CN106209386B - A method, device and system for implementing security authentication - Google Patents

Publication number: CN106209386B
Authority: CN (China)
Prior art keywords: card; mobile terminal; server system; business; card end
Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Application number: CN201610885216.XA
Other languages: Chinese (zh)
Other versions: CN106209386A (en)
Inventor: 周杰
Current Assignee: Bank of China Ltd
Original Assignee: Bank of China Ltd

Application filed by Bank of China Ltd
Priority to CN201610885216.XA
Publication of CN106209386A
Application granted
Publication of CN106209386B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Abstract

In the embodiments of the present application, while a user uses a network service, dynamic password authentication between the mobile terminal and the server system is implemented using an IC card end. Specifically: after a request for the network service is triggered on the mobile terminal, the mobile terminal sends a network service request to the server system; the server system generates a random number and returns it to the mobile terminal; the mobile terminal sends the random number and business information describing the network service to the IC card end through an NFC module; the IC card end generates an application cryptogram from the random number and the business information, and sends verification information carrying the application cryptogram to the mobile terminal through the NFC module; the mobile terminal sends a business confirmation message carrying the verification information to the server system; and the server system verifies the application cryptogram according to the business confirmation message. It follows that performing dynamic password verification with the IC card end is more convenient for the user to operate, and the IC card is also easy to carry.

Description

A method, device and system for implementing security authentication
Technical field
The present invention relates to the technical field of network security, and in particular to a method, device and system for implementing security authentication.
Background art
With the development of the Internet, many network services that are sensitive to security have appeared, such as payment or transaction services. When a user uses these network services, dynamic password authentication can be used between the client and the server to avoid the risk of the user's password being leaked, thereby ensuring the security of the network service. In general, dynamic password authentication is implemented in software. However, dynamic password authentication implemented in software cannot prevent the dynamic verification code from being maliciously obtained by illegal means such as phishing websites, fake base stations and stolen mobile phones.
To avoid leakage of the dynamic password, some network services have begun to implement dynamic password authentication in hardware. For example, in the prior art, an electronic cipher device, which is an independent hardware device, is used to implement dynamic password authentication between the client and the server when the user uses a network service. However, for mobile terminals such as the mobile phones and tablet computers that users use, the user has to manually enter the dynamic verification code obtained from the electronic cipher device into the client on the mobile terminal, which makes operation inconvenient for the user. In addition, in mobile network scenarios, the electronic cipher device is a hardware device independent of the user's mobile terminal and has to be carried by the user so that the user can use network services anytime and anywhere; the number of devices the user needs to carry therefore also increases. Furthermore, the cost of the electronic cipher device is relatively high.
Summary of the invention
The technical problem to be solved by the embodiments of the present application is to provide a method, device and system for implementing security authentication, so as to avoid the defects of the prior art, in which implementing dynamic password authentication with an electronic cipher device is inconvenient for the user to carry, inconvenient for the user to operate, and costly.
In a first aspect, a method for implementing security authentication is provided, applied to an IC card end, comprising:
receiving a random number and business information sent by a mobile terminal through a near-field communication (NFC) module, wherein the random number is returned to the mobile terminal by a server system in response to a service request initiated by the mobile terminal for a network service, the business information is used to describe the network service, and the NFC module is configured on the mobile terminal;
performing an encryption operation on the random number and the business information based on a key and an encryption algorithm preset at the IC card end, to generate an application cryptogram;
sending verification information carrying the application cryptogram to the mobile terminal through the NFC module, so that the server system receives a business confirmation message carrying the verification information sent by the mobile terminal and verifies the application cryptogram.
Optionally,
performing the encryption operation on the random number and the business information based on the key and encryption algorithm preset at the IC card end to generate the application cryptogram comprises: deriving a process key using the card key of the IC card end and the count of the network service; and, based on the process key, performing an encryption operation on the random number using a symmetric key algorithm to generate the application cryptogram;
the verification information also carries the card serial number used by the IC card, the derivation key index (DKI), the cryptogram version number and the algorithm identifier, so that the server system verifies the application cryptogram using the card serial number, the DKI, the cryptogram version number and the algorithm identifier.
Optionally, the method further comprises:
sending the card number of the IC card end to the mobile terminal through the NFC module, so that the mobile terminal, when it finds by comparison that the card number sent by the IC card end is identical to the card number returned by the server system for the service request, sends the random number and the business information to the IC card end through the NFC module.
Optionally, the network service is an online transaction service, the IC card end is configured on a payment card having a payment function, and the server system is an online payment system that provides the payment function for the payment card.
In a second aspect, a method for implementing security authentication is provided, applied to a mobile terminal, comprising:
sending a service request for a network service to a server system;
receiving a random number returned by the server system in response to the service request;
sending the random number and business information to an IC card end through an NFC module, wherein the business information is used to describe the network service and the NFC module is configured on the mobile terminal;
receiving, through the NFC module, verification information sent by the IC card end;
sending a business confirmation message carrying the verification information to the server system, so that the server system verifies an application cryptogram;
wherein the verification information carries the application cryptogram, and the application cryptogram is generated by the IC card end by performing an encryption operation on the random number and the business information based on a key and an encryption algorithm preset at the IC card end.
Optionally, the verification information also carries the card serial number of the IC card, the derivation key index (DKI), the cryptogram version number and the algorithm identifier of the symmetric key algorithm, so that the server system verifies the application cryptogram using the card serial number, the DKI, the cryptogram version number and the algorithm identifier;
wherein the application cryptogram is specifically generated by the IC card end by deriving a process key using the card key of the IC card end and the count of the network service, and, based on the process key, performing an encryption operation on the random number using a symmetric key algorithm.
Optionally, the method further comprises:
after sending the service request to the server system, receiving the card number returned by the server system for the service request;
receiving, through the NFC module, the card number sent by the IC card end;
comparing whether the card number sent by the IC card end and the card number returned by the server system are identical;
if they are identical, performing the step of sending the random number and the business information to the IC card end through the NFC module.
Optionally, the method further comprises:
after receiving the card number returned by the server system, displaying the card number returned by the server, to prompt the mobile terminal to acquire the card number sent by the IC card end.
Optionally, the method further comprises:
after sending the service request for the network service to the server system, receiving the authentication mode returned by the server system for the service request;
in response to recognizing that the authentication mode is dynamic password authentication, performing the step of displaying the card number returned by the server.
Optionally, sending the business confirmation message carrying the verification information to the server system comprises:
in response to a confirmation operation for the service request, obtaining the business confirmation code entered during the confirmation operation;
generating the business confirmation message based on the verification information and the business confirmation code;
sending the business confirmation message to the server system.
Optionally, the network service is an online transaction service, the IC card end is configured on a payment card having a payment function, and the server system is an online payment system that provides the payment function for the payment card.
In a third aspect, a device for implementing security authentication is provided, configured at an IC card end, comprising:
a receiving unit, configured to receive a random number and business information sent by a mobile terminal through a near-field communication (NFC) module, wherein the random number is returned to the mobile terminal by a server system in response to a service request initiated by the mobile terminal for a network service, the business information is used to describe the network service, and the NFC module is configured on the mobile terminal;
a generation unit, configured to perform an encryption operation on the random number and the business information based on a key and an encryption algorithm preset at the IC card end, to generate an application cryptogram;
a first transmission unit, configured to send verification information carrying the application cryptogram to the mobile terminal through the NFC module, so that the server system receives a business confirmation message carrying the verification information sent by the mobile terminal and verifies the application cryptogram.
In a fourth aspect, a device for implementing security authentication is provided, configured at a mobile terminal, comprising:
a first transmission unit, configured to send a service request for a network service to a server system;
a first receiving unit, configured to receive a random number returned by the server system in response to the service request;
a second transmission unit, configured to send the random number and business information to an IC card end through an NFC module, wherein the business information is used to describe the network service and the NFC module is configured on the mobile terminal;
a second receiving unit, configured to receive, through the NFC module, verification information sent by the IC card end;
a second transmission unit, configured to send a business confirmation message carrying the verification information to the server system, so that the server system verifies an application cryptogram;
wherein the verification information carries the application cryptogram, and the application cryptogram is generated by the IC card end by performing an encryption operation on the random number and the business information based on a key and an encryption algorithm preset at the IC card end.
In a fifth aspect, a system for implementing security authentication is provided, comprising an IC card end, a mobile terminal and a server system;
the IC card end is configured with the device provided in the aforementioned third aspect, and the mobile terminal is configured with the device provided in the aforementioned fourth aspect.
In the embodiments of the present application, while a user uses a network service, dynamic password authentication between the mobile terminal and the server system can be implemented using an IC card end, and information exchange between the mobile terminal and the IC card end can be implemented through a near-field communication (Near Field Communication, NFC) module configured on the mobile terminal. Specifically, after sending a service request for a network service to the server system, the mobile terminal can obtain the random number that the server system returns for that service request. The mobile terminal can then send the random number and the business information corresponding to the network service to the IC card end through the NFC module. The IC card end can perform an encryption operation on the random number and the business information based on a preset key and encryption algorithm to generate an application cryptogram. After that, the mobile terminal can receive, through the NFC module, the verification information carrying the application cryptogram sent by the IC card end, and send a business confirmation message carrying the verification information to the server system. In this way, the server system can implement security authentication of the network service by verifying the application cryptogram. It can be seen that, with the IC card end as the hardware device implementing dynamic password authentication, for mobile terminals such as the mobile phones and tablet computers that users use, the NFC module configured on the mobile terminal can be used to implement information exchange between the mobile terminal and the IC card end. The information exchanged between the IC card end and the mobile terminal therefore does not have to be entered manually by the user, which makes operation more convenient for the user. In addition, compared with an electronic cipher device, an IC card is easier to carry and costs less.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some of the embodiments described in this application; those of ordinary skill in the art can also obtain other drawings based on these drawings.
Fig. 1 is a schematic flowchart of a method for implementing security authentication in an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a method for implementing security authentication in an embodiment of the present invention;
Fig. 3 is a schematic flowchart of a method for implementing security authentication in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a device for implementing security authentication in an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a device for implementing security authentication in an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a method for implementing security authentication in an embodiment of the present invention.
Detailed description of the embodiments
The inventor found that, when network services such as payment or transactions are carried out through a mobile terminal, dynamic password authentication is usually performed for the sake of transaction security. In the prior art this is usually implemented in software, but a software implementation cannot prevent the dynamic verification code from being maliciously obtained by illegal means such as phishing websites, fake base stations and stolen mobile phones. Therefore, to avoid leakage of the dynamic password, some network services have begun to use hardware. For example, some network services currently use cipher devices in forms such as U-shield and Ukey. A cipher device of this form needs to be connected to the user terminal through a USB interface, which is suitable for terminals such as PCs and laptop computers; a mobile terminal, however, usually has no USB interface, so a cipher device of this form is not suitable for mobile terminals. In addition, there is currently also a hardware electronic cipher device. When the electronic cipher device is used for dynamic password authentication, the user has to manually enter the password displayed on the electronic cipher device into the mobile terminal. Although this avoids the problem that the mobile terminal cannot obtain the password through a USB interface, it makes operation inconvenient for the user, and this kind of electronic cipher device is also inconvenient to carry.
To solve the above problems, in the embodiments of the present invention, security authentication of transactions on a mobile terminal is implemented through information exchange between a mobile terminal configured with an NFC module and an IC card end. Specifically, after sending a service request for a network service to the server system, the mobile terminal can obtain the random number that the server system returns for that service request. The mobile terminal can then send the random number and the business information corresponding to the network service to the IC card end through the NFC module. The IC card end can perform an encryption operation on the random number and the business information based on a preset key and encryption algorithm to generate an application cryptogram. After that, the mobile terminal can receive, through the NFC module, the verification information carrying the application cryptogram sent by the IC card end, and send a business confirmation message carrying the verification information to the server system. On this basis, the server system can implement security authentication of the network service by verifying the application cryptogram. It can be seen that performing dynamic password security authentication for transactions through the IC card end is not only more secure than a pure software approach; in addition, the NFC module configured on the mobile terminal can be used to implement information exchange between the mobile terminal and the IC card end, so the information exchanged between the IC card end and the mobile terminal does not have to be entered manually by the user, which is more convenient for the user than a hardware electronic cipher device. Furthermore, compared with an electronic cipher device, an IC card is easier to carry and costs less.
The specific implementation of the method, device and system for implementing security authentication in the embodiments of the present invention is described in detail below through embodiments, with reference to the accompanying drawings.
Exemplary method
Referring to Fig. 1, a schematic flowchart of a method for implementing security authentication in an embodiment of the present invention is shown. The method is applied to an IC card end. In this embodiment, the method may, for example, comprise the following steps:
Step 101: receive a random number and business information sent by the mobile terminal through a near-field communication (NFC) module, wherein the random number is returned to the mobile terminal by the server system in response to a service request initiated by the mobile terminal for a network service, the business information is used to describe the network service, and the NFC module is configured on the mobile terminal.
In a specific implementation, the user can trigger a network service on the mobile terminal, and the mobile terminal, in response to the user's triggering operation, can initiate a service request for the network service to the server system corresponding to the network service. In response to the service request, the server system can feed back a random number to the mobile terminal according to the network service. After receiving the random number fed back by the server system, the mobile terminal can send the random number and the business information describing the network service to the IC card end. It can be understood that, in this embodiment, the mobile terminal is configured with an NFC module, and the NFC module can carry out near-field communication with the IC card end; that is, information exchange between the mobile terminal and the IC card end can be implemented through the NFC module configured on the mobile terminal. For example, in step 101, the mobile terminal can send the random number and the business information through its NFC module to an IC card end that meets the conditions for near-field communication.
It should be noted that the network service referred to in this embodiment can be any business function provided over a network. For example, in one example application scenario, the network service can be an online transaction service. Specifically, the online transaction service can be a transfer service, a payment service, an inquiry service, a financial service, and so on. In addition, the business information referred to in this embodiment is information used to describe the network service; in other words, the business information can be some of the basic information contained in the network service triggered by the user. For example, if the network service is an online transaction service, the business information may include the transaction date, the transaction amount and/or the transaction currency.
In this embodiment, the random number is data dynamically generated by the server system according to the service request sent by the mobile terminal. There is a unique correspondence between a random number and a service request; that is, the random numbers the server system generates for different service requests are necessarily different.
It can be understood that the devices involved in this embodiment can be implemented in many possible ways. For example, the mobile terminal that triggers the network service can be a mobile phone, a tablet computer, or any other mobile terminal that is configured with an NFC module and can trigger a network service. As another example, the IC card end can be configured on a payment card having a payment function. As yet another example, the server system can be an online payment system that provides the payment function for the payment card.
In one example application scenario, the payment card configured with the IC card end can be a financial IC card (such as a bank card with an IC chip), and the server system can be the network system of a financial business. The mobile terminal configured with the NFC module can have a client program of the financial business installed, and the mobile terminal can interact with the financial IC card and with the network system of the financial business through that client program.
Step 102: perform an encryption operation on the random number and the business information based on the key and encryption algorithm preset at the IC card end, to generate an application cryptogram.
In this embodiment, each IC card end is provided with a corresponding key, which is used to provide the application cryptogram for the network service. The encryption algorithm used to generate the application cryptogram can be, for example, a symmetric encryption algorithm, or it can be an asymmetric encryption algorithm.
In a specific implementation, after the IC card end receives the random number and business information sent by the mobile terminal, the IC card end can perform an encryption operation on the random number and the business information using the preset key and encryption algorithm. Specifically, step 102 may, for example, comprise: deriving a process key using the card key of the IC card end and the count of the network service; and, based on the process key, performing an encryption operation on the random number using a symmetric key algorithm to generate the application cryptogram.
It should be noted that asymmetric key algorithms are mainly used for offline payment, and in the case of online payment an asymmetric key algorithm may cause the electronic cash on the customer's card to be deducted by mistake. Therefore, when the network service is an online transaction service, a symmetric encryption algorithm is more suitable for the IC card end to generate the application cryptogram.
In some implementations of this embodiment, if the network service is an online transaction service, a transaction counter can be provided in the IC card end to count network services. Specifically, each time business information sent by the mobile terminal is received, the IC card end can increment the number of transactions. After the IC card end receives the random number and business information sent by the mobile terminal, it derives a process key using the card key preset at the IC card end and the application counter's count result for the network service; then, based on the process key, it uses a symmetric key algorithm to perform an encryption operation on the random number, the business information and the count result of the network service, to generate the application cryptogram.
Step 103: sending the verifying letter for carrying the application cryptogram to the mobile terminal by the NFC module Breath, so that the server system receives the business confirmation message for carrying the verification information of the mobile terminal transmission simultaneously The application cryptogram is verified.
In some embodiments of the present embodiment, the verification information can also for example carry what the IC card used Card serial number, distributed key index DKI, cipher-text versions number and algorithm mark, so as to the server system using the card serial number, The DKI, the cipher-text versions number and algorithm mark verify the application cryptogram.
When specific implementation, after IC card end generates application cryptogram, the verification information for carrying the application cryptogram is sent to shifting Dynamic terminal.Wherein, verification information can also include: card serial number, the distributed key that IC card uses other than carrying application cryptogram Index DKI, cipher-text versions number, algorithm mark etc..Then, mobile terminal sends the business confirmation message for carrying verification information To server system.Server system can based on the verification information in business confirmation message terminal, obtain the application cryptogram, The card serial number, the DKI, the cipher-text versions number and the algorithm mark, and can using the card serial number, the DKI, The cipher-text versions number and algorithm mark verify the application cryptogram.
In some implementations of this embodiment, after receiving the verification information sent by the IC card end, the mobile terminal may further display the application cryptogram and prompt the customer to confirm the network service and enter the business confirmation code for carrying out the network service, where the business confirmation code can also be understood as a transaction password. The mobile terminal then sends the business confirmation code entered by the user, together with the verification information, to the server system. That is, the business confirmation message received by the server system may contain, in addition to the verification information, the business confirmation code entered by the user. The business confirmation code may be entered when the user confirms execution of the network service on the mobile terminal. For example, if the network service is an online transaction service, the business confirmation code may be the transaction password entered by the user.
In this embodiment, the process by which the server system verifies the received application cryptogram may include, for example: verifying the business confirmation code entered by the user, checking whether the IC card has been reported lost, and checking whether the card issuer random number and the IC card number have been tampered with. If all of the above checks pass, the server system derives the card key from the preset card issuer key, the received card number of the IC card end and the card serial number used by the IC card; it then derives the process key from the card key and the transaction counter's count result for the network service; then, on the basis of the process key, it uses the symmetric key algorithm to generate an application cryptogram from the random number and the business information. The application cryptogram generated at the IC card end is matched against the application cryptogram generated by the server system. If they match, the server system then determines whether the subsequent network service operation can be carried out: if the operation succeeds, it feeds prompt information back to the mobile terminal to inform the customer that the transaction succeeded; if the operation fails, it feeds prompt information back to the mobile terminal to inform the user of the reason the transaction failed. If they do not match, the server system directly feeds prompt information back to the mobile terminal to inform the user that dynamic password verification failed.
It can be understood that, where the network service is an online transaction service, before the information exchange between the IC card end and the mobile terminal is used for the security authentication of an online transaction, the user can bind the bank card account to the IC card end through the counter, online banking, telephone or similar channels, so that the contracted IC card end serves as the identity authentication used to verify transactions.
It should be noted that, when a network service is carried out, the network service may fail if the user for some reason uses the wrong IC card. For this reason, in some implementations of this embodiment, the mobile terminal first verifies the card number provided by the IC card end and only then requests the application cryptogram from the IC card end. Specifically, before step 101 the method may further include: sending the card number of the IC card end to the mobile terminal through the NFC module, so that the mobile terminal, on finding that the card number sent by the IC card end is identical to the card number returned by the server system for the service request, sends the random number and the business information to the IC card end through the NFC module. In addition, if the card number sent by the IC card end and the card number returned by the server system for the service request are not identical, the mobile terminal can feed back information indicating a card number error.
It can be understood that, where the network service is an online transaction service, if the card number information obtained on the mobile terminal from the IC card end matches the card number information obtained from the server system, the IC card end is the one contracted for the bank card account carrying out the transaction.
It should be noted that the server system sometimes offers the user several authentication modes. If the user has set the authentication mode in the server system in advance to dynamic password authentication by IC card end, the mobile terminal can execute the security authentication procedure of the IC card end. Specifically, some implementations of this embodiment may further include, for example: after sending the service request for the network service to the server system, the mobile terminal receives the authentication mode returned by the server system for the service request; in response to recognizing that the authentication mode is dynamic password authentication, the mobile terminal displays the card number returned by the server. Specifically, where the network service is an online transaction service, the user initiates a transaction request through the mobile terminal, and the mobile terminal sends the transaction request to the server system. According to the transaction request, the server system determines whether the bank card account carrying out the transaction has contracted an IC card as its authentication means; if an IC card has been contracted, it generates the card issuer random number, which is the random number mentioned above. The server system feeds the contracted IC card number, the card issuer random number and the authentication mode indicating IC card end dynamic password authentication back to the mobile terminal, so that the mobile terminal executes the IC card end security authentication procedure when it recognizes that the authentication mode is dynamic password authentication. If no IC card number has been contracted, the server system can determine which form of authentication mode the user has contracted and feed that authentication mode back to the mobile terminal.
With the method provided by this embodiment, while the user carries out a network service, dynamic password authentication between the mobile terminal and the server system is implemented using the IC card end: the mobile terminal exchanges information with the IC card end through the NFC module and obtains information such as the application cryptogram generated by the IC card end, and the server system then verifies the application cryptogram generated by the IC card end. Using an IC card as the authentication device for the dynamic password is therefore more secure than a software approach, and more convenient to operate and lower in cost than an electronic cipher device.
Referring to Fig. 2, a flow diagram of a method for implementing security authentication in an embodiment of the present invention is shown. The method is applied to a mobile terminal. In this embodiment, the method may include, for example, the following steps:
Step 201: send a service request for a network service to the server system.
Step 202: receive the random number and business information returned by the server system in response to the service request, the business information being used to describe the network service, and the mobile terminal being configured with the NFC module.
Step 203: send the random number and the business information to the IC card end through the NFC module, the business information being used to describe the network service.
Step 204: receive, through the NFC module, the verification information sent by the IC card end.
Step 205: send the business confirmation message carrying the verification information to the server system, so that the server system verifies the application cryptogram.
Wherein, the verification information carries the application cryptogram, which the IC card end generates by encrypting the random number and the business information based on the key preset in the IC card end and an encryption algorithm.
It should be noted that the network service, business information, random number, mobile terminal, IC card end and server system mentioned in this embodiment are described in detail in the embodiment corresponding to Fig. 1 above and are not described again here.
In some implementations of this embodiment, the mobile terminal may be, for example, a mobile phone, a tablet computer or any other mobile terminal that is configured with an NFC module and can trigger a network service; the IC card end may be configured, for example, on a payment card with a payment function; and the server system may be, for example, an online payment system that provides the payment function for the payment card.
In this embodiment, the process by which the server system verifies the application cryptogram is described in the embodiment corresponding to Fig. 1 above and is not described again here.
In some implementations of this embodiment, sending the business confirmation message carrying the verification information to the server system in step 205 may specifically include: in response to a confirmation operation for the service request, the mobile terminal obtains the business confirmation code entered under the confirmation operation; the mobile terminal generates the business confirmation message based on the verification information and the business confirmation code; and the mobile terminal sends the business confirmation message to the server system. It can be understood that, after the mobile terminal receives the verification information sent by the IC card end, the mobile terminal can prompt the user to confirm the transaction and enter the business confirmation code. After the user has performed the confirmation operation and entered the business confirmation code, the mobile terminal can send the verification information and the business confirmation code to the server system as the business confirmation message.
It should be noted that, where the network service is an online transaction service, the business confirmation code may be, for example, the transaction password of the account carrying out the network service.
In this embodiment, before step 202, the card number of the IC card end can be verified, to check whether the IC card end interacting with the mobile terminal is the IC card corresponding to the network service. Specifically, some implementations of this embodiment may further include: after sending the service request to the server system, the mobile terminal receives the card number returned by the server system for the service request; the mobile terminal receives, through the NFC module, the card number sent by the IC card end; the mobile terminal compares whether the card number sent by the IC card end and the card number returned by the server system are identical; if they are identical, the mobile terminal executes step 203.
More specifically, after the mobile terminal sends the service request for the network service to the server, if an IC card has been contracted as the dynamic password authentication means, the server system feeds the card number of the contracted IC card back to the mobile terminal. The mobile terminal interacts with the IC card end through the NFC module and obtains the card number of the IC card, then compares the card number of the contracted IC card obtained from the server with the card number obtained from the IC card end. If the two card numbers are identical, step 203 is executed.
It should be noted that, where the network service is an online transaction service, the card number returned by the server system may correspond to the IC card bound to the bank card account involved in the online transaction service. The card number obtained from the IC card end is the card number of the IC card end that exchanges information with the mobile terminal.
In other implementations of this embodiment, in addition to the mobile terminal verifying the card number of the IC card end, the method may further include: after receiving the card number returned by the server system, the mobile terminal displays the card number returned by the server, as a prompt for the mobile terminal to acquire the card number sent by the IC card end.
More specifically, after the mobile terminal sends the service request for the network service to the server system, if an IC card has been contracted as the dynamic password authentication means, the server system feeds the card number of the contracted IC card back to the mobile terminal, and the card number returned by the server is displayed on the mobile terminal. The user can then select the IC card according to the displayed card number and have it interact with the mobile terminal, and the mobile terminal obtains, through the NFC module, the number of the IC card interacting with it.
It can be understood that, when the card number of the IC card end is verified on the mobile terminal, the comparison may also be made by the user; when the user confirms that the comparison succeeded, the user can manually trigger the mobile terminal to execute step 203.
In other implementations of this embodiment, the card number of the IC card end may also be verified on the server system. Specifically, after the mobile terminal collects the card number of the IC card end, it sends that card number to the server system as part of the business confirmation message; the server system then compares the contracted card number with the card number in the business confirmation message, and if the comparison succeeds, it verifies the application cryptogram.
In this embodiment, the server system may provide several authentication modes for the network service. For example, besides the mode that uses an IC card as the dynamic password authentication tool, there may also be a software token mode, a mode that uses an electronic cipher device as the dynamic password authentication tool, and any one or more other modes that can be used for dynamic password authentication on the mobile terminal. Where the server system provides several authentication modes for the network service, after receiving the service request the server can feed the authentication mode preset by the user back to the mobile terminal, and the mobile terminal then carries out the corresponding security authentication according to the authentication mode received. Specifically, in some implementations of this embodiment, the method may further include, after step 201: after sending the service request for the network service to the server system, the mobile terminal receives the authentication mode returned by the server system for the service request; in response to recognizing that the authentication mode is dynamic password authentication, the mobile terminal displays the card number returned by the server.
More specifically, after the mobile terminal has sent the service request for the network service to the server system, the server system determines from the service request the authentication mode the user has contracted and feeds that authentication mode back to the mobile terminal. If the authentication mode received by the mobile terminal is IC card dynamic password authentication, the card number of the IC card contracted by the user is displayed on the mobile terminal. If the authentication mode received by the mobile terminal is some other mode than IC card dynamic password, the corresponding verification operation is carried out according to that specific authentication mode.
With the method provided by this embodiment, while the user carries out a network service, dynamic password authentication between the mobile terminal and the server system is implemented using the IC card end: the mobile terminal exchanges information with the IC card end through the NFC module and obtains information such as the application cryptogram generated by the IC card end, and the server system then verifies the application cryptogram generated by the IC card end. Using an IC card as the authentication device for the dynamic password is therefore more secure than a software approach, and more convenient to operate and lower in cost than an electronic cipher device.
Referring to Fig. 3, a flow diagram of a method for implementing security authentication in an embodiment of the present invention is shown. In this embodiment, the method may include, for example:
Step 301: in response to a trigger operation by the user, the mobile terminal generates a service request for a network service.
Step 302: the mobile terminal sends the service request to the server system.
Step 303: after receiving the service request, the server system determines whether the authentication mode is IC card dynamic password authentication.
In this embodiment, the dynamic password authentication mode may be the IC card dynamic password mode, the electronic cipher device mode, or another authentication mode that can implement a dynamic password for transactions on the mobile terminal. Therefore, after the server system receives the service request, it needs to determine whether the authentication mode is IC card dynamic password authentication.
Step 304: if the authentication mode is IC card dynamic password authentication, the server system generates a random number and returns the card number of the contracted IC card end, the authentication mode and the random number to the mobile terminal.
Step 305: in response to the IC card dynamic password authentication, the mobile terminal displays the card number of the IC card end, to prompt the user to select the corresponding IC card end to interact with the mobile terminal.
In this embodiment, the mobile terminal determines from the authentication mode received whether it is IC card dynamic password authentication; if so, it displays the card number, to prompt the user to select the corresponding IC card to interact with the mobile terminal.
Step 306: the mobile terminal sends the random number and the business information to the IC card end.
Step 307: the IC card end encrypts the random number and the business information based on the preset key and encryption algorithm, generating the application cryptogram.
In this embodiment, each IC card is provided with a corresponding key, which is used to encrypt the random number and business information received. The encryption algorithm may be, for example, a symmetric encryption algorithm, or the Rivest-Shamir-Adleman (RSA) algorithm.
After the IC card end receives the random number and business information sent by the mobile terminal, it encrypts the random number and the business information using the key and encryption algorithm preset in the IC card end. Specifically, step 307 may include, for example: deriving the process key from the card key of the IC card end and the count of the network service; and, based on the process key, encrypting the random number with a symmetric key algorithm to generate the application cryptogram.
Step 308: the IC card end sends the verification information carrying the application cryptogram to the mobile terminal.
In this embodiment, the verification information also carries the card serial number used by the IC card, the derivation key index (DKI), the cryptogram version number and the algorithm identifier, so that the server system can use the card serial number, the DKI, the cryptogram version number and the algorithm identifier to verify the application cryptogram.
Step 309: the mobile terminal sends the business confirmation message carrying the verification information to the network server.
In this embodiment, this step includes: in response to a confirmation operation for the service request, obtaining the business confirmation code entered under the confirmation operation; generating the business confirmation message based on the verification information and the business confirmation code; and sending the business confirmation message to the server system.
In this embodiment, after the mobile terminal receives the verification information carrying the application cryptogram, it displays the verification information, prompts the user to enter the business confirmation code that confirms the network service, and sends the business confirmation code and the verification information to the server system as the business confirmation message.
Step 310: the network server verifies the application cryptogram according to the business confirmation message.
In this embodiment, after receiving the business confirmation message, the network server determines from the received card number of the IC card end whether the IC card has been reported lost, verifies the business confirmation code entered by the user, and checks whether the contracted IC card number and the random number have been tampered with. If the IC card has not been reported lost, the business confirmation code is correct, and the contracted IC card number and the random number have not been tampered with, the server derives the card key from the preset card issuer key, the card number of the IC card end and the card serial number used by the IC card end; derives the process key from the card key and the count of the network service; and then, according to the process key, uses the symmetric key algorithm to generate an application cryptogram. The application cryptogram generated by the server system is matched against the application cryptogram obtained from the IC card end; if the two application cryptograms are identical, verification succeeds.
Step 311: if verification succeeds, the server system determines whether to execute the network service and feeds the transaction result back to the mobile terminal.
After verification succeeds, the server system determines whether to execute the network service, for example subsequent operations such as a transfer or a payment, and feeds the final transaction result back to the mobile terminal, to inform the customer whether the transaction succeeded.
With the method provided by this embodiment, the IC card acts as the authentication device for the dynamic password and interacts with the mobile terminal; business verification information is generated during that interaction and is verified by the server system. Using an IC card as the authentication device for the dynamic password is therefore more secure than a software approach, and more convenient to operate and lower in cost than an electronic cipher device.
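The key derivation chain and cryptogram check of steps 304 to 310 can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 stands in for both the key derivation and the unspecified symmetric key algorithm, the counter is assumed to travel with the verification information, and all class names, field names and sample values are constructed.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()


def derive_card_key(issuer_key: bytes, card_number: str, card_serial: str) -> bytes:
    # Card issuer key + card number + card serial number -> per-card key.
    return _mac(issuer_key, b"card-key", card_number.encode(), card_serial.encode())


def derive_process_key(card_key: bytes, counter: int) -> bytes:
    # Card key + transaction count -> process key used for one cryptogram.
    return _mac(card_key, b"process-key", counter.to_bytes(4, "big"))


def application_cryptogram(process_key: bytes, random_number: bytes,
                           business_info: str, counter: int) -> bytes:
    return _mac(process_key, b"cryptogram", random_number,
                business_info.encode(), counter.to_bytes(4, "big"))


class ICCard:
    """IC card end: holds only its own card key and a transaction counter."""

    def __init__(self, card_number: str, card_serial: str, card_key: bytes):
        self.card_number, self.card_serial = card_number, card_serial
        self._card_key, self._counter = card_key, 0

    def generate(self, random_number: bytes, business_info: str) -> dict:
        self._counter += 1  # counted once per business message received
        process_key = derive_process_key(self._card_key, self._counter)
        return {  # the verification information handed back over NFC
            "card_number": self.card_number,
            "card_serial": self.card_serial,
            "counter": self._counter,  # assumption: sent alongside the cryptogram
            "cryptogram": application_cryptogram(
                process_key, random_number, business_info, self._counter),
        }


class ServerSystem:
    def __init__(self, issuer_key: bytes):
        self._issuer_key = issuer_key
        self.accounts = {}   # account -> contracted card, confirmation code, status
        self._pending = {}   # account -> (random number, business info) awaiting proof

    def contract(self, account: str, card_number: str, confirmation_code: str):
        # Constructed simplification: a real system would not keep the code in clear.
        self.accounts[account] = {"card_number": card_number, "code": confirmation_code,
                                  "lost": False, "last_counter": 0}

    def request(self, account: str, business_info: str):
        random_number = secrets.token_bytes(16)
        self._pending[account] = (random_number, business_info)
        return self.accounts[account]["card_number"], random_number

    def verify(self, account: str, confirmation_code: str, info: dict) -> str:
        record = self.accounts[account]
        pending = self._pending.pop(account, None)  # each random number is single use
        if pending is None:
            return "no pending challenge"
        if not hmac.compare_digest(confirmation_code.encode(), record["code"].encode()):
            return "bad confirmation code"
        if record["lost"]:
            return "card reported lost"
        if info["card_number"] != record["card_number"]:
            return "card number mismatch"
        if info["counter"] <= record["last_counter"]:
            return "stale counter"
        random_number, business_info = pending  # server's own copies, not the terminal's
        card_key = derive_card_key(self._issuer_key, info["card_number"], info["card_serial"])
        process_key = derive_process_key(card_key, info["counter"])
        expected = application_cryptogram(process_key, random_number,
                                          business_info, info["counter"])
        if not hmac.compare_digest(expected, info["cryptogram"]):
            return "cryptogram mismatch"
        record["last_counter"] = info["counter"]
        return "ok"


def demo() -> list:
    issuer_key = bytes(range(32))                      # constructed sample key
    number, serial, code = "6200000000000001", "01", "135790"  # constructed values
    server = ServerSystem(issuer_key)
    server.contract("acct-1", number, code)
    card = ICCard(number, serial, derive_card_key(issuer_key, number, serial))
    results = []
    _, rnd = server.request("acct-1", "transfer 100.00 to acct-2")
    info = card.generate(rnd, "transfer 100.00 to acct-2")
    results.append(server.verify("acct-1", code, info))   # honest flow
    results.append(server.verify("acct-1", code, info))   # replayed message
    _, rnd = server.request("acct-1", "transfer 100.00 to acct-2")
    altered = card.generate(rnd, "transfer 900.00 to acct-9")  # card shown other details
    results.append(server.verify("acct-1", code, altered))
    return results
```

Because the server recomputes the cryptogram from its own stored random number and business information, any change to either value between server, terminal and card surfaces as a mismatch rather than needing a separate tamper check.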
Example devices
Referring to Fig. 4, a structural schematic diagram of a device for implementing security authentication in an embodiment of the present invention is shown. The device is configured at the IC card end. In this embodiment, the device may specifically include:
Receiving unit 401, for receiving, through the near-field communication (NFC) module, the random number and business information sent by the mobile terminal, the random number being returned to the mobile terminal by the server system in response to the service request the mobile terminal initiated for the network service, the business information being used to describe the network service, and the mobile terminal being configured with the NFC module.
Generation unit 402, for encrypting the random number and the business information based on the key and encryption algorithm preset in the IC card end, generating the application cryptogram.
First transmission unit 403, for sending the verification information carrying the application cryptogram to the mobile terminal through the NFC module, so that the server system receives the business confirmation message, carrying the verification information, that the mobile terminal sends, and verifies the application cryptogram.
Optionally, in this embodiment, the generation unit includes:
A derivation subunit, for deriving the process key from the card key of the IC card end and the count of the network service.
A generation subunit, for encrypting the random number with a symmetric key algorithm based on the process key, generating the application cryptogram.
Optionally, this embodiment further includes:
Second transmission unit, for sending the card number of the IC card end to the mobile terminal through the NFC module, so that the mobile terminal, on finding that the card number sent by the IC card end is identical to the card number returned by the server system for the service request, sends the random number and the business information to the IC card end through the NFC module.
The network service is an online transaction service, the IC card end is configured on a payment card with a payment function, and the server system is an online payment system that provides the payment function for the payment card.
With the device provided by this embodiment, while the user carries out a network service, dynamic password authentication between the mobile terminal and the server system is implemented using the IC card end: the mobile terminal exchanges information with the IC card end through the NFC module and obtains information such as the application cryptogram generated by the IC card end, and the server system then verifies the application cryptogram generated by the IC card end. Using an IC card as the authentication device for the dynamic password is therefore more secure than a software approach, and more convenient to operate and lower in cost than an electronic cipher device.
Referring to Fig. 5, a schematic diagram of a device for implementing security authentication in an embodiment of the present invention is shown. In this embodiment, the device includes:
First transmission unit 501, for sending a service request for a network service to the server system;
First receiving unit 502, for receiving the random number returned by the server system in response to the service request;
Second transmission unit 503, for sending the random number and business information to the IC card end through the NFC module, the business information being used to describe the network service, and the mobile terminal being configured with the NFC module;
Second receiving unit 504, for receiving, through the NFC module, the verification information sent by the IC card end;
Second transmission unit 505, for sending the business confirmation message carrying the verification information to the server system, so that the server system verifies the application cryptogram;
Wherein, the verification information carries the application cryptogram, which the IC card end generates by encrypting the random number and the business information based on the key preset in the IC card end and an encryption algorithm.
In this embodiment, the verification information also carries the card serial number of the IC card, the derivation key index (DKI), the cryptogram version number and the algorithm identifier of the symmetric key algorithm, so that the server system can use the card serial number, the DKI, the cryptogram version number and the algorithm identifier to verify the application cryptogram;
Wherein, the application cryptogram is specifically generated by the IC card end deriving the process key from the card key of the IC card end and the count of the network service, and encrypting the random number with a symmetric key algorithm based on the process key.
In this embodiment, the second transmission unit specifically includes:
An obtaining subunit, for obtaining, in response to a confirmation operation for the service request, the business confirmation code entered under the confirmation operation;
A generation subunit, for generating the business confirmation message based on the verification information and the business confirmation code;
A first transmission subunit, for sending the business confirmation message to the server system.
This embodiment further includes:
Second receiving unit, for receiving, after the service request is sent to the server system, the card number returned by the server system for the service request.
Third receiving unit, for receiving, through the NFC module, the card number sent by the IC card end.
Comparing unit, for comparing whether the card number sent by the IC card end and the card number returned by the server system are identical.
First execution unit, for executing, if they are identical, the sending of the random number and business information to the IC card end through the NFC module.
Display unit, for displaying, after the card number returned by the server system is received, the card number returned by the server, as a prompt for the mobile terminal to acquire the card number sent by the IC card end.
Fourth receiving unit, for receiving, after the service request for the network service is sent to the server system, the authentication mode returned by the server system for the service request.
Second execution unit, for executing, in response to recognizing that the authentication mode is dynamic password authentication, the display of the card number returned by the server.
With the equipment provided by this embodiment, while the user carries out a network service, dynamic password authentication between the mobile terminal and the server system is implemented using the IC card end: the mobile terminal exchanges information with the IC card end through the NFC module and obtains information such as the application cryptogram generated by the IC card end, and the server system then verifies the application cryptogram generated by the IC card end. Using an IC card as the authentication device for the dynamic password is therefore more secure than a software approach, and more convenient to operate and lower in cost than an electronic cipher device.
Referring to Fig. 6, a structural schematic diagram of a system for implementing security authentication in an embodiment of the present invention is shown. In this embodiment, the system includes:
IC card end 601, mobile terminal 602 and server system 603.
Wherein, the IC card end is configured with the device provided by the embodiment corresponding to Fig. 4, and the mobile terminal is configured with the device provided by the embodiment corresponding to Fig. 5.
The server system is used to generate the random number and to verify the cryptogram generated by the IC card end.
In this embodiment, after the mobile terminal triggers a request for a network service, it sends the network service request to the server system. The server system generates a random number and returns it to the mobile terminal. The mobile terminal sends the random number, together with the business information describing the network service, to the IC card end through the NFC module. The IC card end generates the application cryptogram from the random number and the business information and sends the verification information carrying the application cryptogram to the mobile terminal through the NFC module. The mobile terminal sends the business confirmation message carrying the verification information to the server system, and the server system verifies the application cryptogram according to the business confirmation message.
With the system provided by this embodiment, while a user carries out a network service, dynamic password authentication between the mobile terminal and the server system is implemented using the IC card end: the mobile terminal exchanges information with the IC card end through the NFC module and obtains information such as the application cryptogram generated by the IC card end, and the server system then verifies that application cryptogram. Using an IC card as the authentication device for dynamic passwords is therefore more secure than a software-based approach, and more convenient to operate and lower in cost than an electronic cipher device.
The word "first" in names such as "first transmission unit" and "first receiving unit" mentioned in the embodiments of the present invention serves only as a naming label and does not denote first in order. The same rule applies to "second" and so on.
From the above description of the embodiments, those skilled in the art can clearly understand that all or part of the steps of the methods in the above embodiments can be implemented by software plus a general-purpose hardware platform. Based on this understanding, the technical solution of the present invention can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as read-only memory (ROM)/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, or a network communication device such as a router) to execute the methods described in the embodiments, or in certain parts of the embodiments, of the present invention.
The embodiments in this specification are described in a progressive manner. For parts that are the same or similar between embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, because the method embodiments and device embodiments are substantially similar to the system embodiment, they are described relatively briefly; for the relevant parts, see the description of the system embodiment. The device and system embodiments described above are only schematic: the modules described as separate parts may or may not be physically separate, and the components shown as modules may or may not be physical modules, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention. It should be noted that those skilled in the art may make several improvements and refinements without departing from the present invention, and these improvements and refinements shall also be regarded as falling within the scope of protection of the present invention.

Claims (14)

1. A method for realizing security authentication, characterized in that it is applied to an IC card end and comprises:
receiving a random number and business information sent by a mobile terminal through a near-field communication (NFC) module, wherein the random number is returned by a server system to the mobile terminal in response to a service request initiated by the mobile terminal for a network service, the business information is used to describe the network service, and the NFC module is configured on the mobile terminal; the network service is triggered by a user on the mobile terminal;
performing an encryption operation on the random number and the business information based on a key and an encryption algorithm preset in the IC card end, to generate an application cryptogram;
sending verification information carrying the application cryptogram to the mobile terminal through the NFC module, so that the server system receives a business confirmation message, sent by the mobile terminal, that carries the verification information, and verifies the application cryptogram.
2. The method according to claim 1, characterized in that:
performing the encryption operation on the random number and the business information based on the key and encryption algorithm preset in the IC card end to generate the application cryptogram comprises: deriving a process key from the card key of the IC card end and the count of the network service; and performing an encryption operation on the random number with a symmetric key algorithm based on the process key, to generate the application cryptogram;
the verification information also carries the card serial number, the distributed key index DKI, the ciphertext version number and the algorithm identifier used by the IC card, so that the server system verifies the application cryptogram using the card serial number, the DKI, the ciphertext version number and the algorithm identifier.
3. The method according to claim 1, characterized in that it further comprises:
sending the card number of the IC card end to the mobile terminal through the NFC module, so that the mobile terminal, upon determining by comparison that the card number sent by the IC card end is identical to the card number returned by the server system for the service request, sends the random number and the business information to the IC card end through the NFC module.
4. The method according to claim 1, characterized in that the network service is an online transaction service, the IC card end is configured on a payment card having a payment function, and the server system is an online payment system that provides the payment function for the payment card.
5. A method for realizing security authentication, characterized in that it is applied to a mobile terminal and comprises:
sending a service request for a network service to a server system; the network service is triggered by a user on the mobile terminal;
receiving a random number returned by the server system in response to the service request;
sending the random number and business information to an IC card end through an NFC module, wherein the business information is used to describe the network service and the NFC module is configured on the mobile terminal;
receiving, through the NFC module, verification information sent by the IC card end;
sending a business confirmation message carrying the verification information to the server system, so that the server system verifies an application cryptogram;
wherein the verification information carries the application cryptogram, and the application cryptogram is generated by the IC card end performing an encryption operation on the random number and the business information based on a key and an encryption algorithm preset in the IC card end.
6. The method according to claim 5, characterized in that the verification information also carries the card serial number of the IC card, the distributed key index DKI, the ciphertext version number and the algorithm identifier of the symmetric key algorithm, so that the server system verifies the application cryptogram using the card serial number, the DKI, the ciphertext version number and the algorithm identifier;
wherein the application cryptogram is specifically generated by the IC card end deriving a process key from the card key of the IC card end and the count of the network service, and performing an encryption operation on the random number with a symmetric key algorithm based on the process key.
7. The method according to claim 5, characterized in that it further comprises:
after sending the service request to the server system, receiving a card number returned by the server system for the service request;
receiving, through the NFC module, a card number sent by the IC card end;
comparing whether the card number sent by the IC card end and the card number returned by the server system are identical;
if they are identical, performing the sending of the random number and the business information to the IC card end through the NFC module.
8. The method according to claim 7, characterized in that it further comprises:
after receiving the card number returned by the server system, displaying the card number returned by the server, to prompt the mobile terminal to acquire the card number sent by the IC card end.
9. The method according to claim 8, characterized in that it further comprises:
after sending the service request for the network service to the server system, receiving an authentication mode returned by the server system for the service request;
in response to recognizing that the authentication mode is dynamic password authentication, performing the displaying of the card number returned by the server.
10. The method according to claim 5, characterized in that sending the business confirmation message carrying the verification information to the server system comprises:
in response to a confirmation operation for the service request, obtaining a business confirmation code entered during the confirmation operation;
generating the business confirmation message based on the verification information and the business confirmation code;
sending the business confirmation message to the server system.
11. The method according to claim 5, characterized in that the network service is an online transaction service, the IC card end is configured on a payment card having a payment function, and the server system is an online payment system that provides the payment function for the payment card.
12. A device for realizing security authentication, characterized in that it is configured at an IC card end and comprises:
a receiving unit, configured to receive a random number and business information sent by a mobile terminal through a near-field communication (NFC) module, wherein the random number is returned by a server system to the mobile terminal in response to a service request initiated by the mobile terminal for a network service, the business information is used to describe the network service, and the NFC module is configured on the mobile terminal; the network service is triggered by a user on the mobile terminal;
a generation unit, configured to perform an encryption operation on the random number and the business information based on a key and an encryption algorithm preset in the IC card end, to generate an application cryptogram;
a first transmission unit, configured to send verification information carrying the application cryptogram to the mobile terminal through the NFC module, so that the server system receives a business confirmation message, sent by the mobile terminal, that carries the verification information, and verifies the application cryptogram.
13. A device for realizing security authentication, characterized in that it is configured at a mobile terminal and comprises:
a first transmission unit, configured to send a service request for a network service to a server system; the network service is triggered by a user on the mobile terminal;
a first receiving unit, configured to receive a random number returned by the server system in response to the service request;
a second transmission unit, configured to send the random number and business information to an IC card end through an NFC module, wherein the business information is used to describe the network service and the NFC module is configured on the mobile terminal;
a second receiving unit, configured to receive, through the NFC module, verification information sent by the IC card end;
a second transmission unit, configured to send a business confirmation message carrying the verification information to the server system, so that the server system verifies an application cryptogram;
wherein the verification information carries the application cryptogram, and the application cryptogram is generated by the IC card end performing an encryption operation on the random number and the business information based on a key and an encryption algorithm preset in the IC card end.
14. A system for realizing security authentication, characterized in that it comprises an IC card end, a mobile terminal and a server system;
the IC card end is configured with the device according to claim 12, and the mobile terminal is configured with the device according to claim 13.
CN201610885216.XA 2016-10-10 2016-10-10 A kind of methods, devices and systems for realizing safety certification Active CN106209386B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610885216.XA CN106209386B (en) 2016-10-10 2016-10-10 A kind of methods, devices and systems for realizing safety certification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610885216.XA CN106209386B (en) 2016-10-10 2016-10-10 A kind of methods, devices and systems for realizing safety certification

Publications (2)

Publication Number Publication Date
CN106209386A CN106209386A (en) 2016-12-07
CN106209386B true CN106209386B (en) 2019-09-27

Family

ID=57521199

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610885216.XA Active CN106209386B (en) 2016-10-10 2016-10-10 A kind of methods, devices and systems for realizing safety certification

Country Status (1)

Country Link
CN (1) CN106209386B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107330700A (en) * 2017-07-04 2017-11-07 易联众信息技术股份有限公司 A kind of card security certification payment system
CN107295011B (en) * 2017-08-04 2020-09-04 杭州安恒信息技术股份有限公司 Webpage security authentication method and device
CN112866228B (en) * 2017-09-28 2023-04-18 中国银联股份有限公司 Method and device for controlling unauthorized access of web system
CN111062014A (en) * 2019-12-24 2020-04-24 中国银行股份有限公司 Security authentication method and device and electronic equipment
CN114492489B (en) * 2022-01-24 2022-10-21 芯电智联(北京)科技有限公司 NFC label verification system based on dynamic data

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101131756A (en) * 2006-08-24 2008-02-27 联想(北京)有限公司 Security authentication system, device and method for electric cash charge of mobile paying device
CN102542503A (en) * 2010-12-09 2012-07-04 同方股份有限公司 System and method for realizing bank security transaction by mobile communication terminal
CN104320779A (en) * 2014-11-13 2015-01-28 熊文俊 Near field communication authentication method based on U/SIM card authentication response and time-limited feedback
CN105046489A (en) * 2015-06-26 2015-11-11 深圳国微技术有限公司 Mobile payment method, mobile payment device and mobile payment

Also Published As

Publication number Publication date
CN106209386A (en) 2016-12-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant