CN110278083A - ID authentication request treating method and apparatus, equipment replacement method and apparatus - Google Patents

ID authentication request treating method and apparatus, equipment replacement method and apparatus Download PDF

Info

Publication number
CN110278083A
CN110278083A CN201810216813.2A CN201810216813A CN110278083A CN 110278083 A CN110278083 A CN 110278083A CN 201810216813 A CN201810216813 A CN 201810216813A CN 110278083 A CN110278083 A CN 110278083A
Authority
CN
China
Prior art keywords
public key
equipment
authentication
signature
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810216813.2A
Other languages
Chinese (zh)
Other versions
CN110278083B (en
Inventor
唐小飞
申子熹
王强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN202111315805.1A priority Critical patent/CN114039734B/en
Priority to CN201810216813.2A priority patent/CN110278083B/en
Publication of CN110278083A publication Critical patent/CN110278083A/en
Application granted granted Critical
Publication of CN110278083B publication Critical patent/CN110278083B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431Key distribution or pre-distribution; Key agreement
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Algebra (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephone Function (AREA)

Abstract

This application involves a kind of ID authentication request treating method and apparatus equipment replacement method and apparatus, the ID authentication request processing method includes: foundation and the communication connection of terminal;Receive the ID authentication request that the terminal is forwarded;When the communication connection is using default near field communication mode, then authentication signature is directly generated according to the ID authentication request;When the communication connection is using non-default near field communication mode, then the confirmation instruction to be entered such as, and authentication signature is generated according to the ID authentication request in the confirmation instruction for detecting input;The authentication signature is sent to the terminal;The authentication signature, which is used to indicate the terminal, will respond with carry out authentication in the authentication signature.The safety that portable device carries out secondary identities certification can be improved in scheme provided by the present application.

Description

ID authentication request treating method and apparatus, equipment replacement method and apparatus
Technical field
This application involves internet security technical fields, more particularly to a kind of ID authentication request processing method and dress It sets, equipment replacement method and apparatus.
Background technique
It is a large amount of universal with portable device With the fast development of internet, trojan horse, fishing are faced in terminal applies When the various safety problems such as fishnet station, more and more users by terminal when being operated, for example logs in application, account pipe Reason, network trading or resource transfers etc. connect for the safety for ensureing operation often through terminal and the wireless of portable device It connects, carries out secondary identities certification using portable device, to ensure the safety of operation.It is traditional by portable device into The scheme of row secondary identities certification, in order to improve treatment effeciency, often portable device is after receiving ID authentication request Direct automatic signature, to complete secondary identities certification.
However traditional scheme that secondary identities certification is carried out by portable device, it usually can be due to terminal and portable Equipment signal in communication is intercepted, malicious application calls portable device to be automatically performed signature or portable device loss etc. Situation, there are security risks.
Summary of the invention
Based on this, it is necessary to which there are the technologies of security risk to ask when for by portable device progress secondary identities certification Topic provides a kind of ID authentication request processing method, device, computer readable storage medium and computer equipment, equipment replacement Method, apparatus, computer readable storage medium and computer equipment.
A kind of ID authentication request processing method is applied to portable device, which comprises
Establish the communication connection with terminal;
Receive the ID authentication request that the terminal is forwarded;
When the communication connection is using default near field communication mode, then directly according to the ID authentication request Generate authentication signature;
When the communication connection is using non-default near field communication mode, then the confirmation instruction to be entered such as, and Authentication signature is generated according to the ID authentication request in the confirmation instruction for detecting input;
The authentication signature is sent to the terminal;The authentication signature is used to indicate the terminal and signs the certification Carry out authentication is responded in name.
A kind of ID authentication request processing unit, is applied to portable device, and described device includes:
Module is established, for establishing and the communication connection of terminal;
Receiving module, the ID authentication request forwarded for receiving the terminal;
Generation module is used for when the communication connection is using default near field communication mode, then directly according to institute It states ID authentication request and generates authentication signature;
The generation module is also used to then wait when the communication connection is using non-default near field communication mode The confirmation of input instructs, and generates authentication signature according to the ID authentication request in the confirmation instruction for detecting input;
Sending module, for the authentication signature to be sent to the terminal;The authentication signature is used to indicate the end End will respond with carry out authentication in the authentication signature.
A kind of computer readable storage medium is stored with computer program, when the computer program is executed by processor, So that the processor executes the step of ID authentication request processing method.
A kind of computer equipment, including memory and processor, the memory are stored with computer program, the calculating When machine program is executed by the processor, so that the step of processor executes the ID authentication request processing method.
Above-mentioned ID authentication request processing method, device, computer readable storage medium and computer equipment, pass through foundation With the communication connection of terminal room, the ID authentication request that terminal is forwarded is received.When communication connection is using default short-range communication When connection type, then authentication signature is directly generated according to ID authentication request.Since default near field communication may insure The safety of portable device communication, therefore authentication signature directly can be generated according to ID authentication request, realize that quick identity is recognized Card.When communication connection is using non-default near field communication mode, there may be portable device communications under this environment Security risk, then the confirmation to be entered instruction such as are recognized in the confirmation instruction for detecting input according to ID authentication request generation Signed certificate name.Under the communication mode there may be security risk, user is needed actively to do and confirm, regenerates authentication signature, it can be with Ensure the safety of terminal and portable device communication.It, will certification by communication connection after portable device generates authentication signature Signature is sent to terminal, and terminal will respond with carry out authentication again in authentication signature.In this way, distinguishing terminal and portable device Communication connection mode generates authentication signature so that different identifying procedures is respectively adopted, it is auxiliary to be greatly improved portable device progress Help the safety of authentication.
A kind of equipment replacement method is applied to portable device, which comprises
Obtain the equipment replacement order from service platform;
From the equipment replacement order extract equipment public key and the first equipment public key signature;The first equipment public key signature It is to be generated using the platform private key of the service platform to the equipment public key encryption;
Read local pre-land public key corresponding with the platform private key;
Equipment public key is decrypted from the first equipment public key signature according to the pre-land public key;
When the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts, then equipment is executed Resetting movement.
A kind of equipment replacement device, is applied to portable device, and described device includes:
Module is obtained, for obtaining the equipment replacement order from service platform;
Extraction module is used for from the equipment replacement order extract equipment public key and the first equipment public key signature;Described One equipment public key signature is to be generated using the platform private key of the service platform to the equipment public key encryption;
Read module, for reading local pre-land public key corresponding with the platform private key;
Deciphering module, for decrypting equipment public affairs from the first equipment public key signature according to the pre-land public key Key;
Execution module, the equipment public key for working as the equipment public key of the equipment public key extracted, local and decrypting are consistent When, then execute equipment replacement movement.
A kind of computer readable storage medium is stored with computer program, when the computer program is executed by processor, So that the processor executes the step of equipment replacement method.
A kind of computer equipment, including memory and processor, the memory are stored with computer program, the calculating When machine program is executed by the processor, so that the step of processor executes the equipment replacement method.
Above equipment remapping method, device, computer readable storage medium and computer equipment, when getting from clothes When the equipment replacement order of business platform, the platform private key of extract equipment public key and use service platform adds from equipment replacement name It is dense at the first equipment public key signature.It decrypts and sets from the first equipment public key signature further according to local preset platform public key Standby public key then can determine whether to obtain when the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts Equipment replacement name be it is legal, at this time execute equipment replacement movement.In this way, can be simply and efficiently by pre-land public key Equipment replacement order is authenticated, is avoided through the unsafe problem of terminal storage key.Also, it is needed in portable device The resetting movement that can also complete portable device is transferred the possession of or write the case where loss, it is hidden to solve safety existing for portable device Suffer from.
Detailed description of the invention
Fig. 1 is the applied environment figure of ID authentication request processing method in one embodiment;
Fig. 2 is the flow diagram of ID authentication request processing method in one embodiment;
Fig. 3 is the acquisition modes schematic diagram of ID authentication request in one embodiment;
Fig. 4 is flow diagram the step of generating authentication signature according to ID authentication request in one embodiment;
Fig. 5 is flow diagram the step of applying the generation of key pair in one embodiment;
Fig. 6 is the schematic diagram of the corresponding relationship of application identities and cipher key index and application key pair in one embodiment;
Fig. 7 be in one embodiment when communication connection is using non-default near field communication mode, then it is etc. to be entered Confirmation instruction, and detect input confirmation instruction when according to ID authentication request generate authentication signature the step of process Schematic diagram;
The flow diagram for the step of Fig. 8 is equipment replacement in one embodiment;
The flow diagram for the step of Fig. 9 is device activation in one embodiment;
Figure 10 is the flow diagram of ID authentication request processing method in another embodiment;
Figure 11 is the interface schematic diagram that user logs into application by mobile terminal using equipment in one embodiment;
Figure 12 is the timing diagram of ID authentication request processing method in one embodiment;
Figure 13 is the flow diagram that portable device carries out ID authentication request processing in one embodiment;
Figure 14 is the flow diagram of one embodiment Plays signature;
Figure 15 is the interface schematic diagram that user's authorization is waited in one embodiment;
Figure 16 is the applied environment figure of equipment replacement method in one embodiment;
Figure 17 is the flow diagram of equipment replacement method in one embodiment;
Figure 18 is that user passes through the interface schematic diagram of mobile terminal initiating equipment resetting request in one embodiment;
Figure 19 is the flow diagram of equipment replacement method in another embodiment;
Figure 20 is the structural block diagram of ID authentication request processing unit in one embodiment;
Figure 21 is the structural block diagram of ID authentication request processing unit in another embodiment;
Figure 22 is the structural block diagram of equipment replacement device in one embodiment;
Figure 23 is the structural block diagram of equipment replacement device in another embodiment;
Figure 24 is the structural block diagram of computer equipment in one embodiment.
Specific embodiment
It is with reference to the accompanying drawings and embodiments, right in order to which the objects, technical solutions and advantages of the application are more clearly understood The application is further elaborated.It should be appreciated that specific embodiment described herein is only used to explain the application, and It is not used in restriction the application.
Fig. 1 is the applied environment figure of ID authentication request processing method in one embodiment.Referring to Fig.1, the authentication Request processing method is applied to identity authorization system.The identity authorization system includes terminal 110, server 120 and portable sets Standby 130.Terminal 110 and server 120 pass through network connection.Terminal 110 and portable device 130 are by presetting short-range communication Connection type or non-default near field communication mode connect.Terminal 110 specifically can be terminal console or mobile terminal, move Dynamic terminal specifically can be at least one of mobile phone, tablet computer and laptop etc..Server 120 can use independent clothes The server cluster of business device either multiple servers composition is realized.Portable device 130 specifically can be Intelligent bracelet, intelligence Energy glasses, intelligent earphone or smartwatch etc..
As shown in Fig. 2, in one embodiment, providing a kind of ID authentication request processing method.The present embodiment is main It is applied to the portable device 130 in above-mentioned Fig. 1 in this way to illustrate.Referring to Fig. 2, the ID authentication request processing side Method specifically comprises the following steps:
S202 establishes the communication connection with terminal.
Wherein, communication connection is to establish data transmission channel to carry out data transmission, and communication connection includes wired communication link Connect and wirelessly communicate connection.Wherein, wire communication connection such as cable network connection or USB (Universal Serial Bus, Universal serial bus) interface communication connection etc.;Wireless communication connection, such as the connection of wireless network connection, Bluetooth communication or near field Communication connection etc..Wherein, Bluetooth communication is ISM band (the Industrial Scientific using 2.4-2.485GHz Medical Band, industrial scientific medical frequency range) UHF (Ultra High Frequency, superfrequency) airwave communication. Near-field communication (Near Field Communication, abbreviation NFC) is a kind of wireless communication of short distance high frequency, and working frequency is 13.56MHz。
Specifically, portable device can receive the communication request from terminal, be established and terminal according to communication request Communication connection.In one embodiment, terminal can actively initiate the connection the request of portable device, and portable device responds this and asks It asks, portable device can establish the link connection communicated with terminal at this time.By taking bluetooth connection as an example, terminal (main equipment, The equipment initiated the connection) bluetooth page can be opened from equipment (from equipment, that is, receiving the equipment of connection), portable device can be consolidated Determine interval scan outer loop.The paging will be responded when the paging that portable device scanning is initiated to terminal.In this way, terminal Communication connection is just established between portable device.
In one embodiment, terminal can initiate operation to server and ask, and server receives after the operation requests to terminal Feed back certification request.Terminal can show " Bluetooth communication connection " after receiving certification request on a display screen or " patch cartoon letters connect Connect " etc. printed words for user select.When user selects Bluetooth communication connection, terminal can open bluetooth equipment and page portable set It is standby.When user selects patch cartoon letters connection, terminal can open radiofrequency field, for example card reader detection pattern is spent built in unlatching, when User by portable device close to terminal when, terminal detects portable device, and establishes the communication connection with portable device.
In one embodiment, portable device can also opening network communication pattern, pass through wireless network or finite element network It establishes and communicates to connect with terminal.It is communicated to connect alternatively, portable device can also be established by USB interface and terminal.
S204 receives the ID authentication request that terminal is forwarded.
Wherein, ID authentication request is the request authenticated to identity, can be authentication instruction or the body of transmission Part message identifying etc., generally carries authentication information.
In one embodiment, user can be instructed by terminal trigger action.Wherein, operational order, such as user pass through Terminal logs in using account or carries out network trading etc. by application.Operational order is sent to service by being connected to the network by terminal Device, server generates corresponding ID authentication request after receiving operational order, and ID authentication request is fed back to terminal. Wherein, authentication information is carried in ID authentication request.After terminal receives ID authentication request, by being set with portable Communication connection between standby, is forwarded to portable device for the ID authentication request.
In one embodiment, user can be instructed by portable device trigger action.Portable device by with terminal Between communication connection, operational order is forwarded to terminal, terminal is forwarded to server again.Server generates after receiving operational order Corresponding ID authentication request, and ID authentication request is back to terminal.Wherein, identity is carried in ID authentication request to recognize Demonstrate,prove information.After terminal receives ID authentication request, by the communication connection between portable device, by the ID authentication request It is forwarded to portable device.
In one embodiment, server, which receives, generates corresponding ID authentication request after operational order, and server is by body When part certification request returns to terminal, it can be based on request-response mechanism, i.e. requesting party send a request message to responder, respond Square returning response message is to requesting party.
For example, server can based on 7816-4:2005APDU (Application Protocol Data Unit, Application Protocol Data Unit) format to terminal send ID authentication request.ID authentication request i.e. request message, request disappear The message format of breath is as follows:
CLA INS P1 P2 Lc<request-data> Le
Wherein, CLA is the instruction of order classification, and it is " 00 ", specific command position " 80 " that generic command position, which can be preset,.INS Indicate safety chip order.P1, P2 respectively correspond the first parameter and the second parameter of each order.Lc is request-data The length of (request message), if Lc is omitted without request-data, request-data is in specific request message Hold.Le is the greatest hope length of response-data (response message), if Le is saved without desired response-data Slightly.
Correspondingly, when the ID authentication request that portable device forwards terminal responds, the lattice of response message Formula is as follows:
Le<response-data> SW1 SW2
Wherein, Le is the length of response-data (response message), and response-data is specific response message Content.SW1 and SW2 is two byte status codes.
S206 is when communication connection is using default near field communication mode, then directly raw according to ID authentication request At authentication signature.
Wherein, the communication connection mode that near field communication mode is the safety of pre-set short distance is preset, when When being communicated using default near field communication mode, both sides' identity of communication and the content of communication are all safety, no It is intercepted or the security risks such as pretend to be that information can be generated.The communication connection mode of default short distance, such as USB interface communication connection Mode or near-field communication connection type etc..Specifically, portable device and terminal, which are established, communicates to connect, when portable device receives After the ID authentication request forwarded to terminal, it may be determined that the specific transmission mode of the ID authentication request.When the authentication is asked When Seeking Truth carries out being transmitted to portable device by default near field communication mode, portable device is then directly according to identity Certification request generates authentication signature.
In one embodiment, portable device can judge whether communication connection mode is default close locally presetting The Rule of judgment of distance communication connection type.Wherein, Rule of judgment, such as communication distance are less than or equal to pre-determined distance, communication Channel is channel predetermined or data sink is default device etc..When portable device receives the communication link of ID authentication request When filling the foot Rule of judgment, it is determined that the communication connection of portable device and terminal room is default near field communication side Formula.When the communication connection that portable device receives ID authentication request is unsatisfactory for the Rule of judgment, it is determined that portable device Communication connection with terminal room is non-default near field communication mode.
For example, near-field communication connection type and/or USB interface communication connection mode can be preset in portable device To preset near field communication mode.When portable device is communicated with the non-contact reader of terminal, then communication link is judged Connecing mode is default near field communication mode.Alternatively, when portable device and terminal are communicated by USB interface, it can be true The communication connection for determining portable device and terminal is using default near field communication mode.
In one embodiment, portable device is built-in with NFC antenna, safety chip, bluetooth MCU (Microcontroller Unit, micro-control unit) and main control MCU.As shown in figure 3, Fig. 3 shows body in one embodiment The acquisition modes schematic diagram of part certification request.When ID authentication request is to be received by NFC antenna, and be forwarded to safety chip , then it can determine that the communication connection of portable device and terminal is near-field communication, belong to default near field communication mode.When ID authentication request is to be received by bluetooth MCU, and be forwarded to safety chip by main control MCU, then can determine portable set Standby is, since there are the security risks such as information is intercepted for Bluetooth communication, to be consequently belonging to non-default close by Bluetooth communication with terminal Distance communication connection type.
In one embodiment, ID authentication request carries authentication information, such as parameters for authentication.Wherein, it authenticates Parameter is to be used to guarantee that each ID authentication request to be unique and effective within a certain period of time by server generation, or make It fails immediately after.Parameters for authentication, for example the random number that generates at random of server or server are according to current time, terminal mark Know the ciphertext etc. with generating random number.Portable device can be used local cipher mode and be encrypted parameters for authentication to generate Authentication signature, for example, generating certification label using the authentication information in private key encryption ID authentication request using local Name.
S208, when communication connection is using non-default near field communication mode, then the confirmation instruction to be entered such as, and Authentication signature is generated according to ID authentication request in the confirmation instruction for detecting input.
Wherein, confirmation instruction is to indicate the instruction of confirmation meaning, be can be as caused by triggering predetermined registration operation.Wherein, Predetermined registration operation can be PIN code (the Personal Identification of pre-set trigger action, input terminal Number, personal recognition code) or biological characteristic validation etc..Trigger action specifically can be touch operation, cursor operations or Button operation.Wherein, touch operation can be and touch clicking operation, touches pressing operation or touch slide, touch behaviour It can be single-touch operation or multiple point touching operation;Cursor operations can be the operation clicked of control cursor or The operation that control cursor is pressed;Button operation can be operation of virtual key or physical button operation etc..
Specifically, portable device and terminal, which are established, communicates to connect, when portable device receives the body that terminal is forwarded After part certification request, it may be determined that the specific transmission mode of the ID authentication request.When the ID authentication request is by non-default When near field communication mode carries out being transmitted to portable device, the confirmation instructions to be entered such as portable device then enters State, with etc. confirmation instruction to be entered.It is portable to set after user is instructed by portable device or terminal input validation Standby that confirmation instruction that is itself or being sent by terminal can be detected, then portable device is generated according to ID authentication request and is authenticated Signature.
In one embodiment, portable device can judge whether communication connection mode is default close locally presetting The Rule of judgment of distance communication connection type.When the communication connection that portable device receives ID authentication request is unsatisfactory for the judgement When condition, it is determined that the communication connection of portable device and terminal room is non-default near field communication mode.For example, It is default short-range communication that near-field communication connection type and/or USB interface communication connection mode, which can be preset, in portable device Connection type.When portable device and terminal pass through Bluetooth communication or wireless communication, then judge that communication connection mode is Non-default near field communication mode.
Authentication signature is sent to terminal by S210;Authentication signature, which is used to indicate terminal, will respond with carry out body in authentication signature Part certification.
In one embodiment, authentication signature is sent to terminal by the communication connection with terminal by portable device.Eventually After termination receives the authentication signature, authentication signature is reported into server.Server is using the cipher mode phase with authentication signature Authentication signature is decrypted in the manner of decryption answered, with the data after being decrypted.Server can be by local data to recognizing Data after the decryption of signed certificate name are compared, to carry out authentication.
In one embodiment, after server is verified the authentication signature that terminal reports, terminal triggering can be performed Operational order.When server does not pass through the authentication signature verifying that terminal reports, server is then refused to execute terminal triggering Operational order.
In one embodiment, message format corresponding with the message format of ID authentication request can be used in portable device Send authentication signature.For example APDU format is used, the format of response message is as follows:
Le<response-data> SW1 SW2
Wherein, the content of response-data i.e. authentication signature.SW1 and SW2 is two byte status codes.For example, working as SW1 and SW2 is that " 9000 " coding then indicates order successful execution.There are also other answer codes schematically as follows:
SW1 SW2 Meaning
69 85 Condition is unsatisfactory for
6A 80 Parameter error
69 87 The cipher key index of mistake
69 86 It is whether on the scene that user must be tested
69 88 Parameter transaction is abnormal
90 01 Wait user's confirmation
Above-mentioned ID authentication request processing method receives what terminal was forwarded by establishing the communication connection with terminal room ID authentication request.It is when communication connection is using default near field communication mode, then directly raw according to ID authentication request At authentication signature.It may insure the safety of portable device communication due to presetting near field communication, it can direct root Authentication signature is generated according to ID authentication request, realizes quick authentication.When communication connection is connected using non-default short-range communication When connecing mode, there may be the security risks of portable device communication under this environment, then etc. confirmation to be entered instruction, is being detected To input confirmation instruction when according to ID authentication request generate authentication signature.There may be the communication modes of security risk Under, it needs user actively to do and confirms, regenerate authentication signature, can ensure the safety of terminal and portable device communication.Just After portable device generates authentication signature, authentication signature is sent to terminal by communicating to connect, terminal again reports authentication signature To carry out authentication.In this way, the communication connection mode of distinguishing terminal and portable device, different certification stream is respectively adopted Cheng Shengcheng authentication signature is greatly improved the safety that portable device carries out secondary identities certification.
In one embodiment, the step of generating authentication signature according to ID authentication request specifically includes:
S402 is extracted from ID authentication request and is applied key ID information and parameters for authentication.
It wherein, is with using corresponding key using key, key includes private key and public key.One application can correspond to Multiple groups key, different key purposes is also different, for example key A is used for the authentication that application logs in, and key B is for branch of trading The authentication etc. paid.Using the identification information that key ID information is using key, being used to unique identification, this applies key.Root Public key is applied and using private key with using key ID information is corresponding according to that can determine using key ID information.Using key Identification information can be one of number, letter or symbol etc..Using key ID information can also include application identities and Cipher key index is uniquely determined by application identities and cipher key index using key, that is, can be with by application identities and cipher key index It uniquely determines accordingly using public key and using private key.
Specifically, authentication information, authentication information are carried in the received ID authentication request of portable device Including applying key ID information and parameters for authentication.Wherein, it can be used for determining that corresponding application is public using key ID information Key and apply private key.Portable device can determine the private key of applying being locally stored accordingly, clothes according to application key ID information Business device can be corresponding using public key according to determining using key ID information.Parameters for authentication is the parameter generated by server, For guarantee each ID authentication request be it is unique and within a certain period of time effectively, can be a random number.
In one embodiment, parameters for authentication fails after the completion of the processing of this ID authentication request, to prevent using private The stolen security risk for generating authentication signature of key generates.Parameters for authentication can be server and refer in the operation for receiving terminal transmission The random number generated after order.
S404, inquiry apply private key with using key ID information is corresponding.
Specifically, what portable device can locally be prestored according to application key ID information inquiry believes with application key identification Breath applies private key accordingly.
S406 encrypts parameters for authentication according to application private key and obtains authentication signature.
Specifically, portable device is encrypted according to what is inquired using parameters for authentication of the private key to extraction, is recognized Signed certificate name.Wherein, ECC (Elliptic Curve Cryptography, elliptic curve encryption algorithm) or SM2 can be used in Encryption Algorithm Encryption Algorithm (ellipse curve public key cipher algorithm is a kind of rivest, shamir, adelman) etc..
In one embodiment, portable device can be according to the parameters for authentication and application using private key to extraction inquired Mark etc. is encrypted, and authentication signature is obtained.
In one embodiment, portable device by authentication signature by the communication connection with terminal room, by authentication signature It is sent to terminal.After terminal receives authentication signature, authentication signature is fed back into server.Server is according to the certification received Signature applies public key using with using key ID information is corresponding, is decrypted to authentication signature, obtains parameters for authentication.Clothes The parameters for authentication that the parameters for authentication obtained after decryption and server generate is compared business device, if comparison result is consistent, holds The operational order of row terminal triggering;If comparison result is inconsistent, refuse to execute.
In above-described embodiment, extract from ID authentication request using key ID information and parameters for authentication, further according to Private key is applied accordingly using key ID information inquiry, and parameters for authentication is encrypted using private key by what is inquired, is obtained To authentication signature.In this way, authentication signature just it is related to the authentication information in ID authentication request, also with portable device sheet It is related that private key is applied on ground accordingly, thus can verify the identity and corresponding information of both sides, substantially increases portable device Carry out the safety of secondary identities certification.
In one embodiment, ID authentication request processing method further include: after receiving ID authentication request, incite somebody to action this The count value of ground storage obtains current count value from increasing.Step S406 includes: according to application private key to parameters for authentication and current meter Numerical value encryption, obtains authentication signature.Step S210 includes: that authentication signature and current count value are sent to end by communicating to connect End.
Specifically, the built-in counter of portable device or other counting equipments etc., whenever receiving ID authentication request Afterwards, counter obtains current count value with regard to counting up value certainly, and current count value is stored in local.Portable device can obtain The current count value being locally stored encrypts parameters for authentication and current count value according to application private key, obtains authentication signature.Lead to again It crosses the communication connection with terminal and authentication signature and current count value is sent to terminal.
In one embodiment, the authentication signature and current count value that portable device is sent are forwarded to service by terminal Device.Server uses application public key decryptions authentication signature corresponding with application private key, obtains parameters for authentication and current count value, Parameters for authentication and current count value that decryption obtains are reported with the parameters for authentication of server storage and portable device respectively Current count value compares, and when comparison result is all consistent, server then executes the operational order of terminal triggering;If comparison result Inconsistent, server is then refused to execute.
In one embodiment, the every reception one-time identity authentication request of portable device, the count value of counter is with regard to corresponding Increase.The count value of counter can be used big hold-carrying to indicate, for example the initial value of counter is 0x00, when from increasing to maximum value It is counted again since 0x00 again.
In above-described embodiment, by the way that after receiving ID authentication request, the count value being locally stored is worked as from increasing Preceding count value encrypts parameters for authentication and current count value further according to application private key, obtains authentication signature.Can both it guarantee in this way Each authentication signature is all different in authentication procedures, prevented also from the Replay Attack to server, further improves The safety of portable device progress secondary identities certification.
In one embodiment, ID authentication request is sent to after terminal by server and is forwarded by terminal;Authentication signature It is sent to after terminal with current count value and server is reported to by terminal;Authentication signature, being used to indicate terminal will be in authentication signature After report to server, application public key decryptions authentication signature corresponding with application key ID information is used by server, is recognized Parameter and current count value are demonstrate,proved, the parameters for authentication that the parameters for authentication and current count value that decryption is obtained are stored with server respectively Compare with the current count value reported, to carry out authentication.
In one embodiment, user can be instructed by terminal trigger action, and terminal is by being connected to the network operational order It is sent to server.Server generates corresponding ID authentication request after receiving operational order, and ID authentication request is returned It is back to terminal, terminal is forwarded to portable device again.Portable device is after receiving ID authentication request, by what is be locally stored Count value obtains current count value from increasing.Parameters for authentication and current count value are encrypted according to application private key, obtain authentication signature. After authentication signature and current count value are sent to terminal, terminal reports to server again.Server uses and applies key mark Know the corresponding application public key decryptions authentication signature of information, obtain parameters for authentication and current count value, the certification that decryption is obtained is joined Several and current count value compared with the parameters for authentication of server storage and the current count value reported, is recognized respectively with carrying out identity Card.When comparison result is all consistent, server then executes the operational order of terminal triggering;If comparison result is inconsistent, service Device is then refused to execute.
In above-described embodiment, portable device is forwarded to by terminal after server transmission ID authentication request, it is portable to set It is standby that authentication signature is generated according to ID authentication request, and authentication signature and current count value are sent to terminal, it is reported by terminal To server.Server is again using applying public key decryptions authentication signature accordingly and being checked, to carry out authentication.This Terminal may be implemented as operating side in sample, and separation of the portable device as authentication end can ensure the safety of operation.
In one embodiment, ID authentication request processing method further includes the generation step using key pair, the step It specifically includes:
S502 is obtained and is applied register instruction.
In one embodiment, mountable in portable device to have application.User can be triggered by portable device and be applied Register instruction, portable device obtain the application register instruction of user's triggering.For example user can pass through the touch of portable device Screen or key etc. are chosen using sign-on ID and are triggered accordingly using register instruction.
In one embodiment, user can by terminal trigger apply register instruction, terminal by with portable device Communication connection will be forwarded to portable device using register instruction, so that portable device, which obtains, applies register instruction.
S504 is generated according to application register instruction and is applied key pair;It include applying private key and answering accordingly using key pair Use public key.
Specifically, portable device is obtained using after register instruction, is generated accordingly according to application register instruction using close Key pair.It is corresponding using key pair and application identities.It wherein, include using private key and applying public key using key pair.It is portable Equipment can locally save the application key pair generated, and will carry out reporting disclosure using public key.
In one embodiment, portable device is safeguarded after generating using key pair according to the application key pair of generation Cipher key index, and cipher key index is saved to local, while also reporting to server.In this way, portable device or server can It is found accordingly according to application identities and cipher key index using private key or using public key.
S506 is encrypted according to local device private to using public key, and be applied public key signature.
Specifically, device private has been locally stored in portable device.Wherein, portable device one and only one set Standby private key.Different portable devices, device private are also different.Portable device answers generation according to local device private It is encrypted with public key, be applied public key signature.
In one embodiment, portable device generating device key pair when being activated.Wherein, device keys are to including Equipment public key and device private.Device private can be stored in local by portable device, and equipment public key is carried out to report disclosure.
In one embodiment, portable device in process of production can be with built-in device key pair.Device keys are to packet Include equipment public key and device private.Device private can be stored in local by portable device, and equipment public key is carried out to report disclosure.
S508 will report to server using public key and using public key signature, and be used to indicate server using public key signature According to the equipment public key decryptions application public key signature stored, when what decryption obtained applies public key consistent using public key with what is reported When storage report apply public key.
Specifically, portable device can will report to server using public key and using public key signature by network connection, Alternatively, portable device can will be sent to terminal using public key and using public key signature, then lead to by the communication connection with terminal It crosses terminal and is forwarded to server.Server is stored after receiving application public key and application public key signature according to server Equipment public key decryptions application public key signature corresponding with device private, when decryption obtain it is public using public key and the application reported What storage reported when key is consistent applies public key.
It in above-described embodiment, is generated by application register instruction and applies key pair, public key is applied by device private encryption To generate using public key signature and report to server.Server is verified by pre-stored equipment public key using public key label Whether name is correct, and what preservation reported if correct applies public key.In this way, by being encrypted to using public key to generate application Public key signature can ensure using the source side of public key signature it is legal to transmit using public key, ensure that server stores with this Application public key be legal and correct.
It in one embodiment, include application identities and cipher key index using key ID information;And/or default low coverage It include near-field communication connection type from communication connection mode.
Specifically, application identification information may include application identities and cipher key index, according to application identities and cipher key index It can uniquely determine accordingly using public key or using private key.For example, as shown in fig. 6, Fig. 6 is shown in one embodiment answers With the schematic diagram of the corresponding relationship of mark and cipher key index and application key pair.It can be true according to application identities 1 and cipher key index 1 It is fixed to apply public key 1 accordingly and apply private key 1;It can be determined accordingly according to application identities 2 and cipher key index 2 using public key 2 With application private key 2;It can be determined accordingly according to application identities 3 and cipher key index 3 using public key 3 and using private key 3.It is portable Equipment can be found accordingly according to application identities and cipher key index using private key.Server can be according to application identities and key rope Draw and finds accordingly using public key.
In one embodiment, presetting near field communication mode includes near-field communication connection type, wherein near field is logical Letter connection type refers to NFC communication connection type.
In one embodiment, step S208 specifically includes the following steps:
S702, when communication connection is using non-default near field communication mode, then triggering is used to indicate input validation The prompting of instruction acts.
Specifically, when communication connection is using non-default near field communication mode, portable device is then triggered and is used for Indicate the prompting movement of input validation instruction.Wherein, prompting movement includes opening breath light, opening screen display or open vibration etc..
In one embodiment, when communication connection is using non-default near field communication mode, terminal can also be synchronized Triggering is used to indicate the prompting movement of input validation instruction, for example the screen of terminal shows that input validation is reminded, opens breath light Or open vibration etc..
S704 is locally set to the state of the confirmation instruction of detection input.
Specifically, when communication connection is using non-default near field communication mode, portable device will can locally be set User's authorization is waited at this point, the confirmation of the detectable input of portable device instructs for the confirmation command status of detection input.? Before the confirmation instruction for detecting input, portable device can be chronically at the state.Alternatively, within a preset period of time, it is portable When the confirmation command status of input is not detected always in formula equipment, portable device will terminate the process of secondary identities certification, no It is further continued for executing, can show printed words such as " user's confirmation are not detected ".
S706 exits state in the confirmation instruction for detecting input, and generates authentication signature according to ID authentication request.
In one embodiment, user can directly input validation instructs in a portable device, or inputs at the terminal The confirmation instruction of input is forwarded to portable device by confirmation instruction, terminal.Portable device refers in the confirmation for detecting input The state can be exited when enabling, and ID authentication request generates authentication signature based on the received.
In above-described embodiment, when communication connection is using non-default near field communication mode, triggering is used to indicate defeated The prompting movement for entering confirmation instruction, may remind the user that and authorized.It will be locally set to the state of the confirmation instruction of detection input, After user's authorization, that is, user has input after confirmation instructs and just generates authentication signature, Ke Yitong according to ID authentication request The mode of user's participation is crossed to reinforce the safety that portable device carries out secondary identities certification.
In one embodiment, ID authentication request processing method further includes the steps that equipment replacement, which specifically wraps It includes:
S802 obtains the equipment replacement order from service platform.
Wherein, service platform is security management services platform, for example is based on TUSI (Tencent User Security Infrastructur, Tencent's user security infrastructure) agreement service platform, be based on FIDO (Fast Identity Online, quick authentication on line) alliance service platform or be based on IFAA (Internet Finance Authentiation Alliance, internet finance authentication alliance) service platform etc..Equipment replacement instruction is instruction The instruction that portable device is reset.Equipment replacement, including what is stored in removing users personal data, removing portable device Using key pair, device keys pair or formatting portable device etc..
In one embodiment, user can be reset by terminal initiating equipment and be requested, and terminal is by being connected to the network equipment Resetting request is forwarded to service platform, and server generates corresponding equipment replacement order after receiving equipment replacement request, and will Equipment replacement order feeds back to terminal.Equipment replacement order is forwarded to portable by terminal by the communication with portable device Equipment.
In one embodiment, user can be reset by portable device initiating equipment and be requested, and portable device can pass through Equipment replacement request is reported to service platform by terminal, or directly reports to service platform by network connection.Service platform After receiving equipment replacement request, corresponding equipment replacement order is generated, and equipment replacement order is fed back to just by terminal Portable device, or portable device is directly fed back to by network connection.
S804, from equipment replacement order extract equipment public key and the first equipment public key signature;First equipment public key signature is Equipment public key encryption is generated using the platform private key of service platform.
Specifically, the equipment replacement order that service platform generates may include equipment public key and the first equipment public key signature. Wherein, equipment public key can be what portable device generated upon activation, and be sent to service platform or service platform It is pre-stored.First equipment public key signature is that service platform generates equipment public key encryption using platform private key, and encryption is calculated ECC or SM2 Encryption Algorithm can be used in method.Portable device obtains after the equipment replacement order of service platform, can be from setting Standby resetting order extract equipment public key and the first equipment public key signature.
S806 reads local pre-land public key corresponding with platform private key.
Specifically, portable device in process of production can in portable device pre-land public key.It is set when portable The standby equipment replacement order obtained from service platform is extracted from equipment replacement order using the generation of platform private key encryption After first equipment public key signature, local pre-land public key corresponding with platform private key can be read.
S808 decrypts equipment public key from the first equipment public key signature according to pre-land public key.
It specifically, can be according to pre-land public key from the first equipment public key after portable device reads pre-land public key Equipment public key is decrypted using corresponding decipherment algorithm in signature.
S810 is then executed when the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts Equipment replacement movement.
Wherein, equipment replacement movement be reset portable device movement, such as remove users personal data, remove it is portable Application key pair, device keys pair or formatting portable device for being stored in formula equipment etc..
In one embodiment, the comparable equipment public key extracted of portable device and local equipment public key whether one It causes, when consistent, then compares the equipment public key decrypted and whether the equipment public key of extraction is consistent, when consistent, then execute and set Standby resetting acts.
In one embodiment, portable device can compare the equipment public key of extraction, local equipment public key reconciliation two-by-two Whether close equipment public key out is consistent, when three is consistent, then executes equipment replacement movement.
In above-described embodiment, when getting from the equipment replacement order of service platform, from equipment replacement name First equipment public key signature of extract equipment public key and the platform private key encryption generation using service platform.Further according to local preset Platform public key decrypt equipment public key from the first equipment public key signature, equipment public key, local equipment public key when extraction And the equipment public key that decrypts it is consistent when, then can determine whether the equipment replacement obtained name be it is legal, execute equipment weight at this time Set movement.In this way, can simply and efficiently be authenticated to equipment replacement order by pre-land public key, avoids and pass through terminal Store the unsafe problem of key.Also, portable device can also be completed by writing the case where portable device need to be transferred the possession of or lose Resetting movement, solve security risk existing for portable device.
In one embodiment, ID authentication request processing method further includes the steps that device activation, which specifically wraps It includes:
S902, receiving device activation instruction.
In one embodiment, carrying out corresponding operation to unactivated portable device can produce device activation instruction. For example, user can carry out charging operations to unactivated portable device, portable device itself produces device activation at this time Instruction.
In one embodiment, user can be by with generating device activation instruction, and being set in terminal operation by portable Device activation instruction is sent to terminal by the standby communication connection with terminal.
S904 instructs generating device key pair according to device activation;Device keys are to including device private and accordingly set Standby public key.
Specifically, after portable device receiving device activation instruction, generating device key pair is instructed according to device activation.If Standby key pair and portable equipment identity are corresponding.Wherein, device keys are to including device private and equipment public key.It is portable to set It is standby locally to save the device keys pair generated, and equipment public key is carried out to report disclosure.
Equipment public key is reported to service platform by S906;The equipment public key reported is for generating the first equipment public key signature.
Specifically, equipment public key can directly be reported to service platform by being connected to the network by portable device.Alternatively, portable Equipment public key is sent to terminal by the communication connection with terminal by formula equipment, and it is flat that equipment public key is forwarded to service again by terminal Platform.Service platform encrypts the equipment public key reported using platform private key, and the first equipment public key signature can be generated.
In above-described embodiment, generating device key pair is instructed according to device activation, wherein device keys are to public including equipment Key and device private.By the way that equipment public key is reported to service platform, it may make that service platform is raw according to the equipment public key reported At the first equipment public key signature, further generating device resetting order.
In one embodiment, step S906 is specifically included: equipment public key is encrypted according to preset manufacturer's private key, Obtain the second equipment public key signature;Equipment public key and the second equipment public key signature are transferred to service platform, the second equipment public key Signature is used to indicate service platform according to manufacturer's public key decryptions the second equipment public key signature, the equipment public key and biography obtained when decryption The equipment public key of storage transmitting when the equipment public key passed is consistent.
It in one embodiment, can preset manufacturer's private key in the production process of portable device.Portable device according to Preset manufacturer's private key encrypts the equipment public key of generation, obtains the second equipment public key signature.Portable device is by equipment Public key and the second equipment public key signature are transferred to service platform.Service platform is according to manufacturer's public key decryptions the second equipment public key label Name, the equipment public key of storage transmitting when the equipment public key that decryption obtains is consistent with the equipment public key of transmitting.
In above-described embodiment, by preset manufacturer's private key encryption equipment public key with generate the second equipment public key signature and on It reports to service platform.Whether service platform verifies the second equipment public key signature by pre-stored manufacturer's public key correct, such as Fruit correctly then saves equipment public key.In this way, being transmitted by being encrypted to equipment public key with generating the second equipment public key signature Equipment public key, can ensure the source side of the second equipment public key signature be it is legal, ensure that the equipment of service platform storage is public with this Key is legal and correct.
As shown in Figure 10, in a specific embodiment, ID authentication request processing method the following steps are included:
S1002, receiving device activation instruction.
S1004 instructs generating device key pair according to device activation;Device keys are to including device private and accordingly set Standby public key.
S1006 encrypts equipment public key according to preset manufacturer's private key, obtains the second equipment public key signature.
Equipment public key and the second equipment public key signature are transferred to service platform by S1008, and the second equipment public key signature is used for Service platform is indicated according to manufacturer's public key decryptions the second equipment public key signature, when the equipment of decryption obtained equipment public key and transmitting The equipment public key of storage transmitting when public key is consistent.
S1010 is obtained and is applied register instruction.
S1012 is generated according to application register instruction and is applied key pair;It include applying private key and answering accordingly using key pair Use public key.
S1014 is encrypted according to local device private to using public key, and be applied public key signature.
S1016 will report to server using public key and using public key signature, and be used to indicate server using public key signature According to the equipment public key decryptions application public key signature stored, when what decryption obtained applies public key consistent using public key with what is reported When storage report apply public key.
S1018 establishes the communication connection with terminal;
S1020 receives the ID authentication request that terminal is forwarded.
S1022 is when communication connection is using default near field communication mode, then directly raw according to ID authentication request At authentication signature.
S1024, when communication connection is using non-default near field communication mode, then triggering is used to indicate input validation The prompting of instruction acts.
S1026 is locally set to the state of the confirmation instruction of detection input.
S1028 exits state in the confirmation instruction for detecting input, and generates certification label according to ID authentication request Name.
Authentication signature is sent to terminal by S1030;Authentication signature, which is used to indicate terminal, will respond with carry out body in authentication signature Part certification.
S1032 obtains the equipment replacement order from service platform.
S1034, from equipment replacement order extract equipment public key and the first equipment public key signature;First equipment public key signature, It is to be generated using the platform private key of service platform to equipment public key encryption.
S1036 reads local pre-land public key corresponding with platform private key.
S1038 decrypts equipment public key from the first equipment public key signature according to pre-land public key.
S1040 is then held when the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts The movement of row equipment replacement.
Above-mentioned ID authentication request processing method receives what terminal was forwarded by establishing the communication connection with terminal room ID authentication request.It is when communication connection is using default near field communication mode, then directly raw according to ID authentication request At authentication signature.It may insure the safety of portable device communication due to presetting near field communication, it can direct root Authentication signature is generated according to ID authentication request, realizes quick authentication.When communication connection is connected using non-default short-range communication When connecing mode, there may be the security risks of portable device communication under this environment, then etc. confirmation to be entered instruction, is being detected To input confirmation instruction when according to ID authentication request generate authentication signature.There may be the communication modes of security risk Under, it needs user actively to do and confirms, regenerate authentication signature, can ensure the safety of terminal and portable device communication.Just After portable device generates authentication signature, authentication signature is sent to terminal by communicating to connect, terminal again reports authentication signature To carry out authentication.In this way, the communication connection mode of distinguishing terminal and portable device, different certification stream is respectively adopted Cheng Shengcheng authentication signature is greatly improved the safety that portable device carries out secondary identities certification.
Figure 10 is the flow diagram of ID authentication request method in one embodiment.Although should be understood that Figure 10 Flow chart in each step successively show that but these steps are not inevitable to indicate according to arrow according to the instruction of arrow Sequence successively execute.Unless expressly stating otherwise herein, there is no stringent sequences to limit for the execution of these steps, these Step can execute in other order.Moreover, at least part step in Figure 10 may include multiple sub-steps or more A stage, these sub-steps or stage are not necessarily to execute completion in synchronization, but can hold at different times Row, the execution sequence in these sub-steps perhaps stage be also not necessarily successively carry out but can be with other steps or other The sub-step or at least part in stage of step execute in turn or alternately.
In concrete application scene, user can be carried out secondary identities certification login using portable device and be answered by terminal With.For example, as shown in figure 11, Figure 11 is shown user and is illustrated by mobile terminal using the interface that equipment logs into application Figure.When the user clicks after " equipment login ", portable device carries out corresponding operation with regard to the above-mentioned ID authentication request method of use, Authentication signature is reported, to carry out authentication.After certification passes through, the application of terminal operating can then obtain user data, such as The data such as user name, user's head portrait.
In one embodiment, as shown in figure 12, Figure 12 shows ID authentication request processing method in one embodiment Timing diagram.User is instructed by terminal trigger action.Operational order is sent to server by being connected to the network by terminal, is serviced Device generates corresponding ID authentication request after receiving operational order, and ID authentication request is fed back to terminal.Terminal receives To after ID authentication request, by the communication connection between portable device, which is forwarded to portable set It is standby.When communication connection is using default near field communication mode, portable device is then directly raw according to ID authentication request At authentication signature, authentication signature is sent to terminal, terminal is forwarded to server again to carry out authentication.When communication connection is adopted When with non-default near field communication mode, wait user confirmation, user's input validation instruction it is red, portable device further according to ID authentication request generates authentication signature, authentication signature is sent to terminal, terminal is forwarded to server again and recognizes to carry out identity Card.
In one embodiment, portable device includes security application and main control MCU.Terminal is by communication connection, by body Part certification request is sent to the main control MCU of portable device, and main control MCU is forwarded to security application.Security application judges portable Whether the communication connection mode of equipment and terminal is default near field communication mode.If so, security application then direct basis ID authentication request generates authentication signature, and authentication signature is sent to main control MCU, is sent to terminal by main control MCU.If No, security application then waits user to confirm.At this point, main control MCU can control the screen display prompts movement of portable device, and examine Survey the confirmation instruction of user's input.Prompt security application generates authentication signature after the confirmation for detecting user instructs.
Wherein, above-mentioned ID authentication request processing method can refer to shown in Figure 13, as Figure 13 is shown in one embodiment The flow diagram of portable device progress ID authentication request processing.Portable device after receiving ID authentication request, The communication connection mode of judgement and terminal.When being default near field communication mode, then quickly signature process is walked, that is, Directly generate authentication signature.When for non-default near field communication mode, then Standard signatures process is walked, generates certification label Name.Wherein, Standard signatures process is as shown in figure 14, and Figure 14 shows the flow diagram of one embodiment Plays signature.When When the communication connection of portable device and terminal is non-default near field communication mode, portable device then waits user to award Power, authorization then generate authentication signature after passing through.The interface schematic diagram of user's authorization refers to Figure 15, and as shown in figure 15, Figure 15 is shown The interface schematic diagram of user's authorization is waited in one embodiment.Display interface is to prompt to use in terminal display interface on the left of Figure 15 The schematic diagram that family is confirmed on portable devices, the right side Figure 15 are waiting user's input validation instruction of portable terminal Display interface, user " double-click and confirm " according to guide, and double-clicking portable device can be completed confirmation operation.
Specifically, the request message for the ID authentication request that server is generated according to APDU format is as follows:
Coding Value
CLA “80”
INS “32”
P1 “00”
P2 “00”
LC “XX”
Data field request-data
Le Nothing
Wherein, the content of request-data can specifically include: reserved field (Control), parameters for authentication (Challenge), application identities (AppID), cipher key index length (KeyIndex Length) and cipher key index (KeyIndex)。
In one embodiment, the request message of ID authentication request specifically may is that 8032000000006403DA009 671392A4F83B25CE544E05BCA302549A4CA955BB1E C6E07FEDD57ED036C630DCD2966C433669 1125448BBB25B4FF412A49C732D B2C8ABC1B8581BD710DD2242634EA7B39247189166C535CFD 03E14BE9940269D22EBDDC61CEA78C0E1B7930000.Wherein, " 80320000 " are command headers, comprising CLA, INS, P1 and P2." 000064 " is LC, i.e. the length of request-data." 03 " is reserved field; " DA009671392A4F83B25CE544E05BCA302549A4CA955BB1EC6E07FEDD 57E D036C " is parameters for authentication Challenge;"630DCD2966C4336691125448BBB25B4FF412A49C732DB2C8ABC1B8581BD710DD" It is application identities AppID;" 22 " are cipher key index length KeyIndex Length;"42634EA7B39247189166C535CF D03E14BE9940269D22EBD DC61CEA78C0E1B7930000 " is cipher key index KeyIndex.
Portable device is as follows according to the response message content that ID authentication request is fed back:
Le<response-data> SW1 SW2
Wherein, the content of the response-data of response message may include: that user has mark (User Presence), current count value (Counter) and authentication signature (Signature).Wherein, user, which exists, is identified as fixed value "01".In one embodiment, authentication signature includes the following contents: there is mark (User in application identities (AppID), user Presence), current count value (Counter) and parameters for authentication (Challenge).
In one embodiment, the response message of portable device feedback specifically may is that 0100000001304602210 0FAF11F21DED8C4117009F655DDFF9D0590F75637DFB8F769460539E888C9E947022100C54A60 10F9A294EE6494E3DC352EE57CC0E7607732A2A05C07B0D6044F0036199000.Wherein, " 01 " is to use There is mark User presence in family." 00000001 " is current count value Counter."3046022100FAF11F21DED8 C4117009F655DDFF9D0590F75637DFB8F769460539E888C9E947022100C54A6010F9A294EE649 4E3DC352EE57CC0E7607732A2A05C07B0D6044F003619 " is authentication signature Signature." 9000 " are lives Writ state, that is, SW1 and SW2 indicate order successful execution.
Figure 16 is the applied environment figure of equipment replacement method in one embodiment.Referring to Fig.1 6, which answers For equipment replacement system.The equipment replacement system includes terminal 110, portable device 130 and service platform 140.Terminal 110 Pass through network connection with service platform 140.Service platform 140 can use the either multiple server compositions of independent server Server cluster is realized.
As shown in figure 17, in one embodiment, a kind of equipment replacement method is provided.The present embodiment is mainly in this way It is illustrated applied to the portable device 130 in above-mentioned Figure 16.Referring to Fig.1 7, which specifically includes as follows Step:
S1702 obtains the equipment replacement order from service platform.
In one embodiment, user can be reset by terminal initiating equipment and be requested, and terminal is by being connected to the network equipment Resetting request is forwarded to service platform, and server generates corresponding equipment replacement order after receiving equipment replacement request, and will Equipment replacement order feeds back to terminal.Equipment replacement order is forwarded to portable by terminal by the communication with portable device Equipment.
In one embodiment, user can be reset by portable device initiating equipment and be requested, and portable device can pass through Equipment replacement request is reported to service platform by terminal, or directly reports to service platform by network connection.Service platform After receiving equipment replacement request, corresponding equipment replacement order is generated, and equipment replacement order is fed back to just by terminal Portable device, or portable device is directly fed back to by network connection.
In one embodiment, service platform generates corresponding equipment replacement order after receiving equipment replacement request, takes When equipment replacement order is fed back to portable device by business platform, it can be based on request-response mechanism, i.e. requesting party sends request and disappears Cease responder, responder's returning response message to requesting party.
For example, service platform can be ordered based on APDU format to terminal or the resetting of portable device sending device.If Standby resetting order i.e. request message, the message format of request message are as follows:
CLA INS P1 P2 Lc<request-data> Le
Correspondingly, when the equipment replacement order that portable device forwards terminal responds, the lattice of response message Formula is as follows:
Le<response-data> SW1 SW2
When portable device successfully completes equipment replacement, Le<response-data>is sky, is returned only to state encoding, Such as " 9000 ", indicate order successful execution.
S1704, from equipment replacement order extract equipment public key and the first equipment public key signature;First equipment public key signature is Equipment public key encryption is generated using the platform private key of service platform.
Specifically, the equipment replacement order that service platform generates may include equipment public key and the first equipment public key signature. Wherein, equipment public key can be what portable device generated upon activation, and be sent to service platform or service platform It is pre-stored.First equipment public key signature is that service platform generates equipment public key encryption using platform private key, and encryption is calculated ECC or SM2 Encryption Algorithm can be used in method.Portable device obtains after the equipment replacement order of service platform, can be from setting Standby resetting order extract equipment public key and the first equipment public key signature.
S1706 reads local pre-land public key corresponding with platform private key.
Specifically, portable device in process of production can in portable device pre-land public key.It is set when portable The standby equipment replacement order obtained from service platform is extracted from equipment replacement order using the generation of platform private key encryption After first equipment public key signature, local pre-land public key corresponding with platform private key can be read.
S1708 decrypts equipment public key from the first equipment public key signature according to pre-land public key.
It specifically, can be according to pre-land public key from the first equipment public key after portable device reads pre-land public key Equipment public key is decrypted using corresponding decipherment algorithm in signature.
S1710 is then held when the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts The movement of row equipment replacement.
In one embodiment, the comparable equipment public key extracted of portable device and local equipment public key whether one It causes, when consistent, then compares the equipment public key decrypted and whether the equipment public key of extraction is consistent, when consistent, then execute and set Standby resetting acts.
In one embodiment, portable device can compare the equipment public key of extraction, local equipment public key reconciliation two-by-two Whether close equipment public key out is consistent, when three is consistent, then executes equipment replacement movement.
Above equipment remapping method is ordered when getting from the equipment replacement order of service platform from equipment replacement Extract equipment public key and the first equipment public key signature generated using the platform private key encryption of service platform in name.Further according to local Preset platform public key decrypts equipment public key from the first equipment public key signature, equipment public key, local equipment when extraction When public key and the consistent equipment public key decrypted, then can determine whether obtain equipment replacement name be it is legal, at this time execute set Standby resetting acts.In this way, can simply and efficiently be authenticated to equipment replacement order by pre-land public key, avoids and pass through The unsafe problem of terminal storage key.Also, write the case where portable device need to be transferred the possession of or lose can also complete it is portable The resetting of equipment acts, and solves security risk existing for portable device.
In one embodiment, equipment replacement method further includes the steps that device activation, which specifically includes: reception is set Standby activation instruction;Generating device key pair is instructed according to device activation;Device keys are to including device private and corresponding equipment Public key;Equipment public key is reported into service platform;The equipment public key reported is for generating the first equipment public key signature.
In above-described embodiment, generating device key pair is instructed according to device activation, wherein device keys are to public including equipment Key and device private.By the way that equipment public key is reported to service platform, it may make that service platform is raw according to the equipment public key reported At the first equipment public key signature, further generating device resetting order.
In one embodiment, the step of equipment public key being reported to service platform specifically includes: according to preset manufacturer Private key encrypts equipment public key, obtains the second equipment public key signature;Equipment public key and the second equipment public key signature are transmitted To service platform, the second equipment public key signature is used to indicate service platform according to manufacturer's public key decryptions the second equipment public key signature, The equipment public key of storage transmitting when the equipment public key that decryption obtains is consistent with the equipment public key of transmitting.
In above-described embodiment, by preset manufacturer's private key encryption equipment public key with generate the second equipment public key signature and on It reports to service platform.Whether service platform verifies the second equipment public key signature by pre-stored manufacturer's public key correct, such as Fruit correctly then saves equipment public key.In this way, being transmitted by being encrypted to equipment public key with generating the second equipment public key signature Equipment public key, can ensure the source side of the second equipment public key signature be it is legal, ensure that the equipment of service platform storage is public with this Key is legal and correct.
In concrete application scene, user can be reset by terminal initiating equipment and be requested.For example, as shown in figure 18, Figure 18 It shows user and passes through the interface schematic diagram of mobile terminal initiating equipment resetting request.As shown in figure 18, user can click terminal In " intelligent device management V2 " mark, can point by portable device close to after terminal according to the signal language of terminal " invitation card card " Hit " resetting " button, triggering equipment replacement request.
As shown in figure 19, in one specifically embodiment, the flow chart of equipment replacement method is as shown in figure 19.It is portable Equipment pre-land public key in process of production.The generating device key pair in device activation, and equipment public key is reported into clothes Business platform.The resetting request of terminal initiating equipment, service platform audit generate corresponding equipment replacement order after the approval, and Portable device is forwarded to by terminal.Portable device according to equipment extract equipment resetting order in equipment public key, and and The equipment public key generated when activation is compared.If consistent, according to preset platform public key decryptions the first equipment public key signature, The equipment public key decrypted.Whether the equipment public key after portable device verifying decryption is correct, if correctly, executing equipment weight Set movement.If incorrect, termination device resetting.
In one embodiment, the command message that portable device receives when pre-land public key is as follows: F00201000000410410C26685D9ECC1A797CB0E15F7BAC987699E83077CBA131A759906D051694 76F6C85864CE83AC5490DB16752BF2653EB4ECB09688742D BE1819933F6A01F65F2.Wherein, " F0020100 " is command id." 000041 " is the length of request-data."0410C26685D9ECC1A797CB0E15 F7BAC987699E83077CBA131A759906D05169476F6C85864CE83AC5490DB16752BF2653EB4ECB0 9688742DBE1819933F6A01F65F2 " is platform public key.After portable device receives above-mentioned request message, storage is flat Platform public key, and feedback response message is as follows: 9000.Wherein, " 9000 " indicate order successful execution.
In one embodiment, during activating portable device, the received device activation instruction of portable device Message content includes: 80200000000000.Wherein, " 80200000 " are device activation command ids." 000000 " is The length of request-data.Device activation instructs portable device based on the received, generating device key pair, and returning response Message is as follows: 0492D868371C9648C09FB745BD33DC113574E2BD150644AAEB75B7BF 32C24444A70F B00A932964FF781BA434AB7C466CF3FC03DF54CB2A78066342DAEF1A2B2BED9000.Wherein, “0492D868371C9648C09FB745BD33DC113574E2BD150644AAEB75B7BF32C24444A70FB00A9329 64FF781BA434AB7C466CF3FC03DF54CB2A78066342DAEF1A2B2BED " is equipment public key." 9000 " are loud Answer state.
In one embodiment, the request message content of the received equipment replacement order of portable device is as follows: “802E00000000880492D868371C9648C09FB745BD33DC113574E2BD150644AA EB75B7BF32C24444A70FB00A932964FF781BA434AB7C466CF3FC03DF54CB2A78066342DAEF1A2 B2BED304502203B52FA7C708C4217C18495883EA5082561B7EE142336BB2E0E043DCC8F4A1F2B 022100A3E2B656973C0E460D523B2454B27B80DA31E21432E2E2F80FC508EB6A1EA3B4".Wherein, " 802E0000 " is command id." 000088 " is the length of request-data."0492D868371C9648C09FB745BD 33DC113574E2BD150644AAEB75B7BF32C24444A70FB00A932964FF781BA434AB7C466CF3FC03D F54CB2A78066342DAEF1A2B2BED " is equipment public key."304502203B52FA7C708C4217C18495883EA50 82561B7EE142336BB2E0E043DCC8F4A1F2B022100A3E2B656973C0E460D523B2454B27B80DA31 E21432E2E2F80FC508EB6A1EA3B4 " is using the first equipment public key signature obtained after platform private key signature.It is portable After formula equipment receives above-mentioned request message, is verified according to local equipment public key and preset platform public key, work as verifying Feedback response message is as follows when success: 9000.Wherein, " 9000 " indicate order successful execution.It, may feedback sound if unsuccessful Answer message " 6A80 ", expression parameter mistake.
As shown in figure 20, in one embodiment, a kind of ID authentication request processing unit 2000 is provided, comprising: build Formwork erection block 2001, receiving module 2002, generation module 2003 and sending module 2004.
Module 2001 is established, for establishing and the communication connection of terminal.
Receiving module 2002, the ID authentication request forwarded for receiving terminal.
Generation module 2003 is used for when communication connection is using default near field communication mode, then directly according to body Part certification request generates authentication signature.
Generation module 2003 is also used to when communication connection is using non-default near field communication mode, then etc. to be entered Confirmation instruction, and detect input confirmation instruction when according to ID authentication request generate authentication signature.
Sending module 2004, for authentication signature to be sent to terminal;Authentication signature is used to indicate terminal for authentication signature On respond with carry out authentication.
Above-mentioned ID authentication request processing unit receives what terminal was forwarded by establishing the communication connection with terminal room ID authentication request.It is when communication connection is using default near field communication mode, then directly raw according to ID authentication request At authentication signature.It may insure the safety of portable device communication due to presetting near field communication, it can direct root Authentication signature is generated according to ID authentication request, realizes quick authentication.When communication connection is connected using non-default short-range communication When connecing mode, there may be the security risks of portable device communication under this environment, then etc. confirmation to be entered instruction, is being detected To input confirmation instruction when according to ID authentication request generate authentication signature.There may be the communication modes of security risk Under, it needs user actively to do and confirms, regenerate authentication signature, can ensure the safety of terminal and portable device communication.Just After portable device generates authentication signature, authentication signature is sent to terminal by communicating to connect, terminal again reports authentication signature To carry out authentication.In this way, the communication connection mode of distinguishing terminal and portable device, different certification stream is respectively adopted Cheng Shengcheng authentication signature is greatly improved the safety that portable device carries out secondary identities certification.
In one embodiment, generation module 2003 be also used to extract from ID authentication request using key ID information and Parameters for authentication;Inquiry applies private key with using key ID information is corresponding;Parameters for authentication is encrypted according to application private key and is obtained Authentication signature.
In above-described embodiment, extract from ID authentication request using key ID information and parameters for authentication, further according to Private key is applied accordingly using key ID information inquiry, and parameters for authentication is encrypted using private key by what is inquired, is obtained To authentication signature.In this way, authentication signature just it is related to the authentication information in ID authentication request, also with portable device sheet It is related that private key is applied on ground accordingly, thus can verify the identity and corresponding information of both sides, substantially increases portable device Carry out the safety of secondary identities certification.
In one embodiment, ID authentication request processing unit 2000 further includes counting module 2005.Counting module 2005 for obtaining current count value from increasing for the count value being locally stored after receiving ID authentication request.Generation module 2003 are also used to encrypt parameters for authentication and current count value according to application private key, obtain authentication signature.Sending module 2004 is also For authentication signature and current count value to be sent to terminal by communicating to connect.
In above-described embodiment, by the way that after receiving ID authentication request, the count value being locally stored is worked as from increasing Preceding count value encrypts parameters for authentication and current count value further according to application private key, obtains authentication signature.Can both it guarantee in this way Each authentication signature is all different in authentication procedures, prevented also from the Replay Attack to server, further improves The safety of portable device progress secondary identities certification.
In one embodiment, ID authentication request is sent to after terminal by server and is forwarded by terminal;Authentication signature It is sent to after terminal with current count value and server is reported to by terminal;Authentication signature, being used to indicate terminal will be in authentication signature After report to server, application public key decryptions authentication signature corresponding with application key ID information is used by server, is recognized Parameter and current count value are demonstrate,proved, the parameters for authentication that the parameters for authentication and current count value that decryption is obtained are stored with server respectively Compare with the current count value reported, to carry out authentication.
In above-described embodiment, portable device is forwarded to by terminal after server transmission ID authentication request, it is portable to set It is standby that authentication signature is generated according to ID authentication request, and authentication signature and current count value are sent to terminal, it is reported by terminal To server.Server is again using applying public key decryptions authentication signature accordingly and being checked, to carry out authentication.This Terminal may be implemented as operating side in sample, and separation of the portable device as authentication end can ensure the safety of operation.
In one embodiment, ID authentication request processing unit 2000 further includes obtaining module 2006, encrypting module 2007 and reporting module 2008.
Module 2006 is obtained, applies register instruction for obtaining.
Generation module 2003 is also used to be generated according to application register instruction using key pair;It include that application is private using key pair Key applies public key with corresponding.
Encrypting module 2007, for being encrypted according to local device private to using public key, be applied public key label Name.
Reporting module 2008 is used for that will apply public key and report to server using public key signature using public key signature In instruction server according to equipment public key decryptions application the public key signature stored, when decryption obtain using public key with report The application public key reported is stored when consistent using public key.
It in above-described embodiment, is generated by application register instruction and applies key pair, public key is applied by device private encryption To generate using public key signature and report to server.Server is verified by pre-stored equipment public key using public key label Whether name is correct, and what preservation reported if correct applies public key.In this way, by being encrypted to using public key to generate application Public key signature can ensure using the source side of public key signature it is legal to transmit using public key, ensure that server stores with this Application public key be legal and correct.
It in one embodiment, include application identities and cipher key index using key ID information;And/or default low coverage It include near-field communication connection type from communication connection mode.
In one embodiment, generation module 2003 is also used to use non-default near field communication side when communication connection When formula, then triggering is used to indicate the prompting movement of input validation instruction;Locally it is set to the state of the confirmation instruction of detection input;? State is exited when detecting the confirmation instruction of input, and authentication signature is generated according to ID authentication request.
In above-described embodiment, when communication connection is using non-default near field communication mode, triggering is used to indicate defeated The prompting movement for entering confirmation instruction, may remind the user that and authorized.It will be locally set to the state of the confirmation instruction of detection input, After user's authorization, that is, user has input after confirmation instructs and just generates authentication signature, Ke Yitong according to ID authentication request The mode of user's participation is crossed to reinforce the safety that portable device carries out secondary identities certification.
As shown in figure 21, in one embodiment, ID authentication request processing unit 2000 further include read module 2009, Deciphering module 2010 and execution module 2011.
It obtains module 2006 and is also used to obtain the equipment replacement order from service platform.
Module 2006 is obtained to be also used to from equipment replacement order extract equipment public key and the first equipment public key signature;First sets Standby public key signature is to be generated using the platform private key of service platform to equipment public key encryption.
Read module 2009 is also used to read local pre-land public key corresponding with platform private key.
Deciphering module 2010, for decrypting equipment public key from the first equipment public key signature according to pre-land public key.
Execution module 2011, for when the equipment public key extracted, local equipment public key and the equipment public key decrypted When consistent, then equipment replacement movement is executed.
In above-described embodiment, when getting from the equipment replacement order of service platform, from equipment replacement name First equipment public key signature of extract equipment public key and the platform private key encryption generation using service platform.Further according to local preset Platform public key decrypt equipment public key from the first equipment public key signature, equipment public key, local equipment public key when extraction And the equipment public key that decrypts it is consistent when, then can determine whether the equipment replacement obtained name be it is legal, execute equipment weight at this time Set movement.In this way, can simply and efficiently be authenticated to equipment replacement order by pre-land public key, avoids and pass through terminal Store the unsafe problem of key.Also, portable device can also be completed by writing the case where portable device need to be transferred the possession of or lose Resetting movement, solve security risk existing for portable device.
In one embodiment, it obtains module 2006 and is also used to receiving device activation instruction.Generation module 2003 is also used to Generating device key pair is instructed according to device activation;Device keys are to including device private and corresponding equipment public key.Report mould Block 2008 is also used to equipment public key reporting to service platform;The equipment public key reported is for generating the first equipment public key signature.
In above-described embodiment, generating device key pair is instructed according to device activation, wherein device keys are to public including equipment Key and device private.By the way that equipment public key is reported to service platform, it may make that service platform is raw according to the equipment public key reported At the first equipment public key signature, further generating device resetting order.
In one embodiment, reporting module 2008 is also used to add equipment public key according to preset manufacturer's private key It is close, obtain the second equipment public key signature;Equipment public key and the second equipment public key signature are transferred to service platform, the second equipment is public Key signature is used to indicate service platform according to manufacturer's public key decryptions the second equipment public key signature, the equipment public key that obtains when decryption and The equipment public key of storage transmitting when the equipment public key of transmitting is consistent.
In above-described embodiment, by preset manufacturer's private key encryption equipment public key with generate the second equipment public key signature and on It reports to service platform.Whether service platform verifies the second equipment public key signature by pre-stored manufacturer's public key correct, such as Fruit correctly then saves equipment public key.In this way, being transmitted by being encrypted to equipment public key with generating the second equipment public key signature Equipment public key, can ensure the source side of the second equipment public key signature be it is legal, ensure that the equipment of service platform storage is public with this Key is legal and correct.
As shown in figure 22, in one embodiment, a kind of equipment replacement device 2200 is provided, comprising: obtain module 2201, extraction module 2202, read module 2203, deciphering module 2204 and execution module 2205.
Module 2201 is obtained, for obtaining the equipment replacement order from service platform;
Extraction module 2202 is used for from equipment replacement order extract equipment public key and the first equipment public key signature;First sets Standby public key signature is to be generated using the platform private key of service platform to equipment public key encryption;
Read module 2203, for reading local pre-land public key corresponding with platform private key;
Deciphering module 2204, for decrypting equipment public key from the first equipment public key signature according to pre-land public key;
Execution module 2205, for when the equipment public key extracted, local equipment public key and the equipment public key decrypted When consistent, then equipment replacement movement is executed.
Above equipment reset apparatus is ordered when getting from the equipment replacement order of service platform from equipment replacement Extract equipment public key and the first equipment public key signature generated using the platform private key encryption of service platform in name.Further according to local Preset platform public key decrypts equipment public key from the first equipment public key signature, equipment public key, local equipment when extraction When public key and the consistent equipment public key decrypted, then can determine whether obtain equipment replacement name be it is legal, at this time execute set Standby resetting acts.In this way, can simply and efficiently be authenticated to equipment replacement order by pre-land public key, avoids and pass through The unsafe problem of terminal storage key.Also, write the case where portable device need to be transferred the possession of or lose can also complete it is portable The resetting of equipment acts, and solves security risk existing for portable device.
As shown in figure 23, in one embodiment, equipment replacement device 2200 further includes receiving module 2206, generation module 2207 and reporting module 2208:
Receiving module 2206 is used for receiving device activation instruction;
Generation module 2207, for instructing generating device key pair according to device activation;Device keys are to private including equipment Key and corresponding equipment public key;
Reporting module 2208, for equipment public key to be reported to service platform;The equipment public key reported is for generating first Equipment public key signature.
In above-described embodiment, generating device key pair is instructed according to device activation, wherein device keys are to public including equipment Key and device private.By the way that equipment public key is reported to service platform, it may make that service platform is raw according to the equipment public key reported At the first equipment public key signature, further generating device resetting order.
In one embodiment, reporting module 2208 is also used to add equipment public key according to preset manufacturer's private key It is close, obtain the second equipment public key signature;Equipment public key and the second equipment public key signature are transferred to service platform, the second equipment is public Key signature is used to indicate service platform according to manufacturer's public key decryptions the second equipment public key signature, the equipment public key that obtains when decryption and The equipment public key of storage transmitting when the equipment public key of transmitting is consistent.
In above-described embodiment, by preset manufacturer's private key encryption equipment public key with generate the second equipment public key signature and on It reports to service platform.Whether service platform verifies the second equipment public key signature by pre-stored manufacturer's public key correct, such as Fruit correctly then saves equipment public key.In this way, being transmitted by being encrypted to equipment public key with generating the second equipment public key signature Equipment public key, can ensure the source side of the second equipment public key signature be it is legal, ensure that the equipment of service platform storage is public with this Key is legal and correct.
Figure 24 shows the internal structure chart of computer equipment in one embodiment.The computer equipment specifically can be figure Portable device 130 in 1 or Figure 16.As shown in figure 24, it includes passing through system which, which includes the computer equipment, Processor, memory and the network interface of bus connection.Wherein, memory includes non-volatile memory medium and built-in storage. The non-volatile memory medium of the computer equipment is stored with operating system, can also be stored with computer program, the computer journey When sequence is executed by processor, processor may make to realize authentication request processing and/or equipment replacement method.The built-in storage In can also store computer program, when which is executed by processor, may make processor execute authentication ask Ask processing and/or equipment replacement method.
It will be understood by those skilled in the art that structure shown in Figure 24, only part relevant to application scheme The block diagram of structure, does not constitute the restriction for the computer equipment being applied thereon to application scheme, and specific computer is set Standby may include perhaps combining certain components or with different component layouts than more or fewer components as shown in the figure.
In one embodiment, ID authentication request processing unit provided by the present application can be implemented as a kind of computer journey The form of sequence, computer program can be run in computer equipment as of fig. 24.It can be deposited in the memory of computer equipment Storage forms each program module of the ID authentication request processing unit and/or equipment replacement device, for example, building shown in Figure 20 Formwork erection block, receiving module, generation module and sending module.Also for example, acquisition module, extraction module shown in Figure 22, reading mould Block, deciphering module and execution module.The computer program that each program module is constituted executes processor in this specification to retouch Step in the ID authentication request processing method of each embodiment of the application stated.
For example, computer equipment shown in Figure 24 can be by ID authentication request processing unit as shown in figure 20 It establishes module and executes step S202.Receiving module executes step S204.Computer equipment can execute step by generation module S206 and S208.Computer equipment can execute step S210 by sending module.
For example, computer equipment shown in Figure 24 can be by ID authentication request processing unit as shown in figure 17 It obtains module and executes step S1702.Computer equipment can execute step S1704 by extraction module.Computer equipment can pass through Read module executes step S1706.Computer equipment can execute step S1708 by deciphering module.Computer equipment can pass through Execution module executes step S1710.
In one embodiment, a kind of computer equipment, including memory and processor are provided, is stored in memory Computer program, when computer program is executed by processor, so that processor executes following steps: passing through the communication with terminal room Connection receives the ID authentication request that terminal is forwarded;When communication connection is using default near field communication mode, then directly It connects and authentication signature is generated according to ID authentication request;When communication connection is using non-default near field communication mode, then etc. Confirmation instruction to be entered, and authentication signature is generated according to ID authentication request in the confirmation instruction for detecting input;Pass through Authentication signature is sent to terminal by communication connection;Authentication signature be used to indicate terminal will be responded in authentication signature carry out identity recognize Card.
In one embodiment, computer program is executing processor according to ID authentication request generation authentication signature Step when specifically execute following steps: extract from ID authentication request using key ID information and parameters for authentication;Inquiry with Private key is applied accordingly using key ID information;Parameters for authentication is encrypted according to application private key and obtains authentication signature.
In one embodiment, computer program to go back processor execution following steps: asking receiving authentication After asking, the count value being locally stored is obtained into current count value from increasing;According to application private key to parameters for authentication and current count value Encryption obtains authentication signature;Authentication signature and current count value are sent to terminal by communicating to connect.
In one embodiment, ID authentication request is sent to after terminal by server and is forwarded by terminal;Authentication signature It is sent to after terminal with current count value and server is reported to by terminal;Authentication signature, being used to indicate terminal will be in authentication signature After report to server, application public key decryptions authentication signature corresponding with application key ID information is used by server, is recognized Parameter and current count value are demonstrate,proved, the parameters for authentication that the parameters for authentication and current count value that decryption is obtained are stored with server respectively Compare with the current count value reported, to carry out authentication.
In one embodiment, computer program to go back processor execution following steps: obtaining using register instruction;Root It is generated according to application register instruction and applies key pair;It include using private key and accordingly using public key using key pair;According to local Device private to encrypting using public key, be applied public key signature;It will be reported to using public key and using public key signature Server is used to indicate server according to the equipment public key decryptions application public key signature stored using public key signature, works as decryption What is obtained stores the application public key reported using public key with what is reported using public key when consistent.
It in one embodiment, include application identities and cipher key index using key ID information;And/or default low coverage It include near-field communication connection type from communication connection mode.
In one embodiment, computer program is executing processor when communication connection is led to using non-default short distance When believing connection type, then the confirmation to be entered instruction such as, and in the confirmation instruction for detecting input according to ID authentication request Following steps are specifically executed when generating the step of authentication signature: when communication connection uses non-default near field communication mode When, then triggering is used to indicate the prompting movement of input validation instruction;Locally it is set to the state of the confirmation instruction of detection input;It is examining State is exited when measuring the confirmation instruction of input, and authentication signature is generated according to ID authentication request.
In one embodiment, computer program to go back processor execution following steps: obtaining from service platform Equipment replacement order;From equipment replacement order extract equipment public key and the first equipment public key signature;First equipment public key signature, It is to be generated using the platform private key of service platform to equipment public key encryption;It is public to read local pre-land corresponding with platform private key Key;Equipment public key is decrypted from the first equipment public key signature according to pre-land public key;When the equipment public key, local of extraction When equipment public key and the consistent equipment public key decrypted, then equipment replacement movement is executed.
In one embodiment, computer program to go back processor execution following steps: receiving device activation instruction;Root Generating device key pair is instructed according to device activation;Device keys are to including device private and corresponding equipment public key;By equipment public affairs Key reports to service platform;The equipment public key reported is for generating the first equipment public key signature.
In one embodiment, computer program makes processor execute the step that equipment public key is reported to service platform Following steps are specifically executed when rapid: equipment public key being encrypted according to preset manufacturer's private key, obtains the second equipment public key label Name;Equipment public key and the second equipment public key signature are transferred to service platform, it is flat that the second equipment public key signature is used to indicate service Platform is according to manufacturer's public key decryptions the second equipment public key signature, when the equipment public key that decryption obtains is consistent with the equipment public key of transmitting Store the equipment public key of transmitting.
Above-mentioned computer equipment receives the authentication that terminal is forwarded and asks by establishing the communication connection with terminal room It asks.When communication connection is using default near field communication mode, then authentication signature is directly generated according to ID authentication request. It may insure the safety of portable device communication due to presetting near field communication, can directly be asked according to authentication Authentication signature is sought survival into, realizes quick authentication.When communication connection is using non-default near field communication mode, this ring There may be the security risk of portable device communication, then the confirmation to be entered instructions such as, in the confirmation for detecting input under border Authentication signature is generated according to ID authentication request when instruction.Under the communication mode there may be security risk, need to use householder Dynamic do confirms, regenerates authentication signature, can ensure the safety of terminal and portable device communication.Portable device generation is recognized After signed certificate name, authentication signature is sent to terminal by communicating to connect, terminal will respond with carry out authentication again in authentication signature. In this way, the communication connection mode of distinguishing terminal and portable device, generates authentication signature so that different identifying procedures is respectively adopted, It is greatly improved the safety that portable device carries out secondary identities certification.
In one embodiment, a kind of computer equipment, including memory and processor are provided, is stored in memory Computer program, when computer program is executed by processor, so that processor executes following steps: obtaining from service platform Equipment replacement order;From equipment replacement order extract equipment public key and the first equipment public key signature;First equipment public key signature, It is to be generated using the platform private key of service platform to equipment public key encryption;It is public to read local pre-land corresponding with platform private key Key;Equipment public key is decrypted from the first equipment public key signature according to pre-land public key;When the equipment public key, local of extraction When equipment public key and the consistent equipment public key decrypted, then equipment replacement movement is executed.
In one embodiment, computer program to go back processor execution following steps: receiving device activation instruction;Root Generating device key pair is instructed according to device activation;Device keys are to including device private and corresponding equipment public key;By equipment public affairs Key reports to service platform;The equipment public key reported is for generating the first equipment public key signature.
In one embodiment, computer program makes processor execute the step that equipment public key is reported to service platform Following steps are specifically executed when rapid: equipment public key being encrypted according to preset manufacturer's private key, obtains the second equipment public key label Name;Equipment public key and the second equipment public key signature are transferred to service platform, it is flat that the second equipment public key signature is used to indicate service Platform is according to manufacturer's public key decryptions the second equipment public key signature, when the equipment public key that decryption obtains is consistent with the equipment public key of transmitting Store the equipment public key of transmitting.
Above-mentioned computer equipment is named when getting from the equipment replacement order of service platform from equipment replacement First equipment public key signature of middle extract equipment public key and the platform private key encryption generation using service platform.Further according to local pre- The platform public key set decrypts equipment public key from the first equipment public key signature, when the equipment public key of extraction, local equipment are public When key and the consistent equipment public key decrypted, then can determine whether obtain equipment replacement name be it is legal, execute equipment at this time Resetting movement.In this way, can simply and efficiently be authenticated to equipment replacement order by pre-land public key, avoids and pass through end The end storage unsafe problem of key.Also, portable set can also be completed by writing the case where portable device need to be transferred the possession of or lose Standby resetting movement, solves security risk existing for portable device.
A kind of computer readable storage medium, is stored with computer program, real when which is executed by processor Existing following steps: by the communication connection with terminal room, the ID authentication request that terminal is forwarded is received;When communication connection uses When default near field communication mode, then authentication signature is directly generated according to ID authentication request;When communication connection is using non- When default near field communication mode, then the confirmation instruction to be entered such as, and in the confirmation instruction for detecting input according to ID authentication request generates authentication signature;Authentication signature is sent to terminal by communicating to connect;Authentication signature is used to indicate end End will respond with carry out authentication in authentication signature.
In one embodiment, computer program is executing processor according to ID authentication request generation authentication signature Step when specifically execute following steps: extract from ID authentication request using key ID information and parameters for authentication;Inquiry with Private key is applied accordingly using key ID information;Parameters for authentication is encrypted according to application private key and obtains authentication signature.
In one embodiment, computer program to go back processor execution following steps: asking receiving authentication After asking, the count value being locally stored is obtained into current count value from increasing;According to application private key to parameters for authentication and current count value Encryption obtains authentication signature;Authentication signature and current count value are sent to terminal by communicating to connect.
In one embodiment, ID authentication request is sent to after terminal by server and is forwarded by terminal;Authentication signature It is sent to after terminal with current count value and server is reported to by terminal;Authentication signature, being used to indicate terminal will be in authentication signature After report to server, application public key decryptions authentication signature corresponding with application key ID information is used by server, is recognized Parameter and current count value are demonstrate,proved, the parameters for authentication that the parameters for authentication and current count value that decryption is obtained are stored with server respectively Compare with the current count value reported, to carry out authentication.
In one embodiment, computer program to go back processor execution following steps: obtaining using register instruction;Root It is generated according to application register instruction and applies key pair;It include using private key and accordingly using public key using key pair;According to local Device private to encrypting using public key, be applied public key signature;It will be reported to using public key and using public key signature Server is used to indicate server according to the equipment public key decryptions application public key signature stored using public key signature, works as decryption What is obtained stores the application public key reported using public key with what is reported using public key when consistent.
It in one embodiment, include application identities and cipher key index using key ID information;And/or default low coverage It include near-field communication connection type from communication connection mode.
In one embodiment, computer program is executing processor when communication connection is led to using non-default short distance When believing connection type, then the confirmation to be entered instruction such as, and in the confirmation instruction for detecting input according to ID authentication request Following steps are specifically executed when generating the step of authentication signature: when communication connection uses non-default near field communication mode When, then triggering is used to indicate the prompting movement of input validation instruction;Locally it is set to the state of the confirmation instruction of detection input;It is examining State is exited when measuring the confirmation instruction of input, and authentication signature is generated according to ID authentication request.
In one embodiment, computer program to go back processor execution following steps: obtaining from service platform Equipment replacement order;From equipment replacement order extract equipment public key and the first equipment public key signature;First equipment public key signature, It is to be generated using the platform private key of service platform to equipment public key encryption;It is public to read local pre-land corresponding with platform private key Key;Equipment public key is decrypted from the first equipment public key signature according to pre-land public key;When the equipment public key, local of extraction When equipment public key and the consistent equipment public key decrypted, then equipment replacement movement is executed.
In one embodiment, computer program to go back processor execution following steps: receiving device activation instruction;Root Generating device key pair is instructed according to device activation;Device keys are to including device private and corresponding equipment public key;By equipment public affairs Key reports to service platform;The equipment public key reported is for generating the first equipment public key signature.
In one embodiment, computer program makes processor execute the step that equipment public key is reported to service platform Following steps are specifically executed when rapid: equipment public key being encrypted according to preset manufacturer's private key, obtains the second equipment public key label Name;
Equipment public key and the second equipment public key signature are transferred to service platform, the second equipment public key signature is used to indicate clothes Platform be engaged according to manufacturer's public key decryptions the second equipment public key signature, when the equipment public key one of decryption obtained equipment public key and transmitting The equipment public key of storage transmitting when cause.
Above-mentioned computer readable storage medium receives the body that terminal is forwarded by establishing the communication connection with terminal room Part certification request.When communication connection is using default near field communication mode, then directly generated according to ID authentication request Authentication signature.It may insure the safety of portable device communication due to presetting near field communication, it can direct basis ID authentication request generates authentication signature, realizes quick authentication.When communication connection uses non-default near field communication When mode, there may be the security risks of portable device communication under this environment, then etc. confirmation to be entered instruction, is detecting Authentication signature is generated according to ID authentication request when the confirmation instruction of input.Under the communication mode there may be security risk, It needs user actively to do to confirm, regenerates authentication signature, can ensure the safety of terminal and portable device communication.It is portable After equipment generates authentication signature, authentication signature is sent to by terminal by communication connection, terminal will be responded in authentication signature again into Row authentication.In this way, the communication connection mode of distinguishing terminal and portable device, raw different identifying procedures is respectively adopted At authentication signature, it is greatly improved the safety that portable device carries out secondary identities certification.
A kind of computer readable storage medium, is stored with computer program, real when which is executed by processor Existing following steps: the equipment replacement order from service platform is obtained;From equipment replacement order extract equipment public key and first Equipment public key signature;First equipment public key signature is to be generated using the platform private key of service platform to equipment public key encryption;It reads Local pre-land public key corresponding with platform private key;It is decrypted and is set from the first equipment public key signature according to pre-land public key Standby public key;When the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts, then equipment weight is executed Set movement.
In one embodiment, computer program to go back processor execution following steps: receiving device activation instruction;Root Generating device key pair is instructed according to device activation;Device keys are to including device private and corresponding equipment public key;By equipment public affairs Key reports to service platform;The equipment public key reported is for generating the first equipment public key signature.
In one embodiment, computer program makes processor execute the step that equipment public key is reported to service platform Following steps are specifically executed when rapid: equipment public key being encrypted according to preset manufacturer's private key, obtains the second equipment public key label Name;Equipment public key and the second equipment public key signature are transferred to service platform, it is flat that the second equipment public key signature is used to indicate service Platform is according to manufacturer's public key decryptions the second equipment public key signature, when the equipment public key that decryption obtains is consistent with the equipment public key of transmitting Store the equipment public key of transmitting.
Above-mentioned computer readable storage medium, when getting from the equipment replacement order of service platform, from equipment Extract equipment public key and the first equipment public key signature generated using the platform private key encryption of service platform in resetting name.Root again Equipment public key is decrypted from the first equipment public key signature according to local preset platform public key, when the equipment public key of extraction, local Equipment public key and the consistent equipment public key that decrypts when, then can determine whether the equipment replacement obtained name be it is legal, at this time Execute equipment replacement movement.In this way, can simply and efficiently be authenticated to equipment replacement order by pre-land public key, avoid Pass through terminal storage key unsafe problem.Also, writing the case where portable device need to be transferred the possession of or lose can also complete The resetting of portable device acts, and solves security risk existing for portable device.
Those of ordinary skill in the art will appreciate that realizing all or part of the process in above-described embodiment method, being can be with Relevant hardware is instructed to complete by computer program, the program can be stored in a non-volatile computer and can be read In storage medium, the program is when being executed, it may include such as the process of the embodiment of above-mentioned each method.Wherein, provided herein Each embodiment used in any reference to memory, storage, database or other media, may each comprise non-volatile And/or volatile memory.Nonvolatile memory may include that read-only memory (ROM), programming ROM (PROM), electricity can be compiled Journey ROM (EPROM), electrically erasable ROM (EEPROM) or flash memory.Volatile memory may include random access memory (RAM) or external cache.By way of illustration and not limitation, RAM is available in many forms, such as static state RAM (SRAM), dynamic ram (DRAM), synchronous dram (SDRAM), double data rate sdram (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronization link (Synchlink) DRAM (SLDRAM), memory bus (Rambus) directly RAM (RDRAM), straight Connect memory bus dynamic ram (DRDRAM) and memory bus dynamic ram (RDRAM) etc..
Each technical characteristic of above embodiments can be combined arbitrarily, for simplicity of description, not to above-described embodiment In each technical characteristic it is all possible combination be all described, as long as however, the combination of these technical characteristics be not present lance Shield all should be considered as described in this specification.
The several embodiments of the application above described embodiment only expresses, the description thereof is more specific and detailed, but simultaneously The limitation to the application the scope of the patents therefore cannot be interpreted as.It should be pointed out that for those of ordinary skill in the art For, without departing from the concept of this application, various modifications and improvements can be made, these belong to the guarantor of the application Protect range.Therefore, the scope of protection shall be subject to the appended claims for the application patent.

Claims (20)

1. a kind of ID authentication request processing method is applied to portable device, which comprises
Establish the communication connection with terminal;
Receive the ID authentication request that the terminal is forwarded;
When the communication connection is using default near field communication mode, then directly generated according to the ID authentication request Authentication signature;
When the communication connection is using non-default near field communication mode, then the confirmation instruction to be entered such as, and examining Authentication signature is generated according to the ID authentication request when measuring the confirmation instruction of input;
The authentication signature is sent to the terminal;The authentication signature is used to indicate the terminal will be in the authentication signature Respond with carry out authentication.
2. the method according to claim 1, wherein described generate authentication signature according to the ID authentication request Include:
It is extracted from the ID authentication request and applies key ID information and parameters for authentication;
Inquiry is corresponding with the application key ID information to apply private key;
The parameters for authentication is encrypted according to the application private key and obtains authentication signature.
3. according to the method described in claim 2, it is characterized in that, the method also includes:
After receiving the ID authentication request, the count value being locally stored is obtained into current count value from increasing;
Described encrypted according to the application private key to the parameters for authentication obtains authentication signature, comprising:
The parameters for authentication and the current count value are encrypted according to the application private key, obtain authentication signature;
It is described that the authentication signature is sent to the terminal, comprising:
The authentication signature and current count value are sent to the terminal by the communication connection.
4. according to the method described in claim 3, it is characterized in that, the ID authentication request is sent to the end by server It is forwarded behind end by the terminal;The authentication signature and current count value are reported to after being sent to the terminal by the terminal The server;
The authentication signature is used to indicate after the authentication signature reports to the server by the terminal, by the service Device using authentication signature described in application public key decryptions corresponding with the application key ID information, obtain parameters for authentication with currently Count value will decrypt parameters for authentication and report current that obtained parameters for authentication and current count value are stored with server respectively Count value compares, to carry out authentication.
5. according to the method described in claim 4, it is characterized in that, the method also includes:
It obtains and applies register instruction;
It is generated according to the application register instruction and applies key pair;The application key pair includes using private key and corresponding application Public key;
The application public key is encrypted according to local device private, be applied public key signature;
The application public key and the application public key signature are reported into the server, the application public key signature is used to indicate The server applies public key signature according to the equipment public key decryptions stored, when what decryption obtained applies public key and report Stored when consistent using public key report apply public key.
6. according to the method described in claim 2, it is characterized in that, the application key ID information includes application identities and close Key index;And/or the default near field communication mode includes near-field communication connection type.
7. the method according to claim 1, wherein described logical using non-default short distance when the communication connection When believing connection type, then the confirmation to be entered instruction such as, and in the confirmation instruction for detecting input according to the authentication Request generates authentication signature, comprising:
When the communication connection is using non-default near field communication mode, then triggering is used to indicate input validation instruction Prompting movement;
Locally it is set to the state of the confirmation instruction of detection input;
The state is exited in the confirmation instruction for detecting input, and authentication signature is generated according to the ID authentication request.
8. method according to any one of claims 1 to 7, which is characterized in that the method also includes:
Obtain the equipment replacement order from service platform;
From the equipment replacement order extract equipment public key and the first equipment public key signature;The first equipment public key signature is The equipment public key encryption is generated using the platform private key of the service platform;
Read local pre-land public key corresponding with the platform private key;
Equipment public key is decrypted from the first equipment public key signature according to the pre-land public key;
When the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts, then equipment replacement is executed Movement.
9. according to the method described in claim 8, it is characterized in that, the method also includes:
Receiving device activation instruction;
Generating device key pair is instructed according to the device activation;The device keys are to including device private and corresponding equipment Public key;
The equipment public key is reported into the service platform;The equipment public key reported is for generating the first equipment public key signature.
10. according to the method described in claim 9, it is characterized in that, described that the equipment public key reported to the service is flat Platform, comprising:
The equipment public key is encrypted according to preset manufacturer's private key, obtains the second equipment public key signature;
The equipment public key and the second equipment public key signature are transferred to the service platform, the second equipment public key label Name is used to indicate the service platform second equipment public key signature according to manufacturer's public key decryptions, when the equipment that decryption obtains is public The equipment public key of storage transmitting when key is consistent with the equipment public key of transmitting.
11. a kind of equipment replacement method is applied to portable device, which comprises
Obtain the equipment replacement order from service platform;
From the equipment replacement order extract equipment public key and the first equipment public key signature;The first equipment public key signature is to adopt The equipment public key encryption is generated with the platform private key of the service platform;
Read local pre-land public key corresponding with the platform private key;
Equipment public key is decrypted from the first equipment public key signature according to the pre-land public key;
When the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts, then equipment replacement is executed Movement.
12. according to the method for claim 11, which is characterized in that the method also includes:
Receiving device activation instruction;
Generating device key pair is instructed according to the device activation;The device keys are to including device private and corresponding equipment Public key;
The equipment public key is reported into the service platform;The equipment public key reported is for generating the first equipment public key signature.
13. according to the method for claim 12, which is characterized in that described that the equipment public key reported to the service is flat Platform, comprising:
The equipment public key is encrypted according to preset manufacturer's private key, obtains the second equipment public key signature;
The equipment public key and the second equipment public key signature are transferred to the service platform, the second equipment public key label Name is used to indicate the service platform second equipment public key signature according to manufacturer's public key decryptions, when the equipment that decryption obtains is public The equipment public key of storage transmitting when key is consistent with the equipment public key of transmitting.
14. a kind of ID authentication request processing unit, it is applied to portable device, which is characterized in that described device includes:
Module is established, for establishing and the communication connection of terminal;
Receiving module, the ID authentication request forwarded for receiving the terminal;
Generation module is used for when the communication connection is using default near field communication mode, then directly according to the body Part certification request generates authentication signature;
The generation module is also used to when the communication connection is using non-default near field communication mode, then etc. to be entered Confirmation instruction, and detect input confirmation instruction when according to the ID authentication request generate authentication signature;
Sending module, for the authentication signature to be sent to the terminal by the communication connection;The authentication signature is used Carry out authentication will be responded in the authentication signature in the instruction terminal.
15. device according to claim 14, which is characterized in that the generation module is also used to ask from the authentication Ask extraction using key ID information and parameters for authentication;Inquiry is corresponding with the application key ID information to apply private key;Root The parameters for authentication is encrypted according to the application private key and obtains authentication signature.
16. device according to claim 15, which is characterized in that the ID authentication request processing unit further includes counting Module:
Counting module, for after receiving the ID authentication request, the count value being locally stored currently to be counted from increasing Numerical value;
The generation module is also used to encrypt the parameters for authentication and the current count value according to the application private key, obtains Authentication signature;
The sending module is also used to that the authentication signature and current count value are sent to the end by the communication connection End.
17. a kind of equipment replacement device, is applied to portable device, described device includes:
Module is obtained, for obtaining the equipment replacement order from service platform;
Extraction module is used for from the equipment replacement order extract equipment public key and the first equipment public key signature;Described first sets Standby public key signature is to be generated using the platform private key of the service platform to the equipment public key encryption;
Read module, for reading local pre-land public key corresponding with the platform private key;
Deciphering module, for decrypting equipment public key from the first equipment public key signature according to the pre-land public key;
Execution module, for when the equipment public key of extraction, local equipment public key and the consistent equipment public key that decrypts, then Execute equipment replacement movement.
18. device according to claim 17, which is characterized in that described device further include receiving module, generation module and Reporting module:
Receiving module is used for receiving device activation instruction;
Generation module, for instructing generating device key pair according to the device activation;The device keys are to private including equipment Key and corresponding equipment public key;
Reporting module, for the equipment public key to be reported to the service platform;The equipment public key reported is for generating first Equipment public key signature.
19. a kind of computer readable storage medium is stored with computer program, when the computer program is executed by processor, So that the processor is executed such as the step of any one of claims 1 to 13 the method.
20. a kind of computer equipment, including memory and processor, the memory is stored with computer program, the calculating When machine program is executed by the processor, so that the processor is executed such as any one of claims 1 to 13 the method Step.
CN201810216813.2A 2018-03-16 2018-03-16 Identity authentication request processing method and device, and equipment resetting method and device Active CN110278083B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111315805.1A CN114039734B (en) 2018-03-16 2018-03-16 Device resetting method and device
CN201810216813.2A CN110278083B (en) 2018-03-16 2018-03-16 Identity authentication request processing method and device, and equipment resetting method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810216813.2A CN110278083B (en) 2018-03-16 2018-03-16 Identity authentication request processing method and device, and equipment resetting method and device

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202111315805.1A Division CN114039734B (en) 2018-03-16 2018-03-16 Device resetting method and device

Publications (2)

Publication Number Publication Date
CN110278083A true CN110278083A (en) 2019-09-24
CN110278083B CN110278083B (en) 2021-11-30

Family

ID=67957757

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201810216813.2A Active CN110278083B (en) 2018-03-16 2018-03-16 Identity authentication request processing method and device, and equipment resetting method and device
CN202111315805.1A Active CN114039734B (en) 2018-03-16 2018-03-16 Device resetting method and device

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202111315805.1A Active CN114039734B (en) 2018-03-16 2018-03-16 Device resetting method and device

Country Status (1)

Country Link
CN (2) CN110278083B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112887409A (en) * 2021-01-27 2021-06-01 珠海格力电器股份有限公司 Data processing system, method, device, equipment and storage medium
CN113872765A (en) * 2020-06-30 2021-12-31 华为技术有限公司 Identity credential application method, identity authentication method, equipment and device
CN113918266A (en) * 2021-11-23 2022-01-11 成都泰盟软件有限公司 Multi-terminal data synchronous response method based on local area network
WO2022052780A1 (en) * 2020-09-10 2022-03-17 华为技术有限公司 Identity verification method and apparatus, and device and storage medium
CN114697956A (en) * 2022-01-26 2022-07-01 深圳市三诺数字科技有限公司 Secure communication method based on double links and related equipment thereof

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103401844A (en) * 2013-07-12 2013-11-20 天地融科技股份有限公司 Operation request processing method and system
CN104580175A (en) * 2014-12-26 2015-04-29 深圳市兰丁科技有限公司 Equipment authorization method and device
CN105162605A (en) * 2015-09-28 2015-12-16 东南大学 Digital signature and authentication method
CN105871867A (en) * 2016-04-27 2016-08-17 腾讯科技(深圳)有限公司 Identity authentication method, system and equipment
CN106330854A (en) * 2015-06-30 2017-01-11 三星电子株式会社 MEthod for performing authentication and electronic device thereof
CN106326695A (en) * 2015-06-16 2017-01-11 联想(北京)有限公司 Information processing method and electronic device
CN106357679A (en) * 2016-10-24 2017-01-25 北京明华联盟科技有限公司 Method, system and client for password authentication, and server and intelligent equipment
CN107423583A (en) * 2017-07-18 2017-12-01 北京深思数盾科技股份有限公司 A kind of software protecting device remapping method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102011118367B4 (en) * 2011-08-24 2017-02-09 Deutsche Telekom Ag Method for authenticating a telecommunication terminal comprising an identity module at a server device of a telecommunication network, use of an identity module, identity module and computer program
CN103281188B (en) * 2013-05-23 2016-09-14 天地融科技股份有限公司 A kind of back up the method and system of private key in electronic signature token
CN105656624A (en) * 2016-02-29 2016-06-08 浪潮(北京)电子信息产业有限公司 Client side, server and data transmission method and system
CN106789018B (en) * 2016-12-20 2019-10-08 百富计算机技术(深圳)有限公司 Secret key remote acquisition methods and device
CN107612940A (en) * 2017-10-31 2018-01-19 飞天诚信科技股份有限公司 A kind of identity identifying method and authentication device

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103401844A (en) * 2013-07-12 2013-11-20 天地融科技股份有限公司 Operation request processing method and system
CN104580175A (en) * 2014-12-26 2015-04-29 深圳市兰丁科技有限公司 Equipment authorization method and device
CN106326695A (en) * 2015-06-16 2017-01-11 联想(北京)有限公司 Information processing method and electronic device
CN106330854A (en) * 2015-06-30 2017-01-11 三星电子株式会社 MEthod for performing authentication and electronic device thereof
CN105162605A (en) * 2015-09-28 2015-12-16 东南大学 Digital signature and authentication method
CN105871867A (en) * 2016-04-27 2016-08-17 腾讯科技(深圳)有限公司 Identity authentication method, system and equipment
CN106357679A (en) * 2016-10-24 2017-01-25 北京明华联盟科技有限公司 Method, system and client for password authentication, and server and intelligent equipment
CN107423583A (en) * 2017-07-18 2017-12-01 北京深思数盾科技股份有限公司 A kind of software protecting device remapping method and device

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113872765A (en) * 2020-06-30 2021-12-31 华为技术有限公司 Identity credential application method, identity authentication method, equipment and device
CN113872765B (en) * 2020-06-30 2023-02-03 华为技术有限公司 Identity credential application method, identity authentication method, equipment and device
WO2022052780A1 (en) * 2020-09-10 2022-03-17 华为技术有限公司 Identity verification method and apparatus, and device and storage medium
CN112887409A (en) * 2021-01-27 2021-06-01 珠海格力电器股份有限公司 Data processing system, method, device, equipment and storage medium
CN113918266A (en) * 2021-11-23 2022-01-11 成都泰盟软件有限公司 Multi-terminal data synchronous response method based on local area network
CN114697956A (en) * 2022-01-26 2022-07-01 深圳市三诺数字科技有限公司 Secure communication method based on double links and related equipment thereof
CN114697956B (en) * 2022-01-26 2023-04-11 深圳市三诺数字科技有限公司 Secure communication method and device based on double links

Also Published As

Publication number Publication date
CN110278083B (en) 2021-11-30
CN114039734B (en) 2023-03-24
CN114039734A (en) 2022-02-11

Similar Documents

Publication Publication Date Title
CN110278083A (en) ID authentication request treating method and apparatus, equipment replacement method and apparatus
EP4081921B1 (en) Contactless card personal identification system
CN110177354A (en) A kind of wireless control method and system of vehicle
CN107341387A (en) For the electronic stamp system and its control method strengthened safely
US11159329B2 (en) Collaborative operating system
CN105722013A (en) Bluetooth pairing method and device
CN105634737B (en) Data transmission method, terminal and system
CN110662222B (en) System and method for peer-to-peer wireless communication
CN102945526A (en) Device and method for improving online payment security of mobile equipment
AU2011356179A1 (en) Method for authenticating first communication equipment by means of second communication equipment
CN109274500A (en) A kind of key downloading method, client, encryption device and terminal device
CN106790080A (en) Secure communication of network method and apparatus between operation system and electronic certificate system
CN105325021B (en) Method and apparatus for remote portable wireless device authentication
CA3205906A1 (en) Establishing authentication persistence
CN105741116A (en) Fast payment method, apparatus and system
CN112425116B (en) Intelligent door lock wireless communication method, intelligent door lock, gateway and communication equipment
CN104735651A (en) Method, system and device for safely transmitting data
CN107888376B (en) NFC authentication system based on quantum communication network
CN106790078A (en) Safety communicating method and device between a kind of SDK and electronic certificate system
CN107786978B (en) NFC authentication system based on quantum encryption
CN104506509B (en) A kind of authentication method based on multifunctional safe certification terminal
CN113593088A (en) Intelligent unlocking method, intelligent lock, mobile terminal and server
CN106685931B (en) Smart card application management method and system, terminal and smart card
KR101853970B1 (en) Method for Relaying Authentication Number
CN106789013A (en) Mutual trust and encipher-decipher method and device between a kind of door lock encryption chip and SDK

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant