CN109328348A - A kind of service authentication method, system and relevant device - Google Patents

Publication number: CN109328348A
Authority: CN (China)
Prior art keywords: user, business, biological information, mobile terminal, service server
Legal status: Granted (Active)
Application number: CN201680087076.XA
Other languages: Chinese (zh)
Other versions: CN109328348B (en)
Inventor: 董明杰
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • G06F21/32: User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints

Abstract

A service authentication method, system and related device. The service authentication method includes: a mobile terminal determines the service to be authenticated that is triggered by a user; obtains first biometric information that the user inputs for the service to be authenticated; generates first key information using the key generation algorithm corresponding to the service to be authenticated and the first biometric information; sends to a service server an authentication request for the service to be authenticated, the request carrying identification information of the user; receives the response to the authentication request sent by the service server; obtains a first verification result according to the first key information and the response to the authentication request; and sends the first verification result to the service server, so that the service server obtains, from a biometric information management server, second biometric information corresponding to the identification information of the user, and authenticates the service to be authenticated according to the second biometric information, the response to the authentication request and the first verification result. This method enables secure and highly versatile service authentication.

Description

A service authentication method, system and related device
Technical field
The present invention relates to the field of biometrics, and in particular to a service authentication method, system and related device.
Background
In recent years biometrics has developed rapidly and is used more and more on mobile terminals such as smartphones and tablet computers. For example, biometric information such as fingerprints, faces and irises is used to authenticate services such as login and payment, including fingerprint unlocking, fingerprint payment and face recognition. In these service authentication schemes, however, the mobile terminal usually stores the user's biometric information (fingerprint, face, iris and so on) in a security chip, where it may be brute-forced, so security is poor. In addition, the schemes used to authenticate different services differ greatly and are each confined to a specific application scenario, so their versatility is poor. How to provide a secure and versatile service authentication scheme has therefore become an urgent problem.
Summary of the invention
The embodiments of the present invention disclose a service authentication method, system and related device for implementing secure and versatile service authentication.
A first aspect of the embodiments of the present invention discloses a service authentication method applied to an open wireless access system that includes a service server, a biometric information management server and a mobile terminal. The method includes:
The mobile terminal determines the service to be authenticated that is triggered by the user, generates first key information using the key generation algorithm corresponding to the service to be authenticated and the first biometric information that the user inputs for that service, and sends an authentication request for the service to be authenticated to the service server. The authentication request carries identification information of the user, for example one or more of a user name, name, e-mail address, mobile phone number, employee number and ID card number. The mobile terminal receives the response to the authentication request sent by the service server, which may specifically be a random number, and obtains a first verification result according to the first key information and the response to the authentication request.
The mobile terminal sends the first verification result to the service server, so that the service server can obtain from the biometric information management server the second biometric information corresponding to the user's identification information, generate a second verification result according to the second biometric information and the response to the authentication request, and authenticate the service to be authenticated using the first verification result and the second verification result. It can be seen that biometric information is stored and managed centrally by the biometric information management server, and the mobile terminal does not store biometric information. During service authentication, the mobile terminal generates one verification result from the biometric information newly entered by the user, the service server generates another verification result from the biometric information obtained from the biometric information management server, and the service server determines whether service authentication passes by judging whether the two verification results match, thereby achieving secure and versatile service authentication.
Optionally, different services are preset with corresponding service security levels, and the type and/or quantity of biometric information that the user must input may differ between service security levels. The mobile terminal may obtain the first biometric information input by the user as follows: the mobile terminal determines the service security level of the service to be authenticated, outputs an input prompt for the biometric information corresponding to that service security level, and then obtains the first biometric information that the user inputs in response to the prompt. Differentiating services by service security level and requiring the user to input biometric information of the corresponding type and/or quantity can further improve the security of service authentication.
Optionally, for different users, the mobile terminal may adapt different initialization interfaces after power-on, where the initialization interface shows the services the user can use. Before entering the interface corresponding to the user, the mobile terminal may prompt the user to input biometric information of a specified type, obtain the third biometric information input by the user, generate second key information using a preset key generation algorithm and the third biometric information, and send a user permission level acquisition request to the service server to obtain the permission level of the current user. The user permission level acquisition request carries the user's identification information, for example one or more of a user name, name, e-mail address, mobile phone number, employee number and ID card number.
The mobile terminal receives the response to the user permission level acquisition request sent by the service server, which may specifically be a random number, obtains a second verification result according to the second key information and the response to the user permission level acquisition request, and sends the second verification result to the service server, so that the service server obtains from the biometric information management server the fourth biometric information corresponding to the user's identification information and, when the second verification result is verified successfully according to the fourth biometric information and the response to the user permission level acquisition request, obtains the user permission level corresponding to the user's identification information.
The mobile terminal receives the user permission level sent by the service server and outputs the initialization interface corresponding to the user according to the user permission level. The initialization interface shows the services the user can use, and the user can then select the above service to be authenticated from those services. Dividing users by user permission level makes it possible to adapt different initialization interfaces for different users, so that each user is shown the services available to them. This provides a flexible, personalized way of using the mobile terminal and allows the same mobile terminal to be used independently by different users without them affecting one another.
Optionally, the mobile terminal receives the authentication result for the service to be authenticated sent by the service server. When the authentication result is that authentication passed, the mobile terminal may generate encryption key information using the encryption key generation algorithm corresponding to the service to be authenticated and the first key information, encrypt the data of the service to be authenticated using the encryption key information, and send the encrypted data to the service server, instructing the service server to decrypt the encrypted data of the service to be authenticated using the second biometric information, so that encryption and decryption of the data of the service to be authenticated are conveniently implemented.
A second aspect of the embodiments of the present invention discloses a service authentication method applied to an open wireless access system that includes a service server, a biometric information management server and a mobile terminal. The method includes:
The service server receives the authentication request for the service to be authenticated sent by the mobile terminal, the request carrying the user's identification information, and sends the response to the authentication request to the mobile terminal, so that the mobile terminal can obtain the first verification result according to the first key information and the response to the authentication request. The first key information is generated by the mobile terminal using the key generation algorithm corresponding to the service to be authenticated and the first biometric information input by the user.
The service server receives the first verification result sent by the mobile terminal, obtains from the biometric information management server the second biometric information corresponding to the user's identification information, obtains a second verification result according to the second biometric information and the response to the authentication request, and determines that authentication of the service to be authenticated passes when the first verification result matches the second verification result. It can be seen that biometric information is stored and managed centrally by the biometric information management server, and the mobile terminal does not store biometric information. During service authentication, the mobile terminal generates one verification result from the biometric information newly entered by the user, the service server generates another verification result from the biometric information obtained from the biometric information management server, and the service server determines whether service authentication passes by judging whether the two verification results match, thereby achieving secure and versatile service authentication.
Optionally, the service server may obtain the second biometric information corresponding to the user's identification information from the biometric information management server as follows: the service server sends a biometric information acquisition request to the biometric information management server, the request carrying the identification information of the user and the identification information of the service server, so that the biometric information management server queries the second biometric information corresponding to the identification information of the user and the identification information of the service server.
The service server receives the second biometric information sent by the biometric information management server.
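The exchange described in the first and second aspects above, with both sides and the biometric lookup by user and service-server identifier, as an added example that is not part of the patent text. The patent does not name its algorithms, so PBKDF2-HMAC-SHA256 (key generation) and HMAC-SHA256 (verification result) are assumptions, as are all class, function and identifier names and the treatment of a biometric sample as a fixed byte template.

```python
import hashlib
import hmac
import secrets


def derive_key(service_id: str, template: bytes) -> bytes:
    """Key information from a biometric template, bound to one service.

    Assumption: PBKDF2-HMAC-SHA256 salted with the service id stands in for
    the per-service key generation algorithm, which the page does not name.
    """
    salt = b"service:" + service_id.encode()
    return hashlib.pbkdf2_hmac("sha256", template, salt, 50_000)


def verification_result(key: bytes, challenge: bytes) -> bytes:
    """Assumption: HMAC-SHA256 of the server's random number under the key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class BiometricStore:
    """Biometric information management server (hypothetical in-memory form).

    Templates are looked up by (user id, service-server id), matching the
    acquisition request that carries both identifiers.
    """

    def __init__(self):
        self._templates = {}

    def enroll(self, user_id: str, server_id: str, template: bytes) -> None:
        self._templates[(user_id, server_id)] = template

    def query(self, user_id: str, server_id: str):
        return self._templates.get((user_id, server_id))


class ServiceServer:
    def __init__(self, server_id: str, store: BiometricStore):
        self.server_id = server_id
        self.store = store
        self._pending = {}  # (user_id, service_id) -> outstanding random number

    def handle_auth_request(self, user_id: str, service_id: str) -> bytes:
        """Response to the authentication request: a fresh random number."""
        challenge = secrets.token_bytes(32)
        self._pending[(user_id, service_id)] = challenge
        return challenge

    def handle_verification(self, user_id: str, service_id: str,
                            first_result: bytes) -> bool:
        # Pop the random number so a captured result cannot be replayed.
        challenge = self._pending.pop((user_id, service_id), None)
        if challenge is None:
            return False
        template = self.store.query(user_id, self.server_id)
        if template is None:
            return False
        second_result = verification_result(
            derive_key(service_id, template), challenge)
        # Constant-time comparison of the two verification results.
        return hmac.compare_digest(first_result, second_result)


class MobileTerminal:
    """Holds no biometric data; the template exists only during the call."""

    def authenticate(self, server: ServiceServer, user_id: str,
                     service_id: str, fresh_template: bytes) -> bool:
        key = derive_key(service_id, fresh_template)
        challenge = server.handle_auth_request(user_id, service_id)
        first_result = verification_result(key, challenge)
        return server.handle_verification(user_id, service_id, first_result)


if __name__ == "__main__":
    # Constructed sample data, not real biometric templates.
    store = BiometricStore()
    store.enroll("alice", "pay-server", b"constructed-template-alice")
    server = ServiceServer("pay-server", store)
    terminal = MobileTerminal()
    print(terminal.authenticate(server, "alice", "payment",
                                b"constructed-template-alice"))
    print(terminal.authenticate(server, "alice", "payment",
                                b"constructed-template-mallory"))
```

Real biometric captures vary between readings, so the byte-exact match assumed here only works if the capture pipeline yields a stable template; the page does not say how that is achieved.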
Optionally, for different users, the mobile terminal may adapt different initialization interfaces after power-on, where the initialization interface shows the services the user can use. The service server receives the user permission level acquisition request that the mobile terminal sends upon detecting an initialization operation input by the user, the request carrying the user's identification information, and sends the response to the user permission level acquisition request to the mobile terminal, so that the mobile terminal obtains a third verification result according to the second key information and the response to the user permission level acquisition request. The second key information is generated by the mobile terminal using a preset key generation algorithm and the fourth biometric information input by the user.
The service server receives the third verification result sent by the mobile terminal, obtains from the biometric information management server the third biometric information corresponding to the user's identification information, obtains a fourth verification result according to the third biometric information and the response to the user permission level acquisition request, and, when the third verification result matches the fourth verification result, obtains the user permission level corresponding to the user's identification information and sends the user permission level to the mobile terminal. The mobile terminal can then output the initialization interface corresponding to the user according to the user permission level, showing the services the user can use, and the user can select the above service to be authenticated from those services. Dividing users by user permission level makes it possible to adapt different initialization interfaces for different users, so that each user is shown the services available to them. This provides a flexible, personalized way of using the mobile terminal and allows the same mobile terminal to be used independently by different users without them affecting one another.
Optionally, when the first verification result matches the second verification result, the service server sends to the mobile terminal the authentication result that authentication of the service to be authenticated passed, so that the mobile terminal generates encryption key information using the encryption key generation algorithm corresponding to the service to be authenticated and the first key information. The service server receives the data of the service to be authenticated, encrypted with the encryption key information, that is sent by the mobile terminal, and may decrypt the encrypted data of the service to be authenticated using the second biometric information, so that encryption and decryption of the data of the service to be authenticated are conveniently implemented.
A third aspect of the embodiments of the present invention discloses a mobile terminal applied to an open wireless access system that includes a service server, a biometric information management server and the mobile terminal. The mobile terminal includes:
A determining module, configured to determine the service to be authenticated that is triggered by the user.
An obtaining module, configured to obtain the first biometric information that the user inputs for the service to be authenticated.
A processing module, configured to generate first key information using the key generation algorithm corresponding to the service to be authenticated and the first biometric information.
A sending module, configured to send an authentication request for the service to be authenticated to the service server, the authentication request carrying the user's identification information.
A receiving module, configured to receive the response to the authentication request sent by the service server.
The processing module is further configured to obtain a first verification result according to the first key information and the response to the authentication request.
The sending module is further configured to send the first verification result to the service server, instructing the service server to obtain from the biometric information management server the second biometric information corresponding to the user's identification information, so that the service server authenticates the service to be authenticated according to the second biometric information, the response to the authentication request and the first verification result. It can be seen that biometric information is stored and managed centrally by the biometric information management server, and the mobile terminal does not store biometric information. During service authentication, the mobile terminal generates one verification result from the biometric information newly entered by the user, the service server generates another verification result from the biometric information obtained from the biometric information management server, and the service server determines whether service authentication passes by judging whether the two verification results match, thereby achieving secure and versatile service authentication.
Optionally, the obtaining module may include an acquiring unit and an output unit, where:
The acquiring unit is configured to obtain the service security level corresponding to the service to be authenticated.
The output unit is configured to output an input prompt for the biometric information corresponding to the service security level.
The acquiring unit is further configured to obtain the first biometric information that the user inputs in response to the input prompt. Differentiating services by service security level and requiring the user to input biometric information of the corresponding type and/or quantity can further improve the security of service authentication.
Optionally, the mobile terminal further includes an output module, where:
The obtaining module is further configured to obtain the user permission level of the user from the service server.
The output module is configured to output the initialization interface corresponding to the user according to the user permission level, where the initialization interface corresponding to the user shows the services the user can use.
The determining module is specifically configured to determine the service to be authenticated that the user triggers from among the services the user can use. Dividing users by user permission level makes it possible to adapt different initialization interfaces for different users, so that each user is shown the services available to them. This provides a flexible, personalized way of using the mobile terminal and allows the same mobile terminal to be used independently by different users without them affecting one another.
Optionally, the receiving module is further configured to receive the authentication result for the service to be authenticated sent by the service server.
The processing module is further configured to generate encryption key information using the encryption key generation algorithm corresponding to the service to be authenticated and the first key information when the authentication result is that authentication passed.
The processing module is further configured to encrypt the data of the service to be authenticated using the encryption key information.
The sending module is further configured to send the encrypted data of the service to be authenticated to the service server, instructing the service server to decrypt the encrypted data of the service to be authenticated using the second biometric information.
A fourth aspect of the embodiments of the present invention discloses a service server applied to an open wireless access system that includes the service server, a biometric information management server and a mobile terminal. The service server includes:
A receiving module, configured to receive the authentication request for the service to be authenticated sent by the mobile terminal, the authentication request carrying the user's identification information.
A sending module, configured to send the response to the authentication request to the mobile terminal, instructing the mobile terminal to obtain a first verification result according to the first key information and the response to the authentication request, where the first key information is generated by the mobile terminal using the key generation algorithm corresponding to the service to be authenticated and the first biometric information input by the user.
The receiving module is further configured to receive the first verification result sent by the mobile terminal.
An obtaining module, configured to obtain from the biometric information management server the second biometric information corresponding to the user's identification information.
A processing module, configured to obtain a second verification result according to the second biometric information and the response to the authentication request.
An authentication module, configured to authenticate the service to be authenticated according to the first verification result and the second verification result, and to determine that authentication of the service to be authenticated passes when the first verification result matches the second verification result. It can be seen that biometric information is stored and managed centrally by the biometric information management server, and the mobile terminal does not store biometric information. During service authentication, the mobile terminal generates one verification result from the biometric information newly entered by the user, the service server generates another verification result from the biometric information obtained from the biometric information management server, and the service server determines whether service authentication passes by judging whether the two verification results match, thereby achieving secure and versatile service authentication.
Optionally, the obtaining module includes:
A transmission unit, configured to send a biometric information acquisition request to the biometric information management server, the request carrying the identification information of the user and the identification information of the service server, instructing the biometric information management server to query the second biometric information corresponding to the identification information of the user and the identification information of the service server.
A receiving unit, configured to receive the second biometric information sent by the biometric information management server.
Optionally, the receiving module is further configured to receive the user permission level acquisition request that the mobile terminal sends upon detecting an initialization operation input by the user, the request carrying the user's identification information.
The obtaining module is further configured to obtain from the biometric information management server the third biometric information corresponding to the user's identification information.
The processing module is further configured to determine, according to the third biometric information, the user permission level corresponding to the user's identification information.
The sending module is further configured to send the user permission level to the mobile terminal, instructing the mobile terminal to output the initialization interface corresponding to the user according to the user permission level, where the initialization interface corresponding to the user shows the services the user can use and the service to be authenticated is a service the user selects from those services. Dividing users by user permission level makes it possible to adapt different initialization interfaces for different users, so that each user is shown the services available to them. This provides a flexible, personalized way of using the mobile terminal and allows the same mobile terminal to be used independently by different users without them affecting one another.
Optionally, the sending module is further configured to send the authentication result for the service to be authenticated to the mobile terminal, where an authentication result indicating that authentication passed instructs the mobile terminal to generate encryption key information using the encryption key generation algorithm corresponding to the service to be authenticated and the first key information.
The receiving module is further configured to receive the data of the service to be authenticated, encrypted with the encryption key information, that is sent by the mobile terminal.
The processing module is further configured to decrypt the encrypted data of the service to be authenticated using the second biometric information, so that encryption and decryption of the data of the service to be authenticated are conveniently implemented.
A fifth aspect of the embodiments of the present invention discloses a mobile terminal applied to an open wireless access system that includes a service server, a biometric information management server and the mobile terminal. The mobile terminal includes a processor, a biometric identification chip, a transceiver and a memory, which are connected by a bus. The memory stores executable program code, the transceiver sends and receives messages under the control of the processor, and the biometric identification chip and the processor are configured to call the executable program code to execute the service authentication method described in any one of the above first aspect.
A sixth aspect of the embodiments of the present invention discloses a service server applied to an open wireless access system that includes the service server, a biometric information management server and a mobile terminal. The service server includes a processor, a transceiver and a memory, which are connected by a bus. The memory stores executable program code, the transceiver sends and receives messages under the control of the processor, and the processor is configured to call the executable program code to execute the service authentication method described in any one of the above second aspect.
A seventh aspect of the embodiments of the present invention discloses a service authentication system, including: a biometric information management server, the mobile terminal described in any one of the above third aspect, and the service server described in any one of the above fifth aspect. The biometric information management server is configured to store biometric information and to provide the service server with a query service for biometric information.
In the embodiments of the present invention, the mobile terminal determines the service to be authenticated that is triggered by the user, generates first key information using the key generation algorithm corresponding to the service to be authenticated and the first biometric information input by the user, sends to the service server an authentication request for the service to be authenticated that carries the user's identification information, receives the response to the authentication request sent by the service server, obtains a first verification result according to the first key information and the response to the authentication request, and sends the first verification result to the service server, so that the service server obtains from the biometric information management server the second biometric information corresponding to the user's identification information. The service server authenticates the service to be authenticated according to the second biometric information, the response to the authentication request and the first verification result, so that secure and versatile service authentication can be achieved.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic architecture diagram of an open wireless access system disclosed in an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a service authentication method disclosed in an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a mobile terminal disclosed in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a service server disclosed in an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of another mobile terminal disclosed in an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of another service server disclosed in an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a service authentication system disclosed in an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The terms "first", "second", "third" and "fourth" in the specification, the claims and the above drawings are used to distinguish different objects, not to describe a particular order. In addition, the terms "include" and "have" and any variants of them are intended to cover a non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or units is not limited to the listed steps or units, but optionally also includes steps or units that are not listed, or optionally also includes other steps or units inherent to the process, method, product or device. When used in this specification and the appended claims, the terms "include" and "comprise" indicate the presence of the described features, wholes, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, wholes, steps, operations, elements, components and/or sets of them.
The embodiments of the present invention disclose a service authentication method, system and related device for completing service authentication quickly and securely. Each is described in detail below.
Referring to Fig. 1, Fig. 1 is an architecture diagram of an open wireless access system provided by an embodiment of the present invention. The open wireless access system described in this embodiment includes a service server, a biological information management server, a radio network controller and an infrastructure services layer, in which:
The biological information management server stores the biological information of users and provides a biological information query service to legitimate entities such as the service server and the radio network controller.
The service server, in response to a service request from the mobile terminal, completes the corresponding business authentication process by interacting with the biological information management server.
The radio network controller separates out the control capability of the wireless network and exposes it externally in the form of services, including: a storage service, a real-time computing service, a base station image service (loading and unloading of base station image files), a virtual machine service (starting, stopping, pausing and snapshotting virtual machines, etc.), a base station management service, a data exchange service between base stations, and so on.
The infrastructure services layer consists of wireless base station equipment built on a general-purpose hardware platform. The wireless base station system is implemented purely in software: virtualization technology is used to virtualize the general-purpose hardware platform, the wireless base station software is stored as a virtual machine file in the radio network controller or in the base station equipment, and the wireless base station software is started by having a virtual machine load the virtual machine file.
In some possible embodiments, for closed application scenarios such as inside a company or an organization, the service server may also store the users' biological information; that is, the service server may also integrate the functions of the biological information management server.
Referring to Fig. 2, Fig. 2 is a flow diagram of a service authentication method provided by an embodiment of the present invention, based on the architecture of the open wireless access system shown in Fig. 1. The service authentication method described in this embodiment includes:
201, the mobile terminal determines the business to be certified triggered by the user.
The mobile terminal may offer the user multiple businesses, including businesses that require authentication and businesses that do not. The identifiers of the businesses that require authentication may be stored in an authentication business identification list. Businesses that require authentication may include, but are not limited to, account registration, payment, wireless network access, etc.
Specifically, the user may, according to current needs, trigger the start of a target business from the usable businesses offered by the mobile terminal. The mobile terminal checks whether the identifier of the target business is in the authentication business identification list; if it is, the mobile terminal determines that the target business requires authentication and treats the target business as the business to be certified.
202, the mobile terminal obtains the first biological information that the user inputs for the business to be certified, and generates first key information using the key generation algorithm corresponding to the business to be certified and the first biological information.
The biological information may include, but is not limited to, fingerprint, palm print, face, iris, retina, voice, vein, gait, genes, etc.
Specifically, in step 202 the mobile terminal may obtain the first biological information that the user inputs for the business to be certified as follows:
The mobile terminal obtains the business security level corresponding to the business to be certified, outputs an input prompt for the biological information corresponding to that business security level, and obtains the first biological information that the user inputs in response to the prompt.
For different types of business to be certified, the user may be required to input correspondingly different biological information. For example, businesses may be assigned business security levels, where a higher business security level requires biological information that is finer and harder to recognize: if the business security level of the business to be certified is low (for example, the registration service of a social account), biological information such as a fingerprint or voice is input; if the business security level is high (for example, the registration service of a payment account or bank account), finer biological information such as iris or gait is required. Alternatively, a higher business security level may require more types of biological information: for example, a business with a higher security level requires two or more kinds of biological information (such as fingerprint + iris), whereas a business with a lower security level requires one kind (such as fingerprint).
Specifically, the mobile terminal may store locally a mapping table of "business - business security level - biological information to be input". It obtains from the mapping table the business security level of the business to be certified that the user has triggered, looks up the biological information corresponding to that level, outputs the corresponding input prompt, and obtains the first biological information that the user inputs in response. Alternatively, after determining the business to be certified, the mobile terminal may query the service server corresponding to that business for the business security level and the biological information the user needs to input, then output the input prompt and obtain the first biological information that the user inputs in response.
It should be noted that the mobile terminal does not store the user's biological information locally, which effectively prevents the user's biological information from being stolen.
The mobile terminal may store locally multiple key generation algorithms for different business processes, for example: the key generation algorithms needed for mobile communication network access and communication encryption; the key generation algorithms needed for logging in to a payment APP or paying with a payment APP; and the key generation algorithm needed for initializing the user's interface on the mobile terminal. If a new business process is added, the mobile terminal can store the corresponding new key generation algorithm.
Specifically, the mobile terminal generates the corresponding key information (i.e. the first key information) using the locally stored key generation algorithm required by the business to be certified and the first biological information.
203, the mobile terminal sends a certification request for the business to be certified to the service server, the certification request carrying the identification information of the user.
Before using the mobile terminal and the businesses on it, the user must first go to a designated institution or outlet to register. During registration, depending on the business, the designated institution or outlet submits the user's identification information and biological information to the biological information management server. The biological information management server stores a mapping table of "business - user identification information - biological information" for the different businesses, together with the biological information of registered users. The identification information of the user may be one or more of a user name, name, e-mail address, mobile phone number, employee number, ID card number, etc.
204, the service server receives the certification request sent by the mobile terminal and generates a response to the certification request.
205, the service server sends the response to the certification request to the mobile terminal.
206, the mobile terminal receives the response to the certification request sent by the service server, and obtains a first verification result according to the first key information and the response to the certification request.
Specifically, the mobile terminal sends the certification request for the business to be certified to the service server corresponding to that business. After the service server receives the certification request, the response it generates may be a random number RAND. After the mobile terminal receives the response, it uses the corresponding algorithm to compute a verification result SRES (i.e. the first verification result) from the previously generated first key information and the response.
207, the mobile terminal sends the first verification result to the service server.
208, the service server receives the first verification result sent by the mobile terminal.
209, the service server obtains, from the biological information management server, the second biological information corresponding to the identification information of the user.
In a specific implementation, the service server sends a biological information acquisition request to the biological information management server. The request carries the identification information of the user and the identification information of the service server (or information on the business currently being carried out). The biological information management server looks up, in the "business - user identification information - biological information" mapping table, the second biological information corresponding to the user's identification information under the current business, and returns the second biological information to the service server.
In some possible embodiments, to protect the biological information stored by the biological information management server, when the service server requests biological information, the biological information management server may not return the biological information itself but only its main features (for example, a characteristic value of the biological information). This prevents the service server from maliciously stealing the user's biological information and so ensures that business authentication is safe and reliable.
210, the service server obtains a second verification result according to the second biological information and the response to the certification request, authenticates the business to be certified according to the first verification result and the second verification result, and determines that authentication of the business to be certified passes when the first verification result matches the second verification result.
Specifically, after the service server obtains the second biological information from the biological information management server, it can use the same key generation algorithm as the mobile terminal side (i.e. the key generation algorithm corresponding to the business to be certified) to generate key information from the second biological information, and then use the corresponding algorithm to obtain the second verification result from that key information and the response to the certification request. If the first verification result obtained on the mobile terminal side matches the second verification result obtained on the service server side, the service server can determine that the user is a legitimate user, authentication of the business to be certified passes, and the mobile terminal is allowed to carry out the business process of the business to be certified; otherwise, the service server determines that the user is an illegitimate user and authentication of the business to be certified does not pass.
In some possible embodiments, the biological information management server may instead directly store a mapping table of "business - user identification information - key information" together with the key information of registered users for the different businesses. Here the key information is generated by the biological information management server, using the key generation algorithm required by the business, from the biological information corresponding to the business and the user's identification information. The service server can then obtain the key information required by the business directly from the biological information management server, which removes the step of generating key information on the service server side; the verification result is obtained from the key information retrieved from the biological information management server and the response to the certification request, which speeds up authentication.
211, the service server sends the authentication result for the business to be certified to the mobile terminal.
The service server sends the authentication result to the mobile terminal to notify it whether authentication of the business to be certified has passed.
In some possible embodiments, the following steps may also be performed before step 201:
S30, when the mobile terminal detects an initialization operation input by the user, it sends a user permission level acquisition request to the service server, the request carrying the identification information of the user.
The service server here may be a server dedicated to initializing the interface on the mobile terminal. After the mobile terminal is powered on, when it prompts the user to input biological information of a specified type before entering the user's interface, it may also prompt the user to input identification information, which may be one or more of a user name, name, e-mail address, mobile phone number, employee number, ID card number, etc.
Specifically, the user may input the initialization operation by gesture, voice control, pressing a specified button, or similar. The mobile terminal obtains the fourth biological information input by the user and generates second key information using a preset key generation algorithm and the fourth biological information.
After power-on, the mobile terminal may present different initialization interfaces to different users. The initialization interface shows the businesses the user can use, which may be distinguished by user permission level: the higher the user permission level, the more types of business can be used, or the more complete the content available within the same business. For example, for the same APP, a user with a lower permission level can use only its limited functions, while a user with a higher permission level can use all of its functions.
Specifically, after power-on the mobile terminal may prompt the user to input biological information of a specified type, such as a fingerprint, or either a fingerprint or a face, before entering the user's interface. It obtains the fourth biological information input by the user and then generates the corresponding key information (i.e. the second key information) using the preset key generation algorithm stored on the mobile terminal and the fourth biological information.
The preset key generation algorithm may be the key generation algorithm dedicated to the initialization of the user's interface.
S31, the service server receives the user permission level acquisition request and generates a response to the user permission level acquisition request.
S32, the service server sends the response to the user permission level acquisition request to the mobile terminal.
S33, the mobile terminal receives the response to the user permission level acquisition request sent by the service server, and obtains a third verification result according to the second key information and the response to the user permission level acquisition request.
Specifically, the mobile terminal sends the user permission level acquisition request to the service server to obtain the permission level of the current user. After the service server receives the request, the response it generates may be a random number RAND. The mobile terminal uses the corresponding algorithm to obtain a verification result SRES (i.e. the third verification result) from the second key information and the response to the user permission level acquisition request.
S34, the mobile terminal sends the third verification result to the service server.
S35, the service server receives the third verification result sent by the mobile terminal.
S36, the service server obtains, from the biological information management server, the third biological information corresponding to the identification information of the user, and obtains a fourth verification result according to the third biological information and the response to the user permission level acquisition request.
In a specific implementation, the service server sends the user's identification information and information on the business currently being carried out (i.e. initialization of the user's interface) to the biological information management server, which looks up the third biological information corresponding to the user's identification information under the current business. After the service server obtains the third biological information from the biological information management server, it can use the same key generation algorithm as the mobile terminal side (i.e. the preset key generation algorithm above) to generate key information from the third biological information, and then use the corresponding algorithm to obtain the fourth verification result from that key information and the response to the user permission level acquisition request.
S37, when the third verification result matches the fourth verification result, the service server obtains the user permission level corresponding to the identification information of the user and sends the user permission level to the mobile terminal.
S38, the mobile terminal outputs the user's initialization interface according to the user permission level; the initialization interface shows the businesses the user can use.
Specifically, if the third verification result obtained on the mobile terminal side matches the fourth verification result obtained on the service server side, the service server can determine that the user is a legitimate user, obtain the corresponding user permission level according to the identification information of the user, and send the user permission level to the mobile terminal.
The mobile terminal side may store a mapping table of "user permission level - usable businesses". After obtaining the user permission level from the service server, the mobile terminal can determine the businesses the user can use from this mapping table and display them on the user's initialization interface. The user can select the above business to be certified from among these usable businesses. In this way the same mobile terminal can be used independently by different users without their affecting one another.
For example, the mapping table of "user permission level - usable businesses" may be as shown in Table 1 below:
User permission level    Usable businesses
1                        APP1
2                        APP1, APP2
3                        APP1, APP2, APP3
Table 1
Table 1 contains 3 user permission levels; the larger the number, the higher the permission level. Suppose 3 APPs (APP1, APP2 and APP3) are installed on the mobile terminal. A user with permission level 1 can use only 1 of them (APP1), a user with permission level 2 can use 2 of them (APP1 and APP2), and a user with permission level 3 can use all 3. The mobile terminal may choose to show on the initialization interface only the APPs (i.e. businesses) the current user can use: if the current user's permission level is 2, the initialization interface shows the application icons of APP1 and APP2. Alternatively, the mobile terminal may show all APPs on the initialization interface; if the current user has no right to use a given APP, the terminal may indicate that the user has no operating permission when the user tries to use it, or may gray out the application icons of the APPs the current user cannot use to distinguish them from those the user can use.
In some possible embodiments, the "user permission level - usable businesses" mapping table may instead be stored on the service server side. That is, after the service server obtains the user permission level corresponding to the user's identification information, it looks up the businesses the user can use in the mapping table and then sends the list of usable businesses (including the usable business identifiers) to the mobile terminal.
In some possible embodiments, the following steps are also performed after step 211:
S40, when the authentication result is that authentication passes, the mobile terminal generates encryption key information using the encryption key generation algorithm corresponding to the business to be certified and the first key information.
S41, the mobile terminal encrypts the data of the business to be certified using the encryption key information, and sends the encrypted data of the business to be certified to the service server.
S42, the service server receives the data of the business to be certified that the mobile terminal encrypted using the encryption key information, and decrypts the encrypted data using the second biological information.
Specifically, when the authentication result returned by the service server is that authentication passes, the mobile terminal can carry out the business process of the business to be certified with the service server and can encrypt the data (such as communication service data) exchanged in that process. For example, the mobile terminal can generate an encryption key using the encryption key generation algorithm corresponding to the business to be certified and the first key information, and then use the encryption key to encrypt the data in the business process. The service server can use the decryption key generation algorithm corresponding to the business to be certified to generate a decryption key from the second biological information (or the corresponding key information) obtained from the biological information management server, and use the decryption key to decrypt the data of the business to be certified encrypted by the mobile terminal.
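The exchange in steps 201 to 211, together with the key derivation of S40 to S42, as an added Python example that is not part of the patent. PBKDF2 and HMAC-SHA256 are stand-ins for the key generation and verification algorithms the text leaves unspecified, all class and function names are hypothetical, and the captured sample is assumed to reduce to the same stable feature value as the enrolled one.

```python
import hashlib
import hmac
import secrets

# Stand-ins chosen for this example; the page names no concrete algorithms here.
def derive_key(business: str, feature: bytes) -> bytes:
    """Per-business key generation algorithm: biological feature -> key information."""
    salt = b"keygen:" + business.encode()
    return hashlib.pbkdf2_hmac("sha256", feature, salt, 50_000)


def compute_sres(key: bytes, rand: bytes) -> bytes:
    """Verification result SRES over the server's random number RAND."""
    return hmac.new(key, b"sres:" + rand, hashlib.sha256).digest()


def derive_session_key(key: bytes, rand: bytes) -> bytes:
    """Encryption key for S40-S42; binding it to RAND is an assumption of this example."""
    return hmac.new(key, b"enc:" + rand, hashlib.sha256).digest()


class BiometricServer:
    """Holds the "business - user identification information - biological information" table."""

    def __init__(self):
        self._table = {}

    def register(self, business, user_id, feature):
        self._table[(business, user_id)] = feature

    def lookup(self, business, user_id):
        return self._table.get((business, user_id))


class ServiceServer:
    def __init__(self, business, bio_server):
        self.business = business
        self.bio = bio_server
        self._pending = {}   # user_id -> RAND issued and not yet answered
        self.sessions = {}   # user_id -> session key after a successful run

    def challenge(self, user_id):
        """Steps 204-205: answer the certification request with a fresh RAND."""
        rand = secrets.token_bytes(16)
        self._pending[user_id] = rand
        return rand

    def verify(self, user_id, sres1):
        """Steps 208-210: recompute SRES from the enrolled feature and compare."""
        # Single-use RAND is a choice of this example, not stated on the page.
        rand = self._pending.pop(user_id, None)
        feature = self.bio.lookup(self.business, user_id)   # step 209
        if rand is None or feature is None:
            return False
        key2 = derive_key(self.business, feature)
        if not hmac.compare_digest(sres1, compute_sres(key2, rand)):
            return False
        self.sessions[user_id] = derive_session_key(key2, rand)
        return True


class MobileTerminal:
    def __init__(self, auth_list):
        self.auth_list = set(auth_list)   # authentication business identification list

    def authenticate(self, server, business, user_id, feature):
        """Steps 201-211; returns (passed, session_key). The feature is never stored."""
        if business not in self.auth_list:       # step 201: no authentication needed
            return True, None
        key1 = derive_key(business, feature)     # step 202
        rand = server.challenge(user_id)         # steps 203-206
        passed = server.verify(user_id, compute_sres(key1, rand))   # steps 207-211
        return passed, (derive_session_key(key1, rand) if passed else None)


def demo():
    # Constructed feature values standing in for stable biometric templates.
    enrolled = hashlib.sha256(b"constructed iris template: alice").digest()
    other = hashlib.sha256(b"constructed iris template: mallory").digest()

    bio = BiometricServer()
    bio.register("payment", "alice", enrolled)
    server = ServiceServer("payment", bio)
    phone = MobileTerminal(["payment"])

    ok, kc = phone.authenticate(server, "payment", "alice", enrolled)
    keys_agree = ok and hmac.compare_digest(kc, server.sessions["alice"])
    wrong_user_ok, _ = phone.authenticate(server, "payment", "alice", other)

    # Replay: the same (RAND, SRES) pair is accepted once and then rejected.
    rand = server.challenge("alice")
    sres = compute_sres(derive_key("payment", enrolled), rand)
    first, replayed = server.verify("alice", sres), server.verify("alice", sres)

    return {"ok": ok, "keys_agree": keys_agree, "wrong_user_ok": wrong_user_ok,
            "first": first, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```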
As another example, take the mobile terminal performing network access authentication for a mobile communication network, where the service server may be an operator server. The user turns on the mobile communication network connection switch of the mobile terminal, and the mobile terminal prompts the user to input the corresponding biological information (such as a face). After obtaining the face input by the user, the mobile terminal converts the face information into key information, for example an international mobile subscriber identity (International Mobile Subscriber Identification Number, IMSI), an authentication key (Key identifier, Ki) and so on, using the key generation algorithm corresponding to network access authentication. The mobile terminal starts the network access authentication procedure with the operator server by sending it a certification request. The operator server returns to the mobile terminal a random number RAND generated in real time, and the mobile terminal computes a verification result SRES (denoted the first SRES) from the random number returned by the operator server and the previously obtained key information such as IMSI and Ki, using the algorithm for network access authentication (such as the A3 algorithm).
When applying for a mobile phone number, the user can register at a designated institution or outlet of the operator, which uploads the user's face information to the biological information management server. The biological information management server can establish a mapping table of "mobile communication network access - user identification information - face" and store the face information. The user's identification information here is preferably a mobile phone number or ID card number. Suppose it is the mobile phone number: the biological information management server then establishes a mapping table of "mobile communication network access - mobile phone number - face", the user may input the mobile phone number before or after inputting the face, and the certification request carries the mobile phone number input by the user. The operator server uses the mobile phone number to obtain the corresponding face information from the biological information management server and computes a verification result (denoted the second SRES) from the face information and the above random number RAND using the A3 algorithm or similar. The operator server compares the first SRES with the second SRES: if they are consistent, it determines that the user is a legitimate user and allows access to the mobile communication network; if they are inconsistent, it determines that the user is an illegitimate user and refuses access to the mobile communication network.
Further, if the operator server determines that the user is a legitimate user and allows access to the mobile communication network, the mobile terminal can compute an encryption key Kc from key information such as Ki using a communication encryption algorithm (such as the A8 algorithm) and use Kc to encrypt the communication data sent to the operator server. The operator server generates a decryption key from the face information obtained from the biological information management server and the related algorithm and decrypts the encrypted communication data, so that the encryption and decryption of communication data are completed safely and reliably. It can be seen that network access authentication based on biological information can replace the existing subscriber identification module (Subscriber Identification Module, SIM) card: even without a SIM card installed, the mobile terminal can access the mobile communication network to browse the Internet, make calls and send text messages once biological information authentication passes.
As another example, take the user opening a bank APP on the mobile terminal, where the service server may be a bank server. When the mobile terminal detects the user's start operation on the bank APP, it prompts the user to input the corresponding biological information (such as an iris). After obtaining the iris input by the user, it converts the iris information into key information, including encryption and decryption private key information and so on, using the key generation algorithm corresponding to banking, and sends a certification request to the bank server to start the authentication procedure.
When opening an account, the user must register at a designated institution or outlet of the bank, which uploads the user's iris information to the biological information management server. The biological information management server can establish a mapping table of "banking - user identification information - iris" and store the iris information. The user's identification information here is preferably a mobile phone number or ID card number. Suppose it is the ID card number: the biological information management server then establishes a mapping table of "banking - ID card number - iris", the user may input the ID card number before or after inputting the iris, and the certification request carries the ID card number input by the user. The bank server uses the ID card number to obtain the corresponding iris information from the biological information management server, and can then return a response to the certification request to the mobile terminal. The response includes a random number RAND generated in real time and the hash HASH of the random number, both encrypted with a public key. The mobile terminal computes the hash HASH of the random number and uses the private key to recover the hash HASH of the random number included in the response. If the hash HASH computed by the mobile terminal is identical to the hash HASH recovered with the private key, the mobile terminal can confirm that the identity of the bank server is legitimate.
Further, using the algorithm agreed between the mobile terminal and the bank server, the mobile terminal computes a verification result SRES (denoted the first SRES) and the corresponding hash HASH from the random number included in the response to the certification request and the key information converted from the iris information, and sends them to the bank server after encrypting them with the private key. The bank server, using the same agreed algorithm, computes a verification result (denoted the second SRES) and the corresponding hash HASH from the iris information obtained from the biological information management server and the random number included in the response to the certification request. After decrypting with the public key, if the bank server verifies that the hash HASH sent by the mobile terminal is identical to the hash HASH it computed, it compares the first SRES with the second SRES. If they are consistent, it determines that the user is a legitimate user and allows the bank APP to start and the user to operate the bank APP; if they are inconsistent, it determines that the user is an illegitimate user and refuses to start the bank APP and/or refuses the user's operation of the bank APP.
In the embodiment of the present invention, the mobile terminal determines the service to be authenticated that the user has triggered, generates first key information using the key generation algorithm corresponding to the service to be authenticated and the first biological information input by the user, and sends an authentication request for the service to be authenticated to the service server, the authentication request carrying the identification information of the user. The service server generates a response to the authentication request and sends it to the mobile terminal. The mobile terminal obtains a first verification result according to the first key information and the response to the authentication request, and sends the first verification result to the service server. The service server obtains, from the biological information management server, the second biological information corresponding to the identification information of the user, and obtains a second verification result according to the second biological information and the response to the authentication request. If the first verification result matches the second verification result, the service server determines that the user is legitimate, and the authentication result for the service to be authenticated is that authentication passes; if the first verification result does not match the second verification result, the service server determines that the user is illegitimate, and the authentication result for the service to be authenticated is that authentication does not pass. It can be seen that biological information is handed over to the biological information management server for unified storage and management, and the mobile terminal side does not store biological information. During service authentication, the mobile terminal side generates a verification result from the biological information newly entered by the user, while the service server side also generates a verification result from the biological information obtained from the biological information management server; the service server can determine whether service authentication passes simply by judging whether the two verification results match, so that secure and versatile service authentication can be achieved.
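The challenge-response check from the bank APP example above, sketched as an added example that is not part of the patent text. HMAC-SHA256 stands in for the unspecified agreed algorithm and key generation algorithm, the biometric input is assumed to be already reduced to a stable byte string, the private-key step is omitted, and all class, function and identifier names are hypothetical.

```python
import hashlib
import hmac
import secrets


def derive_key(template: bytes, service_id: str) -> bytes:
    # Stand-in for the per-service "key generation algorithm" (assumption: HMAC-SHA256).
    return hmac.new(template, b"key|" + service_id.encode(), hashlib.sha256).digest()


def compute_sres(key: bytes, nonce: bytes) -> bytes:
    # Verification result (SRES) bound to the random number from the server's response.
    return hmac.new(key, b"sres|" + nonce, hashlib.sha256).digest()


def sres_digest(nonce: bytes, sres: bytes) -> bytes:
    # The "corresponding HASH" sent alongside the SRES.
    return hashlib.sha256(nonce + sres).digest()


class BioInfoServer:
    """Biological information management server: the only place templates are stored."""

    def __init__(self):
        self._store = {}

    def enroll(self, user_id: str, server_id: str, template: bytes) -> None:
        self._store[(user_id, server_id)] = template

    def query(self, user_id: str, server_id: str):
        # Lookup is keyed by both the user and the requesting service server.
        return self._store.get((user_id, server_id))


class ServiceServer:
    def __init__(self, server_id: str, bio_server: BioInfoServer):
        self.server_id = server_id
        self.bio = bio_server
        self._pending = {}  # user_id -> (service_id, nonce)

    def challenge(self, user_id: str, service_id: str) -> bytes:
        # Response to the authentication request: a fresh random number.
        nonce = secrets.token_bytes(16)
        self._pending[user_id] = (service_id, nonce)
        return nonce

    def verify(self, user_id: str, first_sres: bytes, first_digest: bytes) -> bool:
        # Pop the challenge so a captured first SRES cannot be replayed.
        pending = self._pending.pop(user_id, None)
        if pending is None:
            return False
        service_id, nonce = pending
        template = self.bio.query(user_id, self.server_id)
        if template is None:
            return False
        second_sres = compute_sres(derive_key(template, service_id), nonce)
        second_digest = sres_digest(nonce, second_sres)
        # Constant-time comparisons: HASH first, then the two SRES values.
        if not hmac.compare_digest(first_digest, second_digest):
            return False
        return hmac.compare_digest(first_sres, second_sres)


def terminal_respond(fresh_template: bytes, service_id: str, nonce: bytes):
    # Mobile terminal side: nothing is stored, the key is rebuilt from the fresh input.
    key = derive_key(fresh_template, service_id)
    sres = compute_sres(key, nonce)
    return sres, sres_digest(nonce, sres)


def demo() -> dict:
    bio = BioInfoServer()
    bank = ServiceServer("bank-server-1", bio)
    enrolled = b"constructed-iris-template-0001"  # constructed sample value
    bio.enroll("alice", "bank-server-1", enrolled)
    results = {}

    nonce = bank.challenge("alice", "bank-login")
    sres, digest = terminal_respond(enrolled, "bank-login", nonce)
    results["legit"] = bank.verify("alice", sres, digest)
    results["replay"] = bank.verify("alice", sres, digest)  # challenge already consumed

    nonce = bank.challenge("alice", "bank-login")
    results["wrong_template"] = bank.verify(
        "alice", *terminal_respond(b"constructed-other-template", "bank-login", nonce))

    nonce = bank.challenge("alice", "bank-login")
    results["wrong_service"] = bank.verify(
        "alice", *terminal_respond(enrolled, "bank-pay", nonce))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the key is derived per service and the SRES is bound to a single-use random number, a response captured for one service or one session does not verify for another.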
Referring to Fig. 3, which is a schematic structural diagram of a mobile terminal provided by an embodiment of the present invention, based on the architecture of the open wireless access system shown in Fig. 1. The mobile terminal described in this embodiment includes:
Determining module 301, configured to determine the service to be authenticated that the user has triggered.
Obtaining module 302, configured to obtain the first biological information that the user inputs for the service to be authenticated.
Processing module 303, configured to generate first key information using the key generation algorithm corresponding to the service to be authenticated and the first biological information.
Sending module 304, configured to send an authentication request for the service to be authenticated to the service server, the authentication request carrying the identification information of the user.
Receiving module 305, configured to receive the response to the authentication request sent by the service server.
The processing module 303 is further configured to obtain a first verification result according to the first key information and the response to the authentication request.
The sending module 304 is further configured to send the first verification result to the service server, to instruct the service server to obtain, from the biological information management server, the second biological information corresponding to the identification information of the user, so that the service server authenticates the service to be authenticated according to the second biological information, the response to the authentication request, and the first verification result.
In some possible embodiments, the obtaining module 302 includes an acquiring unit 3020 and an output unit 3021, in which:
The acquiring unit 3020 is configured to obtain the service security level corresponding to the service to be authenticated.
The output unit 3021 is configured to output an input prompt for the biological information corresponding to the service security level.
The acquiring unit 3020 is further configured to obtain the first biological information that the user inputs in response to the input prompt.
In some possible embodiments, the mobile terminal further includes an output module 306, in which:
The obtaining module 302 is further configured to obtain the user permission level of the user from the service server.
The output module 306 is configured to output, according to the user permission level, the initialization interface corresponding to the user, the initialization interface displaying the services the user can use.
The determining module 301 is specifically configured to determine the service to be authenticated that the user triggers from among the services the user can use.
In some possible embodiments, the receiving module 305 is further configured to receive the authentication result for the service to be authenticated sent by the service server.
The processing module 303 is further configured to generate encryption key information using the encryption key generation algorithm corresponding to the service to be authenticated and the first key information when the authentication result is that authentication passes.
The processing module 303 is further configured to encrypt the data of the service to be authenticated using the encryption key information.
The sending module 304 is further configured to send the encrypted data of the service to be authenticated to the service server, to instruct the service server to decrypt the encrypted data of the service to be authenticated using the second biological information.
It can be understood that the functions of the functional modules of the mobile terminal of this embodiment can be implemented according to the method in the above method embodiment; for the specific implementation process, refer to the related description of the above method embodiment, which is not repeated here.
In the embodiment of the present invention, the mobile terminal determines the service to be authenticated that the user has triggered, generates first key information using the key generation algorithm corresponding to the service to be authenticated and the first biological information input by the user, sends an authentication request for the service to be authenticated to the service server, the authentication request carrying the identification information of the user, and receives the response to the authentication request sent by the service server. It obtains a first verification result according to the first key information and the response to the authentication request, and sends the first verification result to the service server, to instruct the service server to obtain, from the biological information management server, the second biological information corresponding to the identification information of the user, and to authenticate the service to be authenticated according to the second biological information, the response to the authentication request, and the first verification result. It can be seen that biological information is handed over to the biological information management server for unified storage and management, and the mobile terminal side does not store biological information. During service authentication, the mobile terminal side generates a verification result from the biological information newly entered by the user, while the service server side also generates a verification result from the biological information obtained from the biological information management server; the service server can determine whether service authentication passes simply by judging whether the two verification results match, so that secure and versatile service authentication can be achieved.
Referring to Fig. 4, which is a schematic structural diagram of a service server provided by an embodiment of the present invention, based on the architecture of the open wireless access system shown in Fig. 1. The service server described in this embodiment includes:
Receiving module 401, configured to receive the authentication request for the service to be authenticated sent by the mobile terminal, the authentication request carrying the identification information of the user.
Sending module 402, configured to send the response to the authentication request to the mobile terminal, to instruct the mobile terminal to obtain a first verification result according to first key information and the response to the authentication request, the first key information being generated by the mobile terminal using the key generation algorithm corresponding to the service to be authenticated and the first biological information input by the user.
The receiving module 401 is further configured to receive the first verification result sent by the mobile terminal.
Obtaining module 403, configured to obtain, from the biological information management server, the second biological information corresponding to the identification information of the user.
Processing module 404, configured to obtain a second verification result according to the second biological information and the response to the authentication request.
Authentication module 405, configured to authenticate the service to be authenticated according to the first verification result and the second verification result, and to determine that authentication of the service to be authenticated passes when the first verification result matches the second verification result.
In some possible embodiments, the obtaining module 403 includes:
Transmission unit 4030, configured to send a biological information acquisition request to the biological information management server, the biological information acquisition request carrying the identification information of the user and the identification information of the service server, to instruct the biological information management server to query the second biological information corresponding to the identification information of the user and the identification information of the service server.
Receiving unit 4031, configured to receive the second biological information sent by the biological information management server.
In some possible embodiments, the receiving module 401 is further configured to receive the user permission level acquisition request that the mobile terminal sends when it detects an initialization operation input by the user, the user permission level acquisition request carrying the identification information of the user.
The obtaining module 403 is further configured to obtain, from the biological information management server, the third biological information corresponding to the identification information of the user.
The processing module 404 is further configured to determine, according to the third biological information, the user permission level corresponding to the identification information of the user.
The sending module 402 is further configured to send the user permission level to the mobile terminal, to instruct the mobile terminal to output, according to the user permission level, the initialization interface corresponding to the user, the initialization interface displaying the services the user can use.
In a specific implementation, the receiving module 401 receives the user permission level acquisition request sent by the mobile terminal, the request carrying the identification information of the user. The sending module 402 sends a response to the user permission level acquisition request to the mobile terminal, so that the mobile terminal obtains a third verification result according to second key information and the response to the user permission level acquisition request, the second key information being generated by the mobile terminal using a preset key generation algorithm and the fourth biological information input by the user. The receiving module 401 receives the third verification result sent by the mobile terminal, and the obtaining module 403 obtains, from the biological information management server, the third biological information corresponding to the identification information of the user. The processing module 404 obtains a fourth verification result according to the third biological information and the response to the user permission level acquisition request. When the third verification result matches the fourth verification result, the obtaining module 403 obtains the user permission level corresponding to the identification information of the user, and the sending module 402 sends the user permission level to the mobile terminal, so that the mobile terminal outputs the initialization interface corresponding to the user according to the user permission level. The initialization interface displays the services the user can use, and the user triggers the service to be authenticated from among those services.
In some possible embodiments, the sending module 402 is further configured to send the authentication result of the service to be authenticated to the mobile terminal; when the authentication result is that authentication passes, it instructs the mobile terminal to generate encryption key information using the encryption key generation algorithm corresponding to the service to be authenticated and the first key information.
The receiving module 401 is further configured to receive the data of the service to be authenticated, encrypted with the encryption key information, sent by the mobile terminal.
The processing module 404 is further configured to decrypt the encrypted data of the service to be authenticated using the second biological information.
It can be understood that the functions of the functional modules and units of the service server of this embodiment can be implemented according to the method in the above method embodiment; for the specific implementation process, refer to the related description of the above method embodiment, which is not repeated here.
In the embodiment of the present invention, the service server determines the service to be authenticated that the user has triggered, receives the authentication request for the service to be authenticated sent by the mobile terminal, the authentication request carrying the identification information of the user, generates a response to the authentication request, and sends the response to the mobile terminal, to instruct the mobile terminal to obtain a first verification result according to first key information and the response to the authentication request. The service server receives the first verification result sent by the mobile terminal, obtains from the biological information management server the second biological information corresponding to the identification information of the user, then obtains a second verification result according to the second biological information and the response to the authentication request, and determines that authentication of the service to be authenticated passes when the first verification result matches the second verification result. It can be seen that biological information is handed over to the biological information management server for unified storage and management, and the mobile terminal side does not store biological information. During service authentication, the mobile terminal side generates a verification result from the biological information newly entered by the user, while the service server side also generates a verification result from the biological information obtained from the biological information management server; the service server can determine whether service authentication passes by judging whether the two verification results match, so that secure and versatile service authentication can be achieved.
Referring to Fig. 5, which is a schematic structural diagram of another mobile terminal provided by an embodiment of the present invention, based on the architecture of the open wireless access system shown in Fig. 1. The mobile terminal described in this embodiment includes: a transceiver 501, a processor 502, a memory 503, an output device 504, an input device 505, a sensor 506 and a biometric identification chip 507. The processor 502 is connected by a bus to the transceiver (Transceiver) 501, the output device 504, the input device 505, the sensor 506 and the biometric identification chip 507.
The transceiver 501 may specifically be a radio-frequency transceiver or a radio-frequency chip, used for transmitting and receiving signals 509 through antenna 508; specifically, the transceiver 501 may include an integrated transmitter (Transmitter, TX) and receiver (Receiver, RX). The processor 502 may specifically be a baseband processor, a baseband chip, a digital signal processor (Digital Signal Processor, DSP), or a system on chip (SOC) that includes a baseband processor and an application processor. The memory 503 is the storage device of the mobile terminal, used for storing programs and data. It can be understood that the memory 503 here may be a high-speed RAM memory, or may be a non-volatile memory, for example at least one magnetic disk memory; optionally, it may also be at least one storage device located remotely from the processor 502.
The output device 504 may include a display. The input device 505 may be a touch panel, a microphone and the like; the touch panel includes a touch screen and the like. The sensor 506 specifically includes sensors for collecting biological information such as fingerprint, palm print, face, iris, retina, voice, vein, gait and gene, for example a fingerprint sensor or an image sensor. The biometric identification chip 507 is used to store multiple key generation algorithms suited to different service processes, including for example the key generation algorithms needed for processes such as mobile communication network access and communication encryption, the key generation algorithms needed for processes such as logging in to a payment APP or making a payment with a payment APP, and the key generation algorithm needed for initializing the interface corresponding to the user on the mobile terminal. Of course, these key generation algorithms may also be stored in the memory 503.
The biometric identification chip 507 may also be integrated into the processor 502, in which case the functions of the biometric identification chip 507 are executed by the processor 502.
The memory 503 is used to store a set of program code, and the biometric identification chip 507 and the processor 502 call the program code stored in the memory 503 to perform the following operations:
Processor 502, configured to determine the service to be authenticated that the user has triggered.
Biometric identification chip 507, configured to obtain the first biological information that the user inputs for the service to be authenticated.
The biometric identification chip 507 is further configured to generate first key information using the key generation algorithm corresponding to the service to be authenticated and the first biological information.
Transceiver 501, configured to send an authentication request for the service to be authenticated to the service server, the authentication request carrying the identification information of the user.
The transceiver 501 is further configured to receive the response to the authentication request sent by the service server.
The biometric identification chip 507 is further configured to obtain a first verification result according to the first key information and the response to the authentication request.
The transceiver 501 is further configured to send the first verification result to the service server, to instruct the service server to obtain, from the biological information management server, the second biological information corresponding to the identification information of the user, so that the service server authenticates the service to be authenticated according to the second biological information, the response to the authentication request, and the first verification result.
In some possible embodiments, the biometric identification chip 507 obtains the first biological information that the user inputs for the service to be authenticated as follows:
Obtain the service security level corresponding to the service to be authenticated.
Output an input prompt for the biological information corresponding to the service security level.
Obtain the first biological information that the user inputs in response to the input prompt.
In some possible embodiments:
The processor 502 is further configured to obtain the user permission level of the user from the service server through the transceiver 501.
Output device 504, configured to output, according to the user permission level, the initialization interface corresponding to the user, the initialization interface displaying the services the user can use.
The processor 502 is specifically configured to determine the service to be authenticated that the user triggers from among the services the user can use.
In some possible embodiments, the transceiver 501 is further configured to receive the authentication result for the service to be authenticated sent by the service server.
The biometric identification chip 507 is further configured to generate encryption key information using the encryption key generation algorithm corresponding to the service to be authenticated and the first key information when the authentication result is that authentication passes.
The biometric identification chip 507 is further configured to encrypt the data of the service to be authenticated using the encryption key information.
The transceiver 501 is further configured to send the encrypted data of the service to be authenticated to the service server, to instruct the service server to decrypt the encrypted data of the service to be authenticated using the second biological information.
In a specific implementation, the transceiver 501, processor 502, memory 503, output device 504, sensor 506 and biometric identification chip 507 described in the embodiment of the present invention may perform the implementation of the mobile terminal described in the embodiment of the service authentication method provided by the embodiments of the present invention, and may also perform the implementation of the mobile terminal described in the first embodiment of the mobile terminal provided by the embodiments of the present invention; details are not repeated here.
In the embodiment of the present invention, the mobile terminal determines the service to be authenticated that the user has triggered, generates first key information using the key generation algorithm corresponding to the service to be authenticated and the first biological information input by the user, sends an authentication request for the service to be authenticated to the service server, the authentication request carrying the identification information of the user, and receives the response to the authentication request sent by the service server. It obtains a first verification result according to the first key information and the response to the authentication request, and sends the first verification result to the service server, to instruct the service server to obtain, from the biological information management server, the second biological information corresponding to the identification information of the user, and to authenticate the service to be authenticated according to the second biological information, the response to the authentication request, and the first verification result. It can be seen that biological information is handed over to the biological information management server for unified storage and management, and the mobile terminal side does not store biological information. During service authentication, the mobile terminal side generates a verification result from the biological information newly entered by the user, while the service server side generates a verification result from the biological information obtained from the biological information management server; the service server can determine whether service authentication passes simply by judging whether the two verification results match, so that secure and versatile service authentication can be achieved.
Referring to Fig. 6, which is a schematic structural diagram of another service server provided by an embodiment of the present invention, based on the architecture of the open wireless access system shown in Fig. 1. The service server described in this embodiment includes: a transceiver 601, a processor 602 and a memory 603. The processor 602 is connected by a bus to the transceiver 601 and the memory 603.
The transceiver 601 may specifically be a radio-frequency chip that includes a transmit path, used for sending signals 605 through antenna 604. The processor 602 may specifically be a baseband processor, a baseband chip, a DSP, or an SOC that includes a baseband processor and an application processor.
The memory 603 is used to store a set of program code, and the processor 602 is used to call the program code stored in the memory 603 to perform the following operations:
Transceiver 601, configured to receive the authentication request for the service to be authenticated sent by the mobile terminal, the authentication request carrying the identification information of the user.
The transceiver 601 is further configured to send the response to the authentication request to the mobile terminal, to instruct the mobile terminal to obtain a first verification result according to first key information and the response to the authentication request, the first key information being generated by the mobile terminal using the key generation algorithm corresponding to the service to be authenticated and the first biological information input by the user.
The transceiver 601 is further configured to receive the first verification result sent by the mobile terminal.
Processor 602, configured to obtain, from the biological information management server, the second biological information corresponding to the identification information of the user.
The processor 602 is further configured to obtain a second verification result according to the second biological information and the response to the authentication request.
The processor 602 is further configured to authenticate the service to be authenticated according to the first verification result and the second verification result, and to determine that authentication of the service to be authenticated passes when the first verification result matches the second verification result.
In some possible embodiments, the processor 602 is specifically configured to:
Send a biological information acquisition request to the biological information management server through the transceiver 601, the biological information acquisition request carrying the identification information of the user and the identification information of the service server, to instruct the biological information management server to query the second biological information corresponding to the identification information of the user and the identification information of the service server.
Receive, through the transceiver 601, the second biological information sent by the biological information management server.
In some possible embodiments, the transceiver 601 is further configured to receive the user permission level acquisition request that the mobile terminal sends when it detects an initialization operation input by the user, the user permission level acquisition request carrying the identification information of the user.
The processor 602 is further configured to obtain, through the transceiver 601, the third biological information corresponding to the identification information of the user from the biological information management server.
The processor 602 is further configured to determine, according to the third biological information, the user permission level corresponding to the identification information of the user.
The transceiver 601 is further configured to send the user permission level to the mobile terminal, to instruct the mobile terminal to output, according to the user permission level, the initialization interface corresponding to the user, the initialization interface displaying the services the user can use.
In a specific implementation, the transceiver 601 receives the user permission level acquisition request sent by the mobile terminal, the request carrying the identification information of the user. The transceiver 601 sends a response to the user permission level acquisition request to the mobile terminal, so that the mobile terminal obtains a third verification result according to second key information and the response to the user permission level acquisition request, the second key information being generated by the mobile terminal using a preset key generation algorithm and the fourth biological information input by the user. The transceiver 601 receives the third verification result sent by the mobile terminal. The processor 602 obtains, through the transceiver 601, the third biological information corresponding to the identification information of the user from the biological information management server, and obtains a fourth verification result according to the third biological information and the response to the user permission level acquisition request. When the third verification result matches the fourth verification result, the processor 602 obtains the user permission level corresponding to the identification information of the user and sends it to the mobile terminal through the transceiver 601, so that the mobile terminal outputs the initialization interface corresponding to the user according to the user permission level. The initialization interface displays the services the user can use, and the user triggers the service to be authenticated from among those services.
In some possible embodiments, the transceiver 601 is further configured to send the authentication result of the service to be authenticated to the mobile terminal; when the authentication result is that authentication passes, it instructs the mobile terminal to generate encryption key information using the encryption key generation algorithm corresponding to the service to be authenticated and the first key information.
The transceiver 601 is further configured to receive the data of the service to be authenticated, encrypted with the encryption key information, sent by the mobile terminal.
The processor 602 is further configured to decrypt the encrypted data of the service to be authenticated using the second biological information.
In a specific implementation, the transceiver 601, processor 602 and memory 603 described in the embodiment of the present invention may perform the implementation described in the embodiment of the service authentication method provided by the embodiments of the present invention, and may also perform the implementation of the service server described in the first embodiment of the service server provided by the embodiments of the present invention; details are not repeated here.
In the embodiment of the present invention, the service server receives the authentication request for the service to be authenticated sent by the mobile terminal, the authentication request carrying the identification information of the user, generates a response to the authentication request, and sends the response to the mobile terminal, to instruct the mobile terminal to obtain a first verification result according to first key information and the response to the authentication request. The service server receives the first verification result sent by the mobile terminal, obtains from the biological information management server the second biological information corresponding to the identification information of the user, then obtains a second verification result according to the second biological information and the response to the authentication request, and determines that authentication of the service to be authenticated passes when the first verification result matches the second verification result. It can be seen that biological information is handed over to the biological information management server for unified storage and management, and the mobile terminal side does not store biological information. During service authentication, the mobile terminal side generates a verification result from the biological information newly entered by the user, while the service server side also generates a verification result from the biological information obtained from the biological information management server; the service server can determine whether service authentication passes simply by judging whether the two verification results match, so that secure and versatile service authentication can be achieved.
Referring to Fig. 7, a kind of structural schematic diagram of the service authentication system provided for the embodiment of the present invention based on the framework of open wireless access system shown in FIG. 1.Service authentication system as described in this embodiment, comprising: biological information management server 701, mobile terminal 702 and service server 703, in which:
Biological information management server 701 provides the query service of the biological information for storing biological information, and to service server 703.
Mobile terminal 702, for determining the business to be certified of user's triggering.
Mobile terminal 702 for obtaining the user for the first biological information of the business input to be certified, and generates first key information using the corresponding key schedule of business to be certified and first biological information.
The mobile terminal 702 is also used to send the certification request for being directed to the business to be certified to service server, and the certification request carries the identification information of the user.
Service server 703, the certification request sent for receiving the mobile terminal, and generate the response of the certification request.
The service server 703 is also used to send the response of the certification request to the mobile terminal.
The mobile terminal 702, is also used to receive the response for the certification request that the service server is sent, and obtains the first verification result according to the response of the first key information and the certification request.
The mobile terminal 702 is also used to send first verification result to the service server.
The service server 703 is also used to receive first verification result that the mobile terminal is sent.
The service server 703 is also used to obtain the second biological information corresponding to the identification information of the user from the biological information management server 701, obtain the second verification result according to the second biological information and the response of the certification request, authenticate the business to be certified according to the first verification result and the second verification result, and determine that authentication of the business to be certified passes when the first verification result matches the second verification result.
The service server 703 is also used to send the authentication result of the business to be certified to the mobile terminal.
In some possible embodiments, the mobile terminal 702 is also used to obtain the business safety grade corresponding to the business to be certified, output an input prompt for the biological information corresponding to the business safety grade, and obtain the first biological information input by the user in response to the input prompt.
In some possible embodiments, the mobile terminal 702 is also used to obtain, when detecting an initialization operation input by the user, the 4th biological information input by the user, and to generate the second key information using a preset key schedule and the 4th biological information.
The mobile terminal 702 is also used to send user right rank acquisition request to the service server, and the user right rank acquisition request carries the identification information of the user.
The service server 703 is also used to receive the user right rank acquisition request that the mobile terminal is sent, and generates the response of the user right rank acquisition request.
The service server 703 is also used to send the response of the user right rank acquisition request to the mobile terminal.
The mobile terminal 702, is also used to receive the response for the user right rank acquisition request that the service server is sent, and obtains third verification result according to the response of second key information and the user right rank acquisition request.
The mobile terminal 702 is also used to send the third verification result to the service server.
The service server 703 is also used to receive the third verification result that the mobile terminal is sent.
The service server 703 is also used to obtain the third biological information corresponding to the identification information of the user from the biological information management server 701, and to obtain the 4th verification result according to the third biological information and the response of the user right rank acquisition request.
The service server 703 is also used to obtain the user right rank corresponding to the identification information of the user when the third verification result matches the 4th verification result, and to send the user right rank to the mobile terminal.
The mobile terminal 702 is also used to output, according to the user right rank, the initialization interface corresponding to the user, where the initialization interface displays the businesses usable by the user.
In some possible embodiments, the mobile terminal 702 is also used to generate encryption key message using the encryption key generating algorithm corresponding to the business to be certified and the first key information when the authentication result is that certification passes.
The mobile terminal 702 is also used to encrypt the data of the business to be certified using the encryption key message, and to send the encrypted data of the business to be certified to the service server.
The service server 703 is also used to receive the data of the business to be certified, encrypted using the encryption key message, that the mobile terminal sends, generate decryption key information according to the second biological information, and decrypt the encrypted data of the business to be certified using the decryption key information.
In this embodiment of the present invention, the mobile terminal determines the business to be certified triggered by the user, generates first key information using the key schedule corresponding to the business to be certified and the first biological information input by the user, and sends the certification request for the business to be certified to the service server, where the certification request carries the identification information of the user. The service server generates the response of the certification request and sends it to the mobile terminal. The mobile terminal obtains the first verification result according to the first key information and the response of the certification request, and sends the first verification result to the service server. The service server obtains the second biological information corresponding to the identification information of the user from the biological information management server, and obtains the second verification result according to the second biological information and the response of the certification request. If the first verification result matches the second verification result, the service server determines that the user is legal, and the authentication result for the business to be certified is that certification passes; if the first verification result and the second verification result do not match, the service server determines that the user is illegal, and the authentication result for the business to be certified is that certification does not pass. It can be seen that biological information is handed over to the biological information management server for unified storage and management, and the mobile terminal side does not store biological information. During business authentication, the mobile terminal side generates one verification result from the biological information newly entered by the user, the service server side generates another verification result from the biological information obtained from the biological information management server, and the service server determines whether business authentication passes by judging whether the two verification results match, so that secure and highly versatile business authentication can be achieved.
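The authentication exchange between the three parties described above can be modelled as follows. This is an added example, not code from the patent: HMAC-SHA256 as both the per-business key schedule and the verification function, a random single-use value as the response of the certification request, and all identifiers and template bytes are assumptions. It also assumes each capture yields a byte-exact template, which real biometric readings do not guarantee.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment record, keyed by (user id, service server id) as in the
# biological information acquisition request. The template bytes are made up.
ENROLLED = {("user-001", "svc-server-A"): b"constructed-template-user-001"}


def derive_key_information(business: str, biological_info: bytes) -> bytes:
    """Assumed stand-in for the per-business key schedule (HMAC-SHA256)."""
    return hmac.new(business.encode(), biological_info, hashlib.sha256).digest()


def verification_result(key_information: bytes, response: bytes) -> bytes:
    """Assumed verification function: HMAC-SHA256 over the server's response."""
    return hmac.new(key_information, response, hashlib.sha256).digest()


class BiologicalInformationManagementServer:
    """Sole store of biological information; answers queries from service servers."""

    def __init__(self, records):
        self._records = dict(records)

    def query(self, user_id, server_id):
        return self._records.get((user_id, server_id))


class ServiceServer:
    def __init__(self, server_id, bio_server):
        self.server_id = server_id
        self.bio_server = bio_server
        self._pending = {}  # (user id, business) -> outstanding response value

    def on_certification_request(self, user_id, business):
        # Fresh random response per request, so an old verification result
        # cannot be reused against a later request.
        response = secrets.token_bytes(32)
        self._pending[(user_id, business)] = response
        return response

    def on_first_verification_result(self, user_id, business, first_result):
        # pop() makes the response single-use: a second submission finds nothing.
        response = self._pending.pop((user_id, business), None)
        if response is None:
            return False
        second_info = self.bio_server.query(user_id, self.server_id)
        if second_info is None:
            return False
        key = derive_key_information(business, second_info)
        second_result = verification_result(key, response)
        # Constant-time comparison of the two verification results.
        return hmac.compare_digest(first_result, second_result)


def terminal_authenticate(server, user_id, business, captured_info):
    """Mobile terminal side: derive the key from the fresh capture, store nothing."""
    key = derive_key_information(business, captured_info)
    response = server.on_certification_request(user_id, business)
    first_result = verification_result(key, response)
    return server.on_first_verification_result(user_id, business, first_result)


def run_demo():
    bio_server = BiologicalInformationManagementServer(ENROLLED)
    server = ServiceServer("svc-server-A", bio_server)
    template = b"constructed-template-user-001"
    genuine = terminal_authenticate(server, "user-001", "payment", template)
    impostor = terminal_authenticate(server, "user-001", "payment", b"someone-else")
    # Submit the same verification result twice against one outstanding response.
    response = server.on_certification_request("user-001", "payment")
    result = verification_result(derive_key_information("payment", template), response)
    first_use = server.on_first_verification_result("user-001", "payment", result)
    replayed = server.on_first_verification_result("user-001", "payment", result)
    return genuine, impostor, first_use, replayed


if __name__ == "__main__":
    print(run_demo())
```

The service server compares two derived values and never receives the captured biological information from the terminal; it does, however, handle the stored second biological information, so the link to the biological information management server carries the sensitive data.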
It should be noted that, for simplicity of description, each of the foregoing method embodiments is stated as a series of action combinations, but those skilled in the art should understand that the present invention is not limited by the described sequence of actions, because according to the present invention certain steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be completed by a program instructing relevant hardware. The program may be stored in a computer-readable storage medium, and the storage medium may include: a flash disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), a magnetic disk, an optical disc, etc.
The service authentication method, system and related devices provided by the embodiments of the present invention have been described in detail above. Specific examples are used herein to illustrate the principle and implementation of the invention, and the above description of the embodiments is only intended to help understand the method of the present invention and its core ideas. At the same time, for those skilled in the art, there will be changes in the specific implementation and scope of application according to the idea of the present invention. In conclusion, the contents of this specification should not be construed as limiting the invention.

Claims (19)

  1. A service authentication method, characterized in that it is applied to an open wireless access system, the system comprising a service server, a biological information management server and a mobile terminal, the method comprising:
    The mobile terminal determines the business to be certified triggered by the user;
    The mobile terminal obtains the first biological information input by the user for the business to be certified, and generates first key information using the key schedule corresponding to the business to be certified and the first biological information;
    The mobile terminal sends the certification request for the business to be certified to the service server, the certification request carrying the identification information of the user;
    The mobile terminal receives the response of the certification request sent by the service server, and obtains the first verification result according to the first key information and the response of the certification request;
    The mobile terminal sends the first verification result to the service server, to instruct the service server to obtain the second biological information corresponding to the identification information of the user from the biological information management server, so that the service server authenticates the business to be certified according to the second biological information, the response of the certification request and the first verification result.
  2. The method according to claim 1, characterized in that the mobile terminal obtaining the first biological information input by the user for the business to be certified comprises:
    The mobile terminal obtains the business safety grade corresponding to the business to be certified;
    The mobile terminal outputs the input prompt for the biological information corresponding to the business safety grade;
    The mobile terminal obtains the first biological information input by the user in response to the input prompt.
  3. The method according to claim 1 or 2, characterized in that before the mobile terminal determines the business to be certified triggered by the user, the method further comprises:
    The mobile terminal obtains the user right rank of the user from the service server;
    The mobile terminal outputs the initialization interface corresponding to the user according to the user right rank, the initialization interface corresponding to the user displaying the businesses usable by the user;
    Wherein, the mobile terminal determines the business to be certified of user's triggering, comprising:
    The mobile terminal determines the business to be certified that the user triggers from business workable for the user.
  4. The method according to any one of claims 1 to 3, characterized in that after the mobile terminal sends the first verification result to the service server, the method further comprises:
    The mobile terminal receives the authentication result for the business to be certified sent by the service server;
    The mobile terminal generates encryption key message using the encryption key generating algorithm corresponding to the business to be certified and the first key information when the authentication result is that certification passes;
    The mobile terminal encrypts the data of the business to be certified using the encryption key message, and sends the encrypted data of the business to be certified to the service server, to instruct the service server to decrypt the encrypted data of the business to be certified using the second biological information.
  5. A service authentication method, characterized in that it is applied to an open wireless access system, the system comprising a service server, a biological information management server and a mobile terminal, the method comprising:
    The service server receives the certification request for the business to be certified sent by the mobile terminal, the certification request carrying the identification information of the user;
    The service server sends the response of the certification request to the mobile terminal, to instruct the mobile terminal to obtain the first verification result according to first key information and the response of the certification request, the first key information being generated by the mobile terminal using the key schedule corresponding to the business to be certified and the first biological information input by the user for the business to be certified;
    The service server receives the first verification result sent by the mobile terminal;
    The service server obtains the second biological information corresponding to the identification information of the user from the biological information management server;
    The service server obtains the second verification result according to the second biological information and the response of the certification request;
    The service server authenticates the business to be certified according to the first verification result and the second verification result, and determines that authentication of the business to be certified passes when the first verification result matches the second verification result.
  6. The method according to claim 5, characterized in that the service server obtaining the second biological information corresponding to the identification information of the user from the biological information management server comprises:
    The service server sends a biological information acquisition request to the biological information management server, the biological information acquisition request carrying the identification information of the user and the identification information of the service server, to instruct the biological information management server to query the second biological information corresponding to the identification information of the user and the identification information of the service server;
    The service server receives the second biological information sent by the biological information management server.
  7. The method according to claim 5 or 6, characterized in that before the service server receives the certification request for the business to be certified sent by the mobile terminal, the method further comprises:
    The service server receives the user right rank acquisition request that the mobile terminal sends when detecting the initialization operation input by the user, the user right rank acquisition request carrying the identification information of the user;
    The service server obtains the third biological information corresponding to the identification information of the user from the biological information management server, and determines the user right rank corresponding to the identification information of the user according to the third biological information;
    The service server sends the user right rank to the mobile terminal, to instruct the mobile terminal to output, according to the user right rank, the initialization interface corresponding to the user, the initialization interface corresponding to the user displaying the businesses usable by the user.
  8. The method according to any one of claims 5 to 7, characterized in that the method further comprises:
    The service server sends the authentication result of the business to be certified to the mobile terminal, where the authentication result, when it is that certification passes, instructs the mobile terminal to generate encryption key message using the encryption key generating algorithm corresponding to the business to be certified and the first key information;
    The service server receives the data of the business to be certified, encrypted using the encryption key message, sent by the mobile terminal;
    The service server generates decryption key information according to the second biological information, and decrypts the encrypted data of the business to be certified using the decryption key information.
  9. A kind of mobile terminal, which is characterized in that be applied to open wireless access system, the system comprises service server, biological information management server and the mobile terminal, the mobile terminal includes:
    Determining module, for determining the business to be certified of user's triggering;
    Module is obtained, for obtaining the user for the first biological information of the business input to be certified;
    Processing module, for generating first key information using the corresponding key schedule of business to be certified and first biological information;
    Sending module, for sending the certification request for being directed to the business to be certified to the service server, the certification request carries the identification information of the user;
    Receiving module, for receiving the response for the certification request that the service server is sent;
    The processing module is also used to obtain the first verification result according to the response of the first key information and the certification request;
    The sending module is also used to send the first verification result to the service server, to instruct the service server to obtain the second biological information corresponding to the identification information of the user from the biological information management server, so that the service server authenticates the business to be certified according to the second biological information, the response of the certification request and the first verification result.
  10. Mobile terminal according to claim 9, which is characterized in that the acquisition module includes acquiring unit and output unit, in which:
    The acquiring unit, for obtaining the corresponding business safety grade of the business to be certified;
    The output unit, the input for exporting the corresponding biological information of the business safety grade prompt;
    The acquiring unit is also used to obtain the first biological information input by the user in response to the input prompt.
  11. Mobile terminal according to claim 9 or 10, which is characterized in that the mobile terminal further includes output module, in which:
    The acquisition module is also used to obtain the user right rank of the user from the service server;
    The output module, for according to the user right rank, exporting the corresponding initialization interface of the user, the corresponding initialization showing interface of the user has business workable for the user;
    The determining module is specifically used to determine the business to be certified that the user triggers from the businesses usable by the user.
  12. The mobile terminal according to any one of claim 9~11, which is characterized in that
    The receiving module is also used to receive the authentication result for the business to be certified that the service server is sent;
    The processing module is also used to generate encryption key message using the encryption key generating algorithm corresponding to the business to be certified and the first key information when the authentication result is that certification passes;
    The processing module is also used to encrypt using data of the encryption key message to the business to be certified;
    The sending module is also used to the data of the encrypted business to be certified being sent to the service server, to indicate that the service server is decrypted using data of second biological information to the encrypted business to be certified.
  13. A kind of service server, which is characterized in that be applied to open wireless access system, the system comprises the service server, biological information management server and mobile terminal, the service server includes:
    Receiving module, the certification request for business to be certified sent for receiving the mobile terminal, the certification request carry the identification information of user;
    Sending module, for sending the response of the certification request to the mobile terminal, to instruct the mobile terminal to obtain the first verification result according to first key information and the response of the certification request, the first key information being generated by the mobile terminal using the key schedule corresponding to the business to be certified and the first biological information input by the user;
    The receiving module is also used to receive the first verification result sent by the mobile terminal;
    Obtaining module, for obtaining the second biological information corresponding to the identification information of the user from the biological information management server;
    Processing module, for obtaining the second verification result according to the second biological information and the response of the certification request;
    Authentication module, for authenticating the business to be certified according to the first verification result and the second verification result, and determining that authentication of the business to be certified passes when the first verification result matches the second verification result.
  14. Service server according to claim 13, which is characterized in that the acquisition module includes:
    Transmission unit, for sending a biological information acquisition request to the biological information management server, the biological information acquisition request carrying the identification information of the user and the identification information of the service server, to instruct the biological information management server to query the second biological information corresponding to the identification information of the user and the identification information of the service server;
    Receiving unit, second biological information sent for receiving the biological information management server.
  15. The service server according to claim 13 or 14, characterized in that
    The receiving module is also used to receive the user right rank acquisition request that the mobile terminal sends when detecting the initialization operation input by the user, the user right rank acquisition request carrying the identification information of the user;
    The obtaining module is also used to obtain the third biological information corresponding to the identification information of the user from the biological information management server;
    The processing module is also used to determine the corresponding user right rank of identification information of the user according to the third biological information;
    The sending module, it is also used to send the user right rank to the mobile terminal, to indicate the mobile terminal according to the user right rank, the corresponding initialization interface of the user is exported, the corresponding initialization showing interface of the user has business workable for the user.
  16. The service server according to any one of claims 13 to 15, characterized in that
    The sending module is also used to send the authentication result of the business to be certified to the mobile terminal, where the authentication result, when it is that certification passes, instructs the mobile terminal to generate encryption key message using the encryption key generating algorithm corresponding to the business to be certified and the first key information;
    The receiving module is also used to receive the data using the encrypted business to be certified of the encryption key message that the mobile terminal is sent;
    The processing module is also used to be decrypted using data of second biological information to the encrypted business to be certified.
  17. A mobile terminal, characterized in that it is applied to an open wireless access system, the system comprising a service server, a biological information management server and the mobile terminal, the mobile terminal comprising: a processor, a biological identification chip, a transceiver and a memory, where the processor, the biological identification chip, the transceiver and the memory are connected by a bus, the memory stores executable program code, the transceiver is used for sending and receiving messages under the control of the processor, and the biological identification chip and the processor are used to call the executable program code to execute the service authentication method according to any one of claims 1 to 4.
  18. A kind of service server, it is characterized in that, applied to open wireless access system, the system comprises the service servers, biological information management server and mobile terminal, the service server includes: processor, transceiver and memory, the processor, the transceiver is connected with the memory by bus, the memory is stored with executable program code, the transceiver is used for messaging by the control of the processor, the processor is for calling the executable program code, execute the service authentication method as described in any one of claim 5~8.
  19. A kind of service authentication system, it is characterized in that, it include: biological information management server, the mobile terminal as described in any one of claim 9~12 and the service server as described in any one of claim 13~16, the biological information management server provides the query service of the biological information to the service server for storing biological information.
CN201680087076.XA 2016-09-30 2016-09-30 Service authentication method, system and related equipment Active CN109328348B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/101118 WO2018058544A1 (en) 2016-09-30 2016-09-30 Service authentication method, system, and related devices

Publications (2)

Publication Number Publication Date
CN109328348A true CN109328348A (en) 2019-02-12
CN109328348B CN109328348B (en) 2023-03-03

Family

ID=61763228

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201680087076.XA Active CN109328348B (en) 2016-09-30 2016-09-30 Service authentication method, system and related equipment

Country Status (2)

Country Link
CN (1) CN109328348B (en)
WO (1) WO2018058544A1 (en)

Also Published As

Publication number Publication date
CN109328348B (en) 2023-03-03
WO2018058544A1 (en) 2018-04-05

Similar Documents

Publication Publication Date Title
CN109328348A (en) A kind of service authentication method, system and relevant device
CN108551443B (en) Application login method and device, terminal equipment and storage medium
US10205711B2 (en) Multi-user strong authentication token
CN107113315B (en) Identity authentication method, terminal and server
US20190268770A1 (en) Method and apparatus for remote portable wireless device authentication
CN100583114C (en) System and method for remote security enablement
TW201741922A (en) Biological feature based safety certification method and device
WO2017054292A1 (en) Virtual sim card service authorization method, terminal, server, and system
CN105847247A (en) Authentication system and working method thereof
CN105144670A (en) Wireless networking-enabled personal identification system
CN105516104A (en) Identity verification method and system of dynamic password based on TEE (Trusted execution environment)
WO2016183937A1 (en) Identity authentication method, device and system, and user terminal
CN106652109A (en) Intelligent lock control method, device and lock management server
CN101517562A (en) Method for registering and certificating user of one time password by a plurality of mode and computer-readable recording medium where program executing the same method is recorded
CN110278084B (en) eID establishing method, related device and system
US20130246268A1 (en) Method and system for dedicated secure processors for handling secure processing in a handheld communication device
CN106454800A (en) Identity verification method, device and system
CN108920919A (en) Control method, device and system of interactive intelligent equipment
CN111080857A (en) Vehicle digital key management and use method and device, mobile terminal and storage medium
Theuermann et al. Mobile-only solution for server-based qualified electronic signatures
US10679028B2 (en) Method and apparatus for performing authentication based on biometric information
KR101769861B1 (en) User biometric authentication method and system using HSM smart card without password exposure
CN105025548B (en) A kind of the connection control method and device of SIM card
CN108712384B (en) Terminal authentication method and device, terminal and server
US11003744B2 (en) Method and system for securing bank account access

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant