CN100576796C - Carry out the system and method for safety identification authentication on the net in the banking system - Google Patents

Carry out the system and method for safety identification authentication on the net in the banking system Download PDF

Info

Publication number
CN100576796C
CN100576796C CN200710120049A CN200710120049A CN100576796C CN 100576796 C CN100576796 C CN 100576796C CN 200710120049 A CN200710120049 A CN 200710120049A CN 200710120049 A CN200710120049 A CN 200710120049A CN 100576796 C CN100576796 C CN 100576796C
Authority
CN
China
Prior art keywords
time
dynamic password
terminal apparatus
client terminal
coordinate
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN200710120049A
Other languages
Chinese (zh)
Other versions
CN101119202A (en
Inventor
伊劲松
熊俊
张建平
曾凯
文卫华
王凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC filed Critical Industrial and Commercial Bank of China Ltd ICBC
Priority to CN200710120049A priority Critical patent/CN100576796C/en
Publication of CN101119202A publication Critical patent/CN101119202A/en
Application granted granted Critical
Publication of CN100576796C publication Critical patent/CN100576796C/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention discloses the method for carrying out safety identification authentication in a kind of banking system on the net, comprising: service generator dynamic password coordinate for the first time returns to client terminal apparatus; Client terminal apparatus is to the security service device input dynamic password first time, and whether dynamic password is correct for the first time for the judgement of security service device, if correct, passes through information to the service generator transmission verifying dynamic password first time; The service generator receives that for the first time verifying dynamic password is by information, and the dynamic password coordinate returns to client terminal apparatus for the second time, and client terminal apparatus is to security service device input dynamic password for the second time; The security service device judges whether the dynamic password second time of client terminal apparatus input is correct, if correct, then sends authenticating passing information to client terminal apparatus.The present invention discloses the system that carries out safety identification authentication in a kind of banking system on the net.Utilize the present invention, improved the fail safe of bank system of web.

Description

Carry out the system and method for safety identification authentication on the net in the banking system
Technical field
The present invention relates to identity identifying technology field in the information system, relate in particular to the system and method that carries out safety identification authentication in a kind of banking system on the net.
Background technology
Along with developing rapidly of Web bank, the client is also more and more higher to the requirement of internet bank trade security.The present method that improves internet bank trade security has varied, and dynamic password card is exactly a kind of mode wherein comparatively commonly used.
As shown in Figure 1, Fig. 1 is the schematic diagram of present dynamic password card.Dynamic password card is equivalent to a kind of dynamic Web bank password, form with matrix on the dynamic password card is printed on some character strings, the client is when using payment transactions such as Web bank externally transfers accounts, B2C does shopping, pay the fees, bank system of web generally can provide two password card coordinates at random, for example password card coordinate A1 and B2, A1 correspondence " 223 " wherein, B2 correspondence " 334 ", the client finds password combination " 223 " and " 334 " according to password card coordinate A1 and B2 from dynamic password card, and is input in the bank system of web.Have only when password combination " 223 " and " 334 " and all import when correct, the client just can finish relationship trading.
This password combination is dynamic change, and the password of input was all different when the user used at every turn, promptly loses efficacy after the closing the transaction, thereby can stop the lawless person by stealing client's static password theft of funds, ensures Web bank's safety.
Along with constantly popularizing and the continuous development of network technology of dynamic password card, the part lawless person utilizes client's awareness of safety weakness at present, be unfamiliar with weakness such as bank paying flow process, gain client's dynamic password card information by cheating, make clients fund have potential safety hazard by means such as false websites.Present dynamic password cassette implementation faces following risk:
(1) attacks by continuing to refresh the password card coordinate.The lawless person is at first by extracting the login of client's Net silver card number, login password and some groups of dynamic password coordinate figures on false website, on true website, constantly refresh the dynamic password coordinate then, until the dynamic password coordinate figure corresponding dynamic password coordinate that on true website, occurs defrauding of with it, the dynamic password coordinate figure input client Net silver account of then it being defrauded of realizes the rogue attacks to client's Net silver account.For example, after the client signs in to false website, can allow the client import two coordinate figures of A1, B2, the lawless person signs in to true website (prerequisite is login card number and the login password that the lawless person has obtained the client) more then, constantly refresh coordinate, occurring requiring the coordinate of input up to the page is A1, B2, then with two coordinate figure inputs of A1, B2 Net silver system of defrauding of.
(2) the go-between website is attacked.The lawless person makes false e-commerce website, and lure the client access fraudulent website, after stealing Web bank's login password of client, login client Net silver obtains one group of current dynamic password coordinate (for example A1, B2), and this coordinate is placed in the fraudulent website, require the client to input corresponding password card coordinate password (being the dynamic password coordinate figure), behind the password card coordinate password that obtains client's input, lawless person's immediate operation client Net silver is transferred accounts at short notice, causes the client to lose.
Therefore, the mode of at present carrying out safety identification authentication by the dynamic password card mode is badly in need of transforming.
Summary of the invention
(1) technical problem that will solve
In view of this, one object of the present invention is to provide the system that carries out safety identification authentication in a kind of banking system on the net, carries out the low deficiency of fail safe that authentication exists to overcome present dynamic password card mode, improves the fail safe of bank system of web.
Another object of the present invention is to provide the method for carrying out safety identification authentication in a kind of banking system on the net, carries out the low deficiency of fail safe that authentication exists to overcome present dynamic password card mode, improves the fail safe of bank system of web.
(2) technical scheme
For reaching an above-mentioned purpose, the invention provides the system that carries out safety identification authentication in a kind of banking system on the net, this system comprises at least:
Data administrator is used for the service data base management system, deposits Web bank's dynamic password card secure data and authentication information, and is responsible for the client access management after authentication is passed through;
The service generator be used for obtaining dynamic password coordinate for the first time according to the transaction request that is received from client terminal apparatus from data administrator, and the dynamic password coordinate first time that will obtain returns to client terminal apparatus; And obtain for the second time dynamic password coordinate from data administrator at the verifying dynamic password first time that receives security service device input after by information, and the dynamic password coordinate second time that will obtain returns to client terminal apparatus;
The security service device, be used to receive the dynamic password and the dynamic password for the second time first time of client terminal apparatus input, judge client terminal apparatus input for the first time dynamic password and for the second time time of dynamic password whether overtime, and judge for the first time dynamic password and whether dynamic password is correct for the second time according to the dynamic password that obtains from data administrator, send for the first time to the service generator when confirming that dynamic password is correct for the first time verifying dynamic password sends authenticating passing information to client terminal apparatus by information when confirming that dynamic password is correct for the second time;
Network security device is used to protect the safety of Intranet, prevents that disabled user in the public network is to the visit and the attack of internal network;
Client terminal apparatus is used for being connected to service generator or security service device by network security device, realizes the mutual of service generator or security service device and client.
In the such scheme, described data administrator, service generator and security service device are connected in network security device by internal network;
Described internal network is Ethernet Ethernet, or is LAN Fiber Distributed Data Interface FDDI or token ring Token-Ring, is used to realize described data administrator, serves the communication between generator and the security service device.
In the such scheme, described network security device is a fire compartment wall, is connected with client terminal apparatus by public network; Described public network is the Internet or extranet network.
In the such scheme, described service generator is when the first time that will obtain, the dynamic password coordinate returned to client terminal apparatus, be further used for sending a timing start information to the security service device, the security service device picks up counting after receiving this timing start information, if timing reaches dynamic password coordinate effective time predefined first time, client terminal apparatus still the dynamic password first time of input dynamic password or client terminal apparatus input for the first time be still wrong, then overtime to client terminal apparatus prompting transaction, and to service generator transmission instruction, indication service generator sends the new dynamic password coordinate first time to client terminal apparatus again, the dynamic password coordinate first time before this new dynamic password coordinate first time is different from, the service generator obtains this new dynamic password coordinate first time according to the instruction that receives from data administrator, and this new dynamic password coordinate first time that will obtain returns to client terminal apparatus; If at predefined this of dynamic password coordinate in effective time, the security service device receives the correct dynamic password first time of client terminal apparatus input new first time, then sending for the first time to the service generator, verifying dynamic password passes through information.
In the such scheme, described security service device is further used for setting the threshold value of client terminal apparatus to the security service device input dynamic password number of times first time, if the security service device judges that the dynamic password first time of client terminal apparatus input is incorrect, then allow client terminal apparatus to import the dynamic password first time of described prescribed threshold number of times, if the errors number of input reaches the number of times of described prescribed threshold, then lock the trading privilege of client Web bank on the same day, and automatically terminated locking at second day.
In the such scheme, when the second time that described service generator will obtain, the dynamic password coordinate returned to client terminal apparatus, be further used for sending a timing start information to the security service device, the security service device picks up counting after receiving this timing start information, if timing reaches dynamic password coordinate effective time predefined second time, client terminal apparatus still the dynamic password second time of input dynamic password or client terminal apparatus input for the second time be still wrong, then overtime to client terminal apparatus prompting transaction, and to service generator transmission instruction, indication service generator sends the new dynamic password coordinate first time to client terminal apparatus again, the dynamic password coordinate first time before this new dynamic password coordinate first time is different from, the service generator obtains this new dynamic password coordinate first time according to the instruction that receives from data administrator, and this new dynamic password coordinate first time that will obtain returns to client terminal apparatus; If at predefined second time of dynamic password coordinate in effective time, the security service device receives the correct dynamic password second time of client terminal apparatus input, then sends authenticating passing information to client terminal apparatus.
In the such scheme, described security service device is further used for setting the threshold value of client terminal apparatus to the security service device input dynamic password number of times second time, if the security service device judges that the dynamic password second time of client terminal apparatus input is incorrect, then allow client terminal apparatus to import the dynamic password second time of described prescribed threshold number of times, if the errors number of input reaches the number of times of described prescribed threshold, then lock the trading privilege of client Web bank on the same day, and automatically terminated locking at second day.
For reaching above-mentioned another purpose, the invention provides the method for carrying out safety identification authentication in a kind of banking system on the net, carry out the system of safety identification authentication in the banking system on the net that is applied to comprise data administrator at least, serve generator, security service device and client terminal apparatus, this method comprises:
A, client terminal apparatus send transaction request to the service generator, and the service generator obtains dynamic password coordinate for the first time according to the transaction request that receives from data administrator;
The dynamic password coordinate first time that B, service generator will obtain returns to client terminal apparatus, and client terminal apparatus is imported dynamic password for the first time according to the dynamic password coordinate first time that receives to the security service device;
C, security service device judge whether the dynamic password first time of client terminal apparatus input is correct, if correct, then sending for the first time to the service generator, verifying dynamic password passes through information;
D, service generator receive for the first time, and verifying dynamic password obtain dynamic password coordinate for the second time from data administrator, and the dynamic password coordinate second time that will obtain returns to client terminal apparatus by information;
E, client terminal apparatus are imported dynamic password for the second time according to the dynamic password coordinate second time that receives to the security service device;
F, security service device judge whether the dynamic password second time of client terminal apparatus input is correct, if correct, then send authenticating passing information to client terminal apparatus.
In the such scheme, preestablish for the first time dynamic password coordinate effective time, described in the step B service generator will obtain the first time, the dynamic password coordinate returned to client terminal apparatus the time, further send a timing start information to the security service device, this method further comprises: the security service device picks up counting after receiving this timing start information, if timing reaches dynamic password coordinate effective time predefined first time, client terminal apparatus still the dynamic password first time of input dynamic password or client terminal apparatus input for the first time be still wrong, then overtime to client terminal apparatus prompting transaction, and to service generator transmission instruction, indication service generator sends the new dynamic password coordinate first time to client terminal apparatus again, the dynamic password coordinate first time before this new dynamic password coordinate first time is different from, the service generator obtains this new dynamic password coordinate first time according to the instruction that receives from data administrator, and transfers execution in step B; If at predefined this of dynamic password coordinate in effective time new first time, the security service device receives the correct dynamic password first time of client terminal apparatus input, then sends for the first time to the service generator that verifying dynamic password passes through information described in the execution in step C.
In the such scheme, further set the threshold value of client terminal apparatus to the security service device input dynamic password number of times first time, if the security service device judges that the dynamic password first time of client terminal apparatus input is incorrect among the step C, then allow client terminal apparatus to import the dynamic password first time of described prescribed threshold number of times, if the errors number of input reaches the number of times of described prescribed threshold, then lock the trading privilege of client Web bank on the same day, and automatically terminated locking at second day.
In the such scheme, preestablish for the second time dynamic password coordinate effective time, described in the step D service generator will obtain the second time, the dynamic password coordinate returned to client terminal apparatus the time, further send a timing start information to the security service device, this method further comprises: the security service device picks up counting after receiving this timing start information, if timing reaches dynamic password coordinate effective time predefined second time, client terminal apparatus still the dynamic password second time of input dynamic password or client terminal apparatus input for the second time be still wrong, then overtime to client terminal apparatus prompting transaction, and to service generator transmission instruction, indication service generator sends the new dynamic password coordinate first time to client terminal apparatus again, the dynamic password coordinate first time before this new dynamic password coordinate first time is different from, the service generator obtains this new dynamic password coordinate first time according to the instruction that receives from data administrator, and transfers execution in step B; If at predefined second time of dynamic password coordinate in effective time, the security service device receives the correct dynamic password second time of client terminal apparatus input, then sends authenticating passing information to client terminal apparatus described in the execution in step F.
In the such scheme, further set the threshold value of client terminal apparatus to the security service device input dynamic password number of times second time, if the security service device judges that the dynamic password second time of client terminal apparatus input is incorrect in the step F, then allow client terminal apparatus to import the dynamic password second time of described prescribed threshold number of times, if the errors number of input reaches the number of times of described prescribed threshold, then lock the trading privilege of client Web bank on the same day, and automatically terminated locking at second day.
(3) beneficial effect
From technique scheme as can be seen, the present invention has following beneficial effect:
1, carries out the system and method for safety identification authentication in this banking system on the net provided by the invention, on the basis of the present dynamic password card implementation of further investigation, by present dynamic password card implementation is improved, adopt the mode of secondary challenge, avoided continuing to refresh attack of password card coordinate and the attack of go-between website, improved Web bank's safety in utilization greatly.
2, carry out the system and method for safety identification authentication in this banking system on the net provided by the invention, can defend to continue to refresh the coordinate attack pattern, promoted the fail safe that dynamic password card uses effectively.The present invention increases by the expectation coordinate probability possibility that challenge for the first time appears in the mode that refreshes the password card coordinate, but after correct input is challenged coordinate for the first time, the hacker can't obtain another expectation coordinate again by the mode that refreshes coordinate, if the coordinate of challenge is not in the hacker grasps scope for the second time, at second password card coordinate in effective time, the hacker can't finish transaction, overtime after, restart to carry out the process of another secondary challenge.
3, carry out the system and method for safety identification authentication in this banking system on the net provided by the invention, can defend go-between website attack pattern, promoted the fail safe that dynamic password card uses effectively.At present the attack means that adopts of hacker is that mode and client with the fake site customer service gets in touch, the client can not show correct password card coordinate when comprising the password card coordinate payment page in the login fraudulent website usually immediately, " contact staff " revises the password card coordinate of website after obtaining information after, require the client to refresh the payment page again, gain user's input and intercepting by cheating.And adopt secondary challenge scheme provided by the invention can require to carry out the challenge response second time, increased complexity, " contact staff " of fraudulent website need intercepting client input in the extremely short time (being generally 2 minutes) the input of password card password, the coordinate that obtains challenge for the second time, change fraudulent website webpage, gain the client by cheating and input once more, obtain just can finish once after secondary challenge password and the input and conclude the business, the difficulty that manual type is finished is bigger, therefore threatens less relatively.
4, carry out the system and method for safety identification authentication in this banking system on the net provided by the invention, cheap to present bank system of web improvement cost, compatible strong, need not carry out great change to the existing once dynamic password card implementation of challenge, realize that cost is low.
5, carry out the system and method for safety identification authentication in this banking system on the net provided by the invention, do not need the medium of password card is redesigned, can use the dynamic password card media of once challenging mode fully, use with the dynamic password card of existing once challenge is compatible.
Description of drawings
Fig. 1 is the schematic diagram of present dynamic password card;
Fig. 2 is for carrying out the structured flowchart of safety identification authentication system in the banking system on the net provided by the invention;
Fig. 3 is for carrying out the method flow diagram of safety identification authentication in the banking system on the net provided by the invention;
Fig. 4 is for carrying out the method flow diagram of safety identification authentication on the net in the banking system according to the embodiment of the invention;
Fig. 5 is the interface schematic diagram of step 408 among Fig. 4.
Embodiment
For making the purpose, technical solutions and advantages of the present invention clearer, below in conjunction with specific embodiment, and with reference to accompanying drawing, the present invention is described in more detail.
The present invention is on the basis of the present dynamic password card implementation of further investigation, by present dynamic password card implementation is improved, adopt the mode of secondary challenge, avoided continuing to refresh attack of password card coordinate and the attack of go-between website, improved Web bank's safety in utilization greatly.
As shown in Figure 2, Fig. 2 is for carrying out the structured flowchart of safety identification authentication system in the banking system on the net provided by the invention, and this system comprises data administrator 1, service generator 2, security service device 3, network security device 4 and client terminal apparatus 5.
Wherein, data administrator 1 is used for the service data base management system, deposits Web bank's dynamic password card secure data and authentication information, and is responsible for the client access management after authentication is passed through.Data administrator 1 can be a PC server or main frame, the card number that Net silver dynamic password card secure data of depositing and authentication information comprise the dynamic password card at least, deck mark sequence number, deck scale value etc.
Service generator 2 is used for obtaining dynamic password coordinate for the first time according to the transaction request that is received from client terminal apparatus 5 from data administrator 1, and the dynamic password coordinate first time that will obtain returns to client terminal apparatus 5; And obtain for the second time dynamic password coordinate from data administrator 1 at the verifying dynamic password first time that receives security service device 3 input after by information, and the dynamic password coordinate second time that will obtain returns to client terminal apparatus 5.Service generator 2 can be a Web Application Server, carries out alternately with the client.
Security service device 3 is used to receive the dynamic password and the dynamic password for the second time first time of client terminal apparatus 5 inputs, judge client terminal apparatus 5 input for the first time dynamic passwords and for the second time time of dynamic password whether overtime, and judge for the first time dynamic password and whether dynamic password is correct for the second time according to the dynamic password that obtains from data administrator 1, send for the first time to service generator 2 when confirming that dynamic password is correct for the first time verifying dynamic password sends authenticating passing information to client terminal apparatus 5 by information when confirming that dynamic password is correct for the second time.Security service device 4 can be a Security Authentication Service device, is used to judge whether the dynamic password that the client imports is correct.
Network security device 4 is used to protect the safety of Intranet, prevents that disabled user in the public network is to the visit and the attack of internal network.
Client terminal apparatus 5 is used for being connected to service generator 2 or security service device 3 by network security device 4, realizes the mutual of service generator 2 or security service device 3 and client.
Above-mentioned data administrator, service generator and security service device are connected in network security device by internal network.Internal network can be Ethernet (Ethernet), or is Fiber Distributed Data Interface (FDDI) or token ring LAN such as (Token-Ring), is used to realize described data administrator, serves the communication between generator and the security service device.
Above-mentioned network security device is a fire compartment wall, is connected with client terminal apparatus by public network.Described public network can be the Internet or extranet network etc.
Above-mentioned service generator is when the first time that will obtain, the dynamic password coordinate returned to client terminal apparatus, be further used for sending a timing start information to the security service device, the security service device picks up counting after receiving this timing start information, if timing reaches dynamic password coordinate effective time predefined first time, client terminal apparatus still the dynamic password first time of input dynamic password or client terminal apparatus input for the first time be still wrong, then overtime to client terminal apparatus prompting transaction, and to service generator transmission instruction, indication service generator sends the new dynamic password coordinate first time to client terminal apparatus again, the dynamic password coordinate first time before this new dynamic password coordinate first time is different from, the service generator obtains this new dynamic password coordinate first time according to the instruction that receives from data administrator, and this new dynamic password coordinate first time that will obtain returns to client terminal apparatus; If at predefined this of dynamic password coordinate in effective time, the security service device receives the correct dynamic password first time of client terminal apparatus input new first time, then sending for the first time to the service generator, verifying dynamic password passes through information.
Above-mentioned security service device is further used for setting the threshold value of client terminal apparatus to the security service device input dynamic password number of times first time, if the security service device judges that the dynamic password first time of client terminal apparatus input is incorrect, then allow client terminal apparatus to import the dynamic password first time of described prescribed threshold number of times, if the errors number of input reaches the number of times of described prescribed threshold, then lock the trading privilege of client Web bank on the same day, and automatically terminated locking at second day.
