CN104240074A - Prepaid card online payment system based on identity authentication and payment method of prepaid card online payment system - Google Patents

Prepaid card online payment system based on identity authentication and payment method of prepaid card online payment system Download PDF

Info

Publication number
CN104240074A
CN104240074A CN201410531823.7A CN201410531823A CN104240074A CN 104240074 A CN104240074 A CN 104240074A CN 201410531823 A CN201410531823 A CN 201410531823A CN 104240074 A CN104240074 A CN 104240074A
Authority
CN
China
Prior art keywords
information
prepaid card
payment
client
management equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410531823.7A
Other languages
Chinese (zh)
Other versions
CN104240074B (en
Inventor
谈剑锋
姜立稳
何江华
王力
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai PeopleNet Security Technology Co., Ltd.
Original Assignee
Shanghai Everybody Science And Technology Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Everybody Science And Technology Ltd filed Critical Shanghai Everybody Science And Technology Ltd
Priority to CN201410531823.7A priority Critical patent/CN104240074B/en
Publication of CN104240074A publication Critical patent/CN104240074A/en
Application granted granted Critical
Publication of CN104240074B publication Critical patent/CN104240074B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/22Payment schemes or models
    • G06Q20/28Pre-payment schemes, e.g. "pay before"
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327Short range or proximity payments by means of M-devices
    • G06Q20/3278RFID or NFC payments by means of M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/342Cards defining paid or billed services or quantities
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/351Virtual cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction

Abstract

The invention relates to the field of payment of intelligent terminals, particularly relates to a system for implementing virtualized payment of a physical card by using a client side and a management service platform which work cooperatively, and provides a prepaid card online payment system based on identity authentication. The prepaid card online payment system based on identity authentication specifically comprises a client side, payment management equipment and a management and service platform, wherein a first identity authentication module and a first NFC (near field communication) module are arranged in the client side; the token information is acquired through the first identity authentication module; payment information and the token information are transmitted to the payment management equipment through the first NFC module; a second NFC module is arranged in the payment management equipment; information transmitted from the client side is received through the second NFC module; the payment information and the token information are transmitted to the management and service platform so as to respond to the payment information; a second identity authentication module is arranged in the management and service platform; the management and service platform is used for generating and authenticating the token information; user information and prepaid card information are managed and authenticated through the second identity authentication module; identity authentication in a payment process is realized; the safety performance of the prepaid card online payment system is improved; and applications are extended.

