CN104240074B - The online payment system of prepaid card and its method of payment of identity-based certification - Google Patents
- Publication number: CN104240074B (application CN201410531823.7A)
- Authority: CN (China)
- Prior art keywords: information, client, payment, certification, prepaid card
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06Q (Physics; Computing): Information and communication technology [ICT] specially adapted for administrative, commercial, financial, managerial or supervisory purposes
- G06Q20/00: Payment architectures, schemes or protocols
- G06Q20/28: Pre-payment schemes, e.g. "pay before"
- G06Q20/3278: RFID or NFC payments by means of M-devices (short-range or proximity payments using wireless devices)
- G06Q20/34: Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/342: Cards defining paid or billed services or quantities
- G06Q20/351: Virtual cards
- G06Q20/382: Payment protocols; details thereof insuring higher security of transaction
Abstract
The present invention relates to the field of payment technology for intelligent terminals, and more particularly to a system in which a client cooperates with a management service platform to realize virtualized payment with a physical card. The prepaid-card online payment system based on identity authentication provided by the invention comprises: a client with a built-in first identity authentication module and a first NFC module, which obtains token information through the identity authentication module and sends payment information and the token information to a payment management device through the NFC module; a payment management device with a built-in second NFC module, which receives the information sent by the client through the second NFC module and forwards the payment information and the token information to the management service platform so that the payment can be responded to; and a management service platform with a built-in second identity authentication module, which generates and authenticates the token information and, through the second identity authentication module, manages and authenticates user information and prepaid-card information. Identity authentication is thereby performed during the payment process, which improves the security of the system and broadens its range of application.
Description
Technical field
The present invention relates to the field of payment technology for intelligent terminals, and more particularly to a system, and a payment method, in which a client cooperates with a management service platform to realize virtualized payment with a physical card.
Background technology
A prepaid card, also called a stored-value card, consumption card, welfare card, smart card or points card, is a card issued by an issuing institution in a specific carrier and form which holds a prepaid value that can be used to buy goods or services outside the issuing institution; in other words, it is a pay-first, consume-later card. According to whether the holder's identity is recorded, prepaid cards are divided into registered and anonymous cards: registered prepaid cards include, for example, the shopping cards issued by supermarkets, while anonymous prepaid cards include, for example, the SIM card in a mobile phone. According to the information carrier they are divided into magnetic-stripe cards and chip (IC) cards.

Shopping with prepaid cards is a form of transaction that appeared after the credit card, and it is currently most common in Japan. A prepaid card is used as follows: the consumer pays in advance a fixed amount of cash at a shop belonging to a certain system and receives the card; the card can then be used one or more times for purchases in those shops without paying cash.

This approach has many advantages for both merchants and consumers. For the merchant, no cash is handled after the prepaid card has been issued, which greatly reduces the circulation of cash, avoids losses from counterfeit money and lowers the risk of robbery; collecting the cash in advance also greatly reduces accounting work, which improves efficiency and reduces labour and equipment costs. For the consumer, only a thin prepaid card needs to be carried, so little or no cash is needed, which reduces the risk of theft and loss and is convenient.
Summary of the invention
At present there are many platforms for paying with prepaid cards, for example the Yinshang Information "virtual prepaid card" platform, on which merchants can virtualize their existing physical cards through their own software or through third-party platforms such as WeChat or the Alipay wallet, and can also issue purely virtual cards. When paying through such a third-party platform, the cardholder first generates a bar code online with a mobile phone, and the cashier reads it with a bar-code scanner to complete the payment. This payment process still has many problems, for example: at present the bar code supports only red-light scanning and not laser scanning; there is no identity authentication step in the whole payment process, so that even without going through the third-party platform (such as the WeChat platform) a user can simply enter a URL (Uniform Resource Locator) in a computer browser, generate a bar code and pay; and all data and passwords in the transaction are transmitted in plaintext, where they can easily be eavesdropped on and intercepted. To address these problems, the invention provides a prepaid-card online payment system based on identity authentication. Identity authentication modules are placed in the client and in the management server platform respectively to authenticate identities during payment, and NFC modules are placed in the client and in the payment management device respectively to exchange information between them; this improves the security of the system and broadens its range of application.
A prepaid-card online payment system based on identity authentication, comprising a client, a payment management device and a management service platform.

The client has a built-in first identity authentication module and a first NFC (Near Field Communication) module; it obtains token information through the identity authentication module and sends payment information and the token information to the payment management device through the NFC module.

The payment management device has a built-in second NFC module through which it receives the information sent by the client, and it forwards the payment information and the token information to the management service platform so that the payment information can be responded to.

The management service platform has a built-in second identity authentication module for generating and authenticating the token information, and it manages and authenticates user information and prepaid-card information through the second identity authentication module.
Near Field Communication (NFC) evolved from contactless radio-frequency identification (RFID) and was developed jointly by Philips Semiconductors (now NXP Semiconductors), Nokia and Sony. Built on RFID and interconnection technology, it is a short-range, high-frequency radio technology operating at 13.56 MHz over distances of up to about 20 cm, with three data rates: 106 kbit/s, 212 kbit/s and 424 kbit/s. NFC is now standardized as ISO/IEC 18092, ECMA-340 and ETSI TS 102 190. NFC supports both active and passive read modes. NFC technology combines the functions of an inductive card reader, a contactless card and peer-to-peer communication on a single chip, so that compatible devices can identify each other and exchange data at short range.

Identity authentication is the process of confirming a user's identity in a computer network. It can be divided into authentication between the user and the client and authentication between clients. Authentication between the user and the client can be based on one or more of the following factors: something the user knows or holds, such as a password or passphrase, or information that uniquely identifies the user, such as a credit card; and biometric characteristics of the user, such as a fingerprint, voice, retina or signature.
Preferably, the management service platform comprises a management server, an authentication server and a prepaid-card management device.

The management server has the built-in second identity authentication module; it receives the user information and prepaid-card information sent by the client and forwards them to the authentication server and the prepaid-card management device respectively.

The authentication server generates the session key and the token information before the system makes a payment, and authenticates the user information and the token information during the payment process.

The prepaid-card management device manages and authenticates the prepaid-card information.

Preferably, the user information includes identification information that uniquely identifies the user.

Preferably, the payment management device comprises a POS terminal, and the POS terminal includes an NFC reader.
The invention also provides a prepaid-card online payment method based on identity authentication, applied to the above system, which comprises the following steps:

S1: based on the user information obtained by the client, the client and the authentication server authenticate each other;

S2: the authentication server verifies the legitimacy of the prepaid-card information, and the prepaid-card management device verifies its correctness;

S3: the authentication server responds to the client's request by generating the corresponding token information;

S4: the payment management device sends a payment request to the client;

S5: the client sends the payment information and the token information to the authentication server via the payment management device and the prepaid-card management device;

S6: the authentication server authenticates the token information and sends the authentication result and the payment request to the prepaid-card management device;

S7: the prepaid-card management device completes the payment operation and sends a payment response to the payment management device.
Preferably, in step S1, the mutual authentication of the client and the authentication server based on the user information obtained by the client comprises: the client and the authentication server each derive the same session key from the user information, which is then used to protect the information exchanged between the client and the management service platform.

The session key referred to here is used to secure the communication between the client and the management service platform and thereby protect the transaction information. It is produced by SOTP (Strong One-time Password), a new cryptographic scheme developed on the basis of OTP (One-time Password). Besides identity authentication and data encryption, the SOTP algorithm can also verify the integrity and non-repudiation of the transmitted data.
The SOTP scheme is described in detail below. The whole process is divided into three phases: registration, authentication and session.

1. Registration phase

Before SOTP is used, the user first registers with the server in a secure environment, which initializes the user. In the registration phase the client first combines the identification information uid that uniquely identifies the user with the user's password information pw and processes them with a first algorithm H, such as SHA-1, to produce the first information. At the same time the server randomly generates a first key k and a second key k' and sends them to the client; it combines the first key k with the encryption algorithm E to produce an encryption function Ek bound to k, and combines the second key k' with the decryption algorithm D to produce a decryption function Dk' bound to k'.

At the end of this phase the server stores the encryption algorithm, the decryption algorithm, the first key, the second key, the identification information and the first information; the client stores the encryption and decryption algorithms sent to it by the server.

2. Authentication phase

In the authentication process the user first enters the identification information uid and the password information pw at the client. The client combines the current time Tui with the password information pw and, using the encryption function Ek and the first algorithm H, produces the first encrypted message; it then sends the identification information uid together with the first encrypted message to the server.

On receiving uid and the first encrypted message, the server first determines whether uid belongs to a legitimate user, that is, whether it is registered on the server: it checks whether uid is present in the list of user identity information stored on the server.

If the check shows the user to be legitimate, the preliminary authentication at the server is complete; if the preliminary check shows an illegitimate user, the session with the client is terminated immediately.

Next the server takes the current time Tsi and encrypts it with the encryption algorithm E and the second key k' to obtain Ek'(Tsi). It then decrypts the received message with the decryption algorithm D and the first key k, XORs the result to obtain Ek(Tui), and finally decrypts Ek(Tui) with D and k to recover Tui.

Having obtained Tui, the server computes the difference between Tsi and Tui. If the difference is within the preset limit, 10 minutes, the server has authenticated the client successfully; otherwise the server closes the session with the client.

After authenticating the client, the server inverts Ek(Tui) (bit order and bit polarity) to obtain E'k(Tui), then encrypts both Ek(Tui) and E'k(Tui) with the encryption algorithm E and the first key k and concatenates the results to form the session key Ki = Ek(Ek(Tui)) + Ek(E'k(Tui)). This extends the original 64 bits to 128 bits and greatly strengthens the protection of the information.

Once the server has the session key, it sends Ek'(Tsi) to the client.

The client receives Ek'(Tsi) and decrypts it with the decryption algorithm D and the second key k' to obtain the time Tsi. It then computes the difference between Tsi and Tui; if the difference is within the preset limit, 10 minutes, the client has authenticated the server successfully, otherwise the client closes the session with the server.

After authenticating the server, the client likewise inverts Ek(Tui) to obtain E'k(Tui), encrypts Ek(Tui) and E'k(Tui) with the encryption algorithm E and the first key k, and obtains the session key Ki = Ek(Ek(Tui)) + Ek(E'k(Tui)).

3. Session phase

Once the client and the server have each generated the session key, a session is established between them. From then on every data packet exchanged between server and client in the session is encrypted with the session key Ki and its integrity is checked with the first algorithm H.

In addition, the sender and the receiver of a packet each hold a public transaction-data encryption algorithm e and the corresponding decryption algorithm d, for example AES-128.

If the content to be exchanged is M, the packet sent by the sender has the format eKi(M) + H(M). When the receiver receives the packet it first decrypts eKi(M) with the decryption algorithm d to obtain M, then computes H(M) from the recovered M with the first algorithm H, and finally compares the computed H(M) with the received H(M). If they match, the packet is legitimate; otherwise the session is terminated. This completes the authentication process of the SOTP algorithm.
Preferably, in step S2, the authentication server's check of the legitimacy of the prepaid-card information and the prepaid-card management device's check of its correctness comprise:

the client encrypts the prepaid-card information with the session key to obtain a first encrypted message, extracts a first digest from the prepaid-card information, and sends the first encrypted message and the first digest together to the management server;

the management server forwards the received first encrypted message and first digest to the authentication server;

the authentication server decrypts the first encrypted message with the session key it generated to obtain the prepaid-card information, computes a second digest from it and compares the second digest with the received first digest, thereby verifying the legitimacy of the prepaid-card information; finally it sends the received prepaid-card information and the user information together to the prepaid-card management device;

the prepaid-card management device looks up the matching user preset in the device according to the received user information, and compares the received prepaid-card information with the prepaid-card information held for that user, thereby verifying the correctness of the prepaid-card information.

Preferably, in step S3, the generation of the corresponding token information by the authentication server in response to the client's request comprises:

the client encrypts the token request with the session key to obtain a second encrypted message, extracts a third digest from the token request, and sends the second encrypted message and the third digest together to the management server;

the management server forwards the received second encrypted message and third digest to the authentication server;

the authentication server decrypts the second encrypted message with the session key it generated to obtain the token request, computes a fourth digest from it, and compares the received third digest with the fourth digest, thereby verifying the legitimacy of the token request; finally it generates the corresponding token information according to the client's token request.

Preferably, in step S6, the authentication of the token information by the authentication server and the sending of the authentication result and the payment request to the prepaid-card management device comprise:

the payment management device sends a payment request to the client;

the client encrypts the token information and the payment information with the session key to obtain a third encrypted message, extracts a fifth digest from the token information and the payment information, and sends the third encrypted message and the fifth digest to the payment management device;

the payment management device forwards the third encrypted message and the fifth digest to the prepaid-card management device;

the prepaid-card management device forwards the received third encrypted message and fifth digest to the authentication server;

the authentication server decrypts the third encrypted message with the session key it generated to obtain the token information and the payment information, computes a sixth digest, and compares the sixth digest with the received fifth digest, thereby verifying the legitimacy of the message; finally it compares the received token information with the token information it generated itself, completing the token check.

Preferably, in step S7, the completion of the payment operation by the prepaid-card management device and the sending of the payment response to the payment management device comprise:

after the token information has been authenticated successfully, the authentication result and the payment information are sent to the prepaid-card management device;

after the prepaid-card management device receives the authentication result and the payment information, it performs the payment according to the received payment information and sends the payment response to the payment management device, which completes the payment operation of the prepaid-card online payment system.
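The three SOTP phases described above (registration, time-window mutual authentication, derivation of the 128-bit session key Ki and the eKi(M) + H(M) packet check), together with the encrypt-then-compare-digests pattern that steps S2, S3 and S6 apply to the prepaid-card information, the token request and the token, carried through as runnable code. This is an added example written for this page, not code from the patent or its applicant. Where the page leaves details open, the code makes labelled assumptions: the block cipher E/D is a toy 64-bit Feistel network (the page gives only the 64-bit block size); the first encrypted message, whose formula did not survive extraction, is taken as Ek(Ek(Tui) XOR H(uid||pw)) truncated to one block, which the server undoes in exactly the order the page describes; "negating bit order and polarity" is read as complement-then-reverse; CTR mode over the same toy cipher stands in for the AES-128 of the session phase; and the client holds k and k' directly instead of the bound functions Ek and Dk'. All function and variable names are the author's, and the user "alice" is constructed sample data.

```python
import hashlib
import hmac
import os
import struct

WINDOW = 600  # the page's 10-minute acceptance window, in seconds

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(k: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:4]

def block_encrypt(k: bytes, block: bytes) -> bytes:
    # Stand-in 64-bit block cipher E_k: 8-round Feistel with a keyed-PRF round
    # function. ASSUMPTION: the page gives only the 64-bit block size, not E.
    left, right = block[:4], block[4:]
    for i in range(8):
        left, right = right, _xor(left, _round(k, i, right))
    return left + right

def block_decrypt(k: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]  # D_k: the same rounds in reverse
    for i in reversed(range(8)):
        left, right = _xor(right, _round(k, i, left)), left
    return left + right

def H(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()  # SHA-1, the page's example for H

def _invert(block: bytes) -> bytes:
    # E'_k(T_ui): "negate bit order and polarity", read as complement + reverse (assumption)
    n = int.from_bytes(block, "big") ^ ((1 << 64) - 1)
    return int(f"{n:064b}"[::-1], 2).to_bytes(8, "big")

def session_key(k: bytes, ek_tui: bytes) -> bytes:
    # K_i = E_k(E_k(T_ui)) || E_k(E'_k(T_ui)): two 64-bit blocks give 128 bits
    return block_encrypt(k, ek_tui) + block_encrypt(k, _invert(ek_tui))

def register(uid: str, pw: str):
    # Registration over a trusted channel: server keeps k, k', H(uid||pw); client keeps k, k'
    k, k2 = os.urandom(16), os.urandom(16)
    first_info = H(uid.encode() + pw.encode())[:8]  # truncated to one block
    return ({"uid": uid, "k": k, "k2": k2, "first_info": first_info},
            {"uid": uid, "pw": pw, "k": k, "k2": k2})

def client_request(client, t_ui: int):
    # Client -> server: (uid, C1). ASSUMPTION for the garbled formula:
    # C1 = E_k(E_k(T_ui) XOR H(uid||pw)), undone server-side in the page's order
    k = client["k"]
    ek_tui = block_encrypt(k, struct.pack(">Q", t_ui))
    first_info = H(client["uid"].encode() + client["pw"].encode())[:8]
    return client["uid"], block_encrypt(k, _xor(ek_tui, first_info))

def server_respond(server, uid: str, c1: bytes, t_si: int):
    # uid must be registered and T_ui within WINDOW of T_si; None = session dropped
    if uid != server["uid"]:
        return None
    ek_tui = _xor(block_decrypt(server["k"], c1), server["first_info"])
    t_ui = struct.unpack(">Q", block_decrypt(server["k"], ek_tui))[0]
    if abs(t_si - t_ui) > WINDOW:
        return None
    reply = block_encrypt(server["k2"], struct.pack(">Q", t_si))  # E_k'(T_si)
    return reply, session_key(server["k"], ek_tui)

def client_finish(client, reply: bytes, t_ui: int):
    # Client authenticates the server via T_si, then derives the same K_i
    t_si = struct.unpack(">Q", block_decrypt(client["k2"], reply))[0]
    if abs(t_si - t_ui) > WINDOW:
        return None
    return session_key(client["k"], block_encrypt(client["k"], struct.pack(">Q", t_ui)))

def _keystream(ki: bytes, n: int) -> bytes:
    return b"".join(block_encrypt(ki, struct.pack(">Q", i)) for i in range(n // 8 + 1))

def seal(ki: bytes, m: bytes) -> bytes:
    # Session packet e_Ki(M) || H(M); CTR over the toy cipher stands in for AES-128
    return _xor(m, _keystream(ki, len(m))) + H(m)

def open_packet(ki: bytes, pkt: bytes):
    # Receiver: decrypt, recompute H(M), compare; None = terminate the session
    body, digest = pkt[:-20], pkt[-20:]
    m = _xor(body, _keystream(ki, len(body)))
    return m if hmac.compare_digest(H(m), digest) else None

def demo(now: int = 1_700_000_000):
    server, client = register("alice", "correct horse")  # constructed sample user
    uid, c1 = client_request(client, now)
    reply, k_server = server_respond(server, uid, c1, now + 5)
    k_client = client_finish(client, reply, now)
    return k_server == k_client, open_packet(k_client, seal(k_server, b"TOKEN 7f3a PAY 12.00"))
```

`demo()` runs the full exchange and returns whether both sides derived the same Ki and the decrypted packet. The same `seal`/`open_packet` pair models what the client, management server and authentication server do in steps S2, S3 and S6: only a holder of Ki can produce a ciphertext whose decryption matches the attached digest, so a tampered or replayed-with-edits packet is rejected, and a request whose timestamp falls outside the 10-minute window, or whose uid is not registered, never yields a session key at all.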
The invention provides a prepaid-card online payment system based on identity authentication with the following advantages:

1. Identity authentication modules are placed in the client and in the management service platform respectively, which enables a session between the client and the management service platform and greatly improves the security of the session information.

2. In the session between the client and the management service platform the session information is encrypted with the SOTP technique:

In this process each client includes an independent application or plug-in that fuses the built-in algorithms with the keys, that is, the client stores only the encryption and decryption functions produced by combining the encryption and decryption algorithms with random keys, which effectively solves the problem of storing the session key securely during the session. Since the randomly generated keys differ from client to client, the functions contained in each client also differ, so an unexpected leak of the security plug-in of one client does not affect the overall security of the system.

Mutual authentication between the client and the management service platform authenticates each side to the other, which effectively prevents impersonation attacks from outside.

After mutual authentication the client and the management service platform each generate the same session key, and the session key is then used to encrypt the whole session between the client and the server platform and protect its integrity, preventing leakage, tampering, repudiation and man-in-the-middle attacks on the transaction content.

3. NFC modules are placed in the client and in the payment management device respectively, so that during the whole payment process the client and the payment management device communicate through NFC. This is convenient and fast, it solves the problem that the payment management device could not obtain the payment information from the client promptly and effectively, and it broadens the application scenarios of the system.
Brief description of the drawings
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a schematic diagram of the structure of the prepaid-card online payment system based on identity authentication according to the invention;
Fig. 2 is a schematic flow chart of the prepaid-card online payment method based on identity authentication according to the invention.
Embodiment
In order to illustrate more clearly about the embodiment of the present invention or technical scheme of the prior art, below in conjunction with the accompanying drawings and implement
The present invention is specifically described example.Drawings in the following description are only some embodiments of the present invention.For this area
For those of ordinary skill, on the premise of not paying creative work, other accompanying drawings can also be obtained according to these accompanying drawings.
As shown in figure 1, the invention provides a kind of online payment system of prepaid card of identity-based certification, specifically include:
Client, payment management equipment, and management service platform.
Specifically, built-in first authentication module and the first NFC module are distinguished in client;Wherein, the first identity is recognized
Card module is used to realize the authentication in the data communication process between client and management service platform, to ensure communication number
According to security performance;First NFC module, for the payment information in client and token information to be sent to there is provided second
The payment management equipment of NFC module.
Further, client includes the intelligent terminal of built-in NFC module, such as mobile phone.Especially, in order to realize this hair
Bright purpose, in intelligent terminal, as used HCE (Host Card Mode, main frame mode card) technology to ensure client in mobile phone
Hold from the information of external reception and be sent directly in client host in corresponding application program, rather than send to client,
In the security module (SE) in mobile phone.However, HCE technologies are the data that realizes and will be sent from outside NFC module
HCE into client is serviced or returned to data are replied in outside NFC module, and processing and sensitivity for data
The storage of information does not implement, thus in the present invention, mould in the client is realized by using the mode of SOTP algorithms
Intend security module, to ensure the security performance of NFC business.As described above, it is recognised that being based on NFC module and HCE technologies
Client concrete form besides a cellular phone, in addition to there is provided NFC module and set using other intelligence of HCE technologies
It is standby, as long as having used the SOTP algorithms in the present invention during entering row data communication between client and management service platform,
Security performance in data communication process can be ensured.
Second NFC module built in payment management equipment, it receives the information of client transmission by the second NFC module, together
When payment information and token information are sent to management service platform, to realize the response of payment information.
Further, payment management equipment includes POS, and POS includes NFC reader.In payment process, POS
Machine sends the HCE services for paying request to client by the NFC reader built in it, while passes through NFC reader and receive visitor
The information that family end sends over.Especially, the present invention is not limited the concrete form of payment management equipment, as long as it can be realized
The purpose of the present invention, it is included in present disclosure.
A second authentication module is built into the management service platform, for generating and authenticating token information; the second authentication module also manages and authenticates user information and prepaid card information.
Further, the management service platform specifically includes: a management server, an authentication server, and a prepaid card management device.
Specifically, the second authentication module is built into the management server, which receives the user information and prepaid card information sent by the client and forwards them respectively to the authentication server and the prepaid card management device. In particular, in the present invention the management server is mainly used for the unified management of prepaid cards, including: registration of the prepaid card holder on the management service platform before any payment operation, and cancellation of the user; binding of the prepaid card to the user's physical card, or top-up of the prepaid card by the user; online purchase of prepaid cards by the user; and operations such as the user's balance inquiry and points inquiry on the prepaid card. In addition, the management server acts as the access point for both the authentication server and the prepaid card device (realised by its built-in authentication module), forwarding the received information to the authentication server and the prepaid card device respectively.
The authentication server generates the session key and the token information before the system carries out payment, and authenticates the user information and the token information during payment. Specifically, when a prepaid card holder registers on the management service platform through the client, the management server receives the user information and forwards it to the authentication server, where it is stored so that the user's identity can be verified before payment. Further, the user information includes identification information able to uniquely identify the user, such as a user name, and also the user's login credentials and the like. In addition, the authentication server includes what is needed to realise the SOTP algorithm, including generation and download of the SOTP algorithm library, so as to realise generation of the session key; it also generates the corresponding token information on request of the client, based on the user information and time information. In particular, the first authentication module in the client and the second authentication module in the management server both include the SOTP algorithm interface, used to transmit data encrypted by the SOTP algorithm.
The prepaid card management device manages and authenticates prepaid card information. Specifically, in the system each user may hold multiple prepaid cards; the user only needs to store the prepaid card information in the management server and the prepaid card management device at registration, and then during payment only needs to select a prepaid card. After receiving the user information and prepaid card information, the prepaid card management device first looks up the user by the user information, and then confirms whether the prepaid card selected by the user is valid.
As shown in Fig. 2, the present invention also provides a prepaid card online payment method based on identity authentication, specifically including:
S1: based on the user information obtained by the client, mutual authentication of the client and the authentication server is realised;
S2: the authentication server realises the legitimacy certification of the prepaid card information, and the prepaid card management device realises the correctness certification of the prepaid card information;
S3: the authentication server responds to the request of the client and generates the corresponding token information;
S4: the payment management device sends a payment request to the client;
S5: the client sends the payment information and the token information to the authentication server via the payment management device and the prepaid card management device;
S6: the authentication server realises the certification of the token information, and sends the authentication result and the payment request to the prepaid card management device;
S7: the prepaid card management device completes the payment operation, and sends the payment response to the payment management device.
Specifically, in step S1, i.e. before the prepaid card online payment system carries out a payment operation, the client and the management service platform each form the same session key according to the user information, realising mutual authentication of the client and the management service platform. Since the present invention uses the SOTP algorithm, it is known from the introduction to the SOTP algorithm above that its use is broadly divided into three phases: the registration phase, the authentication phase and the session phase. The session phase is the process of information exchange between the client and the management service platform; before information exchange, the registration phase and the authentication phase are carried out according to the SOTP algorithm, based on the user information, in the authentication server of the management service platform and in the client, realising authentication of the client to the authentication server and of the authentication server to the client and at the same time generating the same session key on both sides; at the same time the user successfully logs in to the management service platform. In the subsequent payment process, each dialogue between the client and the management service platform is encrypted with the session key, to ensure the security of the exchanged information.
After the session key has been generated, data verification can be carried out between the client and the management service platform. In particular, in the present invention the client and the authentication server each further include an encryption algorithm and a decryption algorithm for encrypting and decrypting the user's interaction information, such as AES-128, and a hash algorithm (H algorithm) for extracting summary information, such as SHA1. The present invention does not limit the encryption and decryption algorithm or the H algorithm; any that achieves the purpose of the present invention is included in the present disclosure.
After the client has successfully logged in to the management service platform through the above steps, selection of a prepaid card associated with the user begins, i.e. step S2, which specifically includes: the client encrypts the prepaid card information with the session key using the encryption algorithm to obtain first encryption information, at the same time uses the H algorithm to extract first summary information from the prepaid card information, and then sends the first encryption information and the first summary information together to the management server; the management server sends the received first encryption information and first summary information to the authentication server; the authentication server decrypts the first encryption information with the session key it generated and the decryption algorithm to obtain the prepaid card information, then obtains second summary information of the prepaid card information with the H algorithm, and compares the second summary information with the received first summary information, realising the legitimacy certification of the prepaid card information; if the verification passes, the received prepaid card information and user information are sent together to the prepaid card management device; the prepaid card management device obtains the matching user preset in the device according to the received user information, then compares the received prepaid card information with the prepaid card information that user holds, realising the correctness certification of the prepaid card information. If an error occurs during the legitimacy verification of the prepaid card information, the session with the client is stopped immediately and the user is notified; if an error occurs during the correctness verification, the session is likewise stopped immediately and the user is prompted that the prepaid card selection is wrong. Further, the authentication result may pass through the same process when it is sent back to the client via the management server: it is first encrypted in the authentication server with the session key and the encryption algorithm, the summary information of the authentication result is extracted, and both are sent together to the client; after receiving them, the client decrypts the encryption information with the decryption algorithm, obtains the summary information of the decrypted information, and finally compares the two summary informations, verifying the validity and the integrity of the obtained information.
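The pre-payment phase described in steps S1 and S2 above, as an added example that is not part of the patent or its applicant's code: the time-based mutual authentication of claim 1 (registration, then first encryption information carrying the client's current time and password, platform time check, session key derived from that encryption information and returned together with the platform's own encrypted time, client time check), followed by the encrypt-and-digest pattern of S2. Everything not stated in the text is an assumption: AES-128 is replaced by a SHA-256 keystream cipher (`keystream_xor`) so the script runs with the standard library only, the per-user key is derived from the registered password (`user_key`), the 30-second `TIME_WINDOW` is invented, and the user name and card string are constructed. The `protect` and `verify` pair is the same pattern the description reuses for the token request in S3 and the payment message in S6.

```python
"""Pre-payment phase of the scheme described above (steps S1 and S2):
SOTP-style mutual authentication on the current time, one session key shared
by both sides, then encrypt-and-digest protection of the prepaid-card message.
Constructed example, not the patent's own code; the cipher, the key
derivation and the time window are assumptions (see lead-in)."""
import hashlib
import hmac
import os

TIME_WINDOW = 30  # assumed tolerance (seconds) for the current-time comparison


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-128 (assumption): XOR data with SHA-256 keystream blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh per message, prepended to the ciphertext
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


def user_key(password: bytes) -> bytes:
    """Assumed: the per-user SOTP key is derived from the registered password."""
    return hashlib.sha256(b"sotp-user-key" + password).digest()


# Registration phase: the platform keeps what it needs to check the user later.
def register(db: dict, user_id: str, password: bytes) -> None:
    db[user_id] = {"key": user_key(password),
                   "pw_hash": hashlib.sha256(password).digest()}


# Authentication phase (claim 1): both sides prove knowledge of the user key
# and agree on the session key; the time check rejects stale or replayed data.
def client_auth_request(user_id: str, password: bytes, now: int):
    """First encryption information = Enc(user key, current time || password)."""
    enc1 = encrypt(user_key(password), now.to_bytes(8, "big") + password)
    return user_id, enc1


def server_authenticate(db: dict, user_id: str, enc1: bytes, now: int):
    """Platform side. Returns (session_key, enc2) or None on failure."""
    rec = db.get(user_id)
    if rec is None:
        return None
    plain = decrypt(rec["key"], enc1)
    t_client = int.from_bytes(plain[:8], "big")
    if not hmac.compare_digest(hashlib.sha256(plain[8:]).digest(), rec["pw_hash"]):
        return None  # wrong password (decryption under the stored key failed)
    if abs(t_client - now) > TIME_WINDOW:
        return None  # client time too far from platform time
    # Session key derived from the client's encrypted current time (claim 1),
    # sent to the client together with the platform's own current time.
    session_key = hashlib.sha256(b"sotp-session" + enc1).digest()
    enc2 = encrypt(rec["key"], now.to_bytes(8, "big") + session_key)
    return session_key, enc2


def client_verify_server(password: bytes, enc2: bytes, t_client: int):
    """Client side: check the platform's time against the time the client
    obtained earlier, then accept the session key. Returns it or None."""
    plain = decrypt(user_key(password), enc2)
    t_server = int.from_bytes(plain[:8], "big")
    if abs(t_server - t_client) > TIME_WINDOW:
        return None
    return plain[8:]


# Session stage (pattern of step S2): ciphertext under the session key plus a
# digest of the plaintext; the receiver decrypts, recomputes and compares.
def protect(session_key: bytes, message: bytes):
    return encrypt(session_key, message), hashlib.sha1(message).digest()


def verify(session_key: bytes, ciphertext: bytes, digest: bytes):
    """Returns the plaintext, or None when the digests differ (session stops)."""
    message = decrypt(session_key, ciphertext)
    if not hmac.compare_digest(hashlib.sha1(message).digest(), digest):
        return None
    return message


def demo(now: int = 1_700_000_000) -> bytes:
    """Full S1 + S2 run with a constructed user and card (platform clock 3 s ahead)."""
    db = {}
    register(db, "alice", b"correct horse")
    user_id, enc1 = client_auth_request("alice", b"correct horse", now)
    sk_server, enc2 = server_authenticate(db, user_id, enc1, now + 3)
    sk_client = client_verify_server(b"correct horse", enc2, now)
    assert sk_client == sk_server
    ciphertext, digest = protect(sk_client, b"card=PC-0001;user=alice")
    return verify(sk_server, ciphertext, digest)
```

Two points the code makes visible: the time comparison only bounds how old a captured first encryption information can be, so the window should be as small as clock skew allows; and the SHA1 summary in `protect` is an unkeyed digest of the plaintext, which detects corruption but is not a MAC, so a production design would use an authenticated encryption mode or an HMAC under a separate key.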
In this step, the prepaid card management device records the prepaid card that the user will use in the payment process, for use in the subsequent payment process.
After the prepaid card has been selected correctly, in order to further ensure security during payment, the client also requests and downloads the corresponding token information from the management service platform, i.e. step S3, which specifically includes: the client encrypts the token request information with the session key using the encryption algorithm to obtain second encryption information, at the same time uses the H algorithm to extract third summary information from the token request information, and then sends the second encryption information and the third summary information together to the management server; the management server sends the received second encryption information and third summary information to the authentication server; the authentication server decrypts the second encryption information with the session key it generated and the decryption function to obtain the token request information, then obtains fourth summary information of the token request information with the H algorithm, and compares the received third summary information with the fourth summary information; if they match, the legitimacy certification of the token request information is realised. Finally, according to the token request of the client, the token information is generated based on the user information, time information and key seed information (the key seed is stored in the authentication server during user registration). If the authentication of the token request information fails, the session with the client is stopped immediately. Further, the generated token information may pass through the same encryption and decryption process when it is sent back to the client via the management server: it is first encrypted in the authentication server with the session key and the encryption algorithm, the summary information of the token information is extracted, and the encryption information and the summary information are sent together to the client; after receiving them, the client decrypts the encryption information with the decryption algorithm, obtains the summary information of the decrypted information with the H algorithm, and finally compares the two summary informations, verifying the validity and the integrity of the obtained information.
After all of the above pre-payment preparation has been carried out, payment can begin. The payment process specifically includes:
First, as in step S4, the payment management device sends a payment request to the client. In particular, the payment management device here includes a POS machine, and the POS machine includes an NFC reader: the NFC reader in the POS machine sends the payment request to the client, and the client receives the payment request through its built-in NFC module.
Then, as in step S6, the client encrypts the token information and the payment information with the session key to obtain third encryption information, at the same time extracts fifth summary information from the token information and the payment information, and then sends the third encryption information and the fifth summary information to the payment management device; the payment information here specifically includes the payment amount and the like.
The payment management device sends the third encryption information and the fifth summary information to the prepaid card management device;
then the prepaid card management device sends the received third encryption information and fifth summary information to the authentication server;
finally, the authentication server decrypts the third encryption information with the session key it generated to obtain the token information and the payment information, then obtains sixth summary information and compares it with the received fifth summary information, realising the legitimacy certification of the token information; finally it compares the received token information with the token information it generated itself, completing the comparison of the token information.
In the authentication server, as in step S7, if the token information is authenticated successfully, the authentication information is sent back to the prepaid card management device; after the prepaid card management device receives the message that the token information authentication succeeded, it carries out the payment operation according to the received payment information, and sends the payment response to the payment management device, completing the entire payment operation. In particular, after the token information has been authenticated successfully, the authentication server unregisters that token information and waits for the next token request to generate new token information.
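The token life cycle described in steps S3, S6 and S7 above, as an added example that is not part of the patent or its applicant's code: the authentication server derives the token from the user information, a time value and the key seed stored at registration, later regenerates it and compares it with the token presented alongside the payment, and unregisters it after success so the next payment needs a fresh token request; the prepaid card management device checks that the selected card belongs to the user and carries out the payment. HMAC-SHA256 as the derivation function, the 300-second `TOKEN_LIFETIME`, and the class and method names (`AuthServer`, `PrepaidCardManager`, `process_payment`) are assumptions; the user, seed and balances are constructed.

```python
"""Token life cycle of the scheme above (steps S3, S6 and S7) and the
payment operation of the prepaid card management device. Constructed
example, not the patent's own code; the derivation function and the token
lifetime are assumptions (see lead-in)."""
import hashlib
import hmac
import os

TOKEN_LIFETIME = 300  # assumed validity (seconds) of an issued token


class AuthServer:
    def __init__(self):
        self.seeds = {}   # user_id -> key seed stored at registration
        self.active = {}  # user_id -> (token, issue time); one live token per user

    def register(self, user_id: str, seed: bytes = b"") -> bytes:
        self.seeds[user_id] = seed or os.urandom(32)
        return self.seeds[user_id]

    def _derive(self, user_id: str, issued_at: int) -> str:
        """Token = HMAC(key seed, user information || time information)."""
        msg = user_id.encode() + issued_at.to_bytes(8, "big")
        return hmac.new(self.seeds[user_id], msg, hashlib.sha256).hexdigest()

    def issue_token(self, user_id: str, now: int):
        """S3: generate the token for a registered user and keep it as the
        reference the server will compare against in S6."""
        if user_id not in self.seeds:
            return None
        token = self._derive(user_id, now)
        self.active[user_id] = (token, now)
        return token

    def verify_token(self, user_id: str, presented: str, now: int) -> bool:
        """S6: regenerate the token and compare; S7: unregister it on success."""
        entry = self.active.get(user_id)
        if entry is None:
            return False  # nothing issued, or the token was already used
        _, issued_at = entry
        if now - issued_at > TOKEN_LIFETIME:
            del self.active[user_id]  # expired tokens are discarded as well
            return False
        if not hmac.compare_digest(self._derive(user_id, issued_at), presented):
            return False
        del self.active[user_id]  # single use: the same token cannot be replayed
        return True


class PrepaidCardManager:
    """Prepaid card management device: ownership check of the selected card
    (correctness certification in S2) and the payment operation (S7)."""

    def __init__(self, cards: dict):
        self.cards = cards  # user_id -> {card_id: balance}

    def select_card(self, user_id: str, card_id: str) -> bool:
        return card_id in self.cards.get(user_id, {})

    def pay(self, user_id: str, card_id: str, amount: int):
        """Returns the new balance, or None if the card or the funds are missing."""
        if amount <= 0 or not self.select_card(user_id, card_id):
            return None
        if self.cards[user_id][card_id] < amount:
            return None
        self.cards[user_id][card_id] -= amount
        return self.cards[user_id][card_id]


def process_payment(auth: AuthServer, manager: PrepaidCardManager, user_id: str,
                    card_id: str, token: str, amount: int, now: int):
    """S6 + S7 as one call: the payment runs only after the token is accepted.
    Returns the new balance, or None when the payment is refused."""
    if not auth.verify_token(user_id, token, now):
        return None
    return manager.pay(user_id, card_id, amount)
```

The server keeps one live token per user and deletes it on first successful use, which is what makes the comparison in S6 a replay check rather than only a format check; binding the token to the user and the issue time means a token captured at the POS is useless for another user or after its lifetime.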
In summary, the present invention provides a prepaid card online payment system and method based on identity authentication, which sets authentication modules respectively in the client and the management server platform to realise identity authentication in the payment process, and sets NFC modules respectively in the client and the payment management device to realise information exchange between the client and the payment management device, thereby improving the security of the present invention while extending its range of application.
The specific embodiments of the invention have been described in detail above, but the invention is not restricted to the specific embodiments described, which serve only as examples. For those skilled in the art, any equivalent modifications and substitutions made to the system also fall within the scope of the invention. Therefore, equivalent transformations and modifications made without departing from the spirit and scope of the invention shall all be covered by the scope of the invention.
Claims (8)
- 1. A prepaid card online payment system based on identity authentication, characterised in that it includes: a client, a payment management device, and a management service platform; a first authentication module and a first NFC module are built into the client; token information is obtained through the first authentication module, and payment information and the token information are sent to the payment management device through the first NFC module; a second NFC module is built into the payment management device; the information sent by the client is received through the second NFC module, and the payment information and the token information are sent to the management service platform, to realise the response to the payment information; a second authentication module is built into the management service platform, for generating and authenticating the token information, and user information and prepaid card information are managed and authenticated through the second authentication module; the user information includes identification information for uniquely identifying the user; before the system carries out a payment operation, the first authentication module built into the client and the second authentication module built into the management service platform, according to the user information and using the SOTP algorithm, complete the mutual authentication of the client and the management service platform and each form the same session key, to realise the information exchange between the client and the management service platform; wherein the SOTP algorithm is realised through a registration phase, an authentication phase and a session phase; in the registration phase, the client registers with the management service platform by combining the identification information uniquely identifying the user with the user password information, completing the initialisation of the user; in the authentication phase, the client encrypts the current time and the user password information to obtain first encryption information, and sends the first encryption information and the identification information of the user to the management service platform; the management service platform decrypts the first encryption information to obtain the current time obtained by the client, and compares it with the current time obtained by the management service platform, completing the authentication of the client by the management service platform; the management service platform obtains the encryption information of the current time obtained by the client from the first encryption information, generates the session key according to the encryption information of the current time obtained by the client, and sends the session key to the client; the management service platform also encrypts the current time it obtains and sends it to the client; the client decrypts the encryption information of the current time obtained by the management service platform, obtains the current time obtained by the management service platform, and compares it with the current time obtained earlier by the client, completing the authentication of the management service platform by the client; after the session phase, the client and the management service platform hold the same session key, and the data packets in each dialogue between the management service platform and the client are protected with the session key.
- 2. The prepaid card online payment system based on identity authentication as claimed in claim 1, characterised in that the management service platform includes: a management server, an authentication server, and a prepaid card management device; the second authentication module is built into the management server, which receives the user information and prepaid card information sent by the client and sends them respectively to the authentication server and the prepaid card management device; the authentication server generates the token information before the system carries out payment, and authenticates the user information and the token information during payment; the prepaid card management device is used for managing and authenticating the prepaid card information.
- 3. The prepaid card online payment system based on identity authentication as claimed in claim 2, characterised in that the payment management device includes a POS machine, and the POS machine includes an NFC reader.
- 4. A prepaid card online payment method based on identity authentication, applied to the prepaid card online payment system based on identity authentication as claimed in any one of claims 2 to 3, characterised in that it specifically includes: S1, based on the user information obtained by the client, mutual authentication of the client and the authentication server is realised using the SOTP algorithm and the same session key is formed on each side, to realise the information exchange between the client and the authentication server; S2, the authentication server realises the legitimacy certification of the prepaid card information, and the prepaid card management device realises the correctness certification of the prepaid card information; S3, the authentication server responds to the request of the client and generates the corresponding token information; S4, the payment management device sends a payment request to the client; S5, the client sends the payment information and the token information to the authentication server via the payment management device and the prepaid card management device; S6, the authentication server realises the certification of the token information, and sends the authentication result and the payment request to the prepaid card management device; S7, the prepaid card management device completes the payment operation, and sends the payment response to the payment management device.
- 5. The prepaid card online payment method based on identity authentication as claimed in claim 4, characterised in that in step S2, the authentication server realising the legitimacy certification of the prepaid card information and the prepaid card management device realising the correctness certification of the prepaid card information specifically include: the client encrypts the prepaid card information with the session key into first encryption information, at the same time extracts first summary information from the prepaid card information, and then sends the first encryption information and the first summary information together to the management server; the management server sends the received first encryption information and first summary information to the authentication server; the authentication server decrypts the first encryption information with the session key it generated to obtain the prepaid card information, then obtains second summary information of the prepaid card information, and compares the second summary information with the received first summary information, realising the legitimacy certification of the prepaid card information; finally the received prepaid card information and user information are sent together to the prepaid card management device; the prepaid card management device obtains the matching user preset in the device according to the received user information, then compares the received prepaid card information with the prepaid card information that user holds, realising the correctness certification of the prepaid card information.
- 6. The prepaid card online payment method based on identity authentication as claimed in claim 4, characterised in that in step S3, the authentication server responding to the request of the client and generating the corresponding token information specifically includes: the client encrypts the token request information with the session key into second encryption information, at the same time extracts third summary information from the token request information, and then sends the second encryption information and the third summary information together to the management server; the management server sends the received second encryption information and third summary information to the authentication server; the authentication server decrypts the second encryption information with the session key it generated to obtain the token request information, then obtains fourth summary information of the token request information, and compares the received third summary information with the fourth summary information, realising the legitimacy certification of the token request information; finally it generates the corresponding token information according to the token request of the client.
- 7. The prepaid card online payment method based on identity authentication as claimed in claim 6, characterised in that in step S6, the authentication server realising the certification of the token information and sending the authentication result and the payment request to the prepaid card management device specifically includes: the payment management device sends a payment request to the client; the client encrypts the token information and the payment information with the session key into third encryption information, at the same time extracts fifth summary information from the token information and the payment information, and then sends the third encryption information and the fifth summary information to the payment management device; the payment management device sends the third encryption information and the fifth summary information to the prepaid card management device; the prepaid card management device sends the received third encryption information and fifth summary information to the authentication server; the authentication server decrypts the third encryption information with the session key it generated to obtain the token information and the payment information, then obtains sixth summary information, and compares the sixth summary information with the received fifth summary information, realising the legitimacy certification of the token request information; finally the received token information is compared with the token information generated by the authentication server itself, completing the comparison of the token information.
- 8. The prepaid card online payment method based on identity authentication as claimed in claim 4, characterised in that in step S7, the prepaid card management device completing the payment operation and sending the payment response to the payment management device specifically includes: after the token information is authenticated successfully, the authentication result and the payment information are sent to the prepaid card management device; after the prepaid card management device receives the authentication result and the payment information, it carries out the payment response according to the received payment information, and sends the payment response to the payment management device, completing the payment operation of the prepaid card online payment system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410531823.7A CN104240074B (en) | 2014-10-11 | 2014-10-11 | The online payment system of prepaid card and its method of payment of identity-based certification |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104240074A CN104240074A (en) | 2014-12-24 |
CN104240074B true CN104240074B (en) | 2018-02-13 |
Family
ID=52228094
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410531823.7A Active CN104240074B (en) | 2014-10-11 | 2014-10-11 | The online payment system of prepaid card and its method of payment of identity-based certification |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104240074B (en) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104574060A (en) * | 2015-01-09 | 2015-04-29 | 艾体威尔电子技术(北京)有限公司 | On-line payment method and system based on NFC token |
CN106161032B (en) * | 2015-04-24 | 2019-03-19 | 华为技术有限公司 | A kind of identity authentication method and device |
CN105023182B (en) * | 2015-08-12 | 2019-03-08 | 上海众人网络安全技术有限公司 | A kind of purchase system and method based on Intelligent bracelet |
CN105187937B (en) * | 2015-08-12 | 2019-02-01 | 上海众人网络安全技术有限公司 | A kind of purchase system and method based on smart phone |
CN105550877A (en) * | 2015-12-21 | 2016-05-04 | 北京智付融汇科技有限公司 | Payment method and apparatus |
CN105635168B (en) * | 2016-01-25 | 2019-01-22 | 恒宝股份有限公司 | A kind of application method of offline transaction device and its security key |
CN107153957A (en) * | 2016-03-06 | 2017-09-12 | 神州黑鹰(上海)信息科技有限公司 | The management system of universal single-use prepaid card |
CN105959109A (en) * | 2016-06-28 | 2016-09-21 | 来谊金融信息科技(上海)股份有限公司 | Host card simulation based key storage method and payment method |
CN108805539A (en) * | 2018-02-09 | 2018-11-13 | 深圳市微付充科技有限公司 | A kind of method of payment, mobile device and storage device that Intrusion Detection based on host snap gauge is quasi- |
CN109949037A (en) * | 2019-03-26 | 2019-06-28 | 深圳市元征科技股份有限公司 | A kind of method of payment and relevant device based on net card |
CN112016918B (en) * | 2019-05-30 | 2024-06-25 | 小米数字科技有限公司 | Signature writing method, signature verification method, device and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101933246A (en) * | 2008-01-30 | 2010-12-29 | 电子湾有限公司 | Near field communication initialization |
CN103067335A (en) * | 2011-10-18 | 2013-04-24 | 中国移动通信集团公司 | Method for realizing information interaction as non-contact mode, correlation equipment and system |
CN103457913A (en) * | 2012-05-30 | 2013-12-18 | 阿里巴巴集团控股有限公司 | Data processing method, communication terminals, server and system |
CN103501191A (en) * | 2013-08-21 | 2014-01-08 | 王越 | Mobile payment device and method thereof based on NFC technology |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8782391B2 (en) * | 2009-06-10 | 2014-07-15 | Visa International Service Association | Service activation using algorithmically defined key |
KR101385429B1 (en) * | 2011-09-07 | 2014-04-15 | 주식회사 팬택 | Method for authenticating individual of electronic contract using nfc, authentication server and terminal for performing the method |
- 2014-10-11: CN CN201410531823.7A patent/CN104240074B/en active (Active)
Also Published As
Publication number | Publication date |
---|---|
CN104240074A (en) | 2014-12-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C41 | Transfer of patent application or patent right or utility model | ||
TA01 | Transfer of patent application right | | Effective date of registration: 20160310. Address after: 201821, room 4, building 1411, 211 Yecheng Road, Jiading Industrial Zone, Shanghai, China. Applicant after: Shanghai PeopleNet Security Technology Co., Ltd. Address before: 201203 Shanghai City, Pudong New Area Zhangjiang hi tech park Zuchongzhi Road No. 899 Building 9 room 01 4. Applicant before: Shanghai everybody Science and Technology Ltd. |
GR01 | Patent grant | ||