example the user terminal identifier, the electronic certificate and the authentication result (success or failure). Preferably, a modem module is also included for modulating and demodulating signals.
According to a preferred embodiment of the present invention, divided by function and/or hardware configuration, the user terminal may comprise: a wireless communication unit, an audio output unit, an audio input unit, an encryption/decryption unit, a storage unit, a conversion unit and a modem module. Preferably, the wireless communication unit comprises a transmitter and a receiver, or a transceiver, for sending and receiving signals; it sends the second authentication data to the authentication server over a wireless communication channel and receives the encrypted authentication reply message or the original authentication reply message from the authentication server over a wireless communication channel. Preferably, the second authentication data comprises the first authentication data, the identifier of the user terminal and the electronic certificate (for example a card number), and the authentication reply message indicates authentication success or authentication failure. Preferably, the encryption/decryption unit decrypts the encrypted first authentication data recovered from the first audio signal. Preferably, the storage unit stores the identifier of the user terminal and the electronic certificate; the electronic certificate is, for example, one issued by a website's server, a bank server or a third-party server. Preferably, the conversion unit converts the first audio signal into the first authentication data and converts the encrypted authentication reply message, or the original authentication reply message, indicating authentication success or failure into the second audio signal. Preferably, the audio input unit receives the first audio signal from the authentication terminal and the audio output unit sends the second audio signal to the authentication terminal; the audio input unit may be a microphone and the audio output unit a loudspeaker. Preferably, a modem module is also included for modulating and demodulating signals.
According to a preferred embodiment of the present invention, the authentication server comprises an authentication unit, a wireless communication unit and a clock unit. Preferably, the clock unit generates the internal clock of the authentication server and keeps the server's current time by that clock. Preferably, the authentication server periodically synchronises its clock with the authentication terminal, specifically: the authentication terminal periodically sends its internal clock to the authentication server through the wireless communication unit, and the authentication server determines from that clock value and the transmission delay whether the authentication terminal's internal clock is synchronised with its own. Preferably, the internal clock of the authentication server may be a GPS clock or a crystal-oscillator clock. Preferably, the wireless communication unit is used for clock synchronisation with the authentication terminal and for data exchange with the user terminal.
Preferably, the authentication unit authenticates the user terminal's electronic certificate according to the second authentication data sent by the user terminal, for example according to the first authentication data contained in the second authentication data and the identifier of the user terminal. Preferably, the first authentication data further comprises the identifier of the authentication terminal, the dynamic information related to the authentication and/or the time encryption factor; that is, the authentication unit authenticates the electronic certificate according to the identifier of the authentication terminal, the dynamic information related to the authentication, the time encryption factor and the identifier of the user terminal. Preferably, the identifier of the authentication terminal identifies the authentication terminal and the authorising party of the electronic certificate. Preferably, the dynamic information related to the authentication comprises information about the authenticating party, such as merchant information and the type and kind of the electronic certificate. Preferably, the time encryption factor identifies the time of the authentication terminal and prevents the use of a copied or expired electronic certificate. Preferably, the identifier of the user terminal is, for example, the device ID of the user terminal: a mobile phone acting as user terminal has its own unique device code, and the uniqueness of a device can be defined using its Media Access Control (MAC) address and International Mobile Equipment Identity (IMEI). Preferably, an installation identifier may also be defined for each installation of the application. In addition, the user's registration information can be bound to the mobile phone, generating a unique user identifier (UID) for the user, and the user can be bound to their mobile phone number by an SMS verification code, ensuring that the user identity is genuinely unique. Preferably, the electronic certificate corresponding to the user account is stored on a cloud server and cached locally on the phone; the electronic certificate corresponding to the user identity is downloaded and updated to the phone over the phone's data connection.
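The exchange set out in the summary (first authentication data from the authentication terminal, second authentication data from the user terminal, encrypted reply from the server) and the server-side checks just described (terminal identifier, time encryption factor, user terminal identifier bound to the certificate) are modelled end to end in the following Python block. It is an added example, not code from the patent or its assignee. Because the Python standard library ships no 3DES, the block uses a stand-in cipher built from an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC) wherever the patent says "3DES" or "encryption algorithm"; swapping in a library 3DES or AES-GCM call changes only `encrypt`/`decrypt`. The key names, the 60-second time window, the registered-terminal and certificate tables, and the replay guard on already-seen time factors are all assumptions introduced here; the audio hop between the two terminals is left out.

```python
import hashlib
import hmac
import json
import os

# Constructed keys for this example (the patent does not describe key provisioning).
TERMINAL_KEY = b"k1: auth terminal <-> user terminal"   # patent: 3DES key for the first data
TIME_KEY = b"k2: auth terminal <-> server"              # protects the time encryption factor
REPLY_KEY = b"k3: server <-> user terminal"             # protects the authentication reply
TIME_WINDOW_S = 60   # assumed tolerance for clock skew plus transit delay


def _keystream(key, nonce, length):
    """PRF keystream: HMAC-SHA256(key, nonce || counter) blocks, CTR-style."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Stand-in for the patent's 3DES: keystream XOR, then an HMAC tag over
    nonce || ciphertext (encrypt-then-MAC). Output: nonce || ct || tag."""
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]


def decrypt(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class AuthTerminal:
    """E-seal / POS terminal: builds the encrypted first authentication data
    (the bytes the conversion unit would hand to the DAC)."""

    def __init__(self, terminal_id, licence, state, level):
        self.terminal_id, self.licence, self.state, self.level = terminal_id, licence, state, level

    def first_auth_data(self, now):
        time_factor = encrypt(TIME_KEY, str(int(now)).encode())   # readable only by the server
        first = {"terminal_id": self.terminal_id,
                 "dynamic": {"licence": self.licence, "state": self.state, "level": self.level},
                 "time_factor": time_factor.hex()}
        return encrypt(TERMINAL_KEY, json.dumps(first).encode())


class UserTerminal:
    """Smartphone holding its device identifier and the cached electronic certificate."""

    def __init__(self, device_id, certificate):
        self.device_id, self.certificate = device_id, certificate

    def second_auth_data(self, first_blob):
        first = json.loads(decrypt(TERMINAL_KEY, first_blob))   # after ADC and decryption
        return {"first": first, "user_terminal_id": self.device_id, "certificate": self.certificate}

    def read_reply(self, reply_blob):
        return json.loads(decrypt(REPLY_KEY, reply_blob))


class AuthServer:
    def __init__(self, terminals, certificates):
        self.terminals = terminals        # terminal_id -> registered state
        self.certificates = certificates  # certificate number -> (bound device_id, expiry epoch)
        self.seen_factors = set()         # added guard: a factor is accepted once inside the window

    def authenticate(self, second, now):
        reason = self._check(second, now)
        reply = {"user_terminal_id": second.get("user_terminal_id"),
                 "certificate": second.get("certificate"),
                 "result": "success" if reason is None else "failure", "reason": reason}
        return encrypt(REPLY_KEY, json.dumps(reply).encode())

    def _check(self, second, now):
        first = second.get("first", {})
        tid, factor = first.get("terminal_id"), first.get("time_factor", "")
        if self.terminals.get(tid) != "active":
            return "unknown or inactive authentication terminal"
        try:
            issued = int(decrypt(TIME_KEY, bytes.fromhex(factor)))
        except ValueError:
            return "bad time factor"
        if abs(now - issued) > TIME_WINDOW_S:
            return "time factor outside window (expired or clocks not synchronised)"
        if (tid, factor) in self.seen_factors:
            return "time factor already used"
        self.seen_factors.add((tid, factor))
        record = self.certificates.get(second.get("certificate"))
        if record is None:
            return "unknown certificate"
        bound_device, expiry = record
        if bound_device != second.get("user_terminal_id"):
            return "certificate not bound to this user terminal"
        if now > expiry:
            return "certificate expired"
        return None


def demo_server():
    """Constructed registration data: one active and one revoked terminal, one certificate."""
    return AuthServer({"POS-0001": "active", "POS-0002": "revoked"},
                      {"CERT-1001": ("IMEI-3579", 1_800_000_000)})


def run_flow(now, device="IMEI-3579", cert="CERT-1001", terminal_now=None,
             server=None, first_blob=None):
    """One full exchange; returns the decrypted reply as the user terminal sees it."""
    server = server or demo_server()
    if first_blob is None:
        terminal = AuthTerminal("POS-0001", "retail", "active", 2)
        first_blob = terminal.first_auth_data(now if terminal_now is None else terminal_now)
    user = UserTerminal(device, cert)
    return user.read_reply(server.authenticate(user.second_auth_data(first_blob), now))
```

The window check alone only bounds how stale a time factor may be; the seen-factor set is what stops the same captured first authentication data from being replayed within that window, which is the kind of check a server implementing the "prevents copied or expired certificates" claim needs. Note also that the terminal's licence/state fields travel inside the encrypted first data but are not trusted: the server decides from its own registration table.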
Fig. 2 shows a circuit diagram of an authentication terminal according to an example embodiment of the present invention. Preferably, the authentication terminal shown in Fig. 2 is an electronic seal (E-seal). The E-seal comprises: an MCU (single-chip microcontroller), an audio codec with built-in power amplifier, an ISO 7816 controller IC, a PSAM card, a loudspeaker, a microphone (MIC), a backup battery, an RTC controller, a 32.768 kHz crystal, a main battery, and a battery conversion and charging circuit. Preferably, the MCU controls the E-seal as a whole. The audio codec with built-in power amplifier converts analogue audio signals into digital signals and digital signals into analogue audio signals, and performs volume control, noise reduction, echo suppression and amplification of the input and output analogue audio signals. Preferably, the ISO 7816 controller IC establishes the communication interface between the MCU and the PSAM card. Preferably, the PSAM (Purchase Secure Access Module) card is a cryptographic IC chip used in terminal equipment such as merchant POS terminals, network terminals and direct-connection terminals, and is responsible for the security control of the device. Preferably, it supports multiple applications on one card, with the applications isolated from one another (multi-application firewall function). It supports multiple file types, including binary files, fixed-length record files, variable-length record files, cyclic files and purse files. During communication it supports multiple security mechanisms (confidentiality and integrity protection of information). It supports multiple secure access modes and permissions (authentication functions and password protection). It supports the single DES and triple DES algorithms approved by the People's Bank of China. It supports a multi-level key dispersal (key diversification) mechanism and generates the MAC1 and the verification MAC2 defined in the China Financial Integrated Circuit (IC) Card Specification. This module can be used to perform identity verification at a financial security level.
Preferably, the loudspeaker outputs audio signals and the microphone receives audio signals. Preferably, the main battery supplies power to the E-seal, delivering it to the MCU through the power conversion circuit. Preferably, the charging circuit charges the main battery, thereby guaranteeing the main battery's power supply. Preferably, a backup battery is also provided to power the RTC controller. Preferably, the RTC controller provides real-time clock control for the E-seal, so that the E-seal keeps its internal time. Preferably, the 32.768 kHz crystal generates the basic clock pulses from which the RTC controller drives the real-time clock.
Fig. 3 shows a circuit diagram of an authentication terminal according to another example embodiment of the present invention. The authentication terminal shown in Fig. 3 is an authentication terminal machine (for example, a POS machine used for authentication). It has the same components as the authentication terminal of Fig. 2; for simplicity and clarity, only the components that differ from those of Fig. 2 are described. Preferably, the adapter performs the interface conversion between an external power source (for example, mains AC) and the input of the power conversion unit.
Fig. 4 shows a schematic diagram of an authentication terminal according to yet another example embodiment of the present invention. The authentication terminal shown in Fig. 4 is an authentication terminal machine (for example, a POS machine used for authentication). It has the same components as the authentication terminal of Fig. 2; for simplicity and clarity, only the components that differ from those of Fig. 2 are described. Preferably, the NFC module and antenna implement near-field communication. Preferably, a charging circuit and an MT35 battery compartment are reserved for charging the authentication terminal; however, because the device is used in a fixed position and only needs an external power supply, the charging circuit and battery are not fitted by default. Preferably, the LCD display shows the authentication state, for example authentication in progress, authentication succeeded or authentication failed. Preferably, the character library converts digital signals into user-readable characters and may be, for example, Unicode or GB2312. Preferably, the thermal print head prints the authentication information relating to the user onto thermal paper and outputs it to the user.
Fig. 5 shows a flow chart of an authentication method according to an example embodiment of the present invention. Preferably, the method is applicable to authenticating an electronic certificate in a communication network, where the communication network comprises a user terminal, an authentication server and an authentication terminal. The method starts at step 500.
Preferably, at step 501, the authentication terminal generates first authentication data relating to the electronic certificate of the user terminal, performs digital-to-analogue conversion on the first authentication data to generate a first audio signal, and sends the first audio signal to the user terminal via an audio communication channel. Preferably, before step 501, the method further comprises: the user terminal converts the electronic certificate into an audio signal by digital-to-analogue conversion and sends that audio signal to the authentication terminal over the audio communication channel; the authentication terminal receives the audio signal and converts it back into the electronic certificate by analogue-to-digital conversion. Preferably, the first authentication data comprises the identifier of the authentication terminal and dynamic information relating to the authentication.
Preferably, the dynamic information relating to the authentication comprises at least one of: licence information of the authentication terminal, state information of the authentication terminal, and class information of the authentication terminal. Preferably, the licence information of the authentication terminal may comprise the licence information of the electronic certificate of the provider (represented by the authentication terminal), for example the permitted range and the degree of the licence. Preferably, the state information of the authentication terminal may comprise the state of the related service or authorisation offered by the provider (for example, expired or not yet expired) and the identity of the authenticating party, such as the authenticating party's ID, for example the provider's ID in an e-commerce setting. Preferably, the class information of the authentication terminal comprises the rank of the related service provided, the permission level, and the like.
Preferably, before the digital-to-analogue conversion of the first authentication data, the method further comprises encrypting the first authentication data with the 3DES algorithm. Correspondingly, in the part of step 501 that performs digital-to-analogue conversion on the first authentication data to generate the first audio signal, the first authentication data involved is the encrypted first authentication data. Preferably, when generating the first authentication data, the authentication terminal encrypts the current time according to a cryptographic algorithm to produce a time encryption factor, and adds the time encryption factor to the first authentication data. Preferably, the authentication terminal and the authentication server use the time encryption factor to determine whether their times agree. Preferably, when the authentication server receives the first authentication data (contained in the second authentication data), it can decrypt the time encryption factor to obtain the current time of the authentication terminal and thereby verify the timeliness of the authentication.
Preferably, at step 502, the user terminal converts the first audio signal back into the first authentication data by analogue-to-digital conversion, and generates second authentication data based on the first authentication data, the identifier of the user terminal and the electronic certificate. The second authentication data therefore comprises: the (encrypted or unencrypted) first authentication data, the identifier of the user terminal, and the electronic certificate. Preferably, at step 503, the second authentication data is sent to the authentication server. Preferably, the second authentication data is sent to the authentication server over a wireless channel.
Preferably, at step 504, the authentication server authenticates the electronic certificate according to the first authentication data contained in the second authentication data and the identifier of the user terminal, generates an original authentication reply message indicating authentication success or authentication failure, encrypts the original authentication reply message according to a cryptographic algorithm, and sends the encrypted authentication reply message to the user terminal. Preferably, the user terminal converts the encrypted authentication reply message into a second audio signal by digital-to-analogue conversion and sends the second audio signal to the authentication terminal; the authentication terminal performs analogue-to-digital conversion on the received second audio signal to recover the encrypted authentication reply message, decrypts it to obtain the original authentication reply message, and provides the original authentication reply message to the user through an output device. Preferably, the output device is a display, a loudspeaker, an indicator or a printer, and providing the original authentication reply message to the user through the output device specifically means: showing the content of the original authentication reply message on the display, outputting the content of the original authentication reply message as sound through the loudspeaker, indicating the authentication state corresponding to the original authentication reply message by means of indicator lights, or printing the content of the original authentication reply message with the printer. The method then ends at step 505.
According to a preferred embodiment of the present invention, the authentication terminal keeps the same time as the authentication server. Preferably, the authentication terminal and the authentication server synchronise their time regularly over wireless communication so as to keep their times consistent. The authentication server regularly synchronises its clock with the authentication terminal, specifically: the authentication terminal periodically sends its internal clock to the authentication server through its wireless communication unit, and the authentication server determines, from that internal clock and the transmission delay, whether the internal clock of the authentication terminal is synchronised with its own. Preferably, the internal clock of the authentication server may be a GPS clock, a circuit clock or an oscillator clock.
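The exchange of steps 501 to 504, with the time encryption factor and the clock-consistency check of the two preceding paragraphs, as an added example in Python; this is not code from the patent or from the applicant. It assumes: a per-terminal key derived from a server master key and the terminal identifier (the key dispersal the PSAM description mentions, with HMAC-SHA256 as the derivation), the terminal identifier sent in clear ahead of the encrypted data so the server can select the key, a 60-second skew tolerance, a certificate database that records the user terminal identifier and provider each certificate was bound to, and an HMAC-SHA256 keystream with an appended tag standing in for 3DES because the Python standard library ships no 3DES. The class and function names, the key, the identifiers and the certificate string are constructed for the example.

```python
"""Added example (not the patent's own code): the Fig. 5 exchange modelled end to end,
authentication terminal -> user terminal -> authentication server -> user terminal ->
authentication terminal, with the time encryption factor checked on both ends.
Transport (audio channel, wireless channel) is reduced to Python calls."""
import hashlib
import hmac
import json
import os
import struct
import time

# Stand-in for the patent's 3DES step. ASSUMPTION: the standard library has no 3DES,
# so an HMAC-SHA256 keystream (CTR-style) with an appended HMAC tag is used instead;
# a deployment would use the PSAM's 3DES keys. Layout: nonce(12) | ciphertext | tag(16).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        raise ValueError("ciphertext altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def terminal_key(master: bytes, terminal_id: str) -> bytes:
    """Key dispersal: the per-terminal key is derived from a master key and the
    terminal identifier (the derivation function itself is an assumption)."""
    return hmac.new(master, terminal_id.encode(), hashlib.sha256).digest()


MAX_CLOCK_SKEW = 60  # seconds; ASSUMPTION for the server's timeliness check


class AuthTerminal:
    def __init__(self, terminal_id: str, provider_id: str, key: bytes, clock=time.time):
        self.terminal_id, self.provider_id, self.key, self.clock = terminal_id, provider_id, key, clock
        self.last_time_factor = None

    def first_auth_data(self) -> bytes:
        """Step 501: terminal identifier + dynamic information + time factor, encrypted.
        ASSUMPTION: the terminal id travels in clear so the server can re-derive the key."""
        self.last_time_factor = int(self.clock())
        body = {"provider_id": self.provider_id, "license": "coupon-redeem",
                "state": "valid", "level": 1, "time": self.last_time_factor}
        return self.terminal_id.encode() + b"|" + encrypt(self.key, json.dumps(body).encode())

    def accept_reply(self, encrypted_reply: bytes) -> dict:
        """Decrypt the reply (recovered from the second audio signal) and, as claim 8
        describes, check that the time factor the server echoes is the one just sent."""
        reply = json.loads(decrypt(self.key, encrypted_reply))
        if reply["result"] == "success" and reply["time"] != self.last_time_factor:
            return {"result": "failure", "reason": "reply does not belong to this authentication"}
        return reply


class UserTerminal:
    def __init__(self, user_id: str, certificate: str):
        self.user_id, self.certificate = user_id, certificate

    def second_auth_data(self, first_data: bytes) -> dict:
        """Step 502: forward the (still encrypted) first data, add identifier and certificate."""
        return {"first": first_data.hex(), "user_id": self.user_id, "cert": self.certificate}


class AuthServer:
    def __init__(self, master: bytes, cert_db: dict, clock=time.time):
        # cert_db maps certificate -> (user terminal id, provider id) it was bound to
        self.master, self.cert_db, self.clock = master, cert_db, clock

    def authenticate(self, second: dict) -> bytes:
        """Step 504: decrypt, check timeliness and binding, return an encrypted reply."""
        term_id, _, blob = bytes.fromhex(second["first"]).partition(b"|")
        key = terminal_key(self.master, term_id.decode())
        try:
            first = json.loads(decrypt(key, blob))
            if abs(self.clock() - first["time"]) > MAX_CLOCK_SKEW:
                raise ValueError("time factor outside tolerance")
            if self.cert_db.get(second["cert"]) != (second["user_id"], first["provider_id"]):
                raise ValueError("certificate not bound to this user terminal and provider")
            reply = {"result": "success", "time": first["time"]}
        except (ValueError, KeyError) as exc:
            reply = {"result": "failure", "reason": str(exc), "time": None}
        return encrypt(key, json.dumps(reply).encode())


def run_exchange(terminal: AuthTerminal, user: UserTerminal, server: AuthServer) -> dict:
    first = terminal.first_auth_data()        # carried by the first audio signal
    second = user.second_auth_data(first)     # carried over the wireless channel
    reply = server.authenticate(second)       # encrypted reply back to the user terminal
    return terminal.accept_reply(reply)       # carried by the second audio signal
```

Two properties the method relies on are visible here: a reply captured from one authentication cannot be reused for another because the terminal compares the echoed time factor with the one it sent, and a certificate presented from a different user terminal fails because the server checks the binding rather than the certificate string alone. Swapping in real 3DES only changes encrypt and decrypt; 3DES by itself gives no integrity protection, so a separate MAC (the PSAM's MAC1 and MAC2 in the patent's setting) remains necessary, and the skew tolerance has to be wide enough to cover the synchronisation interval and transmission delay the preceding paragraph describes.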
According to another preferred embodiment of the present invention, an authentication terminal and a user terminal that communicate by audio usually have the following basic characteristics: 1) a sample rate of 44.1 kHz (the most common sample rate, supported by most authentication terminals and user terminals); 2) a carrier frequency of 17.6 kHz (a frequency that humans can barely hear); 3) half-duplex bidirectional communication.
Preferably, the flow by which the authentication terminal sends an audio signal (sound-emitting communication) is: 1) encode the device identifier of the authentication terminal, the provider identifier and a timestamp; 2) encrypt the encoded data with 3DES; 3) compute the hash value of the encrypted data and keep a copy; 4) prepend a packet header and flag data to the encrypted data and append check data to form a packet; 5) apply 2ASK (binary amplitude-shift keying) modulation to the packet to obtain audio waveform samples; 6) emit the sound.
Preferably, the flow by which the user terminal receives the audio signal (receiving audio communication) is: 1) filter the audio waveform samples; 2) 2ASK demodulation; 3) check the packet header and the flag; 4) verify the check data; 5) compute the hash value of the packet and keep a copy; 6) decode the data and add the user terminal identifier and the electronic certificate to form an authentication data packet; 7) encrypt the authentication data packet and upload it to the authentication server.
Preferably, the flow by which the user terminal sends an audio signal (sending audio communication) is: 1) the user terminal receives the response packet from the authentication server; 2) decrypt it; 3) prepend the packet header and the saved hash to the data and append check data to form a packet; 4) apply 2ASK modulation to the packet to obtain audio waveform samples; 5) emit the sound.
Preferably, the flow by which the authentication terminal receives the audio signal (receiving audio communication) is: 1) filter the audio waveform samples; 2) 2ASK demodulation; 3) check that the packet header is correct and that the hash matches the saved hash; 4) verify the check data; 5) 3DES decryption; 6) determine whether the packet is a valid response packet for this authentication; 7) decode the packet to obtain the authentication server's result for this authentication; 8) show the authentication result on the display (or output it with the printer).
Fig. 6 shows a flow chart of a method of generating an electronic certificate according to an example embodiment of the present invention. Step 601: the authentication terminal provides an electronic certificate to the user terminal, and the sound-wave verification device sends a confirmation instruction and a key. Step 602: the application on the user terminal receives the instruction by sound wave and sends the identifier of the user terminal and the identifier of the authentication terminal to the server over the mobile Internet. Step 603: the electronic certificate identity verification system decrypts the provider's device key, confirms the provider's identity and at the same time confirms the user's identity. Step 604: the electronic certificate content verification system binds the provider's electronic certificate to the identifier of the user terminal, and the electronic certificate is generated.
Fig. 7 shows a flow chart of an authentication method according to yet another example embodiment of the present invention. Step 701: the application on the user terminal updates the electronic certificate and sends it to the authentication terminal via the server. Step 702: the authentication terminal, located near the user terminal, transmits its authentication terminal identifier and authentication terminal key by sound wave from the sound-wave verification device. Step 703: the application on the user terminal receives the authentication terminal identifier and the authentication terminal key and sends them to the server. Step 704: the electronic certificate identity verification system decrypts the key and confirms the identities of the authentication terminal and the user terminal. Step 705: the electronic certificate content verification system checks whether this user terminal holds corresponding rights at this authentication terminal and whether the content of the electronic certificate matches; a matching electronic certificate is verified successfully. Step 706: the server returns data to the user terminal application, which displays the change in the electronic certificate content. Step 707: the application returns the success information to the sound-wave verification device, which confirms the verification-success signal and prints out the related data.
In light of the teachings presented in the foregoing description and the associated drawings, a person of ordinary skill in the field to which the present invention pertains will recognise many modifications and other embodiments of the invention set forth herein. Therefore, it is to be understood that the embodiments of the present invention are not limited to the specific embodiments disclosed, and that modifications and other embodiments are intended to be included within the scope of the appended claims. Moreover, although the foregoing description and the associated drawings describe illustrative embodiments in the context of certain example combinations of elements and/or functions, it should be understood that different combinations of elements and/or functions may be provided by alternative embodiments without departing from the scope of the appended claims. In this regard, for example, combinations of elements and/or functions other than those explicitly described above are also contemplated, as may be set forth in some of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims (16)

1. A method for authenticating an electronic certificate in a communication network, wherein the communication network comprises a user terminal, an authentication server and an authentication terminal, the method comprising:
the authentication terminal generating first authentication data relating to the electronic certificate of the user terminal;
performing digital-to-analogue conversion on the first authentication data to generate a first audio signal;
sending the first audio signal to the user terminal via an audio communication channel;
the user terminal converting the first audio signal into the first authentication data by analogue-to-digital conversion, and generating second authentication data based on the first authentication data, the identifier of the user terminal and the electronic certificate;
sending the second authentication data to the authentication server; and
the authentication server authenticating the electronic certificate according to the first authentication data in the second authentication data and the identifier of the user terminal, generating an original authentication reply message indicating authentication success or authentication failure, encrypting the original authentication reply message according to a cryptographic algorithm, and sending the encrypted authentication reply message to the user terminal.
2. The method according to claim 1, wherein the first authentication data comprises: the identifier of the authentication terminal and dynamic information relating to the authentication.
3. The method according to claim 2, wherein the dynamic information relating to the authentication comprises at least one of: licence information of the authentication terminal, state information of the authentication terminal, and class information of the authentication terminal.
4. The method according to claim 1, further comprising: before performing digital-to-analogue conversion on the first authentication data, encrypting the first authentication data with the 3DES algorithm; and, after the user terminal converts the first audio signal into the first authentication data by analogue-to-digital conversion, decrypting the first authentication data according to the 3DES algorithm.
5. The method according to claim 1, wherein the user terminal converts the encrypted authentication reply message into a second audio signal by digital-to-analogue conversion and sends the second audio signal to the authentication terminal; the authentication terminal performs analogue-to-digital conversion on the received second audio signal to recover the encrypted authentication reply message, decrypts the encrypted authentication reply message to generate the original authentication reply message, and provides the original authentication reply message to the user through an output device.
6. The method according to claim 5, wherein the output device is a display, a loudspeaker, an indicator or a printer, and providing the original authentication reply message to the user through the output device specifically comprises: showing the content of the original authentication reply message on the display, outputting the content of the original authentication reply message as sound through the loudspeaker, indicating the authentication state corresponding to the original authentication reply message by means of indicator lights, or printing the content of the original authentication reply message with the printer.
7. The method according to any one of claims 1 to 6, further comprising: the authentication terminal keeping the same time as the authentication server, and the authentication terminal encrypting the time according to a cryptographic algorithm to generate a time encryption factor and adding the time encryption factor to the first authentication data.
8. The method according to claim 7, wherein the authentication terminal and the authentication server synchronise their time regularly over wireless communication so as to keep their times consistent; and/or the authentication terminal and the authentication server determine whether their times are consistent by means of the time encryption factor.
9. A system for authenticating an electronic certificate in a communication network, the system comprising:
an authentication terminal, which generates first authentication data relating to the electronic certificate of a user terminal, performs digital-to-analogue conversion on the first authentication data to generate a first audio signal, and sends the first audio signal to the user terminal via an audio communication channel;
a user terminal, which converts the first audio signal into the first authentication data by analogue-to-digital conversion, generates second authentication data based on the first authentication data, the identifier of the user terminal and the electronic certificate, and sends the second authentication data to an authentication server; and
an authentication server, which authenticates the electronic certificate according to the first authentication data in the second authentication data and the identifier of the user terminal, generates an original authentication reply message indicating authentication success or authentication failure, encrypts the original authentication reply message according to a cryptographic algorithm, and sends the encrypted authentication reply message to the user terminal.
10. The system according to claim 9, wherein the first authentication data comprises: the identifier of the authentication terminal and dynamic information relating to the authentication.
11. The system according to claim 10, wherein the dynamic information relating to the authentication comprises at least one of: licence information of the authentication terminal, state information of the authentication terminal, and class information of the authentication terminal.
12. The system according to claim 9, wherein the authentication terminal further encrypts the first authentication data with the 3DES algorithm, and the user terminal decrypts the first authentication data according to the 3DES algorithm.
13. The system according to claim 9, wherein the user terminal converts the encrypted authentication reply message into a second audio signal by digital-to-analogue conversion and sends the second audio signal to the authentication terminal; the authentication terminal performs analogue-to-digital conversion on the received second audio signal to recover the encrypted authentication reply message, decrypts the encrypted authentication reply message to generate the original authentication reply message, and provides the original authentication reply message to the user through an output device.
14. The system according to claim 13, wherein the output device is a display, a loudspeaker, an indicator or a printer, and providing the original authentication reply message to the user through the output device specifically comprises: showing the content of the original authentication reply message on the display, outputting the content of the original authentication reply message as sound through the loudspeaker, indicating the authentication state corresponding to the original authentication reply message by means of indicator lights, or printing the content of the original authentication reply message with the printer.
15. The system according to any one of claims 9 to 14, wherein the authentication terminal further keeps the same time as the authentication server, encrypts the time according to a cryptographic algorithm to generate a time encryption factor, and adds the time encryption factor to the first authentication data.
16. The system according to claim 15, wherein the authentication terminal and the authentication server synchronise their time regularly over wireless communication so as to keep their times consistent; and/or the authentication terminal and the authentication server determine whether their times are consistent by means of the time encryption factor.
CN201210385748.9A 2012-10-12 2012-10-12 Method and system for authenticating electronic certificate Active CN103731266B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210385748.9A CN103731266B (en) 2012-10-12 2012-10-12 Method and system for authenticating electronic certificate

Publications (2)

Publication Number Publication Date
CN103731266A true CN103731266A (en) 2014-04-16
CN103731266B CN103731266B (en) 2017-05-10

Family

ID=50455201

Country Status (1)

Country Link
CN (1) CN103731266B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant