CN1323538C - A dynamic identity authentication method and system - Google Patents


Publication number
CN1323538C
Authority
CN
China
Prior art keywords
user
password
information
authentication
handset token
Legal status
Expired - Fee Related
Application number
CNB200310111570XA
Other languages
Chinese (zh)
Other versions
CN1547142A (en)
Inventor
胡汉平
王祖喜
吴晓刚
曾伟国
吴俊�
王凌斐
刘博�
Current Assignee
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Events
Application filed by Huazhong University of Science and Technology
Priority to CNB200310111570XA
Publication of CN1547142A
Application granted
Publication of CN1323538C

Abstract

The present invention discloses a dynamic identity authentication method and system. The method comprises the steps: (1) the user enters user information and an authentication request is sent to the authentication server; (2) after receiving the request, the authentication server verifies the legitimacy of the user information and prompts a legitimate user to enter the user-side password; (3) the user generates the user-side password with a mobile phone token; (4) the user enters the user-side password at the user terminal, which forwards it to the authentication server; (5) identity authentication passes if the password received by the authentication server matches the password generated by the authentication server, and fails otherwise. The system comprises a user terminal, a user information server, an authentication server and a mobile phone token; the authentication server receives and completes the user's service requests, and the mobile phone token generates the current synchronized identity authentication password. The invention effectively prevents illegal login by peeking at or guessing authentication passwords and illegal login by intercepting transmitted information, so the security of the system is greatly improved.

Description

Dynamic identity authentication method and system
Technical field
The invention belongs to the field of information security and authentication technology. It is realized by combining computer, information-coding and mobile-communication technology, and can be applied in banking, securities and other fields that require identity authentication.
Background art
Identity authentication is one of the important mechanisms for realizing network security. In secure network services the communicating parties must verify, through some form of identity authentication mechanism, that their identities are consistent with what they declare; only then can access control and auditing be applied to different users. As early as the early 1970s the international bank card associations faced the problem of how to authenticate users in order to guarantee system security. With the rapid development of information technology, an eavesdropper can obtain passwords by the crude method of peeking; guess passwords with the help of the system's password file; analyze protocols and filter out passwords (using sniffer programs); capture passwords with terminate-and-stay-resident (TSR) programs; break computer security mechanisms with Trojan-horse programs that intercept passwords and carry out unauthorized access; or steal credit card numbers, online banking data and bank passwords from computers with computer viruses (such as the Bugbear virus). A more effective countermeasure is dynamic electronic password technology. Its essence is to change the password according to some rule, either periodically or after each use, so that the password entered by the user is different at every access, which greatly increases the difficulty of electronic theft.
We proposed methods and systems using this technology in two invention patents, "Dynamic electronic password generation method" (99116451.2) and "Dynamic electronic password system" (00114328.X). However, because the user password card and the host system are synchronized mainly by contactless clock synchronization, timing errors accumulate and the clocks of both sides have to be corrected after a period of time; in addition, the user password card adds to the user's burden; and a password card with a keypad and LCD screen can be damaged by accident in use. To overcome these shortcomings we proposed a further invention patent, "Dynamic password wireless transmission method" (99116517.9). But because the dynamic password is transmitted in cleartext in that method, an eavesdropper can very easily intercept the authentication password, and the method cannot guarantee real-time authentication when the wireless network is congested.
Summary of the invention
The object of the invention is to overcome the above defects by providing a dynamic identity authentication method that uses the widely available mobile phone as the identity token. The method can effectively prevent illegal login by peeking at or guessing the authentication password, and can effectively prevent illegal login by intercepting transmitted data, thereby substantially improving the security of the system; moreover, the dynamic password used in the authentication process does not need to be transmitted over the wireless network, which guarantees real-time authentication. The invention also aims to provide a system that implements this method.
The handset-token dynamic identity authentication method of the invention is realized with computer technology and mobile communication technology, and comprises the following steps:
(1) The user enters user information at the user terminal and sends an identity authentication request to the authentication server;
(2) After receiving the authentication request, the authentication server first verifies the legitimacy of the user information. If the user is legitimate, the authentication server generates a server-side dynamic identity authentication password, stores it temporarily, and prompts the user through the user terminal to enter the user-side dynamic identity authentication password;
(3) The user enters the start-up password of the application module in the handset token and passes the token-side identity check;
(4) The user generates the user-side dynamic identity authentication password with the handset token, which displays it to the user on the phone;
(5) The user enters the displayed user-side dynamic identity authentication password at the user terminal, which sends it to the authentication server, and waits for authentication;
(6) If the user-side dynamic identity authentication password received by the authentication server is consistent with the server-side dynamic identity authentication password, authentication passes; otherwise authentication fails.
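The six steps above can be traced end to end with the following added example. It is written for this page and is not the patent's own code; the patent's server-side password generation module is hardware whose algorithm the patent does not specify. The example assumes a 16-byte shared current working password Ks, derives each 6-digit dynamic password from the RC4 keystream seeded with Ks (the patent names RC4 only as one possible stream cipher for the token's generator), and advances Ks to the next 16 keystream bytes after every use so that successive passwords differ. It also plays through the failure case that the "application system synchronization" procedure later in the description exists for: the token is stepped once without the password being submitted, the two ends drift apart, and the server's copy of Ks is handed back to the token. All key material is constructed for the demonstration.

```python
"""Added example: synchronized dynamic password at token and server (not the patent's code).

Assumptions (not from the patent): Ks is 16 bytes; the dynamic password is the first
4 keystream bytes of RC4(Ks) reduced to 6 decimal digits; the next Ks is the following
16 keystream bytes. All key material below is constructed for the demonstration.
"""
from typing import Tuple

DIGITS = 6
KS_LEN = 16


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA) keystream of n bytes. RC4 appears here only because the
    patent names it as a possible generator; it is cryptographically broken today."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive(ks: bytes) -> Tuple[str, bytes]:
    """Return (dynamic password, next Ks). Both ends run exactly this function."""
    stream = rc4_keystream(ks, 4 + KS_LEN)
    code = int.from_bytes(stream[:4], "big") % 10 ** DIGITS
    return f"{code:0{DIGITS}d}", stream[4:]


class Endpoint:
    """One end of the scheme: the handset token or the server's generation module."""

    def __init__(self, ks: bytes) -> None:
        self.ks = ks

    def next_password(self) -> str:
        pw, self.ks = derive(self.ks)
        return pw


def authenticate(server: Endpoint, token: Endpoint) -> bool:
    """Steps (2), (4), (5), (6): the server derives and holds its copy, the user reads
    the token's copy and types it at the terminal, the server compares the two."""
    server_side = server.next_password()       # step (2): generated and held temporarily
    user_side = token.next_password()          # step (4): shown on the phone
    return server_side == user_side            # step (6)


def simulate() -> dict:
    ks0 = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed initial Ks
    token, server = Endpoint(ks0), Endpoint(ks0)
    first = authenticate(server, token)        # in sync: passes

    token.next_password()                      # user aborted after the token had stepped
    diverged = token.ks != server.ks
    after_drift = authenticate(server, token)  # token is one step ahead: fails

    token.ks = server.ks                       # "application system synchronization":
                                               # the server's Ks is handed to the token
                                               # (inside the encrypted SMS protocol)
    after_resync = authenticate(server, token)
    return {"first": first, "diverged": diverged,
            "after_drift": after_drift, "after_resync": after_resync}


if __name__ == "__main__":
    print(simulate())
```

Two points the steps leave implicit become concrete here: every password the token produces but the user does not submit moves the token ahead of the server, which is why the protocol also needs its abort and resynchronization procedures; and the value handed back during resynchronization is the shared secret itself, so that reply must travel only inside the encrypted protocol message (under key Ke), never in cleartext. A design built today would replace the RC4-based step with an HMAC-based one-time password (RFC 4226 HOTP) and a small look-ahead window, so that a drift of a few steps is tolerated without a manual resync.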
In step (2) above, if a legitimate user finds that his account has been locked, he can apply for unlocking through the handset token, as follows:
1) The user enters the start-up password of the handset token client application module and passes the token-side identity check;
2) The user sends an "apply for account unlock request" message to the authentication server through the handset token;
3) After receiving the "apply for account unlock request" message, the authentication server verifies the legitimacy of the message;
4) The authentication server sets the "User Status" field of this user in the user information database to the unlocked state, and then sends an "apply for account unlock reply" message to the user;
5) The handset token receives the "apply for account unlock reply" message and prompts the user that unlocking succeeded.
In step (3) above, if the user finds that the dynamic identity authentication service has not yet been enabled, the service should be enabled as follows:
1) The user enters the start-up password of the handset token client application module and passes the token-side identity check;
2) The user sends an "enable dynamic identity authentication service request" message to the authentication server through the handset token;
3) After receiving the "enable dynamic identity authentication service request" message, the authentication server verifies the legitimacy of the message;
4) The authentication server marks this user's authentication mode in the user database as dynamic identity authentication, and then sends an "enable dynamic identity authentication service reply" message to the handset token;
5) The handset token receives the "enable dynamic identity authentication service reply" message and prompts that the dynamic identity authentication service has been enabled.
During the authentication process, if a legitimate user finds that he cannot pass authentication despite correct operation, he can request system synchronization with the handset token, as follows:
1) The user enters the start-up password of the handset token client application module and passes the token-side identity check;
2) The user sends an "apply for system synchronization request" message to the authentication server through the handset token;
3) After receiving the "apply for system synchronization request" message, the authentication server verifies the legitimacy of the message;
4) The authentication server takes the server-side current working password of this user out of the user database;
5) The authentication server generates an "apply for system synchronization reply" message, writes the server-side current working password into the "server information" field of the message, and sends the reply to the user;
6) After the handset token receives the "apply for system synchronization reply" message, it extracts the current working password from the message and sets the token-side current working password to the extracted value, completing system synchronization.
During the authentication process, the dynamic identity authentication service can be cancelled as follows:
1) The user enters the start-up password of the handset token client application module and passes the token-side identity check;
2) The user sends a "cancel dynamic identity authentication service request" message to the authentication server through the handset token;
3) After receiving the "cancel dynamic identity authentication service request" message, the authentication server verifies the legitimacy of the message;
4) The authentication server marks this user's authentication mode in the user information database as fixed-password identity authentication, and then sends a "cancel dynamic identity authentication service reply" message to the handset token;
5) The handset token receives the "cancel dynamic identity authentication service reply" message and prompts that the dynamic identity authentication service has been cancelled.
During the authentication process, the dynamic identity authentication process can be aborted as follows:
1) The user enters the predetermined abort command on the handset token, and the token aborts its authentication process;
2) The user enters and sends an "abort dynamic identity authentication service request" to the authentication server through the user terminal;
3) After receiving the "abort dynamic identity authentication service request", the authentication server aborts the server-side authentication process.
In step (3) above, if a legitimate user finds that his handset token has been locked, he can apply to unlock it through the handset token, as follows:
1) The user enters the handset token login password and passes the token-side authorization check;
2) The handset token sets its "User Status" field to the unlocked state, and then informs the user of the "unlock reply" message on the phone.
A system for implementing the above method comprises a user terminal, a user information server, an authentication server and a handset token, wherein:
The user terminal is used to enter user information and communicates with the authentication server over a network;
The user information server stores the tables defined according to the authentication protocol, provides the user information needed during the authentication process, and accepts operations from the authentication server;
The authentication server is responsible for receiving and completing the user's service requests; it is equipped with an authentication-server service module, a password generation module and a communication module. The authentication-server service module handles network transmission control, processing of the authentication system security protocol, encryption and decryption of transmitted messages, user information access, and obtaining and temporarily storing the dynamic password. The password generation module generates the server-side dynamic identity authentication password and communicates with the authentication server over the server bus. The communication module sends and receives messages on the authentication server side and is the intermediary for communication between the handset token and the authentication server;
The handset token is a user mobile phone whose SIM card is provided with a dynamic identity authentication client application module. The client application module uses the same dynamic password generation algorithm and the same current working password as the password generation module in the authentication server, and independently generates the synchronized dynamic identity authentication password.
The authentication-server service module comprises a user information management module, a dynamic password access module, a protocol processing module, a core control module, an encryption module and a network transmission module;
The user information management module carries out the user information management commands of the core control module, including creating new accounts, modifying existing account information, deleting expired account information, locking or unlocking user accounts, and controlling user access rights;
The dynamic password access module is the access module of the above password generation module; it receives the user key information provided by the core control module, produces the dynamic password used in the authentication process, and hands the dynamic password to the core control module for temporary storage;
The protocol processing module is the service-side processor of the dynamic identity authentication system security protocol; it receives the security protocol messages provided by the core control module and returns the processing results to the core control module;
The encryption module carries out the message encryption and decryption requests of the core control module;
The network transmission module carries out the message sending and receiving tasks of the server end, handles the message transmission requests of the core control module, and sends the different kinds of messages into the different communication networks;
The core control module coordinates the interrelations and message passing between the above modules.
The dynamic identity authentication client application module in the handset token comprises a dynamic password generator, a memory, a password comparator and a controller;
The memory stores the user ID, the user identity card number, the login password Pr, the encryption key Ke, the current working password Ks used to generate the dynamic identity authentication password, the start-up password (handset token password) Pt of the client application module, and the count Nt of consecutive wrong entries of the token access password on the token; it is connected to the dynamic password generator, the password comparator and the controller;
The dynamic password generator produces the user's current authentication password from the current working password Ks; this password corresponds to the server-side authentication password and is shown to the user through the output device of the phone;
The password comparator judges whether the phone user is legitimate;
The controller controls the coordinated operation of the above modules.
The present invention differs from the invention patents "Method and response system for guaranteeing payment security with a paging system" (99123882.6) and "Dynamic password wireless transmission method" (99116517.9) in that the user side employs the widely available mobile phone as the token, and the dynamic identity authentication password is generated independently at the handset token end and at the authentication server end, without relying on wireless network transmission. This guarantees real-time authentication, leaves an outsider no password to intercept, and greatly improves the security of the system. In addition, the user incurs no communication charges during the authentication process beyond the amount paid for the service, so compared with the two previous inventions the cost of using the dynamic identity authentication service is greatly reduced.
Description of drawings
Fig. 1 is the overall structure diagram of the authentication system;
Fig. 2 is the software structure diagram of the authentication server;
Fig. 3 is the implementation diagram of the handset token;
Fig. 4 is the dynamic identity authentication flow chart, where Fig. 4.1 is the handset-token-side flow and Fig. 4.2 is the authentication-server-side flow;
Fig. 5 is the flow chart for enabling the dynamic identity authentication service, where Fig. 5.1 is the handset-token-side flow and Fig. 5.2 is the authentication-server-side flow;
Fig. 6 is the flow chart for applying for system synchronization, where Fig. 6.1 is the handset-token-side flow and Fig. 6.2 is the authentication-server-side flow;
Fig. 7 is the flow chart for applying for user account unlocking, where Fig. 7.1 is the handset-token-side flow and Fig. 7.2 is the authentication-server-side flow;
Fig. 8 is the flow chart for cancelling the dynamic identity authentication service, where Fig. 8.1 is the handset-token-side flow and Fig. 8.2 is the authentication-server-side flow;
Fig. 9 explains the security protocol message format, where Fig. 9.1 is the protocol message header format, Fig. 9.2 is the service request message body format, and Fig. 9.3 is the service response message body format.
Embodiment
The invention is further described below, taking a banking system as an example and with reference to the drawings.
1. System configuration
Fig. 1 is the overall structure diagram of the authentication system, comprising user terminal 6, user information server 1, authentication server 2 and handset token 5. User information server 1 is the data server of the system; it uses the Oracle 9i database system and stores the tables defined according to the authentication protocol, providing the user information needed during the authentication process. The tables contain the following fields: identity card number, user ID, login password Pr, encryption/decryption key Ke, current working password Ks (identical to the current working password stored in the handset token), a flag indicating that the account is currently in use (to prevent race attacks), mobile phone number, and so on. User information server 1 accepts operation requests (query and modification of user information) from authentication server 2; these requests use the OLE DB data interface. Authentication server 2 is the server end of the whole authentication system and is responsible for receiving and completing the user's service requests. It is equipped with the authentication-server service module, password generation module 3 and communication module 4. Password generation module 3 generates the server-side dynamic identity authentication password; it is a hardware implementation of the "dynamic electronic password generation algorithm" and communicates with authentication server 2 over the server bus. Communication module 4 communicates with authentication server 2 through a COM port. Handset token 5 is a user mobile phone that can perform the authentication token function; its SIM card provides a Java runtime environment. The dynamic identity authentication client application module is an embedded application developed in Java and is written into the SIM card of handset token 5 with the TY311 SIM card writer. The client application module in handset token 5 uses the same dynamic password generation algorithm as password generation module 3 in the authentication server, and independently generates the synchronized dynamic identity authentication password. User terminal 6 (for example an ATM terminal) communicates with authentication server 2 over the bank's internal network 7. During authentication the user submits the user-side dynamic identity authentication password generated by the handset token to the authentication server; the authentication server compares it with the server-side dynamic identity authentication password it generated itself and decides from the result whether the user passes authentication.
Fig. 2 is the structure diagram of the authentication-server service module. The authentication-server service module is the server-end software of the authentication system; it mainly performs network transmission control, processing of the authentication system security protocol, encryption and decryption of transmitted messages, user information access, and obtaining and temporarily storing the dynamic password. It comprises user information access module 8, dynamic password access module 9, protocol processing module 10, core control module 11, encryption module 12 and network transmission module 13. User information access module 8 is the access module for the back-end user information server; it carries out the user information management commands of core control module 11, including creating new accounts, modifying existing account information, deleting expired account information, locking or unlocking user accounts, and controlling user access rights. Dynamic password access module 9 is the access module for the dynamic password generation module in the authentication service; it receives the user key information provided by core control module 11, produces the dynamic password used in the authentication process, and hands it to core control module 11 for temporary storage. Protocol processing module 10 is the server-end processor of the dynamic identity authentication system security protocol; it receives the security protocol messages provided by core control module 11 and returns the processing results to core control module 11. Core control module 11 is the core of the whole server-end software and coordinates the interrelations and message passing between the other modules. Encryption module 12 mainly carries out the message encryption and decryption requests of core control module 11. Network transmission module 13 mainly performs the message transmission tasks of the server end; it receives messages from the bank's private network and from the communication module in the authentication server. It also handles the message transmission requests of the core control module and sends the different kinds of messages into the different communication networks.
Fig. 3 is the implementation diagram of the handset token; 22 is the partial structure of the SIM card in the handset token and 23 is the interface structure of the mobile phone. The dynamic identity authentication client application module in the handset token comprises dynamic password generator 14, memory 15, password comparator 16 and controller 17. Memory 15 stores the user ID, the user identity card number, the login password Pr, the encryption/decryption key Ke, the current working password Ks used to generate the current dynamic identity authentication password (identical to the current working password stored at the server), the start-up password (handset token password) Pt of the client application module, and the count Nt of consecutive wrong entries of the token access password on the token. The encryption key Ke and the current working password Ks are assigned to the user's handset token by the authentication server when the user applies for the service; the start-up password (handset token password) Pt of the client application module is chosen by the user and written into the SIM card. Memory 15 is connected to dynamic password generator 14, password comparator 16 and controller 17. Dynamic password generator 14 produces the user's current authentication password from the current working password Ks, and may use a stream cipher algorithm such as RC4; the password corresponds to the server-side authentication password. Dynamic password generator 14 is connected to display 20 through display interface 18 of the phone, and the generated password is shown on the screen. Password comparator 16 judges whether the phone user is legitimate; it is connected to keypad 21 through keypad interface 19, so that the password the user enters on the keypad is compared with the start-up password (handset token password) Pt of the client application module. Controller 17 controls the coordinated operation of the modules.
2. Authentication process
As shown in Fig. 4, the authentication process comprises the following steps:
(1) The user inserts the bank card into the ATM terminal, submits user information, and sends an identity authentication request to the authentication server;
(2) After receiving the authentication request, the authentication server first verifies the legitimacy of the user information. If the user is legitimate (the user's information is stored in the user information database), the authentication server generates the server-side dynamic identity authentication password, stores it temporarily, and prompts the user through the user terminal to enter the user-side dynamic identity authentication password. In detail:
(2.1) After the network transmission module in the authentication server receives the authentication request, it submits the user's request to the core control module.
(2.2) The core control module searches the user information database through the user information access module. If the user's information is not in the database, the core control module generates an error message and sends it to the ATM terminal through the network transmission module; on receiving it the terminal prompts the user: user information error. If the user's information is in the database, the user information management module returns it to the core control module, which checks the Identification_Mode field (value 0 means the user uses static password authentication, value 1 means dynamic password authentication).
(2.3) If Identification_Mode=1, the core control module queries the user's Lock_State field (value 0 means not locked, value 1 means locked). If Lock_State=1, the core control module sends a message to the ATM terminal indicating that the user is locked and exits the authentication process. Otherwise the core control module passes the user's current working password to the dynamic password access module; the dynamic password generation module produces this user's current dynamic authentication password from the current working password and returns it to the core control module, which stores it temporarily and sends a message to the ATM terminal prompting the user to enter the user-side dynamic identity authentication password.
If a legitimate user finds that his account is locked, he can apply for unlocking through the handset token; the detailed unlocking procedure is given in the "user applies for unlocking" part of the dynamic identity authentication security protocol.
(3) The user generates the user-side dynamic identity authentication password with the handset token, which shows it on the phone screen.
It must be emphasized that before using the dynamic identity authentication service provided by the bank, the user must complete the two procedures "handset token initialization" and "enable dynamic identity authentication service". Their details are given in the parts of the dynamic identity authentication security protocol with the same names.
(4) The user enters the user-side dynamic identity authentication password shown on the phone screen at the user terminal, which sends it to the authentication server, and waits for authentication.
(5) If the user-side dynamic identity authentication password received by the authentication server is consistent with the server-side dynamic identity authentication password, authentication passes; otherwise authentication fails. In detail:
(5.1) The core control module of the authentication server obtains the user-side dynamic identity authentication password submitted by this user from the network transmission module;
(5.2) The core control module compares the user-side dynamic identity authentication password with the temporarily stored server-side dynamic identity authentication password. If they are consistent, the core control module sends a message to the ATM terminal through the network transmission module indicating that user authentication succeeded. Otherwise the core control module modifies the user information in the user information database through the user information access module, adding 1 to the WrongPSW_Count field of this user (the user is locked when WrongPSW_Count reaches a critical value), and sends a message to the ATM terminal through the network transmission module asking the user to restart the authentication process.
It should be pointed out that if a legitimate user finds that he cannot pass authentication despite correct operation, he can request system synchronization with the handset token; the synchronization procedure is given in the "user applies for system synchronization" part of the dynamic identity authentication security protocol.
Three. The dynamic identity authentication security protocol
The dynamic identity authentication method based on the handset token mode is an authentication method based on synchronous dynamic authentication passwords, so its implementation must guarantee that the handset token and the authentication server stay synchronized; the present invention uses the dynamic identity authentication security protocol for this purpose. The dynamic identity authentication security protocol is the supporting protocol of the handset-token-based dynamic identity authentication method. It is an interaction protocol carried over short messages (SMS) that defines the interaction flow between the handset token and the authentication server, the format of the exchanged messages, and the security mechanisms that protect the exchange (the message encryption method, the encryption key management method, and the authentication method for the exchanged messages). The security protocol not only provides the user with the synchronization function between the handset token and the authentication server, but also lets the user use the handset token to open the dynamic identity authentication service, unlock the user, and cancel the dynamic identity authentication service. The basic principles of the security protocol are described below in terms of protocol procedures, security mechanisms and message format.
(1) Protocol procedures
1. Handset token initialization
Handset token initialization consists of two steps: writing the client application module and initializing the client application module. Writing the client application module means using the SIM card writer TY311 to write the embedded JAVA-based dynamic identity authentication client application module into the user's mobile phone SIM card. Initializing the client application module mainly means setting the parameters of the client application module in the SIM card, including the user identity information, the message encryption/decryption key, the client application module start-up password, the current working password and the user log-in password. The client application module start-up password and the log-in password are chosen by the user and can be changed at any time. The client application module start-up password ensures that only the legitimate handset token user can use the handset token to complete the dynamic identity authentication process. The log-in password ensures that only a legitimate user can use the handset token to complete the "unlock" and "cancel dynamic identity authentication service" functions. The current working password and the message encryption/decryption key exist both on the handset token side and on the authentication server side; on the server side they are part of the user record, and the two sides must hold the same current working password and the same encryption/decryption key. At initialization, a random number generator produces an initial current working password and an initial encryption/decryption key, and the current working password and encryption/decryption key in the handset token and on the authentication server are both set to these initial values.
2. The user opens the dynamic identity authentication service
Opening the dynamic identity authentication service means that the user sends an "open dynamic identity authentication service request" to the authentication server through the handset token; after receiving the request, the authentication server first verifies the legitimacy of the user's information and processes it accordingly, then sends an "open dynamic identity authentication service response" to the user. The detailed procedure is as follows:
1) The user enters the handset token client application module start-up password (set during handset token initialization) and passes the handset token's authentication;
2) The user sends the "open dynamic identity authentication service request" message to the authentication server through the handset token;
3) After receiving the "open dynamic identity authentication service request" message, the authentication server verifies the legitimacy of the message (the user ID and log-in password in the message; this log-in password was fixed when the user's mobile phone was initialized);
4) The authentication server marks this user's authentication mode in the user information database as the dynamic identity authentication mode, then sends the "open dynamic identity authentication service response" message to the handset token;
5) The handset token receives the "open dynamic identity authentication service response" message and prompts that the dynamic identity authentication service has been opened.
The processing on the handset token side and the authentication server side when the user opens the dynamic identity authentication service is shown in Fig. 5.
3. The user applies for system synchronization
As mentioned above, the key to a user passing the authentication server's authentication is that the handset token and the authentication server remain synchronized. Since abnormal conditions can desynchronize the two sides (for example the mobile phone suddenly losing power during user authentication), the synchronized state of the two sides must then be restored by running the "user applies for system synchronization" procedure of the dynamic identity authentication security protocol. The detailed procedure is as follows:
1) The user enters the handset token client application module start-up password and passes the handset token's authentication;
2) The user sends the "apply for system synchronization request" message to the authentication server through the handset token;
3) After receiving the "apply for system synchronization request" message, the authentication server verifies the legitimacy of the message (the user ID and log-in password in the message; this log-in password was fixed when the user's mobile phone was initialized);
4) The authentication server takes the server-side current working password from the user information database;
5) The authentication server generates the "apply for system synchronization response" message, writes the server-side current working password into its "service provider information" field, and sends the response message to the user;
6) After receiving the "apply for system synchronization response" message, the handset token extracts the current working password from it and sets the current working password of the dynamic electronic cipher on the handset token side to the extracted value, which completes system synchronization.
The processing on the handset token side and the authentication server side when the user applies for system synchronization is shown in Fig. 6.
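The server-side check of step (5) above and the resynchronization of "the user applies for system synchronization", as an added Python example that is not the patent's own code: both sides hold the current working password Ks, the server generates and temporarily stores its own password as in step (2), counts WrongPSW_Count and locks the user at a threshold, and the synchronization response hands the server's Ks to the token. The password derivation (HMAC-SHA256 over Ks, with Ks advanced by one SHA-256 step after each use), the reset of WrongPSW_Count on success and the lock threshold are assumptions; the patent does not specify them.

```python
import hashlib
import hmac

# Constructed value: the WrongPSW_Count at which the user record is locked
# (the patent only speaks of "a critical value").
LOCK_THRESHOLD = 3


def dynamic_password(ks: bytes) -> str:
    """Six-digit client/server dynamic password derived from the current working
    password Ks. Assumed algorithm: the patent does not specify one."""
    mac = hmac.new(ks, b"dynamic-identity-authentication", hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)


def next_ks(ks: bytes) -> bytes:
    """Assumed one-way update of Ks; both sides must apply it in lockstep."""
    return hashlib.sha256(ks).digest()


class HandsetToken:
    """Token side: holds Ks and produces the client-side dynamic password."""

    def __init__(self, ks: bytes):
        self.ks = ks

    def generate(self) -> str:
        code = dynamic_password(self.ks)
        # Ks advances even if the code is never submitted (phone loses power
        # mid-authentication): this is how the two sides fall out of sync.
        self.ks = next_ks(self.ks)
        return code

    def apply_sync(self, server_ks: bytes) -> None:
        """Step 6) of 'apply for system synchronization': adopt the server's Ks."""
        self.ks = server_ks


class AuthServer:
    """Server side: user records carrying Ks, WrongPSW_Count and User Status."""

    def __init__(self, users: dict):
        self.users = users      # user_id -> {"ks", "WrongPSW_Count", "locked"}
        self.pending = {}       # user_id -> temporarily stored server-side password

    def begin(self, uid: str) -> bool:
        """Step (2): refuse a locked user, else generate and store the server-side password."""
        rec = self.users[uid]
        if rec["locked"]:
            return False
        self.pending[uid] = dynamic_password(rec["ks"])
        return True

    def verify(self, uid: str, code: str) -> bool:
        """Step (5.2): compare; on mismatch add 1 to WrongPSW_Count and lock at the threshold."""
        rec = self.users[uid]
        expected = self.pending.pop(uid, None)
        if expected is None or rec["locked"]:
            return False
        if hmac.compare_digest(expected, code):
            rec["WrongPSW_Count"] = 0        # reset on success (assumed; the patent only gives the increment)
            rec["ks"] = next_ks(rec["ks"])   # keep the server's Ks in step with the token
            return True
        rec["WrongPSW_Count"] += 1
        if rec["WrongPSW_Count"] >= LOCK_THRESHOLD:
            rec["locked"] = True             # "User Status" becomes locked
        return False

    def sync_response(self, uid: str) -> bytes:
        """Steps 4)-5) of 'apply for system synchronization': the server's Ks goes
        into the service provider information field of the response."""
        return self.users[uid]["ks"]

    def unlock(self, uid: str) -> None:
        """'The user applies for unlock': set User Status back to unlocked."""
        rec = self.users[uid]
        rec["locked"] = False
        rec["WrongPSW_Count"] = 0
```

The request-side checks of the synchronization and unlock messages (start-up password, log-in password) are outside this block; it models only the password comparison, the counter and the resynchronization.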
4. The user applies for unlock
If the user finds that their account has been locked by the bank, the user can apply for an unlock through the handset token. The detailed procedure is as follows:
1) The user enters the handset token client application module start-up password and passes the handset token's authentication;
2) The user sends the "apply for account unlock request" message to the authentication server through the handset token;
3) After receiving the "apply for account unlock request" message, the authentication server verifies the legitimacy of the message (the user ID and log-in password in the message; this log-in password was fixed when the user's mobile phone was initialized);
4) The authentication server sets the "User Status" field of this user in the user information database to the unlocked state, then sends the "apply for account unlock response" message to the user;
5) The handset token receives the "apply for account unlock response" message and prompts the user that the unlock succeeded.
The processing on the handset token side and the authentication server side when the user applies for unlock is shown in Fig. 7.
If a legitimate user finds that their handset token has been locked, they can unlock it through the handset token by the following steps:
1) The user enters the handset token log-in password (generally longer than the start-up password) and passes the handset token's authorization check;
2) The handset token sets its own "User Status" field to the unlocked state, then informs the user of the "unlock response" through the mobile phone.
5. The user cancels the dynamic identity authentication service
The user can not only open the dynamic identity authentication service through the handset token but can also cancel the dynamic identity authentication service through the handset token. The detailed procedure is as follows:
1) The user enters the handset token client application module start-up password and passes the handset token's authentication;
2) The user sends the "cancel dynamic identity authentication service request" message to the authentication server through the handset token;
3) After receiving the "cancel dynamic identity authentication service request" message, the authentication server verifies the legitimacy of the message (the user ID and log-in password in the message; this log-in password was fixed when the user's mobile phone was initialized);
4) The authentication server marks this user's authentication mode in the user information database as the fixed password identity authentication mode, then sends the "cancel dynamic identity authentication service response" message to the handset token;
5) The handset token receives the "cancel dynamic identity authentication service response" message and prompts that the dynamic identity authentication service has been cancelled.
The processing on the handset token side and the authentication server side when the user cancels the dynamic identity authentication service is shown in Fig. 8.
6. The user aborts the dynamic identity authentication service
During the authentication process, the dynamic identity authentication process can be aborted by the following steps:
1) The user enters the handset token's predefined abort command, and the token system aborts the authentication process;
2) The user enters and sends an "abort dynamic identity authentication service request" to the authentication server through the user terminal;
3) After receiving the "abort dynamic identity authentication service request", the authentication server aborts the server-side authentication process.
(2) Security mechanisms of the security protocol
The security protocol encrypts and decrypts the exchanged messages with the encryption/decryption key and a block cipher algorithm such as DES (Data Encryption Standard).
The protocol defines not only the encryption and decryption of the exchanged messages but also the management of the corresponding encryption/decryption keys. The protocol stipulates that the encryption/decryption key is written at handset token initialization, and that keys are renewed according to the number of messages sent: the user's mobile phone maintains a message counter that counts the request messages sent by the handset token; when the counter reaches a threshold, the handset token automatically sets the key update flag bit in the exchanged message; on receiving such a message the authentication server carries a new encryption/decryption key in its response message; and after receiving the new key the handset token starts using it to encrypt and decrypt messages.
(3) Security protocol message format
The protocol message format is shown in Fig. 9. Messages are divided into service request messages and service response messages, and each message is further divided into a message header and a message body. The format is described as follows:
(1) Protocol message header
Version: the version number of the protocol;
Header length: the length of the protocol message header;
Service provider ID: a unique ID identifying each service provider that offers the dynamic authentication service;
Total length: the total length of the message; this field exists to allow for later extension of the message body;
(2) Service request message body
Service type: bit 1 specifies the message type; bit 2 indicates, in an encrypted request message, whether the client requests a key update, or, in a response message, whether the carried key is a renewed one; bits 3-8 are the message type bits;
Check code: the message is verified by byte summation;
Sequence number: identifies each request message and prevents replay attacks on responses;
User ID: the user's authentication account number;
Registration code: private user data generated when the user's handset token is initialized; the server uses the user ID and the user's verification code to confirm the user's identity;
(3) Service response message body
Service type: as above;
Check code: as above;
Sequence number: copies the sequence number of the request, guaranteeing a one-to-one correspondence between response and request;
New key: carries the new key for encrypting protocol messages;
Service provider information: the response information returned by the service provider to the user, for example the algorithm's current working password;
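The message format above and the counter-driven key renewal of the security mechanism, as an added Python example that is not the patent's own code: it builds and parses the header and the request/response bodies with assumed field widths (the patent names the fields but not their sizes), computes the byte-sum check code, rejects replayed sequence numbers, matches each response to its request, and renews the key when the token's message counter reaches the threshold. The DES encryption of the body and the SMS transport are not modelled; the bit encoding of the service type, MSG_SYNC and KEY_UPDATE_THRESHOLD are constructed values.

```python
import os
import struct

# Assumed fixed-width wire layout (big-endian); the patent gives names, not sizes.
HEADER_FMT = ">BBHH"      # version, header length, service provider ID, total length
REQ_FMT = ">BBI8s8s"      # service type, check code, sequence number, user ID, registration code
RESP_FMT = ">BBI8s16s"    # service type, check code, sequence number, new key, service provider info
HEADER_LEN = struct.calcsize(HEADER_FMT)
VERSION = 1

# Service-type byte, bits numbered 1..8 from the most significant bit.
REQUEST_BIT = 0x80        # bit 1: message type (assumed: 1 = request, 0 = response)
KEY_UPDATE_BIT = 0x40     # bit 2: key update requested / renewed key carried
TYPE_MASK = 0x3F          # bits 3-8: message type code
MSG_SYNC = 0x03           # constructed code for "apply for system synchronization"
KEY_UPDATE_THRESHOLD = 3  # constructed: requests sent before the token asks for a new key


def byte_sum(data: bytes) -> int:
    """Check code by byte summation (one byte, modulo 256 assumed)."""
    return sum(data) & 0xFF


def build(service_id: int, body_fmt: str, fields: list) -> bytes:
    """Header + body; the check code (fields[1]) covers the body with that slot zeroed."""
    fields = list(fields)
    fields[1] = 0
    fields[1] = byte_sum(struct.pack(body_fmt, *fields))
    body = struct.pack(body_fmt, *fields)
    header = struct.pack(HEADER_FMT, VERSION, HEADER_LEN, service_id, HEADER_LEN + len(body))
    return header + body


def parse(msg: bytes, body_fmt: str) -> tuple:
    """Validate version, lengths and check code; return (header fields, body fields)."""
    header = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])
    version, head_len, _, total_len = header
    if version != VERSION or head_len != HEADER_LEN or total_len != len(msg):
        raise ValueError("malformed header")
    fields = list(struct.unpack(body_fmt, msg[head_len:]))
    claimed, fields[1] = fields[1], 0
    if byte_sum(struct.pack(body_fmt, *fields)) != claimed:
        raise ValueError("check code mismatch")
    fields[1] = claimed
    return header, fields


class HandsetToken:
    def __init__(self, user_id: bytes, reg_code: bytes, key: bytes):
        self.user_id, self.reg_code, self.key = user_id, reg_code, key
        self.seq = 0   # sequence number: distinct per request, matched against the response
        self.sent = 0  # message counter that drives the key update rule

    def make_request(self, msg_type: int, service_id: int) -> bytes:
        self.seq += 1
        self.sent += 1
        stype = REQUEST_BIT | (msg_type & TYPE_MASK)
        if self.sent >= KEY_UPDATE_THRESHOLD:
            stype |= KEY_UPDATE_BIT  # ask the server to carry a new key in its response
            self.sent = 0
        return build(service_id, REQ_FMT, [stype, 0, self.seq, self.user_id, self.reg_code])

    def take_response(self, msg: bytes) -> bytes:
        _, (stype, _, seq, new_key, info) = parse(msg, RESP_FMT)
        if seq != self.seq:
            raise ValueError("response does not match the outstanding request")
        if stype & KEY_UPDATE_BIT:
            self.key = new_key  # bring the renewed key into use from this message on
        return info.rstrip(b"\x00")


class AuthServer:
    def __init__(self, service_id: int, users: dict):
        self.service_id = service_id
        self.users = users  # user_id -> {"reg_code", "key", "work_pw", "last_seq"}

    def handle(self, msg: bytes) -> bytes:
        (_, _, sid, _), (stype, _, seq, user_id, reg_code) = parse(msg, REQ_FMT)
        rec = self.users.get(user_id)
        if sid != self.service_id or rec is None or rec["reg_code"] != reg_code:
            raise PermissionError("user information is not legitimate")
        if seq <= rec["last_seq"]:
            raise PermissionError("replayed request")  # sequence numbers must move forward
        rec["last_seq"] = seq
        new_key = bytes(8)
        if stype & KEY_UPDATE_BIT:
            new_key = os.urandom(8)
            rec["key"] = new_key  # caveat: a lost response leaves the two sides' keys out of step
        info = rec["work_pw"] if (stype & TYPE_MASK) == MSG_SYNC else b""
        resp_type = stype & ~REQUEST_BIT
        return build(self.service_id, RESP_FMT, [resp_type, 0, seq, new_key, info])
```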

Claims (10)

1. A handset token dynamic identity authentication method, realized using computer technology and mobile communication technology, comprising the steps of:
(1) the user enters user information at a user terminal, which sends an identity authentication request to the authentication server;
(2) after receiving the authentication request, the authentication server first verifies the legitimacy of the user information; if the user is a legitimate user, the authentication server generates the server-side current dynamic identity authentication password, stores it temporarily, and prompts the user through the user terminal to enter the client-side current dynamic identity authentication password;
(3) the user enters the application module start-up password of the handset token and passes the handset token's authentication;
(4) the user generates the client-side current dynamic identity authentication password with the handset token, which informs the user of it through the mobile phone;
(5) the user enters the client-side current dynamic identity authentication password thus obtained at the user terminal, which sends it to the authentication server, and waits for authentication;
(6) if the client-side current dynamic identity authentication password received by the authentication server matches the server-side current dynamic identity authentication password, authentication passes; otherwise authentication fails.
2. The method according to claim 1, characterized in that, when carrying out step (2), if a legitimate user finds that their account has been locked, they can apply for an unlock through the handset token by the steps of:
1) the user enters the handset token client application module start-up password and passes the handset token's authentication;
2) the user sends the "apply for account unlock request" message to the authentication server through the handset token;
3) after receiving the "apply for account unlock request" message, the authentication server verifies the legitimacy of the message;
4) the authentication server sets the "User Status" field of this user in the user information database to the unlocked state, then sends the "apply for account unlock response" message to the user;
5) the handset token receives the "apply for account unlock response" message and prompts the user that the unlock succeeded.
3. The method according to claim 1 or 2, characterized in that, when carrying out step (3), if the user finds that the dynamic identity authentication service has not yet been opened, the dynamic identity authentication service is opened by the steps of:
1) the user enters the handset token client application module start-up password and passes the handset token's authentication;
2) the user sends the "open dynamic identity authentication service request" message to the authentication server through the handset token;
3) after receiving the "open dynamic identity authentication service request" message, the authentication server verifies the legitimacy of the message;
4) the authentication server marks this user's authentication mode in the user database as the dynamic identity authentication mode, then sends the "open dynamic identity authentication service response" message to the handset token;
5) the handset token receives the "open dynamic identity authentication service response" message and prompts that the dynamic identity authentication service has been opened.
4. The method according to claim 3, characterized in that, during the authentication process, if a legitimate user finds that they still cannot pass authentication after operating correctly, the user can request system synchronization through the handset token by the steps of:
1) the user enters the handset token client application module start-up password and passes the handset token's authentication;
2) the user sends the "apply for system synchronization request" message to the authentication server through the handset token;
3) after receiving the "apply for system synchronization request" message, the authentication server verifies the legitimacy of the message;
4) the authentication server takes the server-side dynamic electronic cipher current working password from the user information database;
5) the authentication server generates the "apply for system synchronization response" message, writes the server-side dynamic electronic cipher current working password into its "service provider information" field, and sends the response message to the user;
6) after receiving the "apply for system synchronization response" message, the handset token extracts the dynamic electronic cipher current working password from it and sets the dynamic electronic cipher current working password on the handset token side to the extracted value, which completes system synchronization.
5. The method according to claim 4, characterized in that, during the authentication process, the dynamic identity authentication service can be cancelled by the steps of:
1) the user enters the handset token client application module start-up password and passes the handset token's authentication;
2) the user sends the "cancel dynamic identity authentication service request" message to the authentication server through the handset token;
3) after receiving the "cancel dynamic identity authentication service request" message, the authentication server verifies the legitimacy of the message;
4) the authentication server marks this user's authentication mode in the user information database as the fixed password identity authentication mode, then sends the "cancel dynamic identity authentication service response" message to the handset token;
5) the handset token receives the "cancel dynamic identity authentication service response" message and prompts that the dynamic identity authentication service has been cancelled.
6. The method according to claim 5, characterized in that, during the authentication process, the dynamic identity authentication process can be aborted by the steps of:
1) the user enters the handset token's predefined abort command, and the token system aborts the authentication process;
2) the user enters and sends an "abort dynamic identity authentication service request" to the authentication server through the user terminal;
3) after receiving the "abort dynamic identity authentication service request", the authentication server aborts the server-side authentication process.
7. The method according to claim 6, characterized in that, when carrying out step (3), if the user finds that their handset token has been locked, it can be unlocked through the handset token by the steps of:
1) the user enters the preset log-in password of the handset token and passes the handset token's authorization check;
2) the handset token sets its own "User Status" field to the unlocked state, then informs the user of the "unlock response" through the mobile phone.
8. A system for realizing the method of claim 1, comprising a user terminal, a user information server, an authentication server and a handset token; wherein
the user terminal is used to enter user information and communicates with the authentication server over a network;
the user information server stores each item of user information needed in the authentication process in the format set by the authentication protocol, provides it, and accepts operations from the authentication server;
the authentication server is responsible for receiving and completing the user's service requests and is equipped with an authentication server-side service module, a password generation module and a communication module; the authentication server-side service module handles network transmission control, processing of the authentication system security protocol, encryption and decryption of transmitted messages, user information access, and obtaining and temporarily storing the dynamic password; the password generation module generates the server-side current dynamic identity authentication password and communicates with the authentication server over the server's bus; the communication module sends and receives messages on the authentication server side and is the communication intermediary between the handset token and the authentication server;
the handset token is a user mobile phone whose SIM card holds a dynamic identity authentication client application module; the dynamic identity authentication client application module uses the same dynamic password generation algorithm and the same current working password as the password generation module in the authentication server, and independently generates the synchronized current dynamic identity authentication password.
9. The system according to claim 8, characterized in that the authentication server-side service module comprises a user information management module (8), a dynamic password access module (9), a protocol processing module (10), a core control module (11), an encryption module (12) and a network transmission module (13);
the user information management module (8) carries out the user information management commands of the core control module (11), including creating new accounts, modifying existing account information, deleting expired account information, locking or unlocking user accounts, and controlling user access permissions;
the dynamic password access module (9) is the access module of the above password generation module; it receives the user key information provided by the core control module (11), generates the dynamic password for the authentication process, and hands the dynamic password to the core control module (11) for temporary storage;
the protocol processing module (10) is the service-side processing end of the dynamic identity authentication system security protocol; it receives the security protocol messages provided by the core control module (11) and returns the processing results to the core control module (11);
the encryption module (12) fulfils the message encryption and decryption requests of the core control module (11);
the network transmission module (13) carries out the server-side message transmission tasks: it receives messages from the network and from the communication module in the authentication server, handles the message transmission requests of the core control module (11), and sends the different kinds of messages into the different communication networks;
the core control module (11) coordinates the correlation and message transfer between the above modules.
10. The system according to claim 8 or 9, characterized in that the dynamic identity authentication client application module in the handset token comprises a dynamic password generator (14), a memory (15), a password comparator (16) and a controller (17);
the memory (15) stores the user ID, the user's identity card number, the log-in password Pr, the encryption key Ke, the current working password Ks used to generate the current dynamic identity authentication password, the start-up password of the client application module (the handset token password Pt), and the number Nt of consecutive wrong entries of the token access password on the token; it is connected to the dynamic password generator (14), the password comparator (16) and the controller (17);
the dynamic password generator (14) generates the user's current authentication password from the current working password Ks; this authentication password corresponds to the server's current authentication password and is communicated to the user through the mobile phone's output device;
the password comparator (16) judges whether the mobile phone user is legitimate;
the controller (17) controls the coordinated operation of the above modules.
CNB200310111570XA 2003-12-12 2003-12-12 A dynamic identity certification method and system Expired - Fee Related CN1323538C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200310111570XA CN1323538C (en) 2003-12-12 2003-12-12 A dynamic identity certification method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB200310111570XA CN1323538C (en) 2003-12-12 2003-12-12 A dynamic identity certification method and system

Publications (2)

Publication Number Publication Date
CN1547142A CN1547142A (en) 2004-11-17
CN1323538C true CN1323538C (en) 2007-06-27

Family

ID=34336197

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200310111570XA Expired - Fee Related CN1323538C (en) 2003-12-12 2003-12-12 A dynamic identity certification method and system

Country Status (1)

Country Link
CN (1) CN1323538C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI412950B (en) * 2009-06-29 2013-10-21 Hon Hai Prec Ind Co Ltd Document protection system and method thereof

Families Citing this family (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100645401B1 (en) * 2006-05-01 2006-11-15 주식회사 미래테크놀로지 Time sync type otp generation device in mobile phone and generation method
US8364120B2 (en) * 2006-08-02 2013-01-29 Motorola Mobility Llc Identity verification using location over time information
CN1953452B (en) * 2006-10-24 2011-07-20 中国科学院电工研究所 A method for dynamic certification and authorization for stream media
WO2008126507A1 (en) * 2007-03-30 2008-10-23 Nec Corporation User authentication control device, user authentication device, data processing device, and user authentication control method and the like
CN101072105B (en) * 2007-05-21 2011-05-11 腾讯科技(深圳)有限公司 Network identity authenticating method and system
CN101159542B (en) * 2007-11-12 2010-06-09 中兴通讯股份有限公司 Method and system for saving and/or obtaining authentication parameter on terminal network appliance
CN101222334B (en) * 2008-01-11 2010-08-04 华中科技大学 Cipher token safety authentication method adopting picture interference
CN101990183B (en) 2009-07-31 2013-10-02 国际商业机器公司 Method, device and system for protecting user information
CN101662769B (en) * 2009-09-22 2012-09-05 钱袋网(北京)信息技术有限公司 Method, mobile terminal, server and system of telephone business authentication
CN101926675B (en) 2009-10-30 2012-08-08 华为技术有限公司 Method, device and system for remotely acquiring physical detection data of user
CN102402746B (en) * 2010-09-09 2016-11-02 财付通支付科技有限公司 A kind of methods, devices and systems of mobile payment security checking
CN102085116B (en) * 2010-12-08 2012-08-15 华中科技大学 Multifunctional remote medical care system based on multi-network fusion
CN102098313B (en) * 2011-03-01 2017-03-15 黄泽鑫 A kind of waterproof wall system and its verification method
CN102098317B (en) * 2011-03-22 2013-12-18 浙江中控技术股份有限公司 Data transmitting method and system applied to cloud system
CN102739719B (en) * 2011-04-13 2016-03-30 中国移动通信集团公司 User profile synchronous method and system thereof
CN102377570B (en) * 2011-11-07 2014-03-12 飞天诚信科技股份有限公司 Method and device for generating dynamic passwords
KR102102179B1 (en) * 2013-03-14 2020-04-21 삼성전자 주식회사 Embedded system, authentication system comprising the same, method of authenticating the system
CN103269483B (en) * 2013-06-03 2015-09-23 上海众人网络安全技术有限公司 A kind of OOAC handset token multi-mode activation system and method
CN104539785B (en) * 2014-08-22 2017-02-01 南京速帕信息科技有限公司 Implementation method of one-key release mobile phone token
CN105516069B (en) * 2014-09-28 2020-10-09 腾讯科技(深圳)有限公司 Data processing method, device and system
WO2016134657A1 (en) * 2015-02-27 2016-09-01 飞天诚信科技股份有限公司 Operating method for push authentication system and device
CN107317679B (en) * 2017-06-05 2020-01-31 国政通科技股份有限公司 Method and system for preventing fraud after identity cards are lost
CN107172436B (en) * 2017-06-09 2019-11-26 国政通科技股份有限公司 A kind of method and system of ID card information transmission protection
CN107948156B (en) * 2017-11-24 2021-10-22 郑州云海信息技术有限公司 Identity-based closed key management method and system
CN108989346B (en) * 2018-08-30 2021-03-16 上海同态信息科技有限责任公司 Third-party valid identity escrow agile authentication access method based on account hiding
TWI725352B (en) * 2018-11-05 2021-04-21 緯創資通股份有限公司 Method for authentication and authorization and authentication server using the same
CN110062383A (en) * 2019-04-24 2019-07-26 中国联合网络通信集团有限公司 A kind of authentication method, terminal, certificate server, application server
CN110602700B (en) * 2019-09-23 2023-01-17 飞天诚信科技股份有限公司 Seed key processing method and device and electronic equipment
CN111711628B (en) * 2020-06-16 2022-10-21 北京字节跳动网络技术有限公司 Network communication identity authentication method, device, system, equipment and storage medium
CN113468514A (en) * 2021-06-28 2021-10-01 深圳供电局有限公司 Multi-factor identity authentication method and system in intranet environment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5699507A (en) * 1995-01-17 1997-12-16 Lucent Technologies Inc. Method of identifying similarities in code segments
US6266525B1 (en) * 1998-12-17 2001-07-24 Lucent Technologies Inc. Method for detecting fraudulent use of a communications system
JP2001337929A (en) * 2000-05-26 2001-12-07 Nec Corp Dynamic password control system
CN1086818C (en) * 1999-04-29 2002-06-26 华中理工大学 Method for generating dynamic electronic cipher
CN1394067A (en) * 2001-07-02 2003-01-29 黄金富 Network bank pay system using telephone's incoming display as dynamic encrypting code
JP2003196238A (en) * 2001-12-26 2003-07-11 Fujitsu Ltd Password authenticating device and password authenticating program

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI412950B (en) * 2009-06-29 2013-10-21 Hon Hai Prec Ind Co Ltd Document protection system and method thereof

Also Published As

Publication number Publication date
CN1547142A (en) 2004-11-17

Similar Documents

Publication Title
CN1323538C (en) A dynamic identity certification method and system
CN109272606B (en) Intelligent lock supervision equipment and method based on block chain and storage medium
US11184343B2 (en) Method for carrying out an authentication
CN108012268B (en) SIM card for ensuring safe use of application software on mobile phone terminal
EP1801721B1 (en) Computer implemented method for securely acquiring a binding key for a token device and a secured memory device and system for securely binding a token device and a secured memory device
CN111787530B (en) Block chain digital identity management method based on SIM card
CN1268157C (en) A handset used for dynamic identity authentication
CN102215221A (en) Methods and systems for secure remote wake, boot, and login to a computer from a mobile device
CN101577917A (en) Safe dynamic password authentication method based on mobile phone
JP2009510644A (en) Method and configuration for secure authentication
EP1277299A1 (en) Method for securing communications between a terminal and an additional user equipment
WO1999024895A1 (en) Tamper resistant method and apparatus
WO2018133674A1 (en) Method of verifying and feeding back bank payment permission authentication information
CN110190971B (en) JWT token authentication method based on block chain
CN107864124B (en) Terminal information security protection method, terminal and Bluetooth lock
CN102187619A (en) Authentication system
CN110992532B (en) Temporary authorized unlocking method and system for intelligent door lock
CN104125064B (en) A kind of dynamic cipher authentication method, client and Verification System
CN106936588A (en) A kind of trustship method, the apparatus and system of hardware controls lock
CN101599192B (en) Method for achieving security guard of bank card
CN108768941B (en) Method and device for remotely unlocking safety equipment
KR20080087917A (en) System for certify one-time password, system for issue a seed, and method for generating one-time password
CN109003368B (en) Bluetooth access control system offline password updating method and Bluetooth access control system
KR101202245B1 (en) System and Method For Transferring Money Using OTP Generated From Account Number
CN105119716A (en) Secret key negotiation method based on SD cards

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20070627

Termination date: 20111212