CN115361683B - Service access method, SIM card, server and service platform - Google Patents


Info

Publication number: CN115361683B (application number CN202210998430.1A)
Authority: CN (China)
Prior art keywords: authentication information; desensitization; service; sim card; dynamic
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115361683A (en)
Inventors: 郝兵兵, 庄严, 杨汉坤, 蒋周良, 熊伟, 余玫佳, 徐晏杰, 吕宁
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Internet Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Internet Co Ltd
Events: application filed by China Mobile Communications Group Co Ltd and China Mobile Internet Co Ltd; priority to CN202210998430.1A; publication of CN115361683A; application granted; publication of CN115361683B; legal status active (current); anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/72 Subscriber identity
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a service access method, a SIM card, a server and a service platform. The method comprises the following steps: after the terminal equipment responds to a service request of a target service sent by a service platform, the SIM card acquires authentication information provided by the terminal equipment, wherein the authentication information comprises user authentication information and/or equipment authentication information; the SIM card generates an electronic pass containing the communication number stored by the SIM card and the authentication information; the SIM card calls a browser of the terminal equipment to initiate a page access request to the server of the browser based on the URL of the target service stored by the SIM card; the server acquires corresponding legal authentication information from the service platform based on the communication number in the electronic pass, verifies the authentication information of the electronic pass against the legal authentication information, and after verification passes creates a page link of the URL for the browser of the terminal equipment, the page corresponding to the page link being used for processing the service request.

Description

Service access method, SIM card, server and service platform
Technical Field
The present document relates to the field of internet interaction technologies, and in particular, to a service access method, a SIM card, a server, and a service platform.
Background
H5 refers to HTML5, the fifth version of the HyperText Markup Language (HTML) used on the internet. Unlike a traditional web site made of a large number of pages, an H5 site has a single page that scrolls from top to bottom, which makes it better suited to promotion on mobile terminals.
Since the birth of mobile networks, mobile phone terminals have mainly been used for making calls and sending short messages, and SIM cards have only provided basic functions such as communication and network access authentication. With the popularity of 5G technology, mobile operators have introduced the concept of the super SIM card. One capability of the super SIM card is to provide authentication services for the user. For the scenario in which a mobile terminal browses H5 pages, how to realize safe and convenient page access authentication in a browser based on the SIM card is a technical problem that currently needs to be solved.
Disclosure of Invention
The invention aims to provide a service access method, a SIM card, a server and a service platform, which can realize safe and convenient page access authentication in a browser of a terminal device based on the SIM card of the terminal device.
In order to achieve the above object, embodiments of the present invention are realized as follows:
In a first aspect, a service access method is provided, applied to a SIM card of a terminal device, including:
After the terminal equipment executes response operation on a service request of a target service sent by a service platform, acquiring authentication information provided by the terminal equipment, wherein the authentication information comprises user authentication information and/or equipment authentication information;
generating an electronic certificate containing the communication number stored by the SIM card and the authentication information;
calling a browser of the terminal equipment to initiate a page access request to a server corresponding to the URL based on the URL of the target service stored by the SIM card; the page access request carries the electronic pass, the communication number of the electronic pass is used for the server to acquire corresponding legal authentication information from the service platform so as to verify the authentication information of the electronic pass based on the legal authentication information, the server creates a page link of the URL for the terminal equipment after verification is passed, and a page corresponding to the page link is used for processing the service request.
In a second aspect, a service access method is provided, applied to a server of a browser, including:
receiving a page access request sent by terminal equipment, wherein the page access request is initiated by a SIM card of the terminal equipment based on a URL (uniform resource locator) of a target service stored by the SIM card after the terminal equipment responds to the service request of the target service sent by a service platform, and the page access request carries an electronic pass which is generated by the SIM card and comprises a communication number stored by the SIM card and an authentication information code stored by the terminal equipment;
Acquiring corresponding legal authentication information from the service platform based on the communication number of the electronic pass, so as to verify the authentication information of the electronic pass based on the legal authentication information;
after the authentication information passes the verification, creating a page link of the URL for a browser of the terminal equipment; and the page corresponding to the page link is used for processing the service request.
In a third aspect, a service access method is provided, applied to a service platform, and includes:
sending a service request of a target service to terminal equipment; after the SIM card of the terminal equipment responds to a service request of a target service sent by a service platform, acquiring authentication information provided by the terminal equipment, and generating an electronic certificate containing a communication number stored by the SIM card and an authentication information code, so as to call a browser of the terminal equipment to initiate a page access request to a server of the browser based on the URL of the target service stored by the SIM card, wherein the page access request carries the electronic certificate;
receiving a communication number in the electronic certificate sent by the server based on the service access request, searching corresponding legal authentication information based on the communication number, and sending the legal authentication information to the server; the server is used for verifying the authentication information of the electronic certificate, and after the verification is passed, the server creates a page link of the URL for a browser of the terminal device, and a page corresponding to the page link is used for processing the service request.
In a fourth aspect, there is provided a SIM card of a terminal device, including:
the authentication information acquisition module is used for acquiring authentication information provided by the terminal equipment after the terminal equipment performs response operation on a service request of a target service sent by a service platform, wherein the authentication information comprises user authentication information and/or equipment authentication information;
the electronic pass generation module is used for generating an electronic pass containing the communication number stored by the SIM card and the authentication information;
the page access module is used for calling the browser of the terminal equipment to initiate a page access request to a server corresponding to the URL based on the URL of the target service stored by the SIM card; the page access request carries the electronic pass, the communication number of the electronic pass is used for the server to acquire corresponding legal authentication information from the service platform so as to verify the authentication information of the electronic pass based on the legal authentication information, the server creates a page link of the URL for the terminal equipment after verification is passed, and a page corresponding to the page link is used for processing the service request.
In a fifth aspect, there is provided a server of a browser, including:
The page access receiving module is used for receiving a page access request sent by the terminal equipment, wherein the page access request is initiated by a SIM card of the terminal equipment based on a URL (uniform resource locator) of a target service stored by the SIM card after the terminal equipment responds to the service request of the target service sent by the service platform, and the page access request carries an electronic pass card which is generated by the SIM card and comprises a communication number stored by the SIM card and an authentication information code stored by the terminal equipment;
the authentication information verification module is used for acquiring corresponding legal authentication information from the service platform based on the communication number of the electronic certificate so as to verify the authentication information of the electronic certificate based on the legal authentication information;
the page link creation module is used for creating the page link of the URL for the browser of the terminal equipment after the authentication information passes the verification; and the page corresponding to the page link is used for processing the service request.
In a sixth aspect, a service platform is provided, including:
the service request module is used for sending a service request of a target service to the terminal equipment; after the SIM card of the terminal equipment responds to a service request of a target service sent by a service platform, acquiring authentication information provided by the terminal equipment, and generating an electronic certificate containing a communication number stored by the SIM card and an authentication information code, so as to call a browser of the terminal equipment to initiate a page access request to a server of the browser based on the URL of the target service stored by the SIM card, wherein the page access request carries the electronic certificate;
The authentication information providing module is used for receiving the communication number in the electronic certificate sent by the server based on the service access request, searching corresponding legal authentication information based on the communication number, and sending the legal authentication information to the server; the server is used for verifying the authentication information of the electronic certificate, and after the verification is passed, the server creates a page link of the URL for a browser of the terminal device, and a page corresponding to the page link is used for processing the service request.
In the scheme of the embodiment of the invention, when the service platform needs the target user to process a service, the service platform sends a service request through a communication channel according to the communication number (such as the mobile phone number) of the target user, and the service request requires the target user to log in to a browser page (such as an H5 page) to process the service. Correspondingly, after receiving the service request, the terminal device into which the SIM card of that communication number is inserted can decide whether to respond to the service request according to the user's operation. Once the service request is responded to, it triggers the SIM card to acquire authentication information from the terminal device, and the SIM card invokes the browser of the terminal device and initiates a page access request carrying the authentication information to the server of the page to be accessed, using the SIM card number as the account. After receiving the page access request, the server checks the authentication information in it through the service platform; if the check succeeds, the terminal device into which the SIM card is inserted is legitimate, that is, the SIM card has not been stolen, and a page link with the SIM card number as the account is created for the terminal device so that its user can process the service request of the service platform. In the whole process the user does not need to log in to an account manually when accessing the page, which reflects the ability of the SIM card to provide identity authentication automatically; at the same time, when the SIM card initiates the page access request, authentication information is acquired from the terminal device for verification by the server, so that access with a stolen SIM card is prevented and security is ensured.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art.
Fig. 1 is a schematic flow chart of a service access method according to an embodiment of the present invention.
Fig. 2 is a schematic flow chart of a second service access method according to an embodiment of the present invention.
Fig. 3 is a schematic structural diagram of a SIM card according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a server according to an embodiment of the present invention.
Fig. 5 is a schematic structural diagram of a service platform according to an embodiment of the present invention.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the technical solution in the present specification better understood by those skilled in the art, the technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present specification, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.
Super SIM cards are a SIM card upgrade developed by mobile operators for 5G networks. One capability of the super SIM card is to provide authentication services for the user. For the application scenario of a terminal logging in to an H5 page (though not limited to H5 pages), how to realize quick page access authentication in a browser based on the SIM card is a technical problem that currently needs to be solved.
In the current design of SIM card-based page access authentication, the problem facing developers is that once someone else obtains the user's SIM card, they can impersonate the user's identity to access pages and perform business operations. Security is therefore a primary consideration for the scheme. The invention accordingly aims to provide a technical scheme that realizes page access authentication in a browser based on a SIM card on the premise of ensuring security.
Specifically, the embodiment of the invention provides a service access method, which relates to three execution entities of a service platform, a SIM card of terminal equipment and a server.
Fig. 1 is a schematic flow chart of a service access method applied to a SIM card of a terminal device according to an embodiment of the present invention, including the following steps:
S102, the service platform sends a service request of a target service to the terminal device.
In the embodiment of the invention, the service request is initiated by the service platform aiming at the target user. The target user is a registered user of the service platform, and the service platform locally stores the communication number and legal authentication information of the target user.
The legal authentication information comprises user authentication information of a target user and/or equipment authentication information of common terminal equipment. The user authentication information may be, but is not limited to, biometric information such as fingerprint information, face information, iris information, etc.; the device authentication information may be, but is not limited to, a unique identification of the terminal device, such as an IP address, an international mobile equipment identity (International Mobile Equipment Identity, IMEI), etc.
In this step, the service platform sends the service request through a communication channel according to the communication number of the target user. For example, the service platform may use a 5G SMS message to send the service request to the mobile phone number of the target user.
S104, after the terminal equipment executes response operation to the service request of the target service sent by the service platform, the SIM card acquires authentication information provided by the terminal equipment, wherein the authentication information comprises user authentication information and/or equipment authentication information.
The SIM card in this step refers to the SIM card of the target user communication number. If the target user's SIM card is stolen, the terminal device into which the SIM card is inserted is not the usual terminal device of the target user. In general, if the SIM card is stolen, the authentication information obtained from the terminal device in this step is not legal authentication information stored by the service platform for the target user, and may be checked by the server in a subsequent step.
For some extreme cases, for example where, after the SIM card is stolen, the thief also obtains the user authentication information of the target user and modifies the IP address of the terminal device to that of the target user, the SIM card can guard against this in this step in the following ways:
1) The SIM card performs a validity check on the system of the terminal device based on a system check program stored in the SIM card, to identify whether the system of the terminal device could falsify device authentication information such as the IP or IMEI; for example, if the SIM card finds that the terminal device is not running a legitimate system, the response to the service request is ignored.
2) The SIM card invokes the terminal device to perform identity verification (a liveness check) based on the user authentication information acquired from the terminal device. Taking fingerprint information as an example, after the SIM card acquires the user's fingerprint information from the terminal device, it can call the terminal device to perform identity verification based on that fingerprint information; if the verification fails, the fingerprint of the person using the terminal device does not necessarily match the fingerprint information the terminal device provided to the SIM card, and the SIM card can ignore the response to the service request.
In addition, the SIM card can also check the service request sent by the service platform to ensure that its source is reliable. For example, the service request sent by the service platform needs to carry information for verification by the SIM card, such as a timestamp and a message authentication code. Correspondingly, after the service request is responded to, the SIM card verifies the timestamp, message authentication code and so on in the service request based on its internally stored service request verification program; likewise, if the verification does not pass, the SIM card ignores the response to the service request.
S106, the SIM card generates an electronic pass containing the communication number stored by the SIM card and the authentication information.
In the embodiment of the invention, the electronic pass refers to the token that must be carried in a page access request initiated by the browser. In the HTTP protocol, the server accessed by the browser determines the identity of the user through a token. Because the invention realizes identity authentication for web page access based on the SIM card, the communication number of the SIM card is used as the user identity and packaged into the electronic pass.
S108, the SIM card calls a browser of the terminal equipment to initiate a page access request to a server corresponding to the URL based on the URL of the target service stored by the SIM card, wherein the page access request carries an electronic certificate.
In the embodiment of the invention, the SIM card can call the browser of the terminal equipment to initiate a page access request to the server corresponding to the URL based on the URL with legal target service stored in the SIM card so as to avoid user operation, thereby simplifying user operation and avoiding the browser from accessing illegal pages.
S110, the server acquires corresponding legal authentication information from the service platform based on the communication number of the electronic pass, so as to verify the authentication information of the electronic pass based on the legal authentication information.
In the embodiment of the invention, the service platform grants the server the right to query the legal authentication information of users. When the server receives the page access request, it can send the communication number in the electronic pass to the service platform. Correspondingly, the service platform searches its local store for the legal authentication information of the target user based on the communication number provided by the server and sends that legal authentication information to the server.
The server receives the legal authentication information and checks whether the authentication information in the electronic pass matches it; if it matches, the authentication information passes verification, and if it does not match, the authentication information fails verification.
S112, after the authentication information passes verification, the server creates a page link of the URL for a browser of the terminal equipment; the page corresponding to the page link is used for processing the service request.
It should be understood that after the page link has been created, the user of the terminal device can open the web interface of the target service through the browser of the terminal device, so as to process the service request issued by the service platform through the browser.
In addition, in the embodiment of the invention, if the authentication information in the electronic certificate does not pass the verification, the server can intercept the page access request so as to avoid creating a page link for the browser of the terminal equipment.
Based on the method of the embodiment of the invention, when the service platform needs the target user to process a service, the service platform sends a service request through a communication channel according to the communication number (such as the mobile phone number) of the target user, and the service request requires the target user to log in to a browser page (such as an H5 page) to process the service. Correspondingly, after receiving the service request, the terminal device into which the SIM card of that communication number is inserted can decide whether to respond to the service request according to the user's operation. Once the service request is responded to, it triggers the SIM card to acquire authentication information from the terminal device, and the SIM card invokes the browser of the terminal device and initiates a page access request carrying the authentication information to the server of the page to be accessed, using the SIM card number as the account. After receiving the page access request, the server checks the authentication information in it through the service platform; if the check succeeds, the terminal device into which the SIM card is inserted is legitimate, that is, the SIM card has not been stolen, and a page link with the SIM card number as the account is created for the terminal device so that its user can process the service request of the service platform. In the whole process the user does not need to log in to an account manually when accessing the page, which reflects the ability of the SIM card to provide identity authentication automatically; at the same time, when the SIM card initiates the page access request, authentication information is acquired from the terminal device for verification by the server, so that access with a stolen SIM card is prevented and security is ensured.
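The S102 to S112 exchange described above, simulated in Python as an added example that is not part of the patent: a service platform, a SIM card on a terminal and the browser server exchange messages in-process. The service request carries a timestamp and a message authentication code that the SIM card checks before responding, as the text suggests, and the electronic pass carries the authentication information in the clear, as the base scheme describes. The shared key, the freshness window, the sample user record and the session-link format are constructed assumptions; the URL is the one given on the page.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# All keys, numbers and sample users below are constructed for this example.
SHARED_KEY = b"demo-key-preagreed-between-platform-and-sim"  # constructed
TARGET_URL = "https://test.cmccsim.com/cmp"                   # URL given on the page
SERVICE_ID = "01"
MAX_AGE_S = 300  # freshness window for the service request timestamp (assumed)


def mac(parts, key=SHARED_KEY):
    """Message authentication code over the service request fields (HMAC-SHA256)."""
    msg = "|".join(str(p) for p in parts).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Terminal:
    """The handset: supplies user (fingerprint) and device (IP) authentication info."""
    fingerprint: str
    ip: str

    def auth_info(self):
        return {"fingerprint": self.fingerprint, "ip": self.ip}


class ServicePlatform:
    def __init__(self):
        # communication number -> legal authentication information (constructed sample)
        self.users = {"13800000001": {"fingerprint": "fp-alice", "ip": "10.0.0.5"}}

    def send_service_request(self, number, now=None):
        """S102: service request to the target number, carrying a timestamp and a MAC."""
        ts = int(now if now is not None else time.time())
        req = {"number": number, "service_id": SERVICE_ID,
               "request_id": secrets.token_hex(4), "timestamp": ts}
        req["mac"] = mac([req["number"], req["service_id"], req["request_id"], ts])
        return req

    def legal_auth_info(self, number):
        """Query opened to the browser server: legal authentication info for a number."""
        return self.users.get(number)


@dataclass
class SimCard:
    number: str
    url: str = TARGET_URL  # legal URL of the target service stored in the card

    def verify_request(self, req, now=None):
        """Source check: recompute the MAC and reject stale timestamps."""
        now = now if now is not None else time.time()
        expected = mac([req["number"], req["service_id"], req["request_id"], req["timestamp"]])
        fresh = abs(now - req["timestamp"]) <= MAX_AGE_S
        return fresh and hmac.compare_digest(expected, req["mac"])

    def respond(self, req, terminal, now=None):
        """S104-S108: after the user responds, build the electronic pass and the page
        access request the browser will send. Returns None if the request is ignored."""
        if req["number"] != self.number or not self.verify_request(req, now):
            return None
        electronic_pass = {"number": self.number,
                           "request_id": req["request_id"],
                           "auth_info": terminal.auth_info()}
        return {"url": self.url, "pass": electronic_pass}


class BrowserServer:
    def __init__(self, platform):
        self.platform = platform

    def handle(self, page_access_request):
        """S110-S112: verify the pass against the platform, then create the page link."""
        p = page_access_request["pass"]
        legal = self.platform.legal_auth_info(p["number"])
        if legal is None or legal != p["auth_info"]:
            return None  # intercept: no page link for a mismatched or unknown pass
        session = secrets.token_urlsafe(16)
        return f"{page_access_request['url']}?account={p['number']}&session={session}"


def run_flow(terminal, sim, now=None):
    """Drive one full exchange; returns the created page link, or None if rejected."""
    platform = ServicePlatform()
    server = BrowserServer(platform)
    req = platform.send_service_request(sim.number, now)
    page_req = sim.respond(req, terminal, now)
    if page_req is None:
        return None
    return server.handle(page_req)


if __name__ == "__main__":
    print(run_flow(Terminal("fp-alice", "10.0.0.5"), SimCard("13800000001")))   # link
    print(run_flow(Terminal("fp-mallory", "192.168.1.9"), SimCard("13800000001")))  # None
```

The second call models the stolen-SIM case from S104: the card is genuine, but the terminal it sits in supplies authentication information that does not match the platform's record, so the server creates no link.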
Further, the authentication information of the terminal device is highly sensitive data, and its exposure to third parties during transmission should be avoided. Therefore, the embodiment can also introduce a dynamic code to salt the authentication information in the electronic pass, so that the authentication information carried by each batch of page access requests is not protected by fixed encryption logic, and the authentication information of the terminal device cannot be recovered if a page access request is intercepted.
The verification scheme for implementing authentication information based on dynamic codes is described below.
Specifically, in the embodiment of the present invention, each service request sent by the service platform has a service request identifier, and the dynamic code may be calculated based on the service request identifier. In this way, page access requests initiated on a per-batch basis provide authentication information for different encryption logic. The dynamic code may be a SIM card provided to the terminal device through the service request after the service platform calculates the dynamic code, or a dynamic code generation algorithm pre-agreed with the service platform may be stored in the SIM card, so that the same dynamic code is calculated and used for each batch of service requests.
In the step S106, the SIM card performs preprocessing on the communication number, the service request identifier and the dynamic code stored in the SIM card based on the preprocessing logic pre-agreed with the service platform, so as to obtain dynamic disturbance information; then, the dynamic disturbance information is used as an initial vector of a Cipher Block Chain (CBC) mode, encryption of the Cipher block chain mode is carried out on the dynamic disturbance information based on a key pre-agreed with a service platform, and a dynamic key corresponding to dynamic encryption logic is obtained; the colleague also performs desensitization processing on the authentication information based on desensitization logic pre-agreed with the service platform to obtain desensitization authentication information, and performs reverse encryption of the password block chain mode on the desensitization authentication information based on the dynamic key by taking the dynamic disturbance information as an initial vector of the password block chain mode to obtain ciphertext desensitization authentication information. Finally, the SIM card generates an electronic certificate containing the communication number, the service request identifier and the ciphertext desensitization authentication information.
Correspondingly, in the above S110, the server obtains the corresponding dynamic key and legal authentication information from the service platform based on the communication number of the electronic certificate and the service request identifier. The legal authentication information is specifically legal desensitization authentication information, and the generation principle is the same as that of the desensitization authentication information. After receiving a communication number and a service request identifier in an electronic certificate sent by a server based on a service access request, the service platform firstly searches a corresponding dynamic code based on the service request identifier and searches legal authentication information corresponding to a target user based on the communication number; then, the service platform performs desensitization processing on the legal authentication information based on preset desensitization logic with the SIM card to obtain the legal desensitization authentication information; and sends the legal desensitization authentication information to the server. Correspondingly, after receiving legal desensitization authentication information, the server can take the ciphertext desensitization authentication information as an initial vector of a password block chain mode, and perform password block chain mode reverse decryption on the ciphertext desensitization authentication information based on a dynamic key to obtain desensitization authentication information; and then verifying the desensitization authentication information based on the legal desensitization authentication information.
As can be seen from S106 and S110, the authentication information the server obtains from both sides, the terminal device and the service platform, is a desensitized result, so the authentication information is never exposed to the server, which further suppresses the possibility of it being misused by the server or leaked from it.
The service method of the embodiment is described in detail below in conjunction with an actual application scenario.
In this application scenario, the service platform issues a service request over the signalling channel of the SIM card, which drives the user's mobile phone terminal to open a browser H5 page on which the service request is processed.
1. Preparation stage
After the target user activates the target service provided by the service platform through the SIM card, the key pre-agreed with the service platform, the service identifier of the target service and the legal URL of the target service are written into the SIM card.
By way of example, the information that the SIM card needs to store is as follows:
SM4 key: 11111111111111111111111111111111;
service identification of the target service: 01;
URL of target service: https://test.cmccsim.com/cmp.
In addition, after the target user activates the target service through the SIM card, the SIM card also calls the target user's mobile phone terminal to acquire the target user's fingerprint information and the mobile phone terminal IP, computes the hash value of the fingerprint information and the ASCII code of the mobile phone terminal IP, and uploads both values to the service platform for storage. The ASCII code value of the mobile phone terminal IP that the service platform keeps for the target user is defined as the ASCII code value of the target user's usual mobile phone terminal IP.
2. Application phase
When the target user is required to process the target service, the service platform sends a service request to the target user's mobile phone number by short message. The service request carries the service identifier of the target service, a service request identifier and a dynamic code.
As an example, the service request carries information as follows:
service identification: 01;
dynamic code: 22222222222222222222222222222222;
service request identification: A734058C7653DEF0.
After receiving the short message carrying the service request, the mobile phone terminal in which the target user's SIM card is inserted can respond to the service request based on the current user's operation, for example by tapping the option in the short message to process the service request.
After the service request is responded to, the SIM card first checks the service request; when the check passes, the mobile phone terminal acquires the current user's fingerprint information and the mobile phone terminal IP. Here, to raise the security level, the fingerprint information may be acquired by having the SIM card call the mobile phone terminal.
The SIM card then encapsulates its own mobile phone number, the service request identifier of the service request and the ciphertext result of "hash value of the current user's fingerprint information + code of the mobile phone terminal IP", obtaining the electronic certificate (token).
The flow of obtaining the ciphertext result is as follows:
The SIM card hashes the acquired fingerprint information of the current user to obtain the hash value of the fingerprint information, and encodes the acquired mobile phone terminal IP to obtain the ASCII code of the mobile phone terminal IP.
Specifically, this application scenario uses a 16-byte dynamic code, and the hash value of the fingerprint information and the ASCII code of the mobile phone terminal IP are encrypted into a ciphertext result. If the hash value of the fingerprint information or the ASCII code of the mobile phone terminal IP is shorter than 16 bytes, each is padded to 16 bytes with special characters.
The SIM card first converts the 16-byte dynamic code into 16-byte dynamic disturbance information. The conversion rule, per the preprocessing logic pre-agreed with the service platform, is that the bytes at a first preset position in the dynamic code are replaced by the coding result of the mobile phone number, and the bytes at a second preset position are replaced by the coding result of the service request identifier. For example: bytes 3 to 4 of the dynamic code are replaced by the BCD code of the last 4 digits of the mobile phone number, and bytes 11 to 12 by the leftmost 2 bytes of the service request identifier. The dynamic disturbance information is then used as the CBC initialization vector, and the converted dynamic disturbance information is CBC-encrypted under the internal key to obtain the dynamic key.
Then the SIM card performs CBC inverse encryption of the padded ASCII code of the terminal IP and the hash value of the fingerprint information using the dynamic key, obtaining the ciphertext result of "hash value of the current user's fingerprint information + code of the mobile phone terminal IP".
As an example:
mobile phone number of SIM card: 1361351221;
service request identification in service request: A734058C7653DEF0;
converted dynamic code: 22221221222222222222A73422222222;
dynamic key: D9E66AD8C1B369D3BA1AFF8629454EAC;
mobile phone terminal IP: 223.104.67.42;
ASCII coding of mobile phone terminal IP: 3232332E3130342E36372E3432;
ASCII coding of the padded terminal IP: 3232332E3130342E36372E3432000000;
fingerprint information: (omitted);
hash value of the fingerprint information: DBCB4FEB;
hash value of the padded fingerprint information: DBCB4FEB000000000000000000000000;
ciphertext result before reversal: 5B3444B8D4B9428F875DDD297917DB863B612E5B7AC311A8E6773466D4A3C650;
ciphertext result after reversal: A4CBBB472B46BD7078A222D686E82479C49ED1A4853CEE571988CB992B5C39AF;
finally generated token: 1361351221A734058C7653DEF0A4CBBB472B46BD7078A222D686E82479C49ED1A4853CEE571988CB992B5C39AF.
After the SIM card generates the electronic certificate (token), it calls the mobile phone terminal to open the H5 page in the browser using the URL stored for the target service.
In this application scenario, when the mobile phone terminal opens the browser it may prompt the current user whether to access the H5 page; if the user confirms, the browser sends a page access request to the corresponding server based on the URL provided by the SIM card.
Alternatively, the token may be embedded in the URL of the target service and thereby provided to the server.
As an example:
URL of target service: https://test.cmccsim.com/cmp;
URL with embedded token: https://test.cmccsim.com/cmp/?t=1361351221A734058C7653DEF0A4CBBB472B46BD7078A222D686E82479C49ED1A4853CEE571988CB992B5C39AF.
After receiving the page access request, the server queries the service platform, by the mobile phone number and service request identifier in the token, for the dynamic code, the hash value of the target user's fingerprint information and the usual mobile phone terminal IP; it converts the dynamic code into the dynamic key in the manner described above and performs inverse decryption of the ciphertext result in the token under the dynamic key, obtaining in plaintext the hash value of the current user's fingerprint information and the mobile phone terminal IP;
then the server checks the hash value of the fingerprint information and the mobile phone terminal IP obtained from the token against the hash value of the target user's fingerprint information and the usual mobile phone terminal IP.
If the verification is passed, the server establishes a page link of the URL for the mobile phone terminal based on the service request. If the verification is not passed, the server intercepts the page access request.
It can be seen that in this application scenario the mobile phone terminal encrypts the mobile phone terminal IP and the current user's fingerprint information with a different dynamic key for each service request issued by the service platform, so that each encryption result follows different encryption logic, and even if page access requests are intercepted over a long period no pattern can be found and cracked. In addition, the mobile phone terminal IP and fingerprint information sent by the terminal device and by the service platform are desensitized by a hash algorithm and ASCII coding before leaving their domain, so even if an interceptor did succeed in breaking the token in a page access request, the plaintext mobile phone terminal IP and fingerprint information could not be obtained, which provides privacy protection for the user.
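The SIM-side generation described in S106 and in the application scenario above (dynamic disturbance, dynamic key, desensitized blocks, token) and the server-side verification of S110 and the page access check, written out as an added example; this is not the patent's or the assignee's code. It follows the application scenario, where the server holds the pre-agreed SM4 key and re-derives the dynamic key from the platform's dynamic code (in the general embodiment the platform returns the dynamic key instead). SM4 is implemented from the GB/T 32907 specification in pure Python so the block runs offline. Assumptions not on the page: the fingerprint hash (the page shows only a 4-byte value and names no algorithm) is truncated SHA-256, the pad byte is 0x00, the fingerprint block precedes the IP block, the platform store is a plain dict, the fingerprint template bytes are constructed, and the page's additional "reversal" step is not specified and therefore omitted; all function names are mine.

```python
# Added example (not the patent's code): SM4-CBC dynamic key, desensitised token, server check.
import hashlib
import hmac

# SM4 constants per GB/T 32907-2016: S-box, system parameters FK, round constants CK
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948")
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = [int.from_bytes(bytes((4 * i + j) * 7 & 0xFF for j in range(4)), "big") for i in range(32)]

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _t(x, shifts):  # S-box on each byte, then linear layer L (rounds) or L' (key schedule)
    r = b = int.from_bytes(bytes(SBOX[v] for v in x.to_bytes(4, "big")), "big")
    for s in shifts:
        r ^= _rol(b, s)
    return r

def sm4_round_keys(key):
    k = [int.from_bytes(key[i:i + 4], "big") ^ FK[i // 4] for i in range(0, 16, 4)]
    for i in range(32):
        k.append(k[i] ^ _t(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i], (13, 23)))
    return k[4:]

def sm4_block(block, rks):
    """One SM4 block: encrypt with the round keys in order, decrypt with them reversed."""
    x = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 16, 4)]
    for rk in rks:
        x.append(x[-4] ^ _t(x[-3] ^ x[-2] ^ x[-1] ^ rk, (2, 10, 18, 24)))
    return b"".join(w.to_bytes(4, "big") for w in reversed(x[-4:]))

def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def sm4_cbc_encrypt(key, iv, data):
    rks, prev, out = sm4_round_keys(key), iv, b""
    for i in range(0, len(data), 16):
        prev = sm4_block(_xor(data[i:i + 16], prev), rks)
        out += prev
    return out

def sm4_cbc_decrypt(key, iv, data):
    rks, prev, out = sm4_round_keys(key)[::-1], iv, b""
    for i in range(0, len(data), 16):
        out += _xor(sm4_block(data[i:i + 16], rks), prev)
        prev = data[i:i + 16]
    return out

# --- the scheme as the page describes it ---
def dynamic_disturbance(dynamic_code, phone, req_id):
    """Bytes 3-4 := BCD of the phone's last 4 digits; bytes 11-12 := first 2 bytes of the request id."""
    iv = bytearray(dynamic_code)
    iv[2:4] = bytes.fromhex(phone[-4:])
    iv[10:12] = req_id[:2]
    return bytes(iv)

def derive_dynamic_key(sm4_key, disturbance):
    # As described: CBC-encrypt the disturbance under the pre-agreed key, with the disturbance as IV.
    return sm4_cbc_encrypt(sm4_key, disturbance, disturbance)

def desensitize(fingerprint, ip):
    """Two 16-byte blocks: 4-byte fingerprint hash, then the IP's ASCII, each padded to 16 bytes.
    The page names neither the hash nor the pad byte; truncated SHA-256 and 0x00 are assumed here."""
    return hashlib.sha256(fingerprint).digest()[:4].ljust(16, b"\0") + ip.encode("ascii").ljust(16, b"\0")

def build_token(phone, req_id, dynamic_code, sm4_key, fingerprint, ip):
    """SIM side: token = phone || request id || CBC ciphertext of the desensitised data, all hex."""
    d = dynamic_disturbance(dynamic_code, phone, req_id)
    ct = sm4_cbc_encrypt(derive_dynamic_key(sm4_key, d), d, desensitize(fingerprint, ip))
    return phone + req_id.hex().upper() + ct.hex().upper()

def make_platform(phone, fingerprint, ip, req_id, dynamic_code):
    """Constructed platform store: only desensitised legal values per phone, dynamic code per request."""
    return {"users": {phone: desensitize(fingerprint, ip)}, "requests": {req_id: dynamic_code}}

def verify_token(token, platform, sm4_key):
    """Server side (application scenario): fetch dynamic code and legal values, decrypt, compare."""
    try:
        phone, req_id, ct = token[:-80], bytes.fromhex(token[-80:-64]), bytes.fromhex(token[-64:])
    except ValueError:  # non-hex garbage where the request id or ciphertext should be
        return False
    dynamic_code, legal = platform["requests"].get(req_id), platform["users"].get(phone)
    if dynamic_code is None or legal is None or len(ct) != 32:
        return False  # unknown request, unknown user, or malformed ciphertext: intercept the request
    d = dynamic_disturbance(dynamic_code, phone, req_id)
    pt = sm4_cbc_decrypt(derive_dynamic_key(sm4_key, d), d, ct)
    return hmac.compare_digest(pt, legal)  # constant-time comparison of the desensitised values

# Values from the page's worked example; the fingerprint template bytes are constructed.
SM4_KEY, DYNAMIC_CODE = bytes.fromhex("11" * 16), bytes.fromhex("22" * 16)
PHONE, REQ_ID, IP = "1361351221", bytes.fromhex("A734058C7653DEF0"), "223.104.67.42"
FINGERPRINT = b"constructed-fingerprint-template"

def demo():  # enrol, issue one request, build the token on the SIM side, verify it on the server
    platform = make_platform(PHONE, FINGERPRINT, IP, REQ_ID, DYNAMIC_CODE)
    token = build_token(PHONE, REQ_ID, DYNAMIC_CODE, SM4_KEY, FINGERPRINT, IP)
    return token, verify_token(token, platform, SM4_KEY)
```

`dynamic_disturbance` reproduces the page's converted dynamic code byte for byte, and the padded IP block matches the page's `3232332E3130342E36372E3432000000`; the dynamic key and ciphertext values on the page can be compared with the block's output only under the assumptions listed above. One caveat worth checking in any deployment of this design: read literally, deriving the dynamic key by CBC-encrypting the disturbance with the disturbance itself as IV makes the first CBC input D XOR D, i.e. an all-zero block, so the derived key would not depend on the dynamic code at all. The example reproduces the description rather than correcting it; a per-request key that actually varies needs the IV and the keyed input to differ.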
Corresponding to the method shown in fig. 1, the embodiment of the invention also provides a SIM card of the terminal equipment. Fig. 3 is a schematic structural diagram of a SIM card 300 according to an embodiment of the present invention, including:
and the authentication information obtaining module 310 is configured to obtain authentication information provided by the terminal device after the terminal device performs a response operation on a service request of a target service sent by the service platform, where the authentication information includes user authentication information and/or device authentication information.
And the electronic certificate generation module 320 is configured to generate an electronic certificate containing the communication number stored in the SIM card and the authentication information.
The page access module 330 is configured to invoke, based on the URL of the target service stored in the SIM card, a browser of the terminal device to initiate a page access request to a server corresponding to the URL; the page access request carries the electronic pass, the communication number of the electronic pass is used for the server to acquire corresponding legal authentication information from the service platform so as to verify the authentication information of the electronic pass based on the legal authentication information, the server creates a page link of the URL for the terminal equipment after verification is passed, and a page corresponding to the page link is used for processing the service request.
Optionally, the service request further carries a service request identifier and a dynamic code generated by the service platform for the service request identifier; the electronic certificate generation module 320 is specifically configured to: preprocess the communication number stored by the SIM card, the service request identifier and the dynamic code according to preprocessing logic pre-agreed with the service platform to obtain dynamic disturbance information; use the dynamic disturbance information as the initialization vector of cipher block chaining (CBC) mode and CBC-encrypt the dynamic disturbance information under the key pre-agreed with the service platform to obtain a dynamic key; desensitize the authentication information according to desensitization logic pre-agreed with the service platform to obtain desensitized authentication information; use the dynamic disturbance information as the initialization vector of CBC mode and perform CBC-mode reverse encryption of the desensitized authentication information under the dynamic key to obtain ciphertext desensitized authentication information; and generate an electronic certificate containing the communication number, the service request identifier and the ciphertext desensitized authentication information. The server acquires the dynamic key and the legal authentication information from the service platform based on the communication number and the service request identifier of the electronic certificate, where the legal authentication information is specifically legal desensitized authentication information, obtained by the service platform desensitizing the locally stored legal authentication information of the communication number according to the desensitization logic; and verification of the authentication information of the electronic certificate by the server based on the legal authentication information means that the server takes the ciphertext desensitized authentication information as the initialization vector of CBC mode, performs CBC-mode decryption of the ciphertext desensitized authentication information under the dynamic key to obtain the desensitized authentication information, and verifies the desensitized authentication information against the legal desensitized authentication information.
Optionally, the electronic certificate generation module 320 performs preprocessing on the communication number stored in the SIM card, the service request identifier and the dynamic code based on preprocessing logic pre-agreed with the service platform, so as to obtain dynamic disturbance information, where the dynamic disturbance information includes: based on pre-processing logic pre-agreed with the service platform, replacing the information of bytes with a first preset bit number in the dynamic code with the coding result of the communication number, and replacing the information of bytes with a second preset bit number in the dynamic code with the coding result of the service request identifier, thereby obtaining the dynamic disturbance information.
Obviously, the SIM card of the embodiment of the present invention may be used as an execution body of the steps corresponding to the SIM card in the method shown in fig. 1, so that the steps and corresponding functions of the method shown in fig. 1 may be implemented. Because the principle is the same, the description is not repeated here.
Corresponding to the method shown in fig. 1, the embodiment of the invention also provides a server. Fig. 4 is a schematic structural diagram of a server 400 according to an embodiment of the present invention, including:
The page access receiving module 410 is configured to receive a page access request sent by a terminal device, where the page access request is initiated by the SIM card of the terminal device, based on the URL of the target service stored by the SIM card, after the terminal device responds to a service request of the target service sent by the service platform, and carries an electronic certificate generated by the SIM card that contains the communication number stored by the SIM card and the authentication information provided by the terminal device.
And the authentication information verification module 420 is configured to obtain corresponding legal authentication information from the service platform based on the communication number of the electronic certificate, so as to verify the authentication information of the electronic certificate based on the legal authentication information.
A page link creation module 430, configured to create a page link of the URL for a browser of the terminal device after the authentication information passes the verification; and the page corresponding to the page link is used for processing the service request.
Optionally, the electronic certificate comprises the communication number, the service request identifier and ciphertext desensitized authentication information, where the ciphertext desensitized authentication information is obtained by the SIM card encrypting the desensitized authentication information in cipher block chaining (CBC) mode under a dynamic key with dynamic disturbance information as the CBC initialization vector; the desensitized authentication information is obtained by the SIM card desensitizing the authentication information according to desensitization logic pre-agreed with the service platform; the dynamic key is obtained by the SIM card CBC-encrypting the dynamic disturbance information under a key pre-agreed with the service platform with the dynamic disturbance information as the CBC initialization vector; and the dynamic disturbance information is obtained by preprocessing the communication number stored by the SIM card, the service request identifier and the dynamic code according to preprocessing logic pre-agreed with the service platform. The authentication information verification module 420 is specifically configured to: acquire the dynamic key and the legal authentication information from the service platform based on the communication number and the service request identifier of the electronic certificate, the legal authentication information being obtained by the service platform desensitizing the locally stored legal authentication information of the communication number according to the desensitization logic; take the ciphertext desensitized authentication information as the initialization vector of CBC mode and perform CBC-mode inverse decryption of the ciphertext desensitized authentication information under the dynamic key to obtain the desensitized authentication information; and verify the desensitized authentication information against the legal desensitized authentication information.
Obviously, the server according to the embodiment of the present invention may be used as an execution body of the corresponding steps of the server in the method shown in fig. 1, so that the steps and corresponding functions of the method shown in fig. 1 may be implemented. Because the principle is the same, the description is not repeated here.
Corresponding to the method shown in fig. 1, the embodiment of the invention also provides a service platform. Fig. 5 is a schematic structural diagram of a service platform 500 according to an embodiment of the present invention, including:
A service request module 510, configured to send a service request of a target service to a terminal device; after the terminal device responds to the service request of the target service sent by the service platform, the SIM card of the terminal device acquires the authentication information provided by the terminal device, generates an electronic certificate containing the communication number stored by the SIM card and the authentication information, and calls the browser of the terminal device to initiate a page access request to the server corresponding to the URL based on the URL of the target service stored by the SIM card, the page access request carrying the electronic certificate.
An authentication information providing module 520, configured to receive a communication number in the electronic certificate sent by the server based on the service access request, so as to find corresponding legal authentication information based on the communication number, and send the legal authentication information to the server; the server is used for verifying the authentication information of the electronic certificate, and after the verification is passed, the server creates a page link of the URL for a browser of the terminal device, and a page corresponding to the page link is used for processing the service request.
Optionally, the service request further carries a service request identifier and a dynamic code generated by the service platform for the service request identifier; the dynamic code is obtained by the service platform encrypting the dynamic disturbance information in cipher block chaining (CBC) mode under a key pre-agreed with the SIM card, with the dynamic disturbance information as the CBC initialization vector; the dynamic disturbance information is obtained by the service platform preprocessing the communication number, the service request identifier and the dynamic code according to preprocessing logic pre-agreed with the SIM card; the electronic certificate comprises the communication number, the service request identifier and ciphertext desensitized authentication information; the ciphertext desensitized authentication information is obtained by the SIM card encrypting the desensitized authentication information in CBC mode under a dynamic key with the dynamic disturbance information as the CBC initialization vector; the desensitized authentication information is obtained by the SIM card desensitizing the authentication information according to desensitization logic pre-agreed with the service platform; the dynamic key is obtained by the SIM card CBC-encrypting the dynamic disturbance information under a key pre-agreed with the service platform with the dynamic disturbance information as the CBC initialization vector; and the dynamic disturbance information is obtained by preprocessing the communication number stored by the SIM card, the service request identifier and the dynamic code according to preprocessing logic pre-agreed with the service platform. The authentication information providing module 520 is specifically configured to: receive the communication number and the service request identifier of the electronic certificate sent by the server based on the service access request, so as to look up the corresponding dynamic code by the service request identifier and the corresponding legal authentication information by the communication number; desensitize the legal authentication information according to the desensitization logic pre-agreed with the SIM card to obtain desensitized legal authentication information; take the desensitized legal authentication information as the initialization vector of CBC mode and CBC-encrypt the desensitized legal authentication information under the dynamic key to obtain ciphertext desensitized legal authentication information; and send the ciphertext desensitized legal authentication information to the server.
Obviously, the service platform of the embodiment of the invention can be used as an execution main body of the corresponding steps of the service platform in the method shown in fig. 1, so that the steps and corresponding functions of the method shown in fig. 1 can be realized. Because the principle is the same, the description is not repeated here.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present specification. Referring to fig. 6, at the hardware level the electronic device includes a processor and, optionally, an internal bus, a network interface and memory. The memory may include volatile memory, such as random-access memory (RAM), and may further include non-volatile memory, such as at least one disk storage. Of course, the electronic device may also include hardware required by other services.
The processor, network interface and memory may be interconnected by an internal bus, which may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, among others. Buses may be classified as address buses, data buses, control buses, etc. For ease of illustration only one bi-directional arrow is shown in fig. 6, but this does not mean there is only one bus or only one type of bus.
The memory is used for storing programs. In particular, a program may include program code comprising computer operating instructions. The memory may include volatile memory and non-volatile storage, and provides instructions and data to the processor.
The processor reads the corresponding computer program from the non-volatile memory into memory and runs it, forming the SIM card described above at the logical level. Correspondingly, the processor executes the program stored in the memory and is specifically configured to perform the following operations:
after the terminal equipment executes response operation on the service request of the target service sent by the service platform, authentication information provided by the terminal equipment is obtained, wherein the authentication information comprises user authentication information and/or equipment authentication information.
And generating an electronic certificate containing the communication number stored by the SIM card and the authentication information.
Calling a browser of the terminal equipment to initiate a page access request to a server corresponding to the URL based on the URL of the target service stored by the SIM card; the page access request carries the electronic pass, the communication number of the electronic pass is used for the server to acquire corresponding legal authentication information from the service platform so as to verify the authentication information of the electronic pass based on the legal authentication information, the server creates a page link of the URL for the terminal equipment after verification is passed, and a page corresponding to the page link is used for processing the service request.
Alternatively, the processor reads the corresponding computer program from the non-volatile memory into memory and runs it, forming the server described above at the logical level. Correspondingly, the processor executes the program stored in the memory and is specifically configured to perform the following operations:
receiving a page access request sent by a terminal device, where the page access request is initiated by the SIM card of the terminal device, based on the URL (uniform resource locator) of the target service stored by the SIM card, after the terminal device responds to a service request of the target service sent by a service platform, and carries an electronic certificate generated by the SIM card that contains the communication number stored by the SIM card and the authentication information provided by the terminal device;
And acquiring corresponding legal authentication information from the service platform based on the communication number of the electronic pass so as to verify the authentication information of the electronic pass based on the legal authentication information.
After the authentication information passes the verification, creating a page link of the URL for a browser of the terminal equipment; and the page corresponding to the page link is used for processing the service request.
Or the processor reads the corresponding computer program from the non-volatile memory into memory and runs it, forming the service platform described above at the logical level. Correspondingly, the processor executes the program stored in the memory and is specifically configured to perform the following operations:
sending a service request of a target service to a terminal device; after the terminal device responds to the service request of the target service sent by the service platform, the SIM card of the terminal device acquires the authentication information provided by the terminal device, generates an electronic certificate containing the communication number stored by the SIM card and the authentication information, and calls the browser of the terminal device to initiate a page access request to the server corresponding to the URL based on the URL of the target service stored by the SIM card, the page access request carrying the electronic certificate;
receiving a communication number in the electronic certificate sent by the server based on the service access request, searching corresponding legal authentication information based on the communication number, and sending the legal authentication information to the server; the server is used for verifying the authentication information of the electronic certificate, and after the verification is passed, the server creates a page link of the URL for a browser of the terminal device, and a page corresponding to the page link is used for processing the service request.
The method disclosed in the embodiment shown in fig. 1 of the present specification can be applied to a processor and implemented by the processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; but also digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components. The disclosed methods, steps, and logic blocks in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly in the execution of a hardware decoding processor, or in the execution of a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, or electrically erasable programmable memory, registers, etc. as well known in the art. The storage medium is located in a memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method.
Of course, in addition to the software implementation, the electronic device in this specification does not exclude other implementations, such as a logic device or a combination of software and hardware, that is, the execution subject of the following process is not limited to each logic unit, but may also be hardware or a logic device.
Furthermore, an embodiment of the present invention also proposes a computer-readable storage medium storing one or more programs, the one or more programs including instructions.
Wherein the instructions, when executed by a portable electronic device comprising a plurality of applications, cause the portable electronic device to perform the steps of the method shown in fig. 1 performed by the SIM card, comprising:
after the terminal device has performed a response operation on the service request of the target service sent by the service platform, acquiring authentication information provided by the terminal device, wherein the authentication information comprises user authentication information and/or device authentication information;
generating an electronic pass containing the communication number stored by the SIM card and the authentication information;
calling a browser of the terminal device to initiate a page access request, based on the URL of the target service stored by the SIM card, to the server corresponding to the URL; the page access request carries the electronic pass, the communication number of the electronic pass is used by the server to acquire corresponding legal authentication information from the service platform so as to verify the authentication information of the electronic pass based on the legal authentication information, the server creates a page link of the URL for the terminal device after verification is passed, and the page corresponding to the page link is used for processing the service request.
Alternatively, the instructions, when executed by a portable electronic device comprising a plurality of applications, cause the portable electronic device to perform the steps of the method shown in fig. 1 performed by the server, comprising:
receiving a page access request sent by a terminal device, wherein the page access request is initiated by a SIM card of the terminal device, based on a URL (uniform resource locator) of a target service stored by the SIM card, after the terminal device has responded to the service request of the target service sent by a service platform, and the page access request carries an electronic pass generated by the SIM card and comprising a communication number stored by the SIM card and authentication information provided by the terminal device;
acquiring corresponding legal authentication information from the service platform based on the communication number of the electronic pass, so as to verify the authentication information of the electronic pass based on the legal authentication information;
after the authentication information passes the verification, creating a page link of the URL for a browser of the terminal device, the page corresponding to the page link being used for processing the service request.
Still further alternatively, the instructions, when executed by a portable electronic device comprising a plurality of applications, cause the portable electronic device to perform the steps of the method shown in fig. 1 performed by the service platform, comprising:
sending a service request of a target service to a terminal device, so that after the SIM card of the terminal device has responded to the service request of the target service sent by the service platform, it acquires authentication information provided by the terminal device, generates an electronic pass containing a communication number stored by the SIM card and the authentication information, and calls a browser of the terminal device to initiate, based on the URL of the target service stored by the SIM card, a page access request to the server corresponding to the URL, the page access request carrying the electronic pass;
receiving the communication number in the electronic pass sent by the server based on the service access request, looking up corresponding legal authentication information based on the communication number, and sending the legal authentication information to the server; the server is used for verifying the authentication information of the electronic pass, and after the verification is passed the server creates a page link of the URL for a browser of the terminal device, the page corresponding to the page link being used for processing the service request.
It will be appreciated by those skilled in the art that embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the present specification may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The foregoing is merely an example of the present specification and is not intended to limit the present specification. Various modifications and alterations to this specification will become apparent to those skilled in the art. Any modifications, equivalent substitutions, improvements, or the like, which are within the spirit and principles of the present description, are intended to be included within the scope of the claims of the present description. Moreover, all other embodiments obtained by those skilled in the art without making any inventive effort shall fall within the scope of protection of this document.

Claims (7)

1. A service access method applied to a SIM card of a terminal device, comprising:
after the terminal device has performed a response operation on a service request of a target service sent by a service platform, acquiring authentication information provided by the terminal device, wherein the authentication information comprises user authentication information and/or device authentication information;
generating an electronic pass containing the communication number stored by the SIM card and the authentication information;
calling a browser of the terminal device to initiate a page access request, based on the URL of the target service stored by the SIM card, to the server corresponding to the URL; the page access request carries the electronic pass, the communication number of the electronic pass is used by the server to acquire corresponding legal authentication information from the service platform so as to verify the authentication information of the electronic pass based on the legal authentication information, the server creates a page link of the URL for the terminal device after verification is passed, and the page corresponding to the page link is used for processing the service request;
wherein the service request also carries a service request identifier and a dynamic code generated by the service platform for the service request identifier;
and generating the electronic pass containing the communication number stored by the SIM card and the authentication information comprises:
preprocessing the communication number stored by the SIM card, the service request identifier and the dynamic code based on preprocessing logic pre-agreed with the service platform, to obtain dynamic disturbance information;
using the dynamic disturbance information as the initial vector of a cipher block chaining (CBC) mode, performing CBC-mode encryption on the dynamic disturbance information based on a key pre-agreed with the service platform, to obtain a dynamic key;
performing desensitization processing on the authentication information based on desensitization logic pre-agreed with the service platform, to obtain desensitized authentication information;
using the dynamic disturbance information as the initial vector of the CBC mode, performing CBC-mode reverse encryption on the desensitized authentication information based on the dynamic key, to obtain ciphertext desensitized authentication information;
generating an electronic pass containing the communication number, the service request identifier and the ciphertext desensitized authentication information; the server acquires the dynamic key and the legal authentication information from the service platform based on the communication number and the service request identifier of the electronic pass, wherein the legal authentication information is specifically legal desensitized authentication information, obtained by the service platform performing desensitization processing, based on the desensitization logic, on the locally stored legal authentication information of the communication number; and verification of the authentication information of the electronic pass by the server based on the legal authentication information means that the server takes the ciphertext desensitized authentication information as the initial vector of the CBC mode, performs CBC-mode decryption on the ciphertext desensitized authentication information based on the dynamic key to obtain the desensitized authentication information, and verifies the desensitized authentication information against the legal desensitized authentication information.
2. The method of claim 1, wherein
preprocessing the communication number stored by the SIM card, the service request identifier and the dynamic code based on preprocessing logic pre-agreed with the service platform, to obtain the dynamic disturbance information, comprises:
based on the preprocessing logic pre-agreed with the service platform, replacing the bytes at a first preset bit position in the dynamic code with the coding result of the communication number, and replacing the bytes at a second preset bit position in the dynamic code with the coding result of the service request identifier, thereby obtaining the dynamic disturbance information.
3. A service access method applied to a server, comprising:
receiving a page access request sent by a terminal device, wherein the page access request is initiated by a SIM card of the terminal device, based on a URL (uniform resource locator) of a target service stored by the SIM card, after the terminal device has responded to the service request of the target service sent by a service platform, and the page access request carries an electronic pass generated by the SIM card and containing a communication number stored by the SIM card and authentication information stored by the terminal device;
acquiring corresponding legal authentication information from the service platform based on the communication number of the electronic pass, so as to verify the authentication information of the electronic pass based on the legal authentication information;
after the authentication information passes the verification, creating a page link of the URL for a browser of the terminal device, the page corresponding to the page link being used for processing the service request;
wherein the service request also carries a service request identifier and a dynamic code generated by the service platform for the service request identifier; the electronic pass comprises the communication number, the service request identifier and ciphertext desensitized authentication information, the ciphertext desensitized authentication information being obtained by the SIM card using dynamic disturbance information as the initial vector of a cipher block chaining (CBC) mode and performing CBC-mode encryption on desensitized authentication information based on a dynamic key; the desensitized authentication information is obtained by the SIM card performing desensitization processing on the authentication information based on desensitization logic pre-agreed with the service platform; the dynamic key is obtained by the SIM card using the dynamic disturbance information as the initial vector of the CBC mode and performing CBC-mode encryption on the dynamic disturbance information based on a key pre-agreed with the service platform; and the dynamic disturbance information is obtained by preprocessing the communication number stored by the SIM card, the service request identifier and the dynamic code based on preprocessing logic pre-agreed with the service platform;
and acquiring corresponding legal authentication information from the service platform based on the communication number of the electronic pass so as to verify the authentication information of the electronic pass based on the legal authentication information comprises:
acquiring the dynamic key and the legal authentication information from the service platform based on the communication number and the service request identifier of the electronic pass, the service platform being used for performing desensitization processing, based on the desensitization logic, on the locally stored legal authentication information of the communication number to obtain legal desensitized authentication information;
taking the ciphertext desensitized authentication information as the initial vector of the CBC mode, and performing CBC-mode decryption (the inverse of the encryption) on the ciphertext desensitized authentication information based on the dynamic key, to obtain the desensitized authentication information;
and verifying the desensitized authentication information against the legal desensitized authentication information.
4. A service access method applied to a service platform, comprising:
sending a service request of a target service to a terminal device, so that after the SIM card of the terminal device has responded to the service request of the target service sent by the service platform, it acquires authentication information provided by the terminal device, generates an electronic pass containing a communication number stored by the SIM card and the authentication information, and calls a browser of the terminal device to initiate, based on the URL of the target service stored by the SIM card, a page access request to the server corresponding to the URL, the page access request carrying the electronic pass;
receiving the communication number in the electronic pass sent by the server based on the service access request, looking up corresponding legal authentication information based on the communication number, and sending the legal authentication information to the server; the server is used for verifying the authentication information of the electronic pass, and after the verification is passed the server creates a page link of the URL for a browser of the terminal device, the page corresponding to the page link being used for processing the service request;
wherein the service request also carries a service request identifier and a dynamic code generated by the service platform for the service request identifier; the dynamic code is obtained by the service platform using the dynamic disturbance information as the initial vector of a cipher block chaining (CBC) mode and performing CBC-mode encryption on the dynamic disturbance information based on a key pre-agreed with the SIM card; and the dynamic disturbance information is obtained by the service platform preprocessing the communication number, the service request identifier and the dynamic code based on preprocessing logic pre-agreed with the SIM card;
the electronic pass comprises the communication number, the service request identifier and ciphertext desensitized authentication information; the ciphertext desensitized authentication information is obtained by the SIM card using the dynamic disturbance information as the initial vector of the CBC mode and performing CBC-mode encryption based on a dynamic key; the desensitized authentication information is obtained by the SIM card performing desensitization processing on the authentication information based on desensitization logic pre-agreed with the service platform; the dynamic key is obtained by the SIM card using the dynamic disturbance information as the initial vector of the CBC mode and performing CBC-mode encryption on the dynamic disturbance information based on a key pre-agreed with the service platform; and the dynamic disturbance information is obtained by preprocessing the communication number stored by the SIM card, the service request identifier and the dynamic code based on preprocessing logic pre-agreed with the service platform;
and receiving the communication number in the electronic pass sent by the server based on the service access request, so as to look up corresponding legal authentication information based on the communication number, and sending the legal authentication information to the server comprises:
receiving the communication number and the service request identifier in the electronic pass sent by the server based on the service access request, so as to look up the corresponding dynamic code based on the service request identifier and the corresponding legal authentication information based on the communication number;
performing desensitization processing on the legal authentication information based on desensitization logic pre-agreed with the SIM card, to obtain desensitized legal authentication information;
using the desensitized legal authentication information as the initial vector of the CBC mode, performing CBC-mode encryption on the desensitized legal authentication information based on the dynamic key, to obtain ciphertext desensitized legal authentication information;
and sending the ciphertext desensitized legal authentication information to the server.
5. A SIM card for a terminal device, comprising:
an authentication information acquisition module, used for acquiring authentication information provided by the terminal device after the terminal device has performed a response operation on a service request of a target service sent by a service platform, wherein the authentication information comprises user authentication information and/or device authentication information;
an electronic pass generation module, used for generating an electronic pass containing the communication number stored by the SIM card and the authentication information;
a page access module, used for calling the browser of the terminal device to initiate a page access request, based on the URL of the target service stored by the SIM card, to the server corresponding to the URL; the page access request carries the electronic pass, the communication number of the electronic pass is used by the server to acquire corresponding legal authentication information from the service platform so as to verify the authentication information of the electronic pass based on the legal authentication information, the server creates a page link of the URL for the terminal device after verification is passed, and the page corresponding to the page link is used for processing the service request;
wherein the service request also carries a service request identifier and a dynamic code generated by the service platform for the service request identifier;
and the electronic pass generation module is specifically configured to: preprocess the communication number stored by the SIM card, the service request identifier and the dynamic code based on preprocessing logic pre-agreed with the service platform, to obtain dynamic disturbance information;
use the dynamic disturbance information as the initial vector of a cipher block chaining (CBC) mode and perform CBC-mode encryption on the dynamic disturbance information based on a key pre-agreed with the service platform, to obtain a dynamic key;
perform desensitization processing on the authentication information based on desensitization logic pre-agreed with the service platform, to obtain desensitized authentication information;
use the dynamic disturbance information as the initial vector of the CBC mode and perform CBC-mode reverse encryption on the desensitized authentication information based on the dynamic key, to obtain ciphertext desensitized authentication information;
generate an electronic pass containing the communication number, the service request identifier and the ciphertext desensitized authentication information; the server acquires the dynamic key and the legal authentication information from the service platform based on the communication number and the service request identifier of the electronic pass, wherein the legal authentication information is specifically legal desensitized authentication information, obtained by the service platform performing desensitization processing, based on the desensitization logic, on the locally stored legal authentication information of the communication number; and verification of the authentication information of the electronic pass by the server based on the legal authentication information means that the server takes the ciphertext desensitized authentication information as the initial vector of the CBC mode, performs CBC-mode decryption on the ciphertext desensitized authentication information based on the dynamic key to obtain the desensitized authentication information, and verifies the desensitized authentication information against the legal desensitized authentication information.
6. A server, comprising:
a page access receiving module, used for receiving a page access request sent by a terminal device, wherein the page access request is initiated by a SIM card of the terminal device, based on a URL (uniform resource locator) of a target service stored by the SIM card, after the terminal device has responded to the service request of the target service sent by a service platform, and the page access request carries an electronic pass generated by the SIM card and containing a communication number stored by the SIM card and authentication information stored by the terminal device;
an authentication information verification module, used for acquiring corresponding legal authentication information from the service platform based on the communication number of the electronic pass so as to verify the authentication information of the electronic pass based on the legal authentication information;
a page link creation module, used for creating the page link of the URL for the browser of the terminal device after the authentication information passes the verification, the page corresponding to the page link being used for processing the service request;
wherein the service request also carries a service request identifier and a dynamic code generated by the service platform for the service request identifier; the electronic pass comprises the communication number, the service request identifier and ciphertext desensitized authentication information, the ciphertext desensitized authentication information being obtained by the SIM card using dynamic disturbance information as the initial vector of a cipher block chaining (CBC) mode and performing CBC-mode encryption on desensitized authentication information based on a dynamic key; the desensitized authentication information is obtained by the SIM card performing desensitization processing on the authentication information based on desensitization logic pre-agreed with the service platform; the dynamic key is obtained by the SIM card using the dynamic disturbance information as the initial vector of the CBC mode and performing CBC-mode encryption on the dynamic disturbance information based on a key pre-agreed with the service platform; and the dynamic disturbance information is obtained by preprocessing the communication number stored by the SIM card, the service request identifier and the dynamic code based on preprocessing logic pre-agreed with the service platform;
and the authentication information verification module is specifically configured to: acquire the dynamic key and the legal authentication information from the service platform based on the communication number and the service request identifier of the electronic pass, the service platform being used for performing desensitization processing, based on the desensitization logic, on the locally stored legal authentication information of the communication number to obtain legal desensitized authentication information;
take the ciphertext desensitized authentication information as the initial vector of the CBC mode and perform CBC-mode decryption (the inverse of the encryption) on the ciphertext desensitized authentication information based on the dynamic key, to obtain the desensitized authentication information;
and verify the desensitized authentication information against the legal desensitized authentication information.
7. A service platform, comprising:
a service request module, used for sending a service request of a target service to a terminal device, so that after the SIM card of the terminal device has responded to the service request of the target service sent by the service platform, it acquires authentication information provided by the terminal device, generates an electronic pass containing a communication number stored by the SIM card and the authentication information, and calls a browser of the terminal device to initiate, based on the URL of the target service stored by the SIM card, a page access request to the server corresponding to the URL, the page access request carrying the electronic pass;
an authentication information providing module, used for receiving the communication number in the electronic pass sent by the server based on the service access request, looking up corresponding legal authentication information based on the communication number, and sending the legal authentication information to the server; the server is used for verifying the authentication information of the electronic pass, and after the verification is passed the server creates a page link of the URL for a browser of the terminal device, the page corresponding to the page link being used for processing the service request;
wherein the service request also carries a service request identifier and a dynamic code generated by the service platform for the service request identifier; the dynamic code is obtained by the service platform using the dynamic disturbance information as the initial vector of a cipher block chaining (CBC) mode and performing CBC-mode encryption on the dynamic disturbance information based on a key pre-agreed with the SIM card; the dynamic disturbance information is obtained by the service platform preprocessing the communication number, the service request identifier and the dynamic code based on preprocessing logic pre-agreed with the SIM card; the electronic pass comprises the communication number, the service request identifier and ciphertext desensitized authentication information; the ciphertext desensitized authentication information is obtained by the SIM card using the dynamic disturbance information as the initial vector of the CBC mode and performing CBC-mode encryption based on a dynamic key; the desensitized authentication information is obtained by the SIM card performing desensitization processing on the authentication information based on desensitization logic pre-agreed with the service platform; the dynamic key is obtained by the SIM card using the dynamic disturbance information as the initial vector of the CBC mode and performing CBC-mode encryption on the dynamic disturbance information based on a key pre-agreed with the service platform; and the dynamic disturbance information is obtained by preprocessing the communication number stored by the SIM card, the service request identifier and the dynamic code based on preprocessing logic pre-agreed with the service platform;
and the authentication information providing module is specifically configured to: receive the communication number and the service request identifier in the electronic pass sent by the server based on the service access request, so as to look up the corresponding dynamic code based on the service request identifier and the corresponding legal authentication information based on the communication number;
perform desensitization processing on the legal authentication information based on desensitization logic pre-agreed with the SIM card, to obtain desensitized legal authentication information;
use the desensitized legal authentication information as the initial vector of the CBC mode and perform CBC-mode encryption on the desensitized legal authentication information based on the dynamic key, to obtain ciphertext desensitized legal authentication information;
and send the ciphertext desensitized legal authentication information to the server.
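The three-party exchange the claims describe (SIM card in claim 1, server in claim 3, service platform in claim 4, and their apparatus counterparts in claims 5 to 7), carried through end to end as an added worked example in Go. This is illustrative code written for this page, not code from the patent or from China Mobile. It assumes AES-256 as the block cipher, a 32-byte dynamic code issued per request by the platform (the claims' account of how the dynamic code itself is produced is circular, so here it is simply a constructed value), truncated SHA-256 as the "coding result" written at byte offsets 0 and 8 of the dynamic code, and a masking rule that keeps the first three and last four characters as the desensitization logic. The claims name different values as the initial vector on the SIM, server and platform sides; the example uses the first block of the dynamic disturbance information throughout, which is what claim 1 states for the SIM card, and the server decrypts and compares as in claim 3 rather than receiving the platform's own ciphertext as in claim 4. The function names, the single-use request identifier and every sample value are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

var (
	blk           = aes.BlockSize
	sharedKey     = []byte("0123456789abcdef0123456789abcdef") // pre-agreed SIM/platform key (constructed, AES-256)
	platformCodes = map[string][]byte{}                       // platform state: request identifier -> dynamic code
	platformLegal = map[string]string{}                       // platform state: communication number -> legal auth info
)

func mustBlock(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key used here is 32 bytes by construction
	}
	return b
}

// preprocess: the 32-byte dynamic code with bytes 0..8 replaced by an encoding of the
// communication number and 8..16 by one of the request identifier (offsets and SHA-256 assumed).
func preprocess(code []byte, comm, reqID string) []byte {
	d := append([]byte(nil), code...)
	hc, hr := sha256.Sum256([]byte(comm)), sha256.Sum256([]byte(reqID))
	copy(d[0:8], hc[:8])
	copy(d[8:16], hr[:8])
	return d
}

// cbcEncrypt is CBC with PKCS#7 padding; cbcDecrypt rejects malformed input.
func cbcEncrypt(key, iv, pt []byte) []byte {
	pad := byte(blk - len(pt)%blk)
	pt = append(append([]byte(nil), pt...), bytes.Repeat([]byte{pad}, int(pad))...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustBlock(key), iv).CryptBlocks(ct, pt)
	return ct
}

func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%blk != 0 {
		return nil, errors.New("ciphertext is not a block multiple")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(mustBlock(key), iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > blk || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

// dynamicKey: CBC-encrypt the disturbance information under the shared key with the disturbance
// information (its first block) as IV, as claim 1 states. d is 32 bytes, so the first 32 ciphertext
// bytes are the unpadded CBC output and serve as the AES-256 dynamic key.
func dynamicKey(d []byte) []byte { return cbcEncrypt(sharedKey, d[:blk], d)[:len(d)] }

// desensitize: masking logic agreed by both sides (assumed: keep 3 leading and 4 trailing characters).
func desensitize(s string) string {
	if len(s) <= 7 {
		return s
	}
	return s[:3] + strings.Repeat("*", len(s)-7) + s[len(s)-4:]
}

// simGeneratePass: the SIM card steps of claim 1. The electronic pass is the triple
// (communication number, request identifier, ciphertext); this returns the ciphertext part.
func simGeneratePass(comm, reqID string, code []byte, authInfo string) []byte {
	d := preprocess(code, comm, reqID)
	return cbcEncrypt(dynamicKey(d), d[:blk], []byte(desensitize(authInfo)))
}

// platformLookup answers the server query of claim 3 with dynamic key, IV and desensitised legal
// information. Consuming the identifier is an addition the page does not state: a captured pass is single-use.
func platformLookup(comm, reqID string) (key, iv []byte, legalMasked string, err error) {
	code, okC := platformCodes[reqID]
	legal, okL := platformLegal[comm]
	if !okC || !okL {
		return nil, nil, "", errors.New("unknown request identifier or communication number")
	}
	delete(platformCodes, reqID)
	d := preprocess(code, comm, reqID)
	return dynamicKey(d), d[:blk], desensitize(legal), nil
}

// serverVerify decrypts the pass and compares it with the platform's value in constant time.
func serverVerify(comm, reqID string, ct []byte) (bool, error) {
	key, iv, legalMasked, err := platformLookup(comm, reqID)
	if err != nil {
		return false, err
	}
	pt, err := cbcDecrypt(key, iv, ct)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(pt, []byte(legalMasked)) == 1, nil
}

func main() {
	platformLegal["13800000000"] = "110101199001011234" // constructed sample, not real data
	code := bytes.Repeat([]byte{0x42}, 32)              // constructed per-request dynamic code
	platformCodes["req-1"] = code                       // the service request carried req-1 and code
	ct := simGeneratePass("13800000000", "req-1", code, "110101199001011234")
	fmt.Println(serverVerify("13800000000", "req-1", ct)) // true <nil>
}
```

Two properties of the scheme show up as soon as it is run. Because the dynamic-key step uses the disturbance information both as IV and as the plaintext, the first CBC block encrypts IV XOR plaintext, which is all zeros, so the first 16 bytes of every dynamic key are the encryption of a zero block under the pre-agreed key, identical for every session and every subscriber; with a one-block (16-byte) disturbance value the "dynamic" key would be a constant. And because the server compares desensitized values, only the unmasked characters of the authentication information are actually verified; whatever the masking hides contributes nothing to the check. Consuming the request identifier on lookup is an addition here so that a pass captured from the page access request cannot be presented a second time.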
CN202210998430.1A 2022-08-19 2022-08-19 Service access method, SIM card, server and service platform Active CN115361683B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210998430.1A CN115361683B (en) 2022-08-19 2022-08-19 Service access method, SIM card, server and service platform

Publications (2)

Publication Number Publication Date
CN115361683A CN115361683A (en) 2022-11-18
CN115361683B true CN115361683B (en) 2023-07-04

Family

ID=84002692

Country Status (1)

Country Link
CN (1) CN115361683B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1604485A1 (en) * 2003-03-19 2005-12-14 Way Systems, Inc. System and method for mobile transactions using the bearer independent protocol
CN101751392A (en) * 2008-12-01 2010-06-23 爱思开电讯投资(中国)有限公司 Browser-embedded smart card and method thereof
CN108009443A (en) * 2017-11-30 2018-05-08 广州天鹏计算机科技有限公司 Data access method and system
CN109089264A (en) * 2018-08-02 2018-12-25 江苏满运软件科技有限公司 Password-free login method and system for a mobile terminal
CN112055355A (en) * 2020-09-01 2020-12-08 紫光云(南京)数字技术有限公司 Internet access password management system based on 5G super SIM card

Also Published As

Publication number Publication date
CN115361683A (en) 2022-11-18

Similar Documents

Publication Publication Date Title
CN112333198B (en) Secure cross-domain login method, system and server
KR100863204B1 (en) Methods and apparatus for providing application credentials
CN111355726B (en) Identity authorization login method and device, electronic equipment and storage medium
CN112131021B (en) Access request processing method and device
CN108243188B (en) Interface access, interface call and interface verification processing method and device
CN108322416B (en) Security authentication implementation method, device and system
CN110266642A (en) Identity identifying method and server, electronic equipment
CN111865882B (en) Micro-service authentication method and system
CN111639327A (en) Authentication method and device for open platform
CN106911684A (en) Authentication method and system
CN110278084B (en) eID establishing method, related device and system
CN112131564A (en) Encrypted data communication method, apparatus, device, and medium
CN111565179B (en) Identity verification method and device, electronic equipment and storage medium
CN108768928B (en) Information acquisition method, terminal and server
CN113726774A (en) Client login authentication method, system and computer equipment
CN113204772A (en) Data processing method, device, system, terminal, server and storage medium
CN112039857B (en) Calling method and device of public basic module
CN112565239B (en) Authentication method, device, computer equipment and storage medium for integrating multiple operators
CN113395249A (en) Client login authentication method, system and computer equipment
CN115361683B (en) Service access method, SIM card, server and service platform
CN114866247B (en) Communication method, device, system, terminal and server
CN111083100A (en) Method and system for enhancing login security of Linux operating system based on message pushing
CN113992353B (en) Login certificate processing method and device, electronic equipment and storage medium
CN114024682A (en) Cross-domain single sign-on method, service equipment and authentication equipment
CN113807843A (en) Card binding method, user terminal, server, system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant