CN104702580B - Multi-communication-channel authentication and authorization platform system and method - Google Patents


Info

Publication number: CN104702580B
Authority: CN (China)
Prior art keywords: token, code, software, authorization terminal, authentication
Legal status: Active
Application number: CN201310665028.2A
Other languages: Chinese (zh)
Other versions: CN104702580A (en)
Inventors: 程伟强, 梁达光
Current assignee: Singapore i-Sprint Technology Co.,Ltd.
Original assignee: BEIJING ANXUNBEN SCIENCE & TECHNOLOGY Co Ltd
Application filed by BEIJING ANXUNBEN SCIENCE & TECHNOLOGY Co Ltd
Priority: CN201310665028.2A (this application); related application TW201524177A
Publications: CN104702580A (application), CN104702580B (granted patent)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority
    • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos


Abstract

The invention discloses a multi-communication-channel authentication and authorization platform system and method. The system includes a token generation server STPM, a registration server TIM, an authentication server TAM and an authorization terminal TAD. The token generation server STPM generates a token combination and supplies it to the registration server; the registration server feeds the token combination back to the authorization terminal and to the authentication server over separate channels; when the authentication server receives an authorization-authentication request from the authorization terminal, it performs the authentication and authorization. The system is secure, convenient, easy to operate and low in cost, and effectively prevents various malicious attacks during the network authentication and authorization process.

Description

Multi-communication-channel authentication and authorization platform system and method
Technical field
The present invention relates to the technical field of network security, and in particular to a multi-communication-channel authentication and authorization platform system and method.
Background art
In a digital certificate authorization process, a program generates electronic data which the user reads through one or more access channels, such as the user's computer, telephone, IVR (Interactive Voice Response) or kiosk. Only after the user's information has been authenticated and authorized can these access channels be used to obtain the generated electronic data. For electronic data of higher confidentiality, the user's electronic transaction may be required to carry a digital signature during the authentication and authorization process, to ensure the authenticity and reliability of the transaction. For example, in a signature-based solution the user employs a single device platform, such as a computer or a kiosk, to submit the request to the authentication and authorization platform and to produce the signature.
Other secure authentication and authorization signature solutions produce the first authentication code on a separate device. For example, a user initiates a request to an authentication and authorization platform over a network connection; in response, the platform program sends information back over the network connection to the user's computer. After receiving the information, the user enters part of the required information into the signing device (a device not connected to the server or the computer) to produce an electronic signature; the user then types the electronic signature into the computer and submits it to the authentication and authorization platform to complete the signing process.
For other authentication and authorization processes that are manual or telephone-based, an electronic signature cannot be realized with the conventional method described above.
Conventional authentication and authorization solutions, including electronic signature solutions, have the following shortcomings:
1) For manual authentication and authorization at a counter, by written instruction or by telephone, electronic authentication and authorization solutions, including signing-device solutions, cannot be used.
2) For a single device platform, where the request to the authentication and authorization platform is submitted and the signature is produced on the same device, the process is vulnerable to malware and man-in-the-middle (MitM) attacks, and the data can be altered to commit fraud.
3) Non-networked signing devices provide a more secure authentication and authorization solution, but they support only a single service provider and usually require the user to type important data manually into the client. This process is error-prone; the amount of data that can be signed is limited, and the data that may be signed may also be restricted. In addition, such signing devices are relatively expensive across their whole life cycle: manufacture, purchase, distribution and revocation. Furthermore, if the authentication and authorization involves one or more authentication and authorization authorities, the process becomes complex and takes more time.
Summary of the invention
In view of the defects and deficiencies of the prior art, it is necessary to provide a multi-communication-channel authentication and authorization platform system and method that is secure, convenient and easy to operate, has low cost, and effectively prevents various malicious attacks in the network authentication and authorization process.
To achieve the object of the invention, a multi-communication-channel authentication and authorization platform system is provided, comprising a token generation server STPM, a registration server TIM, an authentication server TAM and an authorization terminal TAD;
wherein:
the token generation server generates a token combination when the registration server sends it a registration request, and supplies the token combination to the registration server;
the registration server, when it receives a registration request from a user's authorization terminal over one or more access communication channels, requests the token combination from the token generation server according to the registration request; after obtaining the token combination, it associates the token combination with the authorization terminal information; it then feeds the token combination, the encryption/decryption software and the authentication-code format generation software back to the user's authorization terminal over the one or more access channels, and at the same time sends the token combination together with the corresponding authorization terminal information, the encryption/decryption software and the authentication-code format generation software to the authentication server over another access channel different from the one or more access channels;
the authentication server, after obtaining the token combination and the corresponding authorization terminal information, when it receives an authorization-authentication request from the authorization terminal, generates a first password from the token combination and the corresponding authorization device information; then, according to the second authentication code sent by the authorization terminal, it either uses the encryption/decryption software and the authentication-code format generation software to convert the first password into a first authentication code of the same format as the second authentication code and compares the two codes, or uses the encryption/decryption software and the authentication-code format generation software to parse the second authentication code sent by the authorization terminal, obtains the second password sent by the authorization terminal and compares it with the first password; it then authenticates and authorizes according to the result of the comparison;
the authorization terminal, after receiving the token combination, when authentication and authorization is required, generates a second password from the token combination and the corresponding authorization device information, converts the second password into a second authentication code using the encryption/decryption software and the authentication-code format generation software, and sends it to the authentication server for authentication and authorization.
In one embodiment, the authorization terminal information is personalized sound, image or fingerprint data entered by the user through the authorization terminal.
In one embodiment, the authorization terminal information may also include a unique device identification number of the authorization terminal.
In one embodiment, the access channel is an Internet/telephone network, a telephone IVR network using touch-tone and/or voice commands, a message-based system, an e-mail system, a kiosk, or a paper document sent by image scanning or by fax.
In one embodiment, the token combination includes any combination of one or more of the following data:
A1) a digital certificate containing two key pairs: one for signing and one for encryption;
A2) a data-signing token seed file containing a unique token serial number;
A3) OTP token generation software containing a unique token serial number.
In one embodiment, the authentication server is equipped with a loudspeaker, microphone, camera and/or fingerprint scanner, and can read or generate the first authentication code in the corresponding format.
In one embodiment, the first authentication code is a code in one or more of the following forms: sound code, image code, fingerprint code or two-dimensional (QR) code.
In one embodiment, the authorization terminal is a handheld device, a mobile phone or a tablet computer;
the authorization terminal is equipped with a loudspeaker, microphone, camera and/or fingerprint scanner, and can read or generate the second authentication code in the corresponding format.
In one embodiment, the second authentication code is a code in one or more of the following forms: sound code, image code, fingerprint code or two-dimensional (QR) code.
In one embodiment, the data-signing token seed file containing the unique token serial number generates the corresponding first password or second password from the authorization terminal information.
In one embodiment, the token combination with the corresponding authorization terminal information, the encryption/decryption software and the authentication-code format generation software are encrypted with the RSA algorithm or the AES algorithm when the registration server sends them to the authentication server and the authorization terminal.
In one embodiment, the encryption key of the RSA or AES algorithm is stored in a tamper-resistant device.
In one embodiment, the encryption is RSA encryption with a private key, and/or the token combination is further encrypted under AES using the service provider's public key and a randomly generated activation PIN.
In one embodiment, the registration server also generates a URL for downloading the token combination, the encryption/decryption software and the authentication-code format generation software, from which the user's authorization terminal (TAD) downloads them.
To achieve the object of the invention, a multi-communication-channel authentication and authorization method is also provided, comprising the following steps:
Step S100: when the registration server receives a registration request from a user's authorization terminal over one or more access communication channels, it requests the token combination from the token generation server according to the registration request;
Step S200: after receiving the request from the registration server, the token generation server generates a token combination and returns it to the registration server;
Step S300: after obtaining the token combination, the registration server associates it with the authorization terminal information; it then feeds the token combination, the encryption/decryption software and the authentication-code format generation software back to the user's authorization terminal over the one or more access channels, and at the same time sends the token combination together with the corresponding authorization terminal information, the encryption/decryption software and the authentication-code format generation software to the authentication server over another access channel different from the one or more access channels;
Step S400: the authorization terminal initiates an authentication and authorization request to the authentication server, and the authentication server responds;
Step S500: after the authentication server has responded, the authorization terminal generates a second password from the token combination and the corresponding authorization device information, converts the second password into a second authentication code using the encryption/decryption software and the authentication-code format generation software, and sends it to the authentication server for authentication and authorization;
Step S600: after the authentication server has responded, it generates a first password from the token combination and the corresponding authorization device information; then, according to the second authentication code sent by the authorization terminal, it either uses the encryption/decryption software and the authentication-code format generation software to convert the first password into a first authentication code of the same format as the second authentication code and compares the two codes, or uses the encryption/decryption software and the authentication-code format generation software to parse the second authentication code sent by the authorization terminal, obtains the second password sent by the authorization terminal and compares it with the first password; it then authenticates and authorizes according to the result of the comparison.
In one embodiment, the authentication-code format generation software generates a graphic, light-code, sound-code or voice format.
In one embodiment, step S300 further comprises the following step:
Step S310: after receiving the token components, the encryption software and the authentication-code format generation software fed back by the registration server, the authorization terminal decrypts the URL information with a preset decryption key and requires the user to enter the token activation password in order to install the security token combination, the encryption software and the format generation software.
In one embodiment, the encryption is as follows:
using the AES algorithm or the RSA algorithm, the URL information, the token components, the encryption software and the format generation software are encrypted with a key preset between the token generation server and the authorization terminal.
In one embodiment, step S300 further comprises the following step:
Step S320: after installation of the token components is complete, the authorization terminal requires the user to enter the dynamic password generated and displayed by the dynamic security token software, and then verifies the dynamic password.
In one embodiment, the authorization terminal information is personalized sound, image or fingerprint data entered by the user through the authorization terminal.
In one embodiment, the authorization terminal information also includes the unique device identifier of the authorization terminal.
In one embodiment, the access channel is an Internet/telephone network, a telephone IVR network using touch-tone and/or voice commands, a message-based system, an e-mail system, a kiosk, or a paper document sent by image scanning or by fax.
In one embodiment, the token combination includes any combination of one or more of the following data:
A1) a digital certificate containing two key pairs: one for signing and one for encryption;
A2) a data-signing token seed file containing a unique token serial number;
A3) OTP token generation software containing a unique token serial number.
In one embodiment, the first authentication code is a code in one or more of the following forms: sound code, image code, fingerprint code or two-dimensional (QR) code.
In one embodiment, the second authentication code is a code in one or more of the following forms: sound code, image code, fingerprint code or two-dimensional (QR) code.
Beneficial effects of the present invention: the multi-communication-channel authentication and authorization platform system and method of the present invention perform authentication and authorization across multiple communication channels, providing end-to-end protection of the integrity of the authentication and authorization information; the verification and comparison of the information can be carried out in a tamper-resistant environment; and by using passwords and transaction-signature data based on user verification, malware, real-time network phishing and man-in-the-middle (MitM) attacks are prevented. The system is secure, convenient, easy to operate and low in cost, and effectively prevents various malicious attacks in the network authentication and authorization process. Furthermore, it supports authentication and authorization between multiple service providers over one or more communication channels and across multiple authentication and authorization platforms.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of the multi-communication-channel authentication and authorization platform system of an embodiment of the present invention;
Fig. 2 is a flow chart of the multi-communication-channel authentication and authorization method of an embodiment of the present invention.
Detailed description of the embodiments
In order to make the object, technical solution and advantages of the multi-communication-channel authentication and authorization platform system and method of the present invention clearer, the system and method are further described below with reference to the specific drawings and embodiments.
One embodiment of the multi-communication-channel authentication and authorization platform system of the present invention is shown in Fig. 1.
As shown in Fig. 1, the multi-communication-channel authentication and authorization platform system (Authentication and Authorization Platform, AAP) of the embodiment includes a token generation server (Security Token Provisioning Module, STPM) 100, a registration server (Transaction Initiation Module, TIM) 200, an authentication server (Transaction Authorization Module, TAM) 300 and an authorization terminal (Transaction Authorization Device, TAD) 400.
The token generation server (STPM) 100 is a full-life-cycle processing module that handles the authentication and authorization, and the release of authentication and authorization, of one or more security tokens of the authorization terminal (TAD); when the registration server sends it a registration request, it generates a token combination and supplies it to the registration server.
The registration server (TIM) 200 provides a programmatic interface supporting one or more access communication channels, so that the user can obtain the token combination used for authentication and authorization and start the authentication and authorization. When it receives a registration request from the user's authorization terminal (TAD) over one or more access communication channels, it requests the token combination from the token generation server (STPM) according to the registration request; after obtaining the token combination, it associates the token combination with the authorization terminal information; it then feeds the token combination, the encryption/decryption software and the authentication-code format generation software back to the user's authorization terminal (TAD) over the one or more access channels, and at the same time sends the token combination together with the corresponding authorization terminal information, the encryption/decryption software and the authentication-code format generation software to the authentication server (TAM) over another access channel different from the one or more access channels.
The encryption/decryption software and the authentication-code format generation software are known existing encryption/decryption software and known authentication-code format generation software preset in the registration server; they are prior art and are therefore not described in detail in the embodiments of the present invention.
The authorization terminal information may be personalized sound, image (such as a scanned personal picture or signature) or fingerprint data entered by the user through the authorization terminal (TAD); the user may change this information periodically on the authorization terminal and notify the authentication server through an access channel.
As an embodiment, the authorization terminal information may also include the unique device identifier (Unique Device Identification Number, UDIN) of the authorization terminal (TAD).
As an embodiment, the unique device identifier is obtained by reading the UUID (Universally Unique Identifier) of the user's authorization terminal (TAD).
The access channels include but are not limited to an Internet/telephone network, a telephone IVR network using touch-tone and/or voice commands, message-based systems (including short message systems), e-mail systems, kiosks, and paper documents sent by image scanning or by fax.
The token combination includes but is not limited to any combination of one or more of the following data:
A1) a digital certificate containing two key pairs: one for signing and one for encryption;
A2) a data-signing token seed file containing a unique token serial number;
A3) OTP (One-time Password, dynamic password) token generation software containing a unique token serial number.
The authentication server (TAM) 300 is given its authentication and authorization functions through application programming interfaces (APIs). After obtaining the token combination and the corresponding authorization terminal information, when it receives an authorization-authentication request from the authorization terminal, it generates a first password from the token combination and the corresponding authorization device information; then, according to the second authentication code sent by the authorization terminal, it either uses the encryption/decryption software and the authentication-code format generation software to convert the first password into a first authentication code of the same format as the second authentication code and compares the two codes, or uses the encryption/decryption software and the authentication-code format generation software to parse the second authentication code sent by the authorization terminal, obtains the second password sent by the authorization terminal and compares it with the first password; it then authenticates and authorizes according to the result of the comparison.
Parsing the second authentication code with the encryption/decryption software and the authentication-code format generation software to obtain the second password is prior art and is therefore not described in detail in the embodiments of the present invention.
The authentication server (TAM) 300 is equipped with computer-like functional devices such as a loudspeaker, microphone, camera and fingerprint scanner, and can read or generate the first authentication code in the corresponding format, for example a code in one or more of the forms sound code, image code, fingerprint code or two-dimensional (QR) code.
The authorization terminal (TAD) 400 is a computing device which, after receiving the token combination, when authentication and authorization is required, generates a second password from the token combination and the corresponding authorization device information, converts the second password into a second authentication code using the encryption/decryption software and the authentication-code format generation software, and sends it to the authentication server (TAM) for authentication and authorization.
The authorization terminal (TAD) 400 may be, for example, a handheld device, a mobile phone, a tablet computer or a similar device; all of these devices are equipped with computer-like functional devices such as a loudspeaker, microphone, camera and fingerprint scanner, and can read or generate the second authentication code in the corresponding format, for example a code in one or more of the forms sound code, image code, fingerprint code or two-dimensional (QR) code.
The data-signing token seed file containing the unique token serial number can generate the corresponding first password or second password from the authorization terminal information.
As an embodiment, the token combination with the corresponding authorization terminal (TAD) information, the encryption/decryption software and the authentication-code format generation software are encrypted with the RSA algorithm or the AES algorithm when the registration server sends them to the authentication server and the authorization terminal, and the encryption key is stored in a tamper-resistant device (such as a FIPS 140-certified device) to ensure its security.
As an embodiment, the encryption is RSA encryption with a private key, and/or the token combination is further encrypted under AES using the service provider's public key and a randomly generated activation PIN; the registration server then generates a URL (Uniform Resource Locator, also called a web address) for downloading the token combination, from which the user's authorization terminal (TAD) downloads it.
In the multi-communication-channel authentication and authorization platform system (AAP) of the embodiment, an authorized user uses the token generation server (STPM) to personalize and provision one or more security token combinations carrying identity to his or her own authorization terminal (TAD); the authorization terminal (TAD) is associated with the service provider that performs the authentication and authorization, and the user can apply for a security token through the service provider's registration server (TIM).
As an embodiment, authentication and authorization in the multi-communication-channel authentication and authorization platform system may involve the authorization terminals of one or more users using different authorization terminals (TADs), and before each authorization terminal takes part in the authorization process, its authorization terminal (TAD) must obtain the approval of the token generation server (STPM).
From one access communication channel, for example a desktop web browser, telephone, IVR or kiosk, the authorization terminal (TAD) submits a security token application request over that communication channel to the registration server (TIM); the registration server forwards the security token application request to the token generation server (STPM) and requests generation of a token combination.
The present invention also provides a multi-communication-channel authentication and authorization method which, as shown in Fig. 2, comprises the following steps:
Step S100: when the user's authorization terminal (TAD), connected through one or more access communication channels, sends a registration request to the registration server (TIM), the registration server requests the token combination from the token generation server (STPM) according to the registration request;
Step S200: after the token generation server (STPM) receives the request from the registration server, it generates a token combination and returns the token combination to the registration server.
Step S300: after obtaining the token combination, the registration server (TIM) associates the token combination with the authorization terminal information; it then feeds the token combination, the encryption/decryption software and the authentication code format generation software back to the user's authorization terminal (TAD) through the one or more access channels; at the same time it sends the token combination with the corresponding authorization terminal information, the encryption/decryption software and the authentication code format generation software to the authentication server (TAM) through another access channel different from the one or more access channels.
Step S400: the authorization terminal (TAD) initiates an authentication and authorization request to the authentication server (TAM), and the authentication server (TAM) responds;
Step S500: after the authentication server responds, the authorization terminal uses the token combination to generate a second password according to the corresponding authorization device information, converts the second password into a second authentication code using the encryption/decryption software and the authentication code format generation software, and sends it to the authentication server (TAM) for authentication and authorization.
Step S600: after the authentication server responds, the authentication server uses the token combination and the corresponding authorization device information to generate a first password; then, according to the second authentication code sent by the authorization terminal, it either uses the encryption/decryption software and the authentication code format generation software to convert the first password into a first authentication code of the same format as the second authentication code and compares the two codes, or uses the encryption/decryption software and the authentication code format generation software to parse the second authentication code sent by the authorization terminal, obtains the second password sent by the authorization terminal and compares it with the first password; authentication and authorization are then granted or refused according to the comparison result.
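The following Go program is an added illustration of steps S500 and S600 and is not code from the patent: both sides derive the password from the token combination and the authorization terminal information (HMAC-SHA256 over a constructed encoding with a counter is an assumption, since the patent does not fix the algorithm), the TAD renders it in a constructed "sound code" format, and the TAM checks it either by regenerating the code in the same format or by parsing the code back to the password. All type names, formats and sample values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// TokenCombination models the token combination generated by the STPM
// (constructed fields): seed file identifier, unique token serial number
// (UTSN) and the seed itself.
type TokenCombination struct {
	SeedFileID string
	UTSN       string
	Seed       []byte
}

// TerminalInfo is the authorization terminal information: the UDIN plus
// the personalised data the user entered (e.g. a fingerprint template).
type TerminalInfo struct {
	UDIN         string
	Personalised []byte
}

// derivePassword computes the first password (TAM side) or second password
// (TAD side): HMAC-SHA256 keyed by the token seed over the terminal
// information and a counter. Both sides need the same token combination
// and the same terminal information to obtain the same value.
func derivePassword(tok TokenCombination, info TerminalInfo, counter uint64) string {
	mac := hmac.New(sha256.New, tok.Seed)
	fmt.Fprintf(mac, "%s|%s|%x|%d", tok.UTSN, info.UDIN, info.Personalised, counter)
	sum := mac.Sum(nil)
	// Truncated to 8 hex digits so it is short enough to render as a
	// sound or graphic code (length is an assumption).
	return hex.EncodeToString(sum[:4])
}

// toAuthCode stands in for the authentication code format generation
// software: the constructed "sound" format maps each digit to a tone label.
func toAuthCode(format, password string) string {
	switch format {
	case "sound":
		var b strings.Builder
		for _, c := range password {
			fmt.Fprintf(&b, "T%c.", c)
		}
		return "SND:" + strings.TrimSuffix(b.String(), ".")
	default:
		return "RAW:" + password
	}
}

// parseAuthCode inverts toAuthCode (the second verification strategy of S600).
func parseAuthCode(code string) (format, password string, ok bool) {
	switch {
	case strings.HasPrefix(code, "SND:"):
		var b strings.Builder
		for _, tone := range strings.Split(strings.TrimPrefix(code, "SND:"), ".") {
			if len(tone) != 2 || tone[0] != 'T' {
				return "", "", false
			}
			b.WriteByte(tone[1])
		}
		return "sound", b.String(), true
	case strings.HasPrefix(code, "RAW:"):
		return "raw", strings.TrimPrefix(code, "RAW:"), true
	}
	return "", "", false
}

// tamVerify is the S600 check. byRegeneration=true: the TAM renders its own
// first password in the received format and compares codes; false: it parses
// the received code back to the second password and compares passwords.
// Comparisons are constant-time so the check leaks nothing about the value.
func tamVerify(tok TokenCombination, info TerminalInfo, counter uint64, secondCode string, byRegeneration bool) bool {
	first := derivePassword(tok, info, counter)
	format, second, ok := parseAuthCode(secondCode)
	if !ok {
		return false
	}
	if byRegeneration {
		return hmac.Equal([]byte(toAuthCode(format, first)), []byte(secondCode))
	}
	return hmac.Equal([]byte(first), []byte(second))
}

// Constructed sample values for a stand-alone run.
var (
	sampleToken = TokenCombination{SeedFileID: "seed-0001", UTSN: "UTSN-000123", Seed: []byte("constructed-seed-material")}
	sampleInfo  = TerminalInfo{UDIN: "UDIN-ABC", Personalised: []byte{0x01, 0x02, 0x03}}
)

func main() {
	// TAD side (S500): derive the second password and render it as a sound code.
	code := toAuthCode("sound", derivePassword(sampleToken, sampleInfo, 7))
	// TAM side (S600): both strategies accept the genuine code ...
	fmt.Println(code, tamVerify(sampleToken, sampleInfo, 7, code, true), tamVerify(sampleToken, sampleInfo, 7, code, false))
	// ... and reject a code bound to different terminal information.
	other := TerminalInfo{UDIN: "UDIN-XYZ", Personalised: sampleInfo.Personalised}
	fmt.Println(tamVerify(sampleToken, other, 7, code, true))
}
```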
Using a known token generation algorithm, the token generation server generates a seed file and the unique identifier of that seed file in the token, and adds encrypted data to form the token combination.
After generating the token component, the token generation server (STPM) returns the following to the registration server (TIM): the token component, the encryption/decryption software and the authentication code format generation software.
The authentication code format generation software includes, but is not limited to, graphic (such as QR code or barcode), light code (such as optical frequency), sound code (such as audio tone) or speech format generation software. The format generation software converts the first password or second password generated by the authorization terminal (TAD) or the authentication server (TAM) into the first authentication code or second authentication code in the form specified by the user through the authorization device.
After the authorization terminal (TAD) receives the token component, the encryption software and the authentication code format generation software fed back by the registration server, it decrypts the URL information on the authorization terminal (TAD) using the preset decryption key and requires the user to enter the token activation password (provided in advance by the authentication server) in order to install the security token combination, the encryption software and the format generation software.
As one embodiment, the AES algorithm or the RSA algorithm may be used to encrypt the URL information, the token component, the encryption software and the format generation software according to a key preset between the token generation server (STPM) and the authorization terminal (TAD).
As one embodiment, the token activation password of the present invention is sent to the authorization terminal (TAD) through a predefined and pre-registered Internet channel (such as e-mail, SMS or a voice call through IVR).
After the user enters the token activation password, the authorization terminal (TAD) downloads the encrypted token component, verifies the integrity of the information in the token component, decrypts the content and installs the token component, the encryption software and the format generation software.
As one embodiment, after installation of the token component is completed, the authorization terminal (TAD) may require the user to enter the dynamic password (OTP) generated and displayed by the security token, and then verify that dynamic password (OTP) to ensure that the security token component functions normally.
The authorization terminal (TAD) performs device-to-device authentication and authorization from one or more access channels (for example a desktop web browser, telephone IVR, kiosk, etc.); the access channel is connected to the authentication server (TAM) through a communication channel. The access channel is a secure connection that the authentication server (TAM) has authenticated in advance, such as a connection authenticated and authorized by the signing device.
The authorization terminal (TAD) sends the first authentication code to the authentication server (TAM).
The first authentication code may be an encrypted graphic (such as a QR code or barcode), light code (such as optical frequency), sound code (such as audio tone) or speech data generated by the format generation software from the first password.
As one embodiment, the transmitted first authentication code is encrypted with AES (Advanced Encryption Standard, also known as the Rijndael cipher) using a combination of multiple encryption keys. These keys are combined with the unique device identifier (Unique Device Identification Number, UDIN) of the authorization terminal (TAD) and the unique token serial number (Unique Token Serial Number, UTSN). RSA encryption with the service provider's private key is then applied on top, giving a doubly encrypted result.
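An added illustration (not the patent's code) of the two-layer protection described above for the transmitted authentication code: the AES key is derived by combining key material with the UDIN and UTSN (HMAC-SHA256 as the combiner is an assumption), the code is encrypted with AES-GCM with the UDIN and UTSN bound as additional data, and the "RSA encryption with the service provider's private key" is realised as an RSA signature over the ciphertext, which is the operation a private key actually provides. All names and sample values are constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the authorization terminal transmits: the AES-GCM output
// for the first authentication code plus the service provider's RSA signature
// over nonce||ciphertext (the outer layer).
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

// newProviderKey generates the service provider's RSA key (constructed; in
// deployment it lives in the tamper-resistant device the patent mentions).
func newProviderKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// wrappingKey combines shared key material with the UDIN and UTSN so the AES
// key is bound to one device and one token (assumed combiner: HMAC-SHA256).
func wrappingKey(material []byte, udin, utsn string) []byte {
	mac := hmac.New(sha256.New, material)
	mac.Write([]byte(udin + "|" + utsn))
	return mac.Sum(nil) // 32 bytes, i.e. AES-256
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// outerDigest is what the RSA layer signs: the nonce and ciphertext together.
func outerDigest(nonce, ct []byte) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write(ct)
	return h.Sum(nil)
}

// wrapAuthCode applies the inner AES layer, then the private-key RSA layer.
func wrapAuthCode(code, material []byte, udin, utsn string, priv *rsa.PrivateKey) (Envelope, error) {
	gcm, err := newGCM(wrappingKey(material, udin, utsn))
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	// UDIN|UTSN is authenticated as additional data, so the ciphertext cannot
	// be presented under another device or token identity.
	ct := gcm.Seal(nil, nonce, code, []byte(udin+"|"+utsn))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, outerDigest(nonce, ct))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// unwrapAuthCode is the authentication server side: check the outer RSA layer
// first, then remove the AES layer; any tampering or wrong identity fails closed.
func unwrapAuthCode(env Envelope, material []byte, udin, utsn string, pub *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, outerDigest(env.Nonce, env.Ciphertext), env.Signature); err != nil {
		return nil, errors.New("outer RSA layer rejected")
	}
	gcm, err := newGCM(wrappingKey(material, udin, utsn))
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	code, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(udin+"|"+utsn))
	if err != nil {
		return nil, errors.New("inner AES layer rejected")
	}
	return code, nil
}

func main() {
	priv, err := newProviderKey()
	if err != nil {
		panic(err)
	}
	material := []byte("constructed-key-material")
	env, err := wrapAuthCode([]byte("SND:T0.Ta.T1.Tb"), material, "UDIN-ABC", "UTSN-000123", priv)
	if err != nil {
		panic(err)
	}
	code, err := unwrapAuthCode(env, material, "UDIN-ABC", "UTSN-000123", &priv.PublicKey)
	fmt.Printf("genuine: %s (err=%v)\n", code, err)
	_, err = unwrapAuthCode(env, material, "UDIN-XYZ", "UTSN-000123", &priv.PublicKey)
	fmt.Println("wrong UDIN:", err)
}
```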
As one embodiment, to ensure security, the encryption process is such that the encrypted data can be read only by:
1) the holder of the authorization terminal (TAD) that initiated the authentication and authorization;
2) the security component pre-installed on the authorization terminal (TAD) by the service provider.
After receiving the request, confirming the data and confirming the authorization data, the authentication server (TAM) can obtain the first authentication code in the following ways:
1) using the format generation software to scan the graphic, QR code or fingerprint data; or
2) using the default microphone to read the sound code or speech.
As one embodiment, before authentication and authorization are completed, the authentication server (TAM) decrypts the received encrypted first authentication code to obtain the decrypted first authentication code.
As one embodiment, when verifying data, the authorization terminal (TAD) uses fingerprint data to confirm the authentication and authorization and uses the authorization terminal (TAD) to create the first authentication code for that authentication and authorization. The signature is then submitted from the authorization terminal (TAD) to the authentication server (TAM) for authentication and authorization.
As one embodiment, the authorization device (TAD) can use its securely authenticated communication channel to detect whether it can connect to the authentication server (TAM). If the connection to the authentication server (TAM) fails, it switches to local mode, produces the first authentication code and delivers it through a communication interface (such as USB, Bluetooth or NFC), so that the first authentication code still reaches the authentication server (TAM) to confirm authentication and authorization.
The authentication server (TAM) verifies the first authentication code in a secure, tamper-resistant environment, such as an HSM (Hierarchical Storage Management) environment, so that the authentication and authorization take effect.
If the first authentication code is valid, the next level of authentication and authorization is awaited; if it is invalid, it is rejected and the authentication and authorization do not pass.
After authentication and authorization are completed, the authentication server (TAM) sends a confirmation to all authorization terminals (TAD) that requested authentication and authorization, completing the authentication and authorization.
After the authentication server (TAM) has verified all required authentications and authorizations from all authorization devices, it confirms that authentication and authorization are complete and sends a confirmation to the authorization terminals (TAD) of all requesting parties.
After receiving the confirmation response, the authorization terminal (TAD) decrypts all related data and displays the information to the user in clear text so that the user can perform the next operation.
Further, as one embodiment, the authentication server (TAM) records all authentication and authorization logs, and each authorization terminal (TAD) records the user's authentication and authorization records.
The multi-communication-channel authentication and authorization platform system (AAP) of the embodiment of the present invention provides basic platform security protection by generating signatures in a signing device independent of the registration server (TIM), and by authentication and authorization between the authorization terminal (TAD) and the authentication server (TAM). The registration module (TIM) uses the available network connection of a handheld computing device (for example a smartphone or tablet computer) and securely delivers data to the authorization terminal (TAD) in graphic, light or sound form. This minimises or eliminates usability problems, in particular those of entering information manually into a signing device. It also provides strong privacy protection and authentication, because the encrypted transaction data and signature are sent from the registration server (TIM) to the authorization terminal (TAD) in graphic, light or sound form.
The embodiments described above express only several embodiments of the present invention, and their description is relatively specific and detailed, but they cannot therefore be interpreted as limiting the scope of the claims of the present invention. It should be noted that a person of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the protection scope of the present invention. Therefore, the protection scope of the present patent shall be determined by the appended claims.

Claims (24)

1. A multi-communication-channel authentication and authorization platform system, characterised in that it comprises a token generation server STPM, a registration server TIM, an authentication server TAM and an authorization terminal TAD;
wherein:
the token generation server is configured to generate a token combination when the registration server sends a registration request to it, and to supply the token combination to the registration server;
the registration server is configured, when the authorization terminal of a user connected to it through one or more access communication channels sends a registration request, to request the token combination from the token generation server according to the registration request; after obtaining the token combination, to associate the token combination with the authorization terminal information; then to feed the token combination, the encryption/decryption software and the authentication code format generation software back to the user's authorization terminal through the one or more access channels; and at the same time to send the token combination with the corresponding authorization terminal information, the encryption/decryption software and the authentication code format generation software to the authentication server through another access channel different from the one or more access channels;
the authentication server is configured, after obtaining the token combination with the corresponding authorization terminal information and when a request for authorization authentication from the authorization terminal is received, to use the token combination and the corresponding authorization device information to generate a first password; and, according to the second authentication code sent by the authorization terminal, either to use the encryption/decryption software and the authentication code format generation software to convert the first password into a first authentication code of the same format as the second authentication code and compare them, or to use the encryption/decryption software and the authentication code format generation software to parse the second authentication code sent by the authorization terminal, obtain the second password sent by the authorization terminal and compare it with the first password, and to perform authentication and authorization according to the comparison result;
the authorization terminal is configured, after receiving the token combination and when authentication and authorization are required, to use the token combination to generate a second password according to the corresponding authorization device information, to convert the second password into a second authentication code using the encryption/decryption software and the authentication code format generation software, and to send it to the authentication server for authentication and authorization.
2. The multi-communication-channel authentication and authorization platform system according to claim 1, characterised in that the authorization terminal information is personalised sound, image or fingerprint data entered by the user through the authorization terminal.
3. The multi-communication-channel authentication and authorization platform system according to claim 2, characterised in that the authorization terminal information further includes the unique device identifier of the authorization terminal.
4. The multi-communication-channel authentication and authorization platform system according to claim 1, characterised in that the access channel is a network/telephone network, a telephone IVR network using touch-tone and/or voice commands, a message-based system, an e-mail system, a kiosk, or transmission by scanned paper image or fax.
5. The multi-communication-channel authentication and authorization platform system according to claim 1, characterised in that the token combination includes any combination of one or more of the following data:
A1) a digital certificate containing two key pairs: one for signing and one for encryption;
A2) a data signing token seed file containing the unique token serial number;
A3) OTP token generation software containing the unique token serial number.
6. The multi-communication-channel authentication and authorization platform system according to claim 1, characterised in that the authentication server is provided with a loudspeaker, microphone, camera and/or fingerprint scanner, and can read or generate a first authentication code of the corresponding format.
7. The multi-communication-channel authentication and authorization platform system according to claim 6, characterised in that the first authentication code is a code in one or more of the forms sound code, image code, fingerprint code or QR code.
8. The multi-communication-channel authentication and authorization platform system according to claim 1, characterised in that the authorization terminal is a handheld device, mobile phone or tablet computer;
the authorization terminal is provided with a loudspeaker, microphone, camera and/or fingerprint scanner, and can read or generate a second authentication code of the corresponding format.
9. The multi-communication-channel authentication and authorization platform system according to claim 8, characterised in that the second authentication code is a code in one or more of the forms sound code, image code, fingerprint code or QR code.
10. The multi-communication-channel authentication and authorization platform system according to claim 5, characterised in that the data signing token seed file containing the unique token serial number generates the corresponding first password or second password using the authorization terminal information.
11. The multi-communication-channel authentication and authorization platform system according to claim 1, characterised in that the token combination with the corresponding authorization terminal information, the encryption/decryption software and the authentication code format generation software are encrypted with the RSA algorithm or the AES algorithm when sent by the registration server to the authentication server and the authorization terminal.
12. The multi-communication-channel authentication and authorization platform system according to claim 11, characterised in that the encryption key of the RSA algorithm or AES algorithm is stored in a tamper-resistant device.
13. The multi-communication-channel authentication and authorization platform system according to claim 12, characterised in that the encryption is performed with the RSA encryption method using a private key, and/or the token combination is further encrypted using a randomly generated activation password that is AES-encrypted using the public key of the service provider.
14. The multi-communication-channel authentication and authorization platform system according to claim 13, characterised in that the registration server is further configured to generate a URL for downloading the token combination, the encryption/decryption software and the authentication code format generation software, which the user's authorization terminal downloads.
15. A multi-communication-channel authentication and authorization method, characterised in that it comprises the following steps:
Step S100: when the user's authorization terminal, connected through one or more access communication channels, sends a registration request to the registration server, the registration server requests the token combination from the token generation server according to the registration request;
Step S200: after the token generation server receives the request from the registration server, the token generation server generates a token combination and returns the token combination to the registration server;
Step S300: after obtaining the token combination, the registration server associates the token combination with the authorization terminal information; it then feeds the token combination, the encryption/decryption software and the authentication code format generation software back to the user's authorization terminal through the one or more access channels; at the same time it sends the token combination with the corresponding authorization terminal information, the encryption/decryption software and the authentication code format generation software to the authentication server through another access channel different from the one or more access channels;
Step S400: the authorization terminal initiates an authentication and authorization request to the authentication server, and the authentication server responds;
Step S500: after the authentication server responds, the authorization terminal uses the token combination to generate a second password according to the corresponding authorization device information, converts the second password into a second authentication code using the encryption/decryption software and the authentication code format generation software, and sends it to the authentication server for authentication and authorization;
Step S600: after the authentication server responds, the authentication server uses the token combination and the corresponding authorization device information to generate a first password; then, according to the second authentication code sent by the authorization terminal, it either uses the encryption/decryption software and the authentication code format generation software to convert the first password into a first authentication code of the same format as the second authentication code and compares the two codes, or uses the encryption/decryption software and the authentication code format generation software to parse the second authentication code sent by the authorization terminal, obtains the second password sent by the authorization terminal and compares it with the first password; authentication and authorization are then performed according to the comparison result.
16. The multi-communication-channel authentication and authorization method according to claim 15, characterised in that the authentication code format generation software is graphic, light code, sound code or speech format generation software.
17. The multi-communication-channel authentication and authorization method according to claim 15, characterised in that step S300 further includes the following step:
Step S310: after the authorization terminal receives the token component, the encryption software and the authentication code format generation software fed back by the registration server, it decrypts the URL information on the authorization terminal using the preset decryption key and requires the user to enter the token activation password in order to install the security token combination, the encryption software and the format generation software.
18. The multi-communication-channel authentication and authorization method according to claim 17, characterised in that the encryption is:
using the AES algorithm or the RSA algorithm, encrypting the URL information, the token component, the encryption software and the format generation software according to a key preset between the token generation server and the authorization terminal.
19. The multi-communication-channel authentication and authorization method according to claim 17, characterised in that step S300 further includes the following step:
Step S320: after installation of the token component is completed, the authorization terminal requires the user to enter the dynamic password generated and displayed by the dynamic security token software, and then verifies the dynamic password.
20. The multi-communication-channel authentication and authorization method according to claim 15, characterised in that the authorization terminal information is personalised sound, image or fingerprint data entered by the user through the authorization terminal.
21. The multi-communication-channel authentication and authorization method according to claim 20, characterised in that the authorization terminal information further includes the unique device identifier of the authorization terminal.
22. The multi-communication-channel authentication and authorization method according to claim 15, characterised in that the access channel is a network/telephone network, a telephone IVR network using touch-tone and/or voice commands, a message-based system, an e-mail system, a kiosk, or transmission by scanned paper image or fax.
23. The multi-communication-channel authentication and authorization method according to claim 15, characterised in that the token combination includes any combination of one or more of the following data:
A1) a digital certificate containing two key pairs: one for signing and one for encryption;
A2) a data signing token seed file containing the unique token serial number;
A3) OTP token generation software containing the unique token serial number.
24. The multi-communication-channel authentication and authorization method according to claim 15, characterised in that the first authentication code is a code in one or more of the forms sound code, image code, fingerprint code or QR code;
the second authentication code is a code in one or more of the forms sound code, image code, fingerprint code or QR code.
CN201310665028.2A 2013-12-10 2013-12-10 More communication channel Certificate Authority plateform systems and method Active CN104702580B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201310665028.2A CN104702580B (en) 2013-12-10 2013-12-10 More communication channel Certificate Authority plateform systems and method
TW103122183A TW201524177A (en) 2013-12-10 2014-06-26 Authentication and authorization platform system and method with multiple communication channels


Publications (2)

Publication Number Publication Date
CN104702580A CN104702580A (en) 2015-06-10
CN104702580B true CN104702580B (en) 2017-12-29



Also Published As

Publication number Publication date
TWI520557B (en) 2016-02-01
TW201524177A (en) 2015-06-16
CN104702580A (en) 2015-06-10


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20231031
Address after: Singapore 750D Caishi Road # 08-01ESR Industrial Park @ Caishi
Patentee after: Singapore i-Sprint Technology Co.,Ltd.
Address before: Room 1509, Shougang International Building, No. 60, Xizhimen North Street, Haidian District, Beijing 100082
Patentee before: BEIJING ANXUNBEN SCIENCE & TECHNOLOGY Co.,Ltd.