CN106209386A

CN106209386A - A kind of methods, devices and systems realizing safety certification

Info

Publication number: CN106209386A
Application number: CN201610885216.XA
Authority: CN
Inventors: 周杰
Original assignee: Bank of China Ltd
Current assignee: Bank of China Ltd
Priority date: 2016-10-10
Filing date: 2016-10-10
Publication date: 2016-12-07
Anticipated expiration: 2036-10-10
Also published as: CN106209386B

Abstract

In the embodiment of the present application, during user uses Network, dynamic password authentication between mobile terminal and server system uses IC-card end to realize, specifically include: after mobile terminal triggers the request of Network, network service request is sent to server system, server system generates random number, and by random number back to mobile terminal, the business information of described random number and description Network is sent to IC-card end by NFC module by mobile terminal, described random number and business information are generated application cryptogram by IC-card end, and the checking information carrying application cryptogram is sent to mobile terminal by NFC module, the business confirmation carrying checking information is sent to server system by mobile terminal, described application cryptogram is verified by server system according to described business confirmation.It follows that use IC-card end to carry out verifying dynamic password, it is more convenient for user operation, is also easy to carry.

Description

A kind of methods, devices and systems realizing safety certification

Technical field

The present invention relates to technical field of network security, particularly relate to a kind of realize the method for safety certification, device and be System.

Background technology

Along with the development of the Internet, occur in that many Networks more sensitive to safety at present, as paid or handing over Easily wait Network.When user uses these Networks, the risk revealed in order to avoid user cipher, client and service Dynamic password authentication can be used between device, ensure the safety of Network with this.Generally, dynamic password authentication uses soft Part mode realizes.But the dynamic password authentication realized with software mode cannot be avoided fishing website, forgery base station, steal mobile phone Etc. illegal means, the malice of dynamic verification code is obtained.

In order to avoid the leakage problem of dynamic password, some Networks at present begin with hardware mode and realize dynamic mouth Make certification.Such as, in the prior art, as a kind of independent hardware device, electronic cipher device is used for using net user The dynamic password authentication between client and server is realized during network business.But, for mobile phone, the panel computer of user's use For mobile terminal, the dynamic verification code obtained by electronic cipher device needs the visitor that user is manually entered on mobile terminal In the end of family, which results in the problem that user operation is inconvenient.Additionally, in the scene of mobile network, electronic cipher device is as one Planting the hardware device independent of customer mobile terminal needs user to carry with, and such user could use network whenever and wherever possible Business, therefore, user needs the number of devices carried also to increased.Again additionally, the cost of electronic cipher device is the highest.

Summary of the invention

The embodiment of the present application technical problem to be solved is to provide and a kind of realize the method for safety certification, device and be System, Yong Hucao inconvenient to carry with the user avoiding prior art to use electronic cipher device to cause to realize dynamic password authentication Make inconvenient and that cost is high defect.

First aspect, it is provided that a kind of method realizing safety certification, is applied to IC-card end, including:

Receiving random number and business information that mobile terminal is sent by near-field communication NFC module, described random number is clothes The business service request initiated for Network in response to described mobile terminal of device system and return to described mobile terminal, institute State business information for describing described Network, described mobile terminal is configured with described NFC module；

Described random number and described business information are encrypted by the key preset based on described IC-card end and AES Computing, generates application cryptogram；

The checking information of described application cryptogram is carried to the transmission of described mobile terminal, in order to institute by described NFC module State server system receive the business confirmation carrying described checking information of described mobile terminal transmission and answer described Verify by ciphertext.

Optionally,

Described random number and described business information are carried out by the described key preset based on described IC-card end and AES Cryptographic calculation, generates application cryptogram, including: utilize the card key of described IC-card end and the counting of described Network to disperse Process key；Kernel-based methods key, uses symmetric key algorithm that described random number is encrypted computing, generates described application close Literary composition；

Described checking information also carry described IC-card use card sequence number, distributed key index DKI, cipher-text versions number and Algorithm identifies, in order to described server system uses described card sequence number, described DKI, described cipher-text versions number and described algorithm mark Know and described application cryptogram is verified.

Optionally, also include:

The card number of described IC-card end is sent to described mobile terminal, in order to described mobile terminal exists by described NFC module Compare the feelings that card number that card number and described server system that described IC-card end sends return for described service request is identical Described random number and described business information is sent by described NFC module to described IC-card end under condition.

Optionally, described Network is online transaction business, and described IC-card end is arranged in the payment possessing payment function On card, described server system is the online payment system for providing payment function for described Payment Card.

Second aspect, it is provided that a kind of method realizing safety certification, is applied to mobile terminal, including:

The service request for Network is sent to server system；

Receive the random number that described server system returns in response to described service request；

Sending described random number and business information by NFC module to IC-card end, described business information is used for describing described Network, described mobile terminal is configured with described NFC module；

The checking information that described IC-card end sends is received by described NFC module；

The business confirmation carrying described checking information is sent, in order to described server system to described server system Application cryptogram is verified by system；

Wherein, described checking information carries described application cryptogram, and described application cryptogram is that described IC-card end group is in described Key and AES that IC-card end is preset are encrypted computing to described random number and described business information and generate.

Optionally, described checking information also carries the card sequence number of described IC-card, distributed key index DKI, cipher-text versions Number and the algorithm mark of described symmetric key algorithm, in order to described server system uses described card sequence number, described DKI, described Described application cryptogram is verified by cipher-text versions number and described algorithm mark；

Wherein, described application cryptogram the most described IC-card end utilizes the card key of described IC-card end and described network industry The counting of business disperses process key Kernel-based methods key to use symmetric key algorithm that described random number is encrypted computing And generate.

Optionally, also include:

After sending described service request to described server system, receive described server system for described business The card number that request returns；

The card number that described IC-card end sends is received by described NFC module；

The card number that relatively described IC-card end sends is the most identical with the card number that described server system returns；

Under identical circumstances, perform described NFC module of passing through and send described random number and business information to IC-card end.

Optionally, also include:

After receiving the card number that described server system returns, show the card number that described server returns, with prompting Described mobile terminal gathers the card number that described IC-card end sends.

Optionally, also include:

After sending for the service request of Network to server system, receive described server system for institute State the authentication mode that service request returns；

It is dynamic password authentication in response to recognizing described authentication mode, performs the card that the described server of described display returns Number.

Optionally, the described business confirmation carrying described checking information to the transmission of described server system, including:

Operate in response to the confirmation for described service request, obtain and confirm that under operation, the business of input confirms described Code；

Described business confirmation is generated based on described checking information and described business confirmation code；

Described business confirmation is sent to described server system.

The third aspect, it is provided that a kind of device realizing safety certification, is configured at IC-card end, including:

Receive unit, for receiving random number and the business information that mobile terminal is sent, institute by near-field communication NFC module State random number to be the service request initiated for Network in response to described mobile terminal of server system and return to described Mobile terminal, described business information is used for describing described Network, and described mobile terminal is configured with described NFC module；

Signal generating unit, is used for the key preset based on described IC-card end and AES to described random number and described business Information is encrypted computing, generates application cryptogram；

First transmitting element, for carrying described application cryptogram by described NFC module to the transmission of described mobile terminal Checking information, in order to described server system receive described mobile terminal send the business carrying described checking information true Recognize information and described application cryptogram is verified.

Fourth aspect, it is provided that a kind of device realizing safety certification, is configured at mobile terminal, including:

First transmitting element, for sending the service request for Network to server system；

First receives unit, for receiving the random number that described server system returns in response to described service request；

Second transmitting element, for sending described random number and business information, described business by NFC module to IC-card end Information is used for describing described Network, and described mobile terminal is configured with described NFC module；

Second receives unit, for receiving, by described NFC module, the checking information that described IC-card end sends；

Second transmitting element, for sending the business confirmation letter carrying described checking information to described server system Breath, in order to application cryptogram is verified by described server system；

5th aspect, it is provided that a kind of system realizing safety certification, including IC-card end, mobile terminal and server system System；

Described IC-card end configures the device provided just like the aforementioned third aspect, and described mobile terminal configuration is just like the aforementioned 4th The device that aspect provides.

In the embodiment of the present application, during user uses Network, between mobile terminal and server system Dynamic password authentication IC-card end can be used to realize, wherein, can be by being arranged in shifting between mobile terminal and IC-card end It is mutual that near-field communication (Near Field Communication is called for short NFC) module in dynamic terminal realizes information.Specifically, Mobile terminal can obtain server system for this after sending for the service request of Network to server system Service request returns random number.Afterwards, mobile terminal can send this random number and this network by NFC module to IC-card end The business information that business is corresponding.This random number and this business information can be entered by IC-card end based on preset key and AES Row cryptographic calculation and generate application cryptogram.After again, mobile terminal can receive carrying of IC-card end transmission by NFC module The checking information of this application cryptogram, and the business confirmation carrying this checking information is sent to server system.So, clothes Business device system just can be by the checking to application cryptogram, it is achieved the safety certification to Network.As can be seen here, with IC-card end As realizing the hardware device of dynamic password authentication, for the mobile terminal such as mobile phone that user is used, panel computer, mobile The information that in terminal, the NFC module of configuration may be used for realizing between mobile terminal and IC-card end is mutual, therefore, and IC-card end and shifting Mutual information between terminal of moving is no need for user and is manually entered, so that user operation is more convenient.Additionally, relative to electricity For sub-scrambler, IC-card is easily portable, and cost is the lowest.

Accompanying drawing explanation

For the technical scheme being illustrated more clearly that in the embodiment of the present invention, in embodiment being described below required for make Accompanying drawing be briefly described, it should be apparent that, below describe in accompanying drawing be only described in the application some implement Example, for those of ordinary skill in the art, it is also possible to obtain other accompanying drawing according to these accompanying drawings.

Fig. 1 is the schematic flow sheet of a kind of method realizing safety certification in the embodiment of the present invention；

Fig. 2 is the schematic flow sheet of a kind of method realizing safety certification in the embodiment of the present invention；

Fig. 3 is the schematic flow sheet of a kind of method realizing safety certification in the embodiment of the present invention；

Fig. 4 is the structural representation of a kind of device realizing safety certification in the embodiment of the present invention；

Fig. 5 is the structural representation of a kind of device realizing safety certification in the embodiment of the present invention；

Fig. 6 is the structural representation of a kind of method realizing safety certification in the embodiment of the present invention.

Detailed description of the invention

Inventor finds through research, carrying out paying by mobile terminal or during the Network such as transaction, in order to hand over Easily safety, dynamic password authentication to be carried out, would generally use the mode of software to realize in prior art, but the side of software Formula realizes to avoid fishing website, forgery base station, stealing the malice acquisition to dynamic verification code of the illegal means such as mobile phone.Therefore In order to avoid dynamic password is revealed, some Networks at present have begun with the mode of hardware.Such as, some Network mesh Before have employed the crypto-device of the form such as U-shield, Ukey, the scrambler of this form needs to be connected to user by USB interface Terminal, this is applicable for the terminal such as PC, kneetop computer, but, mobile terminal does not the most arrange USB interface, because of This, the scrambler of this form is not particularly suited for mobile terminal.There is also the electronic cipher device of a kind of hardware the most at present, Applying electronic scrambler, to when carrying out dynamic password authentication, needs user manually to be arrived by the Password Input shown on electronic cipher device On mobile terminal, although this avoids mobile terminal cannot be obtained the problem of password by USB interface, but it is the operation of user Bring inconvenience, and, this electronic cipher device is also unfavorable for carrying with.

In order to solve the problems referred to above, in embodiments of the present invention, by being configured with mobile terminal and the IC-card end of NFC module Between carry out the safety certification that information realizes concluding the business on mobile terminals alternately, specifically, mobile terminal is to server System sends for obtaining server system after the service request of Network for this service request return random number. Afterwards, mobile terminal can send this random number and business information corresponding to Network by NFC module to IC-card end.IC Card end can be encrypted computing based on preset key and AES to this random number and this business information and generate application Ciphertext.After again, mobile terminal can receive, by NFC module, the checking letter carrying this application cryptogram that IC-card end sends Breath, and the business confirmation carrying this checking information is sent to server system.Based on this, server system can pass through Checking application cryptogram, it is achieved the safety certification to Network.As can be seen here, dynamic password when being traded by IC-card end Safety certification, not only high than the mode safety of pure software, and, on mobile terminal configuration NFC module may be used for reality Existing information between mobile terminal and IC-card end is mutual, and information mutual between such IC-card end and mobile terminal is no need for user It is manually entered, for comparing the electronic cipher device of hardware, easily facilitates user operation.Additionally, for electronic cipher device, IC-card is easily portable, and cost is the lowest.

Below in conjunction with the accompanying drawings, a kind of side realizing safety certification in the embodiment of the present invention is described in detail by embodiment The specific implementation of method, device and system.

Illustrative methods

With reference to Fig. 1, it is shown that the schematic flow sheet of a kind of method realizing safety certification in the embodiment of the present invention.The method Being applied to IC-card end, in the present embodiment, described method such as may comprise steps of:

Step 101: receive the random number that sent by near-field communication NFC module of mobile terminal and business information, described with Machine number is that server system responds the service request initiated for Network with described mobile terminal and returns to described movement Terminal, described business information is used for describing described Network, and described mobile terminal is configured with described NFC module.

When implementing, user can trigger Network at mobile terminal, and mobile terminal is grasped in response to the triggering of user Work can initiate the service request for this Network to the server system that this Network is corresponding.Server system is permissible In response to this service request, feed back random number according to this Network to mobile terminal.Mobile terminal is receiving server system After the random number of system feedback, the business information of this random number and description Network can be sent to IC-card end.Can manage Solving, in the present embodiment, mobile terminal is configured with NFC module, this NFC module can realize near field with IC-card end and lead to Letter, i.e. information between mobile terminal and IC-card end can be realized by the NFC module of configuration on mobile terminal alternately.Such as, In a step 101, mobile terminal can by its NFC module to possess near-field communication condition IC-card end send described at random Number and described business information.

It should be noted that the Network that the present embodiment is mentioned can be any one business merit provided by network Energy.Such as, in a kind of Application Scenarios-Example, described Network can be online transaction business.Specifically, described network is handed over Easily business can be transferred account service, payment transaction, inquiry business or finance services etc..It addition, the business letter that the present embodiment is mentioned Breath represents that in other words, business information can be in the Network that user triggers for the information being described Network Some essential informations comprised.Such as, if described Network is online transaction business, the most described business information can include handing over Easily date, dealing money and/or transaction currency type etc..

In the present embodiment, random number is that server system dynamically generates according to the service request of mobile terminal transmission Data.Wherein, having unique corresponding relation, i.e. server system between random number and service request is that different business please be sought survival The random number become is the most different.

It is understood that the equipment involved by the present embodiment specifically can have multiple possible implementation.Such as, touch Send out Network mobile terminal can be mobile phone, panel computer etc. any one be configured with NFC module and net can be triggered The mobile terminal of network business.And for example, IC-card end can be only fitted to have on the Payment Card of payment function.For another example, server system It can be the online payment system that payment function is provided for described Payment Card.

In a kind of Application Scenarios-Example, the Payment Card being configured with IC-card end can be that financial IC card (such as has IC-card core The bank card of sheet), server system can be the network system of financial business.The mobile terminal being configured with NFC module can be pacified Equipped with the client-side program of financial business, this mobile terminal can be by the client-side program of financial business and financial IC card, gold The network system melting business interacts.

Step 102: the key preset based on described IC-card end and AES are to described random number and described business information It is encrypted computing, generates application cryptogram；

In the present embodiment, IC-card end is all provided with corresponding key, provides application cryptogram for for Network. Wherein, for generating the AES of application cryptogram, such as, can be symmetric encipherment algorithm, can also be and for example asymmetric encryption Algorithm.

When implementing, after IC-card termination receives the next random number of mobile terminal transmission and business information, IC-card end can Random number and business information are encrypted computing by preset key and AES.Concrete step 102 such as may be used To include: utilize the card key of described IC-card end and the counting of described Network to disperse process key；Kernel-based methods is close Key, uses symmetric key algorithm that described random number is encrypted computing, generates described application cryptogram.

Pay it should be noted that be mainly used for off line in view of asymmetric cryptographic key algorithm, and in online payment In the case of, asymmetric cryptographic key algorithm is likely to result in the problem of the electronic cash by mistake detained in client's card, therefore, at net In the case of network business is online transaction business, symmetric encipherment algorithm is more suitable for IC-card end and generates application cryptogram.

In some embodiments of the present embodiment, if Network is online transaction business, IC-card end can be arranged There is transaction counter, count for Network.Specifically, receiving the business letter that mobile terminal sends every time After breath, the number of times of transaction can be added up by IC-card end.When IC-card termination receives random number and the business that mobile terminal sends After information, utilize IC-card end preset card key and applicating counter disperse process close the count results of Network Key；Again on the basis of process key, use symmetric key algorithm, the counting of random number, business information and Network is tied Fruit is encrypted computing, generates application cryptogram.

Step 103: the checking carrying described application cryptogram to the transmission of described mobile terminal by described NFC module is believed Breath, in order to described server system receives the business confirmation carrying described checking information of described mobile terminal transmission also Described application cryptogram is verified.

In some embodiments of the present embodiment, described checking information such as can also carry what described IC-card used Card sequence number, distributed key index DKI, cipher-text versions number and algorithm mark, in order to the described server system described card sequence number of employing, Described application cryptogram is verified by described DKI, described cipher-text versions number and described algorithm mark.

When implementing, after IC-card end generates application cryptogram, it is sent to the checking information carrying this application cryptogram move Dynamic terminal.Wherein, checking information is in addition to carrying application cryptogram, it is also possible to including: the card sequence number of IC-card employing, distributed key Index DKI, cipher-text versions number, algorithm mark etc..Then, the business confirmation carrying checking information is sent by mobile terminal To server system.Server system can be based on the checking information in business confirmation terminal, it is thus achieved that described application cryptogram, Described card sequence number, described DKI, described cipher-text versions number and described algorithm mark, it is possible to use described card sequence number, described DKI, Described application cryptogram is verified by described cipher-text versions number and described algorithm mark.

In some embodiments of the present embodiment, mobile terminal is after receiving the checking information that IC-card end sends, also May include that and show application cryptogram on mobile terminals, and Network input carry out Network to point out client to confirm Business confirmation code, wherein, business confirmation code is it also will be understood that become trading password.Then, the business that user is inputted by mobile terminal Confirmation code and checking information are sent to server system.It is to say, the business confirmation that server system receives is except bag Containing the business confirmation code that can also comprise user's input outside checking information.Wherein, business confirmation code can be that user is mobile whole Confirm to perform input during Network on end.Such as, if Network is online transaction business, business confirmation code can be to use The trading password of family input.

In the present embodiment, it is right that the process that the application cryptogram received is verified by server system such as may include that The business confirmation code of user's input is verified, checks whether IC-card is reported the loss, check credit card issuer random number and IC-card number whether by Distort；If information above is all verified, the card number of IC-card end and the IC-card that further according to default credit card issuer key, receive are adopted Card sequence number disperse card key, recycling card key and transaction counter carry out calculated meter to Network Calculate result and disperse process key, then on the basis of process key, use symmetric key algorithm, by random number and business information Generate application cryptogram；The application cryptogram generated at IC-card end and the application cryptogram generated at server system are mated, if The match is successful, and server system judges whether to carry out follow-up Network operation, if operating successfully, to mobile terminal again Feedback prompts information, to point out customer transaction success；If operation failure, to mobile terminal feedback prompts information, to point out user The reason of Fail Transaction.If it fails to match, directly to mobile terminal feedback prompts information, to point out user's verifying dynamic password to lose Lose.

It is understood that in the case of Network is online transaction business, by IC-card end and mobile terminal Between information realize online transaction business alternately safety certification before, user can pass through sales counter, Net silver or phone Etc. mode, bank card account number and IC-card end are bound, to realize the signing IC-card end authentication as checking transaction.

It should be noted that when carrying out Network, as user because some reason uses the IC-card of mistake, can That can cause Network performs failure, to this end, in some embodiments of the present embodiment, mobile terminal is first to IC-card end The card number provided carries out verifying asks application cryptogram to IC-card end again, concrete, can also include before step 101: pass through Described NFC module sends the card number of described IC-card end to described mobile terminal, in order to described mobile terminal is comparing described IC Pass through described in the case of card number that card number and the described server system that card end sends returns for described service request is identical NFC module sends described random number and described business information to described IC-card end.If additionally, the card number of IC-card end transmission and service The card number that device system returns for service request differs, and mobile terminal can feed back the information for representing card number mistake.

It is understood that in the case of Network is online transaction business, if obtaining from IC end on mobile terminals Get card number information and from server system obtain card number information the match is successful, then it represents that this IC-card end is and is traded silver The IC-card end that row card account has been contracted.

It should be noted that server system has provided the user multiple authentication sometimes, if user exists in advance Authentication mode has been set in server system the dynamic password authentication of IC-card end, and mobile terminal can perform the peace of IC-card end Full identifying procedure.Specifically, in some embodiments of the present embodiment, such as, can also include: mobile terminal is to service After device system sends for the service request of Network, receive what described server system returned for described service request Authentication mode；Mobile terminal is dynamic password authentication in response to recognizing described authentication mode, performs the described described service of display The card number that device returns.Specifically, in the case of Network is online transaction business, user initiates transaction by mobile terminal Request, transaction request is sent to server system by mobile terminal.Server system is according to transaction request, it is judged that carry out this transaction Bank card account number IC-card of whether having contracted as authentication means, if having contracted IC-card, then generate credit card issuer random number, Qi Zhongsuo State credit card issuer random number i.e. random number noted above.Server system is by the IC-card number of signing, credit card issuer random number With for representing that the authentication mode of IC-card end dynamic password authentication feeds back to mobile terminal, in order to mobile terminal is recognizing certification Mode is the security authentication process performing IC-card end in the case of dynamic password authentication.If not contracting IC-card number, server system May determine that user has contracted the authentication mode of which kind of form, and the authentication mode that user contracts is fed back to mobile terminal.

The method provided by the present embodiment, user during carrying out Network, mobile terminal and server system Dynamic password authentication between system uses IC-card end and realizes, and mobile terminal carries out information by NFC module and IC-card end Mutual, the information such as application cryptogram that acquisition for mobile terminal IC-card end generates, then IC-card end is generated by server system Application cryptogram is verified.Therefore, use IC-card as realizing the authenticating device of dynamic password, come relative to the mode of software Saying, safety is higher；For electronic cipher device, it is more convenient to operate, and cost is the lowest.

With reference to Fig. 2, it is shown that the schematic flow sheet of a kind of method realizing safety certification in the embodiment of the present invention.The method Being applied to mobile terminal, in the present embodiment, described method such as may comprise steps of:

Step 201: send the service request for Network to server system.

Step 202: receive server system and be used for describing in response to described random number and business information, described business information Described Network, described mobile terminal is configured with described NFC module.

Step 203: send described random number and business information, described business information to IC-card end by described NFC module For describing described Network.

Step 204: receive the checking information that described IC-card end sends by described NFC module.

Step 205: send the business confirmation carrying described checking information to described server system, in order to described Application cryptogram is verified by server system.

It should be noted that Network mentioned by the present embodiment, business information, random number, mobile terminal, IC-card end And server system, the embodiment that can be found in earlier figures 1 correspondence is discussed in detail, does not repeats them here.

In some embodiments of the present embodiment, mobile terminal can be such as mobile phone, panel computer etc. any one Being configured with NFC module and can trigger the mobile terminal of Network, IC-card end such as can be only fitted to have payment function Payment Card on, server system can be such as described Payment Card provide payment function online payment system.

In the present embodiment, the process that application cryptogram is verified by server system can be found in the reality of earlier figures 1 correspondence Execute the introduction of example, do not repeat them here.

In some embodiments of the present embodiment, step 205 sends to described server system and tests described in carrying The business confirmation of card information, specifically may include that mobile terminal operates in response to the confirmation for described service request, obtains It is taken at the described business confirmation code confirming the lower input of operation；Mobile terminal is raw based on described checking information and described business confirmation code Become described business confirmation；Mobile terminal sends described business confirmation to described server system.It is understood that After mobile terminal receives the checking information that IC-card end sends, mobile terminal can point out user to confirm transaction incoming traffic Confirmation code.After user performs confirmation operation incoming traffic confirmation code, mobile terminal can be by checking information and business Confirmation code is sent to server system as business confirmation.

It should be noted that in the case of Network is online transaction business, business confirmation code can be such as into The trading password of the account of row Network.

In the present embodiment, before step 202, the card number of IC-card end can be verified, checking and mobile terminal Whether mutual IC-card end is the IC-card that this Network is corresponding.Concrete, in some embodiments of the present embodiment, also May include that, after sending described service request to described server system, mobile terminal receives described server system pin The card number that described service request is returned；Mobile terminal receives, by described NFC module, the card number that described IC-card end sends；Mobile The card number that terminal more described IC-card end sends is the most identical with the card number that described server system returns；In identical situation Under, mobile terminal performs step 203.

More specifically, mobile terminal is after server sends the service request of Network, if having contracted IC-card conduct The authentication means of dynamic password, the card number of the IC-card of signing is fed back to mobile terminal by server system, and mobile terminal passes through NFC Module interacts with IC-card end, obtains the card number of IC-card, by the card number of the IC-card of signing that obtains from server with from IC-card The card number of the IC-card that end obtains contrasts, if the card number of the two is identical, performs step 203.

It should be noted that in the case of Network is online transaction business, the card number that server system returns can The IC-card bound with the account corresponding to the bankcard network business involved by online transaction business.The card number obtained from IC-card end It is to carry out the card number of the mutual IC-card end of information with mobile terminal.

In the other embodiment of the present embodiment, on the basis of the card number of mobile terminal checking IC-card end, also may be used To include: mobile terminal, after receiving the card number that described server system returns, shows the card number that described server returns, To point out described mobile terminal to gather the card number that described IC-card end sends.

More specifically, mobile terminal is after server system sends the service request of Network, if having contracted IC-card As the authentication means of dynamic password, the card number of the IC-card of signing is fed back to mobile terminal by server system, at mobile terminal The card number that upper display server returns, now, user can select IC-card and shifting according to the card number of the IC-card of display on server Dynamic terminal interacts, and mobile terminal obtains the IC-card number interacted with mobile terminal by NFC module.

It is understood that the card number of IC-card end is verified at mobile terminal, it is also possible to be that user compares, when When user confirms comparison success, can manually trigger mobile terminal and perform step 203.

In the other embodiment of the present embodiment, on the server systems can also be to the checking of the card number of IC end. Concrete, after mobile terminal collects IC-card end card number, using the card number of this IC-card end as in business confirmation Server system is given in distribution, and the card number in the card number contracted and business confirmation is compared by server system again, if Comparison success, then application cryptogram is verified.

In the present embodiment, the authentication mode that server system provides for Network can have multiple.Such as, except IC Block the authentication mode as dynamic password authentication instrument and can also include that the authentication mode of software secret order, electronic cipher device are as dynamic Any one or more such as the authentication mode of state password authentication instrument can be used for the side of mobile terminal enterprising Mobile state password authentication Formula.Be in the case of Network is provided with multiple authentication mode at server system, server receive service request it After, the authentication mode that can pre-set to mobile terminal feedback user, such mobile terminal is according to the authentication mode received Carry out corresponding safety certification.Concrete, in some embodiments of the present embodiment, after step 201, it is also possible to bag Including: after sending for the service request of Network to server system, mobile terminal receives described server system pin The authentication mode that described service request is returned；Mobile terminal is dynamic password authentication in response to recognizing described authentication mode, Perform the card number that the described server of described display returns.

More specifically, after mobile terminal have sent the service request of Network to server system, server system root Determine, according to this service request, the authentication mode that user contracts, and this authentication mode is fed back to mobile terminal, if mobile terminal connects The authentication mode received is the dynamic password authentication of IC-card, shows the card number of the IC-card that user contracts on mobile terminals.But, If the authentication mode that mobile terminal receives is other authentication mode in addition to IC-card dynamic password, according to concrete authenticating party Formula, carries out corresponding verification operation.

With reference to Fig. 3, it is shown that the schematic flow sheet of a kind of method realizing safety certification in the embodiment of the present invention.In this reality Executing in example, described method such as may include that

Step 301: in response to the trigger action of user, mobile terminal generates the service request for Network.

Step 302: mobile terminal sends described service request to server system.

Step 303: after server system receives described service request, it is judged that whether authentication mode is IC-card dynamic password Certification.

In the present embodiment, the authentication mode of dynamic password can be in the dynamic password authentication mode being IC-card, it is also possible to be electricity The authentication mode of sub-scrambler or other be capable of on mobile terminal the authentication mode of dynamic password of transaction.Therefore, when After server system receives described service request, need to judge whether authentication mode is IC-card dynamic password authentication.

Step 304: if authentication mode is IC-card dynamic password authentication, generates random number at server system, and will signing The card number of IC end, authentication mode and described random number back are to mobile terminal.

Step 305: mobile terminal, in response to described IC-card dynamic password authentication, shows the card number of described IC-card end, to carry Show that user selects corresponding IC-card end to interact with described mobile terminal.

In the present embodiment, mobile terminal is according to the authentication mode received, it may be judged whether whether this authentication mode is described IC-card dynamic password authentication, if so, shows the card number of described mobile terminal, to point out user to select corresponding IC-card whole with mobile End interacts.

Step 306: described random number and business information are sent to IC-card end by mobile terminal.

Described random number and described business information are carried out by step 307:IC card end group in preset key and AES Cryptographic calculation, generates application cryptogram.

In the present embodiment, each IC-card is provided with corresponding key, is used for the random number received and business Information is encrypted.AES can be such as symmetric encipherment algorithm can also be rivest, shamir, adelman.

After IC-card termination receives the next random number of mobile terminal transmission and business information, by the key that IC-card end is preset With AES, random number and business information are encrypted computing.Concrete step 307 such as may include that and utilizes described IC The card key of card end and the counting of described Network disperse process key；Kernel-based methods key, uses symmetric key to calculate Method is encrypted computing to described random number, generates described application cryptogram.

The checking information carrying application cryptogram is sent to described mobile terminal by step 308:IC card end.

In the present embodiment, described checking information also carries the card sequence number of described IC-card employing, distributed key indexes DKI, Cipher-text versions number and algorithm identify, in order to described server system uses described card sequence number, described DKI, described cipher-text versions number With described algorithm mark, described application cryptogram is verified.

Step 309: the business confirmation carrying checking information is sent to the described webserver by mobile terminal.

In the present embodiment, this step concrete implementation method includes: operate in response to the confirmation for described service request, Obtain and confirm the business confirmation code of input under operation described；Generate described based on described checking information and described business confirmation code Business confirmation；Described business confirmation is sent to described server system.

In the present embodiment, after mobile terminal receives and carries the checking information of application cryptogram, show checking information, and The business confirmation code of prompting user's this Network of input validation, and using described business confirmation code and described checking information as industry Business confirmation is sent to server system.

Step 310: described application cryptogram is verified by the webserver according to described business confirmation.

In the present embodiment, the webserver is after receiving business confirmation, according to the card number of the IC-card end received Judge whether described IC-card is reported the loss, the business confirmation code of user's input is verified, check that the IC-card of signing and random number are No it is tampered.If described IC-card is not reported the loss, described business confirmation code correct, the IC-card number of signing and random number are not tampered with, root The card sequence number used according to preset credit card issuer key, the card number of described IC-card end and described IC-card end disperses card key, depends on Disperse process key according to the counting of described card key and Network, then according to described process key, use symmetric key Algorithm generates application cryptogram, the application cryptogram of the IC end of the application cryptogram generated at server system and acquisition generation is carried out Joining, if the two application cryptogram is identical, expression is proved to be successful.

Step 311: if being proved to be successful, server system judges whether to perform Network, and transaction results is fed back to Mobile terminal.

After being proved to be successful, server system judges whether to perform Network, such as, transfer accounts, the subsequent operation such as payment, and Final transaction results is fed back to mobile terminal, to point out customer transaction the most successful.

The method provided by the present embodiment, uses IC-card to enter with mobile terminal as the authenticating device realizing dynamic password Row is mutual, during mutual, generate business checking information, and is tested business checking information by server system Card.Therefore, using IC-card as realizing the authenticating device of dynamic password, for the mode of software, safety is higher；Phase For electronic cipher device, it is more convenient to operate, and cost is the lowest.

Example devices

With reference to Fig. 4, it is shown that the structural representation of a kind of device realizing safety certification in the embodiment of the present invention.This device Being configured at IC-card end, in the present embodiment, described device specifically can include

Receive unit 401, for receiving random number and the business letter that mobile terminal is sent by near-field communication NFC module Breath, described random number is the service request initiated for Network in response to described mobile terminal of server system and returns to Described mobile terminal, described business information is used for describing described Network, and described mobile terminal is configured with described NFC mould Block.

Signal generating unit 402, for based on the preset key of described IC-card end and AES to described random number and described Business information is encrypted computing, generates application cryptogram.

First transmitting element 403, close for carrying described application by described NFC module to the transmission of described mobile terminal The checking information of literary composition, in order to described server system receives the business carrying described checking information that described mobile terminal sends Described application cryptogram is also verified by confirmation.

Optionally, in the present embodiment, described signal generating unit, including:

Dispersion subelement, for utilizing the card key of described IC-card end and the counting of described Network to disperse process Key.

Generate subelement, for Kernel-based methods key, use symmetric key algorithm that described random number is encrypted computing, Generate described application cryptogram.

Optionally, in the present embodiment, also include:

Second transmitting element, for being sent the card number of described IC-card end to described mobile terminal by described NFC module, with Toilet is stated mobile terminal and is returned for described service request with described server system at the card number comparing the transmission of described IC-card end By described NFC module to described IC-card end transmission described random number and described business information in the case of the card number that returns is identical.

Described Network is online transaction business, and described IC-card end is arranged on the Payment Card possessing payment function, institute State server system for the online payment system for providing payment function for described Payment Card.

The device provided by the present embodiment, user during carrying out Network, mobile terminal and server system Dynamic password authentication between system uses IC-card end and realizes, and mobile terminal carries out information by NFC module and IC-card end Mutual, the information such as application cryptogram that acquisition for mobile terminal IC-card end generates, then IC-card end is generated by server system Application cryptogram is verified.Therefore, use IC-card as realizing the authenticating device of dynamic password, come relative to the mode of software Saying, safety is higher；For electronic cipher device, it is more convenient to operate, and cost is the lowest.

With reference to Fig. 5, it is shown that a kind of schematic diagram realizing safety certification device in the embodiment of the present invention.At the present embodiment In, described device includes:

First transmitting element 501, for sending the service request for Network to server system；

First receives unit 502, random for receive that described server system returns in response to described service request Number；

Second transmitting element 503, for sending described random number and business information by NFC module to IC-card end, described Business information is used for describing described Network, and described mobile terminal is configured with described NFC module；

Second receives unit 504, for receiving, by described NFC module, the checking information that described IC-card end sends；

Second transmitting element 505, confirms for sending the business carrying described checking information to described server system Information, in order to application cryptogram is verified by described server system；

In the present embodiment, described checking information also carries the card sequence number of described IC-card, distributed key index DKI, ciphertext Version number and described symmetric key algorithm algorithm mark, in order to described server system use described card sequence number, described DKI, Described application cryptogram is verified by described cipher-text versions number and described algorithm mark；

In the present embodiment, described second transmitting element specifically includes:

Obtain subelement, for operating in response to the confirmation for described service request, obtain and confirm under operation described The business confirmation code of input；

Generate subelement, for generating described business confirmation based on described checking information and described business confirmation code；

First sends subelement, for sending described business confirmation to described server system.

In the present embodiment, also include:

Second receives unit, for, after sending described service request to described server system, receiving described service The card number that device system returns for described service request.

3rd receives unit, for receiving, by described NFC module, the card number that described IC-card end sends.

Comparing unit, the card number that the card number sent for relatively described IC-card end and described server system return whether phase With.

First performance element, under identical circumstances, perform described by NFC module to IC-card end send described with Machine number and business information.

Display unit, for, after receiving the card number that described server system returns, showing that described server returns Card number, with point out described mobile terminal gather described IC-card end send card number.

4th receives unit, for after sending for the service request of Network to server system, receives institute State the authentication mode that server system returns for described service request.

Second performance element, for being dynamic password authentication in response to recognizing described authentication mode, performs described display The card number that described server returns.

The equipment provided by the present embodiment, user during carrying out Network, mobile terminal and server system Dynamic password authentication between system uses IC-card end and realizes, and mobile terminal carries out information by NFC module and IC-card end Mutual, the information such as application cryptogram that acquisition for mobile terminal IC-card end generates, then IC-card end is generated by server system Application cryptogram is verified.Therefore, use IC-card as realizing the authenticating device of dynamic password, come relative to the mode of software Saying, safety is higher；For electronic cipher device, it is more convenient to operate, and cost is the lowest.

With reference to Fig. 6, for the structural representation of the system realizing safety certification a kind of in the embodiment of the present invention.At the present embodiment In, described system includes:

IC-card end 601, mobile terminal 602 and server system 603.

Wherein, the device of the embodiment offer that the configuration of described IC-card end is corresponding just like Fig. 4, described mobile terminal configuration has figure The device that the embodiment of 5 correspondences provides.

Described server system, is used for generating random number and the ciphertext generating IC-card end is verified.

In the present embodiment, after mobile terminal triggers the request of Network, network service request is sent to server system System, server system generates random number, and by random number back to mobile terminal, mobile terminal by NFC module by described with The business information of machine number and description Network is sent to IC-card end, and described random number and business information are generated application by IC-card end Ciphertext, and the checking information carrying application cryptogram is sent to mobile terminal by NFC module, mobile terminal will carry and test The business confirmation of card information is sent to server system, server system according to described business confirmation to described application Ciphertext is verified.

The system provided by the present embodiment, user during carrying out Network, mobile terminal and server system Dynamic password authentication between system uses IC-card end and realizes, and mobile terminal carries out information by NFC module and IC-card end Mutual, the information such as application cryptogram that acquisition for mobile terminal IC-card end generates, then IC-card end is generated by server system Application cryptogram is verified.Therefore, use IC-card as realizing the authenticating device of dynamic password, come relative to the mode of software Saying, safety is higher；For electronic cipher device, it is more convenient to operate, and cost is the lowest.

" the first transmitting element " mentioned in the embodiment of the present invention is, " first " in titles such as " first receive unit " is It is used for doing name mark, does not represent first sequentially.This rule is equally applicable to " second " etc..

As seen through the above description of the embodiments, those skilled in the art is it can be understood that arrive above-mentioned enforcement All or part of step in example method can add the mode of general hardware platform by software and realize.Based on such understanding, Technical scheme can embody with the form of software product, and this computer software product can be stored in storage and be situated between In matter, such as read only memory (English: read-only memory, ROM)/RAM, magnetic disc, CD etc., including some instructions in order to One computer equipment (can be personal computer, server, or the network communication equipment such as such as router) is performed Each embodiment of the present invention or the method described in some part of embodiment.

Each embodiment in this specification all uses the mode gone forward one by one to describe, identical similar portion between each embodiment Dividing and see mutually, what each embodiment stressed is the difference with other embodiments.Real especially for method For executing example and apparatus embodiments, owing to it is substantially similar to system embodiment, so describing fairly simple, relevant part ginseng See that the part of system embodiment illustrates.Equipment described above and system embodiment are only schematically, Qi Zhongzuo The module illustrated for separating component can be or may not be physically separate, and the parts shown as module can be Or may not be physical module, i.e. may be located at a place, or can also be distributed on multiple NE.Permissible Select some or all of module therein to realize the purpose of the present embodiment scheme according to the actual needs.The common skill in this area Art personnel, in the case of not paying creative work, are i.e. appreciated that and implement.

The above is only the preferred embodiment of the present invention, is not intended to limit protection scope of the present invention.Should refer to Go out, for those skilled in the art, under the premise of not departing from the present invention, it is also possible to make some improvement And retouching, these improvements and modifications also should be regarded as protection scope of the present invention.

Claims

1. the method realizing safety certification, it is characterised in that be applied to IC-card end, including:

Receiving random number and business information that mobile terminal is sent by near-field communication NFC module, described random number is server Service request that system is initiated for Network in response to described mobile terminal and return to described mobile terminal, described industry Business information is used for describing described Network, and described mobile terminal is configured with described NFC module；

The key preset based on described IC-card end and AES are encrypted computing to described random number and described business information, Generate application cryptogram；

The checking information of described application cryptogram is carried to the transmission of described mobile terminal, in order to described clothes by described NFC module Business device system receives the business confirmation carrying described checking information close to described application that described mobile terminal sends Literary composition is verified.

Method the most according to claim 1, it is characterised in that

Described random number and described business information are encrypted by the described key preset based on described IC-card end and AES Computing, generates application cryptogram, including: utilize the card key of described IC-card end and the counting of described Network to disperse process Key；Kernel-based methods key, uses symmetric key algorithm that described random number is encrypted computing, generates described application cryptogram；

Described checking information also carries card sequence number, distributed key index DKI, cipher-text versions number and the algorithm that described IC-card uses Mark, in order to described server system uses described card sequence number, described DKI, described cipher-text versions number and described algorithm mark right Described application cryptogram is verified.

Method the most according to claim 1, it is characterised in that also include:

The card number of described IC-card end is sent to described mobile terminal, in order to described mobile terminal is comparing by described NFC module Go out card number that card number and described server system that described IC-card end sends return for described service request identical in the case of Described random number and described business information is sent to described IC-card end by described NFC module.

Method the most according to claim 1, it is characterised in that described Network is online transaction business, described IC-card End is arranged on the Payment Card possessing payment function, and described server system is for for providing payment function for described Payment Card Online payment system.

5. the method realizing safety certification, it is characterised in that be applied to mobile terminal, including:

The service request for Network is sent to server system；

Sending described random number and business information by NFC module to IC-card end, described business information is used for describing described network Business, described mobile terminal is configured with described NFC module；

The business confirmation carrying described checking information is sent, in order to described server system pair to described server system Application cryptogram is verified；

Wherein, described checking information carries described application cryptogram, and described application cryptogram is that described IC-card end group is in described IC-card Hold preset key and AES that described random number and described business information are encrypted computing and are generated.

Method the most according to claim 5, it is characterised in that described checking information also carries the card sequence of described IC-card Number, distributed key index DKI, the algorithm mark of cipher-text versions number and described symmetric key algorithm, in order to described server system Use described card sequence number, described DKI, described cipher-text versions number and described algorithm mark that described application cryptogram is verified；

Wherein, described application cryptogram the most described IC-card end utilizes the card key of described IC-card end and described Network Counting disperses process key Kernel-based methods key to use symmetric key algorithm described random number to be encrypted computing and gives birth to Become.

Method the most according to claim 5, it is characterised in that also include:

After sending described service request to described server system, receive described server system for described service request The card number returned；

Method the most according to claim 7, it is characterised in that also include:

After receiving the card number that described server system returns, show the card number that described server returns, described with prompting Mobile terminal gathers the card number that described IC-card end sends.

Method the most according to claim 8, it is characterised in that also include:

After sending for the service request of Network to server system, receive described server system for described industry The authentication mode that business request returns；

It is dynamic password authentication in response to recognizing described authentication mode, performs the card number that the described server of described display returns.

Method the most according to claim 5, it is characterised in that described send to described server system carry described The business confirmation of checking information, including:

Operate in response to the confirmation for described service request, obtain and confirm the business confirmation code of input under operation described；

Described business confirmation is sent to described server system.

11. methods according to claim 5, it is characterised in that described Network is online transaction business, described IC-card End is arranged on the Payment Card possessing payment function, and described server system is for for providing payment function for described Payment Card Online payment system.

12. 1 kinds of devices realizing safety certification, it is characterised in that be configured at IC-card end, including:

Receive unit, for receiving random number and the business information that mobile terminal is sent by near-field communication NFC module, described with Machine number is the service request initiated for Network in response to described mobile terminal of server system and returns to described movement Terminal, described business information is used for describing described Network, and described mobile terminal is configured with described NFC module；

Signal generating unit, is used for the key preset based on described IC-card end and AES to described random number and described business information It is encrypted computing, generates application cryptogram；

First transmitting element, for carrying testing of described application cryptogram by described NFC module to the transmission of described mobile terminal Card information, in order to described server system receives the business confirmation letter carrying described checking information that described mobile terminal sends Described application cryptogram is also verified by breath.

13. 1 kinds of devices realizing safety certification, it is characterised in that be configured at mobile terminal, including:

Second transmitting element, for sending described random number and business information, described business information by NFC module to IC-card end For describing described Network, described mobile terminal is configured with described NFC module；

Second transmitting element, for sending the business confirmation carrying described checking information to described server system, with Toilet is stated server system and is verified application cryptogram；

14. 1 kinds of systems realizing safety certification, it is characterised in that include IC-card end, mobile terminal and server system；

Described IC-card end is configured with device as claimed in claim 12, and described mobile terminal configuration has as claimed in claim 13 Device.