CN106102058B - A kind of identity identifying method and device - Google Patents
- Publication number: CN106102058B
- Application number: CN201610368089.6A
- Authority: CN (China)
- Prior art keywords: submodule, data, feature, certification, mobile terminal
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/06—Authentication
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
        - H04W4/80—Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
Abstract
The present invention discloses an identity authentication method and device. The method comprises: a mobile terminal sends a first authentication request containing a user identifier to a backend server and receives a fifth response from the backend server; searches for the identity authentication device whose service identifier matches a preset service identifier and establishes a Bluetooth connection with it; obtains the service of the identity authentication device; obtains a notify characteristic and a write characteristic from the service; enables the notify characteristic; generates authentication data from a preset authentication instruction type and the information in the fifth response, and sends an authentication instruction containing the authentication data to the identity authentication device through the write characteristic; receives, through the notify characteristic, a seventh response containing a second authentication criterion returned by the identity authentication device; sends to the backend server a second authentication request containing the authentication instruction type, the second challenge value, the derived data, the application ID, the user identifier and the second authentication criterion; receives an eighth response from the backend server; and judges from the eighth response whether authentication succeeded.
Description
Technical field
The present invention relates to the field of identity authentication, and in particular to an identity authentication method and device.
Background art
Identity authentication technology is the method used in computer networks to confirm the legal identity of an operator, so as to guarantee that the operator acting under a digital identity is indeed the lawful owner of that digital identity. It includes several forms of authentication, such as static passwords, SMS passwords and dynamic passwords. In the prior art, the various forms of identity authentication all require the user to enter a password or a dynamic password; the authentication process is excessively cumbersome and at the same time carries security risks.
Summary of the invention
The present invention provides an identity authentication method and device that solve the above technical problem.
The present invention provides an identity authentication method, comprising:
Step s1: the mobile terminal sends a first authentication request containing a user identifier to the backend server, and receives from the backend server a fifth response containing an application ID, a second challenge value, derived data and a key handle corresponding to the user identifier;
Step s2: the mobile terminal searches for the identity authentication device whose service identifier matches a preset service identifier, and establishes a Bluetooth connection with the identity authentication device;
Step s3: the mobile terminal obtains the service of the identity authentication device; obtains the notify characteristic and the write characteristic from the service; and enables the notify characteristic;
Step s4: the mobile terminal generates authentication data from a preset authentication instruction type, the second challenge value, the derived data, the application ID and the key handle, and sends an authentication instruction containing the authentication data to the identity authentication device through the write characteristic; it receives, through the notify characteristic, a seventh response containing a second authentication criterion returned by the identity authentication device;
Step s5: the mobile terminal sends to the backend server a second authentication request containing the authentication instruction type, the second challenge value, the derived data, the application ID, the user identifier and the second authentication criterion;
Step s6: the mobile terminal receives from the backend server an eighth response containing an error code; it judges whether the error code is a second preset value; if so, it determines that authentication succeeded, otherwise it determines that authentication failed.
The present invention also provides an identity authentication system, comprising a mobile terminal;
the mobile terminal comprises: a first sending submodule, a first receiving submodule, a search submodule, a connection submodule, a first acquisition submodule, an enabling submodule, a characteristic sending submodule, a characteristic receiving submodule, a first generating submodule, a second sending submodule, a second receiving submodule and a first judging submodule;
the first sending submodule is configured to send a first authentication request containing a user identifier to the backend server;
the first receiving submodule is configured to receive from the backend server a fifth response containing an application ID, a second challenge value, derived data and a key handle corresponding to the user identifier;
the search submodule is configured to search for the identity authentication device whose service identifier matches a preset service identifier;
the connection submodule is configured to establish a Bluetooth connection with the identity authentication device matching the preset service identifier;
the first acquisition submodule is configured to obtain the service of the identity authentication device and to obtain the notify characteristic and the write characteristic from the service;
the enabling submodule is configured to enable the notify characteristic obtained by the first acquisition submodule;
the first generating submodule is configured to generate authentication data from a preset authentication instruction type and the second challenge value, derived data, application ID and key handle received by the first receiving submodule;
the characteristic sending submodule is configured, after the enabling submodule has enabled the notify characteristic, to send to the identity authentication device through the write characteristic an authentication instruction containing the authentication data generated by the first generating submodule;
the characteristic receiving submodule is configured to receive, through the notify characteristic, a seventh response containing a second authentication criterion returned by the identity authentication device;
the second sending submodule is configured to send to the backend server a second authentication request containing the authentication instruction type, the second challenge value, the derived data, the application ID, the user identifier and the second authentication criterion;
the second receiving submodule is configured to receive from the backend server an eighth response containing an error code;
the first judging submodule is configured to judge whether the error code is a second preset value and, if so, to determine that authentication succeeded, otherwise to determine that authentication failed.
Beneficial effects of the present invention: the identity authentication method and device provided in this embodiment use an identity authentication device during the authentication process, so the user does not need to enter a password; identity authentication becomes more convenient and easier to operate, and its security is also improved.
Brief description of the drawings
Fig. 1 is a flow chart of the identity authentication method provided by Embodiment 1 of the present invention;
Fig. 2 and Fig. 3 are flow charts of the registration phase of the identity authentication method provided by Embodiment 2 of the present invention;
Fig. 4 and Fig. 5 are flow charts of the authentication phase of the identity authentication method provided by Embodiment 2 of the present invention;
Fig. 6 is a structural schematic diagram of the identity authentication system provided by Embodiment 3 of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Embodiment 1
This embodiment provides an identity authentication method which, as shown in Fig. 1, comprises:
Step s1: the mobile terminal sends a first authentication request containing a user identifier to the backend server, and receives from the backend server a fifth response containing an application ID, a second challenge value, derived data and a key handle corresponding to the user identifier;
Step s2: the mobile terminal searches for the identity authentication device whose service identifier matches a preset service identifier, and establishes a Bluetooth connection with the identity authentication device;
Step s3: the mobile terminal obtains the service of the identity authentication device; obtains the notify characteristic and the write characteristic from the service; and enables the notify characteristic;
Here, obtaining the service of the identity authentication device and obtaining the notify characteristic and the write characteristic from the service specifically means: the mobile terminal obtains the service of the identity authentication device according to the preset service identifier, obtains the notify characteristic from the service according to a preset notify characteristic identifier, and obtains the write characteristic from the service according to a preset write characteristic identifier.
Step s4: the mobile terminal generates authentication data from a preset authentication instruction type, the second challenge value, the derived data, the application ID and the key handle, and sends an authentication instruction containing the authentication data to the identity authentication device through the write characteristic; it receives, through the notify characteristic, a seventh response containing a second authentication criterion returned by the identity authentication device;
Here, generating the authentication data from the preset authentication instruction type, the second challenge value, the derived data, the application ID and the key handle specifically comprises:
Step a1: the mobile terminal assembles second client data containing the preset authentication instruction type, the second challenge value and the derived data;
Step a2: the mobile terminal hashes the second client data and the application ID separately, obtaining a third hash value and a fourth hash value, and generates the authentication data from the third hash value, the fourth hash value and the key handle.
After the identity authentication device receives the authentication instruction, it extracts the authentication data from the instruction, obtains the key handle from the authentication data together with the private key corresponding to that key handle, assembles second data to be signed containing the third hash value and the fourth hash value from the authentication data, signs the second data to be signed with the preset hash algorithm and the private key corresponding to the key handle to obtain second signature data, assembles a second authentication criterion containing the second signature data, and returns a seventh response containing the second authentication criterion to the mobile terminal.
Step s5: the mobile terminal sends to the backend server a second authentication request containing the authentication instruction type, the second challenge value, the derived data, the application ID, the user identifier and the second authentication criterion;
Here, sending to the backend server a second authentication request containing the authentication instruction type, the second challenge value, the derived data, the application ID, the user identifier and the second authentication criterion specifically means: sending to the backend server a second authentication request containing the second client data, the application ID, the user identifier and the second authentication criterion.
After the backend server receives the second authentication request, it obtains the public key corresponding to the user identifier in the second authentication request, verifies the second signature data in the second authentication criterion using the second client data and the application ID from the second authentication request, the preset hash algorithm and that public key, and judges whether verification succeeded; if so, it sets the error code to the second preset value and sends an eighth response containing the error code to the mobile terminal; otherwise it sets the error code to a third preset value and sends an eighth response containing the error code to the mobile terminal.
Step s6: the mobile terminal receives from the backend server the eighth response containing the error code, and judges whether the error code is the second preset value; if so, it determines that authentication succeeded, otherwise it determines that authentication failed.
In this embodiment the fifth response further contains a first version number; correspondingly, before step s4 the method may further comprise: the mobile terminal sends a get-version-number instruction to the identity authentication device through the write characteristic and receives, through the notify characteristic, a sixth response containing a second version number returned by the identity authentication device; it judges whether the first version number matches the second version number; if so, step s4 is executed, otherwise an error is reported.
In this embodiment, step s3 may further comprise obtaining a read characteristic from the service and taking the characteristic value of the read characteristic as the fragment (subpackage) length;
before sending the authentication instruction containing the authentication data to the identity authentication device through the write characteristic, the method further comprises: assembling the authentication instruction from the authentication data; judging from the fragment length whether the authentication instruction needs to be fragmented; if so, fragmenting the authentication instruction according to the fragment length and continuing; otherwise, continuing directly.
Here, assembling the authentication instruction from the authentication data specifically comprises: assembling a second instruction from the authentication data, using the second instruction as the data field of the authentication instruction, and prepending to the second instruction a protocol instruction type identifier and the data length of the second instruction, which yields the authentication instruction.
In this embodiment, the method may further comprise, before step s1:
Step r1: the mobile terminal sends a first registration request containing the user identifier to the backend server, and receives from the backend server a first response containing the application ID, a first challenge value and the derived data;
Step r2: the mobile terminal searches for the identity authentication device whose service identifier matches the preset service identifier, and establishes a Bluetooth connection with the identity authentication device;
Step r3: the mobile terminal obtains the service of the identity authentication device; obtains the notify characteristic and the write characteristic from the service; and enables the notify characteristic;
Here, obtaining the service of the identity authentication device and obtaining the notify characteristic and the write characteristic from the service specifically means: the mobile terminal obtains the service of the identity authentication device according to the preset service identifier, obtains the notify characteristic from the service according to the preset notify characteristic identifier, and obtains the write characteristic from the service according to the preset write characteristic identifier.
Step r4: the mobile terminal generates registration data from a preset register instruction type, the first challenge value, the derived data and the application ID, and sends a register instruction containing the registration data to the identity authentication device through the write characteristic; it receives, through the notify characteristic, a third response containing a first authentication criterion returned by the identity authentication device;
Here, generating the registration data from the preset register instruction type, the first challenge value, the derived data and the application ID specifically comprises:
Step b1: the mobile terminal assembles first client data containing the preset register instruction type, the first challenge value and the derived data;
Step b2: the mobile terminal hashes the first client data and the application ID separately, obtaining a first hash value and a second hash value, and generates the registration data from the first hash value and the second hash value;
After the identity authentication device receives the register instruction, it generates a key pair and a key handle corresponding to the key pair, assembles first data to be signed containing the public key of the key pair, the key handle, and the first hash value and second hash value from the registration data, signs the first data to be signed with the preset hash algorithm and the private key of the key pair to obtain first signature data, assembles a first authentication criterion containing the public key of the key pair, the key handle corresponding to the key pair and the first signature data, and returns a third response containing the first authentication criterion to the mobile terminal.
Step r5: the mobile terminal obtains the first authentication criterion from the third response and sends to the backend server a second registration request containing the register instruction type, the first challenge value, the derived data, the application ID, the user identifier and the first authentication criterion;
Here, sending to the backend server a second registration request containing the register instruction type, the first challenge value, the derived data, the application ID, the user identifier and the first authentication criterion specifically means: sending to the backend server a second registration request containing the first client data, the application ID, the user identifier and the first authentication criterion.
After the backend server receives the second registration request, it verifies the first signature data in the first authentication criterion using the first client data, the application ID, the public key and the key handle in the first authentication criterion and the preset hash algorithm, and judges whether verification succeeded; if so, it stores the key handle and the public key from the third response, each associated with the user identifier, sets the error code to the second preset value and sends a fourth response containing the error code to the mobile terminal; otherwise it sets the error code to the third preset value and sends a fourth response containing the error code to the mobile terminal.
Step r6: the mobile terminal receives from the backend server the fourth response containing the error code, and judges whether the error code is the second preset value; if so, it determines that registration succeeded, otherwise it determines that registration failed.
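The hash-and-sign core of steps a1, a2, s4 and s5, together with the key generation of registration step r4, as an added Go example that is not the patent's own code. It assumes ECDSA over P-256 with SHA-256 as the preset hash algorithm, the JSON key names typ/challenge/origin for the client data, an in-memory key-handle table in place of a real token, and placeholder numbers for the second and third preset error codes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// 8th-response error codes: the page's "second" (success) and "third" (failure) preset value; numbers assumed.
const (
	ErrCodeOK   = 0x9000
	ErrCodeFail = 0x6a80
)

// ClientData is the second client data of step a1; the JSON key names are assumptions.
type ClientData struct {
	Type      string `json:"typ"`       // authentication instruction type
	Challenge string `json:"challenge"` // second challenge value
	Origin    string `json:"origin"`    // derived data
}

// hashes is step a2: the third hash (client data) and the fourth hash (app ID).
func hashes(cd ClientData, appID string) (cdHash, appHash [32]byte, err error) {
	b, err := json.Marshal(cd)
	if err != nil {
		return cdHash, appHash, err
	}
	return sha256.Sum256(b), sha256.Sum256([]byte(appID)), nil
}

// Device stands in for the identity authentication device; its key-handle table is
// an in-memory map (assumption: a real token would wrap the private key instead).
type Device struct{ keys map[string]*ecdsa.PrivateKey }

// Provision is the key-generating part of registration step r4: a fresh P-256 key
// pair plus a random key handle that later selects it.
func (d *Device) Provision() (*ecdsa.PublicKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	handle := make([]byte, 32)
	if _, err := rand.Read(handle); err != nil {
		return nil, nil, err
	}
	d.keys[string(handle)] = priv
	return &priv.PublicKey, handle, nil
}

// Authenticate is the device side of step s4: the key handle in the authentication
// data selects the private key, which signs the second data to be signed
// (cdHash || appHash). ECDSA over SHA-256 is an assumption ("preset hash algorithm").
func (d *Device) Authenticate(cdHash, appHash [32]byte, handle []byte) ([]byte, error) {
	priv, ok := d.keys[string(handle)]
	if !ok {
		return nil, errors.New("unknown key handle")
	}
	digest := sha256.Sum256(append(cdHash[:], appHash[:]...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

type credential struct { // what step r5 saved for one user identifier
	pub    *ecdsa.PublicKey
	handle []byte // returned to the mobile terminal in the 5th response
}

// Server stands in for the backend.
type Server struct{ users map[string]credential }

// VerifyAuthentication is the server side of step s5: recompute both hashes from the
// second client data and app ID and verify the signature with the stored public key.
// issued is the second challenge sent in the 5th response; requiring it verbatim in the client data is the replay check a backend needs.
func (s *Server) VerifyAuthentication(user, issued string, cd ClientData, appID string, sig []byte) int {
	cred, ok := s.users[user]
	cdHash, appHash, err := hashes(cd, appID)
	if !ok || err != nil || cd.Challenge != issued {
		return ErrCodeFail
	}
	digest := sha256.Sum256(append(cdHash[:], appHash[:]...))
	if ecdsa.VerifyASN1(cred.pub, digest[:], sig) {
		return ErrCodeOK
	}
	return ErrCodeFail
}

func main() {
	dev, srv := &Device{keys: map[string]*ecdsa.PrivateKey{}}, &Server{users: map[string]credential{}}
	pub, handle, _ := dev.Provision()
	srv.users["alice"] = credential{pub: pub, handle: handle}
	// constructed sample values, taken from the page's example first response
	cd := ClientData{Type: "auth", Challenge: "x9-d9XlfOZVWKjHkWhgIRg", Origin: "https://u2fdemo.appspot.com"}
	cdHash, appHash, _ := hashes(cd, cd.Origin) // app ID equals the origin in that sample
	sig, _ := dev.Authenticate(cdHash, appHash, srv.users["alice"].handle)
	fmt.Printf("8th response error code: %#x\n", srv.VerifyAuthentication("alice", cd.Challenge, cd, cd.Origin, sig))
}
```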
In this embodiment the first response further contains a first version number; correspondingly, before step r4 the method further comprises: the mobile terminal sends a get-version-number instruction to the identity authentication device through the write characteristic and receives, through the notify characteristic, a second response containing a second version number returned by the identity authentication device; it judges whether the first version number matches the second version number; if so, step r4 is executed, otherwise an error is reported.
In this embodiment, step r3 further comprises obtaining a read characteristic from the service and taking the characteristic value of the read characteristic as the fragment (subpackage) length;
before sending the register instruction containing the registration data to the identity authentication device through the write characteristic, the method further comprises: assembling the register instruction from the registration data; judging from the fragment length whether the register instruction needs to be fragmented; if so, fragmenting the register instruction according to the fragment length and continuing; otherwise, continuing directly.
Here, assembling the register instruction from the registration data specifically comprises: assembling a second instruction from the registration data, using the second instruction as the data field of the register instruction, and prepending to the second instruction a protocol instruction type identifier and the data length of the second instruction, which yields the register instruction.
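The instruction framing and fragmentation described above for the register instruction, and earlier in the same words for the authentication instruction, as an added Go example that is not the patent's own code. It assumes a two-byte big-endian length field, placeholder values for the protocol instruction type identifiers, and a one-byte sequence number at the start of each continuation packet, none of which the page specifies.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Protocol instruction type identifiers for the register and authentication
// instructions. The page names the identifier but not its value; bytes are assumptions.
const (
	TypeRegister     byte = 0x83
	TypeAuthenticate byte = 0x84
)

// Frame builds the page's register/authentication instruction: the second
// instruction (data) preceded by the type identifier and a 2-byte big-endian length.
func Frame(typ byte, data []byte) ([]byte, error) {
	if len(data) > 0xFFFF {
		return nil, errors.New("data too long for a 16-bit length field")
	}
	out := make([]byte, 3+len(data))
	out[0] = typ
	binary.BigEndian.PutUint16(out[1:3], uint16(len(data)))
	copy(out[3:], data)
	return out, nil
}

// Fragment splits an instruction into packets of at most fragLen bytes, the value
// read from the read characteristic (the page's "subpackage length"). The first
// packet carries the frame head; each continuation packet starts with a one-byte
// sequence number (continuation format is an assumption, the page leaves it open).
func Fragment(frame []byte, fragLen int) ([][]byte, error) {
	if fragLen < 4 {
		return nil, errors.New("fragment length too small to carry a head and data")
	}
	if len(frame) <= fragLen {
		return [][]byte{frame}, nil // fits: no fragmentation, "otherwise, continue"
	}
	packets := [][]byte{frame[:fragLen]}
	for rest, seq := frame[fragLen:], 0; len(rest) > 0; seq++ {
		if seq > 0x7F {
			return nil, errors.New("too many continuation packets")
		}
		n := fragLen - 1
		if n > len(rest) {
			n = len(rest)
		}
		packets = append(packets, append([]byte{byte(seq)}, rest[:n]...))
		rest = rest[n:]
	}
	return packets, nil
}

// Reassemble is the receiving side: it checks the head, the continuation sequence
// numbers and that exactly the declared number of data bytes arrived, so a
// truncated or reordered write is rejected rather than parsed.
func Reassemble(packets [][]byte) (typ byte, data []byte, err error) {
	if len(packets) == 0 || len(packets[0]) < 3 {
		return 0, nil, errors.New("missing frame head")
	}
	typ = packets[0][0]
	want := int(binary.BigEndian.Uint16(packets[0][1:3]))
	data = append([]byte{}, packets[0][3:]...)
	for i, p := range packets[1:] {
		if len(p) < 2 || int(p[0]) != i {
			return 0, nil, fmt.Errorf("continuation packet %d missing or out of order", i)
		}
		data = append(data, p[1:]...)
	}
	if len(data) != want {
		return 0, nil, fmt.Errorf("declared %d data bytes, received %d", want, len(data))
	}
	return typ, data, nil
}

func main() {
	// constructed 100-byte authentication data standing in for hashes plus key handle
	authData := make([]byte, 100)
	for i := range authData {
		authData[i] = byte(i)
	}
	frame, _ := Frame(TypeAuthenticate, authData)
	packets, _ := Fragment(frame, 20) // 20 is a constructed read-characteristic value
	typ, data, err := Reassemble(packets)
	fmt.Printf("%d packets, type %#x, %d bytes, err=%v\n", len(packets), typ, len(data), err)
}
```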
In this embodiment, searching for the identity authentication device whose service identifier matches the preset service identifier specifically means:
the mobile terminal searches for identity authentication devices and receives broadcast (advertising) data from an identity authentication device; it judges whether the service identifier in the broadcast data matches the preset service identifier; if so, it determines that an identity authentication device matching the preset service identifier has been found and continues; otherwise an error is reported.
Here, searching for identity authentication devices and receiving the broadcast data from an identity authentication device specifically means: the mobile terminal calls the system's search interface to search for identity authentication devices and sets a search callback object, which contains a search callback method; the broadcast data from the identity authentication device and a device object corresponding to the identity authentication device are received through the system's search callback method.
Here, establishing a Bluetooth connection with the identity authentication device specifically comprises:
the mobile terminal calls the system's connect method on the device object corresponding to the identity authentication device to establish a Bluetooth connection with it, obtains a Generic Attribute Profile (GATT) object and sets a connection callback object.
Further, obtaining the service of the identity authentication device and obtaining the notify characteristic and the write characteristic from the service specifically comprises:
Step t1: the mobile terminal, with the preset service identifier as parameter, calls the system's get-service method on the GATT object to obtain the service object of the identity authentication device; with the preset write characteristic identifier as parameter, it calls the system's get-characteristic method on the service object to obtain the write characteristic object from the service object; and with the preset notify characteristic identifier as parameter, it calls the system's get-characteristic method on the service object to obtain the notify characteristic object from the service object.
Further, the callback object contains the system's notification callback method;
enabling the notify characteristic specifically means: calling the system's set-characteristic-notification method to enable the notify characteristic object;
receiving the sixth response containing the second version number returned by the identity authentication device through the notify characteristic specifically means: the mobile terminal receives, through the system's communication callback method, the sixth response containing the second version number that the identity authentication device returns through the notify characteristic object;
receiving the seventh response returned by the identity authentication device through the notify characteristic specifically means: the mobile terminal receives, through the system's communication callback method, the seventh response that the identity authentication device returns through the notify characteristic object.
The identity authentication method provided in this embodiment uses an identity authentication device during the authentication process, so the user does not need to enter a password; identity authentication becomes more convenient and easier to operate, and its security is also improved.
Embodiment 2
This embodiment provides an identity authentication method comprising a registration phase and an authentication phase. The registration phase, shown in Fig. 2 and Fig. 3, comprises:
Step 101: the mobile terminal sends a first registration request containing a user identifier to the backend server;
In this embodiment the user identifier is specifically a user name.
Step 102: the mobile terminal receives a first response from the backend server and obtains from it the application ID, the first challenge value, the derived data and the first version number;
Specifically, the mobile terminal receives the first response from the backend server in JSON format and, using a preset application ID identifier, challenge value identifier, derived data identifier and version number identifier as parameters, calls the system's get-string method for each of them, obtaining from the first response the application ID corresponding to the application ID identifier, the first challenge value corresponding to the challenge value identifier, the derived data corresponding to the derived data identifier and the first version number corresponding to the version number identifier;
In this embodiment the preset application ID identifier is specifically APPID, the preset challenge value identifier is specifically challenge, the preset derived data identifier is specifically origin and the preset version number identifier is specifically version.
For example, the mobile terminal receives the following first response in JSON format from the backend server:
{"APPID":"https://u2fdemo.appspot.com","challenge":"x9-d9XlfOZVWKjHkWhGIRg","origin":"https://u2fdemo.appspot.com","version":"U2F_V2"}
Using the preset application ID identifier APPID, challenge value identifier challenge, derived data identifier origin and version number identifier version as parameters, it calls the system's get-string method getString(); the application ID obtained from the first response is https://u2fdemo.appspot.com, the first challenge value obtained is x9-d9XlfOZVWKjHkWhgIRg, the derived data obtained is https://u2fdemo.appspot.com, and the first version number obtained is U2F_V2.
Step 103: the mobile terminal detects whether the Bluetooth channel is open; if so, step 105 is executed; otherwise step 104 is executed;
Step 104: the mobile terminal opens the Bluetooth channel;
Step 105: the mobile terminal searches for the identity authentication device through the Bluetooth channel;
Specifically, the mobile terminal calls the system's search interface to search for the identity authentication device through the Bluetooth channel, and sets a search callback object.
The search callback object contains the system's search callback method.
For example, the mobile terminal calls the system's first search interface startScan() with a first preset-type parameter filters, a second preset-type parameter settings and a callback-object-type parameter scanCallback; it searches for the identity authentication device through the Bluetooth channel and sets the search callback object scanCallback.
In this embodiment the identity authentication device may be, but is not limited to, a Bluetooth-capable smart key device.
Step 106: the mobile terminal receives broadcast data from the identity authentication device through the Bluetooth channel;
Specifically, the mobile terminal receives from the system, through the system's search callback method, the broadcast data of the identity authentication device and a device object corresponding to the identity authentication device.
For example, the mobile terminal receives from the system, through the system's first search callback method onScanResult(), the broadcast data of the identity authentication device and the corresponding device object device.
In this embodiment the search interface includes a first search interface and the search callback method includes a first search callback method, the two corresponding to each other. It should be noted that the search interface may also include a second search interface and the search callback method a second search callback method, the second search interface and the second search callback method corresponding to each other. For example, the second search interface is startLeScan() and the second search callback method is onLeScanResult().
Step 107: the mobile terminal judges whether the service identifier in the broadcast data matches the preset service identifier; if so, step 108 is executed; otherwise an error is reported.
In this embodiment the service identifier (commonly called a UUID) is the unique identification of a service supported by the identity authentication device.
In this embodiment the preset service identifier is specifically "0000fffd-0000-1000-8000-00805f9b34fb".
Step 108: the mobile terminal establishes a Bluetooth connection with the identity authentication device;
Specifically, the mobile terminal calls the system's connect method on the device object corresponding to the identity authentication device to establish a Bluetooth connection with it, obtains a Generic Attribute Profile (GATT) object and sets a connection callback object. The connection callback object contains the system's connection state callback method, discovered-services callback method, characteristic read callback method and communication callback method.
For example, the mobile terminal takes a third preset-type object context, a fourth preset-type object false and the connection callback object gattCallback as parameters, calls the system's connect method connectGatt() on the device object device to establish a Bluetooth connection with the identity authentication device, obtains the GATT object gatt and sets the connection callback object gattCallback. The connection callback object gattCallback contains the connection state callback method onConnectionStateChange(), the discovered-services callback method onServicesDiscovered(), the characteristic read callback method onCharacteristicRead() and the communication callback method onCharacteristicChanged().
Step 109: mobile terminal judges whether to be successfully established bluetooth connection with ID authentication device, if it is, executing
Step 110;Otherwise, it reports an error;
Specifically, mobile terminal receives from system and ID authentication device by the connection status callback method of system
The results messages for establishing bluetooth connection judge according to the results messages that from system and ID authentication device establishes bluetooth connection
Whether with ID authentication device bluetooth connection is successfully established.
For example, mobile terminal passes through the connection status callback method onConnectionStateChange () of system, receive
Integer type parameter paramStatus from system, and as the result for establishing bluetooth connection with ID authentication device
Message judges whether paramStatus parameter is 0, if it is, determining to be successfully established bluetooth connection with ID authentication device;
Otherwise, it is determined that establishing bluetooth connection failure with ID authentication device.
Step 110: The mobile terminal searches for the services supported by the ID authentication device.
Specifically, the mobile terminal uses the GATT object to call the system's service search method discoverServices() and searches for the services supported by the ID authentication device.
Step 111: The mobile terminal judges whether the services supported by the ID authentication device were found; if so, step 112 is executed; otherwise, an error is reported.
Specifically, through the system's service discovery callback method, the mobile terminal receives the service search result message from the system and judges according to that message whether the services supported by the ID authentication device were found.
For example, through the system's service discovery callback method onServicesDiscovered(), the mobile terminal receives the integer parameter paramStatus from the system as the service search result message and judges whether paramStatus is 0; if so, it determines that the services supported by the ID authentication device were found; otherwise, it determines that they were not found.
Step 112: The mobile terminal obtains the service of the ID authentication device.
Specifically, the mobile terminal takes the preset service identifier as a parameter and uses the GATT object to call the system's get-service method, obtaining the service object of the ID authentication device.
For example, the mobile terminal takes the preset service identifier serviceUuid as a parameter and uses the GATT object gatt to call the system's get-service method getService(), obtaining the service object service of the ID authentication device.
The preset service identifier serviceUuid is "0000fffd-0000-1000-8000-00805f9b34fb".
Step 113: The mobile terminal judges whether it is already paired with the ID authentication device; if so, step 116 is executed; otherwise, step 114 is executed.
Step 114: The mobile terminal pairs with the ID authentication device.
Step 115: The mobile terminal judges whether pairing with the ID authentication device succeeded; if so, step 116 is executed; otherwise, an error is reported.
Step 116: The mobile terminal obtains the read characteristic from the service.
Specifically, the mobile terminal takes the preset read characteristic identifier as a parameter and uses the service object to call the system's get-characteristic method, obtaining the read characteristic object from the service object.
For example, the mobile terminal takes the preset read characteristic identifier characteristicUuid as a parameter and uses the service object service to call the system's get-characteristic method getCharacteristic(), obtaining the read characteristic object characteristic from the service object service.
The read characteristic identifier characteristicUuid is specifically f1d0fff3-deaa-ecee-b42f-c9ba7ed623bb.
Step 117: The mobile terminal reads the characteristic value of the read characteristic.
Specifically, the mobile terminal takes the read characteristic object as a parameter and uses the GATT object to call the system's read-characteristic method, reading the characteristic value of the read characteristic object.
For example, the mobile terminal takes the read characteristic object characteristic as a parameter and uses the GATT object gatt to call the system's read-characteristic method readCharacteristic(), reading the characteristic value of the read characteristic object.
Step 118: The mobile terminal judges whether the characteristic value of the read characteristic was read successfully; if so, step 119 is executed; otherwise, an error is reported.
Specifically, through the system's characteristic read callback method, the mobile terminal receives from the system the result message of reading the characteristic value of the read characteristic, and judges according to that result message whether the characteristic value of the read characteristic was read successfully.
For example, through the system's characteristic read callback method onCharacteristicRead(), the mobile terminal receives the integer parameter paramStatus from the system as the result message of reading the characteristic value of the read characteristic, and judges whether paramStatus is 0; if so, it determines that the characteristic value of the read characteristic was read successfully; otherwise, it determines that it was not.
Step 119: The mobile terminal takes the characteristic value of the read characteristic as the subpackage (fragment) length.
Step 120: The mobile terminal obtains the write characteristic and the notify characteristic from the service, and enables the notify characteristic.
Specifically, the mobile terminal takes the preset write characteristic identifier as a parameter and uses the service object to call the system's get-characteristic method, obtaining the write characteristic object from the service object; takes the preset notify characteristic identifier as a parameter and uses the service object to call the system's get-characteristic method, obtaining the notify characteristic object from the service object; and calls the system's set-characteristic-notification method to enable the notify characteristic object.
For example, the mobile terminal takes the preset write characteristic identifier characteristicUuid as a parameter and uses the service object service to call the system's get-characteristic method getCharacteristic(), obtaining the write characteristic object characteristic from the service object service; takes the preset notify characteristic identifier characteristicUuid as a parameter and uses the service object service to call the system's get-characteristic method getCharacteristic(), obtaining the notify characteristic object characteristic from the service object service; and calls the system's set-characteristic-notification method setCharacteristicNotification() to enable the notify characteristic object.
The write characteristic identifier characteristicUuid is specifically "f1d0fff1-deaa-ecee-b42f-c9ba7ed623bb". The notify characteristic identifier characteristicUuid is specifically f1d0fff2-deaa-ecee-b42f-c9ba7ed623bb.
Step 121: The mobile terminal sends the get-version instruction to the ID authentication device through the write characteristic.
Specifically, the mobile terminal assembles the get-version instruction and sends it to the ID authentication device.
More specifically, the mobile terminal assembles a third instruction, takes the third instruction as the data field of the get-version instruction, and prepends the preset protocol command identifier and the data length of the get-version instruction to the third instruction.
In this embodiment, the format of the get-version instruction is as follows:
Preset protocol command identifier | Data length of the data field | Data field |
1 byte | 2 bytes |
The format of the third instruction is as follows:
For example, the mobile terminal sets the instruction class "00" of the third instruction in the first byte of the third instruction, sets the get-version instruction code "03" in the second byte of the third instruction, sets the data length "000000" of the data field of the third instruction in the fifth to seventh bytes of the third instruction, and sets the expected response length "0000" in the last two bytes of the third instruction, obtaining the third instruction containing the get-version instruction code, "000300000000000000". It takes the third instruction as the data field of the get-version instruction and prepends the preset protocol command identifier "83" and the data length "0009" of the third instruction, obtaining the get-version instruction "830009000300000000000000", and sends the get-version instruction to the ID authentication device.
This step may specifically be: the mobile terminal uses the write characteristic object to send the get-version instruction to the ID authentication device.
Step 122: The mobile terminal receives the second response returned by the ID authentication device through the notify characteristic.
Specifically, through the system's communication callback method, the mobile terminal receives from the system the second response returned by the ID authentication device through the notify characteristic object.
For example, through the system's communication callback method, the mobile terminal receives the BluetoothGattCharacteristic parameter paramCharacteristic from the system, and obtains from paramCharacteristic the second response returned by the ID authentication device through the notify characteristic.
Step 123: The mobile terminal judges whether the response code of the second response is the first preset value; if so, step 124 is executed; otherwise, an error is reported.
Specifically, the mobile terminal parses the second response, takes the data in its last two bytes as the response code, and judges whether the response code of the second response is the first preset value; if so, step 124 is executed; otherwise, an error is reported.
In this embodiment, the first preset value is 9000.
Step 124: The mobile terminal obtains the second version number from the second response.
Specifically, the mobile terminal parses the second response and takes as the second version number the data in all bytes after the third byte (excluding the third byte) and before the penultimate byte (excluding the penultimate byte).
For example, the mobile terminal parses the second response "8300085532465f56329000" and takes the data in all bytes after the third byte "08" (excluding the third byte) and before the penultimate byte "90" (excluding the penultimate byte); the data obtained is "5532465f5632", which it takes as the second version number.
Step 125: The mobile terminal judges whether the first version number matches the second version number; if so, step 126 is executed; otherwise, an error is reported.
Step 126: The mobile terminal assembles the first client data from the preset register instruction type, the first challenge value and the derived data, assembles the register instruction from the subpackage length, the first client data and the application ID, and sends the register instruction to the ID authentication device through the write characteristic.
This step specifically includes:
Step a1: The mobile terminal assembles the first client data, which includes the preset register instruction type, the first challenge value and the derived data.
Specifically, the mobile terminal creates a JSON object clientData; it stores in the object clientData the preset register instruction type with its identifier, the first challenge value with its identifier, and the derived data with its identifier; and it converts the object clientData to a string, obtaining the first client data in JSON format.
For example: the mobile terminal creates the JSON object clientData; it stores in the object clientData the preset register instruction type navigator.id.finishEnrollment with its identifier typ, the first challenge value x9-d9XlfOZVWKjHkWhgIRg with its identifier challenge, and the derived data https://u2fdemo.appspot.com with its identifier origin; and it converts the object clientData to a JSON-format string, obtaining the first client data:
{"typ":"navigator.id.finishEnrollment","challenge":"x9-d9XlfOZVWKjHkWhgIRg","origin":"https:\/\/u2fdemo.appspot.com"}
Step a2: The mobile terminal hashes the first client data and the application ID separately, obtaining the first hash value and the second hash value, and assembles the registration data from the first hash value and the second hash value.
Specifically, the mobile terminal hashes the first client data and the application ID separately using the first preset algorithm, obtaining the first hash value and the second hash value, and assembles the registration data from the first hash value and the second hash value.
The first hash value is the hash of the first client data; the second hash value is the hash of the application ID. The first preset algorithm may be, but is not limited to, the SHA256 algorithm.
For example: the mobile terminal uses the SHA256 algorithm to hash the first client data {"typ":"navigator.id.finishEnrollment","challenge":"x9-d9XlfOZVWKjHkWhgIRg","origin":"https://u2fdemo.appspot.com"} and the application ID "APPID":"https://u2fdemo.appspot.com" separately, obtaining the first hash value "5BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882" and the second hash value "A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF56", and assembles the registration data from the first hash value and the second hash value, obtaining the registration data "5BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF56".
Step a3: The mobile terminal assembles the register instruction from the registration data and the subpackage length.
Specifically, the mobile terminal assembles the first instruction from the registration data, and assembles the register instruction from the first instruction and the subpackage length.
In this embodiment, the register instruction may consist of one packet or of several packets of data.
More specifically, the mobile terminal sets the register instruction code in the second byte of the first instruction and sets the registration data in the data field of the first instruction, obtaining the first instruction containing the register instruction code and the registration data; it prepends the preset protocol command identifier and the data length of the first instruction to the first instruction, obtaining the register instruction; and it judges according to the subpackage length whether the register instruction needs to be fragmented. If so, it fragments the register instruction according to the subpackage length, obtaining several packets of registration payload (valid) data, takes the first packet of registration payload data as the first packet of registration send data, and, from the second packet of registration payload data onwards, prepends the corresponding packet index to the start of each packet of registration payload data, obtaining the packets of registration send data after the first; otherwise, step a4 is executed.
In this embodiment, the register instruction code is specifically "01" and the preset protocol command identifier is specifically "83".
In this embodiment, the format of the register instruction is as follows:
Preset protocol command identifier | Data length of the data field | Data field |
1 byte | 2 bytes |
The format of the first instruction is as follows:
For example, the mobile terminal sets the instruction class "00" of the first instruction in the first byte of the first instruction, sets the register instruction code "01" in the second byte of the first instruction, sets the data length "000040" of the registration data in the fifth to seventh bytes of the first instruction, sets the registration data "5BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF56" in the data field of the first instruction, and sets the expected response length "0000" in the last two bytes of the first instruction, obtaining the first instruction containing the register instruction code and the registration data:
"000100000000405BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF560000".
It prepends the preset protocol command identifier "83" and the data length "0049" of the first instruction to the first instruction, obtaining the register instruction:
"830049000100000000405BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF560000".
It judges according to the subpackage length "20" whether the register instruction needs to be fragmented, and obtains the first packet of registration payload data: "830049000100000000405BFDF71873332EAA9015";
the second packet of registration payload data: "A128DF3556196E4AC4243576A71988A047E44E";
the third packet of registration payload data: "DDC882A1AA11AFF7E71252FE5E32AA80B425A0";
the fourth packet of registration payload data: "FAFBE5F8A5EA767316A2562AB48DBF560000".
It takes the first packet of registration payload data as the first packet of registration send data:
"830049000100000000405BFDF71873332EAA9015";
prepends the packet index "00" to the second packet of registration payload data, obtaining the second packet of registration send data:
"00A128DF3556196E4AC4243576A71988A047E44E";
prepends the packet index "01" to the third packet of registration payload data, obtaining the third packet of registration send data:
"01DDC882A1AA11AFF7E71252FE5E32AA80B425A0";
and prepends the packet index "02" to the fourth packet of registration payload data, obtaining the fourth packet of registration send data:
"02FAFBE5F8A5EA767316A2562AB48DBF560000".
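The framing of steps 121 to 124 and the fragmentation of step a3, as an added Python example that is not part of the patent text: it builds the extended-length instruction, wraps it in the one-byte command identifier plus two-byte length frame, splits it to the subpackage length with packet-indexed continuation packets, and reassembles and parses the device's reply. Function names are this example's own; the hash values and the second response are taken from the page as given.

```python
"""U2F-over-BLE framing and fragmentation (steps 121-124 and a3).

Added example, not the patent's own code. Function names are this example's;
the hash values below are the ones the page lists, used as constructed input.
"""
import hashlib
from typing import List, Tuple

CMD_MSG = 0x83          # preset protocol command identifier on the page
INS_REGISTER = 0x01     # register instruction code
INS_VERSION = 0x03      # get-version instruction code
SW_OK = b"\x90\x00"     # first preset value 9000: success response code


def build_apdu(ins: int, data: bytes = b"") -> bytes:
    """Instruction as laid out on the page: class 00, instruction code, 00 00,
    3-byte data length in bytes 5-7, the data, then expected response length 0000."""
    if len(data) > 0xFFFF:
        raise ValueError("data too long for the length field")
    return (bytes([0x00, ins, 0x00, 0x00]) + len(data).to_bytes(3, "big")
            + data + b"\x00\x00")


def frame(payload: bytes, cmd: int = CMD_MSG) -> bytes:
    """Command identifier (1 byte), big-endian data length (2 bytes), data field."""
    return bytes([cmd]) + len(payload).to_bytes(2, "big") + payload


def fragment(message: bytes, max_len: int) -> List[bytes]:
    """Split a frame to the subpackage length read from the read characteristic:
    the first packet keeps the frame header, each later packet is prefixed with a
    packet index 00, 01, 02, ... and carries max_len - 1 bytes of data."""
    if max_len < 4:
        raise ValueError("subpackage length leaves no room for header plus data")
    packets = [message[:max_len]]
    rest = message[max_len:]
    index = 0
    while rest:
        if index > 0x7F:
            raise ValueError("message needs more continuation packets than allowed")
        chunk, rest = rest[:max_len - 1], rest[max_len - 1:]
        packets.append(bytes([index]) + chunk)
        index += 1
    return packets


def reassemble(packets: List[bytes]) -> bytes:
    """Inverse of fragment(); rejects out-of-order packets and length mismatches,
    the checks a receiver needs before trusting the payload."""
    if not packets or len(packets[0]) < 3:
        raise ValueError("first packet does not carry a frame header")
    declared = int.from_bytes(packets[0][1:3], "big")
    message = bytearray(packets[0])
    for expected, packet in enumerate(packets[1:]):
        if not packet or packet[0] != expected:
            raise ValueError(f"packet index mismatch, expected {expected:02x}")
        message += packet[1:]
    if len(message) != 3 + declared:
        raise ValueError("reassembled length does not match the frame header")
    return bytes(message)


def parse_response(message: bytes) -> Tuple[int, bytes, bytes]:
    """Return (command, body, response code): the body is everything after the
    third byte and before the last two bytes (step 124); the response code is
    the last two bytes checked against 9000 in step 123."""
    if len(message) < 5:
        raise ValueError("response too short for header and response code")
    declared = int.from_bytes(message[1:3], "big")
    if declared != len(message) - 3:
        raise ValueError("length field does not match response size")
    return message[0], message[3:-2], message[-2:]


def registration_data(client_data: str, app_id: str) -> bytes:
    """Step a2: SHA-256 of the first client data, then SHA-256 of the application ID."""
    return (hashlib.sha256(client_data.encode("utf-8")).digest()
            + hashlib.sha256(app_id.encode("utf-8")).digest())


# Registration data exactly as listed on the page (first hash || second hash).
PAGE_REG_DATA = bytes.fromhex(
    "5BFDF71873332EAA9015A128DF3556196E4AC4243576A71988A047E44EDDC882"
    "A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF56")
# Second response to the get-version instruction as listed on the page.
PAGE_VERSION_RESPONSE = bytes.fromhex("8300085532465f56329000")


def register_packets(subpackage_len: int = 20) -> List[str]:
    """Register instruction of step a3 split to the page's subpackage length 20."""
    message = frame(build_apdu(INS_REGISTER, PAGE_REG_DATA))
    return [p.hex().upper() for p in fragment(message, subpackage_len)]


def version_exchange() -> Tuple[str, str]:
    """Get-version instruction of step 121 and the version parsed from the reply."""
    instruction = frame(build_apdu(INS_VERSION)).hex()
    cmd, body, code = parse_response(PAGE_VERSION_RESPONSE)
    if cmd != CMD_MSG or code != SW_OK:
        raise ValueError("device reported an error response code")
    return instruction, body.decode("ascii")
```

Running `register_packets()` reproduces the four packets listed above, and `version_exchange()` reproduces the get-version instruction and the version string "U2F_V2".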
Step a4: The mobile terminal sends the register instruction to the ID authentication device through the write characteristic.
Specifically, the mobile terminal uses the write characteristic object to send the register instruction to the ID authentication device.
After the ID authentication device receives the register instruction from the mobile terminal, it generates a key pair and a key handle corresponding to the key pair, assembles the first data to be signed, which includes the public key of the key pair, the key handle, and the first hash value and second hash value from the registration data, signs the first data to be signed according to the preset hash algorithm and the private key of the key pair to obtain the first signed data, assembles the first authentication credential (certification criterion), which includes the public key of the key pair, the key handle corresponding to the key pair and the first signed data, and returns to the mobile terminal a third response that includes the first authentication credential and a response code.
Step 127: The mobile terminal receives the third response returned by the ID authentication device through the notify characteristic.
Specifically, through the system's communication callback method, the mobile terminal receives from the system the third response returned by the ID authentication device through the notify characteristic object.
For example, through the system's communication callback method, the mobile terminal receives the BluetoothGattCharacteristic parameter paramCharacteristic from the system, and obtains from paramCharacteristic the third response returned by the ID authentication device through the notify characteristic object.
Step 128: The mobile terminal judges whether the response code of the third response is the first preset value; if so, step 129 is executed; otherwise, an error is reported.
Specifically, the mobile terminal parses the third response, takes the data in its last two bytes as the response code, and judges whether the response code of the third response is the first preset value; if so, step 129 is executed; otherwise, an error is reported.
Step 129: The mobile terminal generates the second registration request from the third response, the first client data, the application ID and the user identifier, and sends the second registration request to the server backend.
Specifically, the mobile terminal obtains the first authentication credential from the third response, generates the second registration request including the first authentication credential, the first client data, the application ID and the user identifier, and sends the second registration request to the server backend.
More specifically, the mobile terminal parses the third response, takes as the first authentication credential the data in all bytes after the third byte (excluding the third byte) and before the penultimate byte (excluding the penultimate byte), generates the second registration request including the first authentication credential, the first client data, the application ID and the user identifier, and sends the second registration request to the server backend.
For example, the mobile terminal parses the third response, takes as the first authentication credential the data in all bytes after the third byte "26" (excluding the third byte) and before the penultimate byte "90" (excluding the penultimate byte), generates the second registration request including the first authentication credential, the first client data, the application ID and the user identifier, and sends the second registration request to the server backend.
In this embodiment, the communication data between the mobile terminal and the server backend is JSON-format data.
After the server backend receives the second registration request, it obtains the first authentication credential, the first client data, the application ID and the user identifier from the second registration request, verifies the first signed data in the first authentication credential according to the first client data, the application ID, the public key and key handle in the first authentication credential, and the preset hash algorithm in the first authentication credential, and judges whether the signature verification succeeds. If so, it establishes and saves a correspondence between the user identifier and, respectively, the key handle and the public key in the first authentication credential, sets the error code to the second preset value, and sends the fourth response including the error code to the mobile terminal; otherwise, it sets the error code to the third preset value and sends the fourth response including the error code to the mobile terminal.
More specifically, after the server backend receives the second registration request, it obtains the first authentication credential, the first client data, the application ID and the user identifier from the second registration request, and hashes the first client data and the application ID separately according to the first preset algorithm, obtaining the first server backend data and the second server backend data. It assembles the first original data, which includes the first server backend data, the second server backend data, the public key in the first authentication credential and the key handle in the first authentication credential, hashes the first original data with the preset hash algorithm to generate the first comparison value, decrypts the first signed data in the first authentication credential with the public key to obtain the first decrypted data, and judges whether the first comparison value matches the first decrypted data. If so, it establishes and saves a correspondence between the user identifier and, respectively, the key handle and the public key in the first authentication credential, sets the error code to the second preset value, and sends the fourth response including the error code to the mobile terminal; otherwise, it sets the error code to the third preset value and sends the fourth response including the error code to the mobile terminal.
In this embodiment, the second preset value is 0 and the third preset value is 1.
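A server-side parser for the registration response carried in the third response (the first authentication credential), as an added Python example that is neither the patent's nor any server's code. It splits the raw credential into public key, key handle, attestation certificate and signature and rebuilds the bytes the signature covers; the field order follows the FIDO U2F raw message format, which the page describes only loosely, and the ECDSA check itself is left to a crypto library. The sample response is constructed, with placeholder certificate and signature bytes.

```python
"""Server-side parsing of the registration response (first authentication credential).

Added example, not the patent's or any server's code. Field order follows the
FIDO U2F raw message format; the page only lists what the signed data includes.
"""
import hashlib
from dataclasses import dataclass

RESERVED = 0x05       # fixed first byte of a U2F registration response
PUBKEY_LEN = 65       # uncompressed P-256 point: 04 || X || Y


@dataclass
class RegistrationResponse:
    public_key: bytes
    key_handle: bytes
    attestation_cert: bytes   # DER certificate, kept whole for the attestation check
    signature: bytes          # DER-encoded ECDSA signature


def der_total_length(buf: bytes, offset: int) -> int:
    """Size of the DER element at offset, header included (definite lengths only)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated DER header")
    first = buf[offset + 1]
    if first & 0x80 == 0:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or offset + 2 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[offset + 2:offset + 2 + n], "big")


def parse_registration_response(raw: bytes) -> RegistrationResponse:
    """Split the credential into its four fields, rejecting truncated input."""
    if len(raw) < 1 + PUBKEY_LEN + 1 or raw[0] != RESERVED:
        raise ValueError("not a U2F registration response")
    pos = 1
    public_key = raw[pos:pos + PUBKEY_LEN]
    pos += PUBKEY_LEN
    if public_key[0] != 0x04:
        raise ValueError("user public key is not an uncompressed point")
    kh_len = raw[pos]
    pos += 1
    key_handle = raw[pos:pos + kh_len]
    pos += kh_len
    if len(key_handle) != kh_len or pos >= len(raw) or raw[pos] != 0x30:
        raise ValueError("truncated key handle or missing certificate")
    cert_len = der_total_length(raw, pos)
    cert = raw[pos:pos + cert_len]
    pos += cert_len
    signature = raw[pos:]
    if len(cert) != cert_len or len(signature) < 2 or signature[0] != 0x30:
        raise ValueError("truncated certificate or missing signature")
    if der_total_length(signature, 0) != len(signature):
        raise ValueError("trailing bytes after the signature")
    return RegistrationResponse(public_key, key_handle, cert, signature)


def registration_signed_data(app_id: str, client_data: str,
                             resp: RegistrationResponse) -> bytes:
    """Bytes the attestation signature covers: 0x00 || SHA-256(appId) ||
    SHA-256(clientData) || keyHandle || userPublicKey. The server hashes the
    application ID and client data it received itself (the page's first and
    second server backend data), so a forged credential cannot substitute its own."""
    return (b"\x00"
            + hashlib.sha256(app_id.encode("utf-8")).digest()
            + hashlib.sha256(client_data.encode("utf-8")).digest()
            + resp.key_handle + resp.public_key)


def constructed_response(key_handle: bytes) -> bytes:
    """Constructed sample, not real device output: placeholder public key, a
    minimal DER SEQUENCE standing in for the certificate, placeholder signature."""
    public_key = b"\x04" + bytes(range(64))
    cert = bytes.fromhex("300402020102")           # SEQUENCE { INTEGER 0x0102 }
    signature = bytes.fromhex("3006020101020102")  # SEQUENCE { INTEGER 1, INTEGER 2 }
    return (bytes([RESERVED]) + public_key + bytes([len(key_handle)])
            + key_handle + cert + signature)
```

The server would pass `registration_signed_data(...)` and `resp.signature` to an ECDSA P-256 verifier keyed with the attestation certificate's public key before storing the key handle and user public key against the user identifier.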
Step 130: The mobile terminal receives the fourth response from the server backend.
Step 131: The mobile terminal obtains the error code from the fourth response and judges whether the error code is the second preset value; if so, registration succeeded; otherwise, registration failed.
Authentication phase, as shown in Figures 4 and 5, comprising:
Step 201: The mobile terminal sends the first authentication request, which includes the user identifier, to the server backend.
In this embodiment, the user identifier is specifically the user name.
Step 202: The mobile terminal receives the fifth response from the server backend and obtains from the fifth response the application ID, the second challenge value, the derived data, the first version number and the key handle corresponding to the user identifier.
Specifically, the mobile terminal receives the JSON-format fifth response from the server backend, takes the preset application ID identifier, challenge value identifier, derived data identifier, version number identifier and key handle identifier as parameters, calls the system's get-string method for each, and obtains from the fifth response the application ID corresponding to the application ID identifier, the second challenge value corresponding to the challenge value identifier, the derived data corresponding to the derived data identifier, the first version number corresponding to the version number identifier and the key handle corresponding to the key handle identifier.
In this embodiment, the preset application ID identifier is specifically APPID; the preset challenge value identifier is challenge; the preset derived data identifier is specifically origin; the preset version number identifier is specifically version; the preset key handle identifier is keyHandle.
For example: the JSON-format fifth response that the mobile terminal receives from the server backend is
"APPID":"https://u2fdemo.appspot.com","challenge":"ZaFJmTE0g4yz0sk8D0x07g","origin":"https:\/\/u2fdemo.appspot.com","version":"U2F_V2","keyHandle":"qCw3hfVQlqxr8Ng-uwqa0nZch39y6wB7U7NjW4MdTz4_lOHvjm-8JIUeK0fm5THjmWV_OQOVwjG92wxL-7z0Og"
The mobile terminal takes the preset application ID identifier APPID, challenge value identifier challenge, derived data identifier origin, version number identifier version and key handle identifier keyHandle as parameters and calls the system's get-string method getString() for each; the application ID obtained from the fifth response is https://u2fdemo.appspot.com, the second challenge value obtained is ZaFJmTE0g4yz0sk8D0x07g, the derived data obtained is https://u2fdemo.appspot.com, the first version number obtained is U2F_V2, and the key handle corresponding to the user identifier obtained is qCw3hfVQlqxr8Ng-uwqa0nZch39y6wB7U7NjW4MdTz4_lOHvjm-8JIUeK0fm5THjmWV_OQOVwjG92wxL-7z0Og.
Step 203: The mobile terminal detects whether the Bluetooth channel is open; if so, step 205 is executed; otherwise, step 204 is executed.
Step 204: The mobile terminal opens the Bluetooth channel.
Step 205: The mobile terminal searches for the ID authentication device through the Bluetooth channel.
Specifically, the mobile terminal calls the system's search interface to search for the ID authentication device through the Bluetooth channel, and sets the search callback object. The search callback object includes the system's search callback method.
For example, the mobile terminal takes the first preset-type parameter filters, the second preset-type parameter settings and the search callback type parameter scanCallback as parameters, calls the system's first search interface startscan() to search for the ID authentication device through the Bluetooth channel, and sets the search callback object scanCallback.
Step 206: The mobile terminal receives the broadcast data from the ID authentication device through the Bluetooth channel.
Specifically, through the system's search callback method, the mobile terminal receives from the system the broadcast data of the ID authentication device and the device object corresponding to the ID authentication device.
For example, through the system's first search callback method onscanresult(), the mobile terminal receives from the system the broadcast data of the ID authentication device and the device object device corresponding to the ID authentication device.
In this embodiment, the search interface includes the first search interface, the search callback method includes the first search callback method, and the first search interface corresponds to the first search callback method. Note that the search interface may also include a second search interface, and the search callback method may also include a second search callback method, with the second search interface corresponding to the second search callback method.
Step 207: mobile terminal judges whether the service identifiers in broadcast data match with preset service mark, if
It is to then follow the steps 208;Otherwise, it reports an error;
Step 208: the mobile terminal establishes a Bluetooth connection with the ID authentication device;
Specifically, the mobile terminal calls the connection method of the system using the device object corresponding to the ID authentication device, establishes a Bluetooth connection with the ID authentication device, obtains a generic attribute profile (GATT) object and sets a connection callback object. The connection callback object includes the connection state callback method, the discover services callback method, the read characteristic callback method and the communication callback method of the system.
For example, the mobile terminal, taking the third preset type object context, the fourth preset type object false and the connection callback object gattCallback as parameters, calls the connection method connectGatt() of the system using the device object device, establishes a Bluetooth connection with the ID authentication device, obtains the GATT object gatt and sets the connection callback object gattCallback. The connection callback object gattCallback includes the connection state callback method onConnectionStateChange(), the discover services callback method onServicesDiscovered(), the read characteristic callback method onCharacteristicRead() and the communication callback method onCharacteristicChanged() of the system.
Step 209: the mobile terminal judges whether the Bluetooth connection with the ID authentication device has been established successfully; if so, step 210 is executed; otherwise, an error is reported;
Specifically, the mobile terminal receives, through the connection state callback method of the system, the result message of establishing the Bluetooth connection with the ID authentication device from the system, and judges according to that result message whether the Bluetooth connection with the ID authentication device has been established successfully.
For example, the mobile terminal receives, through the connection state callback method onConnectionStateChange() of the system, the integer parameter paramStatus from the system and takes it as the result message of establishing the Bluetooth connection with the ID authentication device; it judges whether the paramStatus parameter is 0, and if so, determines that the Bluetooth connection with the ID authentication device has been established successfully; otherwise, it determines that establishing the Bluetooth connection with the ID authentication device has failed.
Step 210: the mobile terminal searches for the services supported by the ID authentication device;
Specifically, the mobile terminal calls the discover services method discoverServices() of the system using the GATT object to search for the services supported by the ID authentication device.
Step 211: the mobile terminal judges whether the services supported by the ID authentication device have been found; if so, step 212 is executed; otherwise, an error is reported;
Specifically, the mobile terminal receives the service search result message from the system through the discover services callback method of the system, and judges according to that message whether the services supported by the ID authentication device have been found.
For example, the mobile terminal receives, through the discover services callback method onServicesDiscovered() of the system, the integer parameter paramStatus from the system and takes it as the service search result message; it judges whether the paramStatus parameter is 0, and if so, determines that the services supported by the ID authentication device have been found; otherwise, it determines that they have not been found.
Step 212: the mobile terminal obtains the service of the ID authentication device;
Specifically, the mobile terminal, taking the preset service identifier as a parameter, calls the get service method of the system using the GATT object and obtains the service object of the ID authentication device.
For example, the mobile terminal, taking the preset service identifier serviceUuid as a parameter, calls the get service method getService() of the system using the GATT object gatt and obtains the service object service of the ID authentication device.
The preset service identifier serviceUuid is "0000fffd-0000-1000-8000-00805f9b34fb".
Step 213: the mobile terminal judges whether the ID authentication device has already been paired; if so, step 216 is executed; otherwise, step 214 is executed;
Step 214: the mobile terminal pairs with the ID authentication device;
Step 215: the mobile terminal judges whether pairing with the ID authentication device succeeded; if so, step 216 is executed; otherwise, an error is reported;
Step 216: the mobile terminal obtains the read characteristic from the service;
Specifically, the mobile terminal, taking the preset read characteristic identifier as a parameter, calls the get characteristic method of the system using the service object and obtains the read characteristic object from the service object.
For example, the mobile terminal, taking the preset read characteristic identifier characteristicUuid as a parameter, calls the get characteristic method getCharacteristic() of the system using the service object service and obtains the read characteristic object characteristic from the service object service.
The read characteristic identifier characteristicUuid is specifically "f1d0fff3-deaa-ecee-b42f-c9ba7ed623bb".
Step 217: the mobile terminal reads the characteristic value of the read characteristic;
Specifically, the mobile terminal, taking the read characteristic object as a parameter, calls the read characteristic method of the system using the GATT object and reads the characteristic value of the read characteristic object.
For example, the mobile terminal, taking the read characteristic object characteristic as a parameter, calls the read characteristic method readCharacteristic() of the system using the GATT object gatt and reads the characteristic value of the read characteristic object.
Step 218: the mobile terminal judges whether the characteristic value of the read characteristic has been read successfully; if so, step 219 is executed; otherwise, an error is reported;
Specifically, the mobile terminal receives, through the read characteristic callback method of the system, the result message of reading the characteristic value of the read characteristic from the system, and judges according to that result message whether the characteristic value has been read successfully.
For example, the mobile terminal receives, through the read characteristic callback method onCharacteristicRead() of the system, the integer parameter paramStatus from the system and takes it as the result message of reading the characteristic value of the read characteristic; it judges whether the paramStatus parameter is 0, and if so, determines that the characteristic value has been read successfully; otherwise, it determines that the characteristic value has not been read successfully.
Step 219: the mobile terminal takes the characteristic value of the read characteristic as the subpackage length;
Step 220: the mobile terminal obtains the write characteristic and the notify characteristic from the service and enables the notify characteristic;
Specifically, the mobile terminal, taking the preset write characteristic identifier as a parameter, calls the get characteristic method of the system using the service object and obtains the write characteristic object from the service object. Taking the preset notify characteristic identifier as a parameter, it calls the get characteristic method of the system using the service object and obtains the notify characteristic object from the service object; it then calls the set characteristic notification method of the system to enable the notify characteristic object.
For example, the mobile terminal, taking the preset write characteristic identifier characteristicUuid as a parameter, calls the get characteristic method getCharacteristic() of the system using the service object service and obtains the write characteristic object characteristic from the service object service. Taking the preset notify characteristic identifier characteristicUuid as a parameter, it calls the get characteristic method getCharacteristic() of the system using the service object service and obtains the notify characteristic object characteristic from the service object service; it then calls the set characteristic notification method setCharacteristicNotification() of the system to enable the notify characteristic object.
The write characteristic identifier characteristicUuid is specifically "f1d0fff1-deaa-ecee-b42f-c9ba7ed623bb". The notify characteristic identifier characteristicUuid is specifically "f1d0fff2-deaa-ecee-b42f-c9ba7ed623bb".
Step 221: the mobile terminal sends a get version number instruction to the ID authentication device through the write characteristic;
Specifically, the mobile terminal organizes the get version number instruction and sends the get version number instruction to the ID authentication device.
More specifically, the mobile terminal organizes a third instruction, takes the third instruction as the data field of the get version number instruction, and adds the preset protocol command identifier and the data length of the get version number instruction in front of the third instruction.
For example, the mobile terminal sets the instruction class "00" of the third instruction in the first byte of the third instruction, sets the get version number instruction code "03" in the second byte of the third instruction, sets the data length "000000" of the data field of the third instruction in the 5th to 7th bytes of the third instruction, and sets the expected response value length "0000" in the last two bytes of the third instruction, obtaining the third instruction "000300000000000000" that includes the get version number instruction code; it takes the third instruction as the data field of the get version number instruction and adds the preset protocol command identifier "83" and the data length "0009" of the third instruction in front of the third instruction, obtaining the get version number instruction "830009000300000000000000", and sends the get version number instruction to the ID authentication device.
Sending the get version number instruction to the ID authentication device specifically means that the mobile terminal sends the get version number instruction to the ID authentication device using the write characteristic object.
Step 222: the mobile terminal receives the 6th response returned by the ID authentication device through the notify characteristic;
Specifically, the mobile terminal receives, through the communication callback method of the system, the 6th response returned by the ID authentication device from the system.
For example, the mobile terminal receives, through the communication callback method of the system, the BluetoothGattCharacteristic type parameter paramCharacteristic from the system and obtains the 6th response returned by the ID authentication device from the parameter paramCharacteristic.
Step 223: the mobile terminal judges whether the response code of the 6th response is the first preset value; if so, step 224 is executed; otherwise, an error is reported;
Specifically, the mobile terminal parses the 6th response, obtains the data in the last two bytes of the 6th response and takes it as the response code, and judges whether the response code of the 6th response is the first preset value; if so, step 224 is executed; otherwise, an error is reported.
In this embodiment, the first preset value is 9000.
Step 224: the mobile terminal obtains the second version number from the 6th response;
Specifically, the mobile terminal parses the 6th response, obtains the data in all bytes after the third byte (not including the third byte) and before the penultimate byte (not including the penultimate byte) of the 6th response, and takes it as the second version number.
For example, the mobile terminal parses the 6th response "8300085532465f56329000", obtains the data in all bytes after the third byte "08" (not including the third byte) and before the penultimate byte "90" (not including the penultimate byte) of the 6th response, which is "5532465f5632", and takes "5532465f5632" as the second version number.
Step 225: the mobile terminal judges whether the first version number matches the second version number; if so, step 226 is executed; otherwise, an error is reported;
Step 226: the mobile terminal organizes second client data according to the preset authentication instruction type, the second challenge value and the origin data, organizes an authentication instruction according to the application ID, the second client data and the subpackage length, and sends the authentication instruction to the ID authentication device through the write characteristic;
This step specifically includes:
Step b1: the mobile terminal organizes second client data that includes the preset authentication instruction type, the second challenge value and the origin data;
Specifically, the mobile terminal creates a JSON object clientData, stores in the object clientData the preset authentication instruction type and its identifier, the second challenge value and its identifier, and the origin data and its identifier, and converts the object clientData to a string, obtaining the second client data in JSON format;
For example, the mobile terminal creates a JSON object clientData, stores in the object clientData the preset authentication instruction type navigator.id.getAssertion with its identifier typ, the second challenge value ZaFJmTE0g4yz0sk8D0x07g with its identifier challenge and the origin data https://u2fdemo.appspot.com with its identifier origin, converts the object clientData to a string, and obtains the second client data {"typ":"navigator.id.getAssertion","challenge":"ZaFJmTE0g4yz0sk8D0x07g","origin":"https:\/\/u2fdemo.appspot.com"}.
Step b2: the mobile terminal hashes the second client data and the application ID respectively, obtains a third hash value and a fourth hash value, and obtains authentication data according to the third hash value, the fourth hash value and the key handle;
Specifically, the mobile terminal hashes the second client data and the application ID respectively using the first preset algorithm, obtains the third hash value and the fourth hash value, and organizes the authentication data according to the third hash value, the fourth hash value, the key handle length and the key handle.
The third hash value is the hashed second client data; the fourth hash value is the hashed application ID. The first preset algorithm can be, but is not limited to, SHA256.
For example, the mobile terminal uses the SHA256 algorithm to hash the second client data {"typ":"navigator.id.getAssertion","challenge":"ZaFJmTE0g4yz0sk8D0x07g","origin":"https:\/\/u2fdemo.appspot.com"} and the application ID ("APPID": "https://u2fdemo.appspot.com") respectively, obtaining the third hash value "5FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2" and the fourth hash value "A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF56"; it organizes the authentication data according to the third hash value, the fourth hash value, the key handle length "40" and the key handle "F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A", and the obtained authentication data is "5FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF5640F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A".
Step b3: the mobile terminal organizes an authentication instruction according to the authentication data, the FIDO protocol and the subpackage length;
Specifically, the mobile terminal organizes a second instruction according to the authentication data, and organizes the authentication instruction according to the second instruction and the subpackage length.
In this embodiment, the authentication instruction may consist of one packet or several packets of data.
More specifically, the mobile terminal sets the authentication instruction code in the second byte of the second instruction and sets the authentication data as the data field of the second instruction, obtaining a second instruction that includes the authentication instruction code and the authentication data; it takes the second instruction as the data field of the authentication instruction and adds the preset protocol command identifier and the data length of the second instruction in front of the second instruction, obtaining the authentication instruction; it then judges according to the subpackage length whether the authentication instruction needs to be split into packets; if so, it splits the authentication instruction into packets according to the subpackage length, obtaining several packets of authentication valid data, takes the first packet of authentication valid data as the first packet of authentication send data, and, starting from the second packet of authentication valid data, adds the corresponding packet index in front of each packet of authentication valid data to obtain the packets of authentication send data that follow the first; otherwise, step b4 is executed.
In this embodiment, the authentication instruction code is specifically "02" and the preset protocol command identifier is specifically "83".
In this embodiment, the format of the authentication instruction is as follows:
Preset protocol command identifier | Data length of the data field | Data field |
1 byte | 2 bytes |
The format of the second instruction is as follows:
For example, the mobile terminal sets the instruction class "00" of the second instruction in the first byte of the second instruction, sets the authentication instruction code "02" in the second byte of the second instruction, sets the data length "000081" of the authentication data in the 5th to 7th bytes of the second instruction, sets the authentication data "5FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF5640F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A" in the data field of the second instruction, and sets the expected response value length "0000" in the last two bytes of the second instruction, obtaining the second instruction "000203000000815FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF5640F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A0000" that includes the authentication instruction code and the authentication data; it takes the second instruction as the data field of the authentication instruction and adds the preset protocol command identifier "83" and the data length "008C" of the second instruction in front of the second instruction, obtaining the authentication instruction "83008C000203000000815FB6F5CA47F4BB78C03F7F4CED729B92364FE43D399BE8DA397AF4F2F56549E2A1AA11AFF7E71252FE5E32AA80B425A0FAFBE5F8A5EA767316A2562AB48DBF5640F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A0000"; it judges according to the subpackage length "20" whether the authentication instruction needs to be split into packets, and the packets of authentication valid data obtained are:
the first packet of authentication valid data: "83008C000203000000815FB6F5CA47F4BB78C03F";
the second packet of authentication valid data: "7F4CED729B92364FE43D399BE8DA397AF4F2F5";
the third packet of authentication valid data: "6549E2A1AA11AFF7E71252FE5E32AA80B425A0";
the fourth packet of authentication valid data: "FAFBE5F8A5EA767316A2562AB48DBF5640F21A";
the fifth packet of authentication valid data: "62C01BB90009EAE0F1CEE253DAE34D2B751AAA";
the sixth packet of authentication valid data: "8C94D90AD558F42E29B976E16CB8BACE08E676";
the seventh packet of authentication valid data: "A2332923D4B261B78285696F9CB3F59C317397";
the eighth packet of authentication valid data: "50FE55306A0000".
The first packet of authentication valid data is taken as the first packet of authentication send data: "83008C000203000000815FB6F5CA47F4BB78C03F";
the packet index "00" is added in front of the second packet of authentication valid data, obtaining the second packet of authentication send data "007F4CED729B92364FE43D399BE8DA397AF4F2F5";
the packet index "01" is added in front of the third packet of authentication valid data, obtaining the third packet of authentication send data "016549E2A1AA11AFF7E71252FE5E32AA80B425A0";
the packet index "02" is added in front of the fourth packet of authentication valid data, obtaining the fourth packet of authentication send data "02FAFBE5F8A5EA767316A2562AB48DBF5640F21A";
the packet index "03" is added in front of the fifth packet of authentication valid data, obtaining the fifth packet of authentication send data "0362C01BB90009EAE0F1CEE253DAE34D2B751AAA";
the packet index "04" is added in front of the sixth packet of authentication valid data, obtaining the sixth packet of authentication send data "048C94D90AD558F42E29B976E16CB8BACE08E676";
the packet index "05" is added in front of the seventh packet of authentication valid data, obtaining the seventh packet of authentication send data "05A2332923D4B261B78285696F9CB3F59C317397";
the packet index "06" is added in front of the eighth packet of authentication valid data, obtaining the eighth packet of authentication send data "0650FE55306A0000".
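The get version number instruction of step 221 and the second instruction, authentication instruction and packet split of step b3 follow one layout, so here is a single added example, not code from the patent, that builds both and then re-assembles the packets the way a receiving side would. It assumes Python's hashlib SHA256 as the first preset algorithm; the function and constant names are this example's own, and the challenge, application ID, key handle and subpackage length are the values from the worked example above.

```python
import hashlib
import json

# Values taken from the worked example in the text.
CMD_MSG = 0x83                 # preset protocol command identifier
INS_GET_VERSION = 0x03         # get version number instruction code
INS_AUTHENTICATE = 0x02        # authentication instruction code
P1_AUTHENTICATE = 0x03         # third byte of the second instruction in the text
SEQ_MAX = 0x7F                 # packet indices keep the high bit clear (assumption)


def build_apdu(ins: int, p1: int, data: bytes) -> bytes:
    """Lay out an instruction as the text does: class 00, instruction code, P1, P2,
    3-byte data length, data field, 2-byte expected response value length 0000."""
    if len(data) > 0xFFFF:
        raise ValueError("data field too long for the 3-byte length")
    return bytes([0x00, ins, p1, 0x00]) + len(data).to_bytes(3, "big") + data + b"\x00\x00"


def frame_message(payload: bytes) -> bytes:
    """Prefix the preset protocol command identifier 83 and the 2-byte data length."""
    return bytes([CMD_MSG]) + len(payload).to_bytes(2, "big") + payload


def client_data_string(challenge: str, origin: str) -> str:
    """Second client data in the key order the text shows. Forward slashes are
    escaped as the Android JSON library does; the hash covers these exact bytes,
    so the server must hash the string it received, not a re-serialisation."""
    obj = {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin}
    return json.dumps(obj, separators=(",", ":")).replace("/", "\\/")


def build_authentication_data(client_data: str, app_id: str, key_handle: bytes) -> bytes:
    """third hash || fourth hash || key handle length (1 byte) || key handle."""
    if not 0 < len(key_handle) <= 0xFF:
        raise ValueError("key handle length must fit in one byte")
    third_hash = hashlib.sha256(client_data.encode("utf-8")).digest()
    fourth_hash = hashlib.sha256(app_id.encode("utf-8")).digest()
    return third_hash + fourth_hash + bytes([len(key_handle)]) + key_handle


def fragment(frame: bytes, subpackage_length: int) -> list:
    """Split a frame into packets of at most subpackage_length bytes. The first
    packet carries the 3-byte header; every later packet starts with a packet
    index 00, 01, ... in front of the next slice of data."""
    if subpackage_length < 4:
        raise ValueError("subpackage length must leave room for the header and data")
    packets = [frame[:subpackage_length]]
    rest = frame[subpackage_length:]
    seq = 0
    while rest:
        if seq > SEQ_MAX:
            raise ValueError("frame needs more continuation packets than the index allows")
        packets.append(bytes([seq]) + rest[:subpackage_length - 1])
        rest = rest[subpackage_length - 1:]
        seq += 1
    return packets


def reassemble(packets: list) -> bytes:
    """Receiver side: rebuild the frame, checking the command byte, the packet
    indices and that the declared length equals the number of bytes received."""
    first = packets[0]
    if len(first) < 3 or first[0] != CMD_MSG:
        raise ValueError("first packet does not start with the command identifier")
    declared = int.from_bytes(first[1:3], "big")
    body = bytearray(first[3:])
    for expected, pkt in enumerate(packets[1:]):
        if not pkt or pkt[0] != expected:
            raise ValueError(f"packet index {pkt[:1].hex()} where {expected:02x} was expected")
        body += pkt[1:]
    if len(body) != declared:
        raise ValueError(f"declared length {declared} does not match {len(body)} bytes received")
    return bytes(first[:3]) + bytes(body)


# Worked values from the text.
CHALLENGE = "ZaFJmTE0g4yz0sk8D0x07g"
APP_ID = "https://u2fdemo.appspot.com"
KEY_HANDLE = bytes.fromhex(
    "F21A62C01BB90009EAE0F1CEE253DAE34D2B751AAA8C94D90AD558F42E29B976"
    "E16CB8BACE08E676A2332923D4B261B78285696F9CB3F59C31739750FE55306A")
SUBPACKAGE_LENGTH = 20        # characteristic value read in step 217 of the text

CLIENT_DATA = client_data_string(CHALLENGE, APP_ID)
AUTH_DATA = build_authentication_data(CLIENT_DATA, APP_ID, KEY_HANDLE)
VERSION_FRAME = frame_message(build_apdu(INS_GET_VERSION, 0x00, b""))
AUTH_FRAME = frame_message(build_apdu(INS_AUTHENTICATE, P1_AUTHENTICATE, AUTH_DATA))
AUTH_PACKETS = fragment(AUTH_FRAME, SUBPACKAGE_LENGTH)

if __name__ == "__main__":
    print("get version number instruction:", VERSION_FRAME.hex())
    for i, pkt in enumerate(AUTH_PACKETS, 1):
        print(f"packet {i}: {pkt.hex()}")
    assert reassemble(AUTH_PACKETS) == AUTH_FRAME
```

The length field is computed from the payload rather than copied: for the 138-byte second instruction this gives 008A, whereas the worked figures above write 008C. reassemble() rejects such a mismatch, because a receiver that trusts the declared length over the bytes it actually got would either wait for two bytes that never arrive or accept a frame that is two bytes short. The hash values quoted above are not asserted here because they depend on the exact bytes the Android JSON library produced, which is why client_data_string() reproduces the escaped slashes the text shows.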
Step b4: the mobile terminal sends the authentication instruction to the ID authentication device through the write characteristic.
Specifically, the mobile terminal sends the authentication instruction to the ID authentication device using the write characteristic object.
After the ID authentication device receives the authentication instruction from the mobile terminal, it obtains the private key corresponding to the key handle according to the key handle in the authentication instruction, organizes second data to be signed that includes the third hash value and the fourth hash value in the authentication data, signs the second data to be signed according to the preset hash algorithm and the private key corresponding to the key handle to obtain second signature data, organizes a second authentication criterion that includes the second signature data, and returns to the mobile terminal a 7th response that includes the second authentication criterion and the first preset value.
Step 227: the mobile terminal receives the 7th response returned by the ID authentication device through the notify characteristic;
Specifically, the mobile terminal receives, through the communication callback method of the system, the 7th response returned by the ID authentication device through the notify characteristic object from the system.
For example, the mobile terminal receives, through the communication callback method of the system, the BluetoothGattCharacteristic type parameter paramCharacteristic from the system and obtains from the parameter paramCharacteristic the 7th response returned by the ID authentication device through the notify characteristic object.
Step 228: the mobile terminal judges whether the response code of the 7th response is the first preset value; if so, step 229 is executed; otherwise, an error is reported;
Step 229: the mobile terminal generates a second authentication request according to the second client data, the application ID, the user identifier and the 7th response, and sends the second authentication request to the server background;
Specifically, the mobile terminal obtains the second authentication criterion from the 7th response, generates a second authentication request that includes the second authentication criterion, the second client data, the application ID and the user identifier, and sends the second authentication request to the server background;
More specifically, the mobile terminal parses the 7th response, obtains the data in all bytes after the third byte (not including the third byte) and before the penultimate byte (not including the penultimate byte) of the 7th response, and takes it as the second authentication criterion; it generates a second authentication request that includes the second authentication criterion, the second client data, the application ID and the user identifier, and sends the second authentication request to the server background;
For example, the mobile terminal parses the 7th response 83004e01000000033045022066f456ba4b5decff5f63c78eca95a56d5fd757a8221ec89c6b9e7324ef537c8f022100c66a187fcce133ea99294c1804f023c4546513daf5fe1b09afd7ae21b334ea969000, obtains the data in all bytes after the third byte "4e" (not including the third byte) and before the penultimate byte "90" (not including the penultimate byte), which is 01000000033045022066f456ba4b5decff5f63c78eca95a56d5fd757a8221ec89c6b9e7324ef537c8f022100c66a187fcce133ea99294c1804f023c4546513daf5fe1b09afd7ae21b334ea96, and takes it as the second authentication criterion; it generates a second authentication request that includes the second authentication criterion, the second client data, the application ID and the user identifier, and sends the second authentication request to the server background;
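The 6th and 7th responses are parsed with the same rule: strip the 3-byte header, take the last two bytes as the response code, keep what lies between. The following is an added example, not code from the patent, that does this for the 6th response of step 224 and the 7th response of step 229, and additionally splits the second authentication criterion into its fields. The field layout it assumes for the criterion (one user-presence byte, a 4-byte counter, a DER-encoded ECDSA signature) is the FIDO U2F authentication response format; the text itself describes the criterion only as the signed data. Function and constant names are this example's own.

```python
# Added example (not from the patent): parsing the responses of steps 222 to 224
# and 227 to 229 and checking them before anything is forwarded to the server.

CMD_MSG = 0x83       # preset protocol command identifier
STATUS_OK = 0x9000   # the first preset value of the text


def parse_response(frame: bytes):
    """Split a response frame into (data, response code).

    The response code is the last two bytes; the data is everything between the
    3-byte header and the response code, which is what steps 224 and 229 extract.
    The declared length must match the bytes actually present.
    """
    if len(frame) < 5 or frame[0] != CMD_MSG:
        raise ValueError("not a response frame with the command identifier 83")
    declared = int.from_bytes(frame[1:3], "big")
    body = frame[3:]
    if len(body) != declared:
        raise ValueError(f"declared length {declared} does not match {len(body)} bytes")
    return body[:-2], int.from_bytes(body[-2:], "big")


def parse_version_response(frame: bytes) -> str:
    """Second version number of step 224, as the ASCII string the device sent."""
    data, code = parse_response(frame)
    if code != STATUS_OK:
        raise ValueError(f"device returned response code {code:04x}")
    return data.decode("ascii")


def parse_der_ecdsa_signature(sig: bytes):
    """Strict parser for SEQUENCE { INTEGER r, INTEGER s } with short-form lengths,
    which is all a P-256 signature needs. Negative or non-minimal integers and
    trailing bytes are rejected so that only one encoding of a signature is accepted."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2 or sig[1] > 0x7F:
        raise ValueError("malformed DER SEQUENCE")
    pos, values = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected a DER INTEGER")
        n = sig[pos + 1]
        value = sig[pos + 2:pos + 2 + n]
        if n == 0 or len(value) != n:
            raise ValueError("truncated DER INTEGER")
        if value[0] & 0x80:
            raise ValueError("negative DER INTEGER")
        if n > 1 and value[0] == 0 and not value[1] & 0x80:
            raise ValueError("non-minimal DER INTEGER")
        values.append(int.from_bytes(value, "big"))
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes after the signature")
    return values[0], values[1]


def parse_authentication_response(frame: bytes) -> dict:
    """Second authentication criterion of step 229, split into its fields.

    Layout assumed here (FIDO U2F authentication response): one user-presence
    byte, a 4-byte big-endian counter, then the DER-encoded ECDSA signature.
    """
    criterion, code = parse_response(frame)
    if code != STATUS_OK:
        raise ValueError(f"device returned response code {code:04x}")
    if len(criterion) < 5 + 8:
        raise ValueError("authentication criterion too short")
    r, s = parse_der_ecdsa_signature(criterion[5:])
    return {
        "criterion": criterion,
        "user_presence": criterion[0],
        "counter": int.from_bytes(criterion[1:5], "big"),
        "r": r,
        "s": s,
    }


# The two responses from the worked example in the text.
SIXTH_RESPONSE = bytes.fromhex("8300085532465f56329000")
SEVENTH_RESPONSE = bytes.fromhex(
    "83004e"                      # command identifier and data length 0x4e = 78
    "01"                          # user presence
    "00000003"                    # counter
    "3045"                        # DER SEQUENCE of 69 bytes
    "022066f456ba4b5decff5f63c78eca95a56d5fd757a8221ec89c6b9e7324ef537c8f"
    "022100c66a187fcce133ea99294c1804f023c4546513daf5fe1b09afd7ae21b334ea96"
    "9000")                       # response code, the first preset value

if __name__ == "__main__":
    print("second version number:", parse_version_response(SIXTH_RESPONSE))
    fields = parse_authentication_response(SEVENTH_RESPONSE)
    print("user presence:", fields["user_presence"], "counter:", fields["counter"])
    print("second authentication criterion:", fields["criterion"].hex())
```

Strict DER parsing matters on the server side of step 229 as much as on the mobile terminal: the signature verification there should accept exactly one encoding per signature. The counter, which the text does not discuss, is the field a server uses to detect a cloned authenticator, by requiring it to increase from one authentication to the next for the same key handle.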
In this embodiment, the communication data between the mobile terminal and the server background is JSON formatted data.
After the server background receives the second authentication request, it obtains the second client data, the application ID, the user identifier and the second authentication criterion from the second authentication request, obtains the public key corresponding to the user identifier according to the user identifier, verifies the second signature data in the second authentication criterion according to the second client data, the application ID, the preset hash algorithm and the public key, and judges whether the signature verification succeeds; if so, it sets the error code to the second preset value and sends an 8th response that includes the error code to the mobile terminal; otherwise, it sets the error code to the third preset value and sends an 8th response that includes the error code to the mobile terminal.
More specifically, after the server background receives the second authentication request, it obtains the second client data, the application ID, the user identifier and the second authentication criterion from the second authentication request, obtains the public key corresponding to the user identifier according to the user identifier, and hashes the second client data and the application ID respectively using the first preset algorithm, obtaining third server background data and fourth server background data; it organizes second original data that includes the third server background data and the fourth server background data, hashes the second original data using the preset hash algorithm to generate a second comparison value, decrypts the second signature data in the second authentication criterion using the public key to obtain second decrypted data, and judges whether the second comparison value matches the second decrypted data; if so, it sets the error code to the second preset value and sends an 8th response that includes the error code to the mobile terminal; otherwise, it sets the error code to the third preset value and sends an 8th response that includes the error code to the mobile terminal.
Step 230: the mobile terminal receives the 8th response from the server background;
Step 231: the mobile terminal obtains the error code from the 8th response of the server background and judges whether the error code is the second preset value; if so, authentication succeeds; otherwise, authentication fails.
The identity authentication method provided in this embodiment carries out the authentication process together with an ID authentication device, so the user does not need to enter a password; this makes identity authentication more convenient and easier to operate while also improving its security.
Embodiment 3
This embodiment provides an identity authentication system, as shown in Figure 6, comprising a mobile terminal;
The mobile terminal includes: a first sending submodule 01, a first receiving submodule 02, a search submodule 03, a connection submodule 04, a first acquisition submodule 05, an enabling submodule 06, a characteristic sending submodule 07, a characteristic receiving submodule 08, a first generation submodule 09, a second sending submodule 10, a second receiving submodule 11 and a first judging submodule 12;
The first sending submodule 01 is used to send a first authentication request that includes the user identifier to the server background;
The first receiving submodule 02 is used to receive from the server background a 5th response that includes the application ID, the second challenge value, the origin data and the key handle corresponding to the user identifier;
The search submodule 03 is used to search for an ID authentication device that matches the preset service identifier;
The connection submodule 04 is used to establish a connection with the ID authentication device that matches the preset service identifier;
The first acquisition submodule 05 is used to obtain the service of the ID authentication device and to obtain the notify characteristic and the write characteristic from the service;
The first acquisition submodule 05 is specifically used to obtain the service of the ID authentication device according to the preset service identifier, to obtain the notify characteristic from the service according to the preset notify characteristic identifier, and to obtain the write characteristic from the service according to the preset write characteristic identifier.
The enabling submodule 06 is used to enable the notify characteristic obtained by the first acquisition submodule 05;
The first generation submodule 09 is used to generate authentication data according to the preset authentication instruction type and the second challenge value, the origin data, the application ID and the key handle received by the first receiving submodule 02;
The first generation submodule 09 specifically includes a first organizing unit, a first hashing unit and a first generating unit;
The first organizing unit is used to organize second client data that includes the preset authentication instruction type, the second challenge value and the origin data;
The first hashing unit is used to hash, respectively, the second client data organized by the first organizing unit and the application ID, obtaining a third hash value and a fourth hash value;
The first generating unit is used to generate the authentication data according to the third hash value and the fourth hash value obtained by the first hashing unit and the key handle received by the first receiving submodule.
The characteristic sending submodule 07 is used to send, after the enabling submodule 06 has enabled the notify characteristic, an authentication instruction that includes the authentication data generated by the first generation submodule 09 to the ID authentication device through the write characteristic;
The characteristic receiving submodule 08 is used to receive the 7th response, including the second authentication criterion, returned by the ID authentication device through the notify characteristic;
The second sending submodule 10 is used to send to the server background a second authentication request that includes the authentication instruction type, the second challenge value, the origin data, the application ID, the user identifier and the second authentication criterion;
The second sending submodule 10 is specifically used to send to the server background a second authentication request that includes the second client data, the application ID, the user identifier and the second authentication criterion.
The second receiving submodule 11 is used to receive the 8th response that includes the error code from the server background;
The first judging submodule 12 is used to judge whether the error code is the second preset value; if so, it determines that authentication succeeded; otherwise, it determines that authentication failed.
Further, in this embodiment identification authentication system can also include: ID authentication device;
Wherein, ID authentication device includes the first authentication module, and the first authentication module includes: the second acquisition submodule, the
One signature submodule, third sending submodule and third receiving submodule;
Third receiving submodule, for receiving certification instruction;
Second acquisition submodule, for obtaining authentication data from the certification instruction that third receiving submodule receives, from
Key handles and private key corresponding with key handles are obtained in authentication data;
First signature submodule, for tissue include the third cryptographic Hash and the 4th cryptographic Hash in authentication data second to
Signed data, the private key corresponding with key handles got according to the second acquisition submodule and preset hash algorithm are to second
Data to be signed are signed to obtain the second signed data;
Third sending submodule includes the second certification criterion of the second signed data for tissue, will include the second certification
7th response of criterion returns to mobile terminal.
Further, in this embodiment the identity authentication system may also include the server back end;
The server back end includes a second authentication module, and the second authentication module includes: a fourth receiving submodule, a third acquisition submodule, a first signature verification submodule, a third judging submodule and a fourth sending submodule;
The fourth receiving submodule is configured to receive the second authentication request;
The third acquisition submodule is configured to obtain, according to the user identifier in the second authentication request, the public key corresponding to that user identifier;
The first signature verification submodule is configured to verify the second signature data in the second authentication credential according to the second client data and the application ID in the second authentication request, the preset hash algorithm and the public key obtained by the third acquisition submodule;
The third judging submodule is configured to judge whether the verification by the first signature verification submodule succeeded;
The fourth sending submodule is configured to set the error code to the second preset value when the third judging submodule judges yes, and to send to the mobile terminal an eighth response that includes the error code; and to set the error code to the third preset value when the third judging submodule judges no, and to send to the mobile terminal an eighth response that includes the error code.
In this embodiment the fifth response also includes a first version number; correspondingly, the mobile terminal may also include a second judging submodule and a first error-reporting submodule;
Feature sending submodule 07 is also configured, after enabling submodule 06 enables the notify characteristic, to send a get-version-number instruction to the identity authentication device through the write characteristic obtained by first acquisition submodule 05;
Feature receiving submodule 08 is also configured to receive a sixth response, which includes a second version number, returned by the identity authentication device through the notify characteristic;
The second judging submodule is configured to judge whether the second version number in the sixth response received by feature receiving submodule 08 matches the first version number received by first receiving submodule 02; correspondingly, first generating submodule 09 is specifically configured, when the second judging submodule judges yes, to generate the authentication data according to the preset authentication instruction type and the second challenge value, origin data, application ID and key handle received by first receiving submodule 02;
The first error-reporting submodule is configured to report an error when the second judging submodule judges no.
In this embodiment the mobile terminal further includes: a first assembling submodule, a fourth judging submodule and a first fragmenting submodule;
First acquisition submodule 05 is also configured to obtain the read characteristic from the service and to use the value of the read characteristic as the fragment length; the first assembling submodule is configured to assemble the authentication instruction; the fourth judging submodule is configured to judge, according to the fragment length, whether the authentication instruction assembled by the first assembling submodule needs to be fragmented;
The first fragmenting submodule is configured to fragment the authentication instruction according to the fragment length when the fourth judging submodule judges yes.
Further, the first assembling submodule is specifically configured to assemble a second instruction from the authentication data generated by first generating submodule 09, to use the second instruction as the data field of the authentication instruction, and to prepend to the second instruction a preset protocol command identifier and the data length of the second instruction, obtaining the authentication instruction.
In this embodiment the mobile terminal further includes: a fifth sending submodule, a fifth receiving submodule, a fifth judging submodule, a second generating submodule, a sixth sending submodule, a sixth receiving submodule and a sixth judging submodule;
The fifth sending submodule is configured to send to the server back end a first registration request that includes the user identifier;
The fifth receiving submodule is configured to receive from the server back end a first response that includes the application ID, a first challenge value and origin data;
The second generating submodule is configured to generate registration data according to a preset registration instruction type and the first challenge value, origin data and application ID received by the fifth receiving submodule;
Feature sending submodule 07 is also configured, after enabling submodule 06 enables the notify characteristic, to send to the identity authentication device through the write characteristic a registration instruction that includes the registration data generated by the second generating submodule;
Feature receiving submodule 08 is also configured to receive a third response, which includes a first authentication credential, returned by the identity authentication device through the notify characteristic;
In this embodiment the second generating submodule specifically includes: a second assembling unit, a second hashing unit and a second generating unit;
The second assembling unit is configured to assemble first client data that includes the preset registration instruction type, the first challenge value and the origin data;
The second hashing unit is configured to hash the first client data assembled by the second assembling unit and the application ID separately, obtaining a first hash value and a second hash value;
The second generating unit is configured to generate the registration data according to the first hash value and the second hash value obtained by the second hashing unit;
The sixth sending submodule is configured to send to the server back end a second registration request that includes the registration instruction type, the first challenge value, the origin data, the application ID, the user identifier and the first authentication credential;
The sixth sending submodule is specifically configured to send to the server back end a second registration request that includes the first client data, the application ID, the user identifier and the first authentication credential.
The sixth receiving submodule is configured to receive from the server back end a fourth response that includes an error code;
The sixth judging submodule is configured to judge whether the error code is the second preset value; if so, registration is determined to have succeeded; otherwise, registration is determined to have failed.
Further, in this embodiment the identity authentication system may also include the identity authentication device;
The identity authentication device includes a third authentication module, and the third authentication module includes: a third generating submodule, a second signature submodule, a seventh sending submodule and a seventh receiving submodule;
The seventh receiving submodule is configured to receive the registration instruction;
The third generating submodule is configured, after the seventh receiving submodule receives the registration instruction, to generate a key pair and a key handle corresponding to the key pair;
The second signature submodule is configured to assemble first data to be signed, which includes the public key of the key pair, the key handle, and the first hash value and second hash value in the registration data, and to sign the first data to be signed with the private key of the key pair and the preset hash algorithm, obtaining first signature data;
The seventh sending submodule is configured to assemble a first authentication credential that includes the public key of the key pair, the key handle corresponding to the key pair and the first signature data, and to return to the mobile terminal a third response that includes the first authentication credential.
Further, in this embodiment the identity authentication system may also include the server back end;
The server back end includes a fourth authentication module, and the fourth authentication module includes: an eighth receiving submodule, a second signature verification submodule, an eighth judging submodule, an eighth sending submodule and an association submodule;
The eighth receiving submodule is configured to receive the second registration request;
The second signature verification submodule is configured to verify the first signature data in the first authentication credential according to the first client data, the application ID, the public key in the first authentication credential, the key handle in the first authentication credential and the preset hash algorithm;
The eighth judging submodule is configured to judge whether the verification by the second signature verification submodule succeeded;
The association submodule is configured, when the eighth judging submodule judges yes, to establish and store a correspondence between the user identifier and each of the key handle and the public key in the third response;
The eighth sending submodule is configured to set the error code to the second preset value when the eighth judging submodule judges yes, and to send to the mobile terminal a fourth response that includes the error code; and to set the error code to the third preset value when the eighth judging submodule judges no, and to send to the mobile terminal a fourth response that includes the error code.
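The registration and authentication exchanges described above (device-side signing in the third and first authentication modules, server-side verification in the fourth and second authentication modules) are carried end to end in the following added example. It is not code from the patent or from any implementation of it. It assumes P-256 ECDSA with SHA-256 as the preset hash algorithm, a JSON encoding of the client data, a random 32-byte key handle and ASN.1-encoded signatures, none of which the patent specifies. It also checks that an assertion does not verify under a different application ID, which is what hashing the application ID into the signed data buys; a deployment would additionally have the server compare the challenge inside the returned client data with the one it issued, a check the patent text does not spell out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ClientData is the client data of steps a1/b1 (JSON encoding is an assumption).
type ClientData struct{ Type, Challenge, Origin string }

// HashClientData is step a2/b2: hash the client data and the application ID
// separately with the preset hash algorithm (SHA-256 assumed).
func HashClientData(cd ClientData, appID string) (cdHash, appHash [32]byte) {
	raw, _ := json.Marshal(cd) // a struct of plain strings always marshals
	return sha256.Sum256(raw), sha256.Sum256([]byte(appID))
}

// Credential is the "first authentication credential" the device returns.
type Credential struct {
	Pub    *ecdsa.PublicKey
	Handle [32]byte
	Sig    []byte
}

// regTBS builds the first data to be signed: public key || key handle || hash1 || hash2.
func regTBS(pub *ecdsa.PublicKey, handle, cdHash, appHash [32]byte) [32]byte {
	b := elliptic.Marshal(elliptic.P256(), pub.X, pub.Y)
	b = append(append(append(b, handle[:]...), cdHash[:]...), appHash[:]...)
	return sha256.Sum256(b)
}

// Device stands in for the identity authentication device; a key handle is a random
// 32-byte index into its key store (that layout and P-256 are assumptions).
type Device struct{ keys map[[32]byte]*ecdsa.PrivateKey }

// Register generates a key pair and key handle and signs the first data to be signed.
func (d *Device) Register(cdHash, appHash [32]byte) (Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	var handle [32]byte
	rand.Read(handle[:])
	d.keys[handle] = priv
	tbs := regTBS(&priv.PublicKey, handle, cdHash, appHash)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, tbs[:])
	return Credential{&priv.PublicKey, handle, sig}, err
}

// Authenticate selects the private key by key handle and signs the second data
// to be signed, hash3 || hash4.
func (d *Device) Authenticate(handle, cdHash, appHash [32]byte) ([]byte, error) {
	priv, ok := d.keys[handle]
	if !ok {
		return nil, fmt.Errorf("unknown key handle %x", handle[:4])
	}
	tbs := sha256.Sum256(append(cdHash[:], appHash[:]...))
	return ecdsa.SignASN1(rand.Reader, priv, tbs[:])
}

// VerifyRegistration: recompute both hashes, verify with the public key inside the credential.
func VerifyRegistration(cd ClientData, appID string, c Credential) bool {
	cdHash, appHash := HashClientData(cd, appID)
	tbs := regTBS(c.Pub, c.Handle, cdHash, appHash)
	return ecdsa.VerifyASN1(c.Pub, tbs[:], c.Sig)
}

// VerifyAuthentication: verify with the public key stored for the user identifier at registration.
func VerifyAuthentication(pub *ecdsa.PublicKey, cd ClientData, appID string, sig []byte) bool {
	cdHash, appHash := HashClientData(cd, appID)
	tbs := sha256.Sum256(append(cdHash[:], appHash[:]...))
	return ecdsa.VerifyASN1(pub, tbs[:], sig)
}

// RunFlow runs registration then authentication on constructed inputs and reports whether
// each verified and whether the assertion also verifies under another application ID (it must not).
func RunFlow() (regOK, authOK, wrongAppOK bool, err error) {
	dev := &Device{keys: map[[32]byte]*ecdsa.PrivateKey{}}
	const appID = "https://bank.example" // constructed; origin data set equal to it
	rcd := ClientData{"register", "c1", appID} // "c1": first challenge from the first response
	h1, h2 := HashClientData(rcd, appID)
	cred, err := dev.Register(h1, h2)
	if err != nil {
		return
	}
	regOK = VerifyRegistration(rcd, appID, cred) // server then stores cred.Handle, cred.Pub per user
	acd := ClientData{"authenticate", "c2", appID} // "c2": second challenge from the fifth response
	h3, h4 := HashClientData(acd, appID)
	sig, err := dev.Authenticate(cred.Handle, h3, h4) // the handle comes back in the fifth response
	if err != nil {
		return
	}
	authOK = VerifyAuthentication(cred.Pub, acd, appID, sig)
	wrongAppOK = VerifyAuthentication(cred.Pub, acd, "https://evil.example", sig)
	return
}

func main() { fmt.Println(RunFlow()) }
```

Because the registration signature is verified with the public key enclosed in the credential itself, it only proves that whoever holds the private key saw these hashes; binding that key to a trusted device is the job of an attestation the patent does not describe, so the server should treat the registration as self-signed.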
In this embodiment the first response also includes a first version number;
Correspondingly, the mobile terminal may also include a seventh judging submodule and a second error-reporting submodule;
Feature sending submodule 07 is also configured, after enabling submodule 06 enables the notify characteristic, to send a get-version-number instruction to the identity authentication device through the write characteristic obtained by first acquisition submodule 05;
Feature receiving submodule 08 is also configured to receive a second response, which includes a second version number, returned by the identity authentication device through the notify characteristic;
The seventh judging submodule is configured to judge whether the second version number in the second response received by feature receiving submodule 08 matches the first version number received by the fifth receiving submodule;
The second generating submodule is configured, when the seventh judging submodule judges yes, to generate the registration data according to the preset registration instruction type and the first challenge value, origin data and application ID received by the fifth receiving submodule;
The second error-reporting submodule is configured to report an error when the seventh judging submodule judges no.
In this embodiment the mobile terminal further includes a second fragmenting submodule, a second assembling submodule and a ninth judging submodule; first acquisition submodule 05 is also configured to obtain the read characteristic from the service and to use the value of the read characteristic as the fragment length; the second assembling submodule is configured to assemble the registration instruction; the ninth judging submodule is configured to judge, according to the fragment length, whether the registration instruction assembled by the second assembling submodule needs to be fragmented; the second fragmenting submodule is configured to fragment the registration instruction according to the fragment length when the ninth judging submodule judges yes.
Further, the second assembling submodule is specifically configured to assemble a first instruction from the registration data generated by the second generating submodule, to use the first instruction as the data field of the registration instruction, and to prepend to the first instruction a protocol instruction type identifier and the data length of the first instruction, obtaining the registration instruction.
In this embodiment the mobile terminal may also include a third error-reporting submodule; search submodule 03 includes a search unit, a receiving unit and a judging unit;
The search unit is configured to search for identity authentication devices;
The receiving unit is configured to receive advertisement (broadcast) data from an identity authentication device;
The judging unit is configured to judge whether the service identifier in the advertisement data that the receiving unit received from the identity authentication device matches the preset service identifier; if so, it is determined that an identity authentication device matching the preset service identifier has been found;
The third error-reporting submodule is configured to report an error when the judging unit judges no.
Further, the search unit is specifically configured to search for identity authentication devices by calling the system's search interface and to set a search callback object, the search callback object including a search callback method;
The receiving unit is specifically configured to receive, through the system's search callback method, the advertisement data from the identity authentication device and the device object corresponding to the identity authentication device.
Further, connection submodule 04 is specifically configured to establish a Bluetooth connection with the identity authentication device by calling the system's connect method on the device object corresponding to the identity authentication device that the receiving unit received, to obtain a Generic Attribute Profile (GATT) object and to set a connection callback object.
Still further, first acquisition submodule 05 is specifically configured to obtain the service object of the identity authentication device by calling the system's get-service method on the GATT object with the preset service identifier as parameter; to obtain the write characteristic object from the service object by calling the system's get-characteristic method on the service object with the preset write characteristic identifier as parameter; and to obtain the notify characteristic object from the service object by calling the system's get-characteristic method on the service object with the preset notify characteristic identifier as parameter.
The callback object includes the system's notification callback method; correspondingly:
Enabling submodule 06 is specifically configured to enable the notify characteristic object by calling the system's set-characteristic-notification method;
Feature receiving submodule 08 is specifically configured to receive, through the system's communication callback method, the sixth response including the second version number that the identity authentication device returns through the notify characteristic object, and to receive, through the system's communication callback method, the seventh response that the identity authentication device returns through the notify characteristic object.
The foregoing is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.
Claims (40)
1. An identity authentication method, characterized by comprising:
Step s1: a mobile terminal sends to a server back end a first authentication request that includes a user identifier, and receives from the server back end a fifth response that includes an application ID, a second challenge value, origin data and a key handle corresponding to the user identifier;
Step s2: the mobile terminal searches for an identity authentication device that matches a preset service identifier, and establishes a Bluetooth connection with the identity authentication device;
Step s3: the mobile terminal obtains the service of the identity authentication device; obtains a notify characteristic and a write characteristic from the service; and enables the notify characteristic;
Step s4: the mobile terminal generates authentication data according to a preset authentication instruction type, the second challenge value, the origin data, the application ID and the key handle, and sends to the identity authentication device through the write characteristic an authentication instruction that includes the authentication data; the mobile terminal receives a seventh response, which includes a second authentication credential, returned by the identity authentication device through the notify characteristic;
Step s5: the mobile terminal sends to the server back end a second authentication request that includes the authentication instruction type, the second challenge value, the origin data, the application ID, the user identifier and the second authentication credential;
Step s6: the mobile terminal receives from the server back end an eighth response that includes an error code; judges whether the error code is a second preset value; if so, determines that authentication succeeded; otherwise, determines that authentication failed;
wherein generating the authentication data according to the preset authentication instruction type, the second challenge value, the origin data, the application ID and the key handle specifically comprises:
Step a1: the mobile terminal assembles second client data that includes the preset authentication instruction type, the second challenge value and the origin data;
Step a2: the mobile terminal hashes the second client data and the application ID separately, obtaining a third hash value and a fourth hash value, and generates the authentication data according to the third hash value, the fourth hash value and the key handle.
2. The method according to claim 1, characterized in that the fifth response further includes a first version number;
before step s4 the method further comprises: the mobile terminal sends a get-version-number instruction to the identity authentication device through the write characteristic, and receives a sixth response, which includes a second version number, returned by the identity authentication device through the notify characteristic; judges whether the first version number matches the second version number; if so, performs step s4; otherwise, reports an error.
3. The method according to claim 1, characterized in that
sending to the server back end the second authentication request that includes the authentication instruction type, the second challenge value, the origin data, the application ID, the user identifier and the second authentication credential specifically is: sending to the server back end a second authentication request that includes the second client data, the application ID, the user identifier and the second authentication credential.
4. The method according to claim 3, characterized in that, after the identity authentication device receives the authentication instruction, it obtains the authentication data from the authentication instruction, obtains from the authentication data the key handle and the private key corresponding to the key handle, assembles second data to be signed that includes the third hash value and the fourth hash value in the authentication data, signs the second data to be signed with a preset hash algorithm and the private key corresponding to the key handle to obtain second signature data, assembles a second authentication credential that includes the second signature data, and returns to the mobile terminal a seventh response that includes the second authentication credential.
5. The method according to claim 4, characterized in that, after the server back end receives the second authentication request, it obtains the public key corresponding to the user identifier according to the user identifier in the second authentication request, verifies the second signature data in the second authentication credential according to the second client data and application ID in the second authentication request, the preset hash algorithm and the public key, and judges whether the verification succeeded; if so, sets the error code to the second preset value and sends to the mobile terminal an eighth response that includes the error code; otherwise, sets the error code to a third preset value and sends to the mobile terminal an eighth response that includes the error code.
6. The method according to claim 1, characterized in that step s3 further comprises obtaining a read characteristic from the service and using the value of the read characteristic as a fragment length;
before sending to the identity authentication device through the write characteristic the authentication instruction that includes the authentication data, the method further comprises: assembling the authentication instruction according to the authentication data; judging, according to the fragment length, whether the authentication instruction needs to be fragmented; if so, fragmenting the authentication instruction according to the fragment length and continuing; otherwise, continuing.
7. The method according to claim 6, characterized in that assembling the authentication instruction according to the authentication data specifically comprises: assembling a second instruction according to the authentication data, using the second instruction as the data field of the authentication instruction, and prepending to the second instruction a protocol instruction type identifier and the data length of the second instruction, obtaining the authentication instruction.
8. the method according to claim 1, wherein before the step s1 further include:
Step r1: mobile terminal sends the first registration request including user identifier to server background, receives and comes from the clothes
Be engaged in device backstage includes the first response of application ID, the first challenging value and derived data;
Step r2: the mobile terminal to search and preset service identify the ID authentication device to match, and recognize with the identity
Card equipment establishes bluetooth connection;
Step r3: the service of ID authentication device described in the acquisition for mobile terminal;From the service obtain notice feature with
Write feature;Enable the notice feature;
Step r4: the mobile terminal is according to preset register instruction type, first challenging value, the derived data and institute
It states application ID and generates log-on data, according to the feature of writing to note of the ID authentication device transmission including the log-on data
Volume instruction;Receiving the ID authentication device and being returned by the notice feature includes that the first third for authenticating criterion responds;
Step r5: it includes the register instruction type, first challenging value, institute that the mobile terminal is sent to server background
State the second registration request of derived data, the application ID, the user identifier and the first certification criterion;
Step r6: the mobile terminal receives the 4th response including error code from the server background;Described in judgement
Whether error code is the second preset value, if it is, determining to succeed in registration;Otherwise, it is determined that registration failure.
9. according to the method described in claim 8, it is characterized in that, further including first version number in first response;
Before the step r4 further include: the mobile terminal writes feature according to and sends acquisition to the ID authentication device
Version number's instruction receives the second sound including the second edition number that the ID authentication device is returned by the notice feature
It answers;Judge whether the first version number matches with the second edition number, if so, thening follow the steps r4;Otherwise, it reports
It is wrong.
10. according to the method described in claim 8, it is characterized in that, described according to preset certification instruction type, described first
Challenging value, the derived data and the application ID generate log-on data, specifically include:
Step b1: the mobile terminal tissue includes the first of preset register instruction type, the first challenging value and derived data
Client data;
Step b2: the mobile terminal carries out Hash processing to first client data and the application ID respectively, obtains
First cryptographic Hash and the second cryptographic Hash generate the log-on data according to the first cryptographic Hash and the second cryptographic Hash;
It is described to the server background send include the register instruction type, first challenging value, the derived data,
Second registration request of the application ID, the user identifier and the first certification criterion, specifically: after Xiang Suoshu server
It includes the second of first client data, the application ID, the user identifier and the first certification criterion that platform, which is sent,
Registration request.
11. according to the method described in claim 10, it is characterized in that, after the ID authentication device receives register instruction,
The ID authentication device generates key pair and key handles corresponding with the key pair, and tissue includes the cipher key pair
Public key, key handles, the first cryptographic Hash in log-on data and the second cryptographic Hash the first data to be signed, according to preset
Hash algorithm and the private key of the cipher key pair sign first data to be signed to obtain the first signed data, tissue
First of public key, key handles corresponding with the key pair and first signed data including the cipher key pair is recognized
Criterion is demonstrate,proved, will include that the first third response for authenticating criterion returns to mobile terminal.
12. according to the method for claim 11, which is characterized in that the server background receives the second registration request
Afterwards, according to the first client data, application ID, first certification criterion in public key, first certification criterion in key handles and
Preset hash algorithm carries out sign test to the first signed data in the first certification criterion, judges whether sign test succeeds, and then will be
Key handles and public key in third response are established corresponding relationship respectively and are saved with user identifier, set second for error code
Preset value sends the 4th response that error code is the second preset value to mobile terminal;Otherwise, third is set by error code to preset
Value sends the 4th response that error code is third preset value to mobile terminal.
13. according to the method described in claim 8, it is characterized in that, further including being obtained from the service in the step r3
Feature is read, and using the characteristic value for reading feature as subpackage length;
It is described write according to feature to the ID authentication device send include the log-on data register instruction before, also
It include: the register instruction according to the log-on data tissue;Judge whether to carry out the register instruction according to subpackage length
Subpackage processing continues if it is, carrying out subpackage processing to the register instruction according to subpackage length;Otherwise, continue.
14. according to the method for claim 13, which is characterized in that described register according to the log-on data tissue refers to
It enables, specifically includes: being instructed according to the log-on data tissue second, by second instruction as the number in the register instruction
According to domain, the data length of addition protocol instructions type identification and the second instruction before second instruction obtains the registration and refers to
It enables.
15. The method according to claim 1 or 8, characterized in that searching for the identity authentication device that matches the preset service identifier specifically is:
the mobile terminal searches for identity authentication devices, receives advertisement data from an identity authentication device, and judges whether the service identifier in the advertisement data matches the preset service identifier; if so, determines that an identity authentication device matching the preset service identifier has been found and continues; otherwise, reports an error.
16. The method according to claim 15, characterized in that the mobile terminal searching for identity authentication devices and receiving the advertisement data from the identity authentication device specifically is:
the mobile terminal searches for identity authentication devices by calling the system's search interface and sets a search callback object, the search callback object including a search callback method; and receives, through the system's search callback method, the advertisement data from the identity authentication device and a device object corresponding to the identity authentication device.
17. The method according to claim 16, characterized in that establishing the Bluetooth connection with the identity authentication device specifically comprises:
the mobile terminal establishes a Bluetooth connection with the identity authentication device by calling the system's connect method on the device object corresponding to the identity authentication device, obtains a Generic Attribute Profile (GATT) object and sets a connection callback object.
18. The method according to claim 17, characterized in that obtaining the service of the identity authentication device and obtaining the notify characteristic and the write characteristic from the service specifically comprises:
Step t1: the mobile terminal obtains the service object of the identity authentication device by calling the system's get-service method on the GATT object with the preset service identifier as parameter; obtains the write characteristic object from the service object by calling the system's get-characteristic method on the service object with a preset write characteristic identifier as parameter; and obtains the notify characteristic object from the service object by calling the system's get-characteristic method on the service object with a preset notify characteristic identifier as parameter.
19. The method according to claim 18, characterized in that the callback object includes the system's notification callback method;
enabling the notify characteristic specifically is: calling the system's set-characteristic-notification method to enable the notify characteristic object;
receiving the sixth response including the second version number returned by the identity authentication device through the notify characteristic specifically is: the mobile terminal receives, through the system's communication callback method, the sixth response including the second version number that the identity authentication device returns through the notify characteristic object;
receiving the seventh response returned by the identity authentication device through the notify characteristic specifically is: the mobile terminal receives, through the system's communication callback method, the seventh response that the identity authentication device returns through the notify characteristic object.
20. The method according to claim 1 or 8, characterized in that the mobile terminal obtaining the service of the identity authentication device and obtaining the notify characteristic and the write characteristic from the service specifically is: the mobile terminal obtains the service of the identity authentication device according to the preset service identifier, obtains the notify characteristic from the service according to a preset notify characteristic identifier, and obtains the write characteristic from the service according to a preset write characteristic identifier.
21. An identity authentication system, characterized by comprising a mobile terminal;
the mobile terminal includes: a first sending submodule, a first receiving submodule, a search submodule, a connection submodule, a first acquisition submodule, an enabling submodule, a characteristic sending submodule, a characteristic receiving submodule, a first generating submodule, a second sending submodule, a second receiving submodule and a first judging submodule;
the first sending submodule is configured to send a first authentication request including a user identifier to the server backend;
the first receiving submodule is configured to receive from the server backend a fifth response including an application ID, a second challenge value, origin data and a key handle corresponding to the user identifier;
the search submodule is configured to search for an identity authentication device whose service identifier matches a preset service identifier;
the connection submodule is configured to establish a Bluetooth connection with the identity authentication device whose service identifier matches the preset service identifier;
the first acquisition submodule is configured to obtain the service of the identity authentication device, and to obtain the notify characteristic and the write characteristic from the service;
the enabling submodule is configured to enable the notify characteristic obtained by the first acquisition submodule;
the first generating submodule is configured to generate authentication data according to a preset authentication instruction type and the second challenge value, the origin data, the application ID and the key handle received by the first receiving submodule;
the characteristic sending submodule is configured to, after the enabling submodule enables the notify characteristic, send through the write characteristic to the identity authentication device an authentication instruction including the authentication data generated by the first generating submodule;
the characteristic receiving submodule is configured to receive a seventh response including a second authentication criterion returned by the identity authentication device through the notify characteristic;
the second sending submodule is configured to send to the server backend a second authentication request including the authentication instruction type, the second challenge value, the origin data, the application ID, the user identifier and the second authentication criterion;
the second receiving submodule is configured to receive an eighth response including an error code from the server backend;
the first judging submodule is configured to judge whether the error code is a second preset value; if so, authentication is determined to have succeeded; otherwise, authentication is determined to have failed;
the first generating submodule specifically includes: a first assembling unit, a first hashing unit and a first generating unit;
the first assembling unit is configured to assemble second client data including the preset authentication instruction type, the second challenge value and the origin data;
the first hashing unit is configured to hash the second client data assembled by the first assembling unit and the application ID separately, obtaining a third hash value and a fourth hash value;
the first generating unit is configured to generate the authentication data according to the third hash value and the fourth hash value obtained by the first hashing unit and the key handle received by the first receiving submodule.
22. The device according to claim 21, characterized in that the fifth response further includes a first version number; the mobile terminal further includes: a second judging submodule and a first error-reporting submodule;
the characteristic sending submodule is further configured to, after the enabling submodule enables the notify characteristic, send a get-version-number instruction to the identity authentication device through the write characteristic obtained by the first acquisition submodule;
the characteristic receiving submodule is further configured to receive a sixth response including a second version number returned by the identity authentication device through the notify characteristic;
the second judging submodule is configured to judge whether the second version number in the sixth response received by the characteristic receiving submodule matches the first version number received by the first receiving submodule;
the first generating submodule is configured to, after the second judging submodule judges yes, generate the authentication data according to the preset authentication instruction type and the second challenge value, the origin data, the application ID and the key handle received by the first receiving submodule;
the first error-reporting submodule is configured to report an error after the second judging submodule judges no.
23. The device according to claim 21, characterized in that the second sending submodule is specifically configured to send to the server backend a second authentication request including the second client data, the application ID, the user identifier and the second authentication criterion.
24. The device according to claim 23, characterized in that it further includes an identity authentication device;
the identity authentication device includes: a second acquisition submodule, a first signing submodule, a third sending submodule and a third receiving submodule;
the third receiving submodule is configured to receive the authentication instruction;
the second acquisition submodule is configured to obtain the authentication data from the authentication instruction received by the third receiving submodule, and to obtain, from the authentication data, the key handle and the private key corresponding to the key handle;
the first signing submodule is configured to assemble second data to be signed including the third hash value and the fourth hash value in the authentication data, and to sign the second data to be signed with the private key corresponding to the key handle obtained by the second acquisition submodule and a preset hash algorithm, obtaining second signed data;
the third sending submodule is configured to assemble a second authentication criterion including the second signed data, and to return a seventh response including the second authentication criterion to the mobile terminal.
25. The device according to claim 24, characterized in that it further includes a server backend;
the server backend includes: a fourth receiving submodule, a third acquisition submodule, a first signature verification submodule, a third judging submodule and a fourth sending submodule;
the fourth receiving submodule is configured to receive the second authentication request;
the third acquisition submodule is configured to obtain the public key corresponding to the user identifier according to the user identifier in the second authentication request;
the first signature verification submodule is configured to verify the second signed data in the second authentication criterion according to the second client data and the application ID in the second authentication request, the preset hash algorithm and the public key obtained by the third acquisition submodule;
the third judging submodule is configured to judge whether the signature verification by the first signature verification submodule succeeded;
the fourth sending submodule is configured to, after the third judging submodule judges yes, set the error code to the second preset value and send an eighth response including the error code to the mobile terminal; and, after the third judging submodule judges no, set the error code to a third preset value and send an eighth response including the error code to the mobile terminal.
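The authentication exchange of claims 21, 24 and 25 (the mobile terminal hashes the second client data and the application ID, the identity authentication device signs the two hash values with the private key selected by the key handle, and the server backend verifies the signature with the public key stored for the user identifier) is shown below as an added example in Go. It is not code from the patent or from its applicant. The serialisation of the client data, SHA-256 as the preset hash algorithm, ECDSA over P-256 as the signature scheme, the numeric error codes, the example URLs and the constructed key handle are all assumptions, and the already-registered key pair is built in place rather than produced by the registration flow of claims 28 to 32.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Error codes of the 8th response ("second"/"third preset value"); numbers assumed.
const codeSuccess, codeFailure = 0x9000, 0x6a80

// clientData serialises the second client data of claim 21 (layout assumed).
func clientData(typ string, challenge []byte, origin string) []byte {
	return []byte(typ + "|" + hex.EncodeToString(challenge) + "|" + origin)
}

// sha is the "preset hash algorithm" of the claims; SHA-256 is an assumption.
func sha(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// authenticator models the identity authentication device of claim 24:
// private keys indexed by the key handle carried in the authentication data.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// authenticate signs the second data to be signed, H3 || H4, with the key the
// handle selects; nil means the handle is unknown to this device.
func (a *authenticator) authenticate(handle, h3, h4 []byte) []byte {
	priv, ok := a.keys[hex.EncodeToString(handle)]
	if !ok {
		return nil
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, sha(h3, h4))
	if err != nil {
		panic(err)
	}
	return sig
}

// server models the server backend of claim 25: public key and key handle per
// user identifier (from registration) plus one outstanding challenge each.
type server struct {
	appID, origin string
	pubs          map[string]*ecdsa.PublicKey
	handles       map[string][]byte
	challenges    map[string][]byte
}

// fifthResponse answers the first authentication request with a fresh random
// second challenge value and the user's key handle.
func (s *server) fifthResponse(user string) (challenge, handle []byte) {
	challenge = make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	s.challenges[user] = challenge
	return challenge, s.handles[user]
}

// verifyAuthentication is the first signature verification submodule. The
// client data must equal what the server expects for the challenge it issued,
// and that challenge is discarded so a captured request cannot be replayed.
func (s *server) verifyAuthentication(user string, cd, sig []byte) int {
	c, issued := s.challenges[user]
	delete(s.challenges, user)
	pub, registered := s.pubs[user]
	if !issued || !registered || !bytes.Equal(cd, clientData("authenticate", c, s.origin)) ||
		!ecdsa.VerifyASN1(pub, sha(sha(cd), sha([]byte(s.appID))), sig) { // H3 || H4
		return codeFailure
	}
	return codeSuccess
}

// newPair builds constructed state for one already-registered user on both
// sides, standing in for the registration flow of claims 28 to 32.
func newPair(user string) (*server, *authenticator) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	handle := []byte("constructed-key-handle")
	s := &server{"https://example.test", "https://example.test",
		map[string]*ecdsa.PublicKey{user: &priv.PublicKey},
		map[string][]byte{user: handle}, map[string][]byte{}}
	return s, &authenticator{map[string]*ecdsa.PrivateKey{hex.EncodeToString(handle): priv}}
}

// authenticateUser plays the mobile terminal: take the 5th response, build the
// client data, hash it and the app ID, have the device sign (7th response)
// and submit the second authentication request; returns the 8th-response code.
func authenticateUser(s *server, a *authenticator, user string) int {
	challenge, handle := s.fifthResponse(user)
	cd := clientData("authenticate", challenge, s.origin)
	sig := a.authenticate(handle, sha(cd), sha([]byte(s.appID)))
	return s.verifyAuthentication(user, cd, sig)
}
```

The server rebuilds the client data it expects from the second challenge value it issued instead of trusting the copy carried in the second authentication request, and it deletes that challenge before the signature is checked, so a second authentication request that carries the same seventh response is answered with the failure code. The claims do not say how a second challenge value is bound to one request; that binding is the check a verifier has to add.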
26. The device according to claim 21, characterized in that the mobile terminal further includes: a first assembling submodule, a fourth judging submodule and a first packetizing submodule;
the first acquisition submodule is further configured to obtain a read characteristic from the service, and to use the characteristic value of the read characteristic as the packet length;
the first assembling submodule is configured to assemble the authentication instruction;
the fourth judging submodule is configured to judge, according to the packet length, whether the authentication instruction assembled by the first assembling submodule needs to be packetized;
the first packetizing submodule is configured to, after the fourth judging submodule judges yes, packetize the authentication instruction according to the packet length.
27. The device according to claim 26, characterized in that the first assembling submodule is specifically configured to assemble a second instruction according to the authentication data generated by the first generating submodule, use the second instruction as the data field of the authentication instruction, and prepend a preset protocol command identifier and the data length of the second instruction before the second instruction, obtaining the authentication instruction.
28. The device according to claim 21, characterized in that the mobile terminal further includes: a fifth sending submodule, a fifth receiving submodule, a fifth judging submodule, a second generating submodule, a sixth sending submodule, a sixth receiving submodule and a sixth judging submodule;
the fifth sending submodule is configured to send a first registration request including the user identifier to the server backend;
the fifth receiving submodule is configured to receive from the server backend a first response including the application ID, a first challenge value and origin data;
the second generating submodule is configured to generate registration data according to a preset registration instruction type and the first challenge value, the origin data and the application ID received by the fifth receiving submodule;
the characteristic sending submodule is further configured to, after the enabling submodule enables the notify characteristic, send through the write characteristic to the identity authentication device a registration instruction including the registration data generated by the second generating submodule;
the characteristic receiving submodule is further configured to receive a third response including a first authentication criterion returned by the identity authentication device through the notify characteristic;
the sixth sending submodule is configured to send to the server backend a second registration request including the registration instruction type, the first challenge value, the origin data, the application ID, the user identifier and the first authentication criterion;
the sixth receiving submodule is configured to receive a fourth response including an error code from the server backend;
the sixth judging submodule is configured to judge whether the error code is the second preset value; if so, registration is determined to have succeeded; otherwise, registration is determined to have failed.
29. The device according to claim 28, characterized in that the first response further includes a first version number;
the characteristic sending submodule is further configured to, after the enabling submodule enables the notify characteristic, send a get-version-number instruction to the identity authentication device through the write characteristic obtained by the first acquisition submodule;
the characteristic receiving submodule is further configured to receive a second response including a second version number returned by the identity authentication device through the notify characteristic;
the mobile terminal further includes: a seventh judging submodule and a second error-reporting submodule;
the seventh judging submodule is configured to judge whether the second version number in the second response received by the characteristic receiving submodule matches the first version number received by the fifth receiving submodule;
the second generating submodule is configured to, after the seventh judging submodule judges yes, generate the registration data according to the preset registration instruction type and the first challenge value, the origin data and the application ID received by the fifth receiving submodule;
the second error-reporting submodule is configured to report an error after the seventh judging submodule judges no.
30. The device according to claim 28, characterized in that the second generating submodule specifically includes: a second assembling unit, a second hashing unit and a second generating unit;
the second assembling unit is configured to assemble first client data including the preset registration instruction type, the first challenge value and the origin data;
the second hashing unit is configured to hash the first client data assembled by the second assembling unit and the application ID separately, obtaining a first hash value and a second hash value;
the second generating unit is configured to generate the registration data according to the first hash value and the second hash value obtained by the second hashing unit;
the sixth sending submodule is specifically configured to send to the server backend a second registration request including the first client data, the application ID, the user identifier and the first authentication criterion.
31. The device according to claim 30, characterized in that it further includes an identity authentication device;
the identity authentication device includes: a third generating submodule, a second signing submodule, a seventh sending submodule and a seventh receiving submodule;
the seventh receiving submodule is configured to receive the registration instruction;
the third generating submodule is configured to generate a key pair and a key handle corresponding to the key pair after the seventh receiving submodule receives the registration instruction;
the second signing submodule is configured to assemble first data to be signed including the public key of the key pair, the key handle, and the first hash value and the second hash value in the registration data, and to sign the first data to be signed with the preset hash algorithm and the private key of the key pair, obtaining first signed data;
the seventh sending submodule is configured to assemble a first authentication criterion including the public key of the key pair, the key handle corresponding to the key pair and the first signed data, and to return a third response including the first authentication criterion to the mobile terminal.
32. The device according to claim 31, characterized in that it further includes a server backend;
the server backend includes: an eighth receiving submodule, a second signature verification submodule, an eighth judging submodule, an eighth sending submodule and an association submodule;
the eighth receiving submodule is configured to receive the second registration request;
the second signature verification submodule is configured to verify the first signed data in the first authentication criterion according to the first client data, the application ID, the public key in the first authentication criterion, the key handle in the first authentication criterion and the preset hash algorithm;
the eighth judging submodule is configured to judge whether the signature verification by the second signature verification submodule succeeded;
the association submodule is configured to, after the eighth judging submodule judges yes, establish a correspondence between the user identifier and each of the key handle and the public key in the third response, and save it;
the eighth sending submodule is configured to, after the eighth judging submodule judges yes, set the error code to the second preset value and send a fourth response including the error code to the mobile terminal; and, after the eighth judging submodule judges no, set the error code to the third preset value and send a fourth response including the error code to the mobile terminal.
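The registration exchange of claims 28, 30, 31 and 32 (the mobile terminal hashes the first client data and the application ID, the identity authentication device generates a key pair and key handle and signs public key, handle and both hash values, and the server backend verifies the signature, then associates handle and public key with the user identifier) is shown below as an added example in Go. It is not code from the patent or from its applicant. The client data serialisation, SHA-256 as the preset hash algorithm, ECDSA over P-256, DER encoding of the public key, a random 32-byte key handle, the numeric error codes and the example URLs are assumptions; the claims name none of them.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
)

// Error codes of the 4th response ("second"/"third preset value"); numbers assumed.
const codeSuccess, codeFailure = 0x9000, 0x6a80

// clientData serialises the first client data of claim 30 (layout assumed).
func clientData(typ string, challenge []byte, origin string) []byte {
	return []byte(typ + "|" + hex.EncodeToString(challenge) + "|" + origin)
}

// sha is the "preset hash algorithm" of the claims; SHA-256 is an assumption.
func sha(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// authenticator models the identity authentication device of claim 31; keys
// are indexed by a random 32-byte key handle (how handles are derived is assumed).
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// register generates the key pair and handle and signs the first data to be
// signed, public key || key handle || H1 || H2; the three return values are
// the parts of the first authentication criterion.
func (a *authenticator) register(h1, h2 []byte) (pub, handle, sig []byte) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	pub, err = x509.MarshalPKIXPublicKey(&priv.PublicKey)
	must(err)
	handle = make([]byte, 32)
	_, err = rand.Read(handle)
	must(err)
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	a.keys[hex.EncodeToString(handle)] = priv
	sig, err = ecdsa.SignASN1(rand.Reader, priv, sha(pub, handle, h1, h2))
	must(err)
	return pub, handle, sig
}

// server models the server backend of claim 32.
type server struct {
	appID, origin string
	pubs          map[string]*ecdsa.PublicKey // user identifier -> public key
	handles       map[string][]byte           // user identifier -> key handle
	challenges    map[string][]byte           // one outstanding first challenge per user
}

func newServer(appID, origin string) *server {
	return &server{appID, origin, map[string]*ecdsa.PublicKey{}, map[string][]byte{}, map[string][]byte{}}
}

// firstResponse answers the first registration request with a fresh challenge.
func (s *server) firstResponse(user string) []byte {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	must(err)
	s.challenges[user] = c
	return c
}

// verifyRegistration is the second signature verification submodule plus the
// association submodule: the challenge is consumed, the signature is checked
// with the public key carried in the criterion, and only then are handle and
// key stored under the user identifier. Returns the 4th-response error code.
func (s *server) verifyRegistration(user string, cd, pub, handle, sig []byte) int {
	c, issued := s.challenges[user]
	delete(s.challenges, user)
	key, err := x509.ParsePKIXPublicKey(pub)
	ecPub, ok := key.(*ecdsa.PublicKey)
	if !issued || err != nil || !ok || !bytes.Equal(cd, clientData("register", c, s.origin)) ||
		!ecdsa.VerifyASN1(ecPub, sha(pub, handle, sha(cd), sha([]byte(s.appID))), sig) {
		return codeFailure
	}
	s.pubs[user], s.handles[user] = ecPub, handle
	return codeSuccess
}

// registerUser plays the mobile terminal: obtain the first response, build and
// hash the first client data and the app ID, have the device sign (third
// response) and submit the second registration request.
func registerUser(s *server, a *authenticator, user string) int {
	cd := clientData("register", s.firstResponse(user), s.origin)
	pub, handle, sig := a.register(sha(cd), sha([]byte(s.appID)))
	return s.verifyRegistration(user, cd, pub, handle, sig)
}
```

Because claim 32 verifies the first signed data with the public key carried inside the same first authentication criterion, a successful check establishes that the sender holds the private key matching the key being enrolled and that the handle and both hash values arrived unaltered; nothing in that check identifies which device generated the key pair. The example also refuses a registration response for which the server never issued a first challenge, which the claims leave to the implementer.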
33. The device according to claim 28, characterized in that the mobile terminal further includes a second packetizing submodule, a second assembling submodule and a ninth judging submodule; the first acquisition submodule is further configured to obtain a read characteristic from the service, and to use the characteristic value of the read characteristic as the packet length;
the second assembling submodule is configured to assemble the registration instruction;
the ninth judging submodule is configured to judge, according to the packet length, whether the registration instruction assembled by the second assembling submodule needs to be packetized;
the second packetizing submodule is configured to, after the ninth judging submodule judges yes, packetize the registration instruction according to the packet length.
34. The device according to claim 33, characterized in that the second assembling submodule is specifically configured to assemble a first instruction according to the registration data generated by the second generating submodule, use the first instruction as the data field of the registration instruction, and prepend a protocol instruction type identifier and the data length of the first instruction before the first instruction, obtaining the registration instruction.
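Claims 26 and 27 (authentication instruction) and claims 33 and 34 (registration instruction) describe the same framing and packetizing: a protocol command identifier and the data length are prepended to the inner instruction, and the result is cut into packets of the length read from the device's read characteristic when it is longer than that. The following added Go example (not the patent's or its applicant's code) frames an inner instruction, packetizes it and reassembles it on the receiving side with a length check. The command identifier value, the two-byte big-endian length encoding and the upper bound on the data field are assumptions; the claims fix neither the byte order of the data length nor a maximum.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
)

// Protocol command identifier of claims 27 and 34 (value assumed) and a
// defensive cap on the data field length (assumed; the claims name none).
const (
	cmdMessage = 0x01
	maxData    = 1024
)

// frame builds the instruction of claims 27 and 34: the command identifier,
// a 2-byte big-endian length (byte order assumed) and the inner instruction
// as the data field.
func frame(cmd byte, data []byte) []byte {
	out := make([]byte, 3+len(data))
	out[0] = cmd
	binary.BigEndian.PutUint16(out[1:3], uint16(len(data)))
	copy(out[3:], data)
	return out
}

// split is the judging plus packetizing submodules of claims 26 and 33:
// packetLen is the value read from the device's read characteristic, and the
// frame is only cut when it is longer than that.
func split(frame []byte, packetLen int) ([][]byte, error) {
	if packetLen < 3 {
		return nil, errors.New("packet length cannot hold the header")
	}
	var pkts [][]byte
	for len(frame) > packetLen {
		pkts = append(pkts, frame[:packetLen])
		frame = frame[packetLen:]
	}
	return append(pkts, frame), nil
}

// reassembler is the receiving side: it gathers writes until the length
// declared in the header has arrived and rejects lengths outside bounds.
type reassembler struct {
	buf  []byte
	want int // total frame length once the header has been seen
}

// feed appends one packet; done is true when the frame is complete.
func (r *reassembler) feed(pkt []byte) (done bool, err error) {
	r.buf = append(r.buf, pkt...)
	if r.want == 0 && len(r.buf) >= 3 {
		n := int(binary.BigEndian.Uint16(r.buf[1:3]))
		if n > maxData {
			return false, errors.New("declared data length exceeds limit")
		}
		r.want = 3 + n
	}
	if r.want != 0 && len(r.buf) > r.want {
		return false, errors.New("received more bytes than declared")
	}
	return r.want != 0 && len(r.buf) == r.want, nil
}

func (r *reassembler) command() byte { return r.buf[0] }
func (r *reassembler) data() []byte  { return r.buf[3:] }

// roundTrip sends data through frame/split and back through a reassembler,
// returning the packet count and whether the data survived intact.
func roundTrip(data []byte, packetLen int) (int, bool, error) {
	pkts, err := split(frame(cmdMessage, data), packetLen)
	if err != nil {
		return 0, false, err
	}
	var r reassembler
	for i, p := range pkts {
		done, err := r.feed(p)
		if err != nil {
			return 0, false, err
		}
		if done != (i == len(pkts)-1) {
			return 0, false, errors.New("frame completed at the wrong packet")
		}
	}
	return len(pkts), r.command() == cmdMessage && bytes.Equal(r.data(), data), nil
}
```

The receiver allocates by the declared length but refuses to grow past it, so a peer that announces one length and keeps writing is cut off rather than buffered indefinitely; a 100-byte data field with a 20-byte packet length yields a 103-byte frame carried in six writes.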
35. The device according to claim 21 or 28, characterized in that the mobile terminal further includes a third error-reporting submodule; the search submodule includes a search unit, a receiving unit and a judging unit;
the search unit is configured to search for identity authentication devices;
the receiving unit is configured to receive broadcast data from an identity authentication device;
the judging unit is configured to judge whether the service identifier in the broadcast data from the identity authentication device received by the receiving unit matches the preset service identifier; if so, it is determined that an identity authentication device matching the preset service identifier has been found;
the third error-reporting submodule is configured to report an error after the judging unit judges no.
36. The device according to claim 35, characterized in that the search unit is specifically configured to call the search interface of the system to search for identity authentication devices and to set a search callback object, the search callback object including a search callback method;
the receiving unit is specifically configured to receive, through the search callback method of the system, the broadcast data from the identity authentication device and the device object corresponding to the identity authentication device.
37. The device according to claim 36, characterized in that the connection submodule is specifically configured to call the connection method of the system using the device object corresponding to the identity authentication device received by the receiving unit, establish a Bluetooth connection with the identity authentication device, obtain a generic attribute protocol (GATT) object and set a connection callback object.
38. The device according to claim 37, characterized in that the first acquisition submodule is specifically configured to call the get-service method of the system using the GATT object with the preset service identifier as parameter, obtaining the service object of the identity authentication device; to call the get-characteristic method of the system using the service object with the preset write characteristic identifier as parameter, obtaining the write characteristic object from the service object; and to call the get-characteristic method of the system using the service object with the preset notify characteristic identifier as parameter, obtaining the notify characteristic object from the service object.
39. The device according to claim 38, characterized in that the callback object further includes a notification callback method of the system;
the enabling submodule is specifically configured to call the set-characteristic-notification method of the system to enable the notify characteristic object;
the characteristic receiving submodule is specifically configured to receive, through the communication callback method of the system, the sixth response including the second version number returned by the identity authentication device through the notify characteristic object, and to receive, through the communication callback method of the system, the seventh response returned by the identity authentication device through the notify characteristic object.
40. The device according to claim 21 or 28, characterized in that the first acquisition submodule is specifically configured to obtain the service of the identity authentication device according to the preset service identifier, obtain the notify characteristic from the service according to the preset notify characteristic identifier, and obtain the write characteristic from the service according to the preset write characteristic identifier.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610368089.6A CN106102058B (en) | 2016-05-30 | 2016-05-30 | A kind of identity identifying method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610368089.6A CN106102058B (en) | 2016-05-30 | 2016-05-30 | A kind of identity identifying method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106102058A CN106102058A (en) | 2016-11-09 |
CN106102058B true CN106102058B (en) | 2019-04-12 |
Family
ID=57229487
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610368089.6A Active CN106102058B (en) | 2016-05-30 | 2016-05-30 | A kind of identity identifying method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106102058B (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106790306B (en) * | 2017-03-27 | 2019-08-09 | 飞天诚信科技股份有限公司 | A kind of authentication method and device increasing by the second factor |
CN107071707A (en) * | 2017-03-31 | 2017-08-18 | 北京小米移动软件有限公司 | Data transmission method and device |
CN107196922B (en) * | 2017-05-03 | 2020-08-04 | 国民认证科技(北京)有限公司 | Identity authentication method, user equipment and server |
JP6918576B2 (en) * | 2017-05-24 | 2021-08-11 | キヤノン株式会社 | Systems, information processing equipment, methods and programs |
CN107508686B (en) * | 2017-10-18 | 2020-07-03 | 克洛斯比尔有限公司 | Identity authentication method and system, computing device and storage medium |
CN110913380B (en) * | 2019-12-19 | 2023-09-22 | 飞天诚信科技股份有限公司 | Method and device for communication with Bluetooth equipment based on applet platform |
CN113709055B (en) * | 2020-05-20 | 2023-12-05 | 安徽华米信息科技有限公司 | BLE-based communication method, BLE-based communication device, BLE-based communication equipment, BLE-based communication system and BLE-based storage medium |
CN111740846B (en) * | 2020-08-04 | 2020-11-24 | 飞天诚信科技股份有限公司 | Method and system for realizing smart card information reading of mobile terminal |
CN112291774B (en) * | 2020-12-31 | 2021-03-16 | 飞天诚信科技股份有限公司 | Method and system for communicating with authenticator |
CN115065691B (en) * | 2022-08-18 | 2022-11-01 | 飞天诚信科技股份有限公司 | Communication implementation method and device based on android platform |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1890270A1 (en) * | 2006-08-16 | 2008-02-20 | Research In Motion Limited | Hash of a certificate imported from a smart card |
CN101635743A (en) * | 2009-04-02 | 2010-01-27 | 浙江亚斯特科技有限公司 | System and method using biologic characteristic certification result to validate identity of mobile terminal holder |
CN102752311A (en) * | 2012-07-16 | 2012-10-24 | 天地融科技股份有限公司 | Authentication method, system and device |
CN103001767A (en) * | 2011-09-08 | 2013-03-27 | 北京智慧风云科技有限公司 | User authentication system |
CN105187450A (en) * | 2015-10-08 | 2015-12-23 | 飞天诚信科技股份有限公司 | Authentication method and device based on authentication equipment |
Also Published As
Publication number | Publication date |
---|---|
CN106102058A (en) | 2016-11-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106102058B (en) | | A kind of identity identifying method and device |
CN109150548B (en) | | Digital certificate signing and signature checking method and system and digital certificate system |
CN105847247A (en) | | Authentication system and working method thereof |
US9197420B2 (en) | | Using information in a digital certificate to authenticate a network of a wireless access point |
CN104767616B (en) | | A kind of information processing method, system and relevant device |
WO2017076216A1 (en) | | Server, mobile terminal, and internet real name authentication system and method |
US20140109204A1 (en) | | Authentication system via two communication devices |
EP3609152A1 (en) | | Internet-of-things authentication system and internet-of-things authentication method |
US20070288998A1 (en) | | System and method for biometric authentication |
CN105227537A (en) | | Method for authenticating user identity, terminal and service end |
CN105898743B (en) | | A kind of method for connecting network, apparatus and system |
CN104935441B (en) | | A kind of authentication method and relevant apparatus, system |
JP2012530311A (en) | | How to log into a mobile radio network |
US20230050271A1 (en) | | Communication system and computer readable storage medium |
CN106464690A (en) | | Security authentication method, configuration method and related device |
CN107563712A (en) | | A kind of mobile terminal punch card method, device, equipment and system |
CN108985037A (en) | | A kind of auth method, registration terminal and system |
CN104869121B (en) | | A kind of authentication method and device based on 802.1x |
CN107360124A (en) | | Access authentication method and device, WAP and user terminal |
CN105635075A (en) | | Method of registering cloud terminal, cloud terminal, cloud server and cloud system |
US8601270B2 (en) | | Method for the preparation of a chip card for electronic signature services |
US20100257366A1 (en) | | Method of authenticating a user |
CN107070918B (en) | | A kind of network application login method and system |
JP4631304B2 (en) | | Authentication system and authentication method |
CN105704133A (en) | | Method, terminal and server for data synchronism |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| GR01 | Patent grant | |