CN107358441B - Payment verification method and system, mobile device and security authentication device - Google Patents


Publication number
CN107358441B
Authority
CN
China
Prior art keywords
data
equipment
digital certificate
random number
mobile
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710495709.7A
Other languages
Chinese (zh)
Other versions
CN107358441A (en
Inventor
陈柳章
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Minghua Union Technology Co ltd
Original Assignee
Beijing Minghua Union Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Minghua Union Technology Co ltd filed Critical Beijing Minghua Union Technology Co ltd
Priority to CN201710495709.7A priority Critical patent/CN107358441B/en
Publication of CN107358441A publication Critical patent/CN107358441A/en
Priority to PCT/CN2018/081369 priority patent/WO2019001061A1/en
Application granted granted Critical
Publication of CN107358441B publication Critical patent/CN107358441B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3821 Electronic credentials
    • G06Q20/38215 Use of certificates or encrypted proofs of transaction rights

Abstract

The invention is applicable to the technical field of wireless communication and provides a payment verification method, a payment verification system, a mobile device and a security authentication device. The method comprises the following steps: the mobile device sends first data to the security authentication device; the mobile device receives second data sent by the security authentication device, wherein the second data is generated by the security authentication device processing the first data, or the first data and a device digital certificate; and the mobile device processes the second data to obtain a verification result. According to the embodiment of the invention, the security authentication device does not need to be operated during a transaction, so the transaction time is short and the user experience is good; compared with traditional schemes such as short message verification, security is high. This solves the problem that the payment verification methods provided by the prior art cannot take both security and user experience into account.

Description

Payment verification method and system, mobile device and security authentication device
Technical Field
The invention belongs to the technical field of wireless communication, and particularly relates to a payment verification method and system, mobile equipment and security authentication equipment.
Background
In the mobile network era, more and more people carry out financial activities such as transaction, payment and the like on mobile equipment, and the method greatly facilitates the carrying out of various financial activities.
However, the currently commonly used mobile payment schemes have advantages and disadvantages, for example, the scheme using short message authentication has weak security; the scheme of using the security authentication device to perform transaction signature needs to carry and operate the security authentication device, the transaction time is long, and the user experience is poor.
Disclosure of Invention
In view of this, embodiments of the present invention provide a payment verification method, a mobile device, and a security authentication device, so as to solve the problem that security and user experience cannot be considered simultaneously in the payment verification method provided in the prior art.
A first aspect of an embodiment of the present invention provides a method for payment verification, where the method includes:
the mobile equipment sends first data to the security authentication equipment;
the mobile equipment receives second data sent by the security authentication equipment, wherein the second data is generated by processing the first data or the first data and an equipment digital certificate by the security authentication equipment;
and the mobile equipment processes the second data to obtain a verification result.
Further, the first data is a random number plaintext, the second data is a random number ciphertext generated by the security authentication device encrypting the random number plaintext,
the mobile device processes the second data, and obtaining a verification result comprises:
encrypting the random number plaintext by the mobile equipment by using a symmetric key or a key derived from the symmetric key to generate a locally stored random number ciphertext, and comparing the random number ciphertext with the locally stored random number ciphertext to obtain a verification result; or
The mobile equipment decrypts the random number ciphertext by using the symmetric key or the key derived from the symmetric key, and compares the random number obtained by decryption with the random number plaintext stored locally to obtain a verification result;
the mobile device and the security authentication device adopt the same or corresponding keys.
Further, the secure authentication device and the mobile device perform bluetooth pairing or negotiate to generate the symmetric key in the process of establishing connection between the secure authentication device and the mobile device.
Further, the first data includes an instruction for requesting the security authentication device to provide a device digital certificate, the second data includes a device digital certificate original and a signature result obtained by signing the first data with a private key,
the mobile device processes the second data, and obtaining a verification result comprises:
the mobile equipment verifies the equipment digital certificate according to the locally stored root public key;
and the mobile equipment extracts a public key from the digital certificate and verifies the signature result by using the public key.
Further, the first data further includes third data, and the third data is a plaintext of a random number or a time stamp.
Further, before the mobile device sends the first data to the security authentication device, the method further comprises:
the mobile equipment is bound with the safety certification equipment, and the safety certification equipment is requested to verify the user identity of the mobile equipment while the mobile equipment is bound with the safety certification equipment.
A second aspect of an embodiment of the present invention provides a method for payment verification, where the method includes:
the method comprises the steps that a security authentication device receives first data sent by a mobile device;
and the security authentication device processes the first data, or the first data and the device digital certificate, to generate second data and sends the second data to the mobile device, so that the mobile device processes the second data to obtain a verification result.
Further, the processing of the first data by the security authentication device includes:
the security authentication equipment encrypts the random number plaintext to generate a random number ciphertext;
and the security authentication equipment sends the random number ciphertext to the mobile equipment.
Further, the first data is an instruction requesting the security authentication device to provide a device digital certificate, the second data includes the device digital certificate and a signature result obtained by signing the first data with a private key, and the security authentication device processing the first data and the device digital certificate to generate second data and sending the second data to the mobile device includes:
acquiring a preset equipment digital certificate and a private key;
signing the instruction requesting the security authentication equipment to provide the equipment digital certificate by using the private key to generate a signature result;
and sending the device digital certificate and the signature result to the mobile device.
Further, before the security authentication device receives the first data sent by the mobile device, the method further includes:
the safety certification equipment is bound with the mobile equipment, and the user identity of the mobile equipment is verified while the safety certification equipment is bound with the mobile equipment.
A third aspect of an embodiment of the present invention provides a mobile device, where the mobile device includes:
the data sending module is used for sending the first data to the security authentication equipment;
the data receiving module is used for receiving second data sent by the security authentication equipment, wherein the second data is generated by processing the first data or the first data and the equipment digital certificate by the security authentication equipment;
and the data processing module is used for processing the second data to obtain a verification result.
Further, the first data is a random number plaintext, the second data is a random number ciphertext, and the random number ciphertext is generated by encrypting the random number plaintext by the security authentication device, and the data processing module includes:
the first data processing unit is used for encrypting the random number plaintext by using a symmetric key or a key derived from the symmetric key, generating a locally stored random number ciphertext, and comparing the random number ciphertext with the locally stored random number ciphertext to obtain a verification result; or
The second data processing unit is used for decrypting the random number ciphertext by using a symmetric key or a key derived from the symmetric key and comparing the random number obtained by decryption with a locally stored random number to obtain a verification result;
the mobile device and the security authentication device adopt the same or corresponding keys.
Further, the first data is an instruction for requesting the security authentication device to provide a device digital certificate, the second data includes the device digital certificate and a signature result obtained by signing the first data with a private key, and the data processing module includes:
the certificate verifying unit is used for verifying the equipment digital certificate according to the locally stored root public key;
and the signature verification unit is used for extracting a public key from the digital certificate and verifying the signature result by using the public key.
A fourth aspect of an embodiment of the present invention provides a security authentication apparatus, including:
the data receiving module is used for receiving first data sent by the mobile equipment;
and the data sending module is used for processing the first data, or the first data and the device digital certificate, to generate second data and for sending the second data to the mobile device, so that the mobile device processes the second data to obtain a verification result.
Further, the first data is a plaintext of a random number, the second data is a ciphertext of the random number, and the data sending module includes:
the encryption unit is used for encrypting the random number plaintext and generating the random number ciphertext;
and the first sending unit is used for sending the random number ciphertext to the mobile equipment.
Further, the first data is an instruction for requesting the security authentication device to provide a device digital certificate, the second data includes the device digital certificate and a signature result obtained by signing the first data with a private key, and the data transmission module includes:
the device comprises an acquisition unit, a storage unit and a processing unit, wherein the acquisition unit is used for acquiring a preset device digital certificate and a private key;
the signature unit is used for signing the instruction requesting the security authentication equipment to provide the equipment digital certificate by using the private key and generating a signature result;
and the second sending unit is used for sending the device digital certificate and the signature result to the mobile device.
Further, the security authentication apparatus further includes:
and the binding module is used for binding with the mobile equipment and verifying the user identity of the mobile equipment while binding.
A fifth aspect of the embodiments of the present invention provides a system for payment verification, where the system includes the mobile device according to the third aspect and the secure authentication device according to the fourth aspect.
Compared with the prior art, the embodiment of the invention has the following beneficial effects: when a transaction is carried out, the mobile device sends first data to the security authentication device; the security authentication device then processes the first data, or the first data and the device digital certificate, generates second data and sends it to the mobile device; the mobile device only needs to process the second data to obtain a verification result. The security authentication device does not need to be operated, the transaction time is short and the user experience is good; compared with traditional schemes such as short message verification, security is high. This solves the problem that the payment verification methods provided by the prior art cannot take both security and user experience into account.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a schematic flow chart of an implementation of a method for payment verification according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of an implementation of a payment verification method provided in the second embodiment of the present invention;
Fig. 3 is a schematic block diagram of a mobile device provided in a third embodiment of the present invention;
Fig. 4 is a schematic block diagram of a security authentication apparatus provided in the fourth embodiment of the present invention;
Fig. 5 is a schematic block diagram of a payment verification system provided in the fifth embodiment of the present invention.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present invention with unnecessary detail.
In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Example one
Referring to fig. 1, which is a schematic flowchart of a method for payment verification according to an embodiment of the present invention, taking a mobile device side as an example for description, as shown in the figure, the method may include the following steps:
step S101, the mobile device sends first data to the security authentication device.
In the embodiment of the present invention, the security authentication device may be a bluetooth security authentication device, or may be a WiFi security authentication device.
The Bluetooth safety certification equipment can be a Bluetooth card shield, a Bluetooth intelligent bracelet, a Bluetooth intelligent watch and the like, and is not limited here.
The first data may be a plaintext of a random number, or may be an instruction of the mobile device to request the security authentication device to provide a device digital certificate.
When the mobile device needs to perform a transaction, the mobile device may send a random number plaintext to the security authentication device, or may send an instruction requesting the security authentication device to provide a device digital certificate to the security authentication device.
Step S102, the mobile device receives second data sent by the security authentication device, wherein the second data is generated by the security authentication device processing the first data or processing the first data and the device digital certificate.
In the embodiment of the invention, the security authentication device encrypts or signs the received first data and sends the encryption or signature result to the mobile device.
If the first data is a random number plaintext, the second data is a random number ciphertext generated by the security authentication device encrypting the random number plaintext: after receiving the random number plaintext sent by the mobile device, the security authentication device encrypts it to obtain the random number ciphertext and sends the random number ciphertext to the mobile device. The mobile device and the security authentication device use the same or corresponding keys.
In an embodiment, the security authentication device may encrypt the random number plaintext with a symmetric key to obtain a random number ciphertext.
Specifically, a symmetric key may be negotiated between the security authentication device and the mobile device during Bluetooth pairing or connection establishment, and the mobile device then encrypts the random number plaintext with the symmetric key or with a key derived from the symmetric key. It will be understood by those skilled in the art that a key derived from the symmetric key is computed from the symmetric key or taken as a portion of it, and that the security authentication device and the mobile device perform this computation or extraction by the same method, which is either preset or agreed by negotiation.
In another embodiment, the security authentication device may also encrypt the random number plaintext with the public key of an asymmetric key pair.
If the first data is an instruction for requesting the security authentication equipment to provide the equipment digital certificate, and the second data comprises the equipment digital certificate and a signature result obtained by signing the first data by using a private key, after the security authentication equipment receives the instruction for requesting the security authentication equipment to provide the equipment digital certificate sent by the mobile equipment, the preset equipment digital certificate and the private key are obtained, the private key is used for signing the instruction for requesting the security authentication equipment to provide the equipment digital certificate, a signature result is generated, and the equipment digital certificate and the signature result are sent to the mobile equipment.
The safety certification device is preset with a device digital certificate and a private key, and the device digital certificate is issued by a manufacturer.
The instruction requesting the security authentication device to provide the device digital certificate is a cmd command, for example an APDU command of the form CLA INS P1 P2 LC Data conforming to ISO/IEC 7816, where the Data field may be a random number.
Preferably, the first data further includes third data, and the third data is a plaintext of a random number or a time stamp.
Specifically, after receiving an instruction requesting the security authentication device to provide a device digital certificate, the security authentication device first obtains a preset device digital certificate and a private key, then generates third data, signs the instruction and the third data, and sends the device digital certificate and a signature result to the mobile device.
The third data may be a plaintext of a random number, or may be replaced by a timestamp, and the like, which is not limited in the embodiment of the present invention. Wherein the purpose of introducing said random number plaintext/timestamp is to prevent replay attacks.
And step S103, the mobile equipment processes the second data to obtain a verification result.
In the embodiment of the present invention, if the first data is a random number plaintext and the second data is a random number ciphertext, the mobile device may encrypt the random number plaintext using a symmetric key or a key derived from the symmetric key to generate a locally stored random number ciphertext, and compare the random number ciphertext with the locally stored random number ciphertext to obtain a verification result; the random number cipher text can also be decrypted by using a symmetric key or a key derived from the symmetric key, and the decrypted random number is compared with the random number plain text stored locally to obtain a verification result. The mobile device and the security authentication device adopt the same or corresponding keys.
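The symmetric variant of steps S101 to S103, as an added Go example that is not code from the patent: the mobile device issues a fresh random number, the authentication device encrypts it, and the mobile device re-encrypts its stored plaintext and compares. AES-128 on a single block, the HMAC-SHA256 key derivation and all type and function names are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// deriveKey turns the key negotiated at pairing into a 16-byte working key.
// HMAC-SHA256 with a fixed label is an assumption; the text only requires that
// both sides derive the key by the same agreed method.
func deriveKey(pairingKey []byte) []byte {
	mac := hmac.New(sha256.New, pairingKey)
	mac.Write([]byte("constructed-label: payment presence check"))
	return mac.Sum(nil)[:16]
}

// encryptNonce encrypts one 16-byte random number as a single AES block
// (the cipher is an assumption; the text does not name one).
func encryptNonce(key, nonce []byte) ([]byte, error) {
	if len(nonce) != aes.BlockSize {
		return nil, fmt.Errorf("random number must be %d bytes, got %d", aes.BlockSize, len(nonce))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, nonce)
	return out, nil
}

// Mobile is the mobile-device side; pending holds the locally stored plaintext.
type Mobile struct {
	key     []byte
	pending []byte
}

// Challenge produces the first data: a fresh random number plaintext.
func (m *Mobile) Challenge() ([]byte, error) {
	n := make([]byte, aes.BlockSize)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	m.pending = n
	return append([]byte(nil), n...), nil
}

// Verify re-encrypts the stored plaintext and compares it with the second data
// in constant time. The stored plaintext is cleared so it is checked only once.
func (m *Mobile) Verify(secondData []byte) bool {
	if m.pending == nil {
		return false
	}
	expected, err := encryptNonce(m.key, m.pending)
	m.pending = nil
	return err == nil && subtle.ConstantTimeCompare(expected, secondData) == 1
}

// exchange runs one transaction between a mobile device and an authentication
// device holding deviceKey, returning the ciphertext seen and the result.
func exchange(m *Mobile, deviceKey []byte) (secondData []byte, ok bool, err error) {
	first, err := m.Challenge()
	if err != nil {
		return nil, false, err
	}
	// Authentication-device side: encrypt the received plaintext and send it back.
	if secondData, err = encryptNonce(deviceKey, first); err != nil {
		return nil, false, err
	}
	return secondData, m.Verify(secondData), nil
}

// replayAccepted replays the ciphertext of one transaction into the next one.
func replayAccepted(key []byte) (bool, error) {
	m := &Mobile{key: key}
	old, _, err := exchange(m, key)
	if err != nil {
		return false, err
	}
	if _, err := m.Challenge(); err != nil { // new transaction, new random number
		return false, err
	}
	return m.Verify(old), nil
}

func main() {
	key := deriveKey([]byte("constructed pairing key"))
	_, ok, _ := exchange(&Mobile{key: key}, key)
	_, bad, _ := exchange(&Mobile{key: key}, deriveKey([]byte("another key")))
	replay, _ := replayAccepted(key)
	fmt.Println("paired device:", ok, "wrong key:", bad, "replay:", replay)
}
```

Because the random number changes per transaction and is cleared after one check, a ciphertext captured from an earlier transaction does not verify against a later one.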
If the first data is an instruction for requesting the security authentication device to provide the device digital certificate, and the second data includes a device digital certificate original text and a signature result obtained by signing the first data with a private key, the mobile device processes the second data, and the obtained verification result specifically includes:
the mobile equipment verifies the equipment digital certificate according to the locally stored root public key;
and the mobile equipment extracts a public key from the digital certificate and verifies the signature result by using the public key.
The mobile device may obtain the root public key from the vendor.
It should be noted that, if the first data is an instruction for requesting the security authentication device to provide the device digital certificate, and the second data includes a device digital certificate original and a signature result obtained by signing the first data with a private key, the following steps may be further included:
the mobile device acquires the unique identifier of the security authentication device and verifies the user identity of the security authentication device.
In addition, if the unique identifier of the secure authentication device is embedded in the device digital certificate, the user identity of the secure authentication device may also be verified when the mobile device processes the second data in step S103. In the embodiment of the invention, the mode for verifying the user identity of the safety certification equipment is not limited.
In addition, before the mobile device is used, the user account of the mobile device is bound to the user's security authentication device and the binding information is stored in the mobile device; while binding, the security authentication device must be requested to verify the user identity of the mobile device, for example by means of a transaction password.
Through the above steps, when a user conducts a transaction, it is first determined whether the user uses password-free payment; if so, it is determined whether the bound security authentication device and the mobile device are within a safe distance, and if they are, the transaction is allowed directly; otherwise, the user is prompted to enter the transaction password and the payment transaction is carried out in the non-password-free mode.
According to the embodiment of the invention, when a transaction is carried out, the mobile equipment sends the first data to the security authentication equipment, then the security authentication equipment processes the first data or processes the first data and the equipment digital certificate, generates the second data and then sends the second data to the mobile equipment, the mobile equipment only needs to process the second data to obtain a verification result, the security authentication equipment is not operated, the transaction time is short, the user experience is good, and compared with the traditional schemes such as short message verification, the security is high, and the problem that the payment verification method provided by the prior art cannot give consideration to both the security and the user experience is solved.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
Example two
Referring to fig. 2, which is a schematic flowchart of a payment verification method provided in the second embodiment of the present invention, taking a secure authentication device as an example for description, as shown in the figure, the method may include the following steps:
step S201, the security authentication device receives first data sent by the mobile device.
Step S202, the security authentication device processes the first data or processes the first data and the device digital certificate to generate second data, and sends the second data to the mobile device, and the mobile device processes the second data to obtain a verification result.
In this embodiment of the present invention, if the first data is a random number plaintext and the second data is a random number ciphertext, the processing, by the security authentication device, of the first data includes:
step 1, the security authentication equipment encrypts the random number plaintext to generate the random number ciphertext;
and 2, the security authentication equipment sends the random number ciphertext to the mobile equipment.
If the first data is an instruction for requesting the security authentication device to provide the device digital certificate, and the second data comprises the device digital certificate and a signature result obtained by signing the first data by using a private key, the security authentication device processes the first data and the device digital certificate to generate second data, and sends the second data to the mobile device, and the method comprises the following steps:
step 11, acquiring a preset equipment digital certificate and a private key;
step 12, signing the instruction requesting the security authentication device to provide the device digital certificate by using the private key to generate a signature result;
and step 13, sending the device digital certificate and the signature result to the mobile device.
Preferably, before the security authentication device receives the first data sent by the mobile device, the following steps may be further included:
the safety certification equipment is bound with the mobile equipment, and the user identity of the mobile equipment is verified while the safety certification equipment is bound with the mobile equipment.
The payment verification method provided by the embodiment of the present invention can be applied to the corresponding method embodiment one, and for details, reference is made to the description of the embodiment one, and details are not repeated here.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
Example three
Fig. 3 shows a schematic block diagram of the mobile device 3 provided in the third embodiment of the present invention; for convenience of illustration, only the parts related to this embodiment are shown. The mobile device 3 includes: a data sending module 31, a data receiving module 32 and a data processing module 33.
The data sending module 31 is configured to send first data to the security authentication device;
a data receiving module 32, configured to receive second data sent by a security authentication device, where the second data is generated by processing the first data or the first data and a device digital certificate by the security authentication device;
and the data processing module 33 is configured to process the second data to obtain a verification result.
Specifically, the first data is a random number plaintext, the second data is a random number ciphertext, and the random number ciphertext is generated by encrypting the random number plaintext by the security authentication device, where the data processing module 33 includes:
the first data processing unit is used for encrypting the random number plaintext by using a symmetric key or a key derived from the symmetric key, generating a locally stored random number ciphertext, and comparing the random number ciphertext with the locally stored random number ciphertext to obtain a verification result; or
The second data processing unit is used for decrypting the random number ciphertext by using a symmetric key or a key derived from the symmetric key and comparing the random number obtained by decryption with a locally stored random number to obtain a verification result;
the mobile device and the security authentication device adopt the same or corresponding keys.
Specifically, the first data is an instruction for requesting the security authentication device to provide a device digital certificate, the second data includes the device digital certificate and a signature result obtained by signing the first data with a private key, and the data processing module 33 includes:
the certificate verifying unit is used for verifying the equipment digital certificate according to the locally stored root public key;
and the signature verification unit is used for extracting a public key from the digital certificate and verifying the signature result by using the public key.
The mobile device provided in the embodiment of the present invention can be applied to the first corresponding method embodiment, and for details, reference is made to the description of the first embodiment, and details are not repeated here.
Example four
Fig. 4 shows a schematic block diagram of the security authentication device 4 provided in the third embodiment of the present invention, and for convenience of explanation, only the part related to the third embodiment of the present invention is shown. The security authentication apparatus 4 includes: a data receiving module 41 and a data transmitting module 42.
The data receiving module 41 is configured to receive first data sent by a mobile device;
and the data sending module 42 is configured to process the first data or the first data and the device digital certificate to generate second data, send the second data to the mobile device, and process the second data by the mobile device to obtain a verification result.
Specifically, the first data is a plaintext of random number, the second data is a ciphertext of random number, and the data sending module 42 includes:
the encryption unit is used for encrypting the random number plaintext and generating the random number ciphertext;
and the first sending unit is used for sending the random number ciphertext to the mobile equipment.
Specifically, the first data is an instruction for requesting the security authentication device to provide a device digital certificate, the second data includes the device digital certificate and a signature result obtained by signing the first data with a private key, and the data sending module 42 includes:
the device comprises an acquisition unit, a storage unit and a processing unit, wherein the acquisition unit is used for acquiring a preset device digital certificate and a private key;
the signature unit is used for signing the instruction requesting the security authentication equipment to provide the equipment digital certificate by using the private key and generating a signature result;
and the second sending unit is used for sending the device digital certificate and the signature result to the mobile device.
Preferably, the secure authentication device 4 further includes:
and the binding module is used for binding with the mobile equipment and verifying the user identity of the mobile equipment while binding.
The security authentication device provided in the embodiment of the present invention may be applied to the first corresponding method embodiment, and for details, refer to the description of the first embodiment, which is not described herein again.
Example five
Fig. 5 shows a schematic block diagram of a system 5 for payment verification provided by the fourth embodiment of the present invention, and for convenience of explanation, only the parts related to the embodiment of the present invention are shown. The system 5 for payment verification comprises a mobile device 3 according to the third embodiment and a secure authentication device 4 according to the fourth embodiment.
The payment verification system provided in the embodiment of the present invention can be applied to the first corresponding method embodiment, and for details, refer to the description of the first embodiment, which is not described herein again.
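The random-number mode described above for the mobile device and the security authentication device, written out with both sides as an added example (not code from the patent): the mobile device issues a fresh challenge, the device transforms it under the shared key, and the mobile device recomputes the transform and compares. HMAC-SHA256 stands in for the symmetric cipher, which the text does not name; the class and function names, the `payment-verify` label, the 16-byte random number and the 30-second freshness window are assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_AGE_S = 30   # assumed freshness window for the timestamp in the first data
RAND_LEN = 16    # assumed length of the random number plaintext


def derive_key(pairing_key: bytes, label: bytes) -> bytes:
    """'Key derived from the symmetric key': one HMAC step under a purpose label."""
    return hmac.new(pairing_key, b"derive|" + label, hashlib.sha256).digest()


def transform(key: bytes, first_data: bytes) -> bytes:
    """Keyed transform of the challenge (HMAC-SHA256 standing in for the cipher)."""
    return hmac.new(key, first_data, hashlib.sha256).digest()


class SecurityAuthDevice:
    """Device side: receives first data, returns second data."""

    def __init__(self, pairing_key: bytes):
        self._key = derive_key(pairing_key, b"payment-verify")

    def respond(self, first_data: bytes) -> bytes:
        return transform(self._key, first_data)


class MobileDevice:
    """Mobile side: issues the challenge, then recomputes and compares."""

    def __init__(self, pairing_key: bytes, clock=time.time):
        self._key = derive_key(pairing_key, b"payment-verify")
        self._clock = clock
        self._pending = None  # challenge awaiting a response, if any

    def new_challenge(self) -> bytes:
        # First data = random number plaintext followed by an 8-byte timestamp.
        stamp = int(self._clock()).to_bytes(8, "big")
        self._pending = secrets.token_bytes(RAND_LEN) + stamp
        return self._pending

    def verify(self, second_data: bytes) -> bool:
        first_data, self._pending = self._pending, None  # each challenge is single use
        if first_data is None:
            return False  # no outstanding challenge: unsolicited or repeated response
        issued = int.from_bytes(first_data[RAND_LEN:], "big")
        if self._clock() - issued > MAX_AGE_S:
            return False  # response arrived too late to count as fresh
        expected = transform(self._key, first_data)
        return hmac.compare_digest(expected, second_data)  # constant-time compare


def run_scenarios() -> dict:
    """Run the exchange against constructed keys and a hand-advanced clock."""
    key = secrets.token_bytes(32)            # constructed pairing key
    now = [1_700_000_000.0]                  # constructed clock value
    mobile = MobileDevice(key, clock=lambda: now[0])
    genuine = SecurityAuthDevice(key)
    impostor = SecurityAuthDevice(secrets.token_bytes(32))  # different key

    results = {}
    old_response = genuine.respond(mobile.new_challenge())
    results["genuine"] = mobile.verify(old_response)
    results["reuse_without_challenge"] = mobile.verify(old_response)

    mobile.new_challenge()                   # fresh challenge, old answer replayed
    results["replayed_old_response"] = mobile.verify(old_response)

    results["wrong_key"] = mobile.verify(impostor.respond(mobile.new_challenge()))

    late = genuine.respond(mobile.new_challenge())
    now[0] += MAX_AGE_S + 1                  # response delivered after the window
    results["stale"] = mobile.verify(late)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Comparing a locally computed value with the received one only works when the transform is deterministic, which is why a keyed MAC fits that variant; the decrypt-and-compare variant would need an actual cipher.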
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working processes of the units and modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus/terminal device and method may be implemented in other ways. For example, the above-described embodiments of the apparatus/terminal device are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated modules/units, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer-readable storage medium. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, USB disk, removable hard disk, magnetic disk, optical disk, computer memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the content of the computer-readable medium may be suitably increased or decreased as required by legislation and patent practice in the jurisdiction; for example, in some jurisdictions, in accordance with legislation and patent practice, computer-readable media may not include electrical carrier signals and telecommunications signals.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.

Claims (11)

1. A method of payment verification, comprising:
the mobile equipment sends first data to the security authentication equipment;
the mobile equipment receives second data sent by the security authentication equipment, wherein the second data is generated by processing the first data or the first data and an equipment digital certificate by the security authentication equipment;
the mobile equipment processes the second data to obtain a verification result;
wherein the first data is a random number plaintext or an instruction requesting the security authentication device to provide a device digital certificate; if the first data comprises an instruction for requesting the security authentication equipment to provide the equipment digital certificate, the second data comprises an equipment digital certificate original text and a signature result obtained by signing the first data by using a private key, and the equipment digital certificate is issued by a manufacturer; the mobile device processes the second data, and obtaining a verification result comprises: the mobile equipment verifies the equipment digital certificate according to the locally stored root public key; the mobile equipment extracts a public key from the digital certificate and verifies the signature result by using the public key;
before the mobile device sends the first data to the secure authentication device, the method further comprises:
the mobile device is bound with the security authentication device, and the security authentication device is requested to verify the user identity of the mobile device while the mobile device is bound; when the user conducts a transaction, it is determined whether the user is using password-free payment; if yes, it is determined whether the bound security authentication device and the mobile device are within a safe distance, and if yes, the transaction is allowed directly; otherwise, the user is prompted to input a transaction password and the payment transaction is carried out in a non-password-free mode.
2. The method of claim 1, wherein if the first data is a nonce plaintext, the second data is a nonce ciphertext, the nonce ciphertext is generated by a secure authentication device encrypting the nonce plaintext, and the processing of the second data by the mobile device to obtain the verification result comprises:
encrypting the random number plaintext by the mobile equipment by using a symmetric key or a key derived from the symmetric key to generate a locally stored random number ciphertext, and comparing the random number ciphertext with the locally stored random number ciphertext to obtain a verification result; or
the mobile equipment decrypts the random number ciphertext by using the symmetric key or the key derived from the symmetric key, and compares the random number obtained by decryption with the random number plaintext stored locally to obtain a verification result;
the mobile device and the security authentication device adopt the same or corresponding keys.
3. The method of claim 2, wherein the symmetric key is generated by negotiation during bluetooth pairing between the secure authentication device and the mobile device or connection establishment between the secure authentication device and the mobile device.
4. The method of claim 1, wherein the first data further comprises third data, the third data being either a nonce or a timestamp.
5. A method of payment verification, the method comprising:
the method comprises the steps that a security authentication device receives first data sent by a mobile device;
the security authentication equipment processes the first data or the first data and the equipment digital certificate to generate second data, the second data is sent to the mobile equipment, and the mobile equipment processes the second data to obtain a verification result;
wherein the first data is a random number plaintext or an instruction requesting the security authentication device to provide a device digital certificate; if the first data is an instruction for requesting the security authentication device to provide the device digital certificate, the second data includes the device digital certificate and a signature result obtained by signing the first data with a private key, the security authentication device processes the first data and the device digital certificate to generate second data, and sending the second data to the mobile device includes: acquiring a preset equipment digital certificate and a private key, wherein the equipment digital certificate is issued by a manufacturer; signing the instruction requesting the security authentication equipment to provide the equipment digital certificate by using the private key to generate a signature result; sending the device digital certificate and the signature result to a mobile device;
before the security authentication device receives the first data sent by the mobile device, the method further comprises:
the security authentication device is bound with the mobile device, and the user identity of the mobile device is verified while the security authentication device is bound with the mobile device; when the user conducts a transaction, it is determined whether the user is using password-free payment; if yes, it is determined whether the bound security authentication device and the mobile device are within a safe distance, and if yes, the transaction is allowed directly; otherwise, the user is prompted to input a transaction password and the payment transaction is carried out in a non-password-free mode.
6. The method of claim 5, wherein if the first data is a nonce plaintext and the second data is a nonce ciphertext, the processing of the first data by the secure authentication device comprises:
the security authentication equipment encrypts the random number plaintext to generate a random number ciphertext;
and the security authentication equipment sends the random number ciphertext to the mobile equipment.
7. A mobile device, characterized in that the mobile device comprises:
the data sending module is used for sending first data to the security authentication device, wherein the first data is a random number plaintext or an instruction for requesting the security authentication device to provide a device digital certificate; before the mobile device sends the first data to the security authentication device, the mobile device is bound with the security authentication device, and the security authentication device is requested to verify the user identity of the mobile device while the mobile device is bound;
the data receiving module is used for receiving second data sent by the security authentication equipment, wherein the second data is generated by processing the first data or the first data and the equipment digital certificate by the security authentication equipment;
the data processing module is used for processing the second data to obtain a verification result;
if the first data is an instruction for requesting the security authentication device to provide the device digital certificate, the second data includes the device digital certificate and a signature result obtained by signing the first data with a private key, and the data processing module includes: the certificate verification unit is used for verifying the equipment digital certificate according to a root public key stored locally, wherein the equipment digital certificate is issued by a manufacturer;
the signature verification unit is used for extracting a public key from the digital certificate and verifying the signature result by using the public key;
the mobile device is further configured to: when a user conducts a transaction, determine whether the user is using password-free payment; if yes, determine whether the bound security authentication device and the mobile device are within a safe distance, and if yes, allow the transaction directly; otherwise, prompt the user to input a transaction password and carry out the payment transaction in a non-password-free mode.
8. The mobile device of claim 7, wherein if the first data is a nonce plaintext, the second data is a nonce ciphertext, the nonce ciphertext generated by the secure authentication device encrypting the nonce plaintext, the data processing module comprising:
the first data processing unit is used for encrypting the random number plaintext by using a symmetric key or a key derived from the symmetric key, generating a locally stored random number ciphertext, and comparing the random number ciphertext with the locally stored random number ciphertext to obtain a verification result; or
the second data processing unit is used for decrypting the random number ciphertext by using a symmetric key or a key derived from the symmetric key and comparing the random number obtained by decryption with a locally stored random number to obtain a verification result;
the mobile device and the security authentication device adopt the same or corresponding keys.
9. A secure authentication device, the secure authentication device comprising:
the system comprises a data receiving module, a data sending module and a data receiving module, wherein the data receiving module is used for receiving first data sent by mobile equipment, and the first data is a random number plaintext or an instruction for requesting security authentication equipment to provide an equipment digital certificate;
the data sending module is used for processing the first data or the first data and the equipment digital certificate to generate second data, sending the second data to the mobile equipment, and processing the second data by the mobile equipment to obtain a verification result;
the binding module is used for binding with the mobile equipment and verifying the user identity of the mobile equipment while binding;
if the first data is an instruction for requesting the security authentication device to provide the device digital certificate, the second data includes the device digital certificate and a signature result obtained by signing the first data with a private key, and the data sending module includes:
the device comprises an acquisition unit, a storage unit and a processing unit, wherein the acquisition unit is used for acquiring a preset device digital certificate and a private key;
the signature unit is used for signing the instruction requesting the security authentication equipment to provide the equipment digital certificate by using the private key and generating a signature result;
a second sending unit, configured to send the device digital certificate and the signature result to a mobile device;
the secure authentication device is further configured to: when a user conducts a transaction, determine whether the user is using password-free payment; if yes, determine whether the security authentication device and the mobile device are within a safe distance, and if yes, allow the transaction directly; otherwise, prompt the user to input a transaction password and carry out the payment transaction in a non-password-free mode.
10. The security authentication apparatus according to claim 9, wherein if the first data is a random number plaintext and the second data is a random number ciphertext, the data transmitting module comprises:
the encryption unit is used for encrypting the random number plaintext and generating the random number ciphertext;
and the first sending unit is used for sending the random number ciphertext to the mobile equipment.
11. A system for payment verification, the system comprising a mobile device according to claims 7 to 8 and a secure authentication device according to claims 9 to 10.
CN201710495709.7A 2017-06-26 2017-06-26 Payment verification method and system, mobile device and security authentication device Active CN107358441B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201710495709.7A CN107358441B (en) 2017-06-26 2017-06-26 Payment verification method and system, mobile device and security authentication device
PCT/CN2018/081369 WO2019001061A1 (en) 2017-06-26 2018-03-30 Payment verification method and system, and mobile device and security authentication device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710495709.7A CN107358441B (en) 2017-06-26 2017-06-26 Payment verification method and system, mobile device and security authentication device

Publications (2)

Publication Number Publication Date
CN107358441A CN107358441A (en) 2017-11-17
CN107358441B CN107358441B (en) 2020-12-18

Family

ID=60272503

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710495709.7A Active CN107358441B (en) 2017-06-26 2017-06-26 Payment verification method and system, mobile device and security authentication device

Country Status (2)

Country Link
CN (1) CN107358441B (en)
WO (1) WO2019001061A1 (en)

Also Published As

Publication number Publication date
CN107358441A (en) 2017-11-17
WO2019001061A1 (en) 2019-01-03

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant