CN106686585A - Binding method and system - Google Patents
Binding method and system Download PDFInfo
- Publication number
- CN106686585A CN106686585A CN201611118802.8A CN201611118802A CN106686585A CN 106686585 A CN106686585 A CN 106686585A CN 201611118802 A CN201611118802 A CN 201611118802A CN 106686585 A CN106686585 A CN 106686585A
- Authority
- CN
- China
- Prior art keywords
- binding
- client
- service end
- digital certificate
- unit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/02—Standardisation; Integration
- H04L41/0246—Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols
- H04L41/0273—Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols using web services for network management, e.g. simple object access protocol [SOAP]
- H04L41/0293—Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols using web services for network management, e.g. simple object access protocol [SOAP] for accessing web services by means of a binding identification of the management service or element
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
Abstract
An embodiment of the invention discloses a binding method and system. The method includes the steps in which, a client acquires device information if detecting a binding request, the device information including a device identification code and a communication number corresponding to an SIM card; the client sends the device information to a server in an encrypted manner so that the server assigns a verification number corresponding to the device information; the server uses the verification number to perform call verification with the client; if the call verification is successful, the server binds the communication number corresponding to the SIM card and the device identification code; and the server returns the binding result to the client. According to the embodiment of the invention, the legitimacy of the binding of the SIM card and the terminal device can be verified by means of call verification, man-in-the-middle attacks and pseudo base station attacks can be effectively prevented, the real-time performance and security of the binding process is also improved, and thus, the use safety of the terminal device is ensured.
Description
Technical field
The present invention relates to electronic technology field, more particularly to a kind of binding method and system.
Background technology
It is widely available with intelligent terminals such as smart mobile phones, in order to ensure the legal use intelligent terminal of user sets
It is standby, generally require to set on client identification module (Subscriber Identification Module, SIM) card and intelligent terminal
It is standby to be bound so that SIM legal operation on intelligent terminal.
At present, judge SIM whether on intelligent terminal the method for legal operation mainly by short message verification code and
The mode that system interface is called, but the mode real-time of short message verification code is poor, causes poor user experience, while fill in testing manually
Card code is also easily caused asks the safety that the identifying code obtained on other intelligent terminals is filled up on this intelligent terminal
Topic, and the mode that system interface is called there is also the safety problem that system interface is kidnapped by malicious code, therefore, existing SIM
There is potential safety hazard in the binding method of card and intelligent terminal, it is impossible to ensure the communication security of intelligent terminal, cause to get over
The security incident for carrying out more intelligent terminals occurs.
The content of the invention
The embodiment of the present invention provides a kind of binding method and system, can be by way of call verification by SIM and end
End equipment carries out legal bind, improves binding safety and the safety in utilization of terminal unit.
In a first aspect, embodiments providing a kind of binding method, the binding method includes:
If client detects bind request, facility information is obtained, wherein, the facility information includes equipment mark code
With the corresponding communicating number of client identification module card;
The facility information is sent to service end by the client by cipher mode so that the service end distributes institute
State the corresponding checking number of facility information;
The service end carries out call verification using the checking number with the client;
If the call verification success, the service end is by the corresponding communicating number of the client identification module card and institute
State equipment mark code to be bound;
Binding result is returned to the client by the service end.
On the other hand, a kind of binding system is embodiments provided, the binding system includes client and service end,
The client and the service end are attached by network;
The client includes:
Acquiring unit, if for detecting bind request, obtaining facility information, wherein, the facility information includes setting
Standby identification code and the corresponding communicating number of client identification module card;
Transmitting element, for the facility information to be sent to into service end by cipher mode;
First authentication unit, for completing call verification with the service end using checking number;
The service end includes:
Allocation unit, for distributing the facility information the corresponding checking number;
Second authentication unit, for carrying out the call verification with the client using the checking number;
Binding unit, if for the call verification success, by the corresponding communicating number of the client identification module card
Bound with the equipment mark code;
Returning unit, for binding result to be returned to into the client.
If the client of the embodiment of the present invention detects bind request, acquisition includes that equipment mark code is corresponding with SIM
Communicating number facility information, and the facility information is sent to into service end by cipher mode, service end distributes the equipment
The corresponding checking number of information, and call verification is carried out using the checking number and client, if call verification success, services
End confirms SIM legal operation in the corresponding client of the equipment mark code, by the corresponding termination number of SIM and equipment mark
Know code to be bound, and binding result is returned to into client, the side that the technical scheme of the embodiment of the present invention passes through call verification
Formula carries out the binding legitimate verification of SIM and terminal unit, can effectively prevent man-in-the-middle attack (Man-in-the-
Middle Attack, MITM) and pseudo-base station attack, and real-time and the safety of binding procedure are improved, so as to ensure that terminal sets
Standby safety in utilization.
Description of the drawings
In order to be illustrated more clearly that embodiment of the present invention technical scheme, below embodiment will be described needed for be used
Accompanying drawing is briefly described, it should be apparent that, drawings in the following description are some embodiments of the present invention, general for this area
For logical technical staff, on the premise of not paying creative work, can be with according to these other accompanying drawings of accompanying drawings acquisition.
Fig. 1 is a kind of schematic flow diagram of binding method that the embodiment of the present invention one is provided;
Fig. 2 is a kind of schematic flow diagram of binding method that the embodiment of the present invention two is provided;
Fig. 3 is a kind of schematic block diagram of binding system that the embodiment of the present invention three is provided;
Fig. 4 is a kind of binding system terminal schematic block diagram that the embodiment of the present invention four is provided..
Specific embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is carried out clear, complete
Site preparation is described, it is clear that described embodiment is a part of embodiment of the invention, rather than the embodiment of whole.Based on this
Embodiment in bright, the every other enforcement that those of ordinary skill in the art are obtained under the premise of creative work is not made
Example, belongs to the scope of protection of the invention.
It should be appreciated that when using in this specification and in the appended claims, term " including " and "comprising" are indicated
The presence of described feature, entirety, step, operation, element and/or component, but it is not precluded from one or more of the other feature, whole
The presence or addition of body, step, operation, element, component and/or its set.
It is also understood that mesh of the term used in this description of the invention merely for the sake of description specific embodiment
And be not intended to limit the present invention.As used in description of the invention and appended claims, unless on
Other situations are hereafter clearly indicated, otherwise " one " of singulative, " one " and " being somebody's turn to do " is intended to include plural form.
It will be further appreciated that, the term "and/or" used in description of the invention and appended claims is
Refer to any combinations of one or more in the associated item listed and be possible to combination, and including these combinations.
As in this specification and in the appended claims as use, term " if " can be according to context quilt
Be construed to " when ... " or " once " or " in response to determining " or " in response to detecting ".Similarly, phrase " if it is determined that " or
" if detecting [described condition or event] " can be interpreted to mean according to context " once it is determined that " or " in response to true
It is fixed " or " once detecting [described condition or event] " or " in response to detecting [described condition or event] ".
In implementing, the terminal described in the embodiment of the present invention including but not limited to such as has touch sensitive surface
Other of the mobile phone of (for example, touch-screen display and/or touch pad), laptop computer or tablet PC etc are just
Portable device.It is to be further understood that in certain embodiments, the equipment not portable communication device, but with touching
Touch the desk computer of sensing surface (for example, touch-screen display and/or touch pad).
In discussion below, the terminal for including display and touch sensitive surface is described.It is, however, to be understood that
It is that terminal can include one or more of the other physical user-interface device of such as physical keyboard, mouse and/or control-rod.
Terminal supports various application programs, such as it is following in one or more:Drawing application program, demonstration application journey
Sequence, word-processing application, website create application program, disk imprinting application program, spreadsheet applications, game application
Program, telephony application, videoconference application, email application, instant messaging applications, exercise
Support application program, photo management application program, digital camera application program, digital camera application program, web-browsing application
Program, digital music player application and/or video frequency player application program.
The various application programs that can be performed in terminal can be public using at least one of such as touch sensitive surface
Physical user-interface device.Can adjust among applications and/or in corresponding application programs and/or change and touch sensitive table
The corresponding information shown in the one or more functions and terminal in face.So, the public physical structure of terminal (for example, is touched
Sensing surface) can support that there are the various application programs of user interface directly perceived and transparent for a user.
Embodiment one:
Refer to Fig. 1, Fig. 1 is a kind of schematic flow diagram of binding method that the embodiment of the present invention one is provided, the present embodiment
Executive agent include client and service end, wherein, client can be terminal, and it can be specifically mobile phone or other intelligence
The equipment such as energy terminal, service end can be the functional module of server or server.Binding method shown in Fig. 1 can include
Following steps:
If S101, client detect bind request, facility information is obtained, wherein, the facility information includes equipment mark
Know code and the corresponding communicating number of client identification module card.
Specifically, when user inserts on client identification module (Subscriber Identification Module, SIM) card
After entering client, bind request can be triggered, client detects that bind request then obtains equipment mark code and SIM is corresponding
Communicating number.
When client is mobile phone terminal, the corresponding communicating number of SIM can be the corresponding phone number of SIM.
It should be noted that equipment mark code can be central processing unit (Central Processing Unit, CPU)
Identification code, because each client corresponds to unique CPU identification codes, CPU identification codes can be with unique mark client, therefore can
Using with CPU identification codes as equipment mark code.But because client can also include other chips.Such as safety chip, safety
By using fixed commercial cipher algorithm, realizing the encryption and decryption to data, for example, safety chip can use state to chip
Produce A3 chips.Terminal with safety chip can be encrypted to communication process, it is ensured that communication security, while being stored in safety
Information Security in chip is higher, is difficult to be stolen, and each safety chip carries unique serial number when dispatching from the factory, therefore
Client can be uniquely corresponding to safety chip, it is also possible to using the serial number of safety chip in client as device identification
Code unique mark client, is not limited herein.
Facility information is sent to service end by S102, client by cipher mode so that service end distributes the equipment letter
Cease corresponding checking number.
Specifically, the facility information comprising equipment mark code and the corresponding communicating number of SIM is passed through encryption by client
Mode be sent to service end, service end is received after the facility information, is that the facility information distributes corresponding checking number.
Multiple checking numbers it should be noted that service end can prestore, after facility information is received, service end can be with
A checking number is randomly choosed from the multiple checking numbers for prestoring corresponding with the facility information.
S103, service end carry out call verification using checking number and client.
Specifically, service end carries out call verification using the checking number that step S102 is distributed with client, by client
The checking number is dialed at end, and service end completes call verification to the mode that the calling legitimacy of client is verified.
If S104, call verification success, service end is tied up the corresponding communicating number of SIM and equipment mark code
It is fixed.
Specifically, if call verification success, service end confirms that SIM is closed in the corresponding client of equipment mark code
Method is run, and service end is bound the corresponding communicating number of SIM and equipment mark code, and preserves binding information, the binding
Information can include facility information and binding relationship, the binding relationship be the corresponding communicating number of SIM and equipment mark code it
Between unique corresponding relation.
If call verification fails, service end assert SIM Hacking Run in the corresponding client of equipment mark code,
Bindings are not carried out.
Binding result is returned to client by S105, service end.
Specifically, if the call verification success of step S104, service end returns to the binding result of binding success
Client, if the call verification failure of step S104, the binding result of Bind Failed is returned to client by server.
Client is received after binding result, if binding result is binding success, client allows user in this visitor
Family end is communicated using the SIM, if binding result is Bind Failed, client thinks that the SIM is illegal, will forbid
User is communicated in this client using the SIM.
