Summary of the invention
One object of the present invention is to provide a physical authentication method that determines the required physical authentication mode according to the key used by each operation instruction, thereby authenticating the user's legitimate identity and ensuring that, in an online transaction, a legitimate user is carrying out a legitimate transaction.
The physical authentication method comprises the following steps:
S1. The correspondence between keys, operation instructions and physical authentication modes is set in the physical authentication device;
S2. The physical authentication device receives an operation instruction sent by the client;
S3. The physical authentication device identifies the key used by the operation instruction from the key identifier contained in the instruction (key identifiers correspond one-to-one with the keys in the physical authentication device) and, according to the correspondence between keys, operation instructions and physical authentication modes, determines the physical authentication mode corresponding to this operation instruction;
S4. The user submits physical authentication information to the physical authentication device according to that physical authentication mode; the device receives the information and compares it with the corresponding stored physical authentication information. If they match, physical authentication passes and the method proceeds to step S5; otherwise, the process ends;
S5. The physical authentication device executes the operation instruction.
There are two or more keys, and the correspondence between keys, operation instructions and physical authentication modes forms a two-dimensional operation control list.
In step S2, the operation instruction comprises a security operation command or a data read/write command.
In step S3, after the physical authentication mode corresponding to the operation instruction has been determined, the method further comprises a step of sending physical authentication prompt information to the user.
In step S4, the process in which the user submits physical authentication information to the physical authentication device according to the physical authentication mode, and the device receives it and compares it with the corresponding stored physical authentication information, is as follows:
The user submits physical authentication information to the physical authentication actuator of the physical authentication device;
The physical authentication actuator receives the physical authentication information and compares it with the corresponding stored physical authentication information to determine whether they match.
The advantage of the method for physical certifying of the present invention is: by the corresponding relation of key, operational order and physical certifying mode is set, according to the employed key of different operational orders, come definite physical certifying mode that needs, realization is to the authentication of user's legal identity, thereby it is legal not only concluding the business when guaranteeing network trading, and dealer's identity also is legal.
For in an equipment, using under the situation of a plurality of keys, adopt this method, can be according to the employed different keys of operational order, specify the physical certifying mode that needs respectively, realized the flexibility of many keys uses and the flexibility of physical certifying, made things convenient for and realized different physical certifyings when in an equipment, using different key easily.
Another object of the present invention is to provide a physical authentication device that determines the required physical authentication mode according to the key used by each operation instruction, thereby authenticating the user's legitimate identity and ensuring that, in an online transaction, a legitimate user is carrying out a legitimate transaction.
The physical authentication device is connected to a client and comprises:
An operation control correspondence module, in which the correspondence between keys, operation instructions and physical authentication modes is set;
A processing module, which receives the operation instruction information sent by the client through the communication interface module; identifies the key used by the operation instruction from the key identifier contained in the instruction (key identifiers correspond one-to-one with the keys in the operation control correspondence module); determines, according to the correspondence between keys, operation instructions and physical authentication modes, the physical authentication mode corresponding to this operation instruction; receives the authentication result sent by the physical authentication module; sends the command to carry out the relevant operation to the operation module; and receives the execution result from the operation module;
A physical authentication module, connected to the processing module, which receives the physical authentication information entered by the user, compares it with the stored physical authentication information to obtain an authentication result, and sends the authentication result to the processing module;
An operation module, connected to the processing module, which executes the operation instruction;
A data storage module, connected to the processing module, which stores user data and application data;
A communication interface module, connected to the processing module, which carries the information exchange between the processing module and the client.
The operation control correspondence module comprises:
An operation control list storage module, which stores the correspondence between keys, operation instructions and physical authentication modes;
An operation control list query module, which, on request from the processing module, sends a query to the operation control list storage module and returns the query result to the processing module.
The physical authentication module comprises a physical authentication actuator and an authentication comparison module. The physical authentication actuator receives the physical authentication information entered by the user and sends it to the authentication comparison module; the authentication comparison module compares the physical authentication information entered by the user with the stored physical authentication information and obtains the authentication result.
The physical authentication module comprises a biometric recognition module and/or an operation-feature recognition module.
The physical authentication device further comprises a physical authentication prompt module, connected to the processing module, which prompts the user to perform physical authentication on the physical authentication module.
The advantage of the physical authentication device of the present invention is as follows: the correspondence between keys, operation instructions and physical authentication modes is set in the operation control correspondence module; the processing module looks up the key used by the operation instruction and, according to that correspondence, determines the physical authentication mode corresponding to the operation instruction; and the physical authentication module verifies the physical authentication operation that the user performs according to that mode. The user's legitimate identity is thereby authenticated, which ensures that in an online transaction not only the transaction but also the identity of the person making it is legitimate.
Where multiple keys are used in one device, this device allows the required physical authentication mode to be specified separately for the different keys used by operation instructions. This gives flexibility both in the use of multiple keys and in physical authentication, and makes it easy and convenient to apply different physical authentication when different keys are used in one device.
Embodiment
Specific embodiments of the present invention are described below with reference to the accompanying drawings.
The correspondence between keys, operation instructions and physical authentication modes is set; the key used by an operation instruction is looked up and, according to that correspondence, the physical authentication mode corresponding to the operation instruction is determined; the physical authentication operation that the user performs according to that mode is then verified, which authenticates the user's legitimate identity. Where multiple keys are used in one device, the required physical authentication mode can be specified separately for the different keys used by operation instructions, giving flexibility both in the use of multiple keys and in physical authentication.
Refer to Fig. 1, the structural diagram of the physical authentication device of the present invention. The physical authentication device 300 of the present invention is connected to a client and comprises:
An operation control correspondence module 310, in which the correspondence between keys, operation instructions and physical authentication modes is set;
A processing module 320, which receives the operation instruction information sent by the client, looks up the key used by the operation instruction, determines the physical authentication mode corresponding to the operation instruction according to the correspondence between keys, operation instructions and physical authentication modes, receives the authentication result sent by the physical authentication module 330, sends the command to carry out the relevant operation to the operation module 340, and receives the execution result from the operation module;
A physical authentication module 330, connected to the processing module, which verifies the physical authentication operation that the user performs according to the physical authentication mode and sends the authentication result to the processing module 320;
An operation module 340, connected to the processing module 320, which executes the operation instruction;
A data storage module 350, connected to the processing module 320, which stores user data and application data.
The operation control correspondence module 310 comprises:
An operation control list storage module 3101, connected to the processing module, which may be firmware memory such as ROM, EPROM, EEPROM or non-volatile memory (NAND flash), but is not limited to these memories and may also be a smart card chip; it stores the operation control list used for security authentication operations;
An operation control list query module 3102, connected to the processing module, which, on request from the processing module 320, sends a query to the operation control list storage module 3101 and returns the query result to the processing module 320.
To ensure communication between the processing module 320 and the client, the physical authentication device 300 further comprises a communication interface module 360, connected to the processing module 320, which carries the information exchange between the processing module 320 and the client.
The communication interface module 360 may be a USB (Universal Serial Bus) module, a high-speed serial interface (HSSI) module, a parallel interface module, a FireWire (IEEE 1394) interface module, or the like.
The physical authentication module 330 comprises a physical authentication actuator 3301 and an authentication comparison module 3302;
The physical authentication actuator 3301, which includes a fingerprint collector, an iris collector, a button device, a toggle switch device and the like, is connected to the processing module; it receives the physical authentication information entered by the user and sends it to the authentication comparison module;
The authentication comparison module 3302 compares the physical authentication information entered by the user with the stored physical authentication information and obtains the authentication result.
The physical authentication module 330 comprises a biometric recognition module and/or an operation-feature recognition module.
To remind the user to enter authentication information, the physical authentication device 300 further comprises a physical authentication prompt module 370, connected to the processing module, which prompts the user to perform physical authentication on the physical authentication module.
The physical authentication prompt module 370 comprises one or a combination of the following:
A sound-producing device, a light-emitting device, a vibrating device.
The sound-producing device may be a buzzer, a voice device or the like; the light-emitting device may be a light-emitting diode.
The data storage module 350 is connected to the processing module and may be EPROM, EEPROM, a smart card chip, non-volatile memory (NAND flash), a hard disk, a portable hard drive or the like; it stores user data and application data. In the device of the present invention, the communication interface module 360, the operation control list storage module 3101, the operation control list query module 3102 and the operation module 340 may be located partly or entirely within the processing module, and the physical authentication prompt module 370 may also be omitted, depending on the physical authentication prompt mode described in the operation control list.
An embodiment of the physical authentication method of the present invention is described below.
To bind the legitimate user to the physical authentication device, the present invention proposes the operation control list shown in Table 1.
Table 1. Structure of the operation control list

| Key identifier | Operation instruction | Physical authentication operation | Valid-operation judgment rule | Storage location of biometric comparison data | Maximum wait time | Validity end date | Physical authentication prompt mode |
|---|---|---|---|---|---|---|---|
| 0x01 | Data encryption | Press button | Number of key presses = N (N ≥ 1) | / | M milliseconds (M ≥ 1) | YY-MM-DD | Client |
| 0x01 | Data decryption | Toggle position switch | Switch is moved from point A to point B, then back to point A | / | M milliseconds (M ≥ 1) | YY-MM-DD | Light flash |
| 0x02 | Digital signature | Fingerprint comparison | Comparison matches | EF10 file in the smart card chip | M milliseconds (M ≥ 1) | YY-MM-DD | Sound prompt |
| 0x03 | Data decryption | Press button | Number of key presses = N (N ≥ 1) | / | M milliseconds (M ≥ 1) | YY-MM-DD | Client |
| 0x04 | Read operation specified by SCSI | Press button | Number of key presses = N (N ≥ 1) | / | M milliseconds (M ≥ 1) | YY-MM-DD | Client |
| 0x05 | Write operation specified by SCSI | Press button | Number of key presses = N (N ≥ 1) | / | M milliseconds (M ≥ 1) | YY-MM-DD | Client |
Table 1 contains the key identifier, the operation instruction and the corresponding physical authentication mode. Operation instructions cover security operations and data reads/writes. A security operation may be data encryption, data decryption, digital signature, digital digest and so on; a data read/write may be a read/write operation specified by SCSI and so on. The physical authentication mode comprises operation-feature recognition authentication, biometric recognition authentication, or a combination of the two. Operation-feature recognition authentication includes pressing a button and toggling a position switch; biometric recognition authentication includes fingerprint comparison, pupil comparison, lip-feature authentication and so on.
Table 1 also contains the rule for judging whether a physical authentication operation is valid, such as the number of key presses.
Table 1 also contains the storage location of the biometric comparison data, such as the EF10 file in the smart card chip.
Table 1 also contains the maximum wait time or the validity end date.
The following examples illustrate how Table 1 is applied.
Within the validity period, when the client asks the physical authentication device to perform a data encryption operation with key 0x01, the device performs the encryption and returns the result to the client only after it has received 1 valid button press from the legitimate user within 500 milliseconds;
Similarly, within the validity period, when the client asks the physical authentication device to perform a data decryption operation with key 0x01, the device performs the decryption and returns the result to the client only after it has received 1 valid toggle of the position switch from the legitimate user within 500 milliseconds;
Within the validity period, when the client asks the physical authentication device to perform a data signature operation with key 0x02, the device performs the signature and returns the result to the client only after it has collected and compared the legitimate user's fingerprint within 1000 milliseconds and the comparison has succeeded.
Table 1 is only an example of an operation control list; it does not limit the correspondence between the security operations performed by the physical authentication device and the physical authentication operations provided by the legitimate user.
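The timing rules in the cases above, as an added example that is not part of the patent text: it checks a trace of input events against the "N presses" and "A to B, then back to A" rules inside the wait window. The event format, the result strings and the function names are assumptions made for the illustration.

```python
from typing import List, Tuple

# Constructed event format: (timestamp in ms, source, value).
Event = Tuple[int, str, str]

def in_window(events: List[Event], prompt_ms: int, max_wait_ms: int, source: str) -> List[str]:
    """Values from `source`, in time order, that fall inside the wait window.
    Input seen before the prompt or after the deadline is ignored."""
    deadline = prompt_ms + max_wait_ms
    return [v for t, s, v in sorted(events) if s == source and prompt_ms <= t <= deadline]

def check_button(events: List[Event], prompt_ms: int, max_wait_ms: int, required_presses: int) -> str:
    """Rule 'number of key presses = N (N >= 1)', evaluated at the deadline."""
    if required_presses < 1:
        raise ValueError("N must be at least 1")
    presses = in_window(events, prompt_ms, max_wait_ms, "button")
    if not presses:
        return "rejected:timeout"
    return "accepted" if len(presses) == required_presses else "rejected:wrong_count"

def check_toggle(events: List[Event], prompt_ms: int, max_wait_ms: int) -> str:
    """Rule 'switch moved from point A to point B, then back to point A'."""
    moves = in_window(events, prompt_ms, max_wait_ms, "switch")
    if not moves:
        return "rejected:timeout"
    return "accepted" if moves == ["B", "A"] else "rejected:wrong_sequence"

if __name__ == "__main__":
    # Constructed traces; the prompt is issued at t = 1000 ms.
    stale_then_valid = [(900, "button", "press"), (1200, "button", "press")]
    print(check_button(stale_then_valid, 1000, 500, 1))
    late_return = [(1100, "switch", "B"), (1600, "switch", "A")]
    print(check_toggle(late_return, 1000, 500))
```

A press that arrives before the prompt is not counted, so input buffered from an earlier request cannot satisfy a later one.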
As Table 1 shows, different keys performing the same operation may have different physical authentication modes: keys 0x01 and 0x03 are assigned different physical authentication modes for data decryption. In practice, it can also be arranged that one key requires a specific physical authentication mode for a data operation while other keys require no physical authentication for the same data operation. For example, a dial-up Internet login incurs charges and therefore affects the user, so this login requires the user's physical authentication to confirm that a legitimate user is logging in; logging in to a shopping website to browse goods incurs no charges and has little effect on the user, so for the user's convenience no physical authentication is required at that point, and physical authentication is performed only when paying for a purchase.
Fig. 2 is the flow chart of the physical authentication method of the present invention, which applies to a system in which the client executes operation instructions through the physical authentication device. It comprises the following steps:
100. The correspondence between keys, operation instructions and physical authentication modes is set in the physical authentication device;
101. The client sends an operation instruction; the physical authentication device receives the operation instruction sent by the client;
102. The physical authentication device determines the physical authentication mode corresponding to this operation instruction. In detail: the physical authentication device looks up the key used by the operation instruction and, according to the correspondence between keys, operation instructions and physical authentication modes, determines the physical authentication mode corresponding to this operation instruction.
The key used by the operation instruction is looked up as follows: the key is identified from the key identifier contained in the operation instruction, and key identifiers correspond one-to-one with the keys in the physical authentication device. For example, in the RSA private-key signature instruction CLA INS P1 P2 Lc DATA Le, P1P2 is the identifier of the private key; the key to be used can be determined from this identifier, and hence the corresponding physical authentication mode.
| Code | Length (bytes) | Value (hex) | Description |
|---|---|---|---|
| CLA | 1 | 80 | Instruction code |
| INS | 1 | C2 | Instruction code |
| P1P2 | 2 | XXXX | Private key file identifier |
| Lc | 1 | XX | Length of the data to be signed |
| DATA | XX | XX...XX | Data to be signed |
| Le | 1 | 80 | Expected length of the response data |
103. The user performs the physical authentication operation on the physical authentication mechanism according to the physical authentication mode;
104. Determine whether the physical authentication passes. If it passes, proceed to step 105; otherwise, the process ends;
105. The physical authentication device executes the operation instruction;
106. Save the result and exit; the process ends.
There are two or more keys, and the correspondence between keys, operation instructions and physical authentication modes forms a two-dimensional operation control list; the key, the operation instruction and the corresponding physical authentication mode are set in the operation control list.
The operation control list is a two-dimensional table. Its columns correspond to the key, the operation instruction associated with the key, and the physical authentication mode; its rows correspond to the different keys, each with its associated operation instruction and physical authentication mode.
The operation control list also contains the rule for judging whether a physical authentication operation is valid.
The operation control list also contains the maximum wait time or the validity end date of the physical authentication operation.
In step 101, the operation instruction comprises a security operation command and/or a data read/write command;
The security operation commands include data encryption, data decryption, digital signature and digital digest;
The data read/write commands include the read and write commands specified by SCSI (Small Computer System Interface).
In steps 102 and 103, the physical authentication mode comprises biometric authentication and/or operation-feature authentication.
Biometric authentication includes fingerprint-feature authentication, pupil-feature authentication or lip-feature authentication.
Operation-feature authentication includes a button operation or a toggle switch operation.
Step 103 further comprises the following steps:
1031. The user submits physical authentication information to the physical authentication actuator;
1032. The physical authentication actuator receives the physical authentication information and compares it with the corresponding stored physical authentication information. If they match, proceed to step 1033; if not, proceed to step 1034;
1033. The user passes physical authentication;
1034. The user is refused and does not pass physical authentication.
To remind the user to enter authentication information, step 102 further comprises a step of sending physical authentication prompt information to the user.
The physical authentication prompt information is a sound prompt, a tactile prompt or a visual prompt.
The solution of the present invention is illustrated below with the security operation instruction flow of a specific physical authentication device.
Embodiment 1:
Fig. 3 is the flow chart of Embodiment 1, showing the process by which a user performs a security operation using the present invention. As the figure shows, it mainly comprises the following steps:
S11. The client sends a security operation instruction to the physical authentication device;
S12. The physical authentication device searches the operation control list for the key used by the security operation instruction;
S13. The physical authentication device determines whether this key has a corresponding operation control record. If so, proceed to step S14; if not, proceed to step S17;
S14. The physical authentication device extracts the physical authentication mode information from the operation control record;
S15. The physical authentication device returns the physical authentication information to the client, and the client prompts the user to perform the corresponding physical authentication;
S16. The physical authentication device determines whether the physical authentication passes. If so, proceed to step S17; if not, proceed to step S19;
S17. The physical authentication device executes the security operation instruction;
S18. The physical authentication device returns the operation result to the client; end;
S19. The physical authentication device returns an error message to the client; end.
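The key lookup from P1P2 described for step 102 and the decision flow S11 to S19 above, as an added example that is not part of the patent text. It assumes that Table 1's one-byte key identifiers are carried in the two-byte P1P2 field, that an expired record blocks the operation, and a hypothetical `physical_auth` callback; `fail_closed` is an added option, since the flow on the page executes the command when the key has no record.

```python
from datetime import date
from typing import NamedTuple

class ControlRecord(NamedTuple):
    auth_mode: str      # physical authentication operation
    max_wait_ms: int    # maximum wait time
    valid_until: date   # validity end date
    prompt: str         # physical authentication prompt mode

# Constructed rows modelled on Table 1. Wait times follow the worked cases in
# the text; the dates are placeholders (the table only says "YY-MM-DD").
CONTROL_LIST = {
    (0x0001, "data_encryption"): ControlRecord("press_button", 500, date(2099, 12, 31), "client"),
    (0x0001, "data_decryption"): ControlRecord("toggle_switch", 500, date(2099, 12, 31), "light_flash"),
    (0x0002, "digital_signature"): ControlRecord("fingerprint", 1000, date(2099, 12, 31), "sound"),
}

# Only the signature instruction (CLA 80, INS C2) is given on the page.
SIGN_CLA, SIGN_INS = 0x80, 0xC2

class ApduError(ValueError):
    """The command does not have the CLA INS P1 P2 Lc DATA Le shape."""

def build_sign_apdu(key_id: int, data: bytes, le: int = 0x80) -> bytes:
    """Client side: encode a signature command for key file `key_id`."""
    if not 0 <= key_id <= 0xFFFF or len(data) > 0xFF:
        raise ApduError("key_id must fit P1P2 and DATA must fit a one-byte Lc")
    return bytes([SIGN_CLA, SIGN_INS, key_id >> 8, key_id & 0xFF, len(data)]) + data + bytes([le])

def parse_sign_apdu(apdu: bytes):
    """Device side: return (key_id, operation, data) or raise ApduError."""
    if len(apdu) < 6:
        raise ApduError("shorter than header + Lc + Le")
    cla, ins, p1, p2, lc = apdu[:5]
    if (cla, ins) != (SIGN_CLA, SIGN_INS):
        raise ApduError("unsupported CLA/INS")
    if len(apdu) != 5 + lc + 1:
        raise ApduError("Lc does not match the length of DATA")
    return (p1 << 8) | p2, "digital_signature", apdu[5:5 + lc]

def handle_command(apdu: bytes, today: date, physical_auth, fail_closed: bool = False) -> str:
    """Steps S12 to S19. `physical_auth(record) -> bool` stands in for the
    physical authentication module (hypothetical callback)."""
    key_id, operation, _data = parse_sign_apdu(apdu)
    record = CONTROL_LIST.get((key_id, operation))       # S12
    if record is None:                                   # S13
        # The page's flow goes straight to S17 (execute) when no record
        # exists; fail_closed is an added option that refuses instead.
        return "denied:no_record" if fail_closed else "executed:no_auth_required"
    if today > record.valid_until:
        return "denied:record_expired"                   # assumption, see lead-in
    if not physical_auth(record):                        # S14 to S16
        return "denied:physical_auth_failed"             # S19
    return "executed:" + record.auth_mode                # S17, S18

if __name__ == "__main__":
    today = date(2024, 1, 1)                             # constructed date
    print(handle_command(build_sign_apdu(0x0002, b"constructed message"), today, lambda rec: True))
    print(handle_command(build_sign_apdu(0x0009, b"x"), today, lambda rec: True))
```

Because a key with no record skips physical authentication in the page's flow, a missing or deleted row silently removes the check for that key; the `fail_closed` branch shows the stricter alternative.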
In actual use, the operation control list can be modified, added to or deleted from as required, so that physical authentication can be controlled more flexibly. The process of modifying the operation control list is briefly described below.
Fig. 4 is the flow chart for modifying the operation control list.
As the figure shows, modifying the operation control list mainly comprises the following steps:
S201. The trusted server generates a data packet containing the specified key, the specified operation instruction and the specified physical authentication mode, and encrypts it;
S202. The trusted server sends the encrypted data packet to the physical authentication device by means of a special instruction;
S203. The physical authentication device decrypts the received data packet and modifies the operation control list;
S204. The physical authentication device generates a response data packet and encrypts it;
S205. The physical authentication device sends the encrypted data packet to the trusted server by means of a special instruction;
S206. The trusted server receives the data packet, determines whether it matches the data packet that was sent, and sets the trust state of the physical authentication device;
S207. Modification of the operation control list ends.