CN105516104B - TEE-based dynamic password identity verification method and system - Google Patents
- Publication number: CN105516104B (application number CN201510862528.4A)
- Authority: CN (China)
- Prior art keywords: dynamic password, user, information, dynamic, client
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All classifications fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):
- H04L63/0838: Network architectures or network communication protocols for network security; authentication of entities using passwords; using one-time passwords
- H04L63/067: Network architectures or network communication protocols for network security; supporting key management in a packet data network; using one-time keys
- H04L63/0861: Network architectures or network communication protocols for network security; authentication of entities using biometrical features, e.g. fingerprint, retina scan
- H04L9/0863: Key distribution or management; generation of secret information including derivation or calculation of cryptographic keys or passwords; involving passwords or one-time passwords
- H04L9/0869: Key distribution or management; generation of secret information including derivation or calculation of cryptographic keys or passwords; involving random numbers or seeds
- H04L9/3226: Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials); using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231: Cryptographic mechanisms including means for verifying the identity or authority of a user; biological data, e.g. fingerprint, voice or retina
Abstract
This application discloses a TEE-based dynamic password identity verification method. It comprises pre-configuring a dynamic password system on a terminal, a dynamic password generation process and a dynamic password verification process. The terminal has a TEE; the dynamic password generation process is carried out on the terminal and generates a dynamic password in response to a user's request; the dynamic password verification process authenticates the identity of the user making the request, the authentication mode including the dynamic password; and the dynamic password generation process is carried out in the TEE. In the TEE-based dynamic password system provided by the invention, the dynamic password generation process, the cryptographic operation process and the user discrimination process are carried out in the TEE, and the user's sensitive information (keys, identity information, biometric information and password information) is stored in the TEE by a secure storage module. This avoids the problems of the prior art, where the dynamic password generation process runs in the REE and user sensitive information is stored in the REE, giving rise to privacy leakage, theft of property and similar risks.
Description
Technical field
This application relates to the field of information technology and, specifically, to a TEE-based dynamic password identity verification method and system.
Background art
To improve the identity authentication security of network application systems such as online banking, telephone banking, online securities, telephone securities, online shopping and online games, industries and enterprises have successively launched dynamic password authentication systems, which offer greater security than traditional static passwords. Using a dynamic password authentication system for identity authentication greatly improves the security of network application systems.
The main current identity authentication modes and their advantages and disadvantages are:
Dynamic password technology and PKI technology are today mostly realised in hardware form; their security is high and they are widely used, but the user must collect a physical device, carry it and learn how to use it, so the user experience is poor. SMS verification codes need no additional hardware, but because of the openness of the mobile phone platform their security is poor and the problems are growing.
Biometric authentication requires no additional hardware and the usage experience is good, but because biometric data is mostly static it is easily intercepted or copied in open environments, open networks and open platforms; and because biometric features cannot be changed, more security problems tend to arise, so biometrics is better suited to near-field authentication.
Authentication based on big-data analysis is completely transparent to the user and the experience is better, but the collection and use of multidimensional data is not yet covered by relevant laws and regulations and raises privacy-protection issues; moreover its result is only a probability rather than a deterministic judgement, so it is better suited to advertising, marketing and risk control.
There is therefore an urgent need for a TEE-based dynamic password identity authentication method that is secure, convenient and has good compatibility.
Summary of the invention
In view of this, the technical problem to be solved by this application is that existing identity authentication methods are insecure, unstable, inconvenient and poorly compatible.
To solve this technical problem, the present invention provides a TEE-based dynamic password identity verification method and system which, by carrying out the generation and verification of the dynamic password in the TEE, avoid the insecurity, instability, inconvenience and poor compatibility of existing identity authentication methods. The technical scheme is as follows:
A TEE-based dynamic password identity verification method comprises pre-configuring a dynamic password system on a terminal, a dynamic password generation process and a dynamic password verification process, characterised in that the terminal has a TEE; the dynamic password generation process is carried out on the terminal and generates a dynamic password in response to a user's request; the dynamic password verification process authenticates the identity of the user making the request, the authentication mode including the dynamic password; and the dynamic password generation process is carried out in the TEE.
Preferably, the client is an application client inside the terminal, and the dynamic password generation process comprises:
Step 1: The dynamic password system securely stores the user identity information. The terminal receives an application request from the client; the application request carries a request to generate a dynamic password together with a signature over the request made with the private key corresponding to the client's digital certificate. The dynamic password system is started and, after it has verified that the client signature is valid, it prompts the terminal user to input the user identity information;
Step 2: The dynamic password system compares the input information with the user identity information stored in Step 1;
Step 3: When the comparison in Step 2 finds the information consistent, the dynamic password system generates the dynamic password, and the dynamic password generation process is complete.
Preferably, the client is an application client outside the terminal, meaning that the carrier of the application client is a device other than the terminal of Step 1, and the dynamic password generation process comprises:
Step ①: The dynamic password system securely stores the user identity information. When the dynamic password system is started, it prompts the user to input the user identity information;
Step ②: The dynamic password system compares the input information with the user identity information stored in Step ①;
Step ③: When the comparison in Step ② finds the information consistent, the dynamic password system obtains the client's request to generate a dynamic password via OTG, NFC, Bluetooth, audio, sound waves or user input, or by scanning a bar code or QR code, then generates the dynamic password, and the dynamic password generation process is complete.
Preferably, the client is an application client inside the terminal, and the dynamic password verification process comprises:
Step A1: The dynamic password system sends the dynamic password generated in Step 3 to the application client inside the terminal;
Step B1: After the application client inside the terminal receives the dynamic password, it forwards the request information of Step 1 to the server corresponding to the client application;
Step C1: The server of Step B1 receives the dynamic password, verifies the user information and the dynamic password sent in Step B1 and, when the verification result is correct, processes the application request and returns the processing result to the application client inside the terminal;
Step D1: The application client inside the terminal receives the processing result of Step C1, verifies the relevant information and displays it; the dynamic password verification process is finished.
Preferably, the client is an application client outside the terminal, meaning that the carrier of the application client is a device other than the terminal of Step 1, and the dynamic password verification process comprises:
Step A2: The terminal displays the dynamic password generated in Step ③ for the user to read and input into the client, or sends the dynamic password to the client via OTG, NFC, Bluetooth, audio or sound waves, or displays it as a bar code or QR code for the application client to scan and read;
Step B2: After the application client obtains the dynamic password, it sends the request information of Step ③ to the server corresponding to the client application;
Step C2: The server of Step B2 receives the dynamic password of Step B2, verifies the user information and the dynamic password sent in Step B2 and, when the verification result is correct, processes the application request and returns the processing result to the application client;
Step D2: The application client receives the processing result of Step C2, verifies the relevant information and displays it; the dynamic password verification process is finished.
Preferably, the method further includes an account creation and seed key download process of the dynamic password system, comprising:
Step 1: The terminal is pre-configured with the TEE-based dynamic password system, which constitutes the dynamic password system. The dynamic password system registers a user account; registering the user account includes inputting identity information and setting an access password, and the dynamic password system securely stores the registration identity information and the access password;
Step 2: The dynamic password system reads the authentication data of a root-of-trust device, or requests the root-of-trust device to issue authentication data;
Step 3: Via the dynamic password authentication server, the dynamic password system asks the root-of-trust system to authenticate the authentication data of Step 2 and the registration identity information; the root-of-trust system corresponds to the root-of-trust device of Step 2;
Step 4: The root-of-trust system verifies the authentication data of Step 2, checks whether the registration identity information corresponds to the root-of-trust device, and sends the verification result to the dynamic password system via the dynamic password authentication server;
Step 5: When the verification result of Step 4 is that the authentication data verified successfully and the registration identity information corresponds to the root-of-trust device, the dynamic password system generates a first random number, encrypts it with the pre-stored encryption certificate public key of the dynamic password authentication server and sends it to the dynamic password authentication server;
Step 6: The server receives the first random number of Step 5, binds the user account of Step 1 to the dynamic password system, generates a second random number, encrypts it with the decrypted first random number and sends it to the dynamic password system;
Step 7: The dynamic password system receives the second random number, decrypts it and securely stores it as the seed key; the account creation and seed key download process of the dynamic password system is complete.
Steps 1 to 3, Step 5 and Step 7 are carried out in the TEE.
Preferably, the method further includes a seed key update process of the dynamic password system, comprising:
Step a: The dynamic password system requests a seed update and prompts the user to input the user identity information;
Step b: The dynamic password system compares the input information with the user identity information stored in Step 1; when the comparison finds it consistent, it prompts the user to use the root-of-trust device;
Step c: The dynamic password system reads the authentication data of the root-of-trust device or requests the root-of-trust device to issue authentication data; when the root-of-trust device authorises the reading or issuing of the authentication data, the dynamic password system, via the dynamic password authentication server, asks the root-of-trust system to authenticate the registration identity information and the authentication data; the root-of-trust system corresponds to the root-of-trust device of Step b;
Step d: The root-of-trust system verifies the authentication data of Step c, checks whether the registration identity information corresponds to the root-of-trust device, and sends the verification result to the dynamic password system via the dynamic password authentication server;
Step e: When the verification result of Step d is that the authentication data verified successfully and the registration identity information corresponds to the root-of-trust device, the dynamic password system generates a third random number, encrypts it with the pre-stored encryption certificate public key of the dynamic password authentication server and sends it to the dynamic password authentication server;
Step f: The server binds the user account of Step a to the dynamic password system, generates a fourth random number, encrypts it with the decrypted third random number and sends it to the dynamic password system;
Step g: The dynamic password system receives the fourth random number, decrypts it, securely stores it as the new seed key and deletes the old seed key; the seed key update process of the dynamic password system is complete.
Steps a to c, Step e and Step g are carried out in the TEE.
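The random-number exchange of Steps 5 to 7 above, which Steps e to g repeat for a seed key update, as an added example that is not part of the patent or of any product implementing it. It assumes RSA-OAEP with SHA-256 for "encrypted with the encryption certificate public key", AES-256-GCM for "encrypted with the decrypted first random number", 32-byte random numbers, and the names TEESystem, AuthServer, Step5, Step6, Step7 and randBytes, all of which are this example's own choices; the root-of-trust checks of Steps 2 to 4 (and b to d) are taken as already passed, and an account string stands in for the user account of Step 1.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// TEESystem is the dynamic password system inside the TEE: the pre-stored server
// certificate public key and the securely stored seed key.
type TEESystem struct {
	serverPub *rsa.PublicKey
	seed      []byte
}

// AuthServer is the dynamic password authentication server: its certificate
// private key and the seed bound to each user account.
type AuthServer struct {
	priv  *rsa.PrivateKey
	seeds map[string][]byte
}

// randBytes returns n bytes from the system CSPRNG (the patent's "random numbers").
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("system randomness unavailable: " + err.Error())
	}
	return b
}

// Step5 (likewise Step e): generate R1 in the TEE and encrypt it to the server's
// certificate public key with RSA-OAEP (assumed cipher). R1 never leaves the TEE.
func (t *TEESystem) Step5() (r1, encR1 []byte, err error) {
	r1 = randBytes(32)
	encR1, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, t.serverPub, r1, nil)
	return r1, encR1, err
}

// Step6 (likewise Step f): recover R1, bind the account to this dynamic password
// system, generate R2 as its seed and return R2 encrypted under R1.
func (s *AuthServer) Step6(account string, encR1 []byte) ([]byte, error) {
	r1, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, encR1, nil)
	if err != nil {
		return nil, err // not encrypted to our certificate: refuse
	}
	r2 := randBytes(32)
	s.seeds[account] = r2
	return wrapAESGCM(r1, r2)
}

// Step7 (likewise Step g): unwrap R2 and store it as the seed key, overwriting the
// old one. If unwrapping fails (wrong key, tampering) the old seed is kept.
func (t *TEESystem) Step7(r1, envelope []byte) error {
	seed, err := unwrapAESGCM(r1, envelope)
	if err != nil {
		return err
	}
	t.seed = seed
	return nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapAESGCM returns nonce || AES-256-GCM(key, plaintext) (assumed cipher); the
// authentication tag is what lets the TEE reject a modified R2.
func wrapAESGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func unwrapAESGCM(key, envelope []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(envelope) < ns {
		return nil, errors.New("envelope too short")
	}
	return gcm.Open(nil, envelope[:ns], envelope[ns:], nil) // fails on any tampering
}
```

Calling Step5, Step6 and Step7 in order once performs the account creation download; calling them again performs the update of Steps e to g, since Step7 overwrites the stored seed. Two points worth noting: the AEAD tag is what allows Step7 to refuse a modified envelope instead of silently storing a wrong seed, and the server binds the new seed in Step6 before it learns whether Step7 succeeded, so a failed Step7 leaves the two ends holding different seeds until the exchange is repeated.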
Preferably, the user identity information of Step 1 includes the user's basic identity information and biometric information; the basic identity information includes name and ID/passport number, and the biometric information includes fingerprint information, facial feature information, voiceprint information and/or iris information;
Step 3 further includes: when the comparison in Step 2 finds the information consistent, the dynamic password system securely displays the client's application request message and prompts the user to confirm; after the user confirms and agrees to the request, the dynamic password system generates the dynamic password, and the dynamic password generation process is complete;
Step ③ further includes: when the comparison in Step ② finds the information consistent, the dynamic password system securely displays the client's application request message and prompts the user to confirm; after the user confirms and agrees to the request, the dynamic password system generates the dynamic password, and the dynamic password generation process is complete.
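The generation steps (1 to 3 and ① to ③, including the identity comparison and the user confirmation just described) together with the server-side check of Steps C1 and C2, as an added example that is not code from the patent or from any product implementing it. It assumes a counter-based HMAC-SHA256 dynamic password (the patent fixes no algorithm), a 6-digit code, a constructed sample seed in place of one downloaded in Step 7, and the names TEEToken, OTPServer and generateOTP, which are this example's own; the identity comparison and the user's confirmation are passed in as booleans rather than modelled.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// otpDigits is the length of the displayed dynamic password (example's choice).
const otpDigits = 6

// generateOTP derives one dynamic password from the seed key and a counter:
// HOTP-style dynamic truncation of HMAC-SHA256 (the patent fixes no algorithm,
// so this is the example's assumption).
func generateOTP(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha256.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < otpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", otpDigits, code%mod)
}

// TEEToken is the dynamic password system in the TEE: the securely stored seed
// key and a counter that moves forward with every password issued.
type TEEToken struct {
	seed    []byte
	counter uint64
}

// Generate is Step 3 (and Step ③): a dynamic password is issued only after the
// input identity information matched the stored copy (Step 2) and the user has
// confirmed the securely displayed application request.
func (t *TEEToken) Generate(identityMatched, userConfirmed bool) (string, error) {
	if !identityMatched {
		return "", errors.New("identity information does not match the stored record")
	}
	if !userConfirmed {
		return "", errors.New("user did not confirm the application request")
	}
	code := generateOTP(t.seed, t.counter)
	t.counter++ // a counter value is never reused
	return code, nil
}

// OTPServer is the application server of Steps C1/C2: the seed bound to each
// account and the next counter value it expects from that account.
type OTPServer struct {
	seeds  map[string][]byte
	next   map[string]uint64
	window uint64 // how many counters ahead the server searches to resynchronise
}

func NewOTPServer(window uint64) *OTPServer {
	return &OTPServer{seeds: map[string][]byte{}, next: map[string]uint64{}, window: window}
}

// Bind records the seed shared with an account's dynamic password system.
func (s *OTPServer) Bind(account string, seed []byte) {
	s.seeds[account] = append([]byte(nil), seed...)
}

// Verify checks the user information (the account must be bound) and the
// dynamic password. A match moves the expected counter past the used value, so
// an intercepted dynamic password cannot be replayed.
func (s *OTPServer) Verify(account, code string) bool {
	seed, ok := s.seeds[account]
	if !ok {
		return false
	}
	start := s.next[account]
	for c := start; c < start+s.window; c++ {
		if hmac.Equal([]byte(generateOTP(seed, c)), []byte(code)) {
			s.next[account] = c + 1
			return true
		}
	}
	return false
}

func main() {
	seed := []byte("constructed sample seed key") // constructed; a real seed comes from Step 7
	token := &TEEToken{seed: seed}
	server := NewOTPServer(10)
	server.Bind("alice", seed)
	code, _ := token.Generate(true, true)
	fmt.Println("dynamic password:", code)
	fmt.Println("accepted:", server.Verify("alice", code), "replayed:", server.Verify("alice", code))
}
```

The server accepts a code only from the counter it expects forward to a small window and then moves the expected counter past the accepted value; that is what makes the dynamic password one-time: the same code, taken from the client-to-server request of Step B1 or B2, is refused when submitted again.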
Preferably, the dynamic password system comprises:
a secure input/output module, for securely managing and calling the input/output components, the input/output components including a screen, buttons, a fingerprint reader, a camera, Bluetooth, OTG and NFC;
a user discrimination module, for receiving instructions from the secure execution module, discriminating the user and feeding the discrimination result back to the secure execution module;
a cryptographic operation module, for receiving instructions from the secure execution module, performing the operation and sending the operation result to the secure execution module;
a secure storage module, for receiving instructions from the secure execution module, securely storing user data and transferring the user data to and from the secure execution module;
a secure execution module, for scheduling the resources of the secure input/output module, the user discrimination module, the cryptographic operation module and the secure storage module, sending instructions and receiving the related data.
A TEE-based dynamic password identity verification system comprises a configuration unit, a dynamic password generation unit and a dynamic password verification unit, characterised in that:
the configuration unit pre-configures the dynamic password system on the terminal;
the dynamic password generation unit runs on the terminal and generates a dynamic password in response to a user's request;
the dynamic password verification unit authenticates the identity of the user making the request, the authentication mode including the dynamic password;
and the dynamic password generation unit runs in the TEE.
Compared with the prior art, the method and system described herein achieve the following effects:
(1) In the TEE-based dynamic password system provided by the invention, the dynamic password generation process, the cryptographic operation process and the user discrimination process are carried out in the TEE, and the user's sensitive information (keys, identity information, biometric information and password information) is stored in the TEE by the secure storage module. This avoids the problems of the prior art, where the dynamic password generation process runs in the REE and user sensitive information is stored in the REE, giving rise to privacy leakage, theft of property and similar risks. At the same time, the terminal's input and output modules are managed and called in the TEE through the secure input/output interface, so the authentication request information is securely displayed and confirmed by the user; this avoids the risk that the input and output modules in the REE are controlled and tampered with by illegitimate applications, and ensures that the authentication procedure reflects the user's actual intent;
(2) In the TEE-based dynamic password identity verification method provided by the invention, the terminal can be any smart device having a TEE; no specific device is needed, and the method can be carried out on the smart terminals users normally carry, such as mobile phones and tablets, while the security of its use remains very high;
(3) The TEE-based dynamic password identity verification method provided by the invention is compatible with biometric discrimination and also makes use of the unique, fixed information of the human body's biometric features: without passing biometric discrimination and authentication one cannot proceed to the next step of identity authentication, and since the above process is carried out in the TEE, convenience of use is improved alongside security;
(4) With the TEE-based dynamic password identity verification method provided by the invention, there is no need to go to a counter in person to open an account and download the seed key; the method is easy to use, processing is efficient, the experience is good, compatibility with each application is high, and the safety coefficient of the whole authentication process is higher;
(5) The TEE-based dynamic password identity verification method provided by the invention needs no special tutorial: each use responds to a user request and is completed following the terminal's prompts, matching the habits of the general public. Compared with prior-art identity authentication methods it offers both a high level of security and a fit with users' habits, and is very convenient to use; it protects the user's keys, identity information, biometric information, password information and so on, improving security and privacy during use as well as convenience;
(6) In the TEE-based dynamic password identity verification method provided by the invention, the seed key update process is carried out in the TEE, so its security level can reach or even surpass that of a physical hardware dynamic token;
(7) In the TEE-based dynamic password identity verification method provided by the invention, the dynamic password system is comprehensive in function and secure in operation, combining certificate discrimination, biometric discrimination and password authentication, so that its authentication modes are more compatible, its security better and its user experience better;
(8) The TEE-based dynamic password identity verification system provided by the invention is TEE-based from the very first step, improving the safety coefficient of authentication at the process level; the seed key download process of the dynamic password system is TEE-based and the seed key is stored in the device's TEE, improving the safety coefficient of authentication at the system-setup level.
Description of the drawings
The drawings described herein are provided for further understanding of this application and form part of it; the illustrative embodiments of this application and their description serve to explain the application and do not unduly limit it. In the drawings:
Fig. 1 is a flow chart of the dynamic password generation process described in the embodiments of this application;
Fig. 2 is a flow chart of the dynamic password generation process described in the embodiments of this application;
Fig. 3 is a flow chart of the dynamic password verification process described in the embodiments of this application;
Fig. 4 is a flow chart of the dynamic password verification process described in the embodiments of this application;
Fig. 5 is a flow chart of the account creation and seed key download process of the dynamic password system described in the embodiments of this application;
Fig. 6 is a flow chart of the seed key update process of the dynamic password system described in the embodiments of this application;
Fig. 7 is a structural schematic diagram of the dynamic password system described in the embodiments of this application;
Fig. 8 is a structural schematic diagram of the terminal described in the embodiments of this application;
Fig. 9 is a structural schematic diagram of the method described in the embodiments of this application.
Detailed description of the embodiments
Certain terms are used in the specification and claims to refer to specific components. Those skilled in the art will appreciate that hardware manufacturers may refer to the same component by different names. This specification and the claims do not distinguish components by differences in name but by differences in function. The term "comprising", as used throughout the specification and claims, is open-ended and should be construed as "including but not limited to". "Substantially" means within an acceptable error range, within which those skilled in the art can solve the technical problem and essentially achieve the technical effect. In addition, the term "coupled" covers any direct or indirect electrical coupling; thus, if a first device is described as coupled to a second device, the first device may be directly electrically coupled to the second device, or indirectly electrically coupled to it through other devices or coupling means. The following description presents preferred embodiments for implementing the application; it is intended to illustrate the general principles of the application and does not limit its scope, which is defined by the appended claims.
Embodiment one:
A TEE-based dynamic password identity verification method comprises pre-configuring a dynamic password system on a terminal 2, a dynamic password generation process and a dynamic password verification process, characterised in that the terminal 2 has a TEE; the dynamic password generation process is carried out on the terminal 2 and generates a dynamic password in response to a user's request; the dynamic password verification process authenticates the identity of the user making the request, the authentication mode including the dynamic password; and the dynamic password generation process is carried out in the TEE.
The dynamic password system 1 is located in the TEE of the terminal 2. TEE is the abbreviation of Trusted Execution Environment, whose Chinese translation is "trusted execution environment". The TEE-based dynamic password identity verification method provided by the invention is an identity authentication method in which the dynamic password generation process is carried out in the TEE, avoiding the prior-art problems of privacy leakage and theft of property that arise when the dynamic password generation process runs in the REE. The terminal 2 can be any smart device having a TEE; no specific device is needed, and the method can be carried out on the smart terminals users normally carry, such as mobile phones and tablets, while the security of its use remains very high. No special tutorial is needed: each use responds to a user request and is completed following the prompts of the terminal 2, matching the habits of the general public. Compared with prior-art identity authentication methods it offers both a high level of security and a fit with users' habits, and is very convenient to use.
Embodiment two:
A kind of auth method of the dynamic password based on TEE, including terminal 2 are pre-configured with dynamic password system 1, move
State password generated process and verifying dynamic password process, which is characterized in that the terminal 2 has TEE and REE, the dynamic mouth
Generating process is enabled, is carried out in the terminal 2, dynamic password, the verifying dynamic password mistake are requested to generate for being directed to user
Identity of the journey for the user of certification request, authentication mode includes the dynamic password;Wherein, the dynamic password system 1
In the terminal 2TEE, the dynamic password generating process is carried out at TEE.
As shown in Fig. 1, the flow chart of the dynamic password generating process of the embodiment of the present application, the client is an internal application client of the terminal, and this internal application client may be located in the REE of the mobile device. The dynamic password generating process includes:
Step 1: The dynamic password system 1 securely stores the user identity information. The terminal 2 receives from the client a request to generate a dynamic password, together with a signature over the request made with the private key corresponding to the client's digital certificate, and starts the dynamic password system 1. After the dynamic password system 1 verifies that the client signature is legitimate, it sends the user of the terminal 2 a request to input the user identity information. The user inputs the information following the prompt of the system. The user identity information generally includes the user's basic identity information and biometric information; the basic identity information includes the name and the passport number, and the biometric information includes fingerprint information, facial feature information, voiceprint information and/or iris information.
The client's request includes any request from a mobile application that requires identity authentication, such as a transaction request of a mobile banking application, a transaction request of a securities application, or an operation request of a game application. The ways in which the terminal 2 receives the client's request include, but are not limited to, the following: an internal application client of the terminal 2 sends the request to the terminal; an external application client generates the request and presents it in the form of a QR code, which the terminal 2 scans to receive the request; or an external application client generates the request and the request information is entered on the terminal 2, whereby the request of the external application client is received. An internal application client of the terminal 2 is an application client whose hardware carrier is the same device as the terminal 2; an external application client is an application client whose carrier is a device other than the terminal of step 1.
Step 2: The dynamic password system 1 verifies the input information against the user identity information stored in step 1;
Step 3: When the result of the verification in step 2 is that the information is consistent, the dynamic password system 1 generates the dynamic password, and the dynamic password generating process is completed.
A terminal is a device used by an end user to communicate with a host. As shown in Fig. 7, the structural schematic diagram of the terminal 2 of the embodiment of the present application, the terminal 2 includes: an execution module 202, including an REE execution module and a TEE execution module; an output module 201, including a display unit, a sound unit and/or an indicator; an input module 203, including a screen unit, a key unit, a fingerprint information acquisition unit, a sound acquisition unit, a camera unit and/or a sensor unit; a communication module 205, including a mobile communication component, a Bluetooth component, a WIFI component, an OTG component and/or an NFC component; and a storage module 204, including a RAM component and/or a FLASH component.
The terminal 2 can be any smart device that has a TEE, and the dynamic password generating process, that is, steps 1-3 above, is carried out in the TEE. This solves the problem in the prior art that the dynamic password is easily intercepted. The identity authentication method provided here is also compatible with authentication by user identity information: the fixed biometric characteristics unique to the human body are applied as well, and identity authentication cannot proceed to the next step unless the user identity information is verified. Because the above process is carried out in the TEE, the user's keys, identity information, biometric information and password information are protected, and safety and privacy during use are improved while the method remains convenient.
Preferably, the user identity information in step 1 includes the user's basic identity information and biometric information; the basic identity information includes the name and the passport number, and the biometric information includes fingerprint information, facial feature information, voiceprint information and/or iris information.
Preferably, step 3 further includes: when the result of the verification in step 2 is that the information is consistent, the dynamic password system 1 securely displays the application request information of the client and prompts the user to confirm; after the user confirms and agrees to the request, the dynamic password system 1 generates the dynamic password, and the dynamic password generating process is completed. The dynamic password may be of time type, event type or challenge-response type. Adding a user confirmation step lets the user re-check the request information so as to avoid mistakes, and the user experience is better.
Embodiment three:
A TEE-based dynamic password authentication method, comprising: a terminal 2 pre-configured with a dynamic password system 1, a dynamic password generating process and a dynamic password verifying process, characterized in that the terminal 2 has a TEE and an REE; the dynamic password generating process is carried out in the terminal 2 and generates a dynamic password for a user request; the dynamic password verifying process verifies the identity of the user who made the authentication request, and the authentication mode includes the dynamic password; wherein the dynamic password system 1 is located in the TEE of the terminal 2, and the dynamic password generating process is carried out in the TEE.
The client is an external application client of the terminal, and the dynamic password generating process includes:
Step ①: The dynamic password system securely stores the user identity information. The terminal user starts the dynamic password system, and the dynamic password system sends the user a request to input the user identity information;
Step ②: The dynamic password system verifies the input information against the user identity information stored in step ①;
Step ③: When the result of the verification in step ② is that the information is consistent, the dynamic password system obtains the key information of the client's request to generate a dynamic password by OTG, NFC, Bluetooth, audio, sound wave, or by scanning a bar code or QR code, and then generates the dynamic password; the dynamic password generating process is completed. An external application client is an application client whose carrier is a device other than the terminal of step ①.
Preferably, step ③ further includes: when the result of the verification in step ② is that the information is consistent, the dynamic password system 1 securely displays the application request information of the client and prompts the user to confirm; after the user confirms and agrees to the request, the dynamic password system 1 generates the dynamic password, and the dynamic password generating process is completed. The dynamic password may be of time type, event type or challenge-response type.
The authentication method provided by the present application can be used with external application clients and supports diverse input modes; different input modes give users with different habits a good experience, so the method is widely applicable and convenient to use.
Embodiment four:
On the basis of the content of embodiment one, or of embodiment one together with the content of embodiment two, the client is an internal application client of the terminal. As shown in Fig. 2, the flow chart of the dynamic password verifying process of the embodiment of the present application, and in Fig. 8, the structural schematic diagram of the method of the embodiment of the present application, the dynamic password verifying process includes:
Step A1: The terminal sends the dynamic password generated in step 3 to the internal application client 5 of the terminal 2. The internal application client 5 of the terminal 2 is an application client whose hardware carrier is the same device as the terminal; the sending method is a communication mechanism between the TEE and the REE, a shared memory mechanism, or the like.
Step B1: After the internal application client 5 of the terminal 2 receives the dynamic password, it sends the request information of the client in step 1 to the server corresponding to the client application. The authentication and service back-end systems of the internal application client 5 and of the dynamic password system 1 may reside on this server.
Step C1: The server 3 receives the dynamic password of step B1 and verifies the user information and the dynamic password sent in step B1. When the check result is correct, the server 3 processes the request and returns the processing result to the internal application client 5; when the check result is an error, the dynamic password verifying process ends and the identity authentication process fails.
Step D1: The internal application client 5 receives the processing result of step C1, verifies the relevant information and displays it, and the dynamic password verifying process ends.
Embodiment five:
On the basis of the content of embodiment one, or of embodiment one together with the content of embodiment two, the client is an external application client of the terminal. As shown in Fig. 3, the flow chart of the dynamic password verifying process of the embodiment of the present application, and in Fig. 8, the structural schematic diagram of the method of the embodiment of the present application, the dynamic password verifying process includes:
Step A2: The terminal displays the dynamic password generated in step ③ for the user to read and enter into the client, or sends the dynamic password generated in step ③ to the client by OTG, NFC, Bluetooth, audio, sound wave or similar means, or displays it in the form of a bar code, QR code or the like for the external application client 4 to scan and read. The external application client 4 is an application client whose carrier is a device other than the terminal 2 of step ①.
Step B2: After the external application client 4 obtains the dynamic password, it sends the request information of step ③ to the server corresponding to the client application;
Step C2: The server receives the dynamic password of step B2 and verifies the user information and the dynamic password sent in step B2. When the check result is correct, the server 3 processes the application request and returns the processing result to the external application client 4;
Step D2: The external application client 4 receives the processing result of step C2, verifies the relevant information and displays it, and the dynamic password verifying process ends.
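The generating process of embodiments two and three (a dynamic password of time, event or challenge-response type derived from the stored seed key) and the server-side check of steps C1 and C2 are shown together in the following added example. It is illustrative code written for this page, not code from the patent or from any product implementing it: the patent names only the factor types, so the HMAC-SHA256 truncation, the 6-digit length, the 30-second time step, the look-ahead window and the `ServerRecord` type are all assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// timeStep is the width of one time window in seconds for time-type passwords
// (constructed choice: the patent does not fix a step).
const timeStep int64 = 30

// dynamicPassword derives a 6-digit one-time password from the seed key and a
// variable factor (counter, time window or challenge) with HMAC-SHA256 followed
// by dynamic truncation. This HOTP-style construction is an assumption of the
// example; the patent only names the factor types.
func dynamicPassword(seed, factor []byte) string {
	mac := hmac.New(sha256.New, seed)
	mac.Write(factor)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // low nibble selects a 4-byte window
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

func counterBytes(n uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, n)
	return b
}

// EventOTP is the event-type password: the factor is a per-use counter.
func EventOTP(seed []byte, counter uint64) string { return dynamicPassword(seed, counterBytes(counter)) }

// TimeOTP is the time-type password: the factor is the current time window.
func TimeOTP(seed []byte, unixTime int64) string {
	return dynamicPassword(seed, counterBytes(uint64(unixTime/timeStep)))
}

// ChallengeOTP is the challenge-response type: the factor is the challenge the
// server issued, e.g. the transaction details the user confirmed in the TEE.
func ChallengeOTP(seed, challenge []byte) string { return dynamicPassword(seed, challenge) }

// ServerRecord is the authentication server's per-account state (constructed).
type ServerRecord struct {
	Seed    []byte
	Counter uint64 // next event counter the server expects
}

// VerifyEvent accepts an event-type password within a look-ahead window and
// moves the counter past the matched value, so a captured password cannot be replayed.
func (r *ServerRecord) VerifyEvent(otp string, lookAhead uint64) bool {
	for i := uint64(0); i <= lookAhead; i++ {
		c := r.Counter + i
		if subtle.ConstantTimeCompare([]byte(EventOTP(r.Seed, c)), []byte(otp)) == 1 {
			r.Counter = c + 1
			return true
		}
	}
	return false
}

// VerifyTime accepts the current window or one adjacent window on either side,
// which tolerates small clock drift between the TEE and the server.
func (r *ServerRecord) VerifyTime(otp string, now int64) bool {
	for d := int64(-1); d <= 1; d++ {
		if subtle.ConstantTimeCompare([]byte(TimeOTP(r.Seed, now+d*timeStep)), []byte(otp)) == 1 {
			return true
		}
	}
	return false
}

// VerifyChallenge checks a challenge-response password against the challenge the server issued.
func (r *ServerRecord) VerifyChallenge(otp string, challenge []byte) bool {
	return subtle.ConstantTimeCompare([]byte(ChallengeOTP(r.Seed, challenge)), []byte(otp)) == 1
}

func main() {
	seed := []byte("constructed-seed-key-0123456789") // stands in for the seed stored in the TEE
	srv := &ServerRecord{Seed: seed}
	otp := EventOTP(seed, 0)
	fmt.Println("event OTP:", otp, "accepted:", srv.VerifyEvent(otp, 5), "replayed:", srv.VerifyEvent(otp, 5))
}
```

The server never sees the seed in transit in this flow; it holds its own copy from the seed download process and only compares derived passwords, which is why a captured event-type password is useless once the counter has moved past it.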
Embodiment six:
On the basis of the methods of the above embodiments and of the methods formed by combining them, as shown in Fig. 4, the flow chart of the account creation and seed key download process of the dynamic password system 1 of the embodiment of the present application, the TEE-based dynamic password authentication method further includes an account creation and seed key download process of the dynamic password system, which includes:
Step 1: The terminal is pre-configured with the TEE-based dynamic password system 1, constituting the dynamic password system. The dynamic password system 1 registers a user account; registering the user account includes inputting identity information and setting an access password, and the dynamic password system 1 securely stores the registered identity information and the access password;
Step 2: The dynamic password system 1 reads authentication data from a root-of-trust device, or requests the root-of-trust device to issue authentication data. The root-of-trust device includes, but is not limited to, a resident identity card, a citizen network electronic identity or a USB key, and the reading method includes, but is not limited to, OTG, NFC, Bluetooth, audio or sound wave.
Step 3: The dynamic password system 1 requests, via the dynamic password authentication server, that the root-of-trust system authenticate the authentication data of step 2 and the registered identity information; the root-of-trust system corresponds to the root-of-trust device of step 2;
Step 4: The root-of-trust system checks the authentication data of step 2 and verifies whether the registered identity information corresponds to the root-of-trust device, and the check result is sent to the dynamic password system via the dynamic password authentication server;
Step 5: When the check result of step 4 is that the authentication data is verified successfully and the registered identity information corresponds to the root-of-trust device, the dynamic password system generates a first random number, encrypts the first random number with the pre-stored encryption certificate public key of the dynamic password authentication server, and sends it to the dynamic password authentication server;
Step 6: The server 3 receives the first random number of step 5, binds the user account of step 1 to the dynamic password system, generates a second random number, encrypts it with the decrypted first random number and sends it to the dynamic password system 1. The encryption algorithm may be a symmetric cryptographic algorithm such as AES, SM1, SM4 or 3DES;
Step 7: The dynamic password system 1 receives the second random number, decrypts it as in step 6 and securely stores it as the seed key; the account creation and seed key download process of the dynamic password system 1 is completed;
Steps 1 to 3, step 5 and step 7 are carried out in the TEE.
Account creation is the initial step of using the system; because the process is carried out in the TEE from the initial step onward, the security factor of identity authentication is improved at the level of the flow. Because the seed key download process of the dynamic password system is also carried out in the TEE, and the seed key is stored in the TEE of the device, the security factor of identity authentication is improved at the level of the system setup. Moreover, the method does not require the user to go to a counter in person to open an account and download the seed key: it is convenient for the user, processing efficiency is high, the experience is good, compatibility with each application is high, and the security factor of the entire identity authentication process is also higher.
Preferably, as shown in Fig. 5, the flow chart of the seed key update process of the dynamic password system 1 of the embodiment of the present application, the TEE-based dynamic password authentication method further includes a seed key update process of the dynamic password system 1, which includes:
Step a: The dynamic password system 1 requests a seed update and sends the user a request to input the user identity information;
Step b: The dynamic password system 1 verifies the input information against the user identity information stored in step 1; when the check result is consistent, it sends the user a request to use the root-of-trust device;
Step c: The dynamic password system 1 reads the authentication data of the root-of-trust device or requests the root-of-trust device to issue authentication data. When the root-of-trust device authorizes the reading or issuing of the relevant authentication data, the dynamic password system 1 requests, via the dynamic password authentication server, that the root-of-trust system authenticate the registered identity information and the authentication data; the root-of-trust system corresponds to the root-of-trust device of step b;
Step d: The root-of-trust system checks the authentication data of step c and verifies whether the registered identity information corresponds to the root-of-trust device, and the check result is sent to the dynamic password system 1 via the dynamic password authentication server;
Step e: When the check result of step d is that the authentication data is verified successfully and the registered identity information corresponds to the root-of-trust device, the dynamic password system 1 generates a third random number, encrypts the third random number with the pre-stored encryption certificate public key of the dynamic password authentication server, and sends it to the dynamic password authentication server;
Step f: The server 3 binds the user account of step a to the dynamic password system 1, generates a fourth random number, encrypts it with the decrypted third random number and sends it to the dynamic password system 1. The encryption algorithm may be a symmetric cryptographic algorithm such as AES, SM1, SM4 or 3DES;
Step g: The dynamic password system 1 receives the fourth random number, decrypts it as in step f, securely stores it as the new seed key and deletes the old seed key; the seed key update process of the dynamic password system 1 is completed;
Steps a to c, step e and step g are carried out in the TEE. The seed key update is dynamic, unlike the physical products of the prior art, which are updated only once, after manufacture, while in the user's hands; the seed key of the present invention is updated dynamically and can be updated repeatedly. An update means that the current seed key differs from the original seed key. Even if an earlier seed key is stolen, what is stolen is the original seed key, and the seed key now in use remains unknown, so the seed data is always secret. Furthermore, in the TEE-based dynamic password authentication method provided by the present invention, the seed key update process is carried out in the TEE, so the security level can reach or even exceed that of a physical hardware dynamic token.
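The random-number exchange of steps 5 to 7 of the account creation process and of steps e to g of the update process above is the same two-message protocol, so one added example serves both. It is illustrative code written for this page, not the patent's own implementation: the root-of-trust checks of steps 1 to 4 (and a to d) are assumed to have already succeeded, RSA-OAEP stands in for the "encryption certificate public key" operation and AES-256-GCM for the symmetric algorithm (the patent lists AES, SM1, SM4 and 3DES without fixing modes), and the `AuthServer`, `TEEClient` and `Provision` names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AuthServer models the dynamic password authentication server 3 (constructed).
type AuthServer struct {
	certKey *rsa.PrivateKey   // private key of the server's encryption certificate
	seeds   map[string][]byte // account -> seed key bound to the user's dynamic password system
}

// TEEClient models the dynamic password system 1 running inside the TEE (constructed).
type TEEClient struct {
	serverPub *rsa.PublicKey // the pre-stored encryption certificate public key
	seed      []byte         // securely stored seed key; nil before account creation
}

func NewAuthServer() (*AuthServer, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &AuthServer{certKey: k, seeds: map[string][]byte{}}, nil
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// ClientHello is step 5 / step e: the TEE generates random number R1 and encrypts
// it to the server's certificate public key. R1 never leaves the TEE in clear.
func (c *TEEClient) ClientHello() (r1, encR1 []byte, err error) {
	if r1, err = randomBytes(32); err != nil {
		return nil, nil, err
	}
	encR1, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, c.serverPub, r1, []byte("seed-download"))
	return r1, encR1, err
}

// IssueSeed is step 6 / step f: the server recovers R1, binds the account, draws
// random number R2 and returns it encrypted under R1 with AES-256-GCM.
func (s *AuthServer) IssueSeed(account string, encR1 []byte) ([]byte, error) {
	r1, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.certKey, encR1, []byte("seed-download"))
	if err != nil {
		return nil, err
	}
	r2, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	s.seeds[account] = r2 // a repeat call for the same account is the seed update
	return sealWithKey(r1, r2)
}

func sealWithKey(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

func openWithKey(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// InstallSeed is step 7 / step g: the TEE decrypts R2 with R1 and stores it as
// the seed key; on an update the old seed is overwritten (the patent's "deleted").
func (c *TEEClient) InstallSeed(r1, encR2 []byte) error {
	r2, err := openWithKey(r1, encR2)
	if err != nil {
		return err // a tampered or mis-keyed message fails the GCM tag check
	}
	c.seed = r2
	return nil
}

// Provision runs the exchange end to end; a second call for the same account is the update.
func Provision(c *TEEClient, s *AuthServer, account string) error {
	r1, encR1, err := c.ClientHello()
	if err != nil {
		return err
	}
	encR2, err := s.IssueSeed(account, encR1)
	if err != nil {
		return err
	}
	return c.InstallSeed(r1, encR2)
}

// SeedsMatch reports whether the TEE and the server hold the same seed for the account.
func SeedsMatch(c *TEEClient, s *AuthServer, account string) bool {
	return c.seed != nil && bytes.Equal(c.seed, s.seeds[account])
}

func main() {
	srv, err := NewAuthServer()
	if err != nil {
		panic(err)
	}
	cli := &TEEClient{serverPub: &srv.certKey.PublicKey}
	if err := Provision(cli, srv, "user-constructed"); err != nil {
		panic(err)
	}
	first := append([]byte(nil), cli.seed...)
	if err := Provision(cli, srv, "user-constructed"); err != nil { // seed update
		panic(err)
	}
	fmt.Println("seeds match:", SeedsMatch(cli, srv, "user-constructed"), "rotated:", !bytes.Equal(first, cli.seed))
}
```

Two properties of the exchange are worth checking in any real implementation: the second message is authenticated (here by the GCM tag), so a modified seed cannot be installed silently, and the TEE rather than the server chooses R1, so an attacker who only observes the channel learns neither random number.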
Embodiment seven:
As shown in Fig. 6, the structural schematic diagram of the dynamic password system 1 of the embodiment of the present application, the dynamic password system 1 includes: a secure storage module 104, a secure input/output module 101, a user identification module 105, a cryptographic operation module 103 and a secure execution module 102. The user identification module 105, the cryptographic operation module 103, the secure input/output module 101 and the secure storage module 104 are each connected to the secure execution module 102, and the secure input/output module 101, the secure execution module 102 and the secure storage module 104 are connected to the TEE execution module of the terminal device 2.
The user identification module 105 is configured to receive instructions from the secure execution module 102, identify the user, and feed the identification result back to the secure execution module 102;
The cryptographic operation module 103 is configured to receive instructions from the secure execution module 102, perform the operation, and send the operation result to the secure execution module 102;
The secure storage module 104 is configured to receive instructions from the secure execution module 102, securely store user data, and exchange the user data with the secure execution module 102;
The secure execution module 102 is configured to schedule the resources of the secure input/output module 101, the user identification module 105, the cryptographic operation module 103 and the secure storage module 104, to send instructions and to receive the related data;
The secure input/output module 101, the secure execution module 102 and the secure storage module 104 are connected to the TEE module of the terminal device 2.
The secure input/output module securely manages and calls the output module, the input module and/or the communication module;
The secure storage module securely manages and calls the storage module.
Preferably, the user identification module 105 includes a password identification unit, a fingerprint information identification unit, a facial feature information identification unit, a voiceprint identification unit and/or an iris information identification unit; that is, the user identification module 105 includes any one, or any combination, of the following units: a password identification unit, a fingerprint information identification unit, a facial feature information identification unit, a voiceprint identification unit and an iris information identification unit.
Preferably, the output module 201 includes a display unit, a voice unit and/or an indicating unit; the input module 203 includes a screen unit, a key unit, a fingerprint information acquisition unit, a sound acquisition unit, a camera unit and/or a sensor unit.
Preferably, the cryptographic operation module 103 includes an asymmetric cryptographic operation unit, a symmetric cryptographic operation unit, a time-type dynamic password operation unit, an event-type dynamic password operation unit and/or a challenge-response-type dynamic password operation unit; that is, the cryptographic operation module 103 includes any one, or any combination, of the following units: an asymmetric cryptographic operation unit, a symmetric cryptographic operation unit, a time-type dynamic password operation unit, an event-type dynamic password operation unit and a challenge-response-type dynamic password operation unit.
Preferably, the user data includes: user basic information, user identification information, a digital certificate, a seed, a key and/or a character library; that is, the user data includes any one, or any combination, of the following information: user basic information, user identification information, a digital certificate, a seed, a key and a character library.
The dynamic password system 1 is comprehensive in function and secure in operation, combining certificate identification, biometric identification, password identification and other modes, so that its identity authentication modes are more compatible, its security performance is better and the user experience is better.
Embodiment eight:
A TEE-based dynamic password authentication system, comprising a configuration unit, a dynamic password generation unit and a dynamic password authentication unit, characterized in that:
The configuration unit is configured to pre-configure the dynamic password system 1 in the terminal 2;
The dynamic password generation unit runs in the terminal and generates a dynamic password for a user request, the authentication mode including the dynamic password; specifically, it generates the dynamic password for the user request from the seed key and a variable factor such as time, an event or a challenge-response; wherein the dynamic password system is located in the TEE of the terminal, and the dynamic password generation unit runs in the TEE.
Preferably, the dynamic password generation unit includes:
A signal dispatch module: configured so that the dynamic password system securely stores the user identity information and, when the terminal 2 receives a request from the client, starts the dynamic password system 1, which sends the user of the terminal 2 a request to input the user identity information;
An information checking module: configured so that, when the user inputs the user identity information, the dynamic password system verifies the input information against the user identity information stored in the dynamic password system 1, or, when a client request and its signature are received, verifies the legitimacy of the client;
A password generation module: configured so that, when the result of the verification in step 2 is that the information is consistent, the dynamic password system 1 generates the dynamic password, and the dynamic password generating process is completed.
Preferably, the system may further include a seed key download and update unit, used for identity verification of the terminal user, account registration, and the download and update of the dynamic password seed key;
The TEE-based dynamic password authentication system 1 provided by the present invention meets the usage habits of the general public; compared with identity authentication methods in the prior art, it combines a high level of security with the user's existing habits and is very convenient to use. It protects the user's keys, identity information, biometric information and password information, and improves safety and privacy during use while remaining convenient.
From the above embodiments it can be seen that the advantageous effects of the present application are:
(1) In the TEE-based dynamic password system provided by the present invention, the dynamic password generating process, the cryptographic operation process and the user identification process are carried out in the TEE, and the user's sensitive information, such as keys, identity information, biometric information and password information, is stored in the TEE by the secure storage module. This avoids the problems of the prior art, where the dynamic password generating process runs in the REE and the user's sensitive information is stored in the REE, with the attendant risks of privacy leakage and theft of property. At the same time, in the TEE environment the input module and output module of the terminal are managed and called through the secure input/output interface, the identity authentication request information is displayed securely and confirmed by the user, and the risk that input and output modules in the REE are controlled and tampered with by illegitimate applications is avoided, ensuring that the identity authentication process reflects the user's real intentions;
(2) In the TEE-based dynamic password authentication method provided by the present invention, the terminal can be any smart device that has a TEE; no specific device is required, and the method can be carried out on a portable intelligent terminal that the user usually carries, such as a mobile phone or a tablet computer, while the security of use remains equally high;
(3) The TEE-based dynamic password authentication method provided by the present invention is compatible with biometric identification; the fixed information unique to the human body's biometric characteristics is applied as well, identity authentication cannot proceed to the next step unless biometric identification succeeds, and the above process is carried out in the TEE, which improves convenience of use while keeping use safe;
(4) The TEE-based dynamic password authentication method provided by the present invention does not require the user to go to a counter in person to open an account and download the seed key; it is convenient for the user, processing efficiency is high, the experience is good, compatibility with each application is high, and the security factor of the entire identity authentication process is also higher;
(5) The TEE-based dynamic password authentication method provided by the present invention needs no special training: every step is a response to a user request and is completed by following the terminal's prompts, which matches the usage habits of the general public. Compared with identity authentication methods in the prior art, it combines a high level of security with the user's existing habits and is very convenient to use; it protects the user's keys, identity information, biometric information and password information, and improves safety and privacy during use while remaining convenient;
(6) In the TEE-based dynamic password authentication method provided by the present invention, the seed key update process is carried out in the TEE, and the security level can reach or even exceed that of a physical hardware dynamic token;
(7) In the TEE-based dynamic password authentication method provided by the present invention, the dynamic password system is comprehensive in function and secure in operation, combining certificate identification, biometric identification, password identification and other modes, so that its identity authentication modes are more compatible, its security performance is better and the user experience is better;
(8) In the TEE-based dynamic password authentication system provided by the present invention, the process is carried out in the TEE from the initial step onward, which improves the security factor of identity authentication at the level of the flow; the seed key download process of the dynamic password system is carried out in the TEE and the seed key is stored in the TEE of the device, which improves the security factor of identity authentication at the level of the system setup.
Of course, the technical solutions protected by the present invention need not achieve all of the above advantageous effects at the same time, and whether a single solution achieves all of the above advantageous effects at the same time does not limit the scope of the invention.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, an apparatus or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, CD-ROM and optical memory) that contain computer-usable program code.
The above description has shown and described several preferred embodiments of the present application, but, as stated above, it should be understood that the present application is not limited to the forms disclosed herein, is not to be taken as excluding other embodiments, and may be used in various other combinations, modifications and environments, and may be modified within the scope of the inventive concept set forth herein through the above teachings or through the skill or knowledge of the related art. Changes and modifications made by those skilled in the art that do not depart from the spirit and scope of the present application shall all fall within the protection scope of the claims appended to the present application.
Claims (9)
1. A TEE-based dynamic password authentication method, comprising: a terminal pre-configured with a dynamic password system, a dynamic password generating process and a dynamic password verifying process, characterized in that it further includes an account creation and seed key download process of the dynamic password system; the terminal has a TEE, the dynamic password generating process is carried out in the terminal and generates a dynamic password for a user request, the dynamic password verifying process verifies the identity of the user who made the authentication request, and the authentication mode includes the dynamic password; wherein the dynamic password generating process is carried out in the TEE;
the account creation and seed key download process includes:
Step 1: the terminal is pre-configured with the TEE-based dynamic password system, constituting the dynamic password system; a user account is registered in the dynamic password system, registering the user account including inputting identity information and setting an access password, and the dynamic password system securely stores the registered identity information and the access password;
Step 2: the dynamic password system reads authentication data from a root-of-trust device or requests the root-of-trust device to issue authentication data;
Step 3: the dynamic password system requests, via a dynamic password authentication server, that a root-of-trust system authenticate the authentication data of step 2 and the registered identity information, the root-of-trust system corresponding to the root-of-trust device of step 2;
Step 4: the root-of-trust system checks the authentication data of step 2 and verifies whether the registered identity information corresponds to the root-of-trust device, and the check result is sent to the dynamic password system via the dynamic password authentication server;
Step 5: when the check result of step 4 is that the authentication data is verified successfully and the registered identity information corresponds to the root-of-trust device, the dynamic password system generates a first random number, encrypts the first random number with the pre-stored encryption certificate public key of the dynamic password authentication server, and sends it to the dynamic password authentication server;
Step 6: the server receives the first random number of step 5, binds the user account of step 1 to the dynamic password system, generates a second random number, encrypts it with the decrypted first random number and sends it to the dynamic password system;
Step 7: the dynamic password system receives the second random number, decrypts it as in step 6 and securely stores it as the seed key; the account creation and seed key download process of the dynamic password system is completed;
steps 1 to 3, step 5 and step 7 are carried out in the TEE.
2. The method according to claim 1, characterized in that it further comprises a client, the client being an application client inside the terminal, and the dynamic password generation process comprises:
Step 1: The dynamic password system securely stores the user identity information; the terminal receives an application request from the client, the application request sending a request to generate a dynamic password together with a signature over the request made with the private key corresponding to the client's digital certificate; the dynamic password system is started, and after the dynamic password system checks that the client signature is valid, it sends the terminal user a request to enter the user identity information;
Step 2: The dynamic password system checks the entered information against the user identity information stored in step 1;
Step 3: When the check result of step 2 is that the information matches, the dynamic password system generates a dynamic password, and the dynamic password generation process is complete.
3. The method according to claim 1, characterized in that it further comprises a client, the client being an application client outside the terminal, where such an application client is one whose carrier is a device other than the application client inside the terminal; the dynamic password generation process comprises:
Step ①: The dynamic password system securely stores the user identity information; when the dynamic password system is started, it sends the user a request to enter the user identity information;
Step ②: The dynamic password system checks the entered information against the user identity information stored in step ①;
Step ③: When the check result of step ② is that the information matches, the dynamic password system obtains the information of the client's request to generate a dynamic password via OTG, NFC, Bluetooth, audio, sound wave, user input, or by scanning a bar code or QR code, generates the dynamic password, and the dynamic password generation process is complete.
4. The method according to claim 2, characterized in that the client is an application client inside the terminal, and the dynamic password verification process comprises:
Step A1: The dynamic password system sends the dynamic password generated in step 3 to the application client inside the terminal;
Step B1: After the application client inside the terminal receives the dynamic password, it forwards the request information of step 1 to the server corresponding to the client application;
Step C1: The server of step B1 receives the dynamic password, and verifies the user information and the dynamic password sent in step B1; when the check result is correct, the server processes the application request and returns the processing result to the application client inside the terminal;
Step D1: The application client inside the terminal receives the processing result of step C1, verifies the relevant information and displays it; the dynamic password verification process is complete.
5. The method according to claim 3, characterized in that the client is an application client outside the terminal, where such an application client is one whose carrier is a device other than the application client inside the terminal, and the dynamic password verification process comprises:
Step A2: The terminal displays the dynamic password generated in step ③ for the user to read and enter into the client, or sends the dynamic password to the client via OTG, NFC, Bluetooth, audio or sound wave, or displays it as a bar code or QR code for the application client to scan and read;
Step B2: After the application client obtains the dynamic password, it sends the request information of step ③ to the server corresponding to the client application;
Step C2: The server of step B2 receives the dynamic password of step B2, and verifies the user information and the dynamic password sent in step B2; when the check result is correct, the server processes the application request and returns the processing result to the application client;
Step D2: The application client receives the processing result of step C2, verifies the relevant information and displays it; the dynamic password verification process is complete.
6. The method according to claim 2 or 4, characterized in that it further comprises a seed key update process of the dynamic password system, comprising:
Step a: The dynamic password system requests a seed update and sends the user a request to enter the user identity information;
Step b: The dynamic password system checks the entered information against the user identity information stored in step 1; when the check result is a match, it sends the user a request to use the root-of-trust device;
Step c: The dynamic password system reads the authentication data of the root-of-trust device, or requests the root-of-trust device to issue authentication data; when the root-of-trust device authorizes reading or issuing the relevant authentication data, the dynamic password system requests, via the dynamic password authentication server, that the root-of-trust system verify the registration identity information and the authentication data; the root-of-trust system corresponds to the root-of-trust device of step b;
Step d: The root-of-trust system checks the authentication data of step c and verifies whether the registration identity information corresponds to the root-of-trust device; the check result is sent to the dynamic password system via the dynamic password authentication server;
Step e: When the check result of step d is that the authentication data is verified successfully and the registration identity information corresponds to the root-of-trust device, the dynamic password system generates a third random number, encrypts it with the pre-stored encryption certificate public key of the dynamic password authentication server, and sends it to the dynamic password authentication server;
Step f: The server binds the user account of step a to the dynamic password system, generates a fourth random number, encrypts it with the decrypted third random number, and sends it to the dynamic password system;
Step g: The dynamic password system receives the fourth random number decrypted from step f, securely stores it as the new seed key and deletes the old seed key; the seed key update process of the dynamic password system is complete;
Steps a to c, step e and step g are carried out in the TEE.
7. The method according to claim 2 or 4, characterized in that the user identity information in step 1 comprises basic user identity information and biometric information, the basic identity information comprising a name and an identity document number, and the biometric information comprising fingerprint information, facial feature information, voiceprint information and/or iris information;
Step 3 further comprises: when the check result of step 2 is that the information matches, the dynamic password system securely displays the application request message of the client and prompts the user to confirm; after the user confirms agreement to the request, the dynamic password system generates the dynamic password, and the dynamic password generation process is complete;
Step ③ further comprises: when the check result of step ② is that the information matches, the dynamic password system securely displays the application request message of the client and prompts the user to confirm; after the user confirms agreement to the request, the dynamic password system generates the dynamic password, and the dynamic password generation process is complete.
8. The method according to claim 7, characterized in that the dynamic password system comprises:
a secure input/output module, for securely managing and invoking the input/output components, the input/output components including a screen, buttons, a fingerprint reader, a camera, Bluetooth, OTG and NFC;
a user identification module, for receiving instructions from the secure execution module, identifying the user, and feeding the identification result back to the secure execution module;
a cryptographic operation module, for receiving instructions from the secure execution module, performing the operation, and sending the operation result to the secure execution module;
a secure storage module, for receiving instructions from the secure execution module, securely storing user data, and transferring the user data to and from the secure execution module;
a secure execution module, for scheduling the resources of the secure input/output module, the user identification module, the cryptographic operation module and the secure storage module, sending instructions and receiving the related data.
9. A TEE-based dynamic password identity authentication system, comprising a configuration unit, a dynamic password generation unit and a dynamic password verification unit, characterized in that:
the configuration unit is for pre-configuring a dynamic password system on a terminal;
the dynamic password generation unit operates in the terminal and generates a dynamic password in response to a user request;
the dynamic password verification unit authenticates the identity of the user making the request, the authentication means including the dynamic password;
wherein the dynamic password generation unit runs in the TEE;
the TEE-based dynamic password identity authentication system uses the TEE-based dynamic password identity authentication method of any one of claims 1 to 8.
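The account-creation exchange of claim 1 (steps 5 to 7) and the seed-update exchange of claim 6 (steps e to g) have the same shape: the TEE side wraps a fresh random number under the server's certificate public key, the server answers with a second random number encrypted under the first, and that second number becomes the seed key. The Python below models that exchange with both parties' messages and the seed's later use; it is an added example, not the patent's or any product's code, and because the claims name no algorithms, the toy RSA stand-in, the HMAC-based wrapping, the HOTP output and all names (DynamicPasswordSystem, AuthServer, step5/step6/step7) are assumptions of this example.

```python
"""Claim 1, steps 5-7: seed-key download, then HOTP use of the seed. Constructed
example, not the patent's code. Assumptions not in the claims: the server key is
textbook RSA over fixed Mersenne primes (TOY ONLY; real systems use RSA-OAEP or
ECIES); R2 is wrapped under R1 by HMAC-SHA256 encrypt-then-MAC; OTP is RFC 4226."""
import hashlib, hmac, secrets, struct

_P, _Q = (1 << 61) - 1, (1 << 89) - 1          # toy RSA primes (assumption)
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
SERVER_PUB = (_N, _E)                          # pre-stored in the TEE app

def pk_encrypt(pub, data):                     # step 5: wrap R1 (16 bytes < N)
    n, e = pub
    return pow(int.from_bytes(data, "big"), e, n)

def pk_decrypt(ciphertext, nbytes):
    return pow(ciphertext, _D, _N).to_bytes(nbytes, "big")

def sym_encrypt(key, plaintext, nonce):        # step 6: R2 under R1, then tag
    ks = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def sym_decrypt(key, blob):                    # step 7: verify tag before use
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("seed blob failed integrity check")
    ks = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, ks))

def hotp(seed, counter, digits=6):             # RFC 4226 (assumed OTP scheme)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class DynamicPasswordSystem:                   # TEE-side party
    def __init__(self):
        self.r1 = self.seed = None
    def step5(self):
        self.r1 = secrets.token_bytes(16)      # first random number
        return pk_encrypt(SERVER_PUB, self.r1)
    def step7(self, blob):
        self.seed = sym_decrypt(self.r1, blob) # second random number = seed key
        self.r1 = None                         # R1 is not needed after this

class AuthServer:                              # dynamic password authentication server
    def __init__(self):
        self.seeds = {}
    def step6(self, account, enc_r1):
        r1 = pk_decrypt(enc_r1, 16)
        r2 = secrets.token_bytes(32)           # second random number
        self.seeds[account] = r2               # bind account to the seed
        return sym_encrypt(r1, r2, secrets.token_bytes(16))
    def verify(self, account, counter, otp):
        return hmac.compare_digest(hotp(self.seeds[account], counter), otp)

def provision_and_authenticate(account="user1"):
    """Run steps 5-7, then show both sides derive the same dynamic password."""
    tee, srv = DynamicPasswordSystem(), AuthServer()
    tee.step7(srv.step6(account, tee.step5()))
    return tee.seed == srv.seeds[account] and srv.verify(account, 1, hotp(tee.seed, 1))

def tampered_blob_rejected():
    """Flip one ciphertext byte in transit: step 7 must not install the seed."""
    tee, srv = DynamicPasswordSystem(), AuthServer()
    blob = bytearray(srv.step6("user1", tee.step5()))
    blob[20] ^= 0x01
    try:
        tee.step7(bytes(blob))
    except ValueError:
        return tee.seed is None
    return False
```

The integrity tag is what makes step 7 safe to run inside the TEE: without it, a modified blob would silently install a seed the server does not hold.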
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811032412.8A CN108809659B (en) | 2015-12-01 | 2015-12-01 | Dynamic password generation method, dynamic password verification method, dynamic password system and dynamic password verification system |
CN201510862528.4A CN105516104B (en) | 2015-12-01 | 2015-12-01 | A kind of auth method and system of the dynamic password based on TEE |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510862528.4A CN105516104B (en) | 2015-12-01 | 2015-12-01 | A kind of auth method and system of the dynamic password based on TEE |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811032412.8A Division CN108809659B (en) | 2015-12-01 | 2015-12-01 | Dynamic password generation method, dynamic password verification method, dynamic password system and dynamic password verification system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105516104A (en) | 2016-04-20 |
CN105516104B (en) | 2018-10-26 |
Family ID: 55723742
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811032412.8A Active CN108809659B (en) | 2015-12-01 | 2015-12-01 | Dynamic password generation method, dynamic password verification method, dynamic password system and dynamic password verification system |
CN201510862528.4A Active CN105516104B (en) | 2015-12-01 | 2015-12-01 | A kind of auth method and system of the dynamic password based on TEE |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811032412.8A Active CN108809659B (en) | 2015-12-01 | 2015-12-01 | Dynamic password generation method, dynamic password verification method, dynamic password system and dynamic password verification system |
Country Status (1)
Country | Link |
---|---|
CN (2) | CN108809659B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN108809659B (en) | 2022-01-18 |
CN105516104A (en) | 2016-04-20 |
CN108809659A (en) | 2018-11-13 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||