CN104767617A - Message processing method, system and related device - Google Patents

Publication number
CN104767617A
Authority
CN
China
Prior art keywords
information
authentication information
authentication
netscape
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510101401.0A
Other languages
Chinese (zh)
Inventor
韩晟
王盈
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Shidun Technology Co Ltd
Original Assignee
Beijing Shidun Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Shidun Technology Co Ltd
Priority to CN201510101401.0A
Publication of CN104767617A

Abstract

The invention discloses a message processing method, system and related device which aim to improve the safety and universality of identity related message processing. The system comprises a message processing device, a terminal device and a message processing server. The message processing device is used for receiving a first authentication message input by a user, processing a seed message through a stored first secret key to obtain a second authentication message, and generating an identity recognition message corresponding to the user. The seed message at least comprises the first authentication message. The identity recognition message comprises the second authentication message. The terminal device is used for setting up communication with the message processing device, obtaining the identity recognition message generated by the message processing device according to the set communication connection, and sending an identity recognition request to the message processing server according to the identity recognition message. The message processing server is used for obtaining the second authentication message according to the received identity recognition request and recognizing the user according to the obtained second authentication message.

Description

An information processing method, system and related device
Technical field
The present invention relates to the field of information security technology, and in particular to an information processing method, system and related device.
Background art
With the rapid development of Internet technology, especially mobile Internet technology, more and more Internet applications are provided over the Internet. When a user accesses these Internet applications, for example e-mail, instant messaging applications or websites, the provider of each Internet application usually needs to authenticate the user's identity at login in order to ensure the security of the user's access.
At present, the most common identity authentication method uses the user name and password provided by the user at registration. The user name and password usually consist of upper- and lower-case letters, digits and symbols that can be typed, and authentication passes if the entered user name and password match. In Internet applications with higher security requirements, such as online banking and online payment applications, other auxiliary authentication means are usually also used; common ones are mobile phone verification codes, RSA SecurID two-factor authentication tokens and smart cards.
Among the above identity authentication methods, user name and password is the most commonly used. However, user names and passwords are subject to length limits: a password that is too short or too simple is easily cracked, while one that is too long or too complex is hard to remember. Moreover, when the user name and password are entered through a keyboard, they are easily stolen by malicious code on the terminal device, which reduces the security of identity authentication.
If a mobile phone verification code is used as an auxiliary authentication means, a smartphone is easily implanted with malicious code that can intercept the verification code issued by the network side, so the security of identity authentication cannot be guaranteed either. Smart cards, because of hardware constraints, are difficult to popularize and are not very versatile. As for the RSA SecurID two-factor authentication token, it is widely used in important information systems around the world, but because it authenticates with a 6-digit number it is only suitable for use as a verification code and cannot serve as the user name and main password for authenticating identity. In addition, this method can only be used within an independent information system and is not universal, so a user usually needs to hold multiple different SecurID tokens.
It can be seen that, in application scenarios that require identity authentication, how to improve the security and versatility of processing user identity-related information has become one of the technical problems urgently to be solved in the prior art.
Summary of the invention
Embodiments of the present invention provide an information processing method, system and related device, in order to improve the security and versatility of identity-related information processing.
An embodiment of the present invention provides an information processing system, comprising:
An information processing device, configured to receive first authentication information input by a user; process seed information using a stored first key to obtain second authentication information, the seed information comprising at least the first authentication information; and generate identity identification information corresponding to the user, the identity identification information comprising the second authentication information;
A terminal device, configured to establish a communication connection with the information processing device; obtain, through the established communication connection, the identity identification information generated by the information processing device; and send an identification request to an information processing server according to the identity identification information;
An information processing server, configured to obtain the second authentication information according to the received identification request, and identify the user according to the obtained second authentication information.
The terminal device is specifically configured to extract the second authentication information from the obtained identity identification information, and carry the second authentication information in the identification request sent to the information processing server;
The information processing server is specifically configured to obtain the second authentication information from the identification request after receiving the identification request.
The terminal device is specifically configured to carry the obtained identity identification information in the identification request sent to the information processing server;
The information processing server is specifically configured to, after receiving the identification request, extract the second authentication information from the identity identification information carried in the identification request.
The information processing device is specifically configured to encrypt, sign or hash the first authentication information using the stored first key to obtain the second authentication information.
The first authentication information is input by the user in any one of the following ways: physical keyboard input, scroll wheel input, touch-screen input, graphic code scanning input, stroboscopic input, speech recognition input, camera recognition input, wireless communication input, infrared scanning input, laser scanning input or graphic code data acquisition input.
The identity identification information is a graphic code.
The graphic code comprises a one-dimensional code or a two-dimensional code.
The information processing server is specifically configured to, after obtaining the second authentication information, search the keys it stores for the second key corresponding to the first key; restore and/or verify the second authentication information using the second key found; and determine whether the user is identified according to the restoration result or the verification result.
The identity identification information further comprises the device identification of the information processing device;
The information processing server is further configured to obtain the device identification after receiving the identification request; search, according to the obtained device identification, the correspondence it stores between device identifications and keys for the key corresponding to the device identification; and determine the key found to be the second key corresponding to the first key.
The identity identification information is electronic signature information or authentication information.
If the identity identification information is authentication information, the seed information further comprises third authentication information, the third authentication information being any information that a computer system can process.
The information processing device is specifically configured to encrypt, sign or hash the first authentication information and/or the third authentication information using the stored first key to obtain the second authentication information;
The information processing server is specifically configured to use the second key to restore and/or verify the processed first authentication information and/or third authentication information contained in the second authentication information.
The third authentication information is the current time of the information processing device.
The system adopts an asymmetric-key cryptosystem, wherein the first key stored by the information processing device is a private key, and the second key stored by the information processing server is the public key corresponding to the private key.
An embodiment of the present invention provides an information processing method implemented by an information processing device, comprising:
Receiving first authentication information input by a user;
Processing seed information using a stored first key to obtain second authentication information, the seed information comprising at least the first authentication information;
Generating identity identification information of the user, the identity identification information comprising the second authentication information;
Providing the identity identification information to a terminal device through a communication connection established with the terminal device.
Processing the seed information using the stored first key to obtain the second authentication information specifically comprises:
Encrypting, signing or hashing the first authentication information using the stored first key to obtain the second authentication information.
The seed information further comprises third authentication information, the third authentication information being any information that a computer system can process; and
Processing the seed information using the stored first key to obtain the second authentication information specifically comprises:
Encrypting, signing or hashing the first authentication information and/or the third authentication information using the stored first key to obtain the second authentication information.
An embodiment of the present invention provides an information processing device, comprising:
An information receiving unit, configured to receive first authentication information input by a user;
An information processing unit, configured to process seed information using a stored first key to obtain second authentication information, the seed information comprising at least the first authentication information;
A generation unit, configured to generate identity identification information of the user, the identity identification information comprising the second authentication information;
A communication unit, configured to provide the identity identification information to a terminal device through a communication connection established with the terminal device.
The information processing unit is specifically configured to encrypt, sign or hash the first authentication information using the stored first key to obtain the second authentication information.
The seed information further comprises third authentication information, the third authentication information being any information that a computer system can process; and
The information processing unit is specifically configured to encrypt, sign or hash the first authentication information and/or the third authentication information using the stored first key to obtain the second authentication information.
An embodiment of the present invention provides an information processing method implemented by a terminal device, comprising:
Obtaining, through a communication connection established with an information processing device, identity identification information generated by the information processing device according to seed information, the seed information comprising at least first authentication information input by a user to the information processing device; the identity identification information comprises second authentication information, the second authentication information being obtained by the information processing device by processing the seed information using a stored first key;
Sending an identification request to an information processing server according to the obtained identity identification information.
Sending the identification request to the information processing server according to the obtained identity identification information specifically comprises:
Extracting the second authentication information from the obtained identity identification information, and carrying the second authentication information in the identification request sent to the information processing server.
Sending the identification request to the information processing server according to the obtained identity identification information specifically comprises:
Carrying the obtained identity identification information in the identification request sent to the information processing server.
An embodiment of the present invention provides a terminal device, comprising:
An acquiring unit, configured to obtain, through a communication connection established with an information processing device, identity identification information generated by the information processing device according to seed information, the seed information comprising at least first authentication information input by a user to the information processing device; the identity identification information comprises second authentication information, the second authentication information being obtained by the information processing device by processing the seed information using a stored first key;
A sending unit, configured to send an identification request to an information processing server according to the obtained identity identification information.
The sending unit is specifically configured to extract the second authentication information from the identity identification information obtained by the acquiring unit, and carry the second authentication information in the identification request sent to the information processing server.
The sending unit is specifically configured to carry the identity identification information obtained by the acquiring unit in the identification request sent to the information processing server.
With the information processing method, system and related device provided by the embodiments of the present invention, the information processing device processes the first authentication information input by the user, uses the processed first authentication information to generate the identity identification information corresponding to the user, and provides the generated identity identification information to the terminal device through the communication connection established with it. The terminal device sends an identification request to the information processing server according to the identity identification information provided by the information processing device, and the information processing server obtains the second authentication information in the identity identification information according to the received identification request and then identifies the user according to the second authentication information. In this identity-related information processing, on the one hand, the user does not need to remember a user name and password, which simplifies user operation; on the other hand, the identity identification information is generated by a third-party device from the authentication information input by the user and is not easily monitored or stolen, which improves the security of identity-related information processing. In addition, the information processing method provided by the embodiments of the present invention is applicable to all scenarios in which identity needs to be identified, which improves the versatility of identity-related information processing.
Other features and advantages of the present invention will be set forth in the following description and will in part become apparent from the description, or be understood by practising the invention. The objects and other advantages of the invention may be realized and obtained by the structure particularly pointed out in the written description, claims and accompanying drawings.
Brief description of the drawings
The accompanying drawings described here are provided for further understanding of the present invention and form a part of it. The illustrative embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a structural schematic diagram of the information processing system in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the information interaction flow in the electronic signature process in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the information interaction flow in the identity authentication process in an embodiment of the present invention;
Fig. 4 is a flowchart of the information processing method implemented by the information processing server in an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of the information processing server in an embodiment of the present invention;
Fig. 6 is a flowchart of the information processing method implemented by the information processing device in an embodiment of the present invention;
Fig. 7 is a structural schematic diagram of the information processing device in an embodiment of the present invention;
Fig. 8 is a flowchart of the information processing method implemented by the terminal device in an embodiment of the present invention;
Fig. 9 is a structural schematic diagram of the terminal device in an embodiment of the present invention.
Detailed description
In order to improve the security and versatility of identity-related information processing, embodiments of the present invention provide an information processing method, system and related device.
The preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here are only used to illustrate and explain the present invention and are not intended to limit it, and that, where no conflict arises, the embodiments of the present invention and the features in the embodiments may be combined with one another.
Embodiment one
Fig. 1 is a structural schematic diagram of the information processing system provided by the embodiment of the present invention, which comprises information processing device 11, terminal device 12 and information processing server 13, wherein:
Information processing device 11 is configured to receive first authentication information input by a user; process seed information using a stored first key to obtain second authentication information, the seed information comprising at least the first authentication information; and generate identity identification information corresponding to the user, the identity identification information comprising the second authentication information;
Terminal device 12 is configured to establish a communication connection with information processing device 11; obtain, through the established communication connection, the identity identification information generated by information processing device 11; and send an identification request to information processing server 13 according to the identity identification information;
Information processing server 13 is configured to obtain the second authentication information according to the received identification request, and identify the user according to the obtained second authentication information.
In a specific implementation, terminal device 12 may, but is not limited to, send the identification request to information processing server 13 in either of the following two modes:
Mode one: the terminal device extracts the second authentication information contained in the identity identification information, and carries the second authentication information in the identification request sent to information processing server 13.
In this mode, information processing server 13 can obtain the second authentication information directly from the identification request.
Mode two: the terminal device does not process the obtained identity identification information, and carries it directly in the identification request sent to information processing server 13.
In this mode, after information processing server 13 obtains the identity identification information from the identification request, it needs to extract the second authentication information from the identity identification information.
Preferably, in a specific implementation, information processing device 11 may encrypt, sign or hash the first authentication information using the stored first key to obtain the second authentication information.
In a specific implementation, the first authentication information may be input by the user in any one of the following ways: physical keyboard input, scroll wheel input, touch-screen input, graphic code scanning input, stroboscopic input, speech recognition input, camera recognition input, wireless communication input, infrared scanning input, laser scanning input or graphic code data acquisition input.
Preferably, the identity identification information may be a graphic code. The graphic code may be a one-dimensional code or a two-dimensional code, where two-dimensional codes include standard two-dimensional codes and non-standard two-dimensional codes (that is, variant two-dimensional codes such as circular or colour two-dimensional codes); the present invention does not limit this.
The information processing system provided by the embodiment of the present invention may be, but is not limited to being, applied to the following scenarios: scenarios that require the user to sign electronically, and scenarios that require user identity authentication. Accordingly, in the electronic signature scenario the identity identification information generated by the information processing device may be electronic signature information, and in the identity authentication scenario the identity identification information generated by the information processing device may be authentication information.
It should be noted that, in the electronic signature scenario, the information processing server first completes identity authentication of the user and then confirms that the electronic signature is complete; in the identity authentication scenario, the information processing server completes identity authentication of the user after obtaining the second authentication information.
When the information processing system provided by the embodiment of the present invention is used to implement electronic signing, the first authentication information may be the information that needs to be electronically signed, for example e-banking transaction information, electronic document information or anti-counterfeiting information. The information to be signed may be provided to the user by the application server of the service provider, or may be an electronic official document or the like that needs to be signed; the user inputs it into the information processing device when an electronic signature is required.
When the information processing system provided by the embodiment of the present invention is used to implement identity authentication, the first authentication information may be information provided to the user by the information processing server during user registration, or information the user has reserved on the information processing server; it may also be information generated while the user is using a service, for example the payee's bank account number or the transaction amount generated while the user is using e-banking; it may also be identity identification information of the communication counterpart, such as the counterpart's website domain name, server IP or e-mail address. The information reserved by the user on the information processing server may be a user name, a user password, a user ID or the like.
Whether for electronic signing or for identity authentication, after obtaining the second authentication information the information processing server searches the keys it stores for the second key corresponding to the first key stored by the information processing device, and uses the second key found to restore and/or verify the obtained second authentication information. If there is a second key that can restore and/or verify the second authentication information, the server confirms that the user is identified. When the user is confirmed as identified, identity authentication of the user can be confirmed as passed, and only after identity authentication has passed can the user be confirmed to have completed the electronic signature process. That is, in the electronic signature process, identity authentication of the user must first be confirmed as passed.
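The device-to-server flow described above, as an added example that is not code from the patent: the device processes a seed made of the first authentication information and its current time, the terminal forwards the identity identification information unprocessed (mode two), and the server looks up the key by device identification and verifies. Assumptions: HMAC-SHA256 stands in for the "hash operation" variant, so the server's second key equals the device's first key (the asymmetric variant would store a public key and verify a signature); the JSON layout, the 60-second freshness window, all function names and all sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key store on the server: device identification -> second key.
SERVER_KEYS = {"device-0001": b"constructed-demo-key-0001"}
MAX_SKEW_SECONDS = 60  # assumption: the page does not specify a freshness window


def seed_bytes(first_auth, device_time):
    """Seed = first authentication information + device time (third auth info).

    Each field is length-prefixed so two different field splits can never
    produce the same byte string.
    """
    parts = [first_auth.encode("utf-8"), str(device_time).encode("ascii")]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def device_generate(device_id, first_key, first_auth, now=None):
    """Information processing device: build the identity identification info."""
    device_time = int(time.time() if now is None else now)
    tag = hmac.new(first_key, seed_bytes(first_auth, device_time),
                   hashlib.sha256).digest()
    return json.dumps({
        "device_id": device_id,
        "time": device_time,
        "second_auth": base64.b64encode(tag).decode("ascii"),
    })


def terminal_build_request(identity_info, app_id):
    """Terminal device, mode two: forward the identity info without processing."""
    return json.dumps({"app_id": app_id, "identity_info": identity_info})


def server_identify(request, expected_first_auth, now=None):
    """Information processing server: return (identified, reason)."""
    now = int(time.time() if now is None else now)
    try:
        info = json.loads(json.loads(request)["identity_info"])
        device_id = info["device_id"]
        device_time = int(info["time"])
        tag = base64.b64decode(info["second_auth"], validate=True)
    except (ValueError, KeyError, TypeError, OverflowError):
        return False, "malformed request"
    if not isinstance(device_id, str):
        return False, "malformed request"

    # Find the second key through the stored device-identification mapping.
    key = SERVER_KEYS.get(device_id)
    if key is None:
        return False, "unknown device"

    # Reject identity information whose device time is outside the window.
    if abs(now - device_time) > MAX_SKEW_SECONDS:
        return False, "stale identity information"

    # Recompute over the value the server expects and compare in constant time.
    expected = hmac.new(key, seed_bytes(expected_first_auth, device_time),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "verification failed"
    return True, "identified"


if __name__ == "__main__":
    challenge = "challenge-8841"  # constructed value the server gave the user
    info = device_generate("device-0001", SERVER_KEYS["device-0001"], challenge)
    print(server_identify(terminal_build_request(info, "app-demo"), challenge))
```

Because the device time is part of the seed, changing the `time` field in transit invalidates the second authentication information, and a captured request stops verifying once the window has passed.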
When the information processing system provided by the embodiment of the present invention is used to implement identity authentication, it can be applied to any scenario that requires identity authentication, such as a user logging in to a website, a user logging in to a mailbox, a user accessing e-banking, and a user accessing various Internet services.
Preferably, in the embodiment of the present invention, the communication connection between terminal device 12 and information processing device 11 may be, but is not limited to being, established in any one of the following ways: headphone jack, Bluetooth, infrared, NFC (near-field communication), Wi-Fi (Wireless Fidelity), USB (Universal Serial Bus) or OTG (On-The-Go, data transmission interface), etc.
It should be noted that there is no required order between information processing device 11 generating the identity identification information and establishing the communication connection with terminal device 12: the connection may be established first and the identity identification information generated afterwards, or the identity identification information may be generated first and the connection established afterwards. The embodiment of the present invention does not limit this.
After generating the identity identification information, information processing device 11 may exchange the identity identification information it generated with terminal device 12 through the established communication connection. In a specific implementation, terminal device 12 may actively read the identity identification information generated by information processing device 11, or information processing device 11 may actively send the identity identification information it generated to terminal device 12. The embodiment of the present invention does not limit this.
In a specific implementation, before sending the identification request to information processing server 13, terminal device 12 may also obtain the application identification of the Internet application the user is accessing and carry the obtained application identification in the identification request sent to information processing server 13, so that information processing server 13, after obtaining the identification result, can notify the application server corresponding to that application identification of the result. Specifically, information processing server 13 may search the pre-stored correspondence between application identifications and application server identifications for the application server identification corresponding to the application identification, and send the identification result to the application server corresponding to the application server identification found. The application server can determine from the received identification result whether the user has completed the electronic signature or identity authentication.
In a specific implementation, the user may access the Internet application from the terminal device that performs identification, or from another terminal device. Therefore, in the embodiment of the present invention, the terminal device may obtain the application identification of the Internet application the user is accessing in either of the following two modes:
Mode one: if the user uses the terminal device that performs identification to access the Internet application, the terminal device may obtain the application identification of the Internet application by calling an interface provided by the Internet application. Mode two: if the user uses another terminal device to access the Internet application, the user may use the terminal device to scan a graphic code (which may be, but is not limited to, a two-dimensional code) provided by the Internet application to obtain the application identification of the Internet application.
In a specific implementation, in order to improve the security of Internet application access, after establishing the communication connection with the information processing device, the terminal device may also obtain the application identification code of the Internet application the user is accessing and send the obtained application identification code to the information processing device. The information processing device processes the application identification code using the first key it stores, and carries the processed code in the identity identification information sent to the terminal device; the terminal device carries the received processed application identification code in the identification request sent to the information processing server. In a specific implementation, the terminal device obtains the application identification code in the same way as it obtains the application identification described above, which is not repeated here.
Preferably, the application identification code is a globally unique code that does not repeat across different Internet applications, different terminal devices or different times. Preferably, the application identification code may be, but is not limited to, a UUID (Universally Unique Identifier) or a GUID (Globally Unique Identifier); it may of course also be a globally unique identifier implemented with similar technology. For ease of description, a UUID is used as the example.
After the application identification code of netscape messaging server Netscape after obtaining messaging device process, if messaging device has carried out encryption to this application identification code, then netscape messaging server Netscape the second double secret key of needing to utilize self to store its be decrypted after send to corresponding application server in the lump with identification result, according to the application identification code received, application server can determine that user accesses the terminal equipment of internet, applications, and return response message according to the identification result that netscape messaging server Netscape sends to terminal equipment, as under electronic signature application scenarios, if determine to sign electronically successfully according to identification result, terminal equipment then to correspondence sends the successful response message of electronic signature, otherwise, terminal equipment to correspondence sends the failed response message of electronic signature, under authentication scene, then according to identification result determine one's identity certification by time, the terminal equipment to correspondence sends the response message allowing access, otherwise the terminal equipment to correspondence sends the response message of denied access.
The identification system that the embodiment of the present invention provides can be applied to the various application scenarios needing to carry out identification, as electronic signature and authentication, when being applied under authentication scene, following application scenarios can be comprised: user's Website login needs to carry out authentication scene, user logs in that mailbox needs to carry out the scene of authentication, user accesses e-bank needs to carry out authentication and user and access various Internet service and need scene of carrying out authentication etc.
Embodiment for a better understanding of the present invention, the specific implementation process of information interaction flow process to the embodiment of the present invention below respectively with electronic signature and when carrying out identification to user is described.
As shown in Figure 2, information interaction schematic flow sheet when providing information processing system to realize electronic signature functionality for utilizing the embodiment of the present invention, comprises the following steps:
S21, message processing information equipment receive the first authentication information of the needs signature of user's input.
During concrete enforcement, user, in access internet, applications process, can, by following either type triggerable electronic signature flow process, need when the embodiment of the present invention accesses e-bank for user to sign electronically to Transaction Information.
Mode one,
The user accesses the e-bank with the same terminal device that obtains the electronic signature information. For example, the user accesses the e-bank with a mobile phone and uses the same phone to obtain the user's electronic signature information generated by the messaging device. In this case, the e-bank transaction page the user accesses needs to provide an application programming interface that encapsulates the information processing method provided by the embodiment of the present invention; when the user needs to electronically sign transaction information, calling this interface triggers the electronic signature flow.
Mode two,
The user accesses the e-bank with a terminal device other than the one that obtains the user's electronic signature information. For example, the user accesses the e-bank with a computer and uses his or her own mobile phone to obtain the user's electronic signature information generated by the messaging device. In this case, the e-bank transaction page needs to embed an application program that encapsulates the information processing method provided by the embodiment of the present invention and display it on the transaction page in the form of a graphic code (which may be, but is not limited to, a two-dimensional code). When the user needs to sign electronically, scanning this two-dimensional code directly triggers the electronic signature flow.
In a specific implementation, the first authentication information to be signed may be electronic document information that needs to be electronically signed, or information to be signed that the application server provides to the user. For example, while the user is using an e-bank, the first authentication information may be the transaction information provided by the e-bank. The user inputs the first authentication information to be signed into the messaging device.
S22, the messaging device processes seed information with its stored first key to obtain the second authentication information.
The seed information includes at least the first authentication information input by the user. In this embodiment, the description assumes that the seed information includes only the first authentication information, that is, the seed information is the first authentication information.
Preferably, in a specific implementation, the electronic signature system provided by the embodiment of the present invention may use a symmetric-key cryptosystem or an asymmetric-key cryptosystem. With a symmetric-key cryptosystem, the key stored in the messaging device is identical to the key stored on the electronic signature server. With an asymmetric-key cryptosystem, a public/private key pair can be randomly generated for each messaging device; the messaging device stores the private key and the electronic signature server stores the public key. Compared with the symmetric-key mechanism, the asymmetric-key mechanism further improves the security of the electronic signature system: in this case, even if the messaging server is compromised, an attacker cannot forge a user login.
On this basis, after receiving the first authentication information input by the user, the messaging device processes it with its stored first key. Preferably, the messaging device may encrypt the first authentication information with the first key to obtain the corresponding ciphertext; or it may sign the first authentication information with the first key; or it may perform a hash calculation on the first authentication information with the first key to obtain the corresponding hash value.
For convenience of description, in the embodiment of the present invention the information obtained by processing the first authentication information is called the second authentication information. Depending on how the messaging device processes the first authentication information, the second authentication information may be the ciphertext obtained by encrypting the first authentication information, the signed first authentication information obtained by signing the first authentication information, or the hash value obtained by performing a hash calculation on the first authentication information.
S23, the messaging device generates the electronic signature information corresponding to the user.
The messaging device uses the second authentication information obtained by processing the first authentication information to generate the electronic signature information corresponding to the user.
Preferably, the electronic signature information generated by the messaging device may be, but is not limited to, a graphic code. The graphic code may be a one-dimensional code (barcode) or a two-dimensional code, where two-dimensional codes include standard two-dimensional codes and non-standard two-dimensional codes (that is, variant two-dimensional codes such as circular or color two-dimensional codes). The present invention does not limit this.
In a specific implementation, the messaging device may consist of a secure storage module, an information input module, an information processing module, and an electronic display capable of displaying a graphic code, where the secure storage module stores the first key of this messaging device. Thus, when the user needs to sign electronically, the user inputs the first authentication information through the information input module, and the information processing module processes the first authentication information input by the user with the first key pre-stored in the secure storage module to obtain the second authentication information. The information processing module then uses the second authentication information to generate a graphic code.
Preferably, to avoid the risk that arises if the user loses the messaging device, in the embodiment of the present invention the messaging device may also verify the user's identity before generating the electronic signature information, for example by fingerprint or by a password preset by the user; no limitation is imposed here. Accordingly, the messaging device may also include numeric keys or a fingerprint acquisition device.
S24, the messaging device and the terminal device establish a communication connection.
It should be noted that the step of establishing the communication connection may also be performed before the step in which the messaging device generates the electronic signature information; there is no fixed execution order between the two.
S25, the messaging device provides the electronic signature information to the terminal device over the established communication connection.
The terminal and the messaging device may establish the communication connection in any of the following ways: earphone interface, Bluetooth, infrared, NFC (near-field communication), WIFI (Wireless Fidelity), USB (Universal Serial Bus), OTG (On-The-Go, data transmission interface), and so on.
S26, the terminal device sends an electronic signature request to the electronic signature server.
After obtaining the electronic signature information, the terminal device can handle it in either of the following two processing modes:
Processing mode one,
The terminal device does not process the electronic signature information at all; it carries the electronic signature information it obtained directly in the electronic signature request sent to the electronic signature server.
Processing mode two,
The terminal device extracts the second authentication information contained in the electronic signature information and carries the second authentication information in the electronic signature request sent to the electronic signature server.
Corresponding to the two processing modes above, the electronic signature request that the terminal device sends to the electronic signature server may carry either the electronic signature information or the extracted second authentication information.
Accordingly, the electronic signature server can obtain the second authentication information as follows: after receiving the electronic signature request, if the request carries the electronic signature information, the electronic signature server can extract the second authentication information from the electronic signature information; if the request carries the second authentication information, the electronic signature server can obtain the second authentication information directly from the identity authentication request.
In a specific implementation, the terminal device may also carry in the electronic signature request the application identifier or application name of the Internet application the user accesses, together with a globally unique identifier of that Internet application. This unique identifier is a globally unique code that does not repeat across different Internet applications, different terminal devices, or different times. Preferably, the unique identifier may be, but is not limited to, a UUID (Universally Unique Identifier) or a GUID (Globally Unique Identifier); it may of course be a globally unique identifier implemented with similar techniques. For convenience, the description uses a UUID as the example.
If the user triggers the electronic signature flow in the first way given in step S21, the terminal device can directly obtain the application identifier or application name of the Internet application the user is currently accessing, together with its corresponding UUID, and send them to the electronic signature server together. If the user triggers the electronic signature flow in the second way given in step S21, the graphic code generated for display on the login page contains the application identifier or application name of the Internet application and the UUID corresponding to that Internet application. The terminal device can then obtain the application identifier or application name and the corresponding UUID by scanning this graphic code, and send them to the electronic signature server together with either the second authentication information obtained from the graphic code generated by the messaging device, or the graphic code generated by the messaging device itself.
In a specific implementation, the terminal device can send the electronic signature request to the electronic signature server over a wired network, a wireless network, a mobile communication network, and so on.
S27, the electronic signature server obtains the second authentication information from the received electronic signature request.
The two ways in which the electronic signature server obtains the second authentication information from the received electronic signature request are described in step S26 and are not repeated here.
S28, the electronic signature server looks up, among the keys it stores, the second key corresponding to the first key.
After obtaining the second authentication information, the electronic signature server looks up, among the keys it stores, the second key corresponding to the first key.
To let the electronic signature server quickly find the second key corresponding to the first key, the messaging device can add its own device identifier when generating the electronic signature information.
On this basis, the electronic signature server can obtain the device identifier in either of the following two ways:
Mode one,
If the terminal device does not process the electronic signature information it obtained, but carries it directly in the electronic signature request sent to the electronic signature server, the electronic signature server can extract the second authentication information and the device identifier from the electronic signature information carried in the electronic signature request.
Mode two,
If the terminal device processes the electronic signature information it obtained, the terminal device extracts the second authentication information and the device identifier contained in the electronic signature information and carries both in the electronic signature request sent to the electronic signature server; the electronic signature server can obtain them by extracting the second authentication information and the device identifier directly from the received electronic signature request. The electronic signature server then looks up the key corresponding to the obtained device identifier in its stored mapping between device identifiers and keys, and takes the key found as the second key corresponding to the first key.
S29, the electronic signature server uses the second key found to restore and/or verify the second authentication information.
The processing in step S29 corresponds to the way the messaging device processed the first authentication information in step S22. If the messaging device encrypted the first authentication information with the first key to obtain the corresponding ciphertext, the electronic signature server may decrypt the ciphertext obtained with the second key, or may verify the ciphertext obtained directly with the second key. If the messaging device signed the first authentication information with the first key to obtain the signed first authentication information, the electronic signature server may verify the signed first authentication information with the second key. If the messaging device performed a hash calculation on the first authentication information with the first key to obtain a hash value, the electronic signature server may verify the hash value obtained with the second key.
S210, the electronic signature server confirms whether the electronic signature succeeded according to the restoration and/or verification result.
If the electronic signature server decrypts (that is, restores) with the second key the ciphertext obtained by encrypting the first authentication information and obtains the first authentication information, it determines that the user's electronic signature succeeded; otherwise it determines that the electronic signature failed. Or, the electronic signature server verifies with the second key the ciphertext obtained by encrypting the first authentication information; if verification passes, it determines that the electronic signature succeeded, otherwise it determines that the electronic signature failed. Or, if the electronic signature server verifies the signed first authentication information with the second key and verification passes, it determines that the electronic signature succeeded, otherwise it determines that the electronic signature failed. Or, if the electronic signature server verifies with the second key the hash value obtained by the hash calculation and verification passes, it determines that the electronic signature succeeded, otherwise it determines that the electronic signature failed.
Specifically, when asymmetric-key cryptography is used: if the messaging device signs the first authentication information with the private key, the public key stored on the electronic signature server can be used to verify the second authentication information obtained; if the messaging device encrypts the first authentication information with the private key, the public key stored on the electronic signature server can be used to restore and/or verify the ciphertext obtained. When symmetric-key cryptography is used: if the messaging device signs the first authentication information with its stored key, the key stored on the electronic signature server can be used to verify the second authentication information obtained after signing; if the messaging device encrypts the first authentication information with its stored key, the key stored on the electronic signature server can be used either to decrypt the ciphertext and then verify it, or to verify the ciphertext directly without restoring it; if the messaging device uses a hash algorithm to perform a hash operation on the first authentication information and obtain a hash value, the electronic signature server can verify the hash value obtained.
S211, the electronic signature server sends the result of whether the electronic signature passed to the application server that provides the Internet application.
In a specific implementation, according to the application identifier or application name carried in the electronic signature request, the electronic signature server provides the electronic signature result to the application server corresponding to that application identifier or application name, and carries in the electronic signature result the UUID of the Internet application the user is currently accessing.
S212, the application server sends the electronic signature result to the terminal device.
In a specific implementation, according to the UUID, the application server determines the terminal device and application program from which the user accesses the Internet application, and sends a response message allowing or denying access to this terminal device according to the authentication result.
In a specific implementation, the information processing system applied to electronic signature may provide one messaging device for different Internet applications, or may provide a separate messaging device for Internet applications with high security requirements, such as e-banking and online payment. In the latter case, the electronic signature server needs to maintain the correspondence between the application identifier of the Internet application and the device identifier and key of its corresponding messaging device, so as to provide the electronic signature function to different Internet applications.
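The following sketch walks through steps S22 to S211 for the symmetric-key signing variant, with processing mode one at the terminal and a device identifier carried in the electronic signature information. It is an added illustration, not code from the patent: HMAC-SHA256 as the keyed "signature", the JSON layout, the field names, and all sample identifiers and keys are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import uuid


def device_generate_signature_info(device_id, first_key, first_auth_info):
    """S22-S23: the messaging device processes the first authentication
    information with its stored first key and builds the electronic signature
    information (the payload a graphic code would encode)."""
    tag = hmac.new(first_key, first_auth_info.encode("utf-8"),
                   hashlib.sha256).hexdigest()
    return json.dumps({
        "device_id": device_id,  # lets the server find the second key (S28)
        "second_auth_info": {"message": first_auth_info, "tag": tag},
    })


def terminal_build_request(signature_info, app_id, app_uuid):
    """S26, processing mode one: forward the signature information unchanged,
    adding the application identifier and the UUID."""
    return {"signature_info": signature_info, "app_id": app_id, "uuid": app_uuid}


def server_handle_request(request, device_keys, app_servers):
    """S27-S211: extract the second authentication information, look up the
    second key by device identifier, verify, and address the result to the
    application server registered for the application identifier."""
    outcome = {
        "app_server": app_servers.get(request.get("app_id")),
        "uuid": request.get("uuid"),
        "success": False,
        "reason": "malformed request",
    }
    try:
        info = json.loads(request["signature_info"])
        device_id = info["device_id"]
        message = info["second_auth_info"]["message"]
        tag = bytes.fromhex(info["second_auth_info"]["tag"])
        if not isinstance(device_id, str) or not isinstance(message, str):
            raise TypeError("unexpected field type")
        message_bytes = message.encode("utf-8")
    except (KeyError, TypeError, ValueError):
        return outcome

    second_key = device_keys.get(device_id)  # S28: device id -> key mapping
    if second_key is None:
        outcome["reason"] = "unknown device"
        return outcome

    # S29: recompute the keyed hash with the second key; constant-time compare.
    expected = hmac.new(second_key, message_bytes, hashlib.sha256).digest()
    if hmac.compare_digest(expected, tag):
        outcome.update(success=True, reason="verified")
    else:
        outcome["reason"] = "verification failed"
    return outcome


def demo():
    # Constructed sample data: key, device id, application registry.
    first_key = bytes(range(32))
    device_keys = {"device-0001": first_key}  # symmetric: second key == first key
    app_servers = {"ebank": "ebank-app-server"}
    session = str(uuid.uuid4())

    info = device_generate_signature_info(
        "device-0001", first_key, "pay 100.00 to account 6222-0000")
    good = server_handle_request(
        terminal_build_request(info, "ebank", session), device_keys, app_servers)
    # A terminal or network that alters the transaction breaks verification.
    altered = info.replace("100.00", "900.00")
    bad = server_handle_request(
        terminal_build_request(altered, "ebank", session), device_keys, app_servers)
    return good, bad


if __name__ == "__main__":
    for result in demo():
        print(result)
```

With the asymmetric variant described in step S22, the server would hold only the public key, so a compromise of the server's key store would not let an attacker produce valid tags.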
Embodiment three,
When applied to the identity authentication scenario, the identity identification information generated by the messaging device may be identity authentication information, the messaging server may be an authentication server, and the identification request that the messaging device sends to the authentication server may be an identity authentication request. For convenience of explanation, the embodiment of the present invention is described using the example of a user who needs identity authentication to access an e-bank. As shown in Figure 3, the flow may comprise the following steps:
S31, when identity authentication is required to access the e-bank, the messaging device receives the first authentication information input by the user.
In a specific implementation, the user can access the e-bank in either of the following ways:
Mode one,
The user accesses the e-bank with the same terminal device that obtains the user's identity authentication information. For example, the user accesses the e-bank with a mobile phone and uses the same phone to obtain the user's identity authentication information generated by the messaging device. In this case, the e-bank login page the user accesses needs to provide an application programming interface that encapsulates the identity authentication method provided by the embodiment of the present invention; when the user needs to log in to the e-bank, calling this interface triggers identity authentication of the user.
Mode two,
User uses the other-end device access e-bank beyond the terminal equipment obtaining user's ID authentication information, and such as user uses computer to access e-bank, uses the user's ID authentication information that the mobile phone obtaining information treatment facility of oneself generates.In this case, e-bank's login page needs the authentication procedure embedding the identity identifying method encapsulation that the embodiment of the present invention provides, and show with the form of graphic code (can be, but not limited to as Quick Response Code) at login page, when user needs to log in e-bank, directly this Quick Response Code of scanning just can the authentication of triggered for user.
After the authentication of triggered for user, (this equipment can be supplied to user by business provider to messaging device, for electronic banking, messaging device can be supplied to user by bank) indicating user inputs the first authentication information, first authentication information can be in user registration course, the information of user or user is supplied in the reserved information of authentication server by authentication server, also can for use user the information produced in business procedure, if user can be the Bank Account Number of payee using the information produced in electronic banking process, dealing money etc., can also be the identity identification information of communication counterpart, as website domain name, server ip, the Email etc. of the other side.Wherein, user can be user name, user password or user ID etc. in the information that authentication server is reserved.
Preferably, user can be, but not limited to input the first authentication information by following arbitrary input mode to messaging device: the communication of physical keyboard input mode, roller input mode, touch-screen input mode, scintigram shape code input mode, stroboscopic input mode, speech recognition input mode, camera identification input mode, radio communication input mode, infrared scan input mode, laser scanning input mode or graphic code data acquisition input mode.Its China, in radio communication input mode, can use Wi-Fi, bluetooth, NFC (NearField Communication, near-field communication), the input such as microwave and broadcast.
S32, messaging device utilize the first double secret key seed information stored to carry out process and obtain the second authentication information.
Wherein, the first authentication information of user's input is at least comprised in seed information.In embodiment one, be described only to comprise the first authentication information in seed information, namely seed information is the first authentication information.
Preferably, when specifically implementing, the identity authorization system that the embodiment of the present invention provides can adopt symmetric key encryption system, also can adopt asymmetric-key encryption system.If adopt symmetric key encryption system, the key that messaging device stores is identical with the key that authentication server stores.If adopt asymmetric-key encryption system, can be each messaging device stochastic generation one group of PKI and private key, messaging device stores private key, authentication server storage of public keys.Compared to symmetric key encryption mechanism, asymmetric-key encryption mechanism can improve the fail safe of identity authorization system further, and in this case, even if authentication server is invaded, assailant also cannot forge user and log in.
Based on this, messaging device is after the first authentication information receiving user's input, and the first double secret key first authentication information utilizing self to store processes.Preferably, messaging device can utilize the first double secret key first encrypted authentication information to obtain the ciphertext of its correspondence, or, messaging device can also utilize the first double secret key first authentication information to sign, or messaging device can also utilize the first double secret key first authentication information to carry out Hash calculation and obtain corresponding cryptographic Hash.
For convenience of description, in the invention process, the information obtained after processing the first authentication information is called the second authentication information.According to the difference of the processing mode of messaging device process first authentication information, second authentication information can be the above-mentioned ciphertext obtained that is encrypted the first authentication information, also can be the first authentication information after the signature obtained after the first authentication information is signed, can also for carrying out the cryptographic Hash that Hash calculation obtains to the first authentication information.
S33, messaging device generate authentication information corresponding to user.
The second authentication information that messaging device obtains after utilizing and processing the first authentication information generates authentication information corresponding to user.
Preferably, the authentication information that messaging device generates can be, but not limited to as graphic code, this graphic code can be one-dimension code (bar code) and Quick Response Code, wherein, Quick Response Code comprises standard two-dimensional code and non-standard Quick Response Code (the i.e. Quick Response Code of some distortion, as circular two-dimensional code, color 2 D code etc.), the present invention does not limit this.
During concrete enforcement, messaging device by secure storage module, MIM message input module, message processing module and can the electronic console of display graphics code can form, and wherein, stores the first key that this messaging device stores in secure storage module.Like this, user, when needs carry out authentication, inputs the first authentication information by MIM message input module, and the first authentication information of the first double secret key user input that message processing module utilizes secure storage module to prestore carries out process and obtains the second authentication information.Message processing module utilizes the second authentication information to generate a graphic code.
Preferably, in order to avoid the risk that user's drop-out treatment facility brings, in the embodiment of the present invention, messaging device can also identify user identity before generation user's ID authentication information, such as, can be identified by fingerprint, the codon pair user that also can be pre-set by user is identified, here do not limit, accordingly, messaging device can also comprise digital keys or fingerprint acquisition device.
S34, terminal equipment and messaging device establish a communications link.
S35, messaging device provide the authentication information of generation to terminal equipment.
S36, terminal equipment send ID authentication request to authentication server.
After obtaining the authentication information, the terminal equipment can handle it in one of the following two ways:
Processing mode one,
The terminal equipment leaves the authentication information unprocessed and sends it to the authentication server directly in the ID authentication request.
Processing mode two,
The terminal equipment extracts the second authentication information contained in the authentication information and sends that second authentication information to the authentication server in the ID authentication request.
Corresponding to these two processing modes, the ID authentication request sent to the authentication server carries either the authentication information or the extracted second authentication information.
Accordingly, the authentication server obtains the second authentication information as follows: after receiving the ID authentication request, if it carries the authentication information, the authentication server extracts the second authentication information from the authentication information; if it carries the second authentication information, the authentication server takes the second authentication information directly from the ID authentication request.
In a specific implementation, the ID authentication request can also carry the application identifier or application name of the Internet application the user is accessing, together with a globally unique identifier for that Internet application. This identifier is a globally unique code that does not repeat across different Internet applications, different terminal equipment or different times. Preferably, it can be, but is not limited to, a UUID (Universally Unique Identifier) or a GUID (Globally Unique Identifier); a globally unique identifier implemented with a similar technique can of course also be used. For convenience, the description below uses a UUID.
If the user accesses the Internet application in the first way provided in step S31, the terminal equipment can directly obtain the application identifier or application name of the Internet application the user is currently accessing, and its corresponding UUID, and send them to the authentication server together. If the user accesses the Internet application in the second way provided in step S31, the graphic code displayed on the generated login page contains the application identifier or application name of the Internet application and the UUID corresponding to it. The terminal equipment obtains these by scanning that graphic code and sends them to the authentication server together with either the second authentication information obtained from the graphic code generated by the messaging device, or the graphic code generated by the messaging device itself.
In a specific implementation, the terminal equipment can send the ID authentication request to the authentication server over a wired network, a wireless network, a mobile communication network or the like.
S37, the authentication server obtains the second authentication information from the received ID authentication request.
The two ways in which the authentication server obtains the second authentication information from the received ID authentication request were described in step S36 and are not repeated here.
S38, the authentication server looks up, among the keys it stores, the second key corresponding to the first key.
After obtaining the second authentication information, the authentication server looks up, among the keys it stores, the second key corresponding to the first key.
So that the authentication server can quickly find the second key corresponding to the first key, the messaging device can add its own device identifier when generating the authentication information.
On this basis, the authentication server can obtain the device identifier in the following two ways:
Mode one,
If the terminal equipment does not process the authentication information it obtained but sends it to the authentication server directly in the ID authentication request, the authentication server extracts the second authentication information and the device identifier from the authentication information carried in the ID authentication request.
Mode two, if the terminal equipment processes the authentication information it obtained, it extracts the second authentication information and the device identifier contained in the authentication information and sends both to the authentication server in the ID authentication request, and the authentication server takes the second authentication information and the device identifier directly from the received ID authentication request. The authentication server then uses the obtained device identifier to look up the corresponding key in its stored mapping between device identifiers and keys, and takes the key found as the second key corresponding to the first key.
S39, the authentication server uses the second key it found to restore and/or verify the second authentication information.
Corresponding to the way the messaging device processes the first authentication information in step S32, in step S38: if the messaging device encrypted the first authentication information with the first key to obtain a ciphertext, the authentication server can decrypt that ciphertext with the second key, or can verify the ciphertext directly with the second key; if the messaging device signed the first authentication information with the first key to obtain signed first authentication information, the authentication server can verify the signed first authentication information with the second key; if the messaging device performed a hash calculation on the first authentication information with the first key to obtain a hash value, the authentication server can verify that hash value with the second key.
S310, the authentication server performs identity authentication.
If the authentication server, using the second key, decrypts (that is, restores) the ciphertext of the encrypted first authentication information and obtains the first authentication information, it determines that the user's identity authentication passes; otherwise it determines that it does not pass. Alternatively, the authentication server verifies the ciphertext of the encrypted first authentication information with the second key; if verification succeeds, the user's identity authentication passes, otherwise it does not pass. Alternatively, if the authentication server verifies the signed first authentication information with the second key and verification succeeds, the user's identity authentication passes, otherwise it does not pass. Alternatively, if the authentication server verifies, with the second key, the hash value obtained by hash calculation and verification succeeds, the user's identity authentication passes, otherwise it does not pass.
Specifically, when asymmetric-key cryptography is used: if the messaging device signs the first authentication information with a private key, the public key stored by the authentication server can be used to verify the resulting second authentication information; if the messaging device encrypts the first authentication information with a private key, the public key stored by the authentication server can be used to restore and/or verify the resulting ciphertext. When symmetric-key cryptography is used: if the messaging device signs the first authentication information with its stored key, the key stored by the authentication server can be used to verify the second authentication information obtained after signing; if the messaging device encrypts the first authentication information with its stored key, the key stored by the authentication server can be used either to decrypt the ciphertext and then verify it, or to verify the ciphertext directly without restoring it. If the messaging device applies a hash algorithm to the first authentication information to obtain a hash value, the authentication server can verify the hash value obtained.
S311, the authentication server sends the identity authentication result to the application server that provides the Internet application.
In a specific implementation, the authentication server uses the application identifier or application name carried in the ID authentication request to send the authentication result to the corresponding application server, and includes in that result the UUID of the Internet application the user is currently accessing.
S312, the application server sends the terminal equipment a response message allowing or denying access.
In a specific implementation, the application server uses the UUID to determine the terminal equipment and application program through which the user is accessing the Internet application, and sends that terminal equipment a response message allowing or denying access according to the authentication result.
In a specific implementation, the information processing system applied to identity authentication can provide one messaging device for different Internet applications, or a separate messaging device for Internet applications with high security requirements such as e-banking and online payment. In that case the authentication server needs to maintain the mapping between each Internet application's application identifier and the device identifier and key of its corresponding messaging device, so that it can provide identity authentication for different Internet applications.
In the identity authentication scenario, to further improve the security of identity authentication, the seed information can also include third authentication information. The third authentication information can be any information a computer system can process, such as known fixed information (for example a name or a fixed number), a random number, a time or a summary counter, as long as it is information that can be processed with a key; the present invention does not limit this. Preferably, the third authentication information is unique and cannot repeat; for example, it can be the current time of the messaging device.
For convenience, the description below takes the third authentication information to be the current time of the messaging device; that is, the seed information comprises the first authentication information entered by the user and the current time of the messaging device. In this case the process of authenticating the user is similar to embodiment one, and its implementation can refer to steps S31 to S312. The difference is in step S32, where the messaging device processes the seed information with the stored first key to obtain the second authentication information: if the seed information comprises the first authentication information and the third authentication information, the messaging device can process the two together with the first key to obtain the second authentication information, or can process each of them separately with the first key. That is, the messaging device can encrypt, sign or hash the first authentication information and the third authentication information separately with the stored first key, and the processed first authentication information and the processed third authentication information together form the second authentication information. Accordingly, in step S39, if the first authentication information and the third authentication information were processed separately, the authentication server needs to use the second key to restore and/or verify, separately, the processed first authentication information and the processed third authentication information contained in the second authentication information.
Specifically, in step S32, if the messaging device encrypts the seed information with the first key, it needs to encrypt the first authentication information and the third authentication information separately to obtain the corresponding ciphertexts; if it signs the seed information with the first key, it needs to sign the first authentication information and the third authentication information separately; if it performs a hash calculation on the seed information with the first key, it needs to hash the first authentication information and the third authentication information separately to obtain the corresponding hash values. The graphic code generated by the messaging device then contains the processed first authentication information and the processed third authentication information, and the message processing server accordingly obtains the processed first authentication information and the processed third authentication information separately. In step S39, when performing identity authentication, the authentication server needs to use the second key it stores to restore and/or verify the processed first authentication information and the processed third authentication information separately. Identity authentication passes only when both verifications pass; if either verification fails, identity authentication does not pass.
Note that if the third authentication information is the current time of the messaging device, the authentication server can decide whether the third authentication information passes as follows: if the interval between the messaging device's current time, obtained by decrypting with the second key, and the authentication server's own current time falls within a preset time interval (which can, for example, be set to a very short interval), the third authentication information passes; otherwise it does not pass. Alternatively, when the verification of the messaging device's current time succeeds, identity authentication is determined to pass.
In the above embodiments, after receiving the terminal equipment's ID authentication request, the authentication server needs to find, among all the keys it stores, the second key corresponding to the first key stored in the messaging device, in order to restore and/or verify the processed seed information. Specifically, the authentication server can try each key it stores in turn until one of them restores and/or verifies the processed seed information. It can also use the device identifier of the messaging device to find the second key corresponding to the first key quickly, and then use the second key found to restore and/or verify the processed seed information.
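An added example (not code from the patent) of the server-side check in steps S38 to S310 for the keyed-hash option, with the device's current time as third authentication information and both key-lookup strategies described above. It assumes HMAC-SHA256 as the keyed hash, a JSON payload standing in for the graphic code contents, a timestamp sent in the clear but covered by the hash, a server that stores each device's enrolled first authentication information beside its key, and a 30-second window; all names and sample values are constructed.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 30  # assumed value for the "preset time interval"


def seed_bytes(first_auth: str, ts: int) -> bytes:
    """Seed information = first authentication information + device time.
    The length prefix keeps the boundary between the two fields unambiguous."""
    return f"{len(first_auth)}:{first_auth}|{ts}".encode("utf-8")


def device_generate(first_key: bytes, first_auth: str, device_id=None, now=None) -> str:
    """Device side (S32/S33): keyed hash of the seed information with the first
    key, packaged as the text a graphic code would carry (assumed JSON layout)."""
    ts = int(time.time() if now is None else now)
    tag = hmac.new(first_key, seed_bytes(first_auth, ts), hashlib.sha256).hexdigest()
    info = {"ts": ts, "second_auth": tag}
    if device_id is not None:
        info["device_id"] = device_id  # optional, enables the fast key lookup
    return json.dumps(info)


class AuthServer:
    """Hypothetical authentication server for the symmetric keyed-hash variant."""

    def __init__(self, max_skew: int = MAX_SKEW_SECONDS):
        # device_id -> (second key, enrolled first authentication information)
        self.records = {}
        self.max_skew = max_skew

    def enroll(self, device_id: str, second_key: bytes, first_auth: str) -> None:
        self.records[device_id] = (second_key, first_auth)

    def candidates(self, payload: dict) -> list:
        """S38: direct lookup when a device identifier is present,
        otherwise fall back to trying every stored key in turn."""
        if "device_id" in payload:
            rec = self.records.get(payload["device_id"])
            return [rec] if rec is not None else []
        return list(self.records.values())

    def authenticate(self, identity_info: str, now=None) -> bool:
        """S37 to S310: parse, check freshness, then verify the keyed hash."""
        try:
            payload = json.loads(identity_info)
            ts = int(payload["ts"])
            tag = str(payload["second_auth"]).encode("utf-8")
            candidates = self.candidates(payload)
        except (ValueError, KeyError, TypeError, OverflowError):
            return False  # malformed request never authenticates
        now = time.time() if now is None else now
        if abs(now - ts) > self.max_skew:
            return False  # third authentication information is stale or future-dated
        ok = False
        for key, first_auth in candidates:
            expected = hmac.new(key, seed_bytes(first_auth, ts), hashlib.sha256).hexdigest()
            # Constant-time comparison so the check does not leak tag prefixes.
            if hmac.compare_digest(expected.encode("ascii"), tag):
                ok = True
        return ok


if __name__ == "__main__":
    key = b"K" * 32  # constructed sample key
    server = AuthServer()
    server.enroll("dev-001", key, "4921")  # constructed device identifier and PIN
    info = device_generate(key, "4921", device_id="dev-001")
    print("fresh payload accepted:", server.authenticate(info))
    print("same payload 5 minutes later:", server.authenticate(info, now=time.time() + 300))
```

A payload presented again inside the window still verifies, which is why the text above suggests keeping the preset interval very short.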
Note that the terminal equipment in the embodiment of the present invention can be a mobile terminal such as a mobile phone, tablet computer, PDA (personal digital assistant) or smart watch, or a device such as a PC (personal computer); any terminal equipment fitted with a camera or scanning device that can scan the graphic code generated by the messaging device will do.
In addition, the Internet applications in the embodiment of the present invention include websites, application clients and the like that can be accessed over the Internet or mobile Internet.
In a specific implementation, the identity authentication system provided by the embodiment of the present invention can provide one messaging device for different Internet applications, or a separate messaging device for Internet applications with high security requirements such as online banking and online payment. In that case the message processing server needs to maintain the mapping between each Internet application's application identifier and the device identifier and key of its corresponding messaging device, so that it can provide identity authentication for different Internet applications.
Among existing security systems that use encryption, the security of asymmetric-key cryptography has been thoroughly established in theory, and it is widely used. Its main drawback is that the keys are too long for a person to memorise and enter directly, so users usually store the key in a computer file or hardware device and import it when needed. This creates a risk of key disclosure and is very inconvenient to use. In the embodiment of the present invention, the graphic code, as a convenient machine-readable identification technique, can represent ciphertext information that is easily recognised, transmitted and then decrypted. This solves the problem that keys in existing asymmetric-key mechanisms are too long to be used directly. In addition, the embodiment of the present invention uses separate hardware to generate the identity identification information, which prevents the private key from being stolen, copied or tampered with and gives high security. Further, when the asymmetric-key mechanism is used in the embodiment of the present invention, the private key is stored in the secure storage module of the messaging device and the public key is stored on the message processing server; even if the message processing server is compromised by an attacker and all public keys are disclosed, the attacker still cannot forge any user's identity to authenticate, so this poses no threat. Finally, because the key is sufficiently long and strong, the device identifier of the messaging device (which can be its unique serial number) can be used directly as the user name, and each ciphertext or signed information generated from the seed information can be used as the password for identity authentication. This achieves one-time pad, with password complexity far higher than that of passwords people ordinarily set, so both security and convenience improve greatly.
Therefore, compared with the way traditional identity authentication methods handle identity-related information, the information processing method provided by the embodiment of the present invention is more secure: it achieves highly complex passwords and one-time pad, and avoids the risk of password theft. It is also quicker and more convenient: the user does not need to memorise and enter various user names and passwords, but simply obtains the identity identification information from the messaging device and sends it to the message processing server to complete processes such as electronic signature or identity authentication quickly.
Because the password length and strength in the identity authentication method provided by the embodiment of the present invention are much higher than those of passwords set by ordinary users and of the 6-digit numeric codes used by existing RSA SecurID two-factor authentication tokens, in the identity authentication scenario it can be used directly as the primary password.
Based on the same inventive concept, the embodiment of the present invention also provides information processing methods implemented by the message processing server, the messaging device and the terminal equipment respectively, and the related devices. Because these methods and devices solve the problem on the same principle as the information processing system, their implementation can refer to the implementation of the system, and repeated parts are not described again.
Embodiment four
As shown in Figure 4, the implementation flow of the information processing method carried out by the message processing server provided by the embodiment of the present invention comprises:
S41, receive the identification request sent by the terminal equipment.
The identification request is determined by the terminal equipment from the identity identification information obtained from the messaging device. The identity identification information comprises the second authentication information, which the messaging device obtains by processing the seed information with the stored first key; the seed information comprises at least the first authentication information that the user enters into the messaging device.
S42, obtain the second authentication information from the received identification request.
S43, identify the user according to the obtained second authentication information.
Depending on how the terminal equipment sends the identification request, the message processing server can obtain the second authentication information in different ways.
If the terminal equipment sends the identification request by extracting the second authentication information from the identity identification information obtained from the messaging device and carrying that second authentication information in the identification request, then in step S42 the second authentication information can be obtained as follows: after the identification request is received, the second authentication information is taken from the identification request.
If the terminal equipment sends the identification request by carrying the identity identification information obtained from the messaging device in the identification request, then in step S42 the message processing server can obtain the second authentication information as follows: after receiving the identification request, it extracts the second authentication information from the identity identification information carried in the identification request.
Preferably, in a specific implementation, the messaging device obtains the second authentication information by processing the seed information as follows: it encrypts, signs or hashes the first authentication information with the first key.
Preferably, in step S43, identifying the user according to the obtained second authentication information can be implemented as follows: look up, among the stored keys, the second key corresponding to the first key; use the second key found to restore and/or verify the second authentication information; and decide from the restoration result or verification result whether the user is identified.
Preferably, the identity identification information also comprises the device identifier of the messaging device. On this basis, after receiving the identification request, the message processing server can look up the second key corresponding to the first key as follows: using the obtained device identifier, it looks up the corresponding key in its stored mapping between device identifiers and keys, and takes the key found as the second key corresponding to the first key.
To further increase the security of information processing, the seed information can also comprise third authentication information, which is any information a computer system can process. Preferably, the seed information can be, but is not limited to, the current time of the messaging device. The messaging device then obtains the second authentication information by processing the seed information as follows: it encrypts, signs or hashes the first authentication information and/or the third authentication information with the first key. Restoring and/or verifying the second authentication information with the second key can then comprise: using the second key to restore and/or verify the processed first authentication information and/or third authentication information contained in the second authentication information.
Embodiment five,
As shown in Figure 5, the message processing server provided by the embodiment of the present invention can comprise:
Receiving unit 51, configured to receive the identification request sent by the terminal equipment, where the identification request is determined by the terminal equipment from the user's identity identification information obtained from the messaging device, the identity identification information comprises the second authentication information, the messaging device obtains the second authentication information by processing the seed information with the stored first key, and the seed information comprises at least the first authentication information that the user enters into the messaging device;
Obtaining unit 52, configured to obtain the second authentication information from the received identification request;
Recognition unit 53, configured to identify the user according to the second authentication information obtained by the obtaining unit.
The terminal equipment sends the identification request as follows: it extracts the second authentication information from the identity identification information obtained from the messaging device and carries the second authentication information in the identification request; and
Obtaining unit 52 is specifically configured to take the second authentication information from the identification request after receiving unit 51 receives the identification request.
Alternatively, the terminal equipment sends the identification request as follows: it carries the identity identification information obtained from the messaging device in the identification request; and obtaining unit 52 is specifically configured to extract the second authentication information from the identity identification information carried in the identification request after the identification request is received.
In a specific implementation, the messaging device obtains the second authentication information by processing the seed information as follows: it encrypts, signs or hashes the first authentication information with the first key.
Preferably, recognition unit 53 can comprise:
A lookup subunit, configured to look up, among the stored keys, the second key corresponding to the first key after the obtaining unit obtains the second authentication information;
A recognition subunit, specifically configured to use the second key found by the lookup subunit to restore and/or verify the second authentication information, and to decide from the restoration result or verification result whether the user is identified.
Preferably, the identity identification information can also comprise the device identifier of the messaging device; and
The obtaining unit is also configured to obtain the device identifier from the identification request after the identification request is received;
The lookup subunit can be configured to use the device identifier obtained by the obtaining unit to look up the corresponding key in the stored mapping between device identifiers and keys, and to take the key found as the second key corresponding to the first key.
In a specific implementation, the identity identification information is electronic signature information or authentication information. If the identity identification information is authentication information, the seed information also comprises third authentication information, which is any information a computer system can process; the messaging device obtains the second authentication information by processing the seed information as follows: it encrypts, signs or hashes the first authentication information and/or the third authentication information with the first key; and
The recognition subunit is specifically configured to use the second key to restore and/or verify the processed first authentication information and/or third authentication information contained in the second authentication information.
For convenience of description, the parts above are divided by function into modules (or units) and described separately. Of course, when the present invention is implemented, the functions of the modules (or units) can be realised in one or more pieces of software or hardware.
Figure 6 is a schematic flowchart of the messaging device implementing the information processing method provided by an embodiment of the present invention. The method may comprise the following steps:
S61: Receive the first authentication information input by the user.
S62: Process the seed information using the stored first key to obtain the second authentication information, the seed information comprising at least the first authentication information.
S63: Generate the identity identification information of the user, the identity identification information comprising the second authentication information.
S64: Provide the identity identification information to the terminal equipment over the communication connection established with the terminal equipment.
Step S62 may be implemented as follows: the first authentication information is encrypted, signed or hashed using the stored first key to obtain the second authentication information.
Preferably, the seed information may further comprise third authentication information, which may be any information that a computer system can process. On this basis, step S62 may be implemented as follows: the first authentication information and/or the third authentication information is encrypted, signed or hashed using the stored first key to obtain the second authentication information.
Figure 7 is a schematic structural diagram of the messaging device provided by an embodiment of the present invention. The device may comprise:
Information receiving unit 71, configured to receive the first authentication information input by the user;
Information processing unit 72, configured to process the seed information using the stored first key to obtain the second authentication information, the seed information comprising at least the first authentication information;
Generation unit 73, configured to generate the identity identification information of the user, the identity identification information comprising the second authentication information;
Communication unit 74, configured to provide the identity identification information to the terminal equipment over the communication connection established with the terminal equipment.
The information processing unit 72 may be configured to encrypt, sign or hash the first authentication information using the stored first key to obtain the second authentication information.
Preferably, the seed information further comprises third authentication information, which may be any information that a computer system can process. On this basis, the information processing unit 72 may be configured to encrypt, sign or hash the first authentication information and/or the third authentication information using the stored first key to obtain the second authentication information.
Figure 8 is a schematic flowchart of the terminal equipment implementing the information processing method. The method may comprise the following steps:
S81: Obtain, over the communication connection established with the messaging device, the identity identification information that the messaging device generated from the seed information.
The seed information comprises at least the first authentication information that the user input to the messaging device. The identity identification information comprises the second authentication information, which the messaging device obtained by processing the seed information using the stored first key.
S82: Send an identification request to the message processing server according to the obtained identity identification information.
In a specific implementation, step S82 may be carried out in either of the following two ways:
Implementation one: the terminal equipment extracts the second authentication information from the obtained identity identification information, carries the second authentication information in the identification request and sends the request to the message processing server.
Implementation two: the terminal equipment carries the obtained identity identification information in the identification request and sends the request to the message processing server.
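The device, terminal and server roles of steps S61 to S64 and S81 to S82, as an added example that is not code from the patent. It picks one option the text allows, a keyed hash (HMAC-SHA256) where the same key serves as first and second key, and it assumes that the third authentication information is the device clock in 30-second steps, that the server holds the expected first authentication information per device, and that the request carries a device identifier for key lookup; all names are hypothetical.

```python
import hashlib
import hmac
import json
import struct

TIME_STEP = 30  # assumed: device clock is quantised to 30-second steps


def second_auth(key: bytes, first_auth: str, step: int) -> str:
    """Keyed hash over the seed (first auth info + time step)."""
    fa = first_auth.encode("utf-8")
    # Length-prefix the variable field so the seed encoding is unambiguous.
    seed = struct.pack(">I", len(fa)) + fa + struct.pack(">Q", step)
    return hmac.new(key, seed, hashlib.sha256).hexdigest()


class Device:
    """Messaging device: holds the first key and never sends it or the raw input."""

    def __init__(self, device_id: str, first_key: bytes):
        self.device_id = device_id
        self._key = first_key

    def identity_info(self, first_auth: str, now: float) -> str:
        # S61-S63: take the user's input, process the seed, build identity info.
        tag = second_auth(self._key, first_auth, int(now) // TIME_STEP)
        return json.dumps({"device_id": self.device_id, "second_auth": tag})


def terminal_request(identity_info: str, extract: bool) -> dict:
    """S82: implementation one extracts the fields, two forwards the blob as is."""
    if extract:
        fields = json.loads(identity_info)
        return {"device_id": fields["device_id"],
                "second_auth": fields["second_auth"]}
    return {"identity_info": identity_info}


class Server:
    """Message processing server: key lookup by device id, then verification."""

    def __init__(self, keys: dict, expected: dict, skew_steps: int = 1):
        self._keys = keys          # device_id -> second key
        self._expected = expected  # device_id -> expected first auth info (assumed)
        self._skew = skew_steps    # tolerated clock drift, in time steps
        self._used = set()         # (device_id, step) pairs already accepted

    def identify(self, request: dict, now: float) -> bool:
        try:
            if "identity_info" in request:
                request = json.loads(request["identity_info"])
            device_id = request["device_id"]
            presented = request["second_auth"]
        except (KeyError, TypeError, ValueError):
            return False
        if not isinstance(device_id, str) or not isinstance(presented, str):
            return False
        if not presented.isascii():
            return False
        key = self._keys.get(device_id)
        first_auth = self._expected.get(device_id)
        if key is None or first_auth is None:
            return False
        current = int(now) // TIME_STEP
        for step in range(max(0, current - self._skew), current + self._skew + 1):
            candidate = second_auth(key, first_auth, step)
            if hmac.compare_digest(candidate, presented):
                # Added safeguard, not in the patent text: one use per time step.
                if (device_id, step) in self._used:
                    return False
                self._used.add((device_id, step))
                return True
        return False
```

The `_used` set is what stops a captured identity code from being accepted twice inside the tolerated time window; the patent text does not describe replay handling, so treat it as an addition.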
Figure 9 is a schematic structural diagram of the terminal equipment provided by an embodiment of the present invention. The terminal equipment may comprise:
Acquiring unit 91, configured to obtain, over the communication connection established with the messaging device, the identity identification information that the messaging device generated from the seed information.
The seed information comprises at least the first authentication information that the user input to the messaging device; the identity identification information comprises the second authentication information, which the messaging device obtained by processing the seed information using the stored first key;
Sending unit 92, configured to send an identification request to the message processing server according to the obtained identity identification information.
In a specific implementation, the sending unit 92 may be configured to extract the second authentication information from the identity identification information obtained by the acquiring unit 91, carry the second authentication information in the identification request and send the request to the message processing server.
Alternatively, the sending unit 92 may be configured to carry the identity identification information obtained by the acquiring unit 91 in the identification request and send the request to the message processing server.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to cover them.

Claims (26)

1. An information processing system, characterized in that it comprises:
a messaging device, configured to receive first authentication information input by a user; process seed information using a stored first key to obtain second authentication information, the seed information comprising at least the first authentication information; and generate identity identification information corresponding to the user, the identity identification information comprising the second authentication information;
terminal equipment, configured to establish a communication connection with the messaging device; obtain, over the established communication connection, the identity identification information generated by the messaging device; and send an identification request to a message processing server according to the identity identification information;
the message processing server, configured to obtain the second authentication information according to the received identification request, and identify the user according to the obtained second authentication information.
2. The system according to claim 1, characterized in that
the terminal equipment is specifically configured to extract the second authentication information from the obtained identity identification information, carry the second authentication information in the identification request and send the request to the message processing server;
the message processing server is specifically configured to obtain the second authentication information from the identification request after receiving the identification request.
3. The system according to claim 1, characterized in that
the terminal equipment is specifically configured to carry the obtained identity identification information in the identification request and send the request to the message processing server;
the message processing server is specifically configured to extract, after receiving the identification request, the second authentication information from the identity identification information carried in the identification request.
4. The system according to claim 1, characterized in that
the messaging device is specifically configured to encrypt, sign or hash the first authentication information using the stored first key to obtain the second authentication information.
5. The system according to claim 1, characterized in that the first authentication information is input by the user in any one of the following ways: physical keyboard input, scroll wheel input, touch-screen input, graphic code scanning input, stroboscopic input, speech recognition input, camera recognition input, wireless communication input, infrared scanning input, laser scanning input or graphic code data acquisition input.
6. The system according to claim 1, characterized in that the identity identification information is a graphic code.
7. The system according to claim 6, characterized in that the graphic code comprises a one-dimensional code or a two-dimensional code.
8. The system according to claim 1, characterized in that
the message processing server is specifically configured to, after obtaining the second authentication information, look up among the keys it stores the second key corresponding to the first key; restore and/or verify the second authentication information using the second key found; and determine whether the user is identified according to the restoration result or the verification result.
9. The system according to claim 8, characterized in that the identity identification information further comprises a device identifier of the messaging device;
the message processing server is further configured to obtain the device identifier after receiving the identification request; look up, according to the obtained device identifier, the key corresponding to the device identifier in the correspondence between device identifiers and keys that it stores; and determine the key found to be the second key corresponding to the first key.
10. The system according to any one of claims 1 to 9, characterized in that the identity identification information is electronic signature information or authentication information.
11. The system according to claim 10, characterized in that, if the identity identification information is authentication information, the seed information further comprises third authentication information, the third authentication information being any information that a computer system can process.
12. The system according to claim 11, characterized in that
the messaging device is specifically configured to encrypt, sign or hash the first authentication information and/or the third authentication information using the stored first key to obtain the second authentication information;
the message processing server is specifically configured to use the second key to restore and/or verify the processed first authentication information and/or third authentication information contained in the second authentication information.
13. The system according to claim 12, characterized in that the third authentication information is the current time of the messaging device.
14. The system according to claim 1, characterized in that the system uses an asymmetric-key cryptosystem, wherein the first key stored by the messaging device is a private key and the second key stored by the message processing server is the public key corresponding to the private key.
15. An information processing method, characterized in that it comprises:
receiving first authentication information input by a user;
processing seed information using a stored first key to obtain second authentication information, the seed information comprising at least the first authentication information;
generating identity identification information of the user, the identity identification information comprising the second authentication information;
providing the identity identification information to terminal equipment over a communication connection established with the terminal equipment.
16. The method according to claim 15, characterized in that processing the seed information using the stored first key to obtain the second authentication information specifically comprises:
encrypting, signing or hashing the first authentication information using the stored first key to obtain the second authentication information.
17. The method according to claim 15, characterized in that the seed information further comprises third authentication information, the third authentication information being any information that a computer system can process; and
processing the seed information using the stored first key to obtain the second authentication information specifically comprises:
encrypting, signing or hashing the first authentication information and/or the third authentication information using the stored first key to obtain the second authentication information.
18. A messaging device, characterized in that it comprises:
an information receiving unit, configured to receive first authentication information input by a user;
an information processing unit, configured to process seed information using a stored first key to obtain second authentication information, the seed information comprising at least the first authentication information;
a generation unit, configured to generate identity identification information of the user, the identity identification information comprising the second authentication information;
a communication unit, configured to provide the identity identification information to terminal equipment over a communication connection established with the terminal equipment.
19. The messaging device according to claim 18, characterized in that
the information processing unit is specifically configured to encrypt, sign or hash the first authentication information using the stored first key to obtain the second authentication information.
20. The messaging device according to claim 18, characterized in that the seed information further comprises third authentication information, the third authentication information being any information that a computer system can process; and
the information processing unit is specifically configured to encrypt, sign or hash the first authentication information and/or the third authentication information using the stored first key to obtain the second authentication information.
21. An information processing method, characterized in that it comprises:
obtaining, over a communication connection established with a messaging device, identity identification information that the messaging device generated from seed information, the seed information comprising at least first authentication information that a user input to the messaging device; the identity identification information comprising second authentication information, which the messaging device obtained by processing the seed information using a stored first key;
sending an identification request to a message processing server according to the obtained identity identification information.
22. The method according to claim 21, characterized in that sending the identification request to the message processing server according to the obtained identity identification information specifically comprises:
extracting the second authentication information from the obtained identity identification information, carrying the second authentication information in the identification request and sending the request to the message processing server.
23. The method according to claim 21, characterized in that sending the identification request to the message processing server according to the obtained identity identification information specifically comprises:
carrying the obtained identity identification information in the identification request and sending the request to the message processing server.
24. Terminal equipment, characterized in that it comprises:
an acquiring unit, configured to obtain, over a communication connection established with a messaging device, identity identification information that the messaging device generated from seed information, the seed information comprising at least first authentication information that a user input to the messaging device; the identity identification information comprising second authentication information, which the messaging device obtained by processing the seed information using a stored first key;
a sending unit, configured to send an identification request to a message processing server according to the obtained identity identification information.
25. The terminal equipment according to claim 24, characterized in that
the sending unit is specifically configured to extract the second authentication information from the identity identification information obtained by the acquiring unit, carry the second authentication information in the identification request and send the request to the message processing server.
26. The terminal equipment according to claim 24, characterized in that
the sending unit is specifically configured to carry the identity identification information obtained by the acquiring unit in the identification request and send the request to the message processing server.
CN201510101401.0A 2015-03-06 2015-03-06 Message processing method, system and related device Pending CN104767617A (en)

Publications (1)

Publication Number Publication Date
CN104767617A true CN104767617A (en) 2015-07-08

Family

ID=53649250

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510101401.0A Pending CN104767617A (en) 2015-03-06 2015-03-06 Message processing method, system and related device

Country Status (1)

Country Link
CN (1) CN104767617A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20150708
