CN106102058B - A kind of identity identifying method and device - Google Patents


Info

Publication number
CN106102058B
Authority
CN
China
Prior art keywords
submodule
data
feature
certification
mobile terminal
Prior art date
Legal status
Active
Application number
CN201610368089.6A
Other languages
Chinese (zh)
Other versions
CN106102058A (en)
Inventor
陆舟
于华章
Current Assignee
Feitian Technologies Co Ltd
Original Assignee
Feitian Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Feitian Technologies Co Ltd
Priority to CN201610368089.6A
Publication of CN106102058A
Application granted
Publication of CN106102058B
Legal status: Active
Anticipated expiration

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Abstract

The present invention discloses an identity authentication method and device. The method comprises: the mobile terminal sends a first authentication request containing a user identifier to the server backend and receives a fifth response from the server backend; it searches for the identity authentication device whose service identifier matches the preset service identifier and establishes a Bluetooth connection with it; it obtains the service of the identity authentication device, obtains the notify characteristic and the write characteristic from that service, and enables the notify characteristic; it generates authentication data from the preset authentication instruction type and the information in the fifth response, and sends an authentication instruction containing the authentication data to the identity authentication device through the write characteristic; it receives, through the notify characteristic, a seventh response containing a second authentication credential returned by the identity authentication device; it sends to the server backend a second authentication request containing the authentication instruction type, the second challenge value, the origin data, the application ID, the user identifier and the second authentication credential; it receives an eighth response from the server backend; and it judges from the eighth response whether authentication succeeded.

Description

A kind of identity identifying method and device
Technical field
The present invention relates to the field of identity authentication, and in particular to an identity authentication method and device.
Background technique
Identity authentication technology is the method used in a computer network to confirm that an operator holds the legal identity, that is, to guarantee that the operator acting under a digital identity is the lawful owner of that identity. It covers several forms of authentication, such as static passwords, SMS passwords and dynamic passwords. In the prior art, most of these forms require the user to enter a password or a one-time password, so the authentication process is cumbersome and at the same time carries security risks.
Summary of the invention
The present invention provides an identity authentication method and device that solve the above technical problem.
The present invention provides an identity authentication method, comprising:
Step s1: the mobile terminal sends a first authentication request containing a user identifier to the server backend, and receives from the server backend a fifth response containing an application ID, a second challenge value, origin data and a key handle corresponding to the user identifier;
Step s2: the mobile terminal searches for the identity authentication device whose service identifier matches the preset service identifier, and establishes a Bluetooth connection with it;
Step s3: the mobile terminal obtains the service of the identity authentication device, obtains the notify characteristic and the write characteristic from that service, and enables the notify characteristic;
Step s4: the mobile terminal generates authentication data from the preset authentication instruction type, the second challenge value, the origin data, the application ID and the key handle, and sends an authentication instruction containing the authentication data to the identity authentication device through the write characteristic; it receives, through the notify characteristic, a seventh response containing a second authentication credential returned by the identity authentication device;
Step s5: the mobile terminal sends to the server backend a second authentication request containing the authentication instruction type, the second challenge value, the origin data, the application ID, the user identifier and the second authentication credential;
Step s6: the mobile terminal receives from the server backend an eighth response containing an error code, and judges whether the error code equals the second preset value; if so, authentication is judged successful; otherwise it is judged failed.
The present invention also provides an identity authentication system, comprising a mobile terminal;
the mobile terminal comprises: a first sending submodule, a first receiving submodule, a search submodule, a connection submodule, a first acquisition submodule, an enabling submodule, a characteristic sending submodule, a characteristic receiving submodule, a first generating submodule, a second sending submodule, a second receiving submodule and a first judging submodule;
the first sending submodule sends a first authentication request containing a user identifier to the server backend;
the first receiving submodule receives from the server backend a fifth response containing an application ID, a second challenge value, origin data and a key handle corresponding to the user identifier;
the search submodule searches for the identity authentication device whose service identifier matches the preset service identifier;
the connection submodule establishes a Bluetooth connection with the identity authentication device whose service identifier matches the preset service identifier;
the first acquisition submodule obtains the service of the identity authentication device and obtains the notify characteristic and the write characteristic from that service;
the enabling submodule enables the notify characteristic obtained by the first acquisition submodule;
the first generating submodule generates authentication data from the preset authentication instruction type and the second challenge value, origin data, application ID and key handle received by the first receiving submodule;
the characteristic sending submodule, after the enabling submodule has enabled the notify characteristic, sends through the write characteristic an authentication instruction containing the authentication data generated by the first generating submodule to the identity authentication device;
the characteristic receiving submodule receives, through the notify characteristic, a seventh response containing a second authentication credential returned by the identity authentication device;
the second sending submodule sends to the server backend a second authentication request containing the authentication instruction type, the second challenge value, the origin data, the application ID, the user identifier and the second authentication credential;
the second receiving submodule receives from the server backend an eighth response containing an error code;
the first judging submodule judges whether the error code equals the second preset value; if so, authentication is judged successful; otherwise it is judged failed.
Beneficial effects of the present invention: the identity authentication method and device provided in this embodiment involve an identity authentication device in the authentication process, so the user does not need to enter a password; authentication becomes more convenient and easier to operate, and its security is also improved.
Detailed description of the invention
Fig. 1 is a flow chart of the identity authentication method provided in Embodiment 1 of the present invention;
Fig. 2 and Fig. 3 are flow charts of the registration phase of the identity authentication method provided in Embodiment 2 of the present invention;
Fig. 4 and Fig. 5 are flow charts of the authentication phase of the identity authentication method provided in Embodiment 2 of the present invention;
Fig. 6 is a structural diagram of the identity authentication system provided in Embodiment 3 of the present invention.
Specific implementation
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them; all other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
Embodiment 1
This embodiment provides an identity authentication method which, as shown in Fig. 1, comprises:
Step s1: the mobile terminal sends a first authentication request containing a user identifier to the server backend, and receives from the server backend a fifth response containing an application ID, a second challenge value, origin data and a key handle corresponding to the user identifier;
Step s2: the mobile terminal searches for the identity authentication device whose service identifier matches the preset service identifier, and establishes a Bluetooth connection with it;
Step s3: the mobile terminal obtains the service of the identity authentication device, obtains the notify characteristic and the write characteristic from that service, and enables the notify characteristic;
Here, obtaining the service and the two characteristics specifically means: the mobile terminal obtains the service of the identity authentication device according to the preset service identifier, obtains the notify characteristic from the service according to the preset notify characteristic identifier, and obtains the write characteristic from the service according to the preset write characteristic identifier.
Step s4: the mobile terminal generates authentication data from the preset authentication instruction type, the second challenge value, the origin data, the application ID and the key handle, and sends an authentication instruction containing the authentication data to the identity authentication device through the write characteristic; it receives, through the notify characteristic, a seventh response containing a second authentication credential returned by the identity authentication device;
Here, generating the authentication data from the preset authentication instruction type, the second challenge value, the origin data, the application ID and the key handle specifically comprises:
Step a1: the mobile terminal assembles second client data containing the preset authentication instruction type, the second challenge value and the origin data;
Step a2: the mobile terminal hashes the second client data and the application ID separately, obtaining a third hash value and a fourth hash value, and generates the authentication data from the third hash value, the fourth hash value and the key handle;
After the identity authentication device receives the authentication instruction, it obtains the authentication data from the instruction, obtains the key handle and the private key corresponding to that key handle from the authentication data, assembles second data to be signed containing the third hash value and the fourth hash value from the authentication data, signs the second data to be signed with the preset hash algorithm and the private key corresponding to the key handle to obtain second signature data, assembles a second authentication credential containing the second signature data, and returns a seventh response containing the second authentication credential to the mobile terminal.
Step s5: the mobile terminal sends to the server backend a second authentication request containing the authentication instruction type, the second challenge value, the origin data, the application ID, the user identifier and the second authentication credential;
Specifically, this means sending to the server backend a second authentication request containing the second client data, the application ID, the user identifier and the second authentication credential.
After the server backend receives the second authentication request, it obtains the public key corresponding to the user identifier in the request, verifies the second signature data in the second authentication credential using the second client data and application ID from the request, the preset hash algorithm and that public key, and judges whether verification succeeded; if so, it sets the error code to the second preset value and sends an eighth response containing the error code to the mobile terminal; otherwise it sets the error code to the third preset value and sends an eighth response containing the error code to the mobile terminal.
Step s6: the mobile terminal receives the eighth response containing the error code from the server backend, and judges whether the error code equals the second preset value; if so, authentication is judged successful; otherwise it is judged failed.
In this embodiment the fifth response may further contain a first version number; correspondingly, before step s4 the method may further comprise: the mobile terminal sends a get-version-number instruction to the identity authentication device through the write characteristic, and receives through the notify characteristic a sixth response containing a second version number returned by the device; it judges whether the first version number matches the second version number; if so, step s4 is executed; otherwise an error is reported.
In this embodiment, step s3 may further comprise obtaining the read characteristic from the service and using the value of the read characteristic as the packet length;
and before sending the authentication instruction containing the authentication data to the identity authentication device through the write characteristic, the method further comprises: assembling the authentication instruction from the authentication data; judging from the packet length whether the authentication instruction needs to be fragmented; if so, fragmenting it according to the packet length and continuing; otherwise continuing directly.
Here, assembling the authentication instruction from the authentication data specifically comprises: assembling a second instruction from the authentication data, using the second instruction as the data field of the authentication instruction, and prefixing the second instruction with the protocol instruction type identifier and the data length of the second instruction to obtain the authentication instruction.
In this embodiment, the method may further comprise, before step s1:
Step r1: the mobile terminal sends a first registration request containing a user identifier to the server backend, and receives from the server backend a first response containing an application ID, a first challenge value and origin data;
Step r2: the mobile terminal searches for the identity authentication device whose service identifier matches the preset service identifier, and establishes a Bluetooth connection with it;
Step r3: the mobile terminal obtains the service of the identity authentication device, obtains the notify characteristic and the write characteristic from that service, and enables the notify characteristic;
Here, obtaining the service and the two characteristics specifically means: the mobile terminal obtains the service of the identity authentication device according to the preset service identifier, obtains the notify characteristic from the service according to the preset notify characteristic identifier, and obtains the write characteristic from the service according to the preset write characteristic identifier.
Step r4: the mobile terminal generates registration data from the preset registration instruction type, the first challenge value, the origin data and the application ID, and sends a registration instruction containing the registration data to the identity authentication device through the write characteristic; it receives, through the notify characteristic, a third response containing a first authentication credential returned by the identity authentication device;
Here, generating the registration data from the preset registration instruction type, the first challenge value, the origin data and the application ID specifically comprises:
Step b1: the mobile terminal assembles first client data containing the preset registration instruction type, the first challenge value and the origin data;
Step b2: the mobile terminal hashes the first client data and the application ID separately, obtaining a first hash value and a second hash value, and generates the registration data from the first hash value and the second hash value;
After the identity authentication device receives the registration instruction, it generates a key pair and a key handle corresponding to the key pair, assembles first data to be signed containing the public key of the key pair, the key handle, and the first and second hash values from the registration data, signs the first data to be signed with the preset hash algorithm and the private key of the key pair to obtain first signature data, assembles a first authentication credential containing the public key of the key pair, the key handle corresponding to the key pair and the first signature data, and returns a third response containing the first authentication credential to the mobile terminal.
Step r5: the mobile terminal obtains the first authentication credential from the third response, and sends to the server backend a second registration request containing the registration instruction type, the first challenge value, the origin data, the application ID, the user identifier and the first authentication credential;
Specifically, this means sending to the server backend a second registration request containing the first client data, the application ID, the user identifier and the first authentication credential.
After the server backend receives the second registration request, it verifies the first signature data in the first authentication credential using the first client data, the application ID, the public key and key handle in the first authentication credential, and the preset hash algorithm, and judges whether verification succeeded; if so, it stores the key handle and the public key from the third response, each associated with the user identifier, sets the error code to the second preset value and sends a fourth response containing the error code to the mobile terminal; otherwise it sets the error code to the third preset value and sends a fourth response containing the error code to the mobile terminal.
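The registration exchange just described (steps b1, b2, r4, r5) and the authentication exchange of steps a1, a2, s4 and s5 share the same building blocks: two hashes, a key handle, a signature by the device and a verification by the server backend. The following is an added example that is not part of the patent or of Feitian's code; it runs the two exchanges offline between a simulated mobile terminal, identity authentication device and server backend. The patent names neither the hash algorithm nor the signature scheme, so SHA-256 and ECDSA over P-256 are assumptions (ECDSA is inlined as a teaching implementation so the block needs only the standard library; it is not constant-time), as are the byte order of the concatenated fields, the instruction-type strings, the challenge values, and the codes 0 and 1 standing in for the patent's "second" and "third preset value".

```python
"""Added example, not the patent's or Feitian's code: U2F-style registration
(steps b1-b2, r4-r5) and authentication (steps a1-a2, s4-s5) of Embodiment 1.
Assumptions: SHA-256 as the preset hash algorithm, ECDSA over P-256 as the
signature scheme, the field order in the signed data, and 0 / 1 as the
second / third preset value error codes."""
import hashlib
import json
import secrets

# ---- minimal P-256 ECDSA (assumed curve; the patent names none) --------------
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def _add(p, q):
    """Affine point addition (a = -3); None is the point at infinity."""
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None          # q == -p
    if p == q: lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, p):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1: r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def ecdsa_sign(d, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s: return (r, s)

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def pub_bytes(pub):
    return b"\x04" + pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")

# ---- the protocol ------------------------------------------------------------
SUCCESS, FAILURE = 0, 1        # stand-ins for the second / third preset value

def client_data(instr_type, challenge, origin):
    """Steps b1 / a1: client data assembled by the mobile terminal."""
    return json.dumps({"typ": instr_type, "challenge": challenge,
                       "origin": origin}, separators=(",", ":")).encode()

def two_hashes(client, app_id):
    """Steps b2 / a2: H(client data) || H(application ID), 64 bytes."""
    return hashlib.sha256(client).digest() + hashlib.sha256(app_id.encode()).digest()

class AuthDevice:
    """Simulated identity authentication device; private keys never leave it."""
    def __init__(self): self._keys = {}
    def register(self, reg_data):
        d = secrets.randbelow(N - 1) + 1
        pub, handle = _mul(d, G), secrets.token_bytes(16)
        self._keys[handle] = d
        sig = ecdsa_sign(d, pub_bytes(pub) + handle + reg_data)   # first data to be signed
        return {"public_key": pub, "key_handle": handle, "signature": sig}
    def authenticate(self, auth_data):                               # hashes || key handle
        hashes, handle = auth_data[:64], auth_data[64:]
        if handle not in self._keys: raise KeyError("key handle not issued by this device")
        return {"signature": ecdsa_sign(self._keys[handle], hashes)}  # second data to be signed

class ServerBackend:
    """Simulated server backend: verifies, then binds key handle + public key to the user."""
    def __init__(self): self.users = {}
    def finish_registration(self, user, client, app_id, cred):
        msg = pub_bytes(cred["public_key"]) + cred["key_handle"] + two_hashes(client, app_id)
        if not ecdsa_verify(cred["public_key"], msg, cred["signature"]): return FAILURE
        self.users[user] = (cred["key_handle"], cred["public_key"])
        return SUCCESS
    def finish_authentication(self, user, client, app_id, cred):
        handle, pub = self.users[user]
        return SUCCESS if ecdsa_verify(pub, two_hashes(client, app_id), cred["signature"]) else FAILURE

def run_flows(app_id="https://u2fdemo.appspot.com", user="alice"):
    """Mobile-terminal side of both phases; returns (registration, auth, replay) codes."""
    dev, srv = AuthDevice(), ServerBackend()
    c1 = client_data("register", "chal-1", app_id)                  # constructed challenge
    reg_code = srv.finish_registration(user, c1, app_id, dev.register(two_hashes(c1, app_id)))
    c2 = client_data("authenticate", "chal-2", app_id)
    cred = dev.authenticate(two_hashes(c2, app_id) + srv.users[user][0])  # handle from 5th response
    auth_code = srv.finish_authentication(user, c2, app_id, cred)
    c3 = client_data("authenticate", "chal-3", app_id)              # fresh challenge: replay fails
    replay_code = srv.finish_authentication(user, c3, app_id, cred)
    return reg_code, auth_code, replay_code
```

The third value returned by `run_flows` shows why the challenge is part of the client data: a credential captured from one authentication does not verify against the next challenge, so the server backend rejects it with the third preset value.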
Step r6: the mobile terminal receives the fourth response containing the error code from the server backend, and judges whether the error code equals the second preset value; if so, registration is judged successful; otherwise it is judged failed.
In this embodiment the first response may further contain a first version number; correspondingly, before step r4 the method further comprises: the mobile terminal sends a get-version-number instruction to the identity authentication device through the write characteristic, and receives through the notify characteristic a second response containing a second version number returned by the device; it judges whether the first version number matches the second version number; if so, step r4 is executed; otherwise an error is reported.
In this embodiment, step r3 may further comprise obtaining the read characteristic from the service and using the value of the read characteristic as the packet length;
and before sending the registration instruction containing the registration data to the identity authentication device through the write characteristic, the method further comprises: assembling the registration instruction from the registration data; judging from the packet length whether the registration instruction needs to be fragmented; if so, fragmenting it according to the packet length and continuing; otherwise continuing directly.
Here, assembling the registration instruction from the registration data specifically comprises: assembling a second instruction from the registration data, using the second instruction as the data field of the registration instruction, and prefixing the second instruction with the protocol instruction type identifier and the data length of the second instruction to obtain the registration instruction.
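The framing and fragmentation step appears twice in this embodiment, once for the authentication instruction and once for the registration instruction, and is the same in both cases: prefix the data with a protocol instruction type identifier and a data length, then split by the packet length read from the read characteristic. The following added example (not the patent's code) implements that step for both. The patent does not say how continuation packets are marked or what the type identifier is, so the one-byte sequence number in front of each continuation fragment and the type value 0x83 are assumptions borrowed from the FIDO BLE transport; the 120-byte payload is constructed.

```python
"""Added example, not the patent's code: framing an instruction as
[type][length hi][length lo][data] and fragmenting it by packet length.
Assumptions: type 0x83 (bit 7 set) and a 0x00..0x7F sequence byte in front
of every continuation fragment, as in the FIDO BLE transport."""
CMD_MSG = 0x83   # assumed protocol instruction type identifier

def build_instruction(cmd_type: int, data: bytes) -> bytes:
    """The 'second instruction' (data) becomes the data field behind a 3-byte header."""
    if len(data) > 0xFFFF:
        raise ValueError("data field longer than a 2-byte length can describe")
    if not cmd_type & 0x80:
        raise ValueError("command type needs bit 7 set so it cannot be mistaken for a sequence byte")
    return bytes([cmd_type]) + len(data).to_bytes(2, "big") + data

def needs_fragmentation(instruction: bytes, packet_len: int) -> bool:
    """The patent's check before writing: does the instruction exceed one packet?"""
    return len(instruction) > packet_len

def fragment(instruction: bytes, packet_len: int) -> list:
    """First packet carries the header; later ones start with a sequence byte."""
    if packet_len < 4:
        raise ValueError("packet length must hold the 3-byte header plus at least 1 data byte")
    packets, rest, seq = [instruction[:packet_len]], instruction[packet_len:], 0
    while rest:
        packets.append(bytes([seq]) + rest[:packet_len - 1])
        rest, seq = rest[packet_len - 1:], (seq + 1) & 0x7F
    return packets

def reassemble(packets: list):
    """Device-side inverse; rejects out-of-order, truncated or oversized input."""
    first = packets[0]
    if len(first) < 3 or not first[0] & 0x80:
        raise ValueError("first packet must start with a command type and a length")
    cmd_type, length = first[0], int.from_bytes(first[1:3], "big")
    buf = bytearray(first[3:])
    for i, pkt in enumerate(packets[1:]):
        if pkt[0] != i & 0x7F:
            raise ValueError(f"continuation packet {pkt[0]} out of order, expected {i & 0x7F}")
        buf += pkt[1:]
    if len(buf) < length:
        raise ValueError(f"truncated: got {len(buf)} of {length} data bytes")
    if len(buf) > length:
        raise ValueError("more data than the declared length")
    return cmd_type, bytes(buf)

def roundtrip(data: bytes, packet_len: int):
    """Mobile-terminal side (frame, decide, fragment) followed by the device side."""
    instr = build_instruction(CMD_MSG, data)
    pkts = fragment(instr, packet_len) if needs_fragmentation(instr, packet_len) else [instr]
    return len(pkts), reassemble(pkts)

AUTH_DATA = bytes(range(120))   # constructed stand-in for 64 hash bytes plus a key handle
```

With a 20-byte packet length (a common default BLE ATT payload) the 123-byte instruction built from `AUTH_DATA` goes out as one header packet of 20 bytes and six continuation packets of up to 19 data bytes each; a 2-byte payload fits in a single write and is never fragmented.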
In this embodiment, searching for the identity authentication device whose service identifier matches the preset service identifier specifically means:
the mobile terminal searches for identity authentication devices and receives broadcast data from an identity authentication device; it judges whether the service identifier in the broadcast data matches the preset service identifier; if so, it judges that a matching identity authentication device has been found and continues; otherwise it reports an error.
Here, searching for identity authentication devices and receiving the broadcast data specifically means: the mobile terminal calls the system's search interface to search for identity authentication devices and sets a search callback object containing a search callback method; through the system's search callback method it receives the broadcast data from the identity authentication device and the device object corresponding to that device.
Establishing the Bluetooth connection with the identity authentication device specifically comprises:
the mobile terminal calls the system's connection method on the device object corresponding to the identity authentication device to establish the Bluetooth connection with it, obtains the GATT (Generic Attribute Profile) object and sets a connection callback object.
Further, obtaining the service of the identity authentication device and the notify and write characteristics from it specifically comprises:
Step t1: the mobile terminal calls the system's get-service method on the GATT object with the preset service identifier as parameter, obtaining the service object of the identity authentication device; it calls the system's get-characteristic method on the service object with the preset write characteristic identifier as parameter, obtaining the write characteristic object from the service object; and it calls the system's get-characteristic method on the service object with the preset notify characteristic identifier as parameter, obtaining the notify characteristic object from the service object.
Further, the callback object contains the system's notification callback method;
enabling the notify characteristic specifically means: calling the system's set-characteristic-notification method to enable the notify characteristic object;
receiving the sixth response containing the second version number through the notify characteristic specifically means: the mobile terminal receives, through the system's communication callback method, the sixth response containing the second version number that the identity authentication device returns through the notify characteristic object;
receiving the seventh response through the notify characteristic specifically means: the mobile terminal receives, through the system's communication callback method, the seventh response that the identity authentication device returns through the notify characteristic object.
The identity authentication method provided in this embodiment involves an identity authentication device in the authentication process, so the user does not need to enter a password; authentication becomes more convenient and easier to operate, and its security is also improved.
Embodiment 2
This embodiment provides an identity authentication method comprising a registration phase and an authentication phase. The registration phase, shown in Fig. 2 and Fig. 3, comprises:
Step 101: the mobile terminal sends a first registration request containing a user identifier to the server backend;
In this embodiment the user identifier is specifically a user name.
Step 102: the mobile terminal receives the first response from the server backend and obtains the application ID, the first challenge value, the origin data and the first version number from it;
Specifically, the mobile terminal receives the first response in JSON format from the server backend and, using the preset application ID identifier, challenge value identifier, origin data identifier and version number identifier as parameters, calls the system's get-string method for each, obtaining from the first response the application ID corresponding to the application ID identifier, the first challenge value corresponding to the challenge value identifier, the origin data corresponding to the origin data identifier and the first version number corresponding to the version number identifier;
In this embodiment the preset application ID identifier is specifically APPID, the preset challenge value identifier is specifically challenge, the preset origin data identifier is specifically origin and the preset version number identifier is specifically version.
For example, the mobile terminal receives from the server backend the following first response in JSON format:
"APPID":"https://u2fdemo.appspot.com","challenge":"x9-d9XlfOZVWKjHkWhGIRg","origin":"https://u2fdemo.appspot.com","version":"U2F_V2"
Using the preset application ID identifier APPID, challenge value identifier challenge, origin data identifier origin and version number identifier version as parameters, it calls the system's get-string method getString(); the application ID obtained from the first response is https://u2fdemo.appspot.com, the first challenge value obtained is x9-d9XlfOZVWKjHkWhgIRg, the origin data obtained is https://u2fdemo.appspot.com and the first version number obtained is U2F_V2.
Step 103: the mobile terminal detects whether the Bluetooth channel is open; if so, step 105 is executed; otherwise step 104 is executed;
Step 104: the mobile terminal opens the Bluetooth channel;
Step 105: the mobile terminal searches for the identity authentication device over the Bluetooth channel;
Specifically, the mobile terminal calls the system's search interface to search for the identity authentication device over the Bluetooth channel and sets a search callback object.
The search callback object contains the system's search callback method.
For example, the mobile terminal uses the first preset type parameter filters, the second preset type parameter settings and the search callback object type parameter scanCallback, calls the system's first search interface startscan(), searches for the identity authentication device over the Bluetooth channel and sets the search callback object scanCallback.
In this embodiment the identity authentication device may be, but is not limited to, a Bluetooth-capable smart key device.
Step 106: the mobile terminal receives the broadcast data from the identity authentication device over the Bluetooth channel;
Specifically, the mobile terminal receives from the system, through the system's search callback method, the broadcast data of the identity authentication device and the device object corresponding to the identity authentication device.
For example, the mobile terminal receives from the system, through the system's first search callback method onscanresult(), the broadcast data of the identity authentication device and the device object device corresponding to the identity authentication device.
In this embodiment the search interface includes a first search interface and the search callback method includes a first search callback method, and the first search interface corresponds to the first search callback method. The search interface may also include a second search interface and the search callback method a second search callback method, the second search method corresponding to the second search callback method.
For example, the second search method is startlescan() and the second search callback method is onlescanresult().
Step 107: the mobile terminal judges whether the service identifier in the broadcast data matches the preset service identifier; if so, step 108 is executed; otherwise an error is reported.
In this embodiment the service identifier (commonly called a UUID) is the unique identifier of the service supported by the identity authentication device.
In this embodiment the preset service identifier is specifically "0000fffd-0000-1000-8000-00805f9b34fb".
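Step 107 (and the corresponding search step of Embodiment 1) compares the service identifier carried in the broadcast data with the preset 128-bit UUID. In BLE advertising data a device normally advertises a 16-bit short form such as 0xFFFD, which must be expanded over the Bluetooth base UUID before it can be compared with "0000fffd-0000-1000-8000-00805f9b34fb". The following added example (not the patent's code and not a platform API) parses raw advertising bytes and performs that comparison; the advertising payloads are constructed, and the AD-structure layout, the service-UUID AD types and the base-UUID expansion follow the Bluetooth Core Specification.

```python
"""Added example, not the patent's code: the step-107 check over raw BLE
advertising data. Advertising payloads below are constructed."""
import uuid

PRESET_SERVICE = uuid.UUID("0000fffd-0000-1000-8000-00805f9b34fb")   # value from the patent
_BT_BASE = uuid.UUID("00000000-0000-1000-8000-00805f9b34fb")
# AD types that carry service UUIDs -> byte width of each UUID in the payload
_UUID_AD_TYPES = {0x02: 2, 0x03: 2, 0x04: 4, 0x05: 4, 0x06: 16, 0x07: 16}

def ad_structures(adv: bytes):
    """Yield (ad_type, payload) pairs; a zero length byte ends the significant part."""
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:
            break
        if i + 1 + length > len(adv):
            raise ValueError("AD structure runs past the end of the advertising data")
        yield adv[i + 1], adv[i + 2:i + 1 + length]
        i += 1 + length

def service_uuids(adv: bytes):
    """All service UUIDs in the advertisement, normalised to 128-bit form."""
    found = []
    for ad_type, payload in ad_structures(adv):
        width = _UUID_AD_TYPES.get(ad_type)
        if width is None:
            continue                          # flags, local name, manufacturer data, ...
        for off in range(0, len(payload) - width + 1, width):
            raw = payload[off:off + width]    # UUIDs are little-endian on air
            if width == 16:
                found.append(uuid.UUID(bytes=raw[::-1]))
            else:
                short = int.from_bytes(raw, "little")
                found.append(uuid.UUID(int=_BT_BASE.int | (short << 96)))
    return found

def matches_preset_service(adv: bytes) -> bool:
    """Step 107: does the broadcast data carry the preset service identifier?"""
    return PRESET_SERVICE in service_uuids(adv)

# constructed advertising payloads
ADV_AUTH_DEVICE = bytes.fromhex("020106" "0303fdff" "0809" + b"DemoKey".hex())  # flags, 0xFFFD, name
ADV_128BIT = bytes.fromhex("020106") + bytes([0x11, 0x07]) + PRESET_SERVICE.bytes[::-1]  # full UUID
ADV_OTHER = bytes.fromhex("020106" "03030f18")   # only the Battery Service 0x180F
```

Both the 16-bit short form and the full 128-bit form match the preset value after normalisation, while a device that advertises only another service is rejected, which is the "otherwise, report an error" branch of step 107.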
Step 108: the mobile terminal establishes a Bluetooth connection with the ID authentication device;
Specifically, the mobile terminal calls the connection method of the system using the device object corresponding to the ID authentication device to establish a Bluetooth connection with the ID authentication device, obtains a general attribute protocol object and sets a connection callback object. The connection callback object includes the connection status callback method, the discovery service callback method, the read feature callback method and the communication callback method of the system.
For example, the mobile terminal takes the third preset-type object context, the fourth preset-type object false and the connection callback object gattCallback as parameters, calls the connection method connectGatt() of the system using the device object device to establish a Bluetooth connection with the ID authentication device, obtains the general attribute protocol object gatt and sets the connection callback object gattCallback. The connection callback object gattCallback includes the connection status callback method onConnectionStateChange(), the discovery service callback method onServicesDiscovered(), the read feature callback method onCharacteristicRead() and the communication callback method onCharacteristicChanged().
Step 109: the mobile terminal judges whether the Bluetooth connection with the ID authentication device has been established successfully; if so, step 110 is executed; otherwise, an error is reported;
Specifically, the mobile terminal receives, through the connection status callback method of the system, the result message of establishing the Bluetooth connection with the ID authentication device from the system, and judges from that result message whether the Bluetooth connection with the ID authentication device has been established successfully.
For example, the mobile terminal receives, through the connection status callback method onConnectionStateChange() of the system, the integer parameter paramStatus from the system as the result message of establishing the Bluetooth connection with the ID authentication device, and judges whether the paramStatus parameter is 0; if so, it determines that the Bluetooth connection with the ID authentication device has been established successfully; otherwise, it determines that establishing the Bluetooth connection with the ID authentication device has failed.
Step 110: the mobile terminal searches for the services supported by the ID authentication device;
Specifically, the mobile terminal calls the search service method discoverServices() of the system using the general attribute protocol object to search for the services supported by the ID authentication device.
Step 111: the mobile terminal judges whether the services supported by the ID authentication device have been found; if so, step 112 is executed; otherwise, an error is reported;
Specifically, the mobile terminal receives the search service result message from the system through the discovery service callback method of the system, and judges from that search service result message whether the Bluetooth connection with the ID authentication device has been established successfully.
For example, the mobile terminal receives, through the discovery service callback method onServicesDiscovered() of the system, the integer parameter paramStatus from the system as the search service result message, and judges whether the paramStatus parameter is 0; if so, it determines that the services supported by the ID authentication device have been found; otherwise, it determines that the services supported by the ID authentication device have not been found.
Step 112: the mobile terminal obtains the service of the ID authentication device;
Specifically, the mobile terminal takes the preset service identifier as a parameter and calls the get service method of the system using the general attribute protocol object to obtain the service object of the ID authentication device.
For example, the mobile terminal takes the preset service identifier serviceUuid as a parameter and calls the get service method getService() of the system using the general attribute protocol object gatt to obtain the service object service of the ID authentication device.
Here, the preset service identifier serviceUuid is "0000fffd-0000-1000-8000-00805f9b34fb".
Step 113: the mobile terminal judges whether it has already been paired with the ID authentication device; if so, step 116 is executed; otherwise, step 114 is executed;
Step 114: the mobile terminal pairs with the ID authentication device;
Step 115: the mobile terminal judges whether pairing with the ID authentication device succeeded; if so, step 116 is executed; otherwise, an error is reported;
Step 116: the mobile terminal obtains the read feature from the service;
Specifically, the mobile terminal takes the preset read feature identifier as a parameter and calls the get characteristic method of the system using the service object to obtain the read feature object from the service object.
For example, the mobile terminal takes the preset read feature identifier characteristicUuid as a parameter and calls the get characteristic method getCharacteristic() of the system using the service object service to obtain the read feature object characteristic from the service object service.
Here, the read feature identifier characteristicUuid is specifically "f1d0fff3-deaa-ecee-b42f-c9ba7ed623bb".
Step 117: the mobile terminal reads the characteristic value of the read feature;
Specifically, the mobile terminal takes the read feature object as a parameter and calls the read characteristic method of the system using the general attribute protocol object to read the characteristic value of the read feature object.
For example, the mobile terminal takes the read feature object characteristic as a parameter and calls the read characteristic method readCharacteristic() of the system using the general attribute protocol object gatt to read the characteristic value of the read feature object.
Step 118: the mobile terminal judges whether the characteristic value of the read feature was read successfully; if so, step 119 is executed; otherwise, an error is reported;
Specifically, the mobile terminal receives, through the read feature callback method of the system, the result message of reading the characteristic value of the read feature from the system, and judges from that result message whether the characteristic value of the read feature was read successfully.
For example, the mobile terminal receives, through the read feature callback method onCharacteristicRead() of the system, the integer parameter paramStatus from the system as the result message of reading the characteristic value of the read feature, and judges whether the paramStatus parameter is 0; if so, it determines that the characteristic value of the read feature was read successfully; otherwise, it determines that the characteristic value of the read feature was not read successfully.
Step 119: the mobile terminal takes the characteristic value of the read feature as the subpackage length;
Step 120: the mobile terminal obtains the write feature and the notify feature from the service, and enables the notify feature;
Specifically, the mobile terminal takes the preset write feature identifier as a parameter and calls the get characteristic method of the system using the service object to obtain the write feature object from the service object; takes the preset notify feature identifier as a parameter and calls the get characteristic method of the system using the service object to obtain the notify feature object from the service object; and calls the set characteristic notification method of the system to enable the notify feature object;
For example, the mobile terminal takes the preset write feature identifier characteristicUuid as a parameter and calls the get characteristic method getCharacteristic() of the system using the service object service to obtain the write feature object characteristic from the service object service; takes the preset notify feature identifier characteristicUuid as a parameter and calls the get characteristic method getCharacteristic() of the system using the service object service to obtain the notify feature object characteristic from the service object service; and calls the set characteristic notification method setCharacteristicNotification() of the system to enable the notify feature object.
Here, the write feature identifier characteristicUuid is specifically "f1d0fff1-deaa-ecee-b42f-c9ba7ed623bb", and the notify feature identifier characteristicUuid is specifically "f1d0fff2-deaa-ecee-b42f-c9ba7ed623bb".
Step 121: the mobile terminal sends the get version number instruction to the ID authentication device through the write feature;
Specifically, the mobile terminal organizes the get version number instruction and sends the get version number instruction to the ID authentication device.
More specifically, the mobile terminal organizes the third instruction, takes the third instruction as the data field of the get version number instruction, and adds the preset protocol command identification and the data length of the get version number instruction before the third instruction.
In the present embodiment, the format of the get version number instruction is as follows:
Preset protocol command identification (1 byte) | Data length of the data field (2 bytes) | Data field
The format of the third instruction is as follows:
For example, the mobile terminal sets the instruction class "00" of the third instruction in the first byte of the third instruction, sets the get version number instruction code "03" in the second byte of the third instruction, sets the data length "000000" of the data field of the third instruction in the fifth to seventh bytes of the third instruction, and sets the expected response value length "0000" in the last two bytes of the third instruction, obtaining the third instruction containing the get version number instruction code, "000300000000000000"; it takes the third instruction as the data field of the get version number instruction and adds the preset protocol command identification "83" and the data length "0009" of the third instruction before the third instruction, obtaining the get version number instruction "830009000300000000000000", and sends the get version number instruction to the ID authentication device.
This step can specifically be: the mobile terminal sends the get version number instruction to the ID authentication device using the write feature object.
Step 122: the mobile terminal receives the second response returned by the ID authentication device through the notify feature;
Specifically, the mobile terminal receives, through the communication callback method of the system, the second response returned by the ID authentication device through the notify feature object from the system.
For example, the mobile terminal receives the BluetoothGattCharacteristic parameter paramCharacteristic from the system through the communication callback method of the system, and obtains from the parameter paramCharacteristic the second response returned by the ID authentication device through the notify feature.
Step 123: the mobile terminal judges whether the response code of the second response is the first preset value; if so, step 124 is executed; otherwise, an error is reported;
Specifically, the mobile terminal parses the second response, obtains the data in the last two bytes of the second response and takes it as the response code, and judges whether the response code of the second response is the first preset value; if so, step 124 is executed; otherwise, an error is reported.
In the present embodiment, the first preset value is 9000.
Step 124: the mobile terminal obtains the second version number from the second response;
Specifically, the mobile terminal parses the second response, obtains the data in all bytes after the third byte (not including the third byte) and before the penultimate byte (not including the penultimate byte) of the second response, and takes it as the second version number.
For example, the mobile terminal parses the second response "8300085532465f56329000", obtains the data in all bytes after the third byte "08" (not including the third byte) and before the penultimate byte "90" (not including the penultimate byte) of the second response, the data obtained being "5532465f5632", and takes "5532465f5632" as the second version number.
Step 125: the mobile terminal judges whether the first version number matches the second version number; if so, step 126 is executed; otherwise, an error is reported;
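The version exchange of steps 121 to 125, worked through as an added example in Python; the same frame layout (protocol command identification "83", 2-byte data length, response code "9000" in the last two bytes, payload in between) is what steps 128 and 129 parse in the third response, so the parser below applies there as well. This is not code from the patent or from the applicant's implementation. It assumes only the byte layout stated in the embodiment; the function names are hypothetical, and the server JSON in the usage block is a constructed stand-in that carries the first version number under the identifier version, as the embodiment's responses do.

```python
import json

PROTOCOL_CMD = 0x83      # preset protocol command identification "83"
GET_VERSION_INS = 0x03   # get version number instruction code "03"
RESPONSE_OK = 0x9000     # first preset value "9000"


def build_instruction(ins, data=b""):
    """Build an inner instruction in the layout of the third instruction:
    byte 1 instruction class 00, byte 2 instruction code, bytes 3-4 zero,
    bytes 5-7 data length, the data field, last two bytes expected response length 0000."""
    if len(data) > 0xFFFFFF:
        raise ValueError("data field too long for a 3-byte length")
    return (bytes([0x00, ins, 0x00, 0x00])
            + len(data).to_bytes(3, "big")
            + data
            + b"\x00\x00")


def frame(instruction):
    """Prepend the preset protocol command identification and the 2-byte data length."""
    if len(instruction) > 0xFFFF:
        raise ValueError("instruction too long for a 2-byte length")
    return bytes([PROTOCOL_CMD]) + len(instruction).to_bytes(2, "big") + instruction


def build_get_version_instruction():
    # third instruction "000300000000000000" framed as "830009000300000000000000"
    return frame(build_instruction(GET_VERSION_INS))


def parse_response(response):
    """Check the frame and return (response_code, payload).
    The payload is everything after the third byte and before the last two bytes;
    the declared length must cover the payload plus the two response-code bytes."""
    if len(response) < 5 or response[0] != PROTOCOL_CMD:
        raise ValueError("missing protocol command identification")
    declared = int.from_bytes(response[1:3], "big")
    if declared != len(response) - 3:
        raise ValueError("declared length %d does not match the frame" % declared)
    code = int.from_bytes(response[-2:], "big")
    return code, response[3:-2]


def second_version_number(response):
    """Steps 123 and 124: require response code 9000, then return the version bytes."""
    code, payload = parse_response(response)
    if code != RESPONSE_OK:
        raise ValueError("device answered with response code %04x" % code)
    return payload


def versions_match(first_version_number, response):
    """Step 125: the server's first version number must equal the device's
    second version number, which the device returns as ASCII text."""
    return second_version_number(response).decode("ascii") == first_version_number


if __name__ == "__main__":
    # constructed inputs: the response bytes are the embodiment's own example,
    # the server JSON is a constructed stand-in carrying the first version number
    server_json = '{"version":"U2F_V2"}'
    device_response = bytes.fromhex("8300085532465f56329000")
    print(build_get_version_instruction().hex())         # 830009000300000000000000
    print(second_version_number(device_response).hex())  # 5532465f5632
    print(versions_match(json.loads(server_json)["version"], device_response))  # True
```

The hex version "5532465f5632" returned by the device is the ASCII string U2F_V2, which is why comparing it with the server's first version number works as a plain string comparison once decoded; a response whose declared length disagrees with the frame, or whose response code is not 9000, is rejected before any version bytes are looked at.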
Step 126: the mobile terminal organizes the first client data according to the preset register instruction type, the first challenge value and the derived data, organizes the register instruction according to the subpackage length, the first client data and the application ID, and sends the register instruction to the ID authentication device through the write feature;
This step specifically includes:
Step a1: the mobile terminal organizes the first client data, which includes the preset register instruction type, the first challenge value and the derived data;
Specifically, the mobile terminal creates the JSON object clientData, stores in the object clientData the preset register instruction type and its identifier, the first challenge value and its identifier and the derived data and its identifier, and converts the object clientData to a character string, obtaining the first client data in JSON format;
For example: the mobile terminal creates the JSON object clientData; it stores in the object clientData the preset register instruction type navigator.id.finishEnrollment with its identifier typ, the first challenge value x9-d9XlfOZVWKjHkWhgIRg with its identifier challenge and the derived data https://u2fdemo.appspot.com with its identifier origin, and converts the object clientData to a character string in JSON format, obtaining the first client data {"typ":"navigator.id.finishEnrollment","challenge":"x9-d9XlfOZVWKjHkWhgIRg","origin":"https:\/\/u2fdemo.appspot.com"}.
Step a2: the mobile terminal hashes the first client data and the application ID respectively, obtaining the first hash value and the second hash value, and organizes the registration data according to the first hash value and the second hash value;
Specifically, the mobile terminal hashes the first client data and the application ID respectively using the first preset algorithm, obtaining the first hash value and the second hash value, and organizes the registration data according to the first hash value and the second hash value.
Here, the first hash value is the hash of the first client data and the second hash value is the hash of the application ID. The first preset algorithm can be, but is not limited to, the SHA256 algorithm.
For example: the mobile terminal hashes the first client data {"typ":"navigator.id.finishEnrollment","challenge":"x9-d9XlfOZVWKjHkWhgIRg","origin":"https://u2fdemo.appspot.com"} and the application ID "APPID":"https://u2fdemo.appspot.com" respectively using the SHA256 algorithm, obtaining the first hash value "5BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882" and the second hash value "A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF56"; the registration data organized according to the first hash value and the second hash value is "5BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF56".
Step a3: the mobile terminal organizes the register instruction according to the registration data and the subpackage length;
Specifically, the mobile terminal organizes the first instruction according to the registration data, and organizes the register instruction according to the first instruction and the subpackage length.
In the present embodiment, the register instruction may include one packet or multiple packets of data.
More specifically, the mobile terminal sets the register instruction code in the second byte of the first instruction and sets the registration data in the data field of the first instruction, obtaining the first instruction containing the register instruction code and the registration data; adds the preset protocol command identification and the data length of the first instruction before the first instruction, obtaining the register instruction; and judges according to the subpackage length whether the register instruction needs to be split into packets. If so, it splits the register instruction into packets according to the subpackage length, obtaining multiple packets of registration valid data, takes the first packet of registration valid data as the first packet of registration send data, and, from the second packet of registration valid data on, adds the corresponding packet index before the start of each packet of registration valid data, obtaining the packets of registration send data that follow the first packet; otherwise, step a4 is executed.
In the present embodiment, the register instruction code is specifically "01" and the preset protocol command identification is specifically "83".
In the present embodiment, the format of the register instruction is as follows:
Preset protocol command identification (1 byte) | Data length of the data field (2 bytes) | Data field
The format of the first instruction is as follows:
For example, the mobile terminal sets the instruction class "00" of the first instruction in the first byte of the first instruction, sets the register instruction code "01" in the second byte of the first instruction, sets the data length "000040" of the registration data in the fifth to seventh bytes of the first instruction, sets the registration data "5BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF56" in the data field of the first instruction, and sets the expected response value length "0000" in the last two bytes of the first instruction, obtaining the first instruction containing the register instruction code and the registration data, "000100000000405BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF560000"; adds the preset protocol command identification "83" and the data length "0049" of the first instruction before the first instruction, obtaining the register instruction "830049000100000000405BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF560000"; and judges according to the subpackage length "20" whether the register instruction needs to be split into packets. The first packet of registration valid data obtained is: "830049000100000000405BFDF71873332EAA9015",
the second packet of registration valid data is: "A128DF3556196E4AC4243576A71988A047E44E";
the third packet of registration valid data is: "DDC882A1AA11AFF7E71252FE5E32AA80B425A0";
the fourth packet of registration valid data is: "FAFBE5F8A5EA767316A2562AB48DBF560000"; the first packet of registration valid data is taken as the first packet of registration send data:
"830049000100000000405BFDF71873332EAA9015",
the packet index "00" is added before the second packet of registration valid data, obtaining the second packet of registration send data:
"00A128DF3556196E4AC4243576A71988A047E44E";
the packet index "01" is added before the third packet of registration valid data, obtaining the third packet of registration send data:
"01DDC882A1AA11AFF7E71252FE5E32AA80B425A0";
the packet index "02" is added before the fourth packet of registration valid data, obtaining the fourth packet of registration send data:
"02FAFBE5F8A5EA767316A2562AB48DBF560000".
Step a4: the mobile terminal sends the register instruction to the ID authentication device through the write feature.
Specifically, the mobile terminal sends the register instruction to the ID authentication device using the write feature object.
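Steps a1 to a4 worked through as an added example in Python; this is not code from the patent or from the applicant's implementation. It builds the first client data, the registration data, the first instruction and the register instruction in the byte layout described above, and splits the register instruction into packets according to the subpackage length, with a one-byte packet index in front of every packet after the first. The "/" escaping in the client data follows the embodiment's sample string; the application ID is hashed as the plain string https://u2fdemo.appspot.com; the function names are hypothetical, and the registration data in the usage block is the embodiment's own value, entered as constructed input so that the four packets listed above are reproduced.

```python
import hashlib
import json

PROTOCOL_CMD = 0x83      # preset protocol command identification "83"
REGISTER_INS = 0x01      # register instruction code "01"
REGISTER_TYPE = "navigator.id.finishEnrollment"   # preset register instruction type


def first_client_data(challenge, origin):
    """Step a1: JSON object with the identifiers typ, challenge and origin, serialized
    without whitespace and with "/" escaped as in the embodiment's sample string."""
    obj = {"typ": REGISTER_TYPE, "challenge": challenge, "origin": origin}
    return json.dumps(obj, separators=(",", ":")).replace("/", "\\/")


def registration_data(client_data, app_id):
    """Step a2: SHA256 of the first client data followed by SHA256 of the application ID."""
    first_hash = hashlib.sha256(client_data.encode("utf-8")).digest()
    second_hash = hashlib.sha256(app_id.encode("utf-8")).digest()
    return first_hash + second_hash


def first_instruction(reg_data):
    """Instruction class 00, register instruction code 01, two zero bytes,
    3-byte data length, the registration data, expected response length 0000."""
    return (bytes([0x00, REGISTER_INS, 0x00, 0x00])
            + len(reg_data).to_bytes(3, "big")
            + reg_data
            + b"\x00\x00")


def register_instruction(reg_data):
    """Step a3: preset protocol command identification + 2-byte length + first instruction."""
    inner = first_instruction(reg_data)
    return bytes([PROTOCOL_CMD]) + len(inner).to_bytes(2, "big") + inner


def split_packets(instruction, subpackage_length):
    """Split according to the subpackage length: the first packet is sent as it is; every
    later packet carries a one-byte packet index (00, 01, ...) before its valid data, so
    each later packet holds subpackage_length - 1 bytes of valid data. An instruction no
    longer than the subpackage length stays a single packet (the "otherwise" branch above)."""
    if subpackage_length < 2:
        raise ValueError("subpackage length must leave room for a packet index")
    packets = [instruction[:subpackage_length]]
    rest = instruction[subpackage_length:]
    index = 0
    while rest:
        if index > 0xFF:
            raise ValueError("too many packets for a one-byte packet index")
        packets.append(bytes([index]) + rest[:subpackage_length - 1])
        rest = rest[subpackage_length - 1:]
        index += 1
    return packets


def register_packets(reg_data, subpackage_length):
    """Steps a3/a4: the registration send data, one upper-case hex string per packet."""
    return [p.hex().upper()
            for p in split_packets(register_instruction(reg_data), subpackage_length)]


if __name__ == "__main__":
    client_data = first_client_data("x9-d9XlfOZVWKjHkWhgIRg", "https://u2fdemo.appspot.com")
    print(client_data)
    print(len(registration_data(client_data, "https://u2fdemo.appspot.com")))  # 64
    # constructed input: the embodiment's own registration data
    reg_data = bytes.fromhex(
        "5BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882"
        "A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF56")
    for packet in register_packets(reg_data, 20):
        print(packet)
```

With a subpackage length of 20 the 76-byte register instruction becomes one 20-byte packet and three indexed packets of 19, 19 and 18 bytes, exactly the four send-data strings listed above; the subpackage length is whatever the read feature's characteristic value said in step 119, so the same code produces a single packet when the value is large enough to hold the whole instruction.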
After the ID authentication device receives the register instruction from the mobile terminal, the ID authentication device generates a key pair and a key handle corresponding to the key pair, organizes the first data to be signed, which includes the public key of the key pair, the key handle, and the first hash value and the second hash value in the registration data, signs the first data to be signed according to the preset hash algorithm and the private key of the key pair to obtain the first signature data, organizes the first authentication criterion, which includes the public key of the key pair, the key handle corresponding to the key pair and the first signature data, and returns the third response, which includes the first authentication criterion and the response code, to the mobile terminal.
Step 127: the mobile terminal receives the third response returned by the ID authentication device through the notify feature;
Specifically, the mobile terminal receives, through the communication callback method of the system, the third response returned by the ID authentication device through the notify feature object from the system.
For example, the mobile terminal receives the BluetoothGattCharacteristic parameter paramCharacteristic from the system through the communication callback method of the system, and obtains from the parameter paramCharacteristic the third response returned by the ID authentication device through the notify feature object.
Step 128: the mobile terminal judges whether the response code of the third response is the first preset value; if so, step 129 is executed; otherwise, an error is reported;
Specifically, the mobile terminal parses the third response, obtains the data in the last two bytes of the third response and takes it as the response code, and judges whether the response code of the third response is the first preset value; if so, step 129 is executed; otherwise, an error is reported.
Step 129: the mobile terminal generates the second registration request according to the third response, the first client data, the application ID and the user identifier, and sends the second registration request to the server background;
Specifically, the mobile terminal obtains the first authentication criterion from the third response, generates the second registration request, which includes the first authentication criterion, the first client data, the application ID and the user identifier, and sends the second registration request to the server background;
More specifically, the mobile terminal parses the third response, obtains the data in all bytes after the third byte (not including the third byte) and before the penultimate byte (not including the penultimate byte) of the third response and takes it as the first authentication criterion, generates the second registration request, which includes the first authentication criterion, the first client data, the application ID and the user identifier, and sends the second registration request to the server background;
For example, the mobile terminal parses the third response 8302260504f8487177637e0a57c7c52f6ba952fc47433fc8b2fde13b73e84823473e356c53c7517639b5f1781c32e08660327255335bf4eb92a6907ca281d7dacd56ba4f9340b842ccb576b616f1c536772b4fdd0c61e6992547b2c51a331cc7599ab2a198113fa7083f6e6825fad2cd0848b517ecb0b80e2d6c0a2707912d56cddbe9c03154308201563081fda003020102020a47901280001155957352300a06082a8648ce3d0403023017311530130603550403130c4654204649444f2030313030301e170d3134303831343138323933325a170d3234303831343138323933325a3031312f302d0603550403132650696c6f74476e756262792d302e342e312d34373930313238303030313135353935373335303059301306072a8648ce3d020106082a8648ce3d03010703420004b174bc49c7ca254b70d2e5c207cee9cf174820ebd77ea3c65508c26da51b657c1cc6b952f8621697936482da0a6d3d3826a59095daf6cd7c03e2e60385d2f6d9a31730153013060b2b0601040182e51c020101040403020430300a06082a8648ce3d040302034800304502210099b8903a57bc9d2a73da0258e70fdf331a1f72945521314ab528477e7fe1ed4002207a8b7d0d285dcb440d4450e52ac28c21f0bc4b85a0b3a04e42c6d4f4ae47e0a630450221008e641cc85b3c506874e4e6236e73e473331b5fb5348589221954080aa9a0f73a02201fdba135640ebccd09e7ac684b1674fe15a639b64e991af45ffd9c36c59b802c9000, obtains the data in all bytes after the third byte "26" of the third response (not including the third byte) and before the penultimate byte "90" (not including the penultimate byte), the data obtained being 0504f8487177637e0a57c7c52f6ba952fc47433fc8b2fde13b73e84823473e356c53c7517639b5f1781c32e08660327255335bf4eb92a6907ca281d7dacd56ba4f9340b842ccb576b616f1c536772b4fdd0c61e6992547b2c51a331cc7599ab2a198113fa7083f6e6825fad2cd0848b517ecb0b80e2d6c0a2707912d56cddbe9c03154308201563081fda003020102020a47901280001155957352300a06082a8648ce3d0403023017311530130603550403130c4654204649444f2030313030301e170d3134303831343138323933325a170d3234303831343138323933325a3031312f302d0603550403132650696c6f74476e756262792d302e342e312d34373930313238303030313135353935373335303059301306072a8648ce3d020106082a8648ce3d03010703420004b174bc49c7ca254b70d2e5c207cee9cf174820ebd77ea3c65508c26da51b657c1cc6b952f8621697936482da0a6d3d3826a59095daf6cd7c03e2e60385d2f6d9a31730153013060b2b0601040182e51c020101040403020430300a06082a8648ce3d040302034800304502210099b8903a57bc9d2a73da0258e70fdf331a1f72945521314ab528477e7fe1ed4002207a8b7d0d285dcb440d4450e52ac28c21f0bc4b85a0b3a04e42c6d4f4ae47e0a630450221008e641cc85b3c506874e4e6236e73e473331b5fb5348589221954080aa9a0f73a02201fdba135640ebccd09e7ac684b1674fe15a639b64e991af45ffd9c36c59b802c, and takes it as the first authentication criterion; it generates the second registration request, which includes the first authentication criterion, the first client data, the application ID and the user identifier, and sends the second registration request to the server background;
In the present embodiment, the communication data between the mobile terminal and the server background is JSON-format data.
After the server background receives the second registration request, it obtains the first authentication criterion, the first client data, the application ID and the user identifier from the second registration request, verifies the first signature data in the first authentication criterion according to the first client data, the application ID, the public key and the key handle in the first authentication criterion and the preset hash algorithm, and judges whether the signature verification succeeded; if so, it establishes and saves the correspondence between the user identifier and each of the key handle and the public key in the first authentication criterion, sets the error code to the second preset value, and sends the fourth response, which includes the error code, to the mobile terminal; otherwise, it sets the error code to the third preset value and sends the fourth response, which includes the error code, to the mobile terminal.
More specifically, after the server background receives the second registration request, it obtains the first authentication criterion, the first client data, the application ID and the user identifier from the second registration request, and hashes the first client data and the application ID respectively according to the first preset algorithm to obtain the first server background data and the second server background data; it organizes the first original data, which includes the first server background data, the second server background data, the public key in the first authentication criterion and the key handle in the first authentication criterion, hashes the first original data using the preset hash algorithm to generate the first comparison value, decrypts the first signature data in the first authentication criterion using the public key to obtain the first decrypted data, and judges whether the first comparison value matches the first decrypted data; if so, it establishes and saves the correspondence between the user identifier and each of the key handle and the public key in the first authentication criterion, sets the error code to the second preset value, and sends the fourth response, which includes the error code, to the mobile terminal; otherwise, it sets the error code to the third preset value and sends the fourth response, which includes the error code, to the mobile terminal.
In the present embodiment, the second preset value is 0 and the third preset value is 1.
Step 130: the mobile terminal receives the fourth response from the server background;
Step 131: the mobile terminal obtains the error code from the fourth response and judges whether the error code is the second preset value; if so, registration succeeds; otherwise, registration fails.
Authentication phase, as shown in Figures 4-5, includes:
Step 201: the mobile terminal sends the first authentication request, which includes the user identifier, to the server background;
In this embodiment, the user identifier is specifically a user name.
Step 202: the mobile terminal receives the fifth response from the server background, and obtains from the fifth response the application ID, the second challenge value, the derived data, the first version number and the key handle corresponding to the user identifier;
Specifically, the mobile terminal receives the fifth response in JSON format from the server background, takes the preset application ID identifier, challenge value identifier, derived data identifier, version number identifier and key handle identifier as parameters, and calls the get string method of the system for each, obtaining from the fifth response the application ID corresponding to the application ID identifier, the second challenge value corresponding to the challenge value identifier, the derived data corresponding to the derived data identifier, the first version number corresponding to the version number identifier and the key handle corresponding to the key handle identifier;
In the present embodiment, the preset application ID identifier is specifically APPID; the preset challenge value identifier is challenge; the preset derived data identifier is specifically origin; the preset version number identifier is specifically version; the preset key handle identifier is keyHandle.
For example: the fifth response in JSON format that the mobile terminal receives from the server background is
{"APPID":"https://u2fdemo.appspot.com","challenge":"ZaFJmTE0g4yz0sk8D0x07g","origin":"https:\/\/u2fdemo.appspot.com","version":"U2F_V2","keyHandle":"qCw3hfVQlqxr8Ng-uwqa0nZch39y6wB7U7NjW4MdTz4_lOHvjm-8JIUeK0fm5THjmWV_OQOVwjG92wxL-7z0Og"}. The mobile terminal takes the preset application ID identifier APPID, the challenge value identifier challenge, the derived data identifier origin, the version number identifier version and the key handle identifier keyHandle as parameters and calls the get string method getString() of the system for each; the application ID obtained from the fifth response is https://u2fdemo.appspot.com, the second challenge value obtained is
ZaFJmTE0g4yz0sk8D0x07g, the derived data obtained is
https://u2fdemo.appspot.com, the first version number obtained is U2F_V2, and the key handle obtained corresponding to the user identifier is
qCw3hfVQlqxr8Ng-uwqa0nZch39y6wB7U7NjW4MdTz4_lOHvjm-8JIUeK0fm5THjmWV_OQOVwjG92wxL-7z0Og.
Step 203: whether mobile terminal detection Bluetooth channels are opened, if so, thening follow the steps 205;Otherwise, step is executed Rapid 204;
Step 204: mobile terminal opens Bluetooth channels;
Step 205: mobile terminal searches for ID authentication device by Bluetooth channels;
Specifically, the searching interface of mobile terminal calling system searches for ID authentication device by Bluetooth channels, and is arranged Search for callback object.
Wherein, the search callback method in callback object including system is searched for.
For example, mobile mobile searched using the first preset kind parameter filters, the second preset kind parameter settings Tone category shape parameter scanCallback is recovered, the first searching interface startscan () of calling system is searched by Bluetooth channels Rope ID authentication device, setting search callback object scanCallback.
Step 206: The mobile terminal receives the broadcast data from the identity authentication device over the Bluetooth channel;
Specifically, the mobile terminal receives, through the system's search callback method, the broadcast data of the identity authentication device from the system and the device object corresponding to the identity authentication device.
For example, the mobile terminal receives, through the system's first search callback method onScanResult(), the broadcast data of the identity authentication device from the system and the device object device corresponding to the identity authentication device.
In this embodiment, the search interface includes the first search interface and the search callback method includes the first search callback method; the first search interface corresponds to the first search callback method. It should be noted that the search interface may also include a second search interface and the search callback method may also include a second search callback method, with the second search interface corresponding to the second search callback method.
Step 207: The mobile terminal judges whether the service identifier in the broadcast data matches the preset service identifier; if so, execute step 208; otherwise, report an error;
Step 208: The mobile terminal establishes a Bluetooth connection with the identity authentication device;
Specifically, the mobile terminal uses the device object corresponding to the identity authentication device to call the system's connection method, establishes a Bluetooth connection with the identity authentication device, obtains a generic attribute protocol (GATT) object and sets a connection callback object. The connection callback object contains the system's connection state callback method, service discovery callback method, characteristic read callback method and communication callback method.
For example, with a third preset-type object context, a fourth preset-type object false and the connection callback object gattCallback as parameters, the mobile terminal uses the device object device to call the system's connection method connectGatt(), establishes a Bluetooth connection with the identity authentication device, obtains the generic attribute protocol object gatt and sets the connection callback object gattCallback. The connection callback object gattCallback contains the connection state callback method onConnectionStateChange(), the service discovery callback method onServicesDiscovered(), the characteristic read callback method onCharacteristicRead() and the communication callback method onCharacteristicChanged().
Step 209: The mobile terminal judges whether the Bluetooth connection with the identity authentication device was established successfully; if so, execute step 210; otherwise, report an error;
Specifically, the mobile terminal receives from the system, through the system's connection state callback method, the result message for establishing the Bluetooth connection with the identity authentication device, and judges from this result message whether the Bluetooth connection with the identity authentication device was established successfully.
For example, the mobile terminal receives, through the system's connection state callback method onConnectionStateChange(), the integer parameter paramStatus from the system as the result message for establishing the Bluetooth connection with the identity authentication device, and judges whether the paramStatus parameter is 0; if so, it determines that the Bluetooth connection with the identity authentication device was established successfully; otherwise, it determines that establishing the Bluetooth connection with the identity authentication device failed.
Step 210: The mobile terminal searches for the services supported by the identity authentication device;
Specifically, the mobile terminal uses the generic attribute protocol object to call the system's service search method discoverServices() and searches for the services supported by the identity authentication device.
Step 211: The mobile terminal judges whether the services supported by the identity authentication device were found; if so, execute step 212; otherwise, report an error;
Specifically, the mobile terminal receives the service search result message from the system through the system's service discovery callback method, and judges from the service search result message whether the services supported by the identity authentication device were found.
For example, the mobile terminal receives, through the system's service discovery callback method onServicesDiscovered(), the integer parameter paramStatus from the system as the service search result message, and judges whether the paramStatus parameter is 0; if so, it determines that the services supported by the identity authentication device were found; otherwise, it determines that the services supported by the identity authentication device were not found.
Step 212: The mobile terminal obtains the service of the identity authentication device;
Specifically, with the preset service identifier as parameter, the mobile terminal uses the generic attribute protocol object to call the system's service acquisition method and obtains the service object of the identity authentication device.
For example, with the preset service identifier serviceUuid as parameter, the mobile terminal uses the generic attribute protocol object gatt to call the system's service acquisition method getService() and obtains the service object service of the identity authentication device.
The preset service identifier serviceUuid is "0000fffd-0000-1000-8000-00805f9b34fb".
Step 213: The mobile terminal judges whether the identity authentication device is already paired; if so, execute step 216; otherwise, execute step 214;
Step 214: The mobile terminal pairs with the identity authentication device;
Step 215: The mobile terminal judges whether pairing with the identity authentication device succeeded; if so, execute step 216; otherwise, report an error;
Step 216: The mobile terminal obtains the read characteristic from the service;
Specifically, with the preset read characteristic identifier as parameter, the mobile terminal uses the service object to call the system's characteristic acquisition method and obtains the read characteristic object from the service object.
For example, with the preset read characteristic identifier characteristicUuid as parameter, the mobile terminal uses the service object service to call the system's characteristic acquisition method getCharacteristic() and obtains the read characteristic object characteristic from the service object service.
The read characteristic identifier characteristicUuid is specifically f1d0fff3-deaa-ecee-b42f-c9ba7ed623bb.
Step 217: The mobile terminal reads the characteristic value of the read characteristic;
Specifically, with the read characteristic object as parameter, the mobile terminal uses the generic attribute protocol object to call the system's characteristic read method and reads the characteristic value of the read characteristic object.
For example, with the read characteristic object characteristic as parameter, the mobile terminal uses the generic attribute protocol object gatt to call the system's characteristic read method readCharacteristic() and reads the characteristic value of the read characteristic object.
Step 218: The mobile terminal judges whether the characteristic value of the read characteristic was read successfully; if so, execute step 219; otherwise, report an error;
Specifically, the mobile terminal receives, through the system's characteristic read callback method, the result message from the system for reading the characteristic value of the read characteristic, and judges from the received result message whether the characteristic value of the read characteristic was read successfully.
For example, the mobile terminal receives, through the system's characteristic read callback method onCharacteristicRead(), the integer parameter paramStatus from the system as the result message for reading the characteristic value of the read characteristic, and judges whether the paramStatus parameter is 0; if so, it determines that the characteristic value of the read characteristic was read successfully; otherwise, it determines that the characteristic value of the read characteristic was not read successfully.
Step 219: The mobile terminal uses the characteristic value of the read characteristic as the packet length (subpackage length);
Step 220: The mobile terminal obtains the write characteristic and the notify characteristic from the service, and enables the notify characteristic;
Specifically, with the preset write characteristic identifier as parameter, the mobile terminal uses the service object to call the system's characteristic acquisition method and obtains the write characteristic object from the service object. With the preset notify characteristic identifier as parameter, it uses the service object to call the system's characteristic acquisition method and obtains the notify characteristic object from the service object; it then calls the system's characteristic notification setting method to enable the notify characteristic object;
For example, with the preset write characteristic identifier characteristicUuid as parameter, the mobile terminal uses the service object service to call the system's characteristic acquisition method getCharacteristic() and obtains the write characteristic object characteristic from the service object service. With the preset notify characteristic identifier characteristicUuid as parameter, it uses the service object service to call the system's characteristic acquisition method getCharacteristic() and obtains the notify characteristic object characteristic from the service object service; it calls the system's characteristic notification setting method setCharacteristicNotification() to enable the notify characteristic object.
The write characteristic identifier characteristicUuid is specifically "f1d0fff1-deaa-ecee-b42f-c9ba7ed623bb". The notify characteristic identifier characteristicUuid is specifically f1d0fff2-deaa-ecee-b42f-c9ba7ed623bb.
Step 221: The mobile terminal sends a get-version-number instruction to the identity authentication device through the write characteristic;
Specifically, the mobile terminal organizes the get-version-number instruction and sends the get-version-number instruction to the identity authentication device.
More specifically, the mobile terminal organizes a third instruction, uses the third instruction as the data field of the get-version-number instruction, and adds the preset protocol command identifier and the data length of the get-version-number instruction before the third instruction.
For example, the mobile terminal sets the instruction class "00" of the third instruction in the first byte of the third instruction, sets the get-version-number instruction code "03" in the second byte of the third instruction, sets the data length "000000" of the data field of the third instruction in the 5th to 7th bytes of the third instruction, and sets the expected response value length "0000" in the last two bytes of the third instruction, obtaining the third instruction "000300000000000000", which includes the get-version-number instruction code; it uses the third instruction as the data field of the get-version-number instruction and adds the preset protocol command identifier "83" and the data length "0009" of the third instruction before the third instruction, obtaining the get-version-number instruction "830009000300000000000000", and sends the get-version-number instruction to the identity authentication device.
Sending the get-version-number instruction to the identity authentication device specifically means: the mobile terminal uses the write characteristic object to send the get-version-number instruction to the identity authentication device.
Step 222: The mobile terminal receives the sixth response returned by the identity authentication device through the notify characteristic;
Specifically, the mobile terminal receives, through the system's communication callback method, the sixth response returned by the identity authentication device from the system.
For example, the mobile terminal receives, through the system's communication callback method, the BluetoothGattCharacteristic-type parameter paramCharacteristic from the system, and obtains the sixth response returned by the identity authentication device from the parameter paramCharacteristic.
Step 223: The mobile terminal judges whether the response code of the sixth response is the first preset value; if so, execute step 224; otherwise, report an error;
Specifically, the mobile terminal parses the sixth response, obtains the data in the last two bytes of the sixth response as the response code, and judges whether the response code of the sixth response is the first preset value; if so, execute step 224; otherwise, report an error.
In this embodiment, the first preset value is 9000.
Step 224: The mobile terminal obtains the second version number from the sixth response;
Specifically, the mobile terminal parses the sixth response, obtains the data in all bytes after the third byte of the sixth response (not including the third byte) and before the penultimate byte (not including the penultimate byte), and uses it as the second version number.
For example, the mobile terminal parses the sixth response "8300085532465f56329000", obtains the data in all bytes after the third byte "08" of the sixth response (not including the third byte) and before the penultimate byte "90" (not including the penultimate byte), which is "5532465f5632", and uses "5532465f5632" as the second version number.
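The get-version exchange of steps 221 to 224 (build the instruction, check the response code, extract the version number), as an added Python example that is not code from the patent; the command identifier "83", the instruction code "03" and the first preset value 9000 are the constants the text gives, and the response is assumed to arrive in a single notification as in the example.

```python
import struct
from typing import Tuple

# Constants given in the text: preset protocol command identifier "83",
# get-version-number instruction code "03", first preset value (response code) 9000.
CMD_MSG = 0x83
INS_GET_VERSION = 0x03
SW_SUCCESS = 0x9000


def build_frame(cmd: int, payload: bytes) -> bytes:
    """Prepend the 1-byte command identifier and the 2-byte big-endian data length."""
    return bytes([cmd]) + struct.pack(">H", len(payload)) + payload


def get_version_instruction() -> bytes:
    """The third instruction of step 221 wrapped as the get-version-number instruction:
    CLA 00, INS 03, P1 00, P2 00, 3-byte data length 000000 (empty data field)
    and 2-byte expected response length 0000."""
    third_instruction = bytes([0x00, INS_GET_VERSION, 0x00, 0x00]) + b"\x00\x00\x00" + b"\x00\x00"
    return build_frame(CMD_MSG, third_instruction)


def parse_version_response(frame: bytes) -> Tuple[str, int]:
    """Steps 223-224 on a single-packet response: check the header, require the
    response code in the last two bytes to be 9000, and return the bytes between
    the header and the response code decoded as the version number."""
    if len(frame) < 5 or frame[0] != CMD_MSG:
        raise ValueError("not a response frame")
    length = struct.unpack(">H", frame[1:3])[0]
    payload = frame[3:]
    if len(payload) != length:
        raise ValueError(f"length field {length} does not match {len(payload)} payload bytes")
    status = struct.unpack(">H", payload[-2:])[0]
    if status != SW_SUCCESS:
        raise ValueError(f"device returned response code {status:04X}")
    return payload[:-2].decode("ascii"), status


if __name__ == "__main__":
    print(get_version_instruction().hex())                                  # 830009000300000000000000
    print(parse_version_response(bytes.fromhex("8300085532465f56329000")))  # ('U2F_V2', 36864)
```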
Step 225: The mobile terminal judges whether the first version number matches the second version number; if so, execute step 226; otherwise, report an error;
Step 226: The mobile terminal organizes the second client data according to the preset authentication instruction type, the second challenge value and the origin data, organizes the authentication instruction according to the application ID, the second client data and the packet length, and sends the authentication instruction to the identity authentication device through the write characteristic;
This step specifically includes:
Step b1: The mobile terminal organizes the second client data, which includes the preset authentication instruction type, the second challenge value and the origin data;
Specifically, the mobile terminal creates a JSON object clientData, stores in the object clientData the preset authentication instruction type and its identifier, the second challenge value and its identifier, and the origin data and its identifier, converts the object clientData to a string, and obtains the second client data in JSON format;
For example, the mobile terminal creates a JSON object clientData, stores in the object clientData the preset authentication instruction type navigator.id.getAssertion with its identifier typ, the second challenge value ZaFJmTE0g4yz0sk8D0x07g with its identifier challenge, and the origin data https://u2fdemo.appspot.com with its identifier origin, converts the object clientData to a string, and obtains the second client data {"typ":"navigator.id.getAssertion","challenge":"ZaFJmTE0g4yz0sk8D0x07g","origin":"https:\/\/u2fdemo.appspot.com"}.
Step b2: The mobile terminal hashes the second client data and the application ID respectively, obtains a third hash value and a fourth hash value, and obtains the authentication data according to the third hash value, the fourth hash value and the key handle;
Specifically, the mobile terminal hashes the second client data and the application ID respectively using a first preset algorithm, obtains the third hash value and the fourth hash value, and organizes the authentication data according to the third hash value, the fourth hash value, the key handle length and the key handle.
The third hash value is the hashed second client data; the fourth hash value is the hashed application ID. The first preset algorithm may be, but is not limited to, SHA256.
For example, the mobile terminal uses the SHA256 algorithm to hash the second client data {"typ":"navigator.id.getAssertion","challenge":"ZaFJmTE0g4yz0sk8D0x07g","origin":"https:\/\/u2fdemo.appspot.com"} and the application ID "https://u2fdemo.appspot.com" respectively, obtains the third hash value "5FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2" and the fourth hash value "A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF56", and organizes the authentication data according to the third hash value, the fourth hash value, the key handle length "40" and the key handle "F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A"; the authentication data obtained is "5FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF5640F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A".
Step b3: The mobile terminal organizes the authentication instruction according to the authentication data, the FIDO protocol and the packet length;
Specifically, the mobile terminal organizes a second instruction according to the authentication data, and organizes the authentication instruction according to the second instruction and the packet length.
In this embodiment, the authentication instruction may comprise one packet or multiple packets of data.
More specifically, the mobile terminal sets the authentication instruction code in the second byte of the second instruction and sets the authentication data as the data field of the second instruction, obtaining the second instruction, which includes the authentication instruction code and the authentication data; it uses the second instruction as the data field of the authentication instruction and adds the preset protocol command identifier and the data length of the second instruction before the second instruction, obtaining the authentication instruction; it judges according to the packet length whether the authentication instruction needs to be split into packets; if so, it splits the authentication instruction into packets according to the packet length, obtaining multiple packets of authentication payload data, uses the first packet of authentication payload data as the first packet of authentication send data, and, starting from the second packet of authentication payload data, adds the corresponding packet index before each packet of authentication payload data, obtaining the packets of authentication send data that follow the first packet; otherwise, execute step b4.
In this embodiment, the authentication instruction code is specifically "02", and the preset protocol command identifier is specifically "83".
In this embodiment, the format of the authentication instruction is as follows:
    Preset protocol command identifier | Data length of the data field | Data field
    1 byte                             | 2 bytes                       |
The format of the second instruction is as follows:
For example, the mobile terminal sets the instruction class "00" of the second instruction in the first byte of the second instruction, sets the authentication instruction code "02" in the second byte of the second instruction, sets the data length "000081" of the authentication data in the 5th to 7th bytes of the second instruction, sets the authentication data "5FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF5640F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A" in the data field of the second instruction, and sets the expected response value length "0000" in the last two bytes of the second instruction, obtaining the second instruction "000203000000815FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF5640F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A0000", which includes the authentication instruction code and the authentication data; it uses the second instruction as the data field of the authentication instruction and adds the preset protocol command identifier "83" and the data length "008C" of the second instruction before the second instruction, obtaining the authentication instruction "83008C000203000000815FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF5640F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A0000"; it judges according to the packet length "20" whether the authentication instruction needs to be split into packets, and obtains the following packets of authentication payload data:
the first packet of authentication payload data: "83008C000203000000815FB6F5CA47F4BB78C03F";
the second packet of authentication payload data: "7F4CED729B92364FE43D399BE8DA397AF4F2F5";
the third packet of authentication payload data: "6549E2A1AA11AFF7E71252FE5E32AA80B425A0";
the fourth packet of authentication payload data: "FAFBE5F8A5EA767316A2562AB48DBF5640F21A";
the fifth packet of authentication payload data: "62C01BB90009EAE0F1CEE253DAE34D2B751AAA";
the sixth packet of authentication payload data: "8C94D90AD558F42E29B976E16CB8BACE08E676";
the seventh packet of authentication payload data: "A2332923D4B261B78285696F9CB3F59C317397";
the eighth packet of authentication payload data: "50FE55306A0000".
It uses the first packet of authentication payload data as the first packet of authentication send data: "83008C000203000000815FB6F5CA47F4BB78C03F";
adds the packet index "00" before the second packet of authentication payload data, obtaining the second packet of authentication send data: "007F4CED729B92364FE43D399BE8DA397AF4F2F5";
adds the packet index "01" before the third packet of authentication payload data, obtaining the third packet of authentication send data: "016549E2A1AA11AFF7E71252FE5E32AA80B425A0";
adds the packet index "02" before the fourth packet of authentication payload data, obtaining the fourth packet of authentication send data: "02FAFBE5F8A5EA767316A2562AB48DBF5640F21A";
adds the packet index "03" before the fifth packet of authentication payload data, obtaining the fifth packet of authentication send data: "0362C01BB90009EAE0F1CEE253DAE34D2B751AAA";
adds the packet index "04" before the sixth packet of authentication payload data, obtaining the sixth packet of authentication send data: "048C94D90AD558F42E29B976E16CB8BACE08E676";
adds the packet index "05" before the seventh packet of authentication payload data, obtaining the seventh packet of authentication send data: "05A2332923D4B261B78285696F9CB3F59C317397";
adds the packet index "06" before the eighth packet of authentication payload data, obtaining the eighth packet of authentication send data: "0650FE55306A0000".
Step b4: The mobile terminal sends the authentication instruction to the identity authentication device through the write characteristic.
Specifically, the mobile terminal uses the write characteristic object to send the authentication instruction to the identity authentication device.
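The client-data hashing, authentication data, second instruction and packet splitting of steps b1 to b3, as an added Python example that is not code from the patent. The length field is computed from the second instruction actually framed; the hex hash values and key handle used in the `__main__` section are the ones quoted in step b2, and the packet-index limit of 0x7F comes from the FIDO BLE transport specification rather than from this page.

```python
import hashlib
import struct
from typing import List, Tuple

CMD_MSG = 0x83             # preset protocol command identifier "83"
INS_AUTHENTICATE = 0x02    # authentication instruction code "02"
P1_CHECK_AND_SIGN = 0x03   # third byte of the second instruction in the example


def hash_client_data(client_data: str, app_id: str) -> Tuple[bytes, bytes]:
    """Step b2: SHA-256 of the JSON client data string (third hash value) and of the
    application ID (fourth hash value). The string is hashed byte-for-byte as the
    JSON library produced it, escaped slashes included."""
    h3 = hashlib.sha256(client_data.encode("utf-8")).digest()
    h4 = hashlib.sha256(app_id.encode("utf-8")).digest()
    return h3, h4


def build_authentication_data(h3: bytes, h4: bytes, key_handle: bytes) -> bytes:
    """Third hash || fourth hash || key handle length (1 byte) || key handle."""
    if len(h3) != 32 or len(h4) != 32 or not 0 < len(key_handle) < 256:
        raise ValueError("hash values must be 32 bytes, key handle 1..255 bytes")
    return h3 + h4 + bytes([len(key_handle)]) + key_handle


def build_second_instruction(auth_data: bytes) -> bytes:
    """Extended-length APDU of step b3: CLA 00, INS 02, P1 03, P2 00, a 3-byte
    data length, the authentication data and a 2-byte expected response length."""
    lc = struct.pack(">I", len(auth_data))[1:]          # 3-byte big-endian length
    return bytes([0x00, INS_AUTHENTICATE, P1_CHECK_AND_SIGN, 0x00]) + lc + auth_data + b"\x00\x00"


def build_authentication_instruction(second_instruction: bytes) -> bytes:
    """Prepend the command identifier 83 and the 2-byte length of the second instruction."""
    return bytes([CMD_MSG]) + struct.pack(">H", len(second_instruction)) + second_instruction


def fragment(instruction: bytes, packet_len: int) -> List[bytes]:
    """Split into packets of at most packet_len bytes (the value read in step 219).
    The first packet keeps the 3-byte header; every following packet starts with a
    packet index 00, 01, ... followed by the next packet_len - 1 bytes."""
    if packet_len < 4:
        raise ValueError("packet length leaves no room for header and data")
    packets = [instruction[:packet_len]]
    rest = instruction[packet_len:]
    index = 0
    while rest:
        if index > 0x7F:   # the FIDO BLE transport limits the packet index to 0x7F
            raise ValueError("instruction too long for this packet length")
        packets.append(bytes([index]) + rest[:packet_len - 1])
        rest = rest[packet_len - 1:]
        index += 1
    return packets


if __name__ == "__main__":
    # Inputs from the example in steps b1/b2: the JSON string as the Android JSON
    # library emits it (slashes escaped) and the hex key handle quoted in step b2.
    client_data = ('{"typ":"navigator.id.getAssertion","challenge":"ZaFJmTE0g4yz0sk8D0x07g",'
                   '"origin":"https:\\/\\/u2fdemo.appspot.com"}')
    h3, h4 = hash_client_data(client_data, "https://u2fdemo.appspot.com")
    key_handle = bytes.fromhex(
        "F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976"
        "E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A")
    auth_data = build_authentication_data(h3, h4, key_handle)
    instruction = build_authentication_instruction(build_second_instruction(auth_data))
    for i, packet in enumerate(fragment(instruction, 20)):
        print(i, packet.hex().upper())
```

With the 129-byte authentication data the second instruction is 7 + 129 + 2 = 138 bytes, so the computed length field is 008A; the packet contents after the 3-byte header are the eight packets listed above.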
After the identity authentication device receives the authentication instruction from the mobile terminal, it obtains the private key corresponding to the key handle according to the key handle in the authentication instruction, organizes the second data to be signed, which includes the third hash value and the fourth hash value from the authentication data, signs the second data to be signed according to the preset hash algorithm and the private key corresponding to the key handle to obtain the second signed data, organizes the second authentication criterion, which includes the second signed data, and returns to the mobile terminal the seventh response, which includes the second authentication criterion and the first preset value.
Step 227: The mobile terminal receives the seventh response returned by the identity authentication device through the notify characteristic;
Specifically, the mobile terminal receives, through the system's communication callback method, the seventh response returned by the identity authentication device from the system through the notify characteristic object.
For example, the mobile terminal receives, through the system's communication callback method, the BluetoothGattCharacteristic-type parameter paramCharacteristic from the system, and obtains from the parameter paramCharacteristic the seventh response returned by the identity authentication device through the notify characteristic object.
Step 228: The mobile terminal judges whether the response code of the seventh response is the first preset value; if so, execute step 229; otherwise, report an error;
Step 229: The mobile terminal generates a second authentication request according to the second client data, the application ID, the user identifier and the seventh response, and sends the second authentication request to the server background;
Specifically, the mobile terminal obtains the second authentication criterion from the seventh response, generates the second authentication request, which includes the second authentication criterion, the second client data, the application ID and the user identifier, and sends the second authentication request to the server background;
More specifically, the mobile terminal parses the seventh response, obtains the data in all bytes after the third byte of the seventh response (not including the third byte) and before the penultimate byte (not including the penultimate byte), uses it as the second authentication criterion, generates the second authentication request, which includes the second authentication criterion, the second client data, the application ID and the user identifier, and sends the second authentication request to the server background;
For example, the mobile terminal parses the seventh response 83004e01000000033045022066f456ba4b5decff5f63c78eca95a56d5fd757a8221ec89c6b9e7324ef537c8f022100c66a187fcce133ea99294c1804f023c4546513daf5fe1b09afd7ae21b334ea969000, obtains the data in all bytes after the third byte "4e" of the seventh response (not including the third byte) and before the penultimate byte "90" (not including the penultimate byte), which is 01000000033045022066f456ba4b5decff5f63c78eca95a56d5fd757a8221ec89c6b9e7324ef537c8f022100c66a187fcce133ea99294c1804f023c4546513daf5fe1b09afd7ae21b334ea96, and uses it as the second authentication criterion; it generates the second authentication request, which includes the second authentication criterion, the second client data, the application ID and the user identifier, and sends the second authentication request to the server background;
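Reassembling the notifications of one response and extracting the second authentication criterion, as in steps 227 to 229, as an added Python example that is not code from the patent; it goes beyond the single-packet example above by also joining multi-packet responses. The split of the criterion into a user-presence byte, a 4-byte counter and a DER signature follows the FIDO U2F raw message format, which the page does not spell out, and the packet-index rules come from the FIDO BLE transport specification.

```python
import struct
from typing import Dict, List, Tuple

CMD_MSG = 0x83       # preset protocol command identifier "83"
SW_SUCCESS = 0x9000  # first preset value


def reassemble(packets: List[bytes]) -> Tuple[int, bytes]:
    """Join the notifications of one response. The first packet carries the command
    identifier and the 2-byte length; each later packet carries a packet index
    00, 01, ... (at most 7F in the FIDO BLE transport) followed by data."""
    if not packets or len(packets[0]) < 3:
        raise ValueError("missing or truncated initial packet")
    cmd = packets[0][0]
    if cmd < 0x80:
        raise ValueError("initial packet must start with a command identifier (>= 0x80)")
    total = struct.unpack(">H", packets[0][1:3])[0]
    payload = bytearray(packets[0][3:])
    for expected_index, packet in enumerate(packets[1:]):
        if expected_index > 0x7F or not packet or packet[0] != expected_index:
            raise ValueError(f"continuation packet {expected_index} missing or out of order")
        payload += packet[1:]
    if len(payload) != total:
        raise ValueError(f"expected {total} payload bytes, got {len(payload)}")
    return cmd, bytes(payload)


def parse_sign_response(payload: bytes) -> Dict[str, object]:
    """Steps 228-229: the last two bytes are the response code and must be 9000;
    everything before them is the second authentication criterion, laid out as in
    the U2F raw message format: user-presence byte, 4-byte big-endian counter,
    DER-encoded ECDSA signature."""
    if len(payload) < 1 + 4 + 2 + 2:
        raise ValueError("payload too short")
    status = struct.unpack(">H", payload[-2:])[0]
    if status != SW_SUCCESS:
        raise ValueError(f"device returned response code {status:04X}")
    criterion = payload[:-2]
    signature = criterion[5:]
    # One DER SEQUENCE: tag 0x30 followed by a one-byte length covering the rest.
    if signature[0] != 0x30 or signature[1] != len(signature) - 2:
        raise ValueError("signature is not a single short-form DER SEQUENCE")
    return {
        "criterion": criterion,
        "user_presence": criterion[0],
        "counter": struct.unpack(">I", criterion[1:5])[0],
        "signature": signature,
    }


if __name__ == "__main__":
    # The seventh response from the example in step 229, delivered as one notification.
    frame = bytes.fromhex(
        "83004e01000000033045022066f456ba4b5decff5f63c78eca95a56d5fd757a8221ec89c"
        "6b9e7324ef537c8f022100c66a187fcce133ea99294c1804f023c4546513daf5fe1b09af"
        "d7ae21b334ea969000")
    cmd, payload = reassemble([frame])
    result = parse_sign_response(payload)
    print(result["user_presence"], result["counter"], result["signature"].hex())
```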
In this embodiment, the communication data between the mobile terminal and the server background is JSON-formatted data.
After the server background receives the second authentication request, it obtains the second client data, the application ID, the user identifier and the second authentication criterion from the second authentication request, obtains the public key corresponding to the user identifier according to the user identifier, verifies the signature of the second signed data in the second authentication criterion according to the second client data, the application ID, the preset hash algorithm and the public key, and judges whether the signature verification succeeds; if so, it sets the error code to the second preset value and sends the eighth response, which includes the error code, to the mobile terminal; otherwise, it sets the error code to the third preset value and sends the eighth response, which includes the error code, to the mobile terminal.
More specifically, after the server background receives the second authentication request, it obtains the second client data, the application ID, the user identifier and the second authentication criterion from the second authentication request, obtains the public key corresponding to the user identifier according to the user identifier, hashes the second client data and the application ID respectively using the first preset algorithm, obtaining third server background data and fourth server background data; it organizes second original data, which includes the third server background data and the fourth server background data, hashes the second original data using the preset hash algorithm to generate a second comparison value, decrypts the second signed data in the second authentication criterion using the public key to obtain second decrypted data, and judges whether the second comparison value matches the second decrypted data; if so, it sets the error code to the second preset value and sends the eighth response, which includes the error code, to the mobile terminal; otherwise, it sets the error code to the third preset value and sends the eighth response, which includes the error code, to the mobile terminal.
Step 230: The mobile terminal receives the eighth response from the server background;
Step 231: The mobile terminal obtains the error code from the eighth response of the server background and judges whether the error code is the second preset value; if so, authentication succeeds; otherwise, authentication fails.
The identity authentication method provided in this embodiment works together with the identity authentication device during the authentication process and requires no password input from the user, which makes identity authentication more convenient and easier to operate while also improving its security.
Embodiment 3
This embodiment provides an identity authentication system, as shown in Figure 6, comprising: a mobile terminal;
The mobile terminal includes: a first sending submodule 01, a first receiving submodule 02, a search submodule 03, a connection submodule 04, a first acquisition submodule 05, an enabling submodule 06, a feature sending submodule 07, a feature receiving submodule 08, a first generation submodule 09, a second sending submodule 10, a second receiving submodule 11 and a first judging submodule 12;
The first sending submodule 01 is used to send the first authentication request, which includes the user identifier, to the server background;
The first receiving submodule 02 is used to receive from the server background the fifth response, which includes the application ID, the second challenge value, the origin data and the key handle corresponding to the user identifier;
The search submodule 03 is used to search for the identity authentication device matching the preset service identifier;
The connection submodule 04 is used to establish a connection with the identity authentication device matching the preset service identifier;
The first acquisition submodule 05 is used to obtain the service of the identity authentication device, and to obtain the notify characteristic and the write characteristic from the service;
The first acquisition submodule 05 is specifically used to obtain the service of the identity authentication device according to the preset service identifier, to obtain the notify characteristic from the service according to the preset notify characteristic identifier, and to obtain the write characteristic from the service according to the preset write characteristic identifier.
The enabling submodule 06 is used to enable the notify characteristic obtained by the first acquisition submodule 05;
The first generation submodule 09 is used to generate the authentication data according to the preset authentication instruction type and the second challenge value, origin data, application ID and key handle received by the first receiving submodule 02;
The first generation submodule 09 specifically includes: a first organizing unit, a first hashing unit and a first generating unit;
The first organizing unit is used to organize the second client data, which includes the preset authentication instruction type, the second challenge value and the origin data;
The first hashing unit is used to hash the second client data organized by the first organizing unit and the application ID respectively, obtaining the third hash value and the fourth hash value;
The first generating unit is used to generate the authentication data according to the third hash value and the fourth hash value obtained by the first hashing unit and the key handle received by the first receiving unit.
The feature sending submodule 07 is used to send the authentication instruction, which includes the authentication data generated by the first generation submodule 09, to the identity authentication device through the write characteristic after the enabling submodule 06 has enabled the notify characteristic;
The feature receiving submodule 08 is used to receive the seventh response, which includes the second authentication criterion, returned by the identity authentication device through the notify characteristic;
The second sending submodule 10 is used to send to the server background the second authentication request, which includes the authentication instruction type, the second challenge value, the origin data, the application ID, the user identifier and the second authentication criterion;
The second sending submodule 10 is specifically used to send to the server background the second authentication request, which includes the second client data, the application ID, the user identifier and the second authentication criterion.
The second receiving submodule 11 is used to receive the eighth response, which includes the error code, from the server background;
The first judging submodule 12 is used to judge whether the error code is the second preset value; if so, it determines that authentication succeeded; otherwise, it determines that authentication failed.
Further, in this embodiment the identity authentication apparatus may also include the identity authentication device.
The identity authentication device includes a first authentication module, which includes a second acquisition submodule, a first signing submodule, a third sending submodule and a third receiving submodule.
The third receiving submodule is configured to receive the authentication instruction.
The second acquisition submodule is configured to obtain the authentication data from the authentication instruction received by the third receiving submodule, and to obtain from the authentication data the key handle and the private key corresponding to the key handle.
The first signing submodule is configured to assemble second data to be signed including the third hash value and the fourth hash value in the authentication data, and to sign the second data to be signed according to the preset hash algorithm and the private key corresponding to the key handle obtained by the second acquisition submodule, obtaining second signature data.
The third sending submodule is configured to assemble the second authentication evidence including the second signature data, and to return the seventh response including the second authentication evidence to the mobile terminal.
Further, in this embodiment the identity authentication apparatus may also include the server backend.
The server backend includes a second authentication module, which includes a fourth receiving submodule, a third acquisition submodule, a first signature verification submodule, a third judging submodule and a fourth sending submodule.
The fourth receiving submodule is configured to receive the second authentication request.
The third acquisition submodule is configured to obtain the public key corresponding to the user identifier according to the user identifier in the second authentication request.
The first signature verification submodule is configured to verify the second signature data in the second authentication evidence according to the second client data and the application ID in the second authentication request, the preset hash algorithm and the public key obtained by the third acquisition submodule.
The third judging submodule is configured to judge whether the verification by the first signature verification submodule succeeded.
The fourth sending submodule is configured to set the error code to the second preset value and send the eighth response including the error code to the mobile terminal after the third judging submodule determines yes, and to set the error code to the third preset value and send the eighth response including the error code to the mobile terminal after the third judging submodule determines no.
In this embodiment the fifth response further includes a first version number; correspondingly, the mobile terminal may also include a second judging submodule and a first error-reporting submodule.
The characteristic sending submodule 07 is also configured to, after the enabling submodule 06 enables the notify characteristic, send a get-version-number instruction to the identity authentication device via the write characteristic obtained by the first acquisition submodule 05.
The characteristic receiving submodule 08 is also configured to receive the sixth response, including a second version number, returned by the identity authentication device via the notify characteristic.
The second judging submodule is configured to judge whether the second version number in the sixth response received by the characteristic receiving submodule 08 matches the first version number received by the first receiving submodule 02; correspondingly, the first generating submodule 09 is specifically configured to generate the authentication data according to the preset authentication instruction type and the second challenge value, the origin data, the application ID and the key handle received by the first receiving submodule 02 after the second judging submodule determines yes.
The first error-reporting submodule is configured to report an error after the second judging submodule determines no.
In this embodiment the mobile terminal further includes a first assembling submodule, a fourth judging submodule and a first fragmenting submodule.
The first acquisition submodule 05 is also configured to obtain a read characteristic from the service and to use the value of the read characteristic as the fragment length; the first assembling submodule is configured to assemble the authentication instruction; the fourth judging submodule is configured to judge, according to the fragment length, whether the authentication instruction assembled by the first assembling submodule needs to be fragmented.
The first fragmenting submodule is configured to fragment the authentication instruction according to the fragment length after the fourth judging submodule determines yes.
Further, the first assembling submodule is specifically configured to assemble a second instruction according to the authentication data generated by the first generating submodule 09, to use the second instruction as the data field of the authentication instruction, and to prepend the preset protocol command identifier and the data length of the second instruction to the second instruction, obtaining the authentication instruction.
In this embodiment the mobile terminal further includes a fifth sending submodule, a fifth receiving submodule, a fifth judging submodule, a second generating submodule, a sixth sending submodule, a sixth receiving submodule and a sixth judging submodule.
The fifth sending submodule is configured to send a first registration request including the user identifier to the server backend.
The fifth receiving submodule is configured to receive from the server backend the first response including the application ID, the first challenge value and the origin data.
The second generating submodule is configured to generate registration data according to the preset register instruction type and the first challenge value, the origin data and the application ID received by the fifth receiving submodule.
The characteristic sending submodule 07 is also configured to, after the enabling submodule 06 enables the notify characteristic, send to the identity authentication device via the write characteristic a register instruction including the registration data generated by the second generating submodule.
The characteristic receiving submodule 08 is also configured to receive the third response, including the first authentication evidence, returned by the identity authentication device via the notify characteristic.
In this embodiment the second generating submodule specifically includes a second assembling unit, a second hashing unit and a second generating unit.
The second assembling unit is configured to assemble first client data including the preset register instruction type, the first challenge value and the origin data.
The second hashing unit is configured to hash the first client data assembled by the second assembling unit and the application ID respectively, obtaining a first hash value and a second hash value.
The second generating unit is configured to generate the registration data according to the first hash value and the second hash value obtained by the second hashing unit.
The sixth sending submodule is configured to send to the server backend a second registration request including the register instruction type, the first challenge value, the origin data, the application ID, the user identifier and the first authentication evidence.
The sixth sending submodule is specifically configured to send to the server backend a second registration request including the first client data, the application ID, the user identifier and the first authentication evidence.
The sixth receiving submodule is configured to receive the fourth response, including an error code, from the server backend.
The sixth judging submodule is configured to judge whether the error code is the second preset value; if so, registration is determined to have succeeded; otherwise, registration is determined to have failed.
Further, in this embodiment the identity authentication apparatus may also include the identity authentication device.
The identity authentication device includes a third authentication module, which includes a third generating submodule, a second signing submodule, a seventh sending submodule and a seventh receiving submodule.
The seventh receiving submodule is configured to receive the register instruction.
The third generating submodule is configured to generate a key pair and a key handle corresponding to the key pair after the seventh receiving submodule receives the register instruction.
The second signing submodule is configured to assemble first data to be signed including the public key of the key pair, the key handle, and the first hash value and the second hash value in the registration data, and to sign the first data to be signed according to the preset hash algorithm and the private key of the key pair, obtaining first signature data.
The seventh sending submodule is configured to assemble the first authentication evidence including the public key of the key pair, the key handle corresponding to the key pair and the first signature data, and to return the third response including the first authentication evidence to the mobile terminal.
Further, in this embodiment the identity authentication apparatus may also include the server backend.
The server backend includes a fourth authentication module, which includes an eighth receiving submodule, a second signature verification submodule, an eighth judging submodule, an eighth sending submodule and an associating submodule.
The eighth receiving submodule is configured to receive the second registration request.
The second signature verification submodule is configured to verify the first signature data in the first authentication evidence according to the first client data, the application ID, the public key in the first authentication evidence, the key handle in the first authentication evidence and the preset hash algorithm.
The eighth judging submodule is configured to judge whether the verification by the second signature verification submodule succeeded.
The associating submodule is configured to, after the eighth judging submodule determines yes, establish and save correspondences between the key handle and the public key in the third response and the user identifier respectively.
The eighth sending submodule is configured to set the error code to the second preset value and send the fourth response including the error code to the mobile terminal after the eighth judging submodule determines yes, and to set the error code to the third preset value and send the fourth response including the error code to the mobile terminal after the eighth judging submodule determines no.
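As an added example that is not part of the patent, the following Go program models the registration and authentication data flow of the modules described above end to end: the mobile terminal assembles the client data and hashes it and the application ID separately; the identity authentication device generates a key pair and key handle and signs the first data to be signed (public key, key handle, first and second hash value); the server backend verifies that signature and saves the public key against the user identifier; on authentication the device signs the third and fourth hash value with the private key found by key handle, and the server verifies with the saved public key and answers with an error code. ECDSA P-256 with SHA-256, the JSON encoding of the client data, the random 16-byte key handle, the instruction type strings and the error codes 0 and 1 (standing in for the second and third preset values) are all assumptions; the patent fixes none of them.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

const ( // constructed stand-ins for the patent's "preset" values (assumptions, not from the patent)
	typeRegister     = "register"     // preset register instruction type
	typeAuthenticate = "authenticate" // preset authentication instruction type
	errSuccess       = 0              // "second preset value": success
	errFailure       = 1              // "third preset value": failure
)

// ClientData is the first/second client data the mobile terminal assembles (steps b1 and a1).
type ClientData struct{ Type, Challenge, Origin string }

// hashPair is step b2/a2: hash the client data and the application ID separately (SHA-256 assumed).
func hashPair(cd ClientData, appID string) ([32]byte, [32]byte) {
	raw, _ := json.Marshal(cd) // a struct of plain strings always marshals
	return sha256.Sum256(raw), sha256.Sum256([]byte(appID))
}

// digest hashes the concatenation of its parts; every signature below is made over such a digest.
func digest(parts ...[]byte) []byte { d := sha256.Sum256(bytes.Join(parts, nil)); return d[:] }

// Authenticator models the identity authentication device; private keys are kept by key handle.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register generates a key pair and handle and signs pub||handle||h1||h2 (the first data to be signed).
func (a *Authenticator) Register(h1, h2 [32]byte) (pub []byte, handle string, sig []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	hb := make([]byte, 16) // constructed: a random 16-byte key handle
	if _, rerr := rand.Read(hb); err != nil || rerr != nil {
		return nil, "", nil, fmt.Errorf("key or handle generation failed")
	}
	pub, _ = x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for a fresh P-256 key
	handle = fmt.Sprintf("%x", hb)
	a.keys[handle] = priv
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest(pub, []byte(handle), h1[:], h2[:]))
	return pub, handle, sig, err
}

// Authenticate looks up the private key by key handle and signs h3||h4 (the second data to be signed).
func (a *Authenticator) Authenticate(handle string, h3, h4 [32]byte) ([]byte, error) {
	if priv, ok := a.keys[handle]; ok {
		return ecdsa.SignASN1(rand.Reader, priv, digest(h3[:], h4[:]))
	}
	return nil, fmt.Errorf("unknown key handle")
}

// Server models the server backend; it saves the public key by user identifier (the patent
// saves the key handle alongside it, which is returned to the terminal in the fifth response).
type Server struct{ pubs map[string]*ecdsa.PublicKey }

func NewServer() *Server { return &Server{pubs: map[string]*ecdsa.PublicKey{}} }

// Register verifies the first authentication evidence (pub, handle, sig) and saves the public key.
func (s *Server) Register(user string, cd ClientData, appID string, pub []byte, handle string, sig []byte) int {
	parsed, _ := x509.ParsePKIXPublicKey(pub) // on a parse error parsed is nil and the assertion fails
	h1, h2 := hashPair(cd, appID)
	ecPub, ok := parsed.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(ecPub, digest(pub, []byte(handle), h1[:], h2[:]), sig) {
		return errFailure
	}
	s.pubs[user] = ecPub
	return errSuccess
}

// Authenticate verifies the second authentication evidence with the public key saved for the user.
func (s *Server) Authenticate(user string, cd ClientData, appID string, sig []byte) int {
	h3, h4 := hashPair(cd, appID)
	if pub, ok := s.pubs[user]; ok && ecdsa.VerifyASN1(pub, digest(h3[:], h4[:]), sig) {
		return errSuccess
	}
	return errFailure
}

// Demo runs registration then authentication for one constructed user and returns both error codes.
func Demo() (regCode, authCode int) {
	auth, srv, appID := NewAuthenticator(), NewServer(), "https://example.test" // constructed values
	reg := ClientData{typeRegister, "challenge-1", appID}
	h1, h2 := hashPair(reg, appID)
	pub, handle, sig, _ := auth.Register(h1, h2)
	regCode = srv.Register("alice", reg, appID, pub, handle, sig)
	au := ClientData{typeAuthenticate, "challenge-2", appID}
	h3, h4 := hashPair(au, appID)
	sig2, _ := auth.Authenticate(handle, h3, h4)
	return regCode, srv.Authenticate("alice", au, appID, sig2)
}

func main() { fmt.Println(Demo()) }
```

Because the challenge value is hashed into the client data that both sides sign over, a seventh response captured for one challenge does not verify against a second authentication request carrying a different challenge; the server's check of the signature therefore also covers freshness, provided it issues a new second challenge value in every fifth response.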
In this embodiment the first response further includes a first version number.
Correspondingly, the mobile terminal may also include a seventh judging submodule and a second error-reporting submodule.
The characteristic sending submodule 07 is also configured to, after the enabling submodule 06 enables the notify characteristic, send a get-version-number instruction to the identity authentication device via the write characteristic obtained by the first acquisition submodule 05.
The characteristic receiving submodule 08 is also configured to receive the second response, including a second version number, returned by the identity authentication device via the notify characteristic.
The seventh judging submodule is configured to judge whether the second version number in the second response received by the characteristic receiving submodule 08 matches the first version number received by the fifth receiving submodule.
The second generating submodule is configured to generate the registration data according to the preset register instruction type and the first challenge value, the origin data and the application ID received by the fifth receiving submodule after the seventh judging submodule determines yes.
The second error-reporting submodule is configured to report an error after the seventh judging submodule determines no.
In this embodiment the mobile terminal further includes a second fragmenting submodule, a second assembling submodule and a ninth judging submodule. The first acquisition submodule 05 is also configured to obtain a read characteristic from the service and to use the value of the read characteristic as the fragment length; the second assembling submodule is configured to assemble the register instruction; the ninth judging submodule is configured to judge, according to the fragment length, whether the register instruction assembled by the second assembling submodule needs to be fragmented; the second fragmenting submodule is configured to fragment the register instruction according to the fragment length after the ninth judging submodule determines yes.
Further, the second assembling submodule is specifically configured to assemble a first instruction according to the registration data generated by the second generating submodule, to use the first instruction as the data field of the register instruction, and to prepend the protocol instruction type identifier and the data length of the first instruction to the first instruction, obtaining the register instruction.
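The instruction framing and fragmentation performed by the first and second assembling and fragmenting submodules above, as an added example that is not in the patent: Frame prepends a command identifier and the data length to the data field, Fragment cuts the result to the fragment length read from the read characteristic only when the instruction is longer than that length, and Reassemble shows the checks the receiving device needs before acting on the data field. The identifier byte 0x83, the two-byte big-endian length encoding and the 20-byte fragment length are constructed placeholders; the patent does not fix them.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// cmdIdentifier stands in for the patent's protocol command identifier (constructed placeholder).
const cmdIdentifier byte = 0x83

// Frame builds the instruction written to the write characteristic:
// identifier || 2-byte big-endian data length || inner instruction (the data field).
func Frame(inner []byte) ([]byte, error) {
	if len(inner) > 0xFFFF {
		return nil, errors.New("data field exceeds the 16-bit length field")
	}
	out := []byte{cmdIdentifier, byte(len(inner) >> 8), byte(len(inner))}
	return append(out, inner...), nil
}

// Fragment is the fourth/ninth judging submodule and the fragmenting submodule together: if the
// instruction is longer than fragLen (the value read from the read characteristic) it is cut into
// pieces of at most fragLen bytes, otherwise it is sent as one write.
func Fragment(instr []byte, fragLen int) ([][]byte, error) {
	if fragLen <= 0 {
		return nil, fmt.Errorf("invalid fragment length %d", fragLen)
	}
	if len(instr) <= fragLen {
		return [][]byte{instr}, nil // no fragmentation needed
	}
	var out [][]byte
	for start := 0; start < len(instr); start += fragLen {
		end := start + fragLen
		if end > len(instr) {
			end = len(instr)
		}
		out = append(out, instr[start:end])
	}
	return out, nil
}

// Reassemble is the device side, which the patent does not detail: join the writes, then check
// the identifier and the declared length before handing the data field to the command handler,
// so that a dropped or duplicated fragment is detected rather than parsed as authentication data.
func Reassemble(frags [][]byte) ([]byte, error) {
	buf := bytes.Join(frags, nil)
	if len(buf) < 3 || buf[0] != cmdIdentifier {
		return nil, errors.New("missing or unknown command identifier")
	}
	if n := int(buf[1])<<8 | int(buf[2]); len(buf) != 3+n {
		return nil, fmt.Errorf("declared length %d does not match %d received bytes", n, len(buf)-3)
	}
	return buf[3:], nil
}

func main() {
	inner := bytes.Repeat([]byte{0xAB}, 70) // constructed 70-byte authentication data
	instr, _ := Frame(inner)
	frags, _ := Fragment(instr, 20) // 20 is the constructed read-characteristic value
	data, err := Reassemble(frags)
	fmt.Println(len(frags), bytes.Equal(data, inner), err)
}
```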
In this embodiment the mobile terminal may also include a third error-reporting submodule; the search submodule 03 includes a search unit, a receiving unit and a judging unit.
The search unit is configured to search for the identity authentication device.
The receiving unit is configured to receive broadcast data from the identity authentication device.
The judging unit is configured to judge whether the service identifier in the broadcast data from the identity authentication device received by the receiving unit matches the preset service identifier; if so, it is determined that an identity authentication device matching the preset service identifier has been found.
The third error-reporting submodule is configured to report an error after the judging unit determines no.
Further, the search unit is specifically configured to call the system's scan interface to search for the identity authentication device and to set a search callback object, which includes a search callback method.
The receiving unit is specifically configured to receive, through the system's search callback method, the broadcast data from the identity authentication device and the device object corresponding to the identity authentication device.
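An added example, not from the patent, of the check the judging unit makes on broadcast data: it parses standard BLE advertising data into its length/type/value structures and looks for the preset service identifier in the 16-bit service UUID lists (AD types 0x02 and 0x03). The service UUID 0xFFFD and the sample advertisement are constructed; the scan itself (the system's scan interface and its callback) is platform API and is not modelled.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// presetServiceUUID stands in for the patent's preset service identifier (constructed placeholder).
const presetServiceUUID uint16 = 0xFFFD

// adStructure is one element of BLE advertising data: a length byte, an AD type byte and the payload.
type adStructure struct {
	Type byte
	Data []byte
}

// parseAdvertisement splits raw advertising data into AD structures per the Bluetooth Core
// Specification's advertising data format. The length byte counts the type byte plus the payload.
func parseAdvertisement(raw []byte) ([]adStructure, error) {
	var out []adStructure
	for i := 0; i < len(raw); {
		n := int(raw[i])
		if n == 0 {
			break // a zero length marks the start of padding
		}
		if i+1+n > len(raw) {
			return nil, fmt.Errorf("AD structure at offset %d runs past the end of the payload", i)
		}
		out = append(out, adStructure{Type: raw[i+1], Data: raw[i+2 : i+1+n]})
		i += 1 + n
	}
	return out, nil
}

// AdvertisesService is the judging unit: does the broadcast data carry the wanted 16-bit service UUID?
// A malformed advertisement is reported as an error rather than silently treated as "no match".
func AdvertisesService(raw []byte, want uint16) (bool, error) {
	ads, err := parseAdvertisement(raw)
	if err != nil {
		return false, err
	}
	for _, ad := range ads {
		if ad.Type != 0x02 && ad.Type != 0x03 { // incomplete / complete list of 16-bit service UUIDs
			continue
		}
		for j := 0; j+1 < len(ad.Data); j += 2 {
			if binary.LittleEndian.Uint16(ad.Data[j:]) == want {
				return true, nil
			}
		}
	}
	return false, nil
}

// SampleAdvertisement is a constructed broadcast: Flags, a complete 16-bit UUID list and a local name.
var SampleAdvertisement = []byte{
	0x02, 0x01, 0x06, // Flags: LE General Discoverable, BR/EDR not supported
	0x03, 0x03, 0xFD, 0xFF, // Complete list of 16-bit service UUIDs: 0xFFFD (little-endian)
	0x06, 0x09, 'T', 'o', 'k', 'e', 'n', // Complete local name "Token"
}

func main() {
	fmt.Println(AdvertisesService(SampleAdvertisement, presetServiceUUID))
}
```

Matching on the advertised service UUID only selects a candidate device; it proves nothing about the device, since any peripheral can advertise any UUID. The binding to a genuine authenticator comes later, from the signature verified by the server backend.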
Further, the connection submodule 04 is specifically configured to call the system's connect method using the device object corresponding to the identity authentication device received by the receiving unit, to establish a Bluetooth connection with the identity authentication device, to obtain a Generic Attribute Profile (GATT) object and to set a connection callback object.
Still further, the first acquisition submodule 05 is specifically configured to use the preset service identifier as a parameter and call the system's get-service method on the GATT object to obtain the service object of the identity authentication device; to use the preset write characteristic identifier as a parameter and call the system's get-characteristic method on the service object to obtain the write characteristic object from the service object; and to use the preset notify characteristic identifier as a parameter and call the system's get-characteristic method on the service object to obtain the notify characteristic object from the service object.
The connection callback object includes the system's notify callback method; correspondingly:
the enabling submodule 06 is specifically configured to call the system's set-characteristic-notification method to enable the notify characteristic object;
the characteristic receiving submodule 08 is specifically configured to receive, through the system's communication callback method, the sixth response including the second version number returned by the identity authentication device via the notify characteristic object, and to receive, through the system's communication callback method, the seventh response returned by the identity authentication device via the notify characteristic object.
The foregoing is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any changes or substitutions that can be easily thought of by anyone skilled in the art within the technical scope disclosed by the present invention should be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention should be subject to the scope of protection of the claims.

Claims (40)

1. An identity authentication method, characterized by comprising:
Step s1: a mobile terminal sends a first authentication request including a user identifier to a server backend, and receives from the server backend a fifth response including an application ID, a second challenge value, origin data and a key handle corresponding to the user identifier;
Step s2: the mobile terminal searches for an identity authentication device matching a preset service identifier and establishes a Bluetooth connection with the identity authentication device;
Step s3: the mobile terminal obtains the service of the identity authentication device, obtains a notify characteristic and a write characteristic from the service, and enables the notify characteristic;
Step s4: the mobile terminal generates authentication data according to a preset authentication instruction type, the second challenge value, the origin data, the application ID and the key handle, sends to the identity authentication device via the write characteristic an authentication instruction including the authentication data, and receives a seventh response, including second authentication evidence, returned by the identity authentication device via the notify characteristic;
Step s5: the mobile terminal sends to the server backend a second authentication request including the authentication instruction type, the second challenge value, the origin data, the application ID, the user identifier and the second authentication evidence;
Step s6: the mobile terminal receives an eighth response including an error code from the server backend, and judges whether the error code is a second preset value; if so, authentication is determined to have succeeded; otherwise, authentication is determined to have failed;
wherein generating authentication data according to the preset authentication instruction type, the second challenge value, the origin data, the application ID and the key handle specifically includes:
Step a1: the mobile terminal assembles second client data including the preset authentication instruction type, the second challenge value and the origin data;
Step a2: the mobile terminal hashes the second client data and the application ID respectively, obtaining a third hash value and a fourth hash value, and generates the authentication data according to the third hash value, the fourth hash value and the key handle.
2. The method according to claim 1, characterized in that the fifth response further includes a first version number;
before step s4 the method further includes: the mobile terminal sends a get-version-number instruction to the identity authentication device via the write characteristic, receives a sixth response, including a second version number, returned by the identity authentication device via the notify characteristic, and judges whether the first version number matches the second version number; if so, step s4 is performed; otherwise, an error is reported.
3. The method according to claim 1, characterized in that
sending to the server backend a second authentication request including the authentication instruction type, the second challenge value, the origin data, the application ID, the user identifier and the second authentication evidence specifically is: sending to the server backend a second authentication request including the second client data, the application ID, the user identifier and the second authentication evidence.
4. The method according to claim 3, characterized in that, after the identity authentication device receives the authentication instruction, it obtains the authentication data from the authentication instruction, obtains from the authentication data the key handle and the private key corresponding to the key handle, assembles second data to be signed including the third hash value and the fourth hash value in the authentication data, signs the second data to be signed according to a preset hash algorithm and the private key corresponding to the key handle to obtain second signature data, assembles the second authentication evidence including the second signature data, and returns the seventh response including the second authentication evidence to the mobile terminal.
5. The method according to claim 4, characterized in that, after the server backend receives the second authentication request, it obtains the public key corresponding to the user identifier according to the user identifier in the second authentication request, verifies the second signature data in the second authentication evidence according to the second client data and the application ID in the second authentication request, the preset hash algorithm and the public key, and judges whether the verification succeeded; if so, it sets the error code to the second preset value and sends the eighth response including the error code to the mobile terminal; otherwise, it sets the error code to a third preset value and sends the eighth response including the error code to the mobile terminal.
6. The method according to claim 1, characterized in that step s3 further includes obtaining a read characteristic from the service and using the value of the read characteristic as the fragment length;
before sending to the identity authentication device via the write characteristic the authentication instruction including the authentication data, the method further includes: assembling the authentication instruction according to the authentication data, and judging, according to the fragment length, whether the authentication instruction needs to be fragmented; if so, fragmenting the authentication instruction according to the fragment length and continuing; otherwise, continuing.
7. The method according to claim 6, characterized in that assembling the authentication instruction according to the authentication data specifically includes: assembling a second instruction according to the authentication data, using the second instruction as the data field of the authentication instruction, and prepending a protocol instruction type identifier and the data length of the second instruction to the second instruction, obtaining the authentication instruction.
8. The method according to claim 1, characterized in that, before step s1, the method further includes:
Step r1: the mobile terminal sends a first registration request including the user identifier to the server backend, and receives from the server backend a first response including the application ID, a first challenge value and the origin data;
Step r2: the mobile terminal searches for an identity authentication device matching the preset service identifier and establishes a Bluetooth connection with the identity authentication device;
Step r3: the mobile terminal obtains the service of the identity authentication device, obtains the notify characteristic and the write characteristic from the service, and enables the notify characteristic;
Step r4: the mobile terminal generates registration data according to a preset register instruction type, the first challenge value, the origin data and the application ID, sends to the identity authentication device via the write characteristic a register instruction including the registration data, and receives a third response, including first authentication evidence, returned by the identity authentication device via the notify characteristic;
Step r5: the mobile terminal sends to the server backend a second registration request including the register instruction type, the first challenge value, the origin data, the application ID, the user identifier and the first authentication evidence;
Step r6: the mobile terminal receives a fourth response including an error code from the server backend, and judges whether the error code is the second preset value; if so, registration is determined to have succeeded; otherwise, registration is determined to have failed.
9. The method according to claim 8, characterized in that the first response further includes a first version number;
before step r4 the method further includes: the mobile terminal sends a get-version-number instruction to the identity authentication device via the write characteristic, receives a second response, including a second version number, returned by the identity authentication device via the notify characteristic, and judges whether the first version number matches the second version number; if so, step r4 is performed; otherwise, an error is reported.
10. The method according to claim 8, characterized in that generating registration data according to the preset register instruction type, the first challenge value, the origin data and the application ID specifically includes:
Step b1: the mobile terminal assembles first client data including the preset register instruction type, the first challenge value and the origin data;
Step b2: the mobile terminal hashes the first client data and the application ID respectively, obtaining a first hash value and a second hash value, and generates the registration data according to the first hash value and the second hash value;
and sending to the server backend a second registration request including the register instruction type, the first challenge value, the origin data, the application ID, the user identifier and the first authentication evidence specifically is: sending to the server backend a second registration request including the first client data, the application ID, the user identifier and the first authentication evidence.
11. The method according to claim 10, characterized in that, after the identity authentication device receives the register instruction, it generates a key pair and a key handle corresponding to the key pair, assembles first data to be signed including the public key of the key pair, the key handle, and the first hash value and the second hash value in the registration data, signs the first data to be signed according to a preset hash algorithm and the private key of the key pair to obtain first signature data, assembles the first authentication evidence including the public key of the key pair, the key handle corresponding to the key pair and the first signature data, and returns the third response including the first authentication evidence to the mobile terminal.
12. The method according to claim 11, characterized in that, after the server backend receives the second registration request, it verifies the first signature data in the first authentication evidence according to the first client data, the application ID, the public key in the first authentication evidence, the key handle in the first authentication evidence and the preset hash algorithm, and judges whether the verification succeeded; if so, it establishes and saves correspondences between the key handle and the public key in the third response and the user identifier respectively, sets the error code to the second preset value, and sends to the mobile terminal the fourth response whose error code is the second preset value; otherwise, it sets the error code to a third preset value and sends to the mobile terminal the fourth response whose error code is the third preset value.
13. The method according to claim 8, characterized in that step r3 further includes obtaining a read characteristic from the service and using the value of the read characteristic as the fragment length;
before sending to the identity authentication device via the write characteristic the register instruction including the registration data, the method further includes: assembling the register instruction according to the registration data, and judging, according to the fragment length, whether the register instruction needs to be fragmented; if so, fragmenting the register instruction according to the fragment length and continuing; otherwise, continuing.
14. The method according to claim 13, characterized in that assembling the register instruction according to the registration data specifically includes: assembling a second instruction according to the registration data, using the second instruction as the data field of the register instruction, and prepending a protocol instruction type identifier and the data length of the second instruction to the second instruction, obtaining the register instruction.
15. The method according to claim 1 or 8, characterized in that searching for an identity authentication device matching the preset service identifier specifically is:
the mobile terminal searches for identity authentication devices, receives broadcast data from an identity authentication device, and judges whether the service identifier in the broadcast data matches the preset service identifier; if so, it is determined that an identity authentication device matching the preset service identifier has been found and the method continues; otherwise, an error is reported.
16. The method according to claim 15, characterized in that the mobile terminal searching for identity authentication devices and receiving broadcast data from an identity authentication device specifically is:
the mobile terminal calls the system's scan interface to search for identity authentication devices and sets a search callback object, the search callback object including a search callback method; through the system's search callback method it receives the broadcast data from the identity authentication device and a device object corresponding to the identity authentication device.
17. The method according to claim 16, characterized in that establishing a Bluetooth connection with the identity authentication device specifically includes:
the mobile terminal calls the system's connect method using the device object corresponding to the identity authentication device, establishes a Bluetooth connection with the identity authentication device, obtains a Generic Attribute Profile (GATT) object and sets a connection callback object.
18. The method according to claim 17, characterized in that obtaining the service of the identity authentication device and obtaining the notify characteristic and the write characteristic from the service specifically includes:
Step t1: the mobile terminal uses the preset service identifier as a parameter and calls the system's get-service method on the GATT object to obtain a service object of the identity authentication device; uses a preset write characteristic identifier as a parameter and calls the system's get-characteristic method on the service object to obtain a write characteristic object from the service object; and uses a preset notify characteristic identifier as a parameter and calls the system's get-characteristic method on the service object to obtain a notify characteristic object from the service object.
19. The method according to claim 18, characterized in that the callback object includes a notification callback method of the system;
enabling the notify characteristic specifically is: calling the system's set-characteristic-notification method to enable the notify characteristic object;
receiving the sixth response, including the second version number, returned by the identity authentication device through the notify characteristic specifically is: the mobile terminal receiving, through the communication callback method of the system, the sixth response including the second version number returned by the identity authentication device through the notify characteristic object;
receiving the seventh response returned by the identity authentication device through the notify characteristic specifically is: the mobile terminal receiving, through the communication callback method of the system, the seventh response returned by the identity authentication device through the notify characteristic object.
20. The method according to claim 1 or 8, characterized in that the mobile terminal obtaining the service of the identity authentication device and obtaining the notify characteristic and the write characteristic from the service specifically is: the mobile terminal obtaining the service of the identity authentication device according to the preset service identifier, obtaining the notify characteristic from the service according to the preset notify characteristic identifier, and obtaining the write characteristic from the service according to the preset write characteristic identifier.
21. An identity authentication apparatus, characterized by comprising a mobile terminal;
the mobile terminal includes: a first sending submodule, a first receiving submodule, a search submodule, a connection submodule, a first acquisition submodule, an enabling submodule, a characteristic sending submodule, a characteristic receiving submodule, a first generation submodule, a second sending submodule, a second receiving submodule and a first judging submodule;
the first sending submodule is configured to send a first authentication request including a user identifier to the server back end;
the first receiving submodule is configured to receive, from the server back end, a fifth response including an application ID, a second challenge value, source data and a key handle corresponding to the user identifier;
the search submodule is configured to search for an identity authentication device matching the preset service identifier;
the connection submodule is configured to establish a Bluetooth connection with the identity authentication device matching the preset service identifier;
the first acquisition submodule is configured to obtain the service of the identity authentication device, and to obtain a notify characteristic and a write characteristic from the service;
the enabling submodule is configured to enable the notify characteristic obtained by the first acquisition submodule;
the first generation submodule is configured to generate authentication data according to a preset authentication instruction type and the second challenge value, the source data, the application ID and the key handle received by the first receiving submodule;
the characteristic sending submodule is configured to, after the enabling submodule has enabled the notify characteristic, send to the identity authentication device through the write characteristic an authentication instruction including the authentication data generated by the first generation submodule;
the characteristic receiving submodule is configured to receive a seventh response, including a second authentication criterion, returned by the identity authentication device through the notify characteristic;
the second sending submodule is configured to send to the server back end a second authentication request including the authentication instruction type, the second challenge value, the source data, the application ID, the user identifier and the second authentication criterion;
the second receiving submodule is configured to receive an eighth response including an error code from the server back end;
the first judging submodule is configured to judge whether the error code is a second preset value; if so, determine that authentication succeeded, otherwise determine that authentication failed;
the first generation submodule specifically includes a first organizing unit, a first hashing unit and a first generating unit;
the first organizing unit is configured to organize second client data including the preset authentication instruction type, the second challenge value and the source data;
the first hashing unit is configured to hash the second client data organized by the first organizing unit and the application ID separately, obtaining a third hash value and a fourth hash value;
the first generating unit is configured to generate the authentication data according to the third hash value and the fourth hash value obtained by the first hashing unit and the key handle received by the first receiving unit.
22. The apparatus according to claim 21, characterized in that the fifth response further includes a first version number, and the mobile terminal further includes a second judging submodule and a first error reporting submodule;
the characteristic sending submodule is further configured to, after the enabling submodule has enabled the notify characteristic, send a get-version-number instruction to the identity authentication device through the write characteristic obtained by the first acquisition submodule;
the characteristic receiving submodule is further configured to receive a sixth response, including a second version number, returned by the identity authentication device through the notify characteristic;
the second judging submodule is configured to judge whether the second version number in the sixth response received by the characteristic receiving submodule matches the first version number received by the first receiving submodule;
the first generation submodule is configured to, after the second judging submodule judges yes, generate the authentication data according to the preset authentication instruction type and the second challenge value, the source data, the application ID and the key handle received by the first receiving submodule;
the first error reporting submodule is configured to report an error after the second judging submodule judges no.
23. The apparatus according to claim 21, characterized in that
the second sending submodule is specifically configured to send to the server back end a second authentication request including the second client data, the application ID, the user identifier and the second authentication criterion.
24. The apparatus according to claim 23, characterized by further comprising an identity authentication device;
the identity authentication device includes a second acquisition submodule, a first signing submodule, a third sending submodule and a third receiving submodule;
the third receiving submodule is configured to receive the authentication instruction;
the second acquisition submodule is configured to obtain the authentication data from the authentication instruction received by the third receiving submodule, and to obtain the key handle and the private key corresponding to the key handle from the authentication data;
the first signing submodule is configured to organize second data to be signed, including the third hash value and the fourth hash value in the authentication data, and to sign the second data to be signed with the private key corresponding to the key handle obtained by the second acquisition submodule and the preset hash algorithm, obtaining second signed data;
the third sending submodule is configured to organize the second authentication criterion including the second signed data, and to return a seventh response including the second authentication criterion to the mobile terminal.
25. The apparatus according to claim 24, characterized by further comprising a server back end;
the server back end includes a fourth receiving submodule, a third acquisition submodule, a first signature verification submodule, a third judging submodule and a fourth sending submodule;
the fourth receiving submodule is configured to receive the second authentication request;
the third acquisition submodule is configured to obtain the public key corresponding to the user identifier according to the user identifier in the second authentication request;
the first signature verification submodule is configured to verify the second signed data in the second authentication criterion according to the second client data and the application ID in the second authentication request, the preset hash algorithm and the public key obtained by the third acquisition submodule;
the third judging submodule is configured to judge whether the verification by the first signature verification submodule succeeded;
the fourth sending submodule is configured to, after the third judging submodule judges yes, set the error code to the second preset value and send an eighth response including the error code to the mobile terminal; and, after the third judging submodule judges no, set the error code to a third preset value and send an eighth response including the error code to the mobile terminal.
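The authentication exchange of claims 21 to 25 (mobile terminal hashes client data and application ID, the authenticator signs the two hashes under the key selected by the key handle, the server back end re-derives the hashes and verifies the signature against the public key stored for the user) as an added Go model; it is example code, not the patent's own implementation. P-256 ECDSA with SHA-256 as the "preset hash algorithm", the JSON client-data layout, the 16-byte key handle, the `enroll` stand-in for registration and the two status codes are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
)

// Constructed model of the claimed authentication exchange (claims 21 to 25). The JSON
// client-data layout, the 16-byte key handle and the status codes are assumptions.
const (
	codeOK   = 0x9000 // stands in for the "second preset value" (success)
	codeFail = 0x6A80 // stands in for the "third preset value" (failure)
)

// clientData is the "second client data": instruction type, challenge and source data.
type clientData struct{ Type, Challenge, Origin string }

func encodeClientData(typ, chal, origin string) []byte {
	b, _ := json.Marshal(clientData{typ, chal, origin})
	return b
}

func h(b []byte) []byte { s := sha256.Sum256(b); return s[:] }
func cat(p ...[]byte) []byte  { return bytes.Join(p, nil) }

// authenticator (claim 24) keeps private keys indexed by key handle.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// enroll stands in for registration: a fresh P-256 key and handle, public key returned.
func (a *authenticator) enroll() (pub, handle []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	handle = make([]byte, 16)
	rand.Read(handle)
	a.keys[hex.EncodeToString(handle)] = priv
	pub, _ = x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return pub, handle
}

// sign splits authData = h3||h4||handle, finds the key and signs the second data (h3||h4).
func (a *authenticator) sign(authData []byte) ([]byte, bool) {
	if len(authData) <= 64 {
		return nil, false
	}
	priv, ok := a.keys[hex.EncodeToString(authData[64:])]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h(authData[:64]))
	return sig, err == nil
}

// server (claim 25) holds the public key associated with each user identifier.
type server struct{ appID string; pubs map[string][]byte }

// verify recomputes h3 and h4 from the second client data and app ID, then checks the signature.
func (s *server) verify(user string, cd, sig []byte) int {
	k, err := x509.ParsePKIXPublicKey(s.pubs[user])
	ek, ok := k.(*ecdsa.PublicKey)
	if err != nil || !ok || !ecdsa.VerifyASN1(ek, h(cat(h(cd), h([]byte(s.appID)))), sig) {
		return codeFail
	}
	return codeOK
}

// runAuth plays the mobile terminal. With tamper set, the client data sent to the server
// differs from what the authenticator signed, so the server must reject it.
func runAuth(tamper bool) int {
	srv := &server{appID: "https://app.example", pubs: map[string][]byte{}}
	dev := &authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	pub, handle := dev.enroll()
	srv.pubs["alice"] = pub // the server learned this at registration time
	cd := encodeClientData("authenticate", "challenge-2", "https://app.example")
	authData := cat(h(cd), h([]byte(srv.appID)), handle) // h3 || h4 || key handle
	sig, ok := dev.sign(authData)
	if !ok {
		return codeFail
	}
	if tamper {
		cd = encodeClientData("authenticate", "challenge-X", "https://app.example")
	}
	return srv.verify("alice", cd, sig)
}
```

Because the server hashes the client data it received itself rather than trusting hashes from the terminal, any change to the challenge or origin between signing and verification invalidates the signature.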
26. The apparatus according to claim 21, characterized in that the mobile terminal further includes a first organizing submodule, a fourth judging submodule and a first packetizing submodule;
the first acquisition submodule is further configured to obtain a read characteristic from the service, and to use the characteristic value of the read characteristic as the packet length;
the first organizing submodule is configured to organize the authentication instruction;
the fourth judging submodule is configured to judge, according to the packet length, whether the authentication instruction organized by the first organizing submodule needs to be split into packets;
the first packetizing submodule is configured to, after the fourth judging submodule judges yes, split the authentication instruction into packets according to the packet length.
27. The apparatus according to claim 26, characterized in that the first organizing submodule is specifically configured to organize a second instruction according to the authentication data generated by the first generation submodule, use the second instruction as the data field of the authentication instruction, and add the preset protocol command identifier and the data length of the second instruction before the second instruction, obtaining the authentication instruction.
28. The apparatus according to claim 21, characterized in that the mobile terminal further includes a fifth sending submodule, a fifth receiving submodule, a fifth judging submodule, a second generation submodule, a sixth sending submodule, a sixth receiving submodule and a sixth judging submodule;
the fifth sending submodule is configured to send a first registration request including the user identifier to the server back end;
the fifth receiving submodule is configured to receive, from the server back end, a first response including the application ID, a first challenge value and the source data;
the second generation submodule is configured to generate registration data according to a preset registration instruction type and the first challenge value, the source data and the application ID received by the fifth receiving submodule;
the characteristic sending submodule is further configured to, after the enabling submodule has enabled the notify characteristic, send to the identity authentication device through the write characteristic a registration instruction including the registration data generated by the second generation submodule;
the characteristic receiving submodule is further configured to receive a third response, including a first authentication criterion, returned by the identity authentication device through the notify characteristic;
the sixth sending submodule is configured to send to the server back end a second registration request including the registration instruction type, the first challenge value, the source data, the application ID, the user identifier and the first authentication criterion;
the sixth receiving submodule is configured to receive a fourth response including an error code from the server back end;
the sixth judging submodule is configured to judge whether the error code is the second preset value; if so, determine that registration succeeded, otherwise determine that registration failed.
29. The apparatus according to claim 28, characterized in that the first response further includes a first version number;
the characteristic sending submodule is further configured to, after the enabling submodule has enabled the notify characteristic, send a get-version-number instruction to the identity authentication device through the write characteristic obtained by the first acquisition submodule;
the characteristic receiving submodule is further configured to receive a second response, including a second version number, returned by the identity authentication device through the notify characteristic;
the mobile terminal further includes a seventh judging submodule and a second error reporting submodule;
the seventh judging submodule is configured to judge whether the second version number in the second response received by the characteristic receiving submodule matches the first version number received by the fifth receiving submodule;
the second generation submodule is configured to, after the seventh judging submodule judges yes, generate the registration data according to the preset registration instruction type and the first challenge value, the source data and the application ID received by the fifth receiving submodule;
the second error reporting submodule is configured to report an error after the seventh judging submodule judges no.
30. The apparatus according to claim 28, characterized in that the second generation submodule specifically includes a second organizing unit, a second hashing unit and a second generating unit;
the second organizing unit is configured to organize first client data including the preset registration instruction type, the first challenge value and the source data;
the second hashing unit is configured to hash the first client data organized by the second organizing unit and the application ID separately, obtaining a first hash value and a second hash value;
the second generating unit is configured to generate the registration data according to the first hash value and the second hash value obtained by the second hashing unit;
the sixth sending submodule is specifically configured to send to the server back end a second registration request including the first client data, the application ID, the user identifier and the first authentication criterion.
31. The apparatus according to claim 30, characterized by further comprising an identity authentication device;
the identity authentication device includes a third generation submodule, a second signing submodule, a seventh sending submodule and a seventh receiving submodule;
the seventh receiving submodule is configured to receive the registration instruction;
the third generation submodule is configured to generate a key pair and a key handle corresponding to the key pair after the seventh receiving submodule receives the registration instruction;
the second signing submodule is configured to organize first data to be signed, including the public key of the key pair, the key handle, and the first hash value and the second hash value in the registration data, and to sign the first data to be signed with the private key of the key pair and the preset hash algorithm, obtaining first signed data;
the seventh sending submodule is configured to organize a first authentication criterion including the public key of the key pair, the key handle corresponding to the key pair and the first signed data, and to return a third response including the first authentication criterion to the mobile terminal.
32. The apparatus according to claim 31, characterized by further comprising a server back end;
the server back end includes an eighth receiving submodule, a second signature verification submodule, an eighth judging submodule, an eighth sending submodule and an association submodule;
the eighth receiving submodule is configured to receive the second registration request;
the second signature verification submodule is configured to verify the first signed data in the first authentication criterion according to the first client data, the application ID, the public key in the first authentication criterion, the key handle in the first authentication criterion and the preset hash algorithm;
the eighth judging submodule is configured to judge whether the verification by the second signature verification submodule succeeded;
the association submodule is configured to, after the eighth judging submodule judges yes, establish a correspondence between the user identifier and each of the key handle and the public key in the third response, and save it;
the eighth sending submodule is configured to, after the eighth judging submodule judges yes, set the error code to the second preset value and send a fourth response including the error code to the mobile terminal; and, after the eighth judging submodule judges no, set the error code to the third preset value and send a fourth response including the error code to the mobile terminal.
33. The apparatus according to claim 28, characterized in that the mobile terminal further includes a second packetizing submodule, a second organizing submodule and a ninth judging submodule; the first acquisition submodule is further configured to obtain a read characteristic from the service, and to use the characteristic value of the read characteristic as the packet length;
the second organizing submodule is configured to organize the registration instruction;
the ninth judging submodule is configured to judge, according to the packet length, whether the registration instruction organized by the second organizing submodule needs to be split into packets;
the second packetizing submodule is configured to, after the ninth judging submodule judges yes, split the registration instruction into packets according to the packet length.
34. The apparatus according to claim 33, characterized in that the second organizing submodule is specifically configured to organize a first instruction according to the registration data generated by the second generation submodule, use the first instruction as the data field of the registration instruction, and add the protocol instruction type identifier and the data length of the first instruction before the first instruction, obtaining the registration instruction.
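The instruction framing of claims 27 and 34 (command identifier, data length, then the data field) and the packet splitting of claims 26 and 33 (packet length taken from the read characteristic's value) as one added Go example covering both; it is constructed for this page and is not the patent's own code. The one-byte command identifier, the two-byte big-endian length, the sequence byte on continuation packets, the command values and the size limit are assumptions of this example, since the claims do not fix those encodings.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Constructed framing for the claimed instruction layout: command identifier, data
// length, then the data field. Field sizes and the command values are assumptions.
const (
	cmdRegister     = 0x81 // assumed identifier for the registration instruction
	cmdAuthenticate = 0x83 // assumed identifier for the authentication instruction
	maxInstruction  = 4096 // assumed upper bound on a reassembled data field
)

// buildInstruction prefixes the data field with the command identifier and its length.
func buildInstruction(cmd byte, data []byte) ([]byte, error) {
	if len(data) > 0xFFFF {
		return nil, errors.New("data field too long for a 16-bit length")
	}
	frame := make([]byte, 3+len(data))
	frame[0] = cmd
	binary.BigEndian.PutUint16(frame[1:3], uint16(len(data)))
	copy(frame[3:], data)
	return frame, nil
}

// fragment splits an instruction into write-characteristic packets no longer than
// packetLen, the value read from the device's read characteristic. Continuation
// packets start with an assumed sequence byte so the device can order them.
func fragment(instr []byte, packetLen int) ([][]byte, error) {
	if packetLen < 4 {
		return nil, errors.New("packet length too small for header plus payload")
	}
	if len(instr) <= packetLen { // fits in one packet: no splitting needed
		return [][]byte{instr}, nil
	}
	packets := [][]byte{instr[:packetLen]}
	rest := instr[packetLen:]
	for seq := 0; len(rest) > 0; seq++ {
		if seq > 0x7F {
			return nil, errors.New("too many continuation packets")
		}
		n := packetLen - 1
		if n > len(rest) {
			n = len(rest)
		}
		packets = append(packets, append([]byte{byte(seq)}, rest[:n]...))
		rest = rest[n:]
	}
	return packets, nil
}

// reassemble is the device-side counterpart: it checks the header, the sequence
// bytes and the declared length before handing back the command and its data field.
func reassemble(packets [][]byte) (cmd byte, data []byte, err error) {
	if len(packets) == 0 || len(packets[0]) < 3 {
		return 0, nil, errors.New("missing or short initial packet")
	}
	first := packets[0]
	cmd = first[0]
	want := int(binary.BigEndian.Uint16(first[1:3]))
	if want > maxInstruction {
		return 0, nil, errors.New("declared length exceeds limit")
	}
	buf := append([]byte{}, first[3:]...)
	for i, p := range packets[1:] {
		if len(p) < 2 || int(p[0]) != i {
			return 0, nil, errors.New("continuation packet missing or out of sequence")
		}
		buf = append(buf, p[1:]...)
	}
	if len(buf) != want {
		return 0, nil, errors.New("reassembled length does not match declared length")
	}
	return cmd, buf, nil
}
```

Checking the declared length against both a fixed bound and the bytes actually received is what lets the device reject a truncated or over-long instruction before parsing the data field.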
35. The apparatus according to claim 21 or 28, characterized in that the mobile terminal further includes a third error reporting submodule, and the search submodule includes a search unit, a receiving unit and a judging unit;
the search unit is configured to search for identity authentication devices;
the receiving unit is configured to receive broadcast data from an identity authentication device;
the judging unit is configured to judge whether the service identifier in the broadcast data from the identity authentication device received by the receiving unit matches the preset service identifier; if so, determine that an identity authentication device matching the preset service identifier has been found;
the third error reporting submodule is configured to report an error after the judging unit judges no.
36. The apparatus according to claim 35, characterized in that the search unit is specifically configured to call the search interface of the system to search for identity authentication devices and to set a search callback object, the search callback object including a search callback method;
the receiving unit is specifically configured to receive, through the search callback method of the system, the broadcast data from the identity authentication device and the device object corresponding to the identity authentication device.
37. The apparatus according to claim 36, characterized in that the connection submodule is specifically configured to call the system's connection method with the device object corresponding to the identity authentication device received by the receiving unit, to establish a Bluetooth connection with the identity authentication device, obtain a Generic Attribute Profile (GATT) object and set a connection callback object.
38. The apparatus according to claim 37, characterized in that the first acquisition submodule is specifically configured to: using the preset service identifier as a parameter, call the system's get-service method on the GATT object to obtain the service object of the identity authentication device; using the preset write characteristic identifier as a parameter, call the system's get-characteristic method on the service object to obtain the write characteristic object from the service object; and using the preset notify characteristic identifier as a parameter, call the system's get-characteristic method on the service object to obtain the notify characteristic object from the service object.
39. The apparatus according to claim 38, characterized in that the callback object includes a notification callback method of the system;
the enabling submodule is specifically configured to call the system's set-characteristic-notification method to enable the notify characteristic object;
the characteristic receiving submodule is specifically configured to receive, through the communication callback method of the system, the sixth response including the second version number returned by the identity authentication device through the notify characteristic object, and to receive, through the communication callback method of the system, the seventh response returned by the identity authentication device through the notify characteristic object.
40. The apparatus according to claim 21 or 28, characterized in that the first acquisition submodule is specifically configured to obtain the service of the identity authentication device according to the preset service identifier, obtain the notify characteristic from the service according to the preset notify characteristic identifier, and obtain the write characteristic from the service according to the preset write characteristic identifier.
CN201610368089.6A 2016-05-30 2016-05-30 A kind of identity identifying method and device Active CN106102058B (en)

Publications (2)

Publication Number Publication Date
CN106102058A CN106102058A (en) 2016-11-09
CN106102058B true CN106102058B (en) 2019-04-12
