CN103905457B - Server, client, Verification System and user authentication and data access method - Google Patents


Info

Publication number
CN103905457B
Authority
CN
China
Prior art keywords
authentication information
information
user
client
message
Prior art date
Legal status
Active
Application number
CN201410143759.5A
Other languages
Chinese (zh)
Other versions
CN103905457A (en)
Inventor
孟祥雨
王欣
张雨佳
顾思阳
Current Assignee
Sumavision Technologies Co Ltd
Original Assignee
Sumavision Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Sumavision Technologies Co Ltd
Priority to CN201410143759.5A
Publication of CN103905457A
Application granted
Publication of CN103905457B
Legal status: Active
Anticipated expiration

Abstract

The invention discloses a server, a client, an authentication system, and a user authentication and data access method. The user authentication method includes: receiving a first message sent by a client requesting authentication of the client's user, the first message carrying first authentication information and second authentication information corresponding to the user, where the first authentication information includes information input by the user and the second authentication information includes card-swipe information of the user; judging whether the first authentication information matches the second authentication information; and, if the first authentication information matches the second authentication information, sending a second message indicating successful authentication to the client. The invention addresses the technical problem of insufficient security in existing user authentication schemes.

Description

Server, client, Verification System and user authentication and data access method
Technical field
The present invention relates to the field of internet security, and in particular to a server, a client, an authentication system, and a user authentication and data access method.
Background technology
In existing schemes, user authentication is usually performed by having the background server or database server of the corresponding device (for example, a bank) verify the combination of user ID and password uploaded by the client. On the one hand this avoids the security issues that may arise when the client authenticates the user locally, and on the other hand it simplifies back-end management. However, in application scenarios with higher security requirements, relying solely on the combination of user ID and password is still insufficient to guarantee security and reliability: third-party tools exist that crack IDs and passwords by enumeration, and if a user accidentally loses a notepad or mobile phone on which the ID and password are recorded, the ID and password themselves may be leaked in any number of ways. To address this, one existing scheme has the background server of the corresponding device (for example, a bank) send a verification code over the wireless communication network to the mobile phone or mailbox registered by the user, and confirms successful authentication only after the user enters the same verification code into the client. This approach still carries a potential safety hazard: when the user loses the mobile phone serving as the client, and the ID and password used for authentication are stored on that phone, whoever picks up the lost phone can still complete user authentication using only that phone, and the authenticated user is then not the registered user. No effective solution to this problem has yet been proposed.
The content of the invention
Embodiments of the present invention provide a server, a client, an authentication system, and a user authentication and data access method, so as to at least solve the technical problem of insufficient security in existing user authentication schemes.
According to one aspect of the embodiments of the present invention, a user authentication method is provided, including: receiving a first message sent by a client requesting authentication of the client's user, the first message carrying first authentication information and second authentication information corresponding to the user, where the first authentication information includes information input by the user and the second authentication information includes card-swipe information of the user; judging whether the first authentication information matches the second authentication information; and, if the first authentication information matches the second authentication information, sending a second message indicating successful authentication to the client.
According to another aspect of the embodiments of the present invention, a data access method is also provided, including: when the client needs to access target data, obtaining first authentication information and second authentication information corresponding to the user of the client, where the first authentication information includes information input by the user and the second authentication information includes card-swipe information of the user; sending to a server a first message requesting authentication of the user, the first message carrying the first authentication information and the second authentication information, so that the server returns to the client a second message indicating successful authentication when it judges that the first authentication information matches the second authentication information; and, upon receiving the second message, sending to the corresponding device a message requesting access to the target data.
According to another aspect of the embodiments of the present invention, a server is also provided, including: a first receiving unit, configured to receive a first message sent by a client requesting authentication of the client's user, the first message carrying first authentication information and second authentication information corresponding to the user, where the first authentication information includes information input by the user and the second authentication information includes card-swipe information of the user; a judging unit, configured to judge whether the first authentication information matches the second authentication information; and a first sending unit, configured to send a second message indicating successful authentication to the client when the first authentication information matches the second authentication information.
According to another aspect of the embodiments of the present invention, a client is also provided, including: a first obtaining unit, configured to obtain, when target data needs to be accessed, first authentication information and second authentication information corresponding to the user of the client, where the first authentication information includes information input by the user and the second authentication information includes card-swipe information of the user; a first sending unit, configured to send to a server a first message requesting authentication of the user, the first message carrying the first authentication information and the second authentication information, so that the server returns to the client a second message indicating successful authentication when it judges that the first authentication information matches the second authentication information; and a second sending unit, configured to send to the corresponding device a message requesting access to the target data when the second message is received.
According to another aspect of the embodiments of the present invention, an authentication system is also provided, including: the above server; and one or more of the above clients, each having a data connection with the server.
In embodiments of the present invention, on the one hand, the user of the client is authenticated by judging whether the first authentication information and the second authentication information sent by the client match each other; on the other hand, the client obtains the first authentication information and the second authentication information through different information acquisition channels. Specifically, the first authentication information received by the authentication server may be information the user inputs into the client, such as a user ID, a password, a two-dimensional code or a fingerprint, while the second authentication information may be card-swipe information the client acquires when the user swipes a card, such as static data stored in an IC card or a button card. In this way, when the user authenticates through the mobile terminal serving as the client, the card-swipe information must be provided in addition to the input information, which overcomes the security issue faced after the user accidentally loses the mobile terminal, improves the security and reliability of the authentication system, and thereby solves the technical problem of insufficient security in existing user authentication schemes.
Brief description of the drawings
The accompanying drawings described herein are provided for a further understanding of the present invention and constitute a part of this application. The exemplary embodiments of the present invention and their description serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic diagram of an optional user authentication method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an optional data access method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of an optional server according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an optional client according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of an optional authentication system according to an embodiment of the present invention;
Fig. 6 is an interaction diagram of an optional authentication system according to an embodiment of the present invention.
Specific embodiment
The present invention is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments. It should be noted that, where no conflict arises, the embodiments in this application and the features in the embodiments may be combined with one another.
Embodiment 1
According to an embodiment of the present invention, a user authentication method is provided. As shown in Fig. 1, the method includes:
S102: receiving a first message sent by a client requesting authentication of the client's user, the first message carrying first authentication information and second authentication information corresponding to the user, where the first authentication information includes information input by the user and the second authentication information includes card-swipe information of the user;
S104: judging whether the first authentication information matches the second authentication information;
S106: if they match, sending a second message indicating successful authentication to the client.
It will be clear that one of the problems to be solved by the embodiments of the present invention is to provide a method for authenticating a client or its user. Here, the client may refer to the physical device that connects to the server and requests authentication and related services from it, for example a PC as a fixed terminal or a smartphone or tablet as a mobile terminal; it may also refer to a client application running on such a physical device and its system, for example a login client issued to the user by a banking system. This does not affect the understanding and implementation of the technical solution of the present invention or the realization of its technical effect, and the present invention is not limited in this respect.
It is worth noting that, in embodiments of the present invention, the object targeted by the above authentication method in the ordinary sense may be the user of the client; that is, in practical applications, the authentication processing performed by the method is not restricted to a particular client device or client application, and the user, as the object of authentication, may choose any feasible device or application to complete authentication.
Further, in embodiments of the present invention, the above authentication processing can generally be incorporated into a more complete operational flow. For example, the operational flow may be a complete payment process in which the authentication processing is added as one of the steps, or it may be a login process for a protected website in which the authentication processing is added as one of the steps. In general, the present invention does not restrict the specific application scenario of the authentication method provided by the embodiments; in fact, based on the interaction interfaces provided by step S102 and step S106 respectively, the preceding and following execution logic that fits this authentication method, and the use of the authentication result it produces, can be readily designed into the complete operational flow. Similar implementations based on the embodiments of the present invention should therefore be regarded as falling within the scope of protection of the present invention.
To provide the above authentication function, existing schemes generally have the background server or database server of the corresponding device (for example, a bank) verify the combination of user ID and password uploaded by the client. On the one hand this avoids the security issues that may arise when the client authenticates the user locally, and on the other hand it simplifies back-end management. However, in application scenarios with higher security requirements, relying solely on the combination of user ID and password is still insufficient to guarantee security and reliability: third-party tools exist that crack IDs and passwords by enumeration, and if a user accidentally loses a notepad or mobile phone on which the ID and password are recorded, the ID and password themselves may be leaked in any number of ways. To address this, one existing scheme has the background server of the corresponding device (for example, a bank) send a verification code over the wireless communication network to the mobile phone or mailbox registered by the user, and confirms successful authentication only after the user enters the same verification code into the client. This approach still carries a potential safety hazard: when the user loses the mobile phone serving as the client, and the ID and password used for authentication are stored on that phone, whoever picks up the lost phone can still complete user authentication using only that phone, and the authenticated user is then not the registered user.
In view of the above problem, in embodiments of the present invention, on the one hand, the user of the client is authenticated by judging whether the first authentication information and the second authentication information sent by the client match each other; on the other hand, the client obtains the first authentication information and the second authentication information through different information acquisition channels. Specifically, the first authentication information received by the authentication server may be information the user inputs into the client, such as a user ID, a password, a two-dimensional code or a fingerprint, while the second authentication information may be card-swipe information the client acquires when the user swipes a card, such as static data stored in an IC card or a button card. In this way, when the user authenticates through the mobile terminal serving as the client, the card-swipe information must be provided in addition to the input information, which overcomes the security issue faced after the user accidentally loses the mobile terminal, improves the security and reliability of the authentication system, and thereby solves the technical problem of insufficient security in existing user authentication schemes.
The technical solution of the present invention and its operating principle are described below with reference to the drawings and embodiments.
According to the authentication method provided by the embodiments of the present invention, in step S102 the authentication server may receive a first message sent by the client requesting authentication of the client's user.
On the whole, in embodiments of the present invention, the server providing the authentication service may be set up by the provider of the data management service, such as a banking system, where the data management service is the data service that the client and its user request after successful authentication. Alternatively, the authentication server may be provided by a partner of the banking system acting as a third-party operator dedicated to providing authentication services; such a partner may also cooperate with more than one bank or data platform and provide authentication services to multiple parties. The present invention is not limited in this respect.
On the other hand, the server may provide the authentication service on its own, or it may provide it jointly with several node servers in a distributed data management arrangement, depending on the processing and storage resources the authentication service requires. For example, in a small-scale authentication system, the number of clients connected to the server and of users served is relatively small and the amount of authentication information to be managed is limited, so both the storage of authentication information and its processing can be completed by the same server. In a larger authentication system, the number of connected clients and served users is relatively large and the amount of authentication information to be managed is correspondingly large, so the processing capacity and storage resources of a single server may be insufficient. In that case the authentication service may also be provided through a distributed architecture, in which the server that interacts directly with the client may be a data warehouse server holding metadata, which in turn provides access to the authentication information stored in multiple data storage nodes. The present invention is not limited in this respect.
On the other hand, in embodiments of the present invention, the client may generally be a mobile terminal such as a smartphone or tablet. Owing to the portability of mobile terminals, the user can interact with the server through the mobile terminal serving as the client at any time and place, and so can complete authentication and the subsequent access to target data through the mobile terminal, and then carry out further operations according to the authentication result and/or data access result presented in the user interface of the mobile terminal. This does not constitute a limitation of the present invention: for example, in some embodiments the user may also access target data through a fixed terminal, such as when the user makes an online payment through a PC, where both authentication of the user and access to the related data of the payment platform may be completed through the PC serving as the client. This does not affect the implementation of the technical solution of the present invention or the realization of its technical effect, and it should be understood that equivalent variations or obvious modifications belonging to the present invention are regarded as falling within its scope of protection.
In addition, in embodiments of the present invention, the first message may generally be embodied as an HTTP (Hypertext Transfer Protocol) message, but the present invention is not limited in any way in this respect. For example, in some embodiments the first message may also be embodied as an FTP (File Transfer Protocol) message, or as any other feasible message or file transfer format, provided the server can correctly identify the first message and the information it carries. Correspondingly, the second message, third message and so on described in the embodiments of the present invention are subject to the same explanation, which is not repeated here. It should also be noted that the terms "first", "second" and so on used in the embodiments of the present invention serve only to distinguish items in the description and to aid understanding of the present invention; they should not be construed as imposing any ordering, position, importance or other relational attributes on the elements concerned.
On the basis of the above description, as stated in step S102, the first message may carry first authentication information and second authentication information corresponding to the user, where the first authentication information may include information input by the user and the second authentication information may include card-swipe information of the user.
Specifically, in embodiments of the present invention, the first authentication information may be information input by the user. The input information may include at least one of the following: a user ID, a password, a verification code, fingerprint information, voice information, facial features, and so on. The carrier of the input information may also take various forms: it may be textual information such as letters, digits or character strings; it may be graphical information such as a two-dimensional code; or it may be an inherent physiological characteristic of the person, such as a fingerprint, voiceprint, interpupillary distance or facial contour. Correspondingly, the input unit in the client used to obtain the input information may include at least one of the following: a mouse, a keyboard, a touch screen, a scanner, a camera, a fingerprint sensor, a speech sensor, and so on. The present invention is not limited in any way in this respect.
On the other hand, in embodiments of the present invention, the second authentication information may be card-swipe information of the user. The card-swipe information may also take various forms. Most typically, it may include the same information content as the input information described above; the difference is that the card-swipe information comes from an information carrier held by the user, such as an IC card, a button card or a radio-frequency chip, whose stored information can be read out wirelessly by "swiping". Correspondingly, the specific communication method used to read the swiped information may be chosen from the various ways known to those skilled in the art; most typically it may use near-field communication NFC (Near Field Communication) or another radio-frequency identification RFID (Radio Frequency Identification) technology, and the present invention is not limited in any way in this respect. In general, when the embodiments of the present invention provide an authentication service to a banking system, the card-swipe information already stored in the IC card issued by the banking system can be used. For example, for an IC card that uses static data authentication SDA (Static Data Authentication) as its authentication method, the information stored in the IC card may include the IC card user information to be verified, static data, and the issuer public key index, and one or more of these pieces of information already present in the IC card can be selected as the second authentication information to take part in the authentication processing shown in the embodiments of the present invention.
In the above scenario, because the client obtains the first authentication information and the second authentication information through different channels, the risk that may exist when authentication information is obtained through a single channel alone is limited, and the matching judgement between the first authentication information and the second authentication information in step S104 therefore yields a more reliable authentication result, improving the security and reliability of the authentication system. Further, in embodiments of the present invention, other feasible technical means known to those skilled in the art can be combined to improve data security further; for example, while the server receives the first message sent by the client as described in step S102, the secure sockets layer SSL (Secure Sockets Layer) protocol or the transport layer security TLS (Transport Layer Security) protocol can be used to improve the security and reliability of the data transfer. It should be understood that similar extensions of the embodiments of the present invention should still be regarded as falling within the scope of protection of the present invention.
On the basis of the above description, according to the authentication method provided by the embodiments of the present invention, in step S104, after the first authentication information and the second authentication information have been received in step S102, it is further judged whether the first authentication information matches the second authentication information; then, in step S106, if they are judged to match, authentication is judged successful, and otherwise authentication is judged to have failed. For example, suppose the user has lost a mobile phone on which the username and password used for payment are recorded, but has not lost the IC card that is required for authentication and that the user bound in advance to that username and password. Under a traditional authentication scheme, whether payment authentication uses the username and password directly or in combination with a mobile-phone verification code, a factually wrong authentication result cannot be avoided. Under an authentication system using the authentication method of the embodiments of the present invention, however, even someone who picks up the lost mobile phone still cannot pass user authentication, which improves the security of the user information and the reliability of the authentication system.
Specifically, in embodiments of the present invention, there can be various specific ways of judging in step S104 whether the first authentication information matches the second authentication information. Usually, in embodiments of the present invention, the above step S104 may include:
S2: searching the pre-stored records for a data record corresponding to the first authentication information;
S4: if the data record found is identical or corresponds to the second authentication information, judging that the first authentication information matches the second authentication information.
Taking payment authentication as an example, in one embodiment the user's input information serving as the first authentication information may be the user ID of the paying bank entered by the user into the client, and the card-swipe information serving as the second authentication information may be the name of the registered user stored in the IC card issued by the paying bank. Then, in step S2, the user name in the data record corresponding to the user ID can be looked up in the pre-stored records, and in step S4 the user name found can be compared with the name stored in the IC card: if they are identical, authentication is judged successful; otherwise authentication is judged to have failed.
Of course, this is only an example and does not limit the present invention. For example, in some embodiments of the present invention, whether the first authentication information matches the second authentication information may be judged not by the above approach of looking up and comparing data records, but instead by applying an agreed operator or key to compute or decrypt the first authentication information and then comparing the first authentication information and the second authentication information after the computation or decryption, and so on.
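A worked server-side model of steps S102 to S106 with the lookup-and-compare judgement of S2/S4, written for this page as an added example (not the patent's or Sumavision's code). The pre-stored records, salt, user ID, password and registered name are all constructed; the IC card is modelled as the registered name the card carries, and the lost-phone case from the text is the request that arrives with the typed factor only.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the pre-stored record never holds the clear password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed pre-stored records (S2), keyed by user ID:
# (salt, password hash, name of the registered user as stored on the bank-issued IC card).
_SALT = b"constructed-salt-0001"
PRESTORED_RECORDS = {
    "pay-user-1001": (_SALT, _hash_password("correct horse battery", _SALT), "ZHANG SAN"),
}


@dataclass
class FirstMessage:
    """Constructed model of the first message (S102): both factors in one request."""
    user_id: str              # first authentication information (typed by the user)
    password: str             # first authentication information (typed by the user)
    card_name: Optional[str]  # second authentication information (read from the IC card)


def lookup_record(user_id: str, password: str) -> Optional[str]:
    """S2: find the pre-stored record for the first authentication information.
    Returns the registered name from that record, or None when no record matches."""
    rec = PRESTORED_RECORDS.get(user_id)
    if rec is None:
        return None
    salt, pw_hash, registered_name = rec
    if not hmac.compare_digest(pw_hash, _hash_password(password, salt)):
        return None
    return registered_name


def authenticate(msg: FirstMessage) -> str:
    """S104/S106: returns "AUTH_OK" (the second message) or a failure code."""
    if msg.card_name is None:
        # The typed factor alone is never sufficient: a phone holding only the
        # ID and password (the lost-phone case in the text) stops here.
        return "FAIL_MISSING_CARD"
    registered_name = lookup_record(msg.user_id, msg.password)
    if registered_name is None:
        return "FAIL_NO_RECORD"
    # S4: the record was found; compare it with the second authentication information.
    if hmac.compare_digest(registered_name.encode(), msg.card_name.encode()):
        return "AUTH_OK"
    return "FAIL_MISMATCH"
```

The failure codes are distinct here only for the reader; a deployed server would return the same generic failure to the client for all of them.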
Optionally, in view of a requirement for higher security, in embodiments of the present invention step S104 may further include:
S6: verifying the first authentication information and/or the second authentication information according to a preset rule;
S8: if the verification succeeds, judging whether the first authentication information matches the second authentication information.
That is, in embodiments of the present invention, before judging whether the first authentication information matches the second authentication information, the first authentication information and/or the second authentication information may first be verified, and the matching judgment is performed only after the verification succeeds. As one feasible verification method, in embodiments of the present invention step S6 may include:
S10: decrypting third authentication information from the first message using a preset key; if the decrypted third authentication information is identical to or corresponds to the first authentication information and/or the second authentication information, judging that the first authentication information and/or the second authentication information is verified successfully; or
S12: decrypting the first authentication information and/or the second authentication information using a preset key; if the decrypted first authentication information and/or the decrypted second authentication information is identical to or corresponds to fourth authentication information carried in the first message, judging that the first authentication information and/or the second authentication information is verified successfully.
In embodiments of the present invention, the first authentication information and/or the second authentication information may be verified in a manner similar to SDA (static data authentication). Taking as an example the verification of bank user information that is stored in the IC card issued by the bank and serves as the second authentication information, the bank user information can first be decrypted using the issuer public key index carried together with it in the first message, where the specific decryption procedure may be: 1) decrypting the issuer public key in the public key index using the public key of the certificate authority (CA) in the public key index; 2) decrypting the bank user information using the issuer public key. Here the issuer public key index may also be regarded as part of the card-swipe information serving as the second authentication information; that is, the third authentication information may also be contained in the first or second authentication information and carried in the first message, but the present invention does not limit this.
Of course, this is only one feasible manner and not the only implementation of the present invention. For example, similarly, in embodiments of the present invention the first authentication information and/or the second authentication information may also be verified in the manner of dynamic data authentication (DDA), which is not described in detail here.
Optionally, in embodiments of the present invention, before step S104 the above authentication method may further include:
S14: receiving a third message requesting binding, sent by any client including the above client, the third message carrying the first authentication information and the second authentication information;
S16: storing the first authentication information and the second authentication information obtained from the third message, and marking the stored first authentication information and second authentication information as corresponding to each other.
In this way, a user can complete the binding of the first authentication information and the second authentication information on the server side in advance through any client: on receiving the third message requesting binding, the server obtains the first authentication information and the second authentication information from the third message, stores them locally and marks the two as corresponding, so that when the user later provides the first authentication information and the second authentication information through the same client or another client, the server can judge that the two match and return a result indicating successful authentication.
Optionally, in embodiments of the present invention, after step S14 and before step S102, the above method may further include:
S18: sending to a corresponding device a fourth message requesting registration of the user, the fourth message carrying the first authentication information and/or the second authentication information;
S20: receiving the registration result returned by the corresponding device and sending it to the client.
In some embodiments of the invention, a client can complete both the binding on the authentication server side and the registration at the corresponding device within a single request and response: in step S18, after receiving the third message requesting binding, the server forwards to the corresponding device a fourth message that carries the first authentication information and/or the second authentication information and requests the corresponding device to register the user; in step S20 the server receives the registration result returned by the corresponding device and may also forward the registration result to the client, thereby completing user registration and the binding of the authentication information together.
The above examples describe the technical solution of the present invention schematically; it should be understood that the specific embodiments of the present invention are not limited to the manners provided in the above embodiments. For example, for the flow in which the user registers with the corresponding device, steps S18 and S20 are not essential: in some embodiments of the invention the client may also interact directly with the corresponding device to complete registration, and the client or the corresponding device then notifies the authentication server to bind the registered user information and card-swipe information; or, in other embodiments, after the server has obtained authorization, the above indication information need not be carried in the above third message, and the server instead proceeds with the registration operation automatically after receiving the bind request sent by the client, in which case the server may send the first authentication information and/or the second authentication information to the corresponding device as data trusted by the corresponding device, and the corresponding device completes registration and returns the registration result. It should be understood that such similar implementations do not affect the implementation of the technical solution of the present invention or the realization of its technical effects, and the present invention does not limit them in any way.
Embodiment 2
According to an embodiment of the present invention, a data access method is further provided; as shown in Fig. 2, the method includes:
S202: when the client needs to access target data, obtaining first authentication information and second authentication information corresponding to the user of the client, wherein the first authentication information includes input information of the user and the second authentication information includes card-swipe information of the user;
S204: sending to a server a first message requesting authentication of the user, the first message carrying the first authentication information and the second authentication information, so that the server, when it judges that the first authentication information matches the second authentication information, returns to the client a second message indicating successful authentication;
S206: when the second message is received, sending to a corresponding device a message requesting access to the target data.
It should be clear that one of the problems the embodiments of the present invention aim to solve is to provide a method by which the client can authenticate its user and then, after successful authentication, access the target data the user requires. The target data generally belongs to protected data content; specifically, it may be a web page stored on a web server, a data record stored on a database server, or another data resource stored on a corresponding device connected to the network. Accordingly, the operation of the user, or of the client, accessing the target data may concretely take the form of logging in to a website, confirming a payment, accessing a resource, and so on; the present invention does not limit this in any way.
Specifically, in embodiments of the present invention, the above client may refer to a physical device connected to the server that requests authentication and related services from the server, for example a PC as a fixed terminal or a smartphone or tablet as a mobile terminal; it may also refer to a client application, together with its system, running on such a physical device, for example a login client issued to the user by a banking system. This does not affect the understanding or implementation of the technical solution of the present invention or the realization of its technical effects, and the present invention does not limit it. Correspondingly, in embodiments of the present invention the above server may represent a physical device that provides the above authentication and related services to the client and its user; the present invention likewise does not limit the specific form of this device or its connections to devices other than the above client. For example, besides providing the authentication service, the server may itself act as a client for other services and may have data connections with other servers that provide other services.
It is worth noting that in embodiments of the present invention, the object of authentication in the above access method is generally the user of the client; that is, in practical applications the authentication processing performed by the method is not limited to a particular client device or client application, and the user as the object of authentication may choose any feasible device or application to complete authentication.
To provide the above authentication function when accessing data, existing schemes generally implement user authentication by having the background server or database server of the corresponding device, such as a bank, verify the combination of user ID and password uploaded by the client. On the one hand this avoids the security problems caused by authenticating the user locally on the client, and on the other hand it facilitates back-end management. But in application scenarios with higher requirements on security protection, relying solely on the combination of user ID and password still makes it difficult to ensure safety and reliability: for example, there exist third-party tools that crack user IDs and passwords by enumeration, and in cases such as a user accidentally losing a notebook or mobile phone on which the user ID and password are recorded, the user ID and password themselves are likely to be leaked in various ways. To solve this problem, one existing scheme has the background server of the corresponding device, such as the bank, send a verification code over the wireless communication network to the mobile phone or mailbox registered by the user, and confirm successful authentication only after receiving the same verification code entered by the user into the client. However, this approach still has a potential security risk: when the user accidentally loses the mobile phone serving as the above client, and the user ID and password used for authentication are stored on that phone, then whoever picks up the lost phone can still complete user authentication using only that phone, and the authenticated user is not the registered user.
Based on the above problems, embodiments of the present invention, on the one hand, authenticate the user of the client by judging whether the first authentication information and the second authentication information sent by the client match, and access the target data after successful authentication; on the other hand, the client obtains the first authentication information and the second authentication information through different information acquisition channels. Specifically, the first authentication information received by the authentication server may be input information entered by the user into the client, such as a user ID, password, two-dimensional code or fingerprint, and the second authentication information received may be card-swipe information acquired by the client through the user's card-swipe operation, such as static data stored in an IC card or a key fob. In this way, because the user must provide card-swipe information in addition to input information when authenticating through the mobile terminal serving as the client, the security problem faced by the user after accidentally losing the mobile terminal is overcome, the security and reliability of the authentication system are improved, and the technical problem of insufficient security in existing user authentication schemes, as well as the further resulting problem that the target data is not protected, is solved.
The technical solution of the present invention and its operating principle are described below with reference to the drawings and embodiments.
In the access method provided according to the embodiment of the present invention, in step S202, when the client needs to access target data, the client can obtain the first authentication information and the second authentication information corresponding to its user, where the first authentication information may include the user's input information and the second authentication information may include the user's card-swipe information.
In embodiments of the present invention, the client may generally be a mobile terminal such as a smartphone or tablet. Owing to the portability of a mobile terminal, the user can interact with the server through the mobile terminal serving as client at any time and place, so that authentication and the subsequent access to target data can be completed through the mobile terminal, and subsequent operations carried out according to the authentication result and/or data access result presented in the user interface of the mobile terminal. This does not limit the present invention, however; for example, in some embodiments of the invention the user may also complete access to target data through a fixed terminal, such as in a scenario where the user makes an online payment through a PC, where authentication of the user and access to the data of the payment platform can be completed through the PC serving as the client. This does not affect the implementation of the technical solution of the present invention or the realization of its technical effects, and it should be understood that similar implementations that are equivalent to or simple variants of the present invention are regarded as falling within its scope of protection.
Specifically, in embodiments of the present invention, the first authentication information may be the user's input information. The input information may include at least one of the following: user ID, password, verification code, fingerprint information, voice information, facial feature information, etc. The carrier of the input information may also take various forms, for example text information such as letters, digits and strings, graphical information such as a two-dimensional code, or inherent physiological characteristics of a person such as fingerprints, voiceprint, interpupillary distance and facial contour. Correspondingly, the input unit used by the client to obtain the input information may include at least one of: mouse, keyboard, touch screen, scanner, camera, fingerprint sensor, voice sensor, etc. The present invention does not limit any of these.
In addition, in embodiments of the present invention, the second authentication information may be the user's card-swipe information. The card-swipe information may also take various forms; most typically, it may include the same kinds of information content that the input information described above may include, the difference being that the card-swipe information comes from an information carrier held by the user, such as an IC card, key fob or radio-frequency chip, whose stored information can be "swiped" out wirelessly. Correspondingly, the specific communication method used to swipe the information may be selected from various methods known to those skilled in the art; most typically NFC or other RFID techniques may be used, and the present invention does not limit this. In general, in embodiments of the present invention, when providing an authentication service to a banking system, the card-swipe information already stored in the IC card issued by the banking system can be used; for example, for an IC card using the SDA authentication mode, the information stored in the IC card may include IC card user information, static data to be verified, the issuer public key index, etc., and one or more of these items stored in the IC card can be selected as the second authentication information to participate in the authentication processing shown in the embodiments of the present invention.
In the above scenario, because the client obtains the first authentication information and the second authentication information through different channels, the risk that may exist when authentication information is obtained through only a single channel is limited, and the subsequent matching judgment performed by the server between the first authentication information and the second authentication information can yield a more reliable authentication result, thereby improving the security and reliability of the authentication system.
On the basis of the above description, in the access method provided according to the embodiment of the present invention, in step S204 a first message requesting authentication of the user can be sent to the server, the first message carrying the first authentication information and the second authentication information, so that the server returns to the client a second message indicating successful authentication when it judges that the two match. Then, in step S206, when the second message is received, the client can send to the corresponding device a message requesting access to the above target data; this message may also carry the first authentication information and/or the second authentication information, and the corresponding device may then further verify the access rights of the client and its user based on the first authentication information and/or the second authentication information, so that the client successfully accesses the target data.
For example, suppose a user has lost a mobile phone on which the user name and password for mobile payment are recorded, but has not lost the IC card that is required for authentication and was bound in advance by the user to that user name and password. Under a traditional authentication scheme, whether payment authentication is passed directly using the user name and password or in combination with a mobile phone verification code, an authentication result that is factually wrong cannot be avoided, causing the client to mistakenly confirm a payment. With an authentication system employing the access method of the embodiment of the present invention, however, even someone who picks up the lost phone still cannot pass user authentication, which improves the security of the user information, the security and reliability of the authentication system, and the security of the payment-related data serving as target data, and reduces the user's security risk.
Specifically, in embodiments of the present invention, the first message may generally be embodied as an HTTP message, but the present invention does not limit this in any way; for example, in some embodiments of the invention the first message may also be embodied as an FTP message, or another feasible message or packet in a file transfer format, as long as the server can correctly recognize the first message and the information content it carries. Similar explanations apply to the second message, the third message, etc. described in the embodiments of the present invention, and are not repeated here. It should also be noted that the terms "first", "second", etc. used in the embodiments of the present invention serve only to distinguish items in the description and to aid understanding of the invention, and should not be misinterpreted as limiting the order, position, importance or other relational attributes of multiple elements.
It should be noted that in embodiments of the present invention, the server providing the authentication service may be set up by the provider of a data management service, such as a banking system, where the data management service represents the data service requested by the client and its user after successful authentication; alternatively, the authentication server may be provided by a third-party operator, such as a partner of the banking system that specializes in providing authentication services, and the partner may cooperate with more than one bank or data platform and provide the authentication service to multiple parties. The present invention does not limit this.
On the other hand, the server may provide the authentication service on its own, or provide it jointly with multiple node servers in the manner of distributed data management, depending on the processing and storage resources the authentication service requires. For example, for a small-scale authentication system, the number of clients connected to the server and of users it serves is relatively small and the amount of authentication information to be managed is relatively limited, so the storage of authentication information and the processing of authentication information can be completed by the same server; for a large-scale authentication system, the number of clients connected to the server and of users it serves is relatively large and the amount of authentication information to be managed is also huge, in which case the processing capacity and storage resources a single server can provide may be insufficient, so the authentication service may also be provided through a distributed architecture, where the server interacting directly with the client may be a data warehouse server holding metadata information, through which access to the authentication information stored on multiple data storage nodes is realized. The present invention does not limit this either.
Further, in embodiments of the present invention, other feasible technical means known to those skilled in the art may be combined to further improve data security; for example, while the server receives the first message sent by the client as described in step S202, the SSL protocol or the TLS protocol may be combined to improve the security and reliability of the data transfer. It should be understood that such extensions of the embodiments of the present invention are still regarded as falling within its scope of protection.
Specifically, in embodiments of the present invention, the specific manner in which the server judges whether the first authentication information matches the second authentication information may take various forms. Typically, in embodiments of the present invention, the judging operation performed by the server may include:
S22: searching the prestored records for a data record corresponding to the first authentication information;
S24: if the data record found is identical to or corresponds to the second authentication information, judging that the first authentication information matches the second authentication information.
Taking payment authentication as an example, in one embodiment the user input information serving as the first authentication information may be the user ID at the paying bank entered by the user into the client, and the card-swipe information serving as the second authentication information may be the name of the registered user stored in the IC card issued by the paying bank. Then, in step S2, the user name in the data record corresponding to the user ID can be looked up in the prestored records, and in step S4 the user name found can be compared with the name stored in the IC card; if they are identical, authentication is judged successful, otherwise authentication is judged to have failed.
Of course, this is only one example and does not limit the present invention. For example, in some embodiments whether the first authentication information and the second authentication information match may be judged without looking up and comparing data records as described above; for instance, the first authentication information may be processed by calculation or decryption using an agreed operator or key, and the result of the calculation or decryption compared with the second authentication information, and so on.
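The matching judgment of steps S2/S4 (Embodiment 1) and S22/S24 (Embodiment 2), worked through as an added Python example that is not part of the patent: a prestored record is looked up by the first authentication information (the bank user ID) and its bound name is compared with the name read from the IC card. The prestored records, the agreed key and the keyed-derivation variant of the "agreed operator or key" alternative are constructed here for illustration.

```python
import hashlib
import hmac

# Constructed prestored records (what the binding step S16 would leave on the
# server): first authentication information -> bound data record.
PRESTORED_RECORDS = {
    "bank-user-1001": {"card_holder_name": "ZHANG SAN"},
    "bank-user-1002": {"card_holder_name": "LI SI"},
}

# Constructed "agreed key" for the keyed variant described after S4/S24.
AGREED_KEY = b"constructed-agreed-key-for-illustration"


def lookup_record(first_auth_info, records=PRESTORED_RECORDS):
    """Step S2 / S22: find the prestored record for the first authentication information."""
    return records.get(first_auth_info)


def is_match(first_auth_info, second_auth_info, records=PRESTORED_RECORDS):
    """Steps S2+S4 / S22+S24: look up by user ID, then compare the bound name with the
    name swiped from the IC card. An unknown user ID fails closed; the comparison is
    constant-time so that a mismatch does not leak which characters differed."""
    record = lookup_record(first_auth_info, records)
    if record is None:
        return False
    return hmac.compare_digest(
        record["card_holder_name"].encode("utf-8"),
        second_auth_info.encode("utf-8"),
    )


def derive_card_value(first_auth_info, key=AGREED_KEY):
    """Keyed variant: the value personalised onto the card is a keyed derivation of the
    first authentication information (HMAC-SHA256, 32 bytes); nothing is looked up."""
    return hmac.new(key, first_auth_info.encode("utf-8"), hashlib.sha256).digest()


def is_match_by_key(first_auth_info, second_auth_info_bytes, key=AGREED_KEY):
    """Recompute the derivation with the agreed key and compare it with the card value.
    This is the 'calculate with an agreed operator or key, then compare' alternative."""
    return hmac.compare_digest(derive_card_value(first_auth_info, key), second_auth_info_bytes)


if __name__ == "__main__":
    print("lookup match:", is_match("bank-user-1001", "ZHANG SAN"))          # True
    print("wrong card:", is_match("bank-user-1001", "LI SI"))                # False
    card_value = derive_card_value("bank-user-1002")
    print("keyed match:", is_match_by_key("bank-user-1002", card_value))     # True
```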
Optionally, in view of a requirement for higher security, in embodiments of the present invention step S204 may further include:
S26: encrypting, using a preset key, third authentication information that is identical to or corresponds to the first authentication information and/or the second authentication information;
S28: sending to the server the first message carrying the encrypted third authentication information.
That is, in embodiments of the present invention, the client can carry third authentication information corresponding to the first authentication information and/or the second authentication information in the first message sent to the server, so that the server, before judging whether the first authentication information matches the second authentication information, can first verify the first authentication information and/or the second authentication information according to the third authentication information, and perform the matching judgment only after the verification succeeds. Correspondingly, as one feasible verification method, the verification operation performed by the server may include:
S30: decrypting the third authentication information from the first message using the preset key; if the decrypted third authentication information is identical to or corresponds to the first authentication information and/or the second authentication information, judging that the first authentication information and/or the second authentication information is verified successfully; or
S32: decrypting the first authentication information and/or the second authentication information using the preset key; if the decrypted first authentication information and/or the decrypted second authentication information is identical to or corresponds to fourth authentication information carried in the first message, judging that the first authentication information and/or the second authentication information is verified successfully.
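The preset-key verification of steps S26/S28 on the client and S10/S30 on the server (and, with the roles of the encrypted and clear copies swapped, S12/S32), as an added Python example that is not part of the patent. The patent names no cipher; the stdlib-only construction used here (SHA-256 counter keystream plus an HMAC tag) is a stand-in for the preset-key cipher, and the key and message values are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32
SEPARATOR = "\x1f"  # unit separator, so first and second info cannot be re-split


def _keystream(key, nonce, length):
    """Deterministic keystream: SHA-256(key || nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_with_preset_key(key, plaintext):
    """Returns nonce || ciphertext || tag. The tag binds nonce and ciphertext so a
    modified blob is rejected before anything is compared."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_with_preset_key(key, blob):
    """Returns the plaintext, or None if the blob is malformed or the tag fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected_tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def build_first_message(preset_key, first_auth_info, second_auth_info):
    """Client side, S26/S28: the third authentication information is the pair
    (first, second) encrypted under the preset key, carried alongside the clear copies."""
    third = encrypt_with_preset_key(
        preset_key, (first_auth_info + SEPARATOR + second_auth_info).encode("utf-8")
    )
    return {"first": first_auth_info, "second": second_auth_info, "third": third}


def verify_first_message(preset_key, message):
    """Server side, S10/S30: decrypt the third authentication information and require it
    to equal the clear first and second information. Only then does S104 proceed to the
    matching judgment."""
    plain = decrypt_with_preset_key(preset_key, message["third"])
    if plain is None:
        return False
    expected = (message["first"] + SEPARATOR + message["second"]).encode("utf-8")
    return hmac.compare_digest(plain, expected)


if __name__ == "__main__":
    key = b"constructed-32-byte-preset-key!!"  # constructed; provisioned out of band
    msg = build_first_message(key, "bank-user-1001", "ZHANG SAN")
    print("genuine message verifies:", verify_first_message(key, msg))            # True
    altered = dict(msg, second="LI SI")  # clear copy altered in transit
    print("altered clear copy verifies:", verify_first_message(key, altered))     # False
```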
In embodiments of the present invention, the first authentication information and/or the second authentication information may be verified in a manner similar to SDA (static data authentication). Taking as an example the verification of bank user information that is stored in the IC card issued by the bank and serves as the second authentication information, the bank user information can first be decrypted using the issuer public key index carried together with it in the first message, where the specific decryption procedure may be: 1) decrypting the issuer public key in the public key index using the CA public key in the public key index; 2) decrypting the bank user information using the issuer public key. Here the issuer public key index may also be regarded as part of the card-swipe information serving as the second authentication information; that is, the third authentication information may also be contained in the first or second authentication information and carried in the first message, but the present invention does not limit this.
Of course, this is only one feasible manner and not the only implementation of the present invention. For example, similarly, in embodiments of the present invention the first authentication information and/or the second authentication information may also be verified in the manner of DDA, which is not described in detail here.
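The two-step SDA-like verification described in Embodiment 1 and again above (recover the issuer public key under the CA public key found via the public key index, then recover the bank user information under the issuer public key), as an added Python example that is not part of the patent or of the EMV specification. Toy RSA keys built from Mersenne primes, the CA public key index table and the card contents are all constructed for illustration; a real issuer certificate recovers the key data itself rather than a hash, and real keys would be generated properly.

```python
import hashlib


def _rsa_keypair(p, q, e=65537):
    """Toy RSA key pair from two constructed primes: (n, e) public, (n, d) private."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


# Constructed key pairs. 2^521-1, 2^607-1, 2^127-1 and 2^1279-1 are Mersenne primes,
# so the moduli are genuine RSA moduli large enough to hold a SHA-256 digest.
CA_PUBLIC, CA_PRIVATE = _rsa_keypair((1 << 521) - 1, (1 << 607) - 1)
ISSUER_PUBLIC, ISSUER_PRIVATE = _rsa_keypair((1 << 127) - 1, (1 << 1279) - 1)

# Constructed CA public key index: the table the verifier holds, keyed by index byte.
CA_PUBLIC_KEY_INDEX = {0x01: CA_PUBLIC}


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def _sign(private_key, data):
    """'Encrypt' the hash of data under the private key (SDA-style signature)."""
    n, d = private_key
    return pow(_digest_int(data), d, n)


def _recover(public_key, signature):
    """'Decrypt' a signature with the public key, giving back the hash integer."""
    n, e = public_key
    return pow(signature, e, n)


def encode_public_key(public_key):
    n, e = public_key
    return f"{n}:{e}".encode("ascii")


def personalise_card(bank_user_info):
    """Constructed card contents: CA index, issuer public key with its CA-signed
    certificate, and the bank user information with its issuer signature."""
    return {
        "ca_public_key_index": 0x01,
        "issuer_public_key": ISSUER_PUBLIC,
        "issuer_certificate": _sign(CA_PRIVATE, encode_public_key(ISSUER_PUBLIC)),
        "bank_user_info": bank_user_info,
        "signed_user_info": _sign(ISSUER_PRIVATE, bank_user_info),
    }


def verify_card_data(card):
    """Step 1: recover the issuer public key certificate under the CA public key selected
    by the index. Step 2: recover the bank user information under the issuer public key.
    Both must check out, otherwise the second authentication information is rejected."""
    ca_public = CA_PUBLIC_KEY_INDEX.get(card["ca_public_key_index"])
    if ca_public is None:
        return False  # unknown CA index: nothing to trust the issuer key with
    issuer_public = card["issuer_public_key"]
    if _recover(ca_public, card["issuer_certificate"]) != _digest_int(encode_public_key(issuer_public)):
        return False  # issuer key not certified by this CA
    return _recover(issuer_public, card["signed_user_info"]) == _digest_int(card["bank_user_info"])


if __name__ == "__main__":
    card = personalise_card(b"ZHANG SAN")
    print("genuine card:", verify_card_data(card))                                   # True
    print("edited name:", verify_card_data(dict(card, bank_user_info=b"LI SI")))     # False
```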
Optionally, in embodiments of the present invention, before step S202 the above access method may further include:
S34: any client, including the above client, obtaining the first authentication information and the second authentication information;
S36: the any client sending to the server a third message requesting binding, the third message carrying the first authentication information and the second authentication information.
In this way, a user can complete the binding of the first authentication information and the second authentication information on the server side in advance through any client: after receiving the third message requesting binding, the server obtains the first authentication information and the second authentication information from the third message, stores them locally and marks the two as corresponding, so that when the user later provides the first authentication information and the second authentication information through the same client or another client, the server can judge that the two match and return a result indicating successful authentication.
Optionally, in embodiments of the present invention, step S36 may further include:
S38: sending to the server a third message carrying indication information, where the indication information is used to cause the server to send to the corresponding device a fourth message requesting registration of the user; and
after step S36, the above access method may further include:
S40: the any client receiving the registration result returned by the server and/or the corresponding device.
In some embodiments of the invention, a client can complete both the binding on the authentication server side and the registration at the corresponding device within a single request and response: through step S38, after receiving the third message requesting binding, the server forwards to the corresponding device a fourth message that carries the first authentication information and/or the second authentication information and requests the corresponding device to register the user, then receives the registration result returned by the corresponding device and forwards it to the client; the client can then receive, through step S40, the registration result returned by the server and/or the corresponding device, thereby completing user registration and the binding of the authentication information together.
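The combined bind-and-register exchange of steps S14 to S20 (server side) and S34 to S40 (client side), followed by a later authentication from a different client, as an added Python example that is not part of the patent. The three parties are in-memory stand-ins with constructed message formats; only the sequencing of third, fourth and first messages follows the text.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class CorrespondingDevice:
    """Constructed stand-in for the corresponding device (e.g. the bank's back end)."""
    registered_users: dict = field(default_factory=dict)

    def handle_fourth_message(self, msg):
        """S18 (device side): register the user named in the fourth message."""
        if msg.get("type") != "register" or not msg.get("first"):
            return {"type": "registration_result", "ok": False}
        self.registered_users[msg["first"]] = msg.get("second")
        return {"type": "registration_result", "ok": True}


@dataclass
class AuthServer:
    device: CorrespondingDevice
    bound: dict = field(default_factory=dict)  # S16: first -> second, marked as corresponding

    def handle_third_message(self, msg):
        """S14/S16: store and bind; with the S38 indication also do S18/S20."""
        if msg.get("type") != "bind" or not msg.get("first") or not msg.get("second"):
            return {"type": "bind_result", "ok": False}
        self.bound[msg["first"]] = msg["second"]
        result = {"type": "bind_result", "ok": True}
        if msg.get("indication") == "register":
            fourth = {"type": "register", "first": msg["first"], "second": msg["second"]}
            result["registration_result"] = self.device.handle_fourth_message(fourth)
        return result

    def handle_first_message(self, msg):
        """S102/S104: match against the bound record; returns the second message."""
        stored = self.bound.get(msg.get("first"))
        ok = stored is not None and hmac.compare_digest(
            stored.encode("utf-8"), msg.get("second", "").encode("utf-8")
        )
        return {"type": "auth_result", "ok": ok}


@dataclass
class Client:
    name: str
    server: AuthServer

    def bind(self, first, second, register=True):
        """S34/S36 (+S38): send the third message; the reply is the S40 result."""
        third = {"type": "bind", "first": first, "second": second}
        if register:
            third["indication"] = "register"
        return self.server.handle_third_message(third)

    def authenticate(self, first, second):
        """S204: send the first message and return the server's second message."""
        return self.server.handle_first_message({"type": "auth", "first": first, "second": second})


def run_flow():
    """Bind from one client, then authenticate from another, as the text allows."""
    device = CorrespondingDevice()
    server = AuthServer(device)
    phone, pc = Client("phone", server), Client("pc", server)
    bind_result = phone.bind("bank-user-1001", "ZHANG SAN")
    good = pc.authenticate("bank-user-1001", "ZHANG SAN")
    bad = pc.authenticate("bank-user-1001", "LI SI")
    return bind_result, good, bad, device.registered_users


if __name__ == "__main__":
    for item in run_flow():
        print(item)
```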
By above example, technical solution of the present invention is schematically described, it should be understood that, this The specific embodiment of invention is not limited in the mode that above-described embodiment is provided.For example, for user to corresponding equipment For the flow of registration, above-mentioned steps S38 and S40 it is not necessary to, such as, in some embodiments of the invention, client End directly can also interact to complete registration with corresponding equipment, then notify certification by client or the corresponding equipment The user profile and card using information of server binding registration, or, in further embodiments, after server is obtained and authorized, Above-mentioned configured information can not also be carried in above-mentioned 3rd message, but after the bind request for receiving client transmission certainly It is dynamic to proceed registration operation, and then the server can be using the first authentication information and/or the second authentication information as corresponding The data is activation that equipment is trusted is completed to register and return the result of registration to corresponding equipment by corresponding equipment.Should Understand, similar implementation method can't influence the realization of the implementation and its technique effect of technical solution of the present invention, this hair It is bright that this is not also limited in any way.
Embodiment 3
According to an embodiment of the present invention, a server for implementing the user authentication method described in Embodiment 1 is further provided. As shown in Figure 3, the server includes:
1) a first receiving unit 302, configured to receive a first message sent by a client requesting authentication of the client's user, where the first message carries first authentication information and second authentication information corresponding to the user, the first authentication information including input information of the user and the second authentication information including card information of the user;
2) a judging unit 304, configured to judge whether the first authentication information matches the second authentication information;
3) a first sending unit 306, configured to send a second message indicating successful authentication to the client when the first authentication information matches the second authentication information.
It will be clear that one problem to be solved by embodiments of the present invention is to provide a server that can authenticate a client or its user. Here "client" may refer to the physical device that connects to the server and requests authentication and related services from it, for example a PC as a fixed terminal or a smartphone or tablet as a mobile terminal; it may also refer to a client application running on such a physical device and its system, such as a login client distributed to the user by a banking system. This does not affect the understanding or implementation of the technical solution of the invention or the realization of its technical effects, and the invention is not limited in this respect.
It is worth noting that, in embodiments of the present invention, the object of the authentication processing described above is, in the ordinary sense, the user of the client; that is, in practical applications, the authentication processing performed by the server is not limited to a particular client device or client application, and the user who is the object of authentication can choose any feasible device or application to complete authentication.
Further, in embodiments of the present invention, the authentication processing described above can generally be incorporated into a more complete operating flow. For example, the operating flow can be a complete payment process into which the authentication processing is added as one step, or a login process for a protected website into which the authentication processing is added as one step. In general, the invention does not limit the specific application environment of the server provided by the embodiment or of the functional module implementing the authentication processing; in fact, based on the interaction interfaces provided by the first receiving unit 302 and the first sending unit 306, execution logic suited to the server or functional module can easily be designed before and after it in the complete operating flow so as to use the authentication result produced by the authentication processing. It is therefore to be understood that similar implementations based on the embodiments of the invention fall within the protection scope of the invention.
To provide the authentication function described above, existing schemes generally have the background server or database server of the corresponding device, such as a bank, verify the combination of user ID and password uploaded by the client. On the one hand, this avoids the security problems that may arise if the client authenticated the user locally; on the other hand, it makes back-end management convenient. However, in application scenarios with higher security requirements, relying on a user ID plus password alone is still hard to make safe and reliable: there exist third-party tools that crack user IDs and passwords by enumeration, and where the user accidentally loses a notebook or mobile phone on which the user ID and password are recorded, the user ID and password themselves may be leaked in various ways. To address this, one existing scheme has the background server of the corresponding device, such as a bank, send a verification code over a wireless communication network to the mobile phone or mailbox registered by the user, and confirms successful user authentication once the user enters the same verification code into the client. This approach still has a potential safety hazard: if the user accidentally loses the mobile phone serving as the client and the user ID and password used for authentication are stored on that phone, then another person who picks up the lost phone can still complete user authentication using only that phone, and the authenticated user is not the registered user.
Based on the above problem, embodiments of the present invention on the one hand authenticate the user of the client by judging whether the first authentication information and the second authentication information sent by the client match, and on the other hand have the client obtain the first authentication information and the second authentication information through different information acquisition channels. Specifically, the first authentication information received by the authentication server can be input information entered by the user into the client, such as a user ID, password, two-dimensional code or fingerprint, and the second authentication information received can be card information obtained by the client when the user swipes a card, such as static data stored in an IC card or a key-fob card. In this way, because the user must provide the card information in addition to the input information when authenticating through a mobile terminal serving as the client, the security problem faced after the user accidentally loses the mobile terminal is overcome, the safety and reliability of the authentication system are improved, and the technical problem of insufficient security in existing user authentication schemes is solved.
The technical solution of the present invention and its operating principle are described below with reference to the drawings and embodiments.
In the server provided according to the embodiment of the present invention, the authentication server can receive, through the first receiving unit 302, the first message sent by the client requesting authentication of the client's user.
In general, in embodiments of the present invention, the server providing the authentication service can be set up by the provider of the data management service, such as a banking system, where the data management service denotes the data service that the client and its user request after successful authentication. Alternatively, the authentication server can be provided by a third-party operator, such as a partner of the banking system that specializes in providing authentication services; such a partner may also cooperate with more than one bank or data platform and provide authentication services to multiple parties. The invention is not limited in this respect.
On the other hand, the server can provide the authentication service alone, or provide it jointly with multiple node servers in a distributed data management manner, depending on the amount of processing and storage resources the authentication service requires. For example, in a small-scale authentication system the number of clients connected to the server and the number of users it serves are relatively small, and the amount of authentication information to be managed is relatively limited, so the storage of authentication information and the processing of authentication information can be completed by the same server. In a larger authentication system the number of clients and users is relatively large and the amount of authentication information to be managed is also large; in that situation the processing capability and storage resources a single server can provide may be insufficient, so the authentication service can also be provided through a distributed architecture, where the server that interacts directly with the client can be a data warehouse server holding metadata information, through which access to the authentication information stored across multiple data storage nodes is realized. The invention is not limited in this respect.
On the other hand, in embodiments of the present invention, the client can generally be a mobile terminal, such as a smartphone or tablet. Because a mobile terminal is portable, the user can interact with the server through the mobile terminal serving as the client at any time and place, complete authentication and the subsequent access to the target data through the mobile terminal, and then carry out subsequent operations according to the authentication result and/or data access result presented in the mobile terminal's user interface. This does not constitute a limitation on the invention: for example, in some embodiments the user can also complete access to the target data through a fixed terminal, as in a scenario where the user makes an online payment through a PC, in which access to the user's authentication and to the payment platform's related data can be completed through the PC serving as the client. This does not affect the implementation of the technical solution of the invention or the realization of its technical effects, and it should be understood that similar equivalent transformations or obvious modifications belonging to the invention fall within its protection scope.
In addition, in embodiments of the present invention, the first message can generally be embodied as an HTTP message, but the invention places no limitation on this; for example, in some embodiments the first message can also be embodied as an FTP message or any other feasible message conforming to a message or file transfer format, provided that the server can correctly recognize the first message and the information content it carries. Correspondingly, the second message, the third message and so on described in the embodiments are subject to the same explanation, which is not repeated here. It should also be noted that "first", "second" and so on in the embodiments serve only to distinguish items in the description for ease of understanding, and should not be misread as imposing a relation such as order, position or importance on multiple elements.
On the basis of the above description, as stated for the first receiving unit 302, the first message can carry first authentication information and second authentication information corresponding to the user, where the first authentication information can include the user's input information and the second authentication information can include the user's card information.
Specifically, in embodiments of the present invention, the first authentication information can be the user's input information, which can include at least one of the following: user ID, password, verification code, fingerprint information, voice information, facial feature information, etc. The carrier of the input information can also take various forms, for example text information including letters, digits and character strings, graphical information such as a two-dimensional code, or some intrinsic physiological characteristics of a person such as fingerprint, voiceprint, interpupillary distance or facial contour. Accordingly, the input unit used by the client to obtain the input information can include at least one of the following: mouse, keyboard, touch screen, scanner, camera, fingerprint sensor, voice sensor, etc. The invention is not limited in any of these respects.
On the other hand, in embodiments of the present invention, the second authentication information can be the user's card information. The card information can also take various forms; most typically it can include the same kinds of information content as the input information described above, the difference being that the card information comes from an information carrier held by the user, such as an IC card, key-fob card or radio-frequency chip, whose stored information can be "swiped" out wirelessly. Accordingly, the specific communication method used to swipe the information can be chosen from various methods known to those skilled in the art; most typically NFC or other RFID technologies can be used, and the invention is not limited in this respect. In general, when an embodiment of the invention provides an authentication service oriented toward a banking system, the card information already stored in the IC card issued by the banking system can be used. For example, for an IC card employing the SDA authentication mode, the information present on the IC card can include IC card user information to be verified, static data and the issuer public key index, and one or more of these can be selected as the second authentication information taking part in the authentication processing shown in the embodiment.
In the above scenario, because the client obtains the first authentication information and the second authentication information through different channels, the risk that may exist when authentication information is obtained through only a single channel is limited, and a more reliable authentication result can be drawn from the matching judgment between the first authentication information and the second authentication information performed by the judging unit 304, thereby improving the safety and reliability of the authentication system. Further, in embodiments of the present invention, other feasible technical means known to those skilled in the art can be combined to further improve data security; for example, while the server described for the first receiving unit 302 receives the first message sent by the client, the SSL or TLS protocol can be combined to improve the safety and reliability of data transmission. It should be understood that similar extensions of the embodiments of the invention are still regarded as within the protection scope of the invention.
On the basis of the above description, the server provided according to the embodiment of the present invention can, through the judging unit 304, after the first authentication information and the second authentication information have been received by the first receiving unit 302, further judge whether the first authentication information matches the second authentication information, and then, through the first sending unit 306, determine that authentication succeeded when the two are judged to match, and otherwise determine that authentication failed. For example, suppose the user loses a mobile phone on which a payment username and password are recorded, but does not lose the IC card required for authentication, which the user bound in advance to that username and password. With a traditional authentication scheme, whether the payment platform authenticates directly with the username and password or combines that with a mobile phone verification code, an authentication result that is factually wrong cannot be avoided; with an authentication system employing the server of the embodiment of the invention, however, even a person who picks up the lost phone still cannot pass user authentication, which improves the security of user information and the reliability of the authentication system.
Specifically, in embodiments of the present invention, the judging unit 304 can judge whether the first authentication information matches the second authentication information in various ways. Usually, the judging unit 304 can include:
1) a lookup submodule, configured to look up, among pre-stored records, the data record corresponding to the first authentication information;
2) a third judging submodule, configured to judge that the first authentication information matches the second authentication information when the data record found is identical or corresponds to the second authentication information.
Taking payment authentication as an example, in one embodiment the user's input information serving as the first authentication information can be the user ID of the paying bank entered by the user into the client, and the card information serving as the second authentication information can be the name of the registered user stored on the IC card issued by the paying bank. The lookup submodule then searches the pre-stored records for the user name in the data record corresponding to that user ID, and the third judging submodule compares the user name found with the name stored on the IC card; if they are identical, authentication succeeds, otherwise authentication fails.
Of course, this is only an example and does not limit the invention. For example, in some embodiments, whether the first authentication information and the second authentication information match need not be judged by looking up and comparing a data record as above; it can also be judged, for instance, by computing on or decrypting the first authentication information with an agreed operator or key and then comparing the computed or decrypted first authentication information with the second authentication information, and so on.
Optionally, in view of higher security requirements, in embodiments of the present invention the judging unit 304 can further include:
1) a verification module, configured to verify the first authentication information and/or the second authentication information according to preset rules;
2) a judging module, configured to judge, when verification succeeds, whether the first authentication information matches the second authentication information.
That is, in embodiments of the present invention, before judging whether the first authentication information matches the second authentication information, the first authentication information and/or the second authentication information can first be verified, and the matching judgment is performed only after verification succeeds. As one feasible verification method, the verification module can include:
1) a first decryption submodule, configured to decrypt third authentication information from the first message using a preset key;
2) a first judging submodule, configured to judge that the first authentication information and/or the second authentication information is verified successfully when the decrypted third authentication information is identical or corresponds to the first authentication information and/or the second authentication information.
Alternatively, as another feasible verification method, the verification module can include:
1) a second decryption submodule, configured to decrypt the first authentication information and/or the second authentication information using a preset key;
2) a second judging submodule, configured to judge that the first authentication information and/or the second authentication information is verified successfully when the decrypted first authentication information and/or the decrypted second authentication information is identical or corresponds to fourth authentication information carried in the first message.
In embodiments of the present invention, the first authentication information and/or the second authentication information can be verified in a manner similar to SDA authentication. Taking as an example the verification of the bank user information stored on the IC card issued by the bank and serving as the second authentication information, the bank user information can first be decrypted using the issuer public key index transmitted along with the first message, where the specific decryption process can be: 1) the CA public key identified by the public key index decrypts the issuer public key; 2) the bank user information is decrypted according to the issuer public key. The issuer public key index can also be regarded as part of the card information serving as the second authentication information; that is, the third authentication information can also be carried in the first message as part of the first or second authentication information, but the invention is not limited in this respect.
Of course, this is only one feasible method and not the only implementation of the invention. For example, in embodiments of the present invention the first authentication information and/or the second authentication information can likewise be verified using DDA, which is not described further here.
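The two-step decryption chain described above (CA public key selected by the issuer public key index recovers the issuer public key, which in turn recovers the card's signed data) is shown below as an added example that is not code from the patent or from any EMV implementation. It uses textbook RSA with toy-sized constructed primes and a hash-then-sign form in place of the signature-with-message-recovery used by real SDA; the key table, message field names and sample static data are assumptions made for the example. The server's preset keys are the CA public keys; the verification module recovers the third authentication information from the first message and the first judging submodule compares it with the second authentication information.

```python
import hashlib

E = 65537  # public exponent used by all toy keys (assumption)


def _h(data: bytes, n: int) -> int:
    """SHA-256 of the data, reduced below the modulus so it can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def _keypair(p: int, q: int):
    """Textbook RSA key from two primes: returns ((n, e), d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), pow(E, -1, phi)


def _sign(data: bytes, priv_d: int, n: int) -> int:
    return pow(_h(data, n), priv_d, n)


def _recover(sig: int, pub) -> int:
    """'Decrypt' a signature with the public key; returns the signed hash value."""
    n, e = pub
    return pow(sig, e, n)


def _encode_pub(pub) -> bytes:
    n, e = pub
    return n.to_bytes(16, "big") + e.to_bytes(4, "big")


# Server-side preset keys: CA public keys selected by the issuer public key index.
# Constructed toy primes; real CA keys are far larger.
CA_PUB, CA_PRIV = _keypair(1299709, 2147483647)
CA_PUBLIC_KEYS = {0x01: CA_PUB}


def issue_card(card_static: bytes) -> dict:
    """Card personalisation (issuer side, shown only to build sample data): the CA
    certifies the issuer public key, and the issuer signs the card's static data.
    Returns what the card later presents through the client."""
    issuer_pub, issuer_priv = _keypair(15485863, 32452843)  # constructed toy primes
    return {
        "ca_index": 0x01,
        "issuer_cert": {"pub": issuer_pub,
                        "sig": _sign(_encode_pub(issuer_pub), CA_PRIV, CA_PUB[0])},
        "signed_static": _sign(card_static, issuer_priv, issuer_pub[0]),
    }


def verify_second_auth(card: dict, second_auth: bytes) -> bool:
    """Verification module: the first decryption submodule recovers the third
    authentication information (the signed static-data hash) through the preset key
    chain; the first judging submodule checks it against the second authentication
    information. Any break in the chain fails closed."""
    ca_pub = CA_PUBLIC_KEYS.get(card["ca_index"])
    if ca_pub is None:
        return False  # unknown index: no preset key to decrypt with
    cert = card["issuer_cert"]
    if _recover(cert["sig"], ca_pub) != _h(_encode_pub(cert["pub"]), ca_pub[0]):
        return False  # issuer certificate was not signed by the selected CA
    third_auth = _recover(card["signed_static"], cert["pub"])
    return third_auth == _h(second_auth, cert["pub"][0])


def run_verification() -> dict:
    static = b"CARDHOLDER=ZHANG SAN;PAN=0000-SAMPLE"  # constructed sample static data
    card = issue_card(static)
    bad_index_card = dict(card, ca_index=0x07)  # index absent from the preset table
    return {
        "genuine": verify_second_auth(card, static),
        "altered_static": verify_second_auth(card, b"CARDHOLDER=LI SI;PAN=0000-SAMPLE"),
        "unknown_ca_index": verify_second_auth(bad_index_card, static),
    }
```

The private keys appear only in `issue_card`, which stands in for card personalisation; the authentication server needs nothing beyond the CA public key table, which is what makes the preset key a public value that can be distributed to every node of a distributed deployment.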
Optionally, in embodiments of the present invention, the server described above can further include:
1) a second receiving unit, configured to receive a third message requesting binding, sent by any client including the client described above, where the third message carries the first authentication information and the second authentication information;
2) a memory cell, configured to store the first authentication information and the second authentication information obtained from the third message and to mark the stored first authentication information and second authentication information as corresponding.
In this way, the user can bind the first authentication information and the second authentication information on the server side in advance through any client: on receiving the third message requesting the binding, the server extracts the first authentication information and the second authentication information from the third message, stores them locally and marks the two as corresponding to each other, so that when the user later provides the first authentication information and the second authentication information through the same client or another client, the server can determine that the two match and return a result indicating successful authentication.
Optionally, in embodiments of the present invention, the server described above can further include:
1) a second sending unit, configured to send a fourth message requesting registration of the user to the corresponding device, where the fourth message carries the first authentication information and/or the second authentication information;
2) a third receiving unit, configured to receive the registration result returned by the corresponding device and send it to the client.
In some embodiments of the invention, the client can complete both the binding on the authentication server side and the registration at the corresponding device in a single request and response. Through the second sending unit, after receiving the third message requesting the binding, the server forwards to the corresponding device a fourth message that carries the first authentication information and/or the second authentication information and requests that the corresponding device register the user; through the third receiving unit it receives the registration result returned by the corresponding device and can then forward the registration result to the client, so that the user registration and the binding of the authentication information are completed together.
The above examples describe the technical solution of the present invention schematically; it should be understood that the specific embodiments of the invention are not limited to the manner provided in the above embodiments. For example, the second sending unit and the third receiving unit are not necessary for the flow in which the user registers with the corresponding device. In some embodiments, the client can interact directly with the corresponding device to complete registration, after which the client or the corresponding device notifies the authentication server to bind the registered user information and card information. In other embodiments, once the server has obtained authorization, the third message need not carry the indication information; instead, the server automatically proceeds with the registration operation after receiving the binding request sent by the client, sending the first authentication information and/or the second authentication information to the corresponding device as data trusted by that device, and the corresponding device completes the registration and returns the registration result. It should be understood that such similar implementations do not affect the implementation of the technical solution of the invention or the realization of its technical effects, and the invention places no limitation on this.
Embodiment 4
According to an embodiment of the present invention, a client for implementing the data access method described in Embodiment 2 is further provided. As shown in Figure 4, the client includes:
1) a first acquisition unit 402, configured to obtain, when the target data needs to be accessed, first authentication information and second authentication information corresponding to the user of the client, where the first authentication information includes the user's input information and the second authentication information includes the user's card information;
2) a first sending unit 404, configured to send to the server a first message requesting authentication of the user, where the first message carries the first authentication information and the second authentication information, so that the server returns to the client a second message indicating successful authentication when it judges that the first authentication information matches the second authentication information;
3) a second sending unit 406, configured to send a message requesting access to the target data to the corresponding device when the second message is received.
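The full exchange between the three parties, as an added example that is not code from the patent: the server side implements the judging unit 304 (lookup submodule plus third judging submodule) and the second receiving unit and memory cell that store the binding from the third message; the client side implements units 402, 404 and 406 of this embodiment, sending the access request to the corresponding device only after the second message reports success. The record layout, message field names, the salted password hash and the HMAC token by which the corresponding device recognises a successful authentication are assumptions made for the example (the text does not say how the corresponding device establishes that trust); all sample values are constructed.

```python
import hashlib
import hmac
import os


class AuthServer:
    """Server side (Embodiment 3). The memory cell keeps one record per user ID and the
    judging unit consults it. Record layout, password hashing and the access token are
    assumptions made for this example."""

    def __init__(self, token_key: bytes):
        self.records = {}           # user_id -> {"salt", "pw_hash", "card_static"}
        self.token_key = token_key  # shared with the corresponding device (assumption)

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        # Store a salted PBKDF2 hash rather than the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def handle_third_message(self, msg: dict) -> dict:
        """Second receiving unit + memory cell: store the first and second authentication
        information carried by the binding request and mark them as corresponding."""
        first, second = msg["first_auth"], msg["second_auth"]
        salt = os.urandom(16)
        self.records[first["user_id"]] = {
            "salt": salt,
            "pw_hash": self._hash_password(first["password"], salt),
            "card_static": second["card_static"],
        }
        return {"type": "bind_result", "ok": True}

    def handle_first_message(self, msg: dict) -> dict:
        """Judging unit 304: the lookup submodule fetches the pre-stored record for the
        first authentication information; the third judging submodule compares it with the
        second authentication information. The reply is the second message."""
        first, second = msg["first_auth"], msg["second_auth"]
        record = self.records.get(first["user_id"])
        if record is None:
            return {"type": "second_message", "ok": False, "token": None}
        pw_ok = hmac.compare_digest(
            record["pw_hash"], self._hash_password(first["password"], record["salt"]))
        card_ok = hmac.compare_digest(record["card_static"], second["card_static"])
        # Both factors are always evaluated, so the reply does not reveal which one failed.
        ok = pw_ok and card_ok
        token = self._issue_token(first["user_id"]) if ok else None
        return {"type": "second_message", "ok": ok, "token": token}

    def _issue_token(self, user_id: str) -> str:
        return hmac.new(self.token_key, user_id.encode("utf-8"), "sha256").hexdigest()


class CorrespondingDevice:
    """Stand-in for the device holding the target data (e.g. the bank's web or database
    server). It serves an access request only when it carries a token the authentication
    server issued."""

    def __init__(self, token_key: bytes):
        self.token_key = token_key

    def handle_access(self, msg: dict) -> dict:
        expected = hmac.new(self.token_key, msg["user_id"].encode("utf-8"), "sha256").hexdigest()
        if hmac.compare_digest(msg.get("token") or "", expected):
            return {"type": "access_result", "ok": True, "data": "target-data-sample"}
        return {"type": "access_result", "ok": False, "data": None}


def auth_payload(user_id: str, password: str, card_static: bytes) -> dict:
    """Client side: the input information comes from the keyboard channel and the card
    information from the NFC/RFID channel; both travel in the same message."""
    return {"first_auth": {"user_id": user_id, "password": password},
            "second_auth": {"card_static": card_static}}


def client_access_flow(server, device, user_id, password, card_static) -> dict:
    """Embodiment 4: unit 402 gathers the two factors, unit 404 sends the first message,
    unit 406 sends the access request to the corresponding device only after the second
    message reports success."""
    first_msg = dict(auth_payload(user_id, password, card_static), type="first_message")
    second_msg = server.handle_first_message(first_msg)
    if not second_msg["ok"]:
        return {"authenticated": False, "data": None}
    access = device.handle_access(
        {"type": "access_request", "user_id": user_id, "token": second_msg["token"]})
    return {"authenticated": True, "data": access["data"]}


def run_scenario() -> dict:
    """Bind once, then try the situations the text discusses. All values are constructed."""
    key = os.urandom(32)
    server, device = AuthServer(key), CorrespondingDevice(key)
    card = b"STATIC-DATA:ZHANG SAN;0000SAMPLE"
    bound = server.handle_third_message(
        dict(auth_payload("u1001", "s3cret", card), type="third_message"))
    return {
        "bound": bound["ok"],
        "genuine": client_access_flow(server, device, "u1001", "s3cret", card),
        # lost phone: the finder has the stored ID and password but no card to swipe
        "lost_phone": client_access_flow(server, device, "u1001", "s3cret", b""),
        "wrong_password": client_access_flow(server, device, "u1001", "guess", card),
        "unknown_user": client_access_flow(server, device, "u9999", "s3cret", card),
        # access request that skips the server: no token, so the device refuses
        "no_token": device.handle_access(
            {"type": "access_request", "user_id": "u1001", "token": None})["ok"],
    }
```

The token here is a bare HMAC over the user ID so the exchange stays short; a deployment would add an expiry and a per-authentication nonce so that a captured second message cannot be reused, and would carry all three messages over TLS as the text suggests.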
It will be clear that one problem to be solved by embodiments of the present invention is to provide a client that can authenticate its user and then, after authentication succeeds, access the target data the user requires. The target data generally belongs to protected data content; specifically, it can be a web page stored on a web server, a data record stored on a database server, or another data resource stored on a corresponding device connected to the network. Accordingly, the operation by which the user, or in other words the client, accesses the target data can take the concrete form of logging in to a website, confirming a payment, accessing a resource, and so on; the invention is not limited in this respect.
Specifically, in embodiments of the present invention, "client" may refer to the physical device that connects to the server and requests authentication and related services from it, for example a PC as a fixed terminal or a smartphone or tablet as a mobile terminal; it may also refer to a client application running on such a physical device and its system, such as a login client distributed to the user by a banking system. This does not affect the understanding or implementation of the technical solution of the invention or the realization of its technical effects, and the invention is not limited in this respect. Correspondingly, in embodiments of the present invention, "server" can denote the physical device that provides the above authentication and related services to the client and its user; the invention likewise does not limit the specific form of that device or its connection relationships with devices other than the client. For example, besides providing the authentication service, the server can also act as a client of other services and have data connections with other servers that provide those services.
It is worth noting that, in embodiments of the present invention, the object of the authentication processing described above is generally the user of the client; that is, in practical applications, the authentication processing performed by the client and the server is not limited to a particular client device or client application, and the user who is the object of authentication can choose any feasible device or application to complete authentication.
To provide the authentication function described above when data is accessed, existing schemes generally have the background server or database server of the corresponding device, such as a bank, verify the combination of user ID and password uploaded by the client. On the one hand, this avoids the security problems that may arise if the client authenticated the user locally; on the other hand, it makes back-end management convenient. However, in application scenarios with higher security requirements, relying on a user ID plus password alone is still hard to make safe and reliable: there exist third-party tools that crack user IDs and passwords by enumeration, and where the user accidentally loses a notebook or mobile phone on which the user ID and password are recorded, the user ID and password themselves may be leaked in various ways. To address this, one existing scheme has the background server of the corresponding device, such as a bank, send a verification code over a wireless communication network to the mobile phone or mailbox registered by the user, and confirms successful user authentication once the user enters the same verification code into the client. This approach still has a potential safety hazard: if the user accidentally loses the mobile phone serving as the client and the user ID and password used for authentication are stored on that phone, then another person who picks up the lost phone can still complete user authentication using only that phone, and the authenticated user is not the registered user.
Based on the above problem, embodiments of the present invention on the one hand authenticate the user of the client by judging whether the first authentication information and the second authentication information sent by the client match, and access the target data after authentication succeeds; on the other hand, they have the client obtain the first authentication information and the second authentication information through different information acquisition channels. Specifically, the first authentication information received by the authentication server can be input information entered by the user into the client, such as a user ID, password, two-dimensional code or fingerprint, and the second authentication information received can be card information obtained by the client when the user swipes a card, such as static data stored in an IC card or a key-fob card. In this way, because the user must provide the card information in addition to the input information when authenticating through a mobile terminal serving as the client, the security problem faced after the user accidentally loses the mobile terminal is overcome, the safety and reliability of the authentication system are improved, and thereby the technical problem of insufficient security in existing user authentication schemes, and the resulting problem of the target data being insufficiently protected, are solved.
The technical solution of the present invention and its operating principle are described below with reference to the drawings and embodiments.
In the client provided according to an embodiment of the present invention, the first acquisition unit 402 obtains, when the user (or the client) needs to access the target data, the first authentication information and the second authentication information corresponding to the user, where the first authentication information may include the user's input information and the second authentication information may include the user's card-swipe information.
In embodiments of the present invention the client is generally a mobile terminal such as a smartphone or tablet. Because a mobile terminal is portable, the user can interact with the server through it anywhere and at any time, so authentication and the subsequent access to the target data can be completed on the mobile terminal, and follow-up operations can be performed according to the authentication result and/or data access result presented in the terminal's user interface. This does not limit the present invention: in some embodiments the user may also access the target data through a fixed terminal. For example, when the user makes an online payment through a PC, both the authentication of the user and the access to the payment platform's data can be completed through the PC as the client, which does not affect the implementation of the technical solution or the realisation of its technical effect. Similar implementations that are equivalent to or substantial variants of the present invention should be regarded as within its scope of protection.
Specifically, the first authentication information may be the user's input information, which may include at least one of: a user ID, a password, a verification code, fingerprint information, voice information and facial feature information. The carrier of the input information may also vary: it may be text such as letters, digits or character strings; graphical information such as a two-dimensional (QR) code; or intrinsic physiological characteristics of a person such as a fingerprint, voiceprint, interpupillary distance or facial contour. Correspondingly, the input unit used by the client to obtain the input information may include at least one of: a mouse, a keyboard, a touch screen, a scanner, a camera, a fingerprint sensor, a voice sensor, and the like. The present invention does not limit any of these.
In addition, the second authentication information may be the user's card-swipe information, which may likewise take various forms. Most typically, the card-swipe information may include the same kinds of content that the input information described above may include; the difference is that the card-swipe information comes from an information carrier held by the user, such as an IC card, a key-fob card or a radio-frequency chip, whose stored content can be "swiped" out wirelessly. The communication method used for swiping may be selected from the various ways known to those skilled in the art, most typically NFC or another RFID technology; the present invention does not limit this. Generally, when providing an authentication service to a banking system, the card-swipe information already present in an IC card issued by that banking system may be used. For example, for an IC card using the SDA authentication mode, the information in the card may include IC card user information, static data to be verified, an issuer public key index, and so on, and one or more of these items may be selected as the second authentication information to take part in the authentication processing described in the embodiments.
In this scenario, because the client obtains the first authentication information and the second authentication information through different channels, the risk that may exist when authentication information is obtained through a single channel alone is limited, so the matching judgment that the server subsequently performs between the first and second authentication information yields a more reliable authentication result, improving the security and reliability of the authentication system.
On this basis, the client provided according to the embodiment can, through the first transmitting unit 404, send the server a first message requesting authentication of the user; the first message may carry the first authentication information and the second authentication information so that the server, on judging that the two match, returns to the client a second message indicating successful authentication. Then, through the second transmitting unit 406, the client can, on receiving the second message, send the corresponding device a message requesting access to the target data. This message may also carry the first authentication information and/or the second authentication information, so that the corresponding device can further confirm the access rights of the client and its user on the basis of the first and/or second authentication information, allowing the client to access the target data successfully.
For example, suppose the user loses the mobile phone on which the mobile-payment username and password are recorded, but does not lose the IC card that the user bound in advance as corresponding to that username and password and that authentication requires. Under a traditional authentication scheme, whether payment authentication uses the username and password directly or combines them with a mobile-phone verification code, a factually wrong authentication result cannot be avoided, and the client then confirms the payment in error. With an authentication system that employs the client of the embodiment, however, even someone who picks up the lost phone still cannot complete user authentication. This improves the security of the user's information and the reliability of the authentication system, improves through user authentication the security of the payment-related data that is the target data, and reduces the user's security risk.
Specifically, the first message is generally an HTTP message, but the present invention does not limit this; in some embodiments the first message may also be an FTP message, or any other feasible message or message in a file-transfer format, provided the server can correctly recognise the first message and the information it carries. The same explanation applies to the second message, the third message, and so on, and is not repeated here. It should also be noted that "first", "second", and so on in the embodiments serve only to distinguish items in the description and to aid understanding, and should not be read as limiting the order, position, importance or other relational attributes of the elements.
It should be noted that the server providing the authentication service may be set up by the provider of the data management service, such as the banking system, where the data management service is the data service that the client and its user request after successful authentication; alternatively, the authentication server may be provided by a third-party operator, such as a partner of the banking system that specialises in providing authentication services. The partner may also cooperate with more than one bank or data platform and provide authentication services to several parties; the present invention does not limit this.
On the other hand, the server may provide the authentication service alone, or may provide it jointly with several node servers using distributed data management, depending on the processing and storage resources the authentication service requires. For a small authentication system, the number of connected clients and served users is relatively small and the amount of authentication information to manage is limited, so the storage and processing of authentication information can be done by the same server. For a larger system, the numbers of connected clients and users are larger and the amount of authentication information is correspondingly huge, so the processing capacity and storage that a single server provides may be insufficient; the authentication service can then be provided through a distributed architecture, in which the server that interacts directly with the client may be a data warehouse server holding metadata, which in turn accesses the authentication information stored in multiple data storage nodes. The present invention does not limit this.
Further, other feasible technical means known to those skilled in the art may be combined to improve data security further; for example, when the server receives the first message sent by the client as described for the first acquisition unit 402, the SSL protocol or the TLS protocol may be used to improve the security and reliability of data transmission. Similar extensions of the embodiments should still be regarded as within the scope of protection of the present invention.
Specifically, the server may judge whether the first authentication information matches the second authentication information in various ways. Usually, the server may include:
1) a lookup submodule, for looking up, in the prestored records, the data record corresponding to the first authentication information;
2) a third judging submodule, for judging that the first authentication information matches the second authentication information when the data record found is identical or corresponds to the second authentication information.
Taking payment authentication as an example, in one embodiment the user's input information serving as the first authentication information may be the user ID of the paying bank entered by the user at the client, and the card-swipe information serving as the second authentication information may be the name of the registered user stored in the IC card issued by the paying bank. Then in step S2, the data record corresponding to the user ID is looked up in the prestored records and the user name in it is obtained, and in step S4 the user name found is compared with the name stored in the IC card; authentication succeeds if they are identical, otherwise it fails.
Of course, this is only one example and does not limit the present invention. In some embodiments, whether the first and second authentication information match may be judged without looking up and comparing data records as above; for example, an agreed operator or key may be applied to compute on or decrypt the first authentication information, and the result is then compared with the second authentication information, and so on.
Optionally, considering higher security requirements, the first transmitting unit 404 may also include:
1) an encryption module, for encrypting with a preset key a third authentication information that is identical or corresponds to the first authentication information and/or the second authentication information;
2) a second sending module, for sending the server the first message carrying the encrypted third authentication information.
That is, the client may carry the third authentication information, corresponding to the first and/or second authentication information, in the first message sent to the server, so that before judging whether the first and second authentication information match, the server can first verify the first and/or second authentication information against the third authentication information and perform the matching judgment only after verification succeeds. Correspondingly, as one feasible verification method, the server connected to the client may include:
1) a first decryption submodule, for decrypting the third authentication information from the first message with the preset key;
2) a first judging submodule, for judging that the first and/or second authentication information is verified successfully when the decrypted third authentication information is identical or corresponds to the first and/or second authentication information.
Alternatively, as another feasible verification method, the server may include:
1) a second decryption submodule, for decrypting the first authentication information and/or the second authentication information with the preset key;
2) a second judging submodule, for judging that the first and/or second authentication information is verified successfully when the decrypted first and/or second authentication information is identical or corresponds to a fourth authentication information carried in the first message.
In embodiments of the present invention, the first and/or second authentication information may be verified in a manner similar to SDA authentication. For example, to verify bank user information stored in a bank-issued IC card and serving as the second authentication information, the bank user information may first be decrypted using the issuer public key index carried in the same first message, specifically: 1) the CA public key in the public key index decrypts the issuer public key in the public key index; 2) the bank user information is decrypted according to the issuer public key. The issuer public key index may also be regarded as part of the card-swipe information that is the second authentication information; that is, the third authentication information may also be carried in the first message as part of the first or second authentication information, but the present invention does not limit this.
Of course, this is only one feasible method and not the only implementation of the present invention. Similarly, the first and/or second authentication information may be verified using DDA, which is not detailed here.
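The following is an added example, not code from the patent, showing in Python how the lookup-and-compare matching (steps S2 and S4 above) can sit behind a preset-key verification of the first message (the encryption module, first decryption submodule and first judging submodule). The patent only says the third authentication information is "encrypted with a preset key"; this example models that as a keyed MAC over the first and second authentication information, which is an assumption, as are the record contents, the key and the message layout. It does not model the SDA public-key chain.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed pre-shared "preset key" known to the client's encryption module
# and the server's decryption submodule. Not a value from the patent.
PRESET_KEY = b"constructed-preset-key-0123456789"

# Constructed prestored records: user ID entered at the client (first
# authentication information) -> registered name as stored in the IC card
# (second authentication information).
PRESTORED_RECORDS = {"user-1001": "ZHANG SAN"}


def _canonical(first: dict, second: dict) -> bytes:
    # Canonical JSON so client and server MAC byte-identical input.
    return json.dumps({"first": first, "second": second},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_third_auth_info(preset_key: bytes, first: dict, second: dict) -> str:
    """Client encryption module, modelled as HMAC-SHA256: the third authentication
    information is bound to both the first and the second authentication information,
    so neither can be altered in transit without the preset key."""
    return hmac.new(preset_key, _canonical(first, second), hashlib.sha256).hexdigest()


def build_first_message(preset_key: bytes, first: dict, second: dict) -> dict:
    """Second sending module: the first message carries first, second and third info."""
    return {"first": first, "second": second,
            "third": make_third_auth_info(preset_key, first, second)}


def verify_first_message(preset_key: bytes, message: dict) -> bool:
    """First decryption/judging submodules: recompute the third authentication
    information from what the message carries and compare in constant time."""
    expected = make_third_auth_info(preset_key, message["first"], message["second"])
    carried = message.get("third", "")
    return isinstance(carried, str) and hmac.compare_digest(expected, carried)


def server_handle_first_message(preset_key: bytes, message: dict,
                                records: Optional[dict] = None) -> str:
    """Verification precedes the matching judgment (claim 2): only a message whose
    third authentication information checks out reaches the lookup submodule."""
    records = PRESTORED_RECORDS if records is None else records
    if not verify_first_message(preset_key, message):
        return "verification failure"
    # Step S2: lookup submodule fetches the record for the user ID.
    registered_name = records.get(message["first"].get("user_id"))
    # Step S4: third judging submodule compares it with the name from the card.
    # An unknown user ID is treated exactly like a mismatch.
    if registered_name is not None and hmac.compare_digest(
            registered_name.encode("utf-8"),
            str(message["second"].get("name")).encode("utf-8")):
        return "second message: authentication success"
    return "authentication failure"
```

The constant-time comparisons matter because the name lookup is keyed by an attacker-chosen user ID: a plain string comparison would let timing reveal how many leading characters of the registered name were guessed correctly.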
Optionally, before the first acquisition unit 402 operates, the client may also include:
1) a second acquisition unit, for obtaining the first authentication information and the second authentication information in advance;
2) a third transmitting unit, for sending the server a third message requesting binding, the third message carrying the first authentication information and the second authentication information.
In this way, the user can bind the first and second authentication information on the server side in advance through any client: after receiving the third message requesting binding, the server obtains the first and second authentication information from it, stores them locally and marks them as corresponding, so that when the user later provides the first and second authentication information through the same or another client, the server can judge that they match and return an authentication success result.
Optionally, the third transmitting unit may also include:
1) a first sending module, for sending the server a third message carrying indication information, the indication information being for making the server send the corresponding device a fourth message requesting registration of the user;
and the client may also include:
1) a receiving unit, for receiving the registration result returned by the server and/or the corresponding device.
In some embodiments, the client can complete both the binding on the authentication server side and the registration with the corresponding device in a single request and response: through the first sending module in the client, the server, after receiving the third message requesting binding, forwards to the corresponding device a fourth message that carries the first and/or second authentication information and requests the device to register the user, then receives the registration result returned by the corresponding device and forwards it to the client; the client receives, through the receiving unit, the registration result returned by the server and/or the corresponding device, thereby completing user registration and the binding of authentication information together.
The above examples describe the technical solution schematically; the specific embodiments are not limited to the manner they provide. For example, in the flow of registering the user with the corresponding device, the first sending module and the receiving unit are not strictly necessary: in some embodiments the client may interact directly with the corresponding device to complete registration, after which the client or the corresponding device notifies the authentication server of the user information and card-swipe information to bind for the registration; in other embodiments, after the server has obtained authorisation, the third message need not carry the indication information, and the server automatically continues with the registration operation on receiving the binding request from the client, sending the first and/or second authentication information to the corresponding device as data trusted by that device so that it completes registration and returns the registration result. Similar implementations do not affect the implementation of the technical solution or the realisation of its technical effect, and the present invention does not limit them.
Embodiment 5
According to an embodiment of the present invention, an authentication system is also provided; as shown in Fig. 5, the system includes:
1) the server described in Embodiment 3;
2) one or more clients described in Embodiment 4, having a data connection with the server.
In this embodiment, when one or more of clients 504, 506 and 508 need to access target data, each can send server 502 a first message requesting authentication of its user. Server 502 then authenticates the user of client 504 by performing the matching judgment between the first and second authentication information in the first message received from client 504, and after successful authentication returns the authentication result to client 504 so that it can access the target data; the authentication of the users of clients 506 and 508 is completed in a similar way.
Further, to make server 502's management and handling of first messages from multiple clients more efficient, each authentication request from the different clients, and successive requests from the same client, can be distinguished by a session identification code, each of these requests being assigned a unique session identification code so as to avoid mismatched responses.
In addition, the system may also include server 510, which may be a data server managing the target data, as distinct from server 502 providing the authentication service. The present invention does not limit the concrete form of servers 502 and 510 or clients 504, 506 and 508, which should be understood as any devices having the functions above.
As can be seen, in embodiments of the present invention, the user of the client is authenticated by judging whether the first authentication information and the second authentication information sent by the client match, the target data is accessed after successful authentication, and the client obtains the first authentication information (input information such as a user ID, password, QR code or fingerprint) and the second authentication information (card-swipe information such as static data stored in an IC card or key-fob card) through different information acquisition channels. Because the user must provide card-swipe information in addition to input information when authenticating through the mobile terminal that serves as the client, the security problem faced after the mobile terminal is accidentally lost is overcome, the security and reliability of the authentication system are improved, and the technical problem of insufficient security in existing user authentication schemes, together with the resulting insufficient protection of the target data, is solved.
The server, the clients and their interactions in the above authentication system are described in detail below with reference to Fig. 6 and a more specific embodiment.
As shown in Fig. 6, in this embodiment a mobile banking application runs in the operating system of the user's smartphone. The mobile banking application can interact both with the auxiliary authentication front-end that provides the authentication service and with the mobile banking backend that provides the data access service, so that the user can complete authentication and access payment-related data, i.e. complete the mobile payment, through the application. The mobile banking application runs on the smartphone as the client, the auxiliary authentication front-end may be maintained on a server provided by a third party, and the mobile banking backend may be maintained on the mobile banking backend provided by the bank. The financial IC card shown in Fig. 6 may be provided by the bank, and the IC card and the mobile banking backend may directly reuse the bank's existing financial IC card and the issuer's existing mobile banking backend respectively.
Specifically, when the user wants to complete a payment through the smartphone, the interaction between the devices and the applications running on them may proceed as follows:
S602: the mobile banking application obtains the login information for the mobile banking backend entered by the user and prompts the user to present the card;
S604: the user selects "read card" in the mobile banking application, causing the smartphone to read the card information in the financial IC card;
S606: the phone reads, via its NFC function, the card verification management (CVM) information, the issuer public key index and the data participating in SDA from the financial IC card held close to it;
S608: the mobile banking application sends the login information entered by the user and the SDA data read from the card to the auxiliary authentication front-end;
S610: the auxiliary authentication front-end verifies the SDA data and, after successful verification, obtains the card number from the SDA data;
S612: it judges, according to the login information, whether the card number is the one bound at user registration; if so, authentication succeeds, otherwise it fails;
S614: the auxiliary authentication front-end returns the authentication result to the mobile banking application;
S616: the mobile banking application judges from the CVM information whether the financial IC card supports DDA; if so, it proceeds to step S618, otherwise to step S628;
S618: DDA authentication is requested from the financial IC card;
S620: the phone reads the authentication data participating in DDA from the IC card via its NFC function;
S622: the mobile banking application uploads the authentication data to the auxiliary authentication front-end;
S624: the auxiliary authentication front-end decrypts the IC card certificate using the issuer certificate and verifies the DDA authentication data;
S626: the auxiliary authentication front-end returns the DDA authentication result to the mobile banking application;
S628: if the authentication result is success, the login information is sent to the mobile banking backend;
S630: the mobile banking backend returns the login response result to the mobile banking application.
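The following is an added example, not code from the patent or from any bank's system, that simulates the S602 to S630 exchange in Python with three parties: the IC card, the auxiliary authentication front-end (which also receives the binding from the earlier registration flow) and the mobile banking backend. Everything cryptographic is an assumption made for the simulation: EMV SDA and DDA use RSA signatures verified through a CA public key index, while here static data carries an HMAC under an issuer key selected by the issuer public key index, the "IC card certificate" is a card key derived from that issuer key, and the DDA challenge is generated by the front-end. Card numbers, keys and logins are constructed.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class FinancialICCard:
    """Constructed stand-in for the bank-issued financial IC card. Its SDA data is
    a record authenticated under the issuer key; its DDA data answers a challenge
    with a card key derived from the issuer key (analogue of the card certificate)."""
    def __init__(self, card_number: str, issuer_index: str, issuer_key: bytes, supports_dda: bool):
        self.card_number = card_number
        self.issuer_index = issuer_index
        self.cvm = {"dda": supports_dda}            # CVM info: does the card support DDA?
        self.sda = {"card_number": card_number, "tag": _mac(issuer_key, card_number.encode())}
        self._card_key = hmac.new(issuer_key, card_number.encode(), hashlib.sha256).digest()

    def read_static(self) -> dict:                   # S606: read over NFC
        return {"cvm": self.cvm, "issuer_index": self.issuer_index, "sda": self.sda}

    def dda_response(self, challenge: bytes) -> dict:   # S618/S620
        return {"challenge": challenge.hex(), "tag": _mac(self._card_key, challenge)}


class AuxiliaryAuthFrontEnd:
    """Third-party authentication server: issuer keys by index, plus the
    login -> card number bindings created by the third message at registration."""
    def __init__(self, issuer_keys: dict):
        self.issuer_keys = issuer_keys
        self.bindings: dict = {}

    def bind(self, login: str, card_number: str) -> None:   # third message requesting binding
        self.bindings[login] = card_number

    def verify_sda(self, login: str, issuer_index: str, sda: dict) -> bool:   # S610-S612
        key = self.issuer_keys.get(issuer_index)
        if key is None:                              # unknown issuer: nothing to verify against
            return False
        if not hmac.compare_digest(_mac(key, sda["card_number"].encode()), sda["tag"]):
            return False                             # static data not authenticated by issuer
        bound = self.bindings.get(login)
        return bound is not None and hmac.compare_digest(bound, sda["card_number"])

    def new_challenge(self) -> bytes:                # fresh per request, so DDA data cannot be replayed
        return secrets.token_bytes(16)

    def verify_dda(self, issuer_index: str, card_number: str, challenge: bytes, data: dict) -> bool:
        key = self.issuer_keys.get(issuer_index)     # S624
        if key is None or data.get("challenge") != challenge.hex():
            return False
        card_key = hmac.new(key, card_number.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(_mac(card_key, challenge), data["tag"])


class MobileBankingBackend:
    def __init__(self, accounts: set):
        self.accounts = accounts

    def login(self, login: str) -> str:              # S630
        return "login ok" if login in self.accounts else "login rejected"


def mobile_banking_app(login: str, card: FinancialICCard,
                       front: AuxiliaryAuthFrontEnd, backend: MobileBankingBackend) -> str:
    static = card.read_static()                                            # S604-S606
    if not front.verify_sda(login, static["issuer_index"], static["sda"]):  # S608-S614
        return "authentication failure"
    if static["cvm"]["dda"]:                                               # S616
        challenge = front.new_challenge()
        response = card.dda_response(challenge)                            # S618-S622
        if not front.verify_dda(static["issuer_index"], static["sda"]["card_number"],
                                challenge, response):                      # S624-S626
            return "DDA failure"
    return backend.login(login)                                            # S628-S630
```

The card number bound at registration is compared against the card number taken from the verified SDA data, never from an unauthenticated field, and the DDA branch only runs when the CVM information says the card supports it, mirroring the S616 decision.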
The present invention has been further explained above with several preferred embodiments, but it should be noted that these preferred embodiments are intended only to describe the invention better and do not improperly limit it.
The foregoing are only preferred embodiments of the present invention and are not intended to limit it; those skilled in the art may make various modifications and variations to the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (21)

1. A user authentication method, characterised in that it comprises:
receiving a first message sent by a client for requesting authentication of a user of the client, the first message carrying a first authentication information and a second authentication information corresponding to the user, wherein the first authentication information comprises input information of the user and the second authentication information comprises card information of the user;
judging whether the first authentication information matches the second authentication information;
if the first authentication information matches the second authentication information, sending to the client a second message for indicating that the authentication succeeded,
wherein the input information of the user comprises at least one of the following information contents: user ID, password, verification code, fingerprint information, voice information, facial topographical information; the card information of the user comprises information contents that are comprised in the input information of the user; and the card information of the user comes from an information carrier held by the user, such as an IC card, a button card or a radio-frequency chip, from which the stored information is "swiped" out wirelessly.
2. The method according to claim 1, characterised in that judging whether the first authentication information matches the second authentication information comprises:
verifying the first authentication information and/or the second authentication information according to a preset rule;
if the verification succeeds, judging whether the first authentication information matches the second authentication information.
3. The method according to claim 2, characterised in that verifying the first authentication information and/or the second authentication information according to the preset rule comprises:
decrypting a third authentication information from the first message using a preset key; if the decrypted third authentication information is identical or corresponding to the first authentication information and/or the second authentication information, judging that the first authentication information and/or the second authentication information is verified successfully; or,
decrypting the first authentication information and/or the second authentication information using a preset key; if the decrypted first authentication information and/or the decrypted second authentication information is identical or corresponding to a fourth authentication information carried in the first message, judging that the first authentication information and/or the second authentication information is verified successfully.
4. The method according to claim 1, characterised in that before judging whether the first authentication information matches the second authentication information, the method further comprises:
receiving a third message for requesting binding sent by any client, including the client, the third message carrying the first authentication information and the second authentication information;
storing the first authentication information and the second authentication information obtained from the third message, and marking the stored first authentication information and second authentication information as corresponding.
5. The method according to claim 4, characterised in that after receiving and storing the first authentication information and the second authentication information sent by any client, including the client, and before receiving the first message sent by the client for requesting authentication of the user of the client, the method further comprises:
sending a fourth message for requesting registration of the user to a corresponding device, the fourth message carrying the first authentication information and/or the second authentication information;
receiving the registration result returned by the corresponding device and sending it to the client.
6. The method according to any one of claims 1 to 5, characterised in that judging whether the first authentication information matches the second authentication information comprises:
searching prestored records for a data record corresponding to the first authentication information;
if the found data record is identical or corresponding to the second authentication information, judging that the first authentication information matches the second authentication information.
7. A data access method, characterised in that it comprises:
when a client needs to access target data, obtaining a first authentication information and a second authentication information corresponding to the user of the client, wherein the first authentication information comprises input information of the user and the second authentication information comprises card information of the user;
sending a first message for requesting authentication of the user to a server, the first message carrying the first authentication information and the second authentication information, so that the server returns to the client a second message for indicating that the authentication succeeded when it judges that the first authentication information matches the second authentication information;
when the second message is received, sending a message for requesting access to the target data to a corresponding device,
wherein the input information of the user comprises at least one of the following information contents: user ID, password, verification code, fingerprint information, voice information, facial topographical information; the card information of the user comprises information contents that are comprised in the input information of the user; and the card information of the user comes from an information carrier held by the user, such as an IC card, a button card or a radio-frequency chip, from which the stored information is "swiped" out wirelessly.
8. The method according to claim 7, characterised in that before the client needs to access the target data, the method further comprises:
any client, including the client, obtaining the first authentication information and the second authentication information;
the any client sending a third message for requesting binding to the server, the third message carrying the first authentication information and the second authentication information.
9. The method according to claim 8, characterised in that
the any client sending the third message for requesting binding to the server comprises: sending to the server the third message carrying indication information, wherein the indication information is used to make the server send a fourth message for requesting registration of the user to a corresponding device;
after the any client sends the third message for requesting binding to the server, the method further comprises: the any client receiving the registration result returned by the server and/or the corresponding device.
10. The method according to any one of claims 7 to 9, characterised in that
obtaining the first authentication information and the second authentication information corresponding to the user of the client comprises: when the client needs to access the target data, prompting the user to input the first authentication information and/or the second authentication information; obtaining the input first authentication information and/or second authentication information; and/or,
sending the first message for requesting authentication of the user to the server comprises: encrypting, using a preset key, a third authentication information that is identical or corresponding to the first authentication information and/or the second authentication information; sending to the server the first message carrying the encrypted third authentication information; and/or,
sending the message for requesting access to the target data to the corresponding device comprises: sending to the corresponding device a message carrying the first authentication information and/or the second authentication information, so that the client successfully accesses the target data.
11. A server, characterised in that it comprises:
a first receiving unit, for receiving a first message sent by a client for requesting authentication of a user of the client, the first message carrying a first authentication information and a second authentication information corresponding to the user, wherein the first authentication information comprises input information of the user and the second authentication information comprises card information of the user;
a judging unit, for judging whether the first authentication information matches the second authentication information;
a first sending unit, for sending to the client a second message for indicating that the authentication succeeded when the first authentication information matches the second authentication information,
wherein the input information of the user comprises at least one of the following information contents: user ID, password, verification code, fingerprint information, voice information, facial topographical information; the card information of the user comprises information contents that are comprised in the input information of the user; and the card information of the user comes from an information carrier held by the user, such as an IC card, a button card or a radio-frequency chip, from which the stored information is "swiped" out wirelessly.
12. The server according to claim 11, characterised in that the judging unit comprises:
a verification module, for verifying the first authentication information and/or the second authentication information according to a preset rule;
a judging module, for judging, when the verification succeeds, whether the first authentication information matches the second authentication information.
13. The server according to claim 12, characterised in that the verification module comprises:
a first decryption submodule, for decrypting a third authentication information from the first message using a preset key; a first judging submodule, for judging that the first authentication information and/or the second authentication information is verified successfully when the decrypted third authentication information is identical or corresponding to the first authentication information and/or the second authentication information; or
a second decryption submodule, for decrypting the first authentication information and/or the second authentication information using a preset key; a second judging submodule, for judging that the first authentication information and/or the second authentication information is verified successfully when the decrypted first authentication information and/or the decrypted second authentication information is identical or corresponding to a fourth authentication information carried in the first message.
14. The server according to claim 11, characterised in that it further comprises:
a second receiving unit, for receiving a third message for requesting binding sent by any client, including the client, the third message carrying the first authentication information and the second authentication information;
a storage unit, for storing the first authentication information and the second authentication information obtained from the third message, and marking the stored first authentication information and second authentication information as corresponding.
15. The server according to claim 14, characterised in that it further comprises:
a second sending unit, for sending a fourth message for requesting registration of the user to a corresponding device, the fourth message carrying the first authentication information and/or the second authentication information;
a third receiving unit, for receiving the registration result returned by the corresponding device and sending it to the client.
16. The server according to any one of claims 11 to 15, characterised in that the judging module of the judging unit comprises:
a search submodule, for searching prestored records for a data record corresponding to the first authentication information;
a third judging submodule, for judging that the first authentication information matches the second authentication information when the found data record is identical or corresponding to the second authentication information.
17. A client, characterised in that it comprises:
a first obtaining unit, for obtaining, when target data needs to be accessed, a first authentication information and a second authentication information corresponding to the user of the client, wherein the first authentication information comprises input information of the user and the second authentication information comprises card information of the user;
a first sending unit, for sending a first message for requesting authentication of the user to a server, the first message carrying the first authentication information and the second authentication information, so that the server returns to the client a second message for indicating that the authentication succeeded when it judges that the first authentication information matches the second authentication information;
a second sending unit, for sending a message for requesting access to the target data to a corresponding device when the second message is received,
wherein the input information of the user comprises at least one of the following information contents: user ID, password, verification code, fingerprint information, voice information, facial topographical information; the card information of the user comprises information contents that are comprised in the input information of the user; and the card information of the user comes from an information carrier held by the user, such as an IC card, a button card or a radio-frequency chip, from which the stored information is "swiped" out wirelessly.
18. The client according to claim 17, characterised in that the client further comprises:
a second obtaining unit, for obtaining the first authentication information and the second authentication information in advance;
a third sending unit, for sending a third message for requesting binding to the server, the third message carrying the first authentication information and the second authentication information.
19. The client according to claim 18, characterised in that
the third sending unit comprises: a first sending module, for sending to the server the third message carrying indication information, wherein the indication information is used to make the server send a fourth message for requesting registration of the user to the corresponding device;
the client further comprises: a receiving unit, for receiving the registration result returned by the server and/or the corresponding device.
20. The client according to any one of claims 17 to 19, characterised in that
the first obtaining unit comprises: a display module, for prompting the user to input the first authentication information and/or the second authentication information when the client needs to access the target data; an obtaining module, for obtaining the input first authentication information and/or second authentication information; and/or,
the first sending unit comprises: an encryption module, for encrypting, using a preset key, a third authentication information that is identical or corresponding to the first authentication information and/or the second authentication information; a second sending module, for sending to the server the first message carrying the encrypted third authentication information; and/or,
the second sending unit comprises: a third sending module, for sending to the corresponding device a message carrying the first authentication information and/or the second authentication information, so that the client successfully accesses the target data.
21. An authentication system, characterised in that it comprises:
a server according to any one of claims 11 to 16;
one or more clients according to any one of claims 17 to 20, which have a data connection with the server.
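As a worked illustration of the bind and authenticate exchange of claims 1 to 10 (mirrored by the units of claims 11 to 20), the following Go program is an added example and not code from the patent or its applicant. The names FirstAuthInfo, CardInfo, AuthRequest, Server, BuildAuthRequest, Bind, Authenticate and Demo are assumptions; the "preset key" of claims 3 and 10 is realised as an AES-256-GCM key shared by client and server, the prestored records of claim 6 are kept as SHA-256 digests, and the user ID, password and card values are constructed sample data.

```go
// Added example, not the patent's code: the names, the AES-GCM "preset key" construction and the sample data are assumptions.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// FirstAuthInfo is the user's input information (claim 1); CardInfo is the second authentication information read from the card.
type FirstAuthInfo struct{ UserID, Password string }
type CardInfo []byte
// AuthRequest is the "first message" of claim 1; Third is the third authentication information of claims 3 and 10, encrypted as nonce || AES-GCM(canonical(First, Card)).
type AuthRequest struct {
	First FirstAuthInfo
	Card  CardInfo
	Third []byte
}

type Server struct {
	presetKey []byte
	records   map[string][32]byte // claim 6: user ID -> sha256(canonical(first, second))
}

// canonical serialises first || second as length-prefixed fields so the encoding is unambiguous.
func canonical(f FirstAuthInfo, c CardInfo) []byte {
	return []byte(fmt.Sprintf("%d:%s,%d:%s,%d:%x", len(f.UserID), f.UserID, len(f.Password), f.Password, len(c), c))
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildAuthRequest is the client side (claims 7 and 10): input and card information plus a copy of both sealed under the preset key.
func BuildAuthRequest(presetKey []byte, f FirstAuthInfo, card CardInfo) (AuthRequest, error) {
	gcm, err := gcmFor(presetKey)
	if err != nil {
		return AuthRequest{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not fail on supported platforms
	return AuthRequest{First: f, Card: card, Third: gcm.Seal(nonce, nonce, canonical(f, card), nil)}, nil
}

// Bind stores the first and second authentication information as corresponding (claim 4).
func (s *Server) Bind(f FirstAuthInfo, card CardInfo) {
	s.records[f.UserID] = sha256.Sum256(canonical(f, card))
}

// Authenticate is the server side (claims 1-3 and 6); true stands for the "second message".
func (s *Server) Authenticate(req AuthRequest) (bool, error) {
	// Claim 3, first alternative: the third authentication information must decrypt under the preset key and equal first || second.
	gcm, err := gcmFor(s.presetKey)
	if err != nil || len(req.Third) < gcm.NonceSize() {
		return false, errors.New("malformed first message")
	}
	plain, err := gcm.Open(nil, req.Third[:gcm.NonceSize()], req.Third[gcm.NonceSize():], nil)
	if err != nil || subtle.ConstantTimeCompare(plain, canonical(req.First, req.Card)) != 1 {
		return false, errors.New("third authentication information failed verification")
	}
	// Claim 6: the prestored record for the first authentication information must correspond to the second.
	rec, ok := s.records[req.First.UserID]
	want := sha256.Sum256(plain)
	if subtle.ConstantTimeCompare(want[:], rec[:]) != 1 || !ok {
		return false, errors.New("first and second authentication information do not match")
	}
	return true, nil
}

// Demo binds a constructed user/card pair, then tries a genuine login, a login with a different card, and a login whose third authentication information was altered in transit.
func Demo() (genuine, wrongCard, tampered bool) {
	key := make([]byte, 32) // preset key shared by client and server
	rand.Read(key)
	srv := &Server{presetKey: key, records: map[string][32]byte{}}
	user, card := FirstAuthInfo{"user-0001", "sample-password"}, CardInfo("ICC-SAMPLE-0001") // constructed
	srv.Bind(user, card)
	good, _ := BuildAuthRequest(key, user, card)
	genuine, _ = srv.Authenticate(good)
	other, _ := BuildAuthRequest(key, user, CardInfo("ICC-SAMPLE-9999"))
	wrongCard, _ = srv.Authenticate(other)
	bad, _ := BuildAuthRequest(key, user, card)
	bad.Third[len(bad.Third)-1] ^= 0x01 // flip one bit of the GCM tag
	tampered, _ = srv.Authenticate(bad)
	return genuine, wrongCard, tampered
}

func main() {
	g, w, t := Demo()
	fmt.Printf("genuine=%v wrongCard=%v tampered=%v\n", g, w, t)
}
```

Two points the claims leave open show up in the code. The encrypted third authentication information only proves that the sender holds the preset key, so the prestored binding of claim 6 is still what rejects a foreign card presented together with a valid password. And nothing in the first message ties it to a session, so a deployment would add a server-issued nonce to the sealed data and would store the password component with a dedicated password hash rather than the plain digest used here.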
CN201410143759.5A 2014-04-10 2014-04-10 Server, client, Verification System and user authentication and data access method Active CN103905457B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410143759.5A CN103905457B (en) 2014-04-10 2014-04-10 Server, client, Verification System and user authentication and data access method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410143759.5A CN103905457B (en) 2014-04-10 2014-04-10 Server, client, Verification System and user authentication and data access method

Publications (2)

Publication Number Publication Date
CN103905457A CN103905457A (en) 2014-07-02
CN103905457B true CN103905457B (en) 2017-06-27

Family

ID=50996611

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410143759.5A Active CN103905457B (en) 2014-04-10 2014-04-10 Server, client, Verification System and user authentication and data access method

Country Status (1)

Country Link
CN (1) CN103905457B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104113552B (en) * 2014-07-28 2017-06-16 百度在线网络技术(北京)有限公司 A kind of platform authorization method, platform service end and applications client and system
CN104113549B (en) * 2014-07-28 2017-07-18 百度在线网络技术(北京)有限公司 A kind of platform authorization method, platform service end and applications client and system
CN104268755A (en) * 2014-09-04 2015-01-07 郑遥 Portable fingerprint card swiping payment system and method
CN105138882B (en) * 2015-07-30 2019-04-09 Oppo广东移动通信有限公司 A kind of terminal unlock method and device
CN105471884B (en) 2015-12-21 2019-05-31 联想(北京)有限公司 A kind of authentication method, server
CN105654295A (en) * 2015-12-29 2016-06-08 中国建设银行股份有限公司 Transaction control method and client
CN108540433B (en) * 2017-03-06 2020-10-27 华为技术有限公司 User identity verification method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101561953A (en) * 2009-05-26 2009-10-21 中山大学 Safe ATM system and operation method thereof
CN101615322A (en) * 2008-06-25 2009-12-30 上海富友网络技术有限公司 Realization has the mobile terminal payment method and system of magnetic payment function
CN101770670A (en) * 2009-01-07 2010-07-07 深圳市江波龙电子有限公司 Mobile payment device and method utilizing mobile payment device to distribute card and realize mobile payment
CN101923660A (en) * 2010-09-07 2010-12-22 谈剑锋 Dynamic password identity authorization system and method based on RFID
CN102103683A (en) * 2009-12-17 2011-06-22 中兴通讯股份有限公司 Method and device for realizing card simulation application of NFC mobile terminal
CN102737308A (en) * 2012-06-08 2012-10-17 中兴通讯股份有限公司 Mobile terminal and method and system for inquiring information of intelligent card
CN102930470A (en) * 2012-09-18 2013-02-13 深圳一卡通新技术有限公司 Mobile phone position based bank card transaction safety pre-warning method
CN103049957A (en) * 2012-12-13 2013-04-17 江苏新彩软件有限公司 NFC-based mobile phone lottery secure transaction and awarding method

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101615322A (en) * 2008-06-25 2009-12-30 上海富友网络技术有限公司 Realization has the mobile terminal payment method and system of magnetic payment function
CN101770670A (en) * 2009-01-07 2010-07-07 深圳市江波龙电子有限公司 Mobile payment device and method utilizing mobile payment device to distribute card and realize mobile payment
CN101561953A (en) * 2009-05-26 2009-10-21 中山大学 Safe ATM system and operation method thereof
CN102103683A (en) * 2009-12-17 2011-06-22 中兴通讯股份有限公司 Method and device for realizing card simulation application of NFC mobile terminal
CN101923660A (en) * 2010-09-07 2010-12-22 谈剑锋 Dynamic password identity authorization system and method based on RFID
CN102737308A (en) * 2012-06-08 2012-10-17 中兴通讯股份有限公司 Mobile terminal and method and system for inquiring information of intelligent card
CN102930470A (en) * 2012-09-18 2013-02-13 深圳一卡通新技术有限公司 Mobile phone position based bank card transaction safety pre-warning method
CN103049957A (en) * 2012-12-13 2013-04-17 江苏新彩软件有限公司 NFC-based mobile phone lottery secure transaction and awarding method

Also Published As

Publication number Publication date
CN103905457A (en) 2014-07-02

Similar Documents

Publication Publication Date Title
CN103905457B (en) Server, client, Verification System and user authentication and data access method
US10708257B2 (en) Systems and methods for using imaging to authenticate online users
US9741033B2 (en) System and method for point of sale payment data credentials management using out-of-band authentication
US9053304B2 (en) Methods and systems for using derived credentials to authenticate a device across multiple platforms
CN105959287A (en) Biological feature based safety certification method and device
CN107690788B (en) Identification and/or authentication system and method
US20110103586A1 (en) System, Method and Device To Authenticate Relationships By Electronic Means
CN105144670A (en) Wireless networking-enabled personal identification system
CN108604338A (en) Verify the online access to safety device function
EP3138265B1 (en) Enhanced security for registration of authentication devices
CN106716960A (en) Method and system for authenticating a user
US20130312073A1 (en) Methods and systems for authentication of multiple sign-in accounts
CN104361493A (en) Electronic payment method on basis of biological characteristics
CN101589569A (en) Secure password distribution to a client device of a network
CN107689944A (en) Identity identifying method, device and system
CN106716918A (en) Method and system for authenticating a user
CN106416336A (en) Identification and/or authentication system and method
CN105635164B (en) The method and apparatus of safety certification
CA2962163A1 (en) Secure remote password retrieval
US20130151411A1 (en) Digital authentication and security method and system
US9124571B1 (en) Network authentication method for secure user identity verification
JP2013009052A (en) Server device, agent authentication method and agent authentication system
CN106797390A (en) The system and method for authentication center
US10742414B1 (en) Systems and methods for data access control of secure memory using a short-range transceiver
KR20130102899A (en) Method for providing authentication and payment services using user identification code

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CB03 Change of inventor or designer information
CB03 Change of inventor or designer information

Inventor after: Meng Xiangyu

Inventor after: Wang Xin

Inventor after: Zhang Yujia

Inventor after: Gu Siyang

Inventor after: Liu Zhichao

Inventor before: Meng Xiangyu

Inventor before: Wang Xin

Inventor before: Zhang Yujia

Inventor before: Gu Siyang