Description

The online payment system of prepaid card of identity-based certification and method of payment thereof
Technical field
The present invention relates to the payment technical field of intelligent terminal, particularly relate to system and method for payment thereof that a kind of client and the cooperation of management service platform realize the virtual payment of entity card.
Background technology
Prepaid card is again stored value card, consumption card, Fu Lika, smart card, accumulating card etc., refers to that card sending mechanism is with specific support and form distribution, can buy the prepaid value of commodity or service outside card sending mechanism, i.e. the card consumed again of a kind of post-pay paystation in fact.Be divided into by whether recording holder's identity information sign prepaid card and blank prepaid card, prepaid card of wherein signing comprises the purchase card etc. provided as supermarket, and blank prepaid card comprises as the SIM card etc. in mobile phone; Magnetic stripe card, chip (IC) is divided into block by information carrier difference.
Prepaid card shopping is the transaction form occurred after credit card, current use the most generally Japan.The use procedure of prepaid card is: consumer pre-pays in the shop in a certain system scope the cash limiting number, obtains this card, can not only rely on this to be stuck in one or many in advance payment in cash and directly do shopping in these shops.
Make no matter to be have a lot of benefits to businessman or consumer in this way.For businessman, use businessman after prepaid card not handle cash, substantially reduce the number the flowing of cash, both can avoid the loss of receiving counterfeit money, can reduce again to rob etc. dangerous; Use prepaid card simultaneously, cash is collected, account revenue and expenditure reduces in a large number, both can raise the efficiency, expense of artificial and equipment etc. can be reduced again; For consumers, only need to bring the prepaid card that very thin, can not be with or be with many cashes less, reduce the stolen and danger of catastrophe, carry also very convenient etc.
Summary of the invention
At present, the platform utilizing prepaid card to carry out paying has had a lot, as silver-colored business's information " virtual prepaid card " platform, in platform, trade company is by own software and third-party platform, as micro-letter, Alipay wallet etc. realize the virtual of existing entity card, simultaneously also can at the pure virtual card of this platform distribution.Use third-party platform to carry out in the process paid, first holder uses mobile phone to generate bar code online, and namely cashier carries out barcode scanning payment by barcode scanning gun to bar code.But, in the payment process of this payment system, also there is a lot of problem, as: bar code is only supported that ruddiness scans and is not supported laser scanning at present; Authentication procedures is lacked: even if user does not pass through third-party platform in payment process in whole payment process, as micro-letter platform, user also directly can generate bar code with computer browser input URL (Uniform Resource Locator: uniform resource locator) and pay; And be that data and password all belong to plaintext transmission in whole process of exchange, be easy to monitored and intercepted and captured.For above problem, the invention provides a kind of online payment system of prepaid card of identity-based certification, it arranges authentication module respectively in the middle of client and management service applicator platform, realizes the authentication in payment process; The information interaction that NFC module realizes between client and payment management equipment is set respectively again in client and payment management equipment, and then improves security performance of the present invention, extend application simultaneously.
The online payment system of prepaid card of identity-based certification, comprising:
Client, payment management equipment, and management service platform;
Built-in first authentication module of described client and a NFC (Near Field Communication, near-field communication) module, and obtain token information by described authentication module, payment information and described token information are sent to described payment management equipment by described NFC module simultaneously;
Built-in second NFC module of described payment management equipment, is received the information of described client transmission, described payment information and described token information is sent to described management service platform, to realize the response of described payment information simultaneously by described second NFC module;
Built-in second authentication module of described management service platform, for generating and token information described in certification, is managed and authenticated information and prepaid card information by described second authentication module simultaneously.
Near-field communication (NFC) technology is by non-contact radio-frequency identification (Radio Frequency Identification, RFID) develop, jointly developed by Philips Semiconductors (Xian Enzhi Pu semiconductor company), Nokia and Sony, its basis is RFID and interconnection technique, it is a kind of radiotelegraphy of short distance high frequency, runs in 20cm distance in 13.56MHz frequency; Transmission speed is divided 106kbit/ second, 212kbit/ second or 424kbit/ second three kinds.Current near-field communication is by becoming ISO/IEC IS 18092 international standard, ECMA-340 standard and ETSI TS 102 190 standard.NFC adopts initiatively and passive two kinds of read modes.NFC technology is combining induction card reader, induction type card and point-to-point function on one chip, to realize carrying out with compatible equipment in short distance identifying and the object of exchanges data.
Authentication is the process confirming user identity in a computer network.Authentication can be divided into the certification between user and client and the certification between client and client, and the certification between user and client can based on one or several factor following: as password, password etc., the information of unique identification user, as credit card etc.; The biological characteristic that user has: such as fingerprint, sound, retina, signature etc.
Preferably, described management service platform comprises: management server, certificate server, and prepaid card management equipment;
Built-in described second authentication module of described management server, receives user profile and the prepaid card information of the transmission of described client, is sent to described certificate server and described prepaid card management equipment respectively;
Described certificate server, before system pays, generates the secret key of session and token information; In payment process, for user profile described in certification and described token information;
Described prepaid card management equipment, for managing and prepaid card information described in certification.
Preferably, described user profile comprises the identification information for unique identification user.
Preferably, described payment management equipment comprises POS, and described POS comprises NFC reader.
The present invention provides a kind of prepaid card online payment method of identity-based certification simultaneously, is applied to the online payment system of prepaid card of above-mentioned identity-based certification, specifically comprises:
The described user profile that S1 obtains based on described client, realizes the mutual certification of described client and described certificate server;
Certificate server described in S2 realizes the legitimacy certification of described prepaid card information, and described prepaid card management equipment realizes the correctness certification of described prepaid card information;
Described in S3, client-requested described in authentication server response generates corresponding token information;
Payment management equipment described in S4 sends described payment request to described client;
Described payment information and described token information are sent to described certificate server via described payment management equipment and described prepaid card management equipment by client described in S5;
Certificate server described in S6 realizes the certification of token information, described authentication result and described payment request is sent to prepaid card management equipment simultaneously;
Described in S7, prepaid card management equipment completes delivery operation, payment response is sent to payment management equipment simultaneously.
Preferably, in step S1, based on the described user profile that described client obtains, realize in the mutual certification of described client and described certificate server: in described client and described certificate server, form identical session key according to described user profile respectively, to realize the information interaction between described client and described management service platform.
The formation of the session key mentioned here mainly user realizes the communication between client and management service platform, to guarantee the security performance of Transaction Information, it is a kind of at OTP (One-time Password, disposable dynamic password) basis on a kind of novel cipher system SOTP (the Strong One-time Password that develops, reinforced disposable dynamic password), SOTP algorithm, except for solving except identification, data encryption, can also verify integrality and the non repudiation of transmission data.
Below SOTP cipher system is described in detail, in whole process, be mainly divided into three phases to realize: registration phase, authentication phase and session stage.
1, registration phase
Before use SOTP, user registers to server first in a secure environment, the initialization of completing user.
At registration phase, first client uses the first algorithm H to be encrypted in conjunction with the identification information uid of unique identification user and user password information pw, as SHA1 algorithm generates the first information; Meanwhile, server generates the first key k and the second key k ' immediately, and the first key k and the second key k ' is sent to client, and is combined with cryptographic algorithm E by the first key k, generates an encryption function E relevant to the first key k k, the second key k ' is combined the decryption function D generating and associate with the second key k ' with decipherment algorithm D k.
At this stage, storage encryption algorithm, decipherment algorithm, the first key, the second key, identification information and the first information in server; The cryptographic algorithm and decipherment algorithm that are sent to by server is stored in client.
2, authentication phase
In authentication procedures, first, user inputs identification information uid and user password information pw in the client, simultaneously in conjunction with current time T uiand user password information pw, use encryption function E kbe encrypted with the first algorithm H, generate the first enciphered message client is again by identification information uid and the first enciphered message subsequently send to server.
Server receives identification information uid and the first enciphered message afterwards, first, judge whether identification information uid is validated user, namely registers in the server, and namely whether identifying user information uid prestores in the list of user totem information in the server.
If after checking, user is validated user, then complete the preliminary certification in server; If find that user is illicit user after preliminary certification, then stop the session between client immediately.
And then, server chooses current time T si, use cryptographic algorithm E and the second key k ' to current time T simultaneously sibe encrypted as E k' (T si); Use decipherment algorithm D and the first key k to receiving subsequently be decrypted and obtain again result (carrying out xor operation), obtains E k(T ui), finally re-use decipherment algorithm D and the first key k to E k(T ui) be decrypted and obtain T ui.
Obtain T uiafterwards, T is calculated siwith T uibetween mistiming, if the mistiming is in Preset Time, within 10min, then server to client certificate success, otherwise server disconnect with client between session.
After completing the authentication of client, server is and then by E k(T ui) negate (bit order and bit polarities) obtains E ' k(T ui), use cryptographic algorithm E and the first key k to E subsequently k(T ui) and E ' k(T ui) be encrypted, obtain session key K i=E k(E k(T ui))+E k(E ' k(T ui)), achieve and original 64bit is expanded in order to 128bit, greatly strengthen the safety of information.
After server obtains session key, with by E k' (T si) send to client.
Client receives E k' (T si) after, use decipherment algorithm D and the second key k ' to be decrypted it, obtain time T si; And then T is calculated siwith T uibetween mistiming, if preset mistiming within, within 10min, then client to server authentication success, otherwise client disconnect with server between session.
After completing the authentication of server, and then by E k(T ui) negate obtains E ' k(T ui), use cryptographic algorithm E and the first key k to E subsequently k(T ui) and E ' k(T ui) be encrypted, obtain session key K i=E k(E k(T ui))+E k(E ' k(T ui)).
3, session stage
After generating session key respectively in client and server, namely establish the session relationship between client and server, the packet in each conversation procedure after this between server and client side all uses session key K iencipherment protection, and the verification carrying out completeness check with the first algorithm H.
Separately, in conversation procedure, the transmit leg of packet and take over party comprise public encrypted transaction data algorithm e and the decipherment algorithm d of correspondence respectively, comprise AES-128.
If the content that transmit leg and take over party conversate is M, then the data packet format that transmit leg sends is: e ki(M)+H (M); After take over party receives packet, information is sent in server corresponding to take over party, after server receives the session data bag of the other side, first uses decipherment algorithm d to information e ki(M) be decrypted and obtain M, M subsequently by obtaining calculates and obtains H (M) by the first algorithm H, finally the H obtained (M) is compared with the H received (M), if identical, explanation packet is legal, otherwise termination session, so far completes the verification process of whole SOTP algorithm.
Preferably, in step S2, described certificate server realizes the legitimacy certification of described prepaid card information, and described prepaid card management equipment realizes, in the correctness certification of described prepaid card information, specifically comprising:
It is the first enciphered message that described prepaid card information and described session key are encrypted by described client, extract the first summary info in described prepaid card information simultaneously, subsequently described first enciphered message is sent to described management server together with described first summary info;
Described firstth enciphered message received and the first summary info are sent to described certificate server by described management server;
Described certificate server uses the described session key generated to be decrypted described first enciphered message and obtains prepaid card information, and then obtain the second summary info of described prepaid card information, subsequently described second summary info and the first summary info received are compared, realize the certification of described prepaid card information legitimacy; Finally the prepaid card information received is sent to described prepaid card management equipment together with user profile;
Described prepaid card management equipment according to described in receive user profile and obtain the user be preset in equipment matched, subsequently the prepaid card information that the described prepaid card information received and described user comprise is compared, realize the certification of described prepaid card information correctness.
Preferably, in step S3, described in described authentication server response, client-requested generates in corresponding token information, specifically comprises:
It is the second enciphered message that described client token solicited message and described session key are encrypted, extract the 3rd summary info in described token request information simultaneously, subsequently described second enciphered message is sent to described management server together with described 3rd summary info;
Described second enciphered message received and the 3rd summary info are sent to described certificate server by described management server;
Described certificate server uses the described session key generated to be decrypted described second enciphered message and obtains token request information, and then obtain the 4th summary info of described token request information, subsequently described 3rd summary info and the 4th summary info received are compared, realize the certification of described token request information legitimacy; Finally generate corresponding token information according to the token request of described client.
Preferably, in step s 6, described certificate server realizes the certification of token information, described authentication result and described payment request is sent to prepaid card management equipment simultaneously, specifically comprises:
Described payment management equipment sends the request of payment to described client;
It is the 3rd enciphered message that described token information, payment information and described session key are encrypted by described client, extract the 5th summary info in described token information and described payment information simultaneously, subsequently described 3rd enciphered message and described 5th summary info are sent to described payment management equipment;
Described 3rd enciphered message and described 5th summary info are sent to described prepaid card management equipment by described payment management equipment;
Described 3rd enciphered message received and described 5th summary info are sent to described certificate server by described prepaid card management equipment;
The described session key that described certificate server generates is decrypted the 3rd enciphered message and obtains token information and payment information, and then obtain the 6th summary info, subsequently described 6th summary info and the 5th summary info received are compared, realize the certification of described token request information legitimacy; Finally the described token information received and the token information self generated are compared, complete the comparison of described token information.
Preferably, in step S7, described prepaid card management equipment completes delivery operation, payment response is sent to payment management equipment, in specifically comprising simultaneously:
After described token information authentication success, be sent to described prepaid card management equipment by described authentication result and payment information;
After described prepaid card management equipment receives authentication result and described payment information, payment response is carried out according to the payment information received, described payment response is sent to described payment management equipment simultaneously, completes the delivery operation of the online payment system of described prepaid card.
The invention provides a kind of online payment system of prepaid card of identity-based certification, its beneficial effect is:
1. respectively authentication module is set in client and management service platform in the present invention, achieves the session between client and management service platform; Substantially increase the security performance of session information in conversation procedure simultaneously;
2. in the conversation procedure of client and management service platform in the present invention, use SOTP technology to be encrypted session information:
In this process, each client comprises independently application program or plug-in unit and built-in algorithm and key is merged, namely only store the encryption function and decryption function that are generated in conjunction with random key by encryption-decryption algorithm in client, efficiently solve the safety problem of session key storage in conversation procedure; And the key of stochastic generation is different in each client, thus the algorithm that comprises of each client is different, though in client safety insert surprisingly reveal also can not the overall security of influential system;
Take the method for two-way authentication to carry out certification to client and management service platform respectively between client and management service platform, adopt this authentication method to effectively prevent extraneous impersonation attack.
Identical session key is generated respectively after having carried out two-way authentication between client and management service platform; and then the whole conversation procedure of client and server platform all adopts session key to be encrypted the integrality of protection session information, prevents the leakage of transaction content, distorts, denies and internuncial attack.
3. the present invention arranges NFC module respectively in client and payment management equipment, in whole payment process, communicated by NFC module between client and payment management equipment, convenient and swift, efficiently solve payment management equipment simultaneously and can not obtain payment information in client timely and effectively, extend the application scenario of present system.
Accompanying drawing explanation
Below in conjunction with the drawings and specific embodiments, the present invention is described in further detail:
Fig. 1 is the structural representation of the online payment system of prepaid card of identity-based certification in the present invention;
Fig. 2 is the schematic flow sheet of the prepaid card online payment method of identity-based certification in the present invention.
Embodiment
In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, below in conjunction with drawings and Examples, the present invention is specifically described.Accompanying drawing in the following describes is only some embodiments of the present invention.For those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawing can also be obtained according to these accompanying drawings.
As shown in Figure 1, the invention provides a kind of online payment system of prepaid card of identity-based certification, specifically comprise: client, payment management equipment, and management service platform.
Particularly, built-in first authentication module of difference and the first NFC module in client; Wherein, the first authentication module for realizing the authentication in the data communication process between client and management service platform, to ensure the security performance of communication data; First NFC module, for being sent to the payment management equipment being provided with the second NFC module by the payment information in client and token information.
Further, client comprises the intelligent terminal of built-in NFC module, as mobile phone etc.Especially, in order to realize object of the present invention, at intelligent terminal, as employed HCE (Host Card Mode in mobile phone, host card pattern) technology guarantees that client to be directly sent to client host in corresponding application program from the information of external reception, instead of be sent to client, as in the security module (SE) in mobile phone.But, HCE technology just achieves the data of sending from outside NFC module to the HCE service in client or return in outside NFC module by replying data, and specific implementation is not had for the process of data and the storage of sensitive information, thus in the present invention, simulating Safety module is in the client realized, to ensure the security performance of NFC business by using the mode of SOTP algorithm.According to above description, can know, based on the client of NFC module and HCE technology concrete form besides a cellular phone, also comprise other smart machines being provided with NFC module and using HCE technology, as long as carry out the SOTP algorithm employed in the process of data communication in the present invention between client and management service platform, security performance in data communication process can be ensured.
Built-in second NFC module of payment management equipment, it receives the information of client transmission by the second NFC module, payment information and token information is sent to management service platform, to realize the response of payment information simultaneously.
Further, payment management equipment comprises POS, and POS comprises NFC reader.In payment process, POS sends by its built-in NFC reader the request of payment and serve to the HCE of client, simultaneously by information that NFC reader reception client sends over.Especially, the concrete form of the present invention to payment management equipment does not limit, as long as it can realize object of the present invention, is all included in content of the present invention.
Built-in second authentication module of management service platform, for generating and authentication token information, is managed and authenticated information and prepaid card information by the second authentication module simultaneously.
Further, specifically comprise in management service platform: management server, certificate server, and prepaid card management equipment.
Particularly, built-in second authentication module in management server, receives user profile and the prepaid card information of client transmission, is sent to certificate server and prepaid card management equipment respectively.Especially, in the present invention, management server is mainly used in the information of unified management prepaid card, comprising: hold in the registration operation that management service platform carries out before prepaid card user carries out delivery operation, and the logoff operation of user; The bindings or the user that realize the entity card of prepaid card and user supplement with money prepaid card; User's on-line purchase prepaid card; And user is to operations such as inquiry into balance in prepaid card, integration inquiries.In addition, management server provides the effect of access (being realized by built-in authentication module) for certificate server and prepaid card equipment simultaneously, subsequently the information of reception is forwarded to certificate server and prepaid card equipment respectively.
Certificate server, before system pays, generates the secret key of session and token information; In payment process, for authenticated information and token information.Particularly, hold prepaid card user registered in management service platform by client time, management server is sent to certificate server by information after receiving user profile and stores, to realize the checking to user identity before paying.Further, user profile comprises can the identification information of displacement identifying user, and as user name etc., what also comprise user logs in password etc.In addition, certificate server also comprises and according to the algorithm that can realize SOTP, can comprise: the generation of SOTP algorithms library, the download of SOTP algorithms library, to realize the generation of session key; Generate corresponding token information according to the request of client based on user profile and temporal information simultaneously.Especially, the first authentication module in client and the second authentication module in management server comprise the port of SOTP algorithm, for realizing employing the transmission of the data after SOTP algorithm for encryption.
Prepaid card management equipment, for managing and certification prepaid card information.Particularly, in systems in which, each user can comprise multiple prepaid card, user only needs to be stored in management server and prepaid card management equipment by the information of prepaid card in the process of registration, then user is in the process paid, and only needs to select prepaid card, after prepaid card management equipment receives user profile and prepaid card information, first find this user to by user profile, and then confirm that whether the prepaid card that user selects is reasonable.
As shown in Figure 2, present invention also offers a kind of prepaid card online payment method of identity-based certification, specifically comprise:
The user profile that S1 obtains based on client, realizes the mutual certification of client and certificate server;
S2 certificate server realizes the legitimacy certification of prepaid card information, and prepaid card management equipment realizes the correctness certification of prepaid card information;
S3 authentication server response client-requested generates corresponding token information;
S4 payment management equipment sends the request of payment to client;
Payment information and token information are sent to certificate server via payment management equipment and prepaid card management equipment by S5 client;
S6 certificate server realizes the certification of token information, authentication result and payment request is sent to prepaid card management equipment simultaneously;
S7 prepaid card management equipment completes delivery operation, payment response is sent to payment management equipment simultaneously.
Particularly, in step sl, before namely the online payment system of prepaid card carries out delivery operation, in client and management service platform, form identical session key respectively according to user profile, realize the mutual certification of client and management service platform.Because the present invention uses SOTP algorithm, know the introduction of SOTP algorithm based on us, in the use procedure of algorithm, whole process is mainly divided into three phases to realize: registration phase, authentication phase and session stage.Particularly, the session stage said here and carry out the process of information interaction between client and management service platform; Before information interaction, registration phase and authentication phase can be realized based on user profile according to SOTP algorithm in certificate server in management service platform and in client, realize client to the certification of certificate server and certificate server to the certification of client, generate identical session key simultaneously, meanwhile, user's successful log management service platform; In follow-up payment process, each dialogue in client and management service platform is all encrypted by session key, to ensure the security performance of mutual information.
After session key generates, the checking of data between client and management service platform, can be carried out.Especially, in the present invention, also comprise the cryptographic algorithm and decipherment algorithm that user encrypts and decrypts interactive information respectively, as AES-128 in the client with in certificate server; Also comprise the H algorithm for extracting summary info, as SHA1, especially, the present invention is not construed as limiting encryption-decryption algorithm and H algorithm, as long as it can realize object of the present invention, is all included in content of the present invention.
Client is by after above-mentioned steps successful log management service platform, namely start to select the prepaid card with user-association, namely in step s 2, specifically comprise: it is the first enciphered message that prepaid card information and session key are encrypted by cryptographic algorithm by client, use the first summary info in H algorithm extraction prepaid card information simultaneously, subsequently the first enciphered message is sent to management server together with the first summary info; The first enciphered message received and the first summary info are sent to certificate server by management server; Certificate server uses the session key of self generation and decipherment algorithm to be decrypted the first enciphered message and obtains prepaid card information, and then the second summary info of prepaid card information is obtained by H algorithm, subsequently the second summary info and the second summary info received are compared, realize the certification of prepaid card information legitimacy, if authentication verification, then the prepaid card information received is sent to prepaid card management equipment together with user profile; Prepaid card management equipment obtains according to receiving user profile the user be preset in equipment matched, and the prepaid card information that the prepaid card information received and user comprise is compared subsequently, realizes the certification of prepaid card information correctness.If prepaid card information occurs mistake in legitimate verification process, then stop the conversation procedure with client immediately, simultaneously reminding user; As there is mistake in the proof procedure of correctness, then also stopping conversation procedure immediately, pointing out user's prepaid card to select to make mistakes simultaneously.Further, authentication result sends it back through management server equally can through said process in the process of client, namely in certificate server, first use the secret key of session and cryptographic algorithm to be encrypted, extract the summary info in authentication result, be sent to client together, after client receives, decipherment algorithm is used to be decrypted enciphered message, obtain the summary info of decryption information, finally two summary infos are compared, the rationality of the information obtained and integrality are verified respectively.
In this step, namely prepaid card management equipment record the prepaid card that user needs to use in payment process, to realize follow-up payment process.
Prepaid card is selected correctly, in order to guarantee the security performance in payment process further, client also will download corresponding token information to management service platform request, namely in step s3, specifically comprise: it is the second enciphered message that client token solicited message and session key use cryptographic algorithm to be encrypted, use the 3rd summary info in H algorithm extraction token request information simultaneously, subsequently the second enciphered message is sent to management server together with the 3rd summary info; The second enciphered message received and the 3rd summary info are sent to certificate server by management server; Certificate server uses the session key of self generation and decryption function to be decrypted the second enciphered message and obtains token request information, and then the 4th summary info of token request information is obtained by H algorithm, subsequently the 3rd summary info and the 4th summary info received are compared, if authentication success, then realize the certification of token request information legitimacy; Finally generate according to the token request of client and generate token information based on user profile, temporal information and key seed information (being stored in certificate server by key seed in the process of user's registration).If the failure of token request authentification of message, then stop the session between client immediately.Further, the token information generated sends it back through management server equally can through the process of above-mentioned encrypting and decrypting in the process of client, namely in certificate server, first use the secret key of session and cryptographic algorithm to be encrypted, extract the summary info in token information, again enciphered message is sent to client together with summary info, after client receives, decipherment algorithm is used to be decrypted enciphered message, the summary info of decryption information is obtained subsequently by H algorithm, finally two summary infos are compared, the rationality of information obtained and integrality are verified respectively.
Namely preliminary work before more than paying can start to pay after all carrying out, and the concrete process paid comprises:
First, as step S4, payment management equipment sends the request of payment to client.Especially, payment management equipment here comprises POS, and POS comprises NFC reader.Namely the NFC reader in POS sends the request of payment to client, receives the request of payment equally in client by built-in NFC module.
Subsequently, as step S6, it is the 3rd enciphered message that client token information, payment information and session key are encrypted, and extracts the 5th summary info in token information and payment information simultaneously, subsequently the 3rd enciphered message and the 5th summary info is sent to payment management equipment; Here payment information, specifically comprises payment etc.
3rd enciphered message and the 5th summary info are sent to prepaid card management equipment by payment management equipment;
And then, the 3rd enciphered message received and the 5th summary info are sent to certificate server by prepaid card management equipment;
Finally, the session key that certificate server generates is decrypted the 3rd enciphered message and obtains token information and payment information, and then obtain the 6th summary info, subsequently the 6th summary info and the 5th summary info received are compared, realize the certification of token request information legitimacy; Finally the token information received and the token information that self generates are compared, complete the comparison of token information.
In certificate server, as step s7, if token information authentication success, send it back prepaid card management equipment by authentication information; After prepaid card management equipment receives the message of token information authentication success, namely carry out delivery operation according to the payment information received, payment response is sent to payment management equipment simultaneously, completes whole delivery operation.Especially, in certificate server after token information authentication success, nullify by token information, wait for that next token information request generates new token information.
To sum up, the invention provides a kind of online payment system of prepaid card and method of identity-based certification, it arranges authentication module respectively in the middle of client and management service applicator platform, realizes the authentication in payment process; The information interaction that NFc module realizes between client and payment management equipment is set respectively again in client and payment management equipment, and then improves security performance of the present invention, extend application simultaneously.
Be described in detail the specific embodiment of invention above, but the present invention is not restricted to specific embodiment described above, it is just as example.To those skilled in the art, any equivalent modifications that this system is carried out and substituting also all among category of the present invention.Therefore, equalization conversion done under the spirit and scope not departing from invention and amendment, all should contain within the scope of the invention.

