CN101414909B - System, method and mobile communication terminal for verifying network application user identification - Google Patents


Info

Publication number: CN101414909B
Authority: CN (China)
Prior art keywords: user, authentication password, key, checking, network application
Application number: CN200810226984XA
Other languages: Chinese (zh)
Other versions: CN101414909A
Inventors: 王伟珣, 王斌
Original assignee: 中国移动通信集团公司, 中国移动通信集团上海有限公司
Application filed by 中国移动通信集团公司 and 中国移动通信集团上海有限公司
Priority to CN200810226984XA
Publication of CN101414909A
Application granted
Publication of CN101414909B

Abstract

The invention discloses a system, a method and a mobile communication terminal for authenticating a network application user, used to improve the generality of network application user authentication. In the embodiment of the invention, the identity digital certificate is stored on the mobile communication terminal, a device carried by more and more people; verification does not require a device with a dynamic network connection, and a dynamic password authentication technology is achieved, thereby greatly improving the security of the application system at low cost.

Description

System, method and mobile communication terminal for verifying the identity of a network application user

Technical field

The present invention relates to network application technology, and in particular to a technology for verifying the identity of a network application user.

Background technology

In an age of highly developed informatization and networking, mobile e-commerce services are receiving ever more attention and use. Most current e-commerce applications and e-banking systems verify the user's identity with the traditional account number plus user password. In this mode the password may be stolen, for example because the input environment is not private or because the password is related to the user's personal characteristics, so a security hazard exists.

The schemes that currently address the user password security problem include the following three:

1. USB Key hardware identity digital certificate scheme

This scheme is at present adopted mainly by enterprises. A USB Key is a hardware device with a USB interface that uses a two-factor authentication mode combining software and hardware. It contains a single-chip microcomputer or smart card chip, can store the user's password or digital certificate, and uses a cryptographic algorithm built into the USB Key to verify the user's identity. However, a USB Key can only be used on equipment that has a USB socket, which limits its scope of application. Moreover, because it must be connected to a computer, the USB Key password or certificate may still be stolen when a corresponding trojan horse is present.

2. Dynamic password token (One-time Password Token)

In this technology the user's password changes dynamically with time or with the number of uses, and each password is used only once. It is a common solution for security authentication today.

Existing dynamic password token technology uses dedicated hardware with a built-in power supply, a high-precision clock, a password generation chip and a display screen. The password generation chip runs a special password generation algorithm that derives the current electronic password from the current time or the number of uses and shows it on the display. The authentication server computes the currently valid password with the same algorithm. Because every electronic password used must be produced by the dynamic password token, and only the legitimate user holds the token hardware, the system regards the user's identity as reliable as long as the dynamic password verification passes. The shortcoming of this class of token is that most must be accurately synchronized with time and therefore require dedicated hardware with a high-precision clock, which makes the hardware expensive; the dedicated hardware token is also inconvenient to carry, and its versatility is poor.

3. Mobile communication terminal SMS verification technology

In mobile communication terminal SMS verification, the system sends the user a dynamic verification code in the form of an SMS message before each transaction, thereby realizing the function of a dynamic password. This mode is safer than the dynamic password token mode, but the secret dynamic password information must be transmitted in plaintext over a mobile communications network that is not confidential, sending an SMS message has a certain cost, and SMS delivery may be delayed.

Summary of the invention

The embodiments of the invention provide a system, a method and a mobile communication terminal for verifying the identity of a network application user, used to improve the versatility of network application user identity verification.

A system for verifying the identity of a network application user comprises:

a key and user management subsystem, used to generate and store the identity digital certificate with which the user uses the network application; upon receiving a verification request that contains the identity digital certificate, to generate random information according to the verification request and output it, and to use a set algorithm to generate and output user verification password information that is valid within a set duration, the calculation parameters of the user verification password information comprising the identity digital certificate contained in the verification request and the random information generated for this verification request;

a mobile communication terminal, used to obtain the user's identity digital certificate from the key and user management subsystem and, when the user performs identity authentication for the network application, to output this identity digital certificate to the network application and verification subsystem; to receive the random information generated by the key and user management subsystem as input by the user, and to generate the user authentication password with the set algorithm, the calculation parameters of the user authentication password comprising the random information input by the user and the stored identity digital certificate;

a network application and verification subsystem, used to obtain the identity digital certificate from the mobile communication terminal when the user requests identity authentication for the network application, and to generate the verification request and send it to the key and user management subsystem; to receive the random information output by the key and user management subsystem, receive the user authentication password input by the user, receive the user verification password information output by the key and user management subsystem, and obtain the verification result from the user authentication password and the user verification password information.

Preferably, the network application and verification subsystem specifically comprises:

a Web server, used to provide the interactive interface of the network application and verification subsystem and, when the user requests identity authentication for the network application through this interactive interface, to establish a communication connection with the mobile communication terminal, obtain the identity digital certificate from the mobile communication terminal over that connection, and generate and forward the verification request; to receive the random information and display it to the user through the interactive interface of the network application and verification subsystem, to receive the user authentication password that the user inputs through that interactive interface and forward it, and to receive the verification result;

a dynamic password verification server, used to receive the verification request output by the Web server and forward it to the key and user management subsystem, and to receive the random information output by the key and user management subsystem and forward it to the Web server; to receive the user authentication password forwarded by the Web server and the user verification password information output by the key and user management subsystem, obtain the verification result from the user authentication password and the user verification password information, and send the verification result to the Web server.

Further, the key and user management subsystem is also used to receive and store the user password that the user inputs through the interactive interface of the key and user management subsystem, together with the identity digital certificate of the corresponding user; and when the set algorithm is used to generate the user verification password information valid within the set duration, the calculation parameters of the user verification password information further comprise the user password input by the user. The mobile communication terminal is also used to receive the user password that the user inputs through the interactive interface of the mobile communication terminal, and when the set algorithm is used to generate the user authentication password, the calculation parameters of the user authentication password further comprise the user password input by the user.

Further, the key and user management subsystem is also used to maintain, according to a set rule, a first sequence number that identifies the accumulated number of user verifications, and when the set algorithm is used to generate the user verification password information valid within the set duration, the calculation parameters of the user verification password information further comprise the first sequence number. The mobile communication terminal is also used to maintain, according to a set rule, a second sequence number that identifies the accumulated number of user verification requests, and when the set algorithm is used to generate the user authentication password, the calculation parameters of the user authentication password further comprise the second sequence number.

Moreover, the user verification password information valid within the set duration that the key and user management subsystem generates with the set algorithm comprises a group of user verification passwords, one generated for each of a set number of first sequence number values that include the current value of the first sequence number. The dynamic password verification server, according to the user authentication password and the user verification password information, obtains a result of verification passed when the user authentication password is consistent with any one of the group of user verification passwords, and otherwise obtains a result of verification failed.

The mobile communication terminal and the network application and verification subsystem transmit the user's identity digital certificate over an established communication connection, where establishing the communication connection specifically comprises:

a wired connection established through a USB interface; or

a wireless connection established through Bluetooth; or

a wireless connection established through an infrared emulated serial port.

A method for verifying the identity of a network application user comprises:

when the user performs identity authentication for a network application, the mobile communication terminal outputs the user's identity digital certificate, obtained from the key and user management subsystem, to the network application and verification subsystem;

upon receiving the user's identity digital certificate, the network application and verification subsystem generates a verification request containing the identity digital certificate and sends it to the key and user management subsystem;

according to the received verification request, the key and user management subsystem generates random information, uses a set algorithm to generate user verification password information valid within a set duration, and outputs the random information and the user verification password information to the network application and verification subsystem; the calculation parameters of the user verification password information comprise the identity digital certificate contained in the verification request and the random information generated for this verification request;

the network application and verification subsystem receives the random information and the user verification password information output by the key and user management subsystem, and receives the user authentication password input by the user; the user authentication password is generated by the mobile communication terminal with the set algorithm from the random information that the key and user management subsystem generated and the user input, and is displayed to the user; the calculation parameters of the user authentication password comprise the random information input by the user and the stored identity digital certificate;

the network application and verification subsystem verifies the user's identity according to the user authentication password and the user verification password information valid within the set duration.

A mobile communication terminal comprises:

a unit for obtaining the user's identity digital certificate from the key and user management subsystem;

a unit for establishing a communication connection with the network application and verification subsystem when the user performs identity authentication for the network application, and outputting the identity digital certificate over that communication connection;

a unit for receiving the random information generated by the key and user management subsystem, as input by the user through the interactive interface of the mobile communication terminal;

a unit for generating the user authentication password with a set algorithm and displaying it through the interactive interface of the mobile communication terminal, the calculation parameters of the user authentication password comprising the random information input by the user and the stored identity digital certificate.

In the embodiments of the invention, the identity digital certificate is stored on the mobile communication terminal, a device carried by more and more people; the verification work requires neither a dynamic connection to the Internet as a general medium nor a high-precision clock, and a digital-certificate-based dynamic password verification technology is realized, which significantly improves the versatility and portability of the network application authentication mechanism at low cost.

Description of drawings

Fig. 1 is a schematic diagram of the realization principle of the system for verifying the identity of a network application user provided by the embodiment of the invention;

Fig. 2 is a schematic diagram of a specific network architecture of the system for verifying the identity of a network application user provided by the embodiment of the invention;

Fig. 3 is a schematic flow chart of account opening by a network application user, in the user identity authentication method provided by the embodiment of the invention;

Fig. 4 is a schematic flow chart of the network application user downloading the identity digital certificate to the mobile communication terminal, in the user identity authentication method provided by the embodiment of the invention;

Fig. 5 is a schematic flow chart of activating the identity digital certificate on the mobile communication terminal, in the user identity authentication method provided by the embodiment of the invention;

Fig. 6 is a schematic flow chart of identity authentication using the identity digital certificate, provided by the embodiment of the invention.

Embodiment

PKI (Public Key Infrastructure) is a public key architecture: a key management platform that follows established standards and can provide cryptographic services such as encryption and digital signatures, together with the necessary key and certificate management systems, for all network applications. In simple terms, PKI is the infrastructure that uses public key theory and technology to provide security services. PKI technology is the core of information security technology and is also the key and basic technology of e-commerce. In the PKI system, the CA (Certificate Authority) is the authoritative certification body; it issues to the user a digital certificate that serves as a unique identity mark and, together with the equipment of the network application provider, provides the digital certificate authentication mechanism.

As shown in Fig. 1, the embodiment of the invention is a dynamic password technology based on the PKI mechanism. It provides a verification system that realizes user identity verification, using the identity digital certificate issued by an authoritative CA to verify the legitimacy of the user's identity towards the network application. The verification system mainly comprises a mobile communication terminal 12, a Web server 13, a dynamic password verification server 14 and a key and user management subsystem 11, wherein:

The key and user management subsystem 11, as the CA equipment in the PKI system, is used for issuing and managing identity digital certificates and, together with the mobile communication terminal 12, the application management server and the dynamic password verification server 14, completes the verification of the user's identity. The identity digital certificate is in fact a user-related information record kept on the key and user management subsystem 11; it can also be regarded as a statement signed and issued by the CA that binds the certified subject (the certificate applicant, who becomes the certificate subject once the identity digital certificate has been issued) to the public key contained in the certificate in a one-to-one relationship. The digital signature of the identity digital certificate covers contents such as the name and related information of the certificate applicant, the applicant's public key, the CA that issued the certificate and the validity period of the certificate. If the user needs to renew the identity digital certificate, the formalities can be gone through with the CA again.

The mobile communication terminal 12 is used to download from the key and user management subsystem 11 the identity digital certificate issued to the network application user and, when the user needs identity authentication, to transfer the identity digital certificate to the Web server 13 through the USB port, Bluetooth or infrared emulated serial port of the mobile communication terminal 12 in order to show the identity of the network application user; together with the Web server 13, the dynamic password verification server 14 and the key and user management subsystem 11, it completes the verification of the user's identity using the identity digital certificate, the user password reserved on the key and user management subsystem 11, and the random information, valid within a set duration, that the key and user management subsystem 11 provides;

The Web server 13 and the dynamic password verification server 14, as the equipment of the network application provider, form the network application and verification subsystem, provide the interactive interface of the network application for the user, and together with the mobile communication terminal 12 and the key and user management subsystem 11 complete the verification of the user's identity.

Before downloading the identity digital certificate, the user must, according to the network application concerned, go through an account-opening procedure at the counter provided by the CA, which includes reserving basic user information and a user password with the CA. The CA saves the basic information and user password reserved by the user in the key and user management subsystem; the key and user management subsystem provides a unique identity digital certificate for the user applying for a digital certificate and produces a corresponding digital certificate activation code; the CA gives the activation code to the user; the user downloads their own identity digital certificate from the authentication server to the client on the mobile communication terminal 12 and activates the identity digital certificate with the activation code.

Still referring to Fig. 1, in the embodiment of the invention the specific process by which the mobile communication terminal 12 uses the identity digital certificate to complete the verification of the user's identity comprises the following steps:

S101: when the user performs identity authentication for the network application, the mobile communication terminal 12 establishes a communication connection with the Web server 13 and outputs over that connection the user's identity digital certificate obtained from the key and user management subsystem 11;

S102: upon receiving the user's identity digital certificate, the Web server 13 generates a verification request containing the identity digital certificate and sends it to the dynamic password verification server 14;

S103: the dynamic password verification server 14 forwards the verification request to the key and user management subsystem 11;

S104: according to the received verification request, the key and user management subsystem 11 generates random information, uses the set algorithm to generate user verification password information valid within the set duration, and outputs the random information and the user verification password information to the dynamic password verification server 14; the calculation parameters of the user verification password information comprise the identity digital certificate contained in the verification request and the random information generated for this verification request;

S105: the dynamic password verification server 14 forwards the random information to the Web server 13 and stores the user verification password information;

S106: the Web server 13 displays the random information to the user through the interactive interface of the application;

S107: the user reads the random information from the interactive interface of the application and inputs it into the mobile communication terminal 12 through the terminal's interactive interface;

S108: the mobile communication terminal 12 generates the user authentication password from the random information input by the user and the user's identity certificate, and displays the user authentication password on the interactive interface of the mobile communication terminal 12;

S109: the user inputs the user authentication password displayed on the interactive interface of the mobile communication terminal 12 into the Web server 13;

S110: the Web server 13 forwards the user authentication password to the dynamic password verification server 14;

S111: the dynamic password verification server 14 verifies the user's identity according to the user authentication password forwarded by the Web server 13 and the previously stored user verification password information valid within the set duration;

S112: the dynamic password verification server 14 returns the verification result to the Web server 13.

In the above verification process, the calculation parameters of the user authentication password and of the user verification password information comprise the user's identity digital certificate and the random information. The user's identity digital certificate is the user's unique identifier and is therefore bound to the user, so as long as the user keeps their personal digital certificate safe, the security of the verification result is guaranteed. The random information is generated on the spot and is time-limited; according to that time limit the key and user management subsystem 11 sets an effective duration for the user verification password information it generates, which guarantees that the user authentication password and the user verification password information used in each verification are dynamic passwords valid only for that occasion, thereby improving the security of the authentication mechanism.

In general, the Web server 13 comprises foreground equipment that the user operates through the interactive interface, for example a computer, a game console, an ATM or a POS machine, while the dynamic password verification server 14 performs the actual verification operations as background equipment; for security reasons the two should be deployed separately. For applications with lower security requirements, or simple networked applications, they can also be merged into a single network application and verification subsystem that performs both the network application interaction and the authentication function.

The mobile communication terminal 12 and the Web server 13 each need to install a dedicated client according to the scheme provided by the embodiment of the invention, which provides the corresponding interactive interface for the user and executes the operations the user inputs through it. Given the technical scheme provided by the embodiment of the invention, the development of the corresponding interactive interface is well known to those skilled in the art and is not described in detail here.

In the embodiment of the invention, the random information can be a random number, a combination of digits and letters, or similar, and the generation method can be, for example, a pseudo-random number generation algorithm; the technique for generating random information is also well known to those skilled in the art and is not described in detail here.

In the embodiments of the invention, the identity digital certificate is stored on the mobile communication terminal, a device carried by more and more people; the verification work requires neither a dynamic connection to the Internet as a general medium nor a high-precision clock, and a digital-certificate-based dynamic password verification technology is realized, which significantly improves the versatility and portability of the network application authentication mechanism at low cost.

In the embodiment of the invention, the password algorithm generally uses an irreversible hash algorithm, such as SHA1 or MD5.

Further, to increase the security of the authentication mechanism, in the embodiment of the invention the user can also reserve a user password at the key and user management subsystem 11 and input the user password at the time of inputting the random information. When the user verification password information is calculated, the calculation parameters may further comprise the user password that the user stored in advance in the key and user management subsystem 11; and when the user authentication password is calculated, the calculation parameters may further comprise the user password that the user inputs through the interactive interface of the mobile communication terminal 12.

Further, to increase the security of the authentication mechanism, in the embodiment of the invention the mobile communication terminal 12 maintains locally, according to a set rule, for example an accumulation method that advances by 1 each time, an accumulated count of the verification requests triggered by the user; the key and user management subsystem 11, according to the same set rule, updates its accumulated count each time it receives a verification request and generates the random information and the user verification password information. Both sides use the accumulated count they maintain as a parameter in the calculation of the user authentication password and the user verification password information. To guard against user mis-operation, the user verification password information calculated by the key and user management subsystem 11 comprises a group of user verification passwords calculated respectively with the current accumulated value and several values greater than the current accumulated value; as long as the user authentication password is consistent with any one of the group of user verification passwords, a result of verification passed is obtained, otherwise a result of verification failed is obtained.
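The following Python simulation is an added example, not code from the patent or from its assignees. It models the verification flow S101 to S112 together with the two refinements just described (the reserved user password as an extra calculation parameter, and the accumulated counts with a group of server-side passwords covering several counter values). The "set algorithm" is instantiated as HMAC-SHA256 keyed with the certificate and truncated to 8 digits; the patent only names SHA1 and MD5 as example hashes, so the choice of HMAC-SHA256, the 8-digit format, the window size WINDOW, the 6-digit random information and all sample values are this example's assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the patent): stand-ins for a user's identity
# digital certificate and the user password reserved at account opening.
CERT = b"constructed identity digital certificate for phone_num 13800000000"
PASSWD = b"constructed-user-password"
# Number of sequence-number values for which subsystem 11 generates passwords
# (the patent says "a set number"; 3 is this example's choice).
WINDOW = 3


def set_algorithm(cert: bytes, random_info: str, passwd: bytes, seq: int) -> str:
    """The patent's 'set algorithm', instantiated as HMAC-SHA256 keyed with the
    certificate over (random information, user password, sequence number).
    Truncated to 8 decimal digits so the user can type the result."""
    msg = random_info.encode() + b"|" + passwd + b"|" + str(seq).encode()
    digest = hmac.new(cert, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class KeyAndUserManagementSubsystem:
    """Subsystem 11: holds the certificate, the reserved password and the first
    sequence number (accumulated verification count); answers verification requests."""

    def __init__(self, cert: bytes, passwd: bytes):
        self.cert = cert
        self.passwd = passwd
        self.seq = 0

    def handle_verification_request(self, cert: bytes):
        """S104: generate random information and a group of user verification
        passwords for the current sequence number and WINDOW-1 values above it."""
        if not hmac.compare_digest(cert, self.cert):
            raise ValueError("unknown identity digital certificate")
        self.seq += 1                                     # "advances by 1 each time"
        random_info = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, shown to the user
        group = [set_algorithm(self.cert, random_info, self.passwd, s)
                 for s in range(self.seq, self.seq + WINDOW)]
        return random_info, group


class MobileCommunicationTerminal:
    """Terminal 12: holds the downloaded certificate and the second sequence number."""

    def __init__(self, cert: bytes):
        self.cert = cert
        self.seq = 0

    def generate_password(self, random_info: str, passwd: bytes) -> str:
        """S108: the user typed random_info and their password; compute the
        user authentication password for the next sequence number."""
        self.seq += 1
        return set_algorithm(self.cert, random_info, passwd, self.seq)


class DynamicPasswordVerificationServer:
    """Server 14: keeps the pending group per certificate (S105) and checks it (S111)."""

    def __init__(self):
        self.pending = {}

    def store(self, cert: bytes, group):
        self.pending[cert] = group

    def verify(self, cert: bytes, user_password: str) -> bool:
        """Pass if the typed password matches any password in the group; the group
        is discarded after one check so the same password cannot be replayed."""
        group = self.pending.pop(cert, [])
        return any(hmac.compare_digest(user_password, p) for p in group)


def run_authentication(kms, terminal, server, extra_terminal_presses=0,
                       typed_passwd=PASSWD):
    """One pass through S101-S112. extra_terminal_presses simulates the user
    triggering the terminal without submitting (the mis-operation the window covers)."""
    random_info, group = kms.handle_verification_request(terminal.cert)   # S101-S104
    server.store(terminal.cert, group)                                    # S105
    for _ in range(extra_terminal_presses):
        terminal.generate_password(random_info, typed_passwd)
    user_password = terminal.generate_password(random_info, typed_passwd)  # S106-S108
    return server.verify(terminal.cert, user_password)                    # S109-S111


if __name__ == "__main__":
    kms = KeyAndUserManagementSubsystem(CERT, PASSWD)
    term = MobileCommunicationTerminal(CERT)
    srv = DynamicPasswordVerificationServer()
    print("normal login:", run_authentication(kms, term, srv))
    print("wrong user password:", run_authentication(kms, term, srv, typed_passwd=b"wrong"))
```

Two design points are worth noting. The random information is drawn from the `secrets` module rather than a plain pseudo-random generator, because the challenge is what keeps each password single-use; and the verification server discards the stored group after one comparison, so a password observed on the wire cannot be replayed even inside the set duration. The patent does not say how the two counts are resynchronized once the terminal has run ahead by more than the window, so this example simply fails such a verification.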

A specific architecture of the network application authentication system provided by the embodiment of the invention is shown in Fig. 2, wherein:

The key and user management subsystem specifically comprises a user management server, a CA server, a user information database and a mobile communication terminal software download server. The user management server can connect to counter terminals and is mainly used for issuing and managing personal digital certificates, including receiving the basic user information and the user password that the user reserves when subscribing to the network application, generating the identity digital certificate and activation code for the user, and generating the random information and verification password information at the user's request when identity authentication is performed. The user information database stores each user's related information, such as the identity digital certificate. The mobile communication terminal client download server provides the user with the software for the various network application clients; the user can log in to this server to download or upgrade a network application client, and where the carrier network supports it the address can be pushed to the user's mobile communication terminal by WAP Push; the user can also log in to the server wirelessly from the mobile communication terminal directly to download; and of course the client can also be preloaded by the mobile communication terminal manufacturer onto the terminal device or onto its SIM/USIM module.

The network application and verification subsystem specifically comprises a service terminal, a Web server, a dynamic password verification server and a service application server, among others: the service terminal provides the interactive interface of the network application, the Web server provides login management for the network application, the dynamic password verification server performs the password verification, and a user who passes verification can enter the service application server to carry out the actual business.

Each flow the present invention relates to is described in detail below in conjunction with the accompanying drawings and preferred embodiments.

One, user account opening flow

As shown in Figure 3, before using the network application the user first applies at the counter provided by the CA to open an account. The account opening flow specifically comprises the following steps:

S301, the user, or a teller on the user's behalf, fills in the application form, and the teller enters the user's basic information into the key and user management subsystem, including the identification card number id_num and the telephone number phone_num of the mobile communication terminal the user uses;

S302, the user enters the chosen user password passwd into the key and user management subsystem; the user password can participate as a parameter in the calculation of the authentication password and the verification password, further strengthening the security of the authentication mechanism;

Further, a password modification flow of the cryptographic system can also be invoked so that the user can change the password.

S303, the key and user management subsystem generates the identity digital certificate and its activation code;

There are many ways to generate the identity digital certificate; it can be generated from the identification card number, telephone number, user password or other basic information, and those skilled in the art can choose the generation method flexibly as required.

There are likewise many ways to generate the activation code of the identity digital certificate; it can be generated from the user password or other basic information, and those skilled in the art can choose another activation code generation method as required. The embodiment of the invention provides the following specific implementation:

The key and user management subsystem calculates the storage form save_pass of the original password from passwd by the irreversible algorithm f_save, whose calculation parameters include passwd and phone_num:

save_pass = f_save(passwd, phone_num)

save_pass is stored with phone_num as the index. The key management subsystem does not store the user password directly, and because the algorithm used is irreversible, passwd cannot be recovered from save_pass either.

The key and user management subsystem generates the activation code act_key by the irreversible algorithm f_act:

act_key = f_act(passwd, phone_num, id_num)

Finally phone_num/act_key is printed and issued to the user, which completes the account opening flow.

Two, identity digital certificate download flow

As shown in Figure 4, after the user's account opening application is completed and the activation code has been obtained, the identity digital certificate is downloaded onto the mobile communication terminal through the download server in the key and user management subsystem. The flow specifically comprises the following steps:

S401, log in to the web page of the download site;

S402, the user enters the subscriber number of the mobile communication terminal, the user's identification card number (if selected) and the activation code on the input interface of the web page, and sends a request for the identity digital certificate License' to the mobile communication terminal software download server. The download server extracts the identity digital certificate from the CA server according to the identification card number (if selected) and the activation code, and sends it to the mobile communication terminal according to the terminal's subscriber number;

License' = f_lic(passwd, phone_num, id_num, act_key)

S403, the mobile communication terminal, following the user's operation, installs the identity digital certificate with phone_num as the index.

Three, activating the identity digital certificate downloaded onto the mobile communication terminal

The identity digital certificate can only be used after it has been activated, and during activation the binding between the subscriber number of the mobile communication terminal in use and the personal digital certificate is completed at the same time. As shown in Figure 5, this specifically comprises the following steps:

S501, the user enters on the mobile communication terminal the terminal card number phone_num that is to use this function, and the mobile communication terminal saves this card number;

S502, the user enters on the mobile communication terminal the user password passwd registered at account opening;

S503, the user enters on the mobile communication terminal the basic information registered at account opening: the ID card number id_num (optional);

S504, the mobile communication terminal calculates act_key' with the same irreversible algorithm f_act as the key and user management subsystem:

act_key' = f_act(passwd, phone_num, id_num)

S505, the user enters the activation code act_key; if act_key' and act_key are inconsistent, activation fails.

S506, the mobile communication terminal in use and the personal digital certificate are bound at the key and user management subsystem.

The embodiment of the invention provides a specific binding procedure:

The characteristic information of the mobile communication terminal is taken as phone_mask, for example the IMEI number of the terminal; if the IMEI number cannot be obtained, random information generated with other characteristic information of the terminal (such as the current free memory capacity) as the seed is used as phone_mask. phone_mask is used to distinguish different mobile communication terminals so that a specific terminal can be bound;

The binding code bind_key is calculated with the irreversible algorithm f_bind and kept on the mobile communication terminal:

bind_key = f_bind(phone_num, phone_mask)

The storage form save_pass of the original password is calculated by the irreversible algorithm f_save (here save_pass is not stored; it is only used to encrypt the key bind_key for transmission, to ensure that only a legitimate user can complete the binding):

save_pass = f_save(passwd, phone_num)

phone_num/bind_key is encrypted with save_pass as the key and sent to the key and user management subsystem;

The key and user management subsystem decrypts with save_pass to obtain bind_key;

Random information is taken as the synchronization code syn;

The server-side calculation sequence number is initialized: seq_svr = 0;

bind_key/syn/seq_svr are stored with phone_num as the index;

The key and user management subsystem returns syn to the mobile communication terminal;

The mobile communication terminal stores syn;

The mobile communication terminal initializes its calculation sequence number: seq_mob = 0;

It should be noted that the user password and the synchronization code syn can be used as parameters in calculating the verification password and the authentication password during later verification, thereby further strengthening the security of the authentication mechanism.

Activation succeeds.

Through the account opening, download and activation flows, the mobile communication terminal has successfully obtained the user's identity digital certificate.

Four, verification flow

Once the user has completed the account opening flow and obtained the identity digital certificate, daily use is more convenient. As shown in Figure 6, the verification flow in actual use comprises the following steps:

S601, when the user logs in to the web server to use the network application, the web server first asks the user to present the identity digital certificate; the web server and the mobile communication terminal establish a communication connection and, according to the user's operation, the mobile communication terminal transfers the user's identity digital certificate to the web server;

S602, the web server generates a verification request containing the user's identity digital certificate and sends it to the key and user management subsystem through the dynamic password verification server, receives the random information returned by the key and user management subsystem, and displays the random information challenge in a form that resists machine recognition, for example as an image pattern that cannot be recognized automatically;

At the same time, the key and user management subsystem calculates, for the current calculation sequence number seq_svr and the following numbers seq_svr+1 ... seq_svr+n-1 (n sequence numbers in total), the n one-time verification passwords OTP' that make up the verification password "valid window", and sends the window to the dynamic password verification server:

OTP'_i = f_OTP(save_pass, syn, seq_svr + i, bind_key, challenge), i = 0 ... n-1

S603, the mobile communication terminal calculates the user authentication password OTP;

The mobile communication terminal calculates from the user password passwd and the challenge entered by the user. The user password entered by the user is valid only for this calculation; it is neither stored on the mobile communication terminal nor transmitted over the network, so that it cannot be stolen. The mobile communication terminal also does not connect to the Internet while calculating the authentication password.

The software on the mobile communication terminal calculates the storage form save_pass of the user password by the irreversible algorithm f_save, phone_num being the terminal card number saved in step S501:

save_pass = f_save(passwd, phone_num)

From syn, the current calculation sequence number seq_mob, the user password passwd and the challenge, the mobile communication terminal calculates this user authentication password with the irreversible algorithm f_OTP consistent with the background system, displays it on its interactive interface, and after displaying the authentication password increments the current calculation sequence number:

OTP = f_OTP(save_pass, syn, seq_mob, bind_key, challenge)

S604, password verification process.

The user enters OTP on the application interactive interface of the web server, and the web server transfers OTP to the dynamic password verification server. If the dynamic password verification server determines that OTP is consistent with some OTP'_i in the verification password "valid window", this verification passes; otherwise verification fails. The verification result is returned to the web server and to the key and user management subsystem, and the web server continues subsequent processing according to the verification result.

In the embodiment of the invention, the identity digital certificate is stored on the mobile communication terminal device, a device carried by more and more people, which provides a medium that does not need to be networked dynamically; the dynamic password verification technique is thereby realized, significantly improving the versatility and portability of the network application authentication mechanism at low cost.

Obviously, those skilled in the art can make various changes and modifications to the embodiment of the invention without departing from the spirit and scope of the invention. Thus, if these modifications and variations of the invention fall within the scope of the claims of the invention and their equivalent technologies, the invention is also intended to include these changes and modifications.
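The four flows above (account opening, activation with binding, offline OTP calculation and window verification) carried through in Python, as an added illustration that is not part of the patent. The patent only calls f_save, f_act, f_bind and f_OTP irreversible, so HMAC-SHA256 with a per-function tag is an assumed instantiation; the XOR stream is an assumed stand-in for the save_pass-keyed encryption of bind_key, the window size, OTP length and the advance of seq_svr after a match are assumptions, and all phone numbers, ID numbers, passwords and IMEI values are constructed.

```python
import hashlib
import hmac
import os

OTP_DIGITS = 6  # digits of the displayed one-time password (assumed)
WINDOW = 5      # n: sequence numbers in the server-side "valid window" (assumed)

def _h(tag, *parts):
    # One-way function behind f_save/f_act/f_bind/f_OTP: HMAC-SHA256 keyed by a
    # per-function tag (the patent leaves the concrete irreversible algorithm open).
    mac = hmac.new(tag.encode(), digestmod=hashlib.sha256)
    for p in parts:
        mac.update(str(p).encode() + b"\x00")  # separator: ("ab","c") != ("a","bc")
    return mac.digest()

def f_save(passwd, phone_num):  # storage form of the password; passwd is never kept
    return _h("save", passwd, phone_num)

def f_act(passwd, phone_num, id_num):  # activation code printed for the user
    return _h("act", passwd, phone_num, id_num).hex()[:16]

def f_bind(phone_num, phone_mask):  # binding code kept on the terminal
    return _h("bind", phone_num, phone_mask)

def f_otp(save_pass, syn, seq, bind_key, challenge):  # one-time password
    d = _h("otp", save_pass.hex(), syn, seq, bind_key.hex(), challenge)
    return f"{int.from_bytes(d[:4], 'big') % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"

def _xor_enc(key, nonce, data):  # stand-in for "encrypt with save_pass as key"
    return bytes(a ^ b for a, b in zip(data, _h("enc", key.hex(), nonce.hex())))

class KeyServer:  # key and user management subsystem
    def __init__(self):
        self.users = {}  # phone_num -> record; passwd itself is never stored

    def open_account(self, phone_num, id_num, passwd):  # S301-S303
        self.users[phone_num] = {"save_pass": f_save(passwd, phone_num)}
        return f_act(passwd, phone_num, id_num)  # act_key handed to the user

    def bind(self, phone_num, nonce, enc_bind_key):  # S506
        rec = self.users[phone_num]
        rec["bind_key"] = _xor_enc(rec["save_pass"], nonce, enc_bind_key)
        rec["syn"], rec["seq_svr"] = os.urandom(8).hex(), 0
        return rec["syn"]

    def challenge_and_window(self, phone_num):  # S602: challenge plus OTP'_0..n-1
        rec, challenge = self.users[phone_num], os.urandom(4).hex()
        window = [f_otp(rec["save_pass"], rec["syn"], rec["seq_svr"] + i,
                        rec["bind_key"], challenge) for i in range(WINDOW)]
        return challenge, window

class Terminal:  # mobile communication terminal: holds bind_key, syn, seq_mob
    def __init__(self, phone_num, phone_mask):
        self.phone_num, self.bind_key = phone_num, f_bind(phone_num, phone_mask)
        self.syn, self.seq_mob = None, 0

    def activate(self, passwd, id_num, act_key, server):  # S501-S506
        if not hmac.compare_digest(f_act(passwd, self.phone_num, id_num), act_key):
            return False  # act_key' != act_key: activation fails (S505)
        nonce = os.urandom(8)
        enc = _xor_enc(f_save(passwd, self.phone_num), nonce, self.bind_key)
        self.syn = server.bind(self.phone_num, nonce, enc)
        return True

    def compute_otp(self, passwd, challenge):  # S603, computed offline
        save_pass = f_save(passwd, self.phone_num)  # passwd used only here
        otp = f_otp(save_pass, self.syn, self.seq_mob, self.bind_key, challenge)
        self.seq_mob += 1  # incremented after each display, even if unused
        return otp

def verify(server, phone_num, otp, window):  # S604: OTP equals some OTP'_i
    for i, expected in enumerate(window):
        if hmac.compare_digest(otp, expected):
            # Assumed, not in the patent: seq_svr moves past the match so the window
            # follows seq_mob and an already-used sequence number is never accepted again.
            server.users[phone_num]["seq_svr"] += i + 1
            return True
    return False

def run_scenario():
    # Constructed walk-through of the four flows; returns each check's outcome.
    srv, phone, idn, pw = KeyServer(), "13800000000", "110101199001011234", "s3cret"
    term = Terminal(phone, phone_mask="IMEI-CONSTRUCTED-0001")
    act_key = srv.open_account(phone, idn, pw)
    out = {"activate_wrong_pw": term.activate("wrong", idn, act_key, srv)}
    out["activate_ok"] = term.activate(pw, idn, act_key, srv)
    c, w = srv.challenge_and_window(phone)
    out["login_ok"] = verify(srv, phone, term.compute_otp(pw, c), w)
    # Unsubmitted OTPs push seq_mob ahead of seq_svr: a gap of 2 fits the window,
    # a gap of WINDOW does not.
    c, w = srv.challenge_and_window(phone)
    for _ in range(2): term.compute_otp(pw, c)
    out["drift_in_window_ok"] = verify(srv, phone, term.compute_otp(pw, c), w)
    c, w = srv.challenge_and_window(phone)
    for _ in range(WINDOW): term.compute_otp(pw, c)
    out["drift_beyond_window_rejected"] = not verify(srv, phone, term.compute_otp(pw, c), w)
    return out
```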

Claims (11)

1. A network application user identity verification system, characterized in that it comprises:
a key and user management subsystem, used to generate and store the identity digital certificate with which a user uses a network application; and, on receiving a verification request containing the identity digital certificate, to generate and output random information according to this verification request, and to generate and output, using a set algorithm, user verification password information valid within a set duration, the calculation parameters of the user verification password information comprising the identity digital certificate contained in the verification request and the random information generated according to this verification request;
a mobile communication terminal, used to obtain the user's identity digital certificate from the key and user management subsystem and, when the user performs identity verification for the network application, to output this identity digital certificate to the network application and verification subsystem; and to receive the random information generated by the key and user management subsystem as entered by the user, and to generate a user authentication password using the set algorithm, the calculation parameters of the user authentication password comprising the random information entered by the user and the stored identity digital certificate;
a network application and verification subsystem, used, when the user requests identity verification for the network application, to obtain the identity digital certificate from the mobile communication terminal, generate the verification request and send it to the key and user management subsystem; and to receive the random information output by the key and user management subsystem, receive the user authentication password entered by the user, receive the user verification password information output by the key and user management subsystem, and obtain the verification result according to the user authentication password and the user verification password information.
2. The system of claim 1, characterized in that the network application and verification subsystem specifically comprises:
a web server, used to provide the interactive interface of the network application and verification subsystem and, when the user requests identity verification for the network application through this interactive interface, to establish a communication connection with the mobile communication terminal, obtain the identity digital certificate from the mobile communication terminal over this connection, and generate and forward the verification request; and to receive the random information and display it to the user through the interactive interface, receive and forward the user authentication password entered by the user through the interactive interface, and receive the verification result;
a dynamic password verification server, used to receive the verification request output by the web server and forward it to the key and user management subsystem, and to receive the random information output by the key and user management subsystem and forward it to the web server; and to receive the user authentication password forwarded by the web server and the user verification password information output by the key and user management subsystem, obtain the verification result according to the user authentication password and the user verification password information, and send the verification result to the web server.
3. The system of claim 2, characterized in that:
the key and user management subsystem is further used to receive and store the user password entered by the user through the interactive interface of the key and user management subsystem together with the identity digital certificate of the corresponding user; and when it generates the user verification password information valid within the set duration using the set algorithm, the calculation parameters of the user verification password information further comprise the user password entered by the user; and
the mobile communication terminal is further used to receive the user password entered by the user through the interactive interface of the mobile communication terminal, and when it generates the user authentication password using the set algorithm, the calculation parameters of the user authentication password further comprise the user password entered by the user.
4. The system of claim 2 or 3, characterized in that:
the key and user management subsystem is further used to maintain, according to a set rule, a first sequence number identifying the accumulated number of user verifications, and when it generates the user verification password information valid within the set duration using the set algorithm, the calculation parameters of the user verification password information further comprise the first sequence number; and
the mobile communication terminal is further used to maintain, according to a set rule, a second sequence number identifying the accumulated number of user verification requests, and when it generates the user authentication password using the set algorithm, the calculation parameters of the user authentication password further comprise the second sequence number.
5. The system of claim 4, characterized in that the user verification password information valid within the set duration that the key and user management subsystem generates using the set algorithm comprises a group of user verification passwords, one generated for each of a set number of first sequence number values that include the current value of the first sequence number; and
the dynamic password verification server, according to the user authentication password and the user verification password information, obtains a result that verification passes when the user authentication password is consistent with any one of the group of user verification passwords, and otherwise obtains a result that verification fails.
6. The system of any one of claims 1, 2 or 3, characterized in that the mobile communication terminal and the network application and verification subsystem transfer the user's identity digital certificate by establishing a communication connection, the establishing of a communication connection specifically comprising:
a wired connection established through a USB interface; or
a wireless connection established through Bluetooth; or
a wireless connection established through an infrared emulated serial port.
7. A network application user identity verification method, characterized in that it comprises:
when the user performs identity verification for a network application, the mobile communication terminal outputs the user's identity digital certificate, obtained from the key and user management subsystem, to the network application and verification subsystem;
the network application and verification subsystem, on receiving the user's identity digital certificate, generates a verification request containing the identity digital certificate and sends it to the key and user management subsystem;
the key and user management subsystem, according to the received verification request, generates random information and generates, using a set algorithm, user verification password information valid within a set duration, and outputs the random information and the user verification password information to the network application and verification subsystem, the calculation parameters of the user verification password information comprising the identity digital certificate contained in the verification request and the random information generated according to this verification request;
the network application and verification subsystem receives the random information and the user verification password information output by the key and user management subsystem, and receives the user authentication password entered by the user, the user authentication password being generated by the mobile communication terminal using the set algorithm from the random information generated by the key and user management subsystem as entered by the user, and displayed to the user, the calculation parameters of the user authentication password comprising the random information entered by the user and the stored identity digital certificate;
the network application and verification subsystem verifies the user's identity according to the user authentication password and the user verification password information valid within the set duration.
8. The method of claim 7, characterized in that:
the calculation parameters of the user verification password information further comprise the user password that the user has stored in advance in the key and user management subsystem; and
the calculation parameters of the user authentication password further comprise the user password that the user also enters through the interactive interface of the mobile communication terminal when entering the random information generated by the key and user management subsystem.
9. The method of claim 7 or 8, characterized in that:
the calculation parameters of the user verification password information further comprise a first sequence number, maintained by the key and user management subsystem according to a set rule, used to identify the accumulated number of user verifications; and
the calculation parameters of the user authentication password further comprise a second sequence number, maintained by the mobile communication terminal according to the set rule, used to identify the accumulated number of user verification requests.
10. The method of claim 9, characterized in that the user verification password information comprises a group of user verification passwords, one generated for each of a set number of first sequence number values that include the current value of the first sequence number; and
the network application and verification subsystem verifying the user's identity according to the user authentication password and the user verification password information specifically comprises: obtaining a result that verification passes when the user authentication password is consistent with any one of the group of user verification passwords, and otherwise obtaining a result that verification fails.
11. A mobile communication terminal, characterized in that it comprises:
a unit for obtaining the user's identity digital certificate from the key and user management subsystem;
a unit for establishing a communication connection with the network application and verification subsystem when the user performs identity verification for the network application, and for outputting this identity digital certificate over the communication connection;
a unit for receiving the random information generated by the key and user management subsystem as entered by the user through the interactive interface of the mobile communication terminal;
a unit for generating the user authentication password using a set algorithm and displaying it through the interactive interface of the mobile communication terminal, the calculation parameters of the user authentication password comprising the random information entered by the user and the stored identity digital certificate.
CN200810226984XA 2008-11-28 2008-11-28 System, method and mobile communication terminal for verifying network application user identification CN101414909B (en)

Publications (2)

Publication Number Publication Date
CN101414909A CN101414909A (en) 2009-04-22
CN101414909B true CN101414909B (en) 2010-12-01



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant