CN103220148B - The method of electronic signature token operation response request, system and electronic signature token - Google Patents
The method of electronic signature token operation response request, system and electronic signature token Download PDFInfo
- Publication number
- CN103220148B CN103220148B CN201310114431.6A CN201310114431A CN103220148B CN 103220148 B CN103220148 B CN 103220148B CN 201310114431 A CN201310114431 A CN 201310114431A CN 103220148 B CN103220148 B CN 103220148B
- Authority
- CN
- China
- Prior art keywords
- electronic signature
- signature token
- response
- system server
- background system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
Abstract
The invention provides the method for a kind of electronic signature token operation response request, system and electronic signature token, wherein method comprises: steps A, electronic signature token perform the flow process that comes into force; Step B, electronic signature token perform activation process; Step C, electronic signature token perform first Application flow process, electronic signature token according to the operation requests received, the action type corresponding to determination operation request and/or operate rank; The strategy that electronic signature token uses according to action type and/or the request of operation rank determination operation response; Electronic signature token is according to the policy response operation requests obtained.The invention provides the method for a kind of electronic signature token operation response request, system and electronic signature token, ensure that electronic signature token is under offline condition, still can realize banking by dynamic password CMOS macro cell dynamic password; The business realized is classified and classification simultaneously, improve the fail safe of business realizing.
Description
Technical field
The present invention relates to a kind of electronic technology field, particularly relate to the method for a kind of electronic signature token operation response request, system and electronic signature token.
Background technology
The existing electronic signature token being applied to bank, comprise the signature devices such as U shield, UKey, it only comprises the function of electronic signature, and electronic signature token needs to be connected with terminal by USB interface or other interfaces, just can realize object signed data being sent to bank, thus complete the related service that bank provides, such as to transfer accounts, transaction etc.
And user when it come to arrives electronic signature token when using when off line, then cannot complete related service.Such as: when user uses Mobile banking, mobile phone does not provide the interface of access electronic signature token, now, user cannot complete related service; When user uses ATM, because ATM does not provide the interface of access electronic signature token, user cannot complete related service equally; When the user holding electronic signature token acts on behalf of execution related service by other people, owing to holding the user of electronic signature token not in terminal, agent does not have electronic signature token, and electronic signature token cannot be connected with terminal, thus cannot related service be performed, but electronic signature token is given agent by the user holding electronic signature token, then cannot learn that agent specifically performs how many business, causes unsafe hidden danger.
Therefore, although existing electronic signature token can ensure the safety of business realizing, can not off line use.
Summary of the invention
The present invention be intended to solve electronic signature token can not off line use problem/one of.
Main purpose of the present invention is the method providing the request of a kind of electronic signature token operation response;
Another object of the present invention is to provide a kind of electronic signature token;
Another object of the present invention is the system providing the request of a kind of electronic signature token operation response.
For achieving the above object, technical scheme of the present invention is specifically achieved in that
One aspect of the present invention provides the method for a kind of electronic signature token operation response request, comprise the steps: that steps A, electronic signature token perform the flow process that comes into force, comprise the steps: that described electronic signature token receives open command, perform open operation according to described open command;
Described electronic signature token obtains validation request instruction, and obtains validation request code according to described validation request instruction;
Described electronic signature token at least generates validation request information according to described validation request code; Described electronic signature token utilizes the private key of described electronic signature token to sign to described validation request information, generates the first signed data; Described electronic signature token, after described first signed data of generation, generates the first request data package according to described first signed data and described validation request information; Described first request data package, after generation first request data package, is sent to background system server by described electronic signature token; Described background system server, after receiving described first request data package, obtains described first signed data and described validation request information from described first request data package received; Described background system server utilizes the PKI corresponding with the private key of described electronic signature token to verify described first signed data; Described background system server after described first signed data passes through in checking, at least obtains described validation request code from described validation request information, at least to come into force feedback information according to described validation request code; Described background system server utilizes the PKI corresponding with the private key of described electronic signature token to be encrypted the described feedback information that comes into force, and obtains the feedback data packet that comes into force, and the described feedback data packet that comes into force is sent to described electronic signature token; Come into force described in described electronic signature token receives feedback data packet, and utilize the private key of described electronic signature token to be decrypted the described feedback data packet that comes into force, obtain the feedback information that comes into force, come into force described in preservation feedback information; Described electronic signature token generates the first response data packet, and described first response data packet is sent to described background system server; After described background system server receives described first response data packet, respond the operation that comes into force; Step B, electronic signature token perform activation process, comprise the steps: that described electronic signature token receives activation request instruction, and obtain activation request code according to described activation request instruction; Described electronic signature token utilizes the private key of described electronic signature token to sign to described activation request code, generates the second signed data, and generates the second request data package according to described activation request code and described second signed data; Described second request data package, after described second request data package of generation, is sent to background system server by described electronic signature token; After described background system server receives described second request data package, from the second request data package, obtain described activation request code and described second signed data, and utilize the PKI corresponding with described electronic signature token private key to verify described second signed data; Described background system server, after described second signed data of checking passes through, generates active coding according to described activation request code; After described background system server generates described active coding, utilize the PKI corresponding with described electronic signature token private key to be encrypted described active coding, obtain ciphering activation code, and ciphering activation code is sent to described electronic signature token; After described electronic signature token receives described ciphering activation code, the private key of described electronic signature token is utilized to obtain the active coding after deciphering to described ciphering activation code deciphering; Described electronic signature token is verified the active coding after described deciphering; Described electronic signature token generates the second response data packet after being verified the active coding after described deciphering, and described second response data packet is sent to described background system server; After described background system server receives described second response data packet, response activation manipulation; Step C, electronic signature token perform first Application flow process, comprise the steps: that described electronic signature token is according to the operation requests received, and determine the action type corresponding to described operation requests and/or operation rank; Described electronic signature token determines to respond according to described action type and/or operation rank the strategy that described operation requests uses; Described electronic signature token is operation requests according to the policy response obtained.
In addition, the step that described electronic signature token at least generates validation request information according to described validation request code comprises: the classification setting table of the corresponding described action type of described electronic signature token acquisition and other classification of the described operation level of correspondence arrange at least one table in table; Described electronic signature token shows according at least one setting in table of the classification setting table got and classification and described validation request code generates validation request information; Described background system server is after described first signed data of checking passes through, at least from described validation request information, obtain described validation request code, at least comprise according to the come into force step of feedback information of described validation request code: described background system server, after described first signed data of checking passes through, obtains classification setting table and classification and arranges at least one table and described validation request code in table from described validation request information; Described background system server is at least shown according at least one setting in table of classification setting table and classification and the feedback information that comes into force described in the generation of described validation request code.
In addition, the feedback information that comes into force described in comprises: described classification setting table and described classification arrange the mapping relations of at least one table and each table correspondence in table; Wherein: the mapping relations of described classification setting table are the mapping relations of action type in described classification setting table and key seed, and key seed corresponding to any two action types is different between two; The mapping relations that described classification arranges table are the mapping relations that described classification arranges operation rank in table and event factor, and event factor corresponding to any two operation ranks are different between two.
In addition, described electronic signature token determines to respond according to described action type and/or operation rank the strategy that described operation requests uses, the step of described electronic signature token operation requests according to the policy response obtained comprises: described electronic signature token is according to described action type, determine and the key seed that described action type is mated, at least generate dynamic password value according to described key seed and default event factor; Or described electronic signature token is according to described operation rank, determine and the event factor that described operation rank is mated, at least generate dynamic password value according to the key seed preset and described event factor; Or described electronic signature token is according to described action type, determine and the key seed that described action type is mated, according to described operation rank, determine and the event factor that described operation rank is mated, at least generate dynamic password value according to described key seed and described event factor.
In addition, the described step at least generating dynamic password value according to described key seed and the event factor preset comprises: described electronic signature token obtains challenge code; Described electronic signature token generates dynamic password value according to the described challenge code got and described key seed with the event factor preset; The step that the key seed that described at least basis is preset and described event factor generate dynamic password value comprises: described electronic signature token obtains challenge code; Described electronic signature token generates dynamic password value according to the described challenge code got and default key seed and described event factor; The described step at least generating dynamic password value according to described key seed and described event factor comprises: described electronic signature token obtains challenge code; Described electronic signature token generates dynamic password value according to the described challenge code got and described key seed and described event factor.
In addition, after described electronic signature token operation requests according to the policy response obtained, described method also comprises: described electronic signature token upgrades the event factor be kept in described electronic signature token; Described background system server verifies described dynamic password value after receiving the described dynamic password value of input, and after being verified, upgrades the event factor be kept in described background system server.
In addition, described electronic signature token generates the first response data packet, and the step that described first response data packet is sent to described background system server is comprised: described electronic signature token generates the first response message, utilize the private key of described electronic signature token to sign to the first response message, obtain the first response signed data; Described electronic signature token, after the described first response signed data of generation, generates the first response data packet according to described first response signed data and described first response message; Described first response data packet, after generation first response data packet, is sent to background system server by described electronic signature token; After described background system server receives described first response data packet, the step responding the operation that comes into force comprises: after described background system server receives the first response data packet, obtains described first response signed data and described first response message according to the first response data packet; Described background system server utilizes the PKI corresponding with the private key of described electronic signature token to respond signed data to described first and verifies, and after being verified, responds according to described first response message the operation that comes into force.
In addition, after described electronic signature token is verified the active coding after described deciphering, generate the second response data packet, and the step that described second response data packet is sent to described background system server is comprised: after described electronic signature token is verified the active coding after described deciphering, described electronic signature token generates the second response message, utilize the private key of described electronic signature token to sign to the second response message, obtain the second response signed data; Described electronic signature token, after the described second response signed data of generation, generates the second response data packet according to described second response signed data and described second response message; Described second response data packet, after generation second response data packet, is sent to background system server by described electronic signature token; After described background system server receives described second response data packet, the step of response activation manipulation comprises: after described background system server receives the second response data packet, obtains described second response signed data and described second response message according to the second response data packet; Described background system server utilizes the PKI corresponding with the private key of described electronic signature token to respond signed data to described second and verifies, and after being verified, according to described second response message response activation manipulation.
In addition, described electronic signature token comprises the step that the active coding after described deciphering is verified: after the active coding of described electronic signature token after receiving described deciphering, utilizes the activation identifying code generating algorithm of described electronic signature token to generate and activates identifying code; Active coding after deciphering described in described electronic signature token comparison and described activation identifying code, verify the active coding after described deciphering; Or when described ciphering activation code is sent to described electronic signature token by described background system server together with described active coding, described electronic signature token is decrypted described ciphering activation code according to the private key of electronic signature token, obtain the active coding after deciphering, the described active coding that active coding after deciphering described in comparison and described background system server are sent, verifies the active coding after described deciphering.
In addition, described electronic signature token again performs application flow and comprises the steps: that described electronic signature token receives open command, performs open operation according to described open command; Described electronic signature token, after open operation, performs the flow process of described step C.
In addition, described electronic signature token receives open command, and the step performing open operation according to described open command comprises: described electronic signature token receives start-up command, performs power-on operation according to described start-up command; After powering, what receive outside input enters dynamic password mode instruction to described electronic signature token, enters dynamic password mode instruction, enter dynamic password pattern according to described.
In addition, described method also comprises: step D, electronic signature token perform synchronous flow process, comprises the steps: that described electronic signature token obtains synchronization request instruction, and obtains synchronization request code according to described synchronization request instruction; Described electronic signature token at least generates synchronization request information according to described synchronization request code; Described electronic signature token utilizes the private key of described electronic signature token to sign to described synchronization request information, generates the 3rd signed data; Described electronic signature token, after described 3rd signed data of generation, generates the 3rd request data package according to described 3rd signed data and described synchronization request information; Described 3rd request data package, after generation the 3rd request data package, is sent to background system server by described electronic signature token; Described background system server, after receiving described 3rd request data package, obtains described 3rd signed data and described synchronization request information from described 3rd request data package received; Described background system server utilizes the PKI corresponding with the private key of described electronic signature token to verify described 3rd signed data; Described background system server, after described 3rd signed data of checking passes through, at least obtains described synchronization request code from described synchronization request information, at least generates synchro feedback information according to described synchronization request code; Described background system server utilizes the PKI corresponding with the private key of described electronic signature token to be encrypted described synchro feedback information, obtains synchronous feedback packet, and by described synchronous feedback Packet Generation to described electronic signature token; Described electronic signature token receives described synchronous feedback packet, utilizes the private key of described electronic signature token to be decrypted described synchronous feedback packet, obtains synchro feedback information, preserves described synchro feedback information; Described electronic signature token generates the 3rd response data packet, and described 3rd response data packet is sent to described background system server; After described background system server receives described 3rd response data packet, response simultaneous operation.
In addition, described electronic signature token generates the 3rd response data packet, and the step that described 3rd response data packet is sent to described background system server is comprised: described electronic signature token generates the 3rd response message, utilize the private key of described electronic signature token to sign to the 3rd response message, obtain the 3rd response signed data; Described electronic signature token, after the described 3rd response signed data of generation, generates the 3rd response data packet according to described 3rd response signed data and described 3rd response message; Described 3rd response data packet, after generation the 3rd response data packet, is sent to background system server by described electronic signature token; After described background system server receives described 3rd response data packet, the step of response simultaneous operation comprises: after described background system server receives the 3rd response data packet, obtains described 3rd response signed data and described 3rd response message according to the 3rd response data packet; Described background system server utilizes the PKI corresponding with the private key of described electronic signature token to respond signed data to the described 3rd and verifies, and after being verified, according to described 3rd response message response simultaneous operation.
The present invention provides a kind of electronic signature token on the other hand, comprising: input module, dynamic password generation module, signature blocks, transport module, memory module and authentication module; Wherein: described input module receives open command, obtain validation request instruction, receive activation request instruction, receive operation requests; Described dynamic password generation module performs open operation according to described open command, obtains validation request code according to described validation request instruction, at least generates validation request information according to described validation request code; Activation request code is obtained according to described activation request instruction; According to the operation requests received, determine the action type corresponding to described operation requests and/or operation rank, determine to respond according to described action type and/or operation rank the strategy that described operation requests uses, operation requests according to the policy response obtained; Described signature blocks utilizes the private key of described electronic signature token to sign to described validation request information, generate the first signed data, after described first signed data of generation, generate the first request data package according to described first signed data and described validation request information; Utilize the private key of described electronic signature token to be decrypted the feedback data packet that comes into force, obtain the feedback information that comes into force; Generate the first response data packet; Utilize the private key of described electronic signature token to sign to described activation request code, generate the second signed data, and generate the second request data package according to described activation request code and described second signed data; After receiving described ciphering activation code, utilize the private key of described electronic signature token to obtain the active coding after deciphering to described ciphering activation code deciphering, after described authentication module is verified the active coding after described deciphering, generate the second response data packet; Described first request data package that described dynamic password generation module generates, after signature blocks generates the first request data package, is sent to background system server by described transport module; And receive the feedback data packet that comes into force of background system server transmission; Described first response data packet described signature blocks generated is sent to described background system server; After signature blocks generates described second request data package, described second request data package is sent to background system server; Receive the ciphering activation code that described background system server sends; Described second response data packet described signature blocks generated is sent to described background system server; Come into force described in described memory module preservation feedback information; Described authentication module is deciphered to signature blocks the decoded active coding obtained and is verified.
In addition, the classification setting table of the corresponding described action type of described dynamic password generation module acquisition and other classification of the described operation level of correspondence arrange at least one table in table, show and described validation request code generation validation request information according at least one setting in table of the classification setting table got and classification.
In addition, described dynamic password generation module, according to described action type, is determined and the key seed that described action type is mated, and at least generates dynamic password value according to described key seed and default event factor; Or according to described operation rank, determine and the event factor that described operation rank is mated, at least generate dynamic password value according to the key seed preset and described event factor; Or according to described action type, determine and the key seed that described action type is mated, according to described operation rank, determine and the event factor that described operation rank is mated, at least generate dynamic password value according to described key seed and described event factor.
In addition, described input module also obtains challenge code; The described challenge code that described dynamic password generation module gets according to described input module and described key seed and the event factor preset generate dynamic password value; Or the described challenge code to get according to described input module and default key seed and described event factor generate dynamic password value; Or the described challenge code to get according to described input module and described key seed and described event factor generate dynamic password value.
In addition, described electronic signature token also comprises: update module, and described update module upgrades the event factor be kept in described memory module.
In addition, described signature blocks generates the first response message, the private key of described electronic signature token is utilized to sign to the first response message, obtain the first response signed data, after the described first response signed data of generation, generate the first response data packet according to described first response signed data and described first response message.
In addition, after described signature blocks is verified the active coding after described deciphering, generate the second response message, the private key of described electronic signature token is utilized to sign to the second response message, obtain the second response signed data, after the described second response signed data of generation, generate the second response data packet according to described second response signed data and described second response message.
In addition, after the active coding of described authentication module also after described signature blocks deciphers described ciphering activation code acquisition deciphering, utilize the activation identifying code generating algorithm of described electronic signature token to generate and activate identifying code, active coding after deciphering described in comparison and described activation identifying code, verify the active coding after described deciphering; Or when described ciphering activation code is sent to described electronic signature token by described background system server together with described active coding, described signature blocks is decrypted described ciphering activation code according to the private key of electronic signature token, obtain the active coding after deciphering, the described active coding that active coding after deciphering described in described authentication module comparison and described background system server are sent, verifies the active coding after described deciphering.
In addition, what described input module also received start-up command and received outside input enters dynamic password mode instruction.
In addition, described input module also obtains synchronization request instruction; Described dynamic password generation module also obtains synchronization request code according to described synchronization request instruction, at least generates synchronization request information according to described synchronization request code; Described signature blocks also utilizes the private key of described electronic signature token to sign to described synchronization request information, generate the 3rd signed data, after described 3rd signed data of generation, generate the 3rd request data package according to described 3rd signed data and described synchronization request information; After receiving synchronous feedback packet, utilize the private key of described electronic signature token to be decrypted described synchronous feedback packet, obtain synchro feedback information; Generate the 3rd response data packet;
Described 3rd request data package also, after described signature blocks generates the 3rd request data package, is sent to background system server by described transport module; Receive described synchronous feedback packet; After described signature blocks generates described 3rd response data packet, described 3rd response data packet is sent to described background system server; Described memory module also preserves described synchro feedback information.
In addition, described signature blocks generates the 3rd response message, the private key of described electronic signature token is utilized to sign to the 3rd response message, obtain the 3rd response signed data, after the described 3rd response signed data of generation, generate the 3rd response data packet according to described 3rd response signed data and described 3rd response message.
The present invention has the system providing the request of a kind of electronic signature token operation response on the one hand, comprising: background system server and above-mentioned electronic signature token, described background system server receives the first request data package that described electronic signature token sends, described first signed data and described validation request information is obtained from described first request data package received, the PKI corresponding with the private key of described electronic signature token is utilized to verify described first signed data, after described first signed data of checking passes through, at least from described validation request information, obtain described validation request code, at least to come into force feedback information according to described validation request code, the PKI corresponding with the private key of described electronic signature token is utilized to be encrypted the described feedback information that comes into force, acquisition comes into force feedback data packet, and the described feedback data packet that comes into force is sent to described electronic signature token, receive the first response data packet that electronic signature token sends, respond the operation that comes into force, receive the second request data package that electronic signature token sends, described activation request code and described second signed data is obtained from the second request data package, and utilize the PKI corresponding with described electronic signature token private key to verify described second signed data, after described second signed data of checking passes through, active coding is generated according to described activation request code, the PKI corresponding with described electronic signature token private key is utilized to be encrypted described active coding, obtain ciphering activation code, and ciphering activation code is sent to described electronic signature token, receive the second response data packet that electronic signature token sends, response activation manipulation.
In addition, described background system server is after described first signed data of checking passes through, from described validation request information, obtain classification setting table and classification at least one table and described validation request code in table be set, at least according to classification setting table and classification arrange at least one table in table and described validation request code generate described in come into force feedback information.
In addition, described background system server receives the dynamic password value of outside input, verifies described dynamic password value, and after being verified, upgrades the event factor be kept in described background system server.
In addition, after described background system server receives the first response data packet, described first response signed data and described first response message is obtained according to the first response data packet, utilize the PKI corresponding with the private key of described electronic signature token to respond signed data to described first to verify, and after being verified, respond according to described first response message the operation that comes into force.
In addition, after described background system server receives the second response data packet, described second response signed data and described second response message is obtained according to the second response data packet, utilize the PKI corresponding with the private key of described electronic signature token to respond signed data to described second to verify, and after being verified, according to described second response message response activation manipulation.
In addition, described background system server receives the 3rd request data package that electronic signature token sends, described 3rd signed data and described synchronization request information is obtained from described 3rd request data package received, the PKI corresponding with the private key of described electronic signature token is utilized to verify described 3rd signed data, after described 3rd signed data of checking passes through, at least from described synchronization request information, obtain described synchronization request code, at least generate synchro feedback information according to described synchronization request code, the PKI corresponding with the private key of described electronic signature token is utilized to be encrypted described synchro feedback information, obtain synchronous feedback packet, and by described synchronous feedback Packet Generation to described electronic signature token, receive the 3rd response data packet that electronic signature token sends, response simultaneous operation.
In addition, described background system server receives the 3rd response data packet that electronic signature token sends, described 3rd response signed data and described 3rd response message is obtained according to the 3rd response data packet, described background system server utilizes the PKI corresponding with the private key of described electronic signature token to respond signed data to the described 3rd and verifies, and after being verified, according to described 3rd response message response simultaneous operation.
As seen from the above technical solution provided by the invention, the invention provides the method for a kind of electronic signature token operation response request, system and electronic signature token, ensure that electronic signature token is under offline condition, still can realize banking by dynamic password CMOS macro cell dynamic password; The business realized is classified and classification simultaneously, improve the fail safe of business realizing.
Accompanying drawing explanation
In order to be illustrated more clearly in the technical scheme of the embodiment of the present invention, below the accompanying drawing used required in describing embodiment is briefly described, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawings can also be obtained according to these accompanying drawings.
The flow chart of the method for the electronic signature token operation response request that Fig. 1 provides for the embodiment of the present invention 1;
The electronic signature token that Fig. 2 provides for the embodiment of the present invention 1 performs the flow chart of the flow process that comes into force;
The flow chart of the electronic signature token execution activation process that Fig. 3 provides for the embodiment of the present invention 1;
The flow chart of the electronic signature token execution first Application flow process that Fig. 4 provides for the embodiment of the present invention 1;
The flow chart of the method for the electronic signature token execution corresponding operating request that Fig. 5 provides for the embodiment of the present invention 2;
Fig. 6 performs the flow chart of synchronous flow process for electronic signature token that the embodiment of the present invention 2 provides;
The structured flowchart of the system of the electronic signature token operation response request that Fig. 7 provides for the embodiment of the present invention 3.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, be clearly and completely described the technical scheme in the embodiment of the present invention, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiments.Based on embodiments of the invention, those of ordinary skill in the art, not making the every other embodiment obtained under creative work prerequisite, belong to protection scope of the present invention.
In describing the invention, it will be appreciated that, term " " center ", " longitudinal direction ", " transverse direction ", " on ", D score, " front ", " afterwards ", " left side ", " right side ", " vertically ", " level ", " top ", " end ", " interior ", orientation or the position relationship of the instruction such as " outward " are based on orientation shown in the drawings or position relationship, only the present invention for convenience of description and simplified characterization, instead of indicate or imply that the device of indication or element must have specific orientation, with specific azimuth configuration and operation, therefore limitation of the present invention can not be interpreted as.In addition, term " first ", " second " only for describing object, and can not be interpreted as instruction or hint relative importance or quantity or position.
In describing the invention, it should be noted that, unless otherwise clearly defined and limited, term " installation ", " being connected ", " connection " should be interpreted broadly, and such as, can be fixedly connected with, also can be removably connect, or connect integratedly; Can be mechanical connection, also can be electrical connection; Can be directly be connected, also indirectly can be connected by intermediary, can be the connection of two element internals.For the ordinary skill in the art, concrete condition above-mentioned term concrete meaning in the present invention can be understood.
Below in conjunction with accompanying drawing, the embodiment of the present invention is described in further detail.
Embodiment 1
The embodiment of the present invention 1 provides the method for electronic signature token operation response request, and see Fig. 1, the method for electronic signature token operation response request, comprises the steps:
Step S101, electronic signature token performs the flow process that comes into force;
Concrete, after electronic signature token is dispatched from the factory, all perform the flow process that comes into force of dynamic password pattern for each electronic signature token, in the different electronic signature token of each sequence number, namely write the strategy that dynamic password value generates.Certainly, this strategy can each electronic signature token identical, also can each electronic signature token different.Make the strategy of each electronic signature token generation dynamic password value all different, the randomness of each electronic signature token can be ensured, improve the fail safe generating dynamic password value.
Certainly, electronic signature token default action of the present invention is electronic signature pattern, the electronic signature functionality of the electronic signature token namely used in prior art, dynamic password pattern is set in electronic signature token of the present invention, can select to enter dynamic password pattern by user, to ensure that the off line of electronic signature token uses.
Step S102, electronic signature token performs activation process;
Concrete, after electronic signature token comes into force, need to activate the dynamic password pattern of electronic signature token, so that user can use the dynamic password pattern of this electronic signature token.
Step S103, electronic signature token performs first Application flow process.
Concrete, after electronic signature token has carried out coming into force and activate, the flow process of the first Application of dynamic password pattern can be performed, even electronic signature token off line is applied to the related service that bank provides, such as, transfer accounts, transaction etc.Certainly, after electronic signature token performs first Application, the follow-up application flow that again can perform dynamic password pattern according to the selection of user.
On the basis of Fig. 1, Fig. 2 provides the flow chart that electronic signature token performs the flow process that comes into force, and see Fig. 2, electronic signature token performs the flow process come into force, and comprises the steps:
Step S201, electronic signature token receives open command, performs open operation according to open command;
Concrete, after electronic signature token only enters dynamic password pattern, just can perform the flow process that comes into force of dynamic password pattern.
Such as: electronic signature token can perform open operation in the following way: electronic signature token receives start-up command, power-on operation is performed according to start-up command, electronic signature token after powering, what receive outside input enters dynamic password mode instruction, according to entering dynamic password mode instruction, enter dynamic password pattern.
Certainly, in the present invention, the start-up command that electronic signature token receives can be press by user the starting key be arranged in electronic signature token to generate; The dynamic password mode instruction that enters of the outside input that electronic signature token receives can be pressed by user to be arranged on mode switching key in electronic signature token and to generate, also can be user pass through to enter select this pattern in the menu of electronic signature token after press and confirm that button generates.
The dynamic password pattern of electronic signature token of the present invention can be event mode, or event challenge type, namely generates dynamic password according to event factor and key seed, or generates dynamic password according to event factor, challenge code and key seed.
Step S202, electronic signature token obtains validation request instruction, and obtains validation request code according to validation request instruction;
Concrete, validation request instruction can be press by user the button that comes into force be arranged in electronic signature token to generate, also can be user pass through to enter in the menu of electronic signature token select to come into force after press and confirm that button generates, can also receive from terminal by connecting terminal.
Can to be electronic signature token generate according to validation request instruction validation request code, also can be that the validation request code that user by selecting that electronic signature token receives is pre-stored in electronic signature token obtains.
Step S203, electronic signature token at least generates validation request information according to validation request code;
Concrete, electronic signature token only can generate validation request information according to validation request code, also validation request information can together be generated according to other information of electronic signature token and validation request code, such as, the information such as the sequence number of electronic signature token and validation request code together can be generated validation request information.
Certainly, electronic signature token at least can also generate validation request information according to validation request code in the following way: the classification of classification setting table and respective operations rank that electronic signature token obtains respective operations type arranges at least one table in table, shows and validation request code generation validation request information according at least one setting in table of the classification setting table got and classification.
By arranging at least one table in table to background system server transmission classification setting table and classification, the individual demand that can meet user is arranged; In addition, by above-mentioned two tables, at least one generates validation request information jointly with validation request code, make the personal settings of user come into force with electronic signature token together with perform, reduce information interaction times, raising treatment effeciency.
Wherein, the classification that classification setting table can be arranged in electronic signature token for user, comprising: log in, transfer accounts, conclude the business, the various action type such as inquiry; Classification is arranged shows the classification that can arrange in electronic signature token for user, comprising: the grade classification of the amount of money of transfer accounts, concluding the business, such as: within 100,100 to 1000,1000 to 5000, the operation rank of 5000 to 10000.
Certainly, if generate validation request information according to classification setting table and validation request code, and when the dynamic password pattern of electronic signature token of the present invention is event challenge type, the challenge code input policing that various action type is corresponding can also in classification setting table, be comprised;
If arrange table and validation request code generation validation request information according to classification, and when the dynamic password pattern of electronic signature token of the present invention is event challenge type, classification arranges in table and can also comprise challenge code input policing corresponding to various operation rank.
If according to classification setting table, classification arranges table and validation request code generates validation request information, and the dynamic password pattern of electronic signature token of the present invention is when being event challenge type, only table can be set in classification and comprises challenge code input policing corresponding to various operation rank.Such as: within 100, input which kind of challenge code, 100 to 1000 which kind of challenge code of input etc.
Step S204, electronic signature token utilizes the private key of electronic signature token to sign to validation request information, generates the first signed data;
Concrete, electronic signature token can realize the object of signing to validation request information by the signature blocks performing existing electronic signature functionality, thus the algorithm arranged in electronic signature token can be saved, improve the utilance of each module in electronic signature token.
Step S205, electronic signature token, after generation first signed data, generates the first request data package according to the first signed data and validation request information;
Concrete, in order to improve the fail safe of validation request information transmission, in this step, after can also being encrypted validation request information, generate the first request data package together with the first signed data.
Step S206, the first request data package, after generation first request data package, is sent to background system server by electronic signature token;
Concrete, electronic signature token can connect terminal by USB interface, and the first request data package is sent to background system server; Also can connect terminal by audio interface, the first request data package is sent to background system server; Can also by wireless communication module wirelessly (such as bluetooth, NFC, infrared etc.) by terminal, the first request data package is sent to background system server, or directly the first request data package is sent to background system server.Wherein, background system server is bank server, ensure that the safety of data transmission link.
Step S207, background system server, after receiving the first request data package, obtains the first signed data and validation request information from the first request data package received;
Concrete, background system server is after receiving the first request data package, the first signed data and validation request information can be obtained from this first request data package, if the validation request information in the first request data package is encrypted, now can also be decrypted to encryption validation request information the plaintext obtaining validation request information.
Step S208, background system server utilizes the PKI corresponding with the private key of electronic signature token to verify the first signed data;
Concrete, store the PKI corresponding with the private key of electronic signature token in background system server, to ensure that the data can signed to the private key through electronic signature token carry out sign test, prevent from denying.
Step S209, background system server, after checking first signed data passes through, at least obtains validation request code from validation request information, at least to come into force feedback information according to validation request code;
Concrete, corresponding with step S203, in this step, background system server is after checking first signed data passes through, classification setting table and classification can be obtained from validation request information at least one table and validation request code in table are set, and at least at least one table in table and validation request code are set according to classification setting table and classification and come into force feedback information.
Wherein, the feedback information that comes into force comprises: classification setting table and described classification arrange the mapping relations of at least one table and each table correspondence in table; Wherein: the mapping relations of classification setting table are the mapping relations of action type in classification setting table and key seed, and key seed corresponding to any two action types is different between two; The mapping relations that classification arranges table are the mapping relations that classification arranges operation rank in table and event factor, and event factor corresponding to any two operation ranks are different between two.Can ensure that each action type all adopts different key seed like this, each operation rank all adopts different event factor, improves the fail safe that dynamic password value generates.
Certainly, if include the action type logged in classification setting table, then without the need to this action type mapping key seed and event factor.
Wherein, each action type in classification setting table, classification arrange in table each operation rank, at least one key seed, at least one event factor mapping relations can include but not limited to following relation:
Such as: a generic operation type of classification setting table is for transferring accounts, key seed corresponding to the action type of transferring accounts is one, and the progressive operation corresponding from it comprises: within 100,100 to 1000,1000 to 5000,5000 to 10,000 four operate rank corresponding different event factor respectively.
Certainly, if validation request information generates according to classification setting table and validation request code, and the dynamic password pattern of electronic signature token of the present invention is when being event challenge type, the challenge code input policing that various action type is corresponding in classification setting table, can also be comprised;
If validation request information arranges table according to classification and validation request code generates, and when the dynamic password pattern of electronic signature token of the present invention is event challenge type, classification arranges in table and can also comprise challenge code input policing corresponding to various operation rank.
If validation request information arranges table and validation request code generation life according to classification setting table, classification, and the dynamic password pattern of electronic signature token of the present invention is when being event challenge type, only table can be set in classification and comprises challenge code input policing corresponding to various operation rank.Such as: a generic operation type of classification setting table is for transferring accounts, key seed corresponding to the action type of transferring accounts is one, the progressive operation corresponding from it comprises: within 100,100 to 1000,1000 to 5000,5000 to 10,000 four operate rank respectively corresponding different event factor, which kind of challenge code is inputted within 100, such as: this challenge code can be last position etc. of the other side's account, 100 to 1000 which kind of challenge code of input, such as: this challenge code can be latter two of the other side's account.
Step S210, background system server utilizes the PKI corresponding with the private key of electronic signature token to be encrypted the feedback information that comes into force, and obtain the feedback data packet that comes into force, and the feedback data packet that will come into force is sent to electronic signature token;
By being encrypted the feedback information that comes into force, improve the fail safe of the transmission of feedback information that comes into force.
Step S211, electronic signature token receives the feedback data packet that comes into force, and utilizes the private key of electronic signature token to be decrypted the feedback data packet that comes into force, and obtains the feedback information that comes into force, and preserves the feedback information that comes into force;
Concrete, electronic signature token deciphering acquisition comes into force after feedback information, the feedback information that this come into force is preserved, to ensure that the feedback information that comes into force in electronic signature token is identical with the feedback information that comes into force of background system server, thus ensure that the dynamic password value of the follow-up generation of electronic signature token can be undertaken verifying by background system server and pass through to verify.
Step S212, electronic signature token generates the first response data packet, and the first response data packet is sent to background system server;
Concrete, after electronic signature token successfully saves the feedback information that comes into force, electronic signature token can generate the first response message, the private key of electronic signature token is utilized to sign to the first response message, obtain the first response signed data, generate the first response data packet according to the first response signed data and the first response message, the first response data packet is sent to background system server.Thus the non repudiation of response message can be ensured, in addition, electronic signature token notifies background system server, and it completes the flow process that comes into force, and sends the first response data packet to background system server, so that background system server knows that this electronic signature token completes the flow process that comes into force.
Step S213, after background system server receives the first response data packet, responds the operation that comes into force.
Concrete, after background system server receives the first response data packet, the first response signed data and the first response message is obtained according to the first response data packet, utilize the PKI corresponding with the private key of electronic signature token to respond signed data to first to verify, and after being verified, respond according to the first response message the operation that comes into force.Now by PKI, sign test is carried out to the first response signed data, ensure that the non repudiation of the first response signed data, in addition, after background system server obtains the first response data packet, related procedure after response comes into force, such as can entering into force for this electronic signature token of mark.
On the basis of Fig. 1, Fig. 3 provides the flow chart that electronic signature token performs activation process, and see Fig. 3, electronic signature token performs the flow process activated, and comprises the steps:
Step S301, electronic signature token receives activation request instruction, and obtains activation request code according to activation request instruction;
Concrete, the activation request instruction that electronic signature token receives can be press by user the activation button be arranged in electronic signature token to generate, also can be user pass through to enter in the menu of electronic signature token select to activate after press and confirm that button generates, can also receive from terminal by connecting terminal.
Can to be electronic signature token generate according to activation request instruction activation request code, also can be that the activation request code that user by selecting that electronic signature token receives is pre-stored in electronic signature token obtains.
Step S302, electronic signature token utilizes the private key of electronic signature token to sign to activation request code, generates the second signed data, and generates the second request data package according to activation request code and the second signed data;
Concrete, electronic signature token can realize the object of signing to activation request code by the signature blocks performing existing electronic signature functionality, thus can save the algorithm arranged in electronic signature token, improves the utilance of each module in electronic signature token.
Certainly, in order to improve the fail safe of activation request code transmission, in this step, after can also being encrypted activation request code, the second request data package is generated together with the second signed data.
Step S303, the second request data package, after generation second request data package, is sent to background system server by electronic signature token;
Concrete, electronic signature token can connect terminal by USB interface, and the second request data package is sent to background system server; Also can connect terminal by audio interface, the second request data package is sent to background system server; Can also by wireless communication module wirelessly (such as bluetooth, NFC, infrared etc.) by terminal, the second request data package is sent to background system server, or directly the second request data package is sent to background system server.Wherein, background system server is bank server, ensure that the safety of data transmission link.
Step S304, after background system server receives the second request data package, obtains activation request code and the second signed data from the second request data package, and utilizes the PKI corresponding with electronic signature token private key to verify the second signed data;
Concrete, background system server is after receiving the second request data package, the second signed data and activation request code can be obtained from this second request data package, if the activation request code in the second request data package is encrypted, now can also be decrypted to ciphering activation request code the plaintext obtaining activation request code.
Store the PKI corresponding with the private key of electronic signature token in background system server, and according to this PKI, the second signed data is verified, to ensure that the data can signed to the private key through electronic signature token carry out sign test, prevent from denying.
Step S305, background system server, after checking second signed data passes through, generates active coding according to activation request code;
Concrete, background system server is after checking second signed data passes through, can generate active coding according to activation request code, such as, the ciphertext of the summary that can pass through calculating activation request code or the MAC calculating activation request code or the acquisition of ciphering activation request code is as active coding.Certainly, active coding can also be generated, to ensure the randomness of active coding by inserting the modes such as random number in the optional position of activation request code.
Step S306, after background system server generates active coding, utilizes the PKI corresponding with electronic signature token private key to be encrypted active coding, obtains ciphering activation code, and ciphering activation code is sent to electronic signature token;
By being encrypted active coding, improve the fail safe of active coding transmission.
Step S307, after electronic signature token receives ciphering activation code, utilizes the private key pair encryption active coding of electronic signature token to decipher and obtains the active coding after deciphering;
Be decrypted by the private key pair encryption active coding of electronic signature token and obtain decoded active coding, so that follow-up, active coding after deciphering is verified.
Step S308, electronic signature token is verified the active coding after deciphering;
Concrete, after the active coding of electronic signature token after receiving deciphering, decoded active coding can be verified in the following way: utilize the activation identifying code generating algorithm of electronic signature token to generate and activate identifying code, active coding after comparison deciphering and activation identifying code, active coding after checking deciphering, and comparison deciphering after active coding and activate identifying code consistent after, verify decipher after active coding pass through; Now, the activation identifying code generating algorithm that electronic signature token has prestored identical with background system server active coding generating algorithm, to verify the active coding after deciphering.
Or
When step S306, ciphering activation code can also be sent to electronic signature token by background system server together with active coding, electronic signature token is decrypted according to the private key pair encryption active coding of electronic signature token, obtain the active coding after deciphering, the active coding that active coding after comparison deciphering and background system server are sent, the active coding after checking deciphering.
Step S309, electronic signature token generates the second response data packet, and the second response data packet is sent to background system server after being verified the active coding after deciphering;
Concrete, after electronic signature token is verified the active coding after deciphering, electronic signature token can generate the second response message, the private key of electronic signature token is utilized to sign to the second response message, obtain the second response signed data, generate the second response data packet according to the second response signed data and the second response message, the second response data packet is sent to background system server.Thus the non repudiation of response message can be ensured, in addition, electronic signature token notifies background system server, and it completes activation process, sends the second response data packet to background system server, so that background system server knows that this electronic signature token completes the flow process that comes into force.
Step S310, after background system server receives the second response data packet, response activation manipulation.
Concrete, after background system server receives the second response data packet, the second response signed data and the second response message is obtained according to the second response data packet, utilize the PKI corresponding with the private key of electronic signature token to respond signed data to second to verify, and after being verified, according to the second response message response activation manipulation.Now by PKI, sign test is carried out to the second response signed data, ensure that the non repudiation of the second response signed data, in addition, after background system server obtains the second response data packet, related procedure after response activates can be such as the activation etc. of this electronic signature token of mark.
On the basis of Fig. 1, Fig. 4 provides the flow chart that electronic signature token performs first Application flow process, and see Fig. 3, electronic signature token performs the flow process of first Application, comprises the steps:
Step S401, electronic signature token according to the operation requests received, the action type corresponding to determination operation request and/or operation rank;
Concrete, electronic signature token can according to the operation requests received, the action type that determination operation request is corresponding; Or the operation rank that determination operation request is corresponding; Or the action type that determination operation request is corresponding and operation rank; Thus ensure that electronic signature token can determine the strategy used according to the content determined.
Step S402, the strategy that electronic signature token uses according to action type and/or the request of operation rank determination operation response;
Concrete, electronic signature token determines action type, then according to action type, determine the key seed of mating with action type;
Electronic signature token determines operation rank, then electronic signature token is according to operation rank, determines and the event factor that operation rank is mated;
Electronic signature token determines action type and operation rank, then electronic signature token is according to action type, determines the key seed of mating with action type, and electronic signature token, according to operation rank, is determined and the event factor that operation rank is mated.
As can be seen here, the confirmable Different Strategies of this step, so that follow-up according to different strategy generating dynamic password values, ensure that the randomness that dynamic password value generates.
Step S403, electronic signature token is according to the policy response operation requests obtained.
Concrete, electronic signature token, according to action type, determines the key seed of mating with action type, at least generates dynamic password value according to key seed and default event factor; Certainly, if dynamic password pattern is event challenge type, then electronic signature token also obtains challenge code, generates dynamic password value according to the challenge code got and key seed with the event factor preset;
Electronic signature token, according to operation rank, is determined and the event factor that operation rank is mated, is at least generated dynamic password value according to the key seed preset and event factor; Certainly, if dynamic password pattern is event challenge type, then electronic signature token also obtains challenge code, generates dynamic password value according to the challenge code got and default key seed and event factor;
Electronic signature token determines action type and operation rank, then electronic signature token is according to action type, determines the key seed of mating with action type, according to operation rank, determine and the event factor that operation rank is mated, at least generate dynamic password value according to key seed and event factor.Certainly, if dynamic password pattern is event challenge type, then electronic signature token also obtains challenge code, generates dynamic password value according to the challenge code got and key seed and event factor.
Wherein, challenge code by electronic signature token being key-press input, also can being inputted by terminal and be obtained by electronic signature token.
The dynamic password value generated can be shown by the display screen of electronic signature token, so that this dynamic password value can be inputed to terminal by user, and is sent to background system server via terminal.
In addition, in the present embodiment, when electronic signature token performs application flow again, first can receive open command, perform open operation according to open command, and after open operation, perform the flow process of above-mentioned steps 103, specifically see step 301 to step 303, can not repeat them here.
Certainly, no matter electronic signature token performs application flow first or again performs application flow, electronic signature token is according to after the policy response operation requests obtained, electronic signature token all can upgrade the event factor be kept in electronic signature token, so that each event factor is all different, even if again produce identical business, also can not produce identical dynamic password value, improve randomness and the fail safe of dynamic password value.
Certainly, after background system server receives the dynamic password value of input at every turn, checking dynamic password value, and after being verified, also the event factor be kept in background system server is upgraded, thus ensure that background system server can be identical with the event factor of electronic signature token, ensure the correctness of subsequent authentication.
As can be seen here, electronic signature token have employed the method for operation response request of the present invention, ensure that electronic signature token is under offline condition, still can realize banking by dynamic password CMOS macro cell dynamic password; The business realized is classified and classification simultaneously, improve the fail safe of business realizing.
Embodiment 2
The embodiment of the present invention 2 provides the another kind of method of electronic signature token operation response request, and see Fig. 5, the method for electronic signature token operation response request, comprises the steps:
Step S501, electronic signature token performs the flow process that comes into force;
Step S502, electronic signature token performs activation process;
Step S503, electronic signature token performs first Application flow process;
Above-mentioned steps S501 to step S503 is identical with step S101 to S103, and its idiographic flow is if above-mentioned steps S201 is to step S213, and step S301 is to step S310, and step S401, to step S403, does not repeat them here.
Step S504, electronic signature token performs synchronous flow process.
Concrete, because electronic signature token and background system server are when each finishing service, all event factor can be upgraded, therefore, electronic signature token needs to ensure the synchronous of event factor with background system server, each dynamic password value generated just can be made to be passed through by background system server certification, ensure carrying out smoothly of banking.
On the basis of Fig. 5, Fig. 6 provides the flow chart that electronic signature token performs synchronous flow process, and see Fig. 6, electronic signature token performs synchronous flow process, comprises the steps:
Step S601, electronic signature token obtains synchronization request instruction, and obtains synchronization request code according to synchronization request instruction;
Concrete, synchronization request instruction can be press by user the synchronous button be arranged in electronic signature token to generate, also can be user pass through to enter select in the menu of electronic signature token synchronous after press and confirm that button generates, can also terminal receive from terminal by connecting.
Can to be electronic signature token generate according to synchronization request instruction synchronization request code, also can be that the synchronization request code that user by selecting that electronic signature token receives is pre-stored in electronic signature token obtains.
Step S602, electronic signature token at least generates synchronization request information according to synchronization request code;
Concrete, electronic signature token only can generate synchronization request information according to synchronization request code, also synchronization request information can together be generated according to other information of electronic signature token and synchronization request code, such as, the information such as the sequence number of electronic signature token and synchronization request code together can be generated synchronization request information.
Step S603, electronic signature token utilizes the private key of electronic signature token to sign to synchronization request information, generates the 3rd signed data;
Concrete, electronic signature token can realize the object of signing to synchronization request information by the signature blocks performing existing electronic signature functionality, thus the algorithm arranged in electronic signature token can be saved, improve the utilance of each module in electronic signature token.
Step S604, electronic signature token, after generation the 3rd signed data, generates the 3rd request data package according to the 3rd signed data and synchronization request information;
Concrete, in order to improve the fail safe of synchronization request information transmission, in this step, after can also being encrypted synchronization request information, generate the 3rd request data package together with the 3rd signed data.
Step S605, the 3rd request data package, after generation the 3rd request data package, is sent to background system server by electronic signature token;
Concrete, electronic signature token can connect terminal by USB interface, and the 3rd request data package is sent to background system server; Also can connect terminal by audio interface, the 3rd request data package is sent to background system server; Can also by wireless communication module wirelessly (such as bluetooth, NFC, infrared etc.) by terminal, the 3rd request data package is sent to background system server, or directly the 3rd request data package is sent to background system server.Wherein, background system server is bank server, ensure that the safety of data transmission link.
Step S606, background system server, after receiving the 3rd request data package, obtains the 3rd signed data and synchronization request information from the 3rd request data package received;
Concrete, background system server is after receiving the 3rd request data package, the 3rd signed data and synchronization request information can be obtained from the 3rd request data package, if the synchronization request information in the 3rd request data package is encrypted, now can also be decrypted to encryption synchronisation solicited message the plaintext obtaining synchronization request information.
Step S607, background system server utilizes the PKI corresponding with the private key of electronic signature token to verify the 3rd signed data;
Concrete, store the PKI corresponding with the private key of electronic signature token in background system server, to ensure that the data can signed to the private key through electronic signature token carry out sign test, prevent from denying.
Step S608, background system server, after checking the 3rd signed data passes through, at least obtains synchronization request code from synchronization request information, at least generates synchro feedback information according to synchronization request code;
Concrete, synchro feedback information comprises: the different event factor that each operation rank that background system server stores is corresponding.Namely often the subsynchronous synchronous event factor that only needs can be verified by background system server with the dynamic password value ensureing electronic signature token and generate.
Step S609, background system server utilizes the PKI corresponding with the private key of electronic signature token to be encrypted synchro feedback information, obtains synchronous feedback packet, and by synchronous feedback Packet Generation to electronic signature token;
By being encrypted synchro feedback information, improve the fail safe of synchro feedback information transmission.
Step S610, electronic signature token receives synchronous feedback packet, utilizes the private key of electronic signature token to be decrypted synchronous feedback packet, obtains synchro feedback information, preserves synchro feedback information;
Concrete, after electronic signature token deciphering obtains synchro feedback information, this synchro feedback information is preserved, to ensure that the synchro feedback information in electronic signature token is identical with the synchro feedback information of background system server, thus ensure that the dynamic password value of the follow-up generation of electronic signature token can be undertaken verifying by background system server and pass through to verify.
Step S611, electronic signature token generates the 3rd response data packet, and the 3rd response data packet is sent to background system server; Electronic signature token generates the 3rd response message, utilizes the private key of electronic signature token to sign to the 3rd response message, obtains the 3rd response signed data;
Concrete, after electronic signature token successfully saves synchro feedback information, electronic signature token can generate the 3rd response message, the private key of electronic signature token is utilized to sign to the 3rd response message, obtain the 3rd response signed data, generate the 3rd response data packet according to the 3rd response signed data and the 3rd response message, the 3rd response data packet is sent to background system server.Thus the non repudiation of response message can be ensured, in addition, electronic signature token notifies background system server, and it completes synchronous flow process, sends the 3rd response data packet to background system server, so that background system server knows that this electronic signature token completes synchronous flow process.
Step S612, after background system server receives the 3rd response data packet, response simultaneous operation.
Concrete, after background system server receives the 3rd response data packet, the 3rd response signed data and the 3rd response message is obtained according to the 3rd response data packet, utilize the PKI corresponding with the private key of electronic signature token to respond signed data to the 3rd to verify, and after being verified, according to the 3rd response message response simultaneous operation.Now by PKI, sign test is carried out to the 3rd response signed data, ensure that the non repudiation of the 3rd response signed data, in addition, after background system server obtains the 3rd response data packet, related procedure after response is synchronous, such as can synchronous etc. for this electronic signature token of mark.
As can be seen here, electronic signature token have employed the method for operation response request of the present invention, ensure that electronic signature token is under offline condition, still can realize banking by dynamic password CMOS macro cell dynamic password; The business realized is classified and classification simultaneously, improve the fail safe of business realizing.
Embodiment 3
The embodiment of the present invention 3 provides the system of electronic signature token operation response request, and see Fig. 7, the system of electronic signature token operation response request, comprising: the electronic signature token 80 of background system server 70 and employing embodiment 1 or embodiment 2; Wherein electronic signature token 80 performs the method for embodiment 1 or embodiment 2, does not repeat them here.
Certainly, in the present invention, electronic signature token 80 includes but not limited to following restriction: input module 801, dynamic password generation module 802, signature blocks 803, transport module 804, memory module 805 and authentication module 806; Some modules wherein can be merged into a module and perform correlation function, and one of them module also can be split as several submodules and perform its function.
Input module 801 receives open command, obtains validation request instruction, receives activation request instruction, receives operation requests;
Dynamic password generation module 802 performs open operation according to open command, obtains validation request code according to validation request instruction, at least generates validation request information according to validation request code; Activation request code is obtained according to activation request instruction; According to the operation requests received, the action type corresponding to determination operation request and/or operation rank, according to the strategy that action type and/or the request of operation rank determination operation response use, according to the policy response operation requests obtained;
Signature blocks 803 utilizes the private key of electronic signature token 80 to sign to validation request information, generates the first signed data, after generation first signed data, generates the first request data package according to the first signed data and validation request information; Utilize the private key of electronic signature token 80 to be decrypted the feedback data packet that comes into force, obtain the feedback information that comes into force; Generate the first response data packet; Utilize the private key of electronic signature token 80 to sign to activation request code, generate the second signed data, and generate the second request data package according to activation request code and the second signed data; After receiving ciphering activation code, utilize the private key pair encryption active coding of electronic signature token 80 to decipher and obtain the active coding after deciphering, after authentication module 806 is verified the active coding after deciphering, generate the second response data packet;
Transport module 804 is after signature blocks 803 generates the first request data package, and the first request data package generated by dynamic password generation module 802 is sent to background system server 70; And receive the feedback data packet that comes into force of background system server 70 transmission; The first response data packet signature blocks 803 generated is sent to background system server 70; After signature blocks 803 generates the second request data package, the second request data package is sent to background system server 70; Receive the ciphering activation code that background system server 70 sends; The second response data packet signature blocks 803 generated is sent to background system server 70;
Memory module 805 preserves the feedback information that comes into force;
Authentication module 806 pairs of signature blocks 803 are deciphered the decoded active coding obtained and are verified.
In addition, the classification of classification setting table and respective operations rank that dynamic password generation module 802 obtains respective operations type arranges at least one table in table, shows and validation request code generation validation request information according at least one setting in table of the classification setting table got and classification.
Dynamic password generation module 802, according to action type, determines the key seed of mating with action type, at least generates dynamic password value according to key seed and default event factor; Or according to operation rank, determine and the event factor that operation rank is mated, at least generate dynamic password value according to the key seed preset and event factor; Or according to action type, determine the key seed of mating with action type, according to operation rank, determine and the event factor that operation rank is mated, at least generate dynamic password value according to key seed and event factor.
Input module 801 also obtains challenge code, and the challenge code that dynamic password generation module 802 gets according to input module 801 and key seed and the event factor preset generate dynamic password value; Or the challenge code to get according to input module 801 and default key seed and event factor generate dynamic password value; Or the challenge code to get according to input module 801 and key seed and event factor generate dynamic password value.
Signature blocks 803 generates the first response message, the private key of electronic signature token 80 is utilized to sign to the first response message, obtain the first response signed data, after generation first responds signed data, generate the first response data packet according to the first response signed data and the first response message.
After signature blocks 803 is verified the active coding after deciphering, generate the second response message, the private key of electronic signature token 80 is utilized to sign to the second response message, obtain the second response signed data, after generation second responds signed data, generate the second response data packet according to the second response signed data and the second response message.
After the active coding of authentication module 806 also after signature blocks 803 enabling decryption of encrypted active coding obtains deciphering, utilize the activation identifying code generating algorithm of electronic signature token 80 to generate and activate identifying code, active coding after comparison deciphering and activation identifying code, the active coding after checking deciphering; Or when ciphering activation code is sent to electronic signature token 80 by background system server 70 together with active coding, signature blocks 803 is decrypted according to the private key pair encryption active coding of electronic signature token 80, obtain the active coding after deciphering, the active coding that active coding after authentication module 806 comparison deciphering and background system server 70 are sent, the active coding after checking deciphering.
What input module 801 also received start-up command and received outside input enters dynamic password mode instruction.
Input module 801 also obtains synchronization request instruction; Dynamic password generation module 802 also obtains synchronization request code according to synchronization request instruction, at least generates synchronization request information according to synchronization request code; Signature blocks 803 also utilizes the private key of electronic signature token 80 to sign to synchronization request information, generates the 3rd signed data, after generation the 3rd signed data, generates the 3rd request data package according to the 3rd signed data and synchronization request information; After receiving synchronous feedback packet, utilize the private key of electronic signature token 80 to be decrypted synchronous feedback packet, obtain synchro feedback information; Generate the 3rd response data packet; 3rd request data package, also after signature blocks 803 generates the 3rd request data package, is sent to background system server 70 by transport module 804; Receive synchronous feedback packet; After signature blocks 803 generates the 3rd response data packet, the 3rd response data packet is sent to background system server 70; Memory module 805 also preserves synchro feedback information.
Signature blocks 803 generates the 3rd response message, the private key of electronic signature token 80 is utilized to sign to the 3rd response message, obtain the 3rd response signed data, after generation the 3rd responds signed data, generate the 3rd response data packet according to the 3rd response signed data and the 3rd response message.
In addition, electronic signature token 80 can also comprise update module 807, and update module 807 upgrades the event factor be kept in memory module 805.
Concrete, the first request data package that the transport module 804 that background system server 70 receives electronic signature token 80 sends, the first signed data and validation request information is obtained from the first request data package received, the PKI corresponding with the private key of electronic signature token 80 is utilized to verify the first signed data, after checking first signed data passes through, at least from validation request information, obtain validation request code, at least to come into force feedback information according to validation request code, the PKI corresponding with the private key of electronic signature token 80 is utilized to be encrypted the feedback information that comes into force, acquisition comes into force feedback data packet, and the feedback data packet that will come into force is sent to electronic signature token 80, the first response data packet that the transport module 804 receiving electronic signature token 80 sends, respond the operation that comes into force, the second request data package that the transport module 804 receiving electronic signature token 80 sends, activation request code and the second signed data is obtained from the second request data package, and utilize the PKI corresponding with electronic signature token 80 private key to verify the second signed data, after checking second signed data passes through, active coding is generated according to activation request code, the PKI corresponding with electronic signature token 80 private key is utilized to be encrypted active coding, obtain ciphering activation code, and ciphering activation code is sent to electronic signature token 80, the second response data packet that the transport module 804 receiving electronic signature token 80 sends, response activation manipulation.
Background system server 70 is after checking first signed data passes through, from validation request information, obtain classification setting table and classification at least one table and validation request code in table are set, at least at least one table in table and validation request code are set according to classification setting table and classification and come into force feedback information.
Background system server 70 receives the dynamic password value of outside input, checking dynamic password value, and after being verified, upgrades the event factor be kept in background system server 70.
After background system server 70 receives the first response data packet, the first response signed data and the first response message is obtained according to the first response data packet, utilize the PKI corresponding with the private key of electronic signature token 80 to respond signed data to first to verify, and after being verified, respond according to the first response message the operation that comes into force.
After background system server 70 receives the second response data packet, the second response signed data and the second response message is obtained according to the second response data packet, utilize the PKI corresponding with the private key of electronic signature token 80 to respond signed data to second to verify, and after being verified, according to the second response message response activation manipulation.
The 3rd request data package that the transport module 804 that background system server 70 receives electronic signature token 80 sends, the 3rd signed data and synchronization request information is obtained from the 3rd request data package received, the PKI corresponding with the private key of electronic signature token 80 is utilized to verify the 3rd signed data, after checking the 3rd signed data passes through, at least from synchronization request information, obtain synchronization request code, at least generate synchro feedback information according to synchronization request code, the PKI corresponding with the private key of electronic signature token 80 is utilized to be encrypted synchro feedback information, obtain synchronous feedback packet, and by synchronous feedback Packet Generation to electronic signature token 80, the 3rd response data packet that the transport module 804 receiving electronic signature token 80 sends, response simultaneous operation.
The 3rd response data packet that the transport module 804 that background system server 70 receives electronic signature token 80 sends, the 3rd response signed data and the 3rd response message is obtained according to the 3rd response data packet, background system server 70 utilizes the PKI corresponding with the private key of electronic signature token 80 to respond signed data to the 3rd and verifies, and after being verified, according to the 3rd response message response simultaneous operation.
As can be seen here, have employed system and the electronic signature token of electronic signature token operation response of the present invention request, ensure that electronic signature token is under offline condition, still can realize banking by dynamic password CMOS macro cell dynamic password; The business realized is classified and classification simultaneously, improve the fail safe of business realizing.
Describe and can be understood in flow chart or in this any process otherwise described or method, represent and comprise one or more for realizing the module of the code of the executable instruction of the step of specific logical function or process, fragment or part, and the scope of the preferred embodiment of the present invention comprises other realization, wherein can not according to order that is shown or that discuss, comprise according to involved function by the mode while of basic or by contrary order, carry out n-back test, this should understand by embodiments of the invention person of ordinary skill in the field.
Should be appreciated that each several part of the present invention can realize with hardware, software, firmware or their combination.In the above-described embodiment, multiple step or method can with to store in memory and the software performed by suitable instruction execution system or firmware realize.Such as, if realized with hardware, the same in another embodiment, can realize by any one in following technology well known in the art or their combination: the discrete logic with the logic gates for realizing logic function to data-signal, there is the application-specific integrated circuit (ASIC) of suitable combinational logic gate circuit, programmable gate array (PGA), field programmable gate array (FPGA) etc.
Those skilled in the art are appreciated that realizing all or part of step that above-described embodiment method carries is that the hardware that can carry out instruction relevant by program completes, described program can be stored in a kind of computer-readable recording medium, this program perform time, step comprising embodiment of the method one or a combination set of.
In addition, each functional unit in each embodiment of the present invention can be integrated in a processing module, also can be that the independent physics of unit exists, also can be integrated in a module by two or more unit.Above-mentioned integrated module both can adopt the form of hardware to realize, and the form of software function module also can be adopted to realize.If described integrated module using the form of software function module realize and as independently production marketing or use time, also can be stored in a computer read/write memory medium.
The above-mentioned storage medium mentioned can be read-only memory, disk or CD etc.
In the description of this specification, specific features, structure, material or feature that the description of reference term " embodiment ", " some embodiments ", " example ", " concrete example " or " some examples " etc. means to describe in conjunction with this embodiment or example are contained at least one embodiment of the present invention or example.In this manual, identical embodiment or example are not necessarily referred to the schematic representation of above-mentioned term.And the specific features of description, structure, material or feature can combine in an appropriate manner in any one or more embodiment or example.
Although illustrate and describe embodiments of the invention above, be understandable that, above-described embodiment is exemplary, can not be interpreted as limitation of the present invention, those of ordinary skill in the art can change above-described embodiment within the scope of the invention when not departing from principle of the present invention and aim, revising, replacing and modification.Scope of the present invention is by claims and equivalency thereof.
Claims (41)
1. a method for electronic signature token operation response request, is characterized in that, comprises the steps:
Steps A, electronic signature token perform the flow process that comes into force, and comprise the steps:
Described electronic signature token receives open command, performs open operation according to described open command;
Described electronic signature token obtains validation request instruction, and obtains validation request code according to described validation request instruction;
Described electronic signature token at least generates validation request information according to described validation request code;
Described electronic signature token utilizes the private key of described electronic signature token to sign to described validation request information, generates the first signed data;
Described electronic signature token, after described first signed data of generation, generates the first request data package according to described first signed data and described validation request information;
Described first request data package, after generation first request data package, is sent to background system server by described electronic signature token;
Described background system server, after receiving described first request data package, obtains described first signed data and described validation request information from described first request data package received;
Described background system server utilizes the PKI corresponding with the private key of described electronic signature token to verify described first signed data;
Described background system server after described first signed data passes through in checking, at least obtains described validation request code from described validation request information, at least to come into force feedback information according to described validation request code;
Described background system server utilizes the PKI corresponding with the private key of described electronic signature token to be encrypted the described feedback information that comes into force, and obtains the feedback data packet that comes into force, and the described feedback data packet that comes into force is sent to described electronic signature token;
Come into force described in described electronic signature token receives feedback data packet, and utilize the private key of described electronic signature token to be decrypted the described feedback data packet that comes into force, obtain the feedback information that comes into force, come into force described in preservation feedback information;
Described electronic signature token generates the first response data packet, and described first response data packet is sent to described background system server;
After described background system server receives described first response data packet, respond the operation that comes into force;
Step B, electronic signature token perform activation process, comprise the steps:
Described electronic signature token receives activation request instruction, and obtains activation request code according to described activation request instruction;
Described electronic signature token utilizes the private key of described electronic signature token to sign to described activation request code, generates the second signed data, and generates the second request data package according to described activation request code and described second signed data;
Described second request data package, after described second request data package of generation, is sent to background system server by described electronic signature token;
After described background system server receives described second request data package, from the second request data package, obtain described activation request code and described second signed data, and utilize the PKI corresponding with described electronic signature token private key to verify described second signed data;
Described background system server, after described second signed data of checking passes through, generates active coding according to described activation request code;
After described background system server generates described active coding, utilize the PKI corresponding with described electronic signature token private key to be encrypted described active coding, obtain ciphering activation code, and ciphering activation code is sent to described electronic signature token;
After described electronic signature token receives described ciphering activation code, the private key of described electronic signature token is utilized to obtain the active coding after deciphering to described ciphering activation code deciphering;
Described electronic signature token is verified the active coding after described deciphering;
Described electronic signature token generates the second response data packet after being verified the active coding after described deciphering, and described second response data packet is sent to described background system server;
After described background system server receives described second response data packet, response activation manipulation;
Step C, electronic signature token perform first Application flow process, comprise the steps:
Described electronic signature token, according to the operation requests received, determines the action type corresponding to described operation requests and/or operation rank;
Described electronic signature token determines to respond according to described action type and/or operation rank the strategy that described operation requests uses;
Described electronic signature token is operation requests according to the policy response obtained.
2. method according to claim 1, is characterized in that, the step that described electronic signature token at least generates validation request information according to described validation request code comprises:
The classification setting table of the corresponding described action type of described electronic signature token acquisition and other classification of the described operation level of correspondence arrange at least one table in table;
Described electronic signature token shows according at least one setting in table of the classification setting table got and classification and described validation request code generates validation request information;
Described background system server after described first signed data passes through in checking, at least obtains described validation request code from described validation request information, at least comprises according to the come into force step of feedback information of described validation request code:
Described background system server is after in checking, described first signed data passes through, and obtains classification setting table and classification and arrange at least one table and described validation request code in table from described validation request information;
Described background system server is at least shown according at least one setting in table of classification setting table and classification and the feedback information that comes into force described in the generation of described validation request code.
3. method according to claim 2, is characterized in that, described in the feedback information that comes into force comprise:
Described classification setting table and described classification arrange the mapping relations of at least one table and each table correspondence in table; Wherein:
The mapping relations of described classification setting table are the mapping relations of action type in described classification setting table and key seed, and key seed corresponding to any two action types is different between two;
The mapping relations that described classification arranges table are the mapping relations that described classification arranges operation rank in table and event factor, and event factor corresponding to any two operation ranks are different between two.
4. method according to claim 3, it is characterized in that, described electronic signature token determines to respond according to described action type and/or operation rank the strategy that described operation requests uses, and the step of described electronic signature token operation requests according to the policy response obtained comprises:
Described electronic signature token, according to described action type, is determined and the key seed that described action type is mated, and at least generates dynamic password value according to described key seed and default event factor; Or
Described electronic signature token, according to described operation rank, is determined and the event factor that described operation rank is mated, and at least generates dynamic password value according to the key seed preset and described event factor; Or
Described electronic signature token is according to described action type, determine and the key seed that described action type is mated, according to described operation rank, determine and the event factor that described operation rank is mated, at least generate dynamic password value according to described key seed and described event factor.
5. method according to claim 4, is characterized in that, the described step at least generating dynamic password value according to described key seed and the event factor preset comprises: described electronic signature token obtains challenge code; Described electronic signature token generates dynamic password value according to the described challenge code got and described key seed with the event factor preset;
The step that the key seed that described at least basis is preset and described event factor generate dynamic password value comprises: described electronic signature token obtains challenge code; Described electronic signature token generates dynamic password value according to the described challenge code got and default key seed and described event factor;
The described step at least generating dynamic password value according to described key seed and described event factor comprises: described electronic signature token obtains challenge code; Described electronic signature token generates dynamic password value according to the described challenge code got and described key seed and described event factor.
6. the method according to claim 4 or 5, is characterized in that, after described electronic signature token operation requests according to the policy response obtained, described method also comprises:
Described electronic signature token upgrades the event factor be kept in described electronic signature token;
Described background system server verifies described dynamic password value after receiving the described dynamic password value of input, and after being verified, upgrades the event factor be kept in described background system server.
7. method according to claim 1, is characterized in that,
Described electronic signature token generates the first response data packet, and the step that described first response data packet is sent to described background system server is comprised:
Described electronic signature token generates the first response message, utilizes the private key of described electronic signature token to sign to the first response message, obtains the first response signed data;
Described electronic signature token, after the described first response signed data of generation, generates the first response data packet according to described first response signed data and described first response message;
Described first response data packet, after generation first response data packet, is sent to background system server by described electronic signature token;
After described background system server receives described first response data packet, the step responding the operation that comes into force comprises:
After described background system server receives the first response data packet, obtain described first response signed data and described first response message according to the first response data packet;
Described background system server utilizes the PKI corresponding with the private key of described electronic signature token to respond signed data to described first and verifies, and after being verified, responds according to described first response message the operation that comes into force.
8. the method according to claim 1 or 7, is characterized in that,
Described electronic signature token generates the second response data packet after being verified the active coding after described deciphering, and the step that described second response data packet is sent to described background system server is comprised:
After described electronic signature token is verified the active coding after described deciphering, described electronic signature token generates the second response message, utilizes the private key of described electronic signature token to sign to the second response message, obtains the second response signed data;
Described electronic signature token, after the described second response signed data of generation, generates the second response data packet according to described second response signed data and described second response message;
Described second response data packet, after generation second response data packet, is sent to background system server by described electronic signature token;
After described background system server receives described second response data packet, the step of response activation manipulation comprises:
After described background system server receives the second response data packet, obtain described second response signed data and described second response message according to the second response data packet;
Described background system server utilizes the PKI corresponding with the private key of described electronic signature token to respond signed data to described second and verifies, and after being verified, according to described second response message response activation manipulation.
9. method according to claim 1, is characterized in that, described electronic signature token comprises the step that the active coding after described deciphering is verified:
After the active coding of described electronic signature token after receiving described deciphering, utilize the activation identifying code generating algorithm of described electronic signature token to generate and activate identifying code;
Active coding after deciphering described in described electronic signature token comparison and described activation identifying code, verify the active coding after described deciphering; Or
When described ciphering activation code is sent to described electronic signature token by described background system server together with described active coding, described electronic signature token is decrypted described ciphering activation code according to the private key of electronic signature token, obtain the active coding after deciphering, the described active coding that active coding after deciphering described in comparison and described background system server are sent, verifies the active coding after described deciphering.
10. the method according to claim 1 to 5,7 or 9 any one, it is characterized in that, described electronic signature token again performs application flow and comprises the steps:
Described electronic signature token receives open command, performs open operation according to described open command;
Described electronic signature token, after open operation, performs the flow process of described step C.
11. methods according to claim 1 to 5,7 or 9 any one, is characterized in that, described electronic signature token receives open command, and the step performing open operation according to described open command comprises:
Described electronic signature token receives start-up command, performs power-on operation according to described start-up command;
After powering, what receive outside input enters dynamic password mode instruction to described electronic signature token, enters dynamic password mode instruction, enter dynamic password pattern according to described.
12. methods according to claim 1 to 5,7 or 9 any one, it is characterized in that, described method also comprises:
Step D, electronic signature token perform synchronous flow process, comprise the steps:
Described electronic signature token obtains synchronization request instruction, and obtains synchronization request code according to described synchronization request instruction;
Described electronic signature token at least generates synchronization request information according to described synchronization request code;
Described electronic signature token utilizes the private key of described electronic signature token to sign to described synchronization request information, generates the 3rd signed data;
Described electronic signature token, after described 3rd signed data of generation, generates the 3rd request data package according to described 3rd signed data and described synchronization request information;
Described 3rd request data package, after generation the 3rd request data package, is sent to background system server by described electronic signature token;
Described background system server, after receiving described 3rd request data package, obtains described 3rd signed data and described synchronization request information from described 3rd request data package received;
Described background system server utilizes the PKI corresponding with the private key of described electronic signature token to verify described 3rd signed data;
Described background system server, after described 3rd signed data of checking passes through, at least obtains described synchronization request code from described synchronization request information, at least generates synchro feedback information according to described synchronization request code;
Described background system server utilizes the PKI corresponding with the private key of described electronic signature token to be encrypted described synchro feedback information, obtains synchronous feedback packet, and by described synchronous feedback Packet Generation to described electronic signature token;
Described electronic signature token receives described synchronous feedback packet, utilizes the private key of described electronic signature token to be decrypted described synchronous feedback packet, obtains synchro feedback information, preserves described synchro feedback information;
Described electronic signature token generates the 3rd response data packet, and described 3rd response data packet is sent to described background system server;
After described background system server receives described 3rd response data packet, response simultaneous operation.
13. methods according to claim 12, is characterized in that,
Described electronic signature token generates the 3rd response data packet, and the step that described 3rd response data packet is sent to described background system server is comprised:
Described electronic signature token generates the 3rd response message, utilizes the private key of described electronic signature token to sign to the 3rd response message, obtains the 3rd response signed data;
Described electronic signature token, after the described 3rd response signed data of generation, generates the 3rd response data packet according to described 3rd response signed data and described 3rd response message;
Described 3rd response data packet, after generation the 3rd response data packet, is sent to background system server by described electronic signature token;
After described background system server receives described 3rd response data packet, the step of response simultaneous operation comprises:
After described background system server receives the 3rd response data packet, obtain described 3rd response signed data and described 3rd response message according to the 3rd response data packet;
Described background system server utilizes the PKI corresponding with the private key of described electronic signature token to respond signed data to the described 3rd and verifies, and after being verified, according to described 3rd response message response simultaneous operation.
14. 1 kinds of electronic signature token, is characterized in that, comprising: input module, dynamic password generation module, signature blocks, transport module, memory module and authentication module; Wherein:
Described input module receives open command, obtains validation request instruction, receives activation request instruction, receives operation requests;
Described dynamic password generation module performs open operation according to described open command, obtains validation request code according to described validation request instruction, at least generates validation request information according to described validation request code; Activation request code is obtained according to described activation request instruction; According to the operation requests received, determine the action type corresponding to described operation requests and/or operation rank, determine to respond according to described action type and/or operation rank the strategy that described operation requests uses, operation requests according to the policy response obtained;
Described signature blocks utilizes the private key of described electronic signature token to sign to described validation request information, generate the first signed data, after described first signed data of generation, generate the first request data package according to described first signed data and described validation request information; Utilize the private key of described electronic signature token to be decrypted the feedback data packet that comes into force, obtain the feedback information that comes into force; Generate the first response data packet; Utilize the private key of described electronic signature token to sign to described activation request code, generate the second signed data, and generate the second request data package according to described activation request code and described second signed data; After receiving ciphering activation code, utilize the private key of described electronic signature token to obtain the active coding after deciphering to described ciphering activation code deciphering, after described authentication module is verified the active coding after described deciphering, generate the second response data packet;
Described first request data package that described dynamic password generation module generates, after signature blocks generates the first request data package, is sent to background system server by described transport module; And receive the feedback data packet that comes into force of background system server transmission; Described first response data packet described signature blocks generated is sent to described background system server; After signature blocks generates described second request data package, described second request data package is sent to background system server; Receive the ciphering activation code that described background system server sends; Described second response data packet described signature blocks generated is sent to described background system server;
Come into force described in described memory module preservation feedback information;
Described authentication module is deciphered to signature blocks the decoded active coding obtained and is verified.
15. electronic signature token according to claim 14, it is characterized in that, the classification setting table of the corresponding described action type of described dynamic password generation module acquisition and other classification of the described operation level of correspondence arrange at least one table in table, show and described validation request code generation validation request information according at least one setting in table of the classification setting table got and classification.
16. electronic signature token according to claim 14, it is characterized in that, described dynamic password generation module, according to described action type, is determined and the key seed that described action type is mated, and at least generates dynamic password value according to described key seed and default event factor; Or
According to described operation rank, determine and the event factor that described operation rank is mated, at least generate dynamic password value according to the key seed preset and described event factor; Or
According to described action type, determine and the key seed that described action type is mated, according to described operation rank, determine and the event factor that described operation rank is mated, at least generate dynamic password value according to described key seed and described event factor.
17. electronic signature token according to claim 16, is characterized in that,
Described input module also obtains challenge code;
The described challenge code that described dynamic password generation module gets according to described input module and described key seed and the event factor preset generate dynamic password value; Or the described challenge code to get according to described input module and default key seed and described event factor generate dynamic password value; Or the described challenge code to get according to described input module and described key seed and described event factor generate dynamic password value.
18. electronic signature token according to claim 16 or 17, it is characterized in that, described electronic signature token also comprises: update module, and described update module upgrades the event factor be kept in described memory module.
19. electronic signature token according to claim 14, it is characterized in that, described signature blocks generates the first response message, the private key of described electronic signature token is utilized to sign to the first response message, obtain the first response signed data, after the described first response signed data of generation, generate the first response data packet according to described first response signed data and described first response message.
20. electronic signature token according to claim 14 or 19, it is characterized in that, after described signature blocks is verified the active coding after described deciphering, generate the second response message, the private key of described electronic signature token is utilized to sign to the second response message, obtain the second response signed data, after the described second response signed data of generation, generate the second response data packet according to described second response signed data and described second response message.
21. electronic signature token according to claim 14, it is characterized in that, after the active coding of described authentication module also after described signature blocks deciphers described ciphering activation code acquisition deciphering, utilize the activation identifying code generating algorithm of described electronic signature token to generate and activate identifying code, active coding after deciphering described in comparison and described activation identifying code, verify the active coding after described deciphering; Or
When described ciphering activation code is sent to described electronic signature token by described background system server together with described active coding, described signature blocks is decrypted described ciphering activation code according to the private key of electronic signature token, obtain the active coding after deciphering, the described active coding that active coding after deciphering described in described authentication module comparison and described background system server are sent, verifies the active coding after described deciphering.
22., according to claim 14 to the electronic signature token described in 17,19 or 21 any one, is characterized in that, what described input module also received start-up command and received outside input enters dynamic password mode instruction.
23. according to claim 14 to the electronic signature token described in 17,19 or 21 any one, and it is characterized in that, described input module also obtains synchronization request instruction;
Described dynamic password generation module also obtains synchronization request code according to described synchronization request instruction, at least generates synchronization request information according to described synchronization request code;
Described signature blocks also utilizes the private key of described electronic signature token to sign to described synchronization request information, generate the 3rd signed data, after described 3rd signed data of generation, generate the 3rd request data package according to described 3rd signed data and described synchronization request information; After receiving synchronous feedback packet, utilize the private key of described electronic signature token to be decrypted described synchronous feedback packet, obtain synchro feedback information; Generate the 3rd response data packet;
Described 3rd request data package also, after described signature blocks generates the 3rd request data package, is sent to background system server by described transport module; Receive described synchronous feedback packet; After described signature blocks generates described 3rd response data packet, described 3rd response data packet is sent to described background system server;
Described memory module also preserves described synchro feedback information.
24. electronic signature token according to claim 23, it is characterized in that, described signature blocks generates the 3rd response message, the private key of described electronic signature token is utilized to sign to the 3rd response message, obtain the 3rd response signed data, after the described 3rd response signed data of generation, generate the 3rd response data packet according to described 3rd response signed data and described 3rd response message.
The system of 25. 1 kinds of electronic signature token operation responses request, is characterized in that, comprising: background system server and the electronic signature token as described in any one of claim 14 to 22;
Described background system server receives the first request data package that described electronic signature token sends, described first signed data and described validation request information is obtained from described first request data package received, the PKI corresponding with the private key of described electronic signature token is utilized to verify described first signed data, after described first signed data of checking passes through, at least from described validation request information, obtain described validation request code, at least to come into force feedback information according to described validation request code, the PKI corresponding with the private key of described electronic signature token is utilized to be encrypted the described feedback information that comes into force, acquisition comes into force feedback data packet, and the described feedback data packet that comes into force is sent to described electronic signature token, receive the first response data packet that electronic signature token sends, respond the operation that comes into force, receive the second request data package that electronic signature token sends, described activation request code and described second signed data is obtained from the second request data package, and utilize the PKI corresponding with described electronic signature token private key to verify described second signed data, after described second signed data of checking passes through, active coding is generated according to described activation request code, the PKI corresponding with described electronic signature token private key is utilized to be encrypted described active coding, obtain ciphering activation code, and ciphering activation code is sent to described electronic signature token, receive the second response data packet that electronic signature token sends, response activation manipulation.
26. systems according to claim 25, it is characterized in that, described background system server is after described first signed data of checking passes through, from described validation request information, obtain classification setting table and classification at least one table and described validation request code in table be set, at least according to classification setting table and classification arrange at least one table in table and described validation request code generate described in come into force feedback information.
27. systems according to claim 26, is characterized in that, described background system server receives the dynamic password value of outside input, verifies described dynamic password value, and after being verified, upgrade the event factor be kept in described background system server.
28. systems according to claim 25, it is characterized in that, after described background system server receives the first response data packet, described first response signed data and described first response message is obtained according to the first response data packet, utilize the PKI corresponding with the private key of described electronic signature token to respond signed data to described first to verify, and after being verified, respond according to described first response message the operation that comes into force.
29. systems according to claim 25 or 28, it is characterized in that, after described background system server receives the second response data packet, described second response signed data and described second response message is obtained according to the second response data packet, utilize the PKI corresponding with the private key of described electronic signature token to respond signed data to described second to verify, and after being verified, according to described second response message response activation manipulation.
