CN106102058A - A kind of identity identifying method and device - Google Patents

A kind of identity identifying method and device

Info

Publication number
CN106102058A
Authority
CN
China
Prior art keywords
submodule
data
certification
feature
mobile terminal
Legal status
Granted
Application number
CN201610368089.6A
Other languages
Chinese (zh)
Other versions
CN106102058B
Inventor
陆舟
于华章
Current Assignee
Feitian Technologies Co Ltd
Original Assignee
Feitian Technologies Co Ltd
Application filed by Feitian Technologies Co Ltd
Priority to CN201610368089.6A
Publication of CN106102058A
Application granted
Publication of CN106102058B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention discloses an identity authentication method and device. The method includes: the mobile terminal sends a first authentication request containing the user ID to the server backend and receives a fifth response from the server backend; it searches for the identity authentication device matching the preset service identifier and establishes a Bluetooth connection with it; it obtains the service of the identity authentication device, obtains the notify characteristic and the write characteristic from that service, and enables the notify characteristic; it generates authentication data from the preset authentication instruction type and the information in the fifth response, and sends an authentication instruction containing the authentication data to the identity authentication device through the write characteristic; it receives, through the notify characteristic, a seventh response containing the second authentication credential returned by the identity authentication device; it sends a second authentication request containing the authentication instruction type, the second challenge value, the origin data, the application ID, the user ID and the second authentication credential to the server backend; it receives an eighth response from the server backend; and it judges from the eighth response whether authentication succeeded.

Description

A kind of identity identifying method and device
Technical field
The present invention relates to the field of identity authentication, and in particular to an identity authentication method and device.
Background technology
Identity authentication technology is a method used in computer networks to confirm the legal identity of an operator, so as to ensure that the operator acting under a digital identity is indeed the lawful owner of that digital identity. It includes multiple forms of authentication such as static passwords, SMS passwords and dynamic passwords. In the prior art, each of these forms requires the user to enter a password or a dynamic password; the authentication process is cumbersome and at the same time carries potential safety hazards.
Summary of the invention
The invention provides an identity authentication method and device that solve the above technical problem.
The invention provides an identity authentication method, including:
Step s1: the mobile terminal sends a first authentication request containing the user ID to the server backend, and receives from the server backend a fifth response containing the application ID, the second challenge value, the origin data and the key handle corresponding to the user ID;
Step s2: the mobile terminal searches for the identity authentication device matching the preset service identifier and establishes a Bluetooth connection with it;
Step s3: the mobile terminal obtains the service of the identity authentication device, obtains the notify characteristic and the write characteristic from the service, and enables the notify characteristic;
Step s4: the mobile terminal generates authentication data from the preset authentication instruction type, the second challenge value, the origin data, the application ID and the key handle, and sends an authentication instruction containing the authentication data to the identity authentication device through the write characteristic; it receives, through the notify characteristic, a seventh response containing the second authentication credential returned by the identity authentication device;
Step s5: the mobile terminal sends to the server backend a second authentication request containing the authentication instruction type, the second challenge value, the origin data, the application ID, the user ID and the second authentication credential;
Step s6: the mobile terminal receives from the server backend an eighth response containing an error code, and judges whether the error code is the second preset value; if so, authentication succeeded; otherwise, authentication failed.
The invention also provides an identity authentication device, including a mobile terminal.
The mobile terminal includes: a first sending submodule, a first receiving submodule, a search submodule, a connection submodule, a first obtaining submodule, an enabling submodule, a characteristic sending submodule, a characteristic receiving submodule, a first generating submodule, a second sending submodule, a second receiving submodule and a first judging submodule.
The first sending submodule sends a first authentication request containing the user ID to the server backend.
The first receiving submodule receives from the server backend a fifth response containing the application ID, the second challenge value, the origin data and the key handle corresponding to the user ID.
The search submodule searches for the identity authentication device matching the preset service identifier.
The connection submodule establishes a Bluetooth connection with the identity authentication device matching the preset service identifier.
The first obtaining submodule obtains the service of the identity authentication device and obtains the notify characteristic and the write characteristic from the service.
The enabling submodule enables the notify characteristic obtained by the first obtaining submodule.
The first generating submodule generates authentication data from the preset authentication instruction type and the second challenge value, origin data, application ID and key handle received by the first receiving submodule.
The characteristic sending submodule, after the enabling submodule has enabled the notify characteristic, sends to the identity authentication device through the write characteristic an authentication instruction containing the authentication data generated by the first generating submodule.
The characteristic receiving submodule receives, through the notify characteristic, the seventh response containing the second authentication credential returned by the identity authentication device.
The second sending submodule sends to the server backend a second authentication request containing the authentication instruction type, the second challenge value, the origin data, the application ID, the user ID and the second authentication credential.
The second receiving submodule receives from the server backend the eighth response containing an error code.
The first judging submodule judges whether the error code is the second preset value; if so, authentication succeeded; otherwise, authentication failed.
Beneficial effects of the present invention: the identity authentication method and device provided in this embodiment incorporate an identity authentication device into the authentication process, so the user does not need to enter a password; this makes authentication more convenient and easier to operate while also improving its security.
Brief description of the drawings
Fig. 1 is a flow chart of an identity authentication method provided in Embodiment 1 of the present invention;
Fig. 2 and Fig. 3 are flow charts of the registration phase of an identity authentication method provided in Embodiment 2 of the present invention;
Fig. 4 and Fig. 5 are flow charts of the authentication phase of an identity authentication method provided in Embodiment 2 of the present invention;
Fig. 6 is a structural diagram of an identity authentication device provided in Embodiment 3 of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
Embodiment 1
This embodiment provides an identity authentication method which, as shown in Fig. 1, includes:
Step s1: the mobile terminal sends a first authentication request containing the user ID to the server backend, and receives from the server backend a fifth response containing the application ID, the second challenge value, the origin data and the key handle corresponding to the user ID;
Step s2: the mobile terminal searches for the identity authentication device matching the preset service identifier and establishes a Bluetooth connection with it;
Step s3: the mobile terminal obtains the service of the identity authentication device, obtains the notify characteristic and the write characteristic from the service, and enables the notify characteristic;
Here, obtaining the service and the two characteristics specifically means: the mobile terminal obtains the service of the identity authentication device according to the preset service identifier, obtains the notify characteristic from the service according to the preset notify characteristic identifier, and obtains the write characteristic from the service according to the preset write characteristic identifier.
Step s4: the mobile terminal generates authentication data from the preset authentication instruction type, the second challenge value, the origin data, the application ID and the key handle, and sends an authentication instruction containing the authentication data to the identity authentication device through the write characteristic; it receives, through the notify characteristic, a seventh response containing the second authentication credential returned by the identity authentication device;
Generating the authentication data from the preset authentication instruction type, the second challenge value, the origin data, the application ID and the key handle specifically includes:
Step a1: the mobile terminal organises second client data containing the preset authentication instruction type, the second challenge value and the origin data;
Step a2: the mobile terminal hashes the second client data and the application ID separately, obtaining a third hash value and a fourth hash value, and generates the authentication data from the third hash value, the fourth hash value and the key handle;
After receiving the authentication instruction, the identity authentication device obtains the authentication data from it, obtains the key handle from the authentication data together with the private key corresponding to that key handle, organises second data to be signed containing the third and fourth hash values from the authentication data, signs the second data to be signed with the preset hash algorithm and the private key corresponding to the key handle to obtain second signature data, organises a second authentication credential containing the second signature data, and returns a seventh response containing the second authentication credential to the mobile terminal.
Step s5: the mobile terminal sends to the server backend a second authentication request containing the authentication instruction type, the second challenge value, the origin data, the application ID, the user ID and the second authentication credential;
Specifically, this means sending to the server backend a second authentication request containing the second client data, the application ID, the user ID and the second authentication credential.
After receiving the second authentication request, the server backend obtains the public key corresponding to the user ID in the request, verifies the second signature data in the second authentication credential using the second client data and the application ID from the request, the preset hash algorithm and that public key, and judges whether verification succeeded; if so, it sets the error code to the second preset value and sends an eighth response containing the error code to the mobile terminal; otherwise, it sets the error code to the third preset value and sends an eighth response containing the error code to the mobile terminal.
Step s6: the mobile terminal receives the eighth response containing the error code from the server backend and judges whether the error code is the second preset value; if so, authentication succeeded; otherwise, authentication failed.
In this embodiment the fifth response may also contain a first version number; correspondingly, before step s4 the method may also include: the mobile terminal sends a get-version-number instruction to the identity authentication device through the write characteristic and receives, through the notify characteristic, a sixth response containing the second version number returned by the identity authentication device; it judges whether the first version number matches the second version number; if so, step s4 is performed; otherwise, an error is reported.
In this embodiment step s3 may also include obtaining the read characteristic from the service and using the characteristic value of the read characteristic as the packet length.
Before sending the authentication instruction containing the authentication data to the identity authentication device through the write characteristic, the method also includes: organising the authentication instruction from the authentication data; judging according to the packet length whether the authentication instruction needs to be fragmented; if so, fragmenting the authentication instruction according to the packet length and continuing; otherwise, continuing.
Organising the authentication instruction from the authentication data specifically includes: organising a second instruction from the authentication data, using the second instruction as the data field of the authentication instruction, and prepending to the second instruction the protocol instruction type identifier and the data length of the second instruction, thereby obtaining the authentication instruction.
In this embodiment, the following may also be included before step s1:
Step r1: the mobile terminal sends a first registration request containing the user ID to the server backend and receives from the server backend a first response containing the application ID, the first challenge value and the origin data;
Step r2: the mobile terminal searches for the identity authentication device matching the preset service identifier and establishes a Bluetooth connection with it;
Step r3: the mobile terminal obtains the service of the identity authentication device, obtains the notify characteristic and the write characteristic from the service, and enables the notify characteristic;
Here, obtaining the service and the two characteristics specifically means: the mobile terminal obtains the service of the identity authentication device according to the preset service identifier, obtains the notify characteristic from the service according to the preset notify characteristic identifier, and obtains the write characteristic from the service according to the preset write characteristic identifier.
Step r4: the mobile terminal generates registration data from the preset registration instruction type, the first challenge value, the origin data and the application ID, and sends a registration instruction containing the registration data to the identity authentication device through the write characteristic; it receives, through the notify characteristic, a third response containing the first authentication credential returned by the identity authentication device;
Generating the registration data from the preset registration instruction type, the first challenge value, the origin data and the application ID specifically includes:
Step b1: the mobile terminal organises first client data containing the preset registration instruction type, the first challenge value and the origin data;
Step b2: the mobile terminal hashes the first client data and the application ID separately, obtaining a first hash value and a second hash value, and generates the registration data from the first hash value and the second hash value;
After receiving the registration instruction, the identity authentication device generates a key pair and a key handle corresponding to the key pair, organises first data to be signed containing the public key of the key pair, the key handle, and the first and second hash values from the registration data, signs the first data to be signed with the preset hash algorithm and the private key of the key pair to obtain first signature data, organises a first authentication credential containing the public key of the key pair, the key handle corresponding to the key pair and the first signature data, and returns a third response containing the first authentication credential to the mobile terminal.
Step r5: the mobile terminal obtains the first authentication credential from the third response and sends to the server backend a second registration request containing the registration instruction type, the first challenge value, the origin data, the application ID, the user ID and the first authentication credential;
Specifically, this means sending to the server backend a second registration request containing the first client data, the application ID, the user ID and the first authentication credential.
After receiving the second registration request, the server backend verifies the first signature data in the first authentication credential using the first client data, the application ID, the public key and key handle in the first authentication credential and the preset hash algorithm, and judges whether verification succeeded; if so, it associates the key handle and public key from the third response with the user ID and stores them, sets the error code to the second preset value and sends a fourth response containing the error code to the mobile terminal; otherwise, it sets the error code to the third preset value and sends a fourth response containing the error code to the mobile terminal.
Step r6: the mobile terminal receives the fourth response containing the error code from the server backend and judges whether the error code is the second preset value; if so, registration succeeded; otherwise, registration failed.
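The registration flow r1 to r6 above and the authentication flow s1 to s6 (with steps b1/b2 and a1/a2) follow one pattern: the mobile terminal hashes the client data and the application ID, the identity authentication device signs over those hashes, and the server backend verifies the signature with the public key it stored at registration. The following Go program, added here as an illustration and not code from the patent or from Feitian, runs both flows end to end on constructed data. Everything the patent leaves open is an assumption: SHA-256 as the preset hash algorithm, ECDSA over P-256 as the signature scheme, a random 32-byte key handle, the byte layout of the data to be signed, the U2F client-data type strings, the user ID "alice", and the JSON key names, which are the ones given in Embodiment 2 of this page. The server's true/false result is what the page calls setting the error code to the second or the third preset value.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample of the JSON response the server backend returns to the mobile terminal
// (the page's first/fifth response; key names as given in Embodiment 2 of the page).
const sampleResponse = `{"APPID":"https://u2fdemo.appspot.com","challenge":"x9-d9XlfOZVWKjHkWhGIRg","origin":"https://u2fdemo.appspot.com","version":"U2F_V2"}`

// hashClientData is steps a1/a2 (and b1/b2): organise the client data (instruction type, challenge
// value, origin data), then hash it and the application ID separately. SHA-256 is assumed.
func hashClientData(typ, challenge, origin, appID string) (cdHash, appHash []byte) {
	cd, _ := json.Marshal(map[string]string{"typ": typ, "challenge": challenge, "origin": origin})
	h1, h2 := sha256.Sum256(cd), sha256.Sum256([]byte(appID))
	return h1[:], h2[:]
}
// digest hashes the concatenated parts of the data to be signed (SHA-256, assumed).
func digest(parts ...[]byte) []byte {
	d := sha256.Sum256(bytes.Join(parts, nil))
	return d[:]
}

// Authenticator models the identity authentication device: private keys indexed by key handle.
// ECDSA over P-256 is an assumed signature scheme; the page names none.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register generates a key pair and a key handle (assumed: 32 random bytes), then signs the first
// data to be signed, appIDHash||clientDataHash||handle||pubKey. Returns DER public key, handle, signature.
func (a *Authenticator) Register(cdHash, appHash []byte) (pub, handle, sig []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, nil, err }
	handle = make([]byte, 32)
	if _, err = rand.Read(handle); err != nil { return nil, nil, nil, err }
	pub, _ = x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for a freshly generated P-256 key
	a.keys[string(handle)] = priv
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest(appHash, cdHash, handle, pub))
	return pub, handle, sig, err
}

// Authenticate signs the second data to be signed, appIDHash||clientDataHash, with the private key
// that belongs to the key handle carried in the authentication data.
func (a *Authenticator) Authenticate(cdHash, appHash, handle []byte) ([]byte, error) {
	priv, ok := a.keys[string(handle)]
	if !ok { return nil, errors.New("unknown key handle") }
	return ecdsa.SignASN1(rand.Reader, priv, digest(appHash, cdHash))
}
// Server models the server backend: key handle and public key stored per user ID.
type Server struct{ handles map[string][]byte; pubs map[string]*ecdsa.PublicKey }

// VerifyRegistration checks the first signature data and, on success, stores handle and public key
// under the user ID (the page then sets the error code to the second preset value, else the third).
func (s *Server) VerifyRegistration(userID string, cdHash, appHash, pub, handle, sig []byte) bool {
	k, err := x509.ParsePKIXPublicKey(pub)
	ek, ok := k.(*ecdsa.PublicKey)
	if err != nil || !ok || !ecdsa.VerifyASN1(ek, digest(appHash, cdHash, handle, pub), sig) { return false }
	s.handles[userID], s.pubs[userID] = handle, ek
	return true
}
// VerifyAuthentication checks the second signature data with the public key registered for the user ID.
func (s *Server) VerifyAuthentication(userID string, cdHash, appHash, handle, sig []byte) bool {
	pub, ok := s.pubs[userID]
	return ok && bytes.Equal(s.handles[userID], handle) && ecdsa.VerifyASN1(pub, digest(appHash, cdHash), sig)
}

// RunFlow runs registration then authentication for one constructed user, then shows that the same
// signature presented against a different challenge is rejected.
func RunFlow() (registered, authenticated, replayRejected bool, err error) {
	var resp map[string]string
	if err = json.Unmarshal([]byte(sampleResponse), &resp); err != nil { return }
	dev := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	srv := &Server{handles: map[string][]byte{}, pubs: map[string]*ecdsa.PublicKey{}}
	appID, challenge, origin := resp["APPID"], resp["challenge"], resp["origin"]
	// Registration, steps r1-r6. The type strings are U2F's and are assumed, not taken from the page.
	cdHash, appHash := hashClientData("navigator.id.finishEnrollment", challenge, origin, appID)
	pub, handle, sig, err := dev.Register(cdHash, appHash)
	if err != nil { return }
	registered = srv.VerifyRegistration("alice", cdHash, appHash, pub, handle, sig)
	// Authentication, steps s1-s6. A real server issues a fresh challenge; the sample is reused here.
	cdHash, appHash = hashClientData("navigator.id.getAssertion", challenge, origin, appID)
	if sig, err = dev.Authenticate(cdHash, appHash, handle); err != nil { return }
	authenticated = srv.VerifyAuthentication("alice", cdHash, appHash, handle, sig)
	cdHash2, _ := hashClientData("navigator.id.getAssertion", "a-different-challenge", origin, appID)
	replayRejected = !srv.VerifyAuthentication("alice", cdHash2, appHash, handle, sig)
	return
}

func main() { fmt.Println(RunFlow()) }
```

The last check in RunFlow presents the second signature against a different challenge value. Because the challenge is bound into the client data hash that the server recomputes for itself, a credential captured from one exchange does not verify in another, which is the property that lets the scheme dispense with a password.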
In this embodiment the first response may also contain a first version number; correspondingly, before step r4 the method also includes: the mobile terminal sends a get-version-number instruction to the identity authentication device through the write characteristic and receives, through the notify characteristic, a second response containing the second version number returned by the identity authentication device; it judges whether the first version number matches the second version number; if so, step r4 is performed; otherwise, an error is reported.
In this embodiment step r3 also includes obtaining the read characteristic from the service and using the characteristic value of the read characteristic as the packet length.
Before sending the registration instruction containing the registration data to the identity authentication device through the write characteristic, the method also includes: organising the registration instruction from the registration data; judging according to the packet length whether the registration instruction needs to be fragmented; if so, fragmenting the registration instruction according to the packet length and continuing; otherwise, continuing.
Organising the registration instruction from the registration data specifically includes: organising a second instruction from the registration data, using the second instruction as the data field of the registration instruction, and prepending to the second instruction the protocol instruction type identifier and the data length of the second instruction, thereby obtaining the registration instruction.
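The authentication instruction (described after step s3 above) and the registration instruction (just above) are framed in the same way: the second instruction becomes the data field, the protocol instruction type identifier and the data length are prepended, and the result is split according to the packet length read from the read characteristic. The following Go code, an added example and not code from the patent, implements that framing together with the matching reassembly a receiver needs. The byte layout is assumed to be the FIDO U2F-over-BLE one (a 1-byte command, a 2-byte big-endian length, and a 1-byte sequence number on each continuation frame); the page only says that a type identifier and a length are prepended. The sample instruction bytes and the command value 0x83 are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample of a "second instruction" (the bytes that become the data field of the
// authentication or registration instruction). Placeholder bytes, not a real APDU.
var sampleInstruction = []byte{0x00, 0x02, 0x03, 0x00, 0x00, 0x00, 0x41, 0xaa, 0xbb, 0xcc, 0xdd,
	0xee, 0xff, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99}

// BuildCommand wraps the second instruction as the data field: protocol instruction type identifier,
// then the data length of the second instruction (2 bytes big-endian, assumed), then the data.
func BuildCommand(cmdType byte, data []byte) []byte {
	out := make([]byte, 3+len(data))
	out[0] = cmdType
	binary.BigEndian.PutUint16(out[1:3], uint16(len(data)))
	copy(out[3:], data)
	return out
}

// Fragment splits a built command into frames no longer than packetLen (the value read from the
// read characteristic). The first frame keeps the 3-byte header; each continuation frame carries a
// 1-byte sequence number and the next slice of data (U2F-over-BLE framing, assumed).
func Fragment(cmd []byte, packetLen int) ([][]byte, error) {
	if packetLen < 4 {
		return nil, errors.New("packet length too small for the header")
	}
	if len(cmd) <= packetLen {
		return [][]byte{cmd}, nil // fits in one write, no fragmentation needed
	}
	frames := [][]byte{cmd[:packetLen]}
	for rest, seq := cmd[packetLen:], 0; len(rest) > 0; seq++ {
		if seq > 0x7f {
			return nil, errors.New("too many fragments")
		}
		n := packetLen - 1
		if n > len(rest) {
			n = len(rest)
		}
		frames = append(frames, append([]byte{byte(seq)}, rest[:n]...))
		rest = rest[n:]
	}
	return frames, nil
}

// Reassemble is the receiving side: it rebuilds (cmdType, data) from the frames and rejects missing
// or out-of-order continuation frames and data that does not match the declared length. The device
// applies the same checks to what arrives on the write characteristic, and the mobile terminal to the
// responses returned through the notify characteristic.
func Reassemble(frames [][]byte) (byte, []byte, error) {
	if len(frames) == 0 || len(frames[0]) < 3 {
		return 0, nil, errors.New("missing initial frame")
	}
	cmdType := frames[0][0]
	want := int(binary.BigEndian.Uint16(frames[0][1:3]))
	data := append([]byte{}, frames[0][3:]...)
	for i, f := range frames[1:] {
		if len(f) < 1 || int(f[0]) != i {
			return 0, nil, fmt.Errorf("bad sequence number in frame %d", i+1)
		}
		data = append(data, f[1:]...)
		if len(data) > want {
			return 0, nil, errors.New("data exceeds the declared length")
		}
	}
	if len(data) != want {
		return 0, nil, errors.New("truncated command")
	}
	return cmdType, data, nil
}

func main() {
	cmd := BuildCommand(0x83, sampleInstruction) // 0x83: U2F BLE "MSG" command value (assumed)
	frames, err := Fragment(cmd, 20)
	fmt.Println(len(frames), "frames", err)
}
```

Reassemble checks the sequence numbers and the declared length so that a dropped or reordered write cannot be silently accepted as a complete instruction; both ends of the Bluetooth link need that check, since the notify characteristic carries the device's responses back in the same fragmented form.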
In this embodiment, searching for the identity authentication device matching the preset service identifier specifically means:
the mobile terminal searches for identity authentication devices and receives broadcast data from an identity authentication device; it judges whether the service identifier in the broadcast data matches the preset service identifier; if so, it determines that the identity authentication device matching the preset service identifier has been found and continues; otherwise, an error is reported.
Here, searching for the identity authentication device and receiving its broadcast data specifically means: the mobile terminal calls the system's search interface to search for the identity authentication device and sets a search callback object, which contains a search callback method; the broadcast data from the identity authentication device and the device object corresponding to the identity authentication device are received through the system's search callback method.
Establishing the Bluetooth connection with the identity authentication device specifically includes: the mobile terminal uses the device object corresponding to the identity authentication device to call the system's connect method, establishes the Bluetooth connection with the identity authentication device, obtains a Generic Attribute Profile (GATT) object and sets a connection callback object.
Further, obtaining the service of the identity authentication device and obtaining the notify characteristic and the write characteristic from the service specifically includes:
Step t1: with the preset service identifier as parameter, the mobile terminal uses the GATT object to call the system's get-service method and obtains the service object of the identity authentication device; with the preset write characteristic identifier as parameter, it uses the service object to call the system's get-characteristic method and obtains the write characteristic object from the service object; with the preset notify characteristic identifier as parameter, it uses the service object to call the system's get-characteristic method and obtains the notify characteristic object from the service object.
Further, the callback object contains the system's notification callback method;
enabling the notify characteristic specifically means calling the system's set-characteristic-notification method to enable the notify characteristic object;
receiving the sixth response containing the second version number returned by the identity authentication device through the notify characteristic specifically means: the mobile terminal receives, through the system's communication callback method, the sixth response containing the second version number that the identity authentication device returns through the notify characteristic object;
receiving the seventh response returned by the identity authentication device through the notify characteristic specifically means: the mobile terminal receives, through the system's communication callback method, the seventh response that the identity authentication device returns through the notify characteristic object.
The identity authentication method provided in this embodiment incorporates an identity authentication device into the authentication process, so the user does not need to enter a password; this makes authentication more convenient and easier to operate while also improving its security.
Embodiment 2
This embodiment provides an identity authentication method including a registration phase and an authentication phase. The registration phase, shown in Fig. 2 and Fig. 3, includes:
Step 101: the mobile terminal sends a first registration request containing the user ID to the server backend;
In this embodiment the user ID is specifically a user name.
Step 102: the mobile terminal receives the first response from the server backend and obtains the application ID, the first challenge value, the origin data and the first version number from the first response;
Specifically, the mobile terminal receives the first response, in JSON format, from the server backend; with the preset application ID identifier, challenge value identifier, origin data identifier and version number identifier as parameters, it calls the system's get-string method for each and obtains from the first response the application ID corresponding to the application ID identifier, the first challenge value corresponding to the challenge value identifier, the origin data corresponding to the origin data identifier and the first version number corresponding to the version number identifier;
In this embodiment the preset application ID identifier is APPID, the preset challenge value identifier is challenge, the preset origin data identifier is origin, and the preset version number identifier is version.
For example, the first response in JSON format received by the mobile terminal from the server backend is:
"APPID":"https://u2fdemo.appspot.com","challenge":"x9-d9XlfOZVWKjHkWhGIRg","origin":"https://u2fdemo.appspot.com","version":"U2F_V2"
With the preset application ID identifier APPID, challenge value identifier challenge, origin data identifier origin and version number identifier version as parameters, the mobile terminal calls the system's get-string method getString() for each; the application ID obtained from the first response is https://u2fdemo.appspot.com, the first challenge value obtained is x9-d9XlfOZVWKjHkWhGIRg, the origin data obtained is https://u2fdemo.appspot.com, and the first version number obtained is U2F_V2.
Step 103: the mobile terminal detects whether the Bluetooth channel is open; if so, step 105 is performed; otherwise, step 104 is performed;
Step 104: the mobile terminal opens the Bluetooth channel;
Step 105: the mobile terminal searches for the identity authentication device through the Bluetooth channel;
Specifically, the mobile terminal calls the system's search interface to search for the identity authentication device through the Bluetooth channel and sets a search callback object.
The search callback object contains the system's search callback method.
For example, with a first preset-type parameter filters, a second preset-type parameter settings and a search callback object type parameter scanCallback, the mobile terminal calls the system's first search interface startScan() to search for the identity authentication device through the Bluetooth channel and sets the search callback object scanCallback.
In this embodiment the identity authentication device may be, but is not limited to, a smart key device with Bluetooth functionality.
Step 106: the mobile terminal receives the broadcast data from the identity authentication device through the Bluetooth channel;
Specifically, the mobile terminal receives, through the system's search callback method, the broadcast data of the identity authentication device and the device object corresponding to the identity authentication device from the system.
For example, the mobile terminal receives, through the system's first search callback method onScanResult(), the broadcast data of the identity authentication device and the device object device corresponding to the identity authentication device from the system.
In this embodiment the search interface includes a first search interface and the search callback method includes a first search callback method, the first search interface corresponding to the first search callback method. Note that the search interface may also include a second search interface and the search callback method may also include a second search callback method, the second search method corresponding to the second search callback method.
For example, the second search method is startLeScan() and the second search callback method is onLeScanResult().
Step 107: the mobile terminal judges whether the service identifier in the broadcast data matches the preset service identifier; if so, step 108 is performed; otherwise, an error is reported.
In this embodiment the service identifier (commonly called the UUID) is the unique identification information of the service supported by the identity authentication device.
In this embodiment the preset service identifier is specifically "0000fffd-0000-1000-8000-00805f9b34fb".
Step 108: the mobile terminal establishes a Bluetooth connection with the identity authentication device;
Specifically, the mobile terminal calls the system's connection method on the device object corresponding to the identity authentication device to establish a Bluetooth connection with the identity authentication device, obtains a Generic Attribute Profile (GATT) object and sets a connection callback object. The connection callback object includes the system's connection state callback method, service discovery callback method, characteristic read callback method and communication callback method.
For example, the mobile terminal takes a third preset object context, a fourth preset object false (the auto-connect flag) and the connection callback object gattCallback as parameters, calls the system's connection method connectGatt() on the device object device to establish a Bluetooth connection with the identity authentication device, obtains the GATT object gatt and sets the connection callback object gattCallback. The connection callback object gattCallback includes the connection state callback method OnConnectionStateChange(), the service discovery callback method onServicesDiscovered(), the characteristic read callback method onCharacteristicRead() and the communication callback method onCharacteristicChanged().
Step 109: the mobile terminal judges whether the Bluetooth connection with the identity authentication device was established successfully; if so, step 110 is performed; otherwise, an error is reported;
Specifically, through the system's connection state callback method the mobile terminal receives from the system the result message for establishing the Bluetooth connection with the identity authentication device, and judges from that message whether the Bluetooth connection with the identity authentication device was established successfully.
For example, through the system's connection state callback method onConnectionStateChange() the mobile terminal receives from the system an integer parameter paramStatus as the result message for establishing the Bluetooth connection with the identity authentication device, and judges whether paramStatus is 0; if so, it judges that the Bluetooth connection with the identity authentication device was established successfully; otherwise, it judges that establishing the Bluetooth connection with the identity authentication device failed.
Step 110: the mobile terminal searches for the services supported by the identity authentication device;
Specifically, the mobile terminal calls the system's service discovery method discoverServices() on the GATT object to search for the services supported by the identity authentication device.
Step 111: the mobile terminal judges whether the services supported by the identity authentication device were found; if so, step 112 is performed; otherwise, an error is reported;
Specifically, through the system's service discovery callback method the mobile terminal receives from the system the service search result message, and judges from that message whether the services supported by the identity authentication device were found.
For example, through the system's service discovery callback method onServicesDiscovered() the mobile terminal receives from the system an integer parameter paramStatus as the service search result message, and judges whether paramStatus is 0; if so, it judges that the services supported by the identity authentication device were found; otherwise, it judges that they were not found.
Step 112: the mobile terminal obtains the service of the identity authentication device;
Specifically, the mobile terminal takes the preset service identifier as a parameter and calls the system's get-service method on the GATT object, obtaining the service object of the identity authentication device.
For example, the mobile terminal takes the preset service identifier serviceUuid as a parameter and calls the system's get-service method getService() on the GATT object gatt, obtaining the service object service of the identity authentication device.
The preset service identifier serviceUuid is "0000fffd-0000-1000-8000-00805f9b34fb".
Step 113: the mobile terminal judges whether it is already paired with the identity authentication device; if so, step 116 is performed; otherwise, step 114 is performed;
Step 114: the mobile terminal pairs with the identity authentication device;
Step 115: the mobile terminal judges whether pairing with the identity authentication device succeeded; if so, step 116 is performed; otherwise, an error is reported;
Step 116: the mobile terminal obtains the read characteristic from the service;
Specifically, the mobile terminal takes the preset read characteristic identifier as a parameter and calls the system's get-characteristic method on the service object, obtaining the read characteristic object from the service object.
For example, the mobile terminal takes the preset read characteristic identifier characteristicUuid as a parameter and calls the system's get-characteristic method getCharacteristic() on the service object service, obtaining the read characteristic object characteristic from the service object service.
The read characteristic identifier characteristicUuid is specifically f1d0fff3-deaa-ecee-b42f-c9ba7ed623bb.
Step 117: the mobile terminal reads the characteristic value of the read characteristic;
Specifically, the mobile terminal takes the read characteristic object as a parameter and calls the system's read-characteristic method on the GATT object, reading the characteristic value of the read characteristic object.
For example, the mobile terminal takes the read characteristic object characteristic as a parameter and calls the system's read-characteristic method readCharacteristic() on the GATT object gatt, reading the characteristic value of the read characteristic object.
Step 118: the mobile terminal judges whether the characteristic value was read successfully; if so, step 119 is performed; otherwise, an error is reported;
Specifically, through the system's characteristic read callback method the mobile terminal receives from the system the result message for reading the characteristic value of the read characteristic, and judges from that message whether the characteristic value was read successfully.
For example, through the system's characteristic read callback method onCharacteristicRead() the mobile terminal receives from the system an integer parameter paramStatus as the result message for reading the characteristic value, and judges whether paramStatus is 0; if so, it judges that the characteristic value was read successfully; otherwise, it judges that it was not.
Step 119: the mobile terminal takes the characteristic value it read as the fragment length;
Step 120: the mobile terminal obtains the write characteristic and the notify characteristic from the service, and enables the notify characteristic;
Specifically, the mobile terminal takes the preset write characteristic identifier as a parameter and calls the system's get-characteristic method on the service object, obtaining the write characteristic object from the service object; it takes the preset notify characteristic identifier as a parameter and calls the system's get-characteristic method on the service object, obtaining the notify characteristic object from the service object; and it calls the system's set-characteristic-notification method to enable the notify characteristic object;
For example, the mobile terminal takes the preset write characteristic identifier characteristicUuid as a parameter and calls the system's get-characteristic method getCharacteristic() on the service object service, obtaining the write characteristic object characteristic from the service object service; it takes the preset notify characteristic identifier characteristicUuid as a parameter and calls getCharacteristic() on the service object service, obtaining the notify characteristic object characteristic from the service object service; and it calls the system's set-characteristic-notification method SetCharacteristicNotification() to enable the notify characteristic object.
The write characteristic identifier characteristicUuid is specifically "f1d0fff1-deaa-ecee-b42f-c9ba7ed623bb"; the notify characteristic identifier characteristicUuid is specifically f1d0fff2-deaa-ecee-b42f-c9ba7ed623bb.
Step 121: the mobile terminal sends a get-version instruction to the identity authentication device through the write characteristic;
Specifically, the mobile terminal organizes the get-version instruction and sends it to the identity authentication device.
More specifically, the mobile terminal organizes a third instruction, takes the third instruction as the data field of the get-version instruction, and prepends to the third instruction a preset protocol command identifier and the data length of the get-version instruction.
In the present embodiment, the format of the get-version instruction is:

Preset protocol command identifier | Data length of the data field | Data field
1 byte                             | 2 bytes                       | (length as given by the preceding field)

The format of the third instruction is illustrated by the following example.
For example, the mobile terminal places the instruction class "00" of the third instruction in its first byte, the get-version instruction code "03" in its second byte, the data length "000000" of the third instruction's data field in its fifth to seventh bytes, and the expected response length "0000" in its last two bytes, obtaining the third instruction "000300000000000000" containing the get-version instruction code; it takes the third instruction as the data field of the get-version instruction and prepends to it the preset protocol command identifier "83" and the data length "0009" of the third instruction, obtaining the get-version instruction "830009000300000000000000", which it sends to the identity authentication device.
This step may also be specifically: the mobile terminal sends the get-version instruction to the identity authentication device using the write characteristic object.
Step 122: the mobile terminal receives a second response returned by the identity authentication device through the notify characteristic;
Specifically, through the system's communication callback method the mobile terminal receives from the system the second response returned by the identity authentication device through the notify characteristic object.
For example, through the system's communication callback method the mobile terminal receives from the system a parameter paramCharacteristic of type BluetoothGattCharacteristic, and obtains from the parameter paramCharacteristic the second response returned by the identity authentication device through the notify characteristic.
Step 123: the mobile terminal judges whether the status code of the second response is a first preset value; if so, step 124 is performed; otherwise, an error is reported;
Specifically, the mobile terminal parses the second response, takes the data in its last two bytes as the status code, and judges whether the status code of the second response is the first preset value; if so, step 124 is performed; otherwise, an error is reported.
In the present embodiment, the first preset value is 9000.
Step 124: the mobile terminal obtains a second version number from the second response;
Specifically, the mobile terminal parses the second response and takes as the second version number the data in all bytes after the third byte (the third byte excluded) and before the penultimate byte (the penultimate byte excluded).
For example, the mobile terminal parses the second response "8300085532465f56329000" and takes the data in all bytes after the third byte "08" (excluded) and before the penultimate byte "90" (excluded); the data obtained is "5532465f5632" (the ASCII encoding of "U2F_V2"), which it takes as the second version number.
Step 125: the mobile terminal judges whether the first version number matches the second version number; if so, step 126 is performed; otherwise, an error is reported;
Step 126: the mobile terminal organizes first client data from the preset register instruction type, the first challenge value and the origin data, organizes a register instruction from the fragment length, the first client data and the application ID, and sends the register instruction to the identity authentication device through the write characteristic;
This step specifically includes:
Step a1: the mobile terminal organizes first client data including the preset register instruction type, the first challenge value and the origin data;
Specifically, the mobile terminal creates a JSON object clientData; it stores in the object clientData the preset register instruction type with its tag, the first challenge value with its tag and the origin data with its tag, and converts the object clientData to a string, obtaining the first client data in JSON format;
For example: the mobile terminal creates a JSON object clientData; it stores in the object clientData the preset register instruction type navigator.id.finishEnrollment under the tag typ, the first challenge value x9-d9XlfOZVWKjHkWhgIRg under the tag challenge and the origin data https://u2fdemo.appspot.com under the tag origin, and converts the object clientData to a JSON-format string, obtaining the first client data {"typ":"navigator.id.finishEnrollment","challenge":"x9-d9XlfOZVWKjHkWhgIRg","origin":"https:\/\/u2fdemo.appspot.com"}.
Step a2: the mobile terminal hashes the first client data and the application ID respectively, obtaining a first hash value and a second hash value, and organizes registration data from the first hash value and the second hash value;
Specifically, the mobile terminal hashes the first client data and the application ID respectively with a first preset algorithm, obtaining the first hash value and the second hash value, and organizes the registration data from the first hash value and the second hash value.
The first hash value is the hash of the first client data; the second hash value is the hash of the application ID. The first preset algorithm may be, but is not limited to, the SHA-256 algorithm.
For example: the mobile terminal hashes with SHA-256 the first client data {"typ":"navigator.id.finishEnrollment","challenge":"x9-d9XlfOZVWKjHkWhgIRg","origin":"https:\/\/u2fdemo.appspot.com"} and the application ID ("APPID": "https://u2fdemo.appspot.com") respectively, obtaining the first hash value "5BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882" and the second hash value "A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF56", and organizes the registration data from the first hash value and the second hash value, obtaining the registration data "5BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF56".
Step a3: the mobile terminal organizes the register instruction from the registration data and the fragment length;
Specifically, the mobile terminal organizes a first instruction from the registration data, and organizes the register instruction from the first instruction and the fragment length.
In the present embodiment, the register instruction may consist of one packet or several packets of data.
More specifically, the mobile terminal places the register instruction code in the second byte of the first instruction and the registration data in the data field of the first instruction, obtaining the first instruction containing the register instruction code and the registration data; it prepends to the first instruction the preset protocol command identifier and the data length of the first instruction, obtaining the register instruction; it then judges from the fragment length whether the register instruction needs to be fragmented. If so, it fragments the register instruction according to the fragment length, obtaining several packets of registration payload data; the first packet of registration payload data is taken as the first packet of registration send data, and from the second packet onward a corresponding packet index is prepended to each packet of registration payload data, giving the registration send data for the packets after the first; otherwise, step a4 is performed.
In the present embodiment, the register instruction code is specifically "01" and the preset protocol command identifier is specifically "83".
In the present embodiment, the format of the register instruction is:

Preset protocol command identifier | Data length of the data field | Data field
1 byte                             | 2 bytes                       | (length as given by the preceding field)

The format of the first instruction is illustrated by the following example.
For example, the mobile terminal places the instruction class "00" of the first instruction in its first byte, the register instruction code "01" in its second byte, the data length "000040" of the registration data in its fifth to seventh bytes, the registration data "5BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF56" in its data field, and the expected response length "0000" in its last two bytes, obtaining the first instruction "000100000000405BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF560000" containing the register instruction code and the registration data; it prepends to the first instruction the preset protocol command identifier "83" and the data length "0049" of the first instruction, obtaining the register instruction "830049000100000000405BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF560000"; it judges from the fragment length "20" that the register instruction needs to be fragmented, and obtains the first packet of registration payload data "830049000100000000405BFDF71873332EAA9015",
the second packet of registration payload data "A128DF3556196E4AC4243576A71988A047E44E",
the third packet of registration payload data "DDC882A1AA11AFF7E71252FE5E32AA80B425A0",
and the fourth packet of registration payload data "FAFBE5F8A5EA767316A2562AB48DBF560000"; it takes the first packet of registration payload data as the first packet of registration send data:
"830049000100000000405BFDF71873332EAA9015",
prepends the packet index "00" to the second packet of registration payload data, obtaining the second packet of registration send data:
"00A128DF3556196E4AC4243576A71988A047E44E";
prepends the packet index "01" to the third packet of registration payload data, obtaining the third packet of registration send data:
"01DDC882A1AA11AFF7E71252FE5E32AA80B425A0";
and prepends the packet index "02" to the fourth packet of registration payload data, obtaining the fourth packet of registration send data:
"02FAFBE5F8A5EA767316A2562AB48DBF560000".
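The instruction framing and fragmentation of steps 121 to 125 and a1 to a4 above, as an added example in Python; this is the editor's code, not the patent's and not Feitian's implementation. The function names (build_apdu, frame, fragment, reassemble, split_status, client_data_json, registration_data) are the editor's own; the byte layouts are the ones the page shows: instruction class 00, instruction code, two zero bytes, 3-byte data length, data, 2-byte expected response length 0000, the whole wrapped in the protocol command identifier 83 plus a 2-byte length and cut into writes no longer than the fragment length read in step 117, each continuation write carrying a one-byte packet index. The hash values and the fragment length 20 used for the demonstration are taken from the page. The clientData string is produced with Python's json module, whose byte encoding (no "\/" escaping) differs from the Android JSONObject output in step a1, so its hash differs too; this is exactly why a server must hash the client data string as the client sent it rather than rebuilding it.

```python
from __future__ import annotations

import hashlib
import json

MSG = 0x83          # preset protocol command identifier of a message frame (from the page)
INS_REGISTER = 0x01  # register instruction code
INS_VERSION = 0x03   # get-version instruction code
SW_OK = 0x9000       # first preset value: status code meaning success


def build_apdu(ins: int, data: bytes = b"") -> bytes:
    """Instruction body as laid out on the page: 00 INS 00 00 | 3-byte length | data | 0000."""
    if len(data) > 0xFFFF:
        raise ValueError("data too long for a 3-byte length field")
    return bytes([0x00, ins, 0x00, 0x00]) + len(data).to_bytes(3, "big") + data + b"\x00\x00"


def frame(payload: bytes, cmd: int = MSG) -> bytes:
    """Prepend the command identifier and the 2-byte big-endian data length."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for a 2-byte length field")
    return bytes([cmd]) + len(payload).to_bytes(2, "big") + payload


def fragment(frm: bytes, max_len: int) -> list[bytes]:
    """Cut a frame into writes of at most max_len bytes (the fragment length of step 119).
    The first write starts with the frame header; each later write starts with a packet
    index 00, 01, 02, ... followed by at most max_len - 1 payload bytes."""
    if max_len < 4:
        raise ValueError("fragment length too small for the frame header")
    frags, rest, index = [frm[:max_len]], frm[max_len:], 0
    while rest:
        if index > 0x7F:
            raise ValueError("too many continuation packets for a one-byte index")
        frags.append(bytes([index]) + rest[:max_len - 1])
        rest, index = rest[max_len - 1:], index + 1
    return frags


def reassemble(frags: list[bytes]) -> tuple[int, bytes]:
    """Inverse of fragment(): checks packet indexes and the declared length, returns (cmd, payload)."""
    if not frags or len(frags[0]) < 3:
        raise ValueError("first packet shorter than a frame header")
    cmd, declared = frags[0][0], int.from_bytes(frags[0][1:3], "big")
    body = bytearray(frags[0][3:])
    for expected, f in enumerate(frags[1:]):
        if not f or f[0] != expected:
            raise ValueError(f"continuation packet {expected} missing or out of order")
        body += f[1:]
    if len(body) != declared:
        raise ValueError(f"declared {declared} bytes but received {len(body)}")
    return cmd, bytes(body)


def split_status(payload: bytes) -> tuple[bytes, int]:
    """Separate the response data from the 2-byte status code in the last two bytes."""
    if len(payload) < 2:
        raise ValueError("response shorter than a status code")
    return payload[:-2], int.from_bytes(payload[-2:], "big")


def client_data_json(typ: str, challenge: str, origin: str) -> str:
    """First client data of step a1 as a compact JSON string with the page's three tags."""
    return json.dumps({"typ": typ, "challenge": challenge, "origin": origin}, separators=(",", ":"))


def registration_data(client_data: str, app_id: str) -> bytes:
    """Step a2: SHA-256(client data) || SHA-256(application ID), 64 bytes."""
    return hashlib.sha256(client_data.encode()).digest() + hashlib.sha256(app_id.encode()).digest()


if __name__ == "__main__":
    print(frame(build_apdu(INS_VERSION)).hex())              # get-version instruction
    cd = client_data_json("navigator.id.finishEnrollment", "x9-d9XlfOZVWKjHkWhgIRg",
                          "https://u2fdemo.appspot.com")
    reg = frame(build_apdu(INS_REGISTER, registration_data(cd, "https://u2fdemo.appspot.com")))
    for packet in fragment(reg, 20):                          # fragment length 20 as on the page
        print(packet.hex())
    print(split_status(reassemble([bytes.fromhex("8300085532465f56329000")])[1]))
```

reassemble() refuses a payload whose length disagrees with the declared length and a continuation packet whose index is out of order; a receiver that skips those checks will silently accept a truncated or interleaved response.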
Step a4: the mobile terminal sends the register instruction to the identity authentication device through the write characteristic.
Specifically, the mobile terminal sends the register instruction to the identity authentication device using the write characteristic object.
When the identity authentication device receives the register instruction from the mobile terminal, it generates a key pair and a key handle corresponding to the key pair, organizes first data to be signed including the public key of the key pair, the key handle, and the first hash value and second hash value in the registration data, signs the first data to be signed with the private key of the key pair according to a preset hash algorithm to obtain first signature data, organizes a first authentication credential including the public key of the key pair, the key handle corresponding to the key pair and the first signature data, and returns to the mobile terminal a third response including the first authentication credential and a status code.
Step 127: the mobile terminal receives the third response returned by the identity authentication device through the notify characteristic;
Specifically, through the system's communication callback method the mobile terminal receives from the system the third response returned by the identity authentication device through the notify characteristic object.
For example, through the system's communication callback method the mobile terminal receives from the system a parameter paramCharacteristic of type BluetoothGattCharacteristic, and obtains from the parameter paramCharacteristic the third response returned by the identity authentication device through the notify characteristic object.
Step 128: the mobile terminal judges whether the status code of the third response is the first preset value; if so, step 129 is performed; otherwise, an error is reported;
Specifically, the mobile terminal parses the third response, takes the data in its last two bytes as the status code, and judges whether the status code of the third response is the first preset value; if so, step 129 is performed; otherwise, an error is reported.
Step 129: the mobile terminal generates a second registration request from the third response, the first client data, the application ID and the user ID, and sends the second registration request to the back-end server;
Specifically, the mobile terminal obtains the first authentication credential from the third response, generates the second registration request including the first authentication credential, the first client data, the application ID and the user ID, and sends the second registration request to the back-end server;
More specifically, the mobile terminal parses the third response, takes as the first authentication credential the data in all bytes after the third byte (the third byte excluded) and before the penultimate byte (the penultimate byte excluded), generates the second registration request including the first authentication credential, the first client data, the application ID and the user ID, and sends the second registration request to the back-end server;
For example, the mobile terminal parses the third response
8302260504f8487177637e0a57c7c52f6ba952fc47433fc8b2fde13b73e84823473e356c53c7517639b5f1781c32e08660327255335bf4eb92a6907ca281d7dacd56ba4f9340b842ccb576b616f1c536772b4fdd0c61e6992547b2c51a331cc7599ab2a198113fa7083f6e6825fad2cd0848b517ecb0b80e2d6c0a2707912d56cddbe9c03154308201563081fda003020102020a47901280001155957352300a06082a8648ce3d0403023017311530130603550403130c4654204649444f2030313030301e170d3134303831343138323933325a170d3234303831343138323933325a3031312f302d0603550403132650696c6f74476e756262792d302e342e312d34373930313238303030313135353935373335303059301306072a8648ce3d020106082a8648ce3d03010703420004b174bc49c7ca254b70d2e5c207cee9cf174820ebd77ea3c65508c26da51b657c1cc6b952f8621697936482da0a6d3d3826a59095daf6cd7c03e2e60385d2f6d9a31730153013060b2b0601040182e51c020101040403020430300a06082a8648ce3d0403020348003045022100 99b8903a57bc9d2a73da0258e70fdf331a1f72945521314ab528477e7fe1ed4002207a8b7d0d285dcb440d4450e52ac28c21f0bc4b85a0b3a04e42c6d4f4ae47e0a63045022100 8e641cc85b3c506874e4e6236e73e473331b5fb5348589221954080aa9a0f73a02201fdba135640ebccd09e7ac684b1674fe15a639b64e991af45ffd9c36c59b802c9000
and takes the data in all bytes after the third byte "26" (excluded) and before the penultimate byte "90" (excluded); the data obtained is
0504f8487177637e0a57c7c52f6ba952fc47433fc8b2fde13b73e84823473e356c53c7517639b5f1781c32e08660327255335bf4eb92a6907ca281d7dacd56ba4f9340b842ccb576b616f1c536772b4fdd0c61e6992547b2c51a331cc7599ab2a198113fa7083f6e6825fad2cd0848b517ecb0b80e2d6c0a2707912d56cddbe9c03154308201563081fda003020102020a47901280001155957352300a06082a8648ce3d0403023017311530130603550403130c4654204649444f2030313030301e170d3134303831343138323933325a170d3234303831343138323933325a3031312f302d0603550403132650696c6f74476e756262792d302e342e312d34373930313238303030313135353935373335303059301306072a8648ce3d020106082a8648ce3d03010703420004b174bc49c7ca254b70d2e5c207cee9cf174820ebd77ea3c65508c26da51b657c1cc6b952f8621697936482da0a6d3d3826a59095daf6cd7c03e2e60385d2f6d9a31730153013060b2b0601040182e51c020101040403020430300a06082a8648ce3d0403020348003045022100 99b8903a57bc9d2a73da0258e70fdf331a1f72945521314ab528477e7fe1ed4002207a8b7d0d285dcb440d4450e52ac28c21f0bc4b85a0b3a04e42c6d4f4ae47e0a63045022100 8e641cc85b3c506874e4e6236e73e473331b5fb5348589221954080aa9a0f73a02201fdba135640ebccd09e7ac684b1674fe15a639b64e991af45ffd9c36c59b802c
which it takes as the first authentication credential; it generates the second registration request including the first authentication credential, the first client data, the application ID and the user ID, and sends the second registration request to the back-end server;
In the present embodiment, the communication data between the mobile terminal and the back-end server is JSON-format data.
After the back-end server receives the second registration request, it obtains from the second registration request the first authentication credential, the first client data, the application ID and the user ID; according to the first client data, the application ID, the public key and the key handle in the first authentication credential and the preset hash algorithm, it verifies the first signature data in the first authentication credential and judges whether verification succeeds. If so, it establishes and stores a correspondence between the key handle in the first authentication credential and the user ID and between the public key and the user ID, sets an error code to a second preset value and sends a fourth response including the error code to the mobile terminal; otherwise, it sets the error code to a third preset value and sends the fourth response including the error code to the mobile terminal.
More specifically, after the back-end server receives the second registration request, it obtains from the second registration request the first authentication credential, the first client data, the application ID and the user ID, and hashes the first client data and the application ID respectively with the first preset algorithm, obtaining first server back-end data and second server back-end data; it organizes first original data including the first server back-end data, the second server back-end data, the public key in the first authentication credential and the key handle in the first authentication credential, hashes the first original data with the preset hash algorithm to generate a first comparison value, decrypts the first signature data in the first authentication credential with the public key to obtain first decrypted data, and judges whether the first comparison value matches the first decrypted data (that is, it verifies the signature over the first original data with the public key). If so, it establishes and stores a correspondence between the key handle in the first authentication credential and the user ID and between the public key and the user ID, sets the error code to the second preset value and sends the fourth response including the error code to the mobile terminal; otherwise, it sets the error code to the third preset value and sends the fourth response including the error code to the mobile terminal.
In the present embodiment, the second preset value is 0 and the third preset value is 1.
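Parsing the third response and the server-side checks of steps 127 to 131, as an added example in Python; this is the editor's code, not the patent's. The layout of the first authentication credential (reserved byte 05, 65-byte uncompressed public key, one-byte key handle length, key handle, DER attestation certificate, DER ECDSA signature) is read off the page's sample third response, which is embedded below split at those field boundaries. The order of the signed bytes in signed_message (00, hash of the application ID, hash of the client data, key handle, user public key) is the U2F raw message order; the patent lists the same fields without fixing their order, so treat the order as an assumption. verify_attestation needs the third-party cryptography package and verifies the signature with the key in the attestation certificate carried by the sample response (the patent's text speaks of the key pair's private key, but the sample response carries a separate attestation certificate); it is not run against the page's values because the page does not say that its sample hashes and its sample response belong to the same registration.

```python
from __future__ import annotations

import hashlib

# The page's sample third response (step 129), split at field boundaries so the structure
# is visible. This is the page's data, not a freshly generated registration.
SAMPLE_THIRD_RESPONSE = bytes.fromhex(
    "830226"                                                            # cmd 83, length 0x0226
    "05"                                                                # reserved byte
    "04f8487177637e0a57c7c52f6ba952fc47433fc8b2fde13b73e84823473e356c53"  # user public key x
    "c7517639b5f1781c32e08660327255335bf4eb92a6907ca281d7dacd56ba4f93"    # user public key y
    "40"                                                                # key handle length 64
    "b842ccb576b616f1c536772b4fdd0c61e6992547b2c51a331cc7599ab2a19811"
    "3fa7083f6e6825fad2cd0848b517ecb0b80e2d6c0a2707912d56cddbe9c03154"
    "308201563081fda003020102020a47901280001155957352300a06082a8648ce3d040302"  # attestation cert
    "3017311530130603550403130c4654204649444f2030313030"
    "301e170d3134303831343138323933325a170d3234303831343138323933325a"
    "3031312f302d0603550403132650696c6f74476e756262792d302e342e312d"
    "3437393031323830303031313535393537333530"
    "3059301306072a8648ce3d020106082a8648ce3d03010703420004"
    "b174bc49c7ca254b70d2e5c207cee9cf174820ebd77ea3c65508c26da51b657c"
    "1cc6b952f8621697936482da0a6d3d3826a59095daf6cd7c03e2e60385d2f6d9"
    "a31730153013060b2b0601040182e51c020101040403020430"
    "300a06082a8648ce3d040302"
    "0348003045022100"
    "99b8903a57bc9d2a73da0258e70fdf331a1f72945521314ab528477e7fe1ed40"
    "0220"
    "7a8b7d0d285dcb440d4450e52ac28c21f0bc4b85a0b3a04e42c6d4f4ae47e0a6"
    "3045022100"                                                        # signature (DER)
    "8e641cc85b3c506874e4e6236e73e473331b5fb5348589221954080aa9a0f73a"
    "0220"
    "1fdba135640ebccd09e7ac684b1674fe15a639b64e991af45ffd9c36c59b802c"
    "9000"                                                              # status code
)


def unwrap_response(raw: bytes) -> tuple[bytes, int]:
    """Steps 128/129: check the frame header, strip it, and split off the status code."""
    if len(raw) < 5 or raw[0] != 0x83:
        raise ValueError("not a message frame")
    if int.from_bytes(raw[1:3], "big") != len(raw) - 3:
        raise ValueError("declared length does not match the bytes received")
    return raw[3:-2], int.from_bytes(raw[-2:], "big")


def der_element_len(buf: bytes, pos: int) -> int:
    """Total length (header included) of the DER element at pos; short and 1/2-byte long forms."""
    first = buf[pos + 1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n not in (1, 2):
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def parse_credential(data: bytes) -> dict:
    """Split the first authentication credential into
    05 | user public key (65) | key handle length | key handle | attestation cert | signature."""
    if len(data) < 67 or data[0] != 0x05 or data[1] != 0x04:
        raise ValueError("bad reserved byte or public key prefix")
    user_pub, kh_len, pos = data[1:66], data[66], 67
    key_handle = data[pos:pos + kh_len]
    pos += kh_len
    if len(key_handle) != kh_len or pos + 2 > len(data) or data[pos] != 0x30:
        raise ValueError("truncated key handle or missing certificate")
    cert_len = der_element_len(data, pos)
    cert, pos = data[pos:pos + cert_len], pos + cert_len
    if len(cert) != cert_len or pos + 2 > len(data) or data[pos] != 0x30:
        raise ValueError("truncated certificate or missing signature")
    if pos + der_element_len(data, pos) != len(data):
        raise ValueError("signature length does not match the remaining bytes")
    return {"user_pub": user_pub, "key_handle": key_handle, "cert": cert, "signature": data[pos:]}


def signed_message(app_param: bytes, challenge_param: bytes, key_handle: bytes, user_pub: bytes) -> bytes:
    """Bytes covered by the registration signature (U2F raw message order, assumed here)."""
    if len(app_param) != 32 or len(challenge_param) != 32:
        raise ValueError("both parameters must be SHA-256 digests")
    return b"\x00" + app_param + challenge_param + key_handle + user_pub


def verify_attestation(cred: dict, client_data: str, app_id: str) -> bool:
    """Back-end check: recompute both hashes, rebuild the signed message and verify the
    ECDSA/SHA-256 signature with the attestation certificate's key (needs 'cryptography')."""
    from cryptography import x509
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import ec

    msg = signed_message(hashlib.sha256(app_id.encode()).digest(),
                         hashlib.sha256(client_data.encode()).digest(),
                         cred["key_handle"], cred["user_pub"])
    pub = x509.load_der_x509_certificate(cred["cert"]).public_key()
    try:
        pub.verify(cred["signature"], msg, ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    body, sw = unwrap_response(SAMPLE_THIRD_RESPONSE)
    cred = parse_credential(body)
    print(hex(sw), len(cred["key_handle"]), len(cred["cert"]), len(cred["signature"]))
```

The back end must only store the key handle and public key after verify_attestation returns True; it also has to reject a credential whose DER lengths do not add up to the bytes received, which is what the length checks in parse_credential enforce.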
Step 130: the mobile terminal receives the fourth response from the back-end server;
Step 131: the mobile terminal obtains the error code from the fourth response and judges whether the error code is the second preset value; if so, registration succeeds; otherwise, registration fails.
The authentication phase, as shown in FIG. 4-5, includes:
Step 201: the mobile terminal sends a first authentication request including the user ID to the back-end server;
In this embodiment, the user ID is specifically the user name.
Step 202: the mobile terminal receives a fifth response from the back-end server and obtains from the fifth response the application ID, a second challenge value, the origin data, the first version number and the key handle corresponding to the user ID;
Specifically, the mobile terminal receives the JSON-format fifth response from the back-end server, takes the preset application ID tag, challenge value tag, origin data tag, version number tag and key handle tag as parameters and calls the system's get-string method for each, obtaining from the fifth response the application ID corresponding to the application ID tag, the second challenge value corresponding to the challenge value tag, the origin data corresponding to the origin data tag, the first version number corresponding to the version number tag and the key handle corresponding to the key handle tag;
In the present embodiment, the preset application ID tag is specifically APPID; the preset challenge value tag is specifically challenge; the preset origin data tag is specifically origin; the preset version number tag is specifically version; the preset key handle tag is keyHandle.
For example: the mobile terminal receives from the back-end server the JSON-format fifth response
{"APPID":"https://u2fdemo.appspot.com","challenge":"ZaFJmTE0g4yz0sk8D0x07g","origin":"https:\/\/u2fdemo.appspot.com","version":"U2F_V2","keyHandle":"qCw3hfVQlqxr8Ng-uwqa0nZch39y6wB7U7NjW4MdTz4_lOHvjm-8JIUeK0fm5THjmWV_OQOVwjG92wxL-7z0Og"}
and, taking the preset application ID tag APPID, challenge value tag challenge, origin data tag origin, version number tag version and key handle tag keyHandle as parameters, calls the system's get-string method getString() for each; the application ID obtained from the fifth response is https://u2fdemo.appspot.com, the second challenge value obtained is
ZaFJmTE0g4yz0sk8D0x07g, the origin data obtained is
https://u2fdemo.appspot.com, the first version number obtained is U2F_V2, and the key handle corresponding to the user ID obtained is
qCw3hfVQlqxr8Ng-uwqa0nZch39y6wB7U7NjW4MdTz4_lOHvjm-8JIUeK0fm5THjmWV_OQOVwjG92wxL-7z0Og.
Step 203: the mobile terminal detects whether the Bluetooth channel is open; if so, step 205 is performed; otherwise, step 204 is performed;
Step 204: the mobile terminal opens the Bluetooth channel;
Step 205: the mobile terminal searches for the identity authentication device over the Bluetooth channel;
Specifically, the mobile terminal calls the system's search interface to search for the identity authentication device over the Bluetooth channel, and sets a search callback object.
The search callback object includes the system's search callback method.
For example, the mobile terminal takes a first preset parameter filters, a second preset parameter settings and a callback object parameter scanCallback, calls the system's first search interface startscan() to search for the identity authentication device over the Bluetooth channel, and sets the search callback object scanCallback.
Step 206: the mobile terminal receives broadcast data from the identity authentication device over the Bluetooth channel;
Specifically, through the system's search callback method the mobile terminal receives from the system the broadcast (advertising) data of the identity authentication device and the device object corresponding to the identity authentication device.
For example, through the system's first search callback method onscanresult() the mobile terminal receives from the system the broadcast data of the identity authentication device and the corresponding device object device.
In the present embodiment, the search interface includes a first search interface and the search callback method includes a first search callback method, the first search interface corresponding to the first search callback method. It should be noted that the search interface may also include a second search interface and the search callback method a second search callback method, the second search interface corresponding to the second search callback method.
Step 207: the mobile terminal judges whether the service identifier in the broadcast data matches the preset service identifier; if so, step 208 is performed; otherwise, an error is reported;
Step 208: mobile terminal and ID authentication device are set up bluetooth and connected;
Specifically, mobile terminal use the device object calling system corresponding with ID authentication device method of attachment and and ID authentication device is set up bluetooth and is connected, and obtains general-purpose attribute protocol object and arranges connection callback object.Wherein, readjustment is connected Object includes the connection status callback method of system, finds service callback method, reading feature callback method and communication readjustment Method.
Such as, mobile terminal by the 3rd preset kind object context, the 4th preset kind object false and connects back to Adjust object gattCallback to do parameter, use device object device calling system method of attachment connectGatt () and ID authentication device is set up bluetooth and is connected, and obtains general-purpose attribute protocol object gatt and arranges connection callback object gattCallback.Wherein, connect callback object gattCallback and include connection status callback method OnConnectionStateChange (), discovery service callback method onServicesDiscovered (), reading feature readjustment Method onCharacteristicRead (), communication callback method onCharacteristicChanged ().
Step 209: the mobile terminal judges whether the Bluetooth connection with the identity authentication device was established successfully; if so, step 210 is performed; otherwise, an error is reported;
Specifically, through the connection state callback method of the system, the mobile terminal receives from the system the result message of establishing the Bluetooth connection with the identity authentication device, and judges from that result message whether the Bluetooth connection with the identity authentication device was established successfully.
For example, through the connection state callback method onConnectionStateChange() of the system, the mobile terminal receives from the system the integer parameter paramStatus as the result message of establishing the Bluetooth connection with the identity authentication device, and judges whether paramStatus is 0; if so, it judges that the Bluetooth connection with the identity authentication device was established successfully; otherwise, it judges that establishing the Bluetooth connection with the identity authentication device failed.
Step 210: the mobile terminal searches for the services supported by the identity authentication device;
Specifically, the mobile terminal uses the GATT object to call the service discovery method discoverServices() of the system to search for the services supported by the identity authentication device.
Step 211: the mobile terminal judges whether the services supported by the identity authentication device were found; if so, step 212 is performed; otherwise, an error is reported;
Specifically, through the service discovery callback method of the system, the mobile terminal receives from the system the service discovery result message, and judges from that message whether the services supported by the identity authentication device were found.
For example, through the service discovery callback method onServicesDiscovered() of the system, the mobile terminal receives from the system the integer parameter paramStatus as the service discovery result message, and judges whether paramStatus is 0; if so, it judges that the services supported by the identity authentication device were found; otherwise, it judges that the services supported by the identity authentication device were not found.
Step 212: the mobile terminal obtains the service of the identity authentication device;
Specifically, the mobile terminal takes the preset service identifier as a parameter and uses the GATT object to call the get-service method of the system, obtaining the service object of the identity authentication device.
For example, the mobile terminal takes the preset service identifier serviceUuid as a parameter and uses the GATT object gatt to call the get-service method getService() of the system, obtaining the service object service of the identity authentication device.
Here the preset service identifier serviceUuid is "0000fffd-0000-1000-8000-00805f9b34fb".
Step 213: the mobile terminal judges whether it is already paired with the identity authentication device; if so, step 216 is performed; otherwise, step 214 is performed;
Step 214: the mobile terminal pairs with the identity authentication device;
Step 215: the mobile terminal judges whether pairing with the identity authentication device succeeded; if so, step 216 is performed; otherwise, an error is reported;
Step 216: the mobile terminal obtains the read characteristic from the service;
Specifically, the mobile terminal takes the preset read characteristic identifier as a parameter and uses the service object to call the get-characteristic method of the system, obtaining the read characteristic object from the service object.
For example, the mobile terminal takes the preset read characteristic identifier characteristicUuid as a parameter and uses the service object service to call the get-characteristic method getCharacteristic() of the system, obtaining the read characteristic object characteristic from the service object service.
Here the read characteristic identifier characteristicUuid is "f1d0fff3-deaa-ecee-b42f-c9ba7ed623bb".
Step 217: the mobile terminal reads the value of the read characteristic;
Specifically, the mobile terminal takes the read characteristic object as a parameter and uses the GATT object to call the read-characteristic method of the system, reading the value of the read characteristic object.
For example, the mobile terminal takes the read characteristic object characteristic as a parameter and uses the GATT object gatt to call the read-characteristic method readCharacteristic() of the system, reading the value of the read characteristic object.
Step 218: the mobile terminal judges whether the value of the read characteristic was read successfully; if so, step 219 is performed; otherwise, an error is reported;
Specifically, through the characteristic read callback method of the system, the mobile terminal receives from the system the result message of reading the value of the read characteristic, and judges from that message whether the characteristic value was read successfully.
For example, through the characteristic read callback method onCharacteristicRead() of the system, the mobile terminal receives from the system the integer parameter paramStatus as the result message of reading the characteristic value, and judges whether paramStatus is 0; if so, it judges that the characteristic value was read successfully; otherwise, it judges that the characteristic value was not read successfully.
Step 219: the mobile terminal uses the value of the read characteristic as the fragment length;
Step 220: the mobile terminal obtains the write characteristic and the notify characteristic from the service, and enables the notify characteristic;
Specifically, the mobile terminal takes the preset write characteristic identifier as a parameter and uses the service object to call the get-characteristic method of the system, obtaining the write characteristic object from the service object; takes the preset notify characteristic identifier as a parameter and uses the service object to call the get-characteristic method of the system, obtaining the notify characteristic object from the service object; and calls the set-characteristic-notification method of the system to enable the notify characteristic object.
For example, the mobile terminal takes the preset write characteristic identifier characteristicUuid as a parameter and uses the service object service to call the get-characteristic method getCharacteristic() of the system, obtaining the write characteristic object characteristic from the service object service; takes the preset notify characteristic identifier characteristicUuid as a parameter and uses the service object service to call the get-characteristic method getCharacteristic() of the system, obtaining the notify characteristic object characteristic from the service object service; and calls the set-characteristic-notification method setCharacteristicNotification() of the system to enable the notify characteristic object.
Here the write characteristic identifier characteristicUuid is "f1d0fff1-deaa-ecee-b42f-c9ba7ed623bb", and the notify characteristic identifier characteristicUuid is "f1d0fff2-deaa-ecee-b42f-c9ba7ed623bb".
Step 221: the mobile terminal sends a get-version command to the identity authentication device via the write characteristic;
Specifically, the mobile terminal organizes the get-version command and sends the get-version command to the identity authentication device.
More specifically, the mobile terminal organizes a third command, uses the third command as the data field of the get-version command, and prepends the preset protocol command identifier and the data length of the get-version command to the third command.
For example, the mobile terminal sets the command class "00" of the third command in the first byte of the third command, sets the get-version command code "03" in the second byte of the third command, sets the data length "000000" of the data field of the third command in the fifth to seventh bytes of the third command, and sets the expected response length "0000" in the last two bytes of the third command, obtaining the third command "000300000000000000" containing the get-version command code; it then uses the third command as the data field of the get-version command and prepends the preset protocol command identifier "83" and the data length "0009" of the third command, obtaining the get-version command "830009000300000000000000", and sends the get-version command to the identity authentication device.
Sending the get-version command to the identity authentication device specifically means that the mobile terminal uses the write characteristic object to send the get-version command to the identity authentication device.
Step 222: the mobile terminal receives the sixth response returned by the identity authentication device via the notify characteristic;
Specifically, through the communication callback method of the system, the mobile terminal receives from the system the sixth response returned by the identity authentication device.
For example, through the communication callback method of the system, the mobile terminal receives from the system the BluetoothGattCharacteristic parameter paramCharacteristic and obtains from paramCharacteristic the sixth response returned by the identity authentication device.
Step 223: the mobile terminal judges whether the response code of the sixth response is the first preset value; if so, step 224 is performed; otherwise, an error is reported;
Specifically, the mobile terminal parses the sixth response, takes the data in the last two bytes of the sixth response as the response code, and judges whether the response code of the sixth response is the first preset value; if so, step 224 is performed; otherwise, an error is reported.
In the present embodiment, the first preset value is 9000.
Step 224: the mobile terminal obtains the second version number from the sixth response;
Specifically, the mobile terminal parses the sixth response, takes the data in all bytes after the third byte (excluding the third byte) and before the penultimate byte (excluding the penultimate byte) of the sixth response, and uses it as the second version number.
For example, the mobile terminal parses the sixth response "8300085532465f56329000", takes the data in all bytes after the third byte "08" (excluding the third byte) and before the penultimate byte "90" (excluding the penultimate byte) of the sixth response, obtaining the data "5532465f5632", and uses "5532465f5632" as the second version number.
Step 225: the mobile terminal judges whether the first version number matches the second version number; if so, step 226 is performed; otherwise, an error is reported;
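The get-version exchange of steps 221 to 225, as an added Python example that is not part of this patent or of any Feitian code. It builds the get-version command from the third command, parses the sixth response into response code and version, and compares the device's version with the first version number supplied by the server. The hex values are those of the example above; the three-byte frame header (command identifier followed by a two-byte big-endian length) is what the page describes, while decoding the version bytes as ASCII and the comparison value "U2F_V2" (the ASCII reading of 5532465f5632) are assumptions.

```python
# Added example (not from the patent): framing of the get-version command and
# parsing of the sixth response, using the hex values of the embodiment above.
from typing import Tuple

CMD_MSG = 0x83        # preset protocol command identifier
STATUS_OK = 0x9000    # first preset value: response code of a successful command

# Third command of the embodiment: CLA=00, INS=03 (get version), P1 P2=00 00,
# Lc=000000, Le=0000. Constructed from the page's example.
GET_VERSION_APDU = bytes.fromhex("000300000000000000")


def build_frame(cmd: int, payload: bytes) -> bytes:
    """Prepend the command identifier and the 2-byte big-endian payload length."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for a 2-byte length field")
    return bytes([cmd]) + len(payload).to_bytes(2, "big") + payload


def build_get_version_command() -> bytes:
    """Step 221: the get-version command is the third command wrapped in a frame."""
    return build_frame(CMD_MSG, GET_VERSION_APDU)


def parse_frame(frame: bytes) -> Tuple[int, bytes]:
    """Split a frame into (command, payload), refusing a length field that disagrees
    with the bytes actually received."""
    if len(frame) < 3:
        raise ValueError("frame shorter than its header")
    cmd, hlen = frame[0], int.from_bytes(frame[1:3], "big")
    if len(frame) != 3 + hlen:
        raise ValueError(f"length field {hlen} does not match {len(frame) - 3} payload bytes")
    return cmd, frame[3:]


def split_status(payload: bytes) -> Tuple[bytes, int]:
    """Step 223: separate the body from the 2-byte response code at the end."""
    if len(payload) < 2:
        raise ValueError("payload has no response code")
    return payload[:-2], int.from_bytes(payload[-2:], "big")


def parse_version_response(frame: bytes) -> str:
    """Steps 223-224: check the response code, then return the version string
    (the bytes between the length field and the response code)."""
    cmd, payload = parse_frame(frame)
    if cmd != CMD_MSG:
        raise ValueError(f"unexpected command identifier {cmd:#x}")
    body, status = split_status(payload)
    if status != STATUS_OK:
        raise ValueError(f"device returned response code {status:04x}")
    return body.decode("ascii")   # assumption: the version is ASCII text


def version_matches(first_version: str, sixth_response: bytes) -> bool:
    """Step 225: compare the server-supplied first version number with the device's."""
    try:
        return parse_version_response(sixth_response) == first_version
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    print(build_get_version_command().hex())          # 830009000300000000000000
    sixth = bytes.fromhex("8300085532465f56329000")     # constructed from the page
    print(parse_version_response(sixth))                # U2F_V2
```

A malformed response (length field disagreeing with the received bytes, a response code other than 9000, or non-ASCII version bytes) makes version_matches() return False rather than raise, which is the "otherwise, report an error" branch of step 225.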
Step 226: the mobile terminal organizes the second client data from the preset authentication command type, the second challenge value and the origin data, organizes the authentication command from the application ID, the second client data and the fragment length, and sends the authentication command to the identity authentication device via the write characteristic;
This step specifically includes:
Step b1: the mobile terminal organizes the second client data, which includes the preset authentication command type, the second challenge value and the origin data;
Specifically, the mobile terminal creates the JSON object clientData, stores in the object clientData the preset authentication command type and its key, the second challenge value and its key, and the origin data and its key, and converts the object clientData to a string, obtaining the second client data in JSON format;
For example, the mobile terminal creates the JSON object clientData, stores in the object clientData the preset authentication command type navigator.id.getAssertion under the key typ, the second challenge value ZaFJmTE0g4yz0sk8D0x07g under the key challenge and the origin data https://u2fdemo.appspot.com under the key origin, and converts the object clientData to a string, obtaining the second client data {"typ":"navigator.id.getAssertion","challenge":"ZaFJmTE0g4yz0sk8D0x07g","origin":"https:\/\/u2fdemo.appspot.com"}.
Step b2: the mobile terminal hashes the second client data and the application ID respectively, obtaining the third hash value and the fourth hash value, and obtains the authentication data from the third hash value, the fourth hash value and the key handle;
Specifically, the mobile terminal uses the first preset algorithm to hash the second client data and the application ID respectively, obtaining the third hash value and the fourth hash value, and organizes the authentication data from the third hash value, the fourth hash value, the key handle length and the key handle.
The third hash value is the hash of the second client data, and the fourth hash value is the hash of the application ID. The first preset algorithm may be, but is not limited to, SHA256.
For example, the mobile terminal uses the SHA256 algorithm to hash the second client data {"typ":"navigator.id.getAssertion","challenge":"ZaFJmTE0g4yz0sk8D0x07g","origin":"https:\/\/u2fdemo.appspot.com"} and the application ID "APPID":"https://u2fdemo.appspot.com" respectively, obtaining the third hash value "5FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2" and the fourth hash value "A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF56", and organizes the authentication data from the third hash value, the fourth hash value, the key handle length "40" and the key handle "F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A"; the authentication data obtained is "5FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF5640F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A".
Step b3: the mobile terminal organizes the authentication command from the authentication data, the FIDO protocol and the fragment length;
Specifically, the mobile terminal organizes the second command from the authentication data, and organizes the authentication command from the second command and the fragment length.
In the present embodiment, the authentication command may consist of one packet or several packets of data.
More specifically, the mobile terminal sets the authentication command code in the second byte of the second command and sets the authentication data in the data field of the second command, obtaining the second command containing the authentication command code and the authentication data; it uses the second command as the data field of the authentication command and prepends the preset protocol command identifier and the data length of the second command to the second command, obtaining the authentication command; it then judges from the fragment length whether the authentication command needs to be fragmented; if so, it fragments the authentication command according to the fragment length, obtaining several packets of payload data, uses the first packet of authentication payload as the first packet of authentication send data and, starting from the second packet of authentication payload, prepends the corresponding packet sequence number to each packet of authentication payload, obtaining the packets of authentication send data after the first; otherwise, step b4 is performed.
In the present embodiment, the authentication command code is specifically "02" and the preset protocol command identifier is specifically "83".
In the present embodiment, the format of the authentication command is:
Preset protocol command identifier | Data length of the data field | Data field
1 byte                             | 2 bytes                       |
The format of the second command is:
For example, the mobile terminal sets the command class "00" of the second command in the first byte of the second command, sets the authentication command code "02" in the second byte of the second command, sets the data length "000081" of the authentication data in the fifth to seventh bytes of the second command, sets the authentication data "5FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF5640F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A" in the data field of the second command, and sets the expected response length "0000" in the last two bytes of the second command, so that the second command containing the authentication command code and the authentication data is "000203000000815FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF5640F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A0000"; it uses the second command as the data field of the authentication command and prepends the preset protocol command identifier "83" and the data length "008C" of the second command, obtaining the authentication command "83008C000203000000815FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF5640F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A0000"; it then judges from the fragment length "20" whether the authentication command needs to be fragmented, and the first packet of authentication payload obtained is "83008C000203000000815FB6F5CA47F4BB78C03F",
the second packet of authentication payload is "7F4CED729B92364FE43D399BE8DA397AF4F2F5";
the third packet of authentication payload is:
"6549E2A1AA11AFF7E71252FE5E32AA80B425A0";
the fourth packet of authentication payload is:
"FAFBE5F8A5EA767316A2562AB48DBF5640F21A";
the fifth packet of authentication payload is:
"62C01BB90009EAE0F1CEE253DAE34D2B751AAA";
the sixth packet of authentication payload is:
"8C94D90AD558F42E29B976E16CB8BACE08E676";
the seventh packet of authentication payload is:
"A2332923D4B261B78285696F9CB3F59C317397";
the eighth packet of authentication payload is "50FE55306A0000";
and it uses the first packet of authentication payload as the first packet of authentication send data:
"83008C000203000000815FB6F5CA47F4BB78C03F";
prepends the packet sequence number "00" to the second packet of authentication payload, obtaining the second packet of authentication send data:
"007F4CED729B92364FE43D399BE8DA397AF4F2F5";
prepends the packet sequence number "01" to the third packet of authentication payload, obtaining the third packet of authentication send data:
"016549E2A1AA11AFF7E71252FE5E32AA80B425A0";
prepends the packet sequence number "02" to the fourth packet of authentication payload, obtaining the fourth packet of authentication send data:
"02FAFBE5F8A5EA767316A2562AB48DBF5640F21A";
prepends the packet sequence number "03" to the fifth packet of authentication payload, obtaining the fifth packet of authentication send data:
"0362C01BB90009EAE0F1CEE253DAE34D2B751AAA";
prepends the packet sequence number "04" to the sixth packet of authentication payload, obtaining the sixth packet of authentication send data:
"048C94D90AD558F42E29B976E16CB8BACE08E676";
prepends the packet sequence number "05" to the seventh packet of authentication payload, obtaining the seventh packet of authentication send data:
"05A2332923D4B261B78285696F9CB3F59C317397";
prepends the packet sequence number "06" to the eighth packet of authentication payload, obtaining the eighth packet of authentication send data:
"0650FE55306A0000".
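Steps b1 to b3 above, as an added Python example that is not from the patent or from any Feitian code. It serialises the second client data, derives the authentication data with SHA-256, wraps it in the second command and then in the authentication command, and fragments the result with a fragment length of 20; a receiver-side reassemble() rejects out-of-order packets and a length field that disagrees with the bytes received. The challenge, origin, application ID and key handle are the example values copied from the page (test data, not a live credential). Assumptions not stated on the page: the application ID is hashed as the bare string "https://u2fdemo.appspot.com"; the third byte "03" of the second command is treated as a user-presence parameter; the two-byte length of the authentication command is computed from the actual size of the second command; and continuation packet sequence numbers are kept in the range 0x00 to 0x7F so they cannot be mistaken for a command identifier such as 0x83.

```python
# Added example (not from the patent): build and fragment the authentication command.
import hashlib
import json
from typing import List

CMD_MSG = 0x83                    # preset protocol command identifier
INS_AUTHENTICATE = 0x02           # authentication command code
P1_ENFORCE_USER_PRESENCE = 0x03   # assumed meaning of the third byte "03" of the second command

# Example values copied from the embodiment (constructed test data, not a live credential).
CHALLENGE = "ZaFJmTE0g4yz0sk8D0x07g"
ORIGIN = "https://u2fdemo.appspot.com"
APP_ID = "https://u2fdemo.appspot.com"   # assumption: hashed as this bare string
KEY_HANDLE = bytes.fromhex(
    "F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976"
    "E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A")


def build_client_data(challenge: str, origin: str, typ: str = "navigator.id.getAssertion") -> str:
    """Step b1: serialise clientData with the key order and the escaped slashes shown on
    the page. The server must hash exactly these bytes, so the encoding is fixed here."""
    text = json.dumps({"typ": typ, "challenge": challenge, "origin": origin}, separators=(",", ":"))
    return text.replace("/", "\\/")


def build_auth_data(client_data: str, app_id: str, key_handle: bytes) -> bytes:
    """Step b2: SHA-256(clientData) || SHA-256(appId) || keyHandleLength || keyHandle."""
    if not 0 < len(key_handle) <= 0xFF:
        raise ValueError("key handle length must fit in one byte")
    challenge_param = hashlib.sha256(client_data.encode("utf-8")).digest()   # third hash value
    app_param = hashlib.sha256(app_id.encode("utf-8")).digest()              # fourth hash value
    return challenge_param + app_param + bytes([len(key_handle)]) + key_handle


def build_apdu(ins: int, p1: int, data: bytes, cla: int = 0x00, p2: int = 0x00) -> bytes:
    """Second command: CLA INS P1 P2, 3-byte Lc (00 hi lo), data, 2-byte Le (00 00)."""
    if len(data) > 0xFFFF:
        raise ValueError("data too long for the 3-byte length field")
    return bytes([cla, ins, p1, p2, 0x00]) + len(data).to_bytes(2, "big") + data + b"\x00\x00"


def build_frame(cmd: int, payload: bytes) -> bytes:
    """Authentication command: command identifier, 2-byte big-endian length, second command."""
    return bytes([cmd]) + len(payload).to_bytes(2, "big") + payload


def fragment(frame: bytes, fragment_length: int) -> List[bytes]:
    """Step b3: the first packet carries up to fragment_length bytes of the frame; every
    later packet carries a sequence byte (00, 01, ...) plus fragment_length-1 bytes."""
    if fragment_length < 4:
        raise ValueError("fragment length must leave room for the 3-byte header")
    packets = [frame[:fragment_length]]
    rest = frame[fragment_length:]
    seq = 0
    while rest:
        if seq > 0x7F:   # assumption: sequence byte keeps its top bit clear
            raise ValueError("frame needs more continuation packets than sequence numbers")
        packets.append(bytes([seq]) + rest[:fragment_length - 1])
        rest = rest[fragment_length - 1:]
        seq += 1
    return packets


def reassemble(packets: List[bytes]) -> bytes:
    """Receiver side: rebuild the frame, rejecting missing or out-of-order packets and a
    total length that disagrees with the length field of the first packet."""
    if not packets or len(packets[0]) < 3:
        raise ValueError("missing or truncated first packet")
    expected = 3 + int.from_bytes(packets[0][1:3], "big")
    frame = bytearray(packets[0])
    for seq, pkt in enumerate(packets[1:]):
        if not pkt or pkt[0] != seq:
            raise ValueError(f"continuation packet {seq} missing or out of order")
        frame += pkt[1:]
    if len(frame) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(frame)}")
    return bytes(frame)


def build_auth_packets(fragment_length: int = 20) -> List[bytes]:
    """Steps b1-b3 end to end for the page's example values."""
    client_data = build_client_data(CHALLENGE, ORIGIN)
    auth_data = build_auth_data(client_data, APP_ID, KEY_HANDLE)
    apdu = build_apdu(INS_AUTHENTICATE, P1_ENFORCE_USER_PRESENCE, auth_data)
    return fragment(build_frame(CMD_MSG, apdu), fragment_length)


if __name__ == "__main__":
    for pkt in build_auth_packets(20):
        print(pkt.hex().upper())
```

The key handle is echoed back unchanged, so the packets from the fifth onward consist only of key handle bytes and the trailing "0000" and can be compared directly with the page's values; the earlier packets depend on the two SHA-256 digests. reassemble() is the check a device or a test harness should apply before parsing the frame, since accepting packets out of sequence would silently corrupt the authentication data rather than fail cleanly.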
Step b4: the mobile terminal sends the authentication command to the identity authentication device via the write characteristic.
Specifically, the mobile terminal uses the write characteristic object to send the authentication command to the identity authentication device.
After the identity authentication device receives the authentication command from the mobile terminal, it obtains the private key corresponding to the key handle from the key handle in the authentication command, organizes the second data to be signed, which includes the third hash value and the fourth hash value in the authentication data, signs the second data to be signed according to the preset hash algorithm and the private key corresponding to the key handle to obtain the second signed data, organizes the second authentication assertion including the second signed data, and returns to the mobile terminal the seventh response, which includes the second authentication assertion and the first preset value.
Step 227: the mobile terminal receives the seventh response returned by the identity authentication device via the notify characteristic;
Specifically, through the communication callback method of the system, the mobile terminal receives from the system the seventh response returned by the identity authentication device via the notify characteristic object.
For example, through the communication callback method of the system, the mobile terminal receives from the system the BluetoothGattCharacteristic parameter paramCharacteristic and obtains from paramCharacteristic the seventh response returned by the identity authentication device via the notify characteristic object.
Step 228: the mobile terminal judges whether the response code of the seventh response is the first preset value; if so, step 229 is performed; otherwise, an error is reported;
Step 229: the mobile terminal generates the second authentication request from the second client data, the application ID, the user ID and the seventh response, and sends the second authentication request to the server back end;
Specifically, the mobile terminal obtains the second authentication assertion from the seventh response, generates the second authentication request including the second authentication assertion, the second client data, the application ID and the user ID, and sends the second authentication request to the server back end;
More specifically, the mobile terminal parses the seventh response, takes the data in all bytes after the third byte (excluding the third byte) and before the penultimate byte (excluding the penultimate byte) of the seventh response as the second authentication assertion, generates the second authentication request including the second authentication assertion, the second client data, the application ID and the user ID, and sends the second authentication request to the server back end;
For example, the mobile terminal parses the seventh response 83004e01000000033045022066f456ba4b5decff5f63c78eca95a56d5fd757a8221ec89c6b9e7324ef537c8f022100c66a187fcce133ea99294c1804f023c4546513daf5fe1b09afd7ae21b334ea969000, takes the data in all bytes after the third byte "4e" (excluding the third byte) and before the penultimate byte "90" (excluding the penultimate byte) of the seventh response, obtaining the data 01000000033045022066f456ba4b5decff5f63c78eca95a56d5fd757a8221ec89c6b9e7324ef537c8f022100c66a187fcce133ea99294c1804f023c4546513daf5fe1b09afd7ae21b334ea96 as the second authentication assertion, generates the second authentication request including the second authentication assertion, the second client data, the application ID and the user ID, and sends the second authentication request to the server back end;
In the present embodiment, the communication data between the mobile terminal and the server back end is JSON-formatted data.
After the server back end receives the second authentication request, it obtains the second client data, the application ID, the user ID and the second authentication assertion from the second authentication request, obtains the public key corresponding to the user ID according to the user ID, verifies the second signed data in the second authentication assertion according to the second client data, the application ID, the preset hash algorithm and the public key, and judges whether the verification succeeded; if so, it sets the error code to the second preset value and sends the eighth response including the error code to the mobile terminal; otherwise, it sets the error code to the third preset value and sends the eighth response including the error code to the mobile terminal.
More specifically, after the server back end receives the second authentication request, it obtains the second client data, the application ID, the user ID and the second authentication assertion from the second authentication request, obtains the public key corresponding to the user ID according to the user ID, and uses the first preset algorithm to hash the second client data and the application ID respectively, obtaining the third server back-end data and the fourth server back-end data; it organizes the second original data, which includes the third server back-end data and the fourth server back-end data, hashes the second original data with the preset hash algorithm to generate the second comparison value, uses the public key to decrypt the second signed data in the second authentication assertion to obtain the second decrypted data, and judges whether the second comparison value matches the second decrypted data; if so, it sets the error code to the second preset value and sends the eighth response including the error code to the mobile terminal; otherwise, it sets the error code to the third preset value and sends the eighth response including the error code to the mobile terminal.
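Parsing the seventh response (steps 228 and 229) and rebuilding, on the server side, the bytes whose signature is verified, as an added Python example that is not from the patent or from any Feitian code. It checks the response code, splits the second authentication assertion into a user-presence byte, a counter and a DER signature, and assembles the data the server verifies the signature over. The seventh response is the example value from the page. Assumptions: the internal layout of the assertion (one user-presence byte, a four-byte big-endian counter, then the signature) and of the signed data (application hash, user-presence byte, counter, client data hash) follow the standard U2F authentication response, which the page does not spell out; the page states only that the third and fourth hash values are signed. The counter comparison is an added consistency check, not a step of the patent.

```python
# Added example (not from the patent): parse the seventh response and rebuild the
# server-side signed data. Layout of the assertion is assumed from standard U2F.
import hashlib
from typing import Tuple

CMD_MSG = 0x83        # preset protocol command identifier
STATUS_OK = 0x9000    # first preset value

# Seventh response of the embodiment (constructed test data copied from the page).
SEVENTH_RESPONSE = bytes.fromhex(
    "83004e01000000033045022066f456ba4b5decff5f63c78eca95a56d5fd757a8221ec89c"
    "6b9e7324ef537c8f022100c66a187fcce133ea99294c1804f023c4546513daf5fe1b09af"
    "d7ae21b334ea969000")


def parse_frame(frame: bytes) -> Tuple[int, bytes]:
    """Split a frame into (command, payload), checking the 2-byte length field."""
    if len(frame) < 3:
        raise ValueError("frame shorter than its header")
    cmd, hlen = frame[0], int.from_bytes(frame[1:3], "big")
    if len(frame) != 3 + hlen:
        raise ValueError(f"length field {hlen} does not match {len(frame) - 3} payload bytes")
    return cmd, frame[3:]


def split_status(payload: bytes) -> Tuple[bytes, int]:
    """Step 228: the response code is the last two bytes of the payload."""
    if len(payload) < 2:
        raise ValueError("payload has no response code")
    return payload[:-2], int.from_bytes(payload[-2:], "big")


def parse_assertion(frame: bytes) -> Tuple[int, int, bytes]:
    """Steps 228-229: require response code 9000, then split the second authentication
    assertion into (user_presence, counter, der_signature)."""
    cmd, payload = parse_frame(frame)
    if cmd != CMD_MSG:
        raise ValueError(f"unexpected command identifier {cmd:#x}")
    assertion, status = split_status(payload)
    if status != STATUS_OK:
        raise ValueError(f"device returned response code {status:04x}")
    if len(assertion) < 5 + 8:
        raise ValueError("assertion too short to hold flags, counter and signature")
    user_presence = assertion[0]                       # assumed layout: 1 byte
    counter = int.from_bytes(assertion[1:5], "big")    # assumed layout: 4 bytes
    signature = assertion[5:]
    # Sanity-check the DER envelope: SEQUENCE tag and a short-form length covering the rest.
    if signature[0] != 0x30 or signature[1] >= 0x80 or signature[1] + 2 != len(signature):
        raise ValueError("signature is not a well-formed short-form DER SEQUENCE")
    return user_presence, counter, signature


def signed_data(app_id: str, user_presence: int, counter: int, client_data: str) -> bytes:
    """Server side: the bytes the second signed data is verified against, rebuilt from the
    application ID and the second client data exactly as the mobile terminal sent them."""
    return (hashlib.sha256(app_id.encode("utf-8")).digest()        # fourth hash value
            + bytes([user_presence])
            + counter.to_bytes(4, "big")
            + hashlib.sha256(client_data.encode("utf-8")).digest())  # third hash value


def counter_advanced(last_seen: int, counter: int) -> bool:
    """Added check: a counter that did not increase indicates a replayed response or a
    cloned authenticator and should fail authentication even if the signature verifies."""
    return counter > last_seen


if __name__ == "__main__":
    up, ctr, sig = parse_assertion(SEVENTH_RESPONSE)
    print(up, ctr, sig.hex())   # 1 3 3045...ea96
```

The signature verification itself (the "sign test" in the text) then runs the ECDSA verify of the public key obtained from the user ID over signed_data(...); the server must hash the second client data bytes it received, not a re-serialised copy, or the third hash value will not match.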
Step 230: the mobile terminal receives the eighth response from the server back end;
Step 231: the mobile terminal obtains the error code from the eighth response of the server back end and judges whether the error code is the second preset value; if so, authentication succeeds; otherwise, authentication fails.
The identity authentication method provided in the present embodiment combines the identity authentication device into the authentication process, so that the user does not need to enter a password; this makes identity authentication more convenient and easier to operate while also improving the security of identity authentication.
Embodiment 3
The present embodiment provides an identity authentication apparatus, as shown in Figure 6, including a mobile terminal;
The mobile terminal includes: a first sending submodule 01, a first receiving submodule 02, a search submodule 03, a connection submodule 04, a first obtaining submodule 05, an enabling submodule 06, a characteristic sending submodule 07, a characteristic receiving submodule 08, a first generating submodule 09, a second sending submodule 10, a second receiving submodule 11 and a first judging submodule 12;
The first sending submodule 01 is configured to send the first authentication request including the user ID to the server back end;
The first receiving submodule 02 is configured to receive from the server back end the fifth response including the application ID, the second challenge value, the origin data and the key handle corresponding to the user ID;
The search submodule 03 is configured to search for the identity authentication device matching the preset service identifier;
The connection submodule 04 is configured to establish a connection with the identity authentication device matching the preset service identifier;
The first obtaining submodule 05 is configured to obtain the service of the identity authentication device, and to obtain the notify characteristic and the write characteristic from the service;
The first obtaining submodule 05 is specifically configured to obtain the service of the identity authentication device according to the preset service identifier, to obtain the notify characteristic from the service according to the preset notify characteristic identifier, and to obtain the write characteristic from the service according to the preset write characteristic identifier.
The enabling submodule 06 is configured to enable the notify characteristic obtained by the first obtaining submodule 05;
The first generating submodule 09 is configured to generate the authentication data according to the preset authentication command type and the second challenge value, origin data, application ID and key handle received by the first receiving submodule 02;
The first generating submodule 09 specifically includes a first organizing unit, a first hashing unit and a first generating unit;
The first organizing unit is configured to organize the second client data including the preset authentication command type, the second challenge value and the origin data;
The first hashing unit is configured to hash the second client data organized by the first organizing unit and the application ID respectively, obtaining the third hash value and the fourth hash value;
The first generating unit is configured to generate the authentication data according to the third hash value and the fourth hash value obtained by the first hashing unit and the key handle received by the first receiving submodule.
The characteristic sending submodule 07 is configured to send, via the write characteristic and after the enabling submodule 06 has enabled the notify characteristic, the authentication command including the authentication data generated by the first generating submodule 09 to the identity authentication device;
The characteristic receiving submodule 08 is configured to receive the seventh response, including the second authentication assertion, returned by the identity authentication device via the notify characteristic;
The second sending submodule 10 is configured to send to the server back end the second authentication request including the authentication command type, the second challenge value, the origin data, the application ID, the user ID and the second authentication assertion;
The second sending submodule 10 is specifically configured to send to the server back end the second authentication request including the second client data, the application ID, the user ID and the second authentication assertion.
The second receiving submodule 11 is configured to receive the eighth response including the error code from the server back end;
The first judging submodule 12 is configured to judge whether the error code is the second preset value; if so, it judges that authentication succeeded; otherwise, it judges that authentication failed.
Further, in the present embodiment, the identity authentication apparatus may also include an identity authentication device;
The identity authentication device includes a first authentication module, and the first authentication module includes a second obtaining submodule, a first signing submodule, a third sending submodule and a third receiving submodule;
The third receiving submodule is configured to receive the authentication command;
The second obtaining submodule is configured to obtain the authentication data from the authentication command received by the third receiving submodule, and to obtain from the authentication data the key handle and the private key corresponding to the key handle;
The first signing submodule is configured to organize the second data to be signed, which includes the third hash value and the fourth hash value in the authentication data, and to sign the second data to be signed according to the private key corresponding to the key handle obtained by the second obtaining submodule and the preset hash algorithm, obtaining the second signed data;
The third sending submodule is configured to organize the second authentication assertion including the second signed data, and to return the seventh response including the second authentication assertion to the mobile terminal.
Further, in the present embodiment, the identity authentication apparatus may also include a server back end;
The server back end includes a second authentication module, and the second authentication module includes a fourth receiving submodule, a third obtaining submodule, a first signature verification submodule, a third judging submodule and a fourth sending submodule;
The fourth receiving submodule is configured to receive the second authentication request;
The third obtaining submodule is configured to obtain the public key corresponding to the user ID according to the user ID in the second authentication request;
The first signature verification submodule is configured to verify the second signed data in the second authentication assertion according to the second client data and the application ID in the second authentication request, the preset hash algorithm and the public key obtained by the third obtaining submodule;
The third judging submodule is configured to judge whether the verification by the first signature verification submodule succeeded;
The fourth sending submodule is configured to set the error code to the second preset value and send the eighth response including the error code to the mobile terminal when the third judging submodule judges yes, and to set the error code to the third preset value and send the eighth response including the error code to the mobile terminal when the third judging submodule judges no.
In the present embodiment, the 5th response also includes first version number;Correspondingly, mobile terminal can also include: second Judge that submodule and first reports an error submodule;
Feature sends submodule 07, is additionally operable to, after enabling submodule 06 enable notice feature, obtain submodule according to first Feature that what block 05 got write sends to ID authentication device and obtains version number's instruction;
The sub-receiver module of feature 08, is additionally operable to receive ID authentication device and includes the second edition by what notice feature returned Number the 6th response;
Second judges submodule, and the second edition number received in the 6th response that submodule 08 is received for judging characteristic is The no first version number received with the first reception submodule 02 matches;Correspondingly, first generates submodule 09, specifically for After judging that submodule is judged to be when second, according to default certification instruction type, first receive that submodule 02 receives the Two challenging values, derived data, application ID and key handles generate authentication data;
First reports an error submodule, for when second judge submodule be judged to no after, report an error.
In the present embodiment, mobile terminal also includes: the first tissue submodule, the 4th judge submodule and the first subpackage submodule Block;
First obtains submodule 05 is additionally operable to obtain from service read feature;And using long as subpackage for the eigenvalue of reading feature Degree;First tissue submodule is used for organizing certification to instruct;4th judges that submodule is for judging whether the according to subpackage length The certification instruction of one tissue submodule tissue carries out subpackage process;
First subpackage submodule after judge that submodule is judged to be when the 4th, according to subpackage length certification instructed into Row subpackage processes.
Further, the first tissue submodule is specifically for generating, according to first, the authentication data tissue that submodule 09 generates Second instruction, using second instruction as certification instruct in data field, second instruction before add preset protocol command identification with The data length of the second instruction, obtains certification instruction.
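The framing and packet splitting described above (identifier plus data length prepended to the data field, then split by the packet length read from the device's read characteristic) are shown below as an added example; this is not code from the patent or from Feitian. The patent does not fix the identifier values, the width of the length field, how continuation packets are marked, or the packet length, so the example assumes one-byte identifiers 0x81/0x82, a 2-byte big-endian length, reassembly purely by the declared length, and a 20-byte packet length. It also covers the registration instruction of the later embodiment, which is framed the same way.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Protocol command identifiers prepended to the data field. The patent only says a
// preset identifier is added; these byte values are assumptions for the example.
const (
	CmdRegister byte = 0x81
	CmdAuth     byte = 0x82
)

// headerLen covers the command identifier and a 2-byte big-endian data length
// (the width of the length field is also an assumption).
const headerLen = 3

// Frame assembles the BLE instruction: identifier || length(data) || data.
func Frame(cmd byte, data []byte) ([]byte, error) {
	if len(data) > 0xFFFF {
		return nil, errors.New("data field too long for a 2-byte length")
	}
	out := make([]byte, headerLen, headerLen+len(data))
	out[0] = cmd
	binary.BigEndian.PutUint16(out[1:], uint16(len(data)))
	return append(out, data...), nil
}

// Split cuts a frame into writes of at most pktLen bytes, pktLen being the value read
// from the device's read characteristic. A frame that already fits is returned as one packet.
func Split(frame []byte, pktLen int) ([][]byte, error) {
	if pktLen < headerLen {
		return nil, errors.New("packet length cannot hold the instruction header")
	}
	var pkts [][]byte
	for off := 0; off < len(frame); off += pktLen {
		end := off + pktLen
		if end > len(frame) {
			end = len(frame)
		}
		pkts = append(pkts, frame[off:end])
	}
	return pkts, nil
}

// Reassembler is the device side: it buffers writes until the declared length has arrived.
type Reassembler struct{ buf []byte }

// Push appends one packet. done is true once a whole instruction is available; an error
// is returned if more bytes arrived than the header declared (the buffer is then reset).
func (r *Reassembler) Push(pkt []byte) (cmd byte, data []byte, done bool, err error) {
	r.buf = append(r.buf, pkt...)
	if len(r.buf) < headerLen {
		return 0, nil, false, nil
	}
	want := headerLen + int(binary.BigEndian.Uint16(r.buf[1:3]))
	if len(r.buf) < want {
		return 0, nil, false, nil
	}
	if len(r.buf) > want {
		r.buf = nil
		return 0, nil, false, errors.New("received more bytes than the declared length")
	}
	cmd, data = r.buf[0], append([]byte(nil), r.buf[headerLen:]...)
	r.buf = nil
	return cmd, data, true, nil
}

// RoundTrip frames, splits and reassembles one instruction; it returns the number of
// packets written and the command and data recovered on the device side.
func RoundTrip(cmd byte, data []byte, pktLen int) (int, byte, []byte, error) {
	frame, err := Frame(cmd, data)
	if err != nil {
		return 0, 0, nil, err
	}
	pkts, err := Split(frame, pktLen)
	if err != nil {
		return 0, 0, nil, err
	}
	var dev Reassembler
	for i, p := range pkts {
		c, d, done, err := dev.Push(p)
		if err != nil {
			return i + 1, 0, nil, err
		}
		if done {
			return i + 1, c, d, nil
		}
	}
	return len(pkts), 0, nil, errors.New("instruction incomplete after all packets")
}

func main() {
	// Constructed 70-byte data field (two 32-byte hashes plus a short handle) sent over
	// an assumed 20-byte packet length: 73 framed bytes become 4 writes.
	data := make([]byte, 70)
	n, cmd, out, err := RoundTrip(CmdAuth, data, 20)
	fmt.Println(n, cmd, len(out), err)
}
```

The device-side check that the buffered bytes never exceed the declared length is the practical point of the length field: without it a peer that writes past the end of one instruction silently corrupts the start of the next.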
In this embodiment the mobile terminal also includes a fifth sending submodule, a fifth receiving submodule, a fifth judging submodule, a second generating submodule, a sixth sending submodule, a sixth receiving submodule and a sixth judging submodule;
The fifth sending submodule is configured to send a first registration request including the user ID to the server backend;
The fifth receiving submodule is configured to receive from the server backend a first response that includes the application ID, the first challenge value and the origin data;
The second generating submodule is configured to generate registration data according to the preset registration instruction type and the first challenge value, origin data and application ID received by the fifth receiving submodule;
The characteristic sending submodule 07 is further configured to send to the identity authentication device, via the write characteristic and after the enabling submodule 06 has enabled the notify characteristic, a registration instruction that includes the registration data generated by the second generating submodule;
The characteristic receiving submodule 08 is further configured to receive the third response, including the first authentication evidence, that the identity authentication device returns via the notify characteristic;
In this embodiment the second generating submodule specifically includes a second assembling unit, a second hashing unit and a second generating unit;
The second assembling unit is configured to assemble first client data that includes the preset registration instruction type, the first challenge value and the origin data;
The second hashing unit is configured to hash, respectively, the first client data assembled by the second assembling unit and the application ID, obtaining a first hash value and a second hash value;
The second generating unit is configured to generate the registration data according to the first hash value and the second hash value obtained by the second hashing unit;
The sixth sending submodule is configured to send to the server backend a second registration request that includes the registration instruction type, the first challenge value, the origin data, the application ID, the user ID and the first authentication evidence;
The sixth sending submodule is specifically configured to send to the server backend a second registration request that includes the first client data, the application ID, the user ID and the first authentication evidence.
The sixth receiving submodule is configured to receive from the server backend a fourth response that includes an error code;
The sixth judging submodule is configured to judge whether the error code is the second preset value; if so, registration is judged to have succeeded; otherwise, registration is judged to have failed.
Further, in this embodiment the identity authentication system may also include an identity authentication device;
The identity authentication device includes a third authentication module, and the third authentication module includes a third generating submodule, a second signing submodule, a seventh sending submodule and a seventh receiving submodule;
The seventh receiving submodule is configured to receive the registration instruction;
The third generating submodule is configured to generate a key pair and a key handle corresponding to the key pair after the seventh receiving submodule receives the registration instruction;
The second signing submodule is configured to assemble first data to be signed that includes the public key of the key pair, the key handle, and the first hash value and the second hash value contained in the registration data, and to sign the first data to be signed with the preset hash algorithm and the private key of the key pair, obtaining first signature data;
The seventh sending submodule is configured to assemble first authentication evidence that includes the public key of the key pair, the key handle corresponding to the key pair and the first signature data, and to return a third response including the first authentication evidence to the mobile terminal.
Further, in this embodiment the identity authentication system may also include a server backend;
The server backend includes a fourth authentication module, and the fourth authentication module includes an eighth receiving submodule, a second signature verification submodule, an eighth judging submodule, an eighth sending submodule and an associating submodule;
The eighth receiving submodule is configured to receive the second registration request;
The second signature verification submodule is configured to verify the first signature data in the first authentication evidence according to the first client data, the application ID, the public key in the first authentication evidence, the key handle in the first authentication evidence and the preset hash algorithm;
The eighth judging submodule is configured to judge whether verification by the second signature verification submodule succeeded;
The associating submodule is configured to establish and store, after the eighth judging submodule judges yes, a correspondence between the user ID and, respectively, the key handle and the public key in the third response;
The eighth sending submodule is configured to set the error code to the second preset value after the eighth judging submodule judges yes and send a fourth response including the error code to the mobile terminal, and to set the error code to the third preset value after the eighth judging submodule judges no and send a fourth response including the error code to the mobile terminal.
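The registration flow above and the authentication flow of the earlier embodiment (first and second authentication modules) share the same cryptographic shape: the mobile terminal hashes client data (instruction type, challenge, origin data) and the application ID separately, the device signs those hashes (at registration together with the new public key and key handle), and the server backend recomputes the hashes from the request and verifies the signature before storing or accepting the credential. The example below is an added illustration of both flows in one program; it is not code from the patent or from Feitian. The patent fixes neither the hash algorithm, the curve, the encoding of the public key, how the key handle is derived, nor the numeric error codes, so the example assumes SHA-256, ECDSA over P-256 with PKIX-encoded public keys, a random 32-byte key handle, 0x00/0x01 for the second and third preset values, 0x01/0x02 for the instruction types, and constructed user, application and challenge values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Values the patent leaves unnamed; all four are assumptions for this example:
// error codes of the 4th/8th response and instruction types prefixed to the client data.
const (
	CodeOK       byte = 0x00 // second preset value: signature verified
	CodeFail     byte = 0x01 // third preset value: verification failed
	RegisterType byte = 0x01
	AuthType     byte = 0x02
)

// sha is the preset hash algorithm (assumed SHA-256) over the concatenated parts.
func sha(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// clientData is the mobile terminal's client data: instruction type || challenge || origin data.
func clientData(typ byte, challenge, origin []byte) []byte {
	return append(append([]byte{typ}, challenge...), origin...)
}

// Evidence is the authentication evidence of the 3rd (registration) and 7th (authentication)
// responses; PubDER and KeyHandle are only present at registration.
type Evidence struct{ PubDER, KeyHandle, Sig []byte }

// Device models the identity authentication device: private keys indexed by key handle.
type Device struct{ keys map[string]*ecdsa.PrivateKey }

// Register (device, 3rd authentication module): new P-256 key pair and random handle,
// signature over pub || handle || h1 || h2.
func (d *Device) Register(h1, h2 []byte) (Evidence, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return Evidence{}, err }
	handle := make([]byte, 32)
	if _, err := rand.Read(handle); err != nil { return Evidence{}, err }
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil { return Evidence{}, err }
	sig, err := ecdsa.SignASN1(rand.Reader, priv, sha(pubDER, handle, h1, h2))
	if err != nil { return Evidence{}, err }
	d.keys[string(handle)] = priv
	return Evidence{PubDER: pubDER, KeyHandle: handle, Sig: sig}, nil
}

// Authenticate (device, 1st authentication module): the handle selects the private key,
// the signature covers h3 || h4 only.
func (d *Device) Authenticate(h3, h4, handle []byte) (Evidence, error) {
	priv, ok := d.keys[string(handle)]
	if !ok { return Evidence{}, errors.New("unknown key handle") }
	sig, err := ecdsa.SignASN1(rand.Reader, priv, sha(h3, h4))
	return Evidence{Sig: sig}, err
}

type cred struct{ handle []byte; pub *ecdsa.PublicKey }

// Server models the server backend: one (key handle, public key) pair stored per user ID.
type Server struct{ creds map[string]cred }

// Register (server, 4th authentication module): recompute both hashes from the request,
// verify with the public key carried in the evidence, and store the association only on success.
func (s *Server) Register(userID string, cd, appID []byte, ev Evidence) byte {
	key, err := x509.ParsePKIXPublicKey(ev.PubDER)
	pub, ok := key.(*ecdsa.PublicKey)
	if err != nil || !ok || !ecdsa.VerifyASN1(pub, sha(ev.PubDER, ev.KeyHandle, sha(cd), sha(appID)), ev.Sig) {
		return CodeFail
	}
	s.creds[userID] = cred{handle: ev.KeyHandle, pub: pub}
	return CodeOK
}

// Authenticate (server, 2nd authentication module): the public key is looked up by user ID.
func (s *Server) Authenticate(userID string, cd, appID []byte, ev Evidence) byte {
	c, ok := s.creds[userID]
	if !ok || !ecdsa.VerifyASN1(c.pub, sha(sha(cd), sha(appID)), ev.Sig) {
		return CodeFail
	}
	return CodeOK
}

// RunFlows drives registration, one valid authentication and one replay of the same
// signature against a fresh challenge, for a constructed user; it returns the three codes.
func RunFlows() (reg, auth, replay byte, err error) {
	dev := &Device{keys: map[string]*ecdsa.PrivateKey{}}
	srv := &Server{creds: map[string]cred{}}
	userID, appID, origin := "alice", []byte("https://app.example"), []byte("origin-constructed")
	cd1 := clientData(RegisterType, []byte("challenge-1-constructed"), origin)
	ev1, err := dev.Register(sha(cd1), sha(appID))
	if err != nil { return CodeFail, CodeFail, CodeFail, err }
	reg = srv.Register(userID, cd1, appID, ev1)
	cd2 := clientData(AuthType, []byte("challenge-2-constructed"), origin)
	ev2, err := dev.Authenticate(sha(cd2), sha(appID), srv.creds[userID].handle)
	if err != nil { return reg, CodeFail, CodeFail, err }
	auth = srv.Authenticate(userID, cd2, appID, ev2)
	cd3 := clientData(AuthType, []byte("challenge-3-constructed"), origin)
	return reg, auth, srv.Authenticate(userID, cd3, appID, ev2), nil
}

func main() { fmt.Println(RunFlows()) }
```

Because the server hashes the client data it received itself rather than trusting hashes from the mobile terminal, the challenge in the fifth response binds the signature to this session: a signature captured from one authentication fails against the next challenge, which is what the replay case in RunFlows checks.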
In this embodiment the first response also includes a first version number;
Correspondingly, the mobile terminal may also include a seventh judging submodule and a second error reporting submodule;
The characteristic sending submodule 07 is further configured to send a get-version-number instruction to the identity authentication device via the write characteristic obtained by the first obtaining submodule 05, after the enabling submodule 06 has enabled the notify characteristic;
The characteristic receiving submodule 08 is further configured to receive the second response, including the second version number, that the identity authentication device returns via the notify characteristic;
The seventh judging submodule is configured to judge whether the second version number in the second response received by the characteristic receiving submodule 08 matches the first version number received by the fifth receiving submodule;
The second generating submodule is configured to generate the registration data according to the preset registration instruction type and the first challenge value, origin data and application ID received by the fifth receiving submodule, after the seventh judging submodule judges yes;
The second error reporting submodule is configured to report an error after the seventh judging submodule judges no.
In this embodiment the mobile terminal also includes a second packet splitting submodule, a second assembling submodule and a ninth judging submodule; the first obtaining submodule 05 is further configured to obtain the read characteristic from the service and to use the value of the read characteristic as the packet length; the second assembling submodule is configured to assemble the registration instruction; the ninth judging submodule is configured to judge, according to the packet length, whether the registration instruction assembled by the second assembling submodule needs to be split into packets; the second packet splitting submodule is configured to split the registration instruction into packets according to the packet length after the ninth judging submodule judges yes.
Further, the second assembling submodule is specifically configured to assemble a first instruction from the registration data generated by the second generating submodule, to use the first instruction as the data field of the registration instruction, and to prepend to the first instruction a protocol instruction type identifier and the data length of the first instruction, obtaining the registration instruction.
In this embodiment the mobile terminal may also include a third error reporting submodule; the search submodule 03 includes a search unit, a receiving unit and a judging unit;
The search unit is configured to search for the identity authentication device;
The receiving unit is configured to receive the broadcast data from the identity authentication device;
The judging unit is configured to judge whether the service identifier in the broadcast data that the receiving unit received from the identity authentication device matches the preset service identifier; if so, it is judged that an identity authentication device matching the preset service identifier has been found;
The third error reporting submodule is configured to report an error after the judging unit judges no.
Further, the search unit is specifically configured to call the system's search interface to search for the identity authentication device and to set a search callback object, the search callback object including a search callback method;
The receiving unit is specifically configured to receive, through the system's search callback method, the broadcast data from the identity authentication device and the device object corresponding to the identity authentication device.
Further, the connecting submodule 04 is specifically configured to call the system's connect method with the device object that the receiving unit received for the identity authentication device, to establish a Bluetooth connection with the identity authentication device, to obtain a Generic Attribute Profile (GATT) object and to set a connection callback object.
Still further, the first obtaining submodule 05 is specifically configured to call the system's get-service method on the GATT object with the preset service identifier as parameter, obtaining the service object of the identity authentication device; to call the system's get-characteristic method on the service object with the preset write characteristic identifier as parameter, obtaining the write characteristic object from the service object; and to call the system's get-characteristic method on the service object with the preset notify characteristic identifier as parameter, obtaining the notify characteristic object from the service object.
The callback object includes the system's notification callback method; correspondingly:
The enabling submodule 06 is specifically configured to call the system's set-characteristic-notification method to enable the notify characteristic object;
The characteristic receiving submodule 08 is specifically configured to receive, through the system's communication callback method, the sixth response including the second version number that the identity authentication device returns via the notify characteristic object, and to receive, through the system's communication callback method, the seventh response that the identity authentication device returns via the notify characteristic object.
The above is only a preferred embodiment of the present invention, and the protection scope of the present invention is not limited to it. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.

Claims (40)

1. an identity identifying method, it is characterised in that including:
Step s1: mobile terminal sends the first certification request including ID to server background, receives from described clothes Business device backstage include apply ID, the second challenging value, derived data and the 5th of the key handles corresponding with described ID the Response;
Step s2: described mobile terminal to search identifies, with preset service, the ID authentication device matched, and recognizes with described identity Card equipment is set up bluetooth and is connected;
Step s3: the service of ID authentication device described in described acquisition for mobile terminal;From described service obtain notice feature and Write feature;Enable described notice feature;
Step s4: described mobile terminal is according to the certification instruction type preset, described second challenging value, described derived data, institute State application ID and described key handles generates authentication data, include institute according to described feature of writing to the transmission of described ID authentication device State the certification instruction of authentication data;Receive described ID authentication device and include that the second certification is sentenced by what described notice feature returned According to the 7th response;
Step s5: described mobile terminal sends to described server background and includes described certification instruction type, described second challenge Second certification request of value, described derived data, described application ID, described ID and described second certification criterion;
Step s6: described mobile terminal receives the 8th response including error code from described server background;Judge described Whether error code is the second preset value, if it is, judge certification success;Otherwise, it is determined that authentification failure.
Method the most according to claim 1, it is characterised in that also include first version number in described 5th response;
Also include before described step s4: described mobile terminal according to described in write feature to described ID authentication device send obtain Version number instructs, and receives the 6th sound including the second edition number that described ID authentication device is returned by described notice feature Should;Judge whether described first version number matches with the described second edition number, if it is, perform step s4;Otherwise, report Wrong.
Method the most according to claim 1, it is characterised in that described basis preset certification instruction type, described second Challenging value, described derived data, described application ID and described key handles generate authentication data, specifically include:
Step a1: described mobile terminal tissue includes certification instruction type, the second challenging value and the second of derived data preset Client data;
Step a2: described mobile terminal carries out Hash process respectively to the second client data and described application ID, obtains the 3rd Cryptographic Hash and the 4th cryptographic Hash, generate described authentication data according to the 3rd cryptographic Hash, the 4th cryptographic Hash and described key handles;
Described to described server background send include described certification instruction type, described second challenging value, described derived data, Second certification request of described application ID, described ID and described second certification criterion, particularly as follows: after described server Platform sends and includes described second client data, described application ID, described ID and the second of described second certification criterion Certification is asked.
Method the most according to claim 3, it is characterised in that after described ID authentication device receives certification instruction, from Described certification instruction obtains authentication data, from described authentication data, obtains key handles and corresponding with described key handles Private key, tissue includes the 3rd cryptographic Hash in described authentication data and the second data to be signed of the 4th cryptographic Hash, according to presetting Hash algorithm and the private key corresponding with described key handles described second data to be signed are carried out signature and obtain the second signature Data, tissue includes the second certification criterion of described second signed data, will include the 7th response of described second certification criterion Return to described mobile terminal.
Method the most according to claim 4, it is characterised in that after described server background receives the second certification request, The PKI corresponding with described ID is obtained, according to described second certification according to the ID in described second certification request The second client data in request and application ID, default hash algorithm and described PKI, to the in the second certification criterion Two signed datas carry out sign test, it is judged that sign test is the most successful, if it is, error code is set to the second preset value, to movement Terminal sends the 8th response including error code;Otherwise, error code is set to the 3rd preset value, sends to mobile terminal and include 8th response of error code.
Method the most according to claim 1, it is characterised in that also include in described step s3 obtaining from described service reading Feature, and using the eigenvalue of described reading feature as subpackage length;
Before writing the certification instruction that feature includes described authentication data to the transmission of described ID authentication device described in described basis, also Including: instruct according to the described described certification of authentication data tissue;Judge whether described certification instruction is carried out according to subpackage length Subpackage processes, if it is, described certification instruction is carried out subpackage process according to subpackage length, continues;Otherwise, continue.
Method the most according to claim 6, it is characterised in that described refer to according to the described described certification of authentication data tissue Order, specifically includes: instruct according to described authentication data tissue second, the number in described second instruction being instructed as described certification According to territory, before described second instruction, add protocol instructions type identification and the data length of the second instruction, obtain described certification and refer to Order.
Method the most according to claim 1, it is characterised in that also include before described step s1:
Step r1: mobile terminal sends the first registration request including ID to server background, receives from described clothes First response including applying ID, the first challenging value and derived data on business device backstage;
Step r2: described mobile terminal to search identifies, with preset service, the ID authentication device matched, and recognizes with described identity Card equipment is set up bluetooth and is connected;
Step r3: the service of ID authentication device described in described acquisition for mobile terminal;From described service obtain notice feature with Write feature;Enable described notice feature;
Step r4: described mobile terminal is according to register instruction type, described first challenging value, described derived data and the institute preset State application ID and generate log-on data, include the note of described log-on data to the transmission of described ID authentication device according to described feature of writing Volume instruction;Receive described ID authentication device and returned the 3rd response including the first certification criterion by described notice feature;
Step r5: described mobile terminal sends to server background and includes described register instruction type, described first challenging value, institute State derived data, described application ID, described ID and the second registration request of described first certification criterion;
Step r6: described mobile terminal receives the 4th response including error code from described server background;Judge described Whether error code is the second preset value, if it is, judge to succeed in registration;Otherwise, it is determined that registration failure.
Method the most according to claim 8, it is characterised in that also include first version number in described first response;
Also include before described step r4: described mobile terminal according to described in write feature to described ID authentication device send obtain Version number instructs, and receives the second sound including the second edition number that described ID authentication device is returned by described notice feature Should;Judge whether described first version number matches with the described second edition number, if it is, perform step r4;Otherwise, report Wrong.
Method the most according to claim 8, it is characterised in that described basis preset certification instruction type, described first Challenging value, described derived data and described application ID generate log-on data, specifically include:
Step b1: described mobile terminal tissue includes register instruction type, the first challenging value and the first of derived data preset Client data;
Step b2: described mobile terminal carries out Hash process respectively to described first client data and described application ID, obtains First cryptographic Hash and the second cryptographic Hash, generate described log-on data according to the first cryptographic Hash and the second cryptographic Hash;
Described to described server background send include described register instruction type, described first challenging value, described derived data, Described application ID, described ID and the second registration request of described first certification criterion, particularly as follows: after described server Platform sends and includes described first client data, described application ID, described ID and the second of described first certification criterion Registration request.
11. methods according to claim 10, it is characterised in that after described ID authentication device receives register instruction, Described ID authentication device generates double secret key and the key handles corresponding with described double secret key, and tissue includes described cipher key pair PKI, key handles, the first cryptographic Hash in log-on data and the first data to be signed of the second cryptographic Hash, according to default The private key of hash algorithm and described cipher key pair carries out signature to described first data to be signed and obtains the first signed data, tissue The first of the key handles corresponding with described double secret key including the PKI of described cipher key pair and described first signed data is recognized Card criterion, returns to mobile terminal by the 3rd response including the first certification criterion.
12. methods according to claim 11, it is characterised in that described server background receives the second registration request After, according to the PKI in the first client data, application ID, the first certification criterion, key handles in the first certification criterion and The hash algorithm preset carries out sign test to the first signed data in the first certification criterion, it is judged that sign test is the most successful, then will be Key handles and PKI in 3rd response are set up corresponding relation respectively and preserve with ID, and error code is set to second Preset value, sends, to mobile terminal, the 4th response that error code is the second preset value;Otherwise, error code is set to the 3rd preset Value, sends, to mobile terminal, the 4th response that error code is the 3rd preset value.
13. method according to claim 8, it is characterised in that also include in described step r3 obtaining from described service Read feature, and using the eigenvalue of described reading feature as subpackage length;
Feature was write before described ID authentication device sends the register instruction including described log-on data, also described in described basis Including: according to the described described register instruction of log-on data tissue;Judge whether described register instruction is carried out according to subpackage length Subpackage processes, if it is, described register instruction is carried out subpackage process according to subpackage length, continues;Otherwise, continue.
14. methods according to claim 13, it is characterised in that described refer to according to the described described registration of log-on data tissue Order, specifically includes: instruct according to described log-on data tissue second, using described second instruction as the number in described register instruction According to territory, before described second instruction, add protocol instructions type identification and the data length of the second instruction, obtain described registration and refer to Order.
15. according to the method described in claim 1 or 8, it is characterised in that described search identifies, with preset service, the body matched Part authenticating device particularly as follows:
Described mobile terminal to search ID authentication device, receives the broadcast data from ID authentication device, it is judged that described broadcast Whether the service identifiers in data matches with preset service mark, identifies phase if it is, judge to search with preset service The ID authentication device of coupling, continues;Otherwise, report an error.
16. methods according to claim 15, it is characterised in that described mobile terminal to search ID authentication device, receive From the broadcast data of ID authentication device, particularly as follows:
The searching interface search ID authentication device of described mobile terminal calling system, and arranges search callback object, described in search Rope callback object includes searching for callback method;Received by the search callback method of described system and set from described authentication Standby broadcast data and the device object corresponding with described ID authentication device.
17. methods according to claim 16, it is characterised in that described and described ID authentication device sets up bluetooth even Connect, specifically include:
Described mobile terminal uses the method for attachment of the device object calling system corresponding with described ID authentication device and described ID authentication device is set up bluetooth and is connected, and obtains general-purpose attribute protocol object and arranges connection callback object.
18. methods according to claim 17, it is characterised in that the service of the described ID authentication device of described acquisition;From Described service obtain notice feature and write feature, specifically including:
Step t1: preset service mark as parameter, is used general-purpose attribute protocol object, the acquisition of calling system by mobile terminal Method of servicing, obtains the service object of described ID authentication device;Using default signature identification of writing as parameter, use described clothes The acquisition characterization method of business object reference system, obtains from described service object and writes feature object;By default notice feature Mark, as parameter, uses the acquisition characterization method of described service object's calling system, obtains notice from described service object Feature object.
19. methods according to claim 18, it is characterised in that described callback object includes that the notice of described system is returned Tune method;
Described enable notifies feature, particularly as follows: the feature notification method that arranges of calling system, enables notice feature object;
The 6th response including the second edition number that the described ID authentication device of described reception is returned by described notice feature, tool Body is: described mobile terminal receives described ID authentication device by described notice spy by the communication callback method of described system Levy the 6th response including the second edition number that object returns;
The 7th response that the described ID authentication device of described reception is returned by described notice feature, particularly as follows: described mobile whole Hold receive that described ID authentication device is returned by described notice feature object by the communication callback method of described system the Seven responses.
20. according to the method described in claim 1 or 8, it is characterised in that ID authentication device described in described acquisition for mobile terminal Service;From described service, obtain notice feature and write feature;Particularly as follows: described mobile terminal is according to described preset service mark Know the service obtaining described ID authentication device, from described service, obtain notice feature according to default notice signature identification; Obtain from described service write feature according to default signature identification of writing.
21. An identity authentication apparatus, characterised in that it comprises a mobile terminal;
the mobile terminal comprises: a first sending submodule, a first receiving submodule, a searching submodule, a connecting submodule, a first obtaining submodule, an enabling submodule, a characteristic sending submodule, a characteristic receiving submodule, a first generating submodule, a second sending submodule, a second receiving submodule and a first judging submodule;
the first sending submodule is configured to send a first authentication request including a user ID to the server;
the first receiving submodule is configured to receive from the server a fifth response including an application ID, a second challenge, origin data and the key handle corresponding to the user ID;
the searching submodule is configured to search for an identity authentication device matching a preset service identifier;
the connecting submodule is configured to establish a Bluetooth connection with the identity authentication device matching the preset service identifier;
the first obtaining submodule is configured to obtain the service of the identity authentication device, and to obtain a notify characteristic and a write characteristic from the service;
the enabling submodule is configured to enable the notify characteristic obtained by the first obtaining submodule;
the first generating submodule is configured to generate authentication data according to a preset authentication command type and the second challenge, the origin data, the application ID and the key handle received by the first receiving submodule;
the characteristic sending submodule is configured to, after the enabling submodule has enabled the notify characteristic, send to the identity authentication device through the write characteristic an authentication command including the authentication data generated by the first generating submodule;
the characteristic receiving submodule is configured to receive a seventh response, including a second authentication credential, returned by the identity authentication device through the notify characteristic;
the second sending submodule is configured to send to the server a second authentication request including the authentication command type, the second challenge, the origin data, the application ID, the user ID and the second authentication credential;
the second receiving submodule is configured to receive from the server an eighth response including an error code;
the first judging submodule is configured to judge whether the error code is a second preset value; if so, authentication succeeds; otherwise, authentication fails.
22. The apparatus according to claim 21, characterised in that the fifth response further includes a first version number, and the mobile terminal further comprises a second judging submodule and a first error reporting submodule;
the characteristic sending submodule is further configured to, after the enabling submodule has enabled the notify characteristic, send a get-version-number command to the identity authentication device through the write characteristic obtained by the first obtaining submodule;
the characteristic receiving submodule is further configured to receive a sixth response, including a second version number, returned by the identity authentication device through the notify characteristic;
the second judging submodule is configured to judge whether the second version number in the sixth response received by the characteristic receiving submodule matches the first version number received by the first receiving submodule;
the first generating submodule is configured to, after the second judging submodule judges yes, generate the authentication data according to the preset authentication command type and the second challenge, the origin data, the application ID and the key handle received by the first receiving submodule;
the first error reporting submodule is configured to report an error after the second judging submodule judges no.
23. The apparatus according to claim 21, characterised in that the first generating submodule specifically comprises a first assembling unit, a first hashing unit and a first generating unit;
the first assembling unit is configured to assemble second client data including the preset authentication command type, the second challenge and the origin data;
the first hashing unit is configured to hash the second client data assembled by the first assembling unit and the application ID separately, obtaining a third hash value and a fourth hash value;
the first generating unit is configured to generate the authentication data according to the third hash value and the fourth hash value obtained by the first hashing unit and the key handle received by the first receiving submodule;
the second sending submodule is specifically configured to send to the server a second authentication request including the second client data, the application ID, the user ID and the second authentication credential.
24. The apparatus according to claim 23, characterised in that it further comprises an identity authentication device;
the identity authentication device comprises a second obtaining submodule, a first signing submodule, a third sending submodule and a third receiving submodule;
the third receiving submodule is configured to receive the authentication command;
the second obtaining submodule is configured to obtain the authentication data from the authentication command received by the third receiving submodule, and to obtain from the authentication data the key handle and the private key corresponding to the key handle;
the first signing submodule is configured to assemble second data to be signed including the third hash value and the fourth hash value in the authentication data, and to sign the second data to be signed according to the private key corresponding to the key handle obtained by the second obtaining submodule and a preset hash algorithm, obtaining second signed data;
the third sending submodule is configured to assemble a second authentication credential including the second signed data, and to return to the mobile terminal the seventh response including the second authentication credential.
25. The apparatus according to claim 24, characterised in that it further comprises a server;
the server comprises a fourth receiving submodule, a third obtaining submodule, a first signature verification submodule, a third judging submodule and a fourth sending submodule;
the fourth receiving submodule is configured to receive the second authentication request;
the third obtaining submodule is configured to obtain the public key corresponding to the user ID according to the user ID in the second authentication request;
the first signature verification submodule is configured to verify the second signed data in the second authentication credential according to the second client data and the application ID in the second authentication request, the preset hash algorithm and the public key obtained by the third obtaining submodule;
the third judging submodule is configured to judge whether the verification by the first signature verification submodule succeeds;
the fourth sending submodule is configured to set the error code to the second preset value and send the eighth response including the error code to the mobile terminal after the third judging submodule judges yes, and to set the error code to a third preset value and send the eighth response including the error code to the mobile terminal after the third judging submodule judges no.
26. The apparatus according to claim 21, characterised in that the mobile terminal further comprises a first assembling submodule, a fourth judging submodule and a first fragmenting submodule;
the first obtaining submodule is further configured to obtain a read characteristic from the service, and to use the value of the read characteristic as the packet length;
the first assembling submodule is configured to assemble the authentication command;
the fourth judging submodule is configured to judge, according to the packet length, whether the authentication command assembled by the first assembling submodule needs to be fragmented;
the first fragmenting submodule is configured to fragment the authentication command according to the packet length after the fourth judging submodule judges yes.
27. The apparatus according to claim 26, characterised in that the first assembling submodule is specifically configured to assemble a second command according to the authentication data generated by the first generating submodule, to use the second command as the data field of the authentication command, and to prepend to the second command a preset protocol command identifier and the data length of the second command, obtaining the authentication command.
28. The apparatus according to claim 21, characterised in that the mobile terminal further comprises a fifth sending submodule, a fifth receiving submodule, a fifth judging submodule, a second generating submodule, a sixth sending submodule, a sixth receiving submodule and a sixth judging submodule;
the fifth sending submodule is configured to send a first registration request including the user ID to the server;
the fifth receiving submodule is configured to receive from the server a first response including the application ID, a first challenge and the origin data;
the second generating submodule is configured to generate registration data according to a preset registration command type and the first challenge, the origin data and the application ID received by the fifth receiving submodule;
the characteristic sending submodule is further configured to, after the enabling submodule has enabled the notify characteristic, send to the identity authentication device through the write characteristic a registration command including the registration data generated by the second generating submodule;
the characteristic receiving submodule is further configured to receive a third response, including a first authentication credential, returned by the identity authentication device through the notify characteristic;
the sixth sending submodule is configured to send to the server a second registration request including the registration command type, the first challenge, the origin data, the application ID, the user ID and the first authentication credential;
the sixth receiving submodule is configured to receive from the server a fourth response including an error code;
the sixth judging submodule is configured to judge whether the error code is the second preset value; if so, registration succeeds; otherwise, registration fails.
29. The apparatus according to claim 28, characterised in that the first response further includes a first version number;
the characteristic sending submodule is further configured to, after the enabling submodule has enabled the notify characteristic, send a get-version-number command to the identity authentication device through the write characteristic obtained by the first obtaining submodule;
the characteristic receiving submodule is further configured to receive a second response, including a second version number, returned by the identity authentication device through the notify characteristic;
the mobile terminal further comprises a seventh judging submodule and a second error reporting submodule;
the seventh judging submodule is configured to judge whether the second version number in the second response received by the characteristic receiving submodule matches the first version number received by the fifth receiving submodule;
the second generating submodule is configured to, after the seventh judging submodule judges yes, generate the registration data according to the preset registration command type and the first challenge, the origin data and the application ID received by the fifth receiving submodule;
the second error reporting submodule is configured to report an error after the seventh judging submodule judges no.
30. The apparatus according to claim 28, characterised in that the second generating submodule specifically comprises a second assembling unit, a second hashing unit and a second generating unit;
the second assembling unit is configured to assemble first client data including the preset registration command type, the first challenge and the origin data;
the second hashing unit is configured to hash the first client data assembled by the second assembling unit and the application ID separately, obtaining a first hash value and a second hash value;
the second generating unit is configured to generate the registration data according to the first hash value and the second hash value obtained by the second hashing unit;
the sixth sending submodule is specifically configured to send to the server a second registration request including the first client data, the application ID, the user ID and the first authentication credential.
31. The apparatus according to claim 30, characterised in that it further comprises an identity authentication device;
the identity authentication device comprises a third generating submodule, a second signing submodule, a seventh sending submodule and a seventh receiving submodule;
the seventh receiving submodule is configured to receive the registration command;
the third generating submodule is configured to generate a key pair and a key handle corresponding to the key pair after the seventh receiving submodule has received the registration command;
the second signing submodule is configured to assemble first data to be signed including the public key of the key pair, the key handle, and the first hash value and the second hash value in the registration data, and to sign the first data to be signed according to a preset hash algorithm and the private key of the key pair, obtaining first signed data;
the seventh sending submodule is configured to assemble a first authentication credential including the public key of the key pair, the key handle corresponding to the key pair and the first signed data, and to return to the mobile terminal the third response including the first authentication credential.
32. The apparatus according to claim 31, characterised in that it further comprises a server;
the server comprises an eighth receiving submodule, a second signature verification submodule, an eighth judging submodule, an eighth sending submodule and an associating submodule;
the eighth receiving submodule is configured to receive the second registration request;
the second signature verification submodule is configured to verify the first signed data in the first authentication credential according to the first client data, the application ID, the public key in the first authentication credential, the key handle in the first authentication credential and the preset hash algorithm;
the eighth judging submodule is configured to judge whether the verification by the second signature verification submodule succeeds;
the associating submodule is configured to, after the eighth judging submodule judges yes, establish a correspondence between the user ID and each of the key handle and the public key in the third response, and to save them;
the eighth sending submodule is configured to set the error code to the second preset value and send the fourth response including the error code to the mobile terminal after the eighth judging submodule judges yes, and to set the error code to the third preset value and send the fourth response including the error code to the mobile terminal after the eighth judging submodule judges no.
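The registration exchange of claims 30 to 32 and the authentication exchange of claims 23 to 25, carried through end to end as an added worked example in Go. This is the editor's illustration, not code from the patent or from Feitian. It assumes ECDSA on P-256 with SHA-256 as the preset hash algorithm, JSON-encoded client data, a 32-byte random key handle, PKIX-encoded public keys and a device that keeps its private keys in memory indexed by key handle; the claims fix none of these. The server associates the key handle and public key with the user ID only after the registration signature verifies, and an assertion replayed against a different challenge is rejected because the challenge is bound into the signed client-data hash.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData is what the mobile terminal assembles from the command type, the challenge and
// the origin data (claims 23 and 30); JSON encoding is an assumption, the page fixes no format.
type ClientData struct{ Type, Challenge, Origin string }

// Hash is the hash of the client data (h1/h3); AppHash the hash of the application ID (h2/h4).
func (c ClientData) Hash() []byte { b, _ := json.Marshal(c); h := sha256.Sum256(b); return h[:] }
func AppHash(appID string) []byte { h := sha256.Sum256([]byte(appID)); return h[:] }

// sign applies the preset hash algorithm (SHA-256, an assumption) and signs with ECDSA P-256.
func sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// verify is the server-side counterpart of sign; pubDER is the PKIX-encoded public key.
func verify(pubDER, msg, sig []byte) bool {
	k, _ := x509.ParsePKIXPublicKey(pubDER)
	pk, ok := k.(*ecdsa.PublicKey) // a parse failure leaves k nil and fails the assertion
	if !ok {
		return false
	}
	d := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pk, d[:], sig)
}

// Device plays the identity authentication device; private keys are indexed by key handle.
type Device struct{ keys map[string]*ecdsa.PrivateKey }

// Register generates a key pair and a key handle (32 random bytes, an assumption) and signs
// pub || handle || clientHash || appHash as the second signing submodule of claim 31 does.
func (d *Device) Register(clientHash, appHash []byte) (pub, handle, sig []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	handle = make([]byte, 32)
	if _, err = rand.Read(handle); err != nil {
		return nil, nil, nil, err
	}
	if pub, err = x509.MarshalPKIXPublicKey(&priv.PublicKey); err != nil {
		return nil, nil, nil, err
	}
	d.keys[string(handle)] = priv
	sig, err = sign(priv, bytes.Join([][]byte{pub, handle, clientHash, appHash}, nil))
	return pub, handle, sig, err
}

// Authenticate takes the authentication data h3 || h4 || keyHandle of claim 23, looks the
// private key up by the handle and signs h3 || h4 (claim 24); an unknown handle is refused.
func (d *Device) Authenticate(authData []byte) ([]byte, error) {
	if len(authData) > 64 {
		if priv, ok := d.keys[string(authData[64:])]; ok {
			return sign(priv, authData[:64])
		}
	}
	return nil, errors.New("malformed authentication data or unknown key handle")
}

type credential struct{ handle, pub []byte }

// Server verifies the signatures and keeps (key handle, public key) per user ID (claims 25, 32).
type Server struct{ users map[string]credential }

// Register recomputes both hashes from what the mobile terminal sent and stores the credential
// only if the registration signature verifies under the public key it carries.
func (s *Server) Register(userID string, cd ClientData, appID string, pub, handle, sig []byte) bool {
	if !verify(pub, bytes.Join([][]byte{pub, handle, cd.Hash(), AppHash(appID)}, nil), sig) {
		return false
	}
	s.users[userID] = credential{handle, pub}
	return true
}

// Authenticate looks the public key up by user ID and verifies the signature over h3 || h4.
func (s *Server) Authenticate(userID string, cd ClientData, appID string, sig []byte) bool {
	u, ok := s.users[userID]
	return ok && verify(u.pub, bytes.Join([][]byte{cd.Hash(), AppHash(appID)}, nil), sig)
}

// RunFlow runs one registration and one authentication for userID and reports whether each
// verified, and whether the same assertion replayed against a fresh challenge is rejected.
func RunFlow(userID, appID, origin string) (regOK, authOK, replayRejected bool, err error) {
	dev := &Device{keys: map[string]*ecdsa.PrivateKey{}}
	srv := &Server{users: map[string]credential{}}
	regCD := ClientData{Type: "register", Challenge: "challenge-1", Origin: origin}
	pub, handle, sig, err := dev.Register(regCD.Hash(), AppHash(appID))
	if err != nil {
		return
	}
	regOK = srv.Register(userID, regCD, appID, pub, handle, sig)
	authCD := ClientData{Type: "authenticate", Challenge: "challenge-2", Origin: origin}
	sig2, err := dev.Authenticate(bytes.Join([][]byte{authCD.Hash(), AppHash(appID), handle}, nil))
	if err != nil {
		return
	}
	authOK = srv.Authenticate(userID, authCD, appID, sig2)
	stale := ClientData{Type: "authenticate", Challenge: "challenge-3", Origin: origin}
	replayRejected = !srv.Authenticate(userID, stale, appID, sig2)
	return
}

func main() {
	r, a, p, err := RunFlow("alice", "https://app.example", "https://app.example")
	fmt.Println("registered:", r, "authenticated:", a, "replay rejected:", p, "err:", err)
}
```

Everything the server accepts in the eighth and fourth responses (the error code) and in the version exchange travels outside the signature, so the mobile terminal's pass/fail decision in claims 21 and 28 rests on the transport to the server, not on the authenticator's key; the signature only binds the client data, the application ID and, at registration, the public key and key handle.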
33. The apparatus according to claim 28, characterised in that the mobile terminal further comprises a second fragmenting submodule, a second assembling submodule and a ninth judging submodule, and the first obtaining submodule is further configured to obtain a read characteristic from the service and to use the value of the read characteristic as the packet length;
the second assembling submodule is configured to assemble the registration command;
the ninth judging submodule is configured to judge, according to the packet length, whether the registration command assembled by the second assembling submodule needs to be fragmented;
the second fragmenting submodule is configured to fragment the registration command according to the packet length after the ninth judging submodule judges yes.
34. The apparatus according to claim 33, characterised in that the second assembling submodule is specifically configured to assemble a first command according to the registration data generated by the second generating submodule, to use the first command as the data field of the registration command, and to prepend to the first command a protocol command type identifier and the data length of the first command, obtaining the registration command.
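The command framing of claims 27 and 34 and the fragmentation of claims 26 and 33, with the receiving side that puts the fragments back together, as an added example in Go; this is the editor's code, not the patent's or Feitian's. It assumes a 1-byte protocol command identifier, a 2-byte big-endian length field and fragments that carry no per-packet header, none of which the claims specify; packetLen stands for the value read from the read characteristic.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// BuildCommand prepends the protocol command identifier and the length of the inner command,
// which becomes the data field (claims 27 and 34). A 1-byte identifier and a 2-byte big-endian
// length are assumptions; the page fixes neither width.
func BuildCommand(cmdID byte, inner []byte) ([]byte, error) {
	if len(inner) > 0xFFFF {
		return nil, errors.New("inner command does not fit a 16-bit length field")
	}
	frame := make([]byte, 3+len(inner))
	frame[0] = cmdID
	binary.BigEndian.PutUint16(frame[1:3], uint16(len(inner)))
	copy(frame[3:], inner)
	return frame, nil
}

// Fragment splits a command into packets of at most packetLen bytes, packetLen being the value
// read from the read characteristic (claims 26 and 33). A command that already fits goes whole.
func Fragment(cmd []byte, packetLen int) ([][]byte, error) {
	if packetLen <= 0 {
		return nil, errors.New("invalid packet length")
	}
	var pkts [][]byte
	for off := 0; off < len(cmd); off += packetLen {
		end := off + packetLen
		if end > len(cmd) {
			end = len(cmd)
		}
		pkts = append(pkts, cmd[off:end])
	}
	return pkts, nil
}

// Reassembler is the receiving side: it accumulates packets until the length announced in the
// header has arrived. Fragments carry no sequence byte here because the page mentions none, so
// the receiver trusts the transport to deliver writes in order.
type Reassembler struct{ buf []byte }

// Feed adds one packet. done is true once a whole command is available; the buffer is reset on
// completion and on error so that a malformed command cannot poison the next one.
func (r *Reassembler) Feed(pkt []byte) (cmdID byte, data []byte, done bool, err error) {
	r.buf = append(r.buf, pkt...)
	if len(r.buf) < 3 {
		return 0, nil, false, nil
	}
	total := 3 + int(binary.BigEndian.Uint16(r.buf[1:3]))
	switch {
	case len(r.buf) < total:
		return 0, nil, false, nil
	case len(r.buf) > total:
		r.buf = nil
		return 0, nil, false, errors.New("received more bytes than the header announces")
	}
	cmdID, data = r.buf[0], append([]byte(nil), r.buf[3:]...)
	r.buf = nil
	return cmdID, data, true, nil
}

// RoundTrip builds, fragments and reassembles one command and returns what the receiver saw
// together with the number of packets that crossed the link.
func RoundTrip(cmdID byte, inner []byte, packetLen int) (gotID byte, gotData []byte, packets int, err error) {
	cmd, err := BuildCommand(cmdID, inner)
	if err != nil {
		return 0, nil, 0, err
	}
	pkts, err := Fragment(cmd, packetLen)
	if err != nil {
		return 0, nil, 0, err
	}
	var rx Reassembler
	for i, p := range pkts {
		id, data, done, ferr := rx.Feed(p)
		if ferr != nil {
			return 0, nil, i + 1, ferr
		}
		if done && i != len(pkts)-1 {
			return 0, nil, i + 1, errors.New("command completed before the last packet")
		}
		if done {
			return id, data, len(pkts), nil
		}
	}
	return 0, nil, len(pkts), errors.New("command incomplete after the last packet")
}

func main() {
	id, data, n, err := RoundTrip(0x83, []byte("constructed registration data"), 20)
	fmt.Printf("cmd=%#x len=%d packets=%d err=%v\n", id, len(data), n, err)
}
```

For comparison, the FIDO U2F BLE framing puts a sequence number in every continuation packet, so a dropped or reordered fragment is detected instead of being silently concatenated; a receiver built as above has only the announced length to go on and will either stall or report excess bytes.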
35. The apparatus according to claim 21 or 28, characterised in that the mobile terminal further comprises a third error reporting submodule, and the searching submodule comprises a searching unit, a receiving unit and a judging unit;
the searching unit is configured to search for identity authentication devices;
the receiving unit is configured to receive broadcast data from an identity authentication device;
the judging unit is configured to judge whether the service identifier in the broadcast data from the identity authentication device received by the receiving unit matches the preset service identifier, and if so, to determine that an identity authentication device matching the preset service identifier has been found;
the third error reporting submodule is configured to report an error after the judging unit judges no.
36. The apparatus according to claim 35, characterised in that the searching unit is specifically configured to search for identity authentication devices by calling the system's search interface and to set a search callback object, the search callback object including a search callback method;
the receiving unit is specifically configured to receive, through the search callback method of the system, the broadcast data from the identity authentication device and the device object corresponding to the identity authentication device.
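The judging unit of claim 35, which matches the service identifier in the broadcast data against the preset one, as an added example in Go; this is the editor's code, not the patent's. It assumes the broadcast data is standard BLE advertising data, a sequence of [length][AD type][payload] structures, with the service identifier carried in the 16-bit or 128-bit service UUID lists, which is how a BLE peripheral normally advertises a service. The sample advertisements are constructed, and 0xFFFD is only a sample identifier: the claims do not say what the device's identifier is or how it is encoded.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// AD types from the Bluetooth Assigned Numbers that carry service UUIDs in advertising data.
const (
	adIncomplete16  = 0x02
	adComplete16    = 0x03
	adIncomplete128 = 0x06
	adComplete128   = 0x07
)

// SampleAdv is a constructed advertisement: flags, a complete list of one 16-bit service UUID
// (0xFFFD, a sample value), a complete local name "Key1", then zero padding.
var SampleAdv = []byte{
	0x02, 0x01, 0x06,
	0x03, 0x03, 0xFD, 0xFF,
	0x05, 0x09, 'K', 'e', 'y', '1',
	0x00, 0x00,
}

// SampleAdv128 is a constructed advertisement carrying the same service as a 128-bit UUID
// (0000fffd-0000-1000-8000-00805f9b34fb); 128-bit UUIDs are little-endian on the air.
var SampleAdv128 = []byte{
	0x11, 0x07,
	0xFB, 0x34, 0x9B, 0x5F, 0x80, 0x00, 0x00, 0x80, 0x00, 0x10, 0x00, 0x00, 0xFD, 0xFF, 0x00, 0x00,
}

// ServiceUUIDs walks the [length][AD type][payload] structures of raw advertising data and returns
// the advertised service UUIDs: "xxxx" for 16-bit UUIDs, 8-4-4-4-12 form for 128-bit, lowercase.
func ServiceUUIDs(adv []byte) ([]string, error) {
	var out []string
	for i := 0; i < len(adv); {
		l := int(adv[i])
		if l == 0 {
			break // a zero-length structure means the rest is padding
		}
		if i+1+l > len(adv) {
			return nil, errors.New("truncated AD structure")
		}
		typ, payload := adv[i+1], adv[i+2:i+1+l]
		switch typ {
		case adIncomplete16, adComplete16:
			if len(payload)%2 != 0 {
				return nil, errors.New("16-bit UUID list has odd length")
			}
			for j := 0; j < len(payload); j += 2 {
				out = append(out, fmt.Sprintf("%02x%02x", payload[j+1], payload[j]))
			}
		case adIncomplete128, adComplete128:
			if len(payload)%16 != 0 {
				return nil, errors.New("128-bit UUID list is not a multiple of 16 bytes")
			}
			for j := 0; j < len(payload); j += 16 {
				be := make([]byte, 16)
				for k := range be {
					be[k] = payload[j+15-k]
				}
				h := hex.EncodeToString(be)
				out = append(out, h[:8]+"-"+h[8:12]+"-"+h[12:16]+"-"+h[16:20]+"-"+h[20:])
			}
		}
		i += 1 + l
	}
	return out, nil
}

// MatchesService is the judging unit of claim 35: it reports whether the preset service
// identifier appears in the broadcast data. Malformed data is an error, never a match.
func MatchesService(adv []byte, presetService string) (bool, error) {
	uuids, err := ServiceUUIDs(adv)
	if err != nil {
		return false, err
	}
	for _, u := range uuids {
		if strings.EqualFold(u, presetService) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ok, err := MatchesService(SampleAdv, "fffd")
	fmt.Println("advertises the preset service:", ok, "err:", err)
}
```

A match on the advertised service UUID only selects which peripheral to connect to; any device can advertise any UUID, so it is the signature verification on the server side, not this check, that establishes the authenticator's identity.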
37. The apparatus according to claim 36, characterised in that the connecting submodule is specifically configured to establish a Bluetooth connection with the identity authentication device by calling the system's connect method on the device object, corresponding to the identity authentication device, received by the receiving unit, to obtain a GATT object, and to set a connection callback object.
38. The apparatus according to claim 37, characterised in that the first obtaining submodule is specifically configured to call the system's get-service method on the GATT object with the preset service identifier as parameter, obtaining the service object of the identity authentication device; to call the system's get-characteristic method on the service object with the preset write characteristic identifier as parameter, obtaining the write characteristic object from the service object; and to call the system's get-characteristic method on the service object with the preset notify characteristic identifier as parameter, obtaining the notify characteristic object from the service object.
39. The apparatus according to claim 38, characterised in that the callback object includes a notification callback method of the system;
the enabling submodule is specifically configured to call the system's set-characteristic-notification method to enable the notify characteristic object;
the characteristic receiving submodule is specifically configured to receive, through the communication callback method of the system, the sixth response including the second version number returned by the identity authentication device through the notify characteristic object, and to receive, through the communication callback method of the system, the seventh response returned by the identity authentication device through the notify characteristic object.
40. The apparatus according to claim 21 or 28, characterised in that the first obtaining submodule is specifically configured to obtain the service of the identity authentication device according to the preset service identifier, to obtain the notify characteristic from the service according to the preset notify characteristic identifier, and to obtain the write characteristic from the service according to the preset write characteristic identifier.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610368089.6A CN106102058B (en) 2016-05-30 2016-05-30 A kind of identity identifying method and device

Publications (2)

Publication Number Publication Date
CN106102058A true CN106102058A (en) 2016-11-09
CN106102058B CN106102058B (en) 2019-04-12

Family

ID=57229487

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1890270A1 (en) * 2006-08-16 2008-02-20 Research In Motion Limited Hash of a certificate imported from a smart card
CN101635743A (en) * 2009-04-02 2010-01-27 浙江亚斯特科技有限公司 System and method using biologic characteristic certification result to validate identity of mobile terminal holder
CN102752311A (en) * 2012-07-16 2012-10-24 天地融科技股份有限公司 Authentication method, system and device
CN103001767A (en) * 2011-09-08 2013-03-27 北京智慧风云科技有限公司 User authentication system
CN105187450A (en) * 2015-10-08 2015-12-23 飞天诚信科技股份有限公司 Authentication method and device based on authentication equipment

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790306A (en) * 2017-03-27 2017-05-31 飞天诚信科技股份有限公司 A kind of authentication method and device for increasing by the second factor
CN107071707A (en) * 2017-03-31 2017-08-18 北京小米移动软件有限公司 Data transmission method and device
CN107196922A (en) * 2017-05-03 2017-09-22 国民认证科技(北京)有限公司 Identity identifying method, user equipment and server
CN107196922B (en) * 2017-05-03 2020-08-04 国民认证科技(北京)有限公司 Identity authentication method, user equipment and server
CN108959878A (en) * 2017-05-24 2018-12-07 佳能株式会社 The method that is used in customer certification system and including information processing unit
CN108959878B (en) * 2017-05-24 2022-03-22 佳能株式会社 Method adopted in user authentication system and information processing apparatus included therein
US11336464B2 (en) 2017-10-18 2022-05-17 Crosbil Ltd. Identity authentication method and system, as well as computing device and storage medium
CN107508686B (en) * 2017-10-18 2020-07-03 克洛斯比尔有限公司 Identity authentication method and system, computing device and storage medium
CN107508686A (en) * 2017-10-18 2017-12-22 克洛斯比尔有限公司 Identity identifying method and system and computing device and storage medium
WO2019076020A1 (en) * 2017-10-18 2019-04-25 克洛斯比尔有限公司 Identity authentication method and system, as well as computing device and storage medium
CN110913380A (en) * 2019-12-19 2020-03-24 飞天诚信科技股份有限公司 Method and device for communicating with Bluetooth device based on applet platform
CN110913380B (en) * 2019-12-19 2023-09-22 飞天诚信科技股份有限公司 Method and device for communication with Bluetooth equipment based on applet platform
CN113709055A (en) * 2020-05-20 2021-11-26 安徽华米信息科技有限公司 BLE-based communication method, device, equipment, system and storage medium
CN113709055B (en) * 2020-05-20 2023-12-05 安徽华米信息科技有限公司 BLE-based communication method, BLE-based communication device, BLE-based communication equipment, BLE-based communication system and BLE-based storage medium
CN111740846A (en) * 2020-08-04 2020-10-02 飞天诚信科技股份有限公司 Method and system for realizing smart card information reading of mobile terminal
CN112291774A (en) * 2020-12-31 2021-01-29 飞天诚信科技股份有限公司 Method and system for communicating with authenticator
CN112291774B (en) * 2020-12-31 2021-03-16 飞天诚信科技股份有限公司 Method and system for communicating with authenticator
CN115065691A (en) * 2022-08-18 2022-09-16 飞天诚信科技股份有限公司 Communication implementation method and device based on android platform
CN115065691B (en) * 2022-08-18 2022-11-01 飞天诚信科技股份有限公司 Communication implementation method and device based on android platform

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
OL01 Intention to license declared