Method and apparatus for user authentication, and method and apparatus for obtaining user number information
Technical field
The present application relates to the field of network communication technology, and in particular to a method and apparatus for user authentication and to a method and apparatus for obtaining user number information.
Background technology
Mobile phone Apps (application programs) widely use short message verification codes as a means of verification in scenarios such as user registration, identity verification and secondary verification. The user first reserves a phone number at the service end of the App. When verification is needed, the service end sends a short message to the phone number the user reserved; the message contains a string verification code made up of digits or characters. The user enters the received verification code into the input box designated by the App, the App uploads it to the service end, and the service end authenticates the user by comparing whether the uploaded verification code is identical to the one it issued.
This short message verification code scheme of the prior art has the following problems. First, according to an industry survey, because of communication delays, gateway filtering, security software interception and similar causes, the average arrival rate of short message verification codes is currently 93%, which means that 7% of users cannot pass verification for reasons that are not their own. Secondly, during verification the user has to switch screens to read the short message, memorise the verification code and enter it into the designated input box, which is cumbersome, time-consuming and inconvenient for the user.
Summary of the invention
In view of this, the present application provides a method of user authentication, applied in a terminal, comprising:
obtaining the user number information of the present device;
sending an authentication request to an authentication server, the authentication request including the user number information;
receiving an authentication response returned by the authentication server, the authentication response being generated by the authentication server according to the result of matching the service-end number information reserved by the user against the user number information.
The present application also provides a method of user authentication, applied on an authentication server, comprising:
receiving an authentication request sent by a terminal, the authentication request including user number information;
obtaining the service-end number information reserved by the user, and matching the service-end number information against the user number information;
sending to the terminal an authentication response generated according to the matching result.
The present application further provides a method of obtaining user number information, applied in a terminal, comprising:
sending a connection request to a number service end and establishing a connection, the connection request including a requester identifier;
initiating, by a number-based communication mode, a communication to a preset interface of the number service end, the communication content including the requester identifier;
receiving, through the connection, the user number information returned by the number service end, the user number information being generated according to the subscriber number that communicated with the preset interface of the number service end, the requester identifier in the communication content of that subscriber number being identical to the requester identifier in the connection request that established the connection; the user number information is provided by the terminal to an authentication server during user authentication, to be matched at the authentication server against the service-end number information reserved by the user.
The present application also provides a method of obtaining user number information, applied at a number service end, comprising:
receiving a connection request sent by a terminal and establishing a connection, the connection request including a requester identifier;
receiving a communication initiated by the terminal in a subscriber-number-based communication mode to a preset interface of the present service end, obtaining the subscriber number and the requester identifier in the communication content, and establishing the correspondence between the two;
generating user number information according to the subscriber number, and returning the user number information to the terminal through the connection associated with the requester identifier corresponding to the subscriber number; the user number information is provided by the terminal to an authentication server during user authentication, to be matched at the authentication server against the service-end number information reserved by the user.
The present application also provides an apparatus for user authentication, applied in a terminal, comprising:
a number information obtaining unit, for obtaining the user number information of the present device;
an authentication request sending unit, for sending an authentication request to an authentication server, the authentication request including the user number information;
an authentication response receiving unit, for receiving an authentication response returned by the authentication server, the authentication response being generated by the authentication server according to the result of matching the service-end number information reserved by the user against the user number information.
The present application also provides an apparatus for user authentication, applied on an authentication server, comprising:
an authentication request receiving unit, for receiving an authentication request sent by a terminal, the authentication request including user number information;
a number information matching unit, for obtaining the service-end number information reserved by the user and matching the service-end number information against the user number information;
an authentication response sending unit, for sending to the terminal an authentication response generated according to the matching result.
The present application also provides an apparatus for obtaining user number information, applied in a terminal, comprising:
a connection request sending unit, for sending a connection request to a number service end and establishing a connection, the connection request including a requester identifier;
a number-based communication initiating unit, for initiating, by a number-based communication mode, a communication to a preset interface of the number service end, the communication content including the requester identifier;
a number information receiving unit, for receiving through the connection the user number information returned by the number service end, the user number information being generated according to the subscriber number that communicated with the preset interface of the number service end, the requester identifier in the communication content of that subscriber number being identical to the requester identifier in the connection request that established the connection; the user number information is provided by the terminal to an authentication server during user authentication, to be matched at the authentication server against the service-end number information reserved by the user.
The present application also provides an apparatus for obtaining user number information, applied at a number service end, comprising:
a connection request receiving unit, for receiving a connection request sent by a terminal and establishing a connection, the connection request including a requester identifier;
a number-based communication receiving unit, for receiving a communication initiated by the terminal in a subscriber-number-based communication mode to a preset interface of the present service end, obtaining the subscriber number and the requester identifier in the communication content, and establishing the correspondence between the two;
a number information issuing unit, for generating user number information according to the subscriber number and returning the user number information to the terminal through the connection associated with the requester identifier corresponding to the subscriber number; the user number information is provided by the terminal to an authentication server during user authentication, to be matched at the authentication server against the service-end number information reserved by the user.
It can be seen from the above technical scheme that, in the embodiments of the method and apparatus for user authentication of the present application, the terminal uploads the user number information it obtained for the present device to the authentication server in the authentication request, and the authentication server authenticates the user according to whether the service-end number information reserved by the user matches the uploaded user number information. The authentication server can thus verify the subscriber number without issuing a verification code by short message, which avoids authentication failures caused by short message delivery failures, spares the user from reading and entering a verification code, simplifies the user's operations and speeds up authentication.
In the embodiments of the method and apparatus for obtaining user number information of the present application, the terminal interacts with the number service end through a connection and through a number-based communication mode respectively; from the number-based communication initiated by the terminal, the number service end learns the terminal's user number information and requester identifier, and returns the user number information to the initiator of the connection carrying the same requester identifier, so that the terminal obtains the user number information of the present device. Using this user number information in the user authentication process avoids having the authentication server authenticate the subscriber number by sending a short message verification code; the user need not read or enter a verification code, which simplifies the user's operations and speeds up authentication.
Brief description of the drawings
Fig. 1 is a flow chart of a method of obtaining user number information applied in a terminal according to embodiment one of the present application;
Fig. 2 is a flow chart of a method of obtaining user number information applied at a number service end according to embodiment one of the present application;
Fig. 3 is a flow chart of a method of user authentication applied in a terminal according to embodiment two of the present application;
Fig. 4 is a flow chart of a method of user authentication applied on an authentication server according to embodiment two of the present application;
Fig. 5 is a schematic network structure diagram of a scenario in which an application example of the present application is used;
Fig. 6 is a hardware structure diagram of a device on which a terminal, a number service end or an authentication server is located;
Fig. 7 is a logical structure diagram of an apparatus for obtaining user number information applied in a terminal according to an embodiment of the present application;
Fig. 8 is a logical structure diagram of an apparatus for obtaining user number information applied at a number service end according to an embodiment of the present application;
Fig. 9 is a logical structure diagram of an apparatus for user authentication applied in a terminal according to an embodiment of the present application;
Fig. 10 is a logical structure diagram of an apparatus for user authentication applied on an authentication server according to an embodiment of the present application.
Detailed description of the embodiments
In the prior-art authentication mode using short message verification codes, the authentication server sends a verification code in plain text by short message to the subscriber number reserved by the user, the user enters the received verification code into the application program, which sends it to the authentication server, and the authentication server determines whether the user (terminal) passes authentication according to whether the verification codes are consistent. It can be seen that what a short message verification code actually verifies is whether the terminal using the reserved subscriber number is under the user's control. In most application scenarios the user controls only one terminal, so what is actually verified is whether the subscriber number used by the terminal running the application program is exactly the reserved subscriber number. Therefore, in the embodiments of the present application, the terminal actively uploads its user number information when requesting authentication from the authentication server, and the authentication server determines whether the user passes authentication by comparing whether the user number information uploaded by the terminal matches the service-end number information reserved by the user.
In mobile communication systems, a mobile communication subscriber is uniquely identified by an IMSI (International Mobile Subscriber Identification Number). The IMSI is stored on, and bound to, a subscriber identity module. A subscriber identity module identifies the subscriber in the mobile communication network; examples are SIM (Subscriber Identity Module) cards and USIM (Universal Subscriber Identity Module) cards.
Once a user's subscriber identity module is installed in a terminal, the terminal can communicate using the IMSI bound to it. Because a subscriber identity module may be damaged, and so that the user need not change their contact details when the subscriber identity module is replaced, mobile communication systems employ a second way of uniquely identifying a subscriber, the MSISDN (Mobile Station International Subscriber Directory Number), also called the subscriber number. The correspondence between IMSI and subscriber number is stored in the equipment of the mobile network service provider. When the terminal of user A uses its IMSI to initiate a communication (such as a phone call or a short message) with the terminal of user B through the service provider, the mobile network service provider looks up the subscriber number corresponding to the IMSI of user A and delivers that subscriber number to the terminal of user B, so that user B can learn from the subscriber number of the correspondent that the party initiating the communication is user A.
The information exchange between an application program running in a terminal and its service end usually identifies the terminal by a terminal identification code such as the IMEI (International Mobile Equipment Identity), and does not use the subscriber identification code IMSI (that is, the communication is not based on the subscriber number). Consequently, neither the terminal nor the service end of its application program can learn the subscriber number used by the terminal from their mutual information exchange.
In the prior art, some mobile network service providers write the subscriber number into the subscriber identity module before delivering it to the user. In such application scenarios the terminal can read the subscriber number it uses from the subscriber identity module through an API (Application Programming Interface). In application scenarios where the subscriber number is not stored in the subscriber identity module, the terminal can obtain the subscriber number it uses with the technical scheme of embodiment one of the present application.
Embodiment one of the present application proposes a method of obtaining user number information: the terminal uploads a requester identifier that identifies the terminal to the number service end, once through a connection and once through a number-based communication mode; the number service end obtains the subscriber number from the number-based communication, generates user number information and delivers it to the terminal connected with the same requester identifier. The terminal can then upload its user number information directly to the authentication server when user verification is performed, so that the subscriber number can be authenticated without issuing, entering and uploading a short message verification code, avoiding authentication failures caused by short message reception failures, reducing the user's operations and speeding up authentication.
In embodiment one, the terminal exchanges information with the number service end through two different communication modes. One is communication based on the subscriber number, that is, communication carried out using the terminal's IMSI, such as a phone call or a short message. The other is communication not based on the subscriber number, that is, a connection that does not use the IMSI but uses other identification information of the terminal or user, for example the connection established between an application program running in the terminal and the service end of that application program.
In the present embodiment, the terminal can be any mobile communication device capable of using both of the above communication modes, such as a mobile phone, tablet computer or notebook with a SIM or USIM card installed; the number service end can be any physical or logical device, or combination of physical or logical devices, capable of using both of the above communication modes, without limitation.
In embodiment one, the flow of the method of obtaining user number information applied in the terminal is shown in Fig. 1, and the flow applied at the number service end is shown in Fig. 2.
In the terminal, step 110: send a connection request to the number service end and establish a connection, the connection request including a requester identifier.
At the number service end, step 210: receive the connection request sent by the terminal and establish a connection.
The terminal sends the connection request to the number service end in a mode not based on the subscriber number, and carries the requester identifier in the connection request. The requester identifier can be any identification information that uniquely represents, at the number service end, the terminal or the user of the terminal. For example, it can be an identification code of the terminal, such as the terminal's IMEI or the terminal's UUID (Universally Unique Identifier); it can be the terminal's MAC (Media Access Control) address; or it can be the identifier of the user account that the user of the terminal holds at the number service end, such as the user account name or user account code.
After receiving the terminal's connection request, the number service end establishes a connection with the terminal.
In the terminal, step 120: initiate a communication to the preset interface of the number service end using a number-based communication mode, the communication content including the terminal's requester identifier.
At the number service end, step 220: receive the communication initiated by the terminal in a subscriber-number-based communication mode to the preset interface of the present service end, obtain the subscriber number and the requester identifier in the communication content, and establish the correspondence between the two.
The number service end opens a preset interface to the terminal; this preset interface is used for communication based on the subscriber number. The terminal initiates a subscriber-number-based communication to the preset interface of the number service end and transmits the requester identifier of the present device to the number service end in the communication content. Because in number-based communication the mobile network service provider notifies the receiving end of the sender's subscriber number, when the number service end receives at the preset interface the subscriber-number-based communication initiated by the terminal, it obtains the terminal's subscriber number and can extract the terminal's requester identifier (that is, the requester identifier corresponding to this subscriber number) from the communication content, and so can map the terminal's subscriber number to its requester identifier.
For example, the number service end uses a preset short message gateway as the preset interface. The terminal writes the requester identifier of the present device into the short message content and sends the short message to the preset short message gateway of the number service end. After the preset short message gateway receives the short message, the number service end extracts the requester identifier from the short message content, takes the sender number of the short message as the subscriber number, and establishes the correspondence between it and the requester identifier.
For another example, the number service end can use a preset telephone access interface. The terminal converts the requester identifier of the present device into speech and transmits it by telephone to the preset telephone access interface of the number service end. The number service end recognises the speech received at the preset telephone access interface to obtain the requester identifier, takes the calling number of the telephone call as the subscriber number, and establishes the correspondence between it and the requester identifier.
It should be noted that there is no sequential relationship between step 110 and step 120 in the terminal, nor between step 210 and step 220 at the number service end.
At the number service end, step 230: generate user number information according to the subscriber number, and return the user number information to the terminal through the connection associated with the requester identifier corresponding to the subscriber number. The user number information is provided by the terminal to the authentication server during user authentication, to be matched at the authentication server against the service-end number information reserved by the user.
In the terminal, step 130: receive, through the established connection, the user number information returned by the number service end. The user number information is generated according to the subscriber number that communicated with the preset interface of the number service end, and the requester identifier in the communication content of that subscriber number is identical to the requester identifier in the connection request that established the connection. The user number information is provided by the terminal to the authentication server during user authentication, to be matched at the authentication server against the service-end number information reserved by the user.
In the embodiments of the present application, the user number information can be any data that is associated with the subscriber number and can be matched against the number reserved by the user for authentication. For example, the user number information can be the subscriber number itself; it can be the mapping value obtained by applying a predetermined algorithm to perform a many-to-one transformation of the subscriber number (such as a hash value of the subscriber number computed with a predetermined hash algorithm); or it can be data in a one-to-one relationship with the subscriber number or with the mapping value of the subscriber number (such as the index of the subscriber number in a database table at the number service end that stores subscriber numbers). Correspondingly, when generating the user number information, the number service end can use the subscriber number directly as the user number information; it can use the subscriber number as the input of a predetermined algorithm and the output of that algorithm as the user number information; or it can look up (for example in a database table storing subscriber numbers) or compute (for example by random generation with uniqueness guaranteed) data in a one-to-one relationship with the subscriber number or with its mapping value, and use that data as the user number information.
After generating the user number information, the number service end obtains, according to the established correspondence, the requester identifier corresponding to the subscriber number used to generate the user number information, looks up the connection established by the connection request carrying the same requester identifier, and sends the user number information through that connection to the terminal at the other end.
Having received the user number information, the terminal can send it to the authentication server when requesting user authentication, so that the authentication server can match it against the service-end number information reserved by the user to determine whether user authentication passes.
Because a user rarely changes the subscriber number used by the terminal, the terminal can store the received user number information, so that it is not necessary to run the above flow for obtaining user number information before every user authentication. To improve the security of user authentication using user number information, the terminal can store the received user number information in a secure area of the present device, for example in a TEE (Trusted Execution Environment) or an SE (Secure Element).
Generally, the subscriber number used by a terminal changes only when the subscriber identity module in the terminal is replaced. Therefore the terminal can monitor the state of the subscriber identity module; when it detects that a subscriber identity module has been inserted, it sends a connection request carrying the requester identifier to the number service end and establishes a connection, initiates a communication to the preset interface of the number service end using the number-based communication mode with the requester identifier carried in the communication content, and so re-runs the flow for obtaining the subscriber number corresponding to the newly inserted subscriber identity module. When it detects that the subscriber identity module has been removed, the terminal can delete the user number information stored in its secure area.
In the terminal, the method of embodiment one can run at the operating system layer, that is, the method of embodiment one can be implemented in the operating system of the terminal, which makes it easy to detect insertion and removal of the subscriber identity module; for example, it can be implemented in the Application Framework layer of the Android system.
In addition, to increase the security of the process of obtaining user number information, the number service end can, after generating the user number information, digitally sign it using the number service end's private key, and then return the user number information together with the digital signature to the terminal through the connection established with the terminal. After receiving the returned user number information and digital signature on the connection with the number service end, the terminal verifies the digital signature using the number service end's public key; if verification passes, the terminal stores the received user number information, and if verification fails, it discards the received user number information.
It can be seen that, in embodiment one of the present application, the terminal interacts with the number service end through a connection and through a number-based communication mode respectively; the number service end obtains the subscriber number from the number-based communication, generates user number information and delivers it to the terminal connected with the same requester identifier, so that the terminal can use the user number information for user authentication. This avoids having the authentication server authenticate the subscriber number by sending a short message verification code, simplifies the user's operations in the verification process and speeds up authentication.
Embodiment two of the present application proposes a new method of user authentication: the terminal actively sends the user number information of the present device to the authentication server in the authentication request, and the authentication server determines whether the user passes authentication by comparing whether the user number information uploaded by the terminal matches the service-end number information reserved by the user. Whether the number used by the terminal is exactly the number reserved by the user can thus be verified without issuing and uploading a verification code, which avoids authentication failures caused by short message delivery failures, spares the user from reading and entering a verification code, and completes the authentication process with fewer operations and at greater speed, thereby solving the problems of the prior art.
In embodiment two, the terminal and the authentication server can reach each other through a mobile communication network. Generally, in the authentication flow, the application program running in the terminal establishes a connection with the authentication server and exchanges information with the authentication server in a request/response pattern. The terminal can be any mobile communication device that uses a subscriber number, such as a mobile phone, tablet computer or notebook; the authentication server can be a single physical or logical server, or two or more physical or logical servers with different responsibilities that cooperate to realise the functions of the authentication server in the embodiments of the present application.
In the present embodiment, the flow of the method of user authentication applied in the terminal is shown in Fig. 3, and the flow applied on the authentication server is shown in Fig. 4.
In the terminal, step 310: obtain the user number information of the present device.
As described above, if the subscriber identity module of the terminal contains the subscriber number, the terminal can call the interface that provides the subscriber number to obtain the subscriber number used by the present device, and generate the user number information from that subscriber number. The user number information can be the subscriber number itself, or the mapping value obtained by applying a predetermined algorithm to perform a many-to-one or one-to-one transformation of the subscriber number (such as a hash value of the subscriber number).
If the user number information of the present device cannot be obtained from the terminal itself, it can be obtained from the number service end using the scheme provided by embodiment one. In application scenarios where the user number information obtained from the number service end is stored in a secure area of the present device (such as a TEE or SE), the terminal can read the stored user number information from the secure area. The user number information from the number service end can be the subscriber number; it can be the mapping value obtained by applying a predetermined algorithm to perform a many-to-one transformation of the subscriber number; or it can be data in a one-to-one relationship with the subscriber number or with the mapping value of the subscriber number.
In the terminal, step 320: send an authentication request to the authentication server, the authentication request including the user number information.
On the authentication server, step 410: receive the authentication request sent by the terminal.
The terminal sends an authentication request to the authentication server with the user number information of the present device encapsulated in it. The authentication request can be a request for user identity authentication of the terminal initiated by the service side in any business process, for example a login request or a payment request, without limitation. The authentication server receives the terminal's authentication request and extracts the terminal's user number information from it.
In the authentication server, step 420: obtain the service end number information reserved by the user, and match the service end number information against the received user number information.
In the prior art, the terminal generally uploads the account information of the user of the terminal to the authentication server while establishing a connection with it, or uploads the user's account information to the authentication server within the authentication request. In other words, the authentication server can learn which user sent the authentication request.
In application scenarios where identity authentication is performed using subscriber numbers, each user can reserve the subscriber number they use at the service side. The service side generates the service end number information of each user from the reserved subscriber number and stores it at a predetermined storage location. The service end number information may be the subscriber number itself; a mapping value obtained by applying a predetermined algorithm to the subscriber number in a many-to-one conversion (for example, a hash value of the subscriber number); or data having a one-to-one correspondence with the subscriber number or with a mapping value of the subscriber number (such as a mapping value obtained by a one-to-one mapping with a predetermined algorithm, an index value of the database table in which the subscriber number is stored, or a randomly generated value that uniquely corresponds to the subscriber number).
After receiving the terminal's authentication request, the authentication server looks up, at the predetermined storage location, the service end number information reserved by the user who sent the request, and matches it against the received user number information. The specific matching process depends on the user number information and service end number information used in the practical application scenario and is not repeated here.
It should be noted that the user number information and the service end number information in one application scenario may be identical or different, as long as the authentication server can match the two. In one example, the user number information is a hash value obtained by feeding the subscriber number into a certain predetermined hash algorithm, and the service end number information is the subscriber number; when matching, the authentication server feeds the service end number information into the same predetermined hash algorithm and compares the output hash value with the user number information, and the two match if they are identical. In another example, the user number information is an index value of the database table in which the service side stores subscriber numbers, and the service end number information is the subscriber number; when matching, the authentication server uses the user number information as the lookup index into the database table storing subscriber numbers, and the two match if the subscriber number found is identical to the service end number information.
To increase the security of the user authentication process, the terminal can digitally sign the authentication request with the requester's private key and send the authentication request carrying the requester identifier and the digital signature to the authentication server. The authentication server verifies the digital signature in the authentication request with the terminal's requester public key; if verification fails, the matching result is set to mismatch; if verification passes, the authentication server obtains the service end number information reserved by the user and determines the matching result from whether the service end number information and the user number information match.
The requester private key and requester public key may be any of various device keys of the terminal or various keys of the user; this is not limited in the embodiments of the application. Some terminal manufacturers build a terminal root key (a kind of device private key) into the secure area of the terminal (such as the TEE or SE) before the terminal leaves the factory. Because the root key is more secure and non-repudiable than other keys, digitally signing the authentication request carrying the user number information with the terminal's root key, and having the authentication server verify the signature with the public key corresponding to that terminal's root key, achieves higher security.
In the authentication server, step 430: send the authentication response generated according to the matching result to the terminal.
In the terminal, step 330: receive the authentication response returned by the authentication server, the authentication response having been generated by the authentication server after matching the service end number information reserved by the user against the uploaded user number information.
The authentication server generates the authentication response according to the matching result of the service end number information and the user number information, and carries the authentication result (success or failure) in the authentication response. If the authentication of the user's identity is based only on the subscriber number, authentication succeeds when the matching result is a match and fails when the matching result is a mismatch. If the authentication of the user's identity is based not only on the subscriber number but also on other authentication methods, authentication succeeds only when the matching result is a match and the other identity authentication methods also pass; otherwise authentication fails.
The authentication server sends the authentication response to the terminal, and the terminal learns the authentication result from the authentication response.
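As an added illustration of steps 410 to 430 (signature verification, the two matching examples given above, and the response), not code from the patent: a Go model of the authentication server. The request layout, Ed25519 as the requester key algorithm, SHA-256 as the predetermined hash algorithm and the field names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
)

// AuthRequest is the step 320/410 message: the user number information, the
// requester identifier and a digital signature over both (constructed layout).
type AuthRequest struct {
	RequesterID    string // user account id or terminal identification code
	UserNumberInfo string // H(number) in "hash" mode, a table index in "index" mode
	Signature      []byte // requester private key signature over signedPayload()
}

// AuthResponse is the step 430 message carrying the authentication result.
type AuthResponse struct {
	Success bool
	Reason  string
}

// UserRecord is what the server keeps per user: the reserved subscriber number
// (service end number information) and the requester public key, which in the
// root-key variant is the public key matching the terminal's built-in root key.
type UserRecord struct {
	ReservedNumber string
	PublicKey      ed25519.PublicKey
}

// AuthServer holds the user records and, for "index" mode, the table that maps
// an uploaded index value back to a subscriber number.
type AuthServer struct {
	Users       map[string]UserRecord // keyed by requester id
	NumberTable map[string]string     // index value -> subscriber number
}

// numberHash is the predetermined hash algorithm shared with the terminal;
// SHA-256 over the number string is an assumption.
func numberHash(number string) string {
	sum := sha256.Sum256([]byte(number))
	return hex.EncodeToString(sum[:])
}

// signedPayload binds requester id and number information together so that
// neither can be swapped without invalidating the signature.
func signedPayload(r AuthRequest) []byte {
	return []byte(r.RequesterID + "\x00" + r.UserNumberInfo)
}

// BuildRequest is the terminal side of step 320: sign with the requester private key.
func BuildRequest(priv ed25519.PrivateKey, requesterID, info string) AuthRequest {
	r := AuthRequest{RequesterID: requesterID, UserNumberInfo: info}
	r.Signature = ed25519.Sign(priv, signedPayload(r))
	return r
}

// Authenticate implements steps 410-430: verify the signature first (a failure
// counts as a mismatch), then match in "hash" mode (server hashes the reserved
// number and compares with the upload) or "index" mode (server resolves the
// uploaded index to a number and compares it with the reserved number).
func (s *AuthServer) Authenticate(req AuthRequest, mode string) AuthResponse {
	rec, ok := s.Users[req.RequesterID]
	if !ok {
		return AuthResponse{false, "unknown requester"}
	}
	if !ed25519.Verify(rec.PublicKey, signedPayload(req), req.Signature) {
		return AuthResponse{false, "signature verification failed"}
	}
	var got, want string
	switch mode {
	case "hash":
		got, want = req.UserNumberInfo, numberHash(rec.ReservedNumber)
	case "index":
		got, want = s.NumberTable[req.UserNumberInfo], rec.ReservedNumber
	default:
		return AuthResponse{false, "unsupported matching mode"}
	}
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return AuthResponse{false, "number information mismatch"}
	}
	return AuthResponse{true, "ok"}
}
```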
It can be seen that in embodiment two of the application, the terminal actively sends the user number information of this device to the authentication server in the authentication request, and the authentication server authenticates the user according to whether the service end number information reserved by the user matches the uploaded user number information. Whether the subscriber number used by the terminal is the number reserved by the user can thus be verified without sending a short message between the terminal and the authentication server and uploading a check code. This avoids authentication failures caused by short message delivery failures, and the user no longer needs to check and enter a verification code, which simplifies user operation while speeding up authentication.
In one application example of the application, the terminal obtains the subscriber number hash value of this device (a kind of user number information) using the scheme of embodiment one, and performs identity authentication based on the subscriber number through the scheme of embodiment two.
Referring to Fig. 5, in this application example the manufacturer of the terminal builds into the terminal a software module for obtaining subscriber number information, which runs at the operating system layer of the terminal as the terminal number service. On the service side, a number hash service and a short message gateway run in the number server; the number server, acting as the number service end, cooperates with the terminal number service on the terminal to implement the scheme of embodiment one. The authentication server on the service side cooperates with the App on the terminal to implement the scheme of embodiment two.
Specifically, the terminal number service in the terminal monitors the insertion and removal state of the SIM. After finding that a SIM has been inserted, the terminal number service sends a connection request to the number hash service running in the number server, carrying the terminal's IMEI (a kind of requester identifier) in the connection request, and establishes a connection with the number hash service. In addition, the terminal number service sends a short message to the short message gateway of the number server, the content of the short message being the IMEI of the terminal.
The short message gateway of the number server receives the short message sent by the terminal, extracts the subscriber number of the sender and the IMEI in the message content, and maps the subscriber number to the IMEI. The number hash service of the number server obtains the corresponding subscriber number and terminal IMEI from the short message gateway, and generates the subscriber number hash value by applying a predetermined hash algorithm with the subscriber number as input. The number hash service then looks up the connection established by the connection request carrying the IMEI that corresponds to that subscriber number, and sends the generated subscriber number hash value, together with a digital signature made with the number server's private key, over that connection to the terminal number service at the other end.
The terminal number service in the terminal passes the received digital signature and subscriber number hash value to the TEE or SE of this device. The TEE or SE of the terminal verifies the received digital signature with the number server's public key; if verification fails, the received subscriber number hash value is discarded; if verification passes, the received subscriber number hash value is stored in the secure area.
When the terminal number service detects that the SIM of the terminal has been removed, it deletes the subscriber number hash value stored in the TEE secure area or SE secure area.
When the App in the terminal is to perform identity authentication based on the subscriber number, the App reads the stored subscriber number hash value and the terminal's built-in root key from the TEE secure area or SE secure area of this device. The App encapsulates the subscriber number hash value in an authentication request, signs the authentication request with the root key, and sends it to the authentication server.
The authentication server receives the authentication request, looks up the public key corresponding to the root key of the terminal that sent the request, and verifies the digital signature in the authentication request with this public key. If verification fails, it marks the matching result as mismatch, generates an authentication response carrying an authentication result of failure, and returns it to the App.
If sign test passes through, certificate server finds out Subscriber Number (a kind of service end reserved using the user of the App
Number information).Certificate server services identical predetermined Hash algorithm using the number Hash with number server, with what is reserved
Subscriber Number obtains reserved number cryptographic Hash for input.Certificate server compares Subscriber Number cryptographic Hash in certification request and pre-
Number cryptographic Hash is stayed, is matched if the two is identical, authentication result is successfully;The two difference is then mismatched, and authentication result is mistake
Lose.
The authentication server encapsulates the authentication result in an authentication response and sends it to the App.
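An added Go model of the Fig. 5 provisioning flow, from SIM insertion to the hash stored in the secure area and its deletion on SIM removal; it is not code from the patent. The IMEI as a plain string, Ed25519 for the number server's key, SHA-256 as the predetermined hash algorithm, and the in-process stand-ins for the short message gateway, the connection and the TEE/SE are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// numberHash is the predetermined hash algorithm; SHA-256 is an assumption.
func numberHash(number string) string {
	sum := sha256.Sum256([]byte(number))
	return hex.EncodeToString(sum[:])
}

// SignedNumberInfo is what the number hash service sends down the connection:
// H(number) plus the number server's signature over it.
type SignedNumberInfo struct {
	NumberHash string
	Signature  []byte
}

// NumberServer stands in for the number server: the short message gateway binds the
// carrier-reported sender number to the IMEI in the message body, and the number
// hash service issues the signed hash on the connection opened with that IMEI.
type NumberServer struct {
	signKey     ed25519.PrivateKey
	connections map[string]bool   // IMEI -> connection established by a connection request
	imeiToNum   map[string]string // IMEI -> sender number, filled by the gateway
}

func NewNumberServer(key ed25519.PrivateKey) *NumberServer {
	return &NumberServer{key, map[string]bool{}, map[string]string{}}
}

// AcceptConnection handles the connection request carrying the terminal IMEI.
func (n *NumberServer) AcceptConnection(imei string) { n.connections[imei] = true }

// ReceiveSMS is the gateway step. senderNumber comes from the carrier, not from the
// handset, which is what makes the number-to-IMEI binding trustworthy.
func (n *NumberServer) ReceiveSMS(senderNumber, body string) { n.imeiToNum[body] = senderNumber }

// IssueNumberInfo is the number hash service: only an IMEI that has both an open
// connection and a gateway binding receives a signed hash.
func (n *NumberServer) IssueNumberInfo(imei string) (SignedNumberInfo, error) {
	num, ok := n.imeiToNum[imei]
	if !ok || !n.connections[imei] {
		return SignedNumberInfo{}, errors.New("no gateway binding and connection for this IMEI")
	}
	h := numberHash(num)
	return SignedNumberInfo{h, ed25519.Sign(n.signKey, []byte(h))}, nil
}

// SecureArea stands in for the TEE/SE: it holds the number server's public key and
// the stored hash; only Store, Read and OnSIMRemoved touch the stored value.
type SecureArea struct {
	numberServerPub ed25519.PublicKey
	storedHash      string // "" when nothing is stored
}

// Store verifies the signature inside the secure area: an unverifiable hash is
// discarded, a verified one is kept.
func (s *SecureArea) Store(info SignedNumberInfo) bool {
	if !ed25519.Verify(s.numberServerPub, []byte(info.NumberHash), info.Signature) {
		return false
	}
	s.storedHash = info.NumberHash
	return true
}

// Read is what the App later calls to fetch the hash for its authentication request.
func (s *SecureArea) Read() string { return s.storedHash }

// OnSIMRemoved is the terminal number service's reaction to SIM removal.
func (s *SecureArea) OnSIMRemoved() { s.storedHash = "" }

// OnSIMInserted runs the terminal number service's side: open the connection with the
// IMEI, send the short message carrying the IMEI (carrierSenderNumber is the number
// the carrier stamps on it), then receive and verify the signed hash.
func OnSIMInserted(imei, carrierSenderNumber string, srv *NumberServer, sec *SecureArea) bool {
	srv.AcceptConnection(imei)
	srv.ReceiveSMS(carrierSenderNumber, imei)
	info, err := srv.IssueNumberInfo(imei)
	if err != nil {
		return false
	}
	return sec.Store(info)
}
```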
Corresponding to the implementation of the above flows, embodiments of the application further provide an apparatus for obtaining user number information applied in a terminal, an apparatus for obtaining user number information applied at a number service end, an apparatus for user authentication applied in a terminal, and an apparatus for user authentication applied in an authentication server. The above apparatuses may be implemented in software, in hardware, or in a combination of software and hardware. Taking a software implementation as an example, the apparatus in the logical sense is formed by the CPU (Central Processing Unit) of the terminal, of the device where the number service end is located, or of the device where the authentication server is located, reading the corresponding computer program instructions into memory and running them. From the hardware perspective, in addition to the CPU, memory and non-volatile memory shown in Fig. 6, the terminal generally also includes other hardware such as a chip for transmitting and receiving wireless signals, and the device where the number service end or the authentication server is located generally also includes other hardware such as a board for implementing network communication functions.
Fig. 7 shows an apparatus for user authentication provided by an embodiment of the application, applied in a terminal, including a number information acquiring unit, an authentication request transmitting unit and an authentication response receiving unit, wherein: the number information acquiring unit is configured to obtain the user number information of this device; the authentication request transmitting unit is configured to send an authentication request carrying the user number information to the authentication server; and the authentication response receiving unit is configured to receive the authentication response returned by the authentication server, the authentication response being generated by the authentication server according to the matching result of the service end number information reserved by the user and the user number information.
Optionally, the number information acquiring unit is specifically configured to read the user number information stored in the secure area of this device.
In one example, the authentication request further includes a digital signature made with the requester's private key; the authentication response is generated by the authentication server according to the result of verifying the digital signature with the requester's public key and the matching result of the service end number information reserved by the user and the user number information.
In the above example, the requester's private key includes: a device root key built into the secure area of this device.
Optionally, the secure area includes: a trusted execution environment (TEE) or a secure element (SE).
Optionally, the user number information includes one of the following: the subscriber number; a mapping value obtained by applying a predetermined algorithm to the subscriber number in a many-to-one conversion; or data that, in the authentication server, has a one-to-one correspondence with the subscriber number or with a mapping value of the subscriber number. The service end number information includes one of the following: the subscriber number; a mapping value obtained by applying a predetermined algorithm to the subscriber number in a many-to-one conversion; or data having a one-to-one correspondence with the subscriber number or with a mapping value of the subscriber number.
Fig. 8 shows an apparatus for user authentication provided by an embodiment of the application, applied on an authentication server, including an authentication request receiving unit, a number information matching unit and an authentication response transmitting unit, wherein: the authentication request receiving unit is configured to receive the authentication request sent by the terminal, the authentication request carrying user number information; the number information matching unit is configured to obtain the service end number information reserved by the user and match the service end number information against the user number information; and the authentication response transmitting unit is configured to send the authentication response generated according to the matching result to the terminal.
In one example, the authentication request further includes a digital signature made by the terminal with the requester's private key; the number information matching unit is specifically configured to obtain the service end number information reserved by the user and match it against the user number information after the digital signature has been verified with the requester's public key.
In the above example, the requester's public key includes: the public key corresponding to the root key of the terminal.
Optionally, the user number information includes one of the following: the subscriber number; a mapping value obtained by applying a predetermined algorithm to the subscriber number in a many-to-one conversion; or data that, in the authentication server, has a one-to-one correspondence with the subscriber number or with a mapping value of the subscriber number. The service end number information includes one of the following: the subscriber number; a mapping value obtained by applying a predetermined algorithm to the subscriber number in a many-to-one conversion; or data having a one-to-one correspondence with the subscriber number or with a mapping value of the subscriber number.
Fig. 9 shows an apparatus for obtaining user number information provided by an embodiment of the application, applied in a terminal, including a connection request transmitting unit, a number-based communication initiating unit and a number information receiving unit, wherein: the connection request transmitting unit is configured to send a connection request carrying a requester identifier to the number service end and establish a connection; the number-based communication initiating unit is configured to initiate, by a number-based communication method, a communication to a preset interface of the number service end, the communication content carrying the requester identifier; and the number information receiving unit is configured to receive the user number information returned by the number service end over the connection, the user number information being generated by the number service end from the subscriber number of the communication received at the preset interface, where the requester identifier in the communication content of that subscriber number is identical to the requester identifier in the connection request that established the connection. The user number information is provided by the terminal to the authentication server during user authentication, to be matched against the service end number information reserved by the user at the authentication server.
In one example, the apparatus further includes: a number information storage unit, configured to store the received user number information in the secure area of this device.
In the above example, the number information receiving unit is specifically configured to receive the user number information returned by the number service end over the connection together with a digital signature made with the number service end's private key; and the number information storage unit is specifically configured to store the received user number information in the secure area of this device after the digital signature has been verified with the number service end's public key.
Optionally, the secure area includes: a trusted execution environment (TEE) or a secure element (SE).
In one implementation, the connection request transmitting unit is specifically configured to send the connection request to the number service end and establish the connection when the Subscriber Identity Module of the terminal is inserted; and the number-based communication initiating unit is specifically configured to initiate the communication to the preset interface of the number service end by the number-based communication method when the Subscriber Identity Module of the terminal is inserted.
In the above implementation, the apparatus further includes: a number information deleting unit, configured to delete the stored user number information when the Subscriber Identity Module of the terminal is removed.
Optionally, the number-based communication initiating unit is specifically configured to send a short message whose content carries the requester identifier to the preset short message gateway of the number service end.
Optionally, the requester identifier includes: an identifier of the user account or an identification code of the terminal.
Optionally, the user number information includes one of the following: the subscriber number; a mapping value obtained by applying a predetermined algorithm to the subscriber number in a many-to-one conversion; or data having a one-to-one correspondence with the subscriber number or with a mapping value of the subscriber number.
Optionally, the apparatus runs at the operating system layer of the terminal.
Fig. 10 shows an apparatus for obtaining user number information provided by an embodiment of the application, applied at a number service end, including a connection request receiving unit, a number-based communication receiving unit and a number information issuing unit, wherein: the connection request receiving unit is configured to receive the connection request sent by the terminal and establish a connection, the connection request carrying a requester identifier; the number-based communication receiving unit is configured to receive the communication initiated by the terminal to the preset interface of this service end by the subscriber-number-based communication method, obtain the subscriber number and the requester identifier in the communication content, and establish the correspondence between the two; and the number information issuing unit is configured to generate user number information from the subscriber number and return the user number information to the terminal over the connection identified by the requester identifier corresponding to that subscriber number. The user number information is provided by the terminal to the authentication server during user authentication and is matched at the authentication server against the service end number information reserved by the user.
Optionally, the number information issuing unit is specifically configured to generate the user number information from the subscriber number, digitally sign it with the number service end's private key, and return the user number information to the terminal over the connection identified by the requester identifier corresponding to that subscriber number.
Optionally, the preset interface of this service end includes a preset short message gateway; and the terminal initiating a communication to the preset interface of this service end by the subscriber-number-based communication method includes: the terminal sending a short message whose content carries the requester identifier to the preset short message gateway.
Optionally, the requester identifier includes: an identifier of the user account or an identification code of the terminal.
Optionally, the user number information includes one of the following: the subscriber number; a mapping value obtained by applying a predetermined algorithm to the subscriber number in a many-to-one conversion; or data having a one-to-one correspondence with the subscriber number or with a mapping value of the subscriber number.
The foregoing describes only preferred embodiments of the application and is not intended to limit the application. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the application shall be included within the scope of protection of the application.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape and magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media, such as modulated data signals and carrier waves.
It should also be noted that the terms "including", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
Those skilled in the art will understand that embodiments of the application may be provided as a method, a system or a computer program product. Therefore, the application may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.