CN107248075A

CN107248075A - A kind of method and device for realizing bidirectional authentication of smart secret key equipment and transaction

Info

Publication number: CN107248075A
Application number: CN201710359305.5A
Authority: CN
Inventors: 陆舟; 于华章
Original assignee: Feitian Technologies Co Ltd
Current assignee: Feitian Technologies Co Ltd
Priority date: 2017-05-19
Filing date: 2017-05-19
Publication date: 2017-10-13
Anticipated expiration: 2037-05-19
Also published as: CN107248075B

Abstract

The invention discloses a kind of method and device for realizing bidirectional authentication of smart secret key equipment and transaction, belong to information security field.Methods described includes：When receiving the request for obtaining client certificate, the client certificate list built in intelligent cipher key equipment loopback, client certificate list is indexed including certificate；When receiving the request signed using client certificate, intelligent cipher key equipment is according to the certificate indexed search certificate included in request, according to the determined property client certificate type of the certificate retrieved, if the certificate of two-way authentication, computing that client signature original text is made a summary and signed；If the certificate of transaction, then first judge whether signature original text meets message specification, be, after user key-press confirms Transaction Information, computing that client signature original text is made a summary and signed；Otherwise direct computing that client signature original text is made a summary and signed.Technical scheme in the present invention, greatly improves the security of bidirectional authentication of smart secret key equipment and transaction.

Description

A kind of method and device for realizing bidirectional authentication of smart secret key equipment and transaction

Technical field

The present invention relates to information security field, more particularly to a kind of side for realizing bidirectional authentication of smart secret key equipment and transaction Method and device.

Background technology

With the development of cryptographic technique and computer technology, 1024 RSA Algorithms commonly used at present face serious safety Threaten, State Commercial Cryptography Administration determines to replace RSA Algorithm using the close algorithm of state (SM2 algorithms and SM3 algorithms).Wherein, SM2 algorithms are provided Signature, checking, key such as exchange at the detail, digital signature that SM3 is used in cipher application and checking, message authentication code Generation and checking and the generation of random number, can meet the demand for security of a variety of cipher applications.

Intelligent cipher key equipment can realize that sensitive information to be signed is shown on the liquid crystal of intelligent cipher key equipment, reach Process of exchange has been prevented hacker and has been distorted the security breaches that information is brought by user's controllable state and finding and the effect signed, The lifting of matter has been obtained in level of security.

At present, still it is traded for the most banks of intelligent cipher key equipment using RSA Algorithm and two-way authentication, for intelligence Energy key devices, the close algorithm of state wouldn't support two-way authentication and transaction, and security is seriously threatened.

The content of the invention

The invention aims to solve problems of the prior art there is provided one kind to realize intelligent cipher key equipment Two-way authentication and the method and device of transaction.

The technical solution adopted by the present invention is：

On the one hand, a kind of method for realizing bidirectional authentication of smart secret key equipment and transaction, method includes：

Step S1：When receiving the request of acquisition client certificate of server transmission, in intelligent cipher key equipment loopback The client certificate list put, client certificate list is indexed including certificate；

Step S2：When receiving the request signed using client certificate, intelligent cipher key equipment is included according in request Certificate indexed search certificate, according to the determined property client certificate type of the certificate retrieved, if two-way authentication Certificate, performs step S3；If the certificate of transaction, then step S4 is performed；

Step S3：Intelligent cipher key equipment is made a summary and signed to client signature original text computing, and by client signature As a result client is returned, is terminated；

Step S4：When the client signature original text and judgement request for receiving client transmission, intelligent cipher key equipment is sentenced Whether disconnected client signature original text meets message specification, is then to perform step S5；Otherwise step S6 is performed；

Step S5：Intelligent cipher key equipment parses client signature original text and shows Transaction Information, right after user key-press confirms Client signature original text is made a summary and signed computing, and client signature result is returned into client, is terminated；

Step S6：After intelligent cipher key equipment receives the signature request of client transmission, client signature original text is parsed, Client signature original text is made a summary and signed computing, and signature result is returned into client, terminated.

Specifically, in step S1, after judging client certificate type, in addition to：When receive client transmission it is close When code and checking request, whether intelligent cipher key equipment checking password is correct, if mistake, returns to error message to client, such as Fruit is correct, is returned to client after correct information, waits the client certificate for receiving server transmission.

Specifically, before intelligent cipher key equipment returns to error message to client, in addition to：Intelligent cipher key equipment judges certainly Whether body is locked, is then to open lock, performs intelligent cipher key equipment and verifies whether password is correct, otherwise returns to mistake letter to client Breath.

Specifically, when client signature result being returned into client in step S3, in addition to：Client signature is former Text, client signature result and client certificate are sent to server；

Server receives client signature original text, client signature result and the client certificate of client transmission, adjusts Computing of once making a summary is done to client signature result with summary computing interface.

Further, server receives client signature original text, client signature result and the client of client transmission After certificate, in addition to：Whether server is correct using client certificate verification client signature result；Server authentication client Hold certificate whether legal.

Preferably, also include before step S3：When the client signature original text and judgement that receive client transmission are asked When, intelligent cipher key equipment parsing client signature original text simultaneously judge whether client signature original text meets message specification, be then to Client returns to error message, otherwise returns to correct information to client, performs step S3.

Further, before step S3, in addition to：Client call makes a summary computing interface to the progress of client signature original text Summary computing, and summary result is sent to intelligent cipher key equipment；

Intelligent cipher key equipment is received after the summary result of client transmission, former using summary result as client signature Text, parsing active client signature original text simultaneously judges whether active client signature original text meets message specification, is then to client End returns to error message, otherwise returns to correct information to client, performs step S3.

Closer, when client signature result being returned into client in step S3, in addition to：Client signature is former Text, client signature result and client certificate are sent to server；

Server receives active client signature original text, client signature result and the client card of client transmission Book, calls summary computing interface to do computing of making a summary twice to client signature result.

Specifically, in step S3, when client signature result is returned into client, in addition to：Client is currently supported Symmetric encipherment algorithm return client.

Specifically, client signature result is returned after client in step S3, in addition to：Server selects client branch The AES that the security highest symmetric encipherment algorithm held communicates as two-way authentication, and use client certificate public key pair This AES is encrypted, and encrypted result is sent into client.

Specifically, when receiving the decoding request of client transmission, encrypted result is decrypted intelligent cipher key equipment, And obtained AES return client will be decrypted.

Further, by decrypted result return client after, in addition to：Client passes through production according to AES Random number interface produces a random number and is sent to server as communication key, and using server certificate public key encryption, services Device is received after the encrypted result of client transmission, is decrypted by decryption interface using server certificate private key, and acquisition is two-way to be recognized Demonstrate,prove the communication key of encryption.

Specifically, also include before step S1：User end to server sends two-way authentication connection request, and server will take Business device information, which is sent to client, to be verified, checking does not pass through, and client interrupts two-way authentication establishment of connection, and checking is logical Cross, server sends two-way authentication connection request to client, perform step S1.

Further, server info is specifically included in step S1：Server public key certificate, server signature original text kimonos Business device signature result；

Server info is sent to client before being verified, in addition to：Server passes through generating random number interface Random number is produced as server signature original text, server signature original text is made an abstract after computing by digest interface, to summary Operation result sign obtaining server signature result.

Yet further, server info is sent to client and verified by server, is specifically included：Client validation Whether server certificate public key is legal；Whether client validation server signature result is correct.

Further, whether client validation server certificate public key is legal, specifically includes：Client validation server Whether public key certificate is expired, and whether the CA of client validation issuance server certificate is reliable, client validation publisher certificate Whether can public key correctly untie domain name in the digital signature of the publisher of server certificate, client validation server certificate Match with the actual domain name of server；

Whether client validation server signature result is correct, specifically includes：Client is carried out to server signature original text Summary computing, is verified using server certificate to server signature result.

Specifically, also include before step S4：Client reads intelligent cipher key equipment sequence number, server authentication user letter Whether breath and intelligent cipher key equipment sequence number match, and are to log in internet banking system success, perform step S4, otherwise log in Net silver system System failure.

Specifically, in step S5 and step S6, client signature result is returned after client, in addition to：Client will Client signature original text, client signature result and client certificate are sent to server.

Specifically, server is received after the information of client transmission, in addition to：Client signature original text is carried out once Make a summary computing, and according to user profile and certificate information, compare current certificates whether be this user binding certificate, if not It is, Fail Transaction；If it is, server carries out summary computing to signature original text and verifies whether signature succeeds, it is to transfer accounts Merchandise successfully, otherwise money transfer transactions fail.

Specifically, according to the determined property client certificate type of the certificate retrieved, it is specially：Intelligent cipher key equipment root Judge client certificate type according to the key value of certificate.

On the other hand, a kind of bidirectional authentication of smart secret key equipment and the device of transaction, device include：

First receiving module, the request of the acquisition client certificate sent for the reception server；

Loopback module, for when the first receiving module receive server transmission acquisition client certificate request when, Client certificate list built in loopback, client certificate list is indexed including certificate；

Second receiving module, for receiving the request signed using client certificate；

Module is retrieved, for when the second receiving module receives the request signed using client certificate, according to request In the certificate indexed search certificate that includes；

First judge module, for the determined property client certificate type of the certificate retrieved according to retrieval module；

Computing module, for when the first judge module judges client certificate type for the certificate of two-way authentication, to visitor Family end signature original text is made a summary and signed computing；It is additionally operable to after display module shows Transaction Information, after user key-press confirms, Client signature original text is made a summary and signed computing；

Sending module, the client signature result for computing module to be obtained is sent to client；

3rd receiving module, for when the first judge module judges client certificate type for the certificate of transaction, receiving Client signature original text and judge to ask that client is sent；

Second judge module, client signature original text and judgement for receiving client transmission when the 3rd receiving module During request, judge whether client signature original text meets message specification；

Parsing module, for when the second judge module judges that client signature original text meets message specification, parsing client End signature original text；It is additionally operable to when the 4th receiving module receives the signature request of client transmission, parsing client signature is former Text；

Display module, for showing Transaction Information；

4th receiving module, for when the second judge module judges that client signature original text does not meet message specification, connecing Receive the signature request that client is sent.

Specifically, device also includes：5th receiving module, authentication module, return module and the 6th receiving module；

5th receiving module, password and checking request for receiving client transmission；

Authentication module, for when the 5th receiving module receives password and the checking request that client is sent, verifying close Whether code is correct；

Module is returned to, for when authentication module verifies code error, error message to be returned to client；Work as authentication module When verifying that password is correct, correct information is returned to client；

6th receiving module, for when authentication module checking password is correct, waiting the client for receiving server transmission Hold certificate.

Preferably, device also includes：3rd judge module；

3rd judge module, it is whether locked for judgment means itself；

Authentication module, is additionally operable to when the 3rd judge module judgment means itself are locked, whether just to open lock checking password Really；

Module is returned, is additionally operable to when the 3rd judge module judgment means itself are locked, error message is returned to client.

Specifically, sending module, specifically for：By client signature original text, client signature result and client certificate Send to server.

Specifically, module is returned to be additionally operable to：When the second judge module judges that client signature original text meets message specification, Error message is returned to client；When the second judge module judges that client signature original text does not meet message specification, to client End returns to correct information, runs computing module.

Preferably, device also includes：7th receiving module and it is used as module；

7th receiving module, the summary result for receiving client transmission；

As module, for after the 7th receiving module receives the summary result that client is sent, summary result to be made For client signature original text；

Parsing module, is additionally operable to parse client signature original text；

Second judge module, is additionally operable to judge whether active client signature original text meets message specification；

Module is returned, is additionally operable to when the second judge module judges that active client signature original text meets message specification, to Client returns to error message；When the second judge module judges that active client signature original text does not meet message specification, to visitor Family end returns to correct information；

Computing module, is additionally operable to after module is returned to client return correct information, carry out client signature original text Summary and signature computing.

Specifically, device also includes：8th receiving module；

8th receiving module, the signature request for receiving client transmission.

Specifically, sending module, also particularly useful for：By client signature original text, client signature result and client card Book is sent to server.

Specifically, sending module, specifically for：The symmetric encipherment algorithm that client is currently supported returns to client.

Preferably, device also includes：9th receiving module and deciphering module；

9th receiving module, the decoding request for receiving client transmission；

Deciphering module, for when the 9th receiving module receives the decoding request that client is sent, entering to encrypted result Row decryption, and obtained AES return client will be decrypted.

Specifically, the first judge module, specifically for：Client certificate type is judged according to the key value of certificate.

The beneficial effect that the present invention is obtained is：Using the technical method of the present invention, bidirectional authentication of smart secret key equipment and friendship Easily, the security of two-way authentication and transaction is greatly improved.

Brief description of the drawings

, below will be to embodiment or existing for the clearer explanation embodiment of the present invention or technical scheme of the prior art There is the accompanying drawing used required in technology description to be briefly described, it should be apparent that, drawings in the following description are only this Some embodiments of invention, for those of ordinary skill in the art, on the premise of not paying creative work, can be with Other accompanying drawings are obtained according to these accompanying drawings.

Fig. 1 be the embodiment of the present invention two in provide a kind of method for realizing bidirectional authentication of smart secret key equipment；

Fig. 2 be the embodiment of the present invention three in provide a kind of method for realizing bidirectional authentication of smart secret key equipment；

Fig. 3 be the embodiment of the present invention four in provide it is a kind of realize intelligent cipher key equipment transaction method；

Fig. 4 be the embodiment of the present invention seven in provide it is a kind of realize bidirectional authentication of smart secret key equipment and transaction device.

Embodiment

Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is carried out clear, complete Site preparation is described, it is clear that described embodiment is only a part of embodiment of the invention, rather than whole embodiments.It is based on Embodiment in the present invention, it is every other that those of ordinary skill in the art are obtained under the premise of creative work is not made Embodiment, belongs to the scope of protection of the invention.

Embodiment one

A kind of method for realizing bidirectional authentication of smart secret key equipment and transaction is present embodiments provided, this method includes：

Embodiment two

The present embodiment two provides a kind of method for realizing bidirectional authentication of smart secret key equipment, as shown in figure 1, including：

Step 101：Client installs intelligent cipher key equipment middleware and in Net silver diploma system download signed certificate；

In the present embodiment, intelligent cipher key equipment middleware be it is installed in PC ends, can be by the interface and intelligence of this software The software that energy key devices are interacted.Intelligent cipher key equipment can show pertinent transaction information, and it defines first in design It is secondary directly the summary result outside intelligent cipher key equipment to be signed when being signed with signature algorithm, download signed certificate After end, the summary result no longer obtained when signature algorithm is signed to the intelligent cipher key equipment outside summary computing realized by software Inside signature, all necessary incoming intelligent cipher key equipments of signature original texts, made an abstract, then signed again by intelligent cipher key equipment hardware Name, prevents this intelligent cipher key equipment from being used as other USBKEY.

Step 102：Client sends two-way authentication connection request by network to server；

It should be noted that the server in the present embodiment refers in particular to two-way authentication (SSL) server.

In the present embodiment, the two-way authentication connection request that client is sent includes the version number of bidirectional identification protocol, visitor Required information is communicated between the species for the AES that family end is supported and other server and client sides.

Step 103：Server is received after the request of client, generates server signature original text, and former to server signature After text is signed, server public key certificate, server signature original text and server signature result are issued client by server；

Specifically, in the present embodiment, server is used as signature original text by generating random number interface generation random number, leads to Digest interface is crossed to make an abstract to random number (hash) computing, then to summary (hash) result signature after, server public key is demonstrate,proved Book, server signature original text and server signature result issue client.

In addition, server also transfers the version number of bidirectional identification protocol, the encryption that server is supported to client The species of algorithm and other relevant informations.

For example, signature original text is 123456, the result after the second preset algorithm is summary computing is： FEqNCco3Yq9h5ZUglD3CZJT4lBs=, by the first preset algorithm be signature after result be：

MIIG3gYJKoZIhvcNAQcCoIIGzzCCBssCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCBbwwg gW4MIIEoKADAgECAgo24tUMAAAAAZkuMA0GCSqGSIb3DQEBBQUAMDgxEzARBgoJkiaJk/IsZ。

Step 104：Whether client validation server public key certificate is legal, if it is performs step 105, otherwise interrupts Two-way authentication establishment of connection；

In the present embodiment, client using server be transmitted through come information authentication service device public key certificate legitimacy. Wherein, the legitimacy of authentication server public key certificate is specifically included：Judge whether server public key certificate is expired, judge distribution clothes Whether the CA of business device certificate is reliable, and can judge the public key of publisher's certificate correctly untie the publisher of server public key certificate Digital signature, judges whether the domain name on server public key certificate matches with the actual domain name of server, is to be when judging When then server public key certificate it is legal, otherwise server public key certificate is illegal.

Specifically, when issuing server certificate or client certificate, the certificate being awarded is signed by CA root certificates.Pass through root Certificate or certificate chain, it may be verified that server certificate and the legitimacy of client certificate, reach the purpose of checking certificate legitimacy.

Step 105：Client is carried out using server public key certificate and server signature original text to server signature result Checking, is verified then execution step 106, verifies not by then interrupting two-way authentication establishment of connection；

Specifically, in the present embodiment, client carries out summary computing to signature original text, then calls checking signer Method, summary result, are verified using server public key to signature result, wherein, signature result can call customized interface Verified.

Step 106：Server sends two-way authentication connection request to client；

In the present embodiment, the two-way authentication connection request that server is sent by network to client, including：It is two-way to recognize Required information is communicated between version number, the species of AES and other server and client sides for demonstrate,proving agreement.

Step 107：Intelligent cipher key equipment verifies Pin codes, and checking does not pass through, then interrupts two-way authentication establishment of connection, test Card is by then performing step 108；

Specifically, in the present embodiment, user client input login password after, client by login password send to Whether intelligent cipher key equipment, intelligent cipher key equipment goes this password of comparison identical with itself default password, if identical, verifies Pass through, perform step 108, otherwise interrupt two-way authentication establishment of connection.

More specifically, in the present embodiment, verifying the Pin codes of intelligent cipher key equipment, after Pin codes are verified, signature connects Eloquence can be signed, if checking does not pass through, need to be judged whether intelligent cipher key equipment is locked, is, exits, otherwise be continued to test Whether correct demonstrate,prove Pin codes.

It should be noted that also including before step 108 is performed：The server original text that will sign is sent to intelligent key and set Standby, after intelligent cipher key equipment is received, parsing signature original text judges whether signature original text meets message specification, is to report an error, terminates Two-way authentication, otherwise performs step 108.Because signature original text is random number, original text of being signed in two-way authentication is not met Message specification, i.e., press " confirmation " key, not display information without using intelligent cipher key equipment, only need to verify password.

Step 108：Client is received after the connection request of server transmission, client generation signature original text, and passes through intelligence Energy key devices middleware interface finds the client certificate in intelligent cipher key equipment, and signature interface is passed through using client certificate Signature original text is made a summary and signed computing；

Specifically, in the present embodiment, client is received after server request, and client can first produce random number as label Name original text, client by sign original text be sent to after intelligent cipher key equipment, client call signature interface and send call signature The request of interface carries out summary computing and signature computing to random number to intelligent cipher key equipment, intelligent cipher key equipment.

Generally, client certificate is called to do before signature computing by software interface, summary computing interface is only included Digest instructions, signature interface only includes signature command, but in the present embodiment, signature interface had not only included digest instructions but also comprising label Summary and signature computing are successively realized in name instruction, i.e. signature interface.

It should be noted that in the present embodiment, signature computing is carried out with the close algorithm SM2 of state, SM3 carries out summary fortune Calculate.

In the present embodiment, the signature interface called is SKF_ECCSignData, and interface SKF_ECCSignData is only done Signature, but in order to avoid this intelligent cipher key equipment is used as other USBKEY, in the present embodiment, interface SKF_ ECCSignData both made an abstract, and signed again.Before interface signature, it is necessary to first make an abstract, general summary computing has corresponding interface real It is existing, generate the data of regular length.

Step 109：Signature terminate after, client by client signature original text, client signature result, client certificate and The symmetric encipherment algorithm currently supported is sent to server；

In the present embodiment, which symmetric encipherment algorithm notification server supports to client, determines which is used in server Plant after AES, AES used can be sent to client.

Step 110：Server is once made a summary computing to client signature original text；

For example, the result after summary is fEqNCco3Yq9h5ZUglD3CZJT4lBs=.

Step 111：Whether server is correct using client certificate verification client signature result, is to perform step 112, otherwise interrupt two-way authentication establishment of connection；

In the present embodiment, verify when signature result, it is necessary to first be made an abstract to signature original text, then verify signature result It is whether correct.Specifically, first call verify interfaces to signature original text make an abstract after, to signature result verify.

, it is necessary to first be made an abstract to signature original text when checking signature, then verify.It is also to dislike to signature original text when signature Take, then sign.Make an abstract, be the data for generating regular length.

Step 112：Whether server authentication client certificate is legal, is verified, and server preserves client card temporarily Book, continues executing with step 113, verifies not by interrupting two-way authentication establishment of connection；

In the present embodiment, whether server authentication client certificate is legal specifically includes：Judge that the certificate of client is used Whether the date is effective, is judged as whether the CA of client's offer certificate is reliable, can judge distribution CA public key correctly untie client Whether the distribution CA of certificate digital signature, check the certificate of client in certification revocation list (CRL).

Step 113：The security highest symmetric encipherment algorithm that server selection client is supported is logical as two-way authentication The AES of letter, and this AES is encrypted with client certificate public key, and encrypted result is sent to client；

In the present embodiment, server encrypts interface by server end, and this encryption is calculated using client certificate public key Method is encrypted, after the complete client certificate of server authentication, and the AES of support is sent to server by client.

Step 114：Client is received after encrypted result, is decrypted using client certificate private key, according to server about Fixed AES, a random number is produced by producing random number interface, as communication key, and using server public key to logical Letter key is encrypted, and encrypted result is sent into server；

In the present embodiment, the encrypted result that client is received, is the public affairs using correspondence certificate in intelligent cipher key equipment What key was encrypted, use the corresponding private key of same public key, you can decryption ciphertext, the data before being encrypted, and client is logical Cross decryption interface, be decrypted using encrypted certificate private key.

Step 115：Server receives the encrypted result that client is sent, and is decrypted using privacy key, and acquisition is two-way to be recognized The communication key of encryption is demonstrate,proved, duplex channel is set up, and is terminated.

Specifically, the encrypted result that server is received is produced using the public key encryption of server certificate, using same The corresponding private key of server certificate, you can decryption ciphertext, obtains the data before secret.

In the present embodiment, server is obtained after the communication key of two-way authentication encryption, and server, client are following Communication, all using the symmetric encipherment algorithm and symmetric key encryption appointed, two-way authentication Path Setup success.

Embodiment three

The present embodiment provides a kind of method for realizing bidirectional authentication of smart secret key equipment, as shown in Fig. 2 including：

Step 201：Client installs intelligent cipher key equipment middleware and in Net silver diploma system download signed certificate；

Step 202：Client sends two-way authentication connection request by network to server；

In the present embodiment, the two-way authentication connection request that client is sent includes the version number of bidirectional identification protocol, added Required information is communicated between the species of close algorithm and other server and client sides.

Step 203：Server is received after the request of client, generation signature original text, and to signature original text sign after, Server public key certificate, server signature original text and server signature result are issued client by server；

Specifically, in the present embodiment, server is used as signature original text by generating random number interface generation random number, leads to Digest interface is crossed to make an abstract to random number (hash) computing, then to summary (hash) result signature after, server public key is demonstrate,proved Book, server signature original text, server signature result issue client.

Step 204：Whether client validation server public key certificate is legal, if it is performs step 205, otherwise interrupts Two-way authentication establishment of connection；

In the present embodiment, client using server be transmitted through come information authentication service device public key certificate legitimacy. Wherein, the legitimacy of authentication server public key certificate is specifically included：Judge whether server public key certificate is expired, judge distribution clothes Whether the CA of business device certificate is reliable, and can judge the public key of publisher's certificate correctly untie the publisher of server public key certificate Digital signature, judges whether the domain name on server public key certificate matches with the actual domain name of server.

Specifically, when issuing server certificate or client certificate, the certificate being awarded is signed by CA root certificates.Pass through root Certificate or certificate chain, it may be verified that server certificate and the legitimacy of client certificate, reach checking certificate purpose trusty.

Step 205：Client is carried out using server public key certificate and server signature original text to server signature result Checking, is verified then execution step 206, and checking does not interrupt two-way authentication establishment of connection by then client；

Specifically, in the present embodiment, client carries out summary computing by digest algorithm to signature original text, then calls Endorsement method, summary result are verified, signature result is verified using server public key.

Step 206：Server sends two-way authentication connection request to client；

Step 207：Intelligent cipher key equipment verifies Pin codes, and checking does not pass through, then interrupts two-way authentication establishment of connection, test Card is by then performing step 208；

Specifically, in the present embodiment, user client input login password after, client by login password send to Whether intelligent cipher key equipment, intelligent cipher key equipment goes this password of comparison identical with itself default password, if identical, verifies Pass through, perform step 208, otherwise interrupt two-way authentication establishment of connection.

It should be noted that also including before step 208 is performed：The server original text that will sign is sent to intelligent key and set Standby, after intelligent cipher key equipment is received, parsing signature original text judges whether signature original text meets message specification, is to report an error, terminates Two-way authentication, otherwise performs step 208.Because signature original text is random number, original text of being signed in two-way authentication is not met Message specification, i.e., press " confirmation " key, not display information without using intelligent cipher key equipment, only need to verify password.

Step 208：Client is received after server request, client generation signature original text, and passes through intelligent cipher key equipment Middleware finds the client certificate in intelligent cipher key equipment, calls summary computing interface to carry out summary computing to signature original text；

Specifically, in the present embodiment, client is received after server request, and client can first produce random number as label Name original text, then by computing interface of making a summary, carries out summary computing, generation is solid in the outside of intelligent cipher key equipment to signature original text The data of measured length.

In the present embodiment, the interface called is SKF_DigestInit and SKF_Digest,

SKF_DigestInit interfaces carry out summary initialization, and SKF_Digest interfaces carry out summary computing, two interfaces It is combined, realizes summary computing.

For example, signature original text is 123456, the result after the second preset algorithm is summary computing is： FEqNCco3Yq9h5ZUglD3CZJT4lBs=.

In the present embodiment, called by software interface before client certificate signs, summary computing interface is only comprising plucking Instruct, signature interface only includes signature command, but in the present embodiment, signature interface includes digest instructions, and includes label Summary and signature computing are successively realized in name instruction, i.e. signature interface.In the present embodiment, the signature interface called is SKF_ ECCSignData, interface SKF_ECCSignData only signs, but in order to avoid this intelligent cipher key equipment is as other USBKEY is used, in the present embodiment, and interface SKF_ECCSignData both made an abstract, and signed again.Before interface signature, it is necessary to First make an abstract, general summary computing has corresponding interface realization, generates the data of regular length.

For example, signature original text is 123456, the result after the second preset algorithm is summary computing is：8gkHg+ VRPaWJMzsFDH3RIYK6Ffg=, by the first preset algorithm be signature after result be：

Step 209：Signature terminate after, client by client signature original text, client signature result, client certificate and The symmetric encipherment algorithm currently supported is sent to server；

In the present embodiment, which symmetric encipherment algorithm notification server supports to client, determines which is used in server Plant after AES, algorithm used can be sent to client.

Step 210：Server is made a summary computing twice to client signature original text；

For example, the result after making a summary for the first time is：FEqNCco3Yq9h5ZUglD3CZJT4lBs=, after second is made a summary Result be：8gkHg+VRPaWJMzsFDH3RIYK6Ffg=.

Step 211：Whether server is correct using client certificate verification client signature result, is to perform step 212, otherwise interrupt two-way authentication establishment of connection；

, it is necessary to first be made an abstract to signature original text when checking signature, then verify.It is also first to signature original text when signature Make an abstract, then sign.Make an abstract, be the data for generating regular length.

Step 212：Whether server authentication client certificate is legal, is verified, and server preserves client card temporarily Book, continues executing with step 213, and checking does not interrupt two-way authentication establishment of connection by then server；

In the present embodiment, whether the public key certificate of server authentication client is legal specifically includes：Judge the card of client Whether book use date is effective, is judged as whether the CA of client's offer certificate is reliable, can judge distribution CA public key correctly solve The distribution CA of customer's certificate digital signature is opened, checks the certificate of client whether in certification revocation list (CRL).

Step 213：The security highest symmetric cryptography that server selection client is supported calculates hair method and is used as two-way authentication The AES of communication, and after this AES is encrypted with client certificate, encrypted result is sent to client；

In the present embodiment, server encrypts interface by server end, and this AES is entered using client certificate Row encryption, after the complete client certificate of server authentication, the AES of support is sent to server by client.

Step 214：Client is received after encrypted result, is decrypted using client certificate private key, according to server about Fixed symmetric encipherment algorithm, produces a random number by producing random number interface, as communication key, and uses server public key Encryption is sent to server；

Step 215：Server receives the encrypted result that client is sent, and is decrypted using privacy key, and acquisition is two-way to be recognized The communication key of encryption is demonstrate,proved, duplex channel is set up, and is terminated.

Example IV

A kind of method for realizing intelligent cipher key equipment transaction is present embodiments provided, as shown in figure 3, including：

Step 301：Net silver sales counter installs intelligent cipher key equipment middleware and in Net silver diploma system download signed certificate；

Step 302：Net silver sales counter is bound by intelligent cipher key equipment sequence number, certificate information and user's Net silver account, into Work(is opened an account；

In the present embodiment, certificate information is certificate serial number, validity period of certificate etc.；User's Net silver account is Net silver account Number, such as identification card number or bank's card number etc..

For example, intelligent cipher key equipment Serial No. 100000001, certificate serial number is ABC000001, bank's card number is： 6201 2345 6789 0123。

What deserves to be explained is, user account, intelligent cipher key equipment sequence number and certificate serial number are corresponded.Specifying use On the premise of name in an account book, it is necessary to hold corresponding intelligent cipher key equipment and corresponding certificate, network bank business can be just carried out.

Step 303：When User logs in internet banking system, client reads intelligent cipher key equipment sequence number, server authentication Whether user name, password and intelligent cipher key equipment sequence number match, and are to log in internet banking system success, perform step 304, otherwise Log in internet banking system failure；

In the present embodiment, perform this step before, in addition it is also necessary to user insert intelligent cipher key equipment and input user name, Password.

It should be noted that the server in the present embodiment refers in particular to ebanking server.

Step 304：Intelligent cipher key equipment receives the signature original text that server is transmitted, and judges whether signature original text meets report Literary specification, is then to perform step 305, otherwise performs step 308；

In the present embodiment, signature original text is the Transaction Information transferred accounts.

If for example, signature original text is：

“<Xml version=" 1.0 " encoding=" UTF-8 "><T><D><M><k>

Payee's name：</k><v>Zhang San</v></M><M><k>

Payee's account number：</k><v>955823609076818</v></M><M><k>

The amount of money：</k><v>123.23</v></M></D><E><M><k>

Serial number：</k><v>12345678</v></M></E></T>", then meet message specification；

If signature original text is：" payee's name：Zhang San payee's account number：955823609076818 amount of money：123.23 stream Water number：12345678 ", then do not meet message specification.

Step 305：Intelligent cipher key equipment verifies Pin codes, is verified then execution step 306, and otherwise money transfer transactions fail；

Specifically, in the present embodiment, intelligent cipher key equipment checking Pin codes are by rear, and intelligent cipher key equipment could be carried out Ensuing work, if checking does not pass through, need to judge whether intelligent cipher key equipment is locked, is, exits, and otherwise continue to verify Whether Pin codes are correct, if correctly, performing step 306, otherwise money transfer transactions fail.

Step 306：Intelligent cipher key equipment parses transaction message and shows Transaction Information, judges whether Transaction Information is correct, It is then button confirmation, performs step 307, otherwise money transfer transactions fails, and exit；

Step 307：Signature original text is transmitted to intelligent cipher key equipment by client, and intelligent cipher key equipment calls signature interface, root Signature original text is made a summary and signed computing according to transaction message specification, execution step 310；

Specifically, in the present embodiment, signature original text is transmitted to intelligent cipher key equipment by client, in intelligent cipher key equipment Portion is carried out after summary computing to signature original text, and client finds the visitor in intelligent cipher key equipment by intelligent cipher key equipment middleware Family end certificate, calls signature interface to be parsed according to transaction message specification to signature interface, and signed.

Step 308：Intelligent cipher key equipment verifies Pin codes, is verified then execution step 309, and otherwise money transfer transactions fail；

Specifically, in the present embodiment, intelligent cipher key equipment is verified

By rear, intelligent cipher key equipment could carry out ensuing work, if checking does not pass through, need to judge intelligent key Whether equipment is locked, is, exits, and otherwise continues to verify whether Pin codes are correct, if correctly, performing step 309, otherwise transferring accounts Fail Transaction.

Step 309：Signature original text is transmitted to intelligent cipher key equipment by client, and intelligence is found by intelligent cipher key equipment middleware Client certificate that can be in key devices, calls signature interface signature original text to be made a summary and signed computing；

Step 310：Signature original text, client signature result and client certificate are sent to server by client；

Step 311：Server is once made a summary computing to the signature original text that client is sent；

Step 312：Server compares whether client certificate is card that this user binds according to user name and certificate information Book, if it is, performing step 309, otherwise money transfer transactions fail；

In the present embodiment, server also needs to the corresponding certificate information of checking user.

Step 313：Server to signature original text carry out summary computing and verify signature whether succeed, be then money transfer transactions into Work(, otherwise money transfer transactions failure.

Specifically, in the present embodiment, server receives client-side information, signature original text is carried out after once summary computing Whether correct using client certificate verification signature result, money transfer transactions fail if incorrect, if correctly, server Confirm whether the message format transferred accounts is correct, if correctly, money transfer transactions success, otherwise money transfer transactions failure.

More specifically, in the present embodiment, the transaction for meeting message format is pressed " confirmation " in intelligent cipher key equipment Signed after key successfully, Net silver backstage can be verified；Transaction for not meeting message format, Net silver backstage may determine that Not transfer accounts, checking signature failure.

Embodiment five

The operation that intelligent cipher key equipment carries out execution during two-way authentication is present embodiments provided, including：

Step 401：When receiving the request of acquisition client certificate of server transmission, in intelligent cipher key equipment loopback The client certificate list put, client certificate list is indexed including certificate；

In the present embodiment, also include before step 401：User end to server sends two-way authentication connection request, clothes Business device, which sends server info to client, to be verified, checking does not pass through, and client interrupts two-way authentication establishment of connection, It is verified, server sends two-way authentication connection request to client, performs step 401；

Wherein, server info is specifically included：Server public key certificate, server signature original text and server signature knot Really；

Further, server info is sent to client before being verified, in addition to：Server passes through random number Generate interface and produce random number as server signature original text, server signature original text is made an abstract computing by digest interface Afterwards, summary operation result sign obtaining server signature result.

Further, server info is sent to client and verified by server, is specifically included：Client validation Whether server certificate public key is legal；Whether client validation server signature result is correct；

Yet further, whether client validation server certificate public key is legal, specifically includes：Client validation server Whether public key certificate is expired, and whether the CA of client validation issuance server certificate is reliable, client validation publisher certificate Whether can public key correctly untie domain name in the digital signature of the publisher of server certificate, client validation server certificate Match with the actual domain name of server；

Step 402：When receiving the request signed using client certificate, intelligent cipher key equipment is according to using client The certificate indexed search certificate included in the request of certificate signature, be according to the determined property client certificate of the certificate retrieved The certificate of two-way authentication；

In the present embodiment, according to the determined property client certificate type of the certificate retrieved, it is specially：Intelligent key Equipment judges client certificate type according to the key value of certificate.

For example, the key value of the certificate of two-way authentication is：5；The key value of the certificate of transaction is：4.

Step 403：When the password and checking request for receiving client transmission, whether intelligent cipher key equipment checking password Correctly, if mistake, error message is returned to client, if correctly, correct information is returned to client；

In the present embodiment, before returning to error message to client, in addition to：Whether intelligent cipher key equipment judges itself It is locked, it is then to open lock to verify that whether password is correct, otherwise returns to error message to client again.

Step 404：When the client signature original text and judgement request for receiving client transmission, intelligent cipher key equipment solution Analysis client signature original text simultaneously judges whether client signature original text meets message specification, is that then institute returns to mistake letter to client Breath, otherwise returns to correct information to client；

Step 405：When receiving the signature request of client transmission, intelligent cipher key equipment enters to client signature original text Row summary and signature computing, and client signature result is returned into client；

In the present embodiment, in addition to client signature result is returned into client, in addition to：Client is by client label Name original text, client signature result and client certificate are sent to server；

Specifically, server receives client signature original text, client signature result and the client of client transmission Certificate, calls summary computing interface to do computing of once making a summary to client signature result.

Specifically, server receives client signature original text, client signature result and the client card of client transmission After book, in addition to：Whether server is correct using client certificate verification server signature result；Server authentication client is demonstrate,proved Whether book is legal；

In the present embodiment, when the client signature original text and judgement request for receiving client transmission, intelligent key Equipment parses client signature original text and judges whether client signature original text meets message specification, is, institute returns to client Error message, otherwise returns to correct information to client, performs step 405；

In addition, before step 405 is performed, can also include：Client call makes a summary computing interface to client signature Original text carries out summary computing, and summary result is sent to intelligent cipher key equipment；Intelligent cipher key equipment receives client transmission Summary result after, will summary result as active client sign original text, parsing active client signature original text simultaneously judge work as Whether preceding client signature original text meets message specification, is then to return to error message to client, is otherwise returned just to client Firmly believe breath；

More specifically, when receiving the signature request of client transmission, intelligent cipher key equipment is signed to active client Original text is made a summary and signed computing, and client signature result is returned into client.In addition, client signature result is returned During client, in addition to：Client signature original text, client signature result and client certificate are sent to server；

In the present embodiment, client signature result is returned outside client, in addition to：Pair that client is currently supported AES is claimed to return to client.

Client signature result is returned after client, in addition to：The security highest that server selection client is supported The AES that is communicated as two-way authentication of symmetric encipherment algorithm, and this AES is carried out using client certificate public key Encryption, and encrypted result is sent to client.

Step 406：When receiving the decoding request of client transmission, intelligent cipher key equipment is decrypted, and will decryption As a result client is returned.

Specifically, in the present embodiment, by decrypted result return client after, in addition to：Client is calculated according to encryption Method, is used as communication key, and be sent to clothes using server certificate public key encryption by producing random number interface generation random number Business device, server is received after the encrypted result of client transmission, is decrypted, obtained using server certificate private key by decryption interface Obtain the communication key of two-way authentication encryption.

Embodiment six

The operation performed when intelligent cipher key equipment is traded is present embodiments provided, including：

Step 501：When receiving the request of acquisition client certificate of server transmission, in intelligent cipher key equipment loopback The client certificate list put, client certificate list is indexed including certificate；

Step 502：When receiving the request signed using client certificate, intelligent cipher key equipment is according to using client The certificate indexed search certificate included in the request of certificate signature, be according to the determined property client certificate of the certificate retrieved The certificate of transaction；

Step 502：When the password and checking request for receiving client transmission, whether intelligent cipher key equipment checking password Correctly, if mistake, error message is returned to client, if correctly, correct information is returned to client, step S5 is performed；

Step 503：When the client signature original text and judgement request for receiving client transmission, intelligent cipher key equipment is sentenced It is disconnected whether to meet message specification, it is that then institute returns to error message to client, performs step 504；Otherwise returned just to client Breath is firmly believed, step 505 is performed；

In the present embodiment, before receiving the client signature original text of client transmission and judging request, in addition to： Client reads intelligent cipher key equipment sequence number, and whether server authentication user profile and intelligent cipher key equipment sequence number match, It is to log in success, performs step 503, otherwise login failure.

Step 504：Intelligent cipher key equipment parses client signature original text and shows Transaction Information, after user key-press confirms, After the signature request that client to be received is sent, computing that client signature original text is made a summary and signed, and by client label Name result returns to client；

In the present embodiment, client signature result is returned after client, in addition to：Client is former by client signature Text, client signature result and client certificate are sent to server.

Specifically, server is received after the information of client transmission, and summary is carried out once to client signature original text and is transported Calculate, and according to user profile and certificate information, compare whether current certificates are the certificate of this user binding, if it is not, merchandising Failure；If it is, server to signature original text carry out summary computing and verify signature whether succeed, be then money transfer transactions into Work(, otherwise money transfer transactions failure.

Step 505：Intelligent cipher key equipment is parsed after client signature original text, the signature request that client to be received is sent, Client signature original text is made a summary and signed computing, and signature result is returned into client.

Embodiment seven

A kind of device for realizing bidirectional authentication of smart secret key equipment and transaction is present embodiments provided, as shown in figure 4, bag Include：

First receiving module 601, the request of the acquisition client certificate sent for the reception server；

Loopback module 602, for receiving asking for the acquisition client certificate that server is sent when the first receiving module 601 When asking, the client certificate list built in loopback, client certificate list is indexed including certificate；

Second receiving module 603, for receiving the request signed using client certificate；

Module 604 is retrieved, for being received when the second receiving module 603 during the request using client certificate signature, root According to the certificate indexed search certificate included in the request signed using client certificate；

First judge module 605, for when retrieval module 604 retrieves certificate, according to the attribute of the certificate retrieved Judge client certificate type；

Computing module 606, for judging certificate of the client certificate type for two-way authentication when the first judge module 605 When, computing that client signature original text is made a summary and signed, and client signature result is returned into client；It is additionally operable to when aobvious Show that module 611 is shown after Transaction Information, after user key-press confirms, computing that client signature original text is made a summary and signed, and Client signature result is returned into client；

Sending module 607, the client signature result for computing module 606 to be obtained is sent to client；

3rd receiving module 608, for judging certificate of the client certificate type for transaction when the first judge module 605 When, receive client signature original text and judgement request that client is sent；

Second judge module 609, the client signature original text for receiving client transmission when the 3rd receiving module 608 During with judging request, judge whether client signature original text meets message specification；

Parsing module 610, for when the second judge module 609 judges that client signature original text meets message specification, going back For when the 4th receiving module 612 receives the signature request that client is sent, parsing client signature original text；

Display module 611, for showing Transaction Information；

4th receiving module 612, for judging that client signature original text does not meet message specification when the second judge module 609 When, receive the signature request that client is sent.

In the present embodiment, device also includes：5th receiving module, authentication module, return module and the 6th receiving module；

In the present embodiment, device also includes：3rd judge module；

3rd judge module, it is whether locked for judgment means itself；

Authentication module, is additionally operable to when the 3rd judge module judgment means itself are locked, and opening lock, checking password is again It is no correct；

Specifically, sending module 607, specifically for：By client signature original text, client signature result and client card Book is sent to server.

Specifically, return mechanism is additionally operable to：When the second judge module 609 judges that client signature original text meets message specification When, return to error message to client；When the second judge module 609 judges that client signature original text does not meet message specification, Correct information is returned to client, computing module 606 is run.

Further, device also includes：7th receiving module and it is used as module；

7th receiving module, the summary result for receiving client transmission；

As module, for after the 7th receiving module receives the summary result that client is sent, summary result to be made For active client signature original text；

Parsing module 610, is additionally operable to parsing parsing active client signature original text；

Second judge module 609, is additionally operable to judge whether active client signature original text meets message specification；

Module is returned, is additionally operable to when the second judge module 609 judges that active client signature original text meets message specification, Error message is returned to client；When the second judge module 609 judges that active client signature original text does not meet message specification, Correct information is returned to client.

Further, device also includes：8th receiving module；

8th receiving module, the signature request for receiving client transmission.

More specifically, sending module 607, specifically for：The symmetric encipherment algorithm that client is currently supported returns described Client.

Yet further, device also includes：9th receiving module and deciphering module；

9th receiving module, the decoding request for receiving client transmission；

Specifically, in the present embodiment, the first judge module 605, specifically for：Client is judged according to the key value of certificate Hold certificate type.

The foregoing is only a preferred embodiment of the present invention, but protection scope of the present invention be not limited thereto, Any one skilled in the art is in technical scope disclosed by the invention, the change or replacement that can be readily occurred in, It should all be included within the scope of the present invention.Therefore, protection scope of the present invention should be with scope of the claims It is defined.

Claims

1. a kind of method for realizing bidirectional authentication of smart secret key equipment and transaction, it is characterised in that methods described includes：

Step S1：When receiving the request of acquisition client certificate of server transmission, built in intelligent cipher key equipment loopback Client certificate list, the client certificate list is indexed including certificate；

Step S2：When receiving the request signed using client certificate, the intelligent cipher key equipment is according in the request Comprising certificate indexed search certificate, the client certificate type according to the determined property of the certificate retrieved, if double To the certificate of certification, step S3 is performed；If the certificate of transaction, then step S4 is performed；

Step S3：The intelligent cipher key equipment is made a summary and signed to client signature original text computing, and by client signature As a result the client is returned, is terminated；

Step S4：When the client signature original text and judgement request for receiving client transmission, the intelligent cipher key equipment is sentenced Whether disconnected client signature original text meets message specification, is then to perform step S5；Otherwise step S6 is performed；

Step S5：The intelligent cipher key equipment parses the client signature original text and shows Transaction Information, and user key-press confirms Afterwards, the client signature original text is made a summary and signed computing, and client signature result is returned into the client, knot Beam；

Step S6：After the intelligent cipher key equipment receives the signature request that the client is sent, the client is parsed Signature original text, computing that the client signature original text is made a summary and signed, and signature result is returned into the client, knot Beam.

2. according to the method described in claim 1, it is characterised in that in the step S1, judge the client certificate type Afterwards, in addition to：When the password and checking request for receiving client transmission, just whether intelligent cipher key equipment checking password Really, if mistake, error message is returned to the client, if correctly, returned to the client after correct information, is waited Receive the client certificate of server transmission.

3. method according to claim 2, it is characterised in that the intelligent cipher key equipment returns to mistake to the client Before information, in addition to：The intelligent cipher key equipment judges whether itself is locked, is then to open lock, performs the intelligent key Whether device authentication password is correct, otherwise returns to error message to the client.

4. according to the method described in claim 1, it is characterised in that return to client signature result described in the step S3 When the client, in addition to：By the client signature original text, the client signature result and the client card Book is sent to server；

The server receives the client signature original text, the client signature result and the visitor of client transmission Family end certificate, calls summary computing interface to do computing of once making a summary to the client signature result.

5. method according to claim 4, it is characterised in that the server receives the client that the client is sent After signature original text, the client signature result and the client certificate, in addition to：The server uses the client Hold client signature result described in certification authentication whether correct；Whether client certificate is legal described in the server authentication.

6. according to the method described in claim 1, it is characterised in that also include before the step S3：When receiving the visitor When the client signature original text and judgement that family end is sent are asked, the intelligent cipher key equipment parses the client signature original text simultaneously Judge whether the client signature original text meets message specification, be then to return to error message to the client, otherwise to institute State client and return to correct information, perform step S3.

7. according to the method described in claim 1, it is characterised in that before the step S3, in addition to：The client call Computing interface of making a summary carries out summary computing to the client signature original text, and the summary result is sent into close to the intelligence Key equipment；

The intelligent cipher key equipment is received after the summary result that the client is sent, and regard the summary result as visitor Family end signature original text, parses the active client signature original text and simultaneously judges whether the active client signature original text meets report Literary specification, is then to return to error message to the client, otherwise returns to correct information to the client, perform step S3.

8. method according to claim 7, it is characterised in that return to client signature result described in the step S3 During the client, in addition to：By the client signature original text, the client signature result and the client certificate hair Deliver to server；

The server receives active client signature original text, the client signature result and the institute of client transmission Client certificate is stated, calls summary computing interface to do computing of making a summary twice to the client signature result.

9. according to the method described in claim 1, it is characterised in that described to return client signature result in the step S3 When returning the client, in addition to：The symmetric encipherment algorithm that the client is currently supported returns to the client.

10. method according to claim 9, it is characterised in that return client signature result described in the step S3 Return after the client, in addition to：Server selects the security highest symmetric encipherment algorithm conduct that the client is supported The AES of two-way authentication communication, and this AES is encrypted using client certificate public key, and by encrypted result It is sent to the client.

11. method according to claim 10, it is characterised in that when the decoding request for receiving the client transmission When, the encrypted result is decrypted the intelligent cipher key equipment, and the AES return that decryption is obtained is described Client.

12. method according to claim 11, it is characterised in that it is described decrypted result is returned into the client after, Also include：The client is used as communication key according to the AES by producing one random number of random number interface generation, And the server is sent to using server certificate public key encryption, the server receives the encryption that the client is sent As a result after, decrypted by decryption interface using server certificate private key, obtain the communication key of two-way authentication encryption.

13. according to the method described in claim 1, it is characterised in that also include before the step S1：The client is to clothes Business device sends two-way authentication connection request, and server info is sent to the client and verified by the server, verifies Do not pass through, the client interrupts two-way authentication establishment of connection, is verified, the server sends double to the client To certification connection request, step S1 is performed.

14. method according to claim 13, it is characterised in that server info is specifically included described in step S1：Clothes Business device public key certificate, server signature original text and server signature result；

It is described server info is sent to the client verified before, in addition to：The server passes through random number Generate interface and produce random number as server signature original text, server signature original text is made an abstract computing by digest interface Afterwards, summary operation result sign obtaining server signature result.

15. method according to claim 14, it is characterised in that the server sends server info to the visitor Family end is verified, is specifically included：Whether the client validation server certificate public key is legal；Described in the client validation Whether server signature result is correct.

16. method according to claim 15, it is characterised in that whether the client validation server certificate public key closes Method, is specifically included：Whether the client validation server public key certificate is expired, the client validation issuance server certificate CA it is whether reliable, can the public key of client validation publisher certificate correctly untie the number of the publisher of server certificate Word is signed, and whether the domain name in the client validation server certificate matches with the actual domain name of server；

Whether the client validation server signature result is correct, specifically includes：The client is to the server signature Original text carries out summary computing, and server signature result is verified using server certificate.

17. according to the method described in claim 1, it is characterised in that also include before the step S4：The client is read Whether intelligent cipher key equipment sequence number, the server authentication user profile and the intelligent cipher key equipment sequence number match, and are Internet banking system success is then logged in, step S4 is performed, internet banking system failure is otherwise logged in.

18. it is according to the method described in claim 1, it is characterised in that in the step S5 and the step S6, described by client End signature result is returned after the client, in addition to：The client is by the client signature original text, client signature knot Fruit and the client certificate are sent to server.

19. method according to claim 18, it is characterised in that the server receives the letter that the client is sent After breath, in addition to：The client signature original text is once made a summary computing, and according to user profile and certificate information, than To current certificates whether be this user binding certificate, if it is not, Fail Transaction；If it is, the server is to signature Original text carries out summary computing and verifies whether signature succeeds, and is then money transfer transactions success, and otherwise money transfer transactions fail.

20. according to the method described in claim 1, it is characterised in that described in the determined property for the certificate that the basis is retrieved Client certificate type, be specially：The intelligent cipher key equipment judges client certificate type according to the key value of certificate.

21. a kind of device for realizing bidirectional authentication of smart secret key equipment and transaction, it is characterised in that described device includes：

Loopback module, for when first receiving module receive server transmission acquisition client certificate request when, Client certificate list built in loopback, the client certificate list is indexed including certificate；

Module is retrieved, for being received when second receiving module during request using client certificate signature, the basis The certificate indexed search certificate included in the request；

First judge module, for client certificate class described in the determined property of the certificate retrieved according to the retrieval module Type；

Computing module, for when first judge module judges the client certificate type for the certificate of two-way authentication, Client signature original text is made a summary and signed computing；It is additionally operable to after display module shows Transaction Information, user key-press is true After recognizing, computing that the client signature original text is made a summary and signed；

Sending module, the client signature result for the computing module to be obtained is sent to the client；

3rd receiving module, for when first judge module judge the client certificate type for transaction certificate when, Receive client signature original text and judgement request that client is sent；

Second judge module, client signature original text and judgement for receiving client transmission when the 3rd receiving module During request, judge whether the client signature original text meets message specification；

Parsing module, for when the second judge module judges that the client signature original text meets message specification, parsing to be described Client signature original text；It is additionally operable to when the 4th receiving module receives the signature request that the client is sent, parsing is described Client signature original text；

Display module, for showing Transaction Information；

4th receiving module, for judging that the client signature original text does not meet message specification when second judge module When, receive the signature request that the client is sent.

22. device according to claim 21, it is characterised in that described device also includes：5th receiving module, checking mould Block, return module and the 6th receiving module；

The authentication module, for when the 5th receiving module receives password and the checking request that client is sent, testing Whether correct demonstrate,prove password；

The return module, for when the authentication module verifies code error, error message to be returned to the client；When When the authentication module verifies that password is correct, correct information is returned to the client；

6th receiving module, for when authentication module checking password is correct, waiting and receiving server transmission Client certificate.

23. device according to claim 22, it is characterised in that described device also includes：3rd judge module；

3rd judge module, it is whether locked for judgment means itself；

The authentication module, is additionally operable to when the 3rd judge module judgment means itself are locked, and opening lock checking password is It is no correct；

The return module, is additionally operable to when the 3rd judge module judgment means itself are locked, is returned to the client Error message.

24. device according to claim 21, it is characterised in that the sending module, specifically for：By the client Signature original text, the client signature result and the client certificate are sent to server.

25. device according to claim 21, it is characterised in that the return module is additionally operable to：When the described second judgement When module judges that the client signature original text meets message specification, error message is returned to the client；When described second When judge module judges that the client signature original text does not meet message specification, correct information, operation are returned to the client Computing module.

26. device according to claim 21, it is characterised in that described device also includes：7th receiving module and conduct Module；

7th receiving module, for receiving the summary result that the client is sent；

It is described as module, for after the 7th receiving module receives the summary result that the client is sent, It regard the summary result as client signature original text；

The parsing module, is additionally operable to parse the client signature original text；

Second judge module, is additionally operable to judge whether the active client signature original text meets message specification；

The return module, is additionally operable to when second judge module judges that the active client signature original text meets message rule Fan Shi, error message is returned to the client；When second judge module judges the active client signature original text not When meeting message specification, correct information is returned to the client；

The computing module, is additionally operable to after the return module returns to correct information to client, to client signature original text Made a summary and signed computing.

27. device according to claim 26, it is characterised in that described device also includes：8th receiving module；

8th receiving module, for receiving the signature request that the client is sent.

28. device according to claim 27, it is characterised in that the sending module, also particularly useful for：By the client End signature original text, the client signature result and the client certificate are sent to server.

29. device according to claim 21, it is characterised in that the sending module, specifically for：By the client The symmetric encipherment algorithm currently supported returns to the client.

30. device according to claim 29, it is characterised in that described device also includes：9th receiving module and decryption Module；

9th receiving module, for receiving the decoding request that the client is sent；

The deciphering module, for when the 9th receiving module receives the decoding request that the client is sent, to institute State encrypted result to be decrypted, and the obtained AES return client will be decrypted.

31. device according to claim 21, it is characterised in that first judge module, specifically for：According to certificate Key value judge client certificate type.