CN104077690B - Method and device for generating one-time password, authentication method and authentication system - Google Patents


Info

Publication number
CN104077690B
Authority
CN
China
Prior art keywords
user
time password
user interface
transmission code
transaction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410287503.1A
Other languages
Chinese (zh)
Other versions
CN104077690A (en)
Inventor
程伟强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Singapore i-Sprint Technology Co.,Ltd.
Original Assignee
Beijing Anxunben Science & Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Anxunben Science & Technology Co ltd
Priority to CN201410287503.1A (CN104077690B)
Priority to TW103130943A (TW201601083A)
Publication of CN104077690A
Application granted
Publication of CN104077690B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key

Abstract

The invention discloses a method and a device for generating a one-time password, together with an authentication method and an authentication system. The authentication method comprises the following steps: receiving transaction information input by a user through a first user interface, together with a transmission code set by the user; generating a one-time password (OTP) corresponding to the transmission information from the transaction information and the transmission code; transmitting the one-time password to a second user interface of the user and displaying it there; receiving the one-time password returned by the user; and determining whether to authorize the transaction by judging whether the returned one-time password is correct. The generated OTP incorporates a random number set by a verification end such as a bank, and also contains the transmission code, which is non-transaction information set by the user, so that theft of account data and tampering with the transaction information, whether in the network or at the bank, are avoided. The OTP can also be sent over a communication link different from the Internet, which secures the user's account during network transactions.

Description

Method and device for generating one-time password, authentication method and authentication system
Technical Field
The invention relates to the technical field of network information security, in particular to a one-time password authentication method and an authentication system.
Background
With the development and gradual popularization of network applications, online shopping and online transactions have become an indispensable part of daily life. A user can pay for purchases or transfer funds through a shopping website or an Internet bank using a computer or other networked smart device. To carry out the transaction, the user enters personal data such as a bank account and user password together with the transaction information; once a bank or similar institution has confirmed the personal information and the transaction information, the transaction is completed. Operating over the network spares the user a trip to the counter and brings great convenience. However, moving money over the network also exposes the user's account to considerable risk: once someone intercepts the user's account, password and similar information over the network, the user may suffer financial loss.
How to combine convenience for users with the safety of their account funds is therefore an urgent problem to be solved.
Disclosure of Invention
It is therefore necessary to provide a one-time password authentication method and an authentication system for authorizing transactions, addressing the problem that user account data leaked over the network easily leads to financial loss.
To this end, the invention provides a one-time password authentication method comprising the following steps:
receiving transaction information input by a user through a first user interface, together with a transmission code set by the user;
generating a one-time password corresponding to the transmission information according to the transaction information and the transmission code;
transmitting the one-time password to a second user interface of the user and displaying the one-time password;
receiving the one-time password returned by the user;
and determining whether to authorize the transaction by judging whether the returned one-time password is correct.
In one implementation of the one-time password authentication method, the user transmits information through the first user interface over the Internet, and the one-time password is transmitted to the second user interface of the user through a mobile communication network.
In one implementation of the one-time password authentication method, the one-time password is transmitted to the second user interface through a non-Internet channel such as short message, fax or voice.
In one implementation of the one-time password authentication method, the transmission code consists of digits, letters or a combination of the two.
As an implementation manner of the one-time password authentication method, the user returns the one-time password through the first user interface.
In one implementation of the one-time password authentication method, before the step of receiving the one-time password returned by the user, the method further includes transmitting the transaction information and the transmission code to a third user interface, and the user returns the one-time password through that third user interface.
In one implementation of the one-time password authentication method, the one-time password is valid for a preset time.
In one implementation of the one-time password authentication method, the one-time password is transmitted to the second user interface by short message.
In an embodiment of the one-time password authentication method, when the one-time password is transmitted to the second user interface of the user, the transmission code is also transmitted to the second user interface and displayed there.
In one implementation of the one-time password authentication method, the one-time password corresponding to the transmission information is generated through a logic operation over the transaction information, the transmission code and system data.
As an implementation manner of the one-time password authentication method, the transaction information according to which the logic operation is based includes one or a combination of two or more of a transaction type, a transaction account, a transaction amount, and a transaction time.
Based on the same inventive concept, the invention also provides a one-time password authentication system comprising a first user interface, a network server, an authentication server and a second user interface connected in sequence through a network, and a hardware security module in communication connection with the authentication server;
the authentication server comprises an information receiving module for receiving, via the network server, the transaction information input by the user through the first user interface and the transmission code set by the user;
the authentication server or the hardware security module comprises a password generation module for generating a one-time password corresponding to the transmission information from the transaction information and the transmission code;
the authentication server further comprises an information sending module for transmitting the one-time password to a second user interface of the user, where it is displayed;
the hardware security module further comprises a verification module for judging whether the returned one-time password is correct and transmitting the result to the authentication server, which decides whether to authorize the transaction according to that result.
In an embodiment of the one-time password authentication system, the user returns the one-time password to the authentication server through the first user interface.
As an implementation manner of the one-time password authentication system, the system further includes a third user interface, and the user returns the one-time password to the authentication server through the third user interface.
As an implementation manner of the one-time password authentication system, the authentication server is connected to a mobile communication transmission server, and transmits a short message including the one-time password to the second user interface through the mobile communication transmission server.
Also provided is a method for generating a one-time password, comprising the following steps:
receiving a transaction authorization request of a user;
analyzing the transaction authorization request sent by the user to obtain transaction information and a transmission code input by the user;
and generating a one-time password corresponding to the transmission information according to the transaction information and the transmission code.
In one implementation of the method for generating a one-time password, before the transaction authorization request sent by the user is analyzed to obtain the transaction information and the transmission code, the method further includes the following steps:
judging whether the received transaction authorization request contains a transmission code;
if so, proceeding to analyze the transaction authorization request;
if not, returning request-authorization-failure information.
In an embodiment of the method for generating a one-time password, the step of returning the request-authorization-failure information includes the following steps:
saving the transaction information;
and sending a request to the user's client to input a transmission code, then waiting for the client's reply.
A one-time password generating device is also provided, comprising an information receiving module, an analysis module and a password generation module, wherein:
the information receiving module is used for receiving a transaction authorization request of a user;
the analysis module is used for analyzing the transaction authorization request sent by the user to obtain the transaction information and the transmission code input by the user;
and the password generation module is used for generating a one-time password corresponding to the transmission information according to the transaction information and the transmission code.
The device for generating the one-time password may further comprise a transmission code judging module and a failure information returning module, wherein:
the judging module judges whether the received transaction authorization request contains a transmission code;
if so, the analysis module is executed to analyze the transaction authorization request;
if not, the failure information returning module is executed and request-authorization-failure information is returned.
The beneficial effects of the invention include the following.
The invention provides a method and a device for generating a one-time password, together with an authentication method and an authentication system. The generation method uses the transaction information and a transmission code personally set by the user as the information source for the one-time password, so the generated OTP incorporates a random number set by a verification end such as a bank while also containing the transmission code, which is non-transaction information set by the user; theft of account data and tampering with the transaction information, whether in the network or at the bank, are thereby avoided, and the security of the user's account is ensured both at the network end and at the verification end. In the authentication method and system, a one-time password (OTP) is generated from the transaction information input by the user and the user's self-set transmission code, the OTP is sent to another display interface of the user, and the user enters the OTP manually for transaction verification. The OTP can also be sent over a communication link different from the Internet, which secures the user's account during network transactions: an attacker cannot obtain all the information of a user's transaction through network access alone, and so cannot perform an unauthorized transaction.
Drawings
FIG. 1 is a flowchart of an embodiment of a one-time password authentication method of the present invention;
FIG. 2 is a flowchart of another embodiment of a one-time password authentication method according to the present invention;
FIG. 3 is a system diagram of a one-time password authentication system according to an embodiment of the present invention;
FIG. 4 is a system diagram of a one-time password authentication system according to another embodiment of the present invention;
FIG. 5 is a system diagram of a one-time password authentication system according to yet another embodiment of the present invention;
FIG. 6 is a diagram illustrating a hardware connection of an exemplary one-time password authentication system according to the present invention;
FIG. 7 is a flowchart of a method for one-time password generation according to an embodiment of the present invention;
FIG. 8 is a block diagram of an exemplary embodiment of a one-time password generation apparatus according to the present invention;
FIG. 9 is a schematic structural diagram of an apparatus for generating a one-time password according to another embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clearly understood, specific embodiments of the one-time password authentication method and the authentication system of the present invention are described below with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, a One Time Password (OTP) authentication method according to an embodiment of the present invention includes the following steps:
S100, receiving the transaction information input by the user through the first user interface and the self-set transmission code. When a user inputs transaction information through a device such as a computer that communicates over the Internet, acting as the first user interface, the verification end that provides authorization verification receives the transaction information input by the user. The transaction information includes, but is not limited to, transaction category, transaction account, transaction amount and transaction time. It may also include some personal authentication information entered by the user, for example at initial registration.
The self-set transmission code is entered by the user as a separate input, before or after the transaction information. It consists of digits, letters or a combination of the two; 123xyz is one example. The length of the transmission code can be fixed as required, for example at 6 characters or some other number, or it can be left unset so that the user may enter as many characters as they prefer. Note, however, that the transmission code cannot be null, since it serves as a reference parameter for the subsequent verification.
S200, generating a one-time password corresponding to the transmission information from the transaction information and the transmission code. After receiving the information input by the user, the verification end that performs transaction authorization generates a unique OTP bound to the input transaction, using one or a combination of two or more of the transaction type, transaction account, transaction amount, transaction time and so on from the transaction information, together with the transmission code set by the user.
Note that the OTP generated in this embodiment therefore includes a component derived from the transmission code set by the user. Because the transmission code is chosen freely by the user, the randomness of the generated OTP is increased and the security margin improved. A self-set transmission code is also easy for the user to recognize, and it does not need to be generated and returned by the verification end, which reduces the amount of information passed between the verification end and the user.
S300, transmitting the one-time password to a second user interface of the user and displaying it there. The verification end exchanges information with the first user interface over the Internet, but transmits the generated OTP to the second user interface over a transmission path different from the Internet, for example by text message, fax or voice.
As an implementation, the second user interface may be a mobile phone, and the verification end can transmit the generated verification code to the smart terminal as a short message. Here the verification end sends the OTP, via a server connected to the mobile network operator, to the operator's server (for example China Mobile, China Unicom or China Telecom), and the operator then delivers the message to the mobile phone specified by the user over its dedicated network. The user provides the mobile phone number to the verification end in advance, and the verification end stores it in its database as system information. The user may register the mobile phone number at a counter by presenting a valid identity document, or, where the verification end permits it, may set the number for receiving the OTP online during registration.
Preferably, the OTP is transmitted by short message, and the transmission code and some of the transaction information are transmitted to the second user interface along with it. The user then enters the OTP that corresponds to the transmission code, which avoids using the wrong OTP when several transactions are in progress. Sending the transaction information also lets the user check the transaction details, reducing the probability of error.
Preferably, the OTP transmitted to the second interface of the user is valid for a certain period; after that period the current OTP is disabled, and if the transaction is to continue a new OTP must be requested.
S400, receiving the one-time password returned by the user through the first user interface. After receiving the OTP from the verification end, the user enters it through the same first user interface used to input the transaction information, and it is transmitted to the verification end to apply for authorization.
S500, determining whether to authorize the transaction by judging whether the returned one-time password is correct. The verification end decides whether the transaction can proceed by checking that the returned OTP and the transmission code match. Note that when the OTP is generated, the corresponding transaction is uniquely determined, so when the user returns the OTP the verification end can look up the stored transaction information by the transmission code and check whether the returned OTP is consistent with the OTP previously stored for that transmission code. If it is, the transaction is authorized to continue; if not, transaction failure information is returned. The transaction failure information includes OTP error, OTP timeout, transaction timeout and the like.
In one embodiment, as shown in FIG. 2, the method comprises the following steps:
S101, receiving transaction information input by a user through a first user interface and a self-set transmission code. This step is substantially the same as step S100 above: the user inputs the information for the transaction through the first user interface; for a transfer to a certain account, for example, the transaction information may include the account to be credited, the transfer amount and other details. The self-set transmission code, that is, the transaction code the user chooses for this transaction, is entered in a separate input box and can serve as a keyword identifying the transaction. After entering the transaction information and the transmission code on the first user interface, the user can click a button on that interface to request the one-time password, which connects to the verification end and obtains the one-time password from it.
S102, backing up the transaction information, the account corresponding to the transaction information and the self-set transmission code. The verification end has a database for user data and a data storage unit; after receiving the transaction information sent by the user, it stores that information so that a one-time password can be generated and used in the subsequent verification.
Preferably, before step S102 the verification end also determines whether the transmission code received from the user end, i.e. the first user interface, is empty, and if it is, returns an authentication failure message to the first user interface reminding the user to input a transmission code. This ensures that the one-time password authentication method of this embodiment always generates the one-time password using a transmission code set by the user.
S103, generating a one-time password corresponding to the transmission information from the transaction information and the transmission code.
S104, transmitting the one-time password to a second user interface of the user and displaying it there.
S105, when detecting that the user has logged in to the account from a third user interface, copying the transaction information and the transmission code to the third user interface.
S106, receiving the one-time password returned by the user from the third user interface. The user may return the one-time password through the first user interface, or may enter the OTP for verification through another, third user interface logged in to the same account; for example, a computer serves as the first user interface and a smart terminal as the third user interface. When the third user interface is used, however, the verification end must synchronize the transaction to the third user interface according to the account information in step S104, so that the user can continue in the third user interface the transaction left unfinished in the first user interface.
S107, determining whether to authorize the transaction by judging whether the returned one-time password is correct. If the verification succeeds, the transaction may continue; otherwise OTP verification failure information is returned to the third user interface, reminding the user to obtain a new OTP and try again.
In one embodiment of the one-time password authentication method, step S200 (generating the one-time password corresponding to the transmission information from the transaction information and the transmission code) is carried out as a logic operation over the transaction information, the transmission code and system data. The system data are data the verification end itself uses to generate the one-time password, such as variables the verification end produces with its system random function during the operation. These variables can be adjusted automatically according to requirements and in batches.
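As an added example (not code from the patent or its assignee), the following Python simulation of the verification end walks through steps S100 to S500, the third-interface hand-off of S105, and the transmission-code presence check of the generation method. The patent does not specify the "logic operation"; HMAC-SHA256 keyed with a constructed system secret, a per-request random nonce as the system data, the 120-second validity, single use of each OTP and the constant-time comparison are all assumptions made here.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120  # "valid for a preset time"; the value is an assumption


class VerificationEnd:
    """Simulated verification end (bank side) for the authentication method.

    The concrete "logic operation" is not given in the patent; here it is
    HMAC-SHA256 keyed with system data (a constructed secret) over the
    transaction information, the user's transmission code and a per-request
    random nonce, truncated to OTP_DIGITS digits. All of that is an assumption.
    """

    def __init__(self, system_key: bytes):
        self._system_key = system_key      # "system data" held by the verification end
        self._pending = {}                 # (account, transmission_code) -> stored transaction
        self.second_interface_outbox = []  # stands in for the SMS / non-Internet channel

    # S100-S300 plus the check that the transmission code is present
    def request_otp(self, account, transaction, transmission_code, now=None):
        now = time.time() if now is None else now
        if not transmission_code:          # the transmission code cannot be null
            return {"ok": False, "reason": "transmission code required"}
        nonce = secrets.token_hex(8)       # system data: random value per request
        otp = self._generate_otp(transaction, transmission_code, nonce)
        # S102: back up transaction, account and transmission code for later verification
        self._pending[(account, transmission_code)] = {
            "transaction": dict(transaction),
            "otp": otp,
            "expires": now + OTP_TTL_SECONDS,
            "used": False,
        }
        # S300: OTP, transmission code and some transaction info go to the second interface
        self.second_interface_outbox.append({
            "otp": otp,
            "transmission_code": transmission_code,
            "amount": transaction.get("amount"),
        })
        return {"ok": True}

    def _generate_otp(self, transaction, transmission_code, nonce):
        # Fixed field order so the same transaction always serialises identically
        fields = ("type", "account", "amount", "time")
        canonical = "|".join(str(transaction.get(k, "")) for k in fields)
        msg = f"{canonical}|{transmission_code}|{nonce}".encode("utf-8")
        mac = hmac.new(self._system_key, msg, hashlib.sha256).digest()
        # Dynamic truncation in the style of RFC 4226 (HOTP); an assumption
        offset = mac[-1] & 0x0F
        code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{code % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"

    # S105: a third interface logged in to the same account receives the pending transaction
    def pending_for_account(self, account):
        return [
            {"transmission_code": code, "transaction": dict(rec["transaction"])}
            for (acct, code), rec in self._pending.items()
            if acct == account and not rec["used"]
        ]

    # S400-S500: look up the transaction by transmission code and check the returned OTP
    def verify_otp(self, account, transmission_code, returned_otp, now=None):
        now = time.time() if now is None else now
        rec = self._pending.get((account, transmission_code))
        if rec is None or rec["used"]:
            return {"authorized": False, "reason": "OTP error"}
        if now > rec["expires"]:
            del self._pending[(account, transmission_code)]
            return {"authorized": False, "reason": "OTP timeout"}
        # Constant-time comparison so timing does not reveal how many digits matched
        if not hmac.compare_digest(rec["otp"].encode(), str(returned_otp).encode()):
            return {"authorized": False, "reason": "OTP error"}
        rec["used"] = True                 # one-time: a second use of the same OTP is refused
        return {"authorized": True, "transaction": rec["transaction"]}


def demo():
    """Run the flow on a constructed transaction and return every outcome."""
    bank = VerificationEnd(system_key=b"constructed-system-key-not-real")
    tx = {"type": "transfer", "account": "6222-0000-0001",
          "amount": "1500.00", "time": "2014-06-24T10:00"}
    t0 = 1_000_000.0
    rejected = bank.request_otp("user01", tx, "", now=t0)      # no transmission code
    accepted = bank.request_otp("user01", tx, "123xyz", now=t0)
    sms = bank.second_interface_outbox[-1]                      # what the phone would show
    first = bank.verify_otp("user01", "123xyz", sms["otp"], now=t0 + 30)
    replay = bank.verify_otp("user01", "123xyz", sms["otp"], now=t0 + 31)
    bank.request_otp("user01", tx, "abc999", now=t0)
    late = bank.verify_otp("user01", "abc999", bank.second_interface_outbox[-1]["otp"],
                           now=t0 + OTP_TTL_SECONDS + 1)
    return {"rejected": rejected, "accepted": accepted,
            "first": first, "replay": replay, "late": late}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```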
Based on the same inventive concept, the invention also provides a one-time password authentication system. Since the system solves the problem on the same principle as the one-time password authentication method, it can be implemented according to the specific steps of the method, and repeated details are omitted.
In one embodiment of the one-time password authentication system, as shown in fig. 3, the system includes a first user interface 100, a web server 200, an authentication server 300, and a second user interface 400 sequentially connected to a network, and further includes a hardware security module 500 communicatively connected to the authentication server 300.
The authentication server 300 includes an information receiving module 310, a password generating module 320, and an information sending module 330. The information receiving module 310 is configured to receive, through the network server, the transaction information and the self-set transmission code input by the user through the first user interface; a password generating module 320, configured to generate a one-time password corresponding to the transmission information according to the transaction information and the transmission code; the information sending module 330 is configured to transmit the one-time password to a second user interface of the user, and display the one-time password on the second user interface.
The hardware security module 500 includes a verification module 510, configured to determine whether the returned one-time password is correct, and transmit the result to the authentication server, where the authentication server determines whether to authorize the transaction according to the result. The hardware security module 500 is provided with an information transmission unit for transmitting information with the authentication server, and is configured to transmit the OTP confirmation information and the OTP generated by itself or the authentication server. Correspondingly, a hardware security module connection unit corresponding to the information transmission unit in the hardware security module 500 is also provided in the authentication server, and is used for performing information communication with the hardware security module 500.
The one-time password authentication system of this embodiment generates a one-time password (OTP) from the transaction information entered by the user together with the transmission code the user has set, delivers the OTP to a second display interface of the user, and has the user type the OTP back by hand to verify the transaction. The OTP can be delivered over a communication link other than the Internet, which protects the user's account during an online transaction: an attacker with network access alone cannot obtain all of the information belonging to the transaction and therefore cannot carry out an unauthorized one.
In another embodiment of the one-time password authentication system, shown in fig. 4, the system includes a first user interface 100, a web server 200, an authentication server 300 and a second user interface 400 connected in sequence over a network, and further includes a hardware security module 500 communicatively connected to the authentication server 300.
The authentication server 300 includes an information receiving module 310 and an information sending module 330. The information receiving module 310 receives, via the web server, the transaction information and the self-set transmission code that the user entered through the first user interface; the information sending module 330 transmits the one-time password to the user's second user interface, where it is displayed.
The hardware security module 500 includes a password generation module 520 and a verification module 510. The password generation module 520 generates the one-time password corresponding to the transaction from the transaction information and the transmission code; the verification module 510 determines whether the returned one-time password is correct and passes the result to the authentication server, which decides on that basis whether to authorize the transaction.
In this embodiment the one-time password is generated by the password generation module 520 inside the hardware security module 500; module 520 and the password generation module 320 of the authentication server may use the same generation logic or different logic. Generating the OTP inside the HSM further improves its security: besides defending against theft over the network, it limits leakage of the OTP inside the verification end itself, for example within a bank.
In one embodiment, the user transmits the one-time password back to the authentication server 300 through the first user interface 100.
In one embodiment, as shown in fig. 5, the system further includes a third user interface 600, and the user transmits the one-time password back to the authentication server 300 through the third user interface 600.
As one way of delivering the OTP, the authentication server 300 is connected to a mobile communication transmission server and sends a short message containing the one-time password to the second user interface 400 through it. As shown in fig. 6, after the user submits the transaction information and the transmission code through the first user interface 100, the transaction information reaches the authentication server 300 via the web server 200. The authentication server 300 either generates the OTP itself or forwards the transaction information and the transmission code to the hardware security module 500, which generates the OTP and returns it to the authentication server 300. The authentication server 300, connected to a mobile communication server (not shown), then delivers the OTP to the second user interface 400 through the mobile network transmission terminal 600, and the user enters the OTP by hand to complete authentication. This is the complete authentication flow of the present one-time password authentication system.
Because the OTP is generated inside a Hardware Security Module (HSM) and packaged there before the authentication server forwards it to the client user, nobody other than that user learns the OTP. In particular, a third party cannot tamper with or steal it over a shared broadband wireless link and cannot derive the client's account and transaction information from it. As far as possible, no component other than the trusted HSM that generated it, including intermediate servers such as the web server and the application server, ever sees the transaction verification code OTP in the clear. This also defends against session replay and against GPU-accelerated brute-force attacks on the password.
The process by which the HSM generates the OTP is detailed below:
Step A1, package the OTP into a data packet with the structure R + S + P;
where R is a fixed-length random number generated by the HSM for each encryption; S is the access element used in this access; and P is either the OTP itself or a hash of the OTP, as determined by the configuration.
The access element is a combination of one or more parameters of the transaction information the user submitted for this transaction access together with information such as the self-set transmission code. The hash algorithm is SHA-256 or SM3.
Step B1, encrypt the R + S + P packet with a symmetric key. The cipher is AES with a 256-bit key, or SM1 or SM4.
Step C1, save the encrypted packet to the database.
When the authentication server sends the generated OTP to the user's second user interface, it first decrypts the stored packet and then has the mobile communication server deliver the OTP over a private line to the mobile phone number designated by the user.
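The steps above name the algorithms but leave the OTP derivation, the exact packet layout and the cipher mode open. The following Go program is an added illustration, not code from the patent or its assignee, and fixes one concrete reading: S is the transaction fields joined with the transmission code, the OTP (the page's "logic operation") is an HMAC-SHA256 of S under an HSM-resident key truncated to six digits in the manner of RFC 4226, P is the OTP itself, and the R + S + P packet is sealed with AES-256 in GCM mode before it is stored and opened again just before it is sent. The key material, the `|` field separator, the 16-byte R, the six-digit length, the GCM mode and every identifier in the code are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Transaction carries the fields claim 6 names as inputs to the OTP logic.
type Transaction struct {
	Type, Account, Amount string // Amount kept as text so "100" and "100.00" differ
	Time                  time.Time
}

const rLen, otpLen = 16, 6 // R: random prefix per encryption; P: the OTP itself (six digits)

// accessElement is S: transaction fields joined with the self-set transmission code
// (assumption: fields are validated upstream so '|' cannot occur in them).
func accessElement(tx Transaction, code string) []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%s", tx.Type, tx.Account, tx.Amount, tx.Time.UTC().Format(time.RFC3339), code))
}

// generateOTP is the "logic operation" of claim 5, instantiated (assumption) as
// HMAC-SHA256 over S under an HSM-resident key with RFC 4226 dynamic truncation.
func generateOTP(hsmKey []byte, tx Transaction, code string) string {
	mac := hmac.New(sha256.New, hsmKey)
	mac.Write(accessElement(tx, code))
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[off:off+4])&0x7fffffff)%1000000)
}

// packageOTP builds R + S + P (step A1).
func packageOTP(tx Transaction, code, otp string) ([]byte, error) {
	r := make([]byte, rLen)
	if _, err := rand.Read(r); err != nil {
		return nil, err
	}
	return append(append(r, accessElement(tx, code)...), otp...), nil
}

// storageAEAD wraps the 256-bit storage key of step B1. Assumption: AES-GCM, since the
// page gives the key size but not the mode; GCM also authenticates the record, so a
// packet altered in the database fails to decrypt instead of yielding a bogus OTP.
func storageAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // a wrong key length is a provisioning bug, not a runtime condition
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// sealPacket encrypts the packet (step B1); the nonce is prepended to the ciphertext.
func sealPacket(storageKey, pkt []byte) ([]byte, error) {
	gcm := storageAEAD(storageKey)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pkt, nil), nil
}

// openPacket reverses sealPacket; the authentication server calls it just before
// handing the OTP and the transmission code to the mobile communication server.
func openPacket(storageKey, sealed []byte) ([]byte, error) {
	gcm := storageAEAD(storageKey)
	if n := gcm.NonceSize(); len(sealed) >= n+gcm.Overhead() {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("stored packet too short")
}

// verifyReturnedOTP: the stored packet must have been issued for exactly this transaction
// and transmission code (an OTP captured for one transfer cannot authorise a modified one),
// must be inside the validity window of claim 4, and is compared in constant time.
func verifyReturnedOTP(storageKey, sealed []byte, tx Transaction, code, returned string,
	now time.Time, validFor time.Duration) bool {
	pkt, err := openPacket(storageKey, sealed)
	if err != nil || len(pkt) < rLen+otpLen {
		return false
	}
	s, p := pkt[rLen:len(pkt)-otpLen], pkt[len(pkt)-otpLen:]
	if !hmac.Equal(s, accessElement(tx, code)) || now.Before(tx.Time) || now.Sub(tx.Time) > validFor {
		return false
	}
	return hmac.Equal(p, []byte(returned))
}

func main() {
	hsmKey, storageKey := make([]byte, 32), make([]byte, 32) // assumption: both provisioned in the HSM
	rand.Read(hsmKey)
	rand.Read(storageKey)
	tx := Transaction{Type: "transfer", Account: "6222000000000001", Amount: "100.00", Time: time.Now()} // constructed sample
	otp := generateOTP(hsmKey, tx, "a1b2c3")
	pkt, _ := packageOTP(tx, "a1b2c3", otp)
	sealed, _ := sealPacket(storageKey, pkt) // step C1 stores this; openPacket recovers it for the SMS
	fmt.Println("accepted:", verifyReturnedOTP(storageKey, sealed, tx, "a1b2c3", otp, time.Now(), 5*time.Minute))
}
```

Two design points follow from the page's own structure. Keeping S inside the sealed packet is what lets the verifier confirm that the OTP being checked was issued for this exact amount, account and transmission code, which is the property that makes a user-set transmission code useful against tampering with the transaction. And the hashed-P configuration of step A1 would allow the stored record to be used only for verification, never for re-sending the OTP by short message as the sending step above requires, so the two configurations are not interchangeable once SMS delivery is in the picture.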
Based on the same inventive concept, a method for generating a one-time password at the authentication end, which is typically a bank's service end, is provided as shown in fig. 7. It includes the following steps, all performed at a server of the authentication end.
S201, receive a transaction authorization request from a user. Before carrying out a transaction, the user submits a transaction authorization request through a terminal such as a computer, that is, asks for the entered transaction information to be authenticated. After receiving the request, the verifying end, for example a bank, authorizes and authenticates the transaction; only an authenticated transaction may proceed to completion, realising operations such as transfers and payments. No transaction that could change the funds in the user's account may be carried out without authentication.
S202, parse the transaction authorization request sent by the user to obtain the transaction information and the transmission code the user entered. The user's transaction information may be sent as one data packet, together with the user's account information, client address and so on, through the web server to the verifying end of a bank or similar institution. On receiving the packet, the verifying end parses it to obtain the data needed to generate the OTP, such as the transaction account and transaction time. The transmission code is chosen freely by the user when the transaction is made. It may consist of digits, letters, or a combination of both, and its length includes, but is not limited to, 6, 4 or 8 characters.
Preferably, along with the transaction information the user may enter personal data such as a password, an identification number or reserved information as auxiliary authentication information. The verifying end compares this personal data with the account information stored in its database to authenticate the account; if account authentication fails, the verifying end immediately returns a stop-transaction message prompting the user to authenticate the account again.
Note that the reference information in the verifying end's database is the reserved account authentication information that the user registered at a bank counter while holding valid identity documents such as an identity card, or that was supplied to the verifying end through a channel it recognises, such as another bank.
S203, generate a one-time password corresponding to the transaction from the transaction information and the transmission code. The verifying end computes the one-time password by a logic operation over the parsed transmission code and transaction information and sends it to the user, who must enter it as a necessary condition of the subsequent transaction authorization authentication.
Because the method of this embodiment generates the OTP from both the transaction information and the user-set transmission code, the OTP depends not only on a random value chosen by the verifying end, such as a bank, but also on a parameter chosen by the user that the verifying end cannot predict. This effectively prevents tampering with the transaction information, whether on the network or inside the bank, and protects the user's account at both the network end and the verifying end.
In one embodiment of the method, before step S202 parses the transaction authorization request to obtain the transaction information and the transmission code, the method further includes the following steps:
S2021, determine whether the received transaction authorization request contains a transmission code;
if it does, execute step S202 to parse the transaction authorization request;
if it does not, execute step S2022 to return request-authorization-failure information.
This step first checks that the transaction authorization request contains a transmission code, so that the transmission code used as a parameter for generating the OTP is never empty.
Preferably, returning the request-authorization-failure information in step S2022 specifically includes the following:
first, the transaction information received from the user side is stored; then a request to enter the transmission code is sent to the user's client, and the server waits for the client's reply. This gives the user the opportunity to re-enter the transmission code within a certain time. Once the re-entered transmission code is received, it is combined with the previously stored transaction information to form the complete account transaction data used to generate the OTP.
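The check in S2021 and the re-entry path in S2022 form a small state machine whose details the page does not fix: how the stored transaction is identified when the code arrives, how long the user has, and what happens if the second attempt is also bad. The following Go program is an added example, not code from the patent, and chooses one set of answers: a random single-use retry token, a fixed re-entry window, a character-set and length rule for the code taken from the description of S202 and claim 3, and the rule that the stored transaction information, not whatever the client resubmits, is what gets joined with the re-entered code. The token format, the window length, the field names and the error texts are all assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"sync"
	"time"
)

// AuthorizationRequest is the parsed data packet of step S202. Assumption: the page does
// not give the wire format, so the fields are modelled directly.
type AuthorizationRequest struct {
	Account, TransactionType, Amount string
	TransactionTime                  time.Time
	TransmissionCode                 string
}

var (
	ErrTransmissionCodeRequired = errors.New("request authorization failure: transmission code required")
	ErrTransmissionCodeFormat   = errors.New("request authorization failure: transmission code must be 4, 6 or 8 letters or digits")
	// digits and/or letters, 4, 6 or 8 characters (claim 3 and the length examples given for S202)
	codeFormat = regexp.MustCompile(`^(?:[0-9A-Za-z]{4}|[0-9A-Za-z]{6}|[0-9A-Za-z]{8})$`)
)

func checkTransmissionCode(code string) error {
	switch {
	case code == "":
		return ErrTransmissionCodeRequired
	case !codeFormat.MatchString(code):
		return ErrTransmissionCodeFormat
	}
	return nil
}

type pendingTx struct {
	req     AuthorizationRequest
	expires time.Time
}

// Gate implements S2021/S2022: a request without a transmission code is parked under a
// random single-use token for a bounded window instead of being fed to OTP generation.
type Gate struct {
	mu      sync.Mutex
	pending map[string]pendingTx
	window  time.Duration
	now     func() time.Time // injectable clock
}

func NewGate(window time.Duration) *Gate {
	return &Gate{pending: map[string]pendingTx{}, window: window, now: time.Now}
}

// Receive returns the complete data for S203, or a retry token together with
// ErrTransmissionCodeRequired, or a rejection for a malformed code.
func (g *Gate) Receive(req AuthorizationRequest) (*AuthorizationRequest, string, error) {
	err := checkTransmissionCode(req.TransmissionCode)
	if errors.Is(err, ErrTransmissionCodeRequired) {
		raw := make([]byte, 16)
		if _, rerr := rand.Read(raw); rerr != nil {
			return nil, "", rerr
		}
		token := hex.EncodeToString(raw)
		g.mu.Lock()
		g.pending[token] = pendingTx{req: req, expires: g.now().Add(g.window)}
		g.mu.Unlock()
		return nil, token, err
	}
	if err != nil {
		return nil, "", err
	}
	return &req, "", nil
}

// Resume joins the re-entered transmission code with the stored transaction information.
// The stored copy is authoritative: the client cannot change the amount or account while
// "only" supplying the code, and the token is consumed whether or not the code is valid.
func (g *Gate) Resume(token, code string) (*AuthorizationRequest, error) {
	g.mu.Lock()
	p, ok := g.pending[token]
	delete(g.pending, token)
	g.mu.Unlock()
	if !ok {
		return nil, errors.New("unknown or already used retry token")
	}
	if g.now().After(p.expires) {
		return nil, errors.New("re-entry window expired; submit the transaction again")
	}
	if err := checkTransmissionCode(code); err != nil {
		return nil, err
	}
	p.req.TransmissionCode = code
	return &p.req, nil
}

func main() {
	g := NewGate(2 * time.Minute)
	req := AuthorizationRequest{Account: "6222000000000001", TransactionType: "transfer", Amount: "100.00", TransactionTime: time.Now()} // constructed sample
	_, token, err := g.Receive(req) // the user left the transmission code empty
	fmt.Println("first attempt:", err)
	if done, err := g.Resume(token, "abc123"); err == nil { // client re-prompted, user typed the code
		fmt.Println("complete data for S203:", done.Amount, done.TransmissionCode)
	}
}
```

Consuming the token on every Resume call, even when the re-entered code is malformed, is deliberate: a token that survives failed attempts becomes a handle an attacker can keep poking at, whereas here the worst case is that the legitimate user has to submit the transaction again.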
Corresponding to the method for generating a one-time password, the invention also provides a device for generating a one-time password. As shown in fig. 8, the device includes an information receiving module 101, a parsing module 102 and a password generating module 103, where the information receiving module 101 receives a user's transaction authorization request; the parsing module 102 parses the request to obtain the transaction information and the transmission code entered by the user; and the password generating module 103 generates the one-time password corresponding to the transaction from the transaction information and the transmission code.
The device is mainly applied at transaction verification ends such as banks. The information receiving module 101, parsing module 102 and password generating module 103 may be integrated in one server of the verifying end, such as the authentication server, or distributed across different hardware devices of the verifying end; for example, the information receiving module 101 and the parsing module 102 may share one device while the password generating module 103 sits in another. Because the generated OTP incorporates a user-set transmission code that is not part of the transaction information, its inputs include a user-chosen value in addition to the bank end's random value, which prevents theft of account data and tampering with the transaction information on the network or inside the bank.
As shown in fig. 9, in one embodiment the device further includes a transmission code determination module 104 and a failure information return module 105, where the transmission code determination module 104 determines whether the received transaction authorization request contains a transmission code; if it does, the parsing module 102 parses the request; if it does not, the failure information return module 105 returns request-authorization-failure information.
The embodiments above express only several embodiments of the invention, and although their description is specific and detailed, it is not to be construed as limiting the scope of the invention. A person skilled in the art can make several variations and modifications without departing from the inventive concept, and these fall within the scope of the invention. The protection scope of this patent is therefore governed by the appended claims.

Claims (7)

1. A one-time password authentication method, characterized by comprising the following steps:
receiving transaction information and a self-set transmission code input by a user through a first user interface, wherein the transmission code is input by the user as a single input message and cannot be null;
backing up the transaction information, the account corresponding to the transaction information and the self-set transmission code;
generating a one-time password corresponding to the transaction information from the transaction information and the transmission code;
transmitting the one-time password to a second user interface of the user and displaying it there;
when it is detected that the user has logged in to the account through a third user interface, copying the transaction information and the transmission code to the third user interface;
receiving the one-time password returned by the user through the third user interface;
determining whether to authorize the transaction by judging whether the returned one-time password is correct;
wherein the user transmits information through the first user interface over the Internet;
the one-time password is transmitted to the second user interface of the user over a mobile communication network, and the transmission code is transmitted to the second user interface and displayed on it;
wherein the method further comprises:
determining whether the transmission code received through the first user interface is empty;
and if the transmission code is empty, returning authentication failure information to the first user interface to prompt the user to input the transmission code again.
2. The method of claim 1, wherein the one-time password is transmitted to the second user interface over a non-Internet channel such as SMS, fax or voice.
3. The one-time password authentication method of claim 1, wherein the transmission code consists of digits, letters, or a combination of digits and letters.
4. The one-time password authentication method of any one of claims 1 to 3, wherein the one-time password is valid for a predetermined time.
5. The one-time password authentication method of claim 1, wherein the one-time password corresponding to the transaction information is generated by a logic operation over the transaction information, the transmission code and system data.
6. The one-time password authentication method of claim 5, wherein the transaction information on which the logic operation is performed includes one or a combination of two or more of a transaction type, a transaction account, a transaction amount and a transaction time.
7. A one-time password authentication system, characterized by comprising a first user interface, a web server, an authentication server, a second user interface and a third user interface connected in sequence over a network, and
a hardware security module communicatively connected to the authentication server;
the authentication server comprises an information receiving module for receiving, via the web server, transaction information and a self-set transmission code input by a user through the first user interface, wherein the transmission code is input by the user as a single input message and cannot be null;
the authentication server or the hardware security module comprises a password generation module for generating a one-time password corresponding to the transaction information from the transaction information and the transmission code;
the authentication server further comprises an information sending module for transmitting the one-time password to the second user interface of the user and displaying it there;
the third user interface is configured so that the user can return the one-time password to the authentication server through it;
the hardware security module further comprises a verification module for judging whether the returned one-time password is correct and transmitting the result to the authentication server, which determines whether to authorize the transaction according to the result;
the authentication server is connected to a mobile communication transmission server, through which it transmits a short message containing the one-time password to the second user interface, and transmits the transmission code to the second user interface for display there;
wherein the authentication server is further configured to:
determine whether the transmission code received through the first user interface is empty;
and if the transmission code is empty, return authentication failure information to the first user interface to prompt the user to input the transmission code again.

Publications (2)

Publication Number Publication Date
CN104077690A CN104077690A (en) 2014-10-01
CN104077690B true CN104077690B (en) 2020-08-28

Family

ID=51598935

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410287503.1A Active CN104077690B (en) 2014-06-24 2014-06-24 Method and device for generating one-time password, authentication method and authentication system

Country Status (2)

Country Link
CN (1) CN104077690B (en)
TW (1) TW201601083A (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6218184B2 (en) * 2014-11-13 2017-10-25 日立オートモティブシステムズ株式会社 Information processing apparatus and message authentication method
TWI596556B (en) * 2016-07-29 2017-08-21 臺灣集中保管結算所股份有限公司 A method and system for authenticating a user with service providers using a universal one time password
CN106789079A (en) * 2016-12-30 2017-05-31 余仁植 Identity identifying method, disposal password electronic installation and system
TWI731924B (en) * 2017-01-23 2021-07-01 香港商斑馬智行網絡(香港)有限公司 Method and device for processing verification information
CN107911350B (en) * 2017-02-27 2022-04-08 黄贤杰 Two-way matching and authentication system for electronic equipment
TWI675579B (en) * 2017-09-30 2019-10-21 優仕達資訊股份有限公司 Network authentication system and method
CN108683667B (en) * 2018-05-16 2021-12-03 深圳市迅雷网络技术有限公司 Account protection method, device, system and storage medium
US10542036B1 (en) * 2018-10-02 2020-01-21 Capital One Services, Llc Systems and methods for signaling an attack on contactless cards

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005083610A1 (en) * 2004-02-23 2005-09-09 Verisign, Inc. Token authentication system and method
CN101651675A (en) * 2009-08-27 2010-02-17 北京飞天诚信科技有限公司 Method and system for enhancing security of network transactions
CN101777158A (en) * 2010-01-13 2010-07-14 北京飞天诚信科技有限公司 Method and system for secure transaction
CN102202300A (en) * 2011-06-14 2011-09-28 上海众人网络安全技术有限公司 System and method for dynamic password authentication based on dual channels

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101131759A (en) * 2006-08-24 2008-02-27 中国信托商业银行股份有限公司 Method for generating disposal password used for internet trade and its application method and system for performing the same
CN103139179A (en) * 2011-12-01 2013-06-05 捷而思股份有限公司 Multi-channel active type network identity verification system and network identity verification device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005083610A1 (en) * 2004-02-23 2005-09-09 Verisign, Inc. Token authentication system and method
CN101651675A (en) * 2009-08-27 2010-02-17 北京飞天诚信科技有限公司 Method and system for enhancing security of network transactions
CN101777158A (en) * 2010-01-13 2010-07-14 北京飞天诚信科技有限公司 Method and system for secure transaction
CN102202300A (en) * 2011-06-14 2011-09-28 上海众人网络安全技术有限公司 System and method for dynamic password authentication based on dual channels

Also Published As

Publication number Publication date
TW201601083A (en) 2016-01-01
TWI543092B (en) 2016-07-21
CN104077690A (en) 2014-10-01

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231101
Address after: Singapore 750D Caishi Road # 08-01ESR Industrial Park @ Caishi
Patentee after: Singapore i-Sprint Technology Co.,Ltd.
Address before: Room 1509, Shougang International Building, No. 60, Xizhimen North Street, Haidian District, Beijing 100082
Patentee before: BEIJING ANXUNBEN SCIENCE & TECHNOLOGY Co.,Ltd.