The system of 30. 1 kinds of electronic signature token operation responses request, is characterized in that, comprising: background system server and electronic signature token as claimed in claim 23;
Described background system server receives the first request data package that described electronic signature token sends, described first signed data and described validation request information is obtained from described first request data package received, the PKI corresponding with the private key of described electronic signature token is utilized to verify described first signed data, after described first signed data of checking passes through, at least from described validation request information, obtain described validation request code, at least to come into force feedback information according to described validation request code, the PKI corresponding with the private key of described electronic signature token is utilized to be encrypted the described feedback information that comes into force, acquisition comes into force feedback data packet, and the described feedback data packet that comes into force is sent to described electronic signature token, receive the first response data packet that electronic signature token sends, respond the operation that comes into force, receive the second request data package that electronic signature token sends, described activation request code and described second signed data is obtained from the second request data package, and utilize the PKI corresponding with described electronic signature token private key to verify described second signed data, after described second signed data of checking passes through, active coding is generated according to described activation request code, the PKI corresponding with described electronic signature token private key is utilized to be encrypted described active coding, obtain ciphering activation code, and ciphering activation code is sent to described electronic signature token, receive the second response data packet that electronic signature token sends, response activation manipulation.
31. systems according to claim 30, it is characterized in that, described background system server is after described first signed data of checking passes through, from described validation request information, obtain classification setting table and classification at least one table and described validation request code in table be set, at least according to classification setting table and classification arrange at least one table in table and described validation request code generate described in come into force feedback information.
32. systems according to claim 31, is characterized in that, described background system server receives the dynamic password value of outside input, verifies described dynamic password value, and after being verified, upgrade the event factor be kept in described background system server.
33. systems according to claim 30, it is characterized in that, after described background system server receives the first response data packet, described first response signed data and described first response message is obtained according to the first response data packet, utilize the PKI corresponding with the private key of described electronic signature token to respond signed data to described first to verify, and after being verified, respond according to described first response message the operation that comes into force.
34. systems according to claim 30 or 33, it is characterized in that, after described background system server receives the second response data packet, described second response signed data and described second response message is obtained according to the second response data packet, utilize the PKI corresponding with the private key of described electronic signature token to respond signed data to described second to verify, and after being verified, according to described second response message response activation manipulation.
35. systems according to any one of claim 30 to 33, it is characterized in that, described background system server receives the 3rd request data package that electronic signature token sends, described 3rd signed data and described synchronization request information is obtained from described 3rd request data package received, the PKI corresponding with the private key of described electronic signature token is utilized to verify described 3rd signed data, after described 3rd signed data of checking passes through, at least from described synchronization request information, obtain described synchronization request code, at least generate synchro feedback information according to described synchronization request code, the PKI corresponding with the private key of described electronic signature token is utilized to be encrypted described synchro feedback information, obtain synchronous feedback packet, and by described synchronous feedback Packet Generation to described electronic signature token, receive the 3rd response data packet that electronic signature token sends, response simultaneous operation.
36. systems according to claim 35, it is characterized in that, described background system server receives the 3rd response data packet that electronic signature token sends, described 3rd response signed data and described 3rd response message is obtained according to the 3rd response data packet, described background system server utilizes the PKI corresponding with the private key of described electronic signature token to respond signed data to the described 3rd and verifies, and after being verified, according to described 3rd response message response simultaneous operation.
The system of 37. 1 kinds of electronic signature token operation responses request, is characterized in that, comprising: background system server and electronic signature token as claimed in claim 24;
Described background system server receives the first request data package that described electronic signature token sends, described first signed data and described validation request information is obtained from described first request data package received, the PKI corresponding with the private key of described electronic signature token is utilized to verify described first signed data, after described first signed data of checking passes through, at least from described validation request information, obtain described validation request code, at least to come into force feedback information according to described validation request code, the PKI corresponding with the private key of described electronic signature token is utilized to be encrypted the described feedback information that comes into force, acquisition comes into force feedback data packet, and the described feedback data packet that comes into force is sent to described electronic signature token, receive the first response data packet that electronic signature token sends, respond the operation that comes into force, receive the second request data package that electronic signature token sends, described activation request code and described second signed data is obtained from the second request data package, and utilize the PKI corresponding with described electronic signature token private key to verify described second signed data, after described second signed data of checking passes through, active coding is generated according to described activation request code, the PKI corresponding with described electronic signature token private key is utilized to be encrypted described active coding, obtain ciphering activation code, and ciphering activation code is sent to described electronic signature token, receive the second response data packet that electronic signature token sends, response activation manipulation.
38. according to system according to claim 37, it is characterized in that, described background system server is after described first signed data of checking passes through, from described validation request information, obtain classification setting table and classification at least one table and described validation request code in table be set, at least according to classification setting table and classification arrange at least one table in table and described validation request code generate described in come into force feedback information.
39., according to system according to claim 38, is characterized in that, described background system server receives the dynamic password value of outside input, verifies described dynamic password value, and after being verified, upgrade the event factor be kept in described background system server.
40. according to system according to claim 37, it is characterized in that, after described background system server receives the first response data packet, described first response signed data and described first response message is obtained according to the first response data packet, utilize the PKI corresponding with the private key of described electronic signature token to respond signed data to described first to verify, and after being verified, respond according to described first response message the operation that comes into force.
41. systems according to claim 37 or 40, it is characterized in that, after described background system server receives the second response data packet, described second response signed data and described second response message is obtained according to the second response data packet, utilize the PKI corresponding with the private key of described electronic signature token to respond signed data to described second to verify, and after being verified, according to described second response message response activation manipulation.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310114431.6A CN103220148B (en) | 2013-04-03 | 2013-04-03 | The method of electronic signature token operation response request, system and electronic signature token |
| PCT/CN2014/073986 WO2014161436A1 (en) | 2013-04-03 | 2014-03-24 | Electronic signature token, and method and system for electronic signature token to respond to operation request |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310114431.6A CN103220148B (en) | 2013-04-03 | 2013-04-03 | The method of electronic signature token operation response request, system and electronic signature token |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103220148A CN103220148A (en) | 2013-07-24 |
| CN103220148B true CN103220148B (en) | 2015-12-09 |
Family
ID=48817637
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310114431.6A Active CN103220148B (en) | 2013-04-03 | 2013-04-03 | The method of electronic signature token operation response request, system and electronic signature token |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN103220148B (en) |
| WO (1) | WO2014161436A1 (en) |
Families Citing this family (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103220280A (en) * | 2013-04-03 | 2013-07-24 | 天地融科技股份有限公司 | Dynamic password token and data transmission method and system for dynamic password token |
| CN103220148B (en) * | 2013-04-03 | 2015-12-09 | 天地融科技股份有限公司 | The method of electronic signature token operation response request, system and electronic signature token |
| CN103840943A (en) * | 2014-03-11 | 2014-06-04 | 上海动联信息技术股份有限公司 | Method for achieving multi-service authentication based on challenge-response dynamic passwords |
| CN104519066B (en) * | 2014-12-23 | 2017-11-28 | 飞天诚信科技股份有限公司 | A kind of method for activating mobile terminal token |
| CN105282738A (en) * | 2015-11-24 | 2016-01-27 | 苏州铭冠软件科技有限公司 | Security authentication method for mobile terminal |
| CN106452742B (en) * | 2016-09-23 | 2019-01-25 | 北京海泰方圆科技股份有限公司 | A kind of dynamic code generates and acquisition methods, terminal and system |
| CN110032864B (en) * | 2019-03-08 | 2023-10-17 | 平安科技(深圳)有限公司 | Dynamic code generation method, device, computer equipment and storage medium |
| CN110138746A (en) * | 2019-04-23 | 2019-08-16 | 金卡智能集团股份有限公司 | A method of protection gas meter, flow meter end subscriber privacy and information security |
| CN111126533B (en) * | 2020-01-08 | 2023-06-23 | 牛津(海南)区块链研究院有限公司 | Identity authentication method and device based on dynamic password and dynamic token |
| EP3897019A1 (en) * | 2020-04-17 | 2021-10-20 | Secure Thingz Limited | A provisioning control apparatus, system and method |
| CN113589722B (en) * | 2021-07-21 | 2022-10-28 | 上汽通用五菱汽车股份有限公司 | Vehicle control encryption method, system, device and computer readable storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1731723A (en) * | 2005-08-19 | 2006-02-08 | 上海林果科技有限公司 | Electron/handset token dynamic password identification system |
| CN201181942Y (en) * | 2008-01-24 | 2009-01-14 | 陕西海基业高科技实业有限公司 | Digital signature authentication system used for remote service |
| CN102477820A (en) * | 2011-09-07 | 2012-05-30 | 贾松仁 | Dynamic password-based electronic lock system and authentication method thereof |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP4546105B2 (en) * | 2004-02-03 | 2010-09-15 | 株式会社日立製作所 | Message exchange method and message conversion system |
| EP2355402A1 (en) * | 2010-01-29 | 2011-08-10 | British Telecommunications public limited company | Access control |
| CN102006171B (en) * | 2010-11-24 | 2012-11-07 | 天地融科技股份有限公司 | Method for updating internal clock of dynamic password token, token, authentication equipment and system |
| CN103220280A (en) * | 2013-04-03 | 2013-07-24 | 天地融科技股份有限公司 | Dynamic password token and data transmission method and system for dynamic password token |
| CN103220145B (en) * | 2013-04-03 | 2015-06-17 | 天地融科技股份有限公司 | Method and system for electronic signature token to respond to operation request, and electronic signature token |
| CN103220148B (en) * | 2013-04-03 | 2015-12-09 | 天地融科技股份有限公司 | The method of electronic signature token operation response request, system and electronic signature token |
-
2013
- 2013-04-03 CN CN201310114431.6A patent/CN103220148B/en active Active
-
2014
- 2014-03-24 WO PCT/CN2014/073986 patent/WO2014161436A1/en active Application Filing
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1731723A (en) * | 2005-08-19 | 2006-02-08 | 上海林果科技有限公司 | Electron/handset token dynamic password identification system |
| CN201181942Y (en) * | 2008-01-24 | 2009-01-14 | 陕西海基业高科技实业有限公司 | Digital signature authentication system used for remote service |
| CN102477820A (en) * | 2011-09-07 | 2012-05-30 | 贾松仁 | Dynamic password-based electronic lock system and authentication method thereof |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103220148A (en) | 2013-07-24 |
| WO2014161436A1 (en) | 2014-10-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103220148B (en) | The method of electronic signature token operation response request, system and electronic signature token | |
| CN103136664B (en) | There is smart card transaction system and the method for electronic signature functionality | |
| US10193700B2 (en) | Trust-zone-based end-to-end security | |
| CN103220145B (en) | Method and system for electronic signature token to respond to operation request, and electronic signature token | |
| US8406735B2 (en) | Method for pairing electronic equipment in a wireless network system | |
| CN107358441B (en) | Payment verification method and system, mobile device and security authentication device | |
| US20190007215A1 (en) | In-vehicle information communication system and authentication method | |
| US20160036808A1 (en) | Otp token, data transmission system and data transmission method for otp token | |
| CN203242029U (en) | An intelligent card containing an electronic signature function and an intelligent card transaction system | |
| CN104243451A (en) | Information interaction method and system and smart key equipment | |
| US11159329B2 (en) | Collaborative operating system | |
| CN104917807A (en) | Resource transfer method, apparatus and system | |
| CN106162537B (en) | A kind of method, wireless telecom equipment and the terminal of safety certification connection | |
| JP6476167B2 (en) | Self-authentication device and self-authentication method | |
| KR102013983B1 (en) | Method and server for authenticating an application integrity | |
| JP2018530036A (en) | Data processing method and system, and wearable electronic device | |
| CN103281183A (en) | Conversion device and display system | |
| CN104243162A (en) | Information interaction method and system and smart key equipment | |
| CA2921718A1 (en) | Facilitating secure transactions using a contactless interface | |
| CN112084521A (en) | Unstructured data processing method, device and system for block chain | |
| CN103198401B (en) | There is smart card method of commerce and the system of electronic signature functionality | |
| CN104835038A (en) | Networking payment device and networking payment method | |
| CN103813333A (en) | Data processing method based on negotiation keys | |
| CN110493265A (en) | The method and storage medium of encryption data | |
| CN114139176A (en) | Industrial internet core data protection method and system based on state secret |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |