CN110278083A - ID authentication request treating method and apparatus, equipment replacement method and apparatus - Google Patents
ID authentication request treating method and apparatus, equipment replacement method and apparatus Download PDFInfo
- Publication number
- CN110278083A CN110278083A CN201810216813.2A CN201810216813A CN110278083A CN 110278083 A CN110278083 A CN 110278083A CN 201810216813 A CN201810216813 A CN 201810216813A CN 110278083 A CN110278083 A CN 110278083A
- Authority
- CN
- China
- Prior art keywords
- public key
- equipment
- authentication
- signature
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/80—Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Algebra (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Pure & Applied Mathematics (AREA)
- Computer Hardware Design (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephone Function (AREA)
Abstract
This application involves a kind of ID authentication request treating method and apparatus equipment replacement method and apparatus, the ID authentication request processing method includes: foundation and the communication connection of terminal;Receive the ID authentication request that the terminal is forwarded;When the communication connection is using default near field communication mode, then authentication signature is directly generated according to the ID authentication request;When the communication connection is using non-default near field communication mode, then the confirmation instruction to be entered such as, and authentication signature is generated according to the ID authentication request in the confirmation instruction for detecting input;The authentication signature is sent to the terminal;The authentication signature, which is used to indicate the terminal, will respond with carry out authentication in the authentication signature.The safety that portable device carries out secondary identities certification can be improved in scheme provided by the present application.
Description
Technical field
This application involves internet security technical fields, more particularly to a kind of ID authentication request processing method and dress
It sets, equipment replacement method and apparatus.
Background technique
It is a large amount of universal with portable device With the fast development of internet, trojan horse, fishing are faced in terminal applies
When the various safety problems such as fishnet station, more and more users by terminal when being operated, for example logs in application, account pipe
Reason, network trading or resource transfers etc. connect for the safety for ensureing operation often through terminal and the wireless of portable device
It connects, carries out secondary identities certification using portable device, to ensure the safety of operation.It is traditional by portable device into
The scheme of row secondary identities certification, in order to improve treatment effeciency, often portable device is after receiving ID authentication request
Direct automatic signature, to complete secondary identities certification.
However traditional scheme that secondary identities certification is carried out by portable device, it usually can be due to terminal and portable
Equipment signal in communication is intercepted, malicious application calls portable device to be automatically performed signature or portable device loss etc.
Situation, there are security risks.
Summary of the invention
Based on this, it is necessary to which there are the technologies of security risk to ask when for by portable device progress secondary identities certification
Topic provides a kind of ID authentication request processing method, device, computer readable storage medium and computer equipment, equipment replacement
Method, apparatus, computer readable storage medium and computer equipment.
A kind of ID authentication request processing method is applied to portable device, which comprises
Establish the communication connection with terminal;
Receive the ID authentication request that the terminal is forwarded;
When the communication connection is using default near field communication mode, then directly according to the ID authentication request
Generate authentication signature;
When the communication connection is using non-default near field communication mode, then the confirmation instruction to be entered such as, and
Authentication signature is generated according to the ID authentication request in the confirmation instruction for detecting input;
The authentication signature is sent to the terminal;The authentication signature is used to indicate the terminal and signs the certification
Carry out authentication is responded in name.
A kind of ID authentication request processing unit, is applied to portable device, and described device includes:
Module is established, for establishing and the communication connection of terminal;
Receiving module, the ID authentication request forwarded for receiving the terminal;
Generation module is used for when the communication connection is using default near field communication mode, then directly according to institute
It states ID authentication request and generates authentication signature;
The generation module is also used to then wait when the communication connection is using non-default near field communication mode
The confirmation of input instructs, and generates authentication signature according to the ID authentication request in the confirmation instruction for detecting input;
Sending module, for the authentication signature to be sent to the terminal;The authentication signature is used to indicate the end
End will respond with carry out authentication in the authentication signature.
A kind of computer readable storage medium is stored with computer program, when the computer program is executed by processor,
So that the processor executes the step of ID authentication request processing method.
A kind of computer equipment, including memory and processor, the memory are stored with computer program, the calculating
When machine program is executed by the processor, so that the step of processor executes the ID authentication request processing method.
Above-mentioned ID authentication request processing method, device, computer readable storage medium and computer equipment, pass through foundation
With the communication connection of terminal room, the ID authentication request that terminal is forwarded is received.When communication connection is using default short-range communication
When connection type, then authentication signature is directly generated according to ID authentication request.Since default near field communication may insure
The safety of portable device communication, therefore authentication signature directly can be generated according to ID authentication request, realize that quick identity is recognized
Card.When communication connection is using non-default near field communication mode, there may be portable device communications under this environment
Security risk, then the confirmation to be entered instruction such as are recognized in the confirmation instruction for detecting input according to ID authentication request generation
Signed certificate name.Under the communication mode there may be security risk, user is needed actively to do and confirm, regenerates authentication signature, it can be with
Ensure the safety of terminal and portable device communication.It, will certification by communication connection after portable device generates authentication signature
Signature is sent to terminal, and terminal will respond with carry out authentication again in authentication signature.In this way, distinguishing terminal and portable device
Communication connection mode generates authentication signature so that different identifying procedures is respectively adopted, it is auxiliary to be greatly improved portable device progress
Help the safety of authentication.
A kind of equipment replacement method is applied to portable device, which comprises
Obtain the equipment replacement order from service platform;
From the equipment replacement order extract equipment public key and the first equipment public key signature;The first equipment public key signature
It is to be generated using the platform private key of the service platform to the equipment public key encryption;
Read local pre-land public key corresponding with the platform private key;
Equipment public key is decrypted from the first equipment public key signature according to the pre-land public key;
When the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts, then equipment is executed
Resetting movement.
A kind of equipment replacement device, is applied to portable device, and described device includes:
Module is obtained, for obtaining the equipment replacement order from service platform;
Extraction module is used for from the equipment replacement order extract equipment public key and the first equipment public key signature;Described
One equipment public key signature is to be generated using the platform private key of the service platform to the equipment public key encryption;
Read module, for reading local pre-land public key corresponding with the platform private key;
Deciphering module, for decrypting equipment public affairs from the first equipment public key signature according to the pre-land public key
Key;
Execution module, the equipment public key for working as the equipment public key of the equipment public key extracted, local and decrypting are consistent
When, then execute equipment replacement movement.
A kind of computer readable storage medium is stored with computer program, when the computer program is executed by processor,
So that the processor executes the step of equipment replacement method.
A kind of computer equipment, including memory and processor, the memory are stored with computer program, the calculating
When machine program is executed by the processor, so that the step of processor executes the equipment replacement method.
Above equipment remapping method, device, computer readable storage medium and computer equipment, when getting from clothes
When the equipment replacement order of business platform, the platform private key of extract equipment public key and use service platform adds from equipment replacement name
It is dense at the first equipment public key signature.It decrypts and sets from the first equipment public key signature further according to local preset platform public key
Standby public key then can determine whether to obtain when the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts
Equipment replacement name be it is legal, at this time execute equipment replacement movement.In this way, can be simply and efficiently by pre-land public key
Equipment replacement order is authenticated, is avoided through the unsafe problem of terminal storage key.Also, it is needed in portable device
The resetting movement that can also complete portable device is transferred the possession of or write the case where loss, it is hidden to solve safety existing for portable device
Suffer from.
Detailed description of the invention
Fig. 1 is the applied environment figure of ID authentication request processing method in one embodiment;
Fig. 2 is the flow diagram of ID authentication request processing method in one embodiment;
Fig. 3 is the acquisition modes schematic diagram of ID authentication request in one embodiment;
Fig. 4 is flow diagram the step of generating authentication signature according to ID authentication request in one embodiment;
Fig. 5 is flow diagram the step of applying the generation of key pair in one embodiment;
Fig. 6 is the schematic diagram of the corresponding relationship of application identities and cipher key index and application key pair in one embodiment;
Fig. 7 be in one embodiment when communication connection is using non-default near field communication mode, then it is etc. to be entered
Confirmation instruction, and detect input confirmation instruction when according to ID authentication request generate authentication signature the step of process
Schematic diagram;
The flow diagram for the step of Fig. 8 is equipment replacement in one embodiment;
The flow diagram for the step of Fig. 9 is device activation in one embodiment;
Figure 10 is the flow diagram of ID authentication request processing method in another embodiment;
Figure 11 is the interface schematic diagram that user logs into application by mobile terminal using equipment in one embodiment;
Figure 12 is the timing diagram of ID authentication request processing method in one embodiment;
Figure 13 is the flow diagram that portable device carries out ID authentication request processing in one embodiment;
Figure 14 is the flow diagram of one embodiment Plays signature;
Figure 15 is the interface schematic diagram that user's authorization is waited in one embodiment;
Figure 16 is the applied environment figure of equipment replacement method in one embodiment;
Figure 17 is the flow diagram of equipment replacement method in one embodiment;
Figure 18 is that user passes through the interface schematic diagram of mobile terminal initiating equipment resetting request in one embodiment;
Figure 19 is the flow diagram of equipment replacement method in another embodiment;
Figure 20 is the structural block diagram of ID authentication request processing unit in one embodiment;
Figure 21 is the structural block diagram of ID authentication request processing unit in another embodiment;
Figure 22 is the structural block diagram of equipment replacement device in one embodiment;
Figure 23 is the structural block diagram of equipment replacement device in another embodiment;
Figure 24 is the structural block diagram of computer equipment in one embodiment.
Specific embodiment
It is with reference to the accompanying drawings and embodiments, right in order to which the objects, technical solutions and advantages of the application are more clearly understood
The application is further elaborated.It should be appreciated that specific embodiment described herein is only used to explain the application, and
It is not used in restriction the application.
Fig. 1 is the applied environment figure of ID authentication request processing method in one embodiment.Referring to Fig.1, the authentication
Request processing method is applied to identity authorization system.The identity authorization system includes terminal 110, server 120 and portable sets
Standby 130.Terminal 110 and server 120 pass through network connection.Terminal 110 and portable device 130 are by presetting short-range communication
Connection type or non-default near field communication mode connect.Terminal 110 specifically can be terminal console or mobile terminal, move
Dynamic terminal specifically can be at least one of mobile phone, tablet computer and laptop etc..Server 120 can use independent clothes
The server cluster of business device either multiple servers composition is realized.Portable device 130 specifically can be Intelligent bracelet, intelligence
Energy glasses, intelligent earphone or smartwatch etc..
As shown in Fig. 2, in one embodiment, providing a kind of ID authentication request processing method.The present embodiment is main
It is applied to the portable device 130 in above-mentioned Fig. 1 in this way to illustrate.Referring to Fig. 2, the ID authentication request processing side
Method specifically comprises the following steps:
S202 establishes the communication connection with terminal.
Wherein, communication connection is to establish data transmission channel to carry out data transmission, and communication connection includes wired communication link
Connect and wirelessly communicate connection.Wherein, wire communication connection such as cable network connection or USB (Universal Serial Bus,
Universal serial bus) interface communication connection etc.;Wireless communication connection, such as the connection of wireless network connection, Bluetooth communication or near field
Communication connection etc..Wherein, Bluetooth communication is ISM band (the Industrial Scientific using 2.4-2.485GHz
Medical Band, industrial scientific medical frequency range) UHF (Ultra High Frequency, superfrequency) airwave communication.
Near-field communication (Near Field Communication, abbreviation NFC) is a kind of wireless communication of short distance high frequency, and working frequency is
13.56MHz。
Specifically, portable device can receive the communication request from terminal, be established and terminal according to communication request
Communication connection.In one embodiment, terminal can actively initiate the connection the request of portable device, and portable device responds this and asks
It asks, portable device can establish the link connection communicated with terminal at this time.By taking bluetooth connection as an example, terminal (main equipment,
The equipment initiated the connection) bluetooth page can be opened from equipment (from equipment, that is, receiving the equipment of connection), portable device can be consolidated
Determine interval scan outer loop.The paging will be responded when the paging that portable device scanning is initiated to terminal.In this way, terminal
Communication connection is just established between portable device.
In one embodiment, terminal can initiate operation to server and ask, and server receives after the operation requests to terminal
Feed back certification request.Terminal can show " Bluetooth communication connection " after receiving certification request on a display screen or " patch cartoon letters connect
Connect " etc. printed words for user select.When user selects Bluetooth communication connection, terminal can open bluetooth equipment and page portable set
It is standby.When user selects patch cartoon letters connection, terminal can open radiofrequency field, for example card reader detection pattern is spent built in unlatching, when
User by portable device close to terminal when, terminal detects portable device, and establishes the communication connection with portable device.
In one embodiment, portable device can also opening network communication pattern, pass through wireless network or finite element network
It establishes and communicates to connect with terminal.It is communicated to connect alternatively, portable device can also be established by USB interface and terminal.
S204 receives the ID authentication request that terminal is forwarded.
Wherein, ID authentication request is the request authenticated to identity, can be authentication instruction or the body of transmission
Part message identifying etc., generally carries authentication information.
In one embodiment, user can be instructed by terminal trigger action.Wherein, operational order, such as user pass through
Terminal logs in using account or carries out network trading etc. by application.Operational order is sent to service by being connected to the network by terminal
Device, server generates corresponding ID authentication request after receiving operational order, and ID authentication request is fed back to terminal.
Wherein, authentication information is carried in ID authentication request.After terminal receives ID authentication request, by being set with portable
Communication connection between standby, is forwarded to portable device for the ID authentication request.
In one embodiment, user can be instructed by portable device trigger action.Portable device by with terminal
Between communication connection, operational order is forwarded to terminal, terminal is forwarded to server again.Server generates after receiving operational order
Corresponding ID authentication request, and ID authentication request is back to terminal.Wherein, identity is carried in ID authentication request to recognize
Demonstrate,prove information.After terminal receives ID authentication request, by the communication connection between portable device, by the ID authentication request
It is forwarded to portable device.
In one embodiment, server, which receives, generates corresponding ID authentication request after operational order, and server is by body
When part certification request returns to terminal, it can be based on request-response mechanism, i.e. requesting party send a request message to responder, respond
Square returning response message is to requesting party.
For example, server can based on 7816-4:2005APDU (Application Protocol Data Unit,
Application Protocol Data Unit) format to terminal send ID authentication request.ID authentication request i.e. request message, request disappear
The message format of breath is as follows:
CLA | INS | P1 | P2 | Lc<request-data> | Le |
Wherein, CLA is the instruction of order classification, and it is " 00 ", specific command position " 80 " that generic command position, which can be preset,.INS
Indicate safety chip order.P1, P2 respectively correspond the first parameter and the second parameter of each order.Lc is request-data
The length of (request message), if Lc is omitted without request-data, request-data is in specific request message
Hold.Le is the greatest hope length of response-data (response message), if Le is saved without desired response-data
Slightly.
Correspondingly, when the ID authentication request that portable device forwards terminal responds, the lattice of response message
Formula is as follows:
Le<response-data> | SW1 | SW2 |
Wherein, Le is the length of response-data (response message), and response-data is specific response message
Content.SW1 and SW2 is two byte status codes.
S206 is when communication connection is using default near field communication mode, then directly raw according to ID authentication request
At authentication signature.
Wherein, the communication connection mode that near field communication mode is the safety of pre-set short distance is preset, when
When being communicated using default near field communication mode, both sides' identity of communication and the content of communication are all safety, no
It is intercepted or the security risks such as pretend to be that information can be generated.The communication connection mode of default short distance, such as USB interface communication connection
Mode or near-field communication connection type etc..Specifically, portable device and terminal, which are established, communicates to connect, when portable device receives
After the ID authentication request forwarded to terminal, it may be determined that the specific transmission mode of the ID authentication request.When the authentication is asked
When Seeking Truth carries out being transmitted to portable device by default near field communication mode, portable device is then directly according to identity
Certification request generates authentication signature.
In one embodiment, portable device can judge whether communication connection mode is default close locally presetting
The Rule of judgment of distance communication connection type.Wherein, Rule of judgment, such as communication distance are less than or equal to pre-determined distance, communication
Channel is channel predetermined or data sink is default device etc..When portable device receives the communication link of ID authentication request
When filling the foot Rule of judgment, it is determined that the communication connection of portable device and terminal room is default near field communication side
Formula.When the communication connection that portable device receives ID authentication request is unsatisfactory for the Rule of judgment, it is determined that portable device
Communication connection with terminal room is non-default near field communication mode.
For example, near-field communication connection type and/or USB interface communication connection mode can be preset in portable device
To preset near field communication mode.When portable device is communicated with the non-contact reader of terminal, then communication link is judged
Connecing mode is default near field communication mode.Alternatively, when portable device and terminal are communicated by USB interface, it can be true
The communication connection for determining portable device and terminal is using default near field communication mode.
In one embodiment, portable device is built-in with NFC antenna, safety chip, bluetooth MCU
(Microcontroller Unit, micro-control unit) and main control MCU.As shown in figure 3, Fig. 3 shows body in one embodiment
The acquisition modes schematic diagram of part certification request.When ID authentication request is to be received by NFC antenna, and be forwarded to safety chip
, then it can determine that the communication connection of portable device and terminal is near-field communication, belong to default near field communication mode.When
ID authentication request is to be received by bluetooth MCU, and be forwarded to safety chip by main control MCU, then can determine portable set
Standby is, since there are the security risks such as information is intercepted for Bluetooth communication, to be consequently belonging to non-default close by Bluetooth communication with terminal
Distance communication connection type.
In one embodiment, ID authentication request carries authentication information, such as parameters for authentication.Wherein, it authenticates
Parameter is to be used to guarantee that each ID authentication request to be unique and effective within a certain period of time by server generation, or make
It fails immediately after.Parameters for authentication, for example the random number that generates at random of server or server are according to current time, terminal mark
Know the ciphertext etc. with generating random number.Portable device can be used local cipher mode and be encrypted parameters for authentication to generate
Authentication signature, for example, generating certification label using the authentication information in private key encryption ID authentication request using local
Name.
S208, when communication connection is using non-default near field communication mode, then the confirmation instruction to be entered such as, and
Authentication signature is generated according to ID authentication request in the confirmation instruction for detecting input.
Wherein, confirmation instruction is to indicate the instruction of confirmation meaning, be can be as caused by triggering predetermined registration operation.Wherein,
Predetermined registration operation can be PIN code (the Personal Identification of pre-set trigger action, input terminal
Number, personal recognition code) or biological characteristic validation etc..Trigger action specifically can be touch operation, cursor operations or
Button operation.Wherein, touch operation can be and touch clicking operation, touches pressing operation or touch slide, touch behaviour
It can be single-touch operation or multiple point touching operation;Cursor operations can be the operation clicked of control cursor or
The operation that control cursor is pressed;Button operation can be operation of virtual key or physical button operation etc..
Specifically, portable device and terminal, which are established, communicates to connect, when portable device receives the body that terminal is forwarded
After part certification request, it may be determined that the specific transmission mode of the ID authentication request.When the ID authentication request is by non-default
When near field communication mode carries out being transmitted to portable device, the confirmation instructions to be entered such as portable device then enters
State, with etc. confirmation instruction to be entered.It is portable to set after user is instructed by portable device or terminal input validation
Standby that confirmation instruction that is itself or being sent by terminal can be detected, then portable device is generated according to ID authentication request and is authenticated
Signature.
In one embodiment, portable device can judge whether communication connection mode is default close locally presetting
The Rule of judgment of distance communication connection type.When the communication connection that portable device receives ID authentication request is unsatisfactory for the judgement
When condition, it is determined that the communication connection of portable device and terminal room is non-default near field communication mode.For example,
It is default short-range communication that near-field communication connection type and/or USB interface communication connection mode, which can be preset, in portable device
Connection type.When portable device and terminal pass through Bluetooth communication or wireless communication, then judge that communication connection mode is
Non-default near field communication mode.
Authentication signature is sent to terminal by S210;Authentication signature, which is used to indicate terminal, will respond with carry out body in authentication signature
Part certification.
In one embodiment, authentication signature is sent to terminal by the communication connection with terminal by portable device.Eventually
After termination receives the authentication signature, authentication signature is reported into server.Server is using the cipher mode phase with authentication signature
Authentication signature is decrypted in the manner of decryption answered, with the data after being decrypted.Server can be by local data to recognizing
Data after the decryption of signed certificate name are compared, to carry out authentication.
In one embodiment, after server is verified the authentication signature that terminal reports, terminal triggering can be performed
Operational order.When server does not pass through the authentication signature verifying that terminal reports, server is then refused to execute terminal triggering
Operational order.
In one embodiment, message format corresponding with the message format of ID authentication request can be used in portable device
Send authentication signature.For example APDU format is used, the format of response message is as follows:
Le<response-data> | SW1 | SW2 |
Wherein, the content of response-data i.e. authentication signature.SW1 and SW2 is two byte status codes.For example, working as
SW1 and SW2 is that " 9000 " coding then indicates order successful execution.There are also other answer codes schematically as follows:
SW1 | SW2 | Meaning |
69 | 85 | Condition is unsatisfactory for |
6A | 80 | Parameter error |
69 | 87 | The cipher key index of mistake |
69 | 86 | It is whether on the scene that user must be tested |
69 | 88 | Parameter transaction is abnormal |
90 | 01 | Wait user's confirmation |
Above-mentioned ID authentication request processing method receives what terminal was forwarded by establishing the communication connection with terminal room
ID authentication request.It is when communication connection is using default near field communication mode, then directly raw according to ID authentication request
At authentication signature.It may insure the safety of portable device communication due to presetting near field communication, it can direct root
Authentication signature is generated according to ID authentication request, realizes quick authentication.When communication connection is connected using non-default short-range communication
When connecing mode, there may be the security risks of portable device communication under this environment, then etc. confirmation to be entered instruction, is being detected
To input confirmation instruction when according to ID authentication request generate authentication signature.There may be the communication modes of security risk
Under, it needs user actively to do and confirms, regenerate authentication signature, can ensure the safety of terminal and portable device communication.Just
After portable device generates authentication signature, authentication signature is sent to terminal by communicating to connect, terminal again reports authentication signature
To carry out authentication.In this way, the communication connection mode of distinguishing terminal and portable device, different certification stream is respectively adopted
Cheng Shengcheng authentication signature is greatly improved the safety that portable device carries out secondary identities certification.
In one embodiment, the step of generating authentication signature according to ID authentication request specifically includes:
S402 is extracted from ID authentication request and is applied key ID information and parameters for authentication.
It wherein, is with using corresponding key using key, key includes private key and public key.One application can correspond to
Multiple groups key, different key purposes is also different, for example key A is used for the authentication that application logs in, and key B is for branch of trading
The authentication etc. paid.Using the identification information that key ID information is using key, being used to unique identification, this applies key.Root
Public key is applied and using private key with using key ID information is corresponding according to that can determine using key ID information.Using key
Identification information can be one of number, letter or symbol etc..Using key ID information can also include application identities and
Cipher key index is uniquely determined by application identities and cipher key index using key, that is, can be with by application identities and cipher key index
It uniquely determines accordingly using public key and using private key.
Specifically, authentication information, authentication information are carried in the received ID authentication request of portable device
Including applying key ID information and parameters for authentication.Wherein, it can be used for determining that corresponding application is public using key ID information
Key and apply private key.Portable device can determine the private key of applying being locally stored accordingly, clothes according to application key ID information
Business device can be corresponding using public key according to determining using key ID information.Parameters for authentication is the parameter generated by server,
For guarantee each ID authentication request be it is unique and within a certain period of time effectively, can be a random number.
In one embodiment, parameters for authentication fails after the completion of the processing of this ID authentication request, to prevent using private
The stolen security risk for generating authentication signature of key generates.Parameters for authentication can be server and refer in the operation for receiving terminal transmission
The random number generated after order.
S404, inquiry apply private key with using key ID information is corresponding.
Specifically, what portable device can locally be prestored according to application key ID information inquiry believes with application key identification
Breath applies private key accordingly.
S406 encrypts parameters for authentication according to application private key and obtains authentication signature.
Specifically, portable device is encrypted according to what is inquired using parameters for authentication of the private key to extraction, is recognized
Signed certificate name.Wherein, ECC (Elliptic Curve Cryptography, elliptic curve encryption algorithm) or SM2 can be used in Encryption Algorithm
Encryption Algorithm (ellipse curve public key cipher algorithm is a kind of rivest, shamir, adelman) etc..
In one embodiment, portable device can be according to the parameters for authentication and application using private key to extraction inquired
Mark etc. is encrypted, and authentication signature is obtained.
In one embodiment, portable device by authentication signature by the communication connection with terminal room, by authentication signature
It is sent to terminal.After terminal receives authentication signature, authentication signature is fed back into server.Server is according to the certification received
Signature applies public key using with using key ID information is corresponding, is decrypted to authentication signature, obtains parameters for authentication.Clothes
The parameters for authentication that the parameters for authentication obtained after decryption and server generate is compared business device, if comparison result is consistent, holds
The operational order of row terminal triggering;If comparison result is inconsistent, refuse to execute.
In above-described embodiment, extract from ID authentication request using key ID information and parameters for authentication, further according to
Private key is applied accordingly using key ID information inquiry, and parameters for authentication is encrypted using private key by what is inquired, is obtained
To authentication signature.In this way, authentication signature just it is related to the authentication information in ID authentication request, also with portable device sheet
It is related that private key is applied on ground accordingly, thus can verify the identity and corresponding information of both sides, substantially increases portable device
Carry out the safety of secondary identities certification.
In one embodiment, ID authentication request processing method further include: after receiving ID authentication request, incite somebody to action this
The count value of ground storage obtains current count value from increasing.Step S406 includes: according to application private key to parameters for authentication and current meter
Numerical value encryption, obtains authentication signature.Step S210 includes: that authentication signature and current count value are sent to end by communicating to connect
End.
Specifically, the built-in counter of portable device or other counting equipments etc., whenever receiving ID authentication request
Afterwards, counter obtains current count value with regard to counting up value certainly, and current count value is stored in local.Portable device can obtain
The current count value being locally stored encrypts parameters for authentication and current count value according to application private key, obtains authentication signature.Lead to again
It crosses the communication connection with terminal and authentication signature and current count value is sent to terminal.
In one embodiment, the authentication signature and current count value that portable device is sent are forwarded to service by terminal
Device.Server uses application public key decryptions authentication signature corresponding with application private key, obtains parameters for authentication and current count value,
Parameters for authentication and current count value that decryption obtains are reported with the parameters for authentication of server storage and portable device respectively
Current count value compares, and when comparison result is all consistent, server then executes the operational order of terminal triggering;If comparison result
Inconsistent, server is then refused to execute.
In one embodiment, the every reception one-time identity authentication request of portable device, the count value of counter is with regard to corresponding
Increase.The count value of counter can be used big hold-carrying to indicate, for example the initial value of counter is 0x00, when from increasing to maximum value
It is counted again since 0x00 again.
In above-described embodiment, by the way that after receiving ID authentication request, the count value being locally stored is worked as from increasing
Preceding count value encrypts parameters for authentication and current count value further according to application private key, obtains authentication signature.Can both it guarantee in this way
Each authentication signature is all different in authentication procedures, prevented also from the Replay Attack to server, further improves
The safety of portable device progress secondary identities certification.
In one embodiment, ID authentication request is sent to after terminal by server and is forwarded by terminal;Authentication signature
It is sent to after terminal with current count value and server is reported to by terminal;Authentication signature, being used to indicate terminal will be in authentication signature
After report to server, application public key decryptions authentication signature corresponding with application key ID information is used by server, is recognized
Parameter and current count value are demonstrate,proved, the parameters for authentication that the parameters for authentication and current count value that decryption is obtained are stored with server respectively
Compare with the current count value reported, to carry out authentication.
In one embodiment, user can be instructed by terminal trigger action, and terminal is by being connected to the network operational order
It is sent to server.Server generates corresponding ID authentication request after receiving operational order, and ID authentication request is returned
It is back to terminal, terminal is forwarded to portable device again.Portable device is after receiving ID authentication request, by what is be locally stored
Count value obtains current count value from increasing.Parameters for authentication and current count value are encrypted according to application private key, obtain authentication signature.
After authentication signature and current count value are sent to terminal, terminal reports to server again.Server uses and applies key mark
Know the corresponding application public key decryptions authentication signature of information, obtain parameters for authentication and current count value, the certification that decryption is obtained is joined
Several and current count value compared with the parameters for authentication of server storage and the current count value reported, is recognized respectively with carrying out identity
Card.When comparison result is all consistent, server then executes the operational order of terminal triggering;If comparison result is inconsistent, service
Device is then refused to execute.
In above-described embodiment, portable device is forwarded to by terminal after server transmission ID authentication request, it is portable to set
It is standby that authentication signature is generated according to ID authentication request, and authentication signature and current count value are sent to terminal, it is reported by terminal
To server.Server is again using applying public key decryptions authentication signature accordingly and being checked, to carry out authentication.This
Terminal may be implemented as operating side in sample, and separation of the portable device as authentication end can ensure the safety of operation.
In one embodiment, ID authentication request processing method further includes the generation step using key pair, the step
It specifically includes:
S502 is obtained and is applied register instruction.
In one embodiment, mountable in portable device to have application.User can be triggered by portable device and be applied
Register instruction, portable device obtain the application register instruction of user's triggering.For example user can pass through the touch of portable device
Screen or key etc. are chosen using sign-on ID and are triggered accordingly using register instruction.
In one embodiment, user can by terminal trigger apply register instruction, terminal by with portable device
Communication connection will be forwarded to portable device using register instruction, so that portable device, which obtains, applies register instruction.
S504 is generated according to application register instruction and is applied key pair;It include applying private key and answering accordingly using key pair
Use public key.
Specifically, portable device is obtained using after register instruction, is generated accordingly according to application register instruction using close
Key pair.It is corresponding using key pair and application identities.It wherein, include using private key and applying public key using key pair.It is portable
Equipment can locally save the application key pair generated, and will carry out reporting disclosure using public key.
In one embodiment, portable device is safeguarded after generating using key pair according to the application key pair of generation
Cipher key index, and cipher key index is saved to local, while also reporting to server.In this way, portable device or server can
It is found accordingly according to application identities and cipher key index using private key or using public key.
S506 is encrypted according to local device private to using public key, and be applied public key signature.
Specifically, device private has been locally stored in portable device.Wherein, portable device one and only one set
Standby private key.Different portable devices, device private are also different.Portable device answers generation according to local device private
It is encrypted with public key, be applied public key signature.
In one embodiment, portable device generating device key pair when being activated.Wherein, device keys are to including
Equipment public key and device private.Device private can be stored in local by portable device, and equipment public key is carried out to report disclosure.
In one embodiment, portable device in process of production can be with built-in device key pair.Device keys are to packet
Include equipment public key and device private.Device private can be stored in local by portable device, and equipment public key is carried out to report disclosure.
S508 will report to server using public key and using public key signature, and be used to indicate server using public key signature
According to the equipment public key decryptions application public key signature stored, when what decryption obtained applies public key consistent using public key with what is reported
When storage report apply public key.
Specifically, portable device can will report to server using public key and using public key signature by network connection,
Alternatively, portable device can will be sent to terminal using public key and using public key signature, then lead to by the communication connection with terminal
It crosses terminal and is forwarded to server.Server is stored after receiving application public key and application public key signature according to server
Equipment public key decryptions application public key signature corresponding with device private, when decryption obtain it is public using public key and the application reported
What storage reported when key is consistent applies public key.
It in above-described embodiment, is generated by application register instruction and applies key pair, public key is applied by device private encryption
To generate using public key signature and report to server.Server is verified by pre-stored equipment public key using public key label
Whether name is correct, and what preservation reported if correct applies public key.In this way, by being encrypted to using public key to generate application
Public key signature can ensure using the source side of public key signature it is legal to transmit using public key, ensure that server stores with this
Application public key be legal and correct.
It in one embodiment, include application identities and cipher key index using key ID information;And/or default low coverage
It include near-field communication connection type from communication connection mode.
Specifically, application identification information may include application identities and cipher key index, according to application identities and cipher key index
It can uniquely determine accordingly using public key or using private key.For example, as shown in fig. 6, Fig. 6 is shown in one embodiment answers
With the schematic diagram of the corresponding relationship of mark and cipher key index and application key pair.It can be true according to application identities 1 and cipher key index 1
It is fixed to apply public key 1 accordingly and apply private key 1;It can be determined accordingly according to application identities 2 and cipher key index 2 using public key 2
With application private key 2;It can be determined accordingly according to application identities 3 and cipher key index 3 using public key 3 and using private key 3.It is portable
Equipment can be found accordingly according to application identities and cipher key index using private key.Server can be according to application identities and key rope
Draw and finds accordingly using public key.
In one embodiment, presetting near field communication mode includes near-field communication connection type, wherein near field is logical
Letter connection type refers to NFC communication connection type.
In one embodiment, step S208 specifically includes the following steps:
S702, when communication connection is using non-default near field communication mode, then triggering is used to indicate input validation
The prompting of instruction acts.
Specifically, when communication connection is using non-default near field communication mode, portable device is then triggered and is used for
Indicate the prompting movement of input validation instruction.Wherein, prompting movement includes opening breath light, opening screen display or open vibration etc..
In one embodiment, when communication connection is using non-default near field communication mode, terminal can also be synchronized
Triggering is used to indicate the prompting movement of input validation instruction, for example the screen of terminal shows that input validation is reminded, opens breath light
Or open vibration etc..
S704 is locally set to the state of the confirmation instruction of detection input.
Specifically, when communication connection is using non-default near field communication mode, portable device will can locally be set
User's authorization is waited at this point, the confirmation of the detectable input of portable device instructs for the confirmation command status of detection input.?
Before the confirmation instruction for detecting input, portable device can be chronically at the state.Alternatively, within a preset period of time, it is portable
When the confirmation command status of input is not detected always in formula equipment, portable device will terminate the process of secondary identities certification, no
It is further continued for executing, can show printed words such as " user's confirmation are not detected ".
S706 exits state in the confirmation instruction for detecting input, and generates authentication signature according to ID authentication request.
In one embodiment, user can directly input validation instructs in a portable device, or inputs at the terminal
The confirmation instruction of input is forwarded to portable device by confirmation instruction, terminal.Portable device refers in the confirmation for detecting input
The state can be exited when enabling, and ID authentication request generates authentication signature based on the received.
In above-described embodiment, when communication connection is using non-default near field communication mode, triggering is used to indicate defeated
The prompting movement for entering confirmation instruction, may remind the user that and authorized.It will be locally set to the state of the confirmation instruction of detection input,
After user's authorization, that is, user has input after confirmation instructs and just generates authentication signature, Ke Yitong according to ID authentication request
The mode of user's participation is crossed to reinforce the safety that portable device carries out secondary identities certification.
In one embodiment, ID authentication request processing method further includes the steps that equipment replacement, which specifically wraps
It includes:
S802 obtains the equipment replacement order from service platform.
Wherein, service platform is security management services platform, for example is based on TUSI (Tencent User Security
Infrastructur, Tencent's user security infrastructure) agreement service platform, be based on FIDO (Fast Identity
Online, quick authentication on line) alliance service platform or be based on IFAA (Internet Finance
Authentiation Alliance, internet finance authentication alliance) service platform etc..Equipment replacement instruction is instruction
The instruction that portable device is reset.Equipment replacement, including what is stored in removing users personal data, removing portable device
Using key pair, device keys pair or formatting portable device etc..
In one embodiment, user can be reset by terminal initiating equipment and be requested, and terminal is by being connected to the network equipment
Resetting request is forwarded to service platform, and server generates corresponding equipment replacement order after receiving equipment replacement request, and will
Equipment replacement order feeds back to terminal.Equipment replacement order is forwarded to portable by terminal by the communication with portable device
Equipment.
In one embodiment, user can be reset by portable device initiating equipment and be requested, and portable device can pass through
Equipment replacement request is reported to service platform by terminal, or directly reports to service platform by network connection.Service platform
After receiving equipment replacement request, corresponding equipment replacement order is generated, and equipment replacement order is fed back to just by terminal
Portable device, or portable device is directly fed back to by network connection.
S804, from equipment replacement order extract equipment public key and the first equipment public key signature;First equipment public key signature is
Equipment public key encryption is generated using the platform private key of service platform.
Specifically, the equipment replacement order that service platform generates may include equipment public key and the first equipment public key signature.
Wherein, equipment public key can be what portable device generated upon activation, and be sent to service platform or service platform
It is pre-stored.First equipment public key signature is that service platform generates equipment public key encryption using platform private key, and encryption is calculated
ECC or SM2 Encryption Algorithm can be used in method.Portable device obtains after the equipment replacement order of service platform, can be from setting
Standby resetting order extract equipment public key and the first equipment public key signature.
S806 reads local pre-land public key corresponding with platform private key.
Specifically, portable device in process of production can in portable device pre-land public key.It is set when portable
The standby equipment replacement order obtained from service platform is extracted from equipment replacement order using the generation of platform private key encryption
After first equipment public key signature, local pre-land public key corresponding with platform private key can be read.
S808 decrypts equipment public key from the first equipment public key signature according to pre-land public key.
It specifically, can be according to pre-land public key from the first equipment public key after portable device reads pre-land public key
Equipment public key is decrypted using corresponding decipherment algorithm in signature.
S810 is then executed when the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts
Equipment replacement movement.
Wherein, equipment replacement movement be reset portable device movement, such as remove users personal data, remove it is portable
Application key pair, device keys pair or formatting portable device for being stored in formula equipment etc..
In one embodiment, the comparable equipment public key extracted of portable device and local equipment public key whether one
It causes, when consistent, then compares the equipment public key decrypted and whether the equipment public key of extraction is consistent, when consistent, then execute and set
Standby resetting acts.
In one embodiment, portable device can compare the equipment public key of extraction, local equipment public key reconciliation two-by-two
Whether close equipment public key out is consistent, when three is consistent, then executes equipment replacement movement.
In above-described embodiment, when getting from the equipment replacement order of service platform, from equipment replacement name
First equipment public key signature of extract equipment public key and the platform private key encryption generation using service platform.Further according to local preset
Platform public key decrypt equipment public key from the first equipment public key signature, equipment public key, local equipment public key when extraction
And the equipment public key that decrypts it is consistent when, then can determine whether the equipment replacement obtained name be it is legal, execute equipment weight at this time
Set movement.In this way, can simply and efficiently be authenticated to equipment replacement order by pre-land public key, avoids and pass through terminal
Store the unsafe problem of key.Also, portable device can also be completed by writing the case where portable device need to be transferred the possession of or lose
Resetting movement, solve security risk existing for portable device.
In one embodiment, ID authentication request processing method further includes the steps that device activation, which specifically wraps
It includes:
S902, receiving device activation instruction.
In one embodiment, carrying out corresponding operation to unactivated portable device can produce device activation instruction.
For example, user can carry out charging operations to unactivated portable device, portable device itself produces device activation at this time
Instruction.
In one embodiment, user can be by with generating device activation instruction, and being set in terminal operation by portable
Device activation instruction is sent to terminal by the standby communication connection with terminal.
S904 instructs generating device key pair according to device activation;Device keys are to including device private and accordingly set
Standby public key.
Specifically, after portable device receiving device activation instruction, generating device key pair is instructed according to device activation.If
Standby key pair and portable equipment identity are corresponding.Wherein, device keys are to including device private and equipment public key.It is portable to set
It is standby locally to save the device keys pair generated, and equipment public key is carried out to report disclosure.
Equipment public key is reported to service platform by S906;The equipment public key reported is for generating the first equipment public key signature.
Specifically, equipment public key can directly be reported to service platform by being connected to the network by portable device.Alternatively, portable
Equipment public key is sent to terminal by the communication connection with terminal by formula equipment, and it is flat that equipment public key is forwarded to service again by terminal
Platform.Service platform encrypts the equipment public key reported using platform private key, and the first equipment public key signature can be generated.
In above-described embodiment, generating device key pair is instructed according to device activation, wherein device keys are to public including equipment
Key and device private.By the way that equipment public key is reported to service platform, it may make that service platform is raw according to the equipment public key reported
At the first equipment public key signature, further generating device resetting order.
In one embodiment, step S906 is specifically included: equipment public key is encrypted according to preset manufacturer's private key,
Obtain the second equipment public key signature;Equipment public key and the second equipment public key signature are transferred to service platform, the second equipment public key
Signature is used to indicate service platform according to manufacturer's public key decryptions the second equipment public key signature, the equipment public key and biography obtained when decryption
The equipment public key of storage transmitting when the equipment public key passed is consistent.
It in one embodiment, can preset manufacturer's private key in the production process of portable device.Portable device according to
Preset manufacturer's private key encrypts the equipment public key of generation, obtains the second equipment public key signature.Portable device is by equipment
Public key and the second equipment public key signature are transferred to service platform.Service platform is according to manufacturer's public key decryptions the second equipment public key label
Name, the equipment public key of storage transmitting when the equipment public key that decryption obtains is consistent with the equipment public key of transmitting.
In above-described embodiment, by preset manufacturer's private key encryption equipment public key with generate the second equipment public key signature and on
It reports to service platform.Whether service platform verifies the second equipment public key signature by pre-stored manufacturer's public key correct, such as
Fruit correctly then saves equipment public key.In this way, being transmitted by being encrypted to equipment public key with generating the second equipment public key signature
Equipment public key, can ensure the source side of the second equipment public key signature be it is legal, ensure that the equipment of service platform storage is public with this
Key is legal and correct.
As shown in Figure 10, in a specific embodiment, ID authentication request processing method the following steps are included:
S1002, receiving device activation instruction.
S1004 instructs generating device key pair according to device activation;Device keys are to including device private and accordingly set
Standby public key.
S1006 encrypts equipment public key according to preset manufacturer's private key, obtains the second equipment public key signature.
Equipment public key and the second equipment public key signature are transferred to service platform by S1008, and the second equipment public key signature is used for
Service platform is indicated according to manufacturer's public key decryptions the second equipment public key signature, when the equipment of decryption obtained equipment public key and transmitting
The equipment public key of storage transmitting when public key is consistent.
S1010 is obtained and is applied register instruction.
S1012 is generated according to application register instruction and is applied key pair;It include applying private key and answering accordingly using key pair
Use public key.
S1014 is encrypted according to local device private to using public key, and be applied public key signature.
S1016 will report to server using public key and using public key signature, and be used to indicate server using public key signature
According to the equipment public key decryptions application public key signature stored, when what decryption obtained applies public key consistent using public key with what is reported
When storage report apply public key.
S1018 establishes the communication connection with terminal;
S1020 receives the ID authentication request that terminal is forwarded.
S1022 is when communication connection is using default near field communication mode, then directly raw according to ID authentication request
At authentication signature.
S1024, when communication connection is using non-default near field communication mode, then triggering is used to indicate input validation
The prompting of instruction acts.
S1026 is locally set to the state of the confirmation instruction of detection input.
S1028 exits state in the confirmation instruction for detecting input, and generates certification label according to ID authentication request
Name.
Authentication signature is sent to terminal by S1030;Authentication signature, which is used to indicate terminal, will respond with carry out body in authentication signature
Part certification.
S1032 obtains the equipment replacement order from service platform.
S1034, from equipment replacement order extract equipment public key and the first equipment public key signature;First equipment public key signature,
It is to be generated using the platform private key of service platform to equipment public key encryption.
S1036 reads local pre-land public key corresponding with platform private key.
S1038 decrypts equipment public key from the first equipment public key signature according to pre-land public key.
S1040 is then held when the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts
The movement of row equipment replacement.
Above-mentioned ID authentication request processing method receives what terminal was forwarded by establishing the communication connection with terminal room
ID authentication request.It is when communication connection is using default near field communication mode, then directly raw according to ID authentication request
At authentication signature.It may insure the safety of portable device communication due to presetting near field communication, it can direct root
Authentication signature is generated according to ID authentication request, realizes quick authentication.When communication connection is connected using non-default short-range communication
When connecing mode, there may be the security risks of portable device communication under this environment, then etc. confirmation to be entered instruction, is being detected
To input confirmation instruction when according to ID authentication request generate authentication signature.There may be the communication modes of security risk
Under, it needs user actively to do and confirms, regenerate authentication signature, can ensure the safety of terminal and portable device communication.Just
After portable device generates authentication signature, authentication signature is sent to terminal by communicating to connect, terminal again reports authentication signature
To carry out authentication.In this way, the communication connection mode of distinguishing terminal and portable device, different certification stream is respectively adopted
Cheng Shengcheng authentication signature is greatly improved the safety that portable device carries out secondary identities certification.
Figure 10 is the flow diagram of ID authentication request method in one embodiment.Although should be understood that Figure 10
Flow chart in each step successively show that but these steps are not inevitable to indicate according to arrow according to the instruction of arrow
Sequence successively execute.Unless expressly stating otherwise herein, there is no stringent sequences to limit for the execution of these steps, these
Step can execute in other order.Moreover, at least part step in Figure 10 may include multiple sub-steps or more
A stage, these sub-steps or stage are not necessarily to execute completion in synchronization, but can hold at different times
Row, the execution sequence in these sub-steps perhaps stage be also not necessarily successively carry out but can be with other steps or other
The sub-step or at least part in stage of step execute in turn or alternately.
In concrete application scene, user can be carried out secondary identities certification login using portable device and be answered by terminal
With.For example, as shown in figure 11, Figure 11 is shown user and is illustrated by mobile terminal using the interface that equipment logs into application
Figure.When the user clicks after " equipment login ", portable device carries out corresponding operation with regard to the above-mentioned ID authentication request method of use,
Authentication signature is reported, to carry out authentication.After certification passes through, the application of terminal operating can then obtain user data, such as
The data such as user name, user's head portrait.
In one embodiment, as shown in figure 12, Figure 12 shows ID authentication request processing method in one embodiment
Timing diagram.User is instructed by terminal trigger action.Operational order is sent to server by being connected to the network by terminal, is serviced
Device generates corresponding ID authentication request after receiving operational order, and ID authentication request is fed back to terminal.Terminal receives
To after ID authentication request, by the communication connection between portable device, which is forwarded to portable set
It is standby.When communication connection is using default near field communication mode, portable device is then directly raw according to ID authentication request
At authentication signature, authentication signature is sent to terminal, terminal is forwarded to server again to carry out authentication.When communication connection is adopted
When with non-default near field communication mode, wait user confirmation, user's input validation instruction it is red, portable device further according to
ID authentication request generates authentication signature, authentication signature is sent to terminal, terminal is forwarded to server again and recognizes to carry out identity
Card.
In one embodiment, portable device includes security application and main control MCU.Terminal is by communication connection, by body
Part certification request is sent to the main control MCU of portable device, and main control MCU is forwarded to security application.Security application judges portable
Whether the communication connection mode of equipment and terminal is default near field communication mode.If so, security application then direct basis
ID authentication request generates authentication signature, and authentication signature is sent to main control MCU, is sent to terminal by main control MCU.If
No, security application then waits user to confirm.At this point, main control MCU can control the screen display prompts movement of portable device, and examine
Survey the confirmation instruction of user's input.Prompt security application generates authentication signature after the confirmation for detecting user instructs.
Wherein, above-mentioned ID authentication request processing method can refer to shown in Figure 13, as Figure 13 is shown in one embodiment
The flow diagram of portable device progress ID authentication request processing.Portable device after receiving ID authentication request,
The communication connection mode of judgement and terminal.When being default near field communication mode, then quickly signature process is walked, that is,
Directly generate authentication signature.When for non-default near field communication mode, then Standard signatures process is walked, generates certification label
Name.Wherein, Standard signatures process is as shown in figure 14, and Figure 14 shows the flow diagram of one embodiment Plays signature.When
When the communication connection of portable device and terminal is non-default near field communication mode, portable device then waits user to award
Power, authorization then generate authentication signature after passing through.The interface schematic diagram of user's authorization refers to Figure 15, and as shown in figure 15, Figure 15 is shown
The interface schematic diagram of user's authorization is waited in one embodiment.Display interface is to prompt to use in terminal display interface on the left of Figure 15
The schematic diagram that family is confirmed on portable devices, the right side Figure 15 are waiting user's input validation instruction of portable terminal
Display interface, user " double-click and confirm " according to guide, and double-clicking portable device can be completed confirmation operation.
Specifically, the request message for the ID authentication request that server is generated according to APDU format is as follows:
Coding | Value |
CLA | “80” |
INS | “32” |
P1 | “00” |
P2 | “00” |
LC | “XX” |
Data field | request-data |
Le | Nothing |
Wherein, the content of request-data can specifically include: reserved field (Control), parameters for authentication
(Challenge), application identities (AppID), cipher key index length (KeyIndex Length) and cipher key index
(KeyIndex)。
In one embodiment, the request message of ID authentication request specifically may is that 8032000000006403DA009
671392A4F83B25CE544E05BCA302549A4CA955BB1E C6E07FEDD57ED036C630DCD2966C433669
1125448BBB25B4FF412A49C732D B2C8ABC1B8581BD710DD2242634EA7B39247189166C535CFD
03E14BE9940269D22EBDDC61CEA78C0E1B7930000.Wherein, " 80320000 " are command headers, comprising CLA,
INS, P1 and P2." 000064 " is LC, i.e. the length of request-data." 03 " is reserved field;
" DA009671392A4F83B25CE544E05BCA302549A4CA955BB1EC6E07FEDD 57E D036C " is parameters for authentication
Challenge;"630DCD2966C4336691125448BBB25B4FF412A49C732DB2C8ABC1B8581BD710DD"
It is application identities AppID;" 22 " are cipher key index length KeyIndex Length;"42634EA7B39247189166C535CF
D03E14BE9940269D22EBD DC61CEA78C0E1B7930000 " is cipher key index KeyIndex.
Portable device is as follows according to the response message content that ID authentication request is fed back:
Le<response-data> | SW1 | SW2 |
Wherein, the content of the response-data of response message may include: that user has mark (User
Presence), current count value (Counter) and authentication signature (Signature).Wherein, user, which exists, is identified as fixed value
"01".In one embodiment, authentication signature includes the following contents: there is mark (User in application identities (AppID), user
Presence), current count value (Counter) and parameters for authentication (Challenge).
In one embodiment, the response message of portable device feedback specifically may is that 0100000001304602210
0FAF11F21DED8C4117009F655DDFF9D0590F75637DFB8F769460539E888C9E947022100C54A60
10F9A294EE6494E3DC352EE57CC0E7607732A2A05C07B0D6044F0036199000.Wherein, " 01 " is to use
There is mark User presence in family." 00000001 " is current count value Counter."3046022100FAF11F21DED8
C4117009F655DDFF9D0590F75637DFB8F769460539E888C9E947022100C54A6010F9A294EE649
4E3DC352EE57CC0E7607732A2A05C07B0D6044F003619 " is authentication signature Signature." 9000 " are lives
Writ state, that is, SW1 and SW2 indicate order successful execution.
Figure 16 is the applied environment figure of equipment replacement method in one embodiment.Referring to Fig.1 6, which answers
For equipment replacement system.The equipment replacement system includes terminal 110, portable device 130 and service platform 140.Terminal 110
Pass through network connection with service platform 140.Service platform 140 can use the either multiple server compositions of independent server
Server cluster is realized.
As shown in figure 17, in one embodiment, a kind of equipment replacement method is provided.The present embodiment is mainly in this way
It is illustrated applied to the portable device 130 in above-mentioned Figure 16.Referring to Fig.1 7, which specifically includes as follows
Step:
S1702 obtains the equipment replacement order from service platform.
In one embodiment, user can be reset by terminal initiating equipment and be requested, and terminal is by being connected to the network equipment
Resetting request is forwarded to service platform, and server generates corresponding equipment replacement order after receiving equipment replacement request, and will
Equipment replacement order feeds back to terminal.Equipment replacement order is forwarded to portable by terminal by the communication with portable device
Equipment.
In one embodiment, user can be reset by portable device initiating equipment and be requested, and portable device can pass through
Equipment replacement request is reported to service platform by terminal, or directly reports to service platform by network connection.Service platform
After receiving equipment replacement request, corresponding equipment replacement order is generated, and equipment replacement order is fed back to just by terminal
Portable device, or portable device is directly fed back to by network connection.
In one embodiment, service platform generates corresponding equipment replacement order after receiving equipment replacement request, takes
When equipment replacement order is fed back to portable device by business platform, it can be based on request-response mechanism, i.e. requesting party sends request and disappears
Cease responder, responder's returning response message to requesting party.
For example, service platform can be ordered based on APDU format to terminal or the resetting of portable device sending device.If
Standby resetting order i.e. request message, the message format of request message are as follows:
CLA | INS | P1 | P2 | Lc<request-data> | Le |
Correspondingly, when the equipment replacement order that portable device forwards terminal responds, the lattice of response message
Formula is as follows:
Le<response-data> | SW1 | SW2 |
When portable device successfully completes equipment replacement, Le<response-data>is sky, is returned only to state encoding,
Such as " 9000 ", indicate order successful execution.
S1704, from equipment replacement order extract equipment public key and the first equipment public key signature;First equipment public key signature is
Equipment public key encryption is generated using the platform private key of service platform.
Specifically, the equipment replacement order that service platform generates may include equipment public key and the first equipment public key signature.
Wherein, equipment public key can be what portable device generated upon activation, and be sent to service platform or service platform
It is pre-stored.First equipment public key signature is that service platform generates equipment public key encryption using platform private key, and encryption is calculated
ECC or SM2 Encryption Algorithm can be used in method.Portable device obtains after the equipment replacement order of service platform, can be from setting
Standby resetting order extract equipment public key and the first equipment public key signature.
S1706 reads local pre-land public key corresponding with platform private key.
Specifically, portable device in process of production can in portable device pre-land public key.It is set when portable
The standby equipment replacement order obtained from service platform is extracted from equipment replacement order using the generation of platform private key encryption
After first equipment public key signature, local pre-land public key corresponding with platform private key can be read.
S1708 decrypts equipment public key from the first equipment public key signature according to pre-land public key.
It specifically, can be according to pre-land public key from the first equipment public key after portable device reads pre-land public key
Equipment public key is decrypted using corresponding decipherment algorithm in signature.
S1710 is then held when the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts
The movement of row equipment replacement.
In one embodiment, the comparable equipment public key extracted of portable device and local equipment public key whether one
It causes, when consistent, then compares the equipment public key decrypted and whether the equipment public key of extraction is consistent, when consistent, then execute and set
Standby resetting acts.
In one embodiment, portable device can compare the equipment public key of extraction, local equipment public key reconciliation two-by-two
Whether close equipment public key out is consistent, when three is consistent, then executes equipment replacement movement.
Above equipment remapping method is ordered when getting from the equipment replacement order of service platform from equipment replacement
Extract equipment public key and the first equipment public key signature generated using the platform private key encryption of service platform in name.Further according to local
Preset platform public key decrypts equipment public key from the first equipment public key signature, equipment public key, local equipment when extraction
When public key and the consistent equipment public key decrypted, then can determine whether obtain equipment replacement name be it is legal, at this time execute set
Standby resetting acts.In this way, can simply and efficiently be authenticated to equipment replacement order by pre-land public key, avoids and pass through
The unsafe problem of terminal storage key.Also, write the case where portable device need to be transferred the possession of or lose can also complete it is portable
The resetting of equipment acts, and solves security risk existing for portable device.
In one embodiment, equipment replacement method further includes the steps that device activation, which specifically includes: reception is set
Standby activation instruction;Generating device key pair is instructed according to device activation;Device keys are to including device private and corresponding equipment
Public key;Equipment public key is reported into service platform;The equipment public key reported is for generating the first equipment public key signature.
In above-described embodiment, generating device key pair is instructed according to device activation, wherein device keys are to public including equipment
Key and device private.By the way that equipment public key is reported to service platform, it may make that service platform is raw according to the equipment public key reported
At the first equipment public key signature, further generating device resetting order.
In one embodiment, the step of equipment public key being reported to service platform specifically includes: according to preset manufacturer
Private key encrypts equipment public key, obtains the second equipment public key signature;Equipment public key and the second equipment public key signature are transmitted
To service platform, the second equipment public key signature is used to indicate service platform according to manufacturer's public key decryptions the second equipment public key signature,
The equipment public key of storage transmitting when the equipment public key that decryption obtains is consistent with the equipment public key of transmitting.
In above-described embodiment, by preset manufacturer's private key encryption equipment public key with generate the second equipment public key signature and on
It reports to service platform.Whether service platform verifies the second equipment public key signature by pre-stored manufacturer's public key correct, such as
Fruit correctly then saves equipment public key.In this way, being transmitted by being encrypted to equipment public key with generating the second equipment public key signature
Equipment public key, can ensure the source side of the second equipment public key signature be it is legal, ensure that the equipment of service platform storage is public with this
Key is legal and correct.
In concrete application scene, user can be reset by terminal initiating equipment and be requested.For example, as shown in figure 18, Figure 18
It shows user and passes through the interface schematic diagram of mobile terminal initiating equipment resetting request.As shown in figure 18, user can click terminal
In " intelligent device management V2 " mark, can point by portable device close to after terminal according to the signal language of terminal " invitation card card "
Hit " resetting " button, triggering equipment replacement request.
As shown in figure 19, in one specifically embodiment, the flow chart of equipment replacement method is as shown in figure 19.It is portable
Equipment pre-land public key in process of production.The generating device key pair in device activation, and equipment public key is reported into clothes
Business platform.The resetting request of terminal initiating equipment, service platform audit generate corresponding equipment replacement order after the approval, and
Portable device is forwarded to by terminal.Portable device according to equipment extract equipment resetting order in equipment public key, and and
The equipment public key generated when activation is compared.If consistent, according to preset platform public key decryptions the first equipment public key signature,
The equipment public key decrypted.Whether the equipment public key after portable device verifying decryption is correct, if correctly, executing equipment weight
Set movement.If incorrect, termination device resetting.
In one embodiment, the command message that portable device receives when pre-land public key is as follows:
F00201000000410410C26685D9ECC1A797CB0E15F7BAC987699E83077CBA131A759906D051694
76F6C85864CE83AC5490DB16752BF2653EB4ECB09688742D BE1819933F6A01F65F2.Wherein,
" F0020100 " is command id." 000041 " is the length of request-data."0410C26685D9ECC1A797CB0E15
F7BAC987699E83077CBA131A759906D05169476F6C85864CE83AC5490DB16752BF2653EB4ECB0
9688742DBE1819933F6A01F65F2 " is platform public key.After portable device receives above-mentioned request message, storage is flat
Platform public key, and feedback response message is as follows: 9000.Wherein, " 9000 " indicate order successful execution.
In one embodiment, during activating portable device, the received device activation instruction of portable device
Message content includes: 80200000000000.Wherein, " 80200000 " are device activation command ids." 000000 " is
The length of request-data.Device activation instructs portable device based on the received, generating device key pair, and returning response
Message is as follows: 0492D868371C9648C09FB745BD33DC113574E2BD150644AAEB75B7BF 32C24444A70F
B00A932964FF781BA434AB7C466CF3FC03DF54CB2A78066342DAEF1A2B2BED9000.Wherein,
“0492D868371C9648C09FB745BD33DC113574E2BD150644AAEB75B7BF32C24444A70FB00A9329
64FF781BA434AB7C466CF3FC03DF54CB2A78066342DAEF1A2B2BED " is equipment public key." 9000 " are loud
Answer state.
In one embodiment, the request message content of the received equipment replacement order of portable device is as follows:
“802E00000000880492D868371C9648C09FB745BD33DC113574E2BD150644AA
EB75B7BF32C24444A70FB00A932964FF781BA434AB7C466CF3FC03DF54CB2A78066342DAEF1A2
B2BED304502203B52FA7C708C4217C18495883EA5082561B7EE142336BB2E0E043DCC8F4A1F2B
022100A3E2B656973C0E460D523B2454B27B80DA31E21432E2E2F80FC508EB6A1EA3B4".Wherein,
" 802E0000 " is command id." 000088 " is the length of request-data."0492D868371C9648C09FB745BD
33DC113574E2BD150644AAEB75B7BF32C24444A70FB00A932964FF781BA434AB7C466CF3FC03D
F54CB2A78066342DAEF1A2B2BED " is equipment public key."304502203B52FA7C708C4217C18495883EA50
82561B7EE142336BB2E0E043DCC8F4A1F2B022100A3E2B656973C0E460D523B2454B27B80DA31
E21432E2E2F80FC508EB6A1EA3B4 " is using the first equipment public key signature obtained after platform private key signature.It is portable
After formula equipment receives above-mentioned request message, is verified according to local equipment public key and preset platform public key, work as verifying
Feedback response message is as follows when success: 9000.Wherein, " 9000 " indicate order successful execution.It, may feedback sound if unsuccessful
Answer message " 6A80 ", expression parameter mistake.
As shown in figure 20, in one embodiment, a kind of ID authentication request processing unit 2000 is provided, comprising: build
Formwork erection block 2001, receiving module 2002, generation module 2003 and sending module 2004.
Module 2001 is established, for establishing and the communication connection of terminal.
Receiving module 2002, the ID authentication request forwarded for receiving terminal.
Generation module 2003 is used for when communication connection is using default near field communication mode, then directly according to body
Part certification request generates authentication signature.
Generation module 2003 is also used to when communication connection is using non-default near field communication mode, then etc. to be entered
Confirmation instruction, and detect input confirmation instruction when according to ID authentication request generate authentication signature.
Sending module 2004, for authentication signature to be sent to terminal;Authentication signature is used to indicate terminal for authentication signature
On respond with carry out authentication.
Above-mentioned ID authentication request processing unit receives what terminal was forwarded by establishing the communication connection with terminal room
ID authentication request.It is when communication connection is using default near field communication mode, then directly raw according to ID authentication request
At authentication signature.It may insure the safety of portable device communication due to presetting near field communication, it can direct root
Authentication signature is generated according to ID authentication request, realizes quick authentication.When communication connection is connected using non-default short-range communication
When connecing mode, there may be the security risks of portable device communication under this environment, then etc. confirmation to be entered instruction, is being detected
To input confirmation instruction when according to ID authentication request generate authentication signature.There may be the communication modes of security risk
Under, it needs user actively to do and confirms, regenerate authentication signature, can ensure the safety of terminal and portable device communication.Just
After portable device generates authentication signature, authentication signature is sent to terminal by communicating to connect, terminal again reports authentication signature
To carry out authentication.In this way, the communication connection mode of distinguishing terminal and portable device, different certification stream is respectively adopted
Cheng Shengcheng authentication signature is greatly improved the safety that portable device carries out secondary identities certification.
In one embodiment, generation module 2003 be also used to extract from ID authentication request using key ID information and
Parameters for authentication;Inquiry applies private key with using key ID information is corresponding;Parameters for authentication is encrypted according to application private key and is obtained
Authentication signature.
In above-described embodiment, extract from ID authentication request using key ID information and parameters for authentication, further according to
Private key is applied accordingly using key ID information inquiry, and parameters for authentication is encrypted using private key by what is inquired, is obtained
To authentication signature.In this way, authentication signature just it is related to the authentication information in ID authentication request, also with portable device sheet
It is related that private key is applied on ground accordingly, thus can verify the identity and corresponding information of both sides, substantially increases portable device
Carry out the safety of secondary identities certification.
In one embodiment, ID authentication request processing unit 2000 further includes counting module 2005.Counting module
2005 for obtaining current count value from increasing for the count value being locally stored after receiving ID authentication request.Generation module
2003 are also used to encrypt parameters for authentication and current count value according to application private key, obtain authentication signature.Sending module 2004 is also
For authentication signature and current count value to be sent to terminal by communicating to connect.
In above-described embodiment, by the way that after receiving ID authentication request, the count value being locally stored is worked as from increasing
Preceding count value encrypts parameters for authentication and current count value further according to application private key, obtains authentication signature.Can both it guarantee in this way
Each authentication signature is all different in authentication procedures, prevented also from the Replay Attack to server, further improves
The safety of portable device progress secondary identities certification.
In one embodiment, ID authentication request is sent to after terminal by server and is forwarded by terminal;Authentication signature
It is sent to after terminal with current count value and server is reported to by terminal;Authentication signature, being used to indicate terminal will be in authentication signature
After report to server, application public key decryptions authentication signature corresponding with application key ID information is used by server, is recognized
Parameter and current count value are demonstrate,proved, the parameters for authentication that the parameters for authentication and current count value that decryption is obtained are stored with server respectively
Compare with the current count value reported, to carry out authentication.
In above-described embodiment, portable device is forwarded to by terminal after server transmission ID authentication request, it is portable to set
It is standby that authentication signature is generated according to ID authentication request, and authentication signature and current count value are sent to terminal, it is reported by terminal
To server.Server is again using applying public key decryptions authentication signature accordingly and being checked, to carry out authentication.This
Terminal may be implemented as operating side in sample, and separation of the portable device as authentication end can ensure the safety of operation.
In one embodiment, ID authentication request processing unit 2000 further includes obtaining module 2006, encrypting module
2007 and reporting module 2008.
Module 2006 is obtained, applies register instruction for obtaining.
Generation module 2003 is also used to be generated according to application register instruction using key pair;It include that application is private using key pair
Key applies public key with corresponding.
Encrypting module 2007, for being encrypted according to local device private to using public key, be applied public key label
Name.
Reporting module 2008 is used for that will apply public key and report to server using public key signature using public key signature
In instruction server according to equipment public key decryptions application the public key signature stored, when decryption obtain using public key with report
The application public key reported is stored when consistent using public key.
It in above-described embodiment, is generated by application register instruction and applies key pair, public key is applied by device private encryption
To generate using public key signature and report to server.Server is verified by pre-stored equipment public key using public key label
Whether name is correct, and what preservation reported if correct applies public key.In this way, by being encrypted to using public key to generate application
Public key signature can ensure using the source side of public key signature it is legal to transmit using public key, ensure that server stores with this
Application public key be legal and correct.
It in one embodiment, include application identities and cipher key index using key ID information;And/or default low coverage
It include near-field communication connection type from communication connection mode.
In one embodiment, generation module 2003 is also used to use non-default near field communication side when communication connection
When formula, then triggering is used to indicate the prompting movement of input validation instruction;Locally it is set to the state of the confirmation instruction of detection input;?
State is exited when detecting the confirmation instruction of input, and authentication signature is generated according to ID authentication request.
In above-described embodiment, when communication connection is using non-default near field communication mode, triggering is used to indicate defeated
The prompting movement for entering confirmation instruction, may remind the user that and authorized.It will be locally set to the state of the confirmation instruction of detection input,
After user's authorization, that is, user has input after confirmation instructs and just generates authentication signature, Ke Yitong according to ID authentication request
The mode of user's participation is crossed to reinforce the safety that portable device carries out secondary identities certification.
As shown in figure 21, in one embodiment, ID authentication request processing unit 2000 further include read module 2009,
Deciphering module 2010 and execution module 2011.
It obtains module 2006 and is also used to obtain the equipment replacement order from service platform.
Module 2006 is obtained to be also used to from equipment replacement order extract equipment public key and the first equipment public key signature;First sets
Standby public key signature is to be generated using the platform private key of service platform to equipment public key encryption.
Read module 2009 is also used to read local pre-land public key corresponding with platform private key.
Deciphering module 2010, for decrypting equipment public key from the first equipment public key signature according to pre-land public key.
Execution module 2011, for when the equipment public key extracted, local equipment public key and the equipment public key decrypted
When consistent, then equipment replacement movement is executed.
In above-described embodiment, when getting from the equipment replacement order of service platform, from equipment replacement name
First equipment public key signature of extract equipment public key and the platform private key encryption generation using service platform.Further according to local preset
Platform public key decrypt equipment public key from the first equipment public key signature, equipment public key, local equipment public key when extraction
And the equipment public key that decrypts it is consistent when, then can determine whether the equipment replacement obtained name be it is legal, execute equipment weight at this time
Set movement.In this way, can simply and efficiently be authenticated to equipment replacement order by pre-land public key, avoids and pass through terminal
Store the unsafe problem of key.Also, portable device can also be completed by writing the case where portable device need to be transferred the possession of or lose
Resetting movement, solve security risk existing for portable device.
In one embodiment, it obtains module 2006 and is also used to receiving device activation instruction.Generation module 2003 is also used to
Generating device key pair is instructed according to device activation;Device keys are to including device private and corresponding equipment public key.Report mould
Block 2008 is also used to equipment public key reporting to service platform;The equipment public key reported is for generating the first equipment public key signature.
In above-described embodiment, generating device key pair is instructed according to device activation, wherein device keys are to public including equipment
Key and device private.By the way that equipment public key is reported to service platform, it may make that service platform is raw according to the equipment public key reported
At the first equipment public key signature, further generating device resetting order.
In one embodiment, reporting module 2008 is also used to add equipment public key according to preset manufacturer's private key
It is close, obtain the second equipment public key signature;Equipment public key and the second equipment public key signature are transferred to service platform, the second equipment is public
Key signature is used to indicate service platform according to manufacturer's public key decryptions the second equipment public key signature, the equipment public key that obtains when decryption and
The equipment public key of storage transmitting when the equipment public key of transmitting is consistent.
In above-described embodiment, by preset manufacturer's private key encryption equipment public key with generate the second equipment public key signature and on
It reports to service platform.Whether service platform verifies the second equipment public key signature by pre-stored manufacturer's public key correct, such as
Fruit correctly then saves equipment public key.In this way, being transmitted by being encrypted to equipment public key with generating the second equipment public key signature
Equipment public key, can ensure the source side of the second equipment public key signature be it is legal, ensure that the equipment of service platform storage is public with this
Key is legal and correct.
As shown in figure 22, in one embodiment, a kind of equipment replacement device 2200 is provided, comprising: obtain module
2201, extraction module 2202, read module 2203, deciphering module 2204 and execution module 2205.
Module 2201 is obtained, for obtaining the equipment replacement order from service platform;
Extraction module 2202 is used for from equipment replacement order extract equipment public key and the first equipment public key signature;First sets
Standby public key signature is to be generated using the platform private key of service platform to equipment public key encryption;
Read module 2203, for reading local pre-land public key corresponding with platform private key;
Deciphering module 2204, for decrypting equipment public key from the first equipment public key signature according to pre-land public key;
Execution module 2205, for when the equipment public key extracted, local equipment public key and the equipment public key decrypted
When consistent, then equipment replacement movement is executed.
Above equipment reset apparatus is ordered when getting from the equipment replacement order of service platform from equipment replacement
Extract equipment public key and the first equipment public key signature generated using the platform private key encryption of service platform in name.Further according to local
Preset platform public key decrypts equipment public key from the first equipment public key signature, equipment public key, local equipment when extraction
When public key and the consistent equipment public key decrypted, then can determine whether obtain equipment replacement name be it is legal, at this time execute set
Standby resetting acts.In this way, can simply and efficiently be authenticated to equipment replacement order by pre-land public key, avoids and pass through
The unsafe problem of terminal storage key.Also, write the case where portable device need to be transferred the possession of or lose can also complete it is portable
The resetting of equipment acts, and solves security risk existing for portable device.
As shown in figure 23, in one embodiment, equipment replacement device 2200 further includes receiving module 2206, generation module
2207 and reporting module 2208:
Receiving module 2206 is used for receiving device activation instruction;
Generation module 2207, for instructing generating device key pair according to device activation;Device keys are to private including equipment
Key and corresponding equipment public key;
Reporting module 2208, for equipment public key to be reported to service platform;The equipment public key reported is for generating first
Equipment public key signature.
In above-described embodiment, generating device key pair is instructed according to device activation, wherein device keys are to public including equipment
Key and device private.By the way that equipment public key is reported to service platform, it may make that service platform is raw according to the equipment public key reported
At the first equipment public key signature, further generating device resetting order.
In one embodiment, reporting module 2208 is also used to add equipment public key according to preset manufacturer's private key
It is close, obtain the second equipment public key signature;Equipment public key and the second equipment public key signature are transferred to service platform, the second equipment is public
Key signature is used to indicate service platform according to manufacturer's public key decryptions the second equipment public key signature, the equipment public key that obtains when decryption and
The equipment public key of storage transmitting when the equipment public key of transmitting is consistent.
In above-described embodiment, by preset manufacturer's private key encryption equipment public key with generate the second equipment public key signature and on
It reports to service platform.Whether service platform verifies the second equipment public key signature by pre-stored manufacturer's public key correct, such as
Fruit correctly then saves equipment public key.In this way, being transmitted by being encrypted to equipment public key with generating the second equipment public key signature
Equipment public key, can ensure the source side of the second equipment public key signature be it is legal, ensure that the equipment of service platform storage is public with this
Key is legal and correct.
Figure 24 shows the internal structure chart of computer equipment in one embodiment.The computer equipment specifically can be figure
Portable device 130 in 1 or Figure 16.As shown in figure 24, it includes passing through system which, which includes the computer equipment,
Processor, memory and the network interface of bus connection.Wherein, memory includes non-volatile memory medium and built-in storage.
The non-volatile memory medium of the computer equipment is stored with operating system, can also be stored with computer program, the computer journey
When sequence is executed by processor, processor may make to realize authentication request processing and/or equipment replacement method.The built-in storage
In can also store computer program, when which is executed by processor, may make processor execute authentication ask
Ask processing and/or equipment replacement method.
It will be understood by those skilled in the art that structure shown in Figure 24, only part relevant to application scheme
The block diagram of structure, does not constitute the restriction for the computer equipment being applied thereon to application scheme, and specific computer is set
Standby may include perhaps combining certain components or with different component layouts than more or fewer components as shown in the figure.
In one embodiment, ID authentication request processing unit provided by the present application can be implemented as a kind of computer journey
The form of sequence, computer program can be run in computer equipment as of fig. 24.It can be deposited in the memory of computer equipment
Storage forms each program module of the ID authentication request processing unit and/or equipment replacement device, for example, building shown in Figure 20
Formwork erection block, receiving module, generation module and sending module.Also for example, acquisition module, extraction module shown in Figure 22, reading mould
Block, deciphering module and execution module.The computer program that each program module is constituted executes processor in this specification to retouch
Step in the ID authentication request processing method of each embodiment of the application stated.
For example, computer equipment shown in Figure 24 can be by ID authentication request processing unit as shown in figure 20
It establishes module and executes step S202.Receiving module executes step S204.Computer equipment can execute step by generation module
S206 and S208.Computer equipment can execute step S210 by sending module.
For example, computer equipment shown in Figure 24 can be by ID authentication request processing unit as shown in figure 17
It obtains module and executes step S1702.Computer equipment can execute step S1704 by extraction module.Computer equipment can pass through
Read module executes step S1706.Computer equipment can execute step S1708 by deciphering module.Computer equipment can pass through
Execution module executes step S1710.
In one embodiment, a kind of computer equipment, including memory and processor are provided, is stored in memory
Computer program, when computer program is executed by processor, so that processor executes following steps: passing through the communication with terminal room
Connection receives the ID authentication request that terminal is forwarded;When communication connection is using default near field communication mode, then directly
It connects and authentication signature is generated according to ID authentication request;When communication connection is using non-default near field communication mode, then etc.
Confirmation instruction to be entered, and authentication signature is generated according to ID authentication request in the confirmation instruction for detecting input;Pass through
Authentication signature is sent to terminal by communication connection;Authentication signature be used to indicate terminal will be responded in authentication signature carry out identity recognize
Card.
In one embodiment, computer program is executing processor according to ID authentication request generation authentication signature
Step when specifically execute following steps: extract from ID authentication request using key ID information and parameters for authentication;Inquiry with
Private key is applied accordingly using key ID information;Parameters for authentication is encrypted according to application private key and obtains authentication signature.
In one embodiment, computer program to go back processor execution following steps: asking receiving authentication
After asking, the count value being locally stored is obtained into current count value from increasing;According to application private key to parameters for authentication and current count value
Encryption obtains authentication signature;Authentication signature and current count value are sent to terminal by communicating to connect.
In one embodiment, ID authentication request is sent to after terminal by server and is forwarded by terminal;Authentication signature
It is sent to after terminal with current count value and server is reported to by terminal;Authentication signature, being used to indicate terminal will be in authentication signature
After report to server, application public key decryptions authentication signature corresponding with application key ID information is used by server, is recognized
Parameter and current count value are demonstrate,proved, the parameters for authentication that the parameters for authentication and current count value that decryption is obtained are stored with server respectively
Compare with the current count value reported, to carry out authentication.
In one embodiment, computer program to go back processor execution following steps: obtaining using register instruction;Root
It is generated according to application register instruction and applies key pair;It include using private key and accordingly using public key using key pair;According to local
Device private to encrypting using public key, be applied public key signature;It will be reported to using public key and using public key signature
Server is used to indicate server according to the equipment public key decryptions application public key signature stored using public key signature, works as decryption
What is obtained stores the application public key reported using public key with what is reported using public key when consistent.
It in one embodiment, include application identities and cipher key index using key ID information;And/or default low coverage
It include near-field communication connection type from communication connection mode.
In one embodiment, computer program is executing processor when communication connection is led to using non-default short distance
When believing connection type, then the confirmation to be entered instruction such as, and in the confirmation instruction for detecting input according to ID authentication request
Following steps are specifically executed when generating the step of authentication signature: when communication connection uses non-default near field communication mode
When, then triggering is used to indicate the prompting movement of input validation instruction;Locally it is set to the state of the confirmation instruction of detection input;It is examining
State is exited when measuring the confirmation instruction of input, and authentication signature is generated according to ID authentication request.
In one embodiment, computer program to go back processor execution following steps: obtaining from service platform
Equipment replacement order;From equipment replacement order extract equipment public key and the first equipment public key signature;First equipment public key signature,
It is to be generated using the platform private key of service platform to equipment public key encryption;It is public to read local pre-land corresponding with platform private key
Key;Equipment public key is decrypted from the first equipment public key signature according to pre-land public key;When the equipment public key, local of extraction
When equipment public key and the consistent equipment public key decrypted, then equipment replacement movement is executed.
In one embodiment, computer program to go back processor execution following steps: receiving device activation instruction;Root
Generating device key pair is instructed according to device activation;Device keys are to including device private and corresponding equipment public key;By equipment public affairs
Key reports to service platform;The equipment public key reported is for generating the first equipment public key signature.
In one embodiment, computer program makes processor execute the step that equipment public key is reported to service platform
Following steps are specifically executed when rapid: equipment public key being encrypted according to preset manufacturer's private key, obtains the second equipment public key label
Name;Equipment public key and the second equipment public key signature are transferred to service platform, it is flat that the second equipment public key signature is used to indicate service
Platform is according to manufacturer's public key decryptions the second equipment public key signature, when the equipment public key that decryption obtains is consistent with the equipment public key of transmitting
Store the equipment public key of transmitting.
Above-mentioned computer equipment receives the authentication that terminal is forwarded and asks by establishing the communication connection with terminal room
It asks.When communication connection is using default near field communication mode, then authentication signature is directly generated according to ID authentication request.
It may insure the safety of portable device communication due to presetting near field communication, can directly be asked according to authentication
Authentication signature is sought survival into, realizes quick authentication.When communication connection is using non-default near field communication mode, this ring
There may be the security risk of portable device communication, then the confirmation to be entered instructions such as, in the confirmation for detecting input under border
Authentication signature is generated according to ID authentication request when instruction.Under the communication mode there may be security risk, need to use householder
Dynamic do confirms, regenerates authentication signature, can ensure the safety of terminal and portable device communication.Portable device generation is recognized
After signed certificate name, authentication signature is sent to terminal by communicating to connect, terminal will respond with carry out authentication again in authentication signature.
In this way, the communication connection mode of distinguishing terminal and portable device, generates authentication signature so that different identifying procedures is respectively adopted,
It is greatly improved the safety that portable device carries out secondary identities certification.
In one embodiment, a kind of computer equipment, including memory and processor are provided, is stored in memory
Computer program, when computer program is executed by processor, so that processor executes following steps: obtaining from service platform
Equipment replacement order;From equipment replacement order extract equipment public key and the first equipment public key signature;First equipment public key signature,
It is to be generated using the platform private key of service platform to equipment public key encryption;It is public to read local pre-land corresponding with platform private key
Key;Equipment public key is decrypted from the first equipment public key signature according to pre-land public key;When the equipment public key, local of extraction
When equipment public key and the consistent equipment public key decrypted, then equipment replacement movement is executed.
In one embodiment, computer program to go back processor execution following steps: receiving device activation instruction;Root
Generating device key pair is instructed according to device activation;Device keys are to including device private and corresponding equipment public key;By equipment public affairs
Key reports to service platform;The equipment public key reported is for generating the first equipment public key signature.
In one embodiment, computer program makes processor execute the step that equipment public key is reported to service platform
Following steps are specifically executed when rapid: equipment public key being encrypted according to preset manufacturer's private key, obtains the second equipment public key label
Name;Equipment public key and the second equipment public key signature are transferred to service platform, it is flat that the second equipment public key signature is used to indicate service
Platform is according to manufacturer's public key decryptions the second equipment public key signature, when the equipment public key that decryption obtains is consistent with the equipment public key of transmitting
Store the equipment public key of transmitting.
Above-mentioned computer equipment is named when getting from the equipment replacement order of service platform from equipment replacement
First equipment public key signature of middle extract equipment public key and the platform private key encryption generation using service platform.Further according to local pre-
The platform public key set decrypts equipment public key from the first equipment public key signature, when the equipment public key of extraction, local equipment are public
When key and the consistent equipment public key decrypted, then can determine whether obtain equipment replacement name be it is legal, execute equipment at this time
Resetting movement.In this way, can simply and efficiently be authenticated to equipment replacement order by pre-land public key, avoids and pass through end
The end storage unsafe problem of key.Also, portable set can also be completed by writing the case where portable device need to be transferred the possession of or lose
Standby resetting movement, solves security risk existing for portable device.
A kind of computer readable storage medium, is stored with computer program, real when which is executed by processor
Existing following steps: by the communication connection with terminal room, the ID authentication request that terminal is forwarded is received;When communication connection uses
When default near field communication mode, then authentication signature is directly generated according to ID authentication request;When communication connection is using non-
When default near field communication mode, then the confirmation instruction to be entered such as, and in the confirmation instruction for detecting input according to
ID authentication request generates authentication signature;Authentication signature is sent to terminal by communicating to connect;Authentication signature is used to indicate end
End will respond with carry out authentication in authentication signature.
In one embodiment, computer program is executing processor according to ID authentication request generation authentication signature
Step when specifically execute following steps: extract from ID authentication request using key ID information and parameters for authentication;Inquiry with
Private key is applied accordingly using key ID information;Parameters for authentication is encrypted according to application private key and obtains authentication signature.
In one embodiment, computer program to go back processor execution following steps: asking receiving authentication
After asking, the count value being locally stored is obtained into current count value from increasing;According to application private key to parameters for authentication and current count value
Encryption obtains authentication signature;Authentication signature and current count value are sent to terminal by communicating to connect.
In one embodiment, ID authentication request is sent to after terminal by server and is forwarded by terminal;Authentication signature
It is sent to after terminal with current count value and server is reported to by terminal;Authentication signature, being used to indicate terminal will be in authentication signature
After report to server, application public key decryptions authentication signature corresponding with application key ID information is used by server, is recognized
Parameter and current count value are demonstrate,proved, the parameters for authentication that the parameters for authentication and current count value that decryption is obtained are stored with server respectively
Compare with the current count value reported, to carry out authentication.
In one embodiment, computer program to go back processor execution following steps: obtaining using register instruction;Root
It is generated according to application register instruction and applies key pair;It include using private key and accordingly using public key using key pair;According to local
Device private to encrypting using public key, be applied public key signature;It will be reported to using public key and using public key signature
Server is used to indicate server according to the equipment public key decryptions application public key signature stored using public key signature, works as decryption
What is obtained stores the application public key reported using public key with what is reported using public key when consistent.
It in one embodiment, include application identities and cipher key index using key ID information;And/or default low coverage
It include near-field communication connection type from communication connection mode.
In one embodiment, computer program is executing processor when communication connection is led to using non-default short distance
When believing connection type, then the confirmation to be entered instruction such as, and in the confirmation instruction for detecting input according to ID authentication request
Following steps are specifically executed when generating the step of authentication signature: when communication connection uses non-default near field communication mode
When, then triggering is used to indicate the prompting movement of input validation instruction;Locally it is set to the state of the confirmation instruction of detection input;It is examining
State is exited when measuring the confirmation instruction of input, and authentication signature is generated according to ID authentication request.
In one embodiment, computer program to go back processor execution following steps: obtaining from service platform
Equipment replacement order;From equipment replacement order extract equipment public key and the first equipment public key signature;First equipment public key signature,
It is to be generated using the platform private key of service platform to equipment public key encryption;It is public to read local pre-land corresponding with platform private key
Key;Equipment public key is decrypted from the first equipment public key signature according to pre-land public key;When the equipment public key, local of extraction
When equipment public key and the consistent equipment public key decrypted, then equipment replacement movement is executed.
In one embodiment, computer program to go back processor execution following steps: receiving device activation instruction;Root
Generating device key pair is instructed according to device activation;Device keys are to including device private and corresponding equipment public key;By equipment public affairs
Key reports to service platform;The equipment public key reported is for generating the first equipment public key signature.
In one embodiment, computer program makes processor execute the step that equipment public key is reported to service platform
Following steps are specifically executed when rapid: equipment public key being encrypted according to preset manufacturer's private key, obtains the second equipment public key label
Name;
Equipment public key and the second equipment public key signature are transferred to service platform, the second equipment public key signature is used to indicate clothes
Platform be engaged according to manufacturer's public key decryptions the second equipment public key signature, when the equipment public key one of decryption obtained equipment public key and transmitting
The equipment public key of storage transmitting when cause.
Above-mentioned computer readable storage medium receives the body that terminal is forwarded by establishing the communication connection with terminal room
Part certification request.When communication connection is using default near field communication mode, then directly generated according to ID authentication request
Authentication signature.It may insure the safety of portable device communication due to presetting near field communication, it can direct basis
ID authentication request generates authentication signature, realizes quick authentication.When communication connection uses non-default near field communication
When mode, there may be the security risks of portable device communication under this environment, then etc. confirmation to be entered instruction, is detecting
Authentication signature is generated according to ID authentication request when the confirmation instruction of input.Under the communication mode there may be security risk,
It needs user actively to do to confirm, regenerates authentication signature, can ensure the safety of terminal and portable device communication.It is portable
After equipment generates authentication signature, authentication signature is sent to by terminal by communication connection, terminal will be responded in authentication signature again into
Row authentication.In this way, the communication connection mode of distinguishing terminal and portable device, raw different identifying procedures is respectively adopted
At authentication signature, it is greatly improved the safety that portable device carries out secondary identities certification.
A kind of computer readable storage medium, is stored with computer program, real when which is executed by processor
Existing following steps: the equipment replacement order from service platform is obtained;From equipment replacement order extract equipment public key and first
Equipment public key signature;First equipment public key signature is to be generated using the platform private key of service platform to equipment public key encryption;It reads
Local pre-land public key corresponding with platform private key;It is decrypted and is set from the first equipment public key signature according to pre-land public key
Standby public key;When the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts, then equipment weight is executed
Set movement.
In one embodiment, computer program to go back processor execution following steps: receiving device activation instruction;Root
Generating device key pair is instructed according to device activation;Device keys are to including device private and corresponding equipment public key;By equipment public affairs
Key reports to service platform;The equipment public key reported is for generating the first equipment public key signature.
In one embodiment, computer program makes processor execute the step that equipment public key is reported to service platform
Following steps are specifically executed when rapid: equipment public key being encrypted according to preset manufacturer's private key, obtains the second equipment public key label
Name;Equipment public key and the second equipment public key signature are transferred to service platform, it is flat that the second equipment public key signature is used to indicate service
Platform is according to manufacturer's public key decryptions the second equipment public key signature, when the equipment public key that decryption obtains is consistent with the equipment public key of transmitting
Store the equipment public key of transmitting.
Above-mentioned computer readable storage medium, when getting from the equipment replacement order of service platform, from equipment
Extract equipment public key and the first equipment public key signature generated using the platform private key encryption of service platform in resetting name.Root again
Equipment public key is decrypted from the first equipment public key signature according to local preset platform public key, when the equipment public key of extraction, local
Equipment public key and the consistent equipment public key that decrypts when, then can determine whether the equipment replacement obtained name be it is legal, at this time
Execute equipment replacement movement.In this way, can simply and efficiently be authenticated to equipment replacement order by pre-land public key, avoid
Pass through terminal storage key unsafe problem.Also, writing the case where portable device need to be transferred the possession of or lose can also complete
The resetting of portable device acts, and solves security risk existing for portable device.
Those of ordinary skill in the art will appreciate that realizing all or part of the process in above-described embodiment method, being can be with
Relevant hardware is instructed to complete by computer program, the program can be stored in a non-volatile computer and can be read
In storage medium, the program is when being executed, it may include such as the process of the embodiment of above-mentioned each method.Wherein, provided herein
Each embodiment used in any reference to memory, storage, database or other media, may each comprise non-volatile
And/or volatile memory.Nonvolatile memory may include that read-only memory (ROM), programming ROM (PROM), electricity can be compiled
Journey ROM (EPROM), electrically erasable ROM (EEPROM) or flash memory.Volatile memory may include random access memory
(RAM) or external cache.By way of illustration and not limitation, RAM is available in many forms, such as static state RAM
(SRAM), dynamic ram (DRAM), synchronous dram (SDRAM), double data rate sdram (DDRSDRAM), enhanced SDRAM
(ESDRAM), synchronization link (Synchlink) DRAM (SLDRAM), memory bus (Rambus) directly RAM (RDRAM), straight
Connect memory bus dynamic ram (DRDRAM) and memory bus dynamic ram (RDRAM) etc..
Each technical characteristic of above embodiments can be combined arbitrarily, for simplicity of description, not to above-described embodiment
In each technical characteristic it is all possible combination be all described, as long as however, the combination of these technical characteristics be not present lance
Shield all should be considered as described in this specification.
The several embodiments of the application above described embodiment only expresses, the description thereof is more specific and detailed, but simultaneously
The limitation to the application the scope of the patents therefore cannot be interpreted as.It should be pointed out that for those of ordinary skill in the art
For, without departing from the concept of this application, various modifications and improvements can be made, these belong to the guarantor of the application
Protect range.Therefore, the scope of protection shall be subject to the appended claims for the application patent.
Claims (20)
1. a kind of ID authentication request processing method is applied to portable device, which comprises
Establish the communication connection with terminal;
Receive the ID authentication request that the terminal is forwarded;
When the communication connection is using default near field communication mode, then directly generated according to the ID authentication request
Authentication signature;
When the communication connection is using non-default near field communication mode, then the confirmation instruction to be entered such as, and examining
Authentication signature is generated according to the ID authentication request when measuring the confirmation instruction of input;
The authentication signature is sent to the terminal;The authentication signature is used to indicate the terminal will be in the authentication signature
Respond with carry out authentication.
2. the method according to claim 1, wherein described generate authentication signature according to the ID authentication request
Include:
It is extracted from the ID authentication request and applies key ID information and parameters for authentication;
Inquiry is corresponding with the application key ID information to apply private key;
The parameters for authentication is encrypted according to the application private key and obtains authentication signature.
3. according to the method described in claim 2, it is characterized in that, the method also includes:
After receiving the ID authentication request, the count value being locally stored is obtained into current count value from increasing;
Described encrypted according to the application private key to the parameters for authentication obtains authentication signature, comprising:
The parameters for authentication and the current count value are encrypted according to the application private key, obtain authentication signature;
It is described that the authentication signature is sent to the terminal, comprising:
The authentication signature and current count value are sent to the terminal by the communication connection.
4. according to the method described in claim 3, it is characterized in that, the ID authentication request is sent to the end by server
It is forwarded behind end by the terminal;The authentication signature and current count value are reported to after being sent to the terminal by the terminal
The server;
The authentication signature is used to indicate after the authentication signature reports to the server by the terminal, by the service
Device using authentication signature described in application public key decryptions corresponding with the application key ID information, obtain parameters for authentication with currently
Count value will decrypt parameters for authentication and report current that obtained parameters for authentication and current count value are stored with server respectively
Count value compares, to carry out authentication.
5. according to the method described in claim 4, it is characterized in that, the method also includes:
It obtains and applies register instruction;
It is generated according to the application register instruction and applies key pair;The application key pair includes using private key and corresponding application
Public key;
The application public key is encrypted according to local device private, be applied public key signature;
The application public key and the application public key signature are reported into the server, the application public key signature is used to indicate
The server applies public key signature according to the equipment public key decryptions stored, when what decryption obtained applies public key and report
Stored when consistent using public key report apply public key.
6. according to the method described in claim 2, it is characterized in that, the application key ID information includes application identities and close
Key index;And/or the default near field communication mode includes near-field communication connection type.
7. the method according to claim 1, wherein described logical using non-default short distance when the communication connection
When believing connection type, then the confirmation to be entered instruction such as, and in the confirmation instruction for detecting input according to the authentication
Request generates authentication signature, comprising:
When the communication connection is using non-default near field communication mode, then triggering is used to indicate input validation instruction
Prompting movement;
Locally it is set to the state of the confirmation instruction of detection input;
The state is exited in the confirmation instruction for detecting input, and authentication signature is generated according to the ID authentication request.
8. method according to any one of claims 1 to 7, which is characterized in that the method also includes:
Obtain the equipment replacement order from service platform;
From the equipment replacement order extract equipment public key and the first equipment public key signature;The first equipment public key signature is
The equipment public key encryption is generated using the platform private key of the service platform;
Read local pre-land public key corresponding with the platform private key;
Equipment public key is decrypted from the first equipment public key signature according to the pre-land public key;
When the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts, then equipment replacement is executed
Movement.
9. according to the method described in claim 8, it is characterized in that, the method also includes:
Receiving device activation instruction;
Generating device key pair is instructed according to the device activation;The device keys are to including device private and corresponding equipment
Public key;
The equipment public key is reported into the service platform;The equipment public key reported is for generating the first equipment public key signature.
10. according to the method described in claim 9, it is characterized in that, described that the equipment public key reported to the service is flat
Platform, comprising:
The equipment public key is encrypted according to preset manufacturer's private key, obtains the second equipment public key signature;
The equipment public key and the second equipment public key signature are transferred to the service platform, the second equipment public key label
Name is used to indicate the service platform second equipment public key signature according to manufacturer's public key decryptions, when the equipment that decryption obtains is public
The equipment public key of storage transmitting when key is consistent with the equipment public key of transmitting.
11. a kind of equipment replacement method is applied to portable device, which comprises
Obtain the equipment replacement order from service platform;
From the equipment replacement order extract equipment public key and the first equipment public key signature;The first equipment public key signature is to adopt
The equipment public key encryption is generated with the platform private key of the service platform;
Read local pre-land public key corresponding with the platform private key;
Equipment public key is decrypted from the first equipment public key signature according to the pre-land public key;
When the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts, then equipment replacement is executed
Movement.
12. according to the method for claim 11, which is characterized in that the method also includes:
Receiving device activation instruction;
Generating device key pair is instructed according to the device activation;The device keys are to including device private and corresponding equipment
Public key;
The equipment public key is reported into the service platform;The equipment public key reported is for generating the first equipment public key signature.
13. according to the method for claim 12, which is characterized in that described that the equipment public key reported to the service is flat
Platform, comprising:
The equipment public key is encrypted according to preset manufacturer's private key, obtains the second equipment public key signature;
The equipment public key and the second equipment public key signature are transferred to the service platform, the second equipment public key label
Name is used to indicate the service platform second equipment public key signature according to manufacturer's public key decryptions, when the equipment that decryption obtains is public
The equipment public key of storage transmitting when key is consistent with the equipment public key of transmitting.
14. a kind of ID authentication request processing unit, it is applied to portable device, which is characterized in that described device includes:
Module is established, for establishing and the communication connection of terminal;
Receiving module, the ID authentication request forwarded for receiving the terminal;
Generation module is used for when the communication connection is using default near field communication mode, then directly according to the body
Part certification request generates authentication signature;
The generation module is also used to when the communication connection is using non-default near field communication mode, then etc. to be entered
Confirmation instruction, and detect input confirmation instruction when according to the ID authentication request generate authentication signature;
Sending module, for the authentication signature to be sent to the terminal by the communication connection;The authentication signature is used
Carry out authentication will be responded in the authentication signature in the instruction terminal.
15. device according to claim 14, which is characterized in that the generation module is also used to ask from the authentication
Ask extraction using key ID information and parameters for authentication;Inquiry is corresponding with the application key ID information to apply private key;Root
The parameters for authentication is encrypted according to the application private key and obtains authentication signature.
16. device according to claim 15, which is characterized in that the ID authentication request processing unit further includes counting
Module:
Counting module, for after receiving the ID authentication request, the count value being locally stored currently to be counted from increasing
Numerical value;
The generation module is also used to encrypt the parameters for authentication and the current count value according to the application private key, obtains
Authentication signature;
The sending module is also used to that the authentication signature and current count value are sent to the end by the communication connection
End.
17. a kind of equipment replacement device, is applied to portable device, described device includes:
Module is obtained, for obtaining the equipment replacement order from service platform;
Extraction module is used for from the equipment replacement order extract equipment public key and the first equipment public key signature;Described first sets
Standby public key signature is to be generated using the platform private key of the service platform to the equipment public key encryption;
Read module, for reading local pre-land public key corresponding with the platform private key;
Deciphering module, for decrypting equipment public key from the first equipment public key signature according to the pre-land public key;
Execution module, for when the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts, then
Execute equipment replacement movement.
18. device according to claim 17, which is characterized in that described device further include receiving module, generation module and
Reporting module:
Receiving module is used for receiving device activation instruction;
Generation module, for instructing generating device key pair according to the device activation;The device keys are to private including equipment
Key and corresponding equipment public key;
Reporting module, for the equipment public key to be reported to the service platform;The equipment public key reported is for generating first
Equipment public key signature.
19. a kind of computer readable storage medium is stored with computer program, when the computer program is executed by processor,
So that the processor is executed such as the step of any one of claims 1 to 13 the method.
20. a kind of computer equipment, including memory and processor, the memory is stored with computer program, the calculating
When machine program is executed by the processor, so that the processor is executed such as any one of claims 1 to 13 the method
Step.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111315805.1A CN114039734B (en) | 2018-03-16 | 2018-03-16 | Device resetting method and device |
CN201810216813.2A CN110278083B (en) | 2018-03-16 | 2018-03-16 | Identity authentication request processing method and device, and equipment resetting method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810216813.2A CN110278083B (en) | 2018-03-16 | 2018-03-16 | Identity authentication request processing method and device, and equipment resetting method and device |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111315805.1A Division CN114039734B (en) | 2018-03-16 | 2018-03-16 | Device resetting method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110278083A true CN110278083A (en) | 2019-09-24 |
CN110278083B CN110278083B (en) | 2021-11-30 |
Family
ID=67957757
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810216813.2A Active CN110278083B (en) | 2018-03-16 | 2018-03-16 | Identity authentication request processing method and device, and equipment resetting method and device |
CN202111315805.1A Active CN114039734B (en) | 2018-03-16 | 2018-03-16 | Device resetting method and device |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111315805.1A Active CN114039734B (en) | 2018-03-16 | 2018-03-16 | Device resetting method and device |
Country Status (1)
Country | Link |
---|---|
CN (2) | CN110278083B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112887409A (en) * | 2021-01-27 | 2021-06-01 | 珠海格力电器股份有限公司 | Data processing system, method, device, equipment and storage medium |
CN113872765A (en) * | 2020-06-30 | 2021-12-31 | 华为技术有限公司 | Identity credential application method, identity authentication method, equipment and device |
CN113918266A (en) * | 2021-11-23 | 2022-01-11 | 成都泰盟软件有限公司 | Multi-terminal data synchronous response method based on local area network |
WO2022052780A1 (en) * | 2020-09-10 | 2022-03-17 | 华为技术有限公司 | Identity verification method and apparatus, and device and storage medium |
CN114697956A (en) * | 2022-01-26 | 2022-07-01 | 深圳市三诺数字科技有限公司 | Secure communication method based on double links and related equipment thereof |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103401844A (en) * | 2013-07-12 | 2013-11-20 | 天地融科技股份有限公司 | Operation request processing method and system |
CN104580175A (en) * | 2014-12-26 | 2015-04-29 | 深圳市兰丁科技有限公司 | Equipment authorization method and device |
CN105162605A (en) * | 2015-09-28 | 2015-12-16 | 东南大学 | Digital signature and authentication method |
CN105871867A (en) * | 2016-04-27 | 2016-08-17 | 腾讯科技(深圳)有限公司 | Identity authentication method, system and equipment |
CN106330854A (en) * | 2015-06-30 | 2017-01-11 | 三星电子株式会社 | MEthod for performing authentication and electronic device thereof |
CN106326695A (en) * | 2015-06-16 | 2017-01-11 | 联想(北京)有限公司 | Information processing method and electronic device |
CN106357679A (en) * | 2016-10-24 | 2017-01-25 | 北京明华联盟科技有限公司 | Method, system and client for password authentication, and server and intelligent equipment |
CN107423583A (en) * | 2017-07-18 | 2017-12-01 | 北京深思数盾科技股份有限公司 | A kind of software protecting device remapping method and device |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102011118367B4 (en) * | 2011-08-24 | 2017-02-09 | Deutsche Telekom Ag | Method for authenticating a telecommunication terminal comprising an identity module at a server device of a telecommunication network, use of an identity module, identity module and computer program |
CN103281188B (en) * | 2013-05-23 | 2016-09-14 | 天地融科技股份有限公司 | A kind of back up the method and system of private key in electronic signature token |
CN105656624A (en) * | 2016-02-29 | 2016-06-08 | 浪潮(北京)电子信息产业有限公司 | Client side, server and data transmission method and system |
CN106789018B (en) * | 2016-12-20 | 2019-10-08 | 百富计算机技术(深圳)有限公司 | Secret key remote acquisition methods and device |
CN107612940A (en) * | 2017-10-31 | 2018-01-19 | 飞天诚信科技股份有限公司 | A kind of identity identifying method and authentication device |
-
2018
- 2018-03-16 CN CN201810216813.2A patent/CN110278083B/en active Active
- 2018-03-16 CN CN202111315805.1A patent/CN114039734B/en active Active
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103401844A (en) * | 2013-07-12 | 2013-11-20 | 天地融科技股份有限公司 | Operation request processing method and system |
CN104580175A (en) * | 2014-12-26 | 2015-04-29 | 深圳市兰丁科技有限公司 | Equipment authorization method and device |
CN106326695A (en) * | 2015-06-16 | 2017-01-11 | 联想(北京)有限公司 | Information processing method and electronic device |
CN106330854A (en) * | 2015-06-30 | 2017-01-11 | 三星电子株式会社 | MEthod for performing authentication and electronic device thereof |
CN105162605A (en) * | 2015-09-28 | 2015-12-16 | 东南大学 | Digital signature and authentication method |
CN105871867A (en) * | 2016-04-27 | 2016-08-17 | 腾讯科技(深圳)有限公司 | Identity authentication method, system and equipment |
CN106357679A (en) * | 2016-10-24 | 2017-01-25 | 北京明华联盟科技有限公司 | Method, system and client for password authentication, and server and intelligent equipment |
CN107423583A (en) * | 2017-07-18 | 2017-12-01 | 北京深思数盾科技股份有限公司 | A kind of software protecting device remapping method and device |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113872765A (en) * | 2020-06-30 | 2021-12-31 | 华为技术有限公司 | Identity credential application method, identity authentication method, equipment and device |
CN113872765B (en) * | 2020-06-30 | 2023-02-03 | 华为技术有限公司 | Identity credential application method, identity authentication method, equipment and device |
WO2022052780A1 (en) * | 2020-09-10 | 2022-03-17 | 华为技术有限公司 | Identity verification method and apparatus, and device and storage medium |
CN112887409A (en) * | 2021-01-27 | 2021-06-01 | 珠海格力电器股份有限公司 | Data processing system, method, device, equipment and storage medium |
CN113918266A (en) * | 2021-11-23 | 2022-01-11 | 成都泰盟软件有限公司 | Multi-terminal data synchronous response method based on local area network |
CN114697956A (en) * | 2022-01-26 | 2022-07-01 | 深圳市三诺数字科技有限公司 | Secure communication method based on double links and related equipment thereof |
CN114697956B (en) * | 2022-01-26 | 2023-04-11 | 深圳市三诺数字科技有限公司 | Secure communication method and device based on double links |
Also Published As
Publication number | Publication date |
---|---|
CN110278083B (en) | 2021-11-30 |
CN114039734B (en) | 2023-03-24 |
CN114039734A (en) | 2022-02-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110278083A (en) | ID authentication request treating method and apparatus, equipment replacement method and apparatus | |
EP4081921B1 (en) | Contactless card personal identification system | |
CN110177354A (en) | A kind of wireless control method and system of vehicle | |
CN107341387A (en) | For the electronic stamp system and its control method strengthened safely | |
US11159329B2 (en) | Collaborative operating system | |
CN105722013A (en) | Bluetooth pairing method and device | |
CN105634737B (en) | Data transmission method, terminal and system | |
CN110662222B (en) | System and method for peer-to-peer wireless communication | |
CN102945526A (en) | Device and method for improving online payment security of mobile equipment | |
AU2011356179A1 (en) | Method for authenticating first communication equipment by means of second communication equipment | |
CN109274500A (en) | A kind of key downloading method, client, encryption device and terminal device | |
CN106790080A (en) | Secure communication of network method and apparatus between operation system and electronic certificate system | |
CN105325021B (en) | Method and apparatus for remote portable wireless device authentication | |
CA3205906A1 (en) | Establishing authentication persistence | |
CN105741116A (en) | Fast payment method, apparatus and system | |
CN112425116B (en) | Intelligent door lock wireless communication method, intelligent door lock, gateway and communication equipment | |
CN104735651A (en) | Method, system and device for safely transmitting data | |
CN107888376B (en) | NFC authentication system based on quantum communication network | |
CN106790078A (en) | Safety communicating method and device between a kind of SDK and electronic certificate system | |
CN107786978B (en) | NFC authentication system based on quantum encryption | |
CN104506509B (en) | A kind of authentication method based on multifunctional safe certification terminal | |
CN113593088A (en) | Intelligent unlocking method, intelligent lock, mobile terminal and server | |
CN106685931B (en) | Smart card application management method and system, terminal and smart card | |
KR101853970B1 (en) | Method for Relaying Authentication Number | |
CN106789013A (en) | Mutual trust and encipher-decipher method and device between a kind of door lock encryption chip and SDK |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |