Specific embodiment
The embodiments of the present application provide an information interaction method and device.
In order that those skilled in the art better understand the technical scheme of the application, the technical scheme in the embodiments of the present application is described clearly and completely below in conjunction with the accompanying drawings of the embodiments. It is clear that the described embodiments are only some of the embodiments of the present application, rather than all of them. Based on the embodiments in the application, every other embodiment obtained by a person of ordinary skill in the art without creative work shall fall within the scope of protection of the application.
The specific implementation of the scheme of the application may involve actions at the client, the authenticator module and the cloud, where the cloud may comprise only one end (for example, a message distribution server) or at least two ends (for example, a message distribution server and the service end corresponding to the client).
The client and the authenticator module may be located on the same device. The device on which the client and the authenticator module reside is usually a user terminal such as a mobile phone, a tablet computer, a smart wearable device or an in-vehicle unit.
The service end and the message distribution server may be located on different devices or on the same device. The device on which the service end or the message distribution server resides is generally a computer or computer cluster used as a server.
Unless otherwise specified, the "device" mentioned below always means the device on which the client and the authenticator module reside.
The embodiments of the present application provide three information interaction methods and devices in total. These three methods and devices are based on the same inventive idea and correspond to one another; they are described with the client, the authenticator module and the cloud respectively as the executing entity. Any of the above information interaction methods or devices can realize the acquisition, issuing and display of an authentication code, improve the security of the authentication code and reduce the possibility of its leakage.
The scheme of the application is described in detail below.
Fig. 1 is a schematic flow chart of the first information interaction method provided by the embodiments of the present application. The device includes a client and an authenticator module located in a predetermined trusted environment (Trusted Execution Environment, TEE). The flow in Fig. 1 may be triggered in a specific manner when an authentication code needs to be obtained, for example, when a business provided by the client is used on the device for the first time and the device needs to be activated, or when a user switches between the client on a mobile device and the corresponding client on a non-mobile device under the same account.
In the embodiments of the present application, the trusted environment relies on the hardware of the device where it resides and usually provides trusted services on the basis of a microkernel operating system. It may have various specific implementations, which the application does not limit; three of them are listed as examples:
The first: a trusted environment can be provided using Intel TXT or AMD SVM, that is, on the basis of special instructions of the processor (CPU), a dynamic root of trust (DRTM) service is provided and the trusted environment is realized;
The second: using the ARM TrustZone or TI M-Shield mechanism, a secure-zone/non-secure-zone isolation mechanism is provided directly on the central processing unit hardware to realize the trusted environment;
The third: using a hypervisor/VMM virtualization mechanism, isolation between secure applications and non-secure applications is provided to realize the trusted environment.
The explanation of the information interaction method in Fig. 1 also applies to the other information interaction methods provided by the embodiments of the present application, and is not repeated below.
The executing entity of the flow in Fig. 1 is the client, and the flow may include the following steps:
S101: The client obtains the device authentication identifier of the device, the device authentication identifier being obtained by the authenticator module according to the hardware information of the device.
In the embodiments of the present application, the client may be any client on the user terminal that needs to use an authentication code, for example, the client of a third-party payment application, the client of an instant messaging application, or the client of an electronic banking application.
In the embodiments of the present application, the device can be distinguished from other devices according to its hardware information. Taking a mobile phone as an example, the hardware information may be the International Mobile Equipment Identity (IMEI), the physical address, and so on.
Usually, the device authentication identifier uniquely identifies its corresponding device within a certain scope (for example, a network scope, a device scope or a territorial scope); how large that scope is is not limited by the application and depends on the specific implementation. For example, if the scheme of the application is implemented in a certain country, then for devices in that country it is sufficient that the device authentication identifier is unique within that country.
In the embodiments of the present application, the device authentication identifier may be generated by the authenticator module performing a certain logical operation on the hardware information of the device. The logical operation may have various specific implementations, which the application does not limit; one is listed as an example.
For example, the device authentication identifier may be generated by computing base64(Hash(HardID+random)), where base64 denotes the Base64 algorithm, Hash denotes a hash function, HardID denotes the hardware information used, and random denotes a random number. Because the generation process is carried out in the trusted environment of the device, this manner helps to improve the security of the device authentication identifier and also helps to prevent the hardware information from being leaked.
Of course, the authenticator module may also use the hardware information of the device directly as the device authentication identifier.
In the embodiments of the present application, the client may directly or indirectly send an identifier acquisition request to the authenticator module and obtain the device authentication identifier returned by the authenticator module.
S102: The client sends the device authentication identifier to the cloud, so that the cloud, after the device authentication identifier is verified successfully, returns to the device an authentication code for display by the authenticator module.
In the embodiments of the present application, by verifying the device authentication identifier the cloud can determine whether the device on which the client resides is a trusted device for the business provided by the client; if so, the verification passes.
In the embodiments of the present application, the cloud interacts with the device through the Internet (IP network).
In the embodiments of the present application, the authentication code may take various forms. Several are listed as examples: the authentication code may be a string of digits (6 digits, 4 digits, etc.), a string of characters (for example, Chinese characters, English characters or characters of other languages), a task (for example, swap the 1st and the last character in a nine-cell grid, swap the 2nd and the 5th character, and connect the 3rd and the 8th character with a straight line; the nine-cell grid is shown on the interface when the user needs to perform identity verification, and when the user receives the task as described above and performs it according to the task definition, the identity verification passes), and so on.
By the method for Fig. 1, the equipment can be the user terminals such as mobile phone, can be based on to according to the hard of equipment
Being verified for the device authentication mark that part information is obtained, determines that the equipment is really credible equipment, then issue identity to equipment
Identifying code, therefore duplication Mobile phone card, pseudo-base station etc. can be resisted attack, moreover, due to device authentication mark generation with
And the displaying of follow-up authentication code is carried out in trusted context in a device, therefore short message wooden horse, fishing can be resisted
Fish program etc. is attacked.In sum, the scheme of the application can improve the security of authentication code, reduce authentication code and let out
The possibility of dew, can partly or entirely solve the problems of the prior art.
Based on the method of Fig. 1, the embodiments of the present application further provide some specific embodiments and extension schemes of the method, which are described below.
In the embodiments of the present application, as stated above, the cloud may include two ends: a message distribution server and the service end corresponding to the client. The following embodiments are mainly described on the basis of this case.
In this case, for step S102, the cloud includes a message distribution server and the service end corresponding to the client;
the client sending the device authentication identifier to the cloud may specifically include: the client sends the device authentication identifier to the service end;
and the cloud, after the device authentication identifier is verified successfully, returning to the device an authentication code for display by the authenticator module may specifically include: the service end calls the message distribution server, so that the message distribution server, after the device authentication identifier is verified successfully, returns to the device the authentication code for display by the authenticator module.
In the embodiments of the present application, the service end is the service end corresponding to the client; for example, the service end corresponding to the client of a payment application is the server of that payment application.
The message distribution server may be a common platform, in which case multiple different service ends may call the same message distribution server. Of course, different service ends may also each have their own dedicated message distribution server. It should be noted that the message distribution server is not the short message (SMS) server of a mobile operator; therefore, the scheme of the application does not depend on SMS to send and receive authentication codes as in the prior art, and can instead transmit the authentication code over the Internet.
In the embodiments of the present application, by calling the message distribution server, the service end can forward the device authentication identifier received from the client to the message distribution server and request the message distribution server to verify it. By verifying the device authentication identifier, the message distribution server can determine whether the device on which the client resides is a trusted device; if so, the verification passes.
Specifically, the device authentication identifier of the device may be registered in advance with the message distribution server in a specific manner (for example, factory preset, user real-name authentication, binding the device with another trusted device, etc.), and a registered device is a trusted device. In this case, the message distribution server can verify the device authentication identifier in step S102 by comparing it with the registered device authentication identifiers.
For example, with the factory-preset manner, the manufacturer can register the device authentication identifier without user intervention, so as to confirm that the hardware of the device is itself trustworthy. This manner mainly emphasizes "trust at the hardware level".
As another example, with the user real-name authentication manner, the user may in advance, for the business of a certain client, interact with the corresponding service end and the message distribution server to register the user's identification information (for example, the real name, the identity card number, etc.) together with the device authentication identifier, so as to determine that the device is trustworthy for that business and that user. This manner mainly emphasizes "trust at the business level".
In the embodiments of the present application, the authentication code may be generated by the service end and/or the message distribution server. Typically, the authentication code is related to the business of the client or the service end (for example, the business requires authentication based on the authentication code, or the authentication code needs to be generated from business-related information, etc.); in this case the authentication code is preferably generated by the service end, which helps to reduce interference of the message distribution server with the business.
In the embodiments of the present application, for step S101, the device authentication identifier obtained by the client has been encrypted and/or signed by the authenticator module. The purpose of encryption is to prevent the device authentication identifier from being transmitted in plaintext and so reduce the risk of disclosure, and the purpose of signing is to prevent the device authentication identifier from being tampered with illegally. In this case, the message distribution server subsequently has to perform the corresponding decryption and/or signature verification before it can verify the device authentication identifier; the keys needed for decryption and/or signature verification may be negotiated in advance between the device and the message distribution server.
Similarly, the authentication code returned by the message distribution server may also have been encrypted and/or signed.
In the embodiments of the present application, the device authentication identifier may also be obtained by the authenticator module according to the hardware information of the device and the business information of the client, and different clients may pre-specify different logical operation algorithms for generating the device authentication identifier. In this way, the device authentication identifiers of different clients can be differentiated, and the device authentication identifier of one client can change as that client's business information changes, which helps to improve the security of the device authentication identifier.
In the embodiments of the present application, for the above information interaction flow, the interaction between the client and the authenticator module, and/or the interaction between the message distribution server and the device (including but not limited to the authenticator module), may be carried out over a secure channel realized by a predetermined security service in the device; for example, the interaction between the message distribution server and the device is carried out over a first secure channel, and the interaction between the client and the authenticator module is carried out over a second secure channel, etc.
The reason is that although the authenticator module is in the trusted environment, the client and the message distribution server may not be; the security service and the secure channels it realizes help to reduce the risk of interaction between these ends.
The security service may be provided by a functional module independent of the above ends, or by the above ends themselves. The security service may include, but is not limited to, connection management, access control, session negotiation, connection heartbeat maintenance, secure tunnelling, key control, etc.
It should be noted that the above secure channels may be realized at one or more layers of the Open System Interconnection (OSI) model, and the specific way of implementing the secure channel differs between layers. For example, at the application layer a secure channel can be realized on the basis of encryption and/or signing; at the transport layer, on the basis of TLS; at the network layer, on the basis of IPsec; at the link layer, on the basis of L2TP; and so on.
Fig. 2 is a schematic flow chart of the second information interaction method provided by the embodiments of the present application. The executing entity of the flow in Fig. 2 is the authenticator module, and the flow may include the following steps:
S201: The authenticator module receives the identifier acquisition request of the client.
S202: The authenticator module returns the device authentication identifier of the device to the client, the device authentication identifier being obtained by the authenticator module according to the hardware information of the device.
S203: The authenticator module displays the authentication code returned by the cloud to the device after the cloud has verified the device authentication identifier successfully, where the device authentication identifier verified by the cloud was sent to the cloud by the client.
With the method for Fig. 1 it is corresponding due to Fig. 2, therefore, the technique effect of the method for Fig. 2 also method with Fig. 1, base
In the method for Fig. 2, the embodiment of the present application additionally provides some specific embodiments of the method, and expansion scheme, for
The part having been explained above, repeats no more or is only briefly described below.Several information interacting methods below are also
In this way, repeating no more.
In the embodiments of the present application, the cloud may include a message distribution server and the service end corresponding to the client;
the authentication code displayed by the authenticator module is returned to the device by the message distribution server after the device authentication identifier is verified successfully, where the device authentication identifier verified by the message distribution server was obtained by the client sending it to the service end and the service end calling the message distribution server.
In the embodiments of the present application, for step S202, the authenticator module returning the device authentication identifier of the device to the client may specifically include: the authenticator module obtains the device authentication identifier of the device according to the hardware information of the device; the authenticator module encrypts and/or signs the obtained device authentication identifier; and the authenticator module returns the encrypted and/or signed device authentication identifier to the client, so that the client sends the encrypted and/or signed device authentication identifier to the service end.
Further, the authenticator module obtaining the device authentication identifier of the device according to the hardware information of the device may specifically include: the authenticator module obtains the business information of the client; and the authenticator module obtains the device authentication identifier of the device according to the hardware information of the device and the business information.
In the embodiments of the present application, the authenticator module displaying the authentication code returned to the device by the message distribution server after the device authentication identifier is verified successfully may specifically include: the authenticator module obtains the authentication code returned to the device by the message distribution server after the device authentication identifier is verified successfully; the authenticator module generates a trusted interface, the trusted interface being in the trusted environment; and the authenticator module displays the authentication code in the trusted interface.
When the trusted interface is displayed, the isolation and security features of the trusted environment allow no other process to run, or allow only designated processes to run, so malicious programs such as SMS trojans and phishing programs can be prevented from stealing the message shown in the trusted interface.
In the embodiments of the present application, the authentication code obtained by the authenticator module may have been encrypted and/or signed by the message distribution server; correspondingly, before displaying the authentication code in the trusted interface, the authenticator module may also decrypt and/or verify the signature of the encrypted and/or signed authentication code.
In the embodiments of the present application, the interaction between the message distribution server and the device is carried out over a first secure channel, the first secure channel being realized by a predetermined security service in the device; and/or the interaction between the client and the authenticator module is carried out over a second secure channel, the second secure channel being realized by the predetermined security service in the device.
In the embodiments of the present application, the device may include a user terminal.
Fig. 3 is a schematic flow chart of the third information interaction method provided by the embodiments of the present application. The executing entity of the flow in Fig. 3 is the cloud, and the flow may include the following steps:
S301: The cloud obtains the device authentication identifier of the device sent by the client, the device authentication identifier being obtained by the authenticator module according to the hardware information of the device.
S302: The cloud verifies the device authentication identifier.
S303: After the device authentication identifier is verified successfully, the cloud returns to the device an authentication code for display by the authenticator module.
In the embodiments of the present application, the cloud may include a message distribution server and the service end corresponding to the client. In this case, for step S301, the cloud obtaining the device authentication identifier of the device sent by the client may specifically include: the service end obtains the device authentication identifier of the device sent by the client;
for step S302, the cloud verifying the device authentication identifier may specifically include: the service end sends the device authentication identifier to the message distribution server by calling the message distribution server, and the message distribution server verifies the received device authentication identifier;
for step S303, the cloud returning to the device an authentication code for display by the authenticator module after the device authentication identifier is verified successfully may specifically include: after the device authentication identifier is verified successfully, the message distribution server returns to the device the authentication code for display by the authenticator module.
In the embodiments of the present application, the device authentication identifier sent by the client has been encrypted and/or signed by the authenticator module; and/or the authentication code returned by the message distribution server has been encrypted and/or signed.
In the embodiments of the present application, as mentioned above, the authentication code (message) is preferably generated by the service end. In this case, after the device authentication identifier is sent to the message distribution server, the following may also be performed: after the message distribution server has verified the device authentication identifier successfully, the service end generates the authentication code; and the service end sends the authentication code to the message distribution server, so that the message distribution server returns the authentication code to the device.
In the embodiments of the present application, the device authentication identifier received by the message distribution server may have been encrypted and/or signed by the authenticator module; in this case, before verifying the device authentication identifier, the message distribution server may also decrypt and/or verify the signature of the encrypted and/or signed device authentication identifier.
In the embodiments of the present application, the message distribution server returning to the device the authentication code for display by the authenticator module may specifically include: the message distribution server sends to the service end a notification message indicating that the device authentication identifier has been verified successfully; the message distribution server receives the authentication code generated and returned by the service end; and the message distribution server returns the authentication code to the device for display by the authenticator module.
In the embodiments of the present application, the message distribution server returning the authentication code to the device may specifically include: the message distribution server encrypts and/or signs the authentication code; and the message distribution server returns the encrypted and/or signed authentication code to the device, for the authenticator module to display after decryption and/or signature verification.
In the embodiments of the present application, the interaction between the message distribution server and the device may be carried out over a first secure channel, the first secure channel being realized by a predetermined security service in the device; and/or the interaction between the client and the authenticator module may be carried out over a second secure channel, the second secure channel being realized by the predetermined security service in the device.
In the embodiments of the present application, the device may include a user terminal.
The information interaction methods provided by the embodiments of the present application have been described above with each end in turn as the executing entity. For ease of understanding, the embodiments of the present application further provide a specific embodiment of the above information interaction methods in a practical application scenario, which is described with reference to Fig. 4, Fig. 5 and Fig. 6.
Fig. 4 is a schematic diagram of a business architecture of the above information interaction method in a practical application scenario provided by the embodiments of the present application.
In Fig. 4, "trusted interface + device authentication identifier" is one of the key parts of the scheme of the application on the device where the client resides, and the secure channel can be realized on the basis of the security service described above. Each service provider has its own service end and corresponding client, and each service provider can issue messages such as the authentication code to the client through the message distribution server, on condition that the message distribution server has verified the device authentication identifier of the device where the client resides. The interactions between the parties in Fig. 4 are all based on the Internet and do not rely on the network and SMS platform of a mobile operator, which makes it easier to improve the security of the business architecture flexibly with various security strategies; moreover, the trusted interface in the business architecture is also more secure than the SMS interface of the prior art.
Fig. 5 is a schematic diagram of a technical architecture of the above information interaction method in a practical application scenario provided by the embodiments of the present application.
In Fig. 5, the device where the client resides may mainly realize the following functions (each of which may correspond to a functional module).
Connection management: responsible for the creation, management and maintenance of network socket connections;
Session negotiation: when a socket connection is established, negotiate with the message distribution server to obtain the key of this session;
Heartbeat maintenance: maintain the long-lived connection (for example, the long-lived connection established between the security service and the message distribution server);
Trusted interface: draw the interface in the secure user interface; depending on the requirements of the back-end operation centre, it may be a six-digit password display interface or something else;
Protocol assembly: assemble data according to business needs, perform secure encryption/decryption and signing, and encapsulate network-layer packets;
Protocol parsing: parse network-layer packets and business data packets;
Device data collection: collect the trust data of the device where the client resides;
Device key: built into the device where the client resides at the factory; provides a signing interface;
Device ID: the device module generates a unique business ID based on the hardware ID (for example, the device authentication identifier described above) and returns it;
Encryption and decryption: key algorithm module.
In Fig. 5, the cloud is shown as a message distribution server, which may mainly realize the following functions (each of which may correspond to a functional module).
Connection management: responsible for the management and maintenance of the connections of the message distribution server;
Session negotiation: negotiate with the device where the client resides to generate and manage the session key, while ensuring the maintenance of the session and the connection;
Heartbeat maintenance: keep the long-lived connection alive;
Protocol assembly: assemble network-layer packets and encapsulate business data;
Protocol parsing: parse network-layer packets and the business data they carry;
Device ID management: query, revocation and addition of device IDs;
Device key management: query, revocation and addition of device keys;
Device risk management: form device risk management from the data collected by the device;
Access control: access control of calls from the service end;
Template centre: form the message content and display manner;
Operation centre: management and operation of messages.
Fig. 6 is a schematic diagram of an interaction flow of the above information interaction method in a practical application scenario provided by the embodiments of the present application.
In Fig. 6, the device contains an untrusted environment and a trusted environment. The security service is realized by designated functional modules; the authenticator module is in the trusted environment and comprises at least two sub-modules, "trusted logic processing" and "trusted interface display". The security service keeps a long-lived connection with the message distribution server by means of heartbeats.
When the business that client is provided is used in equipment for the first time, by the operation triggering following flow of activation equipment
Execution.Client obtains device authentication and identifies by security service, wherein, device authentication mark is to process mould by trusted logic
Root tuber is generated according to the hardware information of equipment by performing " performing base64 (Hash (HardID+random)) ", and uses equipment
Private key signature after client is returned to by security service.
The device authentication the signed mark that client will be obtained is sent to service end requests verification, service end message call
Distributor, is verified with request message Distributor to the device authentication the signed mark received from client.
Message distribution services device utilizes data (such as, public key, hardware information, the device authentication mark of the equipment being obtained ahead of time
Know etc.) verify whether the signature of currently available device authentication mark is legal, and whether determination equipment is credible equipment.
After message distribution services device passes through to device authentication identity verification, the message signed is issued to security service, pacify
It is complete to service transparent transmission message to trusted logic processing module.
Trusted logic processing module verifies the signature of the message, it is ensured that the message is credible, after being verified, calls credible boundary
Face display module generates credible interface to show the message.
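The activation flow of Fig. 6, together with the device-key, device-ID and signature-verification functions of the authenticator module and message distribution server listed for Fig. 5, as an added Go example that is not part of the patent or of any implementation it describes. The two endpoints that produce and check signatures are modelled: the authenticator module in the trusted environment and the message distribution server; the client, service end, security service and secure channels only relay messages and are left out. Assumptions not in the text: SHA-256 as the hash in "base64(Hash(HardID+random))", Ed25519 as the signature scheme, a device registry keyed by hardware ID, the server's public key provisioned into the trusted environment, a constructed hardware identifier, and a six-digit code as the message to display. The optional encryption of the identifier and of the code is omitted; only signing is shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample hardware identifier; a real device reads it from hardware.
const sampleHardID = "HARDID-CONSTRUCTED-0001"
// Signed pairs a message with an Ed25519 signature over it (Ed25519 is this example's choice).
type Signed struct {
	Msg string
	Sig []byte
}

// mustRandom stops the example if the OS randomness source fails; a weak key or ID is worse than none.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// DeviceAuthID computes base64(Hash(HardID+random)); SHA-256 as the hash is an assumption.
func DeviceAuthID(hardID string, random []byte) string {
	sum := sha256.Sum256(append([]byte(hardID), random...))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Authenticator models the authenticator module in the trusted environment: factory-built-in device key plus (assumed provisioned) server public key.
type Authenticator struct {
	hardID    string
	Pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	serverPub ed25519.PublicKey
}
func NewAuthenticator(hardID string, serverPub ed25519.PublicKey) *Authenticator {
	priv := ed25519.NewKeyFromSeed(mustRandom(ed25519.SeedSize))
	return &Authenticator{hardID: hardID, Pub: priv.Public().(ed25519.PublicKey), priv: priv, serverPub: serverPub}
}

// IssueAuthID is the trusted-logic step: derive the identifier from hardware info plus fresh randomness, then sign it.
func (a *Authenticator) IssueAuthID() Signed {
	id := DeviceAuthID(a.hardID, mustRandom(16))
	return Signed{Msg: id, Sig: ed25519.Sign(a.priv, []byte(id))}
}

// VerifyAndDisplay checks the server signature before the trusted interface shows the code.
func (a *Authenticator) VerifyAndDisplay(m Signed) (string, error) {
	if !ed25519.Verify(a.serverPub, []byte(m.Msg), m.Sig) {
		return "", errors.New("message signature invalid: refusing to display")
	}
	return m.Msg, nil
}

// MessageServer models the message distribution server; Devices holds the public keys obtained ahead of time, keyed by hardware ID (an assumption).
type MessageServer struct {
	Devices map[string]ed25519.PublicKey
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
}
func NewMessageServer() *MessageServer {
	priv := ed25519.NewKeyFromSeed(mustRandom(ed25519.SeedSize))
	return &MessageServer{Devices: map[string]ed25519.PublicKey{}, Pub: priv.Public().(ed25519.PublicKey), priv: priv}
}

// VerifyDevice checks the device signature against the registered key and, only on success, returns a signed six-digit code.
func (s *MessageServer) VerifyDevice(hardID string, sid Signed) (Signed, error) {
	pub, ok := s.Devices[hardID]
	if !ok {
		return Signed{}, errors.New("device not registered")
	}
	if !ed25519.Verify(pub, []byte(sid.Msg), sid.Sig) {
		return Signed{}, errors.New("device authentication identifier signature invalid")
	}
	// 64 random bits reduced mod 10^6: the modulo bias is about 2^-44, negligible here.
	code := fmt.Sprintf("%06d", binary.BigEndian.Uint64(mustRandom(8))%1000000)
	return Signed{Msg: code, Sig: ed25519.Sign(s.priv, []byte(code))}, nil
}

// RunActivation runs the first-use activation flow end to end; client and service end only relay, so they are not modelled.
func RunActivation(a *Authenticator, s *MessageServer) (string, error) {
	sc, err := s.VerifyDevice(a.hardID, a.IssueAuthID())
	if err != nil {
		return "", err
	}
	return a.VerifyAndDisplay(sc)
}

func main() {
	s := NewMessageServer()
	a := NewAuthenticator(sampleHardID, s.Pub)
	s.Devices[sampleHardID] = a.Pub // registered when the key is built in at the factory
	fmt.Println(RunActivation(a, s))
}
```

The two refusal paths are the point of the flow: a device whose key was never registered, or whose identifier was altered in transit, never receives a code, and the authenticator refuses to display a code whose signature does not verify under the server key, which is the property the trusted interface relies on to show only messages the cloud actually issued.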
The information interaction method provided by the embodiments of the present application has been described above. Based on the same inventive idea, the embodiments of the present application further provide corresponding apparatuses, as shown in Fig. 7, Fig. 8 and Fig. 9.
Fig. 7 is a schematic structural diagram of an information interaction apparatus corresponding to Fig. 1, provided by an embodiment of the present application. The device contains a client and an authenticator module in a preset trusted environment; the apparatus is located at the client and includes:
an obtaining module 701, which obtains the device authentication identifier of the device, the device authentication identifier being obtained by the authenticator module according to the hardware information of the device;
a sending module 702, which sends the device authentication identifier to the cloud, so that after the cloud's verification of the device authentication identifier passes, the cloud returns to the device an authentication code for the authenticator module to display.
Optionally, the cloud includes a message distribution server and a service end corresponding to the client;
the sending module 702 sending the device authentication identifier to the cloud specifically includes:
the sending module 702 sending the device authentication identifier to the service end;
and the cloud returning to the device, after its verification of the device authentication identifier passes, the authentication code for the authenticator module to display specifically includes:
the service end calling the message distribution server so that, after the message distribution server's verification of the device authentication identifier passes, the message distribution server returns to the device the authentication code for the authenticator module to display.
Optionally, the device authentication identifier obtained by the client has been encrypted and/or signed by the authenticator module; and/or
the authentication code returned by the message distribution server has been encrypted and/or signed.
Optionally, the device authentication identifier is obtained by the authenticator module according to the hardware information of the device and the business information of the client.
Optionally, the interaction between the message distribution server and the device is carried out over a first secure channel, the first secure channel being realized by a security service preset in the device; and/or
the interaction between the client and the authenticator module is carried out over a second secure channel, the second secure channel being realized by a security service preset in the device.
Optionally, the device includes a user terminal.
Fig. 8 is a schematic structural diagram of an information interaction apparatus corresponding to Fig. 2, provided by an embodiment of the present application. The device contains a client and an authenticator module in a preset trusted environment; the apparatus is located at the authenticator module and includes:
a receiving module 801, which receives an identifier acquisition request from the client;
a returning module 802, which returns the device authentication identifier of the device to the client, the device authentication identifier being obtained by the authenticator module according to the hardware information of the device;
a display module 803, which displays the authentication code returned to the device by the cloud after the cloud's verification of the device authentication identifier passes, wherein the device authentication identifier verified by the cloud was sent to the cloud by the client.
Optionally, the cloud includes a message distribution server and a service end corresponding to the client;
the authentication code displayed by the authenticator module is returned to the device by the message distribution server after its verification of the device authentication identifier passes, wherein the device authentication identifier verified by the message distribution server is obtained by the client sending the device authentication identifier to the service end and the service end calling the message distribution server.
Optionally, the returning module 802 returning the device authentication identifier of the device to the client specifically includes:
the returning module 802 obtaining the device authentication identifier of the device according to the hardware information of the device, encrypting and/or signing the obtained device authentication identifier, and returning the encrypted and/or signed device authentication identifier to the client, so that the client sends the encrypted and/or signed device authentication identifier to the service end.
Optionally, the returning module 802 obtaining the device authentication identifier of the device according to the hardware information of the device specifically includes:
the returning module 802 obtaining the business information of the client, and obtaining the device authentication identifier of the device according to the hardware information of the device and the business information.
Optionally, the display module 803 displaying the authentication code returned to the device by the cloud after the cloud's verification of the device authentication identifier passes specifically includes:
the display module 803 obtaining the authentication code returned to the device by the message distribution server after its verification of the device authentication identifier passes, generating a trusted interface located in the trusted environment, and displaying the authentication code in the trusted interface.
Optionally, the authentication code obtained by the authenticator module has been encrypted and/or signed by the message distribution server;
before the display module 803 displays the authentication code in the trusted interface, it decrypts and/or verifies the signature of the encrypted and/or signed authentication code.
Optionally, the interaction between the message distribution server and the device is carried out over a first secure channel, the first secure channel being realized by a security service preset in the device; and/or
the interaction between the client and the authenticator module is carried out over a second secure channel, the second secure channel being realized by a security service preset in the device.
Optionally, the device includes a user terminal.
Fig. 9 is a schematic structural diagram of an information interaction apparatus corresponding to Fig. 3, provided by an embodiment of the present application. The device contains a client and an authenticator module in a preset trusted environment; the apparatus is located in the cloud and includes:
an obtaining module 901, which obtains the device authentication identifier of the device sent by the client, the device authentication identifier being obtained by the authenticator module according to the hardware information of the device;
a verification module 902, which verifies the device authentication identifier;
a returning module 903, which, after the verification module 902's verification of the device authentication identifier passes, returns to the device an authentication code for the authenticator module to display.
Optionally, the apparatus includes a message distribution server and a service end corresponding to the client; the obtaining module 901 is located at the service end, and the verification module 902 and the returning module 903 are located at the message distribution server;
the obtaining module 901 obtaining the device authentication identifier of the device sent by the client specifically includes:
the service end obtaining the device authentication identifier of the device sent by the client;
the verification module 902 verifying the device authentication identifier specifically includes:
the service end sending the device authentication identifier to the message distribution server by calling the message distribution server;
the message distribution server verifying the received device authentication identifier;
and the returning module 903 returning to the device, after the verification module 902's verification of the device authentication identifier passes, the authentication code for the authenticator module to display specifically includes:
the message distribution server returning to the device, after its verification of the device authentication identifier passes, the authentication code for the authenticator module to display.
Optionally, the device authentication identifier sent by the client has been encrypted and/or signed by the authenticator module; and/or
the authentication code returned by the message distribution server has been encrypted and/or signed.
Optionally, after the service end has sent the device authentication identifier to the message distribution server by calling the message distribution server, and after the message distribution server's verification of the device authentication identifier passes, the service end generates the authentication code and sends it to the message distribution server, so that the message distribution server returns the authentication code to the device.
Optionally, the device authentication identifier received by the message distribution server has been encrypted and/or signed by the authenticator module;
before the message distribution server verifies the device authentication identifier, it decrypts and/or verifies the signature of the encrypted and/or signed device authentication identifier.
Optionally, the message distribution server returning the authentication code to the device specifically includes:
the message distribution server sending to the service end a notification message indicating that the verification of the device authentication identifier has passed, receiving the authentication code generated and returned by the service end, and returning the authentication code to the device for the authenticator module to display.
Optionally, the message distribution server returning the authentication code to the device specifically includes:
the message distribution server encrypting and/or signing the authentication code and returning the encrypted and/or signed authentication code to the device, for the authenticator module to display after decrypting and/or verifying the signature.
Optionally, the interaction between the message distribution server and the device is carried out over a first secure channel, the first secure channel being realized by a security service preset in the device; and/or
the interaction between the client and the authenticator module is carried out over a second secure channel, the second secure channel being realized by a security service preset in the device.
Optionally, the device includes a user terminal.
The apparatuses and methods provided by the embodiments of the present application correspond one to one; therefore the apparatuses also have advantageous effects similar to those of the corresponding methods. Because the advantageous effects of the methods have been described in detail above, the advantageous effects of the corresponding apparatuses are not repeated here.
In the 1990s, an improvement to a technology could be clearly distinguished as an improvement in hardware (for example, an improvement to a circuit structure such as a diode, a transistor or a switch) or an improvement in software (an improvement to a method flow). However, with the development of technology, many of today's improvements to method flows can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore it cannot be said that an improvement to a method flow cannot be realized with a hardware entity module. For example, a programmable logic device (Programmable Logic Device, PLD) (such as a field programmable gate array (Field Programmable Gate Array, FPGA)) is such an integrated circuit, whose logic function is determined by the user's programming of the device. A designer programs on their own to "integrate" a digital system on a PLD, without asking a chip manufacturer to design and fabricate a dedicated integrated circuit chip. Moreover, nowadays, instead of manually fabricating integrated circuit chips, this programming is mostly done with "logic compiler" software, which is similar to the software compiler used in program development, and the source code before compilation is likewise written in a specific programming language, called a hardware description language (Hardware Description Language, HDL). There is not only one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art should also understand that a hardware circuit realizing a logical method flow can readily be obtained merely by logically programming the method flow in one of the above hardware description languages and programming it into an integrated circuit.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (such as software or firmware) executable by the (micro)processor, a logic gate, a switch, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a programmable logic controller or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory. It is also known in the art that, besides realizing the controller purely with computer-readable program code, it is entirely possible, by logically programming the method steps, to make the controller realize the same functions in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be regarded as a hardware component, and the means included in it for realizing various functions may also be regarded as structures within the hardware component. Or even, the means for realizing various functions may be regarded both as software modules implementing the method and as structures within the hardware component.
The systems, apparatuses, modules or units illustrated in the above embodiments may specifically be realized by computer chips or entities, or by products having certain functions. A typical implementation device is a computer. Specifically, the computer may be, for example, a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an e-mail device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above apparatus has been described by dividing it into various units by function. Of course, when implementing the present application, the functions of the units may be realized in the same one or more pieces of software and/or hardware.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be realized by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which realize the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), an input/output interface, a network interface and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can realize information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "including", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not expressly listed, or also includes elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present application may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or realize particular abstract data types. The present application may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in local and remote computer storage media, including storage devices.
The embodiments in this specification are described progressively; the same or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, the apparatus and system embodiments are substantially similar to the method embodiments and are therefore described more simply; for the relevant parts, refer to the description of the method embodiments.
The above are merely embodiments of the present application and are not intended to limit the present application. For those skilled in the art, the present application may have various modifications and variations. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present application shall be included within the scope of the claims of the present application.