Dynamic mobile signature system and method thereof
Technical field
The present invention relates to information security authentication technology for mobile terminals. It is implemented through the combined use of computers, web servers, information coding and mobile communication technology, and is applicable to fields in which a mobile terminal is used to confirm information involving property, or in which identity confirmation is required, for example when logging in to application servers and systems. It specifically relates to a dynamic mobile signature system and its implementation method.
Background art
In November 2007, Google released Android, a software platform for smart terminals. In the more than 5 years since, Android has rapidly become the most widely used platform on smart mobile devices, thanks to technical characteristics such as efficiency, open source code and ease of extension. In recent years, however, malicious code has spread rapidly as the Android market has expanded, and the security problems exposed in Android have become more prominent and more harmful. In 2010, Kaspersky first discovered malware targeting Android, an SMS trojan named Trojan-SMS.AndroidOS.FakePlayer.a. In March 2011, Symantec reported the Android trojan DroidDream, which was found implanted in 58 applications in the official Google software market; before it was removed, the infected software had been downloaded 50,000 times and more than 200,000 devices were affected. The mobile antivirus company Lookout Mobile Security predicted that in 2013 more than 18 million Android devices would suffer malware attacks. Domestic statistics also show that the harm caused by malicious programs targeting the Android platform is growing more serious by the day, with malware for rogue promotion, malicious fee deduction and theft of user privacy increasing especially rapidly.
With the rapid development of network and communication technology, business models are changing ever faster, and e-commerce has become an indispensable mode of consumption in people's lives. In recent years in particular, the mobile Internet has developed at high speed and more and more e-commerce activity is carried out on mobile devices, where transaction security is the technical bottleneck of greatest concern to the industry. This is especially true on the Android platform: because the system is open source, the risk of intrusion is increased, while the number of Android users has been growing rapidly and Android applications have permeated every detail of daily life. Unfortunately, current mobile terminal devices cannot completely avoid vulnerabilities, and intruding trojans emerge in an endless stream, constantly threatening the system security of the user's mobile terminal and, more importantly, the security of the user's property.
Smartphones are now fully integrated into people's lives, and smartphone users can bind debit cards, credit cards or other cards related to personal finance to their phones. Mobile terminals take many forms, of which the smartphone is the mainstream, and its security bears on mutual trust between people and on trust in society.
In the e-commerce field, the usual existing way of confirming a transaction is that the transaction server sends an authentication password by SMS to the corresponding smartphone, the user enters it, and it is then verified, completing the transaction. However, as trojan programs grow ever more sophisticated, the SMS carrying the authentication password can be hijacked by a trojan during such a mobile transaction, and even the whole transaction process and the terminal device can be hijacked. Even if the transaction itself goes through, a hidden danger is left behind. The same situation can also occur with online-banking USB keys or password cards.
The root cause is that earlier transaction confirmation methods are too uniform and too fixed. Besides the risk in the password acquisition process, the hardware and software of this kind of password authentication are relatively fixed, and are easily hijacked, corrupted or rewritten. Even the regularly updated drivers of online-banking USB keys cannot escape being hijacked. Such hardware-encryption verification methods cannot adapt to the trend and demands of today's rapidly developing e-commerce.
Summary of the invention
In view of the predicament of the prior art, the present invention proposes a dynamic mobile signature system and method thereof, with the aim of providing a message authentication solution whose authentication mode is more flexible, safer and more reliable.
The first object of the present invention is achieved by a dynamic mobile signature system involving a merchant's application system, a user's mobile terminal and a dynamic signature service platform, characterized in that: the dynamic signature service platform communicates with the application system and with the mobile terminal through separate, independent channels, and the dynamic mobile signature system comprises a device ID generation unit, a binding unit and a message signing unit based on the mobile terminal, and an authentication unit based on the dynamic signature service platform. The device ID generation unit is a fixed unit with which the mobile terminal distinguishes and identifies itself on the basis of device attributes and is assigned a unique device ID; the device attributes comprise software attributes, hardware attributes and device behavior attributes;
The binding unit is built into the user registration of the mobile terminal. It establishes a one-to-one mapping between the user name and the device ID, binds them, and transmits the binding in encrypted form for storage in the dynamic signature service platform;
The message signing unit is built into the mobile terminal. It receives the message to be signed from the dynamic signature service platform, calls the message encryption algorithm based on the device ID to sign it, and sends the result back to the dynamic signature service platform;
The authentication unit is a fixed unit that judges the legitimacy of the signing process on the mobile terminal. Based on the signature authentication rule, it checks that the device ID that performed the signing is consistent with the device ID stored in the dynamic signature service platform for the corresponding user name, and it either returns the legal signature to the merchant's application system or resends the message to be signed;
The message encryption algorithm and the signature authentication rule are dynamic rules whose split and combined objects are variable and which are updated synchronously.
Further, the dynamic signature service platform is a cloud server. The cloud server and the mobile terminal form a closed communication architecture, while the cloud server and the merchant's application system form an open communication architecture.
The second object of the present invention is achieved by a dynamic mobile signature method involving a merchant's application system, a user's mobile terminal and a dynamic signature service platform, in which the application system and the mobile terminal each communicate with the dynamic signature service platform through a separate, independent channel, characterized in that: the dynamic mobile signature method comprises the sub-steps of device ID generation, user registration and binding, message signing, and authentication. Device ID generation is the process in which the mobile terminal distinguishes and identifies itself on the basis of device attributes and is assigned a unique device ID; the device attributes comprise software attributes, hardware attributes and device behavior attributes;
In user registration and binding, the user registers using the mobile terminal; the mobile terminal establishes a one-to-one mapping between the user name and the device ID, binds them, and transmits the binding in encrypted form, as a key-value pair, for storage in the dynamic signature service platform;
In message signing, the mobile terminal receives the message to be signed from the dynamic signature service platform, calls the message encryption algorithm based on the device ID to sign it, and sends the result back to the dynamic signature service platform;
Authentication is the process of judging the legitimacy of the signing process on the mobile terminal. Based on the signature authentication rule, the device ID that performed the signing is checked for consistency with the device ID stored in the dynamic signature service platform for the corresponding user name, and either the legal signature is returned to the merchant's application system or the message to be signed is resent;
The message encryption algorithm and the signature authentication rule are dynamic rules whose split and combined objects are variable, and they are updated synchronously.
Further, the dynamic signature service platform is a cloud server, and the cloud server and the mobile terminal form a closed communication architecture. Only a signature completed on the mobile terminal bound to the user is legitimate, signature authentication is completed only on the cloud server, and the cloud server sends the authenticated signature to the merchant's application system through an open communication architecture.
The dynamic mobile signature scheme of the present invention effectively remedies the shortcomings of hardware signatures and realizes signature verification at the software level, greatly improving the flexibility with which a mobile terminal can take part in confirming e-commerce transaction information. The signing and authentication process is driven by a dynamic signature algorithm that is continuously updated from the cloud server, and the system hardware in the mobile terminal used to perform the dynamic mobile signature is improved, so that the intrusion of trojans can be effectively resisted and the security of information confirmation on mobile devices is significantly improved.
Brief description of the drawings
Fig. 1 is the system block diagram of dynamic mobile signature of the present invention.
Fig. 2 is the operational flow diagram of dynamic mobile signature of the present invention.
Detailed description of the embodiments
To meet the security demands of today's rapidly developing mobile payment and e-commerce, the present invention proposes a system scheme for dynamic mobile signatures that provides a safe and reliable transaction environment for electronic payment between users and merchants.
First, in terms of hardware architecture, the dynamic mobile signature system involves three parts: the merchant's application system, the user's mobile terminal and the dynamic signature service platform. As shown in Fig. 1, the dynamic signature service platform communicates with the application system and with the mobile terminal through separate, independent channels. The whole dynamic mobile signature system comprises four basic modules: a device ID generation unit, a binding unit and a message signing unit based on the mobile terminal, and an authentication unit based on the dynamic signature service platform. Each is described below.
The device ID generation unit is where the mobile terminal distinguishes and identifies itself on the basis of device attributes and is assigned a unique device ID; the device attributes comprise software attributes, hardware attributes and device behavior attributes. The device ID here is conceptually distinct from the serial number of an ordinary mobile terminal. It is a symbol or character string that is generated after collecting a variety of software and hardware information, is assigned to the device and uniquely identifies it, and is used afterwards for the mobile terminal's registration, message signing and so on.
The binding unit is built into the user registration of the mobile terminal. It establishes a one-to-one mapping between the user name and the device ID, binds them, and transmits the binding in encrypted form for storage in the dynamic signature service platform.
The message signing unit is built into the mobile terminal and is implemented using its display screen and input device. It receives the message to be signed from the dynamic signature service platform, calls the message encryption algorithm based on the device ID to sign it, and sends the result back to the dynamic signature service platform.
The authentication unit is a fixed unit integrated in the dynamic signature service platform that judges the legitimacy of the signing process on the mobile terminal. Based on the signature authentication rule, it checks that the device ID that performed the signing is consistent with the device ID stored in the dynamic signature service platform for the corresponding user name, and it either returns the legal signature to the merchant's application system or resends the message to be signed. The message encryption algorithm and the signature authentication rule are dynamic rules whose split and combined objects are variable and which are updated synchronously. The dynamic signature service platform is a cloud server; the cloud server and the mobile terminal form a closed communication architecture, while the cloud server and the merchant's application system form an open communication architecture.
Second, in terms of software architecture, the dynamic mobile signature method comprises four sub-steps, as shown in Fig. 2: device ID generation, user registration and binding, message signing, and authentication. Each is described below.
Device ID generation is the process in which the mobile terminal distinguishes and identifies itself on the basis of its own software and hardware attributes and is assigned a unique device ID; the software and hardware attributes comprise the operating system information, application information and hardware information of the mobile terminal.
In user registration and binding, the user registers using the mobile terminal; the mobile terminal establishes a one-to-one mapping between the user name and the device ID, binds them, and transmits the binding in encrypted form, as a key-value pair, for storage in the dynamic signature service platform.
In message signing, the mobile terminal receives the message to be signed from the dynamic signature service platform, calls the message encryption algorithm based on the device ID to sign it, and sends the result back to the dynamic signature service platform.
Authentication is the process of judging the legitimacy of the signing process on the mobile terminal. Based on the signature authentication rule, the device ID that performed the signing is checked for consistency with the device ID stored in the dynamic signature service platform for the corresponding user name, and either the legal signature is returned to the merchant's application system or the message to be signed is resent.
The message encryption algorithm and the signature authentication rule are dynamic rules whose split and combined objects are variable, and they are updated synchronously.
In more detail, the dynamic signature service platform is a cloud server, and the cloud server and the mobile terminal form a closed communication architecture. Only a signature completed on the mobile terminal bound to the user is legitimate, signature authentication is completed only on the cloud server, and the cloud server sends the authenticated signature to the merchant's application system through an open communication architecture.
The invention can be further understood from one embodiment. The whole system is divided mainly into a client (the mobile terminal, CA) and a management service platform (the dynamic signature service platform). Another important terminal, the merchant platform (AP), is not a component of the system, but it is the requirement that the system's functions serve and must be designed for; it includes at least platform systems that earn revenue through electronic channels, such as e-commerce providers, mobile phone operators and game developers. The client's executable program carries out user operations such as registration and login, acquisition of the device ID (also called the device fingerprint), device binding and encryption of key information. After the user completes registration, the user name (for example a telephone number) is bound to the device fingerprint, completing the device binding. Afterwards, messages that need protection, such as transaction information, are encrypted and sent to the user's mobile terminal through a push interface or an SMS interface, and the user encrypts and decrypts the messages using the device fingerprint as the encryption/decryption factor. The management service platform is the core of the system and has a vital role. Besides storing the device binding relationships with high confidentiality, and receiving transaction information, encrypting it according to the device binding and sending it, it can also integrate a large number of resources, for example integrating the device fingerprint management system and integrating BOSS/CRM-related billing. In addition, important tasks such as role assignment and rights management are implemented in the device fingerprint management system.
The management service platform is the entity that provides the dynamic mobile signature service, and it sits between the user, the AP and the CA. Its main function is as follows. When the AP needs the user to sign transaction data, it first sends the transaction data to the management service platform. The management service platform encrypts the transaction data using the device fingerprint as the encryption factor and pushes it to the user. After receiving the pushed message, the mobile terminal, based on its own device fingerprint, presents the message on its display so that the user can review the transaction data and sign it. The signature result is then authenticated on the management service platform, which sends the legal signature to the AP. Note that the dynamic signature service platform (management service platform) can be a cloud server, and that the cloud server and the mobile terminal form a closed communication architecture: only a signature completed on the mobile terminal bound to the user is legitimate, signature authentication is completed only on the cloud server, and the cloud server sends the authenticated signature to the merchant's application system through an open communication architecture. Therefore, if the signed data returned by the mobile terminal fails authentication in the cloud, the signature is illegal. In that case the dynamic signature service platform does not send the signed data to the AP, and instead pushes the message to be signed to the mobile terminal of the corresponding user name again, to ensure that the transaction is completed, as shown in Fig. 2.
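The register, push, sign, authenticate and resend flow described above can be sketched as follows. This is an added illustration and not part of the patent text: the patent does not specify the message encryption algorithm, so HMAC-SHA256 keyed by the device ID stands in for it, and the names device_id, sign, make_terminal and SignaturePlatform, the rule_version counter and the max_resends limit are assumptions.

```python
import hashlib
import hmac
import json


def device_id(attrs: dict) -> str:
    """Device fingerprint: hash of software, hardware and behavior attributes.
    Assumption: SHA-256 over canonical JSON; the patent names no algorithm."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def sign(message: bytes, dev_id: str, rule_version: int) -> str:
    """Assumed stand-in for the device-ID-based message encryption algorithm:
    HMAC-SHA256 keyed by the device ID and the current rule version."""
    key = hashlib.sha256(f"{rule_version}:{dev_id}".encode()).digest()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def make_terminal(attrs: dict):
    """Mobile terminal (CA): signs pushed messages with its own fingerprint."""
    return lambda message, rule_version: sign(message, device_id(attrs), rule_version)


class SignaturePlatform:
    """Dynamic signature service platform: stores bindings, authenticates."""

    def __init__(self, rule_version: int = 1, max_resends: int = 2):
        self.bindings = {}              # user name -> device ID, one-to-one
        self.rule_version = rule_version
        self.max_resends = max_resends  # assumed bound; the text sets none

    def register(self, username: str, dev_id: str) -> None:
        if username in self.bindings or dev_id in self.bindings.values():
            raise ValueError("user name and device ID must map one-to-one")
        self.bindings[username] = dev_id

    def authenticate(self, username: str, message: bytes, signature: str) -> bool:
        bound = self.bindings.get(username)
        if bound is None:
            return False
        expected = sign(message, bound, self.rule_version)
        return hmac.compare_digest(expected, signature)

    def process(self, username: str, message: bytes, terminal):
        """Push the message, authenticate the reply, resend on failure.
        Returns the legal signature for the merchant (AP), or None."""
        for _ in range(1 + self.max_resends):
            signature = terminal(message, self.rule_version)
            if self.authenticate(username, message, signature):
                return signature
        return None


# Constructed sample attributes and transaction, for illustration only.
PHONE_A = {"os": "Android 4.2", "model": "example-model-a", "apps": 37}
PHONE_B = {"os": "Android 4.2", "model": "example-model-b", "apps": 37}
TRANSACTION = b"pay 100.00 to merchant-example order 0001"
```

In this sketch the device ID acts as the shared signing secret, so the registration step has to reach the platform over an encrypted channel, as the binding step in the text requires.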
In summary, the dynamic mobile signature scheme of the present invention effectively remedies the shortcomings of hardware signatures and realizes signature verification at the software level, greatly improving the flexibility with which a mobile terminal can take part in confirming e-commerce transaction information. The signing and authentication process is driven by a dynamic signature algorithm that is continuously updated from the cloud server, and the system hardware in the mobile terminal used to perform the dynamic mobile signature is improved, so that the intrusion of trojans can be effectively resisted and the security of information confirmation on mobile devices is significantly improved.