CN105827656A - Identity authentication method based on NFC payment and device - Google Patents


Publication number: CN105827656A
Authority: CN (China)
Prior art keywords: key, payment gateway, hash, hash key, nfc
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201610367636.9A
Other languages: Chinese (zh)
Other versions: CN105827656B (en
Inventor: 汤镇辉, 牛溢华
Current Assignee: Yulong Computer Telecommunication Scientific Shenzhen Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Yulong Computer Telecommunication Scientific Shenzhen Co Ltd

Classifications

    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • G06Q20/3278 RFID or NFC payments by means of M-devices
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3825 Use of electronic signatures
    • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management
    • G06Q20/4014 Identity check for transactions
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Abstract

An embodiment of the invention discloses an identity authentication method based on NFC payment. The method comprises: generating and caching a first key, and sending an identity authentication request containing the first key to a payment gateway; receiving a second key returned by the payment gateway, and generating a first hash key according to a preset hash algorithm, taking the first key and the second key as input; sending the first hash key to the payment gateway, which verifies the first hash key and determines from the verification result whether identity authentication passes; and receiving an identity authentication response returned by the payment gateway. The invention further discloses a user identity authentication device based on NFC payment. The method improves payment security when a user uses the NFC function of a mobile terminal.

Description

Identity authentication method and device based on NFC payment
Technical field
The present invention relates to the field of computer technology, and in particular to an identity authentication method and device based on NFC payment.
Background
NFC (Near Field Communication) is a short-range, high-frequency wireless communication technology. With the spread of mobile consumer electronics such as smartphones, NFC systems, which have low energy consumption and fast data transmission, are widely used in fields such as mobile payment, electronic identity authentication and electronic ticketing. A user can make mobile payments with a mobile device that has an NFC function (i.e. has an NFC module), such as a mobile phone or smart watch.
When NFC is used for mobile payment (for example, payment by mobile phone), the mobile electronic device generally does not need to access the network. It communicates locally over the NFC radio-frequency channel with a charging terminal device, such as a POS (point of sale) device or vending machine, and the charging terminal device exchanges information with the network side to complete the purchase.
However, the NFC-based payment method described above does not verify, during payment, the user's identity or whether the current transaction scenario is secure. If a virus is present on the cash receiving terminal, the user's account may be fraudulently charged without the user's knowledge. That is, the NFC-based mobile payment method described above has the technical problem of insufficient security.
Summary of the invention
On this basis, to solve the technical problem that NFC-based mobile payment in the conventional art is insufficiently secure because the transaction environment is not security-verified during payment, an identity authentication method based on NFC payment is proposed.
An identity authentication method based on NFC payment, comprising:
Generating a first key and caching it, and sending an identity authentication request to a payment gateway, the identity authentication request carrying the first key;
Receiving a second key returned by the payment gateway, and generating a first hash key according to a preset hash algorithm with the first key and the second key as input;
Sending the first hash key to the payment gateway, the payment gateway verifying the first hash key and determining whether the identity authentication passes according to whether the first hash key passes verification;
Receiving the identity authentication response returned by the payment gateway.
Optionally, in one embodiment, the identity authentication request also carries the timestamp at which the request was sent; the payment gateway further judges from the timestamp whether the identity authentication request has timed out, and returns the second key if it has not timed out.
Optionally, in one embodiment, the verification of the first hash key by the payment gateway is specifically: the payment gateway generates a second hash key according to the preset hash algorithm with the second key and the first key as input, and judges whether the first hash key matches the second hash key; if so, the first hash key is judged to pass verification.
Optionally, in one embodiment, after receiving the identity authentication response returned by the payment gateway, the method further comprises:
When identity authentication succeeds, generating a transaction request and sending it to the payment gateway;
Receiving the encrypted first transaction information returned by the payment gateway and decrypting it, to obtain the decrypted second transaction information;
Encrypting the second transaction information according to a preset AES to obtain a cryptographic digest;
Sending the cryptographic digest to the payment gateway, the payment gateway judging whether the cryptographic digest passes security verification and, if so, executing the transaction corresponding to the transaction request;
Receiving the transaction request response returned by the payment gateway.
Optionally, in one embodiment, encrypting the second transaction information according to the preset AES to obtain the cryptographic digest is specifically:
Generating a third hash key according to a preset hash algorithm with the first hash key and the second transaction information as input;
Digitally signing the third hash key according to a preset digital signature algorithm and a third key;
Encrypting the digitally signed third hash key according to a preset RSA (Rivest, Shamir, Adleman) algorithm and a fourth key, and taking the encrypted result as the cryptographic digest.
In addition, to solve the technical problem that NFC-based mobile payment in the conventional art is insufficiently secure because the transaction environment is not security-verified during payment, a user identity authentication device based on NFC payment is also proposed.
A user identity authentication device based on NFC payment, comprising:
An identity authentication request sending module, configured to generate a first key and cache it, and to send an identity authentication request to a payment gateway, the identity authentication request carrying the first key;
A first hash key generation module, configured to receive a second key returned by the payment gateway, and to generate a first hash key according to a preset hash algorithm with the first key and the second key as input;
A first hash key matching module, configured to send the first hash key to the payment gateway, the payment gateway verifying the first hash key and determining whether the identity authentication passes according to whether the first hash key passes verification;
An identity authentication result receiving module, configured to receive the identity authentication response returned by the payment gateway.
Optionally, in one embodiment, the identity authentication request also carries the timestamp at which the request was sent; the payment gateway further judges from the timestamp whether the identity authentication request has timed out, and returns the second key if it has not timed out.
Optionally, in one embodiment, the payment gateway generates a second hash key according to the preset hash algorithm with the second key and the first key as input, and judges whether the first hash key matches the second hash key; if so, the first hash key is judged to pass verification.
Optionally, in one embodiment, the device further comprises:
A transaction request generation module, configured to generate a transaction request and send it to the payment gateway when identity authentication succeeds;
A transaction information acquisition module, configured to receive the encrypted first transaction information returned by the payment gateway and decrypt it, to obtain the decrypted second transaction information;
A cryptographic digest acquisition module, configured to encrypt the second transaction information according to a preset AES to obtain a cryptographic digest;
A cryptographic digest sending module, configured to send the cryptographic digest to the payment gateway, the payment gateway judging whether the cryptographic digest passes security verification and, if so, executing the transaction corresponding to the transaction request;
A transaction request response receiving module, configured to receive the transaction request response returned by the payment gateway.
Optionally, in one embodiment, the cryptographic digest acquisition module is further configured to generate a third hash key according to a preset hash algorithm with the first hash key and the second transaction information as input; to digitally sign the third hash key according to a preset digital signature algorithm and a third key; and to encrypt the digitally signed third hash key according to a preset RSA (Rivest, Shamir, Adleman) algorithm and a fourth key, taking the encrypted result as the cryptographic digest.
Implementing the embodiments of the present invention has the following beneficial effects:
With the above identity authentication method and device based on NFC payment, when a user makes an NFC payment with a mobile terminal, verifying the user's identity ensures the legitimacy of the user's identity during payment, improves the security of NFC-based mobile payment, protects the user's funds, and improves the user experience.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Wherein:
Fig. 1 is a flow diagram of an identity authentication method based on NFC payment in one embodiment;
Fig. 2 is an interaction diagram of identity authentication based on NFC payment in one embodiment;
Fig. 3 is a flow diagram of a transaction environment security verification method based on NFC payment in one embodiment;
Fig. 4 is an interaction diagram of transaction environment security verification based on NFC payment in one embodiment;
Fig. 5 is a structural diagram of a user identity authentication device based on NFC payment in one embodiment;
Fig. 6 is a structural diagram of a computer device that runs the aforementioned identity authentication method based on NFC payment in one embodiment.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To solve the technical problem that NFC-based mobile payment in the conventional art is insufficiently secure because the transaction environment is not security-verified during payment, this embodiment proposes an identity authentication method based on NFC payment. The method may be implemented by a computer program, which can run on a computer system based on the von Neumann architecture; the computer program may be an NFC-based mobile payment application. The computer system may be a terminal device, such as a smartphone or tablet computer, that runs the above computer program.
It should be noted that, in this embodiment, the terminal device is a terminal with an integrated NFC module, that is, a terminal with an NFC function, and the user can use the NFC function of the terminal to make mobile payments. Specifically, NFC (Near Field Communication) is a short-range, high-frequency wireless communication technology; a user can make mobile payments with a mobile device that has an NFC function (i.e. has an NFC module), such as a mobile phone or smart watch. When NFC is used for mobile payment (for example, payment by mobile phone), the mobile electronic device generally does not need to access the network. It communicates locally over the NFC radio-frequency channel with a charging terminal device, such as a POS (point of sale) device or vending machine, and the charging terminal device exchanges information with the payment gateway to complete the purchase.
That is, the mobile terminal exchanges information with the payment gateway through the charging terminal. In this embodiment, information exchange between the mobile terminal and the payment gateway (for example, the mobile terminal sending a payment request to the payment gateway) means that the mobile terminal sends the message to the charging terminal over NFC, and the charging terminal forwards the received message to the payment gateway. For example, when the mobile terminal sends a payment request, it sends the payment request to the charging terminal over NFC; after receiving it, the charging terminal sends the payment request to the payment gateway, so that the payment request sent by the mobile terminal is received by the payment gateway.
It should be noted that, in this embodiment, the mobile terminal may be a terminal device with an integrated eSIM card, i.e. the SIM in the terminal is an eSIM card. Compared with the SIM (Subscriber Identity Module) commonly used in mobile terminals in the conventional art, an eSIM card embeds the traditional SIM card directly in the device chip rather than adding it to the device as a separate removable part. That is, the eSIM card can be integrated into the mobile phone and cannot be removed by the user. When using an eSIM card, however, the user's identity module lets the user choose an operator as needed and switch freely at any time. This lets users choose operator plans more flexibly, or buy a new device and change operator at any time without unlocking the device, which lowers the cost of mobile device use for ordinary consumers and enterprise users and brings more convenience and security. That is, in this embodiment, the encryption and decryption functions needed in the NFC payment process can be stored in the secure storage area of the eSIM card, using the eSIM's secure encryption mechanism to further improve the security of the NFC payment process.
Of course, the NFC payment process of the present invention can also be completed on a mobile terminal based on a traditional SIM card; the security mechanism of the eSIM card merely differs from that of the traditional SIM, and a mobile terminal with an eSIM card can be more secure than one with a traditional SIM card.
In the following detailed description, a mobile terminal with an eSIM card is taken as an example to describe the NFC-based mobile payment process on the mobile terminal and the user identity authentication process within that payment process.
Specifically, as shown in Fig. 1, the above user identity authentication method based on NFC payment comprises the following steps:
Step S102: generate a first key and cache it, and send an identity authentication request to the payment gateway, the identity authentication request carrying the first key.
When the user pays by NFC, the user only needs to bring the mobile terminal, with NFC payment enabled, close to the cash receiving terminal to start the NFC payment flow. When the mobile terminal approaches the cash receiving terminal, execution of the mobile terminal's payment process is triggered, i.e. generation of the first key is triggered. In this embodiment, the mobile terminal automatically generates a random key (the first key) and sends an identity authentication request to the payment gateway, sending the generated first key to the payment gateway along with it.
Step S104: receive the second key returned by the payment gateway, and generate a first hash key according to a preset hash algorithm with the first key and the second key as input.
After receiving the identity authentication request sent by the mobile terminal, the payment gateway generates a random key (i.e. the second key) and returns it to the mobile terminal. The mobile terminal receives the second key sent back by the payment gateway over its communication connection with the payment gateway.
In this embodiment, HMAC(key, message) denotes a keyed hash operation: it uses a hash algorithm, takes a key (key) and a message (message) as input, and outputs a message digest. After obtaining the first key and the second key, the mobile terminal takes the first key and the second key as input and generates the first hash key HKe, namely:
HKe = HMAC(RKw, RKe)
Here RKw is the second key, RKe is the first key, and HKe is the first hash key.
Step S106: send the first hash key to the payment gateway; the payment gateway verifies the first hash key and determines whether the identity authentication passes according to whether the first hash key passes verification.
After obtaining the first hash key HKe, the mobile terminal sends it to the payment gateway. After receiving the first hash key HKe, the payment gateway verifies it, i.e. judges whether the mobile terminal corresponding to the first hash key passes identity authentication.
In a specific embodiment, the step in which the payment gateway verifies the first hash key is specifically: the payment gateway generates a second hash key according to the preset hash algorithm with the second key and the first key as input, and judges whether the first hash key matches the second hash key; if so, the first hash key is judged to pass verification.
That is, after obtaining the first key and the second key, the payment gateway uses the preset hash algorithm to generate the second hash key HKw with the second key and the first key as input, namely:
HKw = HMAC(RKe, RKw),
Here HKw is the second hash key.
Specifically, if HKw = HKe, the first hash key is judged to match the second hash key, i.e. the first hash key has passed verification and the identity authentication of the corresponding mobile terminal or user passes; otherwise, identity authentication does not pass.
Step S108: receive the identity authentication response returned by the payment gateway.
After the payment gateway obtains the user's identity authentication result according to whether the first hash key passes verification, it sends the identity authentication result back to the mobile terminal as the identity authentication response to the identity authentication request sent by the mobile terminal in step S102.
It should be noted that, in this embodiment, when generation of the first key RKe is triggered, the mobile terminal also obtains the current timestamp. This timestamp is used to verify the legitimacy of the current transaction during the subsequent user identity authentication and payment, and to prevent replay attacks, i.e. to prevent the user's account from being fraudulently charged again. Specifically, after obtaining the current timestamp, the mobile terminal also includes it in the identity authentication request sent to the payment gateway. After receiving the identity authentication request, the payment gateway obtains the first key and the timestamp carried in it, and determines that the time at which the mobile terminal sent the identity authentication request is Ti. The payment gateway obtains the current timestamp Tj and calculates the difference between Ti and Tj. When the difference is less than a preset time threshold, the identity authentication request is judged not to have timed out and the next step is performed, i.e. the second key is generated and sent back to the mobile terminal. If the difference is greater than the preset time threshold, the current identity authentication request has timed out and the user account may be at risk of fraudulent charging; in this case user identity authentication is directly judged to have failed and must be performed again.
In a specific embodiment, Fig. 2 shows the interaction of user identity authentication based on NFC payment. In this embodiment, the interaction is illustrated with an eSIM card terminal as the mobile terminal. Specifically, the eSIM card terminal generates the first key RKe, obtains the current timestamp Ti, and generates an identity authentication request, then sends the identity authentication request, the first key RKe and the timestamp Ti to the payment gateway. On receipt, the payment gateway obtains the current time Tj and judges whether ABS(Tj-Ti) < ΔT holds; if so, it generates the second key RKw and sends it to the eSIM card terminal. On receipt, the eSIM card terminal calculates the first hash key HKe = HMAC(RKw, RKe) Ti and sends it to the payment gateway. The payment gateway calculates the second hash key HKw = HMAC(RKe, RKw) Tj and judges whether HKw = HKe holds; if so, identity authentication passes, and the identity authentication response is returned to the eSIM card terminal.
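The exchange of steps S102 to S108 with the timestamp check, as an added Python example (not code from the patent). SHA-256, the 30-second window, the session identifier and the class names are assumptions; both sides here use the argument order HMAC(RKw, RKe), because a standard HMAC yields different digests when key and message are swapped.

```python
import hashlib
import hmac
import secrets
import time

DELTA_T = 30            # assumed threshold in seconds; the text only says "preset"
HASH = hashlib.sha256   # assumed; the text only says "preset hash algorithm"


def hash_key(rkw: bytes, rke: bytes) -> bytes:
    """HMAC(key=RKw, message=RKe); both sides must use this same order."""
    return hmac.new(rkw, rke, HASH).digest()


class Terminal:
    """Mobile terminal side (steps S102 and S104)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.rke = None

    def start(self):
        # S102: generate and cache the first key RKe, attach timestamp Ti.
        self.rke = secrets.token_bytes(32)
        return self.rke, self.clock()

    def answer(self, rkw: bytes) -> bytes:
        # S104: first hash key HKe from the cached RKe and the received RKw.
        # Both keys cross the charging terminal, so HKe ties the reply to this
        # exchange; it does not contain a secret held only by the device.
        return hash_key(rkw, self.rke)


class Gateway:
    """Payment gateway side (timestamp check, S106 verification)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # hypothetical session id -> (RKe, RKw)

    def on_auth_request(self, session, rke: bytes, ti: float):
        tj = self.clock()
        if not abs(tj - ti) < DELTA_T:
            return None  # request timed out: authentication fails, no RKw issued
        rkw = secrets.token_bytes(32)
        self.pending[session] = (rke, rkw)
        return rkw

    def on_hash_key(self, session, hke: bytes) -> bool:
        # Each (RKe, RKw) pair is usable once, so a resent HKe is rejected.
        entry = self.pending.pop(session, None)
        if entry is None:
            return False
        rke, rkw = entry
        hkw = hash_key(rkw, rke)               # second hash key HKw
        return hmac.compare_digest(hkw, hke)   # constant-time HKw == HKe


def run_exchange(skew: float = 0.0, tamper: bool = False) -> str:
    """Run one exchange on constructed clocks; skew is Tj - Ti in seconds."""
    now = 1_700_000_000.0  # constructed timestamp
    terminal = Terminal(clock=lambda: now - skew)
    gateway = Gateway(clock=lambda: now)
    rke, ti = terminal.start()
    rkw = gateway.on_auth_request("s1", rke, ti)
    if rkw is None:
        return "timeout"
    hke = terminal.answer(rkw)
    if tamper:  # flip one bit to model a corrupted HKe
        hke = bytes([hke[0] ^ 1]) + hke[1:]
    return "pass" if gateway.on_hash_key("s1", hke) else "fail"


if __name__ == "__main__":
    print(run_exchange(), run_exchange(skew=120), run_exchange(tamper=True))
```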
It should be noted that, in this embodiment, after steps S102 to S108, once the user's identity authentication has passed, the NFC payment process can be carried out. Specifically, after step S108, as shown in Fig. 3, the method further includes the following steps:
Step S202: when identity authentication succeeds, generate a transaction request and send it to the payment gateway.
Step S204: receive the encrypted first transaction information returned by the payment gateway and decrypt it to obtain the decrypted second transaction information.
When user identity authentication passes, that is, when NFC payment is permitted, the mobile terminal generates a transaction request and sends it to the payment gateway.
After receiving the transaction request sent by the mobile terminal, the payment gateway responds to it and generates transaction information, i.e. the first transaction information, from transaction-related information corresponding to the current transaction such as the transaction time, the network address and the transaction authentication information. It then encrypts the first transaction information and sends the encrypted first transaction information to the mobile terminal.
Specifically, the payment gateway's encryption of the first transaction information can be implemented by the asymmetric encryption function RSA-enc (message, key), where RSA-enc (message, key) denotes the asymmetric encryption operation applied to the message message using the public key key. In this embodiment, the first transaction information can be encrypted as follows:
KMw=RSA-enc (Mw, UKe),
Where Mw denotes the first transaction information and UKe denotes the private key of the mobile terminal; for example, when the terminal is an eSIM terminal, UKe is the private key of the eSIM terminal.
After obtaining the encrypted first transaction information sent by the payment gateway, the mobile terminal decrypts the ciphertext to obtain the decrypted transaction information, i.e. the second transaction information. Specifically, the decryption can be implemented by an asymmetric decryption function, namely:
Me=RSA-enc (KMw, PKe),
Where RSA-dec (message, key) denotes the asymmetric decryption operation applied to the message message using the private key key, and PKe denotes the public key of the mobile terminal. In general, when both the mobile terminal and the charging terminal are running normally, the first transaction information and the second transaction information are identical; but if the charging terminal carries a virus or has other security risks, the two may differ.
Step S206: encrypt the second transaction information according to a preset encryption algorithm to obtain a cryptographic digest.
In this embodiment, after obtaining the second transaction information, the mobile terminal performs operations such as computation and encryption on it to obtain a cryptographic digest. The cryptographic digest is used to verify whether the transaction environment among the mobile terminal, the charging terminal and the payment gateway is secure.
In a specific embodiment, obtaining the cryptographic digest may include the following steps S2062 to S2066:
Step S2062: generate a third hash key according to a preset hash algorithm, with the first hash key and the second transaction information as input;
Step S2064: digitally sign the third hash key according to a preset digital signature algorithm and a third key;
Step S2066: encrypt the digitally signed third hash key according to a preset asymmetric encryption algorithm and a fourth key, and take the encryption result as the cryptographic digest.
The third hash key is calculated using the keyed hash function HMAC (key, message):
HHKe=HMAC (HKe, Mw+Me),
Then the third hash key is digitally signed using the signature function SIGN-enc (message, key) and the mobile terminal private key UKe (i.e. the third key), namely:
SHK=SIGN-enc (HHKe, UKe);
Where SIGN-enc (message, key) denotes the signing operation applied to the message message using the private key key. Finally, the cryptographic digest is calculated using the asymmetric encryption function RSA-enc (message, key) and the payment gateway public key PKb (i.e. the fourth key), namely:
AKb=RSA-enc (Mw+Me+SHK, PKb).
The cryptographic digest AKb is obtained by steps S2062 to S2066 above.
Step S208: send the cryptographic digest to the payment gateway; the payment gateway judges whether the cryptographic digest passes security verification and, if so, performs the transaction corresponding to the transaction request.
After obtaining the cryptographic digest, the mobile terminal sends it to the payment gateway, and the payment gateway judges it, i.e. judges whether it passes security verification. If security verification passes, the current transaction environment is secure and the transaction can proceed; if not, the current transaction environment has a security risk and the transaction must be terminated.
In a specific embodiment, the payment gateway judges the cryptographic digest with the following steps:
Use the asymmetric decryption function RSA-dec (message, key) and the payment gateway private key UKb to calculate Mw+Me+SHK=RSA-dec (AKb, UKb); use the signature verification function SIGN-dec (message, key) and the mobile terminal public key PKe to calculate HHKe=SIGN-dec (SHK, PKe); finally use the keyed hash function HMAC (key, message) to calculate HHKw=HMAC (HKw, Mw+Me), i.e. HHKw is the decryption digest calculated by the payment gateway. It should be noted that SIGN-dec (message, key) denotes the verification operation applied to the message message using the public key key.
Then the payment gateway verifies the cryptographic digest HHKe sent by the mobile terminal against the calculated decryption digest HHKw, i.e. judges whether the cryptographic digest HHKe equals the decryption digest HHKw. If they are equal, the transaction scene is considered secure and the transaction is completed; otherwise this step ends.
Step S210: receive the transaction request response returned by the payment gateway.
After verifying the cryptographic digest, the payment gateway generates a transaction request response according to the result and returns it to the mobile terminal, completing the whole NFC payment process.
In a specific embodiment, as shown in Fig. 4, Fig. 4 is a schematic diagram of the interaction for transaction environment security verification based on NFC payment. Taking an eSIM card terminal as an example, the figure shows the interaction between the eSIM card terminal and the payment gateway during transaction environment security verification.
After the user identity verification of steps S102 to S108 and the security verification of the transaction site environment of steps S202 to S210, if the results are all affirmative, the current NFC payment is secure and payment can be made. Specifically: first, the hash algorithm verifies whether the user identity in the current transaction has been tampered with, ensuring the legitimacy of the user identity of the mobile terminal; second, the timestamp mechanism can effectively prevent replay attacks; third, by hashing the transaction information and RSA-signing it with the private key, the payment gateway can verify after decrypting the signed information whether it has been tampered with, ensuring the integrity of the transaction information, i.e. the security of the transaction environment of the current transaction; fourth, the digital signature on the transaction information ensures non-repudiation by the mobile terminal and the payment gateway of the messages exchanged. In other words, the NFC payment mechanism disclosed in the above embodiments solves the problem of insufficient security when a user pays with NFC and improves the security of NFC payment.
In addition, to solve the technical problem that NFC-based mobile payment in the conventional art is insufficiently secure because the transaction environment is not security-verified during payment, one embodiment also proposes a user identity authentication device based on NFC payment. As shown in Fig. 5, the device includes an identity authentication request sending module 102, a first hash key generation module 104, a first hash key matching module 106 and an identity authentication result receiving module 108, wherein:
The identity authentication request sending module 102 is configured to generate and cache the first key and send an identity authentication request to the payment gateway, the identity authentication request carrying the first key;
The first hash key generation module 104 is configured to receive the second key returned by the payment gateway and generate a first hash key according to a preset hash algorithm, with the first key and the second key as input;
The first hash key matching module 106 is configured to send the first hash key to the payment gateway; the payment gateway verifies the first hash key, and whether identity authentication passes is determined by whether the first hash key passes verification;
The identity authentication result receiving module 108 is configured to receive the identity authentication response returned by the payment gateway.
Optionally, in one embodiment, the identity authentication request also carries the timestamp of when the identity authentication request was sent; the payment gateway further judges from the timestamp whether the identity authentication request has timed out and, if not, returns the second key.
Optionally, in one embodiment, the payment gateway further generates a second hash key according to the preset hash algorithm, with the second key and the first key as input; the payment gateway judges whether the first hash key matches the second hash key and, if so, determines that the first hash key passes verification.
Optionally, in one embodiment, as shown in Fig. 5, the device further includes a transaction request generation module 202, a transaction information acquisition module 204, a cryptographic digest acquisition module 206, a cryptographic digest sending module 208 and a transaction request response receiving module 210, wherein:
The transaction request generation module 202 is configured to generate a transaction request and send it to the payment gateway when identity authentication succeeds;
The transaction information acquisition module 204 is configured to receive the encrypted first transaction information returned by the payment gateway and decrypt it to obtain the decrypted second transaction information;
The cryptographic digest acquisition module 206 is configured to encrypt the second transaction information according to the preset encryption algorithm to obtain a cryptographic digest;
The cryptographic digest sending module 208 is configured to send the cryptographic digest to the payment gateway; the payment gateway judges whether the cryptographic digest passes security verification and, if so, performs the transaction corresponding to the transaction request;
The transaction request response receiving module 210 is configured to receive the transaction request response returned by the payment gateway.
Optionally, in one embodiment, the cryptographic digest acquisition module 206 is further configured to generate a third hash key according to the preset hash algorithm, with the first hash key and the second transaction information as input; digitally sign the third hash key according to a preset digital signature algorithm and a third key; and encrypt the digitally signed third hash key according to a preset asymmetric encryption algorithm and a fourth key, taking the encryption result as the cryptographic digest.
Implementing the embodiments of the present invention has the following beneficial effects:
With the above identity authentication method and device based on NFC payment, when a user uses a mobile terminal for NFC payment, verifying the user's identity ensures the legitimacy of the user identity during payment, improves the security of NFC-based mobile payment, protects the user's funds and improves the user experience.
In one embodiment, as shown in Fig. 6, Fig. 6 shows a terminal of a computer system based on the von Neumann architecture that runs the above identity authentication method based on NFC payment. The computer system can be a terminal device such as a smartphone, tablet computer or palmtop computer. Specifically, it may include an external input interface 1001, a processor 1002, a memory 1003 and an output interface 1004 connected by a system bus. The external input interface 1001 may optionally include at least a network interface 10012. The memory 1003 may include an external memory 10032 (such as a hard disk, optical disc or floppy disk) and an internal memory 10034. The output interface 1004 may include at least a device such as a display screen 10042.
In this embodiment, the method runs as a computer program. The program file of the computer program is stored in the external memory 10032 of the aforementioned von Neumann computer system, is loaded into the internal memory 10034 at run time, and is then compiled into machine code and passed to the processor 1002 for execution, so that the identity authentication request sending module 102, the first hash key generation module 104, the first hash key matching module 106, the identity authentication result receiving module 108, the transaction request generation module 202, the transaction information acquisition module 204, the cryptographic digest acquisition module 206, the third cryptographic digest sending module 208 and the transaction request response receiving module 210 are logically formed in the computer system. During execution of the identity authentication method based on NFC payment, input parameters are all received through the external input interface 1001, transferred to the memory 1003 for caching, and then input to the processor 1002 for processing; the resulting data is either cached in the memory 1003 for subsequent processing or passed to the output interface 1004 for output.
What is disclosed above is only the preferred embodiments of the present invention and certainly cannot limit the scope of rights of the present invention; equivalent changes made according to the claims of the present invention therefore still fall within the scope covered by the present invention.

Claims (10)

1. An identity authentication method based on NFC payment, characterized by comprising:
generating and caching a first key, and sending an identity authentication request to a payment gateway, the identity authentication request carrying the first key;
receiving a second key returned by the payment gateway, and generating a first hash key according to a preset hash algorithm, with the first key and the second key as input;
sending the first hash key to the payment gateway, the payment gateway verifying the first hash key, and determining whether identity authentication passes according to whether the first hash key passes verification;
receiving the identity authentication response returned by the payment gateway.
2. The identity authentication method based on NFC payment according to claim 1, characterized in that the identity authentication request also carries the timestamp of when the identity authentication request was sent, and the payment gateway further judges from the timestamp whether the identity authentication request has timed out and, if not, returns the second key.
3. The identity authentication method based on NFC payment according to claim 1, characterized in that the payment gateway verifying the first hash key is specifically:
the payment gateway generates a second hash key according to the preset hash algorithm, with the second key and the first key as input; the payment gateway judges whether the first hash key matches the second hash key and, if so, determines that the first hash key passes verification.
4. The identity authentication method based on NFC payment according to claim 1, characterized in that, after receiving the identity authentication response returned by the payment gateway, the method further comprises:
when identity authentication succeeds, generating a transaction request and sending it to the payment gateway;
receiving the encrypted first transaction information returned by the payment gateway and decrypting it to obtain the decrypted second transaction information;
encrypting the second transaction information according to a preset encryption algorithm to obtain a cryptographic digest;
sending the cryptographic digest to the payment gateway, the payment gateway judging whether the cryptographic digest passes security verification and, if so, performing the transaction corresponding to the transaction request;
receiving the transaction request response returned by the payment gateway.
5. The identity authentication method based on NFC payment according to claim 4, characterized in that encrypting the second transaction information according to the preset encryption algorithm to obtain the cryptographic digest is specifically:
generating a third hash key according to a preset hash algorithm, with the first hash key and the second transaction information as input;
digitally signing the third hash key according to a preset digital signature algorithm and a third key;
encrypting the digitally signed third hash key according to a preset asymmetric encryption algorithm and a fourth key, and taking the encryption result as the cryptographic digest.
6. A user identity authentication device based on NFC payment, characterized by comprising:
an identity authentication request sending module, configured to generate and cache a first key and send an identity authentication request to a payment gateway, the identity authentication request carrying the first key;
a first hash key generation module, configured to receive a second key returned by the payment gateway and generate a first hash key according to a preset hash algorithm, with the first key and the second key as input;
a first hash key matching module, configured to send the first hash key to the payment gateway, the payment gateway verifying the first hash key, and whether identity authentication passes being determined according to whether the first hash key passes verification;
an identity authentication result receiving module, configured to receive the identity authentication response returned by the payment gateway.
7. The user identity authentication device based on NFC payment according to claim 6, characterized in that the identity authentication request also carries the timestamp of when the identity authentication request was sent, and the payment gateway further judges from the timestamp whether the identity authentication request has timed out and, if not, returns the second key.
8. The user identity authentication device based on NFC payment according to claim 6, characterized in that the payment gateway further generates a second hash key according to the preset hash algorithm, with the second key and the first key as input; the payment gateway judges whether the first hash key matches the second hash key and, if so, determines that the first hash key passes verification.
9. The user identity authentication device based on NFC payment according to claim 6, characterized in that the device further comprises:
a transaction request generation module, configured to generate a transaction request and send it to the payment gateway when identity authentication succeeds;
a transaction information acquisition module, configured to receive the encrypted first transaction information returned by the payment gateway and decrypt it to obtain the decrypted second transaction information;
a cryptographic digest acquisition module, configured to encrypt the second transaction information according to a preset encryption algorithm to obtain a cryptographic digest;
a cryptographic digest sending module, configured to send the cryptographic digest to the payment gateway, the payment gateway judging whether the cryptographic digest passes security verification and, if so, performing the transaction corresponding to the transaction request;
a transaction request response receiving module, configured to receive the transaction request response returned by the payment gateway.
10. The user identity authentication device based on NFC payment according to claim 9, characterized in that the cryptographic digest acquisition module is further configured to generate a third hash key according to the preset hash algorithm, with the first hash key and the second transaction information as input; digitally sign the third hash key according to a preset digital signature algorithm and a third key; and encrypt the digitally signed third hash key according to a preset asymmetric encryption algorithm and a fourth key, taking the encryption result as the cryptographic digest.
CN201610367636.9A 2016-05-30 2016-05-30 Identity identifying method and device based on NFC payment Active CN105827656B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610367636.9A CN105827656B (en) 2016-05-30 2016-05-30 Identity identifying method and device based on NFC payment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610367636.9A CN105827656B (en) 2016-05-30 2016-05-30 Identity identifying method and device based on NFC payment

Publications (2)

Publication Number Publication Date
CN105827656A true CN105827656A (en) 2016-08-03
CN105827656B CN105827656B (en) 2019-08-02

Family

ID=56532377

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610367636.9A Active CN105827656B (en) 2016-05-30 2016-05-30 Identity identifying method and device based on NFC payment

Country Status (1)

Country Link
CN (1) CN105827656B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant