CN102184354A - Method for preventing data from being falsified and hijacked in online payment - Google Patents

Info

Publication number: CN102184354A
Authority: CN (China)
Prior art keywords: user; transaction data; payment; key; application software
Legal status: Pending
Application number: CN2011100841959A
Other languages: Chinese (zh)
Inventor: 方园
Current Assignee: Individual
Original Assignee: Individual
Application filed by: Individual
Priority to: CN2011100841959A
Publication of: CN102184354A

Abstract

The invention discloses a method for preventing data from being falsified and hijacked in online payment. The method comprises the following steps that: 1, a user is required by payment application software to provide user characteristic information such as user relevant characteristic questions, key-stroking frequency and a handwritten signature, wherein the information is used for distinguishing whether the transaction data of the user is initiated by the payment application software or falsified by a malicious program so as to prevent the transaction data from being falsified by the malicious program; and 2, the transaction data is encrypted and transmitted between the payment application software and terminal hardware so as to prevent the key transaction data from being falsified and hijacked by the malicious program. The method solves the problem that malicious software on a general computing platform falsifies and hijacks the online payment transaction data, and is relatively effective for the terminal hardware without a display screen or an acknowledgement button.

Description

A method for preventing data from being forged and hijacked in online payment
Technical field
The present invention relates to the field of data security for online payment, and in particular to a method for preventing data from being forged and hijacked in online payment.
Background
Online payment generally uses the Internet and general-purpose computing platforms such as PCs and mobile phones. Because the Internet connection and the general-purpose computing platform itself are open, such platforms face many security threats, such as viruses, Trojans and other malicious programs. A malicious program can steal a static password typed on the keyboard and use it to make malicious payments, or it can tamper with key transaction data, for example by replacing the destination account number and account name of a customer's transfer, to make an illegal profit.
Patent publication CN101267311A discloses a method, device and system for preventing online banking data from being hijacked. When the online banking server displays the confirmation information, it shows the key business data as an image and requires the user to enter the digits in the image to confirm. A Trojan can easily recognise and tamper with key business data in text form but has difficulty recognising an image, so this greatly reduces the possibility that key business data is recognised and tampered with on the client by Trojans and other malicious programs. The problem is that if a malicious program copies the image from the screen and sends it to hired personnel, who need no professional skill to read it, the data is still recognised and a forged transaction can still deceive the online banking server.
Patent publication CN1556449A discloses a method of encrypting and authenticating online banking data with a USBKey. A digital certificate for the user is first generated from the user's information and stored in the USBKey issued to that user. When the user logs in to online banking to process data, the USBKey is used to confirm the user's identity or to produce a digital signature. Because each USBKey has a unique serial number, the private key cannot leave its memory, and an online transaction proceeds only after the user's identity has been confirmed, this prevents a malicious program from impersonating the user to make malicious payments and also prevents transaction data from being maliciously tampered with in transit.
Methods of this kind, which encrypt and authenticate transaction data using terminal hardware, are used in many payment schemes, for example smart-card-based payment in mobile payment. Two problems remain, however: 1. a malicious program on the general-purpose computing platform can, without the user's knowledge, illegally invoke the terminal hardware to carry out a forged transaction; 2. a malicious program on the general-purpose computing platform can, without the user's knowledge, hijack and then tamper with the transaction data the user submits.
Patent publication CN101183456A discloses a USBKey encryption device and a system and method for encryption and authentication using that device. The USBKey device includes a display screen; when the device is used for a digital signature, it shows the information to be signed on the screen. The device also includes one or more buttons for operations such as confirming or cancelling the information to be signed. This prevents Trojans and other malicious programs from forging or hijacking transaction data. Apart from problems such as inconsistency between the information to be signed and the information the user actually cares about, the biggest shortcoming of this kind of method is that it cannot work on terminals that have no display screen and confirmation button. A large number of such terminals exist at present, so in practice the method cannot prevent online payment transaction data from being hijacked.
Summary of the invention
To overcome the problem of malware on a general-purpose computing platform forging and hijacking online payment transaction data, a method is proposed in which the payment application on the general-purpose computing platform requires the user to provide user characteristic information, and transaction data is transmitted in encrypted form between the payment application software and the terminal hardware, so as to prevent online payment transaction data from being forged and hijacked.
The technical solution adopted by the invention applies to an online payment system in which the payment application software on the general-purpose computing platform interacts with the user to generate transaction data, and the terminal hardware encrypts or signs the transaction data to protect the transaction. It is based on the following two main steps. First, the payment application software requires the user to provide user characteristic information, such as answers to user-related characteristic questions, keystroke frequency or a handwritten signature, to distinguish whether the transaction data was initiated by the user through the payment application software or forged by a malicious program; this prevents malicious programs from forging transaction data. Second, transaction data is transmitted in encrypted form between the payment application software and the terminal hardware; this prevents malicious programs from hijacking and tampering with key transaction data.
One refinement of the invention is to require the user to answer, in the payment application software interface, a question supplied by the background system about basic information the user has registered, such as position N of the user's identity card number, to distinguish whether the transaction data comes from the user or from a malicious program.
One refinement of the invention is to require the user to type, in the payment application software interface, a combination of letters and digits supplied by the background payment system, and to extract the user's keystroke pattern features, to distinguish whether the transaction data comes from the user or from a malicious program.
One refinement of the invention is to require the user to handwrite, in the payment application software interface, a combination of several words supplied by the background payment system, to distinguish whether the transaction data comes from the user or from a malicious program.
One refinement of the invention is that the encryption key agreement between the terminal hardware and the payment application software is based on the public/private key pair and certificate of the terminal hardware. It comprises the following steps:
1) The terminal hardware provides its own terminal certificate, which contains its public key, to the payment application software.
2) The payment application software verifies whether the terminal certificate is valid. If it is valid, the software encrypts a dynamic key with the certificate's public key, then encrypts the transaction data and user characteristic information with the dynamic key, and sends the encrypted dynamic key, transaction data and user characteristic information to the terminal hardware.
3) The terminal hardware decrypts the dynamic key with its own private key, then uses the dynamic key to decrypt and obtain the transaction data and user characteristic information. The terminal hardware encrypts and integrity-protects the transaction data and user characteristic information and sends them to the background system.
One refinement of the invention is that the encryption key between the terminal hardware and the payment client software can also be obtained by the payment client software requesting it from the background payment system; this dynamic key is diversified from the terminal key shared by the terminal hardware and the background payment system. It comprises the following steps:
1) The payment application software sends terminal hardware information, such as the unique terminal number, to the background payment system and requests a dynamic key.
2) The background payment system sends the dynamic key to the payment application software; this dynamic key is diversified from the terminal key shared by the terminal hardware and the background payment system.
3) The payment application software encrypts the transaction data and user characteristic information with this dynamic key, and sends the dynamic key, transaction data and user characteristic information after encryption to the terminal hardware.
4) The terminal hardware computes the dynamic key, then decrypts with it to obtain the transaction data and user characteristic information. The terminal hardware encrypts and integrity-protects the transaction data and user characteristic information and sends them to the background payment system.
The beneficial effect of the invention is that it proposes a method for preventing online payment transaction data from being hijacked: the payment application software requires the user to provide user characteristic information, and transaction data is transmitted in encrypted form between the payment application software and the terminal hardware, preventing malicious programs from forging transaction data or hijacking and tampering with it. The method is relatively effective for the many existing terminal hardware devices that have no display screen and confirmation button.
Description of drawings
The utility model is further described below with reference to the drawings and embodiments.
Fig. 1 is a schematic block diagram of the payment system to which the method applies.
Fig. 2 is a flowchart of specific embodiment one of the method.
Fig. 3 is a flowchart of specific embodiment two of the method.
Embodiment one
The method for preventing transaction data from being forged and hijacked is described below using the fairly common application of online banking. As shown in Fig. 1, 101 is the terminal hardware, which in this embodiment is a USBKey without a display screen or confirmation button; 102 is the payment application software, which in this embodiment is the online banking client running on a PC; 103 is the payment background server, which in this embodiment is the online banking background system.
Step 201: The user operates the online banking client software, for example selecting an account and generating the specific content of a transfer transaction, and then inserts the USBKey when the online banking client prompts for it.
Step 202: The online banking client sends the unique terminal number of the USBKey and the characteristic information of the PC to the online banking background system.
Step 203: The online banking background system designs a combination of letters and digits according to the user corresponding to the USBKey and the PC currently in use, and sends it to the online banking client.
Step 204: The user types this combination of letters and digits as prompted by the online banking client.
Step 205: The online banking client software extracts the keystroke characteristic information, generates a dynamic key according to the transaction data, and encrypts the transaction data and the keystroke characteristic information with this dynamic key. It obtains the public key certificate of the USBKey, encrypts the dynamic key with the USBKey's public key, and then sends the encrypted dynamic key, transaction information and keystroke characteristic information to the USBKey.
Step 206: The USBKey decrypts with the private key it stores to obtain the dynamic key, then decrypts with the dynamic key to obtain the transaction information and keystroke characteristic information, encrypts or signs them with its own private key, and sends them to the online banking background system.
Step 207: The online banking background system verifies the keystroke characteristic information and judges the likelihood that the transaction data comes from the user. If the likelihood is higher than the risk-control threshold, the transaction is processed normally; otherwise the transaction is refused.
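
The backend check in step 207 can be sketched as follows. This is an added example, not code from the patent, which does not specify a scoring algorithm: the per-digraph z-score model, the threshold value, the function names and the enrolled timings are all assumptions constructed for illustration.

```python
import statistics

# Constructed enrollment data: for each digraph (pair of consecutive characters),
# the inter-key latencies in milliseconds seen in earlier verified sessions.
ENROLLED = {
    "a7": [182, 175, 190, 178],
    "7k": [240, 255, 232, 248],
    "k2": [151, 160, 148, 155],
    "2m": [305, 290, 318, 299],
    "m9": [198, 210, 187, 204],
}
RISK_THRESHOLD = 0.5  # hypothetical value for the step 207 risk-control threshold
MIN_STDEV_MS = 5.0    # floor so a very consistent typist is not over-penalised


def digraphs(challenge):
    """Split the step 203 challenge string into consecutive character pairs."""
    return [challenge[i:i + 2] for i in range(len(challenge) - 1)]


def likelihood_from_user(challenge, latencies, enrolled=ENROLLED):
    """Score in [0, 1]: close to 1 when the timing matches the enrolled profile."""
    pairs = digraphs(challenge)
    if not pairs or len(latencies) != len(pairs):
        return 0.0  # wrong number of keystrokes for the issued challenge
    total_z = 0.0
    for pair, observed in zip(pairs, latencies):
        history = enrolled.get(pair)
        if not history or len(history) < 2:
            return 0.0  # the challenge must be built from enrolled digraphs
        mean = statistics.mean(history)
        stdev = max(statistics.stdev(history), MIN_STDEV_MS)
        total_z += abs(observed - mean) / stdev
    mean_z = total_z / len(pairs)
    return 1.0 / (1.0 + (mean_z / 3.0) ** 2)


def decide(challenge, latencies, threshold=RISK_THRESHOLD):
    """Step 207: process the transaction only above the risk-control threshold."""
    score = likelihood_from_user(challenge, latencies)
    return "process" if score > threshold else "refuse"


# Constructed samples for the challenge "a7k2m9".
GENUINE = [180, 245, 150, 300, 200]      # close to the enrolled timings
MACHINE_PACED = [20, 20, 20, 20, 20]     # evenly spaced, not typed by the user
OTHER_TYPIST = [320, 140, 260, 180, 330]

if __name__ == "__main__":
    for name, sample in [("genuine", GENUINE), ("machine-paced", MACHINE_PACED),
                         ("other typist", OTHER_TYPIST)]:
        print(name, round(likelihood_from_user("a7k2m9", sample), 3),
              decide("a7k2m9", sample))
```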
Embodiment two
The method for preventing transaction data from being forged and hijacked is described below using the fairly common application of smart-card-based mobile phone payment. As shown in Fig. 1, 101 is the terminal hardware, which in this embodiment is a smart card without a display screen or confirmation button and with a certain computing capability; 102 is the payment application software, which in this embodiment is the mobile payment client running on a mobile phone; 103 is the payment background server, which in this embodiment is the mobile payment background system. The smart card and the mobile payment background system share a symmetric key.
Step 301: The user selects goods and an account in the mobile payment client software to generate the transaction data.
Step 302: The mobile payment client sends the unique terminal number of the smart card to the payment background system.
Step 303: The mobile payment background system produces a random user question according to the user corresponding to the unique terminal number, generates a random number, and uses the random number to diversify a dynamic key from the symmetric key shared between the smart card and the payment background system. It sends the dynamic key, the random number and the user characteristic question to the mobile payment client over the secure channel between the mobile payment client and the mobile payment background system.
Step 304: The mobile payment client prompts the user to answer the user characteristic question, encrypts the transaction data and the answer with the dynamic key it received, appends the random number, and sends them to the smart card.
Step 305: The smart card generates the dynamic key from the shared key it stores and the random number using a fixed algorithm, then decrypts with the dynamic key to obtain the transaction data and the answer. It encrypts and integrity-protects the transaction data and the answer and sends them to the mobile payment background system.
Step 306: The mobile payment background system verifies whether the answer is correct in order to judge the likelihood that the transaction data comes from the user. If the likelihood is higher than the risk-control threshold, the transaction is processed normally; otherwise the transaction is refused.
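
The key-diversification exchange of steps 303 to 306, which is also the second key-agreement variant in the summary, is shown below with all three parties. This is an added example, not code from the patent: HMAC-SHA256 as the diversification function, the HMAC-based encrypt-then-MAC construction (a standard-library stand-in for an AEAD cipher), the one-attempt-per-question rule, and every name and sample value are assumptions.

```python
import hashlib
import hmac
import json
import os

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def diversify(shared_key, nonce):
    """Steps 303 and 305: dynamic key from the shared key and the random number.
    Assumption: HMAC-SHA256 stands in for the patent's unspecified fixed algorithm."""
    return _mac(shared_key, b"dynamic-key|" + nonce)

def _xor(enc_key, iv, data):
    blocks = len(data) // 32 + 1
    stream = b"".join(_mac(enc_key, iv + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC built from HMAC-SHA256 (stand-in for an AEAD cipher)."""
    iv = os.urandom(16)
    ct = _xor(_mac(key, b"enc"), iv, plaintext)
    return iv + ct + _mac(_mac(key, b"mac"), iv + ct)

def unseal(key, blob):
    """Check the tag first; raise ValueError if the message was altered."""
    if len(blob) < 48:
        raise ValueError("message too short")
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), iv + ct)):
        raise ValueError("integrity check failed")
    return _xor(_mac(key, b"enc"), iv, ct)

class Backend:
    def __init__(self, terminal_keys, questions):
        self.terminal_keys = terminal_keys  # terminal number -> shared symmetric key
        self.questions = questions          # terminal number -> (question, answer)
        self.pending = set()                # terminals with an outstanding question

    def issue(self, terminal_id):
        """Step 303: return (dynamic key, random number, question) for the client."""
        nonce = os.urandom(16)
        self.pending.add(terminal_id)
        return (diversify(self.terminal_keys[terminal_id], nonce), nonce,
                self.questions[terminal_id][0])

    def verify(self, terminal_id, blob):
        """Step 306: return the transaction if the answer is correct, else None."""
        if terminal_id not in self.pending:
            return None
        self.pending.discard(terminal_id)   # assumption: one attempt per question
        try:
            msg = json.loads(unseal(self.terminal_keys[terminal_id], blob))
        except ValueError:
            return None
        expected = self.questions[terminal_id][1].encode()
        ok = hmac.compare_digest(str(msg.get("answer", "")).encode(), expected)
        return msg.get("txn") if ok else None

def client_submit(dynamic_key, nonce, txn, answer):
    """Step 304: encrypt transaction and answer, attach the random number."""
    return seal(dynamic_key, json.dumps({"txn": txn, "answer": answer}).encode()), nonce

def card_forward(shared_key, blob, nonce):
    """Step 305: re-derive the key, decrypt, then protect the data for the backend.
    Assumption: the card-to-backend leg is sealed under the shared key."""
    body = unseal(diversify(shared_key, nonce), blob)  # ValueError if tampered
    return seal(shared_key, body)

def demo():
    """Run one transaction with a constructed terminal number, key and question."""
    key = bytes(range(32))
    backend = Backend({"T-0001": key}, {"T-0001": ("Position 5 of your ID number?", "7")})
    dyn, nonce, _ = backend.issue("T-0001")
    txn = {"to": "6222-0000", "amount": "100.00"}
    blob, nonce = client_submit(dyn, nonce, txn, "7")
    return backend.verify("T-0001", card_forward(key, blob, nonce))
```

A message altered between the payment client and the card fails the tag check inside `card_forward`, so the card never forwards it.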

Claims (6)

1. A method for preventing data from being forged and hijacked in online payment, characterized in that it comprises the following two main steps:
A. the payment application software requires the user to provide user characteristic information, such as answers to user-related characteristic questions, keystroke frequency or a handwritten signature, to distinguish whether the transaction data was initiated by the user through the payment application software or forged by a malicious program, preventing malicious programs from forging transaction data;
B. transaction data is transmitted in encrypted form between the payment application software and the terminal hardware, preventing malicious programs from hijacking and tampering with key transaction data.
2. The method according to claim 1, characterized in that step A further comprises: requiring the user to answer, in the payment application software interface, a question supplied by the background system about basic information the user has registered, such as position N of the user's identity card number, to distinguish whether the transaction data comes from the user or from a malicious program.
3. The method according to claim 1, characterized in that step A further comprises: requiring the user to type, in the payment application software interface, a combination of letters and digits supplied by the background payment system, and extracting the user's keystroke pattern features, to distinguish whether the transaction data comes from the user or from a malicious program.
4. The method according to claim 1, characterized in that step A further comprises: requiring the user to handwrite, in the payment application software interface, a combination of several words supplied by the background payment system, to distinguish whether the transaction data comes from the user or from a malicious program.
5. The method according to claim 1, characterized in that step B further comprises: the encryption key agreement between the terminal hardware and the payment application software is based on the public/private key pair and certificate of the terminal hardware, and comprises the following steps:
1) The terminal hardware provides its own terminal certificate, which contains its public key, to the payment application software.
2) The payment application software verifies whether the terminal certificate is valid. If it is valid, the software encrypts a dynamic key with the certificate's public key, then encrypts the transaction data and user characteristic information with the dynamic key, and sends the encrypted dynamic key, transaction data and user characteristic information to the terminal hardware.
3) The terminal hardware decrypts the dynamic key with its own private key, then uses the dynamic key to decrypt and obtain the transaction data and user characteristic information. The terminal hardware encrypts and integrity-protects the transaction data and user characteristic information and sends them to the background system.
6. The method according to claim 1, characterized in that step B further comprises: the encryption key between the terminal hardware and the payment client software can also be obtained by the payment client software requesting it from the background payment system; this dynamic key is diversified from the terminal key shared by the terminal hardware and the background payment system, and the method comprises the following steps:
1) The payment application software sends terminal hardware information, such as the unique terminal number, to the background payment system and requests a dynamic key.
2) The background payment system sends the dynamic key to the payment application software; this dynamic key is diversified from the terminal key shared by the terminal hardware and the background payment system.
3) The payment application software encrypts the transaction data and user characteristic information with this dynamic key, and sends the dynamic key, transaction data and user characteristic information after encryption to the terminal hardware.
4) The terminal hardware computes the dynamic key, then decrypts with it to obtain the transaction data and user characteristic information. The terminal hardware encrypts and integrity-protects the transaction data and user characteristic information and sends them to the background payment system.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011100841959A CN102184354A (en) 2011-04-02 2011-04-02 Method for preventing data from being falsified and hijacked in online payment

Publications (1)

Publication Number Publication Date
CN102184354A true CN102184354A (en) 2011-09-14

Family

ID=44570529

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011100841959A Pending CN102184354A (en) 2011-04-02 2011-04-02 Method for preventing data from being falsified and hijacked in online payment

Country Status (1)

Country Link
CN (1) CN102184354A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20110914