CN104077690A - One-time password generation method and device, authentication method and authentication system - Google Patents
One-time password generation method and device, authentication method and authentication system Download PDFInfo
- Publication number
- CN104077690A CN104077690A CN201410287503.1A CN201410287503A CN104077690A CN 104077690 A CN104077690 A CN 104077690A CN 201410287503 A CN201410287503 A CN 201410287503A CN 104077690 A CN104077690 A CN 104077690A
- Authority
- CN
- China
- Prior art keywords
- user
- disposal password
- information
- user interface
- transaction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 62
- 230000005540 biological transmission Effects 0.000 claims abstract description 135
- 238000013475 authorization Methods 0.000 claims abstract description 54
- 238000004891 communication Methods 0.000 claims abstract description 10
- 238000012795 verification Methods 0.000 claims description 28
- 238000010295 mobile communication Methods 0.000 claims description 9
- 230000008569 process Effects 0.000 abstract description 5
- 238000010586 diagram Methods 0.000 description 7
- 238000012546 transfer Methods 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 3
- 230000015572 biosynthetic process Effects 0.000 description 2
- 239000012141 concentrate Substances 0.000 description 2
- 240000007643 Phytolacca americana Species 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005538 encapsulation Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3228—One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Finance (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Strategic Management (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a one-time password generation method and device, an authentication method and an authentication system. The authentication method comprises the first step of receiving transaction information and a self-setting transmission code input by a user through a first user interface, the second step of generating a one-time password (OTP) corresponding to transmission information according to the transaction information and the transmission code, the third step of transmitting the OTP to a second user interface of the user and displaying the OTP, the fourth step of receiving the OTP sent back by the user, and the fifth step of determining whether transaction authorization can be carried out by judging whether the OTP sent back is correct. The generated OTP has self-setting random numbers of a bank and other authentication terminals and simultaneously contains the transmission code, set by the user, of non-transaction information, so that steal of account data and tampering of the transaction information in a network and the bank are avoided; the OTP can be transmitted through a communication link different from the Internet, so that the safety of user accounts in the networked transaction process is ensured.
Description
Technical field
The present invention relates to network information security technology field, relate in particular to a kind of disposal password authentication method and Verification System.
Background technology
Along with the development of network application and progressively universal, shopping at network and network trading have become indispensable part in daily life.User can be by computer or other intelligent networking equipment by shopping website or the Internet bank do shopping payment or the transaction such as transfer accounts.When transaction, user need to input some personal informations, as bank account, user cipher etc., inputs Transaction Information simultaneously again, and personal information and Transaction Information can complete transaction after the departments such as bank confirm.So, by network operation, remove the trouble that user must go sales counter to handle in person from, beaten and bring great convenience to user.But also bring great user account potential safety hazard by the flow of fund of network.Once have people to use network to tackle user's the information such as account and password, likely cause user's fund loss.
Therefore, how provide for user easy-to-use in, ensure that the safety of user account fund is a problem demanding prompt solution.
Summary of the invention
Based on this, be necessary easily to cause after being leaked by network for user account data information the problem of fund loss, a kind of disposal password authentication method and Verification System of transaction being carried out to authorization identifying is provided.
A kind of disposal password authentication method providing for realizing the object of the invention, comprises the following steps:
Receive the transmission code that user passes through the Transaction Information of the first user interface input and certainly sets;
Generate the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code;
Described disposal password is transferred to the second user interface of described user, and shows;
Receive the described disposal password of described user's passback;
Whether the described disposal password returning by judgement correctly determines whether to carry out Trading Authorization.
As a kind of embodiment of disposal password authentication method, described user uses world-wide web to pass through described the first user interface transmission information;
Transmit the second user interface of described disposal password to described user by mobile communications network.
As a kind of embodiment of disposal password authentication method, transmit described disposal password to described the second user interface by the non-world-wide web of note, fax or voice.
As a kind of embodiment of disposal password authentication method, described transmission code is the combination of numeral, word or numeral and word.
As a kind of embodiment of disposal password authentication method, described user returns described disposal password by described the first user interface.
As a kind of embodiment of disposal password authentication method, receive the described disposal password of described user's passback in described step before, also comprise the step at the described Transaction Information of transmission and described transmission code to the three user interfaces;
Described user returns described disposal password by another the 3rd user interface.
As a kind of embodiment of disposal password authentication method, described disposal password is effective in Preset Time.
As a kind of embodiment of disposal password authentication method, transmit described disposal password to described the second user interface by note.
As a kind of embodiment of disposal password authentication method, when described disposal password is transferred to the second user interface of described user, also described transmission code is transferred to described the second user interface, and in described second user's interface display.
As a kind of embodiment of disposal password authentication method, according to described Transaction Information, described transmission code and system documentation, generate the disposal password corresponding with described transmission information by logical operation.
As a kind of embodiment of disposal password authentication method, the described Transaction Information of described logical operation institute foundation comprises the one or more kinds of combinations in type of transaction, trading account, dealing money and exchange hour.
Based on a kind of disposal password Verification System of identical inventive concept, comprise network connects successively the first user interface, the webserver, certificate server and the second user interface;
Also comprise the hardware security module being connected with described certificate server communication;
Described certificate server comprises information receiving module, the transmission code that passes through the Transaction Information of the first user interface input and certainly set for receive user by the webserver;
Described certificate server or described hardware security module comprise password generation module, for generating the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code;
In described certificate server, also comprise information sending module, for described disposal password being transferred to the second user interface of described user, and show on described the second user interface;
In described hardware security module, also comprise authentication module, whether correct for judging the described disposal password of passback, and result is transferred to certificate server, determine whether to carry out Trading Authorization by certificate server according to described result.
As a kind of embodiment of disposal password Verification System, described user returns described disposal password to described certificate server by described the first user interface.
As a kind of embodiment of disposal password Verification System, also comprise one the 3rd user interface, described user returns described disposal password to described certificate server by described the 3rd user interface.
As a kind of embodiment of disposal password Verification System, described certificate server is connected with mobile communication transmission server, arrives described the second user interface by described mobile communication transmission server transmission package containing the note of described disposal password.
A kind of method that also provides disposal password to generate, comprises the following steps:
Receive user's transaction authorization request;
Resolve the transaction authorization request that described user sends, obtain Transaction Information and the transmission code of user's input;
Generate the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code.
The embodiment of a kind of method generating as disposal password, the transaction authorization request that the described user of described parsing sends, before obtaining the Transaction Information and transmission code of user's input, further comprising the steps of:
Judge in received described transaction authorization request and whether comprise transmission code;
If so, carry out next step operation, resolve described transaction authorization request;
If not, return to request authorization failure information.
The embodiment of a kind of method generating as disposal password, described in return to request authorization failure information step comprise the following steps:
Preserve described Transaction Information;
Send the client of input transmission code request to user, and wait for the return message that receives described client.
The device that also provides a kind of disposal password to generate, comprises information receiving module, parsing module and password generation module, wherein:
Described information receiving module, for receiving user's transaction authorization request;
Described parsing module, the transaction authorization request sending for resolving described user, obtains Transaction Information and transmission code that user inputs;
Described password generation module, for generating the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code.
The device embodiment generating as a kind of disposal password, also comprises that transmission code judge module and failure information return to module, wherein:
Described judge module, for judging whether received described transaction authorization request comprises transmission code;
If so, turn and carry out described parsing module, resolve described transaction authorization request;
If not, turn the described failure information of execution and return to module, return to request authorization failure information.
Beneficial effect of the present invention comprises:
Method, device and authentication method, Verification System that a kind of disposal password provided by the invention generates, the information source that wherein generation method is used Transaction Information to generate as disposal password from the transmission code of setting in conjunction with individual subscriber, make the OTP generating there is the transmission code of the nontransaction information that comprises user self setting when the verifying ends such as bank self are set random number, avoid network and bank inside to stealing of account data and distorting Transaction Information.Ensure the safety of user account in network-side and verifying end inside.And in authentication method and Verification System, generate disposal password (OTP) according to the transmission code of the Transaction Information of user's input and setting certainly thereof, and another display interface that OTP sends to user is shown, manually input OTP by user and carry out transaction verification.And sending OTP can be undertaken by differing from world-wide web communication link, the security of user account while having ensured network trading.Make illegal molecule can not directly obtain by network path all information of customer transaction, thereby can not carry out the transaction without subscriber authorisation.
Brief description of the drawings
Fig. 1 is the process flow diagram of a specific embodiment of a kind of disposal password authentication method of the present invention;
Fig. 2 is the process flow diagram of another specific embodiment of a kind of disposal password authentication method of the present invention;
Fig. 3 is the system architecture schematic diagram of a specific embodiment of a kind of disposal password Verification System of the present invention;
Fig. 4 is the system architecture schematic diagram of another specific embodiment of a kind of disposal password Verification System of the present invention;
Fig. 5 is the system architecture schematic diagram of a specific embodiment again of a kind of disposal password Verification System of the present invention;
Fig. 6 is the hardware connection diagram of a specific embodiment of a kind of disposal password Verification System of the present invention;
Fig. 7 is the process flow diagram of a specific embodiment of the method for a kind of disposal password generation of the present invention;
Fig. 8 is the structural representation of a specific embodiment of the device of a kind of disposal password generation of the present invention;
Fig. 9 is the structural representation of another specific embodiment of the device of a kind of disposal password generation of the present invention.
Embodiment
In order to make object of the present invention, technical scheme and advantage clearer, below in conjunction with accompanying drawing, the embodiment of disposal password authentication method of the present invention and Verification System is described.Should be appreciated that specific embodiment described herein, only in order to explain the present invention, is not intended to limit the present invention.
Disposal password (One Time Password, the OTP) authentication method of one embodiment of the invention, as shown in Figure 1, comprises the following steps:
S100, receives the transmission code that user passes through the Transaction Information of the first user interface input and certainly sets.In the time that user inputs Transaction Information by the equipment of world-wide web communication as the first user interface by computer etc., provide the verifying end of authority checking to receive the Transaction Information of user's input.Described Transaction Information includes but not limited to the information such as type of transaction, trading account, dealing money, exchange hour.As user in the time starting to register, described Transaction Information can be some personal verification's information of user input.
Wherein, the transmission code of certainly setting of user input, or after Transaction Information, is inputted by user as an independent input message by user before input Transaction Information.This transmission code is made up of numeral, letter or both combinations, as being 123xyz.The length of transmission code can be set according to demand, can be set as 6 characters, also can be set as the character of other quantity., also can not set the length of character meanwhile, be inputted at random according to the hobby of oneself by user.But, it should be noted that, this transmission code can not be empty.Its as of subsequent authentication with reference to parameter.
S200, generates the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code.The verifying end of carrying out Trading Authorization checking is receiving after the information of user's input, utilize the one or more kinds of combinations in type of transaction in Transaction Information, trading account, dealing money, exchange hour etc., and user generates the unique exclusive OTP of the Transaction Information of corresponding input from the transmission code of setting.
It should be noted that herein, when the user account information of the OTP combination generating in the embodiment of the present invention, Transaction Information, also comprise to finish and share the composition of family from the transmission code of setting.Because user is set by user self at random from the transmission code of setting, strengthen the randomness of the OTP generating, improve safety coefficient.And when the transmission code of certainly setting is convenient to user's identification, produces and pass back without verifying end, reducing the transinformation between verifying end and user.
S300, is transferred to described disposal password at the second user interface of described user, and shows.Wherein, verifying end, by world-wide web and the first user interface transmission information, is transmitted the OTP generating to the second user interface by being different from the transmission channel of world-wide web.As can pass through as described in note, fax or voice transfer disposal password to as described in the second user interface.
As a kind of embodiment, the second user interface can be mobile phone.The identifying code that verifying end can be transmitted generation by the mode of note is to intelligent terminal.It should be noted that, verifying end sends to OTP by connecting the server of Mobile Network Operator (as movement, UNICOM or telecommunications) server of operator herein, then send information to by privately-owned network the mobile phone that user specifies by operator.The number of mobile phone offers verifying end in advance by user, and is stored in data bank as system information by verifying end.User can adopt and carry mode memory mobile phone number that effective identity certificate handles to sales counter to verifying end, use the default mode of network phone number to be set for receiving OTP under the prerequisite that also can accept in verifying end in the time of registration.
Preferably, in the transmission OTP by note, also send transmission code and some Transaction Informations to the second user interface.User inputs OTP accordingly according to transmission code, the misuse of OTP while avoiding multiple transaction.The transmission of Transaction Information makes user can again check Transaction Information, reduces error probability.
Preferably, the OTP that is transferred to user's second contact surface also can have certain timeliness, exceedes after certain timeliness, and current OTP lost efficacy, if need proceed transaction, need again apply for new OTP.
S400, receives described user by the described disposal password of the first user interface passback.User receives after the OTP of verifying end, after the first user interface input OTP that can use by input Transaction Information and be transferred to verifying end application mandate.
S500, whether the described disposal password returning by judgement correctly determines whether to carry out Trading Authorization.Whether the OTP that verifying end returns by judgement and transmission code mate, coincide, and determine whether transaction can be proceeded.It should be noted that, while generating OTP, corresponding transaction is unique to be determined herein, when user passes OTP back, verifying end can be searched the Transaction Information of having stored according to transmission code, and judges that whether the OTP that OTP is corresponding with the transmission code of earlier stored is consistent, if so, authorizing can continuous business; If not, return to Fail Transaction information.Described Fail Transaction information comprises that OTP mistake, OTP are overtime, it is overtime etc. to conclude the business.
In an embodiment, as shown in Figure 2, comprise the following steps therein:
S101, receives the transmission code that user passes through the Transaction Information of the first user interface input and certainly sets.This step and aforesaid step S100 are basic identical, and user inputs the Transaction Information that will conclude the business by one first user interface, as a certain account of transferring accounts, and the Transaction Information of input can be included in the account of account, the account producing, the information such as the amount of money of transferring accounts.And the transmission code that input is set certainly in independent input frame, the transaction code of this transaction of also oneself setting, this can be used as the key word of transaction.User, after described the first user interface input Transaction Information and transmission code, can click the button connection of " obtaining " disposal password on the first user interface and the communication of verifying end, obtains disposal password to verifying end.
S102, backs up account and the described transmission code from setting that described Transaction Information, described Transaction Information are corresponding.Verifying end is provided with database and the data poke unit of storage subscriber data, and verifying end receives after the Transaction Information of user's transmission, and information is stored, and uses so that subsequent authentication generates disposal password.
Preferably, before step S102, also comprise that verifying end judges by user side, whether the transmission code that also the first user interface receives is empty step, if transmission code is empty, return authentication failure information is to the first user interface, and reminding user is inputted transmission code.Thereby the disposal password authentication method user who ensures the embodiment of the present invention generates disposal password from the transmission code of setting.
S103, generates the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code.
S104, is transferred to described disposal password at the second user interface of described user, and shows.
S105, detects when user uses the 3rd user interface to login described account, copies and transmits described Transaction Information and described transmission code sends to described the 3rd user interface.
S106, receives the described disposal password that described user uses the 3rd user interface to return.User can be by the first user interface passback disposal password, also can adopt another the 3rd user interface to use identical account or account input OTP to verify, as use computer as the first user interface, use intelligent terminal as the 3rd user interface.But while using the 3rd user interface, need in step S104, operate the 3rd described user interface by verifying end according to accounts information isochronous transaction, make user continue user in the first uncompleted transaction in user interface at the 3rd user interface, so, flexible operation, more can meet user's demand.
S107, whether the described disposal password returning by judgement correctly determines whether to carry out Trading Authorization.If correct, can proceed transaction operation, otherwise, return to OTP authentication failed information to the three user interfaces.Reminding user again obtains OTP and operates.
Therein in the embodiment of a disposal password authentication method, step S200, generate the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code, be according to described Transaction Information, described transmission code and system documentation, generate the disposal password corresponding with described transmission information by logical operation.Wherein, system documentation refers to that verifying end self is for generating some data of disposal password, as verifying end utilize system random number function through computing produce for generating the parameter of disposal password.And described parameter can be according to demand according to a batch adjustment automatically.
Based on same inventive concept, the present invention also provides a kind of disposal password Verification System, because the principle that this system is dealt with problems is similar to aforementioned a kind of disposal password authentication method, therefore, the enforcement of this system can realize according to the concrete steps of preceding method, repeats part and repeats no more.
Therein in the embodiment of a disposal password Verification System, as shown in Figure 3, comprise network connects successively the first user interface 100, the webserver 200, certificate server 300 and the second user interface 400, also comprise the hardware security module 500 being connected with described certificate server 300 communications.
Wherein, certificate server 300 comprises information receiving module 310, password generation module 320 and information sending module 330.Information receiving module 310, the transmission code that passes through the Transaction Information of the first user interface input and certainly set for receive user by the webserver; Password generation module 320, for generating the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code; Information sending module 330 for described disposal password being transferred to the second user interface of described user, and shows on described the second user interface.
Whether hardware security module 500 comprises authentication module 510, correct for judging the described disposal password of passback, and result is transferred to certificate server, determines whether to carry out Trading Authorization by certificate server according to described result.It should be noted that, in hardware security module 500, be provided with the information transfer unit that carries out information transmission with certificate server, the OTP generating for transmitting OTP confirmation and self generation or certificate server.Corresponding, in certificate server, be also provided with the hardware security module linkage unit corresponding with information transfer unit in hardware security module 500, for carrying out information communication with hardware security module 500.
The disposal password Verification System of the embodiment of the present invention, generate disposal password (OTP) according to the transmission code of the Transaction Information of user's input and setting certainly thereof, and another display interface that OTP sends to user is shown, manually input OTP by user and carry out transaction verification.And sending OTP can be undertaken by differing from world-wide web communication link, the security of user account while having ensured network trading.Make illegal molecule can not directly obtain by network path all information of customer transaction, thereby can not carry out the transaction without subscriber authorisation.
In the embodiment of another disposal password Verification System, as shown in Figure 4, comprise network connects successively the first user interface 100, the webserver 200, certificate server 300 and the second user interface 400, also comprise the hardware security module 500 being connected with described certificate server 300 communications.
Wherein, certificate server 300 comprises information receiving module 310 and information sending module 330.Information receiving module 310, the transmission code that passes through the Transaction Information of the first user interface input and certainly set for receive user by the webserver; Information sending module 330 for described disposal password being transferred to the second user interface of described user, and shows on described the second user interface.
Hardware security module 500 comprises password generation module 520 and authentication module 510.Password generation module 520, for generating the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code; Authentication module 510, whether correct for judging the described disposal password of passback, and result is transferred to certificate server, determine whether to carry out Trading Authorization by certificate server according to described result.
In the embodiment of the present invention, use the password generation module 520 in hardware security module 500 to generate disposal password, this password generation module 520 can adopt identical password formation logic computing also can adopt different password formation logic computings from aforesaid password generation module 320.Generate OTP and can further improve the confidentiality of OTP by hardware security module 500.Prevent from when network from stealing also the inner OTP of the verifying ends such as bank being leaked and playing restriction.
In an embodiment, user returns described disposal password to certificate server 300 by described the first user interface 100 therein.
In an embodiment, as shown in Figure 5, also comprise one the 3rd user interface 600 therein, user returns disposal password to certificate server 300 by described the 3rd user interface 600.
As a kind of mode of transmitting OTP, certificate server 400 is connected with mobile communication transmission server, and the note that contains described disposal password by described mobile communication transmission server transmission package is to the second user interface 400.As shown in Figure 6, after user sends transaction and transmission information by the first user interface 100, Transaction Information is transferred to certificate server 300 by the webserver 200, certificate server 300 generates OTP, or Transaction Information and transmission code are transferred to hardware security module 500, generate OTP by hardware security module, after generating OTP, hardware security module (HSM) 500 again OTP is transmitted back to certificate server 300, certificate server 300 connects mobile telecommunication service device (not shown), OTP sends to the second user interface 400 by mobile network's transmitting terminal 600 the most at last, there is again user manually to input OTP and complete certification.This complete procedure for using this disposal password Verification System to authenticate.By utilizing hardware security module (HSM) to generate OTP, it directly passes to client user by certificate server after encapsulation after generating, except client user, other people have no way of learning OTP information, particularly prevent that third party from distorting and stealing information by sharing broadband wireless link, prevent that them from can obtain account and the Transaction Information of client, and provide good guarantee, guarantee as far as possible the HSM being trusted except generating OTP, nobody can know transaction verification code OTP information, including the middle tier server such as network and application server, and can prevent session Replay Attack, and prevent from utilizing GPUs technology to carry out password Brute Force.
Describe the process that is generated OTP by HSM below in detail:
Steps A 1, is packaged as OTP the packet of R+S+P structure;
Wherein: R is exactly the random number of the each encryption of the HSM regular length that can produce; S is exactly an access elements of using in access; P is exactly the OTP in OTP itself or the hash of specifying by concrete configuration.
It should be noted that, the access elements of mentioning is concluded the business in the Transaction Information that when access submits to certain or some parameters and the combination of the information such as the transmission code certainly set for user.The hashing algorithm of mentioning is SHA256, or SM3.
Step B1, uses the encryption method of symmetrical KEY that the OTP of R+S+P structure is encrypted.This encryption method is used 256 AES key algorithms, or uses SM1 or SM4 algorithm.
Step C1, is saved in the OTP after encrypting in database.
In the time that the OTP of generation is sent to the second user interface of user by certificate server, first OTP is decrypted, after deciphering, by special line, OTP is sent to the phone number that user specifies by mobile communication server again.
Based on identical inventive concept, in verifying end, be generally the service end of bank, a kind of method that provides disposal password to generate, as shown in Figure 7, comprise the following steps, and following steps is all to carry out on the server of verifying end.
S201, reception user's transaction authorization request.User, can be by the terminal input transaction authorization request such as computer, the certification of the Transaction Information of also inputting before concluding the business.The verifying ends such as bank receive after the transaction authorization request of user's transmission, and transaction is carried out to authorization identifying, only have the transaction after certification just can proceed, and finally complete transaction, realize the operations such as accounting payment.May not make the transaction that user's account fund changes all can not carry out through any of certification.
S202, resolves the transaction authorization request that described user sends, and obtains Transaction Information and the transmission code of user's input.The Transaction Information that user sends can together send to user's account information, client address etc. the verifying end of bank etc. by the webserver as a packet.Verifying end is received after user's packet, need to resolve packet, parses the required data message of generation OTP and trading account, exchange hour etc.Transmission code is herein by user's self-defined input in the time concluding the business.It can be numeral, letter or both combinations, and the length of transmission code includes but not limited to 6 characters, 4 characters or 8 characters.
Better, user also can input user's personal information in input Transaction Information, if password, ID (identity number) card No., obligate information etc. are as assistant authentification information.Verifying end is compared according to the accounts information of storing in the personal information information of user's input and verifying end database, accounts information is authenticated, if accounts information authentification failure, directly returns to the information of shutting the book, reminding user re-starts the certification of account.
It should be noted that herein, information in verifying end database is held effective identity certificate for user, as I.D., the reserved account authentication information of handling to bank counter, or the approach of admitting by certification ends such as other banks offers the reserved account authentication information of verifying end.
S203, generates the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code.Verifying end adopts logical operation to calculate a disposal password according to the transmission code parsing and Transaction Information, and must send to user for input authentication by authentication condition follow-up as one of Trading Authorization certification.
The method that the disposal password of the embodiment of the present invention generates, the information source that uses Transaction Information to generate as disposal password from the transmission code of setting in conjunction with individual subscriber, make the OTP generating there is the indefinite parameter that comprises user self setting when the verifying ends such as bank self are set random number, can effectively prevent network and bank inside distorting Transaction Information.Ensure the safety of user account in network-side and verifying end inside.
In the embodiment of the method for a disposal password generation, at step S202, resolve the transaction authorization request that user sends therein, before obtaining the Transaction Information and transmission code of user's input, further comprising the steps of:
S2021, judges in received described transaction authorization request whether comprise transmission code,
If so, perform step S202, resolve described transaction authorization request;
If not, perform step S2022, return to request authorization failure information.
In this step, first judge whether comprising transmission code in transaction authorization request, to using transmission code when generating the parameter of OTP, ensure that transmission code be sky.
Preferably, step S2022, returns to request authorization failure information, specifically can comprise following steps:
First preserve the Transaction Information receiving from user side; And then send the client of input transmission code request to user, and wait for the return message that receives described client.Adopt this step can re-enter within a certain period of time the chance of transmission code to user.And merge as complete account trading data for generating OTP with the Transaction Information of preserving above receiving after the transmission code that user inputs again.
The device corresponding with the method that aforesaid disposal password generates, the present invention also provides a kind of disposal password to generate.It comprises information receiving module 101 as shown in Figure 8, parsing module 102 and password generation module 103.Wherein: information receiving module 101, for receiving user's transaction authorization request; Parsing module 102, the transaction authorization request sending for resolving described user, obtains Transaction Information and transmission code that user inputs; Password generation module 103, for generating the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code.
The device that disposal password of the present invention generates is mainly used in the transaction verification ends such as bank, aforesaid information receiving module 101, parsing module 102 and password generation module 103 can concentrate in a server of verifying end, in certificate server, also can be respectively in the hardware device of different verifying ends.As information receiving module 101 and parsing module 102 can concentrate in a hardware, and password generation module 103 can be in another hardware device.In the OTP of its generation, comprise the transmission code of user from the nontransaction information of setting, in the parameter that code is generated, comprise except the random number of bank's end, also comprise that user, from the transmission code random number of setting, avoids network and bank inside to stealing of account data and distorting Transaction Information.
As shown in Figure 9, in an embodiment, also comprise that transmission code judge module 104 and failure information return to module 105 therein.Wherein: transmission code judge module 104, for judging whether received described transaction authorization request comprises transmission code; If so, turn and carry out described parsing module 102, resolve described transaction authorization request; If not, turn the described failure information of execution and return to module 105, return to request authorization failure information.
The above embodiment has only expressed several embodiment of the present invention, and it describes comparatively concrete and detailed, but can not therefore be interpreted as the restriction to the scope of the claims of the present invention.It should be pointed out that for the person of ordinary skill of the art, without departing from the inventive concept of the premise, can also make some distortion and improvement, these all belong to protection scope of the present invention.Therefore, the protection domain of patent of the present invention should be as the criterion with claims.
Claims (20)
1. a disposal password authentication method, is characterized in that, comprises the following steps:
Receive the transmission code that user passes through the Transaction Information of the first user interface input and certainly sets;
Generate the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code;
Described disposal password is transferred to the second user interface of described user, and shows;
Receive the described disposal password of described user's passback;
Whether the described disposal password returning by judgement correctly determines whether to carry out Trading Authorization.
2. disposal password authentication method according to claim 1, is characterized in that, described user uses world-wide web to pass through described the first user interface transmission information;
Transmit the second user interface of described disposal password to described user by mobile communications network.
3. disposal password authentication method according to claim 1, is characterized in that, transmits described disposal password to described the second user interface by the non-world-wide web of note, fax or voice.
4. disposal password authentication method according to claim 1, is characterized in that, described transmission code is the combination of numeral, word or numeral and word.
5. according to the disposal password authentication method described in claim 1 to 4 any one, it is characterized in that, described user returns described disposal password by described the first user interface.
6. according to the disposal password authentication method described in claim 1 to 4 any one, it is characterized in that, receive the described disposal password of described user's passback in described step before, also comprise the step at the described Transaction Information of transmission and described transmission code to the three user interfaces;
Described user returns described disposal password by another the 3rd user interface.
7. according to the disposal password authentication method described in claim 1 to 4 any one, it is characterized in that, described disposal password is effective in Preset Time.
8. disposal password authentication method according to claim 2, is characterized in that, transmits described disposal password to described the second user interface by note.
9. disposal password authentication method according to claim 2, it is characterized in that, when described disposal password is transferred to the second user interface of described user, also described transmission code is transferred to described the second user interface, and in described second user's interface display.
10. disposal password authentication method according to claim 1, is characterized in that, according to described Transaction Information, described transmission code and system documentation, generates the disposal password corresponding with described transmission information by logical operation.
11. disposal password authentication methods according to claim 10, is characterized in that, the described Transaction Information of described logical operation institute foundation comprises the one or more kinds of combinations in type of transaction, trading account, dealing money and exchange hour.
12. 1 kinds of disposal password Verification Systems, is characterized in that, comprise network connects successively the first user interface, the webserver, certificate server and the second user interface;
Also comprise the hardware security module (HSM) being connected with described certificate server communication;
Described certificate server comprises information receiving module, the transmission code that passes through the Transaction Information of the first user interface input and certainly set for receive user by the webserver;
Described certificate server or described hardware security module comprise password generation module, for generating the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code;
In described certificate server, also comprise information sending module, for described disposal password being transferred to the second user interface of described user, and show on described the second user interface;
In described hardware security module, also comprise authentication module, whether correct for judging the described disposal password of passback, and result is transferred to certificate server, determine whether to carry out Trading Authorization by certificate server according to described result.
13. disposal password Verification Systems according to claim 12, is characterized in that, described user returns described disposal password to described certificate server by described the first user interface.
14. disposal password Verification Systems according to claim 12, is characterized in that, also comprise one the 3rd user interface, and described user returns described disposal password to described certificate server by described the 3rd user interface.
15. according to claim 12 to the disposal password Verification System described in 14 any one, it is characterized in that, described certificate server is connected with mobile communication transmission server, arrives described the second user interface by described mobile communication transmission server transmission package containing the note of described disposal password.
16. 1 kinds of methods that disposal password generates, is characterized in that, comprise the following steps:
Receive user's transaction authorization request;
Resolve the transaction authorization request that described user sends, obtain Transaction Information and the transmission code of user's input;
Generate the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code.
The method that 17. disposal passwords according to claim 16 generate, is characterized in that, the transaction authorization request that the described user of described parsing sends is before obtaining the Transaction Information and transmission code of user's input, further comprising the steps of:
Judge in received described transaction authorization request and whether comprise transmission code;
If so, carry out next step operation, resolve described transaction authorization request;
If not, return to request authorization failure information.
The method that 18. disposal passwords according to claim 17 generate, is characterized in that, described in return to request authorization failure information step comprise the following steps:
Preserve described Transaction Information;
Send the client of input transmission code request to user, and wait for the return message that receives described client.
19. 1 kinds of devices that disposal password generates, is characterized in that, comprise information receiving module, parsing module and password generation module, wherein:
Described information receiving module, for receiving user's transaction authorization request;
Described parsing module, the transaction authorization request sending for resolving described user, obtains Transaction Information and transmission code that user inputs;
Described password generation module, for generating the disposal password corresponding with described transmission information according to described Transaction Information and described transmission code.
The device that 20. disposal passwords according to claim 19 generate, is characterized in that, also comprises that transmission code judge module and failure information return to module, wherein:
Described judge module, for judging whether received described transaction authorization request comprises transmission code;
If so, turn and carry out described parsing module, resolve described transaction authorization request;
If not, turn the described failure information of execution and return to module, return to request authorization failure information.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410287503.1A CN104077690B (en) | 2014-06-24 | 2014-06-24 | Method and device for generating one-time password, authentication method and authentication system |
| TW103130943A TW201601083A (en) | 2014-06-24 | 2014-09-09 | One-time password generation method and device, authentication method and authentication system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410287503.1A CN104077690B (en) | 2014-06-24 | 2014-06-24 | Method and device for generating one-time password, authentication method and authentication system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104077690A true CN104077690A (en) | 2014-10-01 |
| CN104077690B CN104077690B (en) | 2020-08-28 |
Family
ID=51598935
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410287503.1A Active CN104077690B (en) | 2014-06-24 | 2014-06-24 | Method and device for generating one-time password, authentication method and authentication system |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN104077690B (en) |
| TW (1) | TW201601083A (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106789079A (en) * | 2016-12-30 | 2017-05-31 | 余仁植 | Identity identifying method, disposal password electronic installation and system |
| CN107005412A (en) * | 2014-11-13 | 2017-08-01 | 日立汽车系统株式会社 | Information processor, message authentication method |
| CN107911350A (en) * | 2017-02-27 | 2018-04-13 | 黄贤杰 | A kind of electronic equipment bi-directional matching and Verification System |
| CN108683667A (en) * | 2018-05-16 | 2018-10-19 | 深圳市网心科技有限公司 | Account protection method, device, system and storage medium |
| CN112639785A (en) * | 2018-10-02 | 2021-04-09 | 第一资本服务有限责任公司 | System and method for signaling potential attacks on contactless cards |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI596556B (en) * | 2016-07-29 | 2017-08-21 | 臺灣集中保管結算所股份有限公司 | A method and system for authenticating a user with service providers using a universal one time password |
| TWI731924B (en) * | 2017-01-23 | 2021-07-01 | 香港商斑馬智行網絡(香港)有限公司 | Method and device for processing verification information |
| TWI675579B (en) * | 2017-09-30 | 2019-10-21 | 優仕達資訊股份有限公司 | Network authentication system and method |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2005083610A1 (en) * | 2004-02-23 | 2005-09-09 | Verisign, Inc. | Token authentication system and method |
| CN101131759A (en) * | 2006-08-24 | 2008-02-27 | 中国信托商业银行股份有限公司 | Method for generating disposal password used for internet trade and its application method and system for performing the same |
| CN101651675A (en) * | 2009-08-27 | 2010-02-17 | 北京飞天诚信科技有限公司 | Method and system for enhancing security of network transactions |
| CN101777158A (en) * | 2010-01-13 | 2010-07-14 | 北京飞天诚信科技有限公司 | Method and system for secure transaction |
| CN102202300A (en) * | 2011-06-14 | 2011-09-28 | 上海众人网络安全技术有限公司 | System and method for dynamic password authentication based on dual channels |
| CN103139179A (en) * | 2011-12-01 | 2013-06-05 | 捷而思股份有限公司 | Multi-channel active type network identity verification system and network identity verification device |
-
2014
- 2014-06-24 CN CN201410287503.1A patent/CN104077690B/en active Active
- 2014-09-09 TW TW103130943A patent/TW201601083A/en unknown
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2005083610A1 (en) * | 2004-02-23 | 2005-09-09 | Verisign, Inc. | Token authentication system and method |
| CN101131759A (en) * | 2006-08-24 | 2008-02-27 | 中国信托商业银行股份有限公司 | Method for generating disposal password used for internet trade and its application method and system for performing the same |
| CN101651675A (en) * | 2009-08-27 | 2010-02-17 | 北京飞天诚信科技有限公司 | Method and system for enhancing security of network transactions |
| CN101777158A (en) * | 2010-01-13 | 2010-07-14 | 北京飞天诚信科技有限公司 | Method and system for secure transaction |
| CN102202300A (en) * | 2011-06-14 | 2011-09-28 | 上海众人网络安全技术有限公司 | System and method for dynamic password authentication based on dual channels |
| CN103139179A (en) * | 2011-12-01 | 2013-06-05 | 捷而思股份有限公司 | Multi-channel active type network identity verification system and network identity verification device |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107005412A (en) * | 2014-11-13 | 2017-08-01 | 日立汽车系统株式会社 | Information processor, message authentication method |
| CN107005412B (en) * | 2014-11-13 | 2020-04-07 | 日立汽车系统株式会社 | Information processing apparatus, message authentication method, and program |
| CN106789079A (en) * | 2016-12-30 | 2017-05-31 | 余仁植 | Identity identifying method, disposal password electronic installation and system |
| CN107911350A (en) * | 2017-02-27 | 2018-04-13 | 黄贤杰 | A kind of electronic equipment bi-directional matching and Verification System |
| WO2018153252A1 (en) * | 2017-02-27 | 2018-08-30 | 黄贤杰 | Electronic device bidirectional matching and authentication system |
| CN107911350B (en) * | 2017-02-27 | 2022-04-08 | 黄贤杰 | Two-way matching and authentication system for electronic equipment |
| CN108683667A (en) * | 2018-05-16 | 2018-10-19 | 深圳市网心科技有限公司 | Account protection method, device, system and storage medium |
| CN108683667B (en) * | 2018-05-16 | 2021-12-03 | 深圳市迅雷网络技术有限公司 | Account protection method, device, system and storage medium |
| CN112639785A (en) * | 2018-10-02 | 2021-04-09 | 第一资本服务有限责任公司 | System and method for signaling potential attacks on contactless cards |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104077690B (en) | 2020-08-28 |
| TW201601083A (en) | 2016-01-01 |
| TWI543092B (en) | 2016-07-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109150548B (en) | Digital certificate signing and signature checking method and system and digital certificate system | |
| CN104077690A (en) | One-time password generation method and device, authentication method and authentication system | |
| CN102215221B (en) | Methods and systems for secure remote wake, boot, and login to a computer from a mobile device | |
| EP1807966B1 (en) | Authentication method | |
| CN103747012B (en) | Safe verification method, the apparatus and system of network trading | |
| CN108270571A (en) | Internet of Things identity authorization system and its method based on block chain | |
| DK2481230T3 (en) | A method for authentication, method of payment authorization, and similar electronic devices | |
| US20090187980A1 (en) | Method of authenticating, authorizing, encrypting and decrypting via mobile service | |
| CN102075327B (en) | Method, device and system for unlocking electronic key | |
| JP2013514556A (en) | Method and system for securely processing transactions | |
| US10147092B2 (en) | System and method for signing and authenticating secure transactions through a communications network | |
| KR101644124B1 (en) | Server for transaction using pre-authentication and method thereof | |
| US10504109B2 (en) | Method for the mutual authentication of entities having previously initiated an online transaction | |
| CN101897165A (en) | Method of authentication of users in data processing systems | |
| WO2017190633A1 (en) | Method and device for reliably verifying identity of financial card user | |
| CN105827620A (en) | Data transmission system and method thereof | |
| CN101944216A (en) | Two-factor online transaction safety authentication method and system | |
| US20100005519A1 (en) | System and method for authenticating one-time virtual secret information | |
| CN104301288B (en) | Online identity certification, online transaction checking, the method and system of online verification protection | |
| CN105741116A (en) | Fast payment method, apparatus and system | |
| CN107609878A (en) | A kind of safety certifying method and system of shared automobile | |
| KR101187414B1 (en) | System and method for authenticating card issued on portable terminal | |
| TW201101215A (en) | Two-factor authentication method and system for securing online transactions | |
| KR20180029932A (en) | Method and apparatus for providing encryption security message | |
| KR101577059B1 (en) | Method for Processing Server type OTP |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20231101 Address after: Singapore 750D Caishi Road # 08-01ESR Industrial Park @ Caishi Patentee after: Singapore i-Sprint Technology Co.,Ltd. Address before: Room 1509, Shougang International Building, No. 60, Xizhimen North Street, Haidian District, Beijing 100082 Patentee before: BEIJING ANXUNBEN SCIENCE & TECHNOLOGY Co.,Ltd. |