CN105516104B - Identity authentication method and system for a TEE-based dynamic password - Google Patents

Identity authentication method and system for a TEE-based dynamic password

Info

Publication number: CN105516104B
Authority: CN (China)
Prior art keywords: dynamic password, user, information, dynamic, client
Legal status: Active
Application number: CN201510862528.4A
Other languages: Chinese (zh)
Other versions: CN105516104A
Inventor: 李登峰
Current assignee: China Science And Technology (beijing) Co Ltd Rong'an
Original assignee: China Science And Technology (beijing) Co Ltd Rong'an
Application filed by China Science And Technology (beijing) Co Ltd Rong'an
Priority to CN201811032412.8A (CN108809659B)
Priority to CN201510862528.4A (CN105516104B)
Publication of CN105516104A
Application granted
Publication of CN105516104B

Classifications

    • H: Electricity
        • H04: Electric communication technique
            • H04L: Transmission of digital information, e.g. telegraphic communication
                • H04L 63/00: Network architectures or network communication protocols for network security
                    • H04L 63/06: for supporting key management in a packet data network
                        • H04L 63/067: using one-time keys
                    • H04L 63/08: for authentication of entities
                        • H04L 63/083: using passwords
                            • H04L 63/0838: using one-time-passwords
                        • H04L 63/0861: using biometrical features, e.g. fingerprint, retina-scan
                • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
                    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L 9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
                            • H04L 9/0863: involving passwords or one-time passwords
                            • H04L 9/0869: involving random numbers or seeds
                    • H04L 9/32: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L 9/3226: using a predetermined code, e.g. password, passphrase or PIN
                            • H04L 9/3231: Biological data, e.g. fingerprint, voice or retina

Abstract

This application discloses an identity authentication method for a TEE-based dynamic password. A terminal is pre-configured with a dynamic password system, and the method includes a dynamic password generation process and a dynamic password verification process. The terminal has a TEE; the dynamic password generation process runs in the terminal and generates a dynamic password in response to a user's request; the dynamic password verification process authenticates the identity of the requesting user, and the authentication method includes the dynamic password. The dynamic password generation process is carried out in the TEE. In the TEE-based dynamic password system provided by the invention, the dynamic password generation process, the cryptographic operation process and the user identification process are all carried out in the TEE, and the user's sensitive information, such as keys, identity information, biometric information and password information, is stored in the TEE by a secure storage module. This avoids the problems of the prior art, where the dynamic password generation process runs in the REE and the user's sensitive information is stored in the REE, creating the risk of privacy leakage and theft of property.

Description

Identity authentication method and system for a TEE-based dynamic password
Technical field
This application relates to the field of information technology, and in particular to an identity authentication method and system for a TEE-based dynamic password.
Background technology
To improve the security of identity authentication in network applications such as online banking, telephone banking, online securities, telephone securities, online shopping and online games, industries and enterprises have one after another released dynamic password authentication systems, which offer greater security than traditional static passwords.
Performing identity authentication with a dynamic password authentication system greatly improves the security of network application systems. The main current identity authentication methods, with their advantages and disadvantages, are:
Dynamic password technology and PKI technology are at present mostly implemented in hardware; their security is high and they are widely used, but the user must collect a physical device, carry it, and learn how to use it, so the user experience is poor. SMS verification codes need no additional hardware, but because of the openness of mobile phone platforms their security is poor, and the problems with them are growing.
Biometric authentication requires no additional hardware and the user experience is good, but biometric data is mostly static and is easily intercepted or copied in open environments, open networks and open platforms. In particular, because biometric features cannot be changed, they readily give rise to further security problems, so biometrics are more suited to near-field authentication.
Authentication based on big-data analysis is completely transparent to the user and the user experience is even better, but the collection and use of multidimensional data is not yet governed by relevant laws and regulations and raises privacy protection issues, and its recognition result is only a probability rather than a deterministic judgement, so it is more suited to advertising, marketing and risk control.
There is therefore an urgent need for a secure, convenient and highly compatible identity authentication method based on a TEE-based dynamic password.
Summary of the invention
In view of this, the technical problem to be solved by this application is that existing identity authentication methods are insecure, unstable, inconvenient and poorly compatible.
To solve the above technical problem, the present invention provides an identity authentication method and system for a TEE-based dynamic password. By carrying out the generation and verification of the dynamic password in the TEE, the insecurity, instability, inconvenience and poor compatibility of existing identity authentication methods are avoided. The technical solution is as follows:
An identity authentication method for a TEE-based dynamic password, in which a terminal is pre-configured with a dynamic password system, and which includes a dynamic password generation process and a dynamic password verification process, characterised in that the terminal has a TEE; the dynamic password generation process is carried out in the terminal and generates a dynamic password in response to a user's request; the dynamic password verification process authenticates the identity of the requesting user, and the authentication method includes the dynamic password; and the dynamic password generation process is carried out in the TEE.
Preferably, the client is an application client inside the terminal, and the dynamic password generation process includes:
Step 1: The dynamic password system securely stores the user identity information. The terminal receives an application request from the client; the application request sends a request to generate a dynamic password together with a signature over the request made with the private key corresponding to the client's digital certificate. The dynamic password system is started, and after it has verified that the client signature is legitimate, it sends the terminal user a request to input the user identity information;
Step 2: The dynamic password system verifies the input information against the user identity information stored in step 1;
Step 3: When the result of the verification in step 2 is that the information matches, the dynamic password system generates the dynamic password, and the dynamic password generation process is complete.
Preferably, the client is an application client external to the terminal, meaning that the carrier of the application client is a device other than the terminal of step 1, and the dynamic password generation process includes:
Step ①: The dynamic password system securely stores the user identity information. When the dynamic password system is started, it sends the user a request to input the user identity information;
Step ②: The dynamic password system verifies the input information against the user identity information stored in step ①;
Step ③: When the result of the verification in step ② is that the information matches, the dynamic password system obtains the client's request to generate a dynamic password by way of OTG, NFC, Bluetooth, audio, sound wave, user input, or scanning of a bar code or QR code, generates the dynamic password, and the dynamic password generation process is complete.
Preferably, the client is an application client inside the terminal, and the dynamic password verification process includes:
Step A1: The dynamic password system sends the dynamic password generated in step 3 to the application client inside the terminal;
Step B1: After the application client inside the terminal receives the dynamic password, it forwards the request information of step 1 to the server corresponding to the client application;
Step C1: The server of step B1 receives the dynamic password and verifies the user information and the dynamic password sent in step B1; when the verification result is correct, the server processes the application request and returns the processing result to the application client inside the terminal;
Step D1: The application client inside the terminal receives the processing result of step C1, verifies the relevant information and displays it, and the dynamic password verification process is finished.
Preferably, the client is an application client external to the terminal, meaning that the carrier of the application client is a device other than the terminal of step 1, and the dynamic password verification process includes:
Step A2: The terminal displays the dynamic password generated in step ③ for the user to read and input into the client, or sends the dynamic password to the client by way of OTG, NFC, Bluetooth, audio or sound wave, or displays it in the form of a bar code or QR code for the external application client to scan;
Step B2: After the external application client obtains the dynamic password, it sends the request information of step ③ to the server corresponding to the client application;
Step C2: The server of step B2 receives the dynamic password of step B2 and verifies the user information and the dynamic password sent in step B2; when the verification result is correct, the server processes the application request and returns the processing result to the external application client;
Step D2: The external application client receives the processing result of step C2, verifies the relevant information and displays it, and the dynamic password verification process is finished.
Preferably, the method further includes an account creation and seed key download process of the dynamic password system, which includes:
Step 1: The terminal is pre-configured with a TEE-based dynamic password system. The dynamic password system registers a user account, where registering the user account includes inputting identity information and setting an access password, and the dynamic password system securely stores the registration identity information and the access password;
Step 2: The dynamic password system reads authentication data from a root-of-trust device, or requests the root-of-trust device to issue authentication data;
Step 3: The dynamic password system, via the dynamic password authentication server, requests the root-of-trust system to verify the authentication data of step 2 and the registration identity information; the root-of-trust system corresponds to the root-of-trust device of step 2;
Step 4: The root-of-trust system verifies the authentication data of step 2 and checks whether the registration identity information corresponds to the root-of-trust device, and sends the verification result to the dynamic password system via the dynamic password authentication server;
Step 5: When the verification result of step 4 is that the authentication data was verified successfully and the registration identity information corresponds to the root-of-trust device, the dynamic password system generates a first random number, encrypts it with the pre-stored encryption certificate public key of the dynamic password authentication server, and sends it to the dynamic password authentication server;
Step 6: The server receives the first random number of step 5, binds the user account of step 1 to the dynamic password system, generates a second random number, encrypts it with the decrypted first random number, and sends it to the dynamic password system;
Step 7: The dynamic password system decrypts the second random number received in step 6 and securely stores it as the seed key, and the account creation and seed key download process of the dynamic password system is complete;
Steps 1 to 3, step 5 and step 7 are carried out in the TEE.
Preferably, the method further includes a seed key update process of the dynamic password system, which includes:
Step a: The dynamic password system requests a seed update and sends the user a request to input the user identity information;
Step b: The dynamic password system verifies the input information against the user identity information stored in step 1; when the verification result matches, it sends the user a request to use the root-of-trust device;
Step c: The dynamic password system reads authentication data from the root-of-trust device, or requests the root-of-trust device to issue authentication data. When the root-of-trust device authorises the reading or issuing of the relevant authentication data, the dynamic password system, via the dynamic password authentication server, requests the root-of-trust system to verify the registration identity information and the authentication data; the root-of-trust system corresponds to the root-of-trust device of step b;
Step d: The root-of-trust system verifies the authentication data of step c and checks whether the registration identity information corresponds to the root-of-trust device, and sends the verification result to the dynamic password system via the dynamic password authentication server;
Step e: When the verification result of step d is that the authentication data was verified successfully and the registration identity information corresponds to the root-of-trust device, the dynamic password system generates a third random number, encrypts it with the pre-stored encryption certificate public key of the dynamic password authentication server, and sends it to the dynamic password authentication server;
Step f: The server binds the user account of step a to the dynamic password system, generates a fourth random number, encrypts it with the decrypted third random number, and sends it to the dynamic password system;
Step g: The dynamic password system decrypts the fourth random number received in step f, securely stores it as the new seed key and deletes the old seed key, and the seed key update process of the dynamic password system is complete;
Steps a to c, step e and step g are carried out in the TEE.
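The seed key download exchange (steps 5 to 7) and the seed key update exchange (steps e to g) above, followed by dynamic password generation (step 3) and server-side verification (steps C1/C2), as an added Python simulation that is not part of the patent. It assumes, in place of details the patent does not specify, a toy textbook RSA key over two fixed Mersenne primes standing in for the server's encryption certificate, an HMAC-SHA256 keystream XOR standing in for "encrypted with the first random number", a counter-based HMAC derivation of a six-digit dynamic password, and the hypothetical class names DynamicPasswordSystem and AuthServer.

```python
import hashlib
import hmac
import secrets

# Stand-in for the server's encryption certificate: textbook RSA over two fixed
# Mersenne primes. A toy for showing the message flow only, not real-use crypto.
_P = 2**61 - 1
_Q = 2**89 - 1
RSA_N = _P * _Q
RSA_E = 65537
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))


def pk_encrypt(nonce: bytes) -> int:
    """Encrypt a 16-byte random number under the server certificate public key."""
    m = int.from_bytes(nonce, "big")  # 128 bits always fits below the ~150-bit modulus
    return pow(m, RSA_E, RSA_N)


def pk_decrypt(c: int) -> bytes:
    """Server-side decryption with the certificate's private key."""
    return pow(c, _RSA_D, RSA_N).to_bytes(16, "big")


def sym_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for 'encrypted with the random number': XOR with an HMAC keystream."""
    stream = hmac.new(key, b"seed-transport", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


sym_decrypt = sym_encrypt  # an XOR keystream is its own inverse


def dynamic_password(seed: bytes, counter: int) -> str:
    """Assumed derivation (not the patent's): six digits from HMAC-SHA256(seed, counter)."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class DynamicPasswordSystem:
    """TEE-resident dynamic password system; `seed` stands for its secure storage."""

    def __init__(self):
        self.seed = None
        self.counter = 0

    def request_seed(self):
        # Step 5 / step e: the first (third) random number is generated inside
        # the TEE and sent encrypted under the server certificate public key.
        r1 = secrets.token_bytes(16)
        return r1, pk_encrypt(r1)

    def install_seed(self, r1: bytes, ct: bytes) -> None:
        # Step 7 / step g: decrypt the server's random number, store it as the
        # seed key and drop the old seed and counter (the update case deletes it).
        self.seed = sym_decrypt(r1, ct)
        self.counter = 0

    def generate_dynamic_password(self) -> str:
        # Step 3 / step ③: produce the dynamic password from the stored seed.
        otp = dynamic_password(self.seed, self.counter)
        self.counter += 1
        return otp


class AuthServer:
    """Dynamic password authentication server: binds user accounts to seed keys."""

    def __init__(self):
        self.seeds = {}
        self.counters = {}

    def issue_seed(self, account: str, ct: int) -> bytes:
        # Step 6 / step f: recover the client's random number, bind the account,
        # generate the second (fourth) random number and return it encrypted
        # under the client's random number.
        r1 = pk_decrypt(ct)
        r2 = secrets.token_bytes(32)
        self.seeds[account] = r2
        self.counters[account] = 0
        return sym_encrypt(r1, r2)

    def verify(self, account: str, otp: str, window: int = 3) -> bool:
        # Step C1 / C2: recompute the dynamic password for the bound seed. The
        # look-ahead window tolerates skipped counters; the counter only moves
        # forward, so an already accepted password is rejected on replay.
        start = self.counters[account]
        for c in range(start, start + window):
            if hmac.compare_digest(dynamic_password(self.seeds[account], c), otp):
                self.counters[account] = c + 1
                return True
        return False


def provision(tee: DynamicPasswordSystem, server: AuthServer, account: str) -> bytes:
    """Run the download (5-7) or update (e-g) exchange; returns the seed now shared."""
    r1, ct = tee.request_seed()
    tee.install_seed(r1, server.issue_seed(account, ct))
    return tee.seed
```

Calling provision() a second time for the same account plays the update process: the server issues a fresh seed, and the TEE replaces the old one and resets its counter.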
Preferably, the user identity information of step 1 includes the user's basic identity information and biometric information; the basic identity information includes name and passport number, and the biometric information includes fingerprint information, facial feature information, voiceprint information and/or iris information;
Step 3 further includes: when the result of the verification in step 2 is that the information matches, the dynamic password system securely displays the client's application request message and prompts the user to confirm; after the user confirms and agrees to the request, the dynamic password system generates the dynamic password, and the dynamic password generation process is complete;
Step ③ further includes: when the result of the verification in step ② is that the information matches, the dynamic password system securely displays the client's application request message and prompts the user to confirm; after the user confirms and agrees to the request, the dynamic password system generates the dynamic password, and the dynamic password generation process is complete.
Preferably, the dynamic password system includes:
a secure input/output module, for securely managing and calling the input/output components, where the input/output components include a screen, buttons, a fingerprint reader, a camera, Bluetooth, OTG and NFC;
a user identification module, for receiving instructions from the secure execution module, identifying the user, and feeding the identification result back to the secure execution module;
a cryptographic operation module, for receiving instructions from the secure execution module, performing the cryptographic operation, and sending the operation result to the secure execution module;
a secure storage module, for receiving instructions from the secure execution module, securely storing user data, and exchanging that user data with the secure execution module;
a secure execution module, for scheduling the resources of the secure input/output module, the user identification module, the cryptographic operation module and the secure storage module, sending instructions and receiving the related data.
An identity authentication system for a TEE-based dynamic password, including a configuration unit, a dynamic password generation unit and a dynamic password verification unit, characterised in that:
the configuration unit is for pre-configuring the dynamic password system in the terminal;
the dynamic password generation unit runs in the terminal and generates a dynamic password in response to a user's request;
the dynamic password verification unit authenticates the identity of the requesting user, and the authentication method includes the dynamic password;
wherein the dynamic password generation unit runs in the TEE.
Compared with the prior art, the method and system described herein achieve the following effects:
(1) In the TEE-based dynamic password system provided by the invention, the dynamic password generation process, the cryptographic operation process and the user identification process are carried out in the TEE, and the user's sensitive information, such as keys, identity information, biometric information and password information, is stored in the TEE by the secure storage module. This avoids the problems of the prior art, where the dynamic password generation process runs in the REE and user sensitive information is stored in the REE, creating the risk of privacy leakage and theft of property. At the same time, under the TEE the terminal's input and output modules are managed and called through the secure input/output interface, so the authentication request information is displayed securely and confirmed by the user. This avoids the risk that, in the REE, the input and output modules are controlled and tampered with by illegitimate applications, and ensures that the authentication procedure reflects the actual wishes of the user;
(2) In the identity authentication method for a TEE-based dynamic password provided by the invention, the terminal can be any smart device that has a TEE; no specific device is needed, and the method can be carried out on the smart terminals users normally carry, such as mobile phones and tablet computers, while its security in use remains equally high;
(3) The identity authentication method for a TEE-based dynamic password provided by the invention is compatible with biometric identification, making use of the fixed information unique to the human body's biometric features; without passing biometric identification, the next step of identity authentication cannot be entered. Because the above process is carried out in the TEE, it is secure to use and at the same time more convenient in use;
(4) With the identity authentication method for a TEE-based dynamic password provided by the invention, the user need not go to a counter in person to open an account and download the seed key; it is easy to use, processing is efficient, the experience is good, compatibility with each application is high, and the safety factor of the whole authentication process is higher;
(5) The identity authentication method for a TEE-based dynamic password provided by the invention needs no special tutorial; each use is a response to a user request, completed by following the terminal's prompts one by one, which matches the habits of the general public. Compared with identity authentication methods of the prior art, it offers a high level of security while fitting the user's habits, and is very convenient to use. It protects the user's keys, identity information, biometric information and password information, so security and privacy in use are improved alongside convenience;
(6) In the identity authentication method for a TEE-based dynamic password provided by the invention, the seed key update process is carried out in the TEE, so its security level can reach or even exceed that of a physical hardware dynamic token;
(7) In the identity authentication method for a TEE-based dynamic password provided by the invention, the dynamic password security system is comprehensive in function and secure in operation, combining certificate authentication, biometric identification and password verification, so that its authentication methods are more compatible, its security performance better and its user experience better;
(8) The identity authentication system for a TEE-based dynamic password provided by the invention is TEE-based from the first step, which improves the safety factor of identity authentication at the level of the flow; likewise, the seed key download process of the dynamic password system is TEE-based and the seed key is stored in the device's TEE, which improves the safety factor of identity authentication at the level of the system configuration.
Description of the drawings
The drawings described here provide a further understanding of this application and form part of it. The illustrative embodiments of this application and their description serve to explain the application and do not unduly limit it. In the drawings:
Fig. 1 is a flow chart of the dynamic password generation process described in the embodiments of this application;
Fig. 2 is a flow chart of the dynamic password generation process described in the embodiments of this application;
Fig. 3 is a flow chart of the dynamic password verification process described in the embodiments of this application;
Fig. 4 is a flow chart of the dynamic password verification process described in the embodiments of this application;
Fig. 5 is a flow chart of the account creation and seed key download process of the dynamic password system described in the embodiments of this application;
Fig. 6 is a flow chart of the seed key update process of the dynamic password system described in the embodiments of this application;
Fig. 7 is a structural schematic diagram of the dynamic password system described in the embodiments of this application;
Fig. 8 is a structural schematic diagram of the terminal described in the embodiments of this application;
Fig. 9 is a structural schematic diagram of the method of the embodiments of this application.
Detailed description of the embodiments
Certain terms are used in the specification and claims to refer to particular components. Those skilled in the art will understand that hardware manufacturers may refer to the same component by different names. This specification and the claims do not distinguish components by differences in name but by differences in function. The term "comprising" used throughout the specification and claims is an open term and should be construed as "including but not limited to". "Substantially" means within an acceptable error range, within which those skilled in the art can solve the technical problem described and basically achieve the technical effect. In addition, the word "coupled" here includes any direct or indirect electrical coupling; thus, if a first device is described as being coupled to a second device, the first device may be directly electrically coupled to the second device, or indirectly electrically coupled to it through other devices or coupling means. The following description presents preferred embodiments for implementing the application; it is given to illustrate the principles of the application and does not limit its scope. The scope of protection of the application is defined by the appended claims.
Embodiment 1:
An identity authentication method for a TEE-based dynamic password, in which a terminal 2 is pre-configured with a dynamic password system, and which includes a dynamic password generation process and a dynamic password verification process, characterised in that the terminal 2 has a TEE; the dynamic password generation process is carried out in the terminal 2 and generates a dynamic password in response to a user's request; the dynamic password verification process authenticates the identity of the requesting user, and the authentication method includes the dynamic password; and the dynamic password generation process is carried out in the TEE.
The dynamic password system 1 is located in the TEE of the terminal 2. TEE is the abbreviation of Trusted Execution Environment, translated into Chinese as 可信执行环境. The identity authentication method for a TEE-based dynamic password provided by the invention is an identity authentication method in which the dynamic password generation process is carried out in the TEE, which avoids the problems of the prior art, where the dynamic password generation process runs in the REE and creates the risk of privacy leakage and theft of property. The terminal 2 can be any smart device that has a TEE; no specific device is needed, and the method can be carried out on the smart terminals users normally carry, such as mobile phones and tablet computers, while its security in use remains equally high. No special tutorial is needed; each use is a response to a user request, completed by following the prompts of terminal 2 one by one, which matches the habits of the general public. Compared with identity authentication methods of the prior art, it offers a high level of security while fitting the user's habits, and is very convenient to use.
Embodiment two:
A TEE-based dynamic password identity verification method, in which a terminal 2 is pre-configured with a dynamic password system 1, a dynamic password generation process and a dynamic password verification process. The terminal 2 has a TEE and a REE; the dynamic password generation process runs in the terminal 2 and generates a dynamic password for a user request; the dynamic password verification process authenticates the identity of the requesting user, with the dynamic password among the authentication factors. The dynamic password system 1 resides in the TEE of the terminal 2, and the dynamic password generation process is carried out in the TEE.
As shown in Fig. 1, the flow chart of the dynamic password generation process of an embodiment of the application, the client is an application client inside the terminal (an internal application client, which may reside in the REE of the mobile device). The dynamic password generation process includes:
Step 1: The dynamic password system 1 securely stores the user identity information. The terminal 2 receives a client request to generate a dynamic password, together with a signature over the request made with the private key corresponding to the client's digital certificate, and starts the dynamic password system 1. After the dynamic password system 1 verifies that the client signature is valid, it prompts the user of the terminal 2 to input the user identity information. The user inputs it as prompted by the system. The user identity information generally includes basic identity information and biometric information; the basic identity information includes name and ID number, and the biometric information includes fingerprint information, facial feature information, voiceprint information and/or iris information.
A client request may be any request from a mobile application that requires identity verification, such as a transaction request from a mobile banking or securities application, or an operation request from a game application. The terminal 2 may receive the client request in, but not limited to, the following ways: an application client inside the terminal 2 sends the request to the terminal; an application client outside the terminal 2 generates the request and presents it as a QR code, which the terminal 2 scans; or an application client outside the terminal generates the request and the request information is entered on the terminal 2. An internal application client of the terminal 2 is one whose hardware carrier is the same device as the terminal 2; an external application client is one whose carrier is a device other than the terminal of step 1.
Step 2: The dynamic password system 1 checks the input information against the user identity information stored in step 1;
Step 3: When the check in step 2 finds the information consistent, the dynamic password system 1 generates the dynamic password, and the dynamic password generation process is complete.
A terminal is a device used by an end user to communicate with a host. As shown in Fig. 7, the structural schematic diagram of the terminal 2 of an embodiment of the application, the terminal 2 includes: an execution module 202, including a REE execution module and a TEE execution module; an output module 201, including a display unit, a sound unit and/or an indicator unit; an input module 203, including a screen unit, a key unit, a fingerprint information acquisition unit, a sound acquisition unit, a camera unit and/or a sensor unit; a communication module 205, including a mobile communication component, a Bluetooth component, a WIFI component, an OTG component and/or an NFC component; and a storage module 204, including a RAM component and/or a FLASH component.
The terminal 2 can be any smart device with a TEE. The dynamic password generation process, that is, steps 1 to 3 above, is carried out in the TEE, which solves the prior-art problem of dynamic passwords being easily intercepted. The identity authentication method provided here is also compatible with authentication by user identity information: the fixed biological characteristics unique to a person are used as well, and a user who does not pass the identity information check cannot proceed to the next authentication step. Because the whole process runs in the TEE, the user's keys, identity information, biometric information and password information are protected, improving security and privacy during use while remaining easy to use.
Preferably, the user identity information in step 1 includes basic user identity information and biometric information; the basic identity information includes name and ID number, and the biometric information includes fingerprint information, facial feature information, voiceprint information and/or iris information.
Preferably, step 3 further includes: when the check in step 2 finds the information consistent, the dynamic password system 1 securely displays the client's application request message and prompts the user to confirm; after the user confirms and agrees to the request, the dynamic password system 1 generates the dynamic password, and the generation process is complete. The dynamic password may be of the time type, event type or challenge-response type. Adding a user confirmation step lets the user re-check the request information, avoiding mistakes and improving the user experience.
Embodiment three:
A TEE-based dynamic password identity verification method, in which a terminal 2 is pre-configured with a dynamic password system 1, a dynamic password generation process and a dynamic password verification process. The terminal 2 has a TEE and a REE; the dynamic password generation process runs in the terminal 2 and generates a dynamic password for a user request; the dynamic password verification process authenticates the identity of the requesting user, with the dynamic password among the authentication factors. The dynamic password system 1 resides in the TEE of the terminal 2, and the dynamic password generation process is carried out in the TEE.
The client is an application client outside the terminal, and the dynamic password generation process includes:
Step ①: The dynamic password system securely stores the user identity information. The terminal user starts the dynamic password system, which prompts the user to input the user identity information;
Step ②: The dynamic password system checks the input information against the user identity information stored in step ①;
Step ③: When the check in step ② finds the information consistent, the dynamic password system obtains the key information of the client's request to generate a dynamic password via OTG, NFC, Bluetooth, audio or sound wave, or by scanning a bar code or QR code, then generates the dynamic password, and the dynamic password generation process is complete. An external application client is one whose carrier is a device other than the terminal of step ①.
Preferably, step ③ further includes: when the check in step ② finds the information consistent, the dynamic password system 1 securely displays the client's application request message and prompts the user to confirm; after the user confirms and agrees to the request, the dynamic password system 1 generates the dynamic password, and the generation process is complete. The dynamic password may be of the time type, event type or challenge-response type.
The identity verification method provided by the application can be used with external application clients and supports many input methods, so users with different habits all get a good experience; it is widely applicable and easy to use.
Embodiment four:
On the basis of embodiment one, or of embodiment one combined with embodiment two, the client is an application client inside the terminal. As shown in Fig. 2, the flow chart of the dynamic password verification process, and Fig. 8, the structural schematic diagram of the method, of an embodiment of the application, the dynamic password verification process includes:
Step A1: The terminal sends the dynamic password generated in step 3 to the internal application client 5 of the terminal 2. An internal application client 5 of the terminal 2 is one whose hardware carrier is the same device as the terminal; the password is passed by a communication mechanism or shared memory mechanism between the TEE and the REE.
Step B1: After the internal application client 5 of the terminal 2 receives the dynamic password, it sends the client request information of step 1 to the server corresponding to the client application. The authentication and service back-end systems of the internal application client 5 and of the dynamic password system 1 may reside on this server.
Step C1: The server 3 receives the dynamic password of step B1 and checks the user information and the dynamic password sent in step B1. If the check succeeds, the server 3 processes the request and returns the processing result to the internal application client 5; if the check fails, the dynamic password verification process ends and identity authentication fails.
Step D1: The internal application client 5 receives the processing result of step C1, checks the relevant information and displays it; the dynamic password verification process ends.
Embodiment five:
On the basis of embodiment one, or of embodiment one combined with embodiment two, the client is an application client outside the terminal. As shown in Fig. 3, the flow chart of the dynamic password verification process, and Fig. 8, the structural schematic diagram of the method, of an embodiment of the application, the dynamic password verification process includes:
Step A2: The terminal displays the dynamic password generated in step ③ for the user to read and enter into the client, or sends the dynamic password generated in step ③ to the client via OTG, NFC, Bluetooth, audio or sound wave, or displays it as a bar code or QR code for the external application client 4 to scan. An external application client 4 is one whose carrier is a device other than the terminal 2 of step ①.
Step B2: After the external application client 4 obtains the dynamic password, it sends the request information of step ③ to the server corresponding to the client application;
Step C2: The server receives the dynamic password of step B2 and checks the user information and the dynamic password sent in step B2. If the check succeeds, the server 3 processes the application request and returns the processing result to the external application client 4;
Step D2: The external application client 4 receives the processing result of step C2, checks the relevant information and displays it; the dynamic password verification process ends.
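The generation steps 1 to 3 of embodiment two together with the server-side check of steps C1/C2 in embodiments four and five, as an added example in Go that is not part of the patent. HOTP (RFC 4226, HMAC-SHA1) is assumed for the dynamic password, since the patent names only the time, event and challenge-response types; the identity record, seed and account name are constructed, and the client signature, root-of-trust device and TEE/REE transport are not modelled.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// IdentityRecord is the user identity information kept in TEE secure storage
// (constructed shape: name, ID number, hash of the enrolled biometric template).
type IdentityRecord struct {
	Name, IDNumber string
	BiometricHash  [32]byte
}

// DynamicPasswordSystem models dynamic password system 1 inside the TEE.
type DynamicPasswordSystem struct {
	Identity IdentityRecord
	SeedKey  []byte // seed key obtained during account creation
	Counter  uint64 // moving counter for event-type passwords
}

// eventFactor and timeFactor are the moving factors of event-type and time-type
// passwords; a challenge-response type would hash the challenge into the same slot.
func eventFactor(counter uint64) [8]byte {
	var f [8]byte
	binary.BigEndian.PutUint64(f[:], counter)
	return f
}

func timeFactor(unixSeconds, stepSeconds int64) [8]byte {
	return eventFactor(uint64(unixSeconds / stepSeconds))
}

// hotp is HMAC-SHA1 dynamic truncation (RFC 4226); the page does not name the
// OTP algorithm, so HOTP/TOTP is an assumption of this example.
func hotp(seed []byte, factor [8]byte, digits int) string {
	mac := hmac.New(sha1.New, seed)
	mac.Write(factor[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// VerifyIdentity is step 2: constant-time comparison of the input with the
// stored identity information.
func (d *DynamicPasswordSystem) VerifyIdentity(name, idNumber string, biometric []byte) bool {
	h := sha256.Sum256(biometric)
	ok := subtle.ConstantTimeCompare([]byte(name), []byte(d.Identity.Name))
	ok &= subtle.ConstantTimeCompare([]byte(idNumber), []byte(d.Identity.IDNumber))
	ok &= subtle.ConstantTimeCompare(h[:], d.Identity.BiometricHash[:])
	return ok == 1
}

// GenerateEventPassword is step 3 for an event-type password: the seed is used
// only after the identity check passes, and the counter then advances.
func (d *DynamicPasswordSystem) GenerateEventPassword(name, idNumber string, biometric []byte) (string, error) {
	if !d.VerifyIdentity(name, idNumber, biometric) {
		return "", errors.New("input does not match the stored user identity information")
	}
	code := hotp(d.SeedKey, eventFactor(d.Counter), 6)
	d.Counter++
	return code, nil
}

// AuthServer models server 3: it holds the seed bound to each account and checks
// the dynamic password in step C1/C2.
type AuthServer struct {
	Seeds    map[string][]byte
	Counters map[string]uint64
}

// VerifyEventPassword accepts a password within a small look-ahead window (so
// unused passwords do not desynchronise the two sides) but never accepts the
// same counter value twice, which rejects replay of a captured password.
func (s *AuthServer) VerifyEventPassword(account, code string, window uint64) bool {
	seed, ok := s.Seeds[account]
	if !ok {
		return false
	}
	base := s.Counters[account]
	for i := uint64(0); i <= window; i++ {
		expected := hotp(seed, eventFactor(base+i), 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			s.Counters[account] = base + i + 1
			return true
		}
	}
	return false
}
```

With the RFC 4226 test secret as the seed, the first two event-type passwords are 755224 and 287082, and a time-type password at T=59 with a 30-second step equals the counter-1 value.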
Embodiment six:
On the basis of the methods of the above embodiments and of their combinations, as shown in Fig. 4, the flow chart of the account creation and seed key download process of the dynamic password system 1 of an embodiment of the application, the TEE-based dynamic password identity verification method further includes an account creation and seed key download process of the dynamic password system, which includes:
Step 1: The terminal is pre-configured with the TEE-based dynamic password system 1, forming the dynamic password system. The dynamic password system 1 registers a user account; registration includes entering identity information and setting an access password, and the dynamic password system 1 securely stores the registered identity information and the access password;
Step 2: The dynamic password system 1 reads authentication data from a root-of-trust device, or requests the root-of-trust device to issue authentication data. Root-of-trust devices include but are not limited to resident identity cards, citizen network electronic identities and USB keys; reading methods include but are not limited to OTG, NFC, Bluetooth, audio and sound wave.
Step 3: The dynamic password system 1 requests, through the dynamic password authentication server, that the root-of-trust system authenticate the authentication data of step 2 and the registered identity information; the root-of-trust system corresponds to the root-of-trust device of step 2;
Step 4: The root-of-trust system checks the authentication data of step 2 and verifies whether the registered identity information corresponds to the root-of-trust device, and sends the check result to the dynamic password system through the dynamic password authentication server;
Step 5: When the check result of step 4 is that the authentication data is verified successfully and the registered identity information corresponds to the root-of-trust device, the dynamic password system generates a first random number, encrypts it with the pre-stored encryption certificate public key of the dynamic password authentication server, and sends it to the dynamic password authentication server;
Step 6: The server 3 receives the first random number of step 5, binds the user account of step 1 to the dynamic password system, generates a second random number, encrypts it with the decrypted first random number and sends it to the dynamic password system 1. The encryption algorithm may be a symmetric algorithm such as AES, SM1, SM4 or 3DES;
Step 7: The dynamic password system 1 receives and decrypts the second random number encrypted in step 6 and securely stores it as the seed key; the account creation and seed key download process of the dynamic password system 1 is complete;
Steps 1 to 3, step 5 and step 7 are carried out in the TEE.
Account creation is the first step in using the system, and because the process is TEE-based from that first step, the security of identity authentication is improved at the process level. Because the seed key download process of the dynamic password system is also TEE-based and the seed key is stored in the TEE of the device, security is improved at the system-setup level as well. Moreover, the method does not require the user to visit a counter in person to open an account and download a seed key; it is easy to use, efficient, gives a good experience, is highly compatible with each application, and raises the security of the whole identity authentication process.
Preferably, as shown in Fig. 5, the flow chart of the seed key update process of the dynamic password system 1 of an embodiment of the application, the TEE-based dynamic password identity verification method further includes a seed key update process of the dynamic password system 1, which includes:
Step a: The dynamic password system 1 requests a seed update and prompts the user to input the user identity information;
Step b: The dynamic password system 1 checks the input information against the user identity information stored in step 1; when the check finds the information consistent, it prompts the user to use the root-of-trust device;
Step c: The dynamic password system 1 reads authentication data from the root-of-trust device or requests the root-of-trust device to issue authentication data. When the root-of-trust device authorizes the reading or issuing of the authentication data, the dynamic password system 1 requests, through the dynamic password authentication server, that the root-of-trust system authenticate the registered identity information and the authentication data; the root-of-trust system corresponds to the root-of-trust device of step b;
Step d: The root-of-trust system checks the authentication data of step c and verifies whether the registered identity information corresponds to the root-of-trust device, and sends the check result to the dynamic password system 1 through the dynamic password authentication server;
Step e: When the check result of step d is that the authentication data is verified successfully and the registered identity information corresponds to the root-of-trust device, the dynamic password system 1 generates a third random number, encrypts it with the pre-stored encryption certificate public key of the dynamic password authentication server, and sends it to the dynamic password authentication server;
Step f: The server 3 binds the user account of step a to the dynamic password system 1, generates a fourth random number, encrypts it with the decrypted third random number and sends it to the dynamic password system 1. The encryption algorithm may be a symmetric algorithm such as AES, SM1, SM4 or 3DES;
Step g: The dynamic password system 1 receives and decrypts the fourth random number encrypted in step f, securely stores it as the new seed key and deletes the old seed key; the seed key update process of the dynamic password system 1 is complete;
Steps a to c, step e and step g are carried out in the TEE. The seed key update is dynamic, unlike the physical products of the prior art, which are updated only once after manufacture while in the user's hands; the seed key of the present invention can be updated dynamically and repeatedly. Updating means that the current seed key differs from the original seed key. Even if an earlier seed key is stolen, what is stolen is the original seed key, and the seed key now in use remains unknown, so the seed data stays secret. In the TEE-based dynamic password identity verification method provided by the invention, the seed key update process runs in the TEE, and its security level can reach or even surpass that of a physical hardware dynamic token.
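The account creation and seed key download exchange of steps 5 to 7, and the seed key update of steps e to g, which repeats it with fresh random numbers, as an added example in Go that is not part of the patent. RSA-OAEP for the certificate public key encryption and AES-256-GCM for the symmetric step are assumptions of this example (the patent names only AES, SM1, SM4 or 3DES), the server's key pair is generated on the fly in place of a real encryption certificate, and the root-of-trust device check of steps 2 to 4 (b to d) is reduced to a boolean input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// DynamicPasswordSystem is the TEE side: server certificate public key plus seed key.
type DynamicPasswordSystem struct {
	ServerCertPublicKey *rsa.PublicKey // pre-stored encryption certificate public key
	SeedKey             []byte         // held in TEE secure storage
}

// AuthServer is the dynamic password authentication server (server 3).
type AuthServer struct {
	CertPrivateKey *rsa.PrivateKey
	Seeds          map[string][]byte // seed bound to each user account
}

// NewParties wires both sides around a fresh RSA key pair (constructed setup).
func NewParties(bits int) (*DynamicPasswordSystem, *AuthServer, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	return &DynamicPasswordSystem{ServerCertPublicKey: &key.PublicKey}, &AuthServer{CertPrivateKey: key, Seeds: map[string][]byte{}}, nil
}

// StartSeedExchange is step 5 (step e on update): draw the first (third) random
// number and encrypt it to the server's certificate public key (RSA-OAEP assumed).
func (d *DynamicPasswordSystem) StartSeedExchange() (r1, envelope []byte, err error) {
	r1 = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, r1); err != nil {
		return nil, nil, err
	}
	envelope, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, d.ServerCertPublicKey, r1, nil)
	return r1, envelope, err
}

// IssueSeed is step 6 (step f): recover the first random number, bind the account,
// draw the second and return it encrypted under the first (AES-256-GCM assumed).
func (s *AuthServer) IssueSeed(account string, envelope []byte) ([]byte, error) {
	r1, err := rsa.DecryptOAEP(sha256.New(), nil, s.CertPrivateKey, envelope, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(r1)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 32+gcm.NonceSize()) // second random number || nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	r2, nonce := buf[:32:32], buf[32:]
	s.Seeds[account] = r2 // binding: this account now verifies against r2
	return gcm.Seal(nonce, nonce, r2, nil), nil // nonce || ciphertext || tag
}

// InstallSeed is step 7 (step g): decrypt the second random number with the first
// and keep it as the seed key; any old seed is overwritten, i.e. deleted.
func (d *DynamicPasswordSystem) InstallSeed(r1, ct []byte) error {
	gcm, err := gcmFor(r1)
	if err != nil || len(ct) < gcm.NonceSize() {
		return errors.New("bad key or ciphertext shorter than nonce")
	}
	r2, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return err
	}
	d.SeedKey = r2
	return nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RunSeedExchange performs one download or one update (same steps, fresh random
// numbers); rootOfTrustOK stands for the outcome of the root-of-trust device check.
func RunSeedExchange(d *DynamicPasswordSystem, s *AuthServer, account string, rootOfTrustOK bool) error {
	if !rootOfTrustOK {
		return errors.New("root-of-trust check failed: no seed exchanged")
	}
	r1, envelope, err := d.StartSeedExchange()
	if err != nil {
		return err
	}
	ct, err := s.IssueSeed(account, envelope)
	if err != nil {
		return err
	}
	return d.InstallSeed(r1, ct)
}
```

Calling RunSeedExchange twice for the same account performs the download and then the update: both sides end up holding the same 32-byte seed, and the second call replaces the first seed on both sides.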
Embodiment seven:
As shown in Fig. 6, the structural schematic diagram of the dynamic password system 1 of an embodiment of the application, the dynamic password system 1 includes: a secure storage module 104, a secure input/output module 101, a user identification module 105, a cryptographic operation module 103 and a secure execution module 102. The user identification module 105, the cryptographic operation module 103, the secure input/output module 101 and the secure storage module 104 are each connected to the secure execution module 102, and the secure input/output module 101, the secure execution module 102 and the secure storage module 104 are connected to the TEE execution module of the terminal device 2.
The user identification module 105 receives instructions from the secure execution module 102, identifies the user, and returns the identification result to the secure execution module 102;
The cryptographic operation module 103 receives instructions from the secure execution module 102, performs the operations, and sends the results to the secure execution module 102;
The secure storage module 104 receives instructions from the secure execution module 102, securely stores user data, and exchanges the user data with the secure execution module 102;
The secure execution module 102 schedules the resources of the secure input/output module 101, the user identification module 105, the cryptographic operation module 103 and the secure storage module 104, sends instructions and receives the related data;
The secure input/output module 101, the secure execution module 102 and the secure storage module 104 are connected to the TEE module of the terminal device 2.
The secure input/output module securely manages and calls the output module, the input module and/or the communication module;
The secure storage module securely manages and calls the storage module.
Preferably, the user identification module 105 includes a password identification unit, a fingerprint information identification unit, a facial feature information identification unit, a voiceprint identification unit and/or an iris information identification unit; that is, the user identification module 105 includes any one or any combination of the following units: a password identification unit, a fingerprint information identification unit, a facial feature information identification unit, a voiceprint identification unit and an iris information identification unit.
Preferably, the output module 201 includes a display unit, a voice unit and/or an indicator unit; the input module 203 includes a screen unit, a key unit, a fingerprint information acquisition unit, a sound acquisition unit, a camera unit and/or a sensor unit.
Preferably, the cryptographic operation module 103 includes an asymmetric cryptographic operation unit, a symmetric cryptographic operation unit, a time-type dynamic password operation unit, an event-type dynamic password operation unit and/or a challenge-response-type dynamic password operation unit; that is, the cryptographic operation module 103 includes any one or any combination of the following units: an asymmetric cryptographic operation unit, a symmetric cryptographic operation unit, a time-type dynamic password operation unit, an event-type dynamic password operation unit and a challenge-response-type dynamic password operation unit.
Preferably, the user data includes user basic information, user identification information, digital certificates, seeds, keys and/or a character library; that is, the user data includes any one or any combination of the following: user basic information, user identification information, digital certificates, seeds, keys and a character library.
The dynamic password security system 1 is comprehensive in function and secure in operation; it combines certificate identification, biometric identification and password identification, which makes its identity authentication more broadly compatible, more secure and better for the user.
Embodiment eight:
A TEE-based dynamic password identity verification system, including a configuration unit, a dynamic password generation unit and a dynamic password verification unit, characterized in that:
the configuration unit pre-configures the dynamic password system 1 in the terminal 2;
the dynamic password generation unit runs in the terminal and generates a dynamic password for a user request, the dynamic password being among the authentication factors; specifically, it generates the dynamic password for the user request from the seed key and a variable factor such as time, an event or a challenge-response; the dynamic password system resides in the TEE of the terminal, and the dynamic password generation unit runs in the TEE.
Preferably, the dynamic password generation unit includes:
a signal processing module: the dynamic password system securely stores the user identity information; when the terminal 2 receives a client request, it starts the dynamic password system 1, which prompts the user of the terminal 2 to input the user identity information;
an information checking module: when the user inputs the user identity information, the dynamic password system checks the input against the user identity information stored in the dynamic password system 1, or, on receiving a client request and signature, verifies the legitimacy of the client;
a password generation module: when the check in step 2 finds the information consistent, the dynamic password system 1 generates the dynamic password, and the dynamic password generation process is complete.
Preferably, the system may further include a seed key download and update unit, which provides terminal users with identity verification, account registration, and the download and update of the dynamic password seed key;
The TEE-based dynamic password identity verification system 1 provided by the invention matches the habits of the general public; compared with prior-art identity authentication methods, it combines a high level of security with the user's existing habits and is very convenient to use. It protects the user's keys, identity information, biometric information and password information, improving security and privacy during use while remaining easy to use.
From the above embodiments, the advantageous effects of the application are:
(1) In the TEE-based dynamic password system provided by the invention, the dynamic password generation process, the cryptographic operation process and the user identification process are carried out in the TEE, and the user's sensitive information, such as keys, identity information, biometric information and password information, is stored by the secure storage module in the TEE. This avoids the problems of the prior art, where the dynamic password is generated in the REE and user sensitive information is stored in the REE environment, risking privacy leakage and theft of property. At the same time, within the TEE environment the terminal's input and output modules are managed and called through the secure input/output interface, so the identity authentication request information is displayed securely and confirmed by the user; this avoids the risk, in the REE environment, of the input and output modules being controlled and tampered with by illegal applications, and ensures that the identity authentication process reflects the user's real intent;
(2) In the TEE-based dynamic password identity verification method provided by the invention, the terminal can be any smart device with a TEE; no specific device is required, and the method can run on the smart terminal a user normally carries, such as a mobile phone or tablet, while remaining highly secure in use;
(3) The TEE-based dynamic password identity verification method provided by the invention is compatible with biometric identification: the fixed biological characteristics unique to a person are used as well, a user who does not pass biometric identification cannot proceed to the next step of identity authentication, and because the above process runs in the TEE, convenience during use is improved alongside security;
(4) The TEE-based dynamic password identity verification method provided by the invention does not require the user to visit a counter in person to open an account and download a seed key; it is easy to use, efficient, gives a good experience, is highly compatible with each application, and raises the security of the whole identity authentication process;
(5) The TEE-based dynamic password identity verification method provided by the invention needs no special training: each step is a response to a user request, prompted and completed by the terminal, which matches the habits of the general public. Compared with prior-art identity authentication methods, it combines a high level of security with the user's existing habits and is very convenient to use. It protects the user's keys, identity information, biometric information and password information, improving security and privacy during use while remaining easy to use;
(6) In the TEE-based dynamic password identity verification method provided by the invention, the seed key update process runs in the TEE, and its security level can reach or even surpass that of a physical hardware dynamic token;
(7) In the TEE-based dynamic password identity verification method provided by the invention, the dynamic password security system is comprehensive in function and secure in operation; it combines certificate identification, biometric identification and password identification, which makes its identity authentication more broadly compatible, more secure and better for the user;
(8) The TEE-based dynamic password identity verification system provided by the invention is TEE-based from the initial step, improving the security of identity authentication at the process level; because the seed key download process of the dynamic password system is TEE-based and the seed key is stored in the TEE of the device, the security of identity authentication is improved at the system-setup level as well.
Of course, a technical solution protected by the invention need not achieve all of the above advantageous effects at once; that a single scheme does not achieve all of the above advantageous effects at once does not limit the scope of the invention.
Those skilled in the art will understand that the embodiments of the application may be provided as a method, an apparatus or a computer program product. Accordingly, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical memory) containing computer-usable program code.
Several preferred embodiments of the application have been shown and described above, but, as stated earlier, it should be understood that the application is not limited to the forms disclosed here and is not to be taken as excluding other embodiments; it can be used in various other combinations, modifications and environments, and can be modified within the scope of the inventive concept set out here through the above teachings or through the skill or knowledge of the related art. Changes and modifications made by those skilled in the art that do not depart from the spirit and scope of the application all fall within the scope of protection of the appended claims.

Claims (9)

1. A TEE-based dynamic password identity authentication method, comprising a terminal pre-configured with a dynamic password system, a dynamic password generation process and a dynamic password verification process, characterized in that it further comprises an account creation and seed key download process of the dynamic password system; the terminal has a TEE; the dynamic password generation process is carried out in the terminal and generates a dynamic password in response to a user's request; the dynamic password verification process authenticates the identity of the requesting user, the authentication mode including the dynamic password; wherein the dynamic password generation process is carried out in the TEE;
the account creation and seed key download process comprises:
Step 1: the terminal is pre-configured with the TEE-based dynamic password system, which constitutes the dynamic password system; a user account is registered in the dynamic password system, registration of the user account comprising input of identity information and setting of an access password, and the dynamic password system securely stores the registered identity information and the access password;
Step 2: the dynamic password system reads authentication data from a trust root device, or requests the trust root device to issue authentication data;
Step 3: the dynamic password system requests, via a dynamic password authentication server, that a root-of-trust system verify the authentication data of step 2 together with the registered identity information, the root-of-trust system corresponding to the trust root device of step 2;
Step 4: the root-of-trust system checks the authentication data of step 2, verifies whether the registered identity information corresponds to the trust root device, and sends the check result to the dynamic password system via the dynamic password authentication server;
Step 5: when the check result of step 4 is that the authentication data was verified successfully and the registered identity information corresponds to the trust root device, the dynamic password system generates a first random number, encrypts it with the pre-stored encryption certificate public key of the dynamic password authentication server, and sends it to the dynamic password authentication server;
Step 6: the server receives the first random number of step 5, binds the user account of step 1 to the dynamic password system, generates a second random number, encrypts it with the decrypted first random number and sends it to the dynamic password system;
Step 7: the dynamic password system receives the second random number and, after decrypting it as in step 6, securely stores it as the seed key; the account creation and seed key download process of the dynamic password system is then complete;
steps 1 to 3, step 5 and step 7 are carried out in the TEE.
2. The method according to claim 1, characterized in that it further comprises a client, the client being an application client inside the terminal, and the dynamic password generation process comprises:
Step 1: the dynamic password system securely stores user identity information; the terminal receives an application request from the client, the application request carrying a request to generate a dynamic password together with a signature of that request made with the private key corresponding to the client's digital certificate; the dynamic password system is started, and after the dynamic password system has verified that the client signature is valid, it sends the terminal user a request to input the user identity information;
Step 2: the dynamic password system checks the input information against the user identity information stored in step 1;
Step 3: when the result of the check in step 2 is that the information matches, the dynamic password system generates a dynamic password, and the dynamic password generation process is complete.
3. The method according to claim 1, characterized in that it further comprises a client, the client being an application client external to the terminal, where an external application client means that the carrier of the application client is a device other than the terminal's internal application client, and the dynamic password generation process comprises:
Step ①: the dynamic password system securely stores user identity information; when the dynamic password system is started, it sends the user a request to input the user identity information;
Step ②: the dynamic password system checks the input information against the user identity information stored in step ①;
Step ③: when the result of the check in step ② is that the information matches, the dynamic password system obtains the client's request to generate a dynamic password by OTG, NFC, Bluetooth, audio, sound wave, user input, or by scanning a barcode or QR code, generates the dynamic password, and the dynamic password generation process is complete.
4. The method according to claim 2, characterized in that the client is an application client inside the terminal, and the dynamic password verification process comprises:
Step A1: the dynamic password system sends the dynamic password generated in step 3 to the terminal-internal application client;
Step B1: after the terminal-internal application client receives the dynamic password, it forwards the request information of step 1 to the server corresponding to the client application;
Step C1: the server of step B1 receives the dynamic password and checks the user information and the dynamic password sent in step B1; when the check result is correct, the server processes the application request and returns the processing result to the terminal-internal application client;
Step D1: the terminal-internal application client receives the processing result of step C1, verifies the relevant information and displays it; the dynamic password verification process is then complete.
5. The method according to claim 3, characterized in that the client is an application client external to the terminal, where an external application client means that the carrier of the application client is a device other than the terminal's internal application client, and the dynamic password verification process comprises:
Step A2: the terminal displays the dynamic password generated in step ③ for the user to read and enter into the client, or sends the dynamic password to the client by OTG, NFC, Bluetooth, audio or sound wave, or displays it as a barcode or QR code for the application client to scan and read;
Step B2: after the application client obtains the dynamic password, it sends the request information of step ③ to the server corresponding to the client application;
Step C2: the server of step B2 receives the dynamic password of step B2 and checks the user information and the dynamic password sent in step B2; when the check result is correct, the server processes the application request and returns the processing result to the application client;
Step D2: the application client receives the processing result of step C2, verifies the relevant information and displays it; the dynamic password verification process is then complete.
6. The method according to claim 2 or 4, characterized in that it further comprises a seed key renewal process of the dynamic password system, which comprises:
Step a: the dynamic password system requests a seed update and sends the user a request to input the user identity information;
Step b: the dynamic password system checks the input information against the user identity information stored in step 1; when the check result is a match, it sends the user a request to use the trust root device;
Step c: the dynamic password system reads authentication data from the trust root device or requests the trust root device to issue authentication data; when the trust root device authorizes the reading or issuing of the relevant authentication data, the dynamic password system requests, via the dynamic password authentication server, that the root-of-trust system verify the registered identity information and the authentication data, the root-of-trust system corresponding to the trust root device of step b;
Step d: the root-of-trust system checks the authentication data of step c, verifies whether the registered identity information corresponds to the trust root device, and sends the check result to the dynamic password system via the dynamic password authentication server;
Step e: when the check result of step d is that the authentication data was verified successfully and the registered identity information corresponds to the trust root device, the dynamic password system generates a third random number, encrypts it with the pre-stored encryption certificate public key of the dynamic password authentication server and sends it to the dynamic password authentication server;
Step f: the server binds the user account of step a to the dynamic password system, generates a fourth random number, encrypts it with the decrypted third random number and sends it to the dynamic password system;
Step g: the dynamic password system receives the fourth random number, decrypts it as in step f, securely stores it as the new seed key and deletes the old seed key; the seed key renewal process of the dynamic password system is then complete;
steps a to c, step e and step g are carried out in the TEE.
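The seed key download of claim 1 (steps 5 to 7) and the seed key renewal of claim 6 (steps e to g), as an added Go example that is not the patent's own code: two plain structs stand in for the TEE-side dynamic password system and the authentication server, the trust-root checks of steps 2 to 4 (b to d) are assumed to have already succeeded, and the ciphers are assumptions because the claims name none (RSA-OAEP for the random number sent to the server, AES-256-GCM keyed with that random number for the seed sent back).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// AuthServer stands in for the authentication server: its certificate private key and account-to-seed bindings.
type AuthServer struct {
	encKey   *rsa.PrivateKey
	bindings map[string][]byte
}

// TeeOtpSystem stands in for the dynamic password system in the TEE; seedKey plays the role of TEE secure storage.
type TeeOtpSystem struct {
	serverPub *rsa.PublicKey // pre-stored encryption certificate public key
	seedKey   []byte
}

func NewAuthServer() *AuthServer {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // constructed server certificate key
	if err != nil {
		panic(err)
	}
	return &AuthServer{encKey: k, bindings: map[string][]byte{}}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read fills b fully and never returns an error (Go 1.24+)
	return b
}

// r (32 random bytes drawn in the TEE) is used directly as an AES-256-GCM key: an authenticated wrap of the seed.
func aead(r []byte) cipher.AEAD {
	block, _ := aes.NewCipher(r) // callers guarantee len(r) == 32
	g, _ := cipher.NewGCM(block)
	return g
}

// Step 5 / step e (TEE): draw r and encrypt it to the server's certificate public key.
func (t *TeeOtpSystem) RequestSeed() (r, encR []byte, err error) {
	r = randomBytes(32)
	encR, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, t.serverPub, r, nil)
	return r, encR, err
}

// Step 6 / step f (server): recover r, bind the account to a fresh seed (replacing any old one) and wrap it under r.
func (s *AuthServer) IssueSeed(account string, encR []byte) ([]byte, error) {
	r, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.encKey, encR, nil)
	if err != nil || len(r) != 32 { // reject anything but a well-formed request
		return nil, errors.New("invalid seed request")
	}
	seed := randomBytes(32)
	s.bindings[account] = seed
	g, nonce := aead(r), randomBytes(12)
	return g.Seal(nonce, nonce, seed, nil), nil // nonce || ciphertext || tag
}

// Step 7 / step g (TEE): unwrap with the r kept in the TEE, store the new seed key and wipe the old one.
func (t *TeeOtpSystem) InstallSeed(r, sealed []byte) error {
	if len(sealed) < 12 {
		return errors.New("sealed seed too short")
	}
	seed, err := aead(r).Open(nil, sealed[:12], sealed[12:], nil)
	if err != nil {
		return err // tampered or mis-keyed response: the old seed key stays in place
	}
	copy(t.seedKey, make([]byte, len(t.seedKey))) // delete the old seed key
	t.seedKey = seed
	return nil
}
```

Running the three steps a second time for an already bound account is the renewal of claim 6. Note that the server replaces its binding in step 6/f before the TEE has confirmed step 7/g, so a response lost or rejected in transit leaves the two sides holding different seeds until the next renewal.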
7. The method according to claim 2 or 4, characterized in that the user identity information in step 1 comprises basic user identity information and biometric information, the basic identity information comprising a name and a passport number, and the biometric information comprising fingerprint information, facial feature information, voiceprint information and/or iris information;
step 3 further comprises: when the result of the check in step 2 is that the information matches, the dynamic password system securely displays the client's application request message and prompts the user to confirm; after the user confirms agreement to the request, the dynamic password system generates the dynamic password, and the dynamic password generation process is complete;
step ③ further comprises: when the result of the check in step ② is that the information matches, the dynamic password system securely displays the client's application request message and prompts the user to confirm; after the user confirms agreement to the request, the dynamic password system generates the dynamic password, and the dynamic password generation process is complete.
8. The method according to claim 7, characterized in that the dynamic password system comprises:
a secure input/output module for securely managing and invoking input/output components, the input/output components comprising: a screen, buttons, a fingerprint reader, a camera, Bluetooth, OTG and NFC;
a user identification module for receiving instructions from the secure execution module, identifying the user and feeding the identification result back to the secure execution module;
a cryptographic operation module for receiving instructions from the secure execution module, performing the operation and sending the operation result to the secure execution module;
a secure storage module for receiving instructions from the secure execution module, securely storing user data and exchanging that user data with the secure execution module;
a secure execution module for scheduling the resources of the secure input/output module, the user identification module, the cryptographic operation module and the secure storage module, sending them instructions and receiving the related data.
9. A TEE-based dynamic password identity authentication system, comprising a configuration unit, a dynamic password generation unit and a dynamic password verification unit, characterized in that:
the configuration unit is for pre-configuring a dynamic password system in a terminal;
the dynamic password generation unit operates in the terminal and generates a dynamic password in response to a user's request;
the dynamic password verification unit authenticates the identity of the requesting user, the authentication mode including the dynamic password;
wherein the dynamic password generation unit runs in the TEE;
the TEE-based dynamic password identity authentication system uses the TEE-based dynamic password identity authentication method of any one of claims 1 to 8.
CN201510862528.4A 2015-12-01 2015-12-01 A kind of auth method and system of the dynamic password based on TEE Active CN105516104B (en)

Publications (2)

Publication Number   Publication Date
CN105516104A (en)    2016-04-20
CN105516104B (en)    2018-10-26