Claims (10)

1. the online payment system of the prepaid card of identity-based certification, is characterized in that, comprising:
Client, payment management equipment, and management service platform;
Built-in first authentication module of described client and the first NFC module, and obtain token information by described authentication module, payment information and described token information are sent to described payment management equipment by described NFC module simultaneously;
Built-in second NFC module of described payment management equipment, is received the information of described client transmission, described payment information and described token information is sent to described management service platform, to realize the response of described payment information simultaneously by described second NFC module;
Built-in second authentication module of described management service platform, for generating and token information described in certification, is managed and authenticated information and prepaid card information by described second authentication module simultaneously.
2. the online payment system of the prepaid card of identity-based certification as claimed in claim 1, it is characterized in that, described management service platform comprises: management server, certificate server, and prepaid card management equipment;
Built-in described second authentication module of described management server, receives user profile and the prepaid card information of the transmission of described client, is sent to described certificate server and described prepaid card management equipment respectively;
Described certificate server, before system pays, generates described token information; In payment process, for user profile described in certification and described token information;
Described prepaid card management equipment, for managing and prepaid card information described in certification.
3. the online payment system of the prepaid card of identity-based certification as claimed in claim 1 or 2, is characterized in that: described user profile comprises the identification information for unique identification user.
4. the online payment system of the prepaid card of identity-based certification as claimed in claim 2, is characterized in that: described payment management equipment comprises POS, and described POS comprises NFC reader.
5. a prepaid card online payment method for identity-based certification, be applied to as arbitrary in claim 1-4 as described in the online payment system of prepaid card of identity-based certification, it is characterized in that, specifically comprise:
The described user profile that S1 obtains based on described client, realizes the mutual certification of described client and described certificate server;
Certificate server described in S2 realizes the legitimacy certification of described prepaid card information, and described prepaid card management equipment realizes the correctness certification of described prepaid card information;
Described in S3, client-requested described in authentication server response generates corresponding token information;
Payment management equipment described in S4 sends described payment request to described client;
Described payment information and described token information are sent to described certificate server via described payment management equipment and described prepaid card management equipment by client described in S5;
Certificate server described in S6 realizes the certification of token information, described authentication result and described payment request is sent to prepaid card management equipment simultaneously;
Described in S7, prepaid card management equipment completes delivery operation, payment response is sent to payment management equipment simultaneously.
6. the prepaid card online payment method of identity-based certification as claimed in claim 5, it is characterized in that, in step S1, based on the described user profile that described client obtains, realize in the mutual certification of described client and described certificate server: in described client and described certificate server, form identical session key according to described user profile respectively, to realize the information interaction between described client and described management service platform.
7. the prepaid card online payment method of identity-based certification as claimed in claim 5, it is characterized in that, in step S2, described certificate server realizes the legitimacy certification of described prepaid card information, described prepaid card management equipment realizes, in the correctness certification of described prepaid card information, specifically comprising:
It is the first enciphered message that described prepaid card information and described session key are encrypted by described client, extract the first summary info in described prepaid card information simultaneously, subsequently described first enciphered message is sent to described management server together with described first summary info;
Described firstth enciphered message received and the first summary info are sent to described certificate server by described management server;
Described certificate server uses the described session key generated to be decrypted described first enciphered message and obtains prepaid card information, and then obtain the second summary info of described prepaid card information, subsequently described second summary info and the first summary info received are compared, realize the certification of described prepaid card information legitimacy; Finally the prepaid card information received is sent to described prepaid card management equipment together with user profile;
Described prepaid card management equipment according to described in receive user profile and obtain the user be preset in equipment matched, subsequently the prepaid card information that the described prepaid card information received and described user comprise is compared, realize the certification of described prepaid card information correctness.
8. the prepaid card online payment method of identity-based certification as claimed in claim 5, is characterized in that, in step S3, described in described authentication server response, client-requested generates in corresponding token information, specifically comprises:
It is the second enciphered message that described client token solicited message and described session key are encrypted, extract the 3rd summary info in described token request information simultaneously, subsequently described second enciphered message is sent to described management server together with described 3rd summary info;
Described second enciphered message received and the 3rd summary info are sent to described certificate server by described management server;
Described certificate server uses the described session key generated to be decrypted described second enciphered message and obtains token request information, and then obtain the 4th summary info of described token request information, subsequently described 3rd summary info and the 4th summary info received are compared, realize the certification of described token request information legitimacy; Finally generate corresponding token information according to the token request of described client.
9. the prepaid card online payment method of identity-based certification as claimed in claim 5, it is characterized in that, in step s 6, described certificate server realizes the certification of token information, described authentication result and described payment request are sent to prepaid card management equipment simultaneously, specifically comprise:
Described payment management equipment sends the request of payment to described client;
It is the 3rd enciphered message that described token information, payment information and described session key are encrypted by described client, extract the 5th summary info in described token information and described payment information simultaneously, subsequently described 3rd enciphered message and described 5th summary info are sent to described payment management equipment;
Described 3rd enciphered message and described 5th summary info are sent to described prepaid card management equipment by described payment management equipment;
Described 3rd enciphered message received and described 5th summary info are sent to described certificate server by described prepaid card management equipment;
The described session key that described certificate server generates is decrypted the 3rd enciphered message and obtains token information and payment information, and then obtain the 6th summary info, subsequently described 6th summary info and the 5th summary info received are compared, realize the certification of described token request information legitimacy; Finally the described token information received and the token information self generated are compared, complete the comparison of described token information.
10. the prepaid card online payment method of identity-based certification as claimed in claim 5, is characterized in that, in step S7, described prepaid card management equipment completes delivery operation, payment response is sent to payment management equipment, in specifically comprising simultaneously:
After described token information authentication success, be sent to described prepaid card management equipment by described authentication result and payment information;
After described prepaid card management equipment receives authentication result and described payment information, payment response is carried out according to the payment information received, described payment response is sent to described payment management equipment simultaneously, completes the delivery operation of the online payment system of described prepaid card.
CN201410531823.7A 2014-10-11 2014-10-11 The online payment system of prepaid card and its method of payment of identity-based certification Active CN104240074B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410531823.7A CN104240074B (en) 2014-10-11 2014-10-11 The online payment system of prepaid card and its method of payment of identity-based certification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410531823.7A CN104240074B (en) 2014-10-11 2014-10-11 The online payment system of prepaid card and its method of payment of identity-based certification

Publications (2)

Publication Number Publication Date
CN104240074A true CN104240074A (en) 2014-12-24
CN104240074B CN104240074B (en) 2018-02-13

Family

ID=52228094

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410531823.7A Active CN104240074B (en) 2014-10-11 2014-10-11 The online payment system of prepaid card and its method of payment of identity-based certification

Country Status (1)

Country Link
CN (1) CN104240074B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104574060A (en) * 2015-01-09 2015-04-29 艾体威尔电子技术(北京)有限公司 On-line payment method and system based on NFC token
CN105187937A (en) * 2015-08-12 2015-12-23 上海众人网络安全技术有限公司 Shopping system and method based on smartphone
CN105550877A (en) * 2015-12-21 2016-05-04 北京智付融汇科技有限公司 Payment method and apparatus
CN105635168A (en) * 2016-01-25 2016-06-01 恒宝股份有限公司 Off-line transaction device and security key using method thereof
CN105959109A (en) * 2016-06-28 2016-09-21 来谊金融信息科技(上海)股份有限公司 Host card simulation based key storage method and payment method
CN106161032A (en) * 2015-04-24 2016-11-23 华为技术有限公司 A kind of identity authentication method and device
CN107153957A (en) * 2016-03-06 2017-09-12 神州黑鹰(上海)信息科技有限公司 The management system of universal single-use prepaid card
CN108805539A (en) * 2018-02-09 2018-11-13 深圳市微付充科技有限公司 A kind of method of payment, mobile device and storage device that Intrusion Detection based on host snap gauge is quasi-
CN105023182B (en) * 2015-08-12 2019-03-08 上海众人网络安全技术有限公司 A kind of purchase system and method based on Intelligent bracelet

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100318783A1 (en) * 2009-06-10 2010-12-16 Ashwin Raj Service activation using algorithmically defined key
CN101933246A (en) * 2008-01-30 2010-12-29 电子湾有限公司 Near field communication intialization
US20130061051A1 (en) * 2011-09-07 2013-03-07 Pantech Co., Ltd. Method for authenticating electronic transaction, server, and terminal
CN103067335A (en) * 2011-10-18 2013-04-24 中国移动通信集团公司 Method for realizing information interaction as non-contact mode, correlation equipment and system
CN103457913A (en) * 2012-05-30 2013-12-18 阿里巴巴集团控股有限公司 Data processing method, communication terminals, server and system
CN103501191A (en) * 2013-08-21 2014-01-08 王越 Mobile payment device and method thereof based on NFC technology

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101933246A (en) * 2008-01-30 2010-12-29 电子湾有限公司 Near field communication intialization
US20100318783A1 (en) * 2009-06-10 2010-12-16 Ashwin Raj Service activation using algorithmically defined key
US20130061051A1 (en) * 2011-09-07 2013-03-07 Pantech Co., Ltd. Method for authenticating electronic transaction, server, and terminal
CN103067335A (en) * 2011-10-18 2013-04-24 中国移动通信集团公司 Method for realizing information interaction as non-contact mode, correlation equipment and system
CN103457913A (en) * 2012-05-30 2013-12-18 阿里巴巴集团控股有限公司 Data processing method, communication terminals, server and system
CN103501191A (en) * 2013-08-21 2014-01-08 王越 Mobile payment device and method thereof based on NFC technology

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104574060A (en) * 2015-01-09 2015-04-29 艾体威尔电子技术(北京)有限公司 On-line payment method and system based on NFC token
CN106161032A (en) * 2015-04-24 2016-11-23 华为技术有限公司 A kind of identity authentication method and device
CN106161032B (en) * 2015-04-24 2019-03-19 华为技术有限公司 A kind of identity authentication method and device
CN105187937A (en) * 2015-08-12 2015-12-23 上海众人网络安全技术有限公司 Shopping system and method based on smartphone
CN105187937B (en) * 2015-08-12 2019-02-01 上海众人网络安全技术有限公司 A kind of purchase system and method based on smart phone
CN105023182B (en) * 2015-08-12 2019-03-08 上海众人网络安全技术有限公司 A kind of purchase system and method based on Intelligent bracelet
CN105550877A (en) * 2015-12-21 2016-05-04 北京智付融汇科技有限公司 Payment method and apparatus
CN105635168A (en) * 2016-01-25 2016-06-01 恒宝股份有限公司 Off-line transaction device and security key using method thereof
CN105635168B (en) * 2016-01-25 2019-01-22 恒宝股份有限公司 A kind of application method of offline transaction device and its security key
CN107153957A (en) * 2016-03-06 2017-09-12 神州黑鹰(上海)信息科技有限公司 The management system of universal single-use prepaid card
CN105959109A (en) * 2016-06-28 2016-09-21 来谊金融信息科技(上海)股份有限公司 Host card simulation based key storage method and payment method
CN108805539A (en) * 2018-02-09 2018-11-13 深圳市微付充科技有限公司 A kind of method of payment, mobile device and storage device that Intrusion Detection based on host snap gauge is quasi-

Also Published As

Publication number Publication date
CN104240074B (en) 2018-02-13

Similar Documents

Publication Publication Date Title
CN104240074B (en) The online payment system of prepaid card and its method of payment of identity-based certification
EP3050247B1 (en) Method for securing over-the-air communication between a mobile application and a gateway
CN104240073A (en) Offline payment method and offline payment system on basis of prepaid cards
US10270587B1 (en) Methods and systems for electronic transactions using multifactor authentication
CN104318437B (en) Payment system and its method of payment in a kind of virtual prepayment card line
CA3117817A1 (en) Systems and methods for cryptographic authentication of contactless cards
US20220092589A1 (en) Systems and methods for cryptographic authentication of contactless cards
CN112602104A (en) System and method for password authentication of contactless cards
CN101330675A (en) Mobile payment terminal equipment
US20220239494A1 (en) Systems and methods for inventory management using cryptographic authentication of contactless cards
CN104182875A (en) Payment method and payment system
CN113168631A (en) System and method for password authentication of contactless cards
CA3106454A1 (en) Systems and methods for cryptographic authentication of contactless cards
US20220020012A1 (en) Systems and methods for performing transactions with contactless cards
CA3114753A1 (en) Systems and methods for cryptographic authentication of contactless cards
US20210385652A1 (en) Systems and methods for cryptographic authentication of contactless cards
Abughazalah et al. Secure mobile payment on NFC-enabled mobile phones formally analysed using CasperFDR
US10581611B1 (en) Systems and methods for cryptographic authentication of contactless cards
CA3112585A1 (en) Systems and methods for cryptographic authentication of contactless cards

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20160310

Address after: 201821, room 4, building 1411, 211 Yecheng Road, Jiading Industrial Zone, Shanghai, China

Applicant after: Shanghai PeopleNet Security Technology Co., Ltd.

Address before: 201203 Shanghai City, Pudong New Area Zhangjiang hi tech park Zuchongzhi Road No. 899 Building 9 room 01 4

Applicant before: Shanghai everybody Science and Technology Ltd.

GR01 Patent grant
GR01 Patent grant