CN106899571A - Information interaction method and device - Google Patents

Information interaction method and device

Info

Publication number
CN106899571A
Authority
CN
China
Prior art keywords
equipment
module
client
message distribution
authentication
Legal status (as listed by Google Patents; not a legal conclusion)
Granted
Application number
CN201611190037.0A
Other languages
Chinese (zh)
Other versions
CN106899571B (en)
Inventor
孙元博
Current Assignee (as listed by Google Patents; may be inaccurate)
Advanced New Technologies Co Ltd
Advantageous New Technologies Co Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority: CN201611190037.0A (granted as CN106899571B); CN202010690618.0A (granted as CN111683103B)
Publication of CN106899571A
Application granted; publication of CN106899571B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the present application disclose an information interaction method and device. A device contains a client and an authenticator module located in a preset trusted environment, and the method includes: the client obtains a device verification identifier of the device, the device verification identifier being derived by the authenticator module from hardware information of the device; the client sends the device verification identifier to the cloud, so that the cloud, after the device verification identifier passes verification, returns to the device an identity verification code for display by the authenticator module. With the embodiments of the present application, the security of the identity verification code can be improved and the possibility of its leakage reduced.

Description

Information interaction method and device
Technical field
The present application relates to the field of computer software technology, and in particular to an information interaction method and device.
Background
With the development of the mobile internet, issuing an identity verification code by SMS has become a widely used auxiliary means of identity authentication.
However, some targeted attack techniques used by illegitimate actors pose a considerable threat to the security of such verification codes, for example SMS trojans, SIM card cloning, fake base stations and phishing programs.
For example, an attacker may plant an SMS trojan on a user's phone in advance. When the phone receives an SMS message, the trojan silently forwards it to the attacker, and the identity verification code contained in the message is leaked.
As another example, an attacker may clone the user's SIM card by illegal means and use the cloned card to receive the user's SMS messages in parallel, so that the identity verification code contained in the message is likewise leaked.
It follows that, in the prior art, these attack techniques pose a considerable threat to the security of identity verification codes issued by SMS and make such codes easy to leak.
Summary of the invention
Embodiments of the present application provide an information interaction method and device to solve the following technical problem in the prior art: identity verification codes issued by SMS are easily leaked.
To solve the above technical problem, the embodiments of the present application are implemented as follows.
A first information interaction method provided by embodiments of the present application, for a device containing a client and an authenticator module located in a preset trusted environment, includes:
the client obtains a device verification identifier of the device, the device verification identifier being derived by the authenticator module from hardware information of the device;
the client sends the device verification identifier to the cloud, so that the cloud, after the device verification identifier passes verification, returns to the device an identity verification code for display by the authenticator module.
A first information interaction apparatus provided by embodiments of the present application, for a device containing a client and an authenticator module located in a preset trusted environment, is located at the client and includes:
an obtaining module, which obtains the device verification identifier of the device, the device verification identifier being derived by the authenticator module from hardware information of the device;
a sending module, which sends the device verification identifier to the cloud, so that the cloud, after the device verification identifier passes verification, returns to the device an identity verification code for display by the authenticator module.
A second information interaction method provided by embodiments of the present application, for a device containing a client and an authenticator module located in a preset trusted environment, includes:
the authenticator module receives an identifier obtaining request from the client;
the authenticator module returns to the client the device verification identifier of the device, the device verification identifier being derived by the authenticator module from hardware information of the device;
the authenticator module displays the identity verification code that the cloud returns to the device after the device verification identifier passes verification, wherein the device verification identifier verified by the cloud was sent to the cloud by the client.
A second information interaction apparatus provided by embodiments of the present application, for a device containing a client and an authenticator module located in a preset trusted environment, is located at the authenticator module and includes:
a receiving module, which receives the identifier obtaining request from the client;
a returning module, which returns to the client the device verification identifier of the device, the device verification identifier being derived by the authenticator module from hardware information of the device;
a display module, which displays the identity verification code that the cloud returns to the device after the device verification identifier passes verification, wherein the device verification identifier verified by the cloud was sent to the cloud by the client.
A third information interaction method provided by embodiments of the present application, for a device containing a client and an authenticator module located in a preset trusted environment, includes:
the cloud obtains the device verification identifier of the device sent by the client, the device verification identifier being derived by the authenticator module from hardware information of the device;
the cloud verifies the device verification identifier;
after the device verification identifier passes verification, the cloud returns to the device an identity verification code for display by the authenticator module.
A third information interaction apparatus provided by embodiments of the present application, for a device containing a client and an authenticator module located in a preset trusted environment, is located in the cloud and includes:
an obtaining module, which obtains the device verification identifier of the device sent by the client, the device verification identifier being derived by the authenticator module from hardware information of the device;
a verification module, which verifies the device verification identifier;
a returning module, which, after the verification module has verified the device verification identifier, returns to the device an identity verification code for display by the authenticator module.
At least one of the technical solutions above can achieve the following beneficial effects. The device may be a user terminal such as a mobile phone. Because the identity verification code is issued to the device only after the device verification identifier, which is derived from the device's hardware information, has been verified and the device has thereby been determined to be a genuinely trusted device, attacks such as SIM card cloning and fake base stations can be resisted. Moreover, because both the generation of the device verification identifier and the subsequent display of the identity verification code take place within the trusted environment of the device, attacks such as SMS trojans and phishing programs can be resisted. In summary, the solution of the present application can improve the security of the identity verification code, reduce the possibility of its leakage, and partly or wholly solve the problem in the prior art.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments of the present application; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow diagram of a first information interaction method provided by an embodiment of the present application;
Fig. 2 is a schematic flow diagram of a second information interaction method provided by an embodiment of the present application;
Fig. 3 is a schematic flow diagram of a third information interaction method provided by an embodiment of the present application;
Fig. 4 is a schematic diagram of a business architecture of the above information interaction methods in a practical application scenario provided by an embodiment of the present application;
Fig. 5 is a schematic diagram of a technical architecture of the above information interaction methods in a practical application scenario provided by an embodiment of the present application;
Fig. 6 is a schematic diagram of an interaction flow of the above information interaction methods in a practical application scenario provided by an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an information interaction apparatus corresponding to Fig. 1 provided by an embodiment of the present application;
Fig. 8 is a schematic structural diagram of an information interaction apparatus corresponding to Fig. 2 provided by an embodiment of the present application;
Fig. 9 is a schematic structural diagram of an information interaction apparatus corresponding to Fig. 3 provided by an embodiment of the present application.
Detailed description
Embodiments of the present application provide an information interaction method and device.
To enable those skilled in the art to better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present application without creative effort fall within the scope of protection of the present application.
The specific implementation of the solution of the present application may involve actions at the client, at the authenticator module and in the cloud. The cloud may consist of a single end (for example, a message distribution server) or of at least two ends (for example, a message distribution server and the server end corresponding to the client).
The client and the authenticator module may be located on the same device. The device on which the client and the authenticator module reside is usually a user terminal such as a mobile phone, a tablet computer, a smart wearable device or an in-vehicle unit.
The server end and the message distribution server may be on different devices or on the same device. The device on which the server end or the message distribution server resides is usually a computer or computer cluster used as a server.
Unless otherwise specified, "the device" below refers to the device on which the client and the authenticator module reside.
Embodiments of the present application provide three information interaction methods and apparatuses in total. They are based on the same inventive idea and correspond to one another, being described with the client, the authenticator module and the cloud respectively as the executing subject. Any one of them can realize the obtaining, issuing and display of the identity verification code, improve the security of the identity verification code and reduce the possibility of its leakage.
The solution of the present application is described in detail below.
Fig. 1 is a schematic flow diagram of the first information interaction method provided by an embodiment of the present application. The device referred to below contains a client and an authenticator module located in a preset trusted environment (Trusted Execution Environment, TEE). The flow in Fig. 1 can be triggered in a specific manner whenever an identity verification code is needed, for example when the client is used on the device for the first time for a particular business and the device needs to be activated, or when a user with the same account switches between the client on a mobile device and the corresponding client on a non-mobile device, and so on.
In embodiments of the present application, the trusted environment relies on the hardware of the device it resides on and usually provides trusted services on the basis of a microkernel operating system. It may have various specific implementations, which the present application does not limit; three are listed as examples:
First, a trusted environment may be provided using Intel TXT or AMD SVM, that is, a dynamic root of trust for measurement (DRTM) service is provided on the basis of special CPU instructions and the trusted environment is built on it;
Second, using the ARM TrustZone or TI M-Shield mechanism, a secure-world/normal-world isolation mechanism is provided directly in the central processing unit hardware to realize the trusted environment;
Third, using a hypervisor/VMM virtualization mechanism, isolation between secure applications and non-secure applications is provided to realize the trusted environment.
The explanations given for the information interaction method of Fig. 1 also apply to the other information interaction methods provided by embodiments of the present application and are not repeated below.
The executing subject of the flow in Fig. 1 is the client, and the flow may include the following steps:
S101: the client obtains the device verification identifier of the device, the device verification identifier being derived by the authenticator module from hardware information of the device.
In embodiments of the present application, the client may be any client on the user terminal that needs to use an identity verification code, for example the client of a third-party payment application, of an instant messaging application or of an electronic banking application.
In embodiments of the present application, the device can be distinguished from other devices by its hardware information. Taking a mobile phone as an example, the hardware information may be the International Mobile Equipment Identity (IMEI), a physical (MAC) address, and so on.
Generally, the device verification identifier uniquely identifies its device within a certain scope (for example a network, a set of devices or a geographical region). How large that scope is depends on the implementation and is not limited by the present application. For example, if the solution is implemented in a certain country, then for devices in that country it suffices that the device verification identifier is unique within that country.
In embodiments of the present application, the device verification identifier may be generated by the authenticator module by performing some logical operation on the hardware information of the device. The operation may be implemented in various ways, which the present application does not limit; one is given as an example.
For example, the device verification identifier may be generated as base64(Hash(HardID + random)), where base64 is an encoding (it provides no secrecy by itself), Hash denotes a hash function, HardID denotes the hardware information used and random denotes a random number. Because the generation takes place in the trusted environment of the device, this approach helps to improve the security of the device verification identifier and also helps to prevent the hardware information from being leaked.
Of course, the authenticator module may also use the hardware information of the device directly as the device verification identifier.
In embodiments of the present application, the client may obtain the device verification identifier by sending, directly or indirectly, an identifier obtaining request to the authenticator module and receiving the device verification identifier returned by the authenticator module.
S102: the client sends the device verification identifier to the cloud, so that the cloud, after the device verification identifier passes verification, returns to the device an identity verification code for display by the authenticator module.
In embodiments of the present application, by verifying the device verification identifier the cloud can determine whether the device on which the client resides is a trusted device for the business provided through the client; if so, the verification passes.
In embodiments of the present application, the cloud interacts with the device over the internet (an IP network).
In embodiments of the present application, the identity verification code may take various forms. Some examples: a string of digits (6 digits, 4 digits, etc.); a string of characters (for example Chinese characters, English characters or characters of another language); or a task (for example, in a nine-square grid, swap the 1st and last characters, swap the 2nd and 5th characters, and connect the 3rd and 8th characters with a straight line; the grid is displayed on the interface when the user needs to perform identity verification, and when the user receives the task described above and carries it out as specified, the identity verification passes); and so on.
With the method of Fig. 1, the device may be a user terminal such as a mobile phone. Because the identity verification code is issued only after the device verification identifier derived from the device's hardware information has been verified and the device thereby determined to be a genuinely trusted device, attacks such as SIM card cloning and fake base stations can be resisted; and because both the generation of the device verification identifier and the subsequent display of the identity verification code take place within the trusted environment of the device, attacks such as SMS trojans and phishing programs can be resisted. In summary, the solution of the present application can improve the security of the identity verification code, reduce the possibility of its leakage, and partly or wholly solve the problem in the prior art.
On the basis of the method of Fig. 1, embodiments of the present application further provide some specific implementations and extensions of the method, described below.
In embodiments of the present application, as stated above, the cloud may include two ends: a message distribution server and the server end corresponding to the client. The following embodiments are mainly described for this case.
In this case, for step S102, the cloud includes a message distribution server and the server end corresponding to the client;
the client sending the device verification identifier to the cloud may specifically include: the client sends the device verification identifier to the server end;
the cloud returning to the device, after the device verification identifier passes verification, an identity verification code for display by the authenticator module may specifically include: the server end, by calling the message distribution server, causes the message distribution server, after the device verification identifier passes verification, to return to the device an identity verification code for display by the authenticator module.
In embodiments of the present application, the server end is the server end corresponding to the client; for example, the server end corresponding to the client of a payment application is the server end of that payment application.
The message distribution server may be a shared platform, in which case multiple different server ends may call the same message distribution server. Alternatively, different server ends may each have their own dedicated message distribution server. Note that the message distribution server is not the SMS server of a mobile operator; the solution of the present application therefore need not rely on SMS to send and receive the identity verification code as the prior art does, and can instead transmit the identity verification code over the internet.
In embodiments of the present application, when the server end calls the message distribution server it may pass on the device verification identifier received from the client and request the message distribution server to verify it. By verifying the device verification identifier, the message distribution server can determine whether the device on which the client resides is a trusted device; if so, the verification passes.
Specifically, the device verification identifier of a device may be registered with the message distribution server in advance in a specific manner (for example factory preset, user real-name authentication, or binding the device to another trusted device); a registered device is a trusted device. In this case, the message distribution server can verify the device verification identifier of step S102 by comparing it with the registered device verification identifiers.
For example, with factory presetting, the device verification identifier can be registered by the manufacturer without user intervention, establishing that the device hardware itself is trusted. This approach mainly emphasizes "trust at the hardware level".
As another example, with user real-name authentication, the user may in advance, for the business of a given client, interact with the corresponding server end and the message distribution server to register the user's relevant identity information (for example real name, identity card number, etc.) together with the device verification identifier, so as to establish that the device is trusted for that business and that user. This approach mainly emphasizes "trust at the business level".
In embodiments of the present application, the identity verification code may be generated by the server end and/or by the message distribution server. Generally, the identity verification code is related to the business of the client or server end (for example, carrying out the business requires authentication based on the code, or the code has to be generated from business-related information); in that case it is preferably generated by the server end, which helps to reduce interference of the message distribution server with the business.
In embodiments of the present application, for step S101, the device verification identifier obtained by the client may have been encrypted and/or signed by the authenticator module. The purpose of encryption is to prevent the device verification identifier from being transmitted in plaintext and so reduce the risk of disclosure; the purpose of signing is to prevent the device verification identifier from being illegally tampered with. In this case, the message distribution server must first decrypt and/or verify the signature before it can verify the device verification identifier; the keys needed for decryption and/or signature verification may be negotiated in advance between the device and the message distribution server.
Similarly, the identity verification code returned by the message distribution server may also be encrypted and/or signed.
In embodiments of the present application, the device verification identifier may also be derived by the authenticator module from the hardware information of the device together with business information of the client, and different clients may specify different logical operation algorithms for generating it. In this way, the device verification identifiers of different clients can be differentiated, and the device verification identifier can change as the business information of the same client changes, which helps to improve the security of the device verification identifier.
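The following is an added example, not code from the patent or from Alibaba; it illustrates the base64(Hash(HardID + random)) derivation given for step S101, the registration-and-comparison check performed by the message distribution server, and the differentiation of identifiers by business information described just above. The class names, the use of HMAC as the keyed hash and the persistence of the random value inside the TEE are assumptions (the patent fixes none of them). The persistence point matters in practice: if the authenticator module drew a fresh random value on every request, the cloud could never match the identifier against the one registered earlier.

```python
"""Device verification identifier: derivation inside the authenticator
module and the registry check performed by the message distribution server.

Added example, not code from the patent.  Class names, the HMAC-based
derivation and the persisted per-device random value are assumptions.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


class AuthenticatorModule:
    """Stand-in for the module running inside the TEE.

    The random value is drawn once and kept inside the TEE.  It must be
    persisted: with a fresh random per request the registered identifier
    would never match again.
    """

    def __init__(self, hardware_info: str, random: Optional[bytes] = None):
        self._hardware_info = hardware_info       # e.g. IMEI; never leaves the TEE
        self._random = random if random is not None else os.urandom(32)

    def device_verification_id(self, business_info: str = "") -> str:
        # base64(Hash(HardID + random)), with HMAC as the keyed hash so the
        # identifier cannot be reversed to the hardware information.  Mixing in
        # business_info gives different clients different identifiers from the
        # same hardware.
        mac = hmac.new(self._random, digestmod=hashlib.sha256)
        mac.update(self._hardware_info.encode())
        mac.update(b"\x00")                        # separator: unambiguous concatenation
        mac.update(business_info.encode())
        return base64.b64encode(mac.digest()).decode()


class MessageDistributionServer:
    """Registry of identifiers registered in advance (factory preset or user
    real-name registration) and the comparison used to verify step S102."""

    def __init__(self) -> None:
        self._registered = set()

    def register(self, device_verification_id: str) -> None:
        self._registered.add(device_verification_id)

    def verify(self, device_verification_id: str) -> bool:
        # Constant-time comparison against every registered identifier.
        return any(hmac.compare_digest(device_verification_id, r)
                   for r in self._registered)


def demo() -> dict:
    """Walks through registration and verification; returns the outcomes."""
    tee = AuthenticatorModule(hardware_info="356938035643809")  # constructed IMEI
    server = MessageDistributionServer()

    pay_id = tee.device_verification_id("payment-app")
    server.register(pay_id)                        # e.g. during real-name registration

    # An attacker who copied only the IMEI but not the TEE's random value.
    clone = AuthenticatorModule(hardware_info="356938035643809")

    return {
        "stable_across_requests": tee.device_verification_id("payment-app") == pay_id,
        "registered_accepted": server.verify(pay_id),
        "other_business_accepted": server.verify(tee.device_verification_id("im-app")),
        "clone_accepted": server.verify(clone.device_verification_id("payment-app")),
        "hardware_info_in_id": "356938035643809" in pay_id,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Using the hardware information directly as the identifier, which the text also allows, would make the clone case succeed and would expose the IMEI to every party on the path; the keyed derivation is what delivers the "prevents the hardware information from being leaked" property the patent claims for the hashed form.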
In embodiments of the present application, for the above interaction flow, the interaction between the client and the authenticator module and/or the interaction between the message distribution server and the device (including but not limited to the authenticator module) may be carried out over a secure channel realized by a predetermined security service on the device; for example, the interaction between the message distribution server and the device over a first secure channel, and the interaction between the client and the authenticator module over a second secure channel.
The reason is that, although the authenticator module is in the trusted environment, the client and the message distribution server may not be; the security service and the secure channels it realizes help to reduce the risk of the interactions between these ends.
The security service may be provided by a functional module independent of the ends above or by those ends themselves, and may include, without limitation, connection management, access control, session negotiation, connection heartbeat maintenance, secure tunnels and key control.
Note that the secure channel may be realized at one or more layers of the Open Systems Interconnection (OSI) model, with different implementations at different layers. For example, at the application layer the secure channel may be realized by encryption and/or signing; at the transport layer by TLS; at the network layer by IPsec; at the link layer by L2TP (which on its own provides no confidentiality and is normally combined with IPsec); and so on.
The schematic flow sheet of second information interacting method that Fig. 2 is provided for the embodiment of the present application.Flow in Fig. 2 is held Row main body is authenticator module, and the flow may comprise steps of:
S201:The mark that the authenticator module receives the client obtains request.
S202:The authenticator module is identified to the device authentication that the client returns to the equipment, and the equipment is tested Card mark is obtained by the authenticator module according to the hardware information of the equipment.
S203:The authenticator module shows high in the clouds after passing through to the device authentication identity verification, to the equipment The authentication code of return, wherein, the device authentication mark of the high in the clouds checking is described in the client is sent to High in the clouds.
With the method for Fig. 1 it is corresponding due to Fig. 2, therefore, the technique effect of the method for Fig. 2 also method with Fig. 1, base In the method for Fig. 2, the embodiment of the present application additionally provides some specific embodiments of the method, and expansion scheme, for The part having been explained above, repeats no more or is only briefly described below.Several information interacting methods below are also In this way, repeating no more.
In an embodiment of the present application, the cloud may include a message distribution server and a server end corresponding to the client;
the identity verification code displayed by the authenticator module is returned to the device by the message distribution server after the message distribution server has verified the device verification identifier, wherein the device verification identifier verified by the message distribution server is obtained by the client sending the device verification identifier to the server end and the server end calling the message distribution server.
In an embodiment of the present application, for step S202, the authenticator module returning the device verification identifier of the device to the client may specifically include: the authenticator module obtains the device verification identifier of the device according to the hardware information of the device; the authenticator module encrypts and/or signs the obtained device verification identifier; the authenticator module returns the encrypted and/or signed device verification identifier to the client, so that the client sends the encrypted and/or signed device verification identifier to the server end.
Further, the authenticator module obtaining the device verification identifier of the device according to the hardware information of the device may specifically include: the authenticator module obtains the service information of the client; the authenticator module obtains the device verification identifier of the device according to the hardware information of the device and the service information.
In an embodiment of the present application, the authenticator module displaying the identity verification code that the message distribution server returned to the device after verifying the device verification identifier may specifically include: the authenticator module obtains the identity verification code returned by the message distribution server to the device after the device verification identifier has been verified; the authenticator module generates a trusted interface, the trusted interface being in the trusted environment; the authenticator module displays the identity verification code in the trusted interface.
While the trusted interface is displayed, the isolation and security features of the trusted environment may prevent other processes from running, or allow only designated processes to run, so malicious programs such as SMS trojans and phishing programs can be prevented from stealing the message shown in the trusted interface.
In an embodiment of the present application, the identity verification code obtained by the authenticator module may have been encrypted and/or signed by the message distribution server; accordingly, before the authenticator module displays the identity verification code in the trusted interface, the following may further be performed: the authenticator module decrypts and/or verifies the signature of the encrypted and/or signed identity verification code.
In an embodiment of the present application, the interaction between the message distribution server and the device is carried out over a first secure channel, the first secure channel being implemented by a security service preset in the device; and/or the interaction between the client and the authenticator module is carried out over a second secure channel, the second secure channel being implemented by a security service preset in the device.
In an embodiment of the present application, the device may include a user terminal.
Fig. 3 is a schematic flow diagram of a third information interaction method provided by an embodiment of the present application. The executing entity of the flow in Fig. 3 is the cloud, and the flow may include the following steps:
S301: The cloud obtains the device verification identifier of the device sent by the client, the device verification identifier having been obtained by the authenticator module according to the hardware information of the device.
S302: The cloud verifies the device verification identifier.
S303: After the device verification identifier has been verified, the cloud returns to the device an identity verification code to be displayed by the authenticator module.
In an embodiment of the present application, the cloud may include a message distribution server and a server end corresponding to the client. In this case, for step S301, the cloud obtaining the device verification identifier of the device sent by the client may specifically include: the server end obtains the device verification identifier of the device sent by the client;
for step S302, the cloud verifying the device verification identifier may specifically include: the server end sends the device verification identifier to the message distribution server by calling the message distribution server, and the message distribution server verifies the received device verification identifier;
for step S303, the cloud returning to the device, after the device verification identifier has been verified, the identity verification code to be displayed by the authenticator module may specifically include: after the device verification identifier has been verified, the message distribution server returns to the device the identity verification code to be displayed by the authenticator module.
In an embodiment of the present application, the device verification identifier sent by the client has been encrypted and/or signed by the authenticator module; and/or the identity verification code returned by the message distribution server has been encrypted and/or signed.
In an embodiment of the present application, as mentioned above, the message is preferably generated by the server end. In this case, after the device verification identifier is sent to the message distribution server, the following may further be performed: after the message distribution server has verified the device verification identifier, the server end generates the identity verification code; the server end sends the identity verification code to the message distribution server, so that the message distribution server returns the identity verification code to the device.
In an embodiment of the present application, the device verification identifier received by the message distribution server may have been encrypted and/or signed by the authenticator module. In this case, before the message distribution server verifies the device verification identifier, the following may further be performed: the message distribution server decrypts and/or verifies the signature of the encrypted and/or signed device verification identifier.
In an embodiment of the present application, the message distribution server returning to the device the identity verification code to be displayed by the authenticator module may specifically include: the message distribution server sends to the server end a notification message indicating that the device verification identifier has been verified; the message distribution server receives the identity verification code generated and returned by the server end; the message distribution server returns the identity verification code to the device for display by the authenticator module.
In an embodiment of the present application, the message distribution server returning the identity verification code to the device may specifically include: the message distribution server encrypts and/or signs the identity verification code; the message distribution server returns the encrypted and/or signed identity verification code to the device, for the authenticator module to display after decryption and/or signature verification.
In an embodiment of the present application, the interaction between the message distribution server and the device may be carried out over a first secure channel, the first secure channel being implemented by a security service preset in the device; and/or the interaction between the client and the authenticator module may be carried out over a second secure channel, the second secure channel being implemented by a security service preset in the device.
In an embodiment of the present application, the device may include a user terminal.
The information interaction method provided by the embodiment of the present application has been described above with each end in turn as the executing entity. For ease of understanding, the embodiment of the present application further provides a specific implementation of the information interaction method in a practical application scenario, described with reference to Fig. 4, Fig. 5 and Fig. 6.
Fig. 4 is a schematic diagram of a business architecture of the information interaction method in a practical application scenario provided by an embodiment of the present application.
In Fig. 4, "trusted interface + device verification identifier" is one of the key parts of the scheme of the present application on the device where the client resides, and the secure channel can be implemented on the basis of the security service described above. Each service provider has its own server end and corresponding client, and each service provider can issue messages such as identity verification codes to its client through the message distribution server, provided that the message distribution server has verified the device verification identifier of the device where the client resides. The interaction between the parties in Fig. 4 is entirely based on the Internet and does not rely on the network or SMS platform of a mobile operator, which makes it easier to improve the security of the business architecture flexibly with various security policies; moreover, the trusted interface in this business architecture is also more secure than the SMS interface of the prior art.
Fig. 5 is a schematic diagram of a technical architecture of the information interaction method in a practical application scenario provided by an embodiment of the present application.
In Fig. 5, the device where the client resides can mainly implement the following functions (each may correspond to a functional module).
Connection management: responsible for creating, managing and maintaining network socket connections;
Session negotiation: negotiates with the message distribution server when the socket connection is established, to obtain the key for this session;
Heartbeat maintenance: keeps the long-lived connection alive (for example, the long-lived connection that may be established between the security service and the message distribution server);
Trusted interface: draws the interface in the secure UI; depending on the requirements of the back-end operation center, this may be a six-digit password display interface or something else;
Protocol assembly: assembles data according to service needs, applies secure encryption/decryption and signing, and assembles network-layer packets;
Protocol parsing: parses network-layer packets and service data packets;
Device data collection: collects the trust data of the device where the client resides;
Device key: built into the device where the client resides at the factory; provides a signing interface;
Device ID: the device module generates a unique service ID based on the hardware ID (for example, the device verification identifier described above) and returns it;
Encryption/decryption: the key algorithm module.
In Fig. 5, the message distribution server is shown as the cloud; the message distribution server can mainly implement the following functions (each may correspond to a functional module).
Connection management: responsible for managing and maintaining the connections of the message distribution server;
Session negotiation: generates and manages the session key through negotiation with the device where the client resides, while also ensuring that the session and the connection are maintained;
Heartbeat maintenance: keeps the long-lived connection alive;
Protocol assembly: assembles network-layer packets and encapsulates service data;
Protocol parsing: assembles network-layer packets and parses service data;
Device ID management: querying, discarding and adding device IDs;
Device key management: querying, discarding and adding device keys;
Device risk management: builds device risk management from the data collected by the device;
Access control: access control for calls from the server end;
Template center: forms the message content and its presentation;
Operation center: management and operation of messages.
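The session negotiation and heartbeat maintenance functions listed for the device side and for the message distribution server above are only named in the patent; the following is an added example, not code from the patent or its applicant, of how the two sides could implement them. It assumes a per-device key pre-shared with the message distribution server (the patent does not fix the negotiation algorithm), derives the session key from that key and one nonce from each side with an HMAC-based KDF, and authenticates each heartbeat with a sequence number so that a replayed or forged beat cannot keep a dead session alive. All keys, nonces and timestamps are constructed sample values.

```python
import hashlib
import hmac
import secrets


def derive_session_key(device_key: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    # Session key = HMAC-SHA256(device_key, "session" || client_nonce || server_nonce).
    # This KDF is our assumption; both sides compute it from the same inputs.
    return hmac.new(device_key, b"session" + client_nonce + server_nonce, hashlib.sha256).digest()


def heartbeat_tag(session_key: bytes, seq: int) -> bytes:
    # Each heartbeat carries a MAC over its sequence number under the session key.
    return hmac.new(session_key, seq.to_bytes(4, "big"), hashlib.sha256).digest()


class MdsSession:
    """Message distribution server side: negotiates the key and tracks liveness."""

    def __init__(self, device_key: bytes, timeout: float = 30.0):
        self.device_key = device_key          # pre-shared per-device key (assumption)
        self.timeout = timeout                # seconds without a valid heartbeat
        self.session_key = None
        self.last_seen = None
        self.expected_seq = 0

    def negotiate(self, client_nonce: bytes, now: float) -> bytes:
        server_nonce = secrets.token_bytes(16)
        self.session_key = derive_session_key(self.device_key, client_nonce, server_nonce)
        self.last_seen = now
        return server_nonce

    def heartbeat(self, seq: int, tag: bytes, now: float) -> bool:
        if self.session_key is None or seq != self.expected_seq:
            return False                      # no session, or replayed / out-of-order beat
        if not hmac.compare_digest(heartbeat_tag(self.session_key, seq), tag):
            return False                      # forged or corrupted beat
        self.expected_seq += 1
        self.last_seen = now
        return True

    def is_alive(self, now: float) -> bool:
        return self.last_seen is not None and now - self.last_seen <= self.timeout


class DeviceSecurityService:
    """Device side: the security service that keeps the long-lived connection."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key
        self.session_key = None
        self.seq = 0

    def connect(self, server: MdsSession, now: float) -> None:
        client_nonce = secrets.token_bytes(16)
        server_nonce = server.negotiate(client_nonce, now)
        self.session_key = derive_session_key(self.device_key, client_nonce, server_nonce)
        self.seq = 0

    def send_heartbeat(self, server: MdsSession, now: float) -> bool:
        ok = server.heartbeat(self.seq, heartbeat_tag(self.session_key, self.seq), now)
        if ok:
            self.seq += 1                     # advance only on an accepted beat
        return ok
```

Time is passed in explicitly so the liveness logic can be exercised without real waiting; in a deployment `now` would be the server clock and the nonces would travel inside the session-negotiation messages of the protocol layer.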
Fig. 6 is a schematic diagram of an interaction flow of the information interaction method in a practical application scenario provided by an embodiment of the present application.
In Fig. 6, the device contains an untrusted environment and a trusted environment; the security service is implemented by a designated functional module; the authenticator module is in the trusted environment and comprises at least two sub-modules, "trusted logic processing" and "trusted interface display". The security service maintains a long-lived connection with the message distribution server by means of heartbeats.
When the service provided by the client is used on the device for the first time, the operation of activating the device triggers execution of the following flow. The client obtains the device verification identifier through the security service, wherein the device verification identifier is generated by the trusted logic processing module from the hardware information of the device by executing "base64(Hash(HardID+random))", signed with the device private key, and then returned to the client through the security service.
The client sends the obtained signed device verification identifier to the server end to request verification; the server end calls the message distribution server, requesting that the message distribution server verify the signed device verification identifier received from the client.
The message distribution server uses data of the device obtained in advance (for example, the public key, hardware information, device verification identifier, and so on) to verify whether the signature of the currently obtained device verification identifier is valid, and to determine whether the device is a trusted device.
After the message distribution server has verified the device verification identifier, it issues a signed message to the security service, and the security service passes the message through transparently to the trusted logic processing module.
The trusted logic processing module verifies the signature of the message to ensure that the message is trustworthy; after the verification passes, it calls the trusted interface display module to generate a trusted interface in which the message is displayed.
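The Fig. 6 activation flow just described, together with the encrypt-and/or-sign handling of the device verification identifier and of the identity verification code in the Fig. 2 and Fig. 3 embodiments, can be simulated end to end. The following is an added example, not code from the patent or its applicant. It assumes Hash is SHA-256, a `device_ref` index (the hash of the hardware ID) that lets the message distribution server find the device's registered record, and, because it runs with the standard library only, substitutes HMAC-SHA256 with a per-device key registered at the server for the device private key / public key signature the patent describes; the hardware ID, keys and codes are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets


def make_device_verification_id(hard_id: bytes, random: bytes) -> str:
    # "base64(Hash(HardID+random))" from the patent; Hash = SHA-256 is our assumption.
    return base64.b64encode(hashlib.sha256(hard_id + random).digest()).decode()


# Signature stand-in: the patent signs with a factory-built-in device private key and
# the MDS verifies with a public key obtained in advance; here HMAC-SHA256 with a
# per-device key registered at the MDS plays that role so the example runs offline.
def sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)


def canonical(body: dict) -> bytes:
    # Deterministic encoding so signer and verifier MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def trusted_interface_display(code: str) -> str:
    # Stand-in for the "trusted interface display" sub-module (a six-digit code screen).
    return f"[TRUSTED UI] {code}"


class TrustedLogic:
    """'Trusted logic processing' sub-module of the authenticator module (in the TEE)."""

    def __init__(self, hard_id: bytes, device_key: bytes, mds_key: bytes):
        self.hard_id = hard_id
        self.device_key = device_key                    # provisioned at the factory
        self.mds_key = mds_key                          # used to check MDS messages
        # device_ref lets the MDS look up this device's record (our assumption).
        self.device_ref = hashlib.sha256(hard_id).hexdigest()

    def issue_device_verification_id(self) -> dict:
        dvid = make_device_verification_id(self.hard_id, secrets.token_bytes(16))
        body = {"device_ref": self.device_ref, "dvid": dvid}
        return {"body": body, "sig": sign(self.device_key, canonical(body))}

    def receive_message(self, msg: dict):
        # Verify the MDS signature first; an unverifiable message is never displayed.
        if not verify(self.mds_key, canonical(msg["body"]), msg["sig"]):
            return None
        return trusted_interface_display(msg["body"]["code"])


class MessageDistributionServer:
    def __init__(self, mds_key: bytes):
        self.mds_key = mds_key
        self.devices = {}                               # device_ref -> record

    def register(self, device_ref: str, device_key: bytes) -> None:
        self.devices[device_ref] = {"key": device_key, "revoked": False}

    def verify_device(self, signed: dict) -> bool:
        rec = self.devices.get(signed["body"]["device_ref"])
        if rec is None or rec["revoked"]:
            return False                                # unknown or risk-flagged device
        return verify(rec["key"], canonical(signed["body"]), signed["sig"])

    def deliver(self, device_ref: str, code: str) -> dict:
        # Signed message pushed over the long-lived connection to the security service.
        body = {"device_ref": device_ref, "code": code}
        return {"body": body, "sig": sign(self.mds_key, canonical(body))}


class ServiceEnd:
    """The client's server end: generates the code once the MDS reports success."""

    def __init__(self, mds: MessageDistributionServer):
        self.mds = mds

    def request_verification(self, signed: dict):
        if not self.mds.verify_device(signed):
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"
        return self.mds.deliver(signed["body"]["device_ref"], code)


def run_activation(tl: TrustedLogic, service_end: ServiceEnd):
    # First-use activation: returns (displayed text, code), or (None, None) if rejected.
    signed = tl.issue_device_verification_id()      # security service -> client
    msg = service_end.request_verification(signed)  # client -> server end -> MDS
    if msg is None:
        return None, None
    return tl.receive_message(msg), msg["body"]["code"]


def demo_setup():
    # Constructed sample keys and hardware ID; returns (trusted logic, server end, MDS).
    mds_key, device_key = secrets.token_bytes(32), secrets.token_bytes(32)
    mds = MessageDistributionServer(mds_key)
    tl = TrustedLogic(b"HARDID-CONSTRUCTED-0001", device_key, mds_key)
    mds.register(tl.device_ref, device_key)
    return tl, ServiceEnd(mds), mds
```

Calling `run_activation(*demo_setup()[:2])` walks the happy path; the points worth checking are the two refusal paths, namely that an identifier whose signature does not verify (or whose device is unknown or revoked) produces no code at all, and that a message whose signature does not verify is never handed to the trusted interface.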
The information interaction method provided by the embodiment of the present application has been described above. Based on the same inventive concept, the embodiment of the present application further provides corresponding apparatus, as shown in Fig. 7, Fig. 8 and Fig. 9.
Fig. 7 is a schematic structural diagram of an information interaction apparatus corresponding to Fig. 1, provided by an embodiment of the present application. A device contains a client and an authenticator module in a preset trusted environment; the apparatus is located at the client and includes:
an obtaining module 701, which obtains the device verification identifier of the device, the device verification identifier having been obtained by the authenticator module according to the hardware information of the device;
a sending module 702, which sends the device verification identifier to the cloud, so that the cloud, after verifying the device verification identifier, returns to the device the identity verification code to be displayed by the authenticator module.
Optionally, the cloud includes a message distribution server and a server end corresponding to the client;
the sending module 702 sending the device verification identifier to the cloud specifically includes:
the sending module 702 sends the device verification identifier to the server end;
the cloud returning to the device, after the device verification identifier has been verified, the identity verification code to be displayed by the authenticator module specifically includes:
the server end, by calling the message distribution server, causes the message distribution server to return to the device the identity verification code to be displayed by the authenticator module after the device verification identifier has been verified.
Optionally, the device verification identifier obtained by the client has been encrypted and/or signed by the authenticator module; and/or
the identity verification code returned by the message distribution server has been encrypted and/or signed.
Optionally, the device verification identifier is obtained by the authenticator module according to the hardware information of the device and the service information of the client.
Optionally, the interaction between the message distribution server and the device is carried out over a first secure channel, the first secure channel being implemented by a security service preset in the device; and/or
the interaction between the client and the authenticator module is carried out over a second secure channel, the second secure channel being implemented by a security service preset in the device.
Optionally, the device includes a user terminal.
Fig. 8 is a schematic structural diagram of an information interaction apparatus corresponding to Fig. 2, provided by an embodiment of the present application. A device contains a client and an authenticator module in a preset trusted environment; the apparatus is located at the authenticator module and includes:
a receiving module 801, which receives the identifier acquisition request of the client;
a returning module 802, which returns the device verification identifier of the device to the client, the device verification identifier having been obtained by the authenticator module according to the hardware information of the device;
a display module 803, which displays the identity verification code returned by the cloud to the device after the cloud has verified the device verification identifier, wherein the device verification identifier verified by the cloud was sent to the cloud by the client.
Optionally, the cloud includes a message distribution server and a server end corresponding to the client;
the identity verification code displayed by the authenticator module is returned to the device by the message distribution server after the message distribution server has verified the device verification identifier, wherein the device verification identifier verified by the message distribution server is obtained by the client sending the device verification identifier to the server end and the server end calling the message distribution server.
Optionally, the returning module 802 returning the device verification identifier of the device to the client specifically includes:
the returning module 802 obtains the device verification identifier of the device according to the hardware information of the device, encrypts and/or signs the obtained device verification identifier, and returns the encrypted and/or signed device verification identifier to the client, so that the client sends the encrypted and/or signed device verification identifier to the server end.
Optionally, the returning module 802 obtaining the device verification identifier of the device according to the hardware information of the device specifically includes:
the returning module 802 obtains the service information of the client, and obtains the device verification identifier of the device according to the hardware information of the device and the service information.
Optionally, the display module 803 displaying the identity verification code returned by the cloud to the device after the cloud has verified the device verification identifier specifically includes:
the display module 803 obtains the identity verification code returned by the message distribution server to the device after the device verification identifier has been verified, generates a trusted interface, the trusted interface being in the trusted environment, and displays the identity verification code in the trusted interface.
Optionally, the identity verification code obtained by the authenticator module has been encrypted and/or signed by the message distribution server;
before the display module 803 displays the identity verification code in the trusted interface, it decrypts and/or verifies the signature of the encrypted and/or signed identity verification code.
Optionally, the interaction between the message distribution server and the device is carried out over a first secure channel, the first secure channel being implemented by a security service preset in the device; and/or
the interaction between the client and the authenticator module is carried out over a second secure channel, the second secure channel being implemented by a security service preset in the device.
Optionally, the device includes a user terminal.
Fig. 9 is a schematic structural diagram of an information interaction apparatus corresponding to Fig. 3, provided by an embodiment of the present application. A device contains a client and an authenticator module in a preset trusted environment; the apparatus is located in the cloud and includes:
an obtaining module 901, which obtains the device verification identifier of the device sent by the client, the device verification identifier having been obtained by the authenticator module according to the hardware information of the device;
a verification module 902, which verifies the device verification identifier;
a returning module 903, which, after the verification module 902 has verified the device verification identifier, returns to the device the identity verification code to be displayed by the authenticator module.
Optionally, the apparatus includes a message distribution server and a server end corresponding to the client; the obtaining module 901 is located at the server end, and the verification module 902 and the returning module 903 are located at the message distribution server;
the obtaining module 901 obtaining the device verification identifier of the device sent by the client specifically includes:
the server end obtains the device verification identifier of the device sent by the client;
the verification module 902 verifying the device verification identifier specifically includes:
the server end sends the device verification identifier to the message distribution server by calling the message distribution server;
the message distribution server verifies the received device verification identifier;
the returning module 903 returning to the device, after the verification module 902 has verified the device verification identifier, the identity verification code to be displayed by the authenticator module specifically includes:
the message distribution server, after the device verification identifier has been verified, returns to the device the identity verification code to be displayed by the authenticator module.
Optionally, the device verification identifier sent by the client has been encrypted and/or signed by the authenticator module; and/or
the identity verification code returned by the message distribution server has been encrypted and/or signed.
Optionally, after the server end has sent the device verification identifier to the message distribution server by calling the message distribution server, and after the message distribution server has verified the device verification identifier, the server end generates the identity verification code and sends it to the message distribution server, so that the message distribution server returns the identity verification code to the device.
Optionally, the device verification identifier received by the message distribution server has been encrypted and/or signed by the authenticator module;
before the message distribution server verifies the device verification identifier, it decrypts and/or verifies the signature of the encrypted and/or signed device verification identifier.
Optionally, the message distribution server returning the identity verification code to the device specifically includes:
the message distribution server sends to the server end a notification message indicating that the device verification identifier has been verified, receives the identity verification code generated and returned by the server end, and returns the identity verification code to the device for display by the authenticator module.
Optionally, the message distribution server returning the identity verification code to the device specifically includes:
the message distribution server encrypts and/or signs the identity verification code, and returns the encrypted and/or signed identity verification code to the device, for the authenticator module to display after decryption and/or signature verification.
Optionally, the interaction between the message distribution server and the device is carried out over a first secure channel, the first secure channel being implemented by a security service preset in the device; and/or
the interaction between the client and the authenticator module is carried out over a second secure channel, the second secure channel being implemented by a security service preset in the device.
Optionally, the device includes a user terminal.
The apparatus and the methods provided by the embodiments of the present application correspond one to one; therefore the apparatus also has beneficial technical effects similar to those of the corresponding method. Since the beneficial technical effects of the methods have been described in detail above, the beneficial technical effects of the corresponding apparatus are not repeated here.
In the 1990s, an improvement to a technology could be clearly distinguished as an improvement in hardware (for example, an improvement to a circuit structure such as a diode, a transistor or a switch) or an improvement in software (an improvement to a method flow). With the development of technology, however, many of today's improvements to method flows can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement to a method flow cannot be implemented with a hardware entity module. For example, a Programmable Logic Device (PLD) (such as a Field Programmable Gate Array (FPGA)) is an integrated circuit whose logic function is determined by the user programming the device. A designer programs a digital system "integrated" onto a single PLD, without asking a chip manufacturer to design and fabricate a dedicated integrated circuit chip. Moreover, nowadays, instead of making integrated circuit chips by hand, this programming is mostly done with "logic compiler" software, which is similar to the software compiler used in program development, and the source code to be compiled is likewise written in a specific programming language, called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, RHDL (Ruby Hardware Description Language) and so on; the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art should also understand that a hardware circuit implementing a logical method flow can readily be obtained simply by programming the method flow in logic with one of the above hardware description languages and programming it into an integrated circuit.
A controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (such as software or firmware) executable by the (micro)processor, a logic gate, a switch, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of a memory. Those skilled in the art also know that, besides implementing the controller purely with computer-readable program code, the method steps can be programmed in logic so that the controller implements the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller can therefore be regarded as a hardware component, and the means included in it for implementing various functions can also be regarded as structures within the hardware component. Indeed, the means for implementing various functions can be regarded both as software modules implementing the method and as structures within the hardware component.
The system, apparatus, module or unit described in the above embodiments may be implemented by a computer chip or entity, or by a product having a certain function. A typical implementing device is a computer. Specifically, the computer may be, for example, a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an e-mail device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above apparatus is described by dividing it into various units by function. Of course, when the present application is implemented, the functions of the units may be implemented in one or more pieces of software and/or hardware.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory and so on) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions can be also loaded into computer or other programmable data processing devices so that in meter Series of operation steps is performed on calculation machine or other programmable devices to produce computer implemented treatment, so as in computer or The instruction performed on other programmable devices is provided for realizing in one flow of flow chart or multiple flows and/or block diagram one The step of function of being specified in individual square frame or multiple square frames.
In a typical configuration, computing device includes one or more processors (CPU), input/output interface, net Network interface and internal memory.
Internal memory potentially includes the volatile memory in computer-readable medium, random access memory (RAM) and/or The forms such as Nonvolatile memory, such as read-only storage (ROM) or flash memory (flash RAM).Internal memory is computer-readable medium Example.
Computer-readable medium includes that permanent and non-permanent, removable and non-removable media can be by any method Or technology realizes information Store.Information can be computer-readable instruction, data structure, the module of program or other data. The example of the storage medium of computer includes, but are not limited to phase transition internal memory (PRAM), static RAM (SRAM), moves State random access memory (DRAM), other kinds of random access memory (RAM), read-only storage (ROM), electric erasable Programmable read only memory (EEPROM), fast flash memory bank or other memory techniques, read-only optical disc read-only storage (CD-ROM), Digital versatile disc (DVD) or other optical storages, magnetic cassette tape, the storage of tape magnetic rigid disk or other magnetic storage apparatus Or any other non-transmission medium, can be used to store the information that can be accessed by a computing device.Defined according to herein, calculated Machine computer-readable recording medium does not include temporary computer readable media (transitory media), such as data-signal and carrier wave of modulation.
Also, it should be noted that term " including ", "comprising" or its any other variant be intended to nonexcludability Comprising so that process, method, commodity or equipment including a series of key elements not only include those key elements, but also wrapping Include other key elements being not expressly set out, or also include for this process, method, commodity or equipment is intrinsic wants Element.In the absence of more restrictions, the key element limited by sentence "including a ...", it is not excluded that wanted including described Also there is other identical element in process, method, commodity or the equipment of element.
It will be understood by those skilled in the art that embodiments herein can be provided as method, system or computer program product. Therefore, the application can be using the embodiment in terms of complete hardware embodiment, complete software embodiment or combination software and hardware Form.And, the application can be used to be can use in one or more computers for wherein including computer usable program code and deposited The shape of the computer program product implemented on storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.) Formula.
The application can be described in the general context of computer executable instructions, such as program Module.Usually, program module includes performing particular task or realizes routine, program, object, the group of particular abstract data type Part, data structure etc..The application can also be in a distributed computing environment put into practice, in these DCEs, by Remote processing devices connected by communication network perform task.In a distributed computing environment, program module can be with In local and remote computer-readable storage medium including including storage device.
Each embodiment in this specification is described by the way of progressive, identical similar portion between each embodiment Divide mutually referring to what each embodiment was stressed is the difference with other embodiment.Especially for device reality Apply for example or system embodiment, because it is substantially similar to embodiment of the method, so description is fairly simple, related part is joined See the part explanation of embodiment of the method.
Embodiments herein is the foregoing is only, the application is not limited to.For those skilled in the art For, the application can have various modifications and variations.It is all any modifications made within spirit herein and principle, equivalent Replace, improve etc., within the scope of should be included in claims hereof.

Claims (46)

1. An information interaction method, characterized in that a device includes a client and an authenticator module in a preset trusted environment, the method comprising:
the client obtaining a device verification identifier of the device, the device verification identifier being obtained by the authenticator module according to hardware information of the device;
the client sending the device verification identifier to a cloud, so that the cloud, after verifying the device verification identifier successfully, returns to the device an identity verification code for display by the authenticator module.
2. The method of claim 1, characterized in that the cloud includes a message distribution server and a server side corresponding to the client;
the client sending the device verification identifier to the cloud specifically includes:
the client sending the device verification identifier to the server side;
the cloud, after verifying the device verification identifier successfully, returning to the device the identity verification code for display by the authenticator module specifically includes:
the server side, by calling the message distribution server, causing the message distribution server to return to the device, after verifying the device verification identifier successfully, the identity verification code for display by the authenticator module.
3. The method of claim 2, characterized in that the device verification identifier obtained by the client has been encrypted and/or signed by the authenticator module; and/or
the identity verification code returned by the message distribution server has been encrypted and/or signed.
4. The method of claim 1, characterized in that the device verification identifier is obtained by the authenticator module according to the hardware information of the device and service information of the client.
5. The method of claim 2, characterized in that interaction between the message distribution server and the device is carried out over a first secure channel, the first secure channel being implemented by a security service preset in the device; and/or
interaction between the client and the authenticator module is carried out over a second secure channel, the second secure channel being implemented by a security service preset in the device.
6. The method of any one of claims 1 to 5, characterized in that the device includes a user terminal.
7. An information interaction method, characterized in that a device includes a client and an authenticator module in a preset trusted environment, the method comprising:
the authenticator module receiving an identifier acquisition request from the client;
the authenticator module returning to the client a device verification identifier of the device, the device verification identifier being obtained by the authenticator module according to hardware information of the device;
the authenticator module displaying an identity verification code returned to the device by a cloud after the cloud has verified the device verification identifier successfully, wherein the device verification identifier verified by the cloud was sent to the cloud by the client.
8. The method of claim 7, characterized in that the cloud includes a message distribution server and a server side corresponding to the client;
the identity verification code displayed by the authenticator module is returned to the device by the message distribution server after it has verified the device verification identifier successfully, wherein the device verification identifier verified by the message distribution server is obtained by the client sending the device verification identifier to the server side and the server side calling the message distribution server.
9. The method of claim 8, characterized in that the authenticator module returning to the client the device verification identifier of the device specifically includes:
the authenticator module obtaining the device verification identifier of the device according to the hardware information of the device;
the authenticator module encrypting and/or signing the obtained device verification identifier;
the authenticator module returning the encrypted and/or signed device verification identifier to the client, so that the client sends the encrypted and/or signed device verification identifier to the server side.
10. The method of claim 7, characterized in that the authenticator module obtaining the device verification identifier of the device according to the hardware information of the device specifically includes:
the authenticator module obtaining service information of the client;
the authenticator module obtaining the device verification identifier of the device according to the hardware information of the device and the service information.
11. The method of claim 8, characterized in that the authenticator module displaying the identity verification code returned to the device by the cloud after it has verified the device verification identifier successfully specifically includes:
the authenticator module obtaining the identity verification code returned to the device by the message distribution server after it has verified the device verification identifier successfully;
the authenticator module generating a trusted interface, the trusted interface being in the trusted environment;
the authenticator module displaying the identity verification code in the trusted interface.
12. The method of claim 11, characterized in that the identity verification code obtained by the authenticator module has been encrypted and/or signed by the message distribution server;
before the authenticator module displays the identity verification code in the trusted interface, the method further includes:
the authenticator module decrypting the encrypted and/or signed identity verification code and/or verifying its signature.
13. The method of claim 8, characterized in that interaction between the message distribution server and the device is carried out over a first secure channel, the first secure channel being implemented by a security service preset in the device; and/or
interaction between the client and the authenticator module is carried out over a second secure channel, the second secure channel being implemented by a security service preset in the device.
14. The method of any one of claims 7 to 13, characterized in that the device includes a user terminal.
15. An information interaction method, characterized in that a device includes a client and an authenticator module in a preset trusted environment, the method comprising:
a cloud obtaining a device verification identifier of the device sent by the client, the device verification identifier being obtained by the authenticator module according to hardware information of the device;
the cloud verifying the device verification identifier;
the cloud, after verifying the device verification identifier successfully, returning to the device an identity verification code for display by the authenticator module.
16. The method of claim 15, characterized in that the cloud includes a message distribution server and a server side corresponding to the client;
the cloud obtaining the device verification identifier of the device sent by the client specifically includes:
the server side obtaining the device verification identifier of the device sent by the client;
the cloud verifying the device verification identifier specifically includes:
the server side sending the device verification identifier to the message distribution server by calling the message distribution server;
the message distribution server verifying the received device verification identifier;
the cloud, after verifying the device verification identifier successfully, returning to the device the identity verification code for display by the authenticator module specifically includes:
the message distribution server, after verifying the device verification identifier successfully, returning to the device the identity verification code for display by the authenticator module.
17. The method of claim 16, characterized in that the device verification identifier sent by the client has been encrypted and/or signed by the authenticator module; and/or
the identity verification code returned by the message distribution server has been encrypted and/or signed.
18. The method of claim 16, characterized in that after the server side sends the device verification identifier to the message distribution server by calling the message distribution server, the method further includes:
the server side generating the identity verification code after the message distribution server has verified the device verification identifier successfully;
the server side sending the identity verification code to the message distribution server, so that the message distribution server returns the identity verification code to the device.
19. The method of claim 16, characterized in that the device verification identifier received by the message distribution server has been encrypted and/or signed by the authenticator module;
before the message distribution server verifies the device verification identifier, the method further includes:
the message distribution server decrypting the encrypted and/or signed device verification identifier and/or verifying its signature.
20. The method of claim 16, characterized in that the message distribution server returning to the device the identity verification code for display by the authenticator module specifically includes:
the message distribution server sending to the server side a notification message indicating that the device verification identifier has been verified successfully;
the message distribution server receiving the identity verification code generated and returned by the server side;
the message distribution server returning the identity verification code to the device for display by the authenticator module.
21. The method of claim 16, characterized in that the message distribution server returning the identity verification code to the device specifically includes:
the message distribution server encrypting and/or signing the identity verification code;
the message distribution server returning the encrypted and/or signed identity verification code to the device, for display after the authenticator module has decrypted it and/or verified its signature.
22. The method of claim 16, characterized in that interaction between the message distribution server and the device is carried out over a first secure channel, the first secure channel being implemented by a security service preset in the device; and/or
interaction between the client and the authenticator module is carried out over a second secure channel, the second secure channel being implemented by a security service preset in the device.
23. The method of any one of claims 15 to 22, characterized in that the device includes a user terminal.
24. An information interaction apparatus, characterized in that a device includes a client and an authenticator module in a preset trusted environment, the apparatus being located at the client and comprising:
an acquisition module that obtains a device verification identifier of the device, the device verification identifier being obtained by the authenticator module according to hardware information of the device;
a sending module that sends the device verification identifier to a cloud, so that the cloud, after verifying the device verification identifier successfully, returns to the device an identity verification code for display by the authenticator module.
25. The apparatus of claim 24, characterized in that the cloud includes a message distribution server and a server side corresponding to the client;
the sending module sending the device verification identifier to the cloud specifically includes:
the sending module sending the device verification identifier to the server side;
the cloud, after verifying the device verification identifier successfully, returning to the device the identity verification code for display by the authenticator module specifically includes:
the server side, by calling the message distribution server, causing the message distribution server to return to the device, after verifying the device verification identifier successfully, the identity verification code for display by the authenticator module.
26. The apparatus of claim 25, characterized in that the device verification identifier obtained by the client has been encrypted and/or signed by the authenticator module; and/or
the identity verification code returned by the message distribution server has been encrypted and/or signed.
27. The apparatus of claim 24, characterized in that the device verification identifier is obtained by the authenticator module according to the hardware information of the device and service information of the client.
28. The apparatus of claim 25, characterized in that interaction between the message distribution server and the device is carried out over a first secure channel, the first secure channel being implemented by a security service preset in the device; and/or
interaction between the client and the authenticator module is carried out over a second secure channel, the second secure channel being implemented by a security service preset in the device.
29. The apparatus of any one of claims 24 to 28, characterized in that the device includes a user terminal.
30. An information interaction apparatus, characterized in that a device includes a client and an authenticator module in a preset trusted environment, the apparatus being located at the authenticator module and comprising:
a receiving module that receives an identifier acquisition request from the client;
a returning module that returns to the client a device verification identifier of the device, the device verification identifier being obtained by the authenticator module according to hardware information of the device;
a display module that displays an identity verification code returned to the device by a cloud after the cloud has verified the device verification identifier successfully, wherein the device verification identifier verified by the cloud was sent to the cloud by the client.
31. The apparatus of claim 30, characterized in that the cloud includes a message distribution server and a server side corresponding to the client;
the identity verification code displayed by the authenticator module is returned to the device by the message distribution server after it has verified the device verification identifier successfully, wherein the device verification identifier verified by the message distribution server is obtained by the client sending the device verification identifier to the server side and the server side calling the message distribution server.
32. The apparatus of claim 31, characterized in that the returning module returning to the client the device verification identifier of the device specifically includes:
the returning module obtaining the device verification identifier of the device according to the hardware information of the device, encrypting and/or signing the obtained device verification identifier, and returning the encrypted and/or signed device verification identifier to the client, so that the client sends the encrypted and/or signed device verification identifier to the server side.
33. The apparatus of claim 30, characterized in that the returning module obtaining the device verification identifier of the device according to the hardware information of the device specifically includes:
the returning module obtaining service information of the client, and obtaining the device verification identifier of the device according to the hardware information of the device and the service information.
34. The apparatus of claim 31, characterized in that the display module displaying the identity verification code returned to the device by the cloud after it has verified the device verification identifier successfully specifically includes:
the display module obtaining the identity verification code returned to the device by the message distribution server after it has verified the device verification identifier successfully, generating a trusted interface, the trusted interface being in the trusted environment, and displaying the identity verification code in the trusted interface.
35. The apparatus of claim 34, characterized in that the identity verification code obtained by the authenticator module has been encrypted and/or signed by the message distribution server;
before displaying the identity verification code in the trusted interface, the display module decrypts the encrypted and/or signed identity verification code and/or verifies its signature.
36. The apparatus of claim 31, characterized in that interaction between the message distribution server and the device is carried out over a first secure channel, the first secure channel being implemented by a security service preset in the device; and/or
interaction between the client and the authenticator module is carried out over a second secure channel, the second secure channel being implemented by a security service preset in the device.
37. The apparatus of claims 30 to 36, characterized in that the device includes a user terminal.
38. An information interaction apparatus, characterized in that a device includes a client and an authenticator module in a preset trusted environment, the apparatus being located in a cloud and comprising:
an acquisition module that obtains a device verification identifier of the device sent by the client, the device verification identifier being obtained by the authenticator module according to hardware information of the device;
a verification module that verifies the device verification identifier;
a returning module that, after the verification module has verified the device verification identifier successfully, returns to the device an identity verification code for display by the authenticator module.
39. The apparatus of claim 38, characterized in that the apparatus includes a message distribution server and a server side corresponding to the client; the acquisition module is located at the server side, and the verification module and the returning module are located at the message distribution server;
the acquisition module obtaining the device verification identifier of the device sent by the client specifically includes:
the server side obtaining the device verification identifier of the device sent by the client;
the verification module verifying the device verification identifier specifically includes:
the server side sending the device verification identifier to the message distribution server by calling the message distribution server;
the message distribution server verifying the received device verification identifier;
the returning module, after the verification module has verified the device verification identifier successfully, returning to the device the identity verification code for display by the authenticator module specifically includes:
the message distribution server, after verifying the device verification identifier successfully, returning to the device the identity verification code for display by the authenticator module.
40. The apparatus of claim 39, characterized in that the device verification identifier sent by the client has been encrypted and/or signed by the authenticator module; and/or
the identity verification code returned by the message distribution server has been encrypted and/or signed.
41. The apparatus of claim 39, characterized in that, after the server side has sent the device verification identifier to the message distribution server by calling the message distribution server, and after the message distribution server has verified the device verification identifier successfully, the server side generates the identity verification code and sends the identity verification code to the message distribution server, so that the message distribution server returns the identity verification code to the device.
42. The apparatus of claim 39, characterized in that the device verification identifier received by the message distribution server has been encrypted and/or signed by the authenticator module;
before verifying the device verification identifier, the message distribution server decrypts the encrypted and/or signed device verification identifier and/or verifies its signature.
43. The apparatus of claim 39, characterized in that the message distribution server returning the identity verification code to the device specifically includes:
the message distribution server sending to the server side a notification message indicating that the device verification identifier has been verified successfully, receiving the identity verification code generated and returned by the server side, and returning the identity verification code to the device for display by the authenticator module.
44. The apparatus of claim 39, characterized in that the message distribution server returning the identity verification code to the device specifically includes:
the message distribution server encrypting and/or signing the identity verification code, and returning the encrypted and/or signed identity verification code to the device for display after the authenticator module has decrypted it and/or verified its signature.
45. The apparatus of claim 39, characterized in that interaction between the message distribution server and the device is carried out over a first secure channel, the first secure channel being implemented by a security service preset in the device; and/or
interaction between the client and the authenticator module is carried out over a second secure channel, the second secure channel being implemented by a security service preset in the device.
46. The apparatus of any one of claims 38 to 45, characterized in that the device includes a user terminal.
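The exchange claimed above (method claims 1 to 23, mirrored by the apparatus claims) can be walked through end to end in code. The following is an added simulation and is not code from the patent or from the applicant. Everything beyond the claims is an assumption: the HMAC-SHA256 tags standing in for the unspecified "encryption and/or signature", a device key that the authenticator module and the message distribution server are assumed to share from an earlier enrollment step, a device identifier derived by hashing JSON-encoded hardware and service information, and all sample values. The two checks at the trust boundaries are the point: the message distribution server rejects an identifier altered by the untrusted client app, and the authenticator module refuses to show a code whose signature does not verify, so nothing unsigned ever reaches the trusted interface.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample values (assumptions for this example, not from the patent).
DEVICE_ID = "SN-000123"
HARDWARE_INFO = {"serial": DEVICE_ID, "model": "demo-phone"}
SERVICE_INFO = {"app": "demo-wallet", "account": "alice"}


def sign(key: bytes, message: str) -> str:
    """HMAC-SHA256 tag; stands in for the claims' unspecified 'encryption and/or signature'."""
    return hmac.new(key, message.encode(), "sha256").hexdigest()


class AuthenticatorModule:
    """Runs in the device's trusted environment. Holds the hardware information and a
    device key assumed to be shared with the message distribution server at enrollment."""

    def __init__(self, hardware_info, device_key):
        self.hardware_info = hardware_info
        self.device_key = device_key
        self.trusted_ui = []  # codes the trusted interface has displayed

    def handle_identifier_request(self, service_info):
        # Identifier derived from hardware information plus the client's service
        # information (claims 4 and 10), then signed before it leaves the TEE (claim 9).
        material = json.dumps({"hw": self.hardware_info, "svc": service_info}, sort_keys=True)
        identifier = hashlib.sha256(material.encode()).hexdigest()
        device_id = self.hardware_info["serial"]
        return {"device_id": device_id, "identifier": identifier,
                "sig": sign(self.device_key, device_id + "|" + identifier)}

    def receive_code(self, payload):
        # Verify the code's signature before anything reaches the trusted UI (claim 12).
        if not hmac.compare_digest(sign(self.device_key, payload["code"]), payload["sig"]):
            return False
        self.trusted_ui.append(payload["code"])  # shown in the trusted interface (claim 11)
        return True


class Client:
    """The ordinary client app outside the trusted environment; it only relays messages."""

    def __init__(self, authenticator, server, service_info, tamper=False):
        self.authenticator = authenticator
        self.server = server
        self.service_info = service_info
        self.tamper = tamper  # simulate a compromised client altering the identifier

    def request_code(self):
        signed = self.authenticator.handle_identifier_request(self.service_info)
        if self.tamper:
            signed = dict(signed, identifier="0" * 64)
        return self.server.submit_identifier(signed)


class ServerSide:
    """The server side corresponding to the client; it never holds the device key."""

    def __init__(self, mds):
        self.mds = mds
        self.issued = {}  # device_id -> identity verification code

    def submit_identifier(self, signed):
        return self.mds.verify_and_deliver(signed, self)  # claim 16: call the MDS

    def on_verified(self, device_id):
        # Claim 18: the server side generates the code once the MDS reports success.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.issued[device_id] = code
        return code


class MessageDistributionServer:
    """Verifies identifiers and pushes the code to the device over the first secure channel."""

    def __init__(self, registry, devices):
        self.registry = registry  # device_id -> device key (assumed enrollment data)
        self.devices = devices    # device_id -> reachable AuthenticatorModule

    def verify_and_deliver(self, signed, server):
        key = self.registry.get(signed["device_id"])
        if key is None:
            return False
        expected = sign(key, signed["device_id"] + "|" + signed["identifier"])
        if not hmac.compare_digest(expected, signed["sig"]):
            return False  # claim 19: signature check fails, so no code is issued
        code = server.on_verified(signed["device_id"])  # claim 20: notify, receive code
        payload = {"code": code, "sig": sign(key, code)}  # claim 21: sign before returning
        return self.devices[signed["device_id"]].receive_code(payload)


def run_exchange(tamper=False):
    """Return (delivered, codes shown in the trusted UI, code issued by the server side)."""
    device_key = secrets.token_bytes(32)
    auth = AuthenticatorModule(HARDWARE_INFO, device_key)
    mds = MessageDistributionServer({DEVICE_ID: device_key}, {DEVICE_ID: auth})
    server = ServerSide(mds)
    client = Client(auth, server, SERVICE_INFO, tamper)
    delivered = client.request_code()
    return delivered, list(auth.trusted_ui), server.issued.get(DEVICE_ID)
```

Calling `run_exchange()` returns the honest run, in which the six-digit code the server side issued is exactly the one shown in the trusted interface; `run_exchange(tamper=True)` models the untrusted client rewriting the identifier on its way to the server side, and the message distribution server's signature check stops the flow before any code is generated or displayed. The design choice worth noting is that the client app, the party most exposed to compromise, never holds a key: it can only relay what the authenticator module signed, and what the message distribution server signed.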
CN201611190037.0A 2016-12-21 2016-12-21 Information interaction method and device Active CN106899571B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201611190037.0A CN106899571B (en) 2016-12-21 2016-12-21 Information interaction method and device
CN202010690618.0A CN111683103B (en) 2016-12-21 2016-12-21 Information interaction method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611190037.0A CN106899571B (en) 2016-12-21 2016-12-21 Information interaction method and device

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202010690618.0A Division CN111683103B (en) 2016-12-21 2016-12-21 Information interaction method and device

Publications (2)

Publication Number Publication Date
CN106899571A true CN106899571A (en) 2017-06-27
CN106899571B CN106899571B (en) 2020-06-26

Family

ID=59197910

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202010690618.0A Active CN111683103B (en) 2016-12-21 2016-12-21 Information interaction method and device
CN201611190037.0A Active CN106899571B (en) 2016-12-21 2016-12-21 Information interaction method and device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202010690618.0A Active CN111683103B (en) 2016-12-21 2016-12-21 Information interaction method and device

Country Status (1)

Country Link
CN (2) CN111683103B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114124462B (en) * 2021-10-26 2023-12-19 北京达佳互联信息技术有限公司 Verification code transmission method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103856485A (en) * 2014-02-14 2014-06-11 武汉天喻信息产业股份有限公司 System and method for initializing safety indicator of credible user interface
CN104079581A (en) * 2014-07-16 2014-10-01 金红宇 Identity authentication method and device
US20160277363A1 (en) * 2015-03-17 2016-09-22 Ca, Inc. System and method of mobile authentication
WO2016156206A1 (en) * 2015-03-27 2016-10-06 Piksel, Inc Drm addition authentication
CN106027501A (en) * 2016-05-06 2016-10-12 北京芯盾时代科技有限公司 System and method for performing transaction security authentication in mobile device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102625297B (en) * 2011-01-27 2016-01-13 腾讯科技(深圳)有限公司 For identity management method and the device of mobile terminal
CN104243157A (en) * 2013-06-24 2014-12-24 阿里巴巴集团控股有限公司 Method and device for user identity authentication
CN104113551B (en) * 2014-07-28 2017-06-23 百度在线网络技术(北京)有限公司 A kind of platform authorization method, platform service end and applications client and system

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111835714A (en) * 2017-07-11 2020-10-27 创新先进技术有限公司 Information verification processing method, client and server
US20180343251A1 (en) * 2017-11-16 2018-11-29 Qingdao Hisense Electronics Co., Ltd. Processing method and apparatus for remote assistance
WO2019095388A1 (en) * 2017-11-16 2019-05-23 青岛海信电器股份有限公司 Remotely-assisted processing method and device
CN110392014A (en) * 2018-04-17 2019-10-29 阿里巴巴集团控股有限公司 Communication means and device between internet of things equipment
US11729156B2 (en) 2018-04-17 2023-08-15 Alibaba Group Holding Limited Method and apparatus for communication between internet of things devices
CN108769059A (en) * 2018-06-21 2018-11-06 网易宝有限公司 Method of calibration, device, medium and computing device
CN108881256A (en) * 2018-06-29 2018-11-23 北京旅居四方科技有限公司 Key exchange method, device, water power stake and the network equipment
CN109614789A (en) * 2018-11-07 2019-04-12 平安科技(深圳)有限公司 A kind of verification method and equipment of terminal device
CN109614789B (en) * 2018-11-07 2023-04-14 平安科技(深圳)有限公司 Terminal equipment verification method and equipment
CN112929320A (en) * 2019-12-05 2021-06-08 阿里巴巴集团控股有限公司 Information processing method, information processing device, electronic equipment and storage medium
US11477008B2 (en) 2020-08-24 2022-10-18 Alipay (Hangzhou) Information Technology Co., Ltd. Service processing methods, apparatuses, devices and systems
CN111741028B (en) * 2020-08-24 2020-11-24 支付宝(杭州)信息技术有限公司 Service processing method, device, equipment and system
CN111741028A (en) * 2020-08-24 2020-10-02 支付宝(杭州)信息技术有限公司 Service processing method, device, equipment and system
WO2023050524A1 (en) * 2021-09-30 2023-04-06 传仲智能数字科技(上海)有限公司 Im-based user identity authentication method and apparatus, and server and storage medium

Also Published As

Publication number Publication date
CN106899571B (en) 2020-06-26
CN111683103B (en) 2022-08-30
CN111683103A (en) 2020-09-18

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20201016

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Innovative advanced technology Co.,Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20201016

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Advanced innovation technology Co.,Ltd.

Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands

Patentee before: Alibaba Group Holding Ltd.