CN1148035C - Apparatus for securing user's information in mobile communication system connected to internet and method thereof - Google Patents

Apparatus for securing user's information in mobile communication system connected to internet and method thereof

Info

Publication number
CN1148035C
CN1148035C CNB008012245A CN00801224A CN1148035C CN 1148035 C CN1148035 C CN 1148035C CN B008012245 A CNB008012245 A CN B008012245A CN 00801224 A CN00801224 A CN 00801224A CN 1148035 C CN1148035 C CN 1148035C
Authority
CN
China
Prior art keywords
mobile station
web server
key
server
personal information
Prior art date
Application number
CNB008012245A
Other languages
Chinese (zh)
Other versions
CN1316147A (en
Inventor
崔熹昌
金圣恩
Original Assignee
三星电子株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to KR1019990025510A priority Critical patent/KR20010004791A/en
Application filed by 三星电子株式会社 filed Critical 三星电子株式会社
Publication of CN1316147A publication Critical patent/CN1316147A/en
Application granted granted Critical
Publication of CN1148035C publication Critical patent/CN1148035C/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network-specific arrangements or communication protocols supporting networked applications
    • H04L67/04Network-specific arrangements or communication protocols supporting networked applications adapted for terminals or networks with limited resources or for terminal portability, e.g. wireless application protocol [WAP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity ; Protecting confidentiality; Key management; Integrity; Mobile application security; Using identity modules; Secure pairing of devices; Context aware security; Lawful interception
    • H04W12/001Protecting confidentiality, e.g. by encryption or ciphering
    • H04W12/0013Protecting confidentiality, e.g. by encryption or ciphering of user plane, e.g. user traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity ; Protecting confidentiality; Key management; Integrity; Mobile application security; Using identity modules; Secure pairing of devices; Context aware security; Lawful interception
    • H04W12/04Key management, e.g. by generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity ; Protecting confidentiality; Key management; Integrity; Mobile application security; Using identity modules; Secure pairing of devices; Context aware security; Lawful interception
    • H04W12/10Integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/0823Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Application independent communication protocol aspects or techniques in packet data networks
    • H04L69/30Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32High level architectural aspects of 7-layer open systems interconnection [OSI] type protocol stacks
    • H04L69/322Aspects of intra-layer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/329Aspects of intra-layer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer, i.e. layer seven

Abstract

提供一种在通过一个互联网web服务器与web服务器通信的移动通信系统中,用于使从移动台发送的用户秘密信息保密的装置,其中响应于来自移动台和/或web服务器的数据请求选择涉及用户秘密信息的数据,选择的数据被以一个给定的格式加密,加密的数据被直接发送给web服务器和/或移动台,无需业务服务器任何附加的处理操作。 A provided via a mobile communication system in the Internet web server in communication with the web server, confidentiality of secret information for the user of the apparatus transmitted from the mobile station, wherein in response to data from the mobile station and / or the web server request selection involves data of the user's secret information, the selected data, the encrypted data is transmitted to a given encryption format directly to the web server and / or mobile stations, without any additional processing operations of the service server.

Description

连接到互联网的移动通信系统中用户信息保密装置及方法 Connected to the Internet in a mobile communication system and method for user information confidentiality apparatus

技术领域 FIELD

本发明涉及一种用于在和互联网通信的移动通信系统中的用户信息保密装置和方法。 The present invention relates to a confidential user information apparatus and method for Internet communication and a mobile communication system.

背景技术 Background technique

在移动通信中,近来的发展已能够使用户通过互联网,使用无线电通信技术实现所谓的电子贸易。 In mobile communications, recent developments have been able to make the user via the Internet, using radio communication technology called electronic trade. 为了促进在互联网上的电子贸易,当他或她和互联web(网络)服务器进行连接时,它提供了电子贸易的内容,最重要的事情是防止顾客的个人信息的泄漏。 In order to facilitate electronic commerce on the Internet, and when he or she is interconnected web (network) server connection, which provides the content of e-commerce, the most important thing is to prevent the leakage of customers' personal information. 据此,当使用互联网时,安全系统的目的是保密用户的个人信息,以便不受欢迎的用户不会窃取用户的个人信息,例如访问web服务器的口令,具有相关的进行交易的口令的信用卡号等等。 Accordingly, when using the Internet, the purpose of the security system is confidential user's personal information, so that users will not be unwelcome to steal users' personal information, such as passwords to access the web server, the password associated with a transaction of credit card numbers and many more.

在有线互联网通信中使用用于保护秘密信息的传统的安全系统一般采用安全套接字协议层(Secure Socket Layer)(SSL),它是由美国的NetscapeCompany提议的。 Traditional wired Internet communication security system for protecting secret information is used generally use Secure Socket Layer (Secure Socket Layer) (SSL), which is proposed by the United States NetscapeCompany. SSL系统以一种已知的仅由web服务器可读的方式编码来自顾客的信息。 SSL system encoded in a known manner readable only by the web server information from the customer. 然而,由于下面讨论的原因,SSL系统不适合用于无线或移动互联网通信系统。 However, for reasons discussed below, the SSL system is not suitable for mobile Internet or a wireless communication system.

首先,移动台有一个限制的存储容量,在SSL系统中不适合于实现web应用。 First, the mobile station has a limited memory capacity, the SSL system is not suitable for realizing a web application. 因此,传统的移动台未被设计为实现这样的web应用。 Therefore, the conventional mobile station is not designed to achieve such a web application. 第二,为了进行到互联网web服务器的无线连接,移动台首先必需和相关的互联网业务服务器连接,请求web内容业务。 Second, in order to perform a wireless connection to an Internet web server, the mobile station first of all necessary and relevant Internet service server connection request to the web content service. 在这种情况下,为了在整个网络中适当地实现和保护个人信息,在web服务器和业务服务器之间的安全系统应该有与在业务服务器和移动台之间的安全系统相同的标准。 In this case, in order to achieve proper protection and personal information across the network, the security system between the web server and the service server should have safety systems between the service server and the mobile station of the same standard. 然而,传统的安全系统不能在它们之间提供相同的标准。 However, traditional security systems can not provide the same standard between them. 如举例说明的例子,图1描述了一个在传统的安全系统中提供的传统的移动通信网系统。 As illustrated in the example, Figure 1 depicts a conventional mobile communication network system provided in a conventional security system. 如图示,SSL系统被在业务服务器和web服务器之间采用,但是具有不同系统的无线安全系统被在移动台和业务服务器之间采用。 As illustrated, the SSL system is between the service server and the web server uses, the wireless security system having a different system is employed between the mobile station and the service server. 因此,整个网络在其之间没有相同的标准。 Thus, it is not the entire network between the same standard. 据此,先有技术的安全系统有不同的系统和标准,不适合提供用于用户个人信息的保密装置。 Accordingly, the prior art security systems have different systems and standards, the security device is not suitable for providing the user personal information.

如上面所述,被设计来用于有线互联网通信系统的传统的安全系统不适合应用于无线互联网通信系统,因此,阻碍了使用移动通信技术通过互联网的电子贸易市场的迅速发展。 As described above, designed to conventional security systems for wired Internet communication system is not suitable for wireless Internet communication system, therefore, prevents the use of the rapid development of mobile communication technologies via the Internet electronic commerce market.

发明内容 SUMMARY

本发明的一个目的是,提供一种用于当使用移动互联网通信系统实现电子贸易时,使机密用户信息保密的装置和方法,其中先有技术的系统使用在有线互联网通信中采用的SSL系统。 An object of the present invention is to provide a method for using the mobile Internet when a communication system for electronic transactions, and a confidential user information security apparatus and method in which the prior art system uses SSL system using wired Internet communication.

本发明的另一个目的是,提供一种用于机密用户信息的保密装置和方法,其使用相同的标准,实现从移动台到web服务器端到端的安全性,以产生在移动台、业务服务器和web服务器之间的数据流。 Another object of the present invention is to provide an apparatus and method for privacy of confidential information for the user, using the same standard, from a mobile station to a web server-end security, to produce a mobile station, the service server, and data flow between a web server.

为实现本发明的上述目的的一个方面,本发明提供了一种在移动互联网通信系统中的安全交易期间交换的个人信息的保密系统,包括移动台,业务服务器和web(网络)服务器,其中:移动台,用于存储业务服务器的公共密钥,从业务服务器接收web服务器的凭证,通过使用业务服务器的公共密钥来解密凭证,以便检查凭证的版本,通过使用包括在凭证中的、web服务器的公共密钥,来产生使用于安全交易中的会话密钥,以及通过使用所产生的会话密钥和web服务器的公共密钥,来根据安全性加密/解密个人信息;web服务器,用于向业务服务器提供凭证,产生用于解密在移动台中加密的数据的安全密钥,通过使用安全密钥,来解密被加密到公共密钥的会话密钥,把通过解密的会话密钥在移动台中加密并发送的个人信息进行解密;以及业务服务器,位于移动台和w In order to achieve an aspect of the present invention the above object, the present invention provides a security system personal information exchanged during a secure transaction in a mobile Internet communication system including a mobile station, and the Web service server (web) server, wherein: the mobile station, for storing the public key of the service server, the web server receives the certificate from the service server, the service server by using a public key to decrypt the token to the version checking credentials, including by the use in the document, the web server public key, used for generating a secure transaction session key, and the public key using the generated session key and the web server, according to the security of the encryption / decryption personal information; web server configured to service server credentials, generate a security key for decrypting the encrypted data of the mobile station, the session key is encrypted by using the public key of the security key to decrypt the session key by decrypting the encryption in the mobile station and decrypting the personal information transmitted; and a service server located in a mobile station and w eb服务器之间,用于从web服务器接收凭证,当移动台请求安全连接到web服务器时,向移动台发送凭证,以及为在移动台与web服务器之间发送/接收的加密数据提供接口。 Eb between server for receiving credentials from a web server, when the mobile station requests a secure connection to the web server, sending credentials to the mobile station, and the encrypted data is transmitted between the mobile station and the web server / receiving provide an interface.

为实现本发明的上述目的的另一个方面,本发明提供了一种在移动互联网通信系统中的安全交易期间交换的个人信息的保密系统,包括:移动台,从业务服务器接收web服务器的公共密钥,通过使用业务服务器的公共密钥,来产生使用于安全交易中的会话密钥,以及通过使用所产生的会话密钥和web服务器的公共密钥,来根据安全性加密/密个人信息;web服务器,用于产生公共密钥,向业务服务器提供公共密钥,产生用于解密在移动台中加密的数据的安全密钥,通过使用安全密钥,来解密被加密到公共密钥的会话密钥,把通过解密的会话密钥在移动台中加密并发送的个人信息进行解密;以及业务服务器,位于移动台和web服务器之间,用于从web服务器接收公共密钥,当移动台请求安全连接到web服务器时,向移动台发送公共密钥,以及为在移动台与web服务器 In order to achieve another aspect of the present invention the above object, the present invention provides a security system during the exchange of personal information in a mobile Internet transaction a secure communication system, comprising: a mobile station, the web server receiving from the service server public cryptographic key, the public key used by the service server, for use in generating a secure transaction session key, and the public key using the generated session key and the web server, according to the information security of the encryption / personal secret; a web server for generating a common key, the public key to the service providing server, generating a security key for decrypting the encrypted data in the mobile station, the session is encrypted by the public key encrypted using the security key, to decrypt key, the personal information in the decrypted session key and sent by the mobile station decrypts the encrypted; and a service server, located between the mobile station and the web server for receiving the public key from the web server, a secure connection when the mobile station requests when the web server sends the public key to the mobile station, as well as the mobile station with the web server 之间发送/接收的加密数据提供接口。 Between transmitting / receiving encrypted data provide an interface.

为实现本发明的上述目的的又另一个方面,本发明提供了一种用于经一个业务服务器从与一个web服务器通信的移动通信系统的移动台发送的个人信息的保密方法,包括步骤:当移动台请求安全连接到web服务器时,从业务服务器向移动台发送凭证;接收用于从所述移动台或所述web服务器发送所述个人信息的请求;以一个预定的格式可选择地加密所述个人信息,以传送给所述移动台或web服务器中的一个;和由所述移动台或所述web服务器中的一个解密所述加密的个人信息,而不用由所述业务服务器进行任何干涉。 To achieve yet another aspect of the present invention the above object, the present invention provides a method for a service server via the personal information from the secure transmission method and a mobile station of the mobile communication web server communication system, comprising steps of: when the mobile station requests a secure connection to a web server, sent from the service server certificate to the mobile station; receiving a request for the web server transmits the personal information from the mobile station or; a predetermined format to selectively encrypting said personal information, to transmit to a mobile station or said web server; and a decrypting by said mobile station or said web server in the encrypted personal information, without any interference by the service server .

为实现本发明的上述目的的又另一个方面,本发明提供了一种用于在具有移动台、业务服务器、与web服务器的移动互联网通信系统中的个人信息保密方法,其中,所述的web服务器用于产生安全密钥和公共密钥,所述的业务服务器位于web服务器与移动台之间,用于从web服务器接收公共密钥,所述的方法包括步骤:当移动台请求到web服务器的安全交易时,从业务服务器向移动台发送公共密钥;通过使用公共密钥,由移动台产生使用于安全交易中的会话密钥,通过使用所产生的会话密钥和公共密钥,来根据安全性加密个人信息,并通过业务服务器向web服务器发送加密的个人信息;以及通过web服务器,把通过业务服务器接收的、加密的个人信息解密到加密的会话密钥,并通过解密的会话密钥将个人信息进行解密。 To achieve yet another aspect of the present invention the above object, the present invention provides a method for a mobile station having a service server, personal information security method for a mobile Internet communication system with the web server, wherein said web server for generating the security key and a public key, the service server is located between the web server and the mobile station, for receiving a public key from a web server, said method comprising the steps of: when the mobile station requests to the web server when the secure transaction, sent from the service server public key to the mobile station; by using the public key, is generated in use in the secure transaction session key by the mobile station, by using the generated session key and a public key to the security of personal information is encrypted and transmits the encrypted personal information to the web server via a service server; and by a web server, received by the service server, the encrypted personal information to decrypt the encrypted session key, and decrypted by the session secret personal information will be key to decrypt it.

为实现本发明的上述目的的又另一个方面,本发明提供了一种用于在移动互联网通信系统中发送的数据的保密方法,这种类型的通信系统具有一web服务器、用于和所述web服务器交换数据的一个移动台、和与所述移动台和所述web服务器通信的一个代理业务服务器,该方法包括步骤:由所述移动台请求连接,以经所述业务服务器从所述web服务器接收电子数据;响应于所述移动台的所述请求,由所述web服务器产生一个公共密钥和一个保密密钥;由所述web服务器发送所述公共密钥给所述移动台,以在所述移动台中登记;由所述业务服务器发送一个新的凭证给所述移动台;由所述移动台决定在所述移动台中先前登记的凭证与从所述业务服务器接收的新的凭证是否是一样的;如果所述新的凭证与所述先前登记的凭证是一样的,则由所述移动台使用一个由从所述w To achieve the above object of the present invention, yet another aspect, the present invention provides a method for transmitting confidential Internet in a mobile data communication system, this type of communication system having a web server, and for the a web server in a mobile station to exchange data, and a proxy service to the mobile station and a server in communication with the web server, the method comprising the steps of: by the mobile station requests a connection to the service server via the web from a server receiving electronic data; said mobile station in response to the request, generates a public key and a secret key of the web server; sending the public key of the web server to the mobile station to registering in the mobile station; sending, by the service server a new credential to the mobile station; determined by the mobile station whether the mobile station previously registered in the certificate with a new certificate received from the service server are the same; and if the new certificate with the certificate previously registered the same, by the mobile station from using one of said w eb服务器接收的所述公共密钥产生的会话密钥来加密个人信息,和加密所述公共密钥,以产生一个对称密钥,和经所述业务服务器发送所述加密的个人信息和所述产生的对称密钥给所述web服务器;和由所述web服务器解密从所述移动台接收的所述对称密钥,以变换回到所述会话密钥,和使用所述变换的会话密钥和所述保密密钥,解密所述加密的个人信息。 Eb session key to the public key generated by the server receives personal information is encrypted, and the encrypted public key to produce a symmetric key, and through the service server sends the encrypted personal information and the generating a symmetric key to the web server; and said decrypted by the web server receiving from the mobile station symmetric key, transformed back to the session key, and using the transformed session key and the secret key, decrypting the encrypted personal information.

本发明现在将参考附图仅通过例子更明确的描述。 The invention will now by way of example only with reference to the accompanying drawings described more specifically.

附图说明 BRIEF DESCRIPTION

图1是一个示意图,用于说明具有传统的移动安全系统的传统的移动互联网通信系统;图2是一个类似于图1的示意图,说明按照本发明的一个移动安全系统;图3是一个示意图,用于说明在移动互联网通信中按照本发明的安全系统发送一个普通的web文件和秘密数据的过程;和图4是一个流程图,用于说明按照本发明的移动互联网通信使用户信息安全的处理。 FIG 1 is a schematic diagram for explaining the conventional mobile Internet communication system having a conventional mobile security system; FIG. 2 is a schematic view similar to Figure 1, a mobile security system described according to the present invention; FIG. 3 is a schematic, used in the mobile Internet communication in accordance with security system of the present invention transmits a common web files and processes secret data; and FIG. 4 is a flowchart for explaining the present invention in accordance with the mobile Internet communication security processing user information .

具体实施方式 Detailed ways

在下面的描述中,为了解释的目的而不是限制,为了提供一个本发明的准确的理解,提出特定细节,例如特定的结构、接口、技术等等。 In the following description, for purposes of explanation and not limitation, in order to provide a precise understanding of the present invention, a specific details, such as particular structures, interfaces, techniques, and the like. 然而,对那些在本领域内的普通技术人员来说是很明显的,离开这些特定的细节,本发明可能被以另外的实施例实现。 However, those of ordinary skill in the art is obvious, leaving these specific details, the present invention may be implemented in further embodiments. 为了简洁的目的,已知装置、电路详细和方法的描述被省略,以便不会使不必要的细节使本发明的描述模糊。 For brevity, the known device, the detailed description of the circuit, and methods are omitted so as not to cause unnecessary detail description of the invention vague.

为了提供一个保证的标准,声称的消息发送者事实上是真正的消息发送者,数字/电子签名可以使用各种已知的方法加密。 In order to provide a guaranteed standard, the message sender claims that in fact the true sender of the message, the digital / electronic signature can be encrypted using a variety of known methods. 按照本发明适合于应用的加密的算法是Riverst-Shamier-Adleman(RSA)公共密钥算法,在目前的电子贸易安全系统中它是最广泛使用的算法。 Encryption algorithm according to the invention is suitable for the application of Riverst-Shamier-Adleman (RSA) public key algorithm, in the current e-commerce security system, it is the most widely used algorithms. 基于素数因子分解,RSA算法既提供加密又提供电子签名(或加密密钥)。 Based on prime factorization, RSA algorithm provides both encryption and electronic signature (or encryption keys). 即,RSA算法的原理是基于这样的事实,即,更容易计算两个素数“p”和“q”的乘积,但是从乘积“n”中提取出“p”和“q”是困难的,“n”是由“p”和“q”的乘积获得的。 That is, the principle of the RSA algorithm is based on the fact, i.e., easier to compute two prime numbers "p" and the product of "q", but extracted from the product "n" of "p" and "q" is difficult, "n" is a product of "p" and "q" is obtained. 也就是说,使用两个密钥,一个是公共密钥,第二个是保密密钥,以便每当使用保密密钥加密时,仅用公共密钥解密,反之亦然。 That is, using two keys, a public key, a second secret key, so that each time using a secret key encryption, public key decryption only, and vice versa. 在本发明的实施例中,RSA算法产生公共密钥和保密密钥用于加密/解密一个会话密钥。 In an embodiment of the present invention, RSA algorithm generates a public key and a secret key to encrypt / decrypt a session key. 公共密钥由顾客使用加密会话密钥,然后发送加密的会话密钥送回给服务器。 Customers using the public key to encrypt the session key, and then send the encrypted session key is sent back to the server. 服务器用它的保密密钥解密会话密钥和建立与顾客的安全连接。 Server using its secret key to decrypt the session key and establish a secure connection with customers.

此外,在本发明的实施例中,用于产生会话密钥的算法使用SEED(种子)对称密钥算法,SEED对称密钥算法是基于韩国数据加密标准和使用由韩国信息安全机构(KISA)开发的用于公共电子贸易的128位块加密算法。 Further, in the embodiment of the present invention, the algorithm used for generating the SEED (seed) symmetric key algorithms session key, the SEED symmetric key algorithm is based on Korean Data Encryption Standard and used by the Korea Information Security Agency (KISA) Development 128-bit block encryption algorithm used for public electronic trade. SEED对称算法可选的有8、16和32位数据处理,以块加密的方式解密,输入/输出短语(phrase)和输入密钥是128位。 SEED symmetric algorithms 8, 16 and optional 32-bit data processing, to decrypt the block encryption mode, the input / output phrases (phrase) and the input key is 128 bits. 它也被设计来保证微分密码分析学(DC)/线性密码分析学(LC),包括快于数据加密标准(DES)三倍的加密/解密速度。 It is also designed to ensure that the differential cryptanalysis (the DC) / linear cryptanalysis (LC), comprising faster than the Data Encryption Standard (DES) encryption / decryption speed three times. 它的结构是基于Feistel,和内部函数设计为使用由变换非线性函数获得的查寻表。 Its structure Feistel, internal functions and is designed to use a lookup table obtained by the conversion based on a nonlinear function. 在本发明中,SEED对称密钥算法应用12轮,以产生会话密钥,通过它加密用户的信息数据。 In the present invention, the SEED symmetric key algorithm 12 to generate a session key, encrypted with it the user's information data.

按照本发明,在移动互联网通信中,移动台、互联网业务服务器和web服务器可以如下面描述的那样工作。 According to the present invention, in the mobile Internet communication, a mobile station, operates as Internet service and web servers may be as described below.

首先,移动电话被提供一个连接web服务器所需的本发明的安全程序,以接收公共密钥和内部产生在安全交易时使用的会话密钥。 First, the mobile phone is connected to a program of the present invention is required to secure a web server, to receive a public key and an internally generated session key for use in secure transactions. 会话密钥用于加密和解密数据。 Session key used to encrypt and decrypt data. 按照RSA算法和128位SEED算法实现加密。 According to RSA encryption algorithm and 128-bit SEED algorithm. web服务器使用RSA算法产生公共密钥和保密密钥,通过发送公共密钥给移动台,可以使移动台实现安全交易。 web server using the RSA algorithm to generate a public key and a secret key by sending the public key to the mobile station, the mobile station can implement secure transactions. 接收的公共密钥用于产生会话密钥,以加密由移动台发送的数据,移动台使用SEED算法产生会话密钥。 Receiving a public key for generating a session key to encrypt data transmitted by the mobile station, the mobile station generates a session key using the SEED algorithm. 然后,web服务器使用保密密钥解密会话密钥,用于加密由移动台发送的数据。 Then, web server using a secret key to decrypt the session key used to encrypt data transmitted by the mobile station. 也就是说,使用公共密钥加密的数据仅通过使用保密密钥被解密,反之亦然。 That is, data is encrypted using a common key is decrypted only by using the secret key, and vice versa. 因此,web服务器使用RSA保密密钥解密使用SEED算法产生的会话密钥,按照128位对称密钥SEED的加密和解密,解密的会话密钥用于解密加密的数据。 Thus, web servers using the RSA secret key decryption algorithm using a session key generated SEED, SEED symmetric key 128 in accordance with the encryption and decryption, the decrypted session key for decrypting the encrypted data.

按照本发明的实施例,当web服务器产生一对它自己的公共密钥和保密密钥时,在移动台和web服务器之间的数据处理开始。 According to an embodiment of the present invention, when the web server generates a public key and its own secret key, the data processing between the mobile station and the web server started. 公共密钥被发送给业务服务器,然后在请求时被修正并作为凭证发送给移动台。 The public key is transmitted to the service server, then the request is corrected as when the voucher to the mobile station. 对此,移动台已被授权使用,通过转发需要的数据,业务服务器担当在移动台和web服务器之间的媒介。 In this regard, the mobile station is authorized to use, by forwarding the required data, business server acts as an intermediary between the mobile station and the web server. 然后,移动台存储公共密钥,以内部产生一个会话密钥来加密要发送给web服务器的机密数据。 Then, the mobile station stores the public key, to generate an internal session key to encrypt the confidential data to be transmitted to the web server. 为了产生会话密钥,移动台加密接收的公共密钥,以产生要发送给web服务器的对称密钥。 To generate a session key, the mobile station receives a public key encryption to generate a symmetric key to be transmitted to the web server. 此后,web服务器用它自己的保密密钥解密对称密钥。 Since then, web server with its own secret key to decrypt the symmetric key. 用解密的对称密钥,web服务器解密从移动台接收的加密的数据。 Decrypted with a symmetric key, web server decrypts the encrypted data received from the mobile station. 在相反的传送中,web服务器使用从移动台接收的对称密钥加密要被发送给移动台的数据。 In the opposite transmission, web servers using a symmetric encryption key received from the mobile station to be transmitted to the data of the mobile station. 移动台接下来使用先前发送给web服务器的对称密钥来解密从web服务器接收的加密的数据。 Next, the mobile station using the previously transmitted to the web server symmetric key to decrypt the received encrypted data from a web server. 在本发明的实施例中,业务服务器被作为代理服务器设置。 In an embodiment of the present invention, the service server is provided as a proxy server.

在移动互联网通信的每一通路上的数据格式结合附图2描述,其中在移动台、业务服务器和web服务器之间的安全系统使用本发明的移动微安全系统(MMS)。 Each data format on the Internet via the mobile communication described in conjunction with Figure 2, wherein the movable micro-security system (MMS) in the security system of the present invention between the mobile station, service server and a web server. 即,在移动台和web服务器之间采用相同的标准MMS。 That is, between the mobile station and the web server using the same standard MMS. 由于在公共密钥被首次发送给移动台时,web服务器的公共密钥是被以web服务器的保密密钥电子标记的,在移动台和移动通信网络之间的路径不会被电脑黑客使用伪造的公共密钥篡改。 Since the first time when the public key is transmitted to the mobile station, the public key of the web server is an electronic tag to the secret key of the web server, the path between the mobile station and the mobile communication network will not be hackers using false public key tampering. 此外,由移动台加密的数据分组是以128位码的格式,以便电脑黑客不会理解原始文件的内容。 Further, the encrypted data packets by the mobile station is in a format of 128 yards, so hackers will not understand the contents of the original file. 进一步,当电脑黑客经互联网从移动网络移动到业务服务器时,它不会窃取数据分组。 Further, when a hacker from the mobile network to the mobile service server through the Internet, it will not steal data packets. 由于在移动通信网络和业务服务器之间的路径使由移动台加密的数据分组经互联网以128位的格式给业务服务器时,这是可以实现的,因此防止了电脑黑客窃取它的内容。 Since the path between the mobile communication network and a service server that the encrypted data packets by the mobile station to the service server through the Internet when the 128-bit format, which can be achieved, thus preventing the computer from hackers its contents.

此外,通过采用本发明黑客检测系统的防火墙来保护业务服务器的内部网络。 Further, by using the detection system of the present invention, the hacker firewall to protect the internal network service server. 业务服务器将加密的数据从移动台简单地传送到web服务器而不在其中进行任何处理操作。 The service server simply passes the encrypted data from the mobile station to a web server without any processing operations therein. 另外,通常采用一经其传送128位加密数据的专用线来连接业务服务器和web服务器,从而使黑客难以接入。 Further, usually via a dedicated line 128 transfers the encrypted data to the service server and the web server is connected, so that it is difficult to access by hackers.

进一步,因为web服务器接收由移动台按照128位SEED算法随机产生的对称密钥,按照本发明的电脑窃取检测系统被实现。 Further, because the web server receives the symmetric key by the mobile station 128 in accordance with a randomly generated SEED algorithm, according to the present invention, computer theft detection system is implemented. 然后,web服务器使用RSA保密密钥安全地解密从移动台接收的该128位加密数据。 Then, web servers using the RSA secret key 128 securely decrypts the encrypted data received from the mobile station. 以这种方式,移动台的加密数据仅可以由web服务器解密,来自web服务器的加密的数据仅可由移动台解密。 In this manner, the mobile station encrypted data can be decrypted only by the web server, the encrypted data from the web server may decrypt only the mobile station. 后者是可能的,因为web服务器的SEED对称密钥也可以相反的操作被发送给移动台。 The latter is possible because the SEED web server may be a symmetric key operation of the mobile station is transmitted to the opposite.

在被发送之前,在移动台和web服务器之间进行通信时,在发送前,由会话密钥加密每个消息,在接收端由会话密钥解密,其中从移动台产生的会话密钥使用公共密钥被加密和作为对称密钥产生。 Before being transmitted, when the communication between a mobile station and a web server, before sending, by the session key to encrypt each message, on the receiving end decrypts the session key, wherein the session key generated from the mobile station in the public as a symmetric key is encrypted and the key generation. 为此,移动台被安装安全程序,用于和安全业务服务器连接。 For this purpose, the mobile station security program is installed, and for safety services connected to the server. 安全程序的作用是从web服务器接收公共密钥和接下来在内部产生会话密钥去加密个人信息,并从移动台发送给web服务器。 Role of the safety program is received from the web server and the public key to produce a session key to encrypt the following personal information from the mobile station and transmitted to the web server therein. 也就是说,按照RSA加密和128位SEED对称密钥,会话密钥用于加密和解密秘密数据。 That is, according to the 128-bit RSA encryption and SEED symmetric key, the session key for encrypting and decrypting secret data.

图3图示出不用任何加密的一个普通的web文件的传输,和按照本发明的被加密的秘密数据的传输。 FIG 3 illustrates a transmitted without any encryption ordinary web document, and transmission according to the present invention, the encrypted secret data. 即,业务服务器在移动台和web服务器之间通过一个代理服务器发送一个普通web文件,在它们之间发送个人数据而不用任何附加的处理操作。 I.e., normal web service server sends a file through a proxy server between the mobile station and the web server, the transmission of personal data between them without any additional processing operations. 如在图3中示出的,由于在无线互联网通信中可发送和处理限量的数据,按照本发明,两个不同的数据传输可操作。 As shown in FIG. 3, since the Internet can be transmitted in a wireless communication processing and a limited amount of data, according to the present invention, two different data transmission operable. 因此,只有需要对一个不受欢迎的第三者保密的个人/秘密数据直接在移动台和web服务器之间发送。 Therefore, only the need for an unwelcome third party confidential personal / private data sent directly between the mobile station and the web server.

按照本发明的实施例,用图4描述当移动台试图和web服务器连接时用户信息的保密过程,其中在步骤310移动台登记业务服务器接收的公共密钥,它是硬敷(hard-coated)在移动台的web浏览器上。 According to an embodiment of the present invention, with Figure 4 describes the process when a confidential user information when the mobile station attempts connection and a web server, wherein the public key at step 310 the mobile station receives the registration service server, which is a hardcoat (hard-coated) on the web browser of the mobile station. 业务服务器伴随它的凭证版本信息登记公共密钥、凭证和web服务器的地址,它们是按照相应的由web服务器交付的数据周期地修正的。 Business server along with its version information registration certificate address public key certificate and web servers, which are in accordance with the corresponding period of the data delivered by the web server to the amendment. 在步骤312,移动台相应于用户的请求来请求和web页连接,以接收电子文件。 At 312, the mobile station corresponding to the user's request and the steps to request a web page, for receiving the electronic file. 这个请求是通过用于请求电子文件可以访问个人/秘密信息的“得到(GET)”命令直接发送给web服务器的。 This request is a request by the electronic file can access personal / secret information "to get (GET)" command is sent directly to the web server. 这时,业务服务器不对正被发送给web服务器的GET命令进行任何的附加处理操作,这里,web服务器可以是一个银行服务器、一个股票交易服务器等等。 At this time, the service server does the GET command is being sent to a web server any additional processing operations, here, the bank web server may be a server, a stock transaction server and the like.

在步骤314,当从移动电话接收到请求时,被请求连接的web服务器决定要被加密的数据,然后通过业务服务器将结果通知给移动电话。 In step 314, upon receiving a request from the mobile phone, the connection is requested to the web server determines the encrypted data, and then notifies the result to the service server via the mobile telephone. 要被加密的数据包括个人/秘密信息,例如一个口令和一个信用卡号。 To be encrypted data, including personal / confidential information, such as a credit card number and a password. 其它的数据例如用户的注册ID、普通字符信息等等不需要加密,以便加密的数据数量可以减少。 Other data such as a user ID registration, the ordinary character information and the like need not be encrypted, so the encrypted data quantity can be reduced. 这是很有用的,因为和有线互联网通信相比,移动互联网通信要处理的数据的数量是很有限的。 This is useful, because the wired Internet communications and compared, the number of mobile Internet communication data to be processed is very limited. 在步骤316,业务服务器发送周期地由web服务器修正的目前登记的凭证版本给移动台。 In step 316, the service server by the web server periodically transmits the corrected version of the current registration certificate to the mobile station. 凭证版本提供可被用于确认消息源的关于web服务器的主机名、IP地址和公共密钥的更新的信息。 Proof version offers a host name on the web server can be used to confirm the source of the message, updates the IP address and public key. 然后,移动台决定是否接收的凭证版本和先前登记的版本是一样的。 The mobile station then decide whether to release documents received and previously registered version is the same. 先前登记的版本是由移动台从先前访问的相同的web服务器下载的。 Previously registered version is downloaded by the mobile station from the same web server previously visited. 如果它们是一样的,用它先前登记的版本实现加密。 If they are the same, with its previously registered version of encryption.

另一方面,如果是不相同的,移动台请求业务服务器发送一个新版本的凭证。 On the other hand, if it is not identical, the mobile station requests service server sends a new version of the document. 这个请求是由“CERT”命令进行的,它是在移动台和业务服务器之间预先安排的用于发送凭证的协议。 This request is a "CERT" command, which is between a mobile station and the service server for transmitting prearranged protocol credentials. 响应于命令“CERT”,在步骤320,业务服务器发送目前登记的web服务器的凭证。 In response to a command "CERT", at step 320, the service server transmits the web server credentials currently registered. 亦即,如果有一个移动台对一个新的凭证版本的请求,具有周期地从web服务器上(内容服务器)下载的更新的信息的业务服务器(或代理服务器)发送一个响应消息,包括报头(header)和正文。 That is, if there is a mobile station to a new credential release request having periodically from the web server updates (contents server) download service server information (or proxy server) sends a response message, including a header (header ) and text. 在报头中,数字SIGN(由移动台请求的web服务器的公共密钥签名)附于其中,凭证(主机名、IP地址和公共密钥)附于正文部分。 In the header, the digital SIGN (web server public-key signature is requested by the mobile station) attached thereto, the credentials (the host name, IP address and public key) is attached to the body part.

在步骤322,移动台接收来自业务服务器的响应消息,由验证在报头中的数字SIGN鉴别凭证的正文。 In step 322, the mobile station receives a response message from the service server, the authentication header in the digital certificate authentication SIGN body. 即,移动台检查是否数字SIGN相应于web服务器的公共密钥,也检查是否正文被损坏。 That is, the mobile station checks whether the digital SIGN public key corresponding to the web server, checks whether the text is also damaged. 如果数字SIGN得到确认,移动台恢复被包含在凭证中的公共密钥,修正其中的其凭证表。 If the digital SIGN confirmed, the mobile station is included in the public key recovery credential, wherein the correction table of its credentials. 在步骤324,使用包含在凭证中的公共密钥,产生会话密钥,用于用户的信息安全传输。 In step 324, using the public key contained in the document, and generating a session key for secure transmission of user information. 如上面所描述的,按照128位SEED算法产生会话密钥,它用于加密由移动台用户发送的个人数据。 As described above, the session key is generated in accordance with the SEED algorithm 128, which is used to encrypt the personal data transmitted by the mobile station user. 在步骤326,用户的信息被会话密钥加密实现安全数据。 In step 326, the user information is encrypted session key for secure data. 在步骤328,会话被公共密钥加密以产生对称密钥。 In step 328, the session is public key encryption to generate a symmetric key.

在步骤330,由使用公共密钥加密会话密钥获得的对称密钥以及由会话密钥加密的数据经业务服务器被发送给web服务器,当然,业务服务器不对正发送给web服务器的数据进行任何另外的操作,然后,在步骤332,web服务器使用保密密钥解密包含在从移动台接收的用户信息中的对称密钥,以产生一个会话密钥。 In step 330, the symmetric key using the public key encrypted session key obtained by the key is transmitted and the encrypted session data to the web server via a service server, of course, not the service server data being sent to the web server any additional operation, then, at step 332, web server using a secret key to decrypt the symmetric key contained in the user information received from the mobile station to generate a session key. 在步骤334,web服务器使用产生的会话密钥解密用户信息,即,由移动台加密的安全数据,以便可恢复原始数据,从而原始数据可被web服务器处理。 In step 334, the web server using the session key to decrypt the user information generated, i.e., the encrypted security data by the mobile station, in order to restore the original data, so that the original data may be a web server process.

同时,在步骤320,使用散列函数产生一个散列值(即,消息文摘5(MD5))。 Meanwhile, in step 320, using the hash function produces a hash value (i.e., message digest 5 (MD5)). MD5是用于加密的功能协议,其中如果结果与凭证相符,则认为数据传输已正常完成而没有任何外部的电脑黑客。 MD5 is a functional protocol for encryption, wherein if the credentials match with the result, that the data transfer has been normally completed without any external hackers. 对凭证的内容产生128位散列值(即,128位字母序列),用业务服务器的保密密钥加密,然后添加到凭证中。 Content certificate 128 to generate a hash value (i.e., sequence of letters 128), encrypted with the secret key of the service server, and then added to the document. 当移动台接收凭证时,移动台取加密的散列值,用业务服务器的公共密钥解密它。 When the mobile station receives the credentials, the mobile station takes encrypted hash value, decrypting it with the public key of the service server. 然后,为校验凭证还未被窃取,移动台再次产生凭证散列值且将它与解密的散列值比较,如果两者匹配,凭证是有效的。 Then, in order to verify the credentials it has not been stolen mobile generated certificate hash value again and compares it to the decrypted hash value, if the two match, the credential is valid. 据此,一个安全的散列值用于认证消息,保证从业务服务器发送的数据在途中未被窃取,然后,校验web服务器的公共密钥有效,并执行步骤324。 Accordingly, a secure hash value for an authentication message, to ensure that data from the service server sends a theft is not the way, then, the web server public key verification is valid, and step 324 is executed.

虽然先前的描述涉及从移动台发送给web服务器的用户信息,它也适用于需要安全性的用户信息的相反的传输。 While the previous description refers to the user information transmitted from the mobile station to a web server, it also applies to the opposite transmission requires user security information. 在这种情况下,移动台同样可以使用公共密钥和保密密钥解密来自web服务器的加密的信息。 In this case, the mobile station may use the same public key and secret key from the web server decrypts the encrypted information.

此外,用于移动台和web服务器的安全交易应用程序被如下面所描述的那样准备。 In addition, security trading application for a mobile station and a web server that is prepared as described below.

首先,用于通过加密/解密保护用户信息的HTML文件被准备和上载给web服务器。 First of all, for the encryption / decryption to protect user information HTML file is prepared and uploaded to the web server. 通过使用在互联网协议中定义的类属性,由互联网搜索引擎区分需要加密/解密的HTML文件和普通HTML文件。 By using the class attributes defined in the Internet protocol, the Internet search engines distinguish require encryption / decryption and ordinary HTML files HTML files. 这可通过指定类为安全指示符“SCURE”来实现,它表示要被加密的相应字段。 This may be achieved as a safety indicator "SCURE" by specifying a class that represents a corresponding field to be encrypted.

因此,本发明提供一个装置,用于在移动互联网中保密用于电子贸易的用户信息。 Accordingly, the present invention provides a means for mobile Internet user information confidentiality of electronic commerce.

虽然本发明连同实施例伴随附图已加以描述,对那些在本领域中的普通技术人员来说是很清楚,可以进行各种变化和修改而不脱离本发明的宗旨。 While the embodiments of the present invention in conjunction with accompanying drawings have been described, it is apparent to those of ordinary skill in the art, the various changes and modifications may be made without departing from the spirit of the invention.

Claims (18)

1.一种在移动互联网通信系统中的安全交易期间交换的个人信息的保密系统,包括移动台,业务服务器和Web(网络)服务器,其特征在于,其中:移动台,用于存储业务服务器的公共密钥,从业务服务器接收web服务器的凭证,通过使用业务服务器的公共密钥来解密凭证,以便检查凭证的版本,通过使用包括在凭证中的、web服务器的公共密钥,来产生使用于安全交易中的会话密钥,以及通过使用所产生的会话密钥和web服务器的公共密钥,来根据安全性加密/解密个人信息;web服务器,用于向业务服务器提供凭证,产生用于解密在移动台中加密的数据的安全密钥,通过使用安全密钥,来解密被加密到公共密钥的会话密钥,把通过解密的会话密钥在移动台中加密并发送的个人信息进行解密;以及业务服务器,位于移动台和web服务器之间,用于从web服务器接收 A secure transaction exchanged during a mobile Internet communication system, personal information security system including a mobile station, and the Web service server (web) server, wherein, wherein: the mobile station, the service server for storing public key, received from the service server credential web server, by using a public key to decrypt the service server certificate to check the version of the certificate, including through the use of the credential, the public key of the web server, to be produced using secure transaction session key, and the public key by using the generated session key and a web server, according to the security of the encryption / decryption personal information; web server for providing credentials to a service server, generating for decrypting the mobile station in the secure key data encrypted, is encrypted by using a security key to decrypt the session key to the public key, the personal information transmitted by decrypting the decrypted session key and encryption in the mobile station; and service server, a web server located between the mobile station and for receiving from the web server 证,当移动台请求安全连接到web服务器时,向移动台发送凭证,以及为在移动台与web服务器之间发送/接收的加密数据提供接口。 Card, when the mobile station requests a secure connection to the web server, sending credentials to the mobile station, and the encrypted data is transmitted between the mobile station and the web server / receiving provide an interface.
2.如权利要求1所述的系统,其特征在于,其中,当在数据中检测到包括预定类属性的安全指示时,就确定为移动台请求安全连接到web服务器的情况。 2. The system according to claim 1, characterized in that, wherein, when detecting an indication comprises a predetermined safety class attribute in the data, it is determined that the request to the web server where a secure connection for the mobile station.
3.如权利要求2所述的系统,其特征在于,其中所述数据的加密/解密是按照Riverst-Shamier-Adleman(RSA)公共密钥算法RSA算法和SEED对称密钥算法实现的,所述SEED对称密钥算法是基于由韩国信息安全机构(KISA)开发的韩国数据加密标准的。 3. The system according to claim 2, characterized in that, where the encryption / decryption of the data in accordance with Riverst-Shamier-Adleman (RSA) public key algorithm RSA algorithm and a SEED symmetric key algorithm, said SEED symmetric key algorithm is based on the Korea information security agency (KISA) developed by Korea data encryption standard.
4.一种在移动互联网通信系统中的安全交易期间交换的个人信息的保密系统,其特征在于,包括:移动台,从业务服务器接收web服务器的公共密钥,通过使用业务服务器的公共密钥,来产生使用于安全交易中的会话密钥,以及通过使用所产生的会话密钥和web服务器的公共密钥,来根据安全性加密/解密个人信息;web服务器,用于产生公共密钥,向业务服务器提供公共密钥,产生用于解密在移动台中加密的数据的安全密钥,通过使用安全密钥,来解密被加密到公共密钥的会话密钥,把通过解密的会话密钥在移动台中加密并发送的个人信息进行解密;以及业务服务器,位于移动台和web服务器之间,用于从web服务器接收公共密钥,当移动台请求安全连接到web服务器时,向移动台发送公共密钥,以及为在移动台与web服务器之间发送/接收的加密数据提供接口。 4. A during a secure exchange transaction in a mobile communication system, Internet system security of personal information, characterized by comprising: a mobile station, the web server receives the public key from the service server, the service server by using the public key , for use in generating a secure transaction session key, and the public key using the generated session key and the web server, according to the security of the encryption / decryption personal information; a web server for generating a common key, providing to the service server public key, generating a security key for decrypting the encrypted data of the mobile station, the session key is encrypted by using the public key of the security key to decrypt the decrypted by the session key the mobile station transmits the personal information is encrypted and decrypted; and a service server, located between the mobile station and the web server for receiving the public key from the web server, when the mobile station requests a secure connection to the web server, to the mobile station transmits the common key, and the encrypted data are transmitted between the mobile station and the web server / receiving provide an interface.
5.如权利要求4所述的系统,其特征在于,还包括一个业务服务器,用于直接在所述移动台和所述web服务器之间发送所述加密的个人信息,而不用由所述业务服务器进行另外的干涉。 5. The system according to claim 4, characterized in that, further comprising a service server for transmitting the encrypted directly between the mobile station and the web server personal information, instead of by the service server for additional intervention.
6.如权利要求4所述的系统,其特征在于,其中由所述会话密钥进行的所述个人信息的加密/解密是按照Riverst-Shamier-Adleman(RSA)公共密钥算法RSA算法和SEED对称密钥算法实现的,所述SEED对称密钥算法是基于由韩国信息安全机构(KISA)开发的韩国数据加密标准的。 6. The system of claim 4, wherein the encryption / decryption wherein said personal information by said session key in accordance Riverst-Shamier-Adleman (RSA) public key algorithm RSA algorithm and a SEED symmetric key algorithm, said SEED symmetric key algorithm is based on the Korea information security agency (KISA) developed the Korean data encryption standard.
7.一种用于经一个业务服务器从与一个web服务器通信的移动通信系统的移动台发送的个人信息的保密方法,其特征在于,包括步骤:当移动台请求安全连接到web服务器时,从业务服务器向移动台发送凭证;接收用于从所述移动台或所述web服务器发送所述个人信息的请求;以一个预定的格式可选择地加密所述个人信息,以传送给所述移动台或web服务器中的一个;和由所述移动台或所述web服务器中的一个解密所述加密的个人信息,而不用由所述业务服务器进行任何干涉。 7. A method of confidential personal information from the mobile station transmits a mobile communication web server communication system, characterized by a service server, comprising steps of: when the mobile station requests a secure connection to a web server, from service server sends credentials to the mobile station; receiving a request for the personal information from the mobile station or said web server; optionally in a predetermined format the encrypted personal information, for transmission to the mobile station or a web server; by the mobile and a decrypt the encrypted personal information table or the web server, without any interference by the service server.
8.如权利要求7所述的方法,其特征在于,还包括以下步骤,在接收发送所述个人信息的所述请求以后,从所述互联网业务服务器发送一个凭证给所述移动台。 8. The method according to claim 7, characterized in that, further comprising the step of, after receiving the transmission request for the personal information transmitted from the internet service server said credentials to a mobile station.
9.如权利要求8所述的方法,其特征在于,其中所述业务服务器预先登记要被发送给所述移动台的所述web服务器的凭证,以便当所述移动台请求与所述web服务器连接时,存储在所述移动台中的先前登记的凭证被更新。 9. The method according to claim 8, characterized in that, wherein the service server is registered in advance to be transmitted to the mobile station the web credential server, when the mobile station requests to the web server when connected, the memory is updated in the mobile station previously registered certificate.
10.如权利要求7所述的方法,其特征在于,其中按照由所述移动台或所述web服务器进行的发送所述个人信息的所述请求的类属性,可选择地加密/解密所述数据。 10. The method according to claim 7, wherein, wherein the transmission attributes of the class in accordance performed by the mobile station or the web server requests the personal information, selectively encrypt / decrypt the data.
11.如权利要求7所述的方法,其特征在于,其中由所述移动台或所述web服务器进行的所述个人信息的所述加密/解密是按照Riverst-Shamier-Adleman(RSA)公共密钥算法RSA算法和SEED对称密钥算法实现的,所述SEED对称密钥算法是基于由韩国信息安全机构(KISA)开发的韩国数据加密标准的。 11. The method according to claim 7, wherein the encryption of the personal information which is performed by the mobile station or said web server / decryption in accordance Riverst-Shamier-Adleman (RSA) public cryptographic key algorithm RSA algorithm and a SEED symmetric key algorithm, said SEED symmetric key algorithm is based on a Korean data encryption standard Korea information security agency (KISA) is developed.
12.一种用于在具有移动台、业务服务器、与web服务器的移动互联网通信系统中的个人信息保密方法,其中,所述的web服务器用于产生安全密钥和公共密钥,所述的业务服务器位于web服务器与移动台之间,用于从web服务器接收公共密钥,其特征在于,所述的方法包括步骤:当移动台请求到web服务器的安全交易时,从业务服务器向移动台发送公共密钥;通过使用公共密钥,由移动台产生使用于安全交易中的会话密钥,通过使用所产生的会话密钥和公共密钥,来根据安全性加密个人信息,并通过业务服务器向web服务器发送加密的个人信息;以及通过web服务器,把通过业务服务器接收的、加密的个人信息解密到加密的会话密钥,并通过解密的会话密钥将个人信息进行解密。 12. A method for a mobile station having a service server, and the mobile communication system, Internet web server personal information security methods, wherein said web server for generating the security key and a public key, according to the service server is located between the web server and the mobile station, for receiving the public key from the web server, characterized in that the method comprises the step of: when the mobile station requests the web server to the secure transaction, from the service server to the mobile station transmitting the public key; by using the public key generated by the mobile station for use in secure transaction session key, by using the generated session key and a public key to encrypt the personal information based on the security, and the service server through the sends the encrypted personal information to the web server; and by a web server, received by the service server, the encrypted personal information to decrypt the encrypted session key, and decrypted by the session key to decrypt the personal information.
13.如权利要求12所述的方法,其特征在于,还包括如下步骤,由所述业务服务器在所述移动台和所述web服务器之间发送所述加密的个人信息,而不用由所述业务服务器进行另外的干涉。 13. The method according to claim 12, characterized in that, further comprising the step of transmitting the encrypted personal information between the mobile station and the web server, by the service server, rather than by the business server for additional intervention.
14.如权利要求12所述的方法,其特征在于,其中采用所述会话密钥进行的所述个人信息的所述加密/解密是按照Riverst-Shamier-Adleman(RSA)公共密钥算法RSA算法和SEED对称密钥算法实现的,所述SEED对称密钥算法是基于由韩国信息安全机构(KISA)开发的韩国数据加密标准的。 14. The method of claim 12, wherein, wherein the encrypted personal information using the session key / decryption in accordance Riverst-Shamier-Adleman (RSA) public key algorithm RSA algorithm and a SEED symmetric key algorithm, said SEED symmetric key algorithm is based on the Korea information security agency (KISA) developed the Korean data encryption standard.
15.一种用于在移动互联网通信系统中发送的数据的保密方法,这种类型的通信系统具有一web服务器、用于和所述web服务器交换数据的一个移动台、和与所述移动台和所述web服务器通信的一个代理业务服务器,其特征在于,该方法包括步骤:由所述移动台请求连接,以经所述业务服务器从所述web服务器接收电子数据;响应于所述移动台的所述请求,由所述web服务器产生一个公共密钥和一个保密密钥;由所述web服务器发送所述公共密钥给所述移动台,以在所述移动台中登记;由所述业务服务器发送一个新的凭证给所述移动台;由所述移动台决定在所述移动台中先前登记的凭证与从所述业务服务器接收的新的凭证是否是一样的;如果所述新的凭证与所述先前登记的凭证是一样的,则由所述移动台使用一个由从所述web服务器接收的所述公共密钥产生的会话 15. A method for transmitting confidential Internet in a mobile data communication system for this type of communication system having a web server, and the mobile station for a web server to exchange data with the mobile station, and and a proxy server of the web service communication server, wherein, the method comprising the steps of: by the mobile station requests a connection to the service server via the electronic data received from the web server; in response to the mobile station the request generated by the web server a public key and a secret key; and sending the public key of the web server to the mobile station to register the mobile station; by the service the server sends a new credential to the mobile station; determined by the mobile station in the mobile station previously registered certificate with the new certificate is received from the service server is the same; and if the new credential the previously registered credential is the same, by the mobile station to use a session generated by the public key received from the web server 钥来加密个人信息,和加密所述公共密钥,以产生一个对称密钥,和经所述业务服务器发送所述加密的个人信息和所述产生的对称密钥给所述web服务器;和由所述web服务器解密从所述移动台接收的所述对称密钥,以变换回到所述会话密钥,和使用所述变换的会话密钥和所述保密密钥,解密所述加密的个人信息。 Key to encrypt the personal information, and the public encryption key to produce a symmetric key, and through the service server sends the encrypted personal information and the generated symmetric key to the web server; and a from the web server decrypts the symmetric key received by the mobile station, converted back to the session key of the session key, and using the transformation and the secret key, decrypting the encrypted personal information.
16.如权利要求15所述的方法,其特征在于,还包括如下步骤,如果所述新的凭证和所述先前登记的凭证是不一样的,则由所述移动台从所述业务服务器请求所述新的凭证。 16. The method according to claim 15, characterized in that, further comprising the step of, if the new token and the previously registered credentials are not the same, by the mobile station requests service from the server the new credential.
17.如权利要求15所述的方法,其特征在于,还包括步骤,由所述web服务器使用从所述移动台接收的所述对称密钥加密发送给所述移动台的数据;发送所述加密数据给所述移动台,和,由移动台使用先前发送给所述web服务器的所述对称密钥,解密从所述web服务器接收的所述加密的数据。 17. The method according to claim 15, characterized in that, further comprising the step of, by the use of the web server receives from the mobile station to the symmetric key encryption of the data transmitted to the mobile station; transmitting said the encrypted data to the mobile station, and used by the mobile station previously transmitted to the web server of the symmetric key, decrypting the encrypted web server from the received data.
18.如权利要求15所述的方法,其特征在于,其中采用所述会话密钥进行的所述个人信息的所述加密/解密是按照Riverst-Shamier-Adleman(RSA)公共密钥算法RSA算法和SEED对称密钥算法实现的,所述SEED对称密钥算法是基于由韩国信息安全机构(KISA)开发的韩国数据加密标准的。 18. The method according to claim 15, wherein, wherein the encrypted personal information using the session key / decryption in accordance Riverst-Shamier-Adleman (RSA) public key algorithm RSA algorithm and a SEED symmetric key algorithm, said SEED symmetric key algorithm is based on the Korea information security agency (KISA) developed the Korean data encryption standard.
CNB008012245A 1999-06-29 2000-06-29 Apparatus for securing user's information in mobile communication system connected to internet and method thereof CN1148035C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1019990025510A KR20010004791A (en) 1999-06-29 1999-06-29 Apparatus for securing user's informaton and method thereof in mobile communication system connecting with internet

Publications (2)

Publication Number Publication Date
CN1316147A CN1316147A (en) 2001-10-03
CN1148035C true CN1148035C (en) 2004-04-28

Family

ID=19597296

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB008012245A CN1148035C (en) 1999-06-29 2000-06-29 Apparatus for securing user's information in mobile communication system connected to internet and method thereof

Country Status (8)

Country Link
EP (1) EP1101331A4 (en)
JP (1) JP2003503901A (en)
KR (1) KR20010004791A (en)
CN (1) CN1148035C (en)
BR (1) BR0006860A (en)
IL (1) IL141692D0 (en)
TR (1) TR200100592T1 (en)
WO (1) WO2001001644A1 (en)

Families Citing this family (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6893851B2 (en) 2000-11-08 2005-05-17 Surface Logix, Inc. Method for arraying biomolecules and for monitoring cell motility in real-time
US6864065B2 (en) 2000-11-08 2005-03-08 Surface Logix, Inc. Assays for monitoring cell motility in real-time
US7033821B2 (en) 2000-11-08 2006-04-25 Surface Logix, Inc. Device for monitoring cell motility in real-time
US7033819B2 (en) 2000-11-08 2006-04-25 Surface Logix, Inc. System for monitoring cell motility in real-time
JP3593979B2 (en) * 2001-01-11 2004-11-24 富士ゼロックス株式会社 Server and client as well as service providing method involving the authorization control and access privilege proving methods
WO2002076127A1 (en) * 2001-03-16 2002-09-26 Qualcomm Incorporated Method and apparatus for providing secure processing and data storage for a wireless communication device
EP1410296A2 (en) 2001-06-12 2004-04-21 Research In Motion Limited Method for processing encoded messages for exchange with a mobile data communication device
IL159341D0 (en) 2001-06-12 2004-06-01 Research In Motion Ltd System and method for compressing secure e-mail for exchange with a mobile data communication device
JP2004532590A (en) 2001-06-12 2004-10-21 リサーチ イン モーション リミテッドResearch In Motion Limited The system and method of the management and transmission of certificate
JP4552366B2 (en) * 2001-07-09 2010-09-29 日本電気株式会社 Mobile portable terminal, position search system, position search method and program thereof
CA2454218C (en) 2001-07-10 2013-01-15 Research In Motion Limited System and method for secure message key caching in a mobile communication device
CN1138366C (en) * 2001-07-12 2004-02-11 华为技术有限公司 Network structure suitable for encryption at terminals of mobile communication system and its implementation method
CN101232504B (en) 2001-08-06 2012-09-19 捷讯研究有限公司 System and method for processing encoded messages
US20030161472A1 (en) * 2002-02-27 2003-08-28 Tong Chi Hung Server-assisted public-key cryptographic method
CN1191696C (en) * 2002-11-06 2005-03-02 西安西电捷通无线网络通信有限公司 Sefe access of movable terminal in radio local area network an secrete data communication method in radio link
TW200423677A (en) * 2003-04-01 2004-11-01 Matsushita Electric Ind Co Ltd Communication apparatus and authentication apparatus
JP4576210B2 (en) * 2003-12-16 2010-11-04 株式会社リコー Certificate transfer device, certificate transfer system, certificate transfer method, program, and recording medium
US9094429B2 (en) 2004-08-10 2015-07-28 Blackberry Limited Server verification of secure electronic messages
EP1894411A1 (en) * 2005-06-23 2008-03-05 Thomson Licensing Multi-media access device registration system and method
CN101052034A (en) * 2006-04-19 2007-10-10 华为技术有限公司 Method and system for transmitting network event journal protocol message
US7814161B2 (en) 2006-06-23 2010-10-12 Research In Motion Limited System and method for handling electronic mail mismatches
JP2008028868A (en) * 2006-07-24 2008-02-07 Nomura Research Institute Ltd Communication proxy system and communication proxy device
KR100867130B1 (en) 2007-02-23 2008-11-06 (주)코리아센터닷컴 System and method of transmitting/receiving security data
WO2008103000A1 (en) * 2007-02-23 2008-08-28 Koreacenter Co., Ltd System and method of transmitting/receiving security data
SG147345A1 (en) * 2007-05-03 2008-11-28 Ezypay Pte Ltd System and method for secured data transfer over a network from a mobile device
CN101052001B (en) 2007-05-16 2012-04-18 杭州看吧科技有限公司 System and method for P2P network information safety sharing
US8638941B2 (en) * 2008-05-15 2014-01-28 Red Hat, Inc. Distributing keypairs between network appliances, servers, and other network assets
US8375211B2 (en) 2009-04-21 2013-02-12 International Business Machines Corporation Optimization of signing soap body element
CN103716349A (en) * 2012-09-29 2014-04-09 西门子公司 Medical image file transmission system, medical image file transmission method and server
JP2014143568A (en) * 2013-01-24 2014-08-07 Canon Inc Authentication system and authenticator conversion apparatus
JP2014161043A (en) * 2014-04-01 2014-09-04 Thomson Licensing Multimedia access device registration system and method
CN104539654A (en) * 2014-12-05 2015-04-22 江苏大学 Personal data filling system solving method based on privacy protection

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5325419A (en) * 1993-01-04 1994-06-28 Ameritech Corporation Wireless digital personal communications system having voice/data/image two-way calling and intercell hand-off
US5455863A (en) * 1993-06-29 1995-10-03 Motorola, Inc. Method and apparatus for efficient real-time authentication and encryption in a communication system
US5371794A (en) * 1993-11-02 1994-12-06 Sun Microsystems, Inc. Method and apparatus for privacy and authentication in wireless networks
US6009173A (en) * 1997-01-31 1999-12-28 Motorola, Inc. Encryption and decryption method and apparatus
FI113119B (en) * 1997-09-15 2004-02-27 Nokia Corp Method to protect a communication network transmissions
WO1999019822A2 (en) * 1997-10-14 1999-04-22 Microsoft Corporation System and method for discovering compromised security devices
FI105253B (en) * 1997-11-11 2000-06-30 Sonera Oyj The seed generation
FI974341A (en) * 1997-11-26 1999-05-27 Nokia Telecommunications Oy Data Connection Data Protection

Also Published As

Publication number Publication date
BR0006860A (en) 2001-07-10
CN1316147A (en) 2001-10-03
IL141692D0 (en) 2002-03-10
JP2003503901A (en) 2003-01-28
EP1101331A4 (en) 2005-07-06
WO2001001644A1 (en) 2001-01-04
KR20010004791A (en) 2001-01-15
TR200100592T1 (en) 2001-07-23
EP1101331A1 (en) 2001-05-23

Similar Documents

Publication Publication Date Title
Park et al. Secure cookies on the Web
DE60211841T2 (en) Device for updating and revoking the validity of a trade mark in a public-key infrastructure
US5995624A (en) Bilateral authentication and information encryption token system and method
EP1697818B1 (en) Authentication system for networked computer applications
KR100986441B1 (en) Session key security protocol
US8185938B2 (en) Method and system for network single-sign-on using a public key certificate and an associated attribute certificate
US5761311A (en) Blind encryption
DE60314402T2 (en) System and method for storing and receiving cryptographic secrets from different custom end users in a network
US7702916B2 (en) Method and system for secure authentication
US7231526B2 (en) System and method for validating a network session
US7961884B2 (en) Method and system for changing security information in a computer network
US6421768B1 (en) Method and system for authentication and single sign on using cryptographically assured cookies in a distributed computer environment
US5774552A (en) Method and apparatus for retrieving X.509 certificates from an X.500 directory
CN102111274B (en) A platform and method for establishing provable identities while maintaining privacy
EP1391073B1 (en) Method and system for increasing security of a secure connection
US8059818B2 (en) Accessing protected data on network storage from multiple devices
JP4625234B2 (en) User certificate / private key assignment in token-enabled public key infrastructure system
CN1708942B (en) Secure implementation and utilization of device-specific security data
EP1714422B1 (en) Establishing a secure context for communicating messages between computer systems
JP3605501B2 (en) Communication system, a message processing method and a computer system
US7293176B2 (en) Strong mutual authentication of devices
CN1147148C (en) Conditional access system for set-top boxes
US6189096B1 (en) User authentification using a virtual private key
CN1871810B (en) Authentication system, and remotely distributed storage system
CN101416467B (en) Kem-dem encrypted electronic data communication systems

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model
REG Reference to a national code

Ref country code: HK

Ref legal event code: WD

Ref document number: 1037072

Country of ref document: HK

C19 Lapse of patent right due to non-payment of the annual fee