When the second time that above-mentioned service generator will obtain, the dynamic password coordinate returned to client terminal apparatus, be further used for sending a timing start information to the security service device, the security service device picks up counting after receiving this timing start information, if timing reaches dynamic password coordinate effective time predefined second time, client terminal apparatus still the dynamic password second time of input dynamic password or client terminal apparatus input for the second time be still wrong, then overtime to client terminal apparatus prompting transaction, and to service generator transmission instruction, indication service generator sends the new dynamic password coordinate second time to client terminal apparatus again, the dynamic password coordinate second time before this new dynamic password coordinate second time is different from, the service generator obtains this new dynamic password coordinate second time according to the instruction that receives from data administrator, and this new dynamic password coordinate second time that will obtain returns to client terminal apparatus; If at predefined this of dynamic password coordinate in effective time, the security service device receives the correct dynamic password second time of client terminal apparatus input, then sends authenticating passing information to client terminal apparatus new second time.
Above-mentioned security service device is further used for setting the threshold value of client terminal apparatus to the security service device input dynamic password number of times second time, if the security service device judges that the dynamic password second time of client terminal apparatus input is incorrect, then allow client terminal apparatus to import the dynamic password second time of described prescribed threshold number of times, if the errors number of input reaches the number of times of described prescribed threshold, then lock the trading privilege of client Web bank on the same day, and automatically terminated locking at second day.
Based on the structured flowchart that carries out the safety identification authentication system in the banking system on the net shown in Figure 2, the method for carrying out safety identification authentication in the banking system on the net provided by the invention is elaborated below in conjunction with Fig. 3.
As shown in Figure 3, Fig. 3 is for carrying out the method flow diagram of safety identification authentication in the banking system on the net provided by the invention, and this method may further comprise the steps:
Step 301: client terminal apparatus sends transaction request to the service generator, and the service generator obtains dynamic password coordinate for the first time according to the transaction request that receives from data administrator;
Step 302: the dynamic password coordinate first time that the service generator will obtain returns to client terminal apparatus, and client terminal apparatus is imported dynamic password for the first time according to the dynamic password coordinate first time that receives to the security service device;
Step 303: the security service device judges whether the dynamic password first time of client terminal apparatus input is correct, if correct, then sending for the first time to the service generator, verifying dynamic password passes through information;
Step 304: the service generator receives for the first time that verifying dynamic password obtain dynamic password coordinate for the second time from data administrator, and the dynamic password coordinate second time that will obtain returns to client terminal apparatus by information;
Step 305: client terminal apparatus is imported dynamic password for the second time according to the dynamic password coordinate second time that receives to the security service device;
Step 306: the security service device judges whether the dynamic password second time of client terminal apparatus input is correct, if correct, then sends authenticating passing information to client terminal apparatus.
In the method for carrying out safety identification authentication shown in Figure 3, the present invention can also preestablish for the first time dynamic password coordinate effective time, at this moment, described in the step 302 service generator will obtain the first time, the dynamic password coordinate returned to client terminal apparatus the time, further send a timing start information to the security service device, this method further comprises: the security service device picks up counting after receiving this timing start information, if timing reaches dynamic password coordinate effective time predefined first time, client terminal apparatus still the dynamic password first time of input dynamic password or client terminal apparatus input for the first time be still wrong, then overtime to client terminal apparatus prompting transaction, and to service generator transmission instruction, indication service generator sends the new dynamic password coordinate first time to client terminal apparatus again, the dynamic password coordinate first time before this new dynamic password coordinate first time is different from, the service generator obtains this new dynamic password coordinate first time according to the instruction that receives from data administrator, and transfers execution in step 302; If at predefined first time of dynamic password coordinate in effective time, the security service device receives the correct dynamic password first time of client terminal apparatus input, then sends for the first time to the service generator that verifying dynamic password passes through information described in the execution in step 303.
In the method for carrying out safety identification authentication shown in Figure 3, perhaps in the method for the above-mentioned safety identification authentication that preestablishes dynamic password coordinate for the first time effective time, the present invention can also further set the threshold value of client terminal apparatus to the security service device input dynamic password number of times first time, if the security service device judges that the dynamic password first time of client terminal apparatus input is incorrect in the step 303, then allow client terminal apparatus to import the dynamic password first time of described prescribed threshold number of times, if the errors number of input reaches the number of times of described prescribed threshold, then lock the trading privilege of client Web bank on the same day, and automatically terminated locking at second day.
In the method for carrying out safety identification authentication shown in Figure 3, the present invention can also preestablish for the second time dynamic password coordinate effective time, described in the step 304 service generator will obtain the second time, the dynamic password coordinate returned to client terminal apparatus the time, further send a timing start information to the security service device, this method further comprises: the security service device picks up counting after receiving this timing start information, if timing reaches dynamic password coordinate effective time predefined second time, client terminal apparatus still the dynamic password second time of input dynamic password or client terminal apparatus input for the second time be still wrong, then overtime to client terminal apparatus prompting transaction, and to service generator transmission instruction, indication service generator sends the new dynamic password coordinate second time to client terminal apparatus again, the service generator obtains this new dynamic password coordinate second time according to the instruction that receives from data administrator, and transfers execution in step 302; If at predefined this of dynamic password coordinate in effective time new second time, the security service device receives the correct dynamic password second time of client terminal apparatus input, then sends authenticating passing information to client terminal apparatus described in the execution in step 306.
In the method for carrying out safety identification authentication shown in Figure 3, perhaps in the method for the above-mentioned safety identification authentication that preestablishes dynamic password coordinate for the second time effective time, the present invention can also further set the threshold value of client terminal apparatus to the security service device input dynamic password number of times second time, if the security service device judges that the dynamic password second time of client terminal apparatus input is incorrect in the step 306, then allow client terminal apparatus to import the dynamic password second time of described prescribed threshold number of times, if the errors number of input reaches the number of times of described prescribed threshold, then lock the trading privilege of client Web bank on the same day, and automatically terminated locking at second day.
