A kind of Verification System and method based on the graphical information exchange
Technical field
The present invention relates to Web bank, online payment, network ID authentication, electronic signature field, specifically is a kind of Verification System and method based on the graphical information exchange.
Background technology
In bank, third party's payment and the authentication of diverse network application identity on the net, mainly use two kinds of authentication methods at present.A kind of electronic signature that is based on the PKI asymmetric key algorithm, a kind of dynamic password that is based on symmetric key algorithm.Wherein, based on the electronic signature technology of asymmetric key algorithm, owing to have the characteristic of anti-repudiation, thus its security reliability as authentication is higher.The use of combined with hardware carrier and configuration independently show and the input validation device after, be referred to as senior USB Key, its security reliability is unquestionable.But the use of USB Key require to carry out real-time authentication under online environment, so its range of application is very restricted.Its application at present only is confined under the computer network environment, and the network of the communication network of mobile phone, ATM, POS machine private network and other non-on-line Application environment all is difficult to use USB Key as authentication means.For addressing this problem, be one based on the dynamic password technology of symmetric key algorithm and well replenish.Because the working mechanism of dynamic password technology emphasizes to move under environment off-line, non real-time exactly.Therefore, the dynamic password technology is the authentication means that is fit to be applied in multiple electronic channel, and the popularity of its application has obtained fully certainly.But the greatest drawback of dynamic password product is that its fail safe is a pair of contradiction with controlling convenience.Dynamic password authentication simple to operate, its fail safe is often lower, to such an extent as to can't take precautions against very general phishing attack; The trading signature authentication that fail safe is higher, its Operating Complexity is very high, and in order to guarantee authenticating safety, the user is after having submitted transaction request to, must on dynamic password token, import the various Transaction Informations that transaction request comprises again, as contents such as number of the account, the amount of money.Be further tightening security property, user PIN also needs manual input.So not only greatly reduce the user and use interest, also can cause more typing mistake.Also corresponding raising of equipment cost has further reduced the use popularity rate simultaneously.For the dynamic password product, prior art can't break through above-mentioned bottleneck.
Summary of the invention
Simple to operate in order to solve existing dynamic password authentication, but its fail safe is often lower; And the trading signature authentication security is higher, but the very high problem of its Operating Complexity the invention discloses a kind of Verification System and method based on the graphical information exchange.
Technical scheme of the present invention is as follows: a kind of Verification System based on the graphical information exchange, comprise client and service end, it is characterized in that described client comprises data transmission module, graphical information display module, graphical information scanner and figure dynamic password token:
This data transmission module be used for to receive patterned trading information data that described service end sends and sends information such as trading password to service end;
This graphical information display module is used for the trading information data in the specific region display graphicsization;
This figure dynamic password token for generation of dynamic user PIN, and is presented on the token screen with patterned form;
This graphical information scanner comprises:
Graphical information scanning and conversion identification module, be used for that the graphical information display module is presented at the graphical transaction data of specific region or the graphics data on the figure dynamic password token is identified, and conversion deciphering is general standard character, and may be displayed on the graphical information scanner screen; And:
Position information source is used for providing positional information, as: the IP address of GPS locating information, mobile communication base station location information or mobile Internet etc.; And:
The data encryption computing module is used for location information, Transaction Information, user PIN etc., is encrypted computing by user key, and generates corresponding trading password, and this trading password is carried out graphical treatment and output;
Described service end comprises transaction and graphical information generation module, authentication module:
This transaction and graphical information generation module, be used for the transaction request such as account transfer, payment or inquiry submitted to of bank or payment platform on the net with the user, from general character style, encrypt and convert to patterned trading information data, and these data are sent to client;
This authentication module, be used for receiving the trading password that client is sent, and the residing IP of client address inquired about, while is at the user PIN of service end calling and obtaining user, transaction request content in conjunction with user's submission, algorithm according to identical with client data cryptographic calculation module authenticates trading password.
Described service end transaction and graphical information generation module, the transaction request that the user can be submitted to is encrypted with symmetric encipherment algorithm or rivest, shamir, adelman; Data encrypted can convert general two-dimension code, bar code or other encoding of graphs form to.
Described client graphical information display module, can be on screen display graphics information, or on other media the output print graphical information.
Described client graphical information scanning and conversion identification module can be identified conversion general two-dimension code, bar code, or the non-general dot pattern form of identification conversion, or the data message of identification character form.
Described client graphical information scanning and conversion identification module can scan and identification conversion graphical information at screen, or in other medium scannings and identification conversion graphical information.
Described client graphical information scanning and conversion identification module can obtain and identify encryption or the unencrypted dynamic password that is sent by described figure dynamic password token by mode active or the passive and wireless communication.
Described figure dynamic password token can show dynamic password with patterned form, or shows dynamic password with character style; Can also send and encrypt or unencrypted dynamic password with active or passive wireless communication mode.
Described data encryption computing module after generating trading password, is encrypted the trading password of character style, and converts the dot pattern form to; Can also send and encrypt or unencrypted trading password with active or passive wireless communication mode.
A kind of authentication method based on the graphical information exchange is characterized in that described method comprises:
Step 1: described client terminal data transmission module receives the patterned trading information data that described service end is sent, and patterned trading information data is transmitted to the graphical information display module;
Step 2: the graphical information display module is presented at the specific region with patterned trading information data;
Step 3: the graphical information scanner is aimed at the specific region, and patterned Transaction Information is scanned identification, and the conversion deciphering is general standard character, simultaneously Transaction Information is submitted to the data encryption computing module and is presented on the graphical information scanner screen;
Step 4: the display screen of graphical information scanner alignment patterns dynamic password token, the user PIN of scanning patterization, and be converted to general standard character, simultaneously user PIN is submitted to the data encryption computing module and be presented on the graphical information scanner screen;
Or: the user is manual input user PIN on the graphical information scanner, simultaneously user PIN is submitted to the data encryption computing module;
Step 5: the data encryption computing module reads the positional information that position information source provides;
Step 6: data encryption computing module location information, Transaction Information, user PIN etc. are encrypted computing by user key; Treat the user after the graphical information scanner is confirmed, the data encryption computing module generates corresponding trading password and is presented on the graphical information scanner screen;
Or: the data encryption computing module is encrypted computing to Transaction Information, user PIN etc. by user key; Treat the user after the graphical information scanner is confirmed, the data encryption computing module generates corresponding trading password and is presented on the graphical information scanner screen;
Step 7: the user is with the manual data transmission module that inputs to described client of trading password, and data transmission module sends to described server side authentication module with trading password;
Step 8: the authentication module of described service end is inquired about the residing IP of client address from service end behind the trading password that the reception client is sent;
Step 9: described authentication module is at the user PIN of service end calling and obtaining user;
Step 10: authentication module is to positional information (IP address), the user PIN of client, and the transaction request content of submitting in conjunction with the user, according to the algorithm identical with client data cryptographic calculation module, be encrypted computing by user key, simultaneously to the trading password authentication of comparing;
Or: authentication module is to user PIN, and the transaction request content of submitting in conjunction with the user, and the algorithm according to identical with client data cryptographic calculation module is encrypted computing by user key, simultaneously to the trading password authentication of comparing.
Omit described step 5 or/and step 8.
Verification System and method based on the graphical information exchange provided by the invention embody following beneficial effect:
1, the various Transaction Informations that comprise of the transaction request submitted to of user as contents such as number of the account, the amount of money, no longer need the user to repeat input on dynamic password token, but are finished automatically by graphic scanner.The craft input of user PIN also is to be replaced by graphic scanner.
2, the present invention as one of authentication key element, has solved false website, fishing and man-in-the-middle attack with positional information more targetedly.Because above-mentioned attack is often attacked the user not at same position with quilt.
3, the present invention becomes the dynamical fashion that is produced by dynamic password token with user PIN by common static mode, has further promoted fail safe.
4, because dynamic password token can be used as the hardware carrier of certifying key information, graphic scanner can be realized by software with existing equipment.To under the situation that does not reduce fail safe, reduce cost greatly like this.
Description of drawings
Fig. 1 is the structured flowchart of a kind of Verification System based on graphical information exchange provided by the invention.
Fig. 2 is the flow chart of a kind of authentication method based on graphical information exchange provided by the invention.
Embodiment
In order to make the purpose, technical solutions and advantages of the present invention clearer, below in conjunction with embodiment and accompanying drawing, the present invention is described in further details.At this, exemplary embodiment of the present invention and explanation thereof are used for explaining the present invention, and be not as a limitation of the invention.
The user refers to set up number of the account in bank in the technical scheme that the embodiment of the invention provides, and open the client of Web bank, client comprises the subscriber computer of having networked, dynamic password token and the smart mobile phone that bank provides, and service end is Web bank's server of bank.
Be illustrated in figure 1 as a kind of Verification System structured flowchart based on the graphical information exchange that the embodiment of the invention provides.This system can be the internet bank trade Verification System of bank, also can be the online payment Verification System of third party's payment platform.This system comprises: client 10 and service end 20, client 10 comprise graphic scanner 101, computer 102 and figure dynamic password token 103; Service end 20 comprises transaction and graphical information generation module 201 and authentication module 202.
Wherein, graphic scanner 101 can be realized by smart mobile phone, comprise:
Graphical information scanning and conversion identification module 1011 can realize that graphical information can be made of two-dimension code by the camera function of smart mobile phone, and graphical information scanning is with modular converter 1011 scanning two-dimension codes and be converted to standard character.And:
Data encryption computing module 1012, be installed in the operating system of smart mobile phone, be used for location information, Transaction Information, user PIN etc., be encrypted computing by user key, and generate corresponding trading password, can also carry out graphical treatment and output to this trading password.And:
Position information source 1013, the positioning function by calling smart mobile phone GPS positioning function or mobile communication base station or the IP address of mobile Internet etc. are used for obtaining positional information.
Described graphical information scanning and conversion identification module 1011 can also obtain and identify encryption or the unencrypted figure dynamic password (figure or character data information) that is sent by figure dynamic password token 103 by mode active or the passive and wireless communication.
Described data encryption computing module 1012 is after generating trading password, the trading password of character style is encrypted, and convert the dot pattern form to, and adopt the figure collector camera of data transmission module 1021 (as be connected) that the trading password of this dot pattern form is input to described data transmission module 1021.Data encryption computing module 1012 or with active or passive wireless communication mode will be encrypted or unencrypted trading password sends to data transmission module 1021 or directly sends to authentication module 202 and authenticates.
The subscriber computer of computer 102 for having networked comprises:
Data transmission module 1021 can be the B/S structure, also can be the client functionality of C/S structure, be used for to receive patterned trading information data that described service end sends and sends information such as trading password to service end; And:
Graphical information display module 1022 can be the B/S structure equally, also can be the client functionality of C/S structure, is used for the trading information data in the specific region display graphicsization.
The output of data transmission module 1021 is connected with the input of graphical information display module 1022.
Figure dynamic password token 103 is the authenticating user identification equipment that bank provides, and can show with patterned form (as, two-dimension code) also can character style show dynamic password by dynamic password.Graphical information scanning simultaneously also can show that to this character style dynamic password scans identification with graphics mode with conversion identification module 1011.
Described figure dynamic password token 103 can also send encryption or unencrypted dynamic password to graphical information scanning and conversion identification module 1011 with active or passive wireless communication mode.
Graphical information scanning is connected with the output of figure dynamic password token 103 with graphical information display module 1022 respectively with two inputs of conversion identification module 1011, and graphical information scanning is connected with the different inputs of data encryption computing module 1012 respectively with the output of conversion identification module 1011 and the output of position information source 1013; The output of data encryption computing module 1012 is connected with 1021 inputs of data transmission module of computer 102.
The function of service end 20:
Transaction and graphical information generation module 201, be used for the transaction request such as account transfer, payment or inquiry submitted to of bank or payment platform on the net with the user, from general character style, encrypt and convert to patterned trading information data (as, and these data are sent to another input of the data transmission module 1021 of client 10 two-dimension code).
Authentication module 202, be used for to receive from the output of the data transmission module 1021 of client 10() trading password sent, and the residing IP of client address inquired about, while is at the user PIN of service end calling and obtaining user, transaction request content in conjunction with user's submission, algorithm according to identical with client data cryptographic calculation module authenticates trading password.
Be illustrated in figure 2 as a kind of authentication method flow chart based on the graphical information exchange that the embodiment of the invention provides.The application that the internet bank trade that adopts system shown in Figure 1 to carry out authenticates, this method may further comprise the steps:
Step 1: client 10 data transmission modules 1021 are on subscriber computer 102, receive the service end 20(of Web bank transaction and graphical information generation module 201) the patterned trading information data that sends, and the patterned trading information data that will receive is transmitted to graphical information display module 1022.
Step 2: graphical information display module 1022 is presented at the specific region with patterned trading information data.Concrete outcome is to demonstrate the two-dimension code figure at the subscriber computer screen.
Step 3: the user will aim at shown two-dimension code figure on the subscriber computer screen as the smart mobile phone of graphical information scanner 101, the two-dimension code figure is scanned identification, and (by graphical information scanning and conversion identification module 1011) conversion deciphering is general standard character, simultaneously Transaction Information submitted to data encryption computing module 1012 and is presented on the smart mobile phone screen.
Step 4: the user will be as the display screen of the smart mobile phone alignment patterns dynamic password token 103 of graphical information scanner 101, the user PIN of scanning two-dimension code form, and (by graphical information scanning and conversion identification module 1011) be converted to general standard character, simultaneously user PIN submitted to data encryption computing module 1012 and be presented on the smart mobile phone screen.Perhaps: the user goes up manual input user PIN at graphical information scanner (smart mobile phone), simultaneously user PIN is submitted to data encryption computing module 1012.
Step 5: the data encryption computing module 1012 in the smart mobile phone reads the positional information that position information source 1013 provides.Step 5 also can be omitted.
Step 6: data encryption computing module 1012 location information in the smart mobile phone, Transaction Information, user PIN etc. are encrypted computing by user key.Treat the user after smart mobile phone is confirmed, data encryption computing module 1012 generates corresponding trading password and is presented on the smart mobile phone screen.
Or: 1012 pairs of Transaction Informations of data encryption computing module, user PIN etc. are encrypted computing by user key; Treat the user after graphical information scanner (smart mobile phone) is confirmed, data encryption computing module 1012 generates corresponding trading password and is presented on the screen of graphical information scanner (smart mobile phone).
Step 7: the user is with the manual input of trading password subscriber computer 102, and the data transmission module 1021 in the subscriber computer sends to trading password the authentication module 202 of Web bank's service end 20 after receiving trading password simultaneously.
Step 8: the authentication module 202 of Web bank's service end is inquired about from 20 pairs of clients of service end, 10 residing IP addresses after receiving the trading password that client sends, and is specially the IP address lookup function of calling service end 20, and receives Query Result.Step 8 also can be omitted.
Step 9: the authentication module 202 of Web bank's service end is at the user PIN of service end calling and obtaining user, be specially authentication module 202 to the dynamic password authentication server (prior art of Web bank's service end 20, not shown) user ID is provided, to submit the dynamic password authentication server to user PIN is carried out computing.
Step 10: the positional information of 202 pairs of clients 10 of authentication module (IP address), user PIN, and the transaction request content of submitting in conjunction with the user, according to the algorithm identical with client data cryptographic calculation module 1012, be encrypted computing by user key, simultaneously to the trading password authentication of comparing.Be specially authentication module 202 and continue submit the positional information of client, user's trading information data and trading password to the dynamic password authentication server, and receive success that the dynamic password authentication server returns or the authentication result of failure.
Step 10 or: the transaction request content that authentication module 202 is only submitted in conjunction with the user user PIN, the algorithm according to identical with client data cryptographic calculation module is encrypted computing by user key, simultaneously to the trading password authentication of comparing.
The concrete data processing method that the present invention adopts in each above-mentioned step all adopts routine techniques.
Above-described embodiment further describes purpose of the present invention, technical scheme and beneficial effect.Institute is understood that; the above is the specific embodiment of the present invention only, and is not intended to limit the scope of the invention, and is within the spirit and principles in the present invention all; any modification of making, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.