Knowable to the binding method of above-mentioned Fig. 1 examples, in the present embodiment, if client detects bind request, obtain
Including equipment mark code and the facility information of the corresponding communicating number of SIM, and the facility information is sent by cipher mode
To service end, service end distributes the facility information corresponding checking number, and is called with client using the checking number
Checking, if call verification success, service end confirms SIM legal operation in the corresponding client of the equipment mark code, will
The corresponding termination number of SIM and equipment mark code are bound, and binding result is returned to into client, the embodiment of the present invention
Technical scheme the binding legitimate verification of SIM and terminal unit is carried out by way of call verification, can effectively prevent
Man-in-the-middle attack and pseudo-base station are attacked, and improve real-time and the safety of binding procedure, so as to ensure the use of terminal unit
Safety.
Embodiment two:
Refer to Fig. 2, Fig. 2 is a kind of schematic flow diagram of binding method that the embodiment of the present invention two is provided, the present embodiment
Executive agent include client and service end, wherein, client can be terminal, and it can be specifically mobile phone or other intelligence
The equipment such as energy terminal, service end can be the functional module of server or server.Binding method shown in Fig. 2 can include
Following steps:
S201, client generate Binding key pair according to equipment mark code, and the Binding key is to including binding public key and tying up
Determine private key.
Specifically, client in starting up, can obtain the equipment mark code of this client, and using the equipment mark
Know code to generate Binding key pair by asymmetric key algorithm and preserve, the Binding key is to private including binding public key and binding
Key.
It should be noted that equipment mark code can be CPU identification codes, because each client corresponds to unique CPU
Identification code, CPU identification codes with unique mark client, therefore can use CPU identification codes as equipment mark code.But due to visitor
Family end can also include other chips.Such as safety chip, safety chip is by the way that using fixed commercial cipher algorithm, it is right to realize
The encryption and decryption of data, for example, safety chip can use domestic A3 chips.Terminal with safety chip can be to communication
Process is encrypted, it is ensured that communication security, while the Information Security being stored in safety chip is higher, is difficult to be stolen, often
Individual safety chip all carries unique serial number when dispatching from the factory, therefore client can also may be used with uniquely corresponding to safety chip
The serial number of safety chip is not limited herein as equipment mark code unique mark client using in using client.
S202, client are using equipment mark code and bind public key, to service end application digital certificate.
Specifically, client, can be by step to service end application digital certificate using equipment mark code and binding public key
Rapid S2021 is completed to step S2024, is described in detail as follows:
Equipment mark code and binding public key are sent to service end by S2021, client.
Specifically, the binding public key that client generates equipment mark code and step S201, is sent to by internet message
Service end.
S2022, service end generate digital certificate, the digital certificate bag using the equipment mark code and binding public key for receiving
Include equipment mark code and binding public key.
Specifically, service end receives the equipment mark code and binding public key of client transmission, awards to e-business certification
Power mechanism (CA, Certificate Authority) application digital certificate, CA will generate public including equipment mark code and binding
The digital certificate of key is handed down to service end.
The unique corresponding relation between equipment mark code and digital certificate is saved as the correspondence for prestoring for S2023, service end
Relation.
Specifically, service end receives the digital certificate that CA is issued, by equipment mark code preservation corresponding with digital certificate.
The digital certificate of generation is sent to client by S2024, service end.
Specifically, the digital certificate that the CA for receiving is issued is sent to client by service end.
If S203, client detect bind request, facility information is obtained, wherein, the facility information includes equipment mark
Know code and the corresponding communicating number of SIM.
Specifically, after SIM is inserted client by user, bind request can be triggered, client detects binding please
Ask and then obtain equipment mark code and the corresponding communicating number of SIM.
When client is mobile phone terminal, the corresponding communicating number of SIM can be the corresponding phone number of SIM.
S204, client are signed using the binding private key of the Binding key centering for prestoring to facility information, and will be signed
Facility information after name is sent to service end.
Specifically, client is carried out using the facility information that the binding private key that step S201 is generated gets to step S203
Signature, and the facility information after signature is sent to into service end by internet message.
Facility information after signature can by the corresponding communicating number of SIM, the time of bind request, equipment mark code,
Random information and signature value are constituted, wherein signature value can by the corresponding communicating number of SIM, the time of bind request,
Hash algorithm is carried out after equipment mark code and random information combination to be calculated.
It should be noted that the facility information after signature can be sent to service by client by way of internet message
End, it is also possible to facility information is sent to into service end by note or other communication modes, is not limited herein.
S205, service end obtain equipment mark code from the facility information for receiving.
Specifically, secondary section receives the facility information after the signature of client transmission, ties according to the composition of the facility information
Structure, from extraction equipment identification code in the facility information and the corresponding communicating number of SIM.
S206, service end obtain the corresponding digital certificate of CPU identification codes from the corresponding relation for prestoring, wherein, prestore
Corresponding relation is the unique corresponding relation between equipment mark code and digital certificate.
Specifically, the corresponding numeral card of equipment mark code is obtained in the corresponding relation that service end is preserved according to step S2023
Book,
S207, service end are using the binding public key in the corresponding digital certificate of equipment mark code to the facility information that receives
Carry out sign test.
Specifically, according to step S206 obtain digital certificate in comprising equipment mark code and binding public key, service end root
Sign test is carried out to the facility information after the signature that receives according to the binding public key.
If S208, sign test success, the corresponding checking number of service end distributing equipment information.
Specifically, if sign test success, service end can confirm that client send message integrity and could not
Recognizing property, it was demonstrated that the message is that the corresponding client of the equipment mark code sends, therefore client is right for the facility information distribution
The checking number answered, and by distribution checking number, equipment mark code it is corresponding with SIM corresponding communicating number preservation.
Multiple checking numbers it should be noted that service end can prestore, after facility information is received, service end can be with
A checking number is randomly choosed from the multiple checking numbers for prestoring corresponding with the facility information.
S209, service end are encrypted to form ciphertext using binding public key to verifying number, and the ciphertext is sent to into visitor
Family end.
Specifically, service end is disappeared after being encrypted to the checking number that step S208 is distributed using binding public key by network
Breath is sent to client.
S210, client are decrypted using binding private key to the ciphertext for receiving, and obtain checking number, and are tested according to this
Card number initiates call request.
Specifically, client is decrypted using the checking number after binding private key pair encryption, obtains the checking number, and
Call request is carried out using the checking number.
S211, service end detect call request, obtain the corresponding calling number of the call request and called number.
Specifically, service end detects the call request of client, and the call request is hung up, and according to the call request
Message obtains the corresponding calling number of the call request and called number.
If S212, calling number are consistent with the corresponding communicating number of SIM, and called number is consistent with checking number,
Then service end confirms call verification success.
Specifically, service end is according to corresponding logical to the checking number, equipment mark code and the SIM that distribute in step 208
The corresponding preservation relation of signal code, if judging that the calling number of call request is consistent with the corresponding communicating number of SIM, while
The called number of call request is consistent with the checking number of distribution, then confirm the call verification success.
If S213, call verification success, service end is tied up the corresponding communicating number of SIM and equipment mark code
It is fixed.
Specifically, if service end judges call verification success according to step S212, confirm SIM in equipment mark code
Legal operation in corresponding client, service end is bound the corresponding communicating number of SIM and equipment mark code, and is preserved
Binding information, the binding information can include facility information and binding relationship, and the binding relationship is the corresponding communicating number of SIM
Unique corresponding relation and equipment mark code between.
If service end judges that call verification fails according to step S212, assert that SIM is corresponding in equipment mark code
Hacking Run in client, does not carry out bindings.
Binding result is returned to client by S214, service end.
Specifically, if service end judges call verification success according to step S212, by the binding result of binding success
Client is returned to, if service end judges that call verification fails according to step S212, the binding result of Bind Failed is returned
Back to client.
Client is received after binding result, if binding result is binding success, client allows user in this visitor
Family end is communicated using the SIM, if binding result is Bind Failed, client thinks that the SIM is illegal, will forbid
User is communicated in this client using the SIM.
Knowable to the binding method of above-mentioned Fig. 2 examples, in the present embodiment, client is first in starting up according to equipment
Identification code generates the Binding key pair comprising binding public key and binding private key, and using equipment mark code and binding public key to service
End application digital certificate, when SIM is inserted client by user, bind request is triggered, if client detects the binding
Request, then obtain the facility information for including equipment mark code and the corresponding communicating number of SIM, and using binding private key to equipment
Information is signed, and the facility information after signature is sent to into service end, and service end is obtained from the facility information for receiving and set
Standby identification code, and the corresponding digital certificate for prestoring is obtained according to the equipment mark code, service end is used in the digital certificate
Binding public key carries out sign test to the facility information for receiving, and distributes the facility information corresponding checking number if sign test success;
Service end is encrypted to form ciphertext using binding public key to verifying number, and the ciphertext is sent to into client, and client makes
The ciphertext for receiving is decrypted with binding private key, obtains checking number, and call request, clothes are initiated according to the checking number
Business end detects and obtain after call request the corresponding calling number of the call request and called number, and if judge calling number with
The corresponding communicating numbers of SIM are consistent, and called number is consistent with checking number, then confirm call verification success;If calling is tested
Demonstrate,prove successfully, then service end confirms SIM legal operation in the corresponding client of the equipment mark code, by SIM corresponding end
End number and equipment mark code are bound, and binding result is returned to into client, and the technical scheme of the embodiment of the present invention is led to
Crossing the mode of call verification carries out the binding legitimate verification of SIM and terminal unit, can effectively prevent man-in-the-middle attack and
Pseudo-base station is attacked, and improves real-time and the safety of binding procedure, so as to ensure the safety in utilization of terminal unit.Meanwhile,
By unsymmetrical key Digital Signature Algorithm, facility information is signed and sign test, complete the integrity of data-message with not
Falsifiability confirmation, further enhances the safety of the message transmission in binding procedure, by client in each starting up
When regenerate Binding key pair and to the mode of service end application digital certificate so that the number used in follow-up binding procedure
To with ageing, original Binding key pair and digital certificate will be by after client restarts for word certificate and Binding key
Refresh, so as to reduce the risk illegally usurped, further enhance the safety of binding procedure.
Embodiment three:
Fig. 3 is referred to, Fig. 3 is a kind of binding system schematic block diagram that the embodiment of the present invention three is provided.For convenience of description,
Illustrate only the part related to the embodiment of the present invention.The security authentication systems 300 of Fig. 3 examples can be that previous embodiment one is carried
For a kind of binding method executive agent.The binding system 300 of Fig. 3 examples mainly includes client 31 and server
32, client 31 and server 32 are attached by network.
Client 31 mainly includes:Acquiring unit 311, the authentication unit 313 of transmitting element 312 and first.Each unit is detailed
It is described as follows:
Acquiring unit 311, if for detecting bind request, obtaining facility information, wherein, the facility information includes setting
Standby identification code and the corresponding communicating number of SIM;
Transmitting element 312, for the facility information that acquiring unit 311 gets to be sent to into service end by cipher mode
32;
First authentication unit 313, the checking number and service end 32 for being distributed using service end 32 completes call verification;
Service end 32 mainly includes:Allocation unit 321, the second authentication unit 322, binding unit 323 and returning unit
324.Each unit describes in detail as follows::
Allocation unit 321, for distributing the corresponding checking number of facility information of the transmission of transmitting element 312;
Second authentication unit 322, checking number and the client 31 for being distributed using allocation unit 321 is carried out calling and is tested
Card;
Binding unit 323, if for the call verification success of the second authentication unit 322, by the corresponding messenger of SIM
Code and equipment mark code are bound;
Returning unit 324, for the binding result of binding unit 323 to be returned to into client 31.
The each unit of client 31 and server 32 realizes the mistake of respective function in the binding system 300 that the present embodiment is provided
Journey, specifically refers to the description of aforementioned embodiment illustrated in fig. 1, and here is omitted.
Knowable to the binding system 300 of above-mentioned Fig. 3 examples, in the present embodiment, if client detects bind request, obtain
The facility information including equipment mark code and the corresponding communicating number of SIM is taken, and the facility information is sent out by cipher mode
Service end is given, service end distributes the facility information corresponding checking number, and is exhaled with client using the checking number
Checking is cried, if call verification success, service end confirms SIM legal operation in the corresponding client of the equipment mark code,
The corresponding termination number of SIM and equipment mark code are bound, and binding result is returned to into client, the present invention is implemented
The technical scheme of example carries out the binding legitimate verification of SIM and terminal unit by way of call verification, can effectively prevent
Only man-in-the-middle attack and pseudo-base station are attacked, and improve real-time and the safety of binding procedure, so as to ensure making for terminal unit
Use safety.
Example IV:
Fig. 4 is referred to, Fig. 4 is a kind of binding system schematic block diagram that the embodiment of the present invention four is provided.For convenience of description,
Illustrate only the part related to the embodiment of the present invention.The security authentication systems 400 of Fig. 4 examples can be that previous embodiment two is carried
For a kind of binding method executive agent.The binding system 400 of Fig. 4 examples mainly includes client 41 and server 42, visitor
Family end 41 and server 42 are attached by network.
Client 41 mainly includes:Acquiring unit 411, the authentication unit 413 of transmitting element 412 and first.Each unit is detailed
It is described as follows:
Acquiring unit 411, if for detecting bind request, obtaining facility information, wherein, the facility information includes setting
Standby identification code and the corresponding communicating number of SIM;
Transmitting element 412, for the facility information that acquiring unit 411 gets to be sent to into service end by cipher mode
42;
First authentication unit 413, the checking number and service end 42 for being distributed using service end 42 completes call verification;
Service end 42 mainly includes:Allocation unit 421, the second authentication unit 422, binding unit 423 and returning unit
424.Each unit describes in detail as follows::
Allocation unit 421, for distributing the corresponding checking number of facility information of the transmission of transmitting element 412;
Second authentication unit 422, checking number and the client 41 for being distributed using allocation unit 421 is carried out calling and is tested
Card;
Binding unit 423, if for the call verification success of the second authentication unit 422, by the corresponding messenger of SIM
Code and equipment mark code are bound;
Returning unit 424, for the binding result of binding unit 423 to be returned to into client 41.
Further, transmitting element 412 includes:
Signature unit 4121, for using the binding private key of the Binding key centering for prestoring, getting to acquiring unit 411
Facility information signed, and the facility information after signature is sent to into service end 42, wherein, Binding key is to including binding
Public key and binding private key;
Allocation unit 421 includes:
Identification code extraction unit 4211, for obtaining equipment mark code in the facility information that sends from transmitting element 412;
Digital certificate acquiring unit 4212, for obtaining the corresponding numeral card of equipment mark code from the corresponding relation for prestoring
Book, wherein, the corresponding relation is the unique corresponding relation between equipment mark code and digital certificate, and the digital certificate includes equipment
Identification code and binding public key;
Sign test unit 4213, for the binding public key in the digital certificate that got using digital certificate acquiring unit 4212
Sign test is carried out to facility information;
Storage unit 4214, if for the sign test success of sign test unit 4213, the corresponding checking number of distributing equipment information
Code.
Further, the second authentication unit 422 includes:
Ciphering unit 4221, to be formed for being encrypted to the checking number that storage unit 4214 is distributed using binding public key
Ciphertext, and the ciphertext is sent to into client 41;
Call number acquiring unit 4222, for detecting the call request of the initiation of client 41, obtains the call request
Corresponding calling number and called number;
Unit 4223 is proved to be successful, if the calling number obtained for call number acquiring unit 4222 and communicating number one
Cause, and the called number that call number acquiring unit 4222 is obtained is consistent with checking number, then confirm call verification success;
First authentication unit 413 includes:
Decryption unit 4131, the ciphertext for being sent using binding private key pair encryption unit 4221 is decrypted, and acquisition is tested
Card number, and call request is initiated according to the checking number.
Further, client 41 also includes:
Key to signal generating unit 414, for generating Binding key pair according to equipment mark code;
Applying digital certificate unit 415, for close to the binding that signal generating unit 414 is generated using equipment mark code and key
The binding public key of key centering, to service end 42 digital certificate is applied for;
Service end 42 also includes:
Digital certificate processing unit 425, the numeral card that the applying digital certificate unit 415 for processing client 41 sends
The application of book.
Further, applying digital certificate unit 415 is additionally operable to:
Equipment mark code and binding public key are sent to into service end 42;
Digital certificate processing unit 425 includes:
Digital certificate signal generating unit 4251, for the equipment mark code that sent using applying digital certificate unit 415 and is tied up
Determine public key and generate digital certificate;
Corresponding relation storage unit 4252, for the numeral for generating equipment mark code and digital certificates constructing unit 4251
Unique corresponding relation between certificate saves as the corresponding relation for prestoring;
Digital certificate issuance unit 4253, for the digital certificate that digital certificate signal generating unit 4251 is generated to be sent to into visitor
Family end 41.
The each unit of client 41 and server 42 realizes the mistake of respective function in the binding system 400 that the present embodiment is provided
Journey, specifically refers to the description of aforementioned embodiment illustrated in fig. 2, and here is omitted.
Knowable to the binding system 400 of above-mentioned Fig. 4 examples, in the present embodiment, client first in starting up according to
Equipment mark code generate comprising binding public key and binding private key Binding key pair, and using equipment mark code and binding public key to
Service end application digital certificate, when SIM is inserted client by user, bind request is triggered, if client detects this
Bind request, then obtain the facility information for including equipment mark code and the corresponding communicating number of SIM, and using binding private key pair
Facility information is signed, and the facility information after signature is sent to into service end, and service end is obtained from the facility information for receiving
Taking equipment identification code, and the corresponding digital certificate for prestoring is obtained according to the equipment mark code, service end uses the digital certificate
In binding public key sign test is carried out to the facility information for receiving, if sign test success if distribute the facility information it is corresponding checking number
Code;Service end is encrypted to form ciphertext using binding public key to verifying number, and the ciphertext is sent to into client, client
The ciphertext for receiving is decrypted using binding private key, obtains checking number, and call request is initiated according to the checking number,
Service end is detected and obtain after call request the corresponding calling number of the call request and called number, and if judgement calling number
It is consistent with the corresponding communicating numbers of SIM, and called number is consistent with checking number, then confirm call verification success;If calling
It is proved to be successful, then service end confirms SIM legal operation in the corresponding client of the equipment mark code, and SIM is corresponding
Termination number and equipment mark code are bound, and binding result is returned to into client, the technical scheme of the embodiment of the present invention
The binding legitimate verification of SIM and terminal unit is carried out by way of call verification, man-in-the-middle attack can be effectively prevented
Attack with pseudo-base station, and improve real-time and the safety of binding procedure, so as to ensure the safety in utilization of terminal unit.Together
When, by unsymmetrical key Digital Signature Algorithm, facility information is signed and sign test, complete the integrity of data-message with
Non-repudiation confirmation, further enhances the safety of the message transmission in binding procedure, is opened in start every time by client
Binding key pair is regenerated when dynamic and to the mode of service end application digital certificate so that used in follow-up binding procedure
Digital certificate and Binding key are to ageing, original Binding key pair and digital certificate general after client restarts
It is refreshed, so as to reduce the risk illegally usurped, further enhances the safety of binding procedure.
Those of ordinary skill in the art are it is to be appreciated that the list of each example with reference to the embodiments described herein description
Unit and algorithm steps, can with electronic hardware, computer software or the two be implemented in combination in, in order to clearly demonstrate hardware
With the interchangeability of software, according to function the composition and step of each example have been generally described in the above description.This
A little functions are performed with hardware or software mode actually, depending on the application-specific and design constraint of technical scheme.Specially
Industry technical staff can use different methods to realize described function to each specific application, but this realization is not
It is considered as beyond the scope of this invention.
Those skilled in the art can be understood that, for convenience of description and succinctly, foregoing description is
The specific work process of system, client, server and unit, may be referred to the corresponding process in preceding method embodiment, here
Repeat no more.
In several embodiments provided herein, it should be understood that disclosed system and method, it can be passed through
Its mode is realized.For example, system embodiment described above is only schematic, for example, the division of the unit, and only
Only a kind of division of logic function, can there is other dividing mode when actually realizing, such as multiple units or component can be tied
Close or be desirably integrated into another system, or some features can be ignored, or do not perform.In addition, shown or discussed phase
Coupling or direct-coupling or communication connection between mutually can be INDIRECT COUPLING or the communication by some interfaces, device or unit
Connection, or electricity, machinery or other forms connections.
Step in present invention method can according to actual needs carry out order adjustment, merge and delete.
Unit in embodiment of the present invention terminal can according to actual needs be merged, divides and deleted.
The unit as separating component explanation can be or may not be it is physically separate, it is aobvious as unit
The part for showing can be or may not be physical location, you can with positioned at a place, or can also be distributed to multiple
On NE.Some or all of unit therein can be according to the actual needs selected to realize embodiment of the present invention scheme
Purpose.
In addition, each functional unit in each embodiment of the invention can be integrated in a processing unit, it is also possible to
It is that unit is individually physically present, or two or more units are integrated in a unit.It is above-mentioned integrated
Unit both can be realized in the form of hardware, it would however also be possible to employ the form of SFU software functional unit is realized.
If the integrated unit is realized using in the form of SFU software functional unit and as independent production marketing or used
When, during a computer read/write memory medium can be stored in.Based on such understanding, technical scheme is substantially
Prior art is contributed part in other words, or all or part of the technical scheme can be in the form of software product
Embody, the computer software product is stored in a storage medium, including some instructions are used so that a computer
Equipment (can be personal computer, server, or network equipment etc.) performs the complete of each embodiment methods described of the invention
Portion or part steps.And aforesaid storage medium includes:USB flash disk, portable hard drive, read only memory (ROM, Read-Only
Memory), random access memory (RAM, Random Access Memory), magnetic disc or CD etc. are various can store journey
The medium of sequence code.
The above, the only specific embodiment of the present invention, but protection scope of the present invention is not limited thereto, any
Those familiar with the art the invention discloses technical scope in, various equivalent modifications can be readily occurred in or replaced
Change, these modifications or replacement all should be included within the scope of the present invention.Therefore, protection scope of the present invention should be with right
The protection domain of requirement is defined.
Claims (10)
1. a kind of binding method, it is characterised in that the binding method includes:
If client detects bind request, facility information is obtained, wherein, the facility information includes equipment mark code and visitor
The corresponding communicating number of family identification module card;
The facility information is sent to service end by the client by cipher mode so that set described in the service end distribution
The corresponding checking number of standby information;
The service end carries out call verification using the checking number with the client;
If the call verification success, the service end is by the corresponding communicating number of the client identification module card and described sets
Standby identification code is bound;
Binding result is returned to the client by the service end.
2. binding method according to claim 1, it is characterised in that the client is by the facility information by encryption
Mode is sent to service end so that the service end is distributed the corresponding checking number of the facility information and included:
The client is signed using the binding private key of the Binding key centering for prestoring to the facility information, and will signature
The facility information afterwards is sent to the service end, wherein, the Binding key is to private including binding public key and the binding
Key;
The service end obtains the equipment mark code from the facility information;
The service end obtains the corresponding digital certificate of the equipment mark code from the corresponding relation for prestoring, wherein, it is described right
Should be related to for the unique corresponding relation between the equipment mark code and the digital certificate, the digital certificate includes described setting
Standby identification code and the binding public key;
The service end using the digital certificate in the binding public key sign test is carried out to the facility information;
If sign test success, the service end distributes the facility information corresponding checking number.
3. binding method according to claim 2, it is characterised in that the service end using the checking number with it is described
Client carries out call verification to be included:
The service end is encrypted to form ciphertext using the binding public key to the checking number, and the ciphertext is sent
To the client;
The client is decrypted using the binding private key to the ciphertext, obtains the checking number, and according to described
Checking number initiates call request;
The service end detects the call request, obtains the corresponding calling number of the call request and called number;
If the calling number is consistent with the communicating number, and the called number is consistent with the checking number, then institute
State service end and confirm the call verification success.
4. the binding method according to any one of claims 1 to 3, it is characterised in that if the terminal detect binding please
Ask, then obtain before facility information, the binding method also includes:
The client generates the Binding key pair according to the equipment mark code;
The client uses the equipment mark code and the binding public key, to digital certificate described in the service end application.
5. binding method according to claim 4, it is characterised in that the client uses the equipment mark code and institute
Binding public key is stated, is included to digital certificate described in the service end application:
The equipment mark code and the binding public key are sent to the service end by the client;
The service end generates the digital certificate using the equipment mark code and the binding public key;
Unique corresponding relation between the equipment mark code and the digital certificate is saved as described prestoring by the service end
Corresponding relation;
The digital certificate is sent to the client by the service end.
6. a kind of binding system, it is characterised in that the binding system includes client and service end, the client and described
Service end is attached by network;
The client includes:
Acquiring unit, if for detecting bind request, obtaining facility information, wherein, the facility information includes equipment mark
Know code and the corresponding communicating number of client identification module card;
Transmitting element, for the facility information to be sent to into service end by cipher mode;
First authentication unit, the checking number and the service end for being distributed using the service end completes call verification;
The service end includes:
Allocation unit, for distributing the facility information the corresponding checking number;
Second authentication unit, for carrying out the call verification with the client using the checking number;
Binding unit, if for the call verification success, by the corresponding communicating number of the client identification module card and institute
State equipment mark code to be bound;
Returning unit, for binding result to be returned to into the client.
7. binding system according to claim 6, it is characterised in that the transmitting element includes:
Signature unit, for being signed to the facility information using the binding private key of the Binding key centering for prestoring, and will
The facility information after signature is sent to the service end, wherein, the Binding key is to including binding public key and described tying up
Determine private key;
The allocation unit includes:
Identification code extraction unit, for obtaining the equipment mark code from the facility information;
Digital certificate acquiring unit, for obtaining the corresponding digital certificate of the equipment mark code from the corresponding relation for prestoring,
Wherein, the corresponding relation is the unique corresponding relation between the equipment mark code and the digital certificate, the numeral card
School bag includes the equipment mark code and the binding public key;
Sign test unit, sign test is carried out for the binding public key in using the digital certificate to the facility information;
Storage unit, if for sign test success, distributing the facility information the corresponding checking number.
8. binding system according to claim 7, it is characterised in that second authentication unit includes:
Ciphering unit, for being encrypted to form ciphertext to the checking number using the binding public key, and by the ciphertext
It is sent to the client;
Call number acquiring unit, for detecting the call request that the client is initiated, obtains the call request correspondence
Calling number and called number;
Be proved to be successful unit, if it is consistent with the communicating number for the calling number, and the called number with it is described
Checking number is consistent, then confirm the call verification success;
First authentication unit includes:
Decryption unit, for being decrypted to the ciphertext using the binding private key, obtains the checking number, and according to institute
State checking number and initiate call request.
9. the binding system according to any one of claim 6 to 8, it is characterised in that the client also includes:
Key to signal generating unit, for generating the Binding key pair according to the equipment mark code;
Applying digital certificate unit, for using the equipment mark code and the binding public key, to the service end application institute
State digital certificate;
The service end also includes:
Digital certificate processing unit, for processing the application of the digital certificate of the client.
10. binding system according to claim 9, it is characterised in that the applying digital certificate unit is additionally operable to:
The equipment mark code and the binding public key are sent to into the service end;
The digital certificate processing unit includes:
Digital certificate signal generating unit, for generating the digital certificate using the equipment mark code and the binding public key;
Corresponding relation storage unit, for the unique corresponding relation between the equipment mark code and the digital certificate to be preserved
For the corresponding relation for prestoring;
Digital certificate issuance unit, for the digital certificate to be sent to into the client.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611118802.8A CN106686585A (en) | 2016-12-07 | 2016-12-07 | Binding method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611118802.8A CN106686585A (en) | 2016-12-07 | 2016-12-07 | Binding method and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN106686585A true CN106686585A (en) | 2017-05-17 |
Family
ID=58867956
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201611118802.8A Withdrawn CN106686585A (en) | 2016-12-07 | 2016-12-07 | Binding method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106686585A (en) |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109474592A (en) * | 2018-11-08 | 2019-03-15 | 蓝信移动(北京)科技有限公司 | Public key binding method and system |
| CN110365705A (en) * | 2019-07-31 | 2019-10-22 | 中国联合网络通信集团有限公司 | Bind the change method and system of mobile terminal number |
| CN110611563A (en) * | 2018-06-15 | 2019-12-24 | 富泰华工业(深圳)有限公司 | Equipment identification code distribution method and device and Internet of things equipment |
| CN111355852A (en) * | 2018-12-21 | 2020-06-30 | 西安佰才邦网络技术有限公司 | Method and equipment for acquiring contact number based on block chain |
| CN116634384A (en) * | 2023-07-21 | 2023-08-22 | 广东匠芯创科技有限公司 | Terminal equipment searching method, system and storage medium thereof |
| WO2023246286A1 (en) * | 2022-06-23 | 2023-12-28 | 中兴通讯股份有限公司 | Method, apparatus and system for restricting set-card separation, and storage medium and electronic apparatus |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090106551A1 (en) * | 2006-04-25 | 2009-04-23 | Stephen Laurence Boren | Dynamic distributed key system and method for identity management, authentication servers, data security and preventing man-in-the-middle attacks |
| CN104333455A (en) * | 2014-11-26 | 2015-02-04 | 肖龙旭 | Secrete communication system and method for smart phone |
| CN106027738A (en) * | 2016-07-05 | 2016-10-12 | 北京奇虎科技有限公司 | Method and device for synchronizing call records and mobile terminal |
| CN106130956A (en) * | 2016-06-03 | 2016-11-16 | 谢渤 | A kind of telephone authentication method and apparatus |
-
2016
- 2016-12-07 CN CN201611118802.8A patent/CN106686585A/en not_active Withdrawn
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090106551A1 (en) * | 2006-04-25 | 2009-04-23 | Stephen Laurence Boren | Dynamic distributed key system and method for identity management, authentication servers, data security and preventing man-in-the-middle attacks |
| CN104333455A (en) * | 2014-11-26 | 2015-02-04 | 肖龙旭 | Secrete communication system and method for smart phone |
| CN106130956A (en) * | 2016-06-03 | 2016-11-16 | 谢渤 | A kind of telephone authentication method and apparatus |
| CN106027738A (en) * | 2016-07-05 | 2016-10-12 | 北京奇虎科技有限公司 | Method and device for synchronizing call records and mobile terminal |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110611563A (en) * | 2018-06-15 | 2019-12-24 | 富泰华工业(深圳)有限公司 | Equipment identification code distribution method and device and Internet of things equipment |
| CN110611563B (en) * | 2018-06-15 | 2022-09-06 | 富泰华工业(深圳)有限公司 | Equipment identification code distribution method and device and Internet of things equipment |
| CN109474592A (en) * | 2018-11-08 | 2019-03-15 | 蓝信移动(北京)科技有限公司 | Public key binding method and system |
| CN111355852A (en) * | 2018-12-21 | 2020-06-30 | 西安佰才邦网络技术有限公司 | Method and equipment for acquiring contact number based on block chain |
| CN111355852B (en) * | 2018-12-21 | 2024-04-05 | 西安佰才邦网络技术有限公司 | Method and equipment for acquiring contact number based on blockchain |
| CN110365705A (en) * | 2019-07-31 | 2019-10-22 | 中国联合网络通信集团有限公司 | Bind the change method and system of mobile terminal number |
| WO2023246286A1 (en) * | 2022-06-23 | 2023-12-28 | 中兴通讯股份有限公司 | Method, apparatus and system for restricting set-card separation, and storage medium and electronic apparatus |
| CN116634384A (en) * | 2023-07-21 | 2023-08-22 | 广东匠芯创科技有限公司 | Terminal equipment searching method, system and storage medium thereof |
| CN116634384B (en) * | 2023-07-21 | 2023-11-03 | 广东匠芯创科技有限公司 | Terminal equipment searching method, system and storage medium thereof |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106453330B (en) | A kind of identity authentication method and system | |
| CN106850200B (en) | A kind of safety method, system and the terminal of digital cash of the use based on block chain | |
| CN106686585A (en) | Binding method and system | |
| CN109150548B (en) | Digital certificate signing and signature checking method and system and digital certificate system | |
| US20190165947A1 (en) | Signatures for near field communications | |
| CN109472166A (en) | A kind of electronic signature method, device, equipment and medium | |
| CN106535184A (en) | Key management method and system | |
| CN106302544A (en) | A kind of safe verification method and system | |
| CN105246073B (en) | The access authentication method and server of wireless network | |
| CN104023032B (en) | Application based on credible performing environment technology is limited discharging method, server and terminal | |
| CN109600223A (en) | Verification method, Activiation method, device, equipment and storage medium | |
| CN102843669B (en) | Data access method and device | |
| CN102984115B (en) | A kind of network security method and client-server | |
| CN107113613B (en) | Server, mobile terminal, network real-name authentication system and method | |
| CN104579649A (en) | Identity recognition method and system | |
| CN104967597A (en) | Third-party application message authentication method and system based on secure channel | |
| CN103684797B (en) | User and the association authentication method and system of subscriber terminal equipment | |
| CN110620763B (en) | Mobile identity authentication method and system based on mobile terminal APP | |
| CN104468099A (en) | Dynamic password generating method and device based on CPK (Combined Public Key) and dynamic password authentication method and device based on CPK (Combined Public Key) | |
| CN106790208A (en) | A kind of communication encrypting method and device | |
| CN108335105A (en) | Data processing method and relevant device | |
| CN107995200A (en) | A kind of certificate issuance method, identity identifying method and system based on smart card | |
| CN108804935A (en) | A kind of safety encryption storage system and method based on TrustZone | |
| CN106851613A (en) | Service request method, the verification method of business handling number and its terminal | |
| CN106685945A (en) | Service request processing method, verifying method of service handling number, and terminal thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WW01 | Invention patent application withdrawn after publication |
Application publication date: 20170517 |
|
| WW01 | Invention patent application withdrawn after publication |