CN104063650A - Secret key storage device and application method thereof - Google Patents


Info

Publication number: CN104063650A (granted as CN104063650B)
Application number: CN201410254187.8A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 韩晟, 王盈
Original assignee: 韩晟
Current assignee: Beijing Shidun Technology Co., Ltd.
Related applications: PCT/CN2014/082518 (WO2015188424A1); US14/902,396 (US20170085561A1)
Legal status: Granted; Expired - Fee Related

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage


Abstract

The invention discloses a key storage device and a method of using it, intended to improve the security of key storage and key use and thereby the security of the authentication process. The key storage device comprises a security module, a computing module and a key interaction module. The security module stores the key used to verify a user's identity; the computing module generates authentication information when identity verification is required, and this authentication information at least comprises processed seed information obtained by processing seed information with the key stored in the security module, where the seed information is any information a computer system can process; the key interaction module exchanges the authentication information with an external device.

Description

Key storage device and method of using the same
Technical field
The present invention relates to the field of information security technology, and in particular to a key storage device and a method of using it.
Background technology
With the rapid development of Internet technology, and of mobile Internet technology in particular, more and more Internet applications are provided over the Internet. When a user accesses such applications, for example e-mail, instant messaging or websites, the provider of each application usually needs to verify the user's identity at login in order to secure the user's access.
At present the most common authentication methods include passwords, keys and certificates. A password is usually made up of upper- and lower-case letters, digits and symbols that can be typed; a key is usually a file or character string generated by a specific algorithm; a certificate is likewise a special file issued by a particular organization. All of these methods are the same in essence: the party's identity is verified by a unique piece of data that only that party knows or holds, and this data can collectively be called a key. In Internet applications with higher security requirements, such as online banking and online payment, other auxiliary authentication means are also commonly used, including mobile phone verification codes, RSA SecurID two-factor authentication tokens and smart cards.
In existing identity verification technology, password length is limited: a password that is too short or too simple is easily cracked, while one that is too long or too complex is hard to remember. Moreover, a password typed on a keyboard is easily stolen by malicious code on the terminal device, which lowers the security of authentication.
If a mobile phone verification code is used as an auxiliary means, a smartphone is easily implanted with malicious code that can intercept the verification code issued by the network side, so the security of authentication still cannot be guaranteed. Smart cards are limited by their hardware, hard to popularize and not very versatile. The RSA SecurID two-factor token is widely used in important information systems worldwide, but because it verifies with a 6-digit number it is only suitable for use as a verification code and cannot serve as the user name and main password for identity verification. Furthermore, this method can only be used in isolation within a single information system and cannot be shared across systems, so a user usually has to hold several different SecurID tokens.
It can be seen that how to improve the security of the authentication process has become one of the technical problems urgently needing to be solved in the prior art.
Summary of the invention
Embodiments of the present invention provide a key storage device and a method of using it, for improving the security of key storage and use and thereby the security of the authentication process.
An embodiment of the present invention provides a key storage device comprising:
a security module for storing a key, the key being used to verify a user's identity;
a computing module for generating authentication information when identity verification is required, the authentication information at least comprising processed seed information obtained by processing seed information with the key stored in the security module, the seed information being any information a computer system can process; and
a key interaction module for exchanging the authentication information with an external device.
An embodiment of the present invention provides a method of using the above key storage device, comprising:
the computing module generating authentication information when identity verification is required, the authentication information at least comprising processed seed information obtained by processing seed information with the key stored in the security module, the seed information being any information a computer system can process; and
the key interaction module, after the computing module has generated the authentication information, exchanging the authentication information with an external device.
With the key storage device and method provided by embodiments of the present invention, authentication information is generated when identity verification is required; it at least comprises the processed seed information obtained after the computing module processes seed information with the key stored in the security module, and the key interaction module provides the generated authentication information to an external device for identity verification. Because the authentication information is generated in real time by processing seed information with the key stored in the device and is then supplied to the external device performing verification, the user does not need to remember a user name and password or type them on a keyboard. This simplifies the user's operation and avoids the problem of the password being stolen while it is typed. On the other hand, the authentication information is generated from processed seed information, so its complexity can be far higher than that of a password a human can remember, and it is unique and non-repeating, so even if it is intercepted in transit it cannot be reused or forged. The security of password storage and use is thereby improved, and with it the security of authentication.
Other features and advantages of the invention will be set forth in the following description, will partly become apparent from the description, or will be understood by practising the invention. The objects and other advantages of the invention can be realized and obtained by the structures particularly pointed out in the written description, claims and accompanying drawings.
Brief description of the drawings
The accompanying drawings described here are provided for a further understanding of the invention and form a part of it; the schematic embodiments of the invention and their description are used to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic structural diagram of the key storage device in an embodiment of the present invention;
Fig. 2 is a schematic flow chart of the method of using the key storage device in an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the first application system of the key storage device in an embodiment of the present invention;
Fig. 4 is a schematic flow chart of the method of use based on the first application system in an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of the second application system of the key storage device in an embodiment of the present invention;
Fig. 6 is a schematic flow chart of the method of use based on the second application system in an embodiment of the present invention.
Embodiment
In order to improve the security of key storage and use, and thereby the security of the authentication process, embodiments of the present invention provide a key storage device and a method of using it.
Preferred embodiments of the present invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here are only for describing and explaining the invention and are not intended to limit it, and that, where there is no conflict, the embodiments and the features in the embodiments may be combined with one another.
Embodiment 1
Fig. 1 is a schematic structural diagram of the key storage device provided by an embodiment of the present invention, comprising:
Security module 11, for storing a key, the key being used to verify a user's identity.
Computing module 12, for generating authentication information when identity verification is required.
The authentication information generated by the computing module 12 at least comprises processed seed information obtained by processing seed information with the key stored in the security module 11. The seed information is any information a computer system can process, for example known fixed information (such as a name or a fixed number), a random number, a time, a digest or a counter; anything that can be processed with the key will do, and the invention does not limit this. Preferably, in a specific implementation, the seed information may be the current time of the key storage device.
Key interaction module 13, for exchanging the authentication information with an external device.
In a specific implementation the key interaction module 13 may comprise a display sub-module 131 and/or a communication sub-module 132, where:
Display sub-module 131 may be used to display the authentication information generated by the computing module 12, and the external device may perform identity verification by obtaining the displayed authentication information. Preferably, the authentication information displayed by the display sub-module 131 may be a graphic code, which may be a one-dimensional code (bar code) or a two-dimensional code; two-dimensional codes include standard QR codes and non-standard two-dimensional codes (that is, variants such as circular or colour two-dimensional codes), and the invention does not limit this. In this way the external device can obtain the authentication information by scanning what the display sub-module 131 shows.
Communication sub-module 132 may be used to establish a communication connection with the external device and to transmit the authentication information generated by the computing module 12 to the external device over that connection. Preferably, the communication sub-module 132 may establish the connection with the external device in, but not limited to, any of the following ways: earphone interface, Bluetooth, infrared, NFC (near-field communication), WiFi (Wireless Fidelity), USB (universal serial bus) or OTG (data transmission interface).
In a specific implementation, the computing module 12 may process the seed information with the key stored in the security module 11 by, but not limited to, the following methods: encrypting or signing the seed information with the stored key, or performing a hash operation on it to obtain the corresponding hash value. Specifically, the computing module 12 may encrypt the seed information with the key stored in the security module 11 to obtain the ciphertext corresponding to the seed information; or it may sign the seed information with that key to obtain signed seed information; or it may perform a hash operation on the seed information to obtain the corresponding hash value.
Based on the same inventive concept, an embodiment of the present invention also provides a method of using the key storage device. Since the principle by which the method solves the problem is similar to that of the key storage device, the implementation of the method may refer to that of the device, and repeated parts are not described again.
Embodiment 2
Based on the key storage device described above, an embodiment of the present invention also provides a corresponding method of use which, as shown in Fig. 2, may comprise the following steps:
S21: the computing module generates authentication information when identity verification is required.
The authentication information at least comprises processed seed information obtained by processing seed information with the key stored in the security module, the seed information being any information a computer system can process.
S22: after the computing module has generated the authentication information, the key interaction module exchanges it with an external device.
In a specific implementation, in step S22 the key interaction module may exchange the authentication information with the external device in either of the following ways:
Mode 1: the display sub-module of the key interaction module displays the authentication information generated by the computing module.
Mode 2: the communication sub-module of the key interaction module establishes a communication connection with the external device and transmits the authentication information generated by the computing module to the external device over that connection.
In a specific implementation, the key storage device provided by embodiments of the present invention can be applied to the following three application scenarios that require identity verification, corresponding to three different embodiments, which are described in turn below.
Embodiment 3
First embodiment
Fig. 3 is a schematic structural diagram of the first application system of the key storage device provided by an embodiment of the present invention. It comprises a key storage device and an authentication server, where:
the key storage device generates user identity verification information when identity verification is required, the user identity verification information at least comprising processed seed information obtained by processing seed information with the stored key;
the authentication server receives an authentication request sent by a terminal device, the request carrying processed seed information that the terminal device obtained from the user identity verification information produced by the key storage device; looks up, among the keys it stores, the key corresponding to the key stored in the key storage device; uses the key found to restore and/or verify the processed seed information; and determines from the restoration or verification result whether identity verification passes.
For ease of explanation, take the case where the seed information is the current time of the key storage device. The authentication server may then determine that identity verification passes when the interval between the restored current time of the key storage device and its own current time is within a preset time interval; it may also determine that identity verification passes when verification of the key storage device's current time succeeds.
Preferably, the authentication information generated by the key storage device may be, but is not limited to, a graphic code. When identity verification is required, the key storage device may generate the graphic code as follows: the computing module processes the seed information with the key pre-stored in the security module to obtain processed seed information, then generates a graphic code from the processed seed information (the ciphertext, signed seed information or hash value obtained above) and displays it through the display sub-module. The terminal device can thus obtain the processed seed information contained in the graphic code by scanning the display sub-module. The terminal device carries the processed seed information in an authentication request sent to the authentication server on the network side; the authentication server looks up among its stored keys the key corresponding to the one stored in the key storage device, uses it to restore and/or verify the processed seed information, and determines from the restoration or verification result whether identity verification passes.
Preferably, in a specific implementation, the authentication system provided by an embodiment of the present invention may use either a symmetric key encryption system or an asymmetric key encryption system. With a symmetric system, the key stored in the security module is identical to the key stored in the authentication server. With an asymmetric system, a random public/private key pair may be generated for each key storage device; the security module of the key storage device stores the private key and the authentication server stores the public key. Compared with a symmetric mechanism, an asymmetric mechanism further improves the security of the authentication system: in this case, even if the authentication server is compromised, an attacker still cannot forge a user's login.
Specifically, when asymmetric key technology is used: if the key storage device signs the seed information with the private key, the public key stored in the authentication server can verify the signed seed information; if the key storage device encrypts the seed information with the private key, the public key stored in the authentication server can decrypt the encrypted seed information to obtain the seed information. When symmetric key technology is used: if the key storage device signs the seed information with the stored key, the key stored in the authentication server can verify the signed seed information; if the key storage device encrypts the seed information with the stored key, the key stored in the authentication server can either decrypt the encrypted seed information and then verify the recovered seed information, or verify the ciphertext directly without restoring it; if the key storage device applies a hash algorithm to the seed information to obtain a hash value, the authentication server can verify the hash value obtained.
Taking the seed information to be the current time of the key storage device as an example: if the interval between the restored current time of the key storage device and the current time of the authentication server is within the preset time interval (which may be set to a very short interval), identity verification is determined to pass, otherwise it is determined to fail; or, when verification of the key storage device's current time succeeds, identity verification is determined to pass, otherwise it is determined to fail.
In the above method, after receiving the terminal device's authentication request, the authentication server has to find, among all the keys it stores, the key corresponding to the one stored in the key storage device, and use it to restore and/or verify the processed seed information. Specifically, the authentication server may try each of its stored keys in turn until one restores and/or verifies the processed seed information.
Preferably, to improve the efficiency with which the authentication server restores and/or verifies the processed seed information, the authentication information generated by the key storage device may in an embodiment of the present invention also comprise the device identification of the key storage device. The terminal device can then obtain this device identification from the authentication information and send it to the authentication server in the authentication request together with the processed seed information, and the authentication server can look up the key corresponding to that device identification directly in its pre-stored mapping from device identifications to keys, and use it as the key corresponding to the one stored in the key storage device.
Embodiment 4
For a better understanding of the embodiments of the present invention, the specific implementation process is described below with reference to the information exchange flow during identity verification. For ease of explanation, the example of a user accessing online banking is used. The flow for a user logging in to online banking, as shown in Fig. 4, may comprise the following steps:
S41: the key storage device generates and displays a two-dimensional code for verifying the user's identity.
In a specific implementation, the user may access online banking in either of the following two ways:
Mode 1
The user accesses online banking from the same terminal device that obtains the user identity verification information; for example, the user accesses online banking on a mobile phone and uses the same phone to obtain the user identity verification information generated by the key storage device. In this case the online banking login page the user accesses needs to provide an application programming interface that encapsulates the authentication method provided by the embodiment of the present invention, and when the user needs to log in, identity verification of the user is triggered by calling this interface.
Mode 2
The user accesses online banking from a terminal device other than the one that obtains the user identity verification information; for example, the user accesses online banking on a computer and uses his or her own mobile phone to obtain the user identity verification information generated by the key storage device. In this case the online banking login page needs to embed a verification program that encapsulates the authentication method provided by the embodiment of the present invention and show it on the login page in the form of a graphic code (which may be, but is not limited to, a two-dimensional code); when the user needs to log in, scanning this two-dimensional code directly triggers identity verification of the user.
After identity verification of the user has been triggered, the user generates user identity verification information by operating his or her own key storage device (which the bank may issue to the user when the user registers a bank account); the specific method may refer to the description in Embodiment 1 above and is not repeated here.
Preferably, to avoid the risk arising from a user losing the key storage device, the key storage device in an embodiment of the present invention may also identify the user before generating user identity verification information, for example by fingerprint or by a password set in advance by the user; this is not limited here. Correspondingly, the key storage device may also comprise a numeric keypad or a fingerprint acquisition device.
S42: the terminal device scans the two-dimensional code generated by the key storage device and obtains the processed current time information and the device identification of the key storage device.
In a specific implementation, for Mode 1 the terminal device can directly call an authentication application implemented according to the authentication method of the embodiment of the present invention to scan the user identity verification information generated by the key storage device. For Mode 2 the user opens, on his or her own initiative, the authentication application installed on the terminal device and implemented according to the authentication method of the embodiment of the present invention, and scans the user identity verification information generated by the key storage device.
S43: the terminal device sends an authentication request to the authentication server on the network side.
The authentication request carries the processed seed information obtained and the device identification of the key storage device. In addition, the terminal device also needs to carry in the authentication request the application identification or application name of the Internet application the user is accessing, together with a globally unique identification of this Internet application. This unique identification is a globally unique code that does not repeat across different Internet applications, different terminal devices or different times. Preferably it may be, but is not limited to, a UUID (Universally Unique Identifier) or a GUID (Globally Unique Identifier), or of course an identification unique in global scope realized with a similar technique; for convenience of description the UUID is used as the example below.
If the user accesses the Internet application in Mode 1 above, the terminal device can directly obtain the application identification or application name of the Internet application currently being accessed and its corresponding UUID, and send them to the authentication server together. If the user accesses the Internet application in Mode 2 above, the graphic code generated and shown on the login page contains the application identification or application name of the Internet application and the UUID corresponding to it; the terminal device obtains these by scanning that graphic code and sends them to the authentication server together with the processed seed information obtained from the two-dimensional code generated by the key storage device and the device identification of the key storage device.
In a specific implementation, the terminal device may send the authentication request to the authentication server on the network side over a wired network, a wireless network, a mobile communication network, and so on.
S44: the authentication server looks up the corresponding key according to the device identification carried in the authentication request.
S45: the authentication server uses the key found to restore and/or verify the processed current time information.
S46: the authentication server performs identity verification.
In a specific implementation, taking the case where the key storage device encrypts the current time as an example, the authentication server compares the restored current time of the key storage device with its own current time; if the interval does not exceed the preset time interval it determines that verification passes, otherwise it determines that verification fails.
S47: the authentication server sends the verification result to the application server that provides the Internet application.
In a specific implementation, the authentication server delivers the verification result, according to the application identification or application name carried in the authentication request, to the application server corresponding to that identification or name, and carries in the result sent the UUID of the Internet application the user is currently accessing.
S48: the application server sends an allow/deny access response message to the terminal device.
In a specific implementation, the application server determines from the UUID the terminal device and application program through which the user is accessing the Internet application, and sends an allow/deny access response message to that terminal device according to the verification result.
In existing security systems that employ encryption mechanisms, the security of asymmetric key encryption technology has been fully proved in theory and is widely used. Its main drawback, however, is that the key is too long for a human to remember and enter directly, so the user usually has to store the key in a computer file or hardware device and import it when needed; this carries a risk of key leakage and is very inconvenient to use. In the embodiment of the present invention, by contrast, a graphic code, being a convenient machine-readable technology, can be used to represent the ciphertext, and is easily recognized, transmitted and then decrypted. This solves the problem in existing asymmetric key encryption mechanisms that the key is too long to be used directly. In addition, the embodiment of the present invention uses separate hardware to generate the graphic code, which prevents the private key from being stolen, copied or tampered with; being physically isolated from the Internet application the user uses, it fundamentally removes the possibility of hacker attack and provides high security. Further, when the asymmetric key mechanism is used in the embodiment of the present invention, the private key is stored in the security module of the verification information generating device and the public key in the authentication server, so even if the authentication server is attacked and all public keys are leaked, an attacker still cannot forge any user's identity verification, and no threat arises. Finally, because the key is long and strong enough, the device identification of the verification information generating device (which may be its unique serial number) can be used directly as the user name, and the ciphertext or signed information generated from the seed information at each authentication can be used as the password, giving a different password for every use; the complexity of this password is far higher than that of passwords ordinarily set by humans, and both security and convenience are greatly improved.
The second embodiment
Figure 5 is a schematic structural diagram of the second application system of the key storage device provided by the embodiment of the invention. The system comprises a key storage device, an authentication server and a terminal device, wherein:
The terminal device is configured to establish a communication connection with the verification information generating device when identity verification is required to access an internet application; to exchange, over that connection, the authentication information generated by the verification information generating device; and to send an authentication request carrying the authentication information to the authentication server. The verification information generating device is configured to generate the authentication information and to exchange it with the terminal device over the established connection; the authentication information at least comprises processed seed information obtained by processing seed information with a stored first key, the seed information being any information that a computer system can process. The authentication server is configured, after receiving the authentication request, to recover and/or verify the processed seed information contained in the authentication information using a second key that it stores and that corresponds to the first key, and to determine from the recovery or verification result whether identity verification passes.
In a specific implementation, when a user needs identity verification to access an internet application, establishment of the communication connection between the terminal device and the verification information generating device can be triggered. Preferably, in the embodiment of the invention the connection may be established by, but is not limited to, any of the following: headphone interface, Bluetooth, infrared, NFC (near-field communication), WIFI (Wireless Fidelity), USB (universal serial bus) or OTG (data transmission interface).
In a specific implementation, once the connection is established, the verification information generating device can exchange the authentication information it generates with the terminal device over that connection. Either the terminal device actively reads the authentication information from the verification information generating device, or the device actively sends the authentication information it generated to the terminal device; the embodiment of the invention does not restrict this. The authentication information generated by the device at least comprises the processed seed information obtained by processing the seed information with the first key stored in the device.
For ease of explanation, the seed information is taken to be the current time of the verification information generating device. The authentication server can then determine that identity verification passes when the interval between the recovered current time of the device and the server's own current time is within a preset time interval, or when the current time of the device is verified successfully.
When identity verification is required, the verification information generating device may generate the authentication information as follows:
The computing module processes the seed information using the key pre-stored in the security module (the first key) to obtain processed seed information. Specifically, the computing module may encrypt the seed information with the stored key to obtain the corresponding ciphertext; it may sign the seed information with the stored key to obtain signed seed information; or it may hash the seed information to obtain the corresponding hash value.
The communication sub-module carries the processed seed information obtained by the computing module in the authentication information and sends it to the terminal device; alternatively, the terminal device actively obtains from the communication sub-module the authentication information containing the processed seed information. The terminal device carries the processed seed information in an authentication request sent to the authentication server on the network side. Among the keys it stores, the authentication server looks up the key corresponding to the key stored in this verification information generating device (the second key), uses the key found to recover and/or verify the processed seed information, and determines from the recovery or verification result whether identity verification passes.
Preferably, the interactive authentication system provided by the embodiment may use either a symmetric-key encryption system or an asymmetric-key encryption system. With a symmetric system, the key stored in the security module of the verification information generating device is identical to the key stored on the authentication server. With an asymmetric system, a random public/private key pair may be generated for each verification information generating device; the device's security module stores the private key and the authentication server stores the public key. Compared with the symmetric mechanism, the asymmetric mechanism further improves the security of the authentication system: even if the authentication server is compromised, an attacker cannot forge a user's login.
In a specific implementation using asymmetric-key encryption, if the verification information generating device signs the seed information with its private key, the public key stored on the authentication server is used to verify the signed seed information; if the device encrypts the seed information with its private key, the public key is used to decrypt the encrypted seed information and obtain the seed information. Using symmetric-key encryption, if the device signs the seed information with the stored key, the key stored on the authentication server verifies the signed seed information; if the device encrypts the seed information with the stored key, the server's key can either decrypt the encrypted seed information and then verify the recovered seed information, or verify the ciphertext directly without recovering it; if the device hashes the seed information with a hash algorithm, the authentication server verifies the resulting hash value.
Taking the seed information as the current time of the verification information generating device: if the interval between the recovered current time of the device and the current time of the authentication server is within the preset time interval (which may be set to a very short interval), identity verification is determined to pass, otherwise it is determined to fail; or, if the current time of the device is verified successfully, identity verification is determined to pass, otherwise it is determined to fail.
In the above method, after receiving the authentication request from the terminal device, the authentication server must find, among all the keys it stores, the key corresponding to the key stored in the verification information generating device, and use it to recover and/or verify the processed seed information. Specifically, the authentication server may try each stored key in turn until one of them recovers and/or verifies the processed seed information.
Preferably, to make the authentication server's recovery and/or verification of the processed seed information more efficient, the verification information generating device may also include its own device identifier in the authentication information it generates. The terminal device then obtains the device identifier from the received authentication information and sends it, together with the processed seed information, in the authentication request to the authentication server; the authentication server looks up the key corresponding to that device identifier directly in its pre-stored mapping between device identifiers and keys, and uses it as the key corresponding to the key stored in the verification information generating device.
In a specific implementation, before sending the authentication request, the terminal device may also obtain the application identifier of the internet application the user accesses and carry it in the authentication request sent to the authentication server, so that the authentication server, having obtained the authentication result, can notify the application server corresponding to that application identifier. Specifically, the authentication server looks up the application server identifier corresponding to the application identifier in its pre-stored mapping between application identifiers and application server identifiers, and sends the authentication result to the application server corresponding to the identifier found.
In a specific implementation, since the user may access the internet application either from the terminal device that performs the identity verification or from another terminal device, the terminal device in the embodiment may obtain the application identifier of the internet application in either of the following two ways:
Mode one: if the user accesses the internet application from the terminal device that performs the identity verification, the terminal device can obtain the application identifier by calling an interface provided by the internet application. Mode two: if the user accesses the internet application from another terminal device, the terminal device can obtain the application identifier by scanning the graphic code (for example, but not limited to, a two-dimensional code) provided by the internet application.
In a specific implementation, to improve the security of access to the internet application, after establishing the communication connection with the verification information generating device the terminal device may also obtain the application identification code of the internet application the user accesses and send it to the verification information generating device. The device processes the application identification code with the first key it stores, carries the processed code in the authentication information sent to the terminal device, and the terminal device carries the processed application identification code in the authentication request sent to the authentication server. The terminal device obtains the application identification code in the same way as it obtains the application identifier described above, which is not repeated here.
Preferably, the application identification code is a globally unique code that does not repeat across different internet applications, different terminal devices or different times. It may be, but is not limited to, a UUID (Universally Unique Identifier) or a GUID (Globally Unique Identifier), or any globally unique identifier produced by a similar technique; for convenience the UUID is used as the example below.
After receiving the processed application identification code, if the verification information generating device encrypted the application identification code, the authentication server decrypts it with the second key it stores and sends it, together with the authentication result, to the corresponding application server. The application server determines from the received application identification code which terminal device the user is using to access the internet application, and sends an allow/deny access response to that terminal device according to the authentication result sent by the authentication server.
Embodiment six
To better understand the embodiments of the invention, the specific implementation process is described below with reference to the information exchange flow during identity verification. For ease of explanation, a user accessing online banking is used as the example; as shown in Figure 6, the flow for a user logging in to online banking may comprise the following steps:
S61: when the user accesses the internet application, the communication connection between the terminal device and the verification information generating device is established.
In a specific implementation, the user may access online banking in either of the following two ways:
Mode one:
The user accesses online banking from the same terminal device that obtains the authentication information; for example, the user accesses online banking from a mobile phone and uses that phone to obtain the authentication information generated by the verification information generating device. In this case, the online banking login page must provide an application programming interface that encapsulates the identity verification method of the embodiment; when the user needs to log in to online banking, identity verification of the user is triggered by calling that interface.
Mode two:
The user accesses online banking from a terminal device other than the one that obtains the authentication information; for example, the user accesses online banking from a computer and uses their own mobile phone to obtain the authentication information generated by the verification information generating device. In this case, the online banking login page must embed a verification program that encapsulates the identity verification method of the embodiment and display it on the login page as a graphic code (for example, but not limited to, a two-dimensional code); when the user needs to log in to online banking, scanning that two-dimensional code directly triggers identity verification of the user.
S62: the verification information generating device generates the authentication information.
After the user's identity verification is triggered, the user triggers their own verification information generating device (which the bank may issue to the user when the bank account is opened) to generate the authentication information, for example by pressing a button provided on the device. The specific method by which the verification information generating device generates the authentication information is described in embodiment one above and is not repeated here.
Preferably, to avoid the risk that arises if a user loses the verification information generating device, in the embodiment the device may also identify the user before generating the authentication information, for example by fingerprint or by a password set in advance by the user; this is not restricted here. Correspondingly, the verification information generating device may further comprise a numeric keypad or a fingerprint acquisition device.
In a specific implementation, step S62 may also be performed before step S61, that is, the verification information generating device first generates the authentication information and then establishes the communication connection with the terminal device; the two may also be performed simultaneously. The embodiment of the invention does not restrict this.
S63: the verification information generating device exchanges the authentication information it generated with the terminal device.
In a specific implementation, the verification information generating device processes the seed information with the key it stores to obtain processed seed information, and carries the processed seed information and its own device identifier in the authentication information sent to the terminal device; alternatively, the terminal device actively obtains the authentication information containing the processed seed information from the communication sub-module.
S64: the terminal device sends an authentication request to the authentication server on the network side.
The authentication request carries the processed seed information obtained and the device identifier of the verification information generating device.
It should be noted that the terminal device may also obtain the application identification code and the application identifier of the internet application the user accesses and carry them together in the authentication request sent to the authentication server.
In a specific implementation, the terminal device may obtain the application identifier of the internet application the user accesses before establishing the communication connection with the verification information generating device, after establishing that connection, or after receiving the authentication information; any time before the authentication request is sent is acceptable, and the invention does not restrict this.
For example, if the user accesses the internet application in the first way above, the terminal device can directly obtain the application identifier or application name of the internet application currently being accessed and its corresponding UUID, and send them together to the authentication server. If the user accesses the internet application in the second way, the graphic code generated and displayed on the login page contains the application identifier or application name of the internet application and its corresponding UUID; the terminal device obtains them by scanning that graphic code and sends them to the authentication server together with the processed seed information and the device identifier obtained from the two-dimensional code generated by the verification information generating device.
Preferably, to improve the security of data transmission, the terminal device may send the obtained UUID to the verification information generating device for processing before sending it to the authentication server, so that it cannot be tampered with in transit. It should be understood that if the terminal device sends the UUID to the verification information generating device for processing, it must obtain the UUID and the application identifier either before establishing the communication connection or after establishing it but before receiving the authentication information, so that the verification information generating device can carry the processed UUID in the authentication information sent to the terminal device.
In a specific implementation, the terminal device may send the authentication request to the authentication server on the network side over a wired network, a wireless network, a mobile communication network, etc.
S65: the authentication server looks up the corresponding key according to the device identifier carried in the authentication request.
S66: the authentication server uses the key found to recover and/or verify the processed current-time information.
S67: the authentication server performs identity verification.
In a specific implementation, taking the case where the verification information generating device encrypts the current time as an example, the authentication server compares the recovered current time of the device with its own current time; if the interval does not exceed the preset time interval, verification is determined to pass, otherwise it is determined to fail.
S68: the authentication server sends the verification result to the application server that provides the internet application.
In a specific implementation, the authentication server provides the verification result to the application server corresponding to the application identifier or application name carried in the authentication request, and carries in the result it sends the UUID of the internet application the user is currently accessing.
S69: the application server sends an allow/deny access response to the terminal device.
In a specific implementation, the application server determines from the UUID which terminal device and which application program the user is using to access the internet application, and sends an allow/deny access response to that terminal device according to the verification result.
In existing security systems that employ encryption, the security of asymmetric-key encryption has been thoroughly proved in theory and the technique is widely used. Its main drawback, however, is that the key is too long for people to remember and type directly, so a user usually has to store the key in a computer file or a hardware device and import it at the time of use; this creates a risk of key leakage and is very inconvenient. In the embodiments of the present invention, a graphic code, being a convenient technique for automatic machine recognition, can be used to represent the ciphertext information, which is then easily recognised, transmitted and decrypted. This solves the problem that the key in existing asymmetric-key encryption mechanisms is too long to be used directly. Further, in the embodiments the authentication information is generated by separate hardware, which prevents the private key from being stolen, copied or tampered with and gives high security. At the same time, when an asymmetric-key encryption mechanism is used, the private key is stored in the security module of the verification information generating device and the public key is stored on the authentication server; even if the authentication server is attacked and every public key is leaked, an attacker still cannot forge any user's identity verification, so no threat is posed. Finally, because the key has sufficient length and strength, the device identifier of the verification information generating device (which may be its unique serial number) can be used directly as the user name, and the ciphertext or signed information produced each time the seed information is processed serves as the password; this achieves a one-time password whose complexity is far higher than the passwords people normally set, so both security and convenience improve greatly.
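As an added example (not code from the patent or its assignee), the following Python models the generation, relay and verification described in the second embodiment and in steps S62 to S68 of embodiment six: the device processes its current time together with the application identification code using a stored first key (the symmetric sign-and-verify variant, with HMAC-SHA256 standing in for the signature), the terminal adds the application identifier, and the authentication server looks up the second key by device identifier (falling back to trying each stored key in turn), verifies the processed seed, applies the preset time interval and routes the result to the application server. The key, device identifier, UUID, 30-second interval and the replay guard are assumptions not taken from the patent.

```python
# Added example (not the patent's own code): single-process model of the flow above,
# symmetric "sign the seed" variant with HMAC-SHA256. Key, device identifier, UUID,
# preset interval and the replay guard are assumed values, not taken from the patent.
import base64
import hashlib
import hmac
import struct

PRESET_INTERVAL_SECONDS = 30  # assumed "preset time interval" for the time check


def _message(device_time: int, app_code: str) -> bytes:
    """Bytes the tag covers: the seed (current time) plus the application code.
    Binding the UUID into the tag is what stops it being altered in transit."""
    return struct.pack(">Q", device_time) + b"|" + app_code.encode("utf-8")


class KeyStorageDevice:
    """Verification information generating device; the first key never leaves it."""

    def __init__(self, device_id: str, first_key: bytes):
        self.device_id = device_id
        self._first_key = first_key  # held by the security module

    def generate_auth_info(self, device_time: int, app_code: str) -> dict:
        """Computing module processes the seed with the first key; the result is the
        authentication information handed to the terminal device (S62/S63)."""
        tag = hmac.new(self._first_key, _message(device_time, app_code), hashlib.sha256).digest()
        return {
            "device_id": self.device_id,
            "seed_time": device_time,  # seed in clear; the tag is the processed seed
            "app_code": app_code,
            "tag": base64.b64encode(tag).decode("ascii"),
        }


def terminal_build_request(auth_info: dict, app_id: str) -> dict:
    """Terminal device (S64): add the application identifier obtained from the
    application's interface or its login-page graphic code, then forward."""
    return {**auth_info, "app_id": app_id}


class AuthenticationServer:
    def __init__(self, device_keys: dict, app_servers: dict):
        self.device_keys = device_keys  # device identifier -> second key
        self.app_servers = app_servers  # application identifier -> application server
        self._used_tags = set()         # replay guard: an addition beyond the patent text

    def _candidate_keys(self, request: dict) -> dict:
        device_id = request.get("device_id")
        if device_id is None:
            return self.device_keys  # no identifier carried: try each stored key in turn
        return {device_id: self.device_keys[device_id]} if device_id in self.device_keys else {}

    def verify(self, request: dict, server_time: int) -> dict:
        """S65 to S68: find the key, verify the processed seed, apply the time
        interval check, and route the result to the application server."""
        try:
            tag = base64.b64decode(request["tag"])
            message = _message(int(request["seed_time"]), request["app_code"])
        except (KeyError, ValueError, TypeError):
            return {"ok": False, "reason": "malformed request"}
        matched = None
        for device_id, key in self._candidate_keys(request).items():
            expected = hmac.new(key, message, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                matched = device_id
                break
        if matched is None:
            return {"ok": False, "reason": "no stored key verifies the seed"}
        if abs(server_time - int(request["seed_time"])) > PRESET_INTERVAL_SECONDS:
            return {"ok": False, "reason": "device time outside preset interval"}
        if request["tag"] in self._used_tags:
            return {"ok": False, "reason": "authentication information already used"}
        self._used_tags.add(request["tag"])
        app_server = self.app_servers.get(request.get("app_id"))
        if app_server is None:
            return {"ok": False, "reason": "unknown application identifier"}
        return {"ok": True, "device_id": matched, "app_server": app_server,
                "app_code": request["app_code"]}


# Constructed demo values: one issued device and one registered application.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
DEMO_DEVICE = KeyStorageDevice("KSD-0001", DEMO_KEY)
DEMO_SERVER = AuthenticationServer({"KSD-0001": DEMO_KEY}, {"ebank": "ebank-app-server"})
DEMO_UUID = "3f2c9e7a-5b1d-4c8e-9a6f-1d2e3c4b5a60"  # constructed application identification code


def demo_login(device_time: int, server_time: int, tampered_app_code: str = None) -> dict:
    """One pass through S62 to S68; tampered_app_code simulates the UUID being altered in transit."""
    request = terminal_build_request(DEMO_DEVICE.generate_auth_info(device_time, DEMO_UUID), "ebank")
    if tampered_app_code is not None:
        request["app_code"] = tampered_app_code
    return DEMO_SERVER.verify(request, server_time)
```

Because the device's clock is the seed, a skewed device clock fails the interval check exactly as a forged tag does, so an operator should log the rejection reason separately for the two cases.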
The third embodiment
The authentication system provided by the embodiment of the invention can also be used for an enterprise access-control system: the enterprise only needs to install a graphic code scanning device (for example a camera) and issue a key storage device to each employee; on entry, the user authentication information generated by the key storage device is scanned and verified, the employee is admitted if verification passes, and information such as the door-opening time can also be recorded.
In a specific implementation, the authentication system provided by the embodiment may provide one key storage device for different internet applications, or may provide a separate key storage device for internet applications with high security requirements such as online banking and online payment; in that case the authentication server must maintain the mapping between the application identifier of each internet application and the device identifier and key of its corresponding key storage device, so as to provide authentication for the different internet applications.
It should be noted that the terminal device in the embodiments may be a mobile terminal device such as a mobile phone, tablet computer, PDA (personal digital assistant) or smart watch, or a device such as a PC (personal computer); any terminal device fitted with a camera or scanning device that can scan the graphic code generated by the key storage device is acceptable.
In addition, the internet applications in the embodiments include websites, application clients and the like that can be accessed over the internet or the mobile internet.
Therefore, compared with traditional identity verification methods, the identity verification method provided by the embodiments is more secure: it achieves a highly complex, one-time password and avoids the risk of the password being stolen. It is also more convenient and fast: the user need not remember or type various user names and passwords, and can complete the identity verification process quickly simply by scanning a graphic code.
Because the password length and strength in the identity verification method provided by the embodiments are far higher than the passwords ordinary users set and the 6-digit purely numeric codes used by existing RSA SecurID two-factor authentication tokens, the method can be used directly as the primary password for identity verification.
Those skilled in the art should understand that embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the invention have been described, those skilled in the art, once they have learned the basic inventive concept, can make other changes and modifications to these embodiments. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the invention and their equivalent technologies, the invention is also intended to include them.

Claims (10)

1. A key storage device, characterized in that it comprises:
a security module for storing a key, the key being used to identify a user's identity;
a computing module for generating authentication information when identity verification is required, the authentication information at least comprising processed seed information obtained by processing seed information with the key stored in the security module, the seed information being any information that a computer system can process; and
a key interaction module for exchanging the authentication information with an external device.
2. The device of claim 1, characterized in that the key interaction module comprises a display sub-module;
the display sub-module being specifically configured to display the authentication information.
3. The device of claim 1 or 2, characterized in that the authentication information is a graphic code.
4. equipment as claimed in claim 1, is characterized in that, described cipher key interaction module comprises communicator module;
Described communicator module, specifically for establishing a communications link with described external device, and is transferred to described external device by the communication connection of setting up by described authentication information.
5. equipment as claimed in claim 4, is characterized in that,
Described communicator module, specifically for establishing a communications link according to following either type and described external device: earphone interface, bluetooth, infrared, near-field communication NFC, Wireless Fidelity WIFI, USB (universal serial bus) USB or data transmission interface OTG.
6. the equipment as described in claim as arbitrary in claim 1~5, is characterized in that, described seed information comprises the current time of described equipment.
7. the equipment as described in claim as arbitrary in claim 1, is characterized in that,
Described computing module, specifically for the key that utilizes in accordance with the following methods described security module storage, seed information is processed: the key that utilizes described security module storage to seed information be encrypted, signature or Hash operation.
8. the using method based on key storage device described in claim 1, is characterized in that, comprising:
Described computing module generates authentication information in the time that needs carry out authentication, in described authentication information, at least comprise and utilize the key of described security module storage seed information to be processed to the seed information after treatment obtaining, described seed information is arbitrary information that computer system can be processed;
Described cipher key interaction module is after described computing module generates described authentication information, with the mutual described authentication information of external device.
9. method as claimed in claim 8, is characterized in that, the mutual described authentication information of described cipher key interaction module and external device, specifically comprises:
The display sub-module that described cipher key interaction module comprises shows described authentication information.
10. method as claimed in claim 8, is characterized in that, the mutual described authentication information of described cipher key interaction module and external device, specifically comprises:
Communicator module and described external device that described cipher key interaction module comprises establish a communications link, and by the communication connection of setting up, described authentication information are transferred to described external device.
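The following Python block is an added illustration of the mechanism claimed in claims 1, 6 and 7, not code from the patent or its applicant. The computing module processes a time-based seed with the stored key using a keyed hash (HMAC-SHA256, one of the three processing options named in claim 7), and the external device verifies the result by recomputing the tag for adjacent time windows and comparing in constant time, so that a captured token stops working once its window has passed. The device key value, the user identifier, the 30-second window, the text encoding of the authentication information and the key lookup table are all constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed device key for illustration only. In the claimed device this key
# lives inside the security module and is never exported; it identifies the user.
DEVICE_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)

# Assumed seed granularity: the patent only says the seed may be the device's
# current time, so the window length is a design choice made here.
TIME_STEP_SECONDS = 30


def seed_from_time(unix_time: int, step: int = TIME_STEP_SECONDS) -> bytes:
    """Seed information (claim 6): the current time, quantised into a window counter."""
    return struct.pack(">Q", unix_time // step)


def generate_authentication_info(key: bytes, user_id: str, unix_time: int) -> str:
    """Computing module (claim 7, hashing option): process the seed with the stored key.

    The result is text that a display sub-module could render as a graphic code
    (claim 3) or a communication sub-module could send over USB/Bluetooth/NFC
    (claims 4 and 5). Binding the user id into the MAC input stops one user's
    tag from being presented under another user's name.
    """
    seed = seed_from_time(unix_time)
    tag = hmac.new(key, user_id.encode() + b"|" + seed, hashlib.sha256).digest()
    return user_id + ":" + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_authentication_info(key_lookup, info: str, server_time: int,
                               skew_windows: int = 1) -> bool:
    """External device side: recompute the expected token for nearby windows.

    key_lookup(user_id) returns the key registered for that user or None.
    Allowing +/- skew_windows tolerates small clock drift between the device
    and the verifier; anything outside that range (including a replayed token
    from an old window) is rejected. Comparison is constant-time.
    """
    try:
        user_id, _presented = info.split(":", 1)
    except ValueError:
        return False  # malformed authentication information
    key = key_lookup(user_id)
    if key is None:
        return False  # unknown user, no registered key
    for offset in range(-skew_windows, skew_windows + 1):
        candidate = generate_authentication_info(
            key, user_id, server_time + offset * TIME_STEP_SECONDS
        )
        if hmac.compare_digest(candidate.encode(), info.encode()):
            return True
    return False


if __name__ == "__main__":
    # Constructed registry standing in for the verifier's key store.
    registry = {"alice": DEVICE_KEY}
    now = int(time.time())
    token = generate_authentication_info(DEVICE_KEY, "alice", now)
    print("authentication info:", token)
    print("accepted now:", verify_authentication_info(registry.get, token, now))
    print("accepted 2 minutes later:",
          verify_authentication_info(registry.get, token, now + 120))
```

The verifier never needs the seed itself: because the seed is derived from time, it recomputes the candidate tokens locally, which is why the device can transmit only the processed seed rather than the key or the raw seed.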
CN201410254187.8A 2014-06-09 2014-06-09 A kind of key storage device and using method thereof Expired - Fee Related CN104063650B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201410254187.8A CN104063650B (en) 2014-06-09 2014-06-09 A kind of key storage device and using method thereof
PCT/CN2014/082518 WO2015188424A1 (en) 2014-06-09 2014-07-18 Key storage device and method for using same
US14/902,396 US20170085561A1 (en) 2014-06-09 2014-07-18 Key storage device and method for using same

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410254187.8A CN104063650B (en) 2014-06-09 2014-06-09 A kind of key storage device and using method thereof

Publications (2)

Publication Number Publication Date
CN104063650A true CN104063650A (en) 2014-09-24
CN104063650B CN104063650B (en) 2015-08-19

Family

ID=51551358

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410254187.8A Expired - Fee Related CN104063650B (en) 2014-06-09 2014-06-09 A kind of key storage device and using method thereof

Country Status (1)

Country Link
CN (1) CN104063650B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104579675A (en) * 2014-10-15 2015-04-29 深圳市金溢科技股份有限公司 Safety module, data reading-writing system for parking lot and safety setting method
WO2016045520A1 (en) * 2014-09-28 2016-03-31 中国银联股份有限公司 Token-based mobile payment method and mobile payment system
CN105844315A (en) * 2016-03-14 2016-08-10 广州赛莱拉干细胞科技股份有限公司 Sample source data management method and apparatus
CN107947931A (en) * 2017-12-29 2018-04-20 北京海泰方圆科技股份有限公司 A kind of method and system of key agreement, bluetooth equipment
CN108234412A (en) * 2016-12-15 2018-06-29 腾讯科技(深圳)有限公司 Auth method and device
CN112884960A (en) * 2019-11-29 2021-06-01 北京小米移动软件有限公司 Key verification method, device and storage medium
US20210281415A1 (en) * 2018-06-26 2021-09-09 Japan Communications Inc. Online Service Providing System, IC Chip, and Application Program
CN108737080B (en) * 2017-04-18 2021-11-02 阿里巴巴集团控股有限公司 Password storage method, device, system and equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1614924A (en) * 2004-11-26 2005-05-11 王小矿 Identity certifying system based on intelligent card and dynamic coding
CN101013942A (en) * 2007-01-24 2007-08-08 北京飞天诚信科技有限公司 System and method for improving the safety of intelligent key equipment

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1614924A (en) * 2004-11-26 2005-05-11 王小矿 Identity certifying system based on intelligent card and dynamic coding
CN101013942A (en) * 2007-01-24 2007-08-08 北京飞天诚信科技有限公司 System and method for improving the safety of intelligent key equipment

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016045520A1 (en) * 2014-09-28 2016-03-31 中国银联股份有限公司 Token-based mobile payment method and mobile payment system
CN104579675B (en) * 2014-10-15 2018-09-07 深圳市金溢科技股份有限公司 Security module, parking lot data read-write system and security setting method
CN104579675A (en) * 2014-10-15 2015-04-29 深圳市金溢科技股份有限公司 Safety module, data reading-writing system for parking lot and safety setting method
CN105844315B (en) * 2016-03-14 2019-03-22 广州赛莱拉干细胞科技股份有限公司 A kind of sample source data information management method and apparatus
CN105844315A (en) * 2016-03-14 2016-08-10 广州赛莱拉干细胞科技股份有限公司 Sample source data management method and apparatus
CN108234412A (en) * 2016-12-15 2018-06-29 腾讯科技(深圳)有限公司 Auth method and device
CN108737080B (en) * 2017-04-18 2021-11-02 阿里巴巴集团控股有限公司 Password storage method, device, system and equipment
CN107947931B (en) * 2017-12-29 2018-12-21 北京海泰方圆科技股份有限公司 A kind of method and system of key agreement, bluetooth equipment
CN107947931A (en) * 2017-12-29 2018-04-20 北京海泰方圆科技股份有限公司 A kind of method and system of key agreement, bluetooth equipment
US20210281415A1 (en) * 2018-06-26 2021-09-09 Japan Communications Inc. Online Service Providing System, IC Chip, and Application Program
US11863681B2 (en) * 2018-06-26 2024-01-02 Japan Communications Inc. Online service providing system, IC chip, and application program
CN112884960A (en) * 2019-11-29 2021-06-01 北京小米移动软件有限公司 Key verification method, device and storage medium
CN112884960B (en) * 2019-11-29 2022-12-27 北京小米移动软件有限公司 Key verification method, device and storage medium

Also Published As

Publication number Publication date
CN104063650B (en) 2015-08-19

Similar Documents

Publication Publication Date Title
CN104065653B (en) A kind of interactive auth method, device, system and relevant device
CN104065652B (en) A kind of auth method, device, system and relevant device
CN104063650B (en) A kind of key storage device and using method thereof
US8751794B2 (en) System and method for secure nework login
US8112787B2 (en) System and method for securing a credential via user and server verification
EP2166697B1 (en) Method and system for authenticating a user by means of a mobile device
CN109981561A (en) Monomer architecture system moves to the user authen method of micro services framework
US9338164B1 (en) Two-way authentication using two-dimensional codes
CN104767616B (en) A kind of information processing method, system and relevant device
US20130185210A1 (en) Method and System for Making Digital Payments
US20170085561A1 (en) Key storage device and method for using same
CN104767617A (en) Message processing method, system and related device
TW201545526A (en) Method, apparatus, and system for providing a security check
US9137224B2 (en) System and method for secure remote access
JP2012530311A5 (en)
WO2019226115A1 (en) Method and apparatus for user authentication
WO2021190197A1 (en) Method and apparatus for authenticating biometric payment device, computer device and storage medium
CN104426659A (en) Dynamic password generating method, authentication method, authentication system and corresponding equipment
Sain et al. A survey on the security in cyber physical system with multi-factor authentication
Abdelrazig Abubakar et al. Blockchain-based identity and authentication scheme for MQTT protocol
Binu et al. A mobile based remote user authentication scheme without verifier table for cloud based services
CN114788226B (en) Unmanaged tool for building decentralized computer applications
CN204046622U (en) A kind of cipher key storage device
CN102780812A (en) Method and system for achieving safe input by using mobile terminal
CA2805539C (en) System and method for secure remote access

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: BEIJING SHIDUN TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: HAN SHENG

Effective date: 20141120

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100107 CHAOYANG, BEIJING TO: 100081 HAIDIAN, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20141120

Address after: 100081, room 1008, Qingyun contemporary building, No. 43 West Third Ring Road, Haidian District, Beijing

Applicant after: Beijing Shidun Technology Co., Ltd.

Address before: 100107 Beijing city Chaoyang District Village Building 6, room 2807 of the day in the park

Applicant before: Han Cheng

ASS Succession or assignment of patent right

Owner name: HAN SHENG

Free format text: FORMER OWNER: BEIJING SHIDUN TECHNOLOGY CO., LTD.

Effective date: 20141128

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100081 HAIDIAN, BEIJING TO: 100107 CHAOYANG, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20141128

Address after: 100107 Beijing city Chaoyang District Village Building 6, room 2807 of the day in the park

Applicant after: Han Cheng

Address before: 100081, room 1008, Qingyun contemporary building, No. 43 West Third Ring Road, Haidian District, Beijing

Applicant before: Beijing Shidun Technology Co., Ltd.

C53 Correction of patent of invention or patent application
CB02 Change of applicant information

Address after: 430063, Wuchang District, Hubei, Wuhan province talent street, run road, Vanke long court, A, building 3007

Applicant after: Han Cheng

Address before: 100107 Beijing city Chaoyang District Village Building 6, room 2807 of the day in the park

Applicant before: Han Cheng

ASS Succession or assignment of patent right

Owner name: BEIJING SHIDUN TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: HAN SHENG

Effective date: 20150422

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 430063 WUHAN, HUBEI PROVINCE TO: 100086 HAIDIAN, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20150422

Address after: 100086, room 1008, Qingyun contemporary building, No. 43 West Third Ring Road, Haidian District, Beijing

Applicant after: Beijing Shidun Technology Co., Ltd.

Address before: 430063, Wuchang District, Hubei, Wuhan province talent street, run road, Vanke long court, A, building 3007

Applicant before: Han Cheng

C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150819

Termination date: 20180609