CN104240074B - The online payment system of prepaid card and its method of payment of identity-based certification - Google Patents


Info

Publication number: CN104240074B
Application number: CN201410531823.7A
Authority: CN (China)
Prior art keywords: information, client, payment, certification, prepaid card
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN104240074A
Inventors: 谈剑锋, 姜立稳, 何江华, 王力
Current assignee: Shanghai Peoplenet Security Technology Co Ltd
Original assignee: Shanghai Peoplenet Security Technology Co Ltd

Events: application filed by Shanghai Peoplenet Security Technology Co Ltd; priority to CN201410531823.7A; publication of CN104240074A; application granted; publication of CN104240074B; legal status Active.

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00: Payment architectures, schemes or protocols
    • G06Q20/22: Payment schemes or models
    • G06Q20/28: Pre-payment schemes, e.g. "pay before"
    • G06Q20/30: Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32: Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327: Short range or proximity payments by means of M-devices
    • G06Q20/3278: RFID or NFC payments by means of M-devices
    • G06Q20/34: Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/342: Cards defining paid or billed services or quantities
    • G06Q20/351: Virtual cards
    • G06Q20/38: Payment protocols; Details thereof
    • G06Q20/382: Payment protocols; Details thereof insuring higher security of transaction

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Computer Security & Cryptography (AREA)
  • Finance (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The present invention relates to the field of payment technology for intelligent terminals, and more particularly to a system in which a client cooperates with a management service platform to realize virtualized payment with a physical card. The prepaid card online payment system based on identity authentication provided by the invention specifically includes: a client with a built-in first authentication module and first NFC module, which obtains token information through the authentication module and sends payment information and the token information to a payment management device through the NFC module; a payment management device with a built-in second NFC module, which receives the information sent by the client through the second NFC module and forwards the payment information and token information to the management service platform so that the payment information is answered; and a management service platform with a built-in second authentication module, which generates and authenticates the token information and, through the second authentication module, manages and authenticates user information and prepaid card information. Identity authentication is thereby realized in the payment process, which improves the security of the invention and widens its application.

Description

The online payment system of prepaid card and its method of payment of identity-based certification
Technical field
The present invention relates to the field of payment technology for intelligent terminals, and more particularly to a system, and its payment method, in which a client cooperates with a management service platform to realize virtualized payment with a physical (entity) card.
Background technology
A prepaid card, also called a stored-value card, consumption card, welfare card, smart card, points card and so on, is a card issued by a card-issuing institution on a specific carrier and in a specific form, with which goods or services can be bought outside the issuer against a prepaid value; in effect it is a card that is paid for first and consumed later. According to whether the holder's identity information is recorded, prepaid cards are divided into registered prepaid cards and anonymous prepaid cards: registered prepaid cards include, for example, the shopping cards provided by supermarkets, and anonymous prepaid cards include, for example, the SIM card in a mobile phone. According to the information carrier they are divided into magnetic-stripe cards and chip (IC) cards.
Prepaid card shopping is a form of transaction that appeared after the credit card; today its most common use is in Japan. The process of using a prepaid card is: the consumer prepays a limited amount of cash at a shop within the scope of a certain system and obtains the card; at these shops the consumer can then shop directly with the card, once or many times, without paying cash.
Using cards in this way has many benefits for both merchants and consumers. For the merchant, after adopting prepaid cards the merchant no longer handles cash, which greatly reduces the flow of cash; this both avoids losses from counterfeit money and reduces the risk of robbery. At the same time, using prepaid cards instead of collecting cash greatly reduces the accounting of receipts and payments, which improves efficiency and cuts labour and equipment costs. For consumers, it is only necessary to carry a very thin prepaid card, with little or no cash, which reduces the danger of theft and mishap and is convenient to carry.
The content of the invention
At present there are already many platforms that pay with prepaid cards, for example the "virtual prepaid card" platform of Yinshang Information: on such a platform a merchant can virtualize its existing physical cards through its own software and third-party platforms such as WeChat or the Alipay wallet, and can also issue purely virtual cards on the platform. When paying through a third-party platform, the card holder first generates a bar code online with a mobile phone, and the cashier scans the bar code with a scanning gun to complete the payment. The payment process of this payment system has many problems, for example: the bar code currently supports only red-light scanning and not laser scanning; the whole payment process lacks an identity authentication step, since even without going through a third-party platform such as WeChat, a user can enter a URL (Uniform Resource Locator) directly in a computer browser to generate a bar code and pay; and throughout the transaction the data and passwords are transmitted in plaintext, so they are easily sniffed and intercepted. To address these problems, the invention provides a prepaid card online payment system based on identity authentication: authentication modules are placed in the client and in the management server platform respectively, realizing identity authentication in the payment process; and NFC modules are placed in the client and in the payment management device respectively, realizing information exchange between the client and the payment management device. This improves the security of the invention and at the same time widens its application.
A prepaid card online payment system based on identity authentication, including:
a client, a payment management device, and a management service platform;
the client has a built-in first authentication module and a first NFC (Near Field Communication) module; it obtains token information through the authentication module, and sends payment information and the token information to the payment management device through the NFC module;
the payment management device has a built-in second NFC module; it receives the information sent by the client through the second NFC module, and sends the payment information and the token information to the management service platform so that the payment information is answered;
the management service platform has a built-in second authentication module for generating and authenticating the token information, and manages and authenticates user information and prepaid card information through the second authentication module.
Near-field communication (NFC) technology developed out of contactless radio-frequency identification (RFID) and was jointly developed by Philips Semiconductors (NXP Semiconductors), Nokia and Sony. Its basis is RFID and interconnection technology; it is a short-range, high-frequency radio technology that runs at 13.56 MHz within a distance of 20 cm, with three transmission speeds: 106 kbit/s, 212 kbit/s and 424 kbit/s. Near-field communication has currently been adopted as the international standard ISO/IEC IS 18092, the ECMA-340 standard and the ETSI TS 102 190 standard. NFC uses two read modes, active and passive. NFC technology combines the functions of an inductive card reader, a contactless card and point-to-point communication on one chip, so as to identify and exchange data with compatible devices at short range.
Identity authentication is the process of confirming a user's identity in a computer network. Authentication can be divided into authentication between a user and a client and authentication between clients. Authentication between a user and a client can be based on one or several of the following factors: a password or passcode, or information that uniquely identifies the user, such as a credit card; and biometric characteristics possessed by the user, such as a fingerprint, voice, retina or signature.
Preferably, the management service platform includes: a management server, an authentication server, and a prepaid card management device;
the management server has the built-in second authentication module; it receives the user information and prepaid card information sent by the client and sends them to the authentication server and the prepaid card management device respectively;
the authentication server generates a session key and token information before the system pays, and during the payment process authenticates the user information and the token information;
the prepaid card management device manages and authenticates the prepaid card information.
Preferably, the user information includes identification information that uniquely identifies the user.
Preferably, the payment management device includes a POS machine, and the POS machine includes an NFC reader.
The invention also provides a prepaid card online payment method based on identity authentication, applied to the above prepaid card online payment system based on identity authentication, which specifically includes:
S1: based on the user information obtained by the client, mutual authentication between the client and the authentication server is carried out;
S2: the authentication server authenticates the legitimacy of the prepaid card information, and the prepaid card management device authenticates the correctness of the prepaid card information;
S3: the authentication server responds to the client's request and generates the corresponding token information;
S4: the payment management device sends the payment request to the client;
S5: the client sends the payment information and the token information to the authentication server via the payment management device and the prepaid card management device;
S6: the authentication server authenticates the token information and sends the authentication result and the payment request to the prepaid card management device;
S7: the prepaid card management device completes the payment operation and sends the payment response to the payment management device.
Preferably, in step S1, the mutual authentication between the client and the authentication server based on the user information obtained by the client consists in forming the same session key in the client and in the authentication server from the user information, so as to realize information exchange between the client and the management service platform.
The session key mentioned here is mainly used to realize communication between the client and the management service platform and to ensure the security of the transaction information. It is based on SOTP (Strong One-time Password, a strengthened one-time dynamic password), a new cipher system developed on the basis of OTP (One-time Password). Besides identity recognition and data encryption, the SOTP algorithm can also verify the integrity and non-repudiation of transmitted data.
The SOTP cipher system is described in detail below. The whole process is divided into three stages: a registration stage, an authentication stage and a session stage.
1. Registration stage
Before SOTP is used, the user first registers with the server in a secure environment, which completes the user's initialization.
In the registration stage, the client first combines the identification information uid that uniquely identifies the user with the user's password information pw and encrypts them with a first algorithm H, such as SHA1, to generate first information. At the same time, the server immediately generates a first key k and a second key k' and sends k and k' to the client; it combines the first key k with an encryption algorithm E to generate an encryption function E_k associated with k, and combines the second key k' with a decryption algorithm D to generate a decryption function D_k' associated with k'.
At this stage the server stores the encryption algorithm, the decryption algorithm, the first key, the second key, the identification information and the first information; the client stores the encryption algorithm and the decryption algorithm sent to it by the server.
2. Authentication stage
In the authentication process, the user first enters the identification information uid and the password information pw in the client; the client combines the current time T_ui with the password information pw and encrypts them with the encryption function E_k and the first algorithm H to generate first encryption information. The client then sends the identification information uid and the first encryption information to the server.
After the server receives the identification information uid and the first encryption information, it first determines whether uid belongs to a legitimate user, that is, whether it has been registered with the server: it checks whether the user information uid is prestored in the server's list of user identity information.
If the check shows the user is legitimate, the preliminary authentication at the server is complete; if the preliminary authentication finds the user is illegitimate, the session with the client is terminated immediately.
Next, the server takes the current time T_si and encrypts it with the encryption algorithm E and the second key k' as E_k'(T_si). It then decrypts the received first encryption information with the decryption algorithm D and the first key k, performs an XOR operation on the result to obtain E_k(T_ui), and finally decrypts E_k(T_ui) with D and k to obtain T_ui.
Having obtained T_ui, the server calculates the time difference between T_si and T_ui. If the difference is within the preset time, 10 min, the server has authenticated the client successfully; otherwise the server disconnects the session with the client.
After authenticating the client, the server negates E_k(T_ui) (bit order and bit polarity) to obtain E'_k(T_ui), then encrypts E_k(T_ui) and E'_k(T_ui) with the encryption algorithm E and the first key k to obtain the session key K_i = E_k(E_k(T_ui)) + E_k(E'_k(T_ui)). This extends the original 64 bits to 128 bits, greatly strengthening the security of the information.
After obtaining the session key, the server sends E_k'(T_si) to the client.
After the client receives E_k'(T_si), it decrypts it with the decryption algorithm D and the second key k' to obtain the time T_si, and then calculates the time difference between T_si and T_ui. If the difference is within the preset time difference, 10 min, the client has authenticated the server successfully; otherwise the client disconnects the session with the server.
After authenticating the server, the client negates E_k(T_ui) to obtain E'_k(T_ui), then encrypts E_k(T_ui) and E'_k(T_ui) with the encryption algorithm E and the first key k to obtain the session key K_i = E_k(E_k(T_ui)) + E_k(E'_k(T_ui)).
3. Session stage
After the session key has been generated in the client and in the server respectively, the session relationship between the client and the server is established. From then on, the data packets exchanged between the server and the client in each session are protected by encryption with the session key K_i, and an integrity check is carried out with the first algorithm H.
In addition, during the session the sender and the receiver of a data packet each hold a public transaction data encryption algorithm e and the corresponding decryption algorithm d, such as AES-128.
If the content of the session between the sender and the receiver is M, the format of the data packet sent by the sender is e_Ki(M) + H(M). When the receiver (the server on the receiving side) has received the session data packet, it first decrypts the information e_Ki(M) with the decryption algorithm d to obtain M, then computes H(M) from the obtained M with the first algorithm H, and finally compares the computed H(M) with the received H(M). If they are identical, the data is legitimate; otherwise the session is terminated. This completes the authentication process of the whole SOTP algorithm.
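The three SOTP stages above, traced end to end in code. This is an added example written for this page, not code from the patent or from Shanghai Peoplenet. The page names neither the 64-bit cipher E/D nor the exact composition of the first encryption information, so the example uses a constructed Feistel network as a stand-in for E/D, an HMAC-based keystream as a stand-in for the AES-128 session cipher e, and assumes the first encryption information is E_k(E_k(T_ui) XOR F) with F the first 64 bits of H(uid, pw), which matches the decrypt, XOR, decrypt recovery order the page describes. SHA1 for H, the 10 min window and K_i = E_k(E_k(T_ui)) || E_k(E'_k(T_ui)) follow the page; the user and message contents are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

MASK64 = (1 << 64) - 1
WINDOW_SECONDS = 600  # the page's 10 min freshness window, in seconds

# The page does not name its 64-bit block cipher E/D. This stand-in, constructed
# for the example, is a 4-round Feistel network with an HMAC-SHA256 round
# function: invertible, which is all the protocol needs, but not a real cipher.
def _round(key: bytes, r: int, half: int) -> int:
    mac = hmac.new(key, struct.pack(">BI", r, half), hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]

def E(key: bytes, block: int) -> int:
    left, right = block >> 32, block & 0xFFFFFFFF
    for r in range(4):
        left, right = right, left ^ _round(key, r, right)
    return (left << 32) | right

def D(key: bytes, block: int) -> int:
    left, right = block >> 32, block & 0xFFFFFFFF
    for r in reversed(range(4)):
        left, right = right ^ _round(key, r, left), left
    return (left << 32) | right

def H(*parts: bytes) -> bytes:
    """The page's first algorithm H: SHA1."""
    return hashlib.sha1(b"".join(parts)).digest()

def negate(block: int) -> int:
    """E'_k(T): reverse the bit order and invert every bit, as the page says."""
    return ~int(f"{block:064b}"[::-1], 2) & MASK64

def derive_session_key(k: bytes, ek_t: int) -> bytes:
    """K_i = E_k(E_k(T_ui)) || E_k(E'_k(T_ui)): two 64-bit halves give 128 bits."""
    return E(k, ek_t).to_bytes(8, "big") + E(k, negate(ek_t)).to_bytes(8, "big")

class Server:
    def __init__(self):
        self.users = {}  # uid -> (k, k', first information H(uid, pw))

    def register(self, uid: bytes, pw: bytes):
        k, k2 = os.urandom(16), os.urandom(16)
        self.users[uid] = (k, k2, H(uid, pw))
        return k, k2  # delivered to the client over the secure registration channel

    def authenticate(self, uid: bytes, c1: int, t_si: int):
        """Return (E_k'(T_si), K_i) on success, None when the session must end."""
        if uid not in self.users:  # preliminary check: is uid registered?
            return None
        k, k2, first_info = self.users[uid]
        f = int.from_bytes(first_info[:8], "big")
        ek_t = D(k, c1) ^ f  # assumption: C1 = E_k(E_k(T_ui) XOR F), F from H(uid, pw)
        t_ui = D(k, ek_t)
        if abs(t_si - t_ui) > WINDOW_SECONDS:
            return None
        return E(k2, t_si), derive_session_key(k, ek_t)

class Client:
    def __init__(self, uid: bytes, pw: bytes, k: bytes, k2: bytes):
        self.uid, self.k, self.k2 = uid, k, k2
        self.f = int.from_bytes(H(uid, pw)[:8], "big")
        self.ek_t = None

    def login_message(self, t_ui: int):
        """uid plus the first encryption information (same assumed shape as above)."""
        self.ek_t = E(self.k, t_ui)
        return self.uid, E(self.k, self.ek_t ^ self.f)

    def finish(self, reply: int, now: int):
        """Check the server's timestamp, then derive the same K_i the server holds."""
        if abs(now - D(self.k2, reply)) > WINDOW_SECONDS:
            return None
        return derive_session_key(self.k, self.ek_t)

# Session stage. The page's packet is e_Ki(M) + H(M) with e = AES-128; the
# stand-in keystream below (HMAC-SHA256 counter mode, per-packet nonce) is
# constructed for this example.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, m: bytes) -> bytes:
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(m, _keystream(key, nonce, len(m))))
    return nonce + ct + H(m)

def open_packet(key: bytes, packet: bytes):
    """Return M when the recomputed H(M) matches the received one, else None."""
    nonce, ct, digest = packet[:8], packet[8:-20], packet[-20:]
    m = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return m if hmac.compare_digest(H(m), digest) else None

def run_sotp_demo(now: int = 1_700_000_000) -> bool:
    """Registration, mutual authentication and one protected packet, end to end."""
    server = Server()
    k, k2 = server.register(b"user-0001", b"correct horse")  # constructed sample user
    client = Client(b"user-0001", b"correct horse", k, k2)
    uid, c1 = client.login_message(now)
    result = server.authenticate(uid, c1, now + 30)
    if result is None:
        return False
    reply, k_server = result
    k_client = client.finish(reply, now + 31)
    if k_client != k_server:
        return False
    m = b"balance query, card 0001"  # constructed session content M
    return open_packet(k_client, seal(k_server, m)) == m
```

Two properties of the page's design are visible in this trace and worth checking before reusing it: the packet's integrity value H(M) is an unkeyed hash of the plaintext, so the receiver's comparison detects corruption but not substitution by anyone who can compute SHA1 and the session keystream; and the timestamp window is the only freshness check in the authentication stage. A keyed MAC or AEAD mode for session packets, and a server-side replay cache or nonce for the login message, are the usual mitigations.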
Preferably, in step S2, the authentication server authenticating the legitimacy of the prepaid card information and the prepaid card management device authenticating its correctness specifically includes:
the client encrypts the prepaid card information with the session key into first encryption information, at the same time extracts first summary information from the prepaid card information, and then sends the first encryption information and the first summary information together to the management server;
the management server sends the received first encryption information and first summary information to the authentication server;
the authentication server decrypts the first encryption information with the session key it generated to obtain the prepaid card information, derives second summary information from the prepaid card information, and compares the second summary information with the received first summary information, thereby authenticating the legitimacy of the prepaid card information; finally it sends the received prepaid card information and the user information together to the prepaid card management device;
the prepaid card management device looks up, according to the received user information, the matching user preset in the device, and compares the received prepaid card information with the prepaid card information held for that user, thereby authenticating the correctness of the prepaid card information.
Preferably, in step S3, the authentication server responding to the client's request and generating the corresponding token information specifically includes:
the client encrypts the token request information with the session key into second encryption information, at the same time extracts third summary information from the token request information, and then sends the second encryption information and the third summary information together to the management server;
the management server sends the received second encryption information and third summary information to the authentication server;
the authentication server decrypts the second encryption information with the session key it generated to obtain the token request information, derives fourth summary information from the token request information, and compares the received third summary information with the fourth summary information, thereby authenticating the legitimacy of the token request information; finally it generates the corresponding token information according to the client's token request.
Preferably, in step S6, the authentication server authenticating the token information and sending the authentication result and the payment request to the prepaid card management device specifically includes:
the payment management device sends a payment request to the client;
the client encrypts the token information and the payment information with the session key into third encryption information, at the same time extracts fifth summary information from the token information and the payment information, and then sends the third encryption information and the fifth summary information to the payment management device;
the payment management device sends the third encryption information and the fifth summary information to the prepaid card management device;
the prepaid card management device sends the received third encryption information and fifth summary information to the authentication server;
the authentication server decrypts the third encryption information with the session key it generated to obtain the token information and the payment information, derives sixth summary information from them, and compares the sixth summary information with the received fifth summary information, thereby authenticating the legitimacy of the received information; finally it compares the received token information with the token information it generated itself, completing the comparison of the token information.
Preferably, in step S7, the prepaid card management device completing the payment operation and sending the payment response to the payment management device specifically includes:
after the token information has been authenticated successfully, the authentication result and the payment information are sent to the prepaid card management device;
after the prepaid card management device receives the authentication result and the payment information, it answers the payment according to the received payment information, and sends the payment response to the payment management device, completing the payment operation of the prepaid card online payment system.
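Steps S2 through S7 as a simulation of the authentication server, the prepaid card management device and the client, with the management server and the POS reduced to the forwarding role the page assigns them. This is an added example written for this page, not the patent's or the assignee's code. Its assumptions: the session key K_i has already been agreed in step S1 and is held by both sides; each "encryption information / summary information" pair is E_Ki(M) and SHA1(M), with an HMAC keystream standing in for AES-128; the payment information is a 4-byte amount; the card records, user id and balance are constructed sample data; and, going beyond the page, the authentication server discards a token once it has matched a payment, so the same token cannot pay twice.

```python
import hashlib
import hmac
import os
import struct

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in for AES-128 under the session key K_i, constructed for this example.
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def protect(key: bytes, m: bytes):
    """The page's pair: (encryption information E_Ki(M), summary information H(M))."""
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(m, _keystream(key, nonce, len(m))))
    return nonce + ct, hashlib.sha1(m).digest()

def unprotect(key: bytes, enc: bytes, summary: bytes):
    """Decrypt, recompute the summary and return M only if both summaries match."""
    nonce, ct = enc[:8], enc[8:]
    m = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return m if hmac.compare_digest(hashlib.sha1(m).digest(), summary) else None

class AuthenticationServer:
    """Holds each user's session key K_i from step S1 and the token it issued."""
    def __init__(self, session_keys: dict):
        self.session_keys = session_keys
        self.tokens = {}

    def check_card(self, uid, enc, summary):     # S2: legitimacy of the card information
        return unprotect(self.session_keys[uid], enc, summary)

    def issue_token(self, uid, enc, summary):    # S3: verified token request -> token
        if unprotect(self.session_keys[uid], enc, summary) is None:
            return None
        self.tokens[uid] = os.urandom(16)
        return self.tokens[uid]

    def check_payment(self, uid, enc, summary):  # S6: summary check, then token comparison
        m = unprotect(self.session_keys[uid], enc, summary)
        if m is None:
            return None
        token, payment = m[:16], m[16:]
        if not hmac.compare_digest(token, self.tokens.get(uid, b"")):
            return None
        del self.tokens[uid]  # addition beyond the page: a token pays at most once
        return payment

class PrepaidCardManagement:
    """Records preset in the device: uid -> (card number, balance in cents)."""
    def __init__(self, cards: dict):
        self.cards = cards

    def check_card(self, uid, card_no) -> bool:  # S2: correctness against the preset record
        return uid in self.cards and self.cards[uid][0] == card_no

    def pay(self, uid, payment: bytes):          # S7: deduct and answer
        amount = struct.unpack(">I", payment)[0]  # assumed payment information: 4-byte amount
        card_no, balance = self.cards[uid]
        if amount > balance:
            return None
        self.cards[uid] = (card_no, balance - amount)
        return balance - amount

def run_payment_flow(auth, cards, uid, key, card_no, amount):
    """Steps S2 to S7 for one client; returns the remaining balance, or None on any failure."""
    card_info = auth.check_card(uid, *protect(key, card_no))  # S2, via the forwarding management server
    if card_info is None or not cards.check_card(uid, card_info):
        return None
    token = auth.issue_token(uid, *protect(key, b"token request"))  # S3
    if token is None:
        return None
    # S4/S5: the POS asks for payment; the client answers with E_Ki(token || payment)
    enc, summary = protect(key, token + struct.pack(">I", amount))
    payment = auth.check_payment(uid, enc, summary)  # relayed POS -> card management -> auth (S6)
    if payment is None:
        return None
    return cards.pay(uid, payment)  # S7

def demo_setup():
    """Constructed sample state after step S1: one user, one session key, one card."""
    uid, key, card_no = b"user-0001", os.urandom(16), b"CARD-0001"
    auth = AuthenticationServer({uid: key})
    cards = PrepaidCardManagement({uid: (card_no, 10_000)})
    return auth, cards, uid, key, card_no
```

The order of checks mirrors the page: the summary comparison (legitimacy) runs before the token comparison, and the prepaid card management device only deducts after the authentication server has answered. Because the summary is an unkeyed SHA1 of the plaintext, the decision that matters on the relay path is the token comparison, which is why consuming the token on use is the one hardening added here.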
The invention provides a prepaid card online payment system based on identity authentication, whose advantages are:
1. The invention places authentication modules in the client and in the management service platform respectively, realizing a session between the client and the management service platform and at the same time greatly improving the security of the session information during the session.
2. In the invention, the session information in the session between the client and the management service platform is encrypted with SOTP technology:
in this process, each client contains an independent application program or plug-in that fuses the built-in algorithm with the key, that is, the client stores only the encryption function and decryption function generated by combining the encryption and decryption algorithms with a random key, which effectively solves the problem of storing the session key securely during the session; and since the randomly generated key differs from client to client, the algorithm contained in each client also differs, so that even if the security plug-in in one client is accidentally leaked, the overall security of the system is not affected;
mutual authentication is used between the client and the management service platform, each side authenticating the other, which effectively prevents impersonation attacks from outside.
After mutual authentication, the client and the management service platform each generate the same session key, and the session key is then used to encrypt the whole session between the client and the server platform and to protect the integrity of the session information, preventing leakage, tampering, repudiation and man-in-the-middle attacks on the transaction content.
3. The invention places NFC modules in the client and in the payment management device respectively; throughout the payment process the client and the payment management device communicate through the NFC modules, which is convenient and fast, and at the same time effectively solves the problem that the payment management device could not obtain the payment information in the client in a timely and effective manner, widening the application scenarios of the system.
Brief description of the drawings
The invention is described in further detail below with reference to the accompanying drawings and the specific embodiments:
Fig. 1 is a structural diagram of the prepaid card online payment system based on identity authentication of the invention;
Fig. 2 is a flow diagram of the prepaid card online payment method based on identity authentication of the invention.
Embodiment
In order to illustrate more clearly about the embodiment of the present invention or technical scheme of the prior art, below in conjunction with the accompanying drawings and implement The present invention is specifically described example.Drawings in the following description are only some embodiments of the present invention.For this area For those of ordinary skill, on the premise of not paying creative work, other accompanying drawings can also be obtained according to these accompanying drawings.
As shown in figure 1, the invention provides a kind of online payment system of prepaid card of identity-based certification, specifically include: Client, payment management equipment, and management service platform.
Specifically, built-in first authentication module and the first NFC module are distinguished in client;Wherein, the first identity is recognized Card module is used to realize the authentication in the data communication process between client and management service platform, to ensure communication number According to security performance;First NFC module, for the payment information in client and token information to be sent to there is provided second The payment management equipment of NFC module.
Further, client includes the intelligent terminal of built-in NFC module, such as mobile phone.Especially, in order to realize this hair Bright purpose, in intelligent terminal, as used HCE (Host Card Mode, main frame mode card) technology to ensure client in mobile phone Hold from the information of external reception and be sent directly in client host in corresponding application program, rather than send to client, In the security module (SE) in mobile phone.However, HCE technologies are the data that realizes and will be sent from outside NFC module HCE into client is serviced or returned to data are replied in outside NFC module, and processing and sensitivity for data The storage of information does not implement, thus in the present invention, mould in the client is realized by using the mode of SOTP algorithms Intend security module, to ensure the security performance of NFC business.As described above, it is recognised that being based on NFC module and HCE technologies Client concrete form besides a cellular phone, in addition to there is provided NFC module and set using other intelligence of HCE technologies It is standby, as long as having used the SOTP algorithms in the present invention during entering row data communication between client and management service platform, Security performance in data communication process can be ensured.
The payment management device contains a second NFC module, through which it receives the information sent by the client; it forwards the payment information and the token information to the management service platform so that the payment information can be responded to.
The payment management device comprises a POS terminal, and the POS terminal comprises an NFC reader. During payment the POS terminal sends a payment request through its built-in NFC reader to the HCE service of the client, and receives through the same reader the information the client sends back. The invention does not restrict the concrete form of the payment management device; any form that achieves the object of the invention falls within its scope.
The management service platform contains a second identity authentication module, which generates and authenticates the token information and also manages and authenticates the user information and the prepaid card information.
The management service platform comprises a management server, an authentication server, and a prepaid card management device.
The management server contains the second identity authentication module; it receives the user information and the prepaid card information sent by the client and forwards them to the authentication server and the prepaid card management device respectively. In the present invention the management server is mainly used for the unified management of prepaid cards, including: the registration of prepaid card holders on the management service platform before any payment operation, and the de-registration of users; binding a prepaid card to the user's physical card, and topping up the prepaid card; the online purchase of prepaid cards; and operations such as balance enquiries and points enquiries on the prepaid card. The management server also provides the access point for the authentication server and the prepaid card management device (through its built-in identity authentication module) and forwards the information it receives to each of them.
The authentication server generates the session key and the token information before a payment is made, and authenticates the user information and the token information during the payment. When a prepaid card holder registers on the management service platform through the client, the management server receives the user information and sends it to the authentication server, where it is stored so that the user's identity can be verified before payment. The user information includes identification information that uniquely identifies the user, such as a user name, together with the user's login credentials. The authentication server also implements the SOTP algorithm, including the generation and the download of the SOTP algorithm library, in order to generate the session key; on request from the client it generates the corresponding token information from the user information and time information. The first identity authentication module in the client and the second identity authentication module in the management server both include the SOTP algorithm interface, through which data encrypted with the SOTP algorithm is transmitted.
The prepaid card management device manages and authenticates the prepaid card information. In the system each user may hold several prepaid cards; the user only needs to store the prepaid card information in the management server and in the prepaid card management device at registration, and during payment simply selects a prepaid card. When the prepaid card management device receives the user information and the prepaid card information, it first looks up the user by the user information and then checks whether the prepaid card selected by the user is valid.
As shown in Figure 2, the invention also provides an identity-authentication-based prepaid card online payment method, comprising:
S1: based on the user information obtained by the client, the client and the authentication server authenticate each other;
S2: the authentication server authenticates the legitimacy of the prepaid card information, and the prepaid card management device authenticates its correctness;
S3: the authentication server responds to the client's request by generating the corresponding token information;
S4: the payment management device sends a payment request to the client;
S5: the client sends the payment information and the token information to the authentication server via the payment management device and the prepaid card management device;
S6: the authentication server authenticates the token information and sends the authentication result and the payment request to the prepaid card management device;
S7: the prepaid card management device completes the payment operation and sends the payment response to the payment management device.
In step S1, before the prepaid card online payment system performs a payment operation, the client and the management service platform each form the same session key from the user information, which achieves mutual authentication between them. Because the invention uses the SOTP algorithm, the use of the algorithm is divided into three stages, as set out in our earlier introduction to SOTP: a registration stage, an authentication stage, and a session stage. The session stage is the stage in which the client and the management service platform exchange information. Before that exchange, the authentication server in the management service platform and the client carry out the registration stage and the authentication stage according to the SOTP algorithm on the basis of the user information: the client authenticates the authentication server, the authentication server authenticates the client, both generate the same session key, and the user is thereby logged in to the management service platform. In the subsequent payment process every dialogue between the client and the management service platform is encrypted with the session key, to secure the exchanged information.
Once the session key has been generated, data verification can take place between the client and the management service platform. In the present invention the client and the authentication server each also contain an encryption algorithm and a decryption algorithm for encrypting and decrypting the exchanged information, such as AES-128, and a hash algorithm (H algorithm) for extracting digest information, such as SHA1. The invention does not restrict the choice of encryption/decryption algorithm or hash algorithm; any that achieves the object of the invention falls within its scope.
After the client has logged in to the management service platform through the above steps, it selects one of the prepaid cards associated with the user. Step S2 specifically comprises: the client encrypts the prepaid card information with the session key and the encryption algorithm to form first encryption information, extracts a first digest from the prepaid card information with the hash algorithm, and sends the first encryption information and the first digest together to the management server; the management server forwards the received first encryption information and first digest to the authentication server; the authentication server decrypts the first encryption information with the session key it generated itself and the decryption algorithm to obtain the prepaid card information, computes a second digest of that information with the hash algorithm, and compares the second digest with the received first digest, thereby authenticating the legitimacy of the prepaid card information; if the verification passes, it sends the received prepaid card information and the user information together to the prepaid card management device; the prepaid card management device looks up the matching user preset in the device from the received user information and compares the received prepaid card information with the prepaid card information held for that user, thereby authenticating the correctness of the prepaid card information. If an error occurs during the legitimacy verification of the prepaid card information, the session with the client is stopped immediately and the user is alerted; if an error occurs during the correctness verification, the session is likewise stopped immediately and the user is told that the prepaid card selection is wrong. The authentication result is returned to the client via the management server by the same procedure: the authentication server first encrypts it with the session key and the encryption algorithm and extracts the digest of the result, and sends both to the client; after receipt the client decrypts the encrypted information with the decryption algorithm, obtains the digest of the decrypted information, and finally compares the two digests, which verifies both the validity and the integrity of the received information.
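The session establishment of step S1 (with the timestamp exchange set out in claim 1) and the encrypt-and-digest exchange of step S2, as an added Go example; it is not code from the patent or from Shanghai Peoplenet. The SOTP algorithm library is not published, so the following are assumptions of this example rather than anything the patent specifies: the per-user key derived from user ID and password that stands in for the registered SOTP secret, the derivation of the session key from the client's first encryption information (both sides derive it, which is how both end up with the identical key), the 60-second tolerance for the time comparison, AES-128 in CTR mode with a random IV as the encryption algorithm and SHA1 as the digest algorithm (the two the description names as examples), and the user and card data, which are constructed. Requires Go 1.21 or newer.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"slices"
	"time"
)

// Added example, not the patent's code. The SOTP library is not public, so the
// per-user key, the session-key derivation and the 60 s window are assumptions.
const clockSkew = 60 * time.Second

// xorCTR runs AES-128-CTR; seal prepends a fresh random IV, open strips it again.
func xorCTR(key, iv, data []byte) []byte {
	b, _ := aes.NewCipher(key) // keys derived below are always 16 bytes
	out := make([]byte, len(data))
	cipher.NewCTR(b, iv).XORKeyStream(out, data)
	return out
}
func seal(key, pt []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return append(iv, xorCTR(key, iv, pt)...)
}
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	return xorCTR(key, blob[:aes.BlockSize], blob[aes.BlockSize:]), nil
}

// userKey stands in for the registered per-user secret; sessionKey is derived on both
// sides from the client's first encryption information (hello), as claim 1 describes.
func userKey(userID, pw string) []byte { s := sha256.Sum256([]byte(userID + ":" + pw)); return s[:16] }
func sessionKey(hello []byte) []byte   { s := sha256.Sum256(hello); return s[:16] }
func putTime(t time.Time) []byte       { return binary.BigEndian.AppendUint64(nil, uint64(t.Unix())) }
func getTime(b []byte) time.Time       { return time.Unix(int64(binary.BigEndian.Uint64(b)), 0) }
func inWindow(a, b time.Time) bool     { d := a.Sub(b); return d <= clockSkew && d >= -clockSkew }

// Authentication stage. The client encrypts its current time and password under the user
// key; the server (pw is the registered password) checks both, derives the session key and
// replies with its own encrypted time; the client checks that time and derives the same key.
func ClientHello(userID, pw string, now time.Time) []byte { return seal(userKey(userID, pw), append(putTime(now), pw...)) }
func ServerAuth(userID, pw string, hello []byte, now time.Time) (reply, sk []byte, err error) {
	pt, err := open(userKey(userID, pw), hello)
	if err != nil || len(pt) < 8 || string(pt[8:]) != pw || !inWindow(now, getTime(pt[:8])) {
		return nil, nil, errors.New("first encryption information rejected")
	}
	return seal(userKey(userID, pw), putTime(now)), sessionKey(hello), nil
}
func ClientFinish(userID, pw string, hello, reply []byte, sentAt time.Time) ([]byte, error) {
	pt, err := open(userKey(userID, pw), reply)
	if err != nil || len(pt) != 8 || !inWindow(getTime(pt), sentAt) {
		return nil, errors.New("server reply rejected")
	}
	return sessionKey(hello), nil
}

// Session stage, step S2: enc(session key, card info) travels beside SHA1(card info). The
// receiver decrypts, recomputes the digest (legitimacy) and checks the card against the
// user's registered cards (correctness).
func SendCardInfo(sk []byte, card string) (enc, digest []byte) {
	d := sha1.Sum([]byte(card))
	return seal(sk, []byte(card)), d[:]
}
func VerifyCardInfo(sk, enc, digest []byte, registered []string) (string, error) {
	pt, err := open(sk, enc)
	if err != nil {
		return "", err
	}
	if d := sha1.Sum(pt); !bytes.Equal(d[:], digest) {
		return "", errors.New("digest mismatch")
	}
	if !slices.Contains(registered, string(pt)) {
		return "", errors.New("prepaid card not registered to this user")
	}
	return string(pt), nil
}

func main() { // constructed data: user alice, password s3cret, cards CARD-0001 and CARD-0002
	now := time.Now()
	hello := ClientHello("alice", "s3cret", now)
	reply, skS, err1 := ServerAuth("alice", "s3cret", hello, now.Add(2*time.Second))
	skC, err2 := ClientFinish("alice", "s3cret", hello, reply, now) // fails cleanly if reply is nil
	if err := errors.Join(err1, err2); err != nil {
		panic(err)
	}
	enc, dg := SendCardInfo(skC, "CARD-0002")
	card, err := VerifyCardInfo(skS, enc, dg, []string{"CARD-0001", "CARD-0002"})
	fmt.Println(card, bytes.Equal(skS, skC), err) // CARD-0002 true <nil>
}
```

Running it prints `CARD-0002 true <nil>`: the authentication server decrypted the card information with a session key identical to the client's, the digests matched, and the card was among those registered to the user. ServerAuth and ClientFinish return an error for a timestamp outside the window or a wrong password, and VerifyCardInfo for a digest mismatch, a truncated ciphertext or an unregistered card. One design point worth noting for anyone reviewing such a scheme: as the description presents it, the digest is computed over the plaintext and carried unkeyed beside the ciphertext, so it confirms that decryption produced the intended data but is not a message authentication code; a present-day design would protect the ciphertext itself with an authenticated encryption mode or a keyed MAC.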
In this step the prepaid card management device records the prepaid card the user will use during payment, for the subsequent payment process.
After the prepaid card has been selected correctly, and to further secure the payment process, the client requests and downloads the corresponding token information from the management service platform. Step S3 specifically comprises: the client encrypts the token request information with the session key and the encryption algorithm to form second encryption information, extracts a third digest from the token request information with the hash algorithm, and sends the second encryption information and the third digest together to the management server; the management server forwards the received second encryption information and third digest to the authentication server; the authentication server decrypts the second encryption information with the session key it generated itself and the decryption function to obtain the token request information, computes a fourth digest of the token request information with the hash algorithm, and compares the received third digest with the fourth digest; if they match, the legitimacy of the token request information is authenticated. Finally, in response to the client's token request, the authentication server generates the token information from the user information, the time information and the key seed information (the key seed is stored in the authentication server when the user registers). If the token request information fails authentication, the session with the client is stopped immediately. The generated token information is returned to the client via the management server by the same encryption and decryption procedure: the authentication server first encrypts it with the session key and the encryption algorithm, extracts the digest of the token information, and sends the encrypted information and the digest together to the client; after receipt the client decrypts the encrypted information with the decryption algorithm, obtains the digest of the decrypted information with the hash algorithm, and finally compares the two digests, verifying the validity and integrity of the received information.
Once all the preparation described above is complete, payment can proceed. The payment process comprises:
First, in step S4, the payment management device sends a payment request to the client. Here the payment management device comprises a POS terminal, which comprises an NFC reader: the NFC reader in the POS terminal sends the payment request to the client, and the client receives it through its built-in NFC module.
Then, in step S6, the client encrypts the token information and the payment information with the session key to form third encryption information, extracts a fifth digest from the token information and the payment information, and sends the third encryption information and the fifth digest to the payment management device. The payment information here specifically includes the payment amount and similar details.
The payment management device sends the third encryption information and the fifth digest to the prepaid card management device;
The prepaid card management device in turn sends the received third encryption information and fifth digest to the authentication server;
Finally, the authentication server decrypts the third encryption information with the session key it generated to obtain the token information and the payment information, computes a sixth digest, and compares the sixth digest with the received fifth digest, thereby authenticating the legitimacy of the token request information; it then compares the received token information with the token information it generated itself, completing the token comparison.
In the authentication server, as in step S7, if the token authentication succeeds the authentication information is sent back to the prepaid card management device; once the prepaid card management device receives the message that the token authentication succeeded, it performs the payment operation according to the received payment information and sends the payment response to the payment management device, completing the whole payment operation. After a successful token authentication the authentication server de-registers the token information and waits for the next token request before generating new token information.
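The token life cycle of steps S3, S6 and S7, as an added Go example; it is not code from the patent or from Shanghai Peoplenet. The patent only says that the token is generated from the user information, the time information and the key seed stored at registration, and that a used token is de-registered, so the concrete construction here (HMAC-SHA256 keyed with the seed over the user ID and a 30-second time step, truncated to 8 bytes), the one-outstanding-token-per-user table, the payment string format and the card balance are assumptions of this example. The session-key encryption that wraps these messages between the client and the authentication server is left out to keep the token handling in view.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Added example, not the patent's code. The token construction (HMAC-SHA256 over the
// user ID and a 30 s time step, keyed with the key seed) and the balance table are
// assumptions; the session-key encryption that wraps these messages is left out.
const tokenStep = 30 * time.Second

// AuthServer models the authentication server: the key seed stored for each user
// at registration, and the single token currently outstanding for each user.
type AuthServer struct {
	seeds  map[string][]byte
	issued map[string]string // user ID -> outstanding token, removed once used
}

func NewAuthServer() *AuthServer {
	return &AuthServer{seeds: map[string][]byte{}, issued: map[string]string{}}
}

// IssueToken (step S3) derives the token from user information, time information
// and the key seed, and records it as the user's outstanding token.
func (a *AuthServer) IssueToken(userID string, now time.Time) (string, error) {
	seed, ok := a.seeds[userID]
	if !ok {
		return "", errors.New("unknown user")
	}
	mac := hmac.New(sha256.New, seed)
	fmt.Fprintf(mac, "%s|%d", userID, now.Unix()/int64(tokenStep/time.Second))
	tok := hex.EncodeToString(mac.Sum(nil)[:8])
	a.issued[userID] = tok
	return tok, nil
}

// Digest5 is the fifth digest the client sends beside the third encryption
// information (step S5): SHA1 over the token and the payment information.
func Digest5(token, payment string) []byte {
	d := sha1.Sum([]byte(token + "|" + payment))
	return d[:]
}

// VerifyToken (step S6) recomputes the digest, compares the received token with the
// outstanding one in constant time and, on success, de-registers it (step S7), so
// presenting the same token twice fails until a new token request is made.
func (a *AuthServer) VerifyToken(userID, token, payment string, digest []byte) error {
	if !bytes.Equal(Digest5(token, payment), digest) {
		return errors.New("digest mismatch")
	}
	want, ok := a.issued[userID]
	if !ok || !hmac.Equal([]byte(want), []byte(token)) {
		return errors.New("token rejected")
	}
	delete(a.issued, userID)
	return nil
}

// CardManager models the prepaid card management device: it pays only when the
// authentication result it received is a success, then answers the POS terminal.
type CardManager struct{ balance map[string]int }

func (c *CardManager) Pay(card string, amount int, authResult error) (int, error) {
	if authResult != nil {
		return c.balance[card], authResult
	}
	if c.balance[card] < amount {
		return c.balance[card], errors.New("insufficient balance")
	}
	c.balance[card] -= amount
	return c.balance[card], nil
}

func main() { // constructed data: seed registered for alice, card balance 5000
	srv := NewAuthServer()
	srv.seeds["alice"] = []byte("constructed-seed-registered-for-alice")
	cm := &CardManager{balance: map[string]int{"CARD-0002": 5000}}
	tok, _ := srv.IssueToken("alice", time.Now())
	payment := "card=CARD-0002;amount=1250"
	fmt.Println(cm.Pay("CARD-0002", 1250, srv.VerifyToken("alice", tok, payment, Digest5(tok, payment)))) // 3750 <nil>
	fmt.Println(cm.Pay("CARD-0002", 1250, srv.VerifyToken("alice", tok, payment, Digest5(tok, payment)))) // 3750 token rejected
}
```

The second call in main presents the same token again and is refused: VerifyToken deleted the outstanding entry on the first success, which is the de-registration described above, and the prepaid card management device therefore leaves the balance unchanged because it pays only on a successful authentication result. The digest comparison is the fifth-versus-sixth digest check of step S6; the token comparison uses hmac.Equal so that its running time does not depend on how many leading bytes of the presented token are correct.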
In summary, the invention provides an identity-authentication-based prepaid card online payment system and method in which identity authentication modules are placed in the client and in the management server platform to authenticate identities during payment, and NFC modules are placed in the client and in the payment management device to exchange information between them, which improves the security of the system and extends its range of application.
The specific embodiment of the invention has been described in detail above, but the invention is not restricted to that embodiment, which serves only as an example. Any equivalent modification or substitution of the system made by a person skilled in the art also falls within the scope of the invention. Equivalent transformations and modifications that do not depart from the spirit and scope of the invention are therefore all within its scope.

Claims (8)

  1. An identity-authentication-based prepaid card online payment system, characterised in that it comprises:
    a client, a payment management device, and a management service platform;
    the client contains a first identity authentication module and a first NFC module, obtains token information through the first identity authentication module, and sends payment information and the token information to the payment management device through the first NFC module;
    the payment management device contains a second NFC module, receives the information sent by the client through the second NFC module, and sends the payment information and the token information to the management service platform so that the payment information is responded to;
    the management service platform contains a second identity authentication module for generating and authenticating the token information, and manages and authenticates user information and prepaid card information through the second identity authentication module; the user information includes identification information that uniquely identifies the user;
    before the system performs a payment operation, the first identity authentication module in the client and the second identity authentication module in the management service platform complete mutual authentication of the client and the management service platform on the basis of the user information, using the SOTP algorithm, and each forms the same session key for the information exchange between the client and the management service platform; the SOTP algorithm is realised in a registration stage, an authentication stage and a session stage;
    in the registration stage, the client registers with the management service platform using the identification information that uniquely identifies the user together with user password information, completing the initialisation of the user;
    in the authentication stage, the client encrypts the current time and the user password information to obtain first encryption information, and sends the first encryption information and the user's identification information to the management service platform; the management service platform decrypts the first encryption information to obtain the current time obtained by the client, and compares it with the current time obtained by the management service platform, completing the authentication of the client by the management service platform; the management service platform obtains from the first encryption information the encrypted current time obtained by the client, generates a session key from that encrypted current time, and sends the session key to the client; the management service platform also encrypts the current time it obtained itself and sends it to the client; the client decrypts the received encrypted current time of the management service platform, obtains the current time obtained by the management service platform, and compares it with the current time the client obtained earlier, completing the authentication of the management service platform by the client;
    in the session stage, after the client and the management service platform have obtained the same session key, the data packets of each dialogue between the management service platform and the client are protected with the session key.
  2. The identity-authentication-based prepaid card online payment system of claim 1, characterised in that the management service platform comprises a management server, an authentication server, and a prepaid card management device;
    the management server contains the second identity authentication module, receives the user information and the prepaid card information sent by the client, and sends them respectively to the authentication server and the prepaid card management device;
    the authentication server generates the token information before the system makes a payment, and authenticates the user information and the token information during the payment;
    the prepaid card management device manages and authenticates the prepaid card information.
  3. The identity-authentication-based prepaid card online payment system of claim 2, characterised in that the payment management device comprises a POS terminal, and the POS terminal comprises an NFC reader.
  4. An identity-authentication-based prepaid card online payment method, applied to the identity-authentication-based prepaid card online payment system of any one of claims 2 to 3, characterised in that it comprises:
    S1: based on the user information obtained by the client, the client and the authentication server achieve mutual authentication using the SOTP algorithm and each form the same session key, for the information exchange between the client and the authentication server;
    S2: the authentication server authenticates the legitimacy of the prepaid card information, and the prepaid card management device authenticates the correctness of the prepaid card information;
    S3: the authentication server responds to the client's request by generating the corresponding token information;
    S4: the payment management device sends a payment request to the client;
    S5: the client sends the payment information and the token information to the authentication server via the payment management device and the prepaid card management device;
    S6: the authentication server authenticates the token information and sends the authentication result and the payment request to the prepaid card management device;
    S7: the prepaid card management device completes the payment operation and sends the payment response to the payment management device.
  5. The identity-authentication-based prepaid card online payment method of claim 4, characterised in that in step S2, the authentication server authenticating the legitimacy of the prepaid card information and the prepaid card management device authenticating the correctness of the prepaid card information specifically comprise:
    the client encrypts the prepaid card information with the session key to form first encryption information, extracts a first digest from the prepaid card information, and sends the first encryption information and the first digest together to the management server;
    the management server sends the received first encryption information and first digest to the authentication server;
    the authentication server decrypts the first encryption information with the session key it generated to obtain the prepaid card information, computes a second digest of the prepaid card information, and compares the second digest with the received first digest, thereby authenticating the legitimacy of the prepaid card information; finally it sends the received prepaid card information and the user information together to the prepaid card management device;
    the prepaid card management device looks up the matching user preset in the device from the received user information, and compares the received prepaid card information with the prepaid card information held for that user, thereby authenticating the correctness of the prepaid card information.
  6. The identity-authentication-based prepaid card online payment method of claim 4, characterised in that in step S3, the authentication server responding to the client's request by generating the corresponding token information specifically comprises:
    the client encrypts the token request information with the session key to form second encryption information, extracts a third digest from the token request information, and sends the second encryption information and the third digest together to the management server;
    the management server sends the received second encryption information and third digest to the authentication server;
    the authentication server decrypts the second encryption information with the session key it generated to obtain the token request information, computes a fourth digest of the token request information, and compares the computed fourth digest with the received third digest, thereby authenticating the legitimacy of the token request information; finally it generates the corresponding token information in response to the client's token request.
  7. The identity-authentication-based prepaid card online payment method of claim 6, characterised in that in step S6, the authentication server authenticating the token information and sending the authentication result and the payment request to the prepaid card management device specifically comprises:
    the payment management device sends a payment request to the client;
    the client encrypts the token information and the payment information with the session key to form third encryption information, extracts a fifth digest from the token information and the payment information, and sends the third encryption information and the fifth digest to the payment management device;
    the payment management device sends the third encryption information and the fifth digest to the prepaid card management device;
    the prepaid card management device sends the received third encryption information and fifth digest to the authentication server;
    the authentication server decrypts the third encryption information with the session key it generated to obtain the token information and the payment information, computes a sixth digest, and compares the sixth digest with the received fifth digest, thereby authenticating the legitimacy of the token request information; finally it compares the received token information with the token information it generated itself, completing the comparison of the token information.
  8. The identity-authentication-based prepaid card online payment method of claim 4, characterised in that in step S7, the prepaid card management device completing the payment operation and sending the payment response to the payment management device specifically comprises:
    after the token information authentication succeeds, sending the authentication result and the payment information to the prepaid card management device;
    after the prepaid card management device receives the authentication result and the payment information, it makes the payment response according to the received payment information and sends the payment response to the payment management device, completing the payment operation of the prepaid card online payment system.
CN201410531823.7A 2014-10-11 2014-10-11 The online payment system of prepaid card and its method of payment of identity-based certification Active CN104240074B (en)

Publications (2)

Publication Number Publication Date
CN104240074A CN104240074A (en) 2014-12-24
CN104240074B true CN104240074B (en) 2018-02-13


Address before: 201203 Shanghai City, Pudong New Area, Zhangjiang Hi-Tech Park, Zuchongzhi Road No. 899, Building 9, room 01 4

Applicant before: Shanghai everybody Science and Technology Ltd.

GR01 Patent grant