CN105373919A - Safety certification device and method for user identity based on far and near field data interaction - Google Patents


Info

Publication number
CN105373919A
Authority
CN
China
Prior art keywords
terminal
authentication
identity
data
code
Prior art date
Legal status
Pending
Application number
CN201510705976.3A
Other languages
Chinese (zh)
Inventor
熊文俊
杨盛麟
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327 Short range or proximity payments by means of M-devices
    • G06Q20/3278 RFID or NFC payments by means of M-devices
    • G06Q20/08 Payment architectures
    • G06Q20/20 Point-of-sale [POS] network systems
    • G06Q20/202 Interconnection or interaction of plural electronic cash registers [ECR] or to host computer, e.g. network details, transfer of information from host to ECR or from ECR to ECR
    • G06Q20/206 Point-of-sale [POS] network systems comprising security or operator identification provisions, e.g. password entry
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4014 Identity check for transactions

Abstract

The invention provides a device and method for secure authentication of user identity based on far-field and near-field data interaction. It relates to the fields of long- and short-range communication and data security, and aims to solve the problem that the security of long- and short-range data interaction is hard to guarantee in the prior art. Through identity-based secure authentication, the method can realise mobile payment, roaming-free use of virtual numbers, and network-speed improvement over multiple numbers and multiple channels. A Micro-SD or U/SIM card that integrates the system's authentication function is substituted into the phone to strengthen its resistance to Trojans and to let a smartphone act fully as a POS. In near-field payment, the system server issues authentication data to the phone POS, the phone POS forwards time-limited authentication data to the paying phone, and identity authentication passes when the returned data matches the server's data. In remote payment, the system authenticates the user's identity code twice to prevent user data from being stolen remotely. A security-guarantee flow for remote virtual-number authentication is also provided, so that roaming-free application of virtual numbers and network-speed improvement over multiple virtual numbers and multiple carrier waves are realised.

Description

Device and method for secure authentication of user identity based on far-field and near-field data interaction
Technical field
The present invention relates to identity authentication security technology, and in particular to a user identity secure authentication technology based on far-field and near-field data interaction.
Background technology
With the flourishing of the global economy and the internationalisation and flattening of all kinds of activity, exchanges at home and abroad have become ever more frequent, but mobile roaming charges have risen sharply at the same time, while users' explosive demand for data services makes them eager for faster mobile network speeds. On the other hand, with the spread of smartphones and the rapid development of mobile networks, internet finance is on the rise: according to authoritative data, the mobile payment volume of the commercial banking system in 2014 was 23 trillion yuan and that of third-party payment institutions reached more than 8 trillion yuan (80,000 hundred million yuan), yet the sector also faces a shortage of POS terminals, an inadequate processing environment, and the frequent theft of account funds by Trojan programs.
Summary of the invention
The object of the invention is to solve the problems that existing mobile-phone payment is not secure enough, that POS terminals are in short supply, that roaming charges away from home are high, and that network speed is unsatisfactory.
To achieve this object, the invention provides a user identity secure authentication method based on far-field and near-field data interaction, characterised by comprising the following steps:
A. The first terminal initiates an authentication request to the server with a service code. The request contains the identity code of the first terminal, and the server authenticates the first terminal according to that identity code. The identity code of the first terminal is identification information that uniquely identifies the first terminal; it corresponds to several identity keys built into the first terminal, and each identity key has a corresponding key number;
B. After verifying the first terminal's identity code, the server generates a random code, chooses any one of the identity keys corresponding to the first terminal's identity code together with its encryption algorithm, and computes the first encrypted data from that identity key, the encryption algorithm and the random code. It then sends the first encrypted data, the key number of the chosen identity key and the dynamic authentication count n for this second terminal to the first terminal, backs up the random code, the first encrypted data and the count n, and records the correspondence between the random code and the first terminal's identity code;
C. The second terminal randomly generates an access code. Only after the first terminal has collected that access code by wireless means does it look up the built-in identity key matching the key number it received, and use its built-in decryption algorithm and that identity key to decrypt the received first encrypted data and recover the random code. It then sends the random code and the dynamic authentication count n to the second terminal by near-field communication according to the access code, and at the same time starts timing or counting the second terminal's authentication-data return time;
D. The second terminal computes this session's modified identity key from the received count n and its own built-in identity key using its built-in authentication algorithm. It then performs a first authentication computation with that algorithm on the received random code and the modified identity key to obtain the first authentication response value, a second authentication computation on the first authentication response value and the modified identity key to obtain the second authentication response value, a third authentication computation on the second authentication response value and the modified identity key to obtain the third authentication response value, and so on until n authentication computations have been performed in sequence and the n-th authentication response value is obtained. It then sends the n-th authentication response value and the identity code of the second terminal to the first terminal. The identity code of the second terminal is identification information that uniquely identifies the second terminal; it corresponds uniquely to the second terminal's built-in identity key, and the second terminal has only one unique built-in identity key;
E. The first terminal selects any of its built-in identity keys and, with its built-in encryption algorithm, encrypts the time taken by the second terminal to return the authentication data (or the count of pulses during that period) to obtain the second encrypted data. It then sends the n-th authentication response value, the identity code of the first terminal, the identity code of the second terminal, the second encrypted data and the key number of the key used for the second encrypted data to the server;
F. The server receives the data sent by the first terminal. It looks up the dynamic authentication count n for this second terminal from the first terminal's identity code in the received data, and at the same time looks up the identity key and authentication algorithm corresponding to the second terminal's identity code in the received data and computes the modified identity key from them and n. Then, with the backed-up random code that was sent to that first terminal identity code and the modified identity key, it performs a first authentication computation through the authentication algorithm to obtain the first authentication response value, a second authentication computation on the first authentication response value and the modified identity key to obtain the second authentication response value, a third authentication computation on the second authentication response value and the modified identity key to obtain the third authentication response value, and so on until n authentication computations have been performed in sequence and the n-th authentication response value is obtained. It then looks up the identity key and decryption algorithm from the first terminal's identity code and key number in the received data and decrypts the second encrypted data to obtain the second terminal's authentication time or pulse count. If the n-th authentication response value sent by the first terminal is identical to the n-th authentication response value obtained by the server after n authentication computations, and the time or pulse count decrypted from the second encrypted data is less than the set time corresponding to n dynamic authentications, then the first terminal and the second terminal pass authentication.
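The near-field flow of steps A to F, simulated end to end as an added example (this is not the patent's code). The patent does not name its algorithms, so HMAC-SHA256 stands in for the built-in authentication algorithm, a nonce-keyed XOR stream stands in for the identity-key cipher, and all keys, identity codes and the time limit are constructed values; the payer side also enforces the rule that only one random code is accepted per access code.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample credentials; the patent gives no concrete values.
POS_ID = "POS-0001"                                               # first terminal identity code
POS_KEYS = {1: b"pos-identity-key-1", 2: b"pos-identity-key-2"}   # key number -> identity key
PAYER_ID = "PAYER-0001"                                           # second terminal identity code
PAYER_KEY = b"payer-unique-identity-key"
TIME_LIMIT_MS = 1500        # the 'set time' allowed for n dynamic authentications (assumed)


def auth_alg(key: bytes, data: bytes) -> bytes:
    """Stand-in for the 'built-in authentication algorithm' (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the identity-key cipher: XOR with a per-message keystream."""
    nonce = os.urandom(16)
    stream = auth_alg(key, b"enc" + nonce)
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    stream = auth_alg(key, b"enc" + nonce)
    return bytes(c ^ s for c, s in zip(ct, stream))


def modified_key(identity_key: bytes, n: int) -> bytes:
    """Step D: this session's 'modified identity key' derived from n and the built-in key."""
    return auth_alg(identity_key, n.to_bytes(4, "big"))


def nth_response(random_code: bytes, mod_key: bytes, n: int) -> bytes:
    """Steps D/F: R1 = A(random, K'), R_i = A(R_(i-1), K'), ...; return R_n."""
    r = random_code
    for _ in range(n):
        r = auth_alg(mod_key, r)
    return r


class Server:
    def __init__(self):
        self.pos_keys = {POS_ID: POS_KEYS}
        self.payer_keys = {PAYER_ID: PAYER_KEY}
        self.backup = {}                  # first terminal id -> (random code, first enc, n)

    def step_b(self, pos_id: str, n: int):
        random_code = secrets.token_bytes(16)
        key_no = secrets.choice(list(self.pos_keys[pos_id]))
        first_enc = encrypt(self.pos_keys[pos_id][key_no], random_code)
        self.backup[pos_id] = (random_code, first_enc, n)
        return first_enc, key_no, n

    def step_f(self, pos_id, payer_id, rn, second_enc, key_no2) -> bool:
        random_code, _, n = self.backup.pop(pos_id)
        expected = nth_response(random_code, modified_key(self.payer_keys[payer_id], n), n)
        elapsed_ms = int.from_bytes(decrypt(self.pos_keys[pos_id][key_no2], second_enc), "big")
        # Both the chained response and the relay time must check out.
        return hmac.compare_digest(rn, expected) and elapsed_ms < TIME_LIMIT_MS


class PayerTerminal:
    """The 'second terminal'."""

    def __init__(self, key: bytes):
        self.key, self.access_code, self.seen = key, None, False

    def new_access_code(self) -> bytes:
        self.access_code, self.seen = secrets.token_bytes(8), False
        return self.access_code

    def step_d(self, access_code: bytes, random_code: bytes, n: int):
        # Only one random code is accepted per access-code session.
        if access_code != self.access_code or self.seen:
            raise ValueError("unexpected random code; ending the process")
        self.seen = True
        return nth_response(random_code, modified_key(self.key, n), n), PAYER_ID


def run_transaction(server, payer, n=3, relay_delay_ms=0) -> bool:
    """First-terminal (POS) side of steps A-F; relay_delay_ms simulates a slow relay."""
    first_enc, key_no, n = server.step_b(POS_ID, n)                 # steps A-B
    access_code = payer.new_access_code()                            # POS scans this
    random_code = decrypt(POS_KEYS[key_no], first_enc)               # step C
    t0 = time.monotonic()
    rn, payer_id = payer.step_d(access_code, random_code, n)         # NFC round trip, step D
    elapsed_ms = int((time.monotonic() - t0) * 1000) + relay_delay_ms
    key_no2 = secrets.choice(list(POS_KEYS))                         # step E
    second_enc = encrypt(POS_KEYS[key_no2], elapsed_ms.to_bytes(4, "big"))
    return server.step_f(POS_ID, payer_id, rn, second_enc, key_no2)  # step F
```

The time check in step F is what gives the scheme its relay resistance: a response that is correct but arrives after the set time is rejected, so the value of n and the time limit have to be chosen together.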
As one application of the present invention, the first terminal is a cash-receiving terminal and the second terminal is a checkout terminal. When the server sends the first encrypted data to the cash-receiving terminal in step B, it chooses any identity key of the cash-receiving terminal and its algorithm to encrypt the random code to obtain the first encrypted data, and then backs up the random code and the first encrypted data. After the cash-receiving terminal receives the command to release its near-field communication device and scanning device, it enables their data acquisition function, and once the access code has been collected it locks its near-field communication device and wireless data communication device so that they cannot be modified or closed by other processes. In step C, the cash-receiving terminal backs up the first encrypted data sent by the server. In step E, the data the cash-receiving terminal sends to the server includes the transaction amount, and after sending the authentication data to the server the cash-receiving terminal disables the data acquisition function of its near-field communication device and scanning device. In step F, after the server has authenticated the cash-receiving terminal and the checkout terminal, it transfers the amount corresponding to the transaction from the bank card or credit card bound to the checkout terminal to the bank card bound to the cash-receiving terminal. Applied to mobile-phone bank settlement, the present solution lets a mobile phone serve as a cash-receiving terminal as well as a checkout terminal, which effectively solves the shortage of POS terminals.
Further, in step D the second terminal accepts only the random code received within the near-field communication session of the access code; otherwise the process ends. In step F, after the transaction is completed, the server sends the first terminal an SMS transaction receipt using the backed-up first encrypted data as the SMS verification code; the first terminal compares the verification code received in the SMS with its own backup of the first encrypted data, and if the two do not match it warns the user that the SMS is fraudulent.
The above scheme is mainly used for near-field communication, so the first terminal and the second terminal must both have near-field communication capability; common near-field communication includes NFC, Bluetooth, Wi-Fi, sound waves and light waves. Besides payment, the method of the present invention can also be applied to public transport and subway card swiping and to smart access control.
Corresponding to the near-field data interaction above, the first terminal for user identity secure authentication based on far-field and near-field data interaction provided by the present invention is characterised by comprising:
an authentication request module, for initiating an authentication request to the server, the request containing the identity code of the first terminal, which is identification information uniquely identifying the first terminal and corresponds to several identity keys built into the first terminal, each identity key having a corresponding key number;
a decryption module, for backing up the first encrypted data in the received data and, only after the first terminal's scanning device has collected the second terminal's access code, looking up the built-in identity key matching the received key number and using the built-in decryption algorithm and that identity key to decrypt the received first encrypted data and obtain the random code;
a terminal device locking module, for locking the first terminal's near-field communication device and wireless data communication device after the access code has been collected, so that they cannot be modified or closed by other processes;
an identity authentication timing or counting module, which starts timing or counting the second terminal's authentication-data return time once the first terminal has sent the authentication data to the second terminal;
a near-field communication module, for near-field data transmission with the second terminal;
an encryption module, for selecting any built-in identity key of the first terminal and encrypting, with the built-in encryption algorithm, the time taken by the second terminal to return the authentication data (or the pulse count during that period) to obtain the second encrypted data, and then sending the second terminal's n-th authentication response value, the identity codes of the second terminal and the first terminal, the second encrypted data and the key number of the key used for the second encrypted data to the server;
a storage module, for storing the identity code of the first terminal, its several built-in identity keys, and the correspondence between identity keys and key numbers;
a data acquisition unlocking and locking module, which enables the data acquisition function of the near-field communication device and scanning device after the first terminal receives the server's unlock command, and disables it after the first terminal has sent the authentication data to the server;
an SMS authentication module, which compares the first encrypted data embedded in a received SMS with the first encrypted data retained on the device and, if the two do not match, warns the user that the SMS is fraudulent.
The second terminal for user identity secure authentication based on far-field and near-field data interaction is characterised by comprising:
an access code generation module, for randomly generating the access code used for channel access between near-field communication terminals;
a random code count discrimination module, for the second terminal to check how many random codes it receives in one identity authentication process: within the near-field communication session of the access code the second terminal may receive one and only one random code, otherwise the authentication process is terminated;
an identity authentication and count identification module, for the second terminal to receive and identify the dynamic authentication count n, compute this session's modified identity key from n and its built-in identity key using its built-in authentication algorithm, then perform a first authentication computation with that algorithm on the received random code and the modified identity key to obtain the first authentication response value, a second authentication computation on the first authentication response value and the modified identity key to obtain the second authentication response value, a third authentication computation on the second authentication response value and the modified identity key to obtain the third authentication response value, and so on until n authentication computations have been performed in sequence and the n-th authentication response value is obtained, and then send the n-th authentication response value and the identity code of the second terminal to the first terminal; the identity code of the second terminal is identification information that uniquely identifies the second terminal, corresponds uniquely to the second terminal's built-in identity key, and the second terminal has only one unique built-in identity key;
a storage module, for storing the identity code of the second terminal and the second terminal's built-in identity key and built-in authentication algorithm data.
The server for user identity secure authentication based on far-field and near-field data interaction is characterised by comprising:
an encryption module, for generating a random code after the first terminal's identity code has been verified, choosing any identity key corresponding to the first terminal's identity code together with its encryption algorithm, computing the first encrypted data from that identity key, the encryption algorithm and the random code, and sending the first encrypted data to the first terminal together with the key number of that identity key and the dynamic authentication count n for this second terminal;
a first terminal and second terminal identity authentication module, for the server to look up the dynamic authentication count n for this second terminal from the first terminal's identity code in the received data, and at the same time look up the identity key and authentication algorithm corresponding to the second terminal's identity code in the received data and compute the modified identity key from them and n; then perform a first authentication computation through the authentication algorithm on the backed-up random code corresponding to the first terminal's identity code and the modified identity key to obtain the first authentication response value, a second authentication computation on the first authentication response value and the modified identity key to obtain the second authentication response value, a third authentication computation on the second authentication response value and the modified identity key to obtain the third authentication response value, and so on until n authentication computations have been performed in sequence and the n-th authentication response value is obtained; then look up the identity key and decryption algorithm corresponding to the first terminal's identity code and key number in the data the first terminal sent and decrypt the second encrypted data to obtain the second terminal's authentication time or pulse count; and, if the n-th authentication response value sent by the first terminal is identical to the n-th authentication response value the server obtains after n authentication computations, and the time or pulse count decrypted from the second encrypted data is less than the set time corresponding to n dynamic authentications,
then complete the authentication of the first terminal and the second terminal;
a data backup module, for backing up the random code and the first encrypted data.
Considering that in daily life mobile phones are increasingly used for remote login operations, for communication while roaming away from home, and for frequent internet access, the present invention also provides a user identity secure authentication method based on far-field and near-field data interaction, characterised by comprising the following steps:
A. The mobile terminal initiates an authentication request to the server with a service code. The request information contains the identity code of the mobile terminal, which is identification information that uniquely identifies the mobile terminal and corresponds uniquely to the mobile terminal's built-in identity key; the mobile terminal has a single built-in identity key;
B. After receiving the authentication request, the server generates a first random code and sends it to the mobile terminal; at the same time the server looks up the identity key and authentication algorithm corresponding to the mobile terminal's identity code and computes the first authentication response value from that identity key, the authentication algorithm and the first random code;
C. The mobile terminal computes the second authentication response value from the received first random code, its built-in identity key and its authentication algorithm and sends it to the server, and at the same time starts step E; the first and second authentication computations use the same algorithm;
D. The server compares the first authentication response value with the received second authentication response value. If they match, it records the IP address from which the mobile terminal sent the second authentication response value in step C and proceeds to step F; otherwise it terminates this authentication flow;
E. The mobile terminal generates a second random code and sends it to the server;
F. After receiving the second random code, the server records the mobile terminal's IP address and replies to the mobile terminal that the information was received;
G. After receiving the server's reply, the mobile terminal computes the third authentication response value from the second random code, its built-in identity key and its authentication algorithm, and sends it to the server;
H. If the mobile terminal cannot successfully send the third authentication response value to the server, it sends an authentication-failure SMS to the server and terminates this authentication flow;
I. If the server has not received an authentication-failure SMS from the mobile terminal, it proceeds to step J; otherwise it terminates this authentication process;
J. The server computes the fourth authentication response value from the received second random code and the identity key and authentication algorithm corresponding to the mobile terminal's identity code;
K. The server compares the IP addresses recorded in step D and step F; if they match it proceeds to step L, and if they differ it terminates this authentication process;
L. The server compares the third authentication response value with the fourth authentication response value; if they are identical the mobile terminal passes authentication, and if they differ the server terminates this authentication process.
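The remote flow of steps A to L, simulated as an added example (not the patent's code): the server issues the first random code, the terminal issues the second, and the server only accepts the result when both responses verify, no failure SMS was received, and the two messages from the terminal came from the same IP address. HMAC-SHA256 stands in for the unnamed built-in authentication algorithm; the identity code, key and IP addresses are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; the patent gives none.
MOBILE_ID = "MT-0001"
MOBILE_KEY = b"mobile-terminal-unique-key"


def auth_alg(key: bytes, data: bytes) -> bytes:
    """Stand-in for the built-in authentication algorithm (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.keys = {MOBILE_ID: MOBILE_KEY}      # identity code -> identity key
        self.sessions = {}                        # identity code -> per-flow state

    def step_b(self, mobile_id: str) -> bytes:
        """Issue the first random code and precompute the first authentication response."""
        r1 = secrets.token_bytes(16)
        self.sessions[mobile_id] = {"resp1": auth_alg(self.keys[mobile_id], r1)}
        return r1

    def step_d(self, mobile_id: str, resp2: bytes, src_ip: str) -> bool:
        """Compare the terminal's second response with resp1 and record the source IP."""
        s = self.sessions.get(mobile_id)
        if s is None or not hmac.compare_digest(s["resp1"], resp2):
            self.sessions.pop(mobile_id, None)    # flow terminated
            return False
        s["ip_d"] = src_ip
        return True

    def step_f(self, mobile_id: str, r2: bytes, src_ip: str) -> bool:
        """Record the terminal's second random code and its source IP; reply 'received'."""
        s = self.sessions.get(mobile_id)
        if s is None:
            return False
        s["r2"], s["ip_f"] = r2, src_ip
        return True

    def failure_notice(self, mobile_id: str) -> None:
        """Step I: an authentication-failure SMS from the terminal ends the flow."""
        self.sessions.pop(mobile_id, None)

    def steps_j_to_l(self, mobile_id: str, resp3: bytes) -> bool:
        s = self.sessions.pop(mobile_id, None)
        if s is None or "r2" not in s or "ip_d" not in s:
            return False
        resp4 = auth_alg(self.keys[mobile_id], s["r2"])      # step J
        if s["ip_d"] != s["ip_f"]:                            # step K
            return False
        return hmac.compare_digest(resp3, resp4)              # step L


class MobileTerminal:
    def __init__(self, key: bytes, ip: str):
        self.key, self.ip = key, ip

    def respond(self, challenge: bytes) -> bytes:
        """Steps C and G: the same algorithm answers both random codes."""
        return auth_alg(self.key, challenge)


def run_remote_auth(server, mobile, ip_for_r2=None, resp3_delivered=True) -> bool:
    """Drive steps A-L; ip_for_r2 simulates the second random code arriving from another address."""
    r1 = server.step_b(MOBILE_ID)                                       # steps A-B
    if not server.step_d(MOBILE_ID, mobile.respond(r1), mobile.ip):     # steps C-D
        return False
    r2 = secrets.token_bytes(16)                                        # step E
    server.step_f(MOBILE_ID, r2, ip_for_r2 or mobile.ip)                # step F
    resp3 = mobile.respond(r2)                                          # step G
    if not resp3_delivered:                                             # step H
        server.failure_notice(MOBILE_ID)
        return False
    return server.steps_j_to_l(MOBILE_ID, resp3)                        # steps I-L
```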
In particular, the mobile terminal is a mobile phone fitted with a physical U/SIM card and holding several associated IMSI numbers. The server establishes and stores the unique attachment relationship between these IMSI numbers and the phone's identity code; the IMSI numbers are issued to the phone by the server according to their attachment to the phone's identity code, and the server has built in the unique physical U/SIM card corresponding to each IMSI number;
In step A, the authentication request information also contains an IMSI number, and after step L the server looks up the identity code that the IMSI number corresponds or belongs to; if the identity code found matches the identity code of the mobile terminal that passed authentication, the IMSI number passes the server's authentication.
In particular, after the mobile network has completed authentication of the several IMSI numbers, each IMSI number connects to the server so that the server can record the IP address the mobile network allocated to it. When the mobile terminal sends data to the server, the following steps are performed:
the mobile terminal divides the data into equal parts, one data block per IMSI number;
a service condition code is inserted into each data block, and each data block is assigned a level chain store;
the data blocks are distributed to the corresponding IMSI numbers for transmission over the mobile network;
after receiving the data blocks, the server reassembles and restores them according to the service feature code and level chain store and sends the result to the PDN network or the internet.
When the server receives data from the PDN network or the internet and sends it to the mobile terminal, the following steps are performed:
the server looks up the corresponding mobile terminal identity code and the IMSI numbers it manages from the IP address on which the data was received, and divides the data into equal data blocks according to the number of IMSI numbers;
a service condition code is inserted into each data block, and each data block is assigned a level chain store;
the data blocks are distributed to the IP address tunnels of the corresponding IMSI numbers for transmission over the mobile network;
after receiving the data blocks, the mobile terminal reassembles and restores them according to the service feature code and level chain store.
Splitting wireless data for transmission and merging it back at the destination improves data transmission efficiency; this is also a goal pursued by every major carrier in the world today, and the method of the present invention makes data transmission faster while guaranteeing the security of the number.
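The split-and-reassemble procedure above in both directions, as an added example that is not the patent's code. It interprets the "level chain store" as a per-block chain index (an assumption), tags each block with a service condition code, and on the receiving side tolerates blocks that arrive out of order or interleaved with another service's blocks while refusing to silently drop a missing or duplicated block; the service code value and IMSI identifiers are constructed.

```python
import math

# Constructed sample value; the patent gives none.
SERVICE_CODE = 0x21        # a 'service condition code' for one data flow (assumed)


def split_for_imsis(data: bytes, imsis: list, service_code: int) -> list:
    """Divide data into len(imsis) equal-sized blocks (the last may be shorter) and tag each
    block with the service condition code and a chain index, one block per IMSI number."""
    n = len(imsis)
    size = math.ceil(len(data) / n)
    return [
        {"imsi": imsi, "service": service_code, "chain": idx,
         "payload": data[idx * size:(idx + 1) * size]}
        for idx, imsi in enumerate(imsis)
    ]


def reassemble(blocks: list, service_code: int, n_imsis: int) -> bytes:
    """Restore the original data from blocks that may arrive out of order and interleaved
    with blocks of other services; a missing or duplicated block is an error."""
    by_chain = {}
    for b in blocks:
        if b["service"] != service_code:
            continue                       # belongs to another service flow
        if b["chain"] in by_chain:
            raise ValueError(f"duplicate block {b['chain']}")
        by_chain[b["chain"]] = b["payload"]
    missing = [i for i in range(n_imsis) if i not in by_chain]
    if missing:
        raise ValueError(f"missing blocks {missing}")
    return b"".join(by_chain[i] for i in range(n_imsis))
```

The receiver knows how many blocks to expect because, per the description, the server records which IMSI numbers belong to each identity code, so n_imsis comes from that record rather than from the blocks themselves.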
Corresponding to the remote data interaction above, the present invention provides a user identity security authentication terminal based on far- and near-field data interaction, characterized in that it comprises:
an authentication request initiation module, for initiating an authentication request to the server; the request contains the identity code of the mobile terminal, which uniquely identifies the mobile terminal and corresponds one-to-one with the single identity key built into the mobile terminal;
a first authentication module, for computing a second authentication response value from the first random code sent by the server, the terminal's own identity key and the authentication algorithm, and sending it to the server;
a second authentication module, for computing a third authentication response value from a second random code generated by the terminal itself, its own identity key and the authentication algorithm, and sending it to the server.
Further, the terminal also comprises:
a virtual mobile number authentication module, for applying to the server for secondary authentication of a virtual mobile number;
a data split and cascade module, for dividing data into equal blocks according to the number of IMSI numbers that have passed network authentication, inserting a service feature code into each block, assigning each block a cascade code and dispatching the blocks to those IMSI numbers for transmission over the mobile network; and for reassembling and restoring, according to the service feature code and cascade code, the data blocks the mobile terminal receives from the server.
Corresponding to the terminal above, the present invention provides a user identity security authentication server based on far- and near-field data interaction, comprising a server communication module for data transmission, characterized in that it also comprises:
a mobile terminal authentication module which, after receiving an authentication request from the mobile terminal, generates a first random code and sends it to the mobile terminal, while the server computes a first authentication response value over the first random code with the identity key and authentication algorithm corresponding to the mobile terminal's identity code and compares it with the second authentication response value received from the mobile terminal; if the two match and the server has not received an authentication failure SMS from the mobile terminal, it computes a fourth authentication response value over the second random code sent by the mobile terminal with the same identity key and authentication algorithm, compares the IP address from which the mobile terminal sent the second authentication response value with the IP address from which it sent the second random code, and if the two are consistent compares the third authentication response value sent by the mobile terminal with the fourth; if they are identical the mobile terminal's identity is authenticated, otherwise the authentication flow is terminated; if an authentication failure SMS is received from the mobile terminal, the authentication flow is terminated directly;
an authentication failure SMS module, for receiving authentication failure SMS messages from the mobile terminal.
Further, the server also comprises:
an IMSI number authentication module which, after authentication of the mobile terminal identity code is complete, verifies the validity of the IMSI numbers sent by the mobile terminal: the server maintains a table of the unique ownership relation between IMSI numbers and handset identity codes, looks up the identity code that owns the received IMSI number, and if it matches the identity code of the mobile terminal that passed authentication, the IMSI number authentication succeeds.
Further, the server also comprises a data split and cascade module, for recording the IP address an IMSI number reports to the server when it passes network authentication; for dividing data into equal blocks according to the number of those IMSI numbers, inserting a service feature code into each block, assigning each block a cascade code and sending each block to the mobile terminal over the mobile network through the IP address corresponding to its IMSI number; for reassembling and restoring, according to the service feature code and cascade code of each block, the data blocks the server receives from the mobile terminal; for forwarding to the PDN or the Internet the data restored by reassembling, according to service feature code and cascade code, the blocks received from the mobile network; and for dividing data received from the PDN or the Internet into equal blocks according to the number of IMSI numbers administered by the mobile terminal identity code, inserting a service feature code into each block, assigning each block a cascade code and sending the blocks to the mobile terminal over the mobile network through the IP tunnel corresponding to each IMSI number.
In the mobile terminal, first terminal and second terminal to which the present invention relates, the functional carrier that implements the corresponding authentication flow may be a separate hardware module or a card-type plug-in; in a concrete application this hardware module must be physically connected to the mobile terminal, for example as the U/SIM card used for mobile communication or as a Micro-SD memory card that also provides storage. Alternatively, the functional carrier may be built directly into the mobile terminal and integrated when the terminal is manufactured.
The beneficial effects of the invention are: with the security authentication method provided by the invention, the user only needs to replace the U/SIM or Micro-SD card with one carrying the functions of this system to solve the problem of user identity authentication well, reducing the threat of trojans to sensitive data and securing information communication; one-key authenticated network login without a password is achieved; the number of POS terminals and the range of environments for payment transactions are greatly extended; and the user is also offered roaming-fee-free and high-speed network services.
The technical solution of the invention is described in further detail below with reference to the embodiments; it should be noted that the embodiments are intended only to help the reader better understand the technical concept of the invention and not to limit its scope of protection.
Brief description of the drawings
Fig. 1 is a flow chart of near-field transaction payment carried out in the embodiment with the user identity security authentication method based on far- and near-field data interaction of the present invention;
Fig. 2 is a flow chart of remote login authentication carried out in the embodiment with the user identity security authentication method based on far- and near-field data interaction of the present invention.
Detailed description of the embodiments
The present invention addresses two problems of existing mobile phone payment: the insufficient number of POS terminals for collecting payment, and the inadequate security of the identity verification scheme used in the payment process. It provides a security authentication method for near-field interaction and a security authentication method for remote interaction. The technical solution of the invention is described in detail below through specific embodiments.
The user identity security authentication method based on far- and near-field data interaction provided by the invention is as follows.
Step 1. The first terminal initiates an authentication request with a service code to the server. The request contains the identity code of the first terminal, and the server authenticates the first terminal by that identity code. The identity code uniquely identifies the first terminal and corresponds to several identity keys built into the first terminal, each identity key having a corresponding key number.
Step 2. After verifying the first terminal's identity code, the server generates a random code, selects any one of the identity keys corresponding to that identity code together with its encryption algorithm, and computes the first encrypted data from the selected identity key, the encryption algorithm and the random code. It then sends the first encrypted data, the key number of the selected identity key and the dynamic authentication count n for this second terminal to the first terminal; at the same time it backs up the random code, the first encrypted data and the dynamic authentication count n, and records the correspondence between the random code and the first terminal's identity code.
Step 3. The second terminal randomly generates an access code. After the first terminal collects the access code over a contactless channel, the first terminal is triggered to look up the built-in identity key corresponding to the received key number and to decrypt the received first encrypted data with its built-in decryption algorithm and that key, recovering the random code. It then sends the random code and the dynamic authentication count n to the second terminal by near-field communication according to the access code, and at the same time starts timing (or counting) the second terminal's authentication data return time.
Step 4. The second terminal derives a modified identity key for this transaction by running the received dynamic authentication count n and its built-in identity key through its built-in authentication algorithm. It then performs a first authentication computation on the received random code and the modified identity key to obtain a first authentication response value, a second computation on the first authentication response value and the modified identity key to obtain a second authentication response value, a third computation on the second authentication response value and the modified identity key to obtain a third authentication response value, and so on until n computations have produced the n-th authentication response value. It then sends the n-th authentication response value and the identity code of the second terminal to the first terminal. The identity code of the second terminal uniquely identifies the second terminal and corresponds one-to-one with the single identity key built into the second terminal.
Step 5. The first terminal selects any one of its built-in identity keys and, with its built-in encryption algorithm, encrypts the time (or the count of pulses) taken by the second terminal to return the authentication data, obtaining the second encrypted data. It then sends the n-th authentication response value, the identity code of the first terminal, the identity code of the second terminal, the second encrypted data and the key number of the key used for the second encrypted data to the server.
Step 6. The server receives the data sent by the first terminal. From the first terminal's identity code in the received data it looks up the dynamic authentication count n of this second terminal; from the second terminal's identity code it looks up the corresponding identity key and authentication algorithm and computes the modified identity key from them and n. It then performs the first authentication computation on the backed-up random code corresponding to the first terminal's identity code and the modified identity key to obtain the first authentication response value, the second computation on the first authentication response value and the modified identity key to obtain the second, the third on the second authentication response value and the modified identity key to obtain the third, and so on until n computations have produced the n-th authentication response value. It also looks up, from the first terminal's identity code and the key number in the received data, the corresponding identity key and decryption algorithm, and decrypts the second encrypted data to recover the second terminal's authentication time or pulse count. If the n-th authentication response value in the first terminal's data is identical to the n-th authentication response value the server obtained after its n computations, and the time or pulse count recovered from the second encrypted data is below the limit set for n rounds of dynamic authentication, the first terminal and the second terminal pass authentication.
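Steps 1 to 6 above (which the device modules and the near-field payment example later on the page restate with the first terminal as the mobile phone POS and the second terminal as the paying phone), simulated end to end in one process as an added example; this is example code written for this page, not the patent's. The patent names neither the authentication algorithm nor the encryption algorithm, so the example assumes HMAC-SHA256 for the former and, for the latter, a nonce-keyed stream built from the same HMAC as a stand-in (a deployment would use an authenticated cipher such as AES-GCM). Keys, identity codes, the range of n and the 300 ms round-trip limit are constructed; the NFC round trip is passed in as a number rather than measured. Because Step 6 looks n up by the first terminal's identity code, the server stores n with the first terminal's backed-up challenge. Two checks worth noticing: the per-transaction modified key and the n-fold chain mean a captured n-th response is useless for any other random code or n, and the round-trip bound is what limits relaying the NFC leg to a distant paying phone.

```python
"""Near-field flow of Steps 1 to 6 in one process. Added example, not the patent's
code. Assumptions: HMAC-SHA256 as the authentication algorithm, an HMAC-keystream
stand-in cipher, constructed keys/identity codes, a 300 ms round-trip limit."""
import hashlib
import hmac
import os
import secrets
import struct


def auth(key: bytes, msg: bytes) -> bytes:
    """Authentication algorithm stand-in (assumption): HMAC-SHA256."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def encrypt(key: bytes, pt: bytes) -> bytes:
    """Stand-in cipher for plaintexts of at most 32 bytes: fresh nonce, XOR with HMAC keystream."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(pt, auth(key, nonce)))


def decrypt(key: bytes, ct: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(ct[16:], auth(key, ct[:16])))


def modified_key(identity_key: bytes, n: int) -> bytes:
    """Step 4: per-transaction key derived from n and the built-in identity key."""
    return auth(identity_key, struct.pack("!I", n))


def chained_response(random_code: bytes, mkey: bytes, n: int) -> bytes:
    """Steps 4 and 6: n iterated computations, each consuming the previous value."""
    value = random_code
    for _ in range(n):
        value = auth(mkey, value)
    return value


class NearFieldServer:
    def __init__(self, first_keys, second_keys, rtt_limit_ms=300):
        self.first_keys = first_keys    # first-terminal id -> list of keys, index = key number
        self.second_keys = second_keys  # second-terminal id -> its single identity key
        self.rtt_limit_ms = rtt_limit_ms
        self.sessions = {}              # first-terminal id -> backed-up (random code, n)

    def challenge(self, first_id):
        """Step 2: random code under one of the first terminal's keys, plus key number and n."""
        keys = self.first_keys[first_id]
        kno, n = secrets.randbelow(len(keys)), 3 + secrets.randbelow(6)
        rc = os.urandom(32)
        self.sessions[first_id] = (rc, n)
        return encrypt(keys[kno], rc), kno, n

    def verify(self, first_id, second_id, nth, enc_rtt, kno2):
        """Step 6: recompute the n-round response and bound the NFC round-trip time."""
        session = self.sessions.pop(first_id, None)   # a backed-up challenge is usable once
        if session is None or second_id not in self.second_keys:
            return False
        rc, n = session
        expected = chained_response(rc, modified_key(self.second_keys[second_id], n), n)
        rtt_ms = struct.unpack("!I", decrypt(self.first_keys[first_id][kno2], enc_rtt))[0]
        return hmac.compare_digest(nth, expected) and rtt_ms < self.rtt_limit_ms


class FirstTerminal:
    def __init__(self, ident, keys):
        self.id, self.keys = ident, keys

    def decrypt_challenge(self, enc_rc, kno):
        """Step 3: called only once the second terminal's access code has been scanned."""
        return decrypt(self.keys[kno], enc_rc)

    def seal_rtt(self, rtt_ms):
        """Step 5: encrypt the measured round trip under any built-in key, report its key number."""
        kno = secrets.randbelow(len(self.keys))
        return encrypt(self.keys[kno], struct.pack("!I", rtt_ms)), kno


class SecondTerminal:
    def __init__(self, ident, key):
        self.id, self.key = ident, key
        self.access_code, self.served = None, False

    def new_access_code(self):
        self.access_code, self.served = secrets.token_hex(8), False
        return self.access_code

    def respond(self, access_code, random_code, n):
        """Step 4; one and only one random code is accepted per access code."""
        if access_code != self.access_code or self.served:
            raise RuntimeError("authentication process terminated")
        self.served = True
        return chained_response(random_code, modified_key(self.key, n), n), self.id


def run_transaction(server, pos, payer, simulated_rtt_ms=40):
    enc_rc, kno, n = server.challenge(pos.id)                    # Steps 1 and 2
    code = payer.new_access_code()                                # Step 3: POS scans the access code
    rc = pos.decrypt_challenge(enc_rc, kno)
    nth, payer_id = payer.respond(code, rc, n)                    # Step 4 over NFC
    enc_rtt, kno2 = pos.seal_rtt(simulated_rtt_ms)                # Step 5
    return server.verify(pos.id, payer_id, nth, enc_rtt, kno2)   # Step 6
```

A transaction with a 40 ms round trip verifies; the same exchange reported with a 5000 ms round trip, or answered by a paying phone holding a different key, is rejected, and a second random code presented under the same access code is refused by the paying phone.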
For the method above, the invention also provides a set of devices dedicated to it, comprising:
a user identity security authentication first terminal based on far- and near-field data interaction, comprising:
an authentication request module, for initiating an authentication request to the server; the request contains the identity code of the first terminal, which uniquely identifies the first terminal and corresponds to several identity keys built into the first terminal, each identity key having a corresponding key number;
a decryption module, for backing up the first encrypted data in the received data; only after the first terminal's scanning device has collected the access code of the second terminal does the first terminal look up the built-in identity key corresponding to the received key number and decrypt the received first encrypted data with its built-in decryption algorithm and that key to recover the random code;
a terminal data device locking module, for locking the first terminal's near-field communication device and wireless data communication device once the access code has been collected, so that they cannot be modified or closed by other processes;
an identity authentication timing or counting module, for starting, once the first terminal has sent the authentication data to the second terminal, the timing or counting of the second terminal's authentication data return time;
a near-field communication module, for near-field data transmission with the second terminal;
an encryption module, for selecting any one of the first terminal's built-in identity keys and encrypting, with the built-in encryption algorithm, the time (or pulse count) taken by the second terminal to return the authentication data, obtaining the second encrypted data; and for sending the n-th authentication response value of the second terminal, the identity codes of the second terminal and the first terminal, the second encrypted data and the key number of the key used for the second encrypted data to the server;
a storage module, for storing the identity code of the first terminal, its several built-in identity keys and the correspondence between identity keys and key numbers;
a data collection unlock and lock module, for enabling the data collection function of the near-field communication device and the scanning device after the first terminal receives an unlock command from the server, and disabling it after the first terminal has finished sending the authentication data to the server;
an SMS authentication module, for comparing the first encrypted data embedded in a received SMS with the first encrypted data retained on the device and, if they differ, warning the user that the SMS is fraudulent.
And a user identity security authentication second terminal based on far- and near-field data interaction, comprising:
an access code generation module, for randomly generating an access code used for channel access between near-field communication terminals;
a random code count identification module, for the second terminal to check how many random codes it receives in one identity authentication process: within the near-field communication under the access code the second terminal may receive one and only one random code, otherwise it terminates the authentication process;
an identity authentication and count identification module, for the second terminal to receive and identify the dynamic authentication count n, derive the modified identity key for this transaction from n and its built-in identity key through its built-in authentication algorithm, then perform a first authentication computation on the received random code and the modified identity key to obtain a first authentication response value, a second computation on the first authentication response value and the modified identity key to obtain a second, a third on the second authentication response value and the modified identity key to obtain a third, and so on until n computations have produced the n-th authentication response value, and to send the n-th authentication response value and the identity code of the second terminal to the first terminal; the identity code uniquely identifies the second terminal and corresponds one-to-one with the single identity key built into the second terminal;
a storage module, for storing the identity code of the second terminal, its built-in identity key and its built-in authentication algorithm data.
And a user identity security authentication server based on far- and near-field data interaction, comprising:
an encryption module, for generating a random code after the first terminal's identity code is verified, selecting any one of the identity keys corresponding to that identity code together with its encryption algorithm, computing the first encrypted data from the selected key, the algorithm and the random code, and sending the first encrypted data together with the key number of the selected key and the dynamic authentication count n for this second terminal to the first terminal;
a first terminal and second terminal identity authentication module, for the server to look up the dynamic authentication count n of this second terminal from the first terminal's identity code in the received data, look up the identity key and authentication algorithm corresponding to the second terminal's identity code in the received data and compute the modified identity key from them and n, then perform the first authentication computation on the backed-up random code corresponding to the first terminal's identity code and the modified identity key to obtain the first authentication response value, the second computation with the first authentication response value as the random code and the modified identity key to obtain the second, the third with the second authentication response value as the random code and the modified identity key to obtain the third, and so on until n computations have produced the n-th authentication response value; and for looking up, from the first terminal's identity code and key number in the received data, the corresponding identity key and decryption algorithm and decrypting the second encrypted data to recover the second terminal's authentication time or pulse count; if the n-th authentication response value in the first terminal's data is identical to the n-th authentication response value the server obtained after n computations, and the time or pulse count recovered from the second encrypted data is below the limit set for n rounds of dynamic authentication, authentication of the first terminal and the second terminal is complete;
a data backup module, for backing up the random code and the first encrypted data.
Another user identity security authentication method based on far- and near-field data interaction provided by the invention comprises the following steps:
Step 1. The mobile terminal initiates an authentication request with a service code to the server. The request contains the identity code of the mobile terminal, which uniquely identifies the mobile terminal and corresponds one-to-one with the single identity key built into the mobile terminal.
Step 2. After receiving the authentication request, the server generates a first random code and sends it to the mobile terminal; at the same time the server looks up the identity key and authentication algorithm corresponding to the mobile terminal's identity code and computes a first authentication response value from that key, the algorithm and the first random code.
Step 3. The mobile terminal computes a second authentication response value from the received first random code, its built-in identity key and its authentication algorithm, sends it to the server, and at the same time starts Step 5. The first authentication computation (Step 2) and the second (this step) use the same algorithm.
Step 4. The server compares the first authentication response value with the received second authentication response value; if they are consistent, it records the IP address from which the mobile terminal sent the second authentication response value in Step 3 and proceeds to Step 6, otherwise it terminates the authentication flow.
Step 5. The mobile terminal generates a second random code and sends it to the server.
Step 6. After receiving the second random code, the server records the IP address of the mobile terminal and acknowledges receipt to the mobile terminal.
Step 7. After receiving the server's acknowledgement, the mobile terminal computes a third authentication response value from the second random code, its built-in identity key and its authentication algorithm and sends it to the server.
Step 8. If the mobile terminal cannot successfully send the third authentication response value to the server, it sends an authentication failure SMS to the server and terminates the authentication flow.
Step 9. If the server has not received an authentication failure SMS from the mobile terminal, it proceeds to Step 10; otherwise it terminates the authentication process.
Step 10. The server computes a fourth authentication response value from the received second random code, the identity key corresponding to the mobile terminal's identity code and the authentication algorithm.
Step 11. The server compares the IP addresses recorded in Step 4 and Step 6; if they are consistent it proceeds to Step 12, otherwise it terminates the authentication process.
Step 12. The server compares the third authentication response value with the fourth; if they are identical, the mobile terminal passes authentication, otherwise the authentication process is terminated.
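The twelve steps above, simulated end to end as an added example (example code written for this page, not the patent's). The patent does not name the authentication algorithm, so HMAC-SHA256 is assumed; the source IP address is modelled as a string the transport attaches to each message, the authentication failure SMS as an out-of-band signal that ends the session, and keys and identity codes are constructed. The simulation runs Step 5 after Step 3 rather than concurrently. Two points the code makes explicit: the server must refuse a third response once a failure SMS has arrived or when no second random code was ever recorded, and the Step 11 address check only notices a second leg arriving from a different address; it is not a cryptographic binding of the two legs, and addresses behind carrier-grade NAT are shared and can change mid-flow, so it is a heuristic, not the proof of identity.

```python
"""Remote flow of Steps 1 to 12 in one process. Added example, not the patent's
code. Assumptions: HMAC-SHA256 as the authentication algorithm; a source IP string
carried with each message; a failure SMS modelled as an out-of-band call."""
import hashlib
import hmac
import os


def auth(key: bytes, msg: bytes) -> bytes:
    """Authentication algorithm stand-in (assumption): HMAC-SHA256, same on both sides."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class RemoteServer:
    def __init__(self, keys):
        self.keys = keys        # mobile terminal identity code -> built-in identity key
        self.sessions = {}      # identity code -> per-flow state

    def start(self, term_id):
        """Steps 1 and 2: issue the first random code and precompute response 1."""
        r1 = os.urandom(32)
        self.sessions[term_id] = {"resp1": auth(self.keys[term_id], r1),
                                  "ip1": None, "ip2": None, "r2": None}
        return r1

    def receive_response2(self, term_id, resp2, src_ip):
        """Step 4: response 2 must equal response 1; record the sender's address."""
        s = self.sessions.get(term_id)
        if s is None or not hmac.compare_digest(s["resp1"], resp2):
            self.sessions.pop(term_id, None)
            return False
        s["ip1"] = src_ip
        return True

    def receive_random2(self, term_id, r2, src_ip):
        """Step 6: record the second random code and the address it came from, acknowledge."""
        s = self.sessions[term_id]
        s["r2"], s["ip2"] = r2, src_ip
        return "ack"

    def receive_failure_sms(self, term_id):
        """Step 9: an authentication failure SMS terminates the flow outright."""
        self.sessions.pop(term_id, None)

    def receive_response3(self, term_id, resp3):
        """Steps 9 to 12: no failure SMS, both addresses consistent, response 3 equals response 4."""
        s = self.sessions.pop(term_id, None)          # the flow ends here either way
        if s is None or s["ip1"] is None or s["r2"] is None:
            return False
        resp4 = auth(self.keys[term_id], s["r2"])     # Step 10
        if s["ip1"] != s["ip2"]:                      # Step 11
            return False
        return hmac.compare_digest(resp3, resp4)      # Step 12


class Terminal:
    def __init__(self, ident, key, ip):
        self.id, self.key, self.ip = ident, key, ip

    def respond(self, random_code):
        """Steps 3 and 7: the same key and algorithm answer both random codes."""
        return auth(self.key, random_code)


def run_login(server, term, r2_src_ip=None, deliver_response3=True):
    """Drive one flow; r2_src_ip different from term.ip models a second leg from elsewhere."""
    r1 = server.start(term.id)
    if not server.receive_response2(term.id, term.respond(r1), term.ip):
        return False
    r2 = os.urandom(32)                                         # Step 5
    server.receive_random2(term.id, r2, r2_src_ip or term.ip)   # Step 6
    resp3 = term.respond(r2)                                    # Step 7
    if not deliver_response3:                                   # Step 8
        server.receive_failure_sms(term.id)
        return False
    return server.receive_response3(term.id, resp3)
```

A terminal holding the registered key and sending both legs from one address passes; the same terminal with the second random code arriving from another address, a terminal with the wrong key, or a flow cut short by a failure SMS is rejected.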
Corresponding to the above method, the invention provides devices specifically designed to implement it, comprising:
a user identity security authentication terminal based on far- and near-field data interaction, comprising:
an authentication request initiation module, for initiating an authentication request to the server; the request contains the identity code of the mobile terminal, which uniquely identifies the mobile terminal and corresponds one-to-one with the single identity key built into the mobile terminal;
a first authentication module, for computing a second authentication response value from the first random code sent by the server, the terminal's own identity key and the authentication algorithm, and sending it to the server;
a second authentication module, for computing a third authentication response value from a second random code generated by the terminal itself, its own identity key and the authentication algorithm, and sending it to the server;
a send failure SMS module, for sending an authentication failure SMS to the server when the third authentication response value could not be successfully sent to the server.
And a user identity security authentication server based on far- and near-field data interaction, comprising a server communication module for data transmission, and further comprising:
a mobile terminal authentication module which, after receiving an authentication request from the mobile terminal, generates a first random code and sends it to the mobile terminal, while the server computes a first authentication response value over the first random code with the identity key and authentication algorithm corresponding to the mobile terminal's identity code and compares it with the second authentication response value received from the mobile terminal; if the two match and the server has not received an authentication failure SMS from the mobile terminal, it computes a fourth authentication response value over the second random code sent by the mobile terminal with the same identity key and authentication algorithm, compares the IP address from which the mobile terminal sent the second authentication response value with the IP address from which it sent the second random code, and if the two are consistent compares the third authentication response value sent by the mobile terminal with the fourth; if they are identical the mobile terminal's identity is authenticated, otherwise the authentication flow is terminated; if an authentication failure SMS is received from the mobile terminal, the authentication flow is terminated directly.
an authentication failure SMS module, for receiving authentication failure SMS messages from the mobile terminal.
Examples
Specific application examples of the present invention are described in detail below.
1. Card-free near-field payment by mobile phone
Users and merchants need to register on the system server and file key information, such as mobile number, bank card or credit card number and the handset identity code of this system; the handset identity code serves as the system's identifier of the user's identity, and on the server this identity code is associated with the user's identity key and algorithm. When a mobile phone is used as a POS, the collecting user must also provide the documents required by regulation, such as ID card number and business licence. The functional carrier of this system may be a physical card integrating the functions of the first terminal and the second terminal of the invention. The first terminal is the collecting phone, referred to below as the mobile phone POS; the second terminal is the paying phone. The payment authentication flow is shown in Fig. 1.
Without loss of generality, for the barcode-scanning mode of near-field payment the flow is as follows:
The mobile phone POS initiates an authentication request with a service code to the server. The request contains the identity code of the mobile phone POS, and the server authenticates the mobile phone POS by that identity code; the identity code uniquely identifies the mobile phone POS and corresponds to several identity keys built into it, each identity key having a corresponding key number. After verifying the identity code, the server generates a random code, selects any one of the identity keys corresponding to that identity code together with its encryption algorithm, computes the first encrypted data from the selected key, the algorithm and the random code, and sends the first encrypted data, the key number of the selected key and the dynamic authentication count n for this paying phone to the mobile phone POS; at the same time it backs up the random code, the first encrypted data and n, and records the correspondence between the random code and the POS identity code. The paying phone generates a random access code. After the mobile phone POS collects the access code over a contactless channel, it is triggered to look up the built-in identity key for the received key number and to decrypt the received first encrypted data with its built-in decryption algorithm and that key, recovering the random code; it then sends the random code and the dynamic authentication count n to the paying phone by near-field communication according to the access code, and at the same time starts timing (or counting) the paying phone's authentication data return time. The paying phone derives this transaction's modified identity key from the received n and its built-in identity key through its built-in authentication algorithm, then performs a first authentication computation on the received random code and the modified identity key to obtain the first authentication response value, a second on the first authentication response value and the modified identity key to obtain the second, a third on the second authentication response value and the modified identity key to obtain the third, and so on until n computations have produced the n-th authentication response value, which it sends to the mobile phone POS together with its identity code; the identity code uniquely identifies the paying phone and corresponds one-to-one with the single identity key built into the paying phone. The mobile phone POS selects any one of its built-in identity keys and, with its built-in encryption algorithm, encrypts the time (or the count of pulses) taken by the paying phone to return the authentication data, obtaining the second encrypted data; it then sends the n-th authentication response value, the identity code of the paying phone, the identity code of the mobile phone POS, the second encrypted data and the key number of the key used for the second encrypted data to the server. The server receives the data sent by the mobile phone POS; from the POS identity code in the data it looks up the dynamic authentication count n for this paying phone, and from the paying phone's identity code it looks up the corresponding identity key and authentication algorithm and computes the modified identity key from them and n. It then performs the first authentication computation on the backed-up random code corresponding to the POS identity code and the modified identity key to obtain the first authentication response value, the second on the first authentication response value and the modified identity key to obtain the second, the third on the second authentication response value and the modified identity key to obtain the third, and so on until n computations have produced the n-th authentication response value. It also looks up, from the POS identity code and key number in the data, the corresponding identity key and decryption algorithm and decrypts the second encrypted data to recover the paying phone's authentication time or pulse count. If the n-th authentication response value in the data sent by the mobile phone POS is
identical with the described n-th Authentication Response value that server obtains after n authentication computing, and to obtaining time corresponding to described n dynamic authentication after the second decrypt encrypted data or count pulse is less than setting, then by the certification to mobile phone POS and mobile phone with payment function.Server completes after mobile phone POS and mobile phone with payment function authentication, draws and the amount of money corresponding to transaction pay from the bank card of mobile phone with payment function binding in the bank card of mobile phone POS binding or credit card.
In particular, transaction receipts are delivered by SMS. Considering that a paying user could use a "pseudo base station" to send a fake transaction message to mislead the other party, the server appends the backed-up first encrypted data to the SMS it sends to the POS as an SMS verification code. When the POS receives an SMS with such a suffix from the server's port number, it compares the suffix code of the message with the first encrypted data it retained; if they do not match, it deletes the message or warns the user that the transaction information in the message is false.
There are two key numbers here. The first key number is chosen by the server and sent to the POS, which looks up the corresponding identity key in its own store in order to decrypt the first encrypted data and obtain the random code. The second key number is chosen by the POS and uploaded to the server, which uses it to look up the identity key corresponding to the POS identity code in order to decrypt the encrypted pulse-count packet of the payment phone's authentication. The server pre-stores the identity code of each POS together with its identity keys and key numbers, one identity key per key number. Only the key number is transmitted over the channel, never the identity key itself; the purpose is to prevent others from brute-forcing the identity key. If, instead of selecting the corresponding "key" by "key number", an authentication mode of "random code" + "authentication response" alone were used, then, because the identity authentication module communicates with the phone's baseband, an outsider could send random codes to the phone at any time, collect the authentication responses and brute-force the identity key. An identity key and its number are discarded after use, so an outsider has difficulty cracking the identity key. This guards against the possibility of bypassing the system's counter/timer by cracking the POS identity key, prevents tampering with the authentication counter pulse count, and cuts off the route by which a remote party could steal user authentication data.
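The near-field flow above, as an added example that is not part of the patent: a Python simulation in which HMAC-SHA256 stands in for the unspecified built-in authentication algorithm, an HMAC-derived XOR keystream stands in for the identity-key cipher, and an integer pulse count stands in for the POS timer. The key tables, identity codes, the count n and the time limit are constructed sample values.

```python
import hashlib
import hmac
import secrets


def auth(key: bytes, data: bytes) -> bytes:
    """Stand-in for the built-in authentication algorithm (HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def xor_cipher(key: bytes, data: bytes, label: bytes) -> bytes:
    """Stand-in cipher (demo only): XOR with a keystream derived from the
    identity key and a per-message label; the function is its own inverse."""
    stream = hmac.new(key, label, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def modify_key(identity_key: bytes, n: int) -> bytes:
    """Modified identity key: the built-in key combined with the count n."""
    return auth(identity_key, n.to_bytes(2, "big"))


def chained_response(random_code: bytes, mod_key: bytes, n: int) -> bytes:
    """n chained rounds: R1 = A(rand, K'), R2 = A(R1, K'), ..., Rn."""
    value = random_code
    for _ in range(n):
        value = auth(mod_key, value)
    return value


class Server:
    def __init__(self, pos_keys, phone_keys, n, pulse_limit):
        self.pos_keys = pos_keys        # pos_id -> {key_no: identity key}
        self.phone_keys = phone_keys    # phone_id -> its single identity key
        self.n = n                      # dynamic authentication count
        self.pulse_limit = pulse_limit  # longest acceptable return time
        self.backup = {}                # pos_id -> (random code, n)

    def step_b(self, pos_id):
        """Choose one POS key by number, encrypt a fresh random code, back up."""
        random_code = secrets.token_bytes(16)
        key_no, key = secrets.choice(sorted(self.pos_keys[pos_id].items()))
        self.backup[pos_id] = (random_code, self.n)
        return xor_cipher(key, random_code, b"first"), key_no, self.n

    def step_f(self, pos_id, phone_id, resp_n, enc2, key_no2):
        """Recompute the n-th response and check the decrypted return time."""
        random_code, n = self.backup.pop(pos_id)
        mod_key = modify_key(self.phone_keys[phone_id], n)
        expected = chained_response(random_code, mod_key, n)
        key2 = self.pos_keys[pos_id][key_no2]      # looked up by key number
        pulses = int.from_bytes(xor_cipher(key2, enc2, b"second"), "big")
        return hmac.compare_digest(expected, resp_n) and pulses < self.pulse_limit


class PaymentPhone:
    def __init__(self, phone_id, identity_key):
        self.phone_id, self.identity_key = phone_id, identity_key
        self.access_code = secrets.token_hex(4)    # collected by the POS

    def step_d(self, access_code, random_code, n):
        """Answer only a random code delivered against our own access code."""
        if access_code != self.access_code:
            return None
        mod_key = modify_key(self.identity_key, n)
        return chained_response(random_code, mod_key, n), self.phone_id


class PosTerminal:
    def __init__(self, pos_id, keys):
        self.pos_id, self.keys = pos_id, keys      # keys: key_no -> key

    def run(self, server, phone, elapsed_pulses):
        """Steps A to E; elapsed_pulses is the measured response time."""
        enc1, key_no, n = server.step_b(self.pos_id)                  # A, B
        random_code = xor_cipher(self.keys[key_no], enc1, b"first")   # C
        answer = phone.step_d(phone.access_code, random_code, n)      # C, D
        if answer is None:
            return False
        resp_n, phone_id = answer
        key_no2 = secrets.choice([k for k in self.keys if k != key_no])  # E
        enc2 = xor_cipher(self.keys[key_no2],
                          elapsed_pulses.to_bytes(4, "big"), b"second")
        return server.step_f(self.pos_id, phone_id, resp_n, enc2, key_no2)


def run_transaction(elapsed_pulses, phone_key=b"K_phone_0001", n=3):
    """Constructed sample deployment: one POS with three keys, one phone.
    phone_key lets the caller simulate a phone holding the wrong key."""
    pos_keys = {"POS-01": {1: b"K_pos_1", 2: b"K_pos_2", 3: b"K_pos_3"}}
    server = Server(pos_keys, {"PH-01": b"K_phone_0001"}, n, pulse_limit=10)
    pos = PosTerminal("POS-01", pos_keys["POS-01"])
    return pos.run(server, PaymentPhone("PH-01", phone_key), elapsed_pulses)
```

A slow reply (pulse count at or above the limit) fails even when the n-th response is correct, which is the relay-delay check the timer exists for.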
Two. Card-free remote payment by mobile phone
The user still completes the corresponding information submission on the server by the existing procedure, including the mobile phone number, the handset identity code of this system and the bound bank card or credit card. This system provides user identity authentication services to business websites such as WeChat, Taobao, QQ and e-mail, and to third-party payment institutions; for that purpose the user also has to fill in the mobile phone number or the handset identity code of this system on those business websites. Because such remote services have no near-end accepting terminal such as a POS, they lack the locking function during the user identity authentication period, so for such services the server must perform double authentication of the handset identity code. The authentication principle is that one identity code cannot appear with two or more IP addresses at the same time; this guards against the route by which a "zombie host" trojan remotely steals user authentication data. The first authentication of the handset identity code is initiated by the server, and the second by the mobile phone, as shown in Figure 2. The remote payment flow is as follows:
(1) When the user enters the payment interface of a business website or logs in to the website and requests authentication, the business website sends the server an authentication application for that user together with the mobile phone number or handset identity code corresponding to the login account and its IP address. The server then generates a first random code and sends it to the mobile phone through the channel between the website and the phone, initiating the first authentication of the user; at the same time it looks up the identity key for this handset identity code, computes the first authentication response from that key and the first random code with its authentication algorithm, and stores it. The user's mobile phone computes the second authentication response from the received first random code and its built-in identity key with its authentication algorithm and replies to the server. The server then compares the first and second authentication response values; if they differ, it notifies the website to refuse service to the account corresponding to this mobile phone number. (2) If they are identical, the second authentication process begins. This second authentication is intended to guard against a trojan relaying the first random code to a remote party in order to steal the second authentication response of the user's phone. Naturally, if this account has already logged in and is online, the server ignores an authentication application for the same account. The second authentication flow is as follows. While computing the second authentication response value, the mobile phone also triggers a second authentication application to the server, so that the server can judge whether the same account is currently logged in to this business website; that is, the mobile phone sends a second random code to the preset IP address of the server to initiate the second authentication. The server receives this second random code, replies to the phone, and at the same time records the phone's IP' address. Only after receiving the server's reply does the phone send the server the third authentication response, computed from the second random code and its built-in identity key with its authentication algorithm; if the phone cannot send the third authentication response successfully, it sends an authentication-failure SMS to the server. Correspondingly, if the server receives no authentication-failure SMS from the phone, it looks up the identity key corresponding to the handset identity code, computes the fourth authentication response from that key and the received second random code with its authentication algorithm, and then judges as follows: (I) it compares the IP address sent by the business website with the IP' address from the phone's second authentication; if they are not identical, the server notifies the business website to stop service to the account corresponding to this mobile phone number; (II) if they are identical, it compares the received third authentication response value with the fourth authentication response value; if identical, the server notifies the business website that the account passes authentication, and if different, it notifies the website to stop service to the account. If the server receives an authentication-failure SMS from the phone, it directly notifies the website to stop service to the account. In addition, the server IP address preset in the mobile phone cannot be changed arbitrarily by outsiders; it is used mainly to synchronise with a new IP address of this system's server. To prevent a trojan from cracking the identity key and to guard against the second authentication process being diverted to another server, the method of selecting the corresponding key by key number is used here as well: only the key number is passed over the channel, never the key. If the server's IP address changes, then when the user's phone connects to the old server of this system at the preset IP address, the old server issues a redirect to the new IP address and instructs the phone to modify the server IP address it has stored.
This double authentication technique is not only for remote payment; it can also serve as the password-free authentication of an authentication centre for Internet services such as e-mail and QQ.
Three. Roaming-fee-free application
For roaming users, after replacing their card with this system's U/SIM or micro-SD function carrier having the double authentication function, they can communicate at local rates with the assistance of this system's server. To realise this service, a legal physical U/SIM card bought from a mobile operator is first inserted into the U/SIM card reader of the server, so that it provides the server with the mobile network's data needed to authenticate the virtual number. The user's mobile phone has its primary U/SIM card plus one or more associated IMSI numbers, that is, one or more virtual mobile phone numbers. The IMSI (international mobile subscriber identity) number is issued to the user's phone by the server according to the attachment relation between it and the primary U/SIM card; it is identical to the IMSI number of the physical U/SIM card in the server's card reader. After the user tops up those virtual numbers, the billing system of the operator to which they belong charges for them. The user must register on the server in advance to become a user of this system; after the primary phone number, virtual phone numbers, handset identity code and the real-name information such as ID card number and name have been submitted, the server builds and stores a multi-number attachment relation chain with this handset identity code as the chain head, and that chain is the basis for server-assisted IMSI authentication. Once the user has completed the information submission and topped up the chosen number in the system account, the server issues the chosen virtual phone number and its IMSI to the phone. The flow is as follows:
When the user taps the APP icon to start the roaming-free mode, the phone's primary U/SIM connects to the server and sends its handset identity code and the IMSI number to be authenticated; the server then performs double authentication of the handset identity code by the flow described above and checks the attachment relation between that IMSI and the handset identity code. The double authentication flow is as follows. (1) First authentication. The primary U/SIM applies to the server for authentication with its handset identity code; the server issues a first random code to the phone, requiring the first authentication against number-stealing trojans, and at the same time looks up the identity key for this handset identity code, computes the first authentication response from it and the first random code with its authentication algorithm, and stores it. The phone computes the second authentication response from the received first random code and its built-in identity key with its authentication algorithm and replies to the server, which records the phone's IP address. The server then compares the first and second authentication response values; if they differ, it refuses service to this phone. (2) If they are identical, the second authentication, against smart remote number-stealing trojans, proceeds. While computing the second authentication response value, the phone triggers the flow that initiates the second authentication: it sends a second random code to the server, and the server receives it, replies to the phone and records the phone's IP' address. After receiving the server's reply, the phone sends the server the third authentication response value computed from the second random code and its built-in identity key with its authentication algorithm; if it cannot send the third authentication response successfully, it sends an authentication-failure SMS and ends the phone's authentication flow. Naturally, if this primary U/SIM has already been authenticated and is online, the server ignores an authentication application for the same identity code. Correspondingly, if the server receives no authentication-failure SMS, it looks up the identity key corresponding to this handset identity code and computes the fourth authentication response from the received second random code and that key with its authentication algorithm, and then judges as follows: (I) it compares the IP address from which the handset identity code replied during the first authentication with the IP' address of its second authentication; if they differ, the server stops providing service to this handset identity code; (II) if they are identical, it compares the third and fourth authentication response values; if identical, the handset identity code passes the server's authentication, and if different, service to this handset identity code is refused. If an authentication-failure SMS is received, service to this handset identity code is refused directly.
After the handset identity code has passed the server's authentication, the server checks the attachment relation between the IMSI and the handset identity code. If that check passes, then when the IMSI applies to register with the mobile network and the network requires authentication, the phone passes the authentication parameters issued by the mobile network, such as RAND, or RAND, AUTN and Kasme, to the server over the channel set up between the primary U/SIM and the server; the server calls the card reader to have the U/SIM card corresponding to this IMSI take part in the authentication and returns the required authentication response value SRES to the phone over the same channel, and the phone replies to the mobile network to complete authentication. If the check fails, authentication service for this IMSI is refused. Once the IMSI has been authenticated by its home mobile network, the virtual number can communicate at local rates. If an IMSI is stolen, then on the one hand, because it would be used on a relation chain other than that of its attached handset identity code, it would not pass the server's authentication of members of the handset identity code's attachment chain; on the other hand, because the phone moves, the base station or sector serving it may change, so the phone is required to re-authenticate because of location updates or periodic location updates. A stolen IMSI therefore cannot be used. Since each authenticated IMSI occupies a different time slot and frequency of the base station and sector, the primary number and the secondary number can be on standby at the same time.
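The double-authentication flow shared by sections Two and Three (remote payment and roaming), as an added example that is not part of the patent, including the IMSI attachment-chain check of section Three. HMAC-SHA256 stands in for the built-in authentication algorithm; the keys, identity codes, IP addresses, preset server address and relation chain are constructed sample values.

```python
import hashlib
import hmac
import secrets


def auth(key: bytes, data: bytes) -> bytes:
    """Stand-in for the built-in authentication algorithm."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Server:
    def __init__(self, keys, imsi_chain):
        self.keys = keys              # identity code -> identity key
        self.imsi_chain = imsi_chain  # identity code (chain head) -> IMSIs
        self.sessions = {}            # identity code -> state of this attempt
        self.online = set()           # identity codes already authenticated

    def first_auth(self, code, ip):
        """(1) Server-initiated challenge; remember IP and the 1st response."""
        if code in self.online:
            return None               # ignore applications for a live account
        r1 = secrets.token_bytes(16)
        self.sessions[code] = {"ip": ip, "resp1": auth(self.keys[code], r1)}
        return r1

    def second_auth(self, code, r2, ip2):
        """(2) Phone-initiated challenge; record r2 and the phone's IP'."""
        self.sessions[code].update(r2=r2, ip2=ip2)
        return "ack"                  # the reply the phone waits for

    def decide(self, code, resp2, resp3, failure_sms=False):
        """Compare 1st/2nd responses, then (I) IP vs IP', (II) 3rd vs 4th."""
        s = self.sessions.pop(code)
        if not hmac.compare_digest(s["resp1"], resp2):
            return False              # first authentication failed
        if failure_sms or s["ip"] != s["ip2"]:
            return False              # (I) second IP address, or no resp3
        resp4 = auth(self.keys[code], s["r2"])
        if not hmac.compare_digest(resp3, resp4):
            return False              # (II)
        self.online.add(code)
        return True

    def imsi_belongs(self, code, imsi):
        """Section Three: the IMSI must sit on this identity code's chain."""
        return imsi in self.imsi_chain.get(code, ())


class Phone:
    def __init__(self, code, key, ip):
        self.code, self.key, self.ip = code, key, ip
        self.server_ip = "198.51.100.7"   # preset server address (constructed)

    def respond(self, challenge):
        return auth(self.key, challenge)


def run_double_auth(server, phone, request_ip, can_send_resp3=True):
    """request_ip: the IP the website (or the first reply) reported."""
    r1 = server.first_auth(phone.code, request_ip)
    if r1 is None:
        return None                   # ignored: account already online
    resp2 = phone.respond(r1)
    r2 = secrets.token_bytes(16)      # phone starts the second flow at once
    reply = server.second_auth(phone.code, r2, phone.ip)
    resp3 = phone.respond(r2) if reply == "ack" and can_send_resp3 else None
    return server.decide(phone.code, resp2, resp3,
                         failure_sms=resp3 is None)


def run_roaming(server, phone, imsi, can_send_resp3=True):
    """Section Three: double authentication, then the IMSI chain check."""
    ok = run_double_auth(server, phone, phone.ip, can_send_resp3)
    return bool(ok) and server.imsi_belongs(phone.code, imsi)


def make_server():
    """Constructed sample data: one registered phone with two virtual IMSIs."""
    return Server({"HID-0001": b"K_0001"},
                  {"HID-0001": {"460001234567890", "310150123456789"}})
```

A trojan that relays the first random code from another host shows up as a mismatch between the website's IP and the phone's IP', which check (I) rejects before the response values are even compared.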
Four. Network speed increase
To increase network speed substantially while reducing construction investment and saving the cost of replacing handsets, the user replaces the card with this system's function carrier, a U/SIM or micro-SD card with the double authentication flow, to raise the handset's network speed. The server of this system acts as a proxy server for the Internet or a PDN, and mobile communication data are produced and forwarded between the mobile network and the Internet. For the PS-domain data service of the mobile network, the flow is as follows:
As described above, the user first registers on the server as a member of this system and establishes the attachment relation chain with the handset identity code as chain head and several IMSI numbers. When the user's phone switches to speed-up mode, the server performs double authentication of the handset identity code by the flow above and at the same time checks the attachment relation between the IMSI numbers and the handset identity code, completing the secondary authentication of each IMSI. If each IMSI of the phone has passed the mobile network's authentication, the server uses the occasion of those IMSIs activating with the server to obtain the IP addresses the mobile network has allocated to them. In speed-up mode the phone shares its original data and resources; the IP address prefix of the packets it uploads all points to the server of this system. If the user sends data with a single IMSI, the phone sends the data directly to the mobile network and the PS-domain SGSN/GGSN or S/P-GW gateway equipment forwards them to the server, which sends them on to the PDN or the Internet according to the service feature code in the packet header. If data are uploaded over several numbers activated with the server, then before uploading the phone divides the data into equal sub-blocks according to the number of activated IMSIs, inserts the service feature code in each sub-block, assigns each sub-block a cascade (chain) number and adds a redundancy check code, and uploads the sub-blocks to the mobile network with those IMSIs. After the server receives the data transmitted in the mobile network's PS domain, it reassembles the dispersed sub-blocks according to the service feature code in the packet header and the cascade numbers of the sub-blocks, restores the data and sends them to the PDN or the Internet. Likewise, after the server receives data from the PDN or the Internet, it finds, from the IP address in the packet header, the corresponding handset identity code and the IMSIs managed by that identity code's relation chain, splits the received data into as many sub-blocks as there are IMSIs, inserts the cascaded service feature code into each sub-block, assigns the cascade number and adds the redundancy check code, and sends the data to the mobile network via the IP addresses corresponding to those IMSIs. After the phone receives the data issued by the mobile network to its several IMSIs, it reassembles the dispersed sub-blocks into the complete data according to the service feature code and cascade numbers they carry. This technique has the phone's several IMSIs, together with the primary U/SIM card, apply to the base station for several orthogonal sub-carriers at the same frequency and different time slots; where the secondary numbers and the primary number are registered with different operators, different network standards, or different base station sectors and frequencies, the radio-frequency module of some phones may not support this service, or the phone's baseband ROM may need upgrading.
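The multi-IMSI split and reassembly of section Four, as an added example that is not part of the patent. The sub-block header (service feature code, cascade number, sub-block count, CRC-32 redundancy check), its field widths and the IMSI values are assumptions; the patent fixes none of them.

```python
import struct
import zlib

HEADER = struct.Struct("!BHHI")   # service code, chain no., count, crc32


def split_for_imsis(payload: bytes, service_code: int, imsis: list) -> dict:
    """Divide payload into equal sub-blocks, one per activated IMSI."""
    count = len(imsis)
    size = -(-len(payload) // count)             # ceiling division
    blocks = {}
    for chain_no, imsi in enumerate(imsis):
        body = payload[chain_no * size:(chain_no + 1) * size]
        header = HEADER.pack(service_code, chain_no, count, zlib.crc32(body))
        blocks[imsi] = header + body               # sent over this IMSI
    return blocks


def reassemble(blocks) -> tuple:
    """Rebuild (service_code, payload) from sub-blocks received in any order,
    rejecting a failed redundancy check, a foreign sub-block or a missing one."""
    parts, service_code, count = {}, None, None
    for block in blocks:
        code, chain_no, total, crc = HEADER.unpack_from(block)
        body = block[HEADER.size:]
        if zlib.crc32(body) != crc:
            raise ValueError(f"redundancy check failed on sub-block {chain_no}")
        if service_code is None:
            service_code, count = code, total
        elif (code, total) != (service_code, count):
            raise ValueError("sub-block belongs to a different packet")
        parts[chain_no] = body
    if count is None or len(parts) != count:
        raise ValueError("missing sub-blocks")
    return service_code, b"".join(parts[i] for i in range(count))


# Constructed sample IMSIs for a phone with three activated numbers.
SAMPLE_IMSIS = ["460001234567890", "460021234567891", "310150123456789"]


def roundtrip(payload: bytes, service_code: int = 0x21) -> tuple:
    """Uplink: the phone splits, the server reassembles after reordering."""
    blocks = split_for_imsis(payload, service_code, SAMPLE_IMSIS)
    return reassemble(reversed(list(blocks.values())))
```

The downlink direction uses the same two functions with the roles swapped: the server splits by the IMSIs on the identity code's relation chain and the phone reassembles.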

Claims (14)

1. A user identity security authentication method based on far- and near-field data interaction, characterised in that it comprises the following steps:
A. a first terminal initiates an authentication request to a server with a service code; the authentication request comprises the identity code of the first terminal, and the server authenticates the first terminal according to that identity code; the identity code of the first terminal is identification information uniquely identifying the first terminal and corresponds to several identity keys built into the first terminal, each identity key having a corresponding key number;
B. after verifying the first terminal identity code, the server generates a random code, chooses any one of the identity keys corresponding to the first terminal identity code together with its encryption algorithm, and computes first encrypted data from that identity key, the encryption algorithm and the random code; it then sends the first encrypted data, the key number corresponding to that identity key and the dynamic authentication count n for this second terminal to the first terminal, backs up the random code, the first encrypted data and the dynamic authentication count n, and records the correspondence between the random code and the first terminal identity code;
C. the second terminal randomly generates an access code; after the first terminal collects the access code contactlessly, the first terminal is triggered to look up the corresponding built-in identity key according to the received key number, decrypt the received first encrypted data with its built-in decryption algorithm and that built-in identity key to obtain the random code, and then send the random code and the dynamic authentication count n to the second terminal by near-field communication according to the access code, at the same time triggering timing or counting of the time taken by the second terminal to return its authentication data;
D. the second terminal computes a modified identity key from the received dynamic authentication count n and its built-in identity key with its built-in authentication algorithm; the second terminal then performs a first authentication computation with the received random code and the modified identity key through the built-in authentication algorithm to obtain a first authentication response value, a second authentication computation with the first authentication response value and the modified identity key to obtain a second authentication response value, a third authentication computation with the second authentication response value and the modified identity key to obtain a third authentication response value, and so on in sequence for n authentication computations to obtain an n-th authentication response value; it then sends the n-th authentication response value and the identity code of the second terminal to the first terminal; the identity code of the second terminal is identification information uniquely identifying the second terminal and corresponds uniquely to the built-in identity key of the second terminal, the second terminal having only one built-in identity key;
E. the first terminal selects any of its built-in identity keys and, with its built-in encryption algorithm, encrypts the time taken by the second terminal to return its authentication data, or the count of pulses over that period, to obtain second encrypted data, and then sends the n-th authentication response value, the identity code of the first terminal, the identity code of the second terminal, the second encrypted data and the key number corresponding to the key used for the second encrypted data to the server;
F. the server receives the data sent by the first terminal, looks up the dynamic authentication count n for this second terminal according to the first terminal identity code in the received data, and at the same time looks up the identity key and authentication algorithm corresponding to the second terminal identity code in the received data and computes the modified identity key from them and the count n; it then performs a first authentication computation with the backed-up random code sent to the first terminal identity code and the modified identity key through the authentication algorithm to obtain a first authentication response value, a second authentication computation with the first authentication response value and the modified identity key to obtain a second authentication response value, a third authentication computation with the second authentication response value and the modified identity key to obtain a third authentication response value, and so on in sequence for n authentication computations to obtain an n-th authentication response value; it then looks up the identity key and decryption algorithm corresponding to the first terminal identity code and key number in the received data and decrypts the second encrypted data to obtain the authentication time or pulse count of the second terminal; if the n-th authentication response value in the received data is identical to the n-th authentication response value the server has obtained after n authentication computations, and the time or pulse count corresponding to the n dynamic authentications obtained by decrypting the second encrypted data is below the set value, the first terminal and the second terminal pass authentication.
2. The user identity security authentication method based on far- and near-field data interaction of claim 1, characterised in that the first terminal is a cash-receiving terminal and the second terminal is a checkout terminal; in step B, when the server sends the first encrypted data to the cash-receiving terminal, the server chooses any identity key of the cash-receiving terminal and its algorithm, encrypts the random code to obtain the first encrypted data, and backs up the random code and the first encrypted data; after the cash-receiving terminal receives the order to unlock its near-field communication device and scanning device, it opens its data collection function and, after collecting the access code, locks its near-field communication device and wireless data communication device so that they cannot be modified or closed by other processes; in step C, the cash-receiving terminal backs up the first encrypted data sent by the server; in step E, the data the cash-receiving terminal sends to the server include the transaction amount, and after sending the authentication data to the server the cash-receiving terminal closes the data collection function of its near-field communication device and scanning device; in step F, after the server has authenticated the cash-receiving terminal and the checkout terminal, the amount corresponding to the transaction is debited from the bank card bound to the checkout terminal and paid into the bank card or credit card bound to the cash-receiving terminal.
3. The user identity security authentication method based on far- and near-field data interaction of claim 2, characterised in that in step D the second terminal accepts only the random code delivered by near-field communication according to the access code, otherwise the process ends; in step F, after the transaction is completed, the server sends the first terminal an SMS notification of the transaction receipt using the backed-up first encrypted data as the SMS verification code; the first terminal compares the verification code received in the SMS with the first encrypted data it backed up, and if the two are inconsistent, warns the user that the SMS is fraudulent information.
4., based on the user identity safety certifying method that far and near field data is mutual, it is characterized in that, comprise the steps:
A. The mobile terminal sends an authentication request carrying a service code to the server. The request information includes the identity code of the mobile terminal, which is identification information that uniquely identifies the mobile terminal; the identity code corresponds uniquely to the identity key built into the mobile terminal, and the mobile terminal has one unique built-in identity key;
B. After receiving the authentication request, the server generates a first random code and sends it to the mobile terminal; at the same time the server looks up the identity key and authentication algorithm corresponding to the mobile terminal identity code, and computes a first authentication response value from the identity key, the authentication algorithm and the first random code;
C. The mobile terminal computes a second authentication response value from the received first random code, its built-in identity key and its authentication algorithm, sends it to the server, and at the same time begins step E; the first and second authentication computations use the same algorithm;
D. The server compares the first authentication response value with the received second authentication response value; if they match, it records the IP address from which the mobile terminal sent the second authentication response value in step C and proceeds to step F; otherwise it terminates this authentication flow;
E. The mobile terminal generates a second random code and sends it to the server;
F. After receiving the second random code, the server records the IP address of the mobile terminal and replies to the mobile terminal that it has been received;
G. After receiving the server's reply, the mobile terminal computes a third authentication response value from the second random code, its built-in identity key and its authentication algorithm, and sends it to the server;
H. If the mobile terminal cannot successfully send the third authentication response value to the server, it sends an authentication-failure SMS to the server and terminates this authentication flow;
I. If the server does not receive an authentication-failure SMS from the mobile terminal, it proceeds to step J; otherwise it terminates this authentication process;
J. The server computes a fourth authentication response value from the received second random code, the identity key corresponding to the mobile terminal identity code and the authentication algorithm;
K. The server compares the IP addresses recorded in step D and step F; if they match, it proceeds to step L; if not, it terminates this authentication process;
L. The server compares the third authentication response value with the fourth authentication response value; if they are identical, the mobile terminal passes authentication; if not, the server terminates this authentication process.
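The following Python script is an added illustration of the flow in steps A to L above; it is not part of the patent and does not reproduce any implementation of the applicant. The claim does not name the authentication algorithm, so HMAC-SHA256 is assumed; the identity code, identity key and IP addresses are constructed sample values. The simulation keeps the three checks the server performs in steps D, K and L separate, so the effect of a wrong key, an IP address that changes between steps C and E, or a failure SMS can each be observed on its own.

```python
import hashlib
import hmac
import secrets

# Constructed sample binding: one mobile terminal identity code and its single
# built-in identity key (values invented for this example).
IDENTITY_CODE = "MT-0001"
IDENTITY_KEY = b"constructed-identity-key-for-MT-0001"


def auth_response(identity_key: bytes, random_code: bytes) -> bytes:
    """Authentication computation used by both sides (steps B, C, G, J).

    The claim does not name the algorithm; HMAC-SHA256 is assumed here.
    """
    return hmac.new(identity_key, random_code, hashlib.sha256).digest()


class Server:
    def __init__(self, key_table: dict):
        self.key_table = key_table        # identity code -> identity key
        self.key = None
        self.expected_first = None         # first authentication response value
        self.second_random = None
        self.ip_step_d = None              # IP address recorded in step D
        self.ip_step_f = None              # IP address recorded in step F
        self.failure_sms = False

    def start(self, identity_code: str) -> bytes:
        """Steps A/B: look up the key and issue the first random code."""
        self.key = self.key_table[identity_code]
        first_random = secrets.token_bytes(16)
        self.expected_first = auth_response(self.key, first_random)
        return first_random

    def check_second_response(self, response: bytes, ip: str) -> bool:
        """Step D: compare with the first response value and record the IP."""
        if not hmac.compare_digest(self.expected_first, response):
            return False
        self.ip_step_d = ip
        return True

    def receive_second_random(self, code: bytes, ip: str) -> str:
        """Step F: record the second random code and the sender's IP."""
        self.second_random = code
        self.ip_step_f = ip
        return "received"

    def receive_failure_sms(self) -> None:
        """Steps H/I: the terminal reported it could not deliver the third value."""
        self.failure_sms = True

    def finish(self, third_response: bytes) -> bool:
        """Steps I to L: failure SMS, fourth value, IP consistency, final compare."""
        if self.failure_sms:                                   # step I
            return False
        fourth = auth_response(self.key, self.second_random)   # step J
        if self.ip_step_d != self.ip_step_f:                    # step K
            return False
        return hmac.compare_digest(third_response, fourth)      # step L


class Mobile:
    def __init__(self, identity_code: str, identity_key: bytes):
        self.identity_code = identity_code
        self.key = identity_key

    def respond(self, random_code: bytes) -> bytes:
        """Steps C and G: compute a response value with the built-in key."""
        return auth_response(self.key, random_code)

    def generate_second_random(self) -> bytes:
        """Step E."""
        return secrets.token_bytes(16)


def run_protocol(server: Server, mobile: Mobile, ip_c: str, ip_e: str,
                 third_delivered: bool = True) -> bool:
    """Drive one authentication flow; ip_c and ip_e are the source addresses
    the server sees in steps C and E (constructed values supplied by the caller)."""
    first_random = server.start(mobile.identity_code)
    if not server.check_second_response(mobile.respond(first_random), ip_c):
        return False                                             # step D fails
    second_random = mobile.generate_second_random()
    server.receive_second_random(second_random, ip_e)
    if not third_delivered:
        server.receive_failure_sms()                             # step H
        return False
    return server.finish(mobile.respond(second_random))
```

A fresh Server object is used per run because the recorded IP addresses and the failure-SMS flag are per-flow state; in a deployment they would be keyed by a session identifier.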
5. The user identity security authentication method based on far and near field data interaction of claim 4, characterized in that the mobile terminal is a cell phone; a physical U/SIM card is inserted in the cell phone and it has several associated IMSI numbers; the server establishes and stores a unique ownership relation between said IMSI numbers and the identity code of the cell phone; said IMSI numbers are sent by the server to the cell phone according to their ownership relation with the cell phone identity code; and the physical U/SIM cards uniquely corresponding to said IMSI numbers are built into the server;
In step A, the authentication request information also includes the IMSI number; and after step L, the server looks up the identity code that the IMSI number corresponds to or belongs to; if the identity code found matches the identity code of the mobile terminal that passed authentication, the IMSI number passes the server's authentication.
6. The user identity security authentication method based on far and near field data interaction of claim 5, characterized in that, after the mobile network has completed authentication of said several IMSI numbers, said IMSI numbers connect to the server so that the server records the IP addresses assigned to them by the mobile network; when the mobile terminal sends data to the server, the following steps are performed:
the mobile terminal splits the data into equal parts according to the number of IMSI numbers, forming several data blocks;
a service feature code is inserted into each data block, and each data block is assigned a cascade code;
the data blocks are distributed to the corresponding IMSI numbers for transmission over the mobile network;
after receiving the data blocks, the server reassembles them according to the service feature code and cascade code and forwards the result to the PDN or the Internet;
when the server sends data received from the PDN or the Internet to the mobile terminal, the following steps are performed:
the server splits the data into equal parts according to the number of IMSI numbers managed under the mobile terminal identity code, forming data blocks;
a service feature code is inserted into each data block, and each data block is assigned a cascade code;
the data blocks are tunnelled to the IP addresses corresponding to the IMSI numbers and transmitted over the mobile network;
after receiving the data blocks, the mobile terminal reassembles them according to the service feature code and cascade code.
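The splitting and reassembly of claim 6, as an added Python example that is not the applicant's code. The claim names neither the format of the service feature code nor that of the cascade code, so here the cascade code is simply the block's position in the sequence and a total count is carried alongside it; the IMSI numbers and service code are constructed values. The receiving side refuses to reassemble when a block is missing, duplicated or belongs to another service, which is the check a practitioner would want before forwarding the result onward.

```python
import math

# Constructed values: three IMSI numbers belonging to one terminal and a service
# feature code (invented for this example; the claim names neither format).
IMSI_NUMBERS = ["460001234567001", "460001234567002", "460001234567003"]
SERVICE_FEATURE_CODE = "SVC-01"


def split_into_blocks(data: bytes, imsi_numbers: list, service_code: str) -> list:
    """Split data into as many equal parts as there are IMSI numbers.

    Each block carries the service feature code and a cascade code (its
    position in the sequence) so the receiver can reassemble it; the block
    is assigned to one IMSI number for transmission over the mobile network.
    """
    count = len(imsi_numbers)
    size = math.ceil(len(data) / count)
    blocks = []
    for index, imsi in enumerate(imsi_numbers):
        blocks.append({
            "imsi": imsi,
            "service_code": service_code,
            "cascade_code": index,
            "total": count,
            "payload": data[index * size:(index + 1) * size],
        })
    return blocks


def reassemble(blocks: list, service_code: str) -> bytes:
    """Reassemble the blocks of one service in cascade-code order.

    Blocks of other services are ignored; a missing, duplicated or
    out-of-range cascade code is reported instead of silently producing
    a truncated result.
    """
    mine = sorted((b for b in blocks if b["service_code"] == service_code),
                  key=lambda b: b["cascade_code"])
    if not mine:
        raise ValueError("no blocks for this service feature code")
    expected = list(range(mine[0]["total"]))
    if [b["cascade_code"] for b in mine] != expected:
        raise ValueError("missing, duplicated or out-of-range block")
    return b"".join(b["payload"] for b in mine)
```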
7. A user identity security authentication mobile terminal based on far and near field data interaction, characterized in that it comprises:
an authentication request initiation module, for initiating an authentication request to the server, where the authentication request information includes the identity code of the mobile terminal, said identity code being identification information that uniquely identifies the mobile terminal and corresponding uniquely to the identity key built into the mobile terminal, the mobile terminal having one unique built-in identity key;
a first authentication module, for computing a second authentication response value from the first random code sent by the server, the terminal's own identity key and its authentication algorithm, and sending it to the server;
a second authentication module, for computing a third authentication response value from a second random code generated by the terminal itself, its own identity key and its authentication algorithm, and sending it to the server;
a send-failure SMS module, for sending an authentication-failure SMS to the server when the mobile terminal cannot successfully send said third authentication response value to the server.
8. The user identity security authentication mobile terminal based on far and near field data interaction of claim 7, characterized in that it further comprises:
a virtual mobile phone number authentication module, for applying to the server for secondary authentication of a virtual mobile phone number;
a data splitting and cascading module, for the mobile terminal to split data into equal parts according to the number of IMSI numbers that have passed network authentication, forming corresponding data blocks, inserting a service feature code into each data block, assigning each data block a cascade code, and distributing the data blocks to said IMSI numbers for transmission over the mobile network; and further, after the mobile terminal receives the data blocks sent by the server, for reassembling them according to the service feature code and cascade code.
9. A user identity security authentication server based on far and near field data interaction, comprising a server communication module for data transmission, characterized in that it further comprises:
a mobile terminal authentication module, which, after receiving an authentication request from the mobile terminal, generates a first random code and sends it to the mobile terminal, and at the same time computes a first authentication response value from the first random code using the identity key and authentication algorithm corresponding to the identity code of the mobile terminal; compares the first authentication response value with the second authentication response value received from the mobile terminal; if they are identical and the server has not received an authentication-failure SMS from the mobile terminal, compares the two IP addresses from which the mobile terminal sent the second authentication response value and the second random code; if these match, computes a fourth authentication response value from the second random code sent by the mobile terminal using the identity key and authentication algorithm corresponding to the mobile terminal identity code, and compares the third authentication response value sent by the mobile terminal with said fourth authentication response value; if they are identical, the mobile terminal's identity passes authentication, and if they differ, this authentication flow is terminated; if an authentication-failure SMS is received from the mobile terminal, this authentication flow is terminated directly;
an authentication-failure SMS module, for receiving authentication-failure SMS messages from the mobile terminal.
10. The user identity security authentication server based on far and near field data interaction of claim 9, characterized in that it further comprises an IMSI number authentication module, for authenticating the validity of the IMSI number sent by the mobile terminal after authentication of the mobile terminal identity code is complete: according to the established and stored table of unique ownership relations between said IMSI numbers and the identity code of the cell phone, the server looks up the identity code that said IMSI number corresponds to or belongs to; if the identity code found matches the identity code of the mobile terminal that passed authentication, the IMSI number passes authentication.
11. The user identity security authentication server based on far and near field data interaction of claim 10, characterized in that it further comprises a data splitting and cascading module, for recording the IP address of an IMSI number when that IMSI number notifies the server that it has passed network authentication; further, after the server receives the data blocks sent by the mobile terminal, for reassembling them according to the service feature code and cascade code of the data blocks and forwarding the result to the PDN or the Internet; and further, for the server to split the PDN or Internet data it receives into equal parts according to the number of IMSI numbers managed under the mobile terminal identity code, forming several data blocks, inserting a service feature code into each data block, assigning each data block a cascade code, and tunnelling the data blocks to the IP addresses corresponding to said IMSI numbers for delivery to the mobile terminal over the mobile network.
12. A user identity security authentication first terminal based on far and near field data interaction, characterized in that it comprises:
an authentication request module, for initiating an authentication request to the server, where the authentication request includes the identity code of the first terminal, said identity code being identification information that uniquely identifies the first terminal and corresponding to several identity keys built into the first terminal, each identity key having a corresponding key number;
a decryption module, for backing up the first encrypted data contained in the received data, and, only after the first terminal's scanning device has collected the access code of the second terminal, looking up the built-in identity key matching the received key number and decrypting the received first encrypted data with the built-in decryption algorithm and said identity key to obtain said random code;
a terminal data equipment locking module, for locking the first terminal's near-field communication equipment and wireless data communication equipment after the access code has been collected, so that they cannot be modified or closed by other processes;
an identity authentication timing or counting module, for starting to time or count the second terminal's authentication-data return time after the first terminal has sent authentication data to the second terminal;
a near-field communication module, for near-field data transmission with the second terminal;
an encryption module, for selecting any one of the first terminal's built-in identity keys and encrypting, with the built-in encryption algorithm, the time or count pulses taken by the second terminal to return the authentication data, obtaining second encrypted data; and then sending the second terminal's n-th authentication response value, the identity code of the second terminal, the identity code of the first terminal, the second encrypted data and the key number corresponding to the key used for the second encrypted data to the server;
a storage module, for storing the identity code of the first terminal, the several identity keys built into the first terminal, and the correspondence between the identity keys and their key numbers;
a data acquisition unlocking and locking module, for enabling the data acquisition function of the near-field communication equipment and the scanning device after the first terminal receives an unlock command from the server, and disabling it after the first terminal has sent the authentication data to the server;
an SMS authentication module, for comparing the first encrypted data embedded in a received SMS with the first encrypted data retained on the device, and, if they do not match, warning the user that the SMS is fraudulent.
13. A user identity security authentication second terminal based on far and near field data interaction, characterized in that it comprises:
an access code generation module, for randomly generating an access code used for channel access between near-field communication terminals;
a random code count identification module, for the second terminal to check how many random codes it receives during one identity authentication process: within the near-field communication session opened with said access code, the second terminal may receive one and only one random code, otherwise it terminates the authentication process;
an identity authentication and count identification module, for the second terminal to compute, from the received and identified dynamic authentication count n and its built-in identity key, this round's modified identity key using its built-in authentication algorithm; then to perform a first authentication computation over the received random code and said modified identity key with its built-in authentication algorithm to obtain a first authentication response value, a second authentication computation over said first authentication response value and said modified identity key to obtain a second authentication response value, a third authentication computation over said second authentication response value and said modified identity key to obtain a third authentication response value, and so on until n authentication computations have been performed in sequence and the n-th authentication response value is obtained; and then to send said n-th authentication response value and the identity code of the second terminal to the first terminal, said identity code being identification information that uniquely identifies the second terminal and corresponding uniquely to the identity key built into the second terminal, the second terminal having only one unique built-in identity key;
a storage module, for storing the identity code of the second terminal, the second terminal's built-in identity key and its built-in authentication algorithm data.
14. A user identity security authentication server based on far and near field data interaction, characterized in that it comprises:
an encryption module, for generating a random code after the first terminal identity code has been verified, selecting any one identity key corresponding to the first terminal identity code together with its encryption algorithm, computing first encrypted data from said identity key, encryption algorithm and random code, and sending said first encrypted data to the first terminal together with the key number corresponding to said identity key and this round's dynamic authentication count n for the second terminal;
a first terminal and second terminal identity authentication module, for the server to look up the dynamic authentication count n of this second terminal according to the first terminal identity code in the received data, and at the same time to look up the identity key and authentication algorithm corresponding to the second terminal identity code in the received data and compute this round's modified identity key from them and said count n; then to perform a first authentication computation over the backed-up random code corresponding to the first terminal identity code and said modified identity key with the authentication algorithm to obtain a first authentication response value, a second authentication computation over said first authentication response value and said modified identity key to obtain a second authentication response value, a third authentication computation over said second authentication response value and said modified identity key to obtain a third authentication response value, and so on until n authentication computations have been performed in sequence and the n-th authentication response value is obtained; then to look up the identity key and decryption algorithm corresponding to the first terminal identity code and key number in the received data and decrypt said second encrypted data to obtain the second terminal's authentication time or count pulses; if the n-th authentication response value in the received data is identical to the n-th authentication response value the server obtained after n authentication computations, and the time or count pulses corresponding to said n dynamic authentications obtained by decrypting the second encrypted data are below the set value, authentication of the first terminal and the second terminal is complete;
a data backup module, for backing up said random code and said first encrypted data.
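The n-fold chained computation performed by the second terminal (claim 13) and recomputed by the server (claim 14), together with the server's return-time check, as an added Python example that is not part of the patent. The claims leave the built-in authentication algorithm unspecified, so HMAC-SHA256 is assumed both for deriving the modified identity key from n and for each of the n chained computations; the second terminal key and the count threshold are constructed values. The encryption of the return-time count with one of the first terminal's keys is not modelled: the server function takes the count as already decrypted, which is stated as an assumption in the code.

```python
import hashlib
import hmac

# Constructed values for the second terminal: its single built-in identity key
# and an assumed upper bound on the return-time count pulses.
SECOND_TERMINAL_KEY = b"constructed-second-terminal-identity-key"
COUNT_LIMIT = 50


def modified_key(identity_key: bytes, n: int) -> bytes:
    """Derive this round's modified identity key from the built-in key and n.

    The claims say the built-in authentication algorithm is used; HMAC-SHA256
    keyed with the identity key over the decimal form of n is assumed here.
    """
    return hmac.new(identity_key, str(n).encode(), hashlib.sha256).digest()


def nth_response(random_code: bytes, mod_key: bytes, n: int) -> bytes:
    """Chain n authentication computations: the first over the random code,
    each later one over the previous authentication response value."""
    if n < 1:
        raise ValueError("n must be at least 1")
    value = random_code
    for _ in range(n):
        value = hmac.new(mod_key, value, hashlib.sha256).digest()
    return value


def second_terminal_respond(identity_key: bytes, random_code: bytes, n: int) -> bytes:
    """Second terminal (claim 13): derive the modified key, run n rounds,
    return the n-th authentication response value."""
    return nth_response(random_code, modified_key(identity_key, n), n)


def server_verify(second_key: bytes, backed_up_random: bytes, n: int,
                  received_nth: bytes, return_count: int,
                  limit: int = COUNT_LIMIT) -> bool:
    """Server (claim 14): recompute the n-th value from its backup of the
    random code and the looked-up second terminal key, then accept only if
    the value matches and the return-time count is below the set limit.

    Assumption: return_count is the count pulse value already decrypted
    from the first terminal's second encrypted data.
    """
    expected = second_terminal_respond(second_key, backed_up_random, n)
    return hmac.compare_digest(expected, received_nth) and return_count < limit
```

Because the server binds n to the first terminal's identity code and mixes it into the modified key, a response computed for a different n fails even when the same random code and key are used, so the count cannot be altered in transit without invalidating the response.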
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status
CN201510705976.3A | 2015-10-27 | 2015-10-27 | Safety certification device and method for user identity based on far and near field data interaction | Pending, published as CN105373919A (en)

Publications (1)

Publication Number Publication Date
CN105373919A true CN105373919A (en) 2016-03-02

Family

ID=55376098

Country Status (1)

Country Link
CN (1) CN105373919A (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106447325A (en) * 2016-09-09 2017-02-22 广东欧珀移动通信有限公司 Processing method and device based on NFC (Near Filed Communication), and mobile terminal
CN107204084A (en) * 2017-04-19 2017-09-26 新开普电子股份有限公司 Complete trade company, equipment, the POS frameworks of the authenticated connection of client and mode
WO2017166069A1 (en) * 2016-03-29 2017-10-05 李昕光 Recharging system
WO2017166061A1 (en) * 2016-03-29 2017-10-05 李昕光 Recharging system
WO2017166059A1 (en) * 2016-03-29 2017-10-05 李昕光 Recharging method
WO2017166051A1 (en) * 2016-03-29 2017-10-05 李昕光 Refill method
WO2017166068A1 (en) * 2016-03-29 2017-10-05 李昕光 Recharging system
WO2017166056A1 (en) * 2016-03-29 2017-10-05 李昕光 Recharging method
WO2017166060A1 (en) * 2016-03-29 2017-10-05 李昕光 Refill method
CN107392588A (en) * 2017-06-21 2017-11-24 深圳市欧乐在线技术发展有限公司 A kind of payment mechanism and its implementation based on signaling network
CN107454111A (en) * 2017-09-29 2017-12-08 南京中高知识产权股份有限公司 Safety certificate equipment and its method of work
CN107707685A (en) * 2017-09-25 2018-02-16 清华大学 A kind of wireless router access control method
CN110065470A (en) * 2019-05-16 2019-07-30 广州小鹏汽车科技有限公司 Automobile control method, device, automobile and storage medium based on NFC car key
CN112508575A (en) * 2021-02-03 2021-03-16 八维通科技有限公司 Subway passing brake payment method and system based on digital currency
CN113691980A (en) * 2021-07-28 2021-11-23 陈建明 WLAN near field base station service system and method based on beacon association
CN114513300A (en) * 2021-12-27 2022-05-17 广州广哈通信股份有限公司 Authentication method, access device and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101009910A (en) * 2006-01-25 2007-08-01 华为技术有限公司 Method and device for realizing the extended authentication protocol in the wireless network
US20090055898A1 (en) * 2007-08-24 2009-02-26 Futurewei Technologies, Inc. PANA for Roaming Wi-Fi Access in Fixed Network Architectures
CN104320779A (en) * 2014-11-13 2015-01-28 熊文俊 Near field communication authentication method based on U/SIM card authentication response and time-limited feedback

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
AD01 | Patent right deemed abandoned (effective date of abandoning: 20200228)