CN104202167B - System and method for realizing identity authentication based on an external authentication module and a personal identification number (Google Patents)

Publication number: CN104202167B
Application number: CN201410476460.1A
Authority: CN (China)
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Other versions: CN104202167A
Original language: Chinese (zh)
Inventors: 胥怡心, 胡永涛, 屈新春
Original and current assignee: Third Research Institute of the Ministry of Public Security
Prosecution history: priority to CN201410476460.1A; published as CN104202167A; granted as CN104202167B
Prior art keywords: authentication, module, identification number, personal identification, security module

Classification (Google Patents landscapes)

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract

The present invention relates to a system for realizing identity authentication based on an external authentication module and a personal identification number; the system includes an authentication management client, a security module and an external authentication module. The invention further relates to a method for realizing identity authentication based on an external authentication module and a personal identification number, in which the authentication management client, according to the check result produced by the external authentication module and forwarded by the security module, selectively commands the security module and the external authentication module to perform binding, authentication or unbinding. With the system and method of the present invention, identity authentication is carried out by means of the high-strength cryptographic mechanism of the external authentication module, which avoids the security risk of a stolen password: even if the PIN code is stolen, the SE module cannot be activated without the specially shaped smart card, so the security of the user's account is ensured. This provides great convenience for identity authentication on mobile devices, is simple to use and has a wide range of applications.

Description

System and method for realizing identity authentication based on an external authentication module and a personal identification number
Technical field
The present invention relates to the field of identity authentication within information security, in particular to devices with near field communication (NFC) capability, and specifically to a method for realizing identity authentication based on an external authentication module and a personal identification number.
Background art
With the rapid development of the mobile Internet and the maturing of NFC (Near Field Communication) technology, intelligent mobile communication terminals such as smart phones have become a commonly used means of near-field payment. Mobile payment transactions in the prior art mostly follow the 13.56 MHz wireless communication protocol standards. To suit different users, chip manufacturers have developed NFC-SIM (Subscriber Identity Module) cards with a built-in hardware security module (SE module, Security Module) as well as full NFC cards. The security of existing mobile payment terminal equipment depends on the hardware security module (SE module) in the terminal, which may take the form of a SIM (Subscriber Identity Module) card or of an independent security chip embedded on the terminal mainboard.
When a user pays with an NFC-enabled smart phone, the SE module on the phone needs to identify and verify the user. Currently popular authentication modes are largely based on "what you know": the user enters a PIN code (Personal Identification Number) or a gesture password in the APP (application program) to authenticate their identity. Because the SE module is constantly in the activated state, once the APP is hijacked a hacker can initiate a fund transfer at any time, causing loss to the user.
Summary of the invention
The purpose of the present invention is to overcome the shortcomings of the prior art described above by providing a method for realizing identity authentication based on an external authentication module and a personal identification number that carries out identity authentication through the high-strength cryptographic mechanism of the external authentication module, avoids the security risk of a stolen password, ensures the security of the user's account and has a broader range of application.
To achieve these goals, the system and method of the present invention for realizing identity authentication based on an external authentication module and a personal identification number take the following form:
The system for realizing identity authentication based on an external authentication module and a personal identification number is mainly characterized in that the system includes:
an authentication management client, which sends a personal identification number verification instruction to the security module and, according to the check result forwarded by the security module, selectively commands the security module and the external authentication module to perform binding, authentication or unbinding;
a security module, which forwards the personal identification number verification instruction to the external authentication module and forwards the check result fed back by the external authentication module to the authentication management client;
an external authentication module, which verifies the personal identification number verification instruction and feeds the check result back to the security module.
Further, the external authentication module includes an authentication storage unit, an authentication execution unit and an authentication communication unit, wherein:
the authentication storage unit stores the device digital certificate and the personal identification number used for authentication;
the authentication execution unit verifies the personal identification number verification instruction against the personal identification number held in the storage unit, and performs authentication with the security module according to the authentication instruction of the authentication management client;
the authentication communication unit communicates with the security module.
Further, the security module includes a secure storage unit, an execution authentication unit and a secure communication unit, wherein:
the secure storage unit stores the device digital certificate sent by the external authentication module;
the execution authentication unit performs authentication with the external authentication module according to the authentication instruction of the authentication management client;
the secure communication unit communicates with the external authentication module.
Further, the authentication management client includes an information acquisition unit and an interface display unit, wherein:
the information acquisition unit obtains the personal identification number information and the authentication interface operation information entered by the user;
the interface display unit displays the authentication interface and all kinds of prompts.
The security module and the external authentication module communicate by NFC technology, and the external authentication module is a specially shaped card in the form of a ring.
In addition, the present invention also provides an identity binding method realized based on an external authentication module and a personal identification number, mainly characterized in that the method comprises the following steps:
(1) the authentication management client sends the personal identification number verification instruction to the security module;
(2) the security module forwards the personal identification number verification instruction to the external authentication module;
(3) the external authentication module verifies the personal identification number verification instruction and feeds the check result back to the security module;
(4) the security module forwards the check result to the authentication management client;
(5) the authentication management client, according to the check result, selectively binds the security module and the external authentication module.
Further, the step in which the authentication management client selectively binds the security module and the external authentication module according to the check result comprises the following steps:
(5.1) the authentication management client judges whether the check result is a personal identification number verification failure;
(5.2) if the check result is a personal identification number verification failure, continue with step (5.3), otherwise continue with step (5.4);
(5.3) the authentication management client displays a prompt that the personal identification number was entered incorrectly;
(5.4) the authentication management client sends a digital certificate read instruction to the security module;
(5.5) the security module forwards the digital certificate read instruction to the external authentication module;
(5.6) the external authentication module sends the data of the device digital certificate corresponding to the digital certificate read instruction to the security module;
(5.7) the security module forwards the data of the device digital certificate to the authentication management client;
(5.8) the authentication management client writes the data of the device digital certificate into the security module.
In addition, the present invention also provides an identity authentication method realized based on an external authentication module and a personal identification number, mainly characterized in that the method comprises the following steps:
(a) the authentication management client sends the personal identification number verification instruction to the security module;
(b) the security module forwards the personal identification number verification instruction to the external authentication module;
(c) the external authentication module verifies the personal identification number verification instruction and feeds the check result back to the security module;
(d) the security module forwards the check result to the authentication management client;
(e) the authentication management client, according to the check result, selectively commands the security module to authenticate with the external authentication module.
Further, the step in which the authentication management client selectively commands the security module to authenticate with the external authentication module according to the check result comprises the following steps:
(e.1) the authentication management client judges whether the check result is a personal identification number verification failure;
(e.2) if the check result is a personal identification number verification failure, continue with step (e.3), otherwise continue with step (e.4);
(e.3) the authentication management client displays a prompt that the personal identification number was entered incorrectly;
(e.4) the authentication management client sends an authentication instruction to the security module;
(e.5) the security module forwards the authentication instruction to the external authentication module;
(e.6) the external authentication module sends the authentication data corresponding to the authentication instruction to the security module;
(e.7) the security module verifies the authentication data according to the device digital certificate bound inside it;
(e.8) the security module selectively activates the secure payment function according to the check result.
Further, the step in which the security module selectively activates the secure payment function according to the check result comprises the following steps:
(e.8.1) the security module judges whether the check result is user authentication success; if so, continue with step (e.8.2), otherwise continue with step (e.8.3);
(e.8.2) the security module activates the secure payment function;
(e.8.3) the security module sends user authentication failure information to the authentication management client;
(e.8.4) the authentication management client displays a prompt of user authentication failure.
Further, the following steps are also included before step (a):
(0.a) the security module judges whether the external authentication module is present within a preset range; if so, continue with step (0.b), otherwise repeat step (0.a);
(0.b) the security module sends a display interface instruction to the authentication management client;
(0.c) the authentication management client displays the authentication interface.
Further, the following steps are also included after step (e):
(f) the security module judges whether the external authentication module is still present within the preset range; if so, repeat step (f), otherwise continue with step (g);
(g) the security module sends a close interface instruction to the authentication management client;
(h) the authentication management client closes the authentication interface.
Meanwhile, the present invention also provides an unbinding method realized based on an external authentication module and a personal identification number, mainly characterized in that the method comprises the following steps:
(A) the authentication management client sends an unbinding instruction to the security module;
(B) the security module deletes the data of the device digital certificate corresponding to the unbinding instruction.
The system and method for realizing identity authentication based on an external authentication module and a personal identification number of the invention have the following advantages:
(1) To overcome the security hazard caused by the SE module being "always online" in the prior art described above, the present invention provides a two-factor identity authentication method for NFC mobile phones based on an external authentication module and a personal identification number (PIN code). It includes verification of the user's identity by checking the personal identification number (PIN) on the external authentication module. After the password verification passes, the security module (SE) inside the NFC smart phone authenticates the external authentication module (such as a specially shaped contactless smart card or an RFID tag) in a challenge-response manner (using a symmetric or asymmetric encryption algorithm). Only after both steps of authentication are completed is identity authentication complete and the payment function of the security module inside the NFC phone activated. Identity authentication is thus carried out by means of the high-strength cryptographic mechanism of the external authentication module, which avoids the security risk of a stolen personal identification number: even if the PIN code is stolen, the SE module cannot be activated without the specially shaped smart card, ensuring the security of the user's account.
(2) For ease of carrying, the external authentication module can be packaged in the form of a specially shaped card; the present invention packages the external authentication module in a ring. When logging in to the APP with the present invention, the user only needs to hold the phone with the hand wearing the smart ring card and enter the PIN code to complete identity authentication, with no additional "card swiping" action. This provides great convenience for identity authentication on mobile devices and has a wide range of applications.
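The following Python model is an added illustration of the binding steps (1) to (5.8), the authentication steps (a) to (e.8.4), the unbinding steps (A) and (B), and the challenge-response mechanism of advantage (1); it is not code from the patent or its assignee. The message types, the representation of the device digital certificate as a device id plus an authentication key, and HMAC-SHA256 over a random challenge as the symmetric instance of the challenge-response are assumptions of this example; the patent fixes neither a message format nor a particular algorithm. The scenarios at the end exercise the security claim: a known PIN without the card, the card without the PIN, an unbound card and an unbound phone all leave the payment function inactive.

```python
# Added example (not from the patent): three-party model of the bind/auth/unbind flows.
# Assumptions: message types, DeviceCertificate = (device_id, auth_key), HMAC-SHA256
# over a 16-byte random challenge as the symmetric challenge-response.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DeviceCertificate:
    device_id: str   # constructed identifier of the ring card
    auth_key: bytes  # key the SE keeps after binding ("authentication key" in the embodiment)


class ExternalAuthModule:
    """The ring-shaped NFC card: stores the PIN and the device digital certificate."""

    def __init__(self, pin: str, cert: DeviceCertificate) -> None:
        self._pin, self._cert = pin, cert

    def handle(self, instr: Dict) -> Dict:
        if instr["type"] == "PIN_VERIFY":   # steps (3)/(c): the PIN is checked on the card
            return {"type": "PIN_RESULT", "ok": hmac.compare_digest(instr["pin"], self._pin)}
        if instr["type"] == "READ_CERT":    # step (5.6): hand out the device certificate
            return {"type": "CERT", "cert": self._cert}
        if instr["type"] == "AUTH":         # step (e.6): answer the SE's challenge
            tag = hmac.new(self._cert.auth_key, instr["challenge"], hashlib.sha256).digest()
            return {"type": "AUTH_DATA", "device_id": self._cert.device_id, "response": tag}
        return {"type": "ERROR", "reason": "unknown instruction"}


class SecurityModule:
    """The SE in the phone: forwards instructions, keeps the bound certificate,
    verifies the challenge response and gates the secure payment function."""

    def __init__(self, card: Optional[ExternalAuthModule]) -> None:
        self.card = card                      # None models "no external module in range"
        self.bound_cert: Optional[DeviceCertificate] = None
        self.payment_active = False

    def forward(self, instr: Dict) -> Dict:
        if instr["type"] == "AUTH":           # step (e.5): fresh challenge per attempt
            self.payment_active = False
            instr = dict(instr, challenge=secrets.token_bytes(16))
        if self.card is None:
            return {"type": "ERROR", "reason": "no external authentication module in range"}
        reply = self.card.handle(instr)
        if reply["type"] == "AUTH_DATA":      # steps (e.7)/(e.8)
            reply = self._verify(instr["challenge"], reply)
        return reply

    def _verify(self, challenge: bytes, data: Dict) -> Dict:
        ok = False
        if self.bound_cert is not None:       # (e.7): check against the bound certificate
            expected = hmac.new(self.bound_cert.auth_key, challenge, hashlib.sha256).digest()
            ok = (data["device_id"] == self.bound_cert.device_id
                  and hmac.compare_digest(expected, data["response"]))
        self.payment_active = ok              # (e.8.2): activate only on success
        return {"type": "AUTH_RESULT", "ok": ok}

    def write_cert(self, cert: DeviceCertificate) -> None:   # step (5.8)
        self.bound_cert = cert

    def delete_cert(self) -> None:                           # step (B)
        self.bound_cert, self.payment_active = None, False


class AuthManagementClient:
    """The phone app: drives the flows and records the prompts it would display."""

    def __init__(self, se: SecurityModule) -> None:
        self.se = se
        self.prompts: List[str] = []

    def _pin_ok(self, pin: str) -> bool:      # steps (1)-(4) / (a)-(d)
        reply = self.se.forward({"type": "PIN_VERIFY", "pin": pin})
        if reply.get("ok"):
            return True
        self.prompts.append("personal identification number input error")  # (5.3)/(e.3)
        return False

    def bind(self, pin: str) -> bool:         # steps (5.4)-(5.8)
        if not self._pin_ok(pin):
            return False
        reply = self.se.forward({"type": "READ_CERT"})
        if reply["type"] != "CERT":
            return False
        self.se.write_cert(reply["cert"])
        return True

    def authenticate(self, pin: str) -> bool: # steps (e.4)-(e.8.4)
        if not self._pin_ok(pin):
            return False
        if not self.se.forward({"type": "AUTH"}).get("ok"):
            self.prompts.append("user authentication failure")
            return False
        return True

    def unbind(self) -> None:                 # steps (A)/(B)
        self.se.delete_cert()


def run_scenarios() -> Dict[str, bool]:
    """Constructed cards and a fresh phone per scenario; returns each scenario's outcome."""
    ring = ExternalAuthModule("1234", DeviceCertificate("ring-001", secrets.token_bytes(32)))
    other = ExternalAuthModule("1234", DeviceCertificate("ring-002", secrets.token_bytes(32)))

    def bound_phone(in_range):   # phone bound to `ring`, then `in_range` is the card present
        se = SecurityModule(ring)
        app = AuthManagementClient(se)
        app.bind("1234")
        se.card = in_range
        return se, app

    out = {}
    se, app = SecurityModule(ring), None
    app = AuthManagementClient(se)
    out["bind_wrong_pin"] = app.bind("0000") or se.bound_cert is not None     # False
    out["bind_ok"] = app.bind("1234") and se.bound_cert is not None            # True
    se, app = bound_phone(ring)
    out["auth_ok"] = app.authenticate("1234") and se.payment_active            # True
    se, app = bound_phone(None)
    out["stolen_pin_no_card"] = app.authenticate("1234") or se.payment_active  # False
    se, app = bound_phone(other)
    out["wrong_card"] = app.authenticate("1234") or se.payment_active          # False
    se, app = bound_phone(ring)
    out["card_without_pin"] = app.authenticate("9999") or se.payment_active    # False
    se, app = bound_phone(ring)
    app.unbind()
    out["after_unbind"] = app.authenticate("1234") or se.payment_active        # False
    return out
```

The SE is the only party that ever sees both the bound key and the response, and it resets the payment flag at the start of every authentication attempt, so a failed or interrupted attempt cannot leave a stale activation behind; the client only relays instructions and shows prompts, which is the division of roles the claims describe.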
Brief description of the drawings
Fig. 1 is a structural diagram of the system for realizing identity authentication based on an external authentication module and a personal identification number of the present invention.
Fig. 2 is a flow chart of the identity binding method realized based on an external authentication module and a personal identification number of the present invention.
Fig. 3 is a flow chart of the identity authentication method realized based on an external authentication module and a personal identification number of the present invention.
Fig. 4 is a structural diagram of an embodiment of the system for realizing identity authentication based on an external authentication module and a personal identification number of the present invention.
Fig. 5 is a flow chart of the binding between the external authentication module and the mobile phone SE module of the present invention.
Fig. 6 is a flow chart of the two-factor identity authentication of the present invention.
Embodiments
In order to describe the technical content of the present invention more clearly, it is further described below with reference to specific embodiments.
Referring to Fig. 1, in one embodiment the system of the present invention for realizing identity authentication based on an external authentication module and a personal identification number includes:
an authentication management client, which sends a personal identification number verification instruction to the security module and, according to the check result forwarded by the security module, selectively commands the security module and the external authentication module to perform binding, authentication or unbinding;
a security module, which forwards the personal identification number verification instruction to the external authentication module and forwards the check result fed back by the external authentication module to the authentication management client;
an external authentication module, which verifies the personal identification number verification instruction and feeds the check result back to the security module.
In a preferred embodiment, the external authentication module includes an authentication storage unit, an authentication execution unit and an authentication communication unit, wherein:
the authentication storage unit stores the device digital certificate and the personal identification number used for authentication;
the authentication execution unit verifies the personal identification number verification instruction against the personal identification number held in the storage unit, and performs authentication with the security module according to the authentication instruction of the authentication management client;
the authentication communication unit communicates with the security module.
In a preferred embodiment, the security module includes a secure storage unit, an execution authentication unit and a secure communication unit, wherein:
the secure storage unit stores the device digital certificate sent by the external authentication module;
the execution authentication unit performs authentication with the external authentication module according to the authentication instruction of the authentication management client;
the secure communication unit communicates with the external authentication module.
In a preferred embodiment, the authentication management client includes an information acquisition unit and an interface display unit, wherein:
the information acquisition unit obtains the personal identification number information and the authentication interface operation information entered by the user;
the interface display unit displays the authentication interface and all kinds of prompts.
The security module and the external authentication module communicate by NFC technology, and the external authentication module is a specially shaped card in the form of a ring.
In addition, the present invention also provides an identity binding method realized based on an external authentication module and a personal identification number, as shown in Fig. 2, mainly characterized in that the method comprises the following steps:
(1) the authentication management client sends the personal identification number verification instruction to the security module;
(2) the security module forwards the personal identification number verification instruction to the external authentication module;
(3) the external authentication module verifies the personal identification number verification instruction and feeds the check result back to the security module;
(4) the security module forwards the check result to the authentication management client;
(5) the authentication management client, according to the check result, selectively binds the security module and the external authentication module.
In a preferred embodiment, the step in which the authentication management client selectively binds the security module and the external authentication module according to the check result comprises the following steps:
(5.1) the authentication management client judges whether the check result is a personal identification number verification failure;
(5.2) if the check result is a personal identification number verification failure, continue with step (5.3), otherwise continue with step (5.4);
(5.3) the authentication management client displays a prompt that the personal identification number was entered incorrectly;
(5.4) the authentication management client sends a digital certificate read instruction to the security module;
(5.5) the security module forwards the digital certificate read instruction to the external authentication module;
(5.6) the external authentication module sends the data of the device digital certificate corresponding to the digital certificate read instruction to the security module;
(5.7) the security module forwards the data of the device digital certificate to the authentication management client;
(5.8) the authentication management client writes the data of the device digital certificate into the security module.
In addition, the present invention also provides an identity authentication method realized based on an external authentication module and a personal identification number, as shown in Fig. 3, mainly characterized in that the method comprises the following steps:
(a) the authentication management client sends the personal identification number verification instruction to the security module;
(b) the security module forwards the personal identification number verification instruction to the external authentication module;
(c) the external authentication module verifies the personal identification number verification instruction and feeds the check result back to the security module;
(d) the security module forwards the check result to the authentication management client;
(e) the authentication management client, according to the check result, selectively commands the security module to authenticate with the external authentication module.
In a preferred embodiment, the step in which the authentication management client selectively commands the security module to authenticate with the external authentication module according to the check result comprises the following steps:
(e.1) the authentication management client judges whether the check result is a personal identification number verification failure;
(e.2) if the check result is a personal identification number verification failure, continue with step (e.3), otherwise continue with step (e.4);
(e.3) the authentication management client displays a prompt that the personal identification number was entered incorrectly;
(e.4) the authentication management client sends an authentication instruction to the security module;
(e.5) the security module forwards the authentication instruction to the external authentication module;
(e.6) the external authentication module sends the authentication data corresponding to the authentication instruction to the security module;
(e.7) the security module verifies the authentication data according to the device digital certificate bound inside it;
(e.8) the security module selectively activates the secure payment function according to the check result.
In a preferred embodiment, the step in which the security module selectively activates the secure payment function according to the check result comprises the following steps:
(e.8.1) the security module judges whether the check result is user authentication success; if so, continue with step (e.8.2), otherwise continue with step (e.8.3);
(e.8.2) the security module activates the secure payment function;
(e.8.3) the security module sends user authentication failure information to the authentication management client;
(e.8.4) the authentication management client displays a prompt of user authentication failure.
In a preferred embodiment, the following steps are also included before step (a):
(0.a) the security module judges whether the external authentication module is present within a preset range; if so, continue with step (0.b), otherwise repeat step (0.a);
(0.b) the security module sends a display interface instruction to the authentication management client;
(0.c) the authentication management client displays the authentication interface.
In a preferred embodiment, the following steps are also included after step (e):
(f) the security module judges whether the external authentication module is still present within the preset range; if so, repeat step (f), otherwise continue with step (g);
(g) the security module sends a close interface instruction to the authentication management client;
(h) the authentication management client closes the authentication interface.
Meanwhile, the present invention also provides an unbinding method realized based on an external authentication module and a personal identification number, mainly characterized in that the method comprises the following steps:
(A) the authentication management client sends an unbinding instruction to the security module;
(B) the security module deletes the data of the device digital certificate corresponding to the unbinding instruction.
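The presence-driven interface lifecycle of steps (0.a) to (0.c) and (f) to (h) above, as an added example rather than code from the patent: a small state machine on the security module side that is fed successive in-range polls and records the instructions it would send to the authentication management client, together with the activation or failure outcome of steps (e.8.2) and (e.8.3). The event names, the polling input, and the handling of a card that leaves range before authentication has finished (which the patent does not specify) are assumptions of this example.

```python
# Added example (not from the patent): SE-side state machine for steps (0.a)-(0.c) and (f)-(h).
# Assumptions: event names, one boolean poll per tick, and closing the interface when the
# card leaves before authentication completes.
from enum import Enum, auto
from typing import List, Optional, Tuple


class Phase(Enum):
    WAIT_CARD = auto()        # step (0.a): polling until the external module is in range
    INTERFACE_OPEN = auto()   # steps (0.b)/(0.c) done; steps (a)-(e) may run
    WAIT_LEAVE = auto()       # step (f): authentication finished, waiting for the card to leave


class PresenceController:
    """Security module view of the session: opens the interface when the card arrives,
    records the authentication outcome, closes the interface once the card is gone."""

    def __init__(self) -> None:
        self.phase = Phase.WAIT_CARD
        self.events: List[str] = []   # instructions/outcomes in the order they happen

    def poll(self, card_in_range: bool, auth_result: Optional[bool] = None) -> Phase:
        """One polling tick. auth_result is set on the tick in which step (e) completes."""
        if self.phase is Phase.WAIT_CARD:
            if card_in_range:                       # (0.a) satisfied
                self.events.append("DISPLAY_INTERFACE")   # (0.b)/(0.c)
                self.phase = Phase.INTERFACE_OPEN
        elif self.phase is Phase.INTERFACE_OPEN:
            if not card_in_range:
                # Assumption: card removed mid-session; no instruction can reach it,
                # so the interface is closed as in (g)/(h) and nothing is activated.
                self.events.append("CLOSE_INTERFACE")
                self.phase = Phase.WAIT_CARD
            elif auth_result is not None:           # step (e.8)
                self.events.append("ACTIVATE_PAYMENT" if auth_result else "SEND_AUTH_FAILURE")
                self.phase = Phase.WAIT_LEAVE
        elif self.phase is Phase.WAIT_LEAVE:
            if not card_in_range:                   # (f) no longer present
                self.events.append("CLOSE_INTERFACE")     # (g)/(h)
                self.phase = Phase.WAIT_CARD
        return self.phase


def run_polls(samples: List[Tuple[bool, Optional[bool]]]) -> List[str]:
    """Feed a constructed sequence of (card_in_range, auth_result) ticks and return the events."""
    ctl = PresenceController()
    for in_range, result in samples:
        ctl.poll(in_range, result)
    return ctl.events


# Constructed trace: card arrives, authenticates successfully, leaves; arrives again,
# authentication fails, leaves.
SAMPLE_TRACE = [(False, None), (False, None), (True, None), (True, None), (True, True),
                (True, None), (False, None), (False, None), (True, None), (True, False),
                (False, None)]
```

Running `run_polls(SAMPLE_TRACE)` yields six events: display, activate, close, display, failure notice, close. The interface is never shown while no card is in range, and a card removed before step (e) completes produces a close without any activation, which is the behaviour a defender wants from the "card must be present" factor.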
The present invention relates to verifying whether a user's identity is legitimate on an intelligent mobile device that supports near field communication (NFC), and in particular to the technical fields of NFC communication mechanisms, cryptography and information security.
To achieve these goals, in practical application the authentication management client is application software installed on the intelligent mobile terminal: a mobile phone application that provides the user with a personal identification number input interface and with management functions for the external authentication module. The security module is a mobile payment security authentication chip that supports NFC technology and can be activated only after authentication of the external authentication module has been completed; it is arranged on the circuit board of the intelligent mobile terminal and, preferably, supports both card reader mode and card emulation mode and can switch between the two. The external authentication module is a contactless smart chip based on NFC technology that can be packaged into a specially shaped card with a ring profile, convenient for the user to carry and use.
The external authentication module includes: an authentication storage unit, which stores the device digital certificate and the user's personal password in on-chip memory; an authentication execution unit, which performs the personal identification number check and mutual authentication with the security module; and an authentication communication unit, which communicates with intelligent mobile terminals that support NFC technology.
The security module includes: a secure communication unit, which sends instructions to the external authentication module supporting NFC technology and receives its responses; an execution authentication unit, which performs the authentication of the external authentication module; and a secure storage unit, which stores the authentication key (the encrypted device digital certificate) in on-chip memory.
The authentication management client includes: an information acquisition module, which obtains the personal identification number entered by the user and menu selection operations; and a user display module, which displays the external authentication module management menu and the authentication result: on success it displays success, and on failure it prompts the user according to the returned error code.
The method for realizing authentication based on an external authentication module and a personal identification number mainly includes two parts, binding and authentication, and preferably also an unbinding part. The specific flows are as follows:
1) Binding
The user runs the authentication management client on the mobile phone and selects the binding operation;
The authentication management client prompts the user, on the personal identification number input interface, to enter the personal identification number of the external authentication module;
The authentication management client sends the personal identification number verification instruction to the external authentication module through the NFC communication interface of the security module (i.e. the NFC communication interface of the secure communication unit);
The external authentication module verifies the received personal identification number and returns the verification result;
If personal identification number verification fails, the authentication management client prompts the user that the personal identification number was entered incorrectly;
If personal identification number verification succeeds, the authentication management client sends the read digital certificate instruction to the external authentication module through the NFC communication interface of the security module;
The external authentication module returns the device digital certificate issued by the issuer;
The authentication management client writes the device digital certificate of the external authentication module into the security module, and the binding procedure ends.
2) Authentication
When the communication unit of the security module detects the external authentication module approaching the intelligent mobile terminal, it activates the personal identification number input interface of the authentication management client and prompts the user to enter the personal identification number of the external authentication module;
The authentication management client sends the personal identification number verification instruction to the external authentication module through the NFC communication interface of the security module;
The external authentication module verifies the received personal identification number and returns the verification result;
If personal identification number verification fails, the authentication management client prompts the user that the personal identification number was entered incorrectly;
If personal identification number verification succeeds, the authentication management client sends the authentication instruction to the external authentication module through the NFC communication interface of the security module;
The external authentication module receives the authentication instruction and returns authentication data;
The security module verifies the authentication data using the digital certificate of the bound external authentication module;
If authentication fails, the authentication management client prompts the user that authentication failed;
If authentication succeeds, the mobile security payment function of the security module is activated and the authentication management client prompts the user that authentication succeeded.
When the communication module of the security module detects that the external authentication module is no longer within NFC radio range, it stops the current payment transaction process and closes the payment function whether or not the transaction has been completed, and the authentication management client prompts the user that the transaction has been stopped.
3) Unbinding
The user runs the authentication management client on the mobile phone and selects the unbinding operation;
Preferably, the authentication flow must first be completed; if authentication succeeds, the security module deletes the device digital certificate stored in its internal storage module, releasing the binding with the external authentication module.
To make the technical problem solved by the present invention, its embodiments and its advantages clearer, the above method is described in detail below with reference to a system example. An embodiment of the system for realizing authentication based on an external authentication module and a personal identification number provided by the present invention is shown in Figure 4; the system includes an external authentication module, a mobile phone security module (i.e. the security module) and an external authentication module management client application (i.e. the authentication management client).
The external authentication module is a contactless smart chip based on NFC technology, including: a storage unit, which stores the authentication device digital certificate, the device private key and the user's personal identification number in on-chip memory, with a storage space of no more than 2K bytes; an authentication execution unit, including a cryptographic co-processor and a CPU (Central Processing Unit), for performing personal identification number verification and authentication with the mobile phone security module; and a communication unit, including an interface and an antenna supporting the ISO 14443 contactless smart card communication protocol. Besides transmitting the corresponding data, the antenna receives the radio-frequency field (RF field) generated by the NFC device and uses it to power the digital processing, ensuring the complete process in which the external authentication module encrypts information and the NFC communication unit sends and receives data.
When authenticating with the external authentication module, the user only needs to hold the mobile phone in the hand that wears the ring-shaped external authentication module in order to operate it; the safe, efficient and convenient characteristics of NFC near-field communication ensure the user experience.
The external authentication module management client application is a mobile APP running on the Android platform, including an information acquisition module and a user display module. The information acquisition module obtains the personal identification number and the menu selection operations entered by the user; the user display module shows the external authentication module management menu and the authentication result: on success it displays that authentication succeeded, on failure it prompts the user according to the returned error code.
In the embodiment, the method for realizing authentication based on an external authentication module and a personal identification number includes two key flows:
1. The binding flow between the external authentication module and the mobile phone SE module, referring to Fig. 5, comprises the following steps:
(1) The user starts the mobile phone application (i.e. the external authentication module management client application);
(2) The user is prompted to tap the card;
(3) The PIN (Personal Identification Number) code (i.e. the personal identification number) entered by the user is verified;
(4) If the external authentication module verifies the PIN code successfully, proceed to the next step; if the PIN code is wrong and has been wrong more than 6 times, prompt that binding failed;
(5) The device certificate in the external authentication module is read;
(6) The device certificate is saved in the mobile phone SE;
(7) The binding flow ends.
2. The two-factor identity authentication flow, as in Fig. 6, comprises the following steps:
(1) The user starts the mobile phone application;
(2) The user is prompted to tap the card;
(3) The PIN code entered by the user is verified;
(4) If the external authentication module verifies the PIN code successfully, proceed to the next step; if the PIN code is wrong and has been wrong more than 6 times, prompt that authentication failed;
(5) The authentication instruction is sent to the external authentication module; the instruction carries the raw data for authentication;
(6) The external authentication module digitally signs the received raw authentication data with its internally stored private key;
(7) The mobile phone SE verifies the digital signature of the external authentication module; if verification passes, authentication succeeds, otherwise authentication fails;
(8) The authentication flow ends.
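The binding and two-factor authentication flows above (parts 1 and 2 of the method, and the Fig. 5 and Fig. 6 embodiment) modelled in Go; this is example code added here, not the patent's or the Android application's own code. It assumes an Ed25519 key pair standing in for the device private key and issuer-signed device certificate, a 32-byte random challenge as the "raw data for authentication", a PIN retry limit of 6, and all three parties running in one process with the NFC transport omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

const maxPINTries = 6 // wrong entries allowed before the module locks (the description's limit of 6)
var ErrWrongPIN = errors.New("personal identification number incorrect")
var ErrPINBlocked = errors.New("personal identification number blocked")
var ErrAuthFailed = errors.New("external authentication module not accepted")

// ExternalModule is the NFC ring or card; its private key never leaves it.
type ExternalModule struct {
	pub         ed25519.PublicKey // stands in for the issuer-signed device certificate (assumption)
	priv        ed25519.PrivateKey
	pin         string
	triesLeft   int
	pinVerified bool // cleared when the module leaves the NFC field
}

func NewExternalModule(pin string) *ExternalModule {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail
	return &ExternalModule{pub: pub, priv: priv, pin: pin, triesLeft: maxPINTries}
}

// VerifyPIN: the counter is decremented before the compare, as smart cards do, so an aborted compare costs a try.
func (m *ExternalModule) VerifyPIN(candidate string) error {
	if m.triesLeft == 0 {
		return ErrPINBlocked
	}
	m.triesLeft--
	if subtle.ConstantTimeCompare([]byte(candidate), []byte(m.pin)) == 1 {
		m.triesLeft, m.pinVerified = maxPINTries, true
		return nil
	}
	if m.triesLeft == 0 {
		return ErrPINBlocked
	}
	return ErrWrongPIN
}

// ReadCertificate answers the read-certificate instruction sent during binding.
func (m *ExternalModule) ReadCertificate() []byte { return append([]byte(nil), m.pub...) }

// Authenticate signs the SE's challenge only in the PIN-verified state (a nil reply fails Verify in the SE).
func (m *ExternalModule) Authenticate(challenge []byte) []byte {
	if !m.pinVerified {
		return nil
	}
	return ed25519.Sign(m.priv, challenge)
}

// SecurityModule is the SE soldered into the handset.
type SecurityModule struct {
	boundCert []byte // device certificate written at binding, deleted at unbinding
	payment   bool   // mobile secure payment function active
}

func (se *SecurityModule) Bound() bool          { return len(se.boundCert) == ed25519.PublicKeySize }
func (se *SecurityModule) PaymentEnabled() bool { return se.payment }
func (se *SecurityModule) Unbind()              { se.boundCert, se.payment = nil, false }
// FieldLost: the SE stops the payment as soon as the module leaves the NFC field.
func (se *SecurityModule) FieldLost(m *ExternalModule) { se.payment, m.pinVerified = false, false }

// BindFlow: PIN check, then copy the device certificate into the SE (Fig. 5).
func BindFlow(se *SecurityModule, m *ExternalModule, pin string) error {
	if err := m.VerifyPIN(pin); err != nil {
		return err
	}
	se.boundCert = m.ReadCertificate()
	return nil
}

// AuthFlow: PIN check, then challenge-response against the bound certificate (Fig. 6).
func AuthFlow(se *SecurityModule, m *ExternalModule, pin string) error {
	if err := m.VerifyPIN(pin); err != nil {
		return err
	}
	challenge := make([]byte, 32) // fresh random "raw data for authentication"
	rand.Read(challenge)
	se.payment = se.Bound() && ed25519.Verify(ed25519.PublicKey(se.boundCert), challenge, m.Authenticate(challenge))
	if !se.payment {
		return ErrAuthFailed
	}
	return nil
}
```

A second module programmed with the same PIN fails AuthFlow because the SE verifies against the certificate bound earlier, which is the page's point that a stolen PIN alone cannot activate the SE.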
The system and method for realizing authentication based on an external authentication module and a personal identification number of the present invention have the following advantages:
(1) To overcome the security hazards caused by the "always online" SE module of the prior art described above, the present invention provides a two-factor identity authentication method for NFC mobile phones based on an external authentication module and a personal identification number (PIN code), which includes user identity verification by means of personal identification number (PIN) verification against the external authentication module. After the password verification passes, the security module (SE) inside the NFC smart phone authenticates the external authentication module (such as a special-form contactless smart card or an RFID tag) in a challenge-response manner (using a symmetric or asymmetric encryption algorithm). Only after both steps of authentication are completed is identity authentication complete and the payment function of the security module inside the NFC mobile phone activated. Identity authentication relies on the high-strength secure encryption mechanism of the external authentication module, which avoids the security risk of a stolen personal identification number: even if the PIN code is stolen, the SE module cannot be activated without the special-form smart card, ensuring the security of the user's account.
(2) For ease of carrying, the external authentication module can be encapsulated in the form of a special-form card; the present invention encapsulates the external authentication module in a ring. When logging into the APP with the present invention, the user only needs to hold the smart phone in the hand that wears the ring-shaped special-form card and enter the PIN code to complete identity authentication, without an extra "card swipe" action, which greatly facilitates identity verification on mobile devices and gives the method wider applicability.

Claims (12)

  1. A system for realizing authentication based on an external authentication module and a personal identification number, characterized in that the system includes:
    an authentication management client, for sending a personal identification number verification instruction to a security module and, according to the verification result forwarded by the security module, selectively instructing the security module to bind with, authenticate and unbind from an external authentication module;
    a security module, for forwarding the personal identification number verification instruction to the external authentication module and forwarding the verification result fed back by the external authentication module to the authentication management client;
    an external authentication module, for verifying the personal identification number verification instruction and feeding back the verification result to the security module,
    wherein the security module includes a secure storage unit, an execution authentication unit and a secure communication unit, and:
    the secure storage unit is for storing the device digital certificate sent by the external authentication module;
    the execution authentication unit is for authenticating the external authentication module according to the authentication instruction of the authentication management client;
    the secure communication unit is for communicating with the external authentication module.
  2. The system for realizing authentication based on an external authentication module and a personal identification number according to claim 1, characterized in that the external authentication module includes an authentication storage unit, an authentication execution unit and an authentication communication unit, wherein:
    the authentication storage unit is for storing the device digital certificate and the personal identification number used for authentication;
    the authentication execution unit is for verifying the personal identification number verification instruction against the personal identification number in the authentication storage unit, and for authenticating with the security module according to the authentication instruction of the authentication management client;
    the authentication communication unit is for communicating with the security module.
  3. The system for realizing authentication based on an external authentication module and a personal identification number according to claim 1, characterized in that the authentication management client includes an information acquisition unit and an interface display unit, wherein:
    the information acquisition unit is for obtaining the personal identification number information and the authentication interface operation information entered by the user;
    the interface display unit is for displaying the authentication interface and the various prompts.
  4. The system for realizing authentication based on an external authentication module and a personal identification number according to any one of claims 1 to 3, characterized in that the security module and the external authentication module communicate by NFC technology.
  5. The system for realizing authentication based on an external authentication module and a personal identification number according to claim 4, characterized in that the external authentication module is a ring-shaped special-form card.
  6. A method for realizing identity binding based on an external authentication module and a personal identification number using the system according to any one of claims 1 to 3, characterized in that the method comprises the following steps:
    (1) the authentication management client sends the personal identification number verification instruction to the security module;
    (2) the security module forwards the personal identification number verification instruction to the external authentication module;
    (3) the external authentication module verifies the personal identification number verification instruction and feeds back the verification result to the security module;
    (4) the security module forwards the verification result to the authentication management client;
    (5) the authentication management client selectively binds the security module with the external authentication module according to the verification result.
  7. The identity binding method based on an external authentication module and a personal identification number according to claim 6, characterized in that the authentication management client selectively binding the security module with the external authentication module according to the verification result comprises the following steps:
    (5.1) the authentication management client judges whether the verification result is a personal identification number verification failure;
    (5.2) if the judgment is that the verification result is a personal identification number verification failure, continue to step (5.3), otherwise continue to step (5.4);
    (5.3) the authentication management client displays the prompt message that the personal identification number was entered incorrectly;
    (5.4) the authentication management client sends a digital certificate read instruction to the security module;
    (5.5) the security module forwards the digital certificate read instruction to the external authentication module;
    (5.6) the external authentication module sends the data of the device digital certificate corresponding to the digital certificate read instruction to the security module;
    (5.7) the security module forwards the data of the device digital certificate to the authentication management client;
    (5.8) the authentication management client writes the data of the device digital certificate into the security module.
  8. A method for realizing authentication based on an external authentication module and a personal identification number using the method according to claim 6, characterized in that the method comprises the following steps:
    (a) the authentication management client sends the personal identification number verification instruction to the security module;
    (b) the security module forwards the personal identification number verification instruction to the external authentication module;
    (c) the external authentication module verifies the personal identification number verification instruction and feeds back the verification result to the security module;
    (d) the security module forwards the verification result to the authentication management client;
    (e) the authentication management client selectively instructs the security module to authenticate with the external authentication module according to the verification result;
    wherein the authentication management client selectively instructing the security module to authenticate with the external authentication module according to the verification result comprises the following steps:
    (e.1) the authentication management client judges whether the verification result is a personal identification number verification failure;
    (e.2) if the judgment is that the verification result is a personal identification number verification failure, continue to step (e.3), otherwise continue to step (e.4);
    (e.3) the authentication management client displays the prompt message that the personal identification number was entered incorrectly;
    (e.4) the authentication management client sends an authentication instruction to the security module;
    (e.5) the security module forwards the authentication instruction to the external authentication module;
    (e.6) the external authentication module sends the authentication data corresponding to the authentication instruction to the security module;
    (e.7) the security module verifies the authentication data according to the device digital certificate bound internally;
    (e.8) the security module selectively activates the secure payment function according to the verification result of the authentication data.
  9. The identity binding method based on an external authentication module and a personal identification number according to claim 8, characterized in that the security module selectively activating the secure payment function according to the verification result of the authentication data comprises the following steps:
    (e.8.1) the security module judges whether the verification result of the authentication data is user authentication success; if so, continue to step (e.8.2), otherwise continue to step (e.8.3);
    (e.8.2) the security module activates the secure payment function;
    (e.8.3) the security module sends the user authentication failure information to the authentication management client;
    (e.8.4) the authentication management client displays the prompt message that user authentication failed.
  10. The identity binding method based on an external authentication module and a personal identification number according to claim 8, characterized in that the following steps are further included before step (a):
    (0.a) the security module judges whether the external authentication module is present within a preset range; if so, continue to step (0.b), otherwise repeat step (0.a);
    (0.b) the security module sends a display interface instruction to the authentication management client;
    (0.c) the authentication management client displays the authentication interface.
  11. The identity binding method based on an external authentication module and a personal identification number according to claim 10, characterized in that the following steps are further included after step (e):
    (f) the security module judges whether the external authentication module is still present within the preset range; if so, repeat step (f), otherwise continue to step (g);
    (g) the security module sends a close interface instruction to the authentication management client;
    (h) the authentication management client closes the authentication interface.
  12. A method for realizing unbinding based on an external authentication module and a personal identification number using the method according to claim 8, characterized in that the method comprises the following steps:
    (A) the authentication management client sends an unbinding instruction to the security module;
    (B) the security module deletes the data of the corresponding device digital certificate according to the unbinding instruction.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410476460.1A CN104202167B (en) 2014-09-18 2014-09-18 The system and method for authentication is realized based on external authentication module and personal identification number (Active)

Publications (2)

Publication Number Publication Date
CN104202167A CN104202167A (en) 2014-12-10
CN104202167B true CN104202167B (en) 2018-04-06