Based on the method flow diagram that carries out safety identification authentication in the described banking system on the net of Fig. 3, the method that the present invention carries out safety identification authentication on the net in the banking system is further described below in conjunction with specific embodiment.
Embodiment
In the present embodiment, sending the IP packet that receives with the base station is example, further specifies detailed method and step that the base station obtains management connecting identification of wireless station in conjunction with the accompanying drawings.
As shown in Figure 4, Fig. 4 is for carrying out the method flow diagram of safety identification authentication on the net in the banking system according to the embodiment of the invention, and this method may further comprise the steps:
Step 400: client terminal apparatus sends transaction request to the service generator, and the service generator receives the transaction request from client terminal apparatus;
Step 401: the service generator is checked processing to legitimacy, if legal, webpage representation is sent to client terminal apparatus;
Step 402: client terminal apparatus represents the page, reminds the client to import the payment card number;
Step 403: the service generator checks according to the payment card number of client's input whether the client is Net silver client and customer type;
Step 404: the service generator confirms that this client is the dynamic password card client, obtain dynamic password coordinate for the first time according to the transaction request that receives from data administrator, and the dynamic password coordinate first time that will obtain returns to client terminal apparatus;
Step 405: client terminal apparatus prompting client imports first dynamic password coordinate figure, after the client imports first dynamic password coordinate figure, client terminal apparatus is submitted to the security service device with first dynamic password coordinate figure of client's input, if the client is input at the appointed time not, the security service device is judged overtime, send instruction to the service generator, indication service generator sends the new dynamic password coordinate first time to client terminal apparatus again, the service generator obtains this new dynamic password coordinate first time from data administrator once more according to the instruction that receives, this new dynamic password coordinate first time that obtains is returned to client terminal apparatus, and execution in step 405 once more; If the client has imported dynamic password for the first time at the appointed time, then execution in step 406;
Step 406: the security service device judges whether the dynamic password first time of client terminal apparatus input is correct, if correct, then sends for the first time verifying dynamic password by information to the service generator, and execution in step 407; Otherwise, send instruction to the service generator, indication service generator sends dynamic password coordinate for the first time to client terminal apparatus again, the service generator obtains dynamic password coordinate for the first time from data administrator once more according to the instruction that receives, the dynamic password coordinate first time that obtains is returned to client terminal apparatus, and execution in step 405 once more;
Step 407: the service generator receives for the first time that verifying dynamic password obtain dynamic password coordinate for the second time from data administrator, and the dynamic password coordinate second time that will obtain returns to client terminal apparatus by information;
Step 408: client terminal apparatus prompting client imports second dynamic password coordinate figure at the appointed time and submits to the security service device, if the client is input at the appointed time not, the security service device is judged overtime, send instruction to the service generator, indication service generator sends the new dynamic password coordinate second time to client terminal apparatus again, the service generator obtains this new dynamic password coordinate second time from data administrator once more according to the instruction that receives, this new dynamic password coordinate second time that obtains is returned to client terminal apparatus, and execution in step 405 once more; If the client has imported dynamic password for the second time at the appointed time, then execution in step 409;
Step 409: the security service device judges whether second dynamic password of client terminal apparatus input be correct, if correct, then sends authenticating passing information to client terminal apparatus; Otherwise the authentication failure sends the safety identification authentication failure information to client terminal apparatus.
Fig. 5 is the interface schematic diagram of step 408 among Fig. 4, specifies as follows below:
Carry out the method for safety identification authentication in the banking system on the net provided by the invention, be also referred to as Web bank's password card secondary challenge method, can be divided into challenge for the first time and challenge two steps for the second time, the client has only two steps to reply successfully, could pay successfully.
At first, in challenge first time process, when the client carries out the payment of individual Web bank, system points out the password of input validation sign indicating number and first password card coordinate A correspondence at random, this moment, coordinate B did not have coordinate information (promptly second password coordinate do not show), if the client the password of defeated identifying code and password card coordinate A correspondence all correct, system shows second password coordinate.At first password card coordinate in effective time, if the client password input error then requires the client to re-enter; If surpass effective time, then point out the client " the password card password is overtime, please re-enter the password card password ", if the client proceeds transaction, will produce another new coordinate A at random, and the prompting client inputs corresponding password card coordinate A password.
Secondly, in challenge second time process, after challenge is passed through for the first time, system shows second password coordinate, and the prompting client inputs corresponding password card password once more, if password is correct and in the effective time of this password card coordinate, a subnormal authentication is finished in then secondary challenge success.At second password card coordinate in effective time, if the client password input error then points out the client to re-enter; If surpass effective time, then point out the client " the password card password is overtime; please re-enter password ", if the client proceeds transaction, will restart the process of a secondary challenge/reply, system will produce another new coordinate A at random, returns the process of challenge for the first time, carries out challenge first time process again.After challenge was passed through for the first time, system just showed second password coordinate, can effectively defend the attack of go-between website.
Secondary challenge method for challenge for the first time the password errors number, for the first time the challenge time overtime, challenge for the second time the password errors number, for the second time the challenge time overtime and for the second time the refreshing frequency limit carry out following control:
When (1) client challenges the number of times of inputing password by mistake for the first time and reaches stipulated number, this client's internet bank trade authority locking on the same day, second day automatic unlocking; When exceeding schedule time, the client inputs password again, system prompt client " it is overtime to conclude the business, and please resubmit ", and the client refreshes the page after determining, produces new coordinate at random.
When (2) client challenges the number of times of inputing password by mistake for the second time and reaches stipulated number, this client's internet bank trade authority locking on the same day, second day automatic unlocking; When exceeding schedule time, the client inputs password again, system prompt client " it is overtime to conclude the business, and please resubmit ", and system gets back to and for the first time challenges the page and refresh, and produces new coordinate at random.
(3) client challenges for the second time and does not input password and refresh coordinate continuously when surpassing stipulated number, and system lock client's login and trading privilege need be carried out password to the cabinet face by the client and be reset and can unlock.So just can defend to continue to refresh the password card coordinate attacks.
Above-described specific embodiment; purpose of the present invention, technical scheme and beneficial effect are further described; institute is understood that; the above only is specific embodiments of the invention; be not limited to the present invention; within the spirit and principles in the present invention all, any modification of being made, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.

Claims (12)

1, carry out the system of safety identification authentication in a kind of banking system on the net, it is characterized in that this system comprises at least:
Data administrator is used for the service data base management system, deposits Web bank's dynamic password card secure data and authentication information, and is responsible for the client access management after authentication is passed through;
The service generator be used for obtaining dynamic password coordinate for the first time according to the transaction request that is received from client terminal apparatus from data administrator, and the dynamic password coordinate first time that will obtain returns to client terminal apparatus; And obtain for the second time dynamic password coordinate from data administrator at the verifying dynamic password first time that receives security service device input after by information, and the dynamic password coordinate second time that will obtain returns to client terminal apparatus;
The security service device, be used to receive the dynamic password and the dynamic password for the second time first time of client terminal apparatus input, judge client terminal apparatus input for the first time dynamic password and for the second time time of dynamic password whether overtime, and judge for the first time dynamic password and whether dynamic password is correct for the second time according to the dynamic password that obtains from data administrator, send for the first time to the service generator when confirming that dynamic password is correct for the first time verifying dynamic password sends authenticating passing information to client terminal apparatus by information when confirming that dynamic password is correct for the second time;
Network security device is used to protect the safety of Intranet, prevents that disabled user in the public network is to the visit and the attack of internal network;
Client terminal apparatus is used for being connected to service generator or security service device by network security device, realizes the mutual of service generator or security service device and client.
2, carry out the system of safety identification authentication in the banking system on the net according to claim 1, it is characterized in that, described data administrator, service generator and security service device are connected in network security device by internal network;
Described internal network is Ethernet Ethernet, or is LAN Fiber Distributed Data Interface FDDI or token ring Token-Ring, is used to realize described data administrator, serves the communication between generator and the security service device.
3, carry out the system of safety identification authentication in the banking system on the net according to claim 1, it is characterized in that, described network security device is a fire compartment wall, is connected with client terminal apparatus by public network; Described public network is the Internet or extranet network.
4, carry out the system of safety identification authentication in the banking system on the net according to claim 1, it is characterized in that, described service generator is when the first time that will obtain, the dynamic password coordinate returned to client terminal apparatus, be further used for sending a timing start information to the security service device, the security service device picks up counting after receiving this timing start information, if timing reaches dynamic password coordinate effective time predefined first time, client terminal apparatus still the dynamic password first time of input dynamic password or client terminal apparatus input for the first time be still wrong, then overtime to client terminal apparatus prompting transaction, and to service generator transmission instruction, indication service generator sends the new dynamic password coordinate first time to client terminal apparatus again, the dynamic password coordinate first time before this new dynamic password coordinate first time is different from, the service generator obtains this new dynamic password coordinate first time according to the instruction that receives from data administrator, and this new dynamic password coordinate first time that will obtain returns to client terminal apparatus; If at predefined this of dynamic password coordinate in effective time, the security service device receives the correct dynamic password first time of client terminal apparatus input new first time, then sending for the first time to the service generator, verifying dynamic password passes through information.
5, carry out the system of safety identification authentication in the banking system on the net according to claim 1, it is characterized in that, described security service device is further used for setting the threshold value of client terminal apparatus to the security service device input dynamic password number of times first time, if the security service device judges that the dynamic password first time of client terminal apparatus input is incorrect, then allow client terminal apparatus to import the dynamic password first time of described prescribed threshold number of times, if the errors number of input reaches the number of times of described prescribed threshold, then lock the trading privilege of client Web bank on the same day, and automatically terminated locking at second day.
6, carry out the system of safety identification authentication in the banking system on the net according to claim 1, it is characterized in that, when the second time that described service generator will obtain, the dynamic password coordinate returned to client terminal apparatus, be further used for sending a timing start information to the security service device, the security service device picks up counting after receiving this timing start information, if timing reaches dynamic password coordinate effective time predefined second time, client terminal apparatus still the dynamic password second time of input dynamic password or client terminal apparatus input for the second time be still wrong, then overtime to client terminal apparatus prompting transaction, and to service generator transmission instruction, indication service generator sends the new dynamic password coordinate first time to client terminal apparatus again, the dynamic password coordinate first time before this new dynamic password coordinate first time is different from, the service generator obtains this new dynamic password coordinate first time according to the instruction that receives from data administrator, and this new dynamic password coordinate first time that will obtain returns to client terminal apparatus; If at predefined second time of dynamic password coordinate in effective time, the security service device receives the correct dynamic password second time of client terminal apparatus input, then sends authenticating passing information to client terminal apparatus.
7, carry out the system of safety identification authentication in the banking system on the net according to claim 1, it is characterized in that, described security service device is further used for setting the threshold value of client terminal apparatus to the security service device input dynamic password number of times second time, if the security service device judges that the dynamic password second time of client terminal apparatus input is incorrect, then allow client terminal apparatus to import the dynamic password second time of described prescribed threshold number of times, if the errors number of input reaches the number of times of described prescribed threshold, then lock the trading privilege of client Web bank on the same day, and automatically terminated locking at second day.
8, carry out the method for safety identification authentication in a kind of banking system on the net, carry out the system of safety identification authentication in the banking system on the net that is applied to comprise data administrator at least, serve generator, security service device and client terminal apparatus, it is characterized in that this method comprises:
A, client terminal apparatus send transaction request to the service generator, and the service generator obtains dynamic password coordinate for the first time according to the transaction request that receives from data administrator;
The dynamic password coordinate first time that B, service generator will obtain returns to client terminal apparatus, and client terminal apparatus is imported dynamic password for the first time according to the dynamic password coordinate first time that receives to the security service device;
C, security service device judge whether the dynamic password first time of client terminal apparatus input is correct, if correct, then sending for the first time to the service generator, verifying dynamic password passes through information;
D, service generator receive for the first time, and verifying dynamic password obtain dynamic password coordinate for the second time from data administrator, and the dynamic password coordinate second time that will obtain returns to client terminal apparatus by information;
E, client terminal apparatus are imported dynamic password for the second time according to the dynamic password coordinate second time that receives to the security service device;
F, security service device judge whether the dynamic password second time of client terminal apparatus input is correct, if correct, then send authenticating passing information to client terminal apparatus.
9, carry out the method for safety identification authentication in the banking system on the net according to claim 8, it is characterized in that, preestablish for the first time dynamic password coordinate effective time, described in the step B service generator will obtain the first time, the dynamic password coordinate returned to client terminal apparatus the time, further send a timing start information to the security service device, this method further comprises:
The security service device picks up counting after receiving this timing start information, if timing reaches dynamic password coordinate effective time predefined first time, client terminal apparatus still the dynamic password first time of input dynamic password or client terminal apparatus input for the first time be still wrong, then overtime to client terminal apparatus prompting transaction, and to service generator transmission instruction, indication service generator sends the new dynamic password coordinate first time to client terminal apparatus again, the dynamic password coordinate first time before this new dynamic password coordinate first time is different from, the service generator obtains this new dynamic password coordinate first time according to the instruction that receives from data administrator, and transfers execution in step B; If at predefined this of dynamic password coordinate in effective time new first time, the security service device receives the correct dynamic password first time of client terminal apparatus input, then sends for the first time to the service generator that verifying dynamic password passes through information described in the execution in step C.
10, according to Claim 8 or carry out the method for safety identification authentication in the 9 described banking systems on the net, it is characterized in that, this method is further set the threshold value of client terminal apparatus to the security service device input dynamic password number of times first time, if the security service device judges that the dynamic password first time of client terminal apparatus input is incorrect among the step C, then allow client terminal apparatus to import the dynamic password first time of described prescribed threshold number of times, if the errors number of input reaches the number of times of described prescribed threshold, then lock the trading privilege of client Web bank on the same day, and automatically terminated locking at second day.
11, carry out the method for safety identification authentication in the banking system on the net according to claim 8, it is characterized in that, preestablish for the second time dynamic password coordinate effective time, described in the step D service generator will obtain the second time, the dynamic password coordinate returned to client terminal apparatus the time, further send a timing start information to the security service device, this method further comprises:
The security service device picks up counting after receiving this timing start information, if timing reaches dynamic password coordinate effective time predefined second time, client terminal apparatus still the dynamic password second time of input dynamic password or client terminal apparatus input for the second time be still wrong, then overtime to client terminal apparatus prompting transaction, and to service generator transmission instruction, indication service generator sends the new dynamic password coordinate first time to client terminal apparatus again, the dynamic password coordinate first time before this new dynamic password coordinate first time is different from, the service generator obtains this new dynamic password coordinate first time according to the instruction that receives from data administrator, and transfers execution in step B; If at predefined second time of dynamic password coordinate in effective time, the security service device receives the correct dynamic password second time of client terminal apparatus input, then sends authenticating passing information to client terminal apparatus described in the execution in step F.
12, according to Claim 8 or carry out the method for safety identification authentication in the 11 described banking systems on the net, it is characterized in that, this method is further set the threshold value of client terminal apparatus to the security service device input dynamic password number of times second time, if the security service device judges that the dynamic password second time of client terminal apparatus input is incorrect in the step F, then allow client terminal apparatus to import the dynamic password second time of described prescribed threshold number of times, if the errors number of input reaches the number of times of described prescribed threshold, then lock the trading privilege of client Web bank on the same day, and automatically terminated locking at second day.
CN200710120049A 2007-08-08 2007-08-08 Carry out the system and method for safety identification authentication on the net in the banking system Active CN100576796C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200710120049A CN100576796C (en) 2007-08-08 2007-08-08 Carry out the system and method for safety identification authentication on the net in the banking system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200710120049A CN100576796C (en) 2007-08-08 2007-08-08 Carry out the system and method for safety identification authentication on the net in the banking system

Publications (2)

Publication Number Publication Date
CN101119202A CN101119202A (en) 2008-02-06
CN100576796C true CN100576796C (en) 2009-12-30

Family

ID=39055158

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200710120049A Active CN100576796C (en) 2007-08-08 2007-08-08 Carry out the system and method for safety identification authentication on the net in the banking system

Country Status (1)

Country Link
CN (1) CN100576796C (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101119209A (en) 2007-09-19 2008-02-06 腾讯科技(深圳)有限公司 Virtual pet system and virtual pet chatting method, device
CN101304422B (en) * 2008-06-30 2011-05-18 北京飞天诚信科技有限公司 Method for improving identification authentication security based on password card
CN101304316B (en) * 2008-06-30 2010-11-03 北京飞天诚信科技有限公司 Method for improving identification authentication security based on password card
CN101296241B (en) * 2008-06-30 2011-12-28 飞天诚信科技股份有限公司 Method for improving identity authentication security based on password card
CN101304315B (en) * 2008-06-30 2010-11-03 北京飞天诚信科技有限公司 Method for improving identification authentication security based on password card
CN101626291B (en) * 2008-07-07 2012-08-22 上海众人网络安全技术有限公司 ECC algorithm-based identity authentication system and identity authentication method
CN101547098B (en) * 2009-04-30 2010-11-10 太原理工大学 Method and system for security certification of public network data transmission
CN102013064A (en) * 2009-09-04 2011-04-13 宁波国际物流发展股份有限公司 Online payment method based on electronic commerce platform
US8819437B2 (en) * 2010-09-30 2014-08-26 Microsoft Corporation Cryptographic device that binds an additional authentication factor to multiple identities
CN101980233B (en) * 2010-10-15 2013-11-06 上海聚力传媒技术有限公司 Method and equipment for authenticating service based on equipment identifier
CN103117854A (en) * 2012-12-10 2013-05-22 涂国坚 Safe internet bank implementation method
CN104753886B (en) * 2013-12-31 2018-10-19 中国科学院信息工程研究所 It is a kind of to the locking method of remote user, unlocking method and device
CN103699829A (en) * 2014-01-12 2014-04-02 汪风珍 Password card
CN106790029A (en) * 2016-12-15 2017-05-31 宝德科技集团股份有限公司 A kind of big data acquisition methods and system based on identifying code
CN109462501B (en) * 2018-10-29 2021-02-02 北京芯盾时代科技有限公司 Authentication process control method and system
CN110351261B (en) * 2019-06-28 2021-10-08 深圳市永达电子信息股份有限公司 Method and system for connecting security server based on two-factor authentication management equipment
CN112052485A (en) * 2020-09-07 2020-12-08 深圳市亿道信息股份有限公司 One-key self-destruction method and system with false touch prevention function

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
动态口令认证技术. 姚鹏,杨珍.电子商务. 2006
动态口令认证技术. 姚鹏,杨珍.电子商务. 2006 *
基于OTP技术的网上银行安全身份认证应用研究. 邓婧.对外经济贸易大学硕士学位论文. 2006
基于OTP技术的网上银行安全身份认证应用研究. 邓婧.对外经济贸易大学硕士学位论文. 2006 *

Also Published As

Publication number Publication date
CN101119202A (en) 2008-02-06

Similar Documents

Publication Publication Date Title
CN100576796C (en) Carry out the system and method for safety identification authentication on the net in the banking system
US11832099B2 (en) System and method of notifying mobile devices to complete transactions
EP1922632B1 (en) Extended one-time password method and apparatus
CA2297323C (en) Personal device, terminal, server and methods for establishing a trustworthy connection between a user and a terminal
EP1829281B1 (en) Authentication device and/or method
US8079082B2 (en) Verification of software application authenticity
US20110142234A1 (en) Multi-Factor Authentication Using a Mobile Phone
CN101335619B (en) Authorized using method of disposal dynamic cipher telephone or short message
CN102739638B (en) Establishing privileges through claims of valuable assets
CN105357186B (en) A kind of secondary authentication method based on out-of-band authentication and enhancing OTP mechanism
CN101390126A (en) Transaction authentication by a token, contingent on personal presence
CN105431843A (en) Network identity authentication using communication device identification code
KR20120046913A (en) Method of paying with unique key value and apparatus thereof
JP2007094874A (en) Financial service providing system
CN101207483A (en) Bidirectional double factor authentication method
CN111949952B (en) Method for processing verification code request and computer-readable storage medium
US20020032874A1 (en) System and method for identity verification
US20200143382A1 (en) Method of transaction without physical support of a security identifier and without token, secured by the structural decoupling of the personal and service identifiers
WO2005022474A1 (en) A method of, and a system for, inhibiting fraudulent online transactions
JP6511409B2 (en) Transaction locking system and transaction locking method in financial institution
CN114244628B (en) Authorization method and system
CN114186209B (en) Identity verification method and system
JP6689917B2 (en) Personal authentication method at financial institutions
CN117557377A (en) Identity authentication method and system for digital person and digital asset transaction
CN115423456A (en) Zero-trust digital RMB payment system and safety protection method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant