CN101163011A - Safety authentication method of internet bank system - Google Patents
Safety authentication method of internet bank system
- Publication number: CN101163011A (application CN200710187861A, also written CNA2007101878615A)
- Authority: CN (China)
- Prior art keywords: user, authentication, digital certificate, mobile phone, certificate
- Prior art date: 2007-11-15 (priority date)
- Legal status: Pending (Google's automated assumption, not a legal conclusion; the Legal Events table below records the patent right as deemed abandoned with effect from 2008-04-16)
Abstract
The invention provides a security authentication method for an online banking system that applies a security mode combining mobile-phone dynamic authentication with a digital certificate. In mobile-phone dynamic authentication, a mobile phone number is bound when the customer opens the account; the system then sends a randomly generated dynamic authentication code to the customer by SMS to identify the customer. The digital certificate is issued by an authoritative, impartial third-party organisation, and encryption technology based on the digital certificate performs encryption and decryption, digital signing and signature verification on information transmitted over the network. The security authentication method of the online banking system of the invention raises the security level of online banking, effectively reduces risk and provides customers with a secure, efficient online banking system.
Description
Technical field
The present invention relates to a security authentication method for an online banking system, and more specifically to a method that uses mobile-phone dynamic authentication and digital certificate authentication together in an online banking system, and to an online banking system provided with different security levels.
Background technology
With the rapid growth of e-mail and e-commerce, people face the major challenge of how to exchange information securely. As the range of application of online banking systems keeps expanding, network security becomes particularly important, especially the related technologies such as digital signatures and the various encryption mechanisms.

Users need to exchange information securely and to satisfy the four security requirements of commerce: confidentiality, integrity, authenticity and non-repudiation. A security solution is made up mainly of hardware, software, personnel, policies and procedures.

Online banking systems usually use either mobile-phone dynamic authentication plus a transaction password, or a digital certificate plus a transaction password. Each authentication mode has its own advantages and disadvantages. The security authentication modes currently adopted by most domestic online banking systems are mainly the following:

1) Username and password authentication: because its security cannot be guaranteed, it has by now been largely phased out.

2) Mobile-phone dynamic authentication password: using the mobile phone number bound when the user opened the account, the system sends a randomly generated dynamic authentication code to the customer by SMS to identify the customer. It is convenient to implement: the customer only needs a mobile phone.

3) Digital certificate plus transaction password: the digital certificate is issued by the CA centre of an authoritative, impartial third party. Encryption technology built around the digital certificate can encrypt and decrypt, digitally sign and verify signatures on information transmitted over the network, guaranteeing the confidentiality and integrity of the transmitted information, the authenticity of the identities of the transacting parties and the non-repudiation of the signed messages, and thereby the security of the network application.
Digital certificates use a public-key cryptosystem: a pair of matching keys is used for encryption and decryption. Each user has a private key, held only by that user, which is used for decryption and signing, and a public key, which may be published and is used for encryption and for verifying signatures. To send a confidential document, the sender encrypts the data with the recipient's public key and the recipient decrypts it with their own private key; the information thus reaches its destination safely, and even if a third party intercepts it, it cannot be decrypted without the corresponding private key. Mathematical properties guarantee that encryption is a one-way process, i.e. only the private key can decrypt (in practice the public-key operation is applied with a padding scheme such as OAEP, and usually to a session key rather than to the message itself). The most commonly used public-key system is RSA.

The user can also process information with their own private key. Because the key is held only by that user, this produces a file that nobody else could have generated, which constitutes a digital signature. A digital signature allows two things to be confirmed:

(1) the information was signed and sent by the signer, who cannot (or can hardly) deny having done so;

(2) the information has not been modified in any way between signing and receipt, so the signed file is authentic.

Digital certificates can be used for secure e-mail, access to secure websites, online securities trading, online bidding and procurement, online contract signing, online office work, online payment, online tax filing and other secure electronic transactions over the Internet.

Digital certificates generally follow the X.509 international standard. At present certificate authorities mainly issue several types of certificate: secure e-mail certificates, personal and enterprise identity certificates, server certificates and code-signing certificates.
The prior art described above still has security risks and inconveniences. For example, with mobile-phone dynamic authentication, a lost phone or a network outage prevents the user from using the service. The digital certificate is in theory the most secure mode, but the risks of losing the storage medium or of the password being disclosed remain. How to further strengthen user identification is therefore an important guarantee of security.

The online banking security authentication method of the present invention raises the security level of online banking, effectively reduces risk and provides users with a secure and efficient online banking system.
Summary of the invention
The invention provides a security authentication method for an online banking system, characterised by a dual-authentication security mode combining mobile-phone dynamic authentication and a digital certificate. In mobile-phone dynamic authentication, using the mobile phone number bound when the user opened the account, the system sends a randomly generated dynamic authentication code to the customer by SMS to identify the customer. The digital certificate is issued by an authoritative, impartial third party; the encryption technology built around it can encrypt and decrypt, digitally sign and verify signatures on information transmitted over the network.

The method further sets different security levels according to the risk of the transactions the online banking system offers and maps online banking users to them. The security levels comprise: non-contracted users using an ordinary password, mobile-phone dynamic authentication users, digital certificate authentication users, and dual-authentication users who use both mobile-phone dynamic authentication and digital certificate authentication.

The method also has login control and password protection measures.

The method also has an identity authentication measure: for users who hold a client digital certificate, the digital certificate the user presents at login must be verified to be legitimate and valid.

The method also has a digital signature authentication measure: transactions are signed with the private key belonging to the client digital certificate, guaranteeing the integrity, consistency and non-repudiation of the transaction data.

The method also has transfer limit control and duplicate submission control measures.
Description of drawings
Fig. 1 is a flow chart of the digital certificate signing and verification process of the present invention;
Fig. 2 is a block diagram of the digital certificate signature authentication processing module of the present invention;
Fig. 3 is a flow chart of the mobile-phone authentication of the present invention;
Fig. 4 is the network topology of the digital certificate system of the present invention;
Fig. 5 is the RA application architecture of the present invention.
Embodiment
Based on the security features of WebSphere (the IBM web server) and the characteristics of the online banking system, the following targeted hardening and security assurance mechanisms are provided in the online banking system:

1. Login control comprises the following aspects:

(1) Multi-factor security control: when logging in to the online banking system the user must enter the online banking username, the online banking login password and a dynamic password; certificate users must in addition present the client certificate. The factors are verified together to complete client identity authentication;

(2) Account policy: if a client fails to log in several times in a row within a short period, the user is forced to wait for a period (the interval is set by the bank) before being allowed to log in again;

(3) First-login control: a user logging in to the online banking system for the first time is forced to change the online banking login password;
2. Password protection comprises the following:

(1) Online banking login and transaction passwords: the online banking system uses a login password and a transaction password that are independent of each other and different from the account's own inquiry and withdrawal passwords;

(2) Password storage: the login and transaction passwords used by the online banking system are stored in the online banking database only after processing with a one-way hash algorithm;

(3) Password rules: the system checks the password chosen by the client and rejects passwords that are too simple.
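The account policy of the login control (consecutive failures within a short period lock the account for a bank-configured interval) and the password storage rule above, as an added example that is not the patent's or any bank's code. It stores a salted, iterated hash (PBKDF2-HMAC-SHA256, written out from the standard library) rather than a bare one-way hash, because a single unsalted hash of a short password is cheap to reverse with precomputed tables, and it counts consecutive failures within a window. The iteration count, the lockout thresholds and the "salt:hash" storage format are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// pbkdf2SHA256 is one block of PBKDF2-HMAC-SHA256 (RFC 8018), i.e. a 32-byte derived key, written
// out so the example needs only the standard library; real code would use golang.org/x/crypto.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(i) for block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for n := 1; n < iter; n++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for i := range t {
			t[i] ^= u[i]
		}
	}
	return t
}

const pbkdf2Iter = 100000 // work factor (assumption; tune to the server hardware)

// HashPassword returns "salt:hash" for storage: a fresh random salt per password plus an iterated hash.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, pbkdf2Iter)
	return hex.EncodeToString(salt) + ":" + hex.EncodeToString(dk), nil
}

// VerifyPassword recomputes the hash with the stored salt and compares in constant time.
func VerifyPassword(stored, password string) bool {
	saltHex, hashHex, found := strings.Cut(stored, ":")
	salt, err1 := hex.DecodeString(saltHex)
	want, err2 := hex.DecodeString(hashHex)
	if !found || err1 != nil || err2 != nil {
		return false
	}
	return subtle.ConstantTimeCompare(pbkdf2SHA256([]byte(password), salt, pbkdf2Iter), want) == 1
}

// Account policy: maxFailures consecutive failures within failWindow lock the account for lockFor
// (the bank-configured interval); these values are assumptions.
const (
	maxFailures = 5
	failWindow  = 10 * time.Minute
	lockFor     = 30 * time.Minute
)

type acctState struct {
	fails              int
	first, lockedUntil time.Time
}

// Lockout keeps per-user failure state (in memory here; a real system persists it).
type Lockout map[string]*acctState

// Attempt records one login result and reports whether the account is locked afterwards.
func (l Lockout) Attempt(user string, ok bool, now time.Time) bool {
	s := l[user]
	if s == nil {
		s = &acctState{}
		l[user] = s
	}
	if now.Before(s.lockedUntil) {
		return true
	}
	if ok {
		s.fails = 0
		return false
	}
	if s.fails == 0 || now.Sub(s.first) > failWindow {
		s.fails, s.first = 0, now
	}
	if s.fails++; s.fails >= maxFailures {
		s.lockedUntil, s.fails = now.Add(lockFor), 0
		return true
	}
	return false
}

func main() {
	h, _ := HashPassword("Tr0ub4dor&3")
	fmt.Println("stored:", h, "verify:", VerifyPassword(h, "Tr0ub4dor&3"))
}
```

A correct password presented while the account is locked is still refused, which is what makes the lockout useful against online guessing; failures spread out over more than the window do not accumulate, so an occasional typo never locks a legitimate user.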
3. Client certificate use comprises the following aspects:

In the present invention, the SSL (Secure Sockets Layer) handshake is completed between the client (browser) and the NASE (the SSL gateway server of 信安世纪, Infosec Technologies) on the service side; after the handshake, communication data between the client and the online banking system is transmitted encrypted with standard 128-bit SSL.

(1) Identity authentication

For users who hold a client certificate, the certificate the user presents at login must be verified to be legitimate. The verification mainly comprises: 1. whether the CIF number stored in the certificate matches the corresponding record in the online banking system; 2. whether the certificate is in a valid state and not revoked, frozen or otherwise invalid.
(2) Digital signature and authentication

Referring to Fig. 1, key transactions such as transfers and authorisations are signed with the private key belonging to the client certificate, which effectively guarantees the integrity, consistency and non-repudiation of the transaction data.
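The login-time certificate checks of (1) and the signing and verification of Fig. 1 in (2), as an added example that is not the patent's or any bank's code. It issues a test CA and a client certificate in process (standing in for CFCA and the bank's RA), verifies the certificate's chain and validity period against the bank's trusted CA, compares the CIF number carried in the certificate with the bank's record, consults a status table for revoked or frozen certificates, and then signs a canonical transaction string with the client's private key and verifies it with the certificate. Carrying the CIF in the subject serialNumber attribute, the "valid"/"revoked"/"frozen" status strings, the transaction string format and the signature scheme (SHA-256 with RSASSA-PKCS1-v1_5) are assumptions; a production system would also check revocation against the CA's CRL or OCSP rather than only the bank's local status table.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// UserRecord is the online banking system's record for a certificate user (constructed data).
type UserRecord struct {
	CIF    string
	Status string // "valid", "revoked" or "frozen" (assumed status table values)
}

func makeCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Issue stands in for the CA/RA: a self-signed test CA issues a client certificate that carries
// the CIF number in the subject serialNumber attribute (an assumption about the certificate profile).
func Issue(cif string, now time.Time) (ca, client *x509.Certificate, clientKey *rsa.PrivateKey, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Bank CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if ca, err = makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	if clientKey, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, nil, nil, err
	}
	clTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "online banking user", SerialNumber: cif},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client, err = makeCert(clTmpl, ca, &clientKey.PublicKey, caKey)
	return ca, client, clientKey, err
}

// VerifyLoginCert performs the login-time checks: chain and validity period against the bank's
// trusted CA, CIF number against the bank's record, and status (not revoked or frozen).
func VerifyLoginCert(c, ca *x509.Certificate, rec UserRecord, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain/validity: %w", err)
	}
	if c.Subject.SerialNumber == "" || c.Subject.SerialNumber != rec.CIF {
		return errors.New("CIF in certificate does not match the bank's record")
	}
	if rec.Status != "valid" {
		return fmt.Errorf("certificate status is %q", rec.Status)
	}
	return nil
}

// SignTransfer signs the canonical transaction string with the client's private key (SHA-256,
// RSASSA-PKCS1-v1_5); VerifyTransfer checks the signature with the certificate's public key.
func SignTransfer(key *rsa.PrivateKey, tx string) ([]byte, error) {
	d := sha256.Sum256([]byte(tx))
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
}

func VerifyTransfer(c *x509.Certificate, tx string, sig []byte) error {
	pub, ok := c.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate key is not RSA")
	}
	d := sha256.Sum256([]byte(tx))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}

func main() {
	ca, cl, key, _ := Issue("10001234", time.Now())
	fmt.Println("login check:", VerifyLoginCert(cl, ca, UserRecord{CIF: "10001234", Status: "valid"}, time.Now()))
	tx := "transfer|to=6222000000000001|amount=100.00"
	sig, _ := SignTransfer(key, tx)
	fmt.Println("signature ok:", VerifyTransfer(cl, tx, sig) == nil)
}
```

The chain check runs first, so the CIF comparison and the status lookup are only reached for a certificate the bank's CA actually issued and that is inside its validity period; changing any byte of the transaction string after signing makes VerifyTransfer fail, which is the integrity and non-repudiation property the text relies on.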
Fig. 2 is the block diagram of the signature authentication processing module. Session management: if the user performs no operation within a set period, the user's session is set to invalid and the user is prompted to log in again before continuing to use online banking.

Resource (function) access control policy: the resources of the online banking system are managed in two layers. The first layer is the CIF level (user level), allocated by the bank according to the user's subscription information. The second layer is the operator level: the resources (functions) each operator may use are allocated and controlled within the resources of the CIF level, and the bank's own online operators are also covered by operator-level allocation. An operator's permissions over accounts are set by the online banking back-office management system; the control here covers which accounts may be operated and which operations (inquiry/transfer) are permitted on each account.
Transfer limit control: contracted users without a certificate (personal users, CIF level) are subject to the bank's unified transfer limits (single transfer limit and daily transfer limit); for accounts (enterprise/personal) attached to the online banking system, single and daily transfer limits can be set.

Duplicate submission control: a transaction token is used to prevent the same transaction from being submitted repeatedly, i.e. to prevent a user who presses refresh or clicks submit again while the network is slow from initiating the transfer transaction twice and having the account debited twice.
Authorisation mechanism: transaction auditing is multi-level; the system uniformly defines three audit levels. Multiple auditors at the same audit level need not be placed in any order.

Transaction audit setting rules comprise the following:

Account permission settings: whether the account may transfer, the single limit and the same-day cumulative limit;

Operator permission settings: per account, per function group, and audit level;

Audit flow settings: configured per function group, amount band and number of auditors per level.

The audit policy is determined by the client, who can freely configure it by function group and amount band according to their own characteristics. Each auditor belongs to exactly one audit level. Amount bands follow the lower-bound-inclusive principle: only the starting amount is entered, and the default band is "0 to infinity". When audit settings are made, the system checks whether the client has enough auditors at each level and prompts the client if not; for audit settings on transaction types that carry no amount, the amount band defaults to "0".
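Band selection and the three-level approval flow, as an added example that is not the patent's or any bank's code. The rule applied to a transaction is the row for its function group with the largest lower bound not above the amount (lower-bound inclusive), a setup-time check confirms the client has enough auditors at every level the rule needs, and approvals are accepted level by level: unordered within a level, each lower level complete before a higher one acts, and each auditor at most once. The rule layout, the per-level counts as a `[3]int` and the auditor names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

const Levels = 3 // the system uniformly defines three audit levels

// Rule is one row of the audit flow settings: function group, amount band lower bound (fen; bands
// are lower-bound inclusive) and the number of auditors required at each level.
type Rule struct {
	Group    string
	MinAmt   int64
	Required [Levels]int
}

// Policy is the client's own configuration: the level of each auditor, and the rules.
type Policy struct {
	AuditorLevel map[string]int // each auditor belongs to exactly one level, 1..Levels
	Rules        []Rule
}

// Select picks the row for the function group with the largest lower bound not above the amount.
func (p Policy) Select(group string, amount int64) (Rule, error) {
	var best *Rule
	for i := range p.Rules {
		r := &p.Rules[i]
		if r.Group == group && r.MinAmt <= amount && (best == nil || r.MinAmt > best.MinAmt) {
			best = r
		}
	}
	if best == nil {
		return Rule{}, fmt.Errorf("no audit rule configured for function group %q", group)
	}
	return *best, nil
}

// Feasible is the setup-time check that the client has enough auditors at every level the rule needs.
func (p Policy) Feasible(r Rule) error {
	var have [Levels]int
	for _, lvl := range p.AuditorLevel {
		if lvl >= 1 && lvl <= Levels {
			have[lvl-1]++
		}
	}
	for i, need := range r.Required {
		if have[i] < need {
			return fmt.Errorf("level %d requires %d auditors but only %d are configured", i+1, need, have[i])
		}
	}
	return nil
}

// Pending is one transaction waiting for audit under the rule selected for it.
type Pending struct {
	Rule      Rule
	approvals map[string]bool // auditors who have already approved
	count     [Levels]int     // approvals collected per level
}

func NewPending(r Rule) *Pending { return &Pending{Rule: r, approvals: map[string]bool{}} }

// Approve records one auditor's approval: all lower levels must be complete first, order within a
// level does not matter, and an auditor may approve a given transaction only once.
func (pd *Pending) Approve(p Policy, auditor string) error {
	lvl, ok := p.AuditorLevel[auditor]
	if !ok || lvl < 1 || lvl > Levels {
		return errors.New("unknown auditor")
	}
	if pd.approvals[auditor] {
		return errors.New("auditor has already approved this transaction")
	}
	for i := 0; i < lvl-1; i++ {
		if pd.count[i] < pd.Rule.Required[i] {
			return fmt.Errorf("audit level %d is not complete yet", i+1)
		}
	}
	if pd.count[lvl-1] >= pd.Rule.Required[lvl-1] {
		return fmt.Errorf("audit level %d already has all required approvals", lvl)
	}
	pd.approvals[auditor] = true
	pd.count[lvl-1]++
	return nil
}

// Complete reports whether every level has the approvals the rule requires.
func (pd *Pending) Complete() bool {
	for i := range pd.count {
		if pd.count[i] < pd.Rule.Required[i] {
			return false
		}
	}
	return true
}

func main() {
	p := Policy{AuditorLevel: map[string]int{"a1": 1, "b1": 2}, Rules: []Rule{{Group: "transfer", Required: [Levels]int{1, 1, 0}}}}
	r, _ := p.Select("transfer", 250000)
	pd := NewPending(r)
	fmt.Println(pd.Approve(p, "b1"), pd.Approve(p, "a1"), pd.Approve(p, "b1"), pd.Complete())
}
```

A rule whose counts are all zero completes immediately, which is how a low-value band can be configured to need no audit, while a missing "0 to infinity" default for a group is an error rather than a silent pass.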
Online banking users of different security levels, according to what the user has applied for, fall into the following classes: non-contracted users using an ordinary password, mobile-phone authenticated users, digital certificate authenticated users, and dual-authentication users using both mobile-phone authentication and digital certificate authentication.

According to the risk of the transactions the online banking system provides, different security levels are set and mapped to the corresponding online banking users:

Security level | Inquiry | Wealth management | Bill payment | Transfer | User settings |
---|---|---|---|---|---|
Non-contracted user with ordinary password | √ | × | × | × | × |
Mobile-phone dynamic authentication user | √ | √ | × | √ | × |
Certificate authentication user | √ | √ | √ | √ | √ |
Dual-authentication user (mobile phone and certificate) | √ | √ | √ | √ | √ |
Fig. 3 is the mobile-phone authentication flow chart of the present invention. SMS communication is one of the communication interfaces, and its configuration is adjusted to the environment. When a transaction invokes the SMS service, all configuration information is initialised and the service started; the message is assembled according to the interface packet format, the SMS service sends it and returns the result.
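The dynamic authentication code behind this flow (generated by the system, sent to the bound phone number, later checked), as an added example that is not the patent's or any bank's code. The code is drawn from a CSPRNG, only a keyed hash of it is stored, it is bound to the transaction it was requested for, it is single-use, and it is discarded after a short lifetime or a few wrong guesses, which is what keeps a six-digit code from being guessed online. The SMS gateway is a function hook; the message text, the lifetime and the attempt limit are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// otpEntry is the server-side record of one issued code: a keyed hash of the code (never the code
// itself), the bound phone it went to, the expiry and the number of attempts so far.
type otpEntry struct {
	tag      []byte
	phone    string
	expires  time.Time
	attempts int
}

// OTPService issues and checks SMS dynamic authentication codes.
type OTPService struct {
	key      []byte // HMAC key for the stored tags (per process here; normally from a key store)
	TTL      time.Duration
	MaxTries int
	pending  map[string]*otpEntry           // one outstanding code per user
	Send     func(phone, text string) error // the SMS interface; a gateway client in production
}

func NewOTPService(send func(phone, text string) error) (*OTPService, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &OTPService{key: key, TTL: 5 * time.Minute, MaxTries: 3, pending: map[string]*otpEntry{}, Send: send}, nil
}

// tag binds the code to the phone number and the transaction, so a code captured for one transfer
// cannot be replayed to confirm another.
func (s *OTPService) tag(code, phone, txID string) []byte {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(code + "|" + phone + "|" + txID))
	return m.Sum(nil)
}

// Issue draws a six-digit code from a CSPRNG, sends it to the phone number bound at account
// opening, and stores only its tag together with an expiry.
func (s *OTPService) Issue(user, boundPhone, txID string, now time.Time) error {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	text := fmt.Sprintf("Online banking code %s for transaction %s, valid 5 minutes", code, txID)
	if err := s.Send(boundPhone, text); err != nil {
		return err
	}
	s.pending[user] = &otpEntry{tag: s.tag(code, boundPhone, txID), phone: boundPhone, expires: now.Add(s.TTL)}
	return nil
}

var (
	ErrNoCode  = errors.New("no outstanding code for this user")
	ErrExpired = errors.New("code has expired; request a new one")
	ErrLocked  = errors.New("too many wrong attempts; request a new code")
	ErrBadCode = errors.New("wrong code")
)

// Verify checks a code for the given transaction. The code is single-use and is discarded on
// expiry or after MaxTries wrong guesses, which keeps a six-digit code from being guessed online.
func (s *OTPService) Verify(user, txID, code string, now time.Time) error {
	e, ok := s.pending[user]
	if !ok {
		return ErrNoCode
	}
	if now.After(e.expires) {
		delete(s.pending, user)
		return ErrExpired
	}
	e.attempts++
	if subtle.ConstantTimeCompare(s.tag(code, e.phone, txID), e.tag) != 1 {
		if e.attempts >= s.MaxTries {
			delete(s.pending, user)
			return ErrLocked
		}
		return ErrBadCode
	}
	delete(s.pending, user)
	return nil
}

func main() {
	s, _ := NewOTPService(func(phone, text string) error {
		fmt.Println("SMS to", phone+":", text)
		return nil
	})
	now := time.Now()
	_ = s.Issue("u1", "+8613800000000", "TX1", now)
	fmt.Println("wrong code:", s.Verify("u1", "TX1", "000000", now))
}
```

Including the transaction identifier in the SMS text and in the tag is the part a plain "random code" design lacks: the customer can see what they are confirming, and a code obtained for one transfer cannot confirm a different one.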
Fig. 4 is the network topology of the present invention. The CA system to which the RA (registration authority) system connects is the 863CA system of CFCA (China Financial Certification Authority); the bank's RA system connects to CFCA over the Internet. The RA (certificate application review) web server sits in the Beijing Rural Commercial Bank online banking system: the RA web front end is integrated in the online banking back-office management interface, so the RA web server is shared with the online banking web server. The RA application server is deployed on the bank's application server and physically shares one application server with the online banking system. The RA database server shares the online banking database server: the RA tables are created in the online banking database and managed and operated there. The RA management terminal is a PC running Windows. The RA access channels comprise the web mode and the counter mode; the web mode is integrated in the online banking back-office management function interface.

Fig. 5 is the application system architecture diagram of the present invention.

The present invention has been described above by way of specific embodiments, but those skilled in the art will recognise many possible modifications and alternative embodiments, for example by combining and/or changing the features of individual embodiments. It is therefore to be understood that such modifications and alternative embodiments are regarded as included in the present invention, whose scope is limited only by the appended claims and their equivalents.
Claims (6)
1. the method for online banking system safety authentication, it is characterized in that adopting two authentication security patterns of mobile phone dynamic authentication and digital certificate, wherein the mobile phone dynamic authentication is the phone number of time binding of opening an account by the user, the dynamic authentication codes that system will generate at random sends to the identification that the client realizes client identity by the form of note, digital certificate is to be signed and issued by the just third-party institution of authority, with the digital certificate is the encryption technology of core, and it can carry out encryption and decryption, digital signature and signature verification to the information of transmission over networks.
2. the method for claim 1, it is characterized in that providing the degree of risk of transaction according to bank system of web, set different level of securitys, and the corresponding relevant user of Web bank, described level of security comprises two authenticated user of the non-contracted user, mobile phone dynamic authentication user, digital certificate authentication user and mobile phone dynamic authentication and the digital certificate authentication that use general password.
3. method as claimed in claim 2 is characterized in that also having login control and cryptoguard measure.
4. as each described method of claim 1-3, it is characterized in that also having the authentication measure, whether this measure comprises for the user that client numeral certificate is arranged, in the time of login, need the employed digital certificate of checking user legal effective.
5. method as claimed in claim 4 is characterized in that also having the digital signature identification measure, and it is signed to the private key in the client numeral certificate, ensures integrality, consistency and the non-repudiation of transaction data.
6. method as claimed in claim 5 is characterized in that also having the control of account transfer limit and repeats to submit to control measure.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2007101878615A CN101163011A (en) | 2007-11-15 | 2007-11-15 | Safety authentication method of internet bank system |

Publications (1)

Publication Number | Publication Date |
---|---|
CN101163011A (en) | 2008-04-16 |

Family

ID=39297850

Family Applications (1)

Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2007101878615A Pending CN101163011A (en) | 2007-11-15 | 2007-11-15 | Safety authentication method of internet bank system |

Country Status (1)

Country | Link |
---|---|
CN (1) | CN101163011A (en) |
Cited By (18)

Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101631305B * | 2009-07-28 | 2011-12-07 | 交通银行股份有限公司 | Encryption method and system |
WO2011082604A1 * | 2010-01-07 | 2011-07-14 | 华为终端有限公司 | Method, equipment and mobile terminal for fingerprint identification |
CN101795196A * | 2010-03-10 | 2010-08-04 | 宇龙计算机通信科技(深圳)有限公司 | Authentication method and authentication system for logging in to online banks |
CN102510337A * | 2011-12-15 | 2012-06-20 | 复旦大学 | Quantitative risk and income self-adaptive dynamic multiple-factor authentication method |
CN102510337B * | 2011-12-15 | 2014-07-09 | 复旦大学 | Quantitative risk and income self-adaptive dynamic multiple-factor authentication method |
CN103581907A * | 2012-08-03 | 2014-02-12 | 北京中创智信科技有限公司 | Mobile electronic signature method, service platform, equipment and system |
CN103581907B * | 2012-08-03 | 2016-08-03 | 北京中创智信科技有限公司 | Mobile electronic signature method, service platform, equipment and system |
CN104363217A * | 2014-11-03 | 2015-02-18 | 深圳市远行科技有限公司 | CA digital signature authentication system and method of Web system |
CN106209923A * | 2015-04-29 | 2016-12-07 | 中国电信股份有限公司 | Method, apparatus and system for vehicle identity authentication using a cellular network |
CN106209923B * | 2015-04-29 | 2019-05-21 | 中国电信股份有限公司 | Method, apparatus and system for vehicle identity authentication using a cellular network |
US20170262853A1 * | 2016-03-14 | 2017-09-14 | Mastercard International Incorporated | Method and system for biometric confirmation of suspect transactions |
CN108075893A * | 2016-11-12 | 2018-05-25 | 张仁平 | Secure verification code system |
CN106790051A * | 2016-12-19 | 2017-05-31 | 杭州信雅达数码科技有限公司 | Mobile banking security protocol based on MB connections |
CN106651318A * | 2016-12-28 | 2017-05-10 | 中国建设银行股份有限公司 | Enterprise-level flow setting method and system |
CN108446898A * | 2018-02-26 | 2018-08-24 | 深圳前海微众银行股份有限公司 | Transfer method, terminal and computer-readable storage medium |
CN111861355A * | 2019-04-30 | 2020-10-30 | 富金通金融信息服务(上海)有限公司 | Fully online enterprise internet real-name authentication method |
CN110363533A * | 2019-06-26 | 2019-10-22 | 山东普惠共享经济技术开发有限公司 | Real-name authentication system and method |
CN112532640A * | 2020-12-02 | 2021-03-19 | 北京天融信网络安全技术有限公司 | Authentication method, authentication device, electronic equipment and computer-readable storage medium |

* Cited by examiner
Legal Events

Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| AD01 | Patent right deemed abandoned | Effective date of abandoning: 20080416 |
| C20 | Patent right or utility model deemed to be abandoned or is abandoned | |