CN101719250A - Payment authentication method, platform and system - Google Patents


Info

Publication number
CN101719250A
Authority
CN
China
Prior art keywords
payment
information
public key
client public
payment authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN200910241838A
Other languages
Chinese (zh)
Other versions
CN101719250B (en
Inventor
刘明辉
刘红旗
马泽芳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN 200910241838 priority Critical patent/CN101719250B/en
Publication of CN101719250A publication Critical patent/CN101719250A/en
Application granted granted Critical
Publication of CN101719250B publication Critical patent/CN101719250B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention provides a payment authentication method, platform and system. The payment authentication method comprises the following steps: receiving a payment information ciphertext, transaction information, and signature information generated by performing a hash operation and a signature operation on the payment information ciphertext and the transaction information; and verifying whether a first reference value, generated by applying the user public key to the signature information, is the same as a second reference value, generated by performing the hash operation on the payment information ciphertext and the transaction information. If the first reference value is the same as the second reference value, the payment authentication succeeds; otherwise, the payment authentication fails. The payment authentication platform comprises a receiving module, a computing module and an authentication module, and the payment authentication system comprises a set-top box and the payment authentication platform. In the embodiments of the invention, the payment information is encrypted, which provides confidentiality of the payment authentication, and the hash and signature operations are performed on the payment information ciphertext and the transaction information, which provides integrity and non-repudiation of the payment authentication.

Description

Payment authentication method, platform and system
Technical field
The embodiments of the invention relate to the technical field of network interaction, and in particular to a payment authentication method, platform and system.
Background art
IPTV (Internet Protocol Television, hereinafter IPTV), also called network television, is a technology that uses the broadband cable television network and integrates the Internet, multimedia, communication and other technologies to provide home users with a variety of interactive services, including digital television, video telecommunication services, karaoke and high-definition delivery. When an IPTV user enjoys IPTV services through a network set-top box and an ordinary television set and uses the set-top box to pay online over IPTV, the set-top box and the IPTV payment platform must exchange identity information before the user pays, and the IPTV payment platform can complete the payment process only after the user's payment information has been confirmed.
At present, the IPTV payment authentication system consists of a set-top box and an IPTV authentication module. The IPTV authentication module authenticates the set-top box using a symmetric key algorithm: in the interaction between the set-top box and the IPTV authentication module, the IPTV authentication module writes the set-top box ID and the corresponding shared key into the set-top box in advance, and authentication of the set-top box is completed by means of the shared key. Fig. 1 is a flowchart of an embodiment of the prior-art payment authentication method. As shown in Fig. 1:
1. The user sends authentication request information to the IPTV business service system through the set-top box;
2. After receiving the service request, the IPTV authentication module generates a random number and sends it to the set-top box;
3. The set-top box encrypts the random number with the shared key to generate a first random number ciphertext and submits it to the IPTV authentication module;
4. The IPTV authentication module encrypts the random number with the shared key to generate a second random number ciphertext and compares the first random number ciphertext with the second random number ciphertext. If they are identical, authentication passes; otherwise authentication fails. The authentication result is returned to the user through the set-top box.
At present, the IPTV payment authentication system implements online payment based on a shared symmetric-key encryption algorithm. This provides confidentiality of IPTV payment authentication, but not integrity or non-repudiation.
Summary of the invention
The embodiments of the invention provide a payment authentication method, platform and system that address the defect that network television payment authentication in the prior art lacks integrity and non-repudiation, and that achieve confidentiality, integrity and non-repudiation of payment authentication.
An embodiment of the invention provides a payment authentication method, comprising:
The payment authentication platform receives a payment request message sent by a set-top box. The payment request message comprises a payment information ciphertext, transaction information, signature information and a client public key certificate. The payment information ciphertext is obtained by encrypting the payment information with a data encryption key. The signature information is obtained by signing the result of a hash operation on the payment information ciphertext and the transaction information with the user private key that corresponds to the client public key in the client public key certificate;
The payment authentication platform resolves the signature information using the client public key in the client public key certificate to obtain a first reference value, and performs the hash operation on the payment information ciphertext and the transaction information to obtain a second reference value;
The payment authentication platform verifies the payment request message according to the first reference value and the second reference value.
An embodiment of the invention provides a payment authentication platform, comprising:
A receiving module, configured to receive a payment request message sent by a set-top box. The payment request message comprises a payment information ciphertext, transaction information, signature information and a client public key certificate. The payment information ciphertext is obtained by encrypting the payment information with a data encryption key. The signature information is obtained by signing the result of a hash operation on the payment information ciphertext and the transaction information with the user private key that corresponds to the client public key in the client public key certificate;
A computing module, configured to resolve the signature information using the client public key in the client public key certificate to obtain a first reference value, and to perform the hash operation on the payment information ciphertext and the transaction information to obtain a second reference value;
An authentication module, configured to verify the payment request message according to the first reference value and the second reference value.
An embodiment of the invention provides a payment authentication system comprising a set-top box, a CA system and the payment authentication platform described above.
The payment authentication method, platform and system of the embodiments of the invention perform payment authentication by verifying whether the first reference value, generated by resolving the signature information with the client public key, is the same as the second reference value, generated by performing a one-way, irreversible hash operation on the payment information ciphertext and the transaction information. By encrypting the payment information and performing the hash and signature operations on the payment information ciphertext and the transaction information, they achieve confidentiality, integrity and non-repudiation of payment authentication and improve its security.
Description of drawings
To illustrate the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an embodiment of the prior-art payment authentication method;
Fig. 2 is a flowchart of an embodiment of the payment authentication method of the invention;
Fig. 3 is a flowchart of an embodiment of payment service registration of the invention;
Fig. 4 is a flowchart of an embodiment of the payment service authentication method of the invention;
Fig. 5 is a structural diagram of embodiment one of the payment authentication platform of the invention;
Fig. 6 is a structural diagram of embodiment two of the payment authentication platform of the invention;
Fig. 7 is a structural diagram of an embodiment of the payment authentication system of the invention.
Embodiments
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 2 is a flowchart of an embodiment of the payment authentication method of the invention. As shown in Fig. 2, the payment authentication method comprises:
Step 101: The payment authentication platform receives a payment request message sent by a set-top box. The payment request message comprises a payment information ciphertext, transaction information, signature information and a client public key certificate. The payment information ciphertext is obtained by encrypting the payment information with a data encryption key. The signature information is obtained by signing the result of a hash operation on the payment information ciphertext and the transaction information with the user private key that corresponds to the client public key in the client public key certificate;
When a user uses a service through the set-top box, the user pays for that service to obtain the corresponding service rights. Payment authentication is performed before payment. The user enters into the set-top box the payment information, which includes the payment account, payment password, payment amount and so on, and the transaction information, which includes the transaction initiation date, transaction time, transaction code, currency code, accumulated transaction count, terminal country code and so on. The set-top box encrypts the payment information with its pre-stored data encryption key to obtain the payment information ciphertext, performs a one-way, irreversible hash operation on the payment information ciphertext and the transaction information to generate a message digest, and signs the message digest with the user private key, which was generated at registration and is stored in the set-top box, to generate the signature information. The user private key corresponds to the client public key in the client public key certificate, and the client public key certificate is generated and stored at registration. Performing the hash and signature operations on the payment information ciphertext and the transaction information guarantees their integrity in payment authentication. Because the transaction information includes the transaction initiation time, replay attacks can be effectively prevented.
Step 102: The payment authentication platform resolves the signature information using the client public key in the client public key certificate to obtain a first reference value, and performs the hash operation on the payment information ciphertext and the transaction information to obtain a second reference value;
After receiving the payment information ciphertext, transaction information, signature information and client public key certificate, the payment authentication platform resolves the signature information with the client public key in the client public key certificate to obtain the first reference value; this client public key corresponds to the user private key above. The payment authentication platform performs the hash operation on the payment information ciphertext and the transaction information using the hash function agreed with the set-top box to obtain the second reference value. This hash function is the same one used for the hash operation in the step above and is agreed in advance between the payment authentication platform and the set-top box, so the second reference value generated by the payment authentication platform is identical to the message digest generated by the set-top box.
Step 103: The payment authentication platform verifies the payment request message according to the first reference value and the second reference value.
The first reference value is compared with the second reference value. If they are the same, the first reference value that the payment authentication platform obtained by resolving the signature information is the message digest generated by the set-top box, and verification of the payment request message succeeds. This shows that the payment information ciphertext and the transaction information are intact and have not been tampered with since the hash and signature operations were performed, which guarantees the integrity and non-repudiation of payment authentication. The payment request message is authenticated, and the payment authentication platform generates payment authentication success information. If the first reference value differs from the second reference value, authentication of the payment request message fails and ends. The payment authentication platform returns payment authentication failure information to the set-top box; after receiving it, the set-top box may send a payment request message to the payment authentication platform again to request re-authentication.
In the payment authentication method provided by the embodiment of the invention, the user private key corresponding to the client public key is used to sign the result of the hash operation on the payment information ciphertext and the transaction information, producing the signature information, and the payment request message is verified by checking whether the result of resolving the signature information is the same as the result of performing the hash operation on the payment information ciphertext and the transaction information. Encrypting the payment information with the data encryption key provides confidentiality of the payment information, and performing the hash and signature operations on the payment information ciphertext and the transaction information provides integrity and non-repudiation of the payment information.
Further, on the basis of the above embodiment, resolving the signature information using the client public key in the client public key certificate comprises: the payment authentication platform uses the CA public key to resolve the client public key certificate, which has been signed with the CA private key, and obtains the client public key; the CA public key corresponds to the CA private key; and the payment authentication platform resolves the signature information using the client public key.
Before resolving the signature information with the client public key in the client public key certificate, the payment authentication platform first checks the validity of the client public key certificate, that is, whether the client public key certificate was generated with a CA private key signature. If the client public key certificate is invalid, the platform returns payment authentication failure information to the set-top box and payment authentication ends; after receiving the failure information, the set-top box may send a payment request message to the payment authentication platform again to request re-authentication. If the client public key certificate is valid, the payment authentication platform uses the CA public key obtained from the CA system to resolve the client public key certificate signed with the CA private key and obtains the client public key; the CA public key corresponds to the CA private key. The platform then resolves the signature information with the client public key, which corresponds to the user private key, to obtain the first reference value. The payment authentication platform performs the hash operation on the payment information ciphertext and the transaction information using the hash function agreed with the set-top box to obtain the second reference value.
In the above embodiment, the payment authentication platform resolves the received signature information with the client public key in the client public key certificate sent by the set-top box. The client public key certificate held by the set-top box is received when the set-top box registers beforehand. The registration flow is introduced below. Fig. 3 is a flowchart of an embodiment of payment service registration of the invention. As shown in Fig. 3, the user registration flow comprises:
Step 201: The user initiates registration request information to the payment authentication platform through the set-top box;
Step 202: After receiving the registration request information, the payment authentication platform returns a registration application form to the set-top box;
Step 203: After receiving the registration application form, the set-top box prompts the user to enter user registration information into the set-top box, generates a user public/private key pair, stores the user private key in the secure storage area of the set-top box, and generates client public key certificate request information containing the client public key. The user registration information includes the payment account, payment password and so on;
The set-top box is integrated with a smart card. When the smart card issuing system issues the smart card, it writes the data encryption key into the secure storage area of the smart card. In practice the smart card may also be a separate entity that communicates with the set-top box through the set-top box's smart card interface. The following embodiments of the invention are all described with the set-top box and the smart card integrated, that is, the set-top box has a secure storage area that stores the data encryption key. The secure storage area has access rules: the data encryption key can be invoked only after the corresponding permission has been obtained, and it cannot be read or modified; only the smart card issuing system can read and modify the data encryption key. This guarantees the confidentiality of the data encryption key in use.
Step 204: The set-top box loads the client public key certificate request information containing the client public key, together with the user registration information, into the registration application form;
Step 205: The payment authentication platform receives the registration application form returned by the set-top box and checks its completeness, that is, whether the client public key certificate request information and the user registration information in the form are complete. If the completeness requirement is not met, the payment authentication platform returns registration failure information to the set-top box and the registration flow ends. If the completeness requirement is met, step 206 is executed;
After receiving the registration failure information, the set-top box may of course send registration request information to the payment authentication platform again to request re-registration.
Step 206: The payment authentication platform sends the client public key certificate request information to the CA system;
Step 207: The CA system uses the CA private key to sign the client public key in the received client public key certificate request information, and generates and stores the client public key certificate signed with the CA private key;
Step 208: The CA system returns a message to the payment authentication platform indicating that the client public key certificate has been generated;
Step 209: After receiving the message that the client public key certificate has been generated, the payment authentication platform notifies the set-top box to download the client public key certificate from the CA system.
The payment authentication platform obtains the CA public key. During payment authentication, it uses the CA public key to resolve the client public key certificate signed with the CA private key and obtains the client public key; the CA private key corresponds to the CA public key. The payment authentication platform then resolves the signature information using the client public key. The user registration information in the registration application form is used after payment authentication completes, when the payment authentication platform verifies whether the payment password in the payment information is identical to the payment password in the user registration information.
After the payment service registration flow of the invention ends, the set-top box has downloaded and installed the client public key certificate that the CA system generated with the CA private key signature. The client public key certificate is used in the payment authentication flow: resolving it with the CA public key yields the client public key used to resolve the signature information. During payment authentication, the payment authentication platform obtains the client public key certificate signed with the CA private key and resolves it with the CA public key to obtain the client public key.
Fig. 4 is a flowchart of an embodiment of the payment service authentication method of the invention. As shown in Fig. 4, the flow of the payment service authentication method of the embodiment comprises:
Step 301: The user sends payment application information to the payment authentication platform through the set-top box;
Step 302: After receiving the payment application information, the payment authentication platform returns information to the set-top box;
Step 303: According to that information, the set-top box obtains the payment information and transaction information entered by the user, encrypts the payment information with the data encryption key to obtain the payment information ciphertext, performs the hash operation on the payment information ciphertext and the transaction information to generate a message digest, and signs the message digest with the user private key to generate the signature information. The set-top box sends the payment authentication platform a payment request message comprising the payment information ciphertext, transaction information, signature information and client public key certificate. The payment information includes the payment account, payment password, payment amount and so on; the transaction information includes the transaction initiation date, transaction time, transaction code, currency code, accumulated transaction count and terminal country code. The user private key is stored in the secure storage area of the set-top box;
The set-top box has a secure storage area that stores the data encryption key. The secure storage area has access rules: the data encryption key can be invoked only after the corresponding permission has been obtained, and it cannot be read or modified; only the smart card issuing system can read and modify the data encryption key. This guarantees the confidentiality of the data encryption key in use.
When the payment authentication platform generates payment authentication success information, it obtains through the smart card issuing system the data encryption key agreed with the set-top box and decrypts the payment information ciphertext with this key to recover the payment information. The data encryption key used by the set-top box to encrypt the payment information and the data encryption key used by the payment authentication platform to decrypt the payment information ciphertext are the same key, which ensures that the payment information decrypted by the payment authentication platform is the payment information that the set-top box obtained from the user's input.
Step 304: The set-top box sends the payment request message to the payment authentication platform. The payment request message comprises the payment information ciphertext, transaction information, signature information and client public key certificate;
Step 305: The payment authentication platform receives the payment information ciphertext, transaction information, signature information and client public key certificate, resolves the client public key certificate with the CA public key to obtain the client public key, and resolves the received signature information with the client public key to generate a message digest; this message digest is the first reference value. Using the hash function agreed with the set-top box, the platform performs the hash operation on the received payment information ciphertext and transaction information to generate the second reference value, and compares the first reference value with the second reference value. If they are the same, the platform generates payment authentication success information and payment authentication succeeds. Otherwise, payment authentication fails and the platform returns payment authentication failure information to the set-top box; after receiving it, the set-top box may send a payment request message to the payment authentication platform again to request re-authentication;
Step 306: When the payment authentication platform generates payment authentication success information, it performs the business authentication operation. The payment authentication platform decrypts the payment information ciphertext with the data encryption key to obtain the payment information, and uses the user registration information carried in the registration application form to verify that the payment account and payment password contained in the payment information match;
The data encryption key is agreed in advance between the payment authentication platform and the set-top box, and the user registration information that the user entered into the registration application form in the registration module includes the payment account and payment password. When the payment authentication platform generates payment authentication success information, it performs the business authentication operation: it uses the payment account and payment password in the user registration information that the user entered in the registration module to verify the payment account and payment password in the payment information decrypted with the data encryption key. If the decrypted payment password is identical to the payment password the user entered in the registration module, the corresponding payment amount is deducted from the payment account in the payment information, payment service authentication succeeds, and payment transaction success information is recorded. Otherwise, payment transaction failure information is recorded. The payment transaction information is returned to the set-top box; it comprises the payment transaction success information and the payment transaction failure information;
Step 307: The payment authentication platform returns the payment transaction information to the set-top box. The payment transaction information comprises the payment transaction success information and the payment transaction failure information;
Step 308: The set-top box receives the payment transaction information and records a payment transaction log. The log content includes the payment transaction information, transaction initiation date, transaction time, transaction amount, transaction code, currency code, accumulated transaction count, terminal country code and other information. The set-top box records and compiles the payment transaction log to facilitate user queries and management of the payment authentication system.
Furthermore, each time the user performs payment authentication, the payment authentication platform and the set-top box synchronously apply a dispersion factor to disperse the data encryption key. The payment information is encrypted with the dispersed data encryption key to generate the payment information ciphertext, the hash operation is performed on the payment information ciphertext and the transaction information, and the signature operation is performed on the result of the hash operation to generate the signature information. After payment authentication succeeds on the payment authentication platform, the data encryption key applied in the payment transaction verification is likewise the one that has been dispersed with the system's dispersion factor.
The dispersion factor is applied synchronously by the set-top box and the payment authentication platform at every payment authentication. The dispersion factor is chosen as data that changes at every payment authentication by the user and is synchronized between the two sides; for example, the value of the cumulative transaction count counter can be selected as the dispersion factor. Because the set-top box and the payment authentication platform synchronously disperse the data encryption key with the same dispersion factor, the risk of the data encryption key being cracked is reduced.
After the payment authentication platform obtains the payment information, it verifies whether the payment password in the payment information is identical to the payment password entered when the user registered. If they are identical, the corresponding payment amount is deducted from the payment account in the payment information and payment transaction success information is recorded; otherwise payment transaction failure information is recorded. The transaction success or failure information is sent to the set-top box for recording in the payment transaction log, which facilitates user queries and management of the payment authentication system.
In the payment authentication method provided by the embodiment of the invention, the set-top box stores the data encryption key and the client public key certificate signed with the CA private key. The payment authentication platform receives the payment information ciphertext obtained by encrypting the payment information entered by the user, which achieves the confidentiality of payment authentication. The payment authentication platform also receives the signature information obtained by performing the hash operation and the signature operation on the payment information ciphertext and the transaction information, and verifies whether the result of parsing the signature information with the client public key in the client public key certificate is identical to the message digest generated by performing the hash operation on the payment information ciphertext and the transaction information; completing the payment transaction verification in this way achieves the integrity and non-repudiation of payment authentication.
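The flow described above, as an added Python example that is not code from the patent: the set-top box disperses the data encryption key with the transaction counter, encrypts, hashes and signs, and the platform compares the first and second reference values before checking the payment password (the page's "payment cipher"). Assumptions: HMAC-SHA256 as the dispersion function and as a stand-in keystream cipher, SHA-256 as the agreed hash, an unpadded RSA operation over a constructed Mersenne-prime key pair used only to expose the reference-value comparison, and the client public key taken as already extracted from a CA-verified certificate; all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import struct

# Constructed demonstration key pair (NOT secure): the modulus is the product
# of two Mersenne primes so that the block needs no third-party library.
# A deployment would use a padded signature scheme from a vetted library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # client public key (assumed certificate-verified)
D = pow(E, -1, (P - 1) * (Q - 1))        # user private exponent, held by the set-top box


def disperse_key(base_key: bytes, counter: int) -> bytes:
    """Disperse the shared data encryption key with the per-payment factor."""
    return hmac.new(base_key, b"dek" + struct.pack(">Q", counter), hashlib.sha256).digest()


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 keystream XOR); the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, struct.pack(">Q", offset // 32), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def message_digest(ciphertext: bytes, transaction_info: bytes) -> int:
    """Hash both fields with length prefixes so field boundaries cannot be shifted."""
    h = hashlib.sha256()
    for field in (ciphertext, transaction_info):
        h.update(struct.pack(">I", len(field)))
        h.update(field)
    return int.from_bytes(h.digest(), "big")


def stb_build_request(base_key, counter, payment_info, transaction_info):
    """Set-top box side: encrypt, hash, then sign the digest with the user private key."""
    ciphertext = xor_cipher(disperse_key(base_key, counter), payment_info)
    signature = pow(message_digest(ciphertext, transaction_info), D, N)
    return {"ciphertext": ciphertext, "transaction_info": transaction_info,
            "signature": signature}


def platform_authenticate(request, base_key, counter, registered_password):
    """Platform side: compare reference values, then decrypt and check the password."""
    first_ref = pow(request["signature"], E, N)   # signature parsed with the public key
    second_ref = message_digest(request["ciphertext"], request["transaction_info"])
    if first_ref != second_ref:
        return "payment authentication failed"
    payment_info = xor_cipher(disperse_key(base_key, counter), request["ciphertext"])
    fields = payment_info.split(b"|")             # constructed layout: account|password|amount
    if len(fields) != 3 or not hmac.compare_digest(fields[1], registered_password):
        return "payment transaction failed"
    return "payment transaction succeeded"


# Constructed sample values
BASE_KEY = bytes(range(32))
TXN = b"date=2009-12-10;time=10:15:00;code=0001;currency=156;count=7"
REQUEST = stb_build_request(BASE_KEY, 7, b"acct-0001|246810|25.00", TXN)

if __name__ == "__main__":
    print(platform_authenticate(REQUEST, BASE_KEY, 7, b"246810"))
    tampered = dict(REQUEST, transaction_info=TXN.replace(b"count=7", b"count=8"))
    print(platform_authenticate(tampered, BASE_KEY, 7, b"246810"))
    # A platform counter that is out of step yields a different dispersed key.
    print(platform_authenticate(REQUEST, BASE_KEY, 8, b"246810"))
```

The third call shows the operational cost of using the cumulative transaction count as the dispersion factor: if the two counters drift apart, a correctly signed request still fails at the decryption step.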
Fig. 5 is a structural schematic diagram of embodiment one of the payment authentication platform of the present invention. As shown in Fig. 5, the Web TV payment authentication platform comprises:
Receiver module 12, configured to receive the payment request message sent by the set-top box. The payment request message comprises the payment information ciphertext, the transaction information, the signature information and the client public key certificate; the payment information ciphertext is obtained by encrypting the payment information with the data encryption key, and the signature information is obtained by signing the hash operation result of the payment information ciphertext and the transaction information with the user private key corresponding to the client public key in the client public key certificate;
When the user performs payment authentication, the set-top box receives the payment information and the transaction information that are entered. The payment information is sensitive information entered by the user and comprises the payment account, the payment password, the payment, etc. The transaction information is recorded after the payment transaction authentication is completed and comprises the transaction initiation date, transaction time, transaction code, currency code, cumulative transaction count, terminal country code, etc.; the transaction initiation time contained in the transaction information can effectively prevent replay attacks;
The set-top box encrypts the payment information with the pre-stored data encryption key to generate the payment information ciphertext. The data encryption key is stored in a secure storage area of the set-top box, and access rules are set on the secure storage area to ensure the confidentiality of the data encryption key in use;
The set-top box performs a one-way, irreversible hash operation on the payment information ciphertext and the transaction information to generate a message digest, and performs the signature operation on the generated message digest with the user private key stored in the set-top box to generate the signature information. The user private key corresponds to the client public key in the client public key certificate generated at registration; the client public key certificate in the payment request message sent by the set-top box is generated at registration and stored in the set-top box;
The set-top box sends to receiver module 12 the payment request message carrying the payment information ciphertext, the signature information, the client public key certificate and the transaction information entered when the user performs payment authentication.
Computing module 13, configured to parse the signature information according to the client public key in the client public key certificate to obtain the first reference value, and to perform the hash operation on the payment information ciphertext and the transaction information to obtain the second reference value;
Computing module 13 receives the payment request message sent by receiver module 12 and applies the client public key in the client public key certificate to parse the received signature information and generate the first reference value. The client public key is the one signed with the CA private key and stored in the client public key certificate: the computing module applies the CA public key obtained from the CA system to parse the client public key certificate and obtain the client public key, then applies the client public key to parse the signature information and generate the first reference value;
Computing module 13 performs the one-way, irreversible hash operation on the received payment information ciphertext and transaction information to generate the second reference value. The hash function used by the computing module for the hash operation and the hash function used by the set-top box for the hash operation are agreed in advance.
Authentication module 14, configured to verify the payment request message according to the first reference value and the second reference value. Authentication module 14 receives the first reference value and the second reference value generated by computing module 13 and verifies whether they are identical. If they are identical, this shows that the payment information ciphertext and the transaction information have remained complete and untampered since the hash and signature operations were performed and that the user's signature information is valid, and payment authentication success information is generated; otherwise payment authentication fails and payment authentication failure information is generated.
The payment authentication platform of the above embodiment receives the payment request message sent by the set-top box and applies the client public key in the client public key certificate to parse the received signature information and obtain the first reference value; it performs the one-way, irreversible hash operation on the received payment information ciphertext and transaction information to obtain the second reference value, and verifies whether the first reference value is identical to the second reference value to complete payment authentication. The receiver module of the payment authentication platform receives the payment information ciphertext that the set-top box generated by encrypting the payment information with the data encryption key, which achieves the confidentiality of the payment information. In this payment authentication, the one-way, irreversible hash operation is performed on the payment information ciphertext and the transaction information and the signature operation is performed on the hash result to generate the signature information, which reduces the amount of data to be signed, speeds up signing, and achieves the integrity and non-repudiation of the payment information.
Fig. 6 is a structural schematic diagram of embodiment two of the payment authentication platform of the present invention. As shown in Fig. 6, the payment authentication platform comprises receiver module 12, computing module 13 and authentication module 14 as described in the above embodiment, and further comprises registration module 11, configured to generate the registration application form carrying the user registration information and the client public key certificate request information, and to trigger the CA system to sign the client public key in the client public key certificate request information to generate the client public key certificate. Registration module 11 sends the registration application form to the CA system, and the set-top box downloads the client public key certificate from the CA system; when the payment authentication platform performs payment authentication, it applies the client public key in the client public key certificate to parse the received signature information. The payment password in the registration application form is used by the payment authentication platform to verify the payment password in the payment information obtained by parsing the payment information ciphertext.
Receiver module 12 receives the payment request message sent by the set-top box; the payment request message comprises the payment information ciphertext, the transaction information, the signature information and the client public key certificate;
Computing module 13 applies the client public key in the client public key certificate to parse the received signature information and generate the first reference value. The client public key is the one signed with the CA private key and stored in the client public key certificate: computing module 13 applies the CA public key obtained from the CA system to parse the client public key certificate and obtain the client public key, then applies the client public key to parse the signature information and generate the first reference value. Computing module 13 performs the one-way, irreversible hash operation on the received payment information ciphertext and transaction information to generate the second reference value; the hash function used by the computing module for the hash operation and the hash function used by the set-top box for the hash operation are agreed in advance;
Authentication module 14 verifies the payment request message according to the first reference value and the second reference value. If the first reference value is identical to the second reference value, the payment request message is authenticated successfully: this shows that the payment information ciphertext and the transaction information have remained complete and untampered since the hash and signature operations were performed and that the user's signature information is valid, and payment authentication success information is generated; otherwise authentication of the payment request message fails and payment authentication failure information is generated.
Furthermore, on the basis of the above embodiment, the platform further comprises payment transaction authentication module 15, configured to, after authentication module 14 has authenticated the set-top box, receive the payment information ciphertext, decrypt it with the data encryption key agreed in advance with the set-top box to obtain the payment information, and verify the payment account and payment password in the decrypted payment information against the payment account and payment password in the user registration information that the user entered in the registration application form in registration module 11; the registration information comprises the payment account and the payment password. If the payment password in the decrypted payment information is identical to the payment password in the user registration information that the user entered in the registration module, the corresponding payment amount is deducted from the payment account in the payment information and payment transaction success information is recorded; otherwise payment transaction failure information is recorded. The payment transaction success information or payment transaction failure information is sent to the set-top box, and the set-top box records the payment transaction log, whose content comprises information such as the transaction initiation date, transaction time, transaction amount, transaction code, currency code, cumulative transaction count and terminal country code. The set-top box records and compiles statistics on the payment transaction log, which facilitates user queries and management of the payment authentication system.
Furthermore, on the basis of the above embodiment, the platform further comprises dispersion module 16, configured so that the payment authentication platform and the set-top box synchronously apply the dispersion factor to disperse the data encryption key. The set-top box encrypts the payment information with the dispersed data encryption key to generate the payment information ciphertext, and the hash operation and the signature operation are performed on the payment information ciphertext and the transaction information for payment authentication. After the payment authentication success information is generated, payment transaction authentication module 15 of the payment platform decrypts the payment information ciphertext with the data encryption key that dispersion module 16 generated by dispersing synchronously with the set-top box.
The dispersion factor of dispersion module 16 is agreed in advance between the set-top box and the payment authentication platform. Data that changes at every payment and is synchronized between the two sides is selected as the dispersion factor; for example, the value of the cumulative transaction count counter can be selected. Because the set-top box and the payment authentication platform each use the data encryption key generated by the dispersion module, the number of times a data encryption key is used is reduced, which reduces the risk of the data encryption key being cracked.
The payment authentication platform of the embodiment of the invention receives the payment request message sent by the set-top box and applies the client public key in the client public key certificate to parse the received signature information and obtain the first reference value; it performs the one-way, irreversible hash operation on the received payment information ciphertext and transaction information to obtain the second reference value, and verifies whether the first reference value is identical to the second reference value. If they differ, payment authentication failure information is returned and payment authentication ends. If they are identical, the payment authentication platform generates the payment authentication success information and, using the user registration information that the user entered in the registration application form in the registration module, verifies the payment password in the payment information decrypted with the data encryption key; the registration information comprises the payment password.
This payment authentication platform performs the one-way, irreversible hash operation on the payment information ciphertext and the transaction information to generate a message digest, and the signature operation is performed on the message digest to generate the signature information. This reduces the amount of data to be signed and speeds up signing, while achieving the integrity and non-repudiation of payment authentication on this platform. Using a data encryption key generated by dispersing the data encryption key with the dispersion factor reduces the number of times the data encryption key is used and the risk of its being cracked, which improves the security of payment authentication.
Fig. 7 is a structural schematic diagram of an embodiment of the payment authentication system of the present invention. As shown in Fig. 7, the payment authentication system of the embodiment of the invention comprises set-top box 22, CA system 21 and the payment authentication platform 23 described in the above embodiments. Set-top box 22 is configured to send the payment request message to payment authentication platform 23; the payment request message comprises the payment information ciphertext, the transaction information, the signature information and the client public key certificate. Payment authentication platform 23 receives the payment request message, parses the signature information according to the client public key in the client public key certificate to obtain the first reference value, performs the hash operation on the payment information ciphertext and the transaction information to obtain the second reference value, and verifies the payment request message according to the first reference value and the second reference value. The payment authentication system of the embodiment of the invention achieves the confidentiality of payment authentication by encrypting the payment information, and achieves the integrity and non-repudiation of payment authentication by performing the hash operation and the signature operation on the payment information ciphertext and the transaction information.
For set-top box 22, CA system 21 and payment authentication platform 23 involved in this embodiment, refer to the description of the above method and apparatus embodiments; details are not repeated here.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements of some of the technical features therein; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (12)

1. A payment authentication method, characterized in that it comprises:
a payment authentication platform receiving a payment request message sent by a set-top box, the payment request message comprising a payment information ciphertext, transaction information, signature information and a client public key certificate, wherein the payment information ciphertext is obtained by encrypting payment information with a data encryption key, and the signature information is obtained by signing the hash operation result of the payment information ciphertext and the transaction information with the user private key corresponding to the client public key in the client public key certificate;
the payment authentication platform parsing the signature information according to the client public key in the client public key certificate to obtain a first reference value, and performing the hash operation on the payment information ciphertext and the transaction information to obtain a second reference value;
the payment authentication platform verifying the payment request message according to the first reference value and the second reference value.
2. The payment authentication method according to claim 1, characterized in that parsing the signature information according to the client public key in the client public key certificate comprises:
the payment authentication platform applying a CA public key to parse the client public key certificate, which has been signed with a CA private key, to obtain the client public key, the CA private key corresponding to the CA public key;
the payment authentication platform parsing the signature information according to the client public key.
3. payment authentication method according to claim 1 and 2 is characterized in that, also comprises before the payment request message that described receiving set up box sends:
The payment authentication platform returns information to described set-top box after receiving the payment application of described set-top box transmission;
The payment authentication platform receives the described payment request message that described set-top box is returned according to described information.
4. payment authentication method according to claim 1 and 2 is characterized in that, also comprises before the payment request message that described receiving set up box sends:
The payment authentication platform receives the login request message that described set-top box sends, and returns application form for registration to described set-top box;
The payment authentication platform receives the application form for registration that described set-top box is returned, and comprises described client public key certificate request information and the user's registration information that comprises client public key in the described application form for registration;
The payment authentication platform is examined the integrality of described application form for registration, and client public key certificate request information is sent to the CA system;
Described CA system returns the client public key certificate to described set-top box, and described client public key certificate is that the described CA private key of described CA system applies is signed to handle to the client public key in the described client public key certificate request information and obtained.
5. The payment authentication method according to claim 4, characterized in that it further comprises:
the payment authentication platform decrypting the payment information ciphertext with the data encryption key to obtain the payment information;
the payment authentication platform applying the user registration information contained in the registration application form to verify the payment password contained in the payment information.
6. The payment authentication method according to claim 4, characterized in that it further comprises: the set-top box downloading the client public key certificate from the CA system.
7. The payment authentication method according to claim 4, characterized in that the payment authentication platform and the set-top box synchronously apply a dispersion factor to perform a dispersion operation on the data encryption key.
8. A payment authentication platform, characterized in that it comprises:
a receiver module, configured to receive a payment request message sent by a set-top box, the payment request message comprising a payment information ciphertext, transaction information, signature information and a client public key certificate, wherein the payment information ciphertext is obtained by encrypting payment information with a data encryption key, and the signature information is obtained by signing the hash operation result of the payment information ciphertext and the transaction information with the user private key corresponding to the client public key in the client public key certificate;
a computing module, configured to parse the signature information according to the client public key in the client public key certificate to obtain a first reference value, and to perform the hash operation on the payment information ciphertext and the transaction information to obtain a second reference value;
an authentication module, configured to verify the payment request message according to the first reference value and the second reference value.
9. The payment authentication platform according to claim 8, characterized in that it further comprises a registration module, configured to generate a registration application form carrying user registration information and client public key certificate request information that contains the client public key, and to trigger the CA system to sign the client public key in the client public key certificate request information with the CA private key to generate the client public key certificate.
10. The payment authentication platform according to claim 9, characterized in that it further comprises a payment transaction authentication module, configured to apply the user registration information contained in the registration application form to verify the payment password contained in the payment information, the payment information being obtained by decrypting the payment information ciphertext with the data encryption key.
11. The payment authentication platform according to claim 10, characterized in that it further comprises a dispersion module, configured so that the payment authentication platform and the set-top box synchronously apply a dispersion factor to perform a dispersion operation on the data encryption key.
12. A payment authentication system, comprising a set-top box, a CA system and the payment authentication platform according to any one of claims 8 to 11.
CN 200910241838 2009-12-10 2009-12-10 Payment authentication method, platform and system Active CN101719250B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200910241838 CN101719250B (en) 2009-12-10 2009-12-10 Payment authentication method, platform and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200910241838 CN101719250B (en) 2009-12-10 2009-12-10 Payment authentication method, platform and system

Publications (2)

Publication Number Publication Date
CN101719250A true CN101719250A (en) 2010-06-02
CN101719250B CN101719250B (en) 2013-07-24

Family

ID=42433822

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200910241838 Active CN101719250B (en) 2009-12-10 2009-12-10 Payment authentication method, platform and system

Country Status (1)

Country Link
CN (1) CN101719250B (en)

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102184495A (en) * 2011-04-21 2011-09-14 北京天地融科技有限公司 Network payment method and system
CN102411746A (en) * 2010-09-26 2012-04-11 中国移动通信有限公司 Payment confirming method, and apparatus and service platform device for the same
CN102509047A (en) * 2011-11-09 2012-06-20 北京赛科世纪数码科技有限公司 Method and system for verifying program code in set-top box
CN102542451A (en) * 2010-12-24 2012-07-04 北大方正集团有限公司 Electronic paying method, system and device thereof
CN102610045A (en) * 2012-03-22 2012-07-25 瑞达信息安全产业股份有限公司 Trustable mobile payment system and mobile payment method
CN103107881A (en) * 2011-11-11 2013-05-15 中兴通讯股份有限公司 Access method, device and system of smart card
CN103685211A (en) * 2012-09-26 2014-03-26 凤凰云科技(北京)有限公司 Mobile terminal plug-in secure payment authentication device, mobile terminal secure payment authentication system and mobile terminal secure payment authentication method
CN104486356A (en) * 2014-12-29 2015-04-01 芜湖乐锐思信息咨询有限公司 Data transmission method based on internet online tractions
CN104796771A (en) * 2014-01-22 2015-07-22 中国电信股份有限公司 Control downloading method, system and downloading guiding module
CN105308899A (en) * 2013-06-04 2016-02-03 三菱电机株式会社 Data authentication device, and data authentication method
CN105306490A (en) * 2015-11-23 2016-02-03 小米科技有限责任公司 System, method and device for payment verification
CN105704514A (en) * 2014-11-27 2016-06-22 中国电信股份有限公司 Method for payment safety, set top box and system
CN107153961A (en) * 2017-05-18 2017-09-12 努比亚技术有限公司 A kind of method of payment, paying server, trading server and readable storage medium storing program for executing
CN108322310A (en) * 2017-12-28 2018-07-24 天地融科技股份有限公司 It is a kind of to utilize safety equipment Card Reader login method and Security Login System
CN108322439A (en) * 2017-12-28 2018-07-24 天地融科技股份有限公司 It is a kind of to utilize secure device enrollment method and Accreditation System
CN108322440A (en) * 2017-12-28 2018-07-24 天地融科技股份有限公司 It is a kind of to utilize safety equipment Card Reader login method and Security Login System
CN108701301A (en) * 2015-11-23 2018-10-23 万事达卡国际股份有限公司 For verifying the system and method for being directed to the recidivity of payment account and merchandising
CN110291754A (en) * 2017-03-01 2019-09-27 苹果公司 It is accessed using the system of mobile device
CN112001717A (en) * 2020-10-27 2020-11-27 四川泰立科技股份有限公司 Method, system and storage medium for calculating encryption currency of digital television
CN112016928A (en) * 2019-05-31 2020-12-01 华控清交信息科技(北京)有限公司 Payment method and device for payment
CN112597501A (en) * 2020-12-16 2021-04-02 山东可信云信息技术研究院 Data protection method and system under trusted cloud environment
CN112866987A (en) * 2019-11-08 2021-05-28 佛山市云米电器科技有限公司 Networking verification method, equipment and computer readable storage medium
WO2024041261A1 (en) * 2022-08-25 2024-02-29 中交信息技术国家工程实验室有限公司 User identity mutual verification method and system for very high frequency data exchange system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7693797B2 (en) * 2004-06-21 2010-04-06 Nokia Corporation Transaction and payment system security remote authentication/validation of transactions from a transaction provider
CN101395592A (en) * 2006-03-03 2009-03-25 美国唯美安视国际有限公司 Movie studio-based network distribution system and method

Cited By (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102411746A (en) * 2010-09-26 2012-04-11 中国移动通信有限公司 Payment confirming method, and apparatus and service platform device for the same
CN102542451A (en) * 2010-12-24 2012-07-04 北大方正集团有限公司 Electronic paying method, system and device thereof
CN102184495B (en) * 2011-04-21 2016-09-28 天地融科技股份有限公司 Network payment method and system
CN102184495A (en) * 2011-04-21 2011-09-14 北京天地融科技有限公司 Network payment method and system
CN102509047A (en) * 2011-11-09 2012-06-20 北京赛科世纪数码科技有限公司 Method and system for verifying program code in set-top box
CN103107881A (en) * 2011-11-11 2013-05-15 中兴通讯股份有限公司 Access method, device and system of smart card
CN103107881B (en) * 2011-11-11 2017-02-08 中兴通讯股份有限公司 Access method, device and system of smart card
CN102610045A (en) * 2012-03-22 2012-07-25 瑞达信息安全产业股份有限公司 Trustable mobile payment system and mobile payment method
CN103685211A (en) * 2012-09-26 2014-03-26 凤凰云科技(北京)有限公司 Mobile terminal plug-in secure payment authentication device, mobile terminal secure payment authentication system and mobile terminal secure payment authentication method
CN103685211B (en) * 2012-09-26 2017-02-08 凤凰云科技(北京)有限公司 Mobile terminal plug-in secure payment authentication device, mobile terminal secure payment authentication system and mobile terminal secure payment authentication method
CN105308899A (en) * 2013-06-04 2016-02-03 三菱电机株式会社 Data authentication device, and data authentication method
CN104796771B (en) * 2014-01-22 2018-04-06 中国电信股份有限公司 Download control method and system, and download guiding module
CN104796771A (en) * 2014-01-22 2015-07-22 中国电信股份有限公司 Control downloading method, system and downloading guiding module
CN105704514B (en) * 2014-11-27 2018-06-29 中国电信股份有限公司 Method, set-top box and system for implementing secure payment
CN105704514A (en) * 2014-11-27 2016-06-22 中国电信股份有限公司 Method for payment safety, set top box and system
CN104486356A (en) * 2014-12-29 2015-04-01 芜湖乐锐思信息咨询有限公司 Data transmission method based on internet online transactions
CN108701301B (en) * 2015-11-23 2021-08-20 万事达卡国际股份有限公司 System and method for verifying recurring transactions to a payment account
CN105306490A (en) * 2015-11-23 2016-02-03 小米科技有限责任公司 System, method and device for payment verification
CN105306490B (en) * 2015-11-23 2018-04-24 小米科技有限责任公司 Payment verifying system, method and device
US11797989B2 (en) 2015-11-23 2023-10-24 Mastercard International Incorporated Systems and methods for use in verifying recurring transactions to payment accounts
CN108701301A (en) * 2015-11-23 2018-10-23 万事达卡国际股份有限公司 System and method for verifying recurring transactions to a payment account
US11888594B2 (en) 2017-03-01 2024-01-30 Apple Inc. System access using a mobile device
CN110291754A (en) * 2017-03-01 2019-09-27 苹果公司 System access using mobile devices
CN110291754B (en) * 2017-03-01 2022-02-15 苹果公司 System access using mobile devices
CN107153961A (en) * 2017-05-18 2017-09-12 努比亚技术有限公司 Payment method, payment server, transaction server and readable storage medium
CN107153961B (en) * 2017-05-18 2020-11-13 努比亚技术有限公司 Payment method, payment server, transaction server and readable storage medium
CN108322439A (en) * 2017-12-28 2018-07-24 天地融科技股份有限公司 Registration method and registration system by using security equipment
CN108322440B (en) * 2017-12-28 2020-12-11 天地融科技股份有限公司 Card reading login method and security login system by using security equipment
CN108322439B (en) * 2017-12-28 2020-12-15 天地融科技股份有限公司 Registration method and registration system by using security equipment
CN108322440A (en) * 2017-12-28 2018-07-24 天地融科技股份有限公司 Card reading login method and security login system by using security equipment
CN108322310A (en) * 2017-12-28 2018-07-24 天地融科技股份有限公司 Card reading login method and security login system by using security equipment
CN112016928A (en) * 2019-05-31 2020-12-01 华控清交信息科技(北京)有限公司 Payment method and device for payment
CN112016928B (en) * 2019-05-31 2024-01-16 华控清交信息科技(北京)有限公司 Payment method and device and payment device
CN112866987A (en) * 2019-11-08 2021-05-28 佛山市云米电器科技有限公司 Networking verification method, equipment and computer readable storage medium
CN112866987B (en) * 2019-11-08 2023-08-04 佛山市云米电器科技有限公司 Networking verification method, networking verification device and computer readable storage medium
CN112001717A (en) * 2020-10-27 2020-11-27 四川泰立科技股份有限公司 Method, system and storage medium for calculating encryption currency of digital television
CN112597501A (en) * 2020-12-16 2021-04-02 山东可信云信息技术研究院 Data protection method and system under trusted cloud environment
WO2024041261A1 (en) * 2022-08-25 2024-02-29 中交信息技术国家工程实验室有限公司 User identity mutual verification method and system for very high frequency data exchange system

Also Published As

Publication number Publication date
CN101719250B (en) 2013-07-24

Similar Documents

Publication Publication Date Title
CN101719250B (en) Payment authentication method, platform and system
CN111970129B (en) Data processing method and device based on block chain and readable storage medium
CN102609841B (en) Remote mobile payment system based on digital certificate and payment method
CN101222333B (en) Data transaction processing method and apparatus
CN101848090B (en) Authentication device and system and method using same for on-line identity authentication and transaction
CN101842795B (en) System, method and apparatus for interacting with dynamic security
KR20120017044A (en) System and method for personal certification using a mobile device
CN103107996A (en) On-line download method and system of digital certificate and digital certificate issuing platform
CN101226616A (en) Payment server of webs, payment platform as well as payment method and system of webs
CN101216923A (en) A system and method to enhance the data security of e-bank dealings
CN101409621B (en) Multipart identification authentication method and system based on equipment
TWI591553B (en) Systems and methods for mobile devices to trade financial documents
CN103020825A (en) Safety payment authentication method based on software client
EP2127199A2 (en) Method and device for mutual authentication
CN102238193A (en) Data authentication method and system using same
CN102710611A (en) Network security authentication method and system
CN104883367A (en) Method for auxiliary verification login, system, and application client
CN104182876A (en) Secure payment trading method and secure payment trading system
CN111461799B (en) Data processing method, data processing device, computer equipment and medium
CN112905979A (en) Electronic signature authorization method and device, storage medium and electronic device
CN112073196A (en) Service data processing method and device, electronic equipment and storage medium
CN114390524B (en) Method and device for realizing one-key login service
CN107609878A (en) Safety authentication method and system for shared automobiles
CN102208980A (en) Communication method and system
CN102006567B (en) Push-message processing method and system and equipment for implementing push-message processing method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant