CN1897027A - Authentication services using mobile device - Google Patents

Publication number: CN1897027A
Application number: CNA2006100737704A
Authority: CN (China)
Prior art keywords: user, supplier, transaction server, authentication, mobile device
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 雅尼斯·拉布罗, 乔纳森·拉塞尔·阿格雷
Current Assignee: Fujitsu Ltd
Original Assignee: Fujitsu Ltd
Abstract

A method, and an apparatus performing the method, are provided by: authenticating a mobile device that is communicably connectable to a wireless network, using an authentication parameter from a secure transaction server (STS), as a mobile device authenticator; providing to the STS a correlation between a personal identification entry (PIE) and the mobile device authenticator; and inputting, by a user, the PIE and a provider action to the mobile device authenticator, which transmits a transformed secure user-authenticable authorization request to the STS over the wireless network in order to authorize an action with a provider.

Description

Authentication services using a mobile device
Technical field
The present invention relates to a wireless device or computing device acting as an authenticator (for example, a mobile phone as a user's authenticator).
Background technology
Two-factor authentication is a security process in which the user provides two kinds of identification: one is typically a physical token such as a card, and the other is typically a memorized secret such as a security code. In this context the two factors are often referred to as something the user has and something the user knows. A common example of two-factor authentication is a bank card: the card itself is a physical article, and the personal identification number (PIN) paired with it is the known data that serves as the second factor.
Hardware token generators can be used for second-factor authentication in business systems. However, a hardware token generator only produces a token that the user, or whoever holds the generator, must then supply by hand in order to authenticate. For example, two-factor authentication may require the second factor to be a "physical token", i.e. something the user has, which produces (i.e. displays) a second-factor token such as a numeric string that the holder of the "physical token" enters at a terminal providing access to the requested service. A drawback of hardware token generators is that a lost or stolen generator can be used to breach security or to commit fraud. Another drawback is that the user must manage an additional physical token for authentication purposes. A further drawback is that multiple hardware token generators are needed for multiple authentications against different systems. In addition, hardware token generators are insufficient to prevent web-page forgery (phishing), because two-factor authentication that uses a hardware token generator as the second factor is still susceptible to "man in the middle" attacks.
Therefore, there is a need to authenticate users more securely and more efficiently.
Summary of the invention
The present invention relates to a wireless device or wireless computing device acting as an authenticator, for example a mobile phone as a user's authenticator.
A method, and an apparatus performing the method, are provided by the following steps: authenticating a mobile device that is communicably connectable to a wireless network, using an authentication parameter from a secure transaction server (STS), as a mobile device authenticator; providing to the STS a correlation between a personal identification entry (PIE) and the mobile device authenticator; and inputting, by the user, the PIE and a provider action to the mobile device authenticator, which transmits a transformed secure user-authenticable authorization request to the STS over the wireless network in order to authorize an action with the provider.
An apparatus comprises a provider system, a secure transaction server (STS) and a trusted wireless communication device which, based on an authentication parameter from the STS, is controlled according to the following process: receiving the user's personal identification entry (PIE) and a provider action, and wirelessly transmitting to the STS a transformed secure user-authenticable authorization request in order to authorize an action with the provider system. Another apparatus comprises a provider system, a secure transaction server, and a device for receiving the user's personal identification entry (PIE) and a provider system action and for wirelessly transmitting to the STS a transformed secure user-authenticable authorization request in order to authorize an action with the provider system.
These and other aspects and advantages will be set forth in part in the description that follows, will in part be apparent from the description, or may be learned by practice of the described embodiments.
Description of drawings
The above and other aspects and advantages will become apparent and more readily understood from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a diagram of a computer system providing a mobile device authentication service according to an embodiment of the invention;
Fig. 2 is a functional block diagram of a Universal Pervasive Transaction Framework Secure Agreement Submission (UPTF SAS) system architecture that performs the mobile device authentication service according to an embodiment of the invention;
Fig. 3 is a diagram of a UPTF authentication request message, based on the Secure Agreement Submission (SAS) protocol, that provides the mobile device authentication service according to an embodiment of the invention;
Fig. 4 is a system flow for providing a mobile device authenticator according to an embodiment of the invention;
Fig. 5 is a system flow of two-factor user authentication for accessing a computer system according to an embodiment of the invention;
Fig. 6A is a system flow of two-factor user transaction authentication for a mobile device connected to the wireless network, according to an embodiment of the invention;
Fig. 6B is a system flow of two-factor pre-authorized user transaction authentication for a mobile device connected to the wireless network, according to an embodiment of the invention;
Fig. 6C is a system flow of two-factor user transaction authentication for a mobile device that is offline (away from the wireless network), according to an embodiment of the invention;
Fig. 6D is a system flow of two-factor user transaction authentication for a mobile device that is offline (away from the wireless network), without a clock synchronization requirement, according to an embodiment of the invention;
Fig. 7 is a system flow of user authentication for accessing a computer system using a mobile device connected to the wireless network and the UPTF, according to an embodiment of the invention;
Fig. 8 is a system flow of payment authorization for a web transaction using a mobile device connected to the wireless network, according to an embodiment of the invention;
Fig. 9A is a system flow of a transaction with an automatic teller machine (ATM) using a mobile device connected to the wireless network, according to an embodiment of the invention; and
Fig. 9B is a system flow of a transaction with an automatic teller machine (ATM) using a mobile device connected to the wireless network and the UPTF, according to another embodiment of the invention.
Embodiment
Reference will now be made in detail to the present embodiments of the invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to like elements throughout. The embodiments are described below with reference to the drawings in order to explain the present invention.
The coming pervasive computing environment will include users carrying wireless information computing devices (mobile devices), such as cellular phones or personal digital assistants (PDAs), that can wirelessly communicate and interact with the varying services and devices encountered at any particular moment and place. A vital condition for pervasive computing to appear on the market is the ability to conduct transactions reliably, securely and efficiently.
For example, on the Internet, "web-page forgery" (phishing, sometimes called carding or brand spoofing) is a fraud in which the fraudster sends out e-mail that appears to come from a legitimate source (for example a bank, or one of the largest websites, including EBAY, PAYPAL, MSN, YAHOO, BESTBUY and AMERICA ONLINE) in an effort to "phish" (pronounced "fish") personal and financial information from the recipient of the illegitimate e-mail.
The described embodiments provide an authentication service, i.e. an authentication service for access to, but not limited to, a computer system or a physical environment (location) such as a building. In the described embodiments, "access" refers to granting access to a restricted physical environment (including, but not limited to, a computer system). In the described embodiments, "provider" refers to the provider's site. The described embodiments provide an authentication service for any pervasive-computing transaction, such as an access transaction, a payment or a funds transfer, that needs additional authentication to increase security or to improve currently available authentication. For example, an authentication service exists as single-factor or two-factor transaction authentication for transactions initiated at a website (such as a login transaction for accessing a computer system, or a payment transaction for a purchase through the website). For example, where the website owner suspects fraud, as when a third party has stolen the identity of a legitimate user of the website through phishing and attempts to transact by impersonating the legitimate user (e.g. logging in, paying, transferring funds), two-factor authentication requires a second factor to authenticate the transaction.
Fig. 1 is a diagram of a computer system 100 for providing a mobile device authentication service according to an embodiment of the invention. In the embodiment described herein, a user 102 authenticates using a mobile wireless device 104. The mobile wireless device 104 is any mobile wireless computing device or mobile radio computing device, including but not limited to a mobile phone that communicates wirelessly (for example, via the wireless Internet 105 or a mobile telephone network) with a secure transaction server 120. According to an aspect of the embodiment, the mobile device 104 can communicate wirelessly with a provider, such as provider computer system 106. The embodiments described herein relate to an electronic authentication service for a mobile wireless computing device user carrying out transactions. According to an aspect of the described embodiments, the authentication service is based on the Universal Pervasive Transaction Framework Secure Agreement Submission (UPTF SAS) protocol. The Universal Pervasive Transaction Framework (UPTF) is a framework for authenticating transactions initiated by mobile (wireless) devices. More specifically, the UPTF SAS protocol is discussed in the following related co-pending U.S. patent applications: No. 11/045,484 filed January 31, 2005; No. 10/458,205 filed June 11, 2003; No. 10/628,584 filed July 29, 2003; No. 10/628,569 filed July 29, 2003; and No. 10/628,583 filed July 29, 2003; the entire disclosures of all of these applications are incorporated herein by reference. More specifically, according to an aspect of the described embodiments, the wireless mobile computing device 104 provides a user electronic authentication service for transactions based on one-party or multi-party (i.e., in an exemplary embodiment, paired and/or plural) authentication views, where the authentication views are protected (e.g. encrypted) with respect to time, user and software, matched (verified against each other), and anonymous between the parties.
Fig. 2 is a functional block diagram of a Universal Pervasive Transaction Framework Secure Agreement Submission (UPTF SAS) system 200 architecture for performing the mobile device authentication service according to an embodiment of the invention. In Fig. 2 and the other drawings, colour is used to highlight a described feature/concept, for example a class or possible type of communication channel. For example, a communication channel may be a virtual private network (VPN), a mobile phone or cellular network, or any known type of computer data communication network, whether secure or not. The Universal Pervasive Transaction Framework (UPTF) defines a system architecture based on independent and anonymous transaction agreement views, and a communication security protocol, called the Secure Agreement Submission (SAS) protocol, for transmitting these views. Essentially, UPTF provides a vessel that can securely carry each view of a transaction agreement, in this case over a communication network possibly composed of insecure segments, such as the wireless Internet, a mobile telephone network or a cellular link, from each party involved in the transaction to a trusted third party for authorization and/or authentication of the transaction (collectively referred to as the authentication service). When used for authentication, as with mobile device authenticator 104, the parties to the authenticated transaction are the user 102 and the provider 106 (for example, a website operator or computer system) that the user wants to access. A typical "authentication" agreement view may comprise: "user A, transaction token."
In Fig. 2, the UPTF SAS protocol encrypts and decrypts transaction messages by a symmetric-key method (key 352, Cc,m), where the key 352 can be generated only by the individual party's mobile device 104 and the trusted third party (for example, embodied as STS 120), with no need to transmit the key between the parties. In other words, UPTF SAS provides implicit user authentication, because the trusted third party (such as STS 120) authenticates the sender by decrypting the sender's encrypted message. SAS guarantees that the authentication of each party is verified; even if the parties do not trust each other, a message coming from one party can be forwarded to the third party by the other party for verification (depending on the situation), and the privacy of the information is maintained during transmission (anonymity of the parties). UPTF provides a mechanism for the trusted third party 120 to verify the authentication by checking whether the separate views are consistent with each other.
In Fig. 2, the STS 120 extracts the authentication transaction data from the authentication transaction views received from each party, and after the STS 120 has verified the received authentication transaction data, any further action that is needed can be carried out through interaction between the trusted third party 120 and the financial institutions associated with the user-payer 102 and the provider (merchant)-payee 106, for example a transfer of a specified amount between the user-payer 102 and the provider-payee 106.
In Fig. 2, the UPTF-based mobile authentication service system architecture comprises: a user 102 operating a UPTF device (also referred to as a Universal Pervasive Transaction Device, UPTD), such as a mobile phone 104 loaded with a mobile identification (ID) application or mobile authentication service software 108 (hereinafter the mobile ID application, which may be implemented in software and/or computing hardware); a provider 106 operating another UPTF-based device 205; a secure transaction server (STS) 120; and, optionally for additional transactions, a number of financial institutions (not shown), together with several insecure and secure (depending on the situation) communication channels between them. Typically, in the present embodiment, the separation of the STS 120 from the provider 106 shown in Fig. 2 is a logical separation; they may be implemented as one entity or as separate entities (depending on the situation).
In Fig. 2, according to an aspect of the embodiment described herein, the STS 120 authenticates the mobile device 104 using authentication parameters 350 in order to provide the mobile device authenticator 104. The STS authentication parameters are the secret information used to encrypt the messages exchanged between each user's 102 mobile device authenticator 104 and the provider 106, and this secret information is stored in DB 203. The STS 120 receives from the user 102 and the provider 106 independently generated UPTF SAS authentication transaction views (described in more detail below) of the authentication transaction between them. The STS 120 can decode both views based on the information in the UPTF SAS authentication transaction messages and the information stored in the STS 120 database 203. After successful decoding, the STS 120 verifies that the view messages are original and authentic, that they contain the intended user 102 and provider 106, and that the information fields of the authentication views are consistent with each other. The STS 120 may keep a log of message traffic for non-repudiation purposes. Thus, the mobile ID application 108 of the mobile device authenticator 104 is based on the Universal Pervasive Transaction Framework (UPTF), a general framework, a general architecture and a new security protocol for carrying out secure multi-party agreements using mobile devices over wireless transmission networks. The framework is designed to address specifically several key aspects of the anticipated pervasive communication (including wireless) environment.
In Fig. 2, the mobile ID application 108 of the mobile device 104 communicates with the STS 120 via a wireless communication channel 210, which is typically insecure and may be the wireless Internet 105, a mobile telephone network, a local wireless network, or any combination of these. In addition, wireless UPTF SAS-based messages may be transmitted over the wireless channel 210 using SMS messages exchanged with the STS 120, the Hypertext Transfer Protocol (HTTP), web service calls, other known wireless messaging services, or any combination of these. The provider 106 may be separate from or co-located with the STS 120 (depending on the situation), and the provider 106 may be communicably connected to the STS 120 by a known secure communication channel 220, an insecure channel, or any combination of these.
Fig. 3 is a diagram of a UPTF authentication request message, based on the Secure Agreement Submission (SAS) protocol, used to provide the mobile device authentication service according to an embodiment of the invention. The SAS protocol is used to encrypt and submit views based on the intended UPTF authentication transaction. The SAS message structure and encryption mechanism are designed to provide a number of desired security features for pervasive communication in insecure environments (including wireless environments used for transactions), for example:
Authentication: the agreement parties and the authenticator authenticate each other, and the integrity of the agreement group is authenticated;
Anonymity: the agreement parties can remain anonymous to each other, and personal and/or other account-related information is not revealed to the other party;
Protection of the agreement content: the agreement is kept confidential, is tamper-proof and non-replayable, and provides strong non-repudiation. In particular, each view is encrypted with a continuously changing, time-dependent, device-specific key.
The underlying SAS algorithm is well suited to systems that use low-cost user devices with limited computational resources, and it minimizes the complexity of use for the user. In addition, part of the information needed to use SAS, in particular the PIE, is not permanently stored on the mobile device authenticator 102 and is not included in any data transmission; therefore, if the mobile device authenticator 102 is lost or stolen, the mobile device authenticator 104 cannot be used. Further details and the encryption mechanism of SAS are provided below with reference to Fig. 3.
Fig. 3 shows the internal structure, generation and processing of the authentication view messages 402, 404 (i.e. the UPTF SAS authentication transaction messages). The provider 106 comprises a provider device 205 on which the provider's UPTF-based transaction messages are implemented. The UPTF SAS-based views 402, 404 may be implemented in the mobile ID application or mobile authentication service software 108 executing in the mobile device authenticator 102, in software and/or computing hardware. Because the views 402, 404 from the user 102 and the provider 106 are symmetric, only the user's 202 view 402 is described. The identifiers used in Fig. 3 are as follows:
DIDc: device ID, the unique identifier of the mobile device authenticator 104 (consumer (c) or source party).
DIDm: device ID, the unique identifier of the provider's 106 device (merchant (m) or destination party).
RSN: random sequence number.
TS: local current timestamp.
TID: transaction ID, a unique identification number assigned to the agreement, maintained by the STS 120 to identify the corresponding UPTF agreement views 402, 404.
MD: message digest.
PIE: personal identification entry, an alphanumeric string entered by the user and maintained by the user and the STS 120 for encryption. In the exemplary embodiment described herein, the PIE is maintained only by the user and the STS 120; it is unknown to, and not maintained by, the other party to the transaction and/or any financial institution; and it is used only temporarily by the user's 102 mobile device authenticator 104 as an intermediate parameter for encrypting the user authentication view 402. More specifically, the PIE is not included in transaction messages (for example, UPTF SAS messages and/or SAS-based informational messages), so the mobile ID application 108 never sends the PIE. The PIE can be non-secure, being essentially a short alphanumeric string such as 4 digits. The user enters the PIE whenever attempting a transaction. Preferably, the PIE is issued to the user when the user registers for the authentication service using the client device 104 executing the mobile ID application 108. The user may also choose the PIE at that time. Nevertheless, the PIE is highly secure information in the sense that it is never transmitted during execution of the UPTF protocol, it is known only to the user and the STS 120, and its secrecy should be well protected. The PIE may be entered by the user on the mobile device authenticator 104 in a secure manner, or it may be generated deterministically using a biometric device such as a fingerprint sensor. For example, a calculation applied to the fingerprint data received from the fingerprint sensor can be used to generate the PIE that the user initially sends to the STS 120. Whenever the user attempts a transaction, the user places a finger on the fingerprint sensor, thereby generating the PIE. The PIE is not kept in the permanent storage of the mobile device authenticator 104; it is used as an intermediate parameter needed to generate the encryption key for the transaction, and the mobile device 104 should not retain the PIE beyond the transaction execution period determined by the application standard. If a particular embodiment of the invention uses a form of PIE that is not easy for the user to enter for each agreement transaction, so that the device needs to store the user's PIN, then the storage must be secure and tamper-resistant. According to another aspect of the embodiment, the PIE may be the user's 102 biometric authentication input data.
As shown in Fig. 3, the view 402 comprises a ciphertext (encrypted) part 406 and a visible (e.g. plaintext) part 408. The plaintext part 408 comprises: the TID, the DIDc of the mobile device authenticator 104 that generated the view 402, and the local current timestamp (TS) of the device 104. Among other functions described herein, the TS is also used to prevent transaction replay. The encrypted part 406 comprises two key items: the agreement (authentication transaction) data, and the DIDm of the provider's 106 device involved in the agreement. The DIDm provides the minimum necessary reference field for the verification property desired of the UPTF protocol. Thus the user can carry out an authentication transaction between the mobile device authenticator 104 and a transaction party using a transaction message that, according to the PIE and the mobile ID application's 108 authentication parameter RSN, contains the identifier of the mobile device authenticator 104, the transaction party identifier and transaction identifiers (for example identifiers and/or other transaction-related data such as authentication type, payment amount, etc.). The mobile device authenticator 104 is thereby provided by the combination of the mobile ID application 108 at the mobile device authenticator 104 and the STS 120, the correlation of the user's 102 PIE with the authentication parameters, and the exchange of transaction messages among the user 102, the provider 106 and the STS 120.
First, the pseudo-random number generator of the mobile device 104 generates the time-dependent RSN using the DIDc and the TS obtained from the machine clock of the mobile device 104 (and/or provided as part of the agreement data). The generator parameters are thus specific to each device 104. The encryption key K is then generated from the RSN and the PIE entered by the user (shown in orange in Fig. 3), where the PIE was provided or generated by the STS 120. First, a function F combines the RSN and the PIE, and then a hash function H applied to the result (typically a string) produces the encryption key:
K = H(F(PIE, RSN))
A message digest function is applied to the agreement data, the DIDm and the DIDc to generate the MD of the view. The MD further strengthens security by ensuring that no other content of the view 402 can be tampered with or modified in any way. An encryption algorithm using the encryption key K is then applied to the MD, the agreement data, the DIDc and the DIDm to generate the ciphertext part of the view 402, shown in peach in Fig. 3. For further protection, the SAS protocol uses random message padding to further guard against "known-text" attacks. According to an aspect of the embodiment described herein, the embodiment uses the Advanced Encryption Standard (AES) for encryption, the keyed-hashing for message authentication (HMAC) scheme for random number generation, and the SHA1 secure hash algorithm for the hash function.
The STS 120 has prior knowledge of the functions and the specific parameters that each device 104 uses in encryption, so that, combined with the plaintext part of the message 402, 404, it can decrypt the message 402, 404 by reversing the above process. For example, the STS 120 recovers the DIDc and the TS from the plaintext part 408 of view 402 and uses them to look up the consumer's 102 PIE and the other parameters of the RSN generator, which may be stored in the STS 120 database 203. These are used to compute the RSN. The encryption key K can then be computed by the same method the device 104 used to generate it, and the ciphertext part 406 of the view message 402 is then decoded.
Having obtained all the applicable fields of the user's 102 view 402, the STS 120 uses the DIDm and the TID contained in the previously decoded user's 102 view 402 to locate the provider's 106 view 404 for the same transaction. After a similar decryption process, the decoded fields of the agreement data of the provider's 106 view 404 are compared with the corresponding fields of the user's 102 view 402. If all applicable corresponding fields match (correspondence being defined by the application design), the received views 402, 404 are considered verified. Further processing then takes place, and external execution is triggered as needed.
Any response from the STS 120 to the user 102 or the provider 106 is encrypted by the STS 120 using the same encryption method, with the parameters for the destination device 104, 205 and the TS of the original transaction. Only the intended recipient can decrypt the response message, which guarantees privacy protection and authentication of the STS 120.
Another example of encryption key generation for UPTF SAS is described here. In Fig. 3, using view 402, key KEYc is a hash of RSNc and PIEc; the key generation process is as follows in detail:
When the STS creates a new mobile device authentication service account (for example, when mobile ID application 108 is created, e.g., initialized), the initialization data for creating RSNc is created by STS 120.
In particular:
1. A 128-bit random seed is generated using a software service function.
2. When the new mobile device authentication service account is created, a 160-bit random initialization marker is also created using a software service function. Thus, STS 120 generates or provides, for device 104, a particular random-number initialization parameter and an initialization marker, both of which are delivered to device 104 (e.g., mobile device authenticator 104) by mobile ID application 108.
When a new account is created at STS 120, the PIE can be created by STS 120 as follows: a 32-byte random value is created using a software service function, each byte is converted to a decimal value string, and the strings are concatenated into one long string. Four digits taken at random from this string form the PIE.
When a key needs to be created in order to encrypt a transaction message, the following steps take place:
1. A 160-bit current marker is generated as follows:
a. The current time is converted to a string, for example a 16-character string; for example, 5:04 pm, Jan 26, 2006 can be written as "0000170401262006".
b. Another value is derived from that string with a one-way function, for example by hashing the current time string with the SHA1 algorithm, producing a 160-bit output.
2. An exclusive-OR operation is applied to the initialization marker and the current marker, producing a 160-bit output. This operation is essentially a way of computing the exact difference between two time values (e.g., the exact transformation between the two values).
3. Using the 128-bit seed software authentication parameter as the data, and the XOR of the two time values as the key, an HMAC result (a 160-bit value) is computed. The HMAC result is RSNc. The use of HMAC provides unpredictability in the generation of RSNc.
4. The first 128 bits of the HMAC result are taken and combined (e.g., concatenated) with the 32-bit PIE (converted from the 4-digit string) to form a 160-bit value.
5. The hash (SHA1) value of the 160-bit stream from step 4 is computed, and its first 128 bits are taken as the final key.
In the encrypted section of the message, a hash (with padding) of the transaction part of the message, computed with SHA1 (alternatively, a CRC can be used), is included.
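The five-step key derivation above, as an added worked example in Python; this is not code from the patent or from Fujitsu. It derives the same 128-bit key on the device side and the STS side from the 128-bit seed, the 160-bit initialization marker, the 4-digit PIE and the 16-character time string, and shows that changing the PIE or the time changes the key. Two details the page leaves open are assumptions of this example: the time string layout is taken to be "0000" followed by HHMM and MMDDYYYY, which reproduces the page's example string, and the 32-bit PIE value is taken to be the four ASCII digit bytes.

```python
import hashlib
import hmac
import secrets
from datetime import datetime

# Bit lengths follow the page's example values; the page notes they are not limiting.
SEED_BYTES = 16      # 128-bit random seed
MARKER_BYTES = 20    # 160-bit initialization marker and current marker
KEY_BYTES = 16       # 128-bit final key

EXAMPLE_TIME = datetime(2006, 1, 26, 17, 4)   # 5:04 pm, Jan 26, 2006 (from the page)


def create_account_parameters() -> tuple:
    """STS-side initialization of a new mobile authenticator account.

    Returns the 128-bit seed, the 160-bit initialization marker (both handed to the
    device as its software authentication parameters) and the PIE, built as on the
    page: 32 random bytes written in decimal and concatenated, from which 4 digits
    are taken (assumption: a random 4-digit window of that string).
    """
    seed = secrets.token_bytes(SEED_BYTES)
    init_marker = secrets.token_bytes(MARKER_BYTES)
    digit_pool = "".join(str(b) for b in secrets.token_bytes(32))
    start = secrets.randbelow(len(digit_pool) - 3)
    pie = digit_pool[start:start + 4]
    return seed, init_marker, pie


def time_string(t: datetime) -> str:
    """16-character time string.  Assumed layout '0000' + HHMM + MMDDYYYY,
    which reproduces the page's example '0000170401262006'."""
    return "0000" + t.strftime("%H%M%m%d%Y")


def derive_key(seed: bytes, init_marker: bytes, pie: str, time_str: str) -> bytes:
    """Steps 1 to 5 of the page's key generation; identical on device and STS."""
    if len(seed) != SEED_BYTES or len(init_marker) != MARKER_BYTES:
        raise ValueError("seed must be 128 bits and initialization marker 160 bits")
    if len(pie) != 4 or not pie.isdigit():
        raise ValueError("PIE must be 4 decimal digits")
    # Step 1: the current marker is SHA1 of the time string (160 bits).
    current_marker = hashlib.sha1(time_str.encode("ascii")).digest()
    # Step 2: XOR the initialization marker with the current marker.
    xored = bytes(a ^ b for a, b in zip(init_marker, current_marker))
    # Step 3: RSN = HMAC with the XOR result as key and the seed as data (HMAC-SHA1, 160 bits).
    rsn = hmac.new(xored, seed, hashlib.sha1).digest()
    # Step 4: first 128 bits of the RSN, concatenated with the 32-bit PIE
    # (assumption: the four ASCII digit bytes), giving a 160-bit block.
    block = rsn[:16] + pie.encode("ascii")
    # Step 5: SHA1 of the 160-bit block; the first 128 bits are the key.
    return hashlib.sha1(block).digest()[:KEY_BYTES]


def demo() -> dict:
    """Enrol a device, then derive the transaction key independently on both sides
    and report which inputs change it."""
    seed, init_marker, pie = create_account_parameters()
    ts = time_string(EXAMPLE_TIME)
    device_key = derive_key(seed, init_marker, pie, ts)    # mobile ID application 108
    sts_key = derive_key(seed, init_marker, pie, ts)       # STS 120, from database 203
    wrong_pie = "0000" if pie != "0000" else "0001"
    later = time_string(datetime(2006, 1, 26, 17, 5))
    return {
        "pie": pie,
        "key_len": len(device_key),
        "keys_match": device_key == sts_key,
        "wrong_pie_differs": derive_key(seed, init_marker, wrong_pie, ts) != device_key,
        "later_minute_differs": derive_key(seed, init_marker, pie, later) != device_key,
    }
```

Because the time string enters through the current marker, the key is tied to the minute of the transaction; the page's point that an intercepted message does not reveal the seed, the initialization marker or the PIE rests on the HMAC and SHA1 steps being one-way.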
In the embodiments described above, the bit lengths given are non-limiting examples, and the invention is not limited to particular bit lengths. Thus, as shown with reference to Figs. 2 and 3, a UPTF SAS based transaction requires both device 104 and the device operator: device 104 provides the device-specific parameters used to determine the device-specific and time-specific key, and the device operator provides the fixed PIE known only to STS 120 and the operator. The combination of the two is needed to produce an encrypted transaction request that can be verified by STS 120. Intercepting one (or more) transaction messages and successfully decrypting them is not sufficient to infer the PIE or the device-specific parameters used in the key generation process. Moreover, because of the paired-negotiation concept of the transactions handled by STS 120, the time-dependent key is not reused.
Fig. 4 is a system flow for provisioning mobile device authenticator 104 (that is, "provisioning" includes assigning actions to the user and the interconnected systems) according to an embodiment of the invention. In Fig. 4, a mobile phone is used as the example mobile device authenticator 104. At operation 450, the method comprises user 102 logging in to an existing account at provider 106. At operation 452, the user selects the mobile device authenticator 104 service, which according to the embodiment is requested from mobile ID application 108 downloaded from provider 106. However, the embodiment is not limited to a configuration in which mobile ID application 108 is downloaded to mobile phone 104; mobile device authenticator 104 can be activated by other techniques such as (but not limited to) pre-installed software packages and/or computing hardware (e.g., an integrated circuit), as long as a mobile device authenticator 104 that can be authenticated by STS 120 is provided. At operation 454, provider's 106 device 205 can be communicatively connected with STS 120 in order to provision mobile device authenticator 104.
In Fig. 4, the method further comprises, at operation 454: at the STS, initializing mobile ID application 108 with software authentication parameters into a trusted mobile ID application 108. Also at operation 454, at STS 120, a personal identification entry (PIE) (e.g., a PIN) and the identifier of mobile phone 104 are associated with the trusted mobile ID application 108. At operation 456, the PIN can be sent to user 102. Alternatively, at operation 450, user 102 can provide the PIN. At operation 458, the trusted mobile ID application 108 is installed on mobile phone 104. According to an aspect of this implementation, at operation 458 mobile phone 104 receives a Short Message Service (SMS) message with a download link for the trusted mobile ID application 108. At operation 462, user 102 can download the trusted mobile ID application 108. Once the trusted mobile ID application 108 is installed on mobile phone 104, the user can use the PIE (e.g., PIN) to run the trusted mobile ID application 108 installed on mobile phone 104 and perform mobile phone authentication transactions, with the phone acting as mobile device authenticator 104.
According to an aspect of the embodiments described herein, at operation 454 one or more software authentication parameters are selected, which can be (but are not limited to) a new seed, such as a new random seed number, and an initial time of creation. At operation 454, STS 120 stores in database 203 a unique identifier of mobile phone 104 (referred to as a device ID or DID), which can be, for example, the mobile phone number of mobile phone 104, a more randomly generated globally unique identifier (GUID), the mobile phone carrier (as the case may be), or the software authentication parameters, together with the generated PIE, or any combination of the above. According to an aspect of the described embodiment, the mobile phone number can also serve as the device identifier of mobile phone 104. STS 120 uses the unique identifier (device ID (DID)) of mobile phone 104 to associate transaction messages with the trusted mobile ID application 108 (i.e., the DID is associated with the software authentication parameters and the PIE stored at STS 120), so that STS 120 can use the DID to generate the key corresponding to device 104. The mobile phone number can be used to send short messages (e.g., notifications) to mobile phone 104 (e.g., Short Message Service (SMS), including (and/or) Multimedia Message Service (MMS)). Mobile phone 104 can be an Internet-capable mobile phone according to known techniques. According to an aspect of the embodiments described herein, an authentication transaction message is bound to the unique combination of user 102 and mobile device authenticator 104: it is bound to the user through the PIE, and to device 104 through the software authentication parameters of the trusted mobile ID application 108. In particular, the transaction is an SAS-based encrypted message, and the combination of user 102 and device 104 can be traced back from this encrypted message by means of the PIE and the software authentication parameters of the trusted mobile ID application 108.
Next, an authentication transaction using mobile device 104 is described. Fig. 5 is a system flow of user authentication for access to a computer system according to an embodiment of the invention. Fig. 5 shows transaction authorization (e.g., login) at a website. Two cases are described: one uses mobile phone 104 as a second-factor authentication instrument, and the other uses mobile phone 104 as the single factor (also referred to as single sign-on).
In Fig. 5, the method comprises: authenticating a mobile device communicably connectable to a wireless network, by an authentication parameter from secure transaction server (STS) 120, as mobile device authenticator 104 (see Fig. 4); providing at STS 120 an association between a personal identification entry (PIE), such as a PIN, and mobile device authenticator 104 (see Fig. 4); and the user inputting the PIE and a provider action into mobile device authenticator 104 so as to send a transformed, secure, user-authenticable authorization request to STS 120 over the wireless network, to authorize an action with (or at) the provider (that is, user authorization for performing an action with the provider).
More specifically, in Fig. 5, at operation 503 user 102 visits website 106 to which the user wishes to authenticate. For example, in order to log in, user 102 enters the user's username and password to log in to the website. The website displays a page with a "please wait" message while, at operation 504, the provider's website sends a UPTF message to STS 120 as the provider's authentication view, at which point STS 120 waits for the user's authentication view. As described above, each side of a UPTF-based authentication transaction operates on trusted device/software with authentication parameters known to STS 120, so in this case, as described above, both mobile device authenticator 104 and provider's 106 device 205 generate UPTF messages that can be authenticated by STS 120 and mutually verified by STS 120. At operation 506, the user starts mobile ID application 108 on mobile phone 104, selects the provider (e.g., a bank) and the action to be authorized (e.g., login), and then enters the user's PIN. At operation 506, mobile ID application 108 generates a UPTF message and sends it to STS 120. At operation 508, STS 120 compares the mobile phone's message with the message previously received from provider 106, and if the two messages are consistent, STS 120 responds positively to provider 106. At operation 510, on receiving the positive response, provider 106 approves the user's login request, authorizes the user's access to the user's account, and then displays the web page with the user's account information to the user. Thus, mobile device authenticator 104 is a second authentication factor in addition to the first factor, the username and password the user entered at the website.
Alternatively, in Fig. 5, if authentication application 108 is used as single sign-on instead of two-factor authentication, then at operation 502 the user can first enter the user's mobile phone number at the website rather than a provider-specific username and password. Provider 106 can use known techniques to verify whether the user actually has the use of the phone the user claims to use. For example, in this case, at an earlier time the user registered the mobile number with provider 106, and at that earlier time some form of authentication was performed to ensure that this mobile number is associated with the owner of the specific account. Then, after the user has logged in to the user's account with the provider-specific username and password, the user can provide the user's mobile phone number, and the provider sends an SMS with a unique number to that specific mobile number. This SMS contains a unique number long enough to be hard to guess, which the user is expected to receive so as to submit it to the provider's website later, once logged in to the account. Here, the SMS provided by the provider is used only to verify whether the user actually has the use of the mobile phone the user claims to use.
According to the described embodiment, mobile device authenticator 104 runs trusted mobile ID application 108, which provides a time-driven, device-dependent, input-dependent, out-of-band authentication token usable for single-factor and/or second-factor user authentication. According to an aspect of the described embodiment, mobile device authenticator 104 requires the user to enter a PIN (known only to the user and not stored on the mobile phone), thereby preventing an unauthorized user from using the mobile phone for single-factor and/or two-factor authentication. According to another aspect of the described embodiment, authentication uses an out-of-band transport over a wireless network such as wireless network 105 (different from the network or channel used to submit the first factor), thereby preventing or substantially reducing theft. Thus, for example, the method described herein further authenticates potentially fraudulent transactions according to the embodiments described herein, and so prevents web page counterfeiting and its consequences. According to an aspect of the described embodiment, mobile ID application 108 can be the wireless wallet software discussed in related pending U.S. Patent Application No. 11/045,484, entitled "WIRELESS WALLET", filed January 31, 2005 (the content of which is incorporated herein by reference).
Four exemplary methods of two-factor authentication are described in more detail here. If used in combination with another authentication method, these methods should be regarded as second-factor authentication methods. Alternatively, if not used in combination with another authentication method, these methods should be regarded simply as authentication methods (alternatively called single-factor). As authentication methods, they can be applied in various settings, such as authorizing access to a computer system, performing an action that requires authorization, performing a financial transaction, a transaction at an ATM, and so on.
Fig. 6A is a system flow of two-factor user transaction authentication by a mobile device connected to a wireless network according to an embodiment of the invention. Fig. 6A corresponds to Fig. 5. Fig. 6B is a system flow of two-factor pre-authorized user transaction authentication by a mobile device connected to a wireless network according to an embodiment of the invention. Fig. 6B corresponds to Fig. 9 (described in detail below). In Figs. 6A and 6B, the first two methods require the user to have a mobile wireless device (such as a mobile phone) that includes, for example, J2ME and Web capability. The software of the invention and/or the programmable computing hardware implemented in the mobile device can be programmed in any language that can be installed and executed on a mobile phone (such as Java 2 Platform, Micro Edition (J2ME), or Binary Runtime Environment for Wireless (BREW)), any other language (which can be installed on a mobile phone so that applications written in it can be executed on the mobile phone), or any combination of the above. Both methods require web access for authentication (online authentication).
In Fig. 6A, i.e., the first method, at operation 602 the user first attempts a transaction (e.g., login) at website terminal (T) 106, and at operation 604 the website generates UPTF1 message and sends it to STS 120. At the same time, at operation 605, the user is asked to confirm the pending transaction from the user's wireless wallet within a fixed period of time. At operation 606, STS 120 sends a list of transactions requesting confirmation to mobile device authenticator 104 (M) over the wireless network. At operation 608, the user starts the wireless wallet and checks the transactions to be confirmed against the received transaction list. At operation 610, the user selects the transaction to be confirmed, and at operation 612 the user enters the user's PIN to generate UPTF2 message and sends it to STS 120 over the wireless network. At operation 614, STS 120 authenticates and verifies UPTF1 and UPTF2 by decrypting UPTF1 and UPTF2 and comparing the corresponding authentication transaction views 402, 404. At operation 614, if authentication transaction views 402, 404 are authenticable and mutually verifiable, STS notifies website (T) accordingly. At operation 616, if the website receives a positive or true authorization result, the website approves the transaction.
In Fig. 6B, i.e., the second method, at operation 620 the user pre-authorizes a certain type of transaction, and the user has a fixed period of time (e.g., 3 minutes) during which the user can attempt the transaction at website (T) 106. At operation 620, the user starts the wireless wallet and selects the transaction to pre-authorize, and at operation 622 the user enters the PIN; the wireless wallet generates UPTF1 message 402 and sends it to STS 120 over the wireless network. At operation 624, the user attempts the transaction at website (T) 106, and at operation 626 the website generates UPTF2 message 404 for the transaction involving the user and sends it to STS 120 over the wireless network. Operations 628 and 630 are similar to operations 614 and 616, which approve the transaction the user attempts.
Figs. 6C and 6D, i.e., the third and fourth methods, only require a device or mobile device that can execute software, such as a J2ME-capable phone, so that the user need not be connected to a network to complete authentication (offline). The advantage of the fourth method over the third is that no clock synchronization is required.
In Fig. 6C, at operation 640 the user attempts a transaction at provider 106 (e.g., website (T) 106). At operation 642, the website asks the user to provide further authentication or a second factor. In this case, at operation 644 the user with mobile phone 104 running mobile ID application 108, or a wireless wallet with mobile ID application features (as the case may be), first selects from a party menu the party to which the user wishes to authenticate (e.g., "ABC" bank, "ABC" auction, "XYZ" credit card, etc.) and then selects the action type. Then, at operation 644, the user selects the "authentication token" option and enters the PIN at mobile device authenticator 104. At operation 646, mobile phone 104 generates and displays UPTF key 352 (as described above), which can serve as authentication token K. At operation 648, the user enters K. At operation 650, website 106 asks STS 120 to confirm the user's K for the current time, because, as described above, UPTF key 352 is time-dependent, and this embodiment also relies on device time synchronization. At operation 652, STS 120 generates K' for the user and the current time and compares K' with K. At operation 652, if K' and K are mutually verifiable, because they are identical or within a range (according to the application's criteria), STS 120 has authenticated the user and notifies website 106 of the true authentication result. At operation 654, website 106 approves the transaction in response to the true user authentication result received from STS 120.
In Fig. 6C, according to an aspect of this embodiment, at operation 646 UPTF key 352 is not used as the "authentication token" itself; instead, UPTF key 352 is used to encrypt the transaction. The transaction has the content required by UPTF, such as "action type", and the UPTF message includes the identifier of the other party and the user identifier according to the protocol specification. The "action type" can be, for example, whether the user wants to "log in" or "transfer funds", or any other action defined and permitted by the other party. Thus, at operation 646, mobile ID application 108 produces encrypted authentication view message 402 (as described above) and, optionally, presents to the user a transformation that yields a string shorter than the encrypted section of UPTF message 402, which at operation 648 can be used as the authentication token K entered by the user. For example, a message digest function applied to the encrypted section of UPTF message 402 can produce the authentication token. STS 120 applies the same transformation to produce the authentication token for this user, at this time, for the action with the particular transaction party.
Fig. 6D is a system flow of two-factor user transaction authentication by a mobile device that is offline (from the wireless network) and requires no clock synchronization, according to an embodiment of the invention. At operation 660, the user attempts a transaction at provider 106 (such as website (T)). At operation 662, the transaction content includes a random number "R" provided by T 106 and an "action type" (the "action type" required by UPTF); UPTF messages 402, 404 include the identifier of the other party and the user's identifier according to the protocol specification. The "action type" can be, for example, whether the user wants to "log in" or "transfer funds", or any other action defined and permitted by the other party. At operation 664, website 106 displays R to the user, and at operation 666 website 106 asks the user to enter R into the wireless wallet or mobile ID application 108 (as the case may be) running on mobile phone 104. At operation 667, website 106 provides R to STS 120. At operation 668, the user of mobile phone 104 first selects from the party menu the party to which the user wishes to authenticate (e.g., "ABC" bank, "ABC" auction, "XYZ" credit card, etc.) and then selects the action type. More specifically, at operation 668 the user selects the "authentication token" option and enters the PIN and "R" at mobile device authenticator 104. At operation 670, mobile ID application 108 creates UPTF message 402 U_R, where R is the content of the UPTF transaction, generates authentication token K_R based on U_R, and displays K_R. More specifically, at operation 670, U_R is computed with T_init = T_current, and K_R is the "authentication token" generated from U_R. In other words, at operation 670 the "authentication token" is derived from UPTF message U_R 402. For example, the "authentication token K_R" derived from U_R can be a hash or digest, truncated to a predetermined length (e.g., 7 characters) and/or converted to a given form (e.g., digits). In other words, after encrypted message 402 is generated, optionally a transformation that yields a string shorter than the encrypted section of the UPTF message is presented to the user and used as the "authentication token" K_R. At operation 672, STS 120 uses the same transformation with random number R to produce the authentication token for this user, for this action and for the particular transaction party. At operation 672 (which can occur at any time after STS 120 receives R from website 106), STS 120 generates the authentication token K'_R for the user, K'_R being based on UPTF message U'_R 404 computed with T_init = T_current. At operation 672, K'_R is provided to website 106, and at operation 674 the user enters K_R into website 106. At operation 676, if K_R = K'_R, website 106 approves the transaction. According to another aspect of this embodiment, STS 120 can perform the K_R = K'_R authentication token verification. According to an aspect of the Fig. 6D embodiment, because the "authentication token" depends on R, obtained by substituting R for the time (R can be the R used for any token), rather than using the time-dependent UPTF key 352 as the "authentication token" as in the Fig. 6C embodiment, no clock synchronization of UPTF messages is needed.
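The "authentication token" transformation of Figs. 6C and 6D (a message digest of the encrypted section of UPTF message 402, truncated and converted to a fixed number of digits), as an added example in Python; this is not code from the patent. The bytes standing in for the encrypted section are constructed for the example, since producing the real UPTF ciphertext needs the key derivation and cipher of the device; in the real flow U_R on the phone and U'_R at the STS are the ciphertext of the same transaction content (R, action type and party identifiers). The website-side comparison uses a constant-time compare, which is a choice of this example rather than something the page prescribes.

```python
import hashlib
import hmac

TOKEN_DIGITS = 7   # the page's example length

# Constructed stand-ins for the encrypted section of message 402 as produced by the
# mobile ID application (U_R) and as recomputed by the STS (U'_R) for the same R.
DEVICE_ENCRYPTED_SECTION = bytes.fromhex("9f1c3ab47e0d2c55a1b28e9034cd7711f0e3ab9c")
STS_ENCRYPTED_SECTION = bytes(DEVICE_ENCRYPTED_SECTION)
# A constructed ciphertext for a different R, i.e. a token from another session.
OTHER_R_ENCRYPTED_SECTION = bytes.fromhex("0a0b0c0d0e0f10111213141516171819abcdef00")


def derive_auth_token(encrypted_section: bytes, ndigits: int = TOKEN_DIGITS) -> str:
    """Digest of the encrypted section, reduced to ndigits decimal digits.

    SHA1 is the digest the page names.  The 160-bit result is reduced modulo
    10**ndigits (the bias of that reduction is negligible at 160 bits) and
    zero-padded so the token the user types always has the same length.
    """
    digest = hashlib.sha1(encrypted_section).digest()
    value = int.from_bytes(digest, "big") % (10 ** ndigits)
    return f"{value:0{ndigits}d}"


def website_accepts(user_entered: str, expected_from_sts: str) -> bool:
    """Operation 676: approve only if K_R equals K'_R.  compare_digest keeps the
    comparison time independent of how many leading digits happen to match."""
    if len(user_entered) != TOKEN_DIGITS or not user_entered.isdigit():
        return False
    return hmac.compare_digest(user_entered.encode("ascii"),
                               expected_from_sts.encode("ascii"))


def demo() -> dict:
    k_r = derive_auth_token(DEVICE_ENCRYPTED_SECTION)        # displayed on the phone
    k_r_prime = derive_auth_token(STS_ENCRYPTED_SECTION)     # delivered to the website
    other = derive_auth_token(OTHER_R_ENCRYPTED_SECTION)     # token for some other R
    return {
        "token": k_r,
        "accepted": website_accepts(k_r, k_r_prime),
        "other_r_rejected": not website_accepts(other, k_r_prime),
        "malformed_rejected": not website_accepts("12345", k_r_prime),
    }
```

Since the token is a function of the ciphertext, both sides must encrypt byte-identical content; that is why Fig. 6D fixes T_init = T_current and puts R into the transaction content, so that nothing in the two encryptions depends on a synchronized clock.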
Fig. 7 is a system flow of user authentication for access to a computer system using a mobile device and UPTF over a mobile device connected to a wireless network, according to an embodiment of the invention. One objective is to ensure that users log in to their accounts at website provider 106 without having to enter a user-specific username/password combination at the specific website 106. According to an aspect of this embodiment, website provider 106 has signed up or registered with the operator of STS 120 to receive the authentication service the STS operator provides. This is a single sign-on (SSO) situation, meaning that mobile ID application 108 is the only resource used to authenticate the identity of the user accessing website 106 or to verify the action the user requests.
The user's experience is described. Suppose user 102 attempts to log in to the user's bank account at website 106. At operation 702, user 102 uses the browser on the user's desktop computer, laptop, or another device different from the user's mobile phone 104 to go to bank website 106 and selects login. Typically, at operation 702 website 106 offers a mobile ID login option, such as a selectable display icon, for the user to authorize an action through mobile device authenticator 104. At operation 704, bank server 106 (205) sends UPTF message 404 (a transaction token request) to STS 120 and, at operation 706, receives a unique code, preferably a 5- or 6-digit number (transaction token 1), which at operation 708 is provided to the user, for example by displaying it on the login page of website 106. The transaction token can be displayed as a CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart", a term known in the art) so that only a human can read the number.
Then, at operation 710, user 102 starts mobile ID authentication application 108 on mobile device 104 and enters into application 108 the transaction token provided to user 102 by web page 106. Then, at operation 710, the user enters the user's PIE (e.g., PIN) on mobile device 104. At operation 710, software 108 creates UPTF message 402 with transaction token 1 in its transaction content and wirelessly transmits UPTF message 402 to STS 120. The UPTF message can also include transaction token 1 in its plaintext part, to speed up processing by STS 120.
At operation 712, as described above, STS 120 compares message 404 (the transaction token request message) sent by the bank with message 402 sent by the user, and if the two transaction messages are consistent or mutually verifiable, STS 120 sends responses to the user and to bank server 205. At operation 712, the response to bank server 205, e.g., a response approving the transaction, can include the user identifier (e.g., phone number) of user 102 who sent UPTF message 402 with transaction token 1.
If at operation 712 the response of STS 120 is positive, then at operation 714 bank website 106 updates the page previously displayed to the user with the user information for the account the bank associates with the user identifier received from STS 120 at operation 712. At this point user 102 is considered authenticated, and the user can access the user's account through the browser.
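The STS-side pairing of the bank's transaction token request 404 with the user's message 402 at operation 712, and the same pairing by decoded fields described earlier for views 402, 404, as an added example in Python; this is not code from the patent. It assumes both messages have already been decrypted and authenticated as described on the page, so only the fields needed for pairing are modelled, and it adds two choices of the example that the page does not spell out: a token is consumed on first successful use, and an unused token expires after a fixed window (the 3-minute figure is borrowed from Fig. 6B as an assumption). The clock is passed in explicitly so the behaviour is reproducible.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_DIGITS = 6            # the page prefers a 5- or 6-digit unique code
TOKEN_TTL_SECONDS = 180.0   # assumption: 3-minute window, borrowed from Fig. 6B


@dataclass
class ProviderView:
    """Fields of message 404 the STS needs for pairing, after decryption."""
    provider_id: str
    action: str
    issued_at: float


class TransactionTokenSTS:
    """Minimal STS state for Fig. 7: enrolled devices and pending provider views."""

    def __init__(self) -> None:
        self._pending: Dict[str, ProviderView] = {}
        self._devices: Dict[str, str] = {}      # DID -> user identifier (phone number)

    def enroll_device(self, did: str, phone_number: str) -> None:
        """Operation 454 of Fig. 4: the DID is bound to the user's identifier."""
        self._devices[did] = phone_number

    def request_transaction_token(self, provider_id: str, action: str, now: float) -> str:
        """Operations 704/706: the provider's view arrives and the STS returns a code
        that is unique among all tokens still pending."""
        self._expire(now)
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(TOKEN_DIGITS))
            if token not in self._pending:
                break
        self._pending[token] = ProviderView(provider_id, action, now)
        return token

    def receive_user_view(self, did: str, token: str, provider_id: str,
                          action: str, now: float) -> Optional[str]:
        """Operation 712: pair message 402 with the pending 404 carrying the same token.
        Returns the user identifier to hand to the provider, or None to reject."""
        self._expire(now)
        view = self._pending.get(token)
        if view is None:
            return None                       # unknown, expired or already used token
        if view.provider_id != provider_id or view.action != action:
            return None                       # the negotiation fields do not match
        phone_number = self._devices.get(did)
        if phone_number is None:
            return None                       # device was never provisioned
        del self._pending[token]              # single use: a replay cannot pair again
        return phone_number

    def _expire(self, now: float) -> None:
        stale = [t for t, v in self._pending.items() if now - v.issued_at > TOKEN_TTL_SECONDS]
        for t in stale:
            del self._pending[t]
```

Returning only the user identifier to the provider mirrors the page: the bank learns which account to show, but never sees the PIE or the device parameters that the STS used to authenticate message 402.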
Although in Fig. 7 STS 120 created transaction token 1, transaction token 1 can also be created by provider 106. In general, that is, when mobile ID application 108 is used to authenticate at multiple websites 106, it is preferable that STS 120 generate the transaction tokens 1 and guarantee the uniqueness of each transaction token 1, in order to further resist the fraud described below.
Resisting fraud: a serious risk arises if user A enters into phone 104 not the unique-code transaction token 1 but a transaction token 2 (similar to, but different from, transaction token 1). In this case, if attacker B repeatedly reloads the bank web page to generate new unique codes and happens to load the page associated with transaction token 2, attacker B's page will be updated to the page of user A's account.
The following methods can prevent this attack without involving user A:
First, STS 120 can generate unique codes that are resilient to mistyping caused by transposed or substituted digits or by pressing a wrong button (e.g., an adjacent button, given the mobile phone keypad layout). The goal of the STS is to generate unique codes that are sufficiently "far apart" from each other that a mistyped code does not match another valid code.
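The "far apart" unique-code generation of this first method, as an added example in Python; this is not code from the patent. The STS only issues a code that no currently active code could turn into through a single slip: one wrong digit, two adjacent digits swapped, or two presses that each landed on a neighbouring key. The keypad layout is an assumption of the example (a standard 3-column phone keypad); the page does not specify one.

```python
import secrets

# Assumed standard 3-column phone keypad; the page does not specify a layout.
KEYPAD_ROWS = ("123", "456", "789", "*0#")


def _adjacent_keys() -> dict:
    """Map each key to the keys touching it, diagonals included."""
    pos = {k: (r, c) for r, row in enumerate(KEYPAD_ROWS) for c, k in enumerate(row)}
    return {k: {k2 for k2, (r2, c2) in pos.items()
                if k2 != k and abs(r - r2) <= 1 and abs(c - c2) <= 1}
            for k, (r, c) in pos.items()}


ADJACENT = _adjacent_keys()


def confusable(issued: str, typed: str) -> bool:
    """True if a single typing slip could turn `issued` into `typed`:
    one wrong digit, two adjacent digits swapped, or two neighbouring-key presses."""
    if len(issued) != len(typed):
        return False
    diffs = [i for i in range(len(issued)) if issued[i] != typed[i]]
    if len(diffs) <= 1:
        return True
    if len(diffs) == 2:
        i, j = diffs
        if j == i + 1 and issued[i] == typed[j] and issued[j] == typed[i]:
            return True                                  # adjacent transposition
        if all(typed[k] in ADJACENT[issued[k]] for k in diffs):
            return True                                  # two neighbouring-key slips
    return False


def generate_far_code(active_codes, ndigits: int = 6, max_tries: int = 10000) -> str:
    """Draw random codes until one is not confusable with any active code.

    Raises when the active set is so dense that no code can be placed; that is
    the signal to expire old codes or to lengthen the code, not to relax the check.
    """
    for _ in range(max_tries):
        candidate = "".join(str(secrets.randbelow(10)) for _ in range(ndigits))
        if not any(confusable(candidate, other) for other in active_codes):
            return candidate
    raise RuntimeError("no code far enough from the active set of codes")
```

The check is symmetric in practice (a slip from A's code reaching B's code is what matters), so keeping every active code pairwise non-confusable is enough; with 6 digits each code excludes only a few dozen neighbours, so the rejection loop rarely retries.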
The STS can also record the IP address or IP range used to access a particular account and pair it with the STS identifier of the particular mobile phone number (the DID identifying the user's mobile phone application) and/or the IP range of the cellular network provider.
A method of preventing this attack that requires user A's help is as follows: when responding to the user's mobile phone, the STS also sends a validation code. The same validation code can also be sent to the bank. Before the account is displayed, the user is asked to enter this validation code into the web page the user is viewing. If A mistakenly entered transaction token 2 instead of transaction token 1, then when attacker B's page is updated and asks for the validation code, attacker B cannot enter it, because the validation code was delivered to the application on A's mobile phone.
A less bothersome method that still requires the user's help is to ask the account holder, before displaying the account on the web page, a question that only the correct account holder can answer, for example: the numeric part of the user's address, the apartment number, the birth month, the last 4 digits of the SSN, or the last 4 digits of the mobile phone number used to access the website. An attacker who does not know whose account will be displayed has only a very remote chance of guessing correctly. The attacker needs not only the luck that the user mistyped the unique code and the luck that the mistyped code is displayed on the attacker's own page, but must then also correctly guess additional information that the attacker can only choose at random.
Another method is to ask the mobile user, after the STS response is received, to confirm that the page on the user's laptop/desktop computer has been updated. If the user responds negatively (using the mobile application), the STS can notify the web page provider (e.g., the bank) to terminate the session associated with the unique code the mobile user entered. In this case, attacker B may briefly see the account page, but bank server 205 will terminate the session on the user's negative acknowledgement.
Of course, any combination of these methods is also possible.
Fig. 8 is a system flow for authorizing payment for a web purchase using a mobile device connected to a wireless network, according to an embodiment of the invention. According to an aspect of the described embodiment, a method is provided for purchasing from a website 106.
User 102 selects purchases from website 106 as usual until deciding to pay, at which point user 102 would typically need to enter payment information and approve the transaction. At operation 802, website 106 presents the user with the option to pay using the user's mobile phone 104. At operation 802, user 102 selects to pay with mobile phone 104, at which point, at operation 804a, website 106 (technically server 205, which operates website 106 and is associated with website provider 106) sends to STS 120 a UPTF message 404 (request transaction mark) containing a description of the transaction and the amount to be paid, and obtains a unique code (preferably 5 or 6 digits) (transaction mark 1). Then, at operation 806, this unique code is displayed to the user on the payment page as a parameter of this transaction, and the user is asked to approve the payment from mobile phone 104.
Then, at operation 808, the user starts mobile ID authentication application 108 on mobile phone 104 and enters into application 108 the transaction mark that website 106 provided at operation 806. At operation 808, user 102 then enters their PIN. At operation 808, software 108 creates a UPTF message 402 that includes transaction mark 1 in its transaction content and wirelessly sends UPTF message 402 to STS 120. UPTF message 402 may also include transaction mark 1 in its plaintext part, to improve the processing speed of STS 120.
At operation 804b, the STS compares (as described above) message 404 sent by website 106 with message 402 sent by the user. If the two transaction descriptions agree or can be mutually verified, STS 120 determines that the user has authorized payment to the associated provider (merchant) 106 for the transaction indicated by transaction mark 1, and STS 120 forwards the transaction to the relevant financial institution for execution. Additionally, STS 120 may optionally respond to mobile device 104 with a list of the accounts that can be used for the purchase, so that the mobile user can select the account to use. STS 120 also sends a positive response to the user and to the website server. At operation 810, provider 106 can send a payment-approved notice to the user via the website. The response to the merchant may include the mobile user's name and shipping address (if the transaction requires shipping of physical goods). The benefit of this method is that the consumer need not share financial information with the merchant and need not enter any sensitive information on the website, which provides protection in case the website is a rogue website.
Figs. 9A and 9B are system flows for transacting with an automatic teller machine (ATM) using a mobile device connected to a wireless network and UPTF, according to an embodiment of the invention. A method is provided for carrying out a transaction with an ATM using mobile device 104, without requiring the user to present a bank card to the ATM. Of course, mobile device 104 can also be used in addition to the card, in which case the transaction approval from mobile phone 104 serves as a second authentication factor, or as a pre-authorization that shortens the time spent at the ATM itself.
Using mobile phone 104, the method of withdrawing money from, or carrying out other transactions with, an ATM is as follows:
In Fig. 9A, at operation 902, user 102 approaches the automatic teller machine (ATM) 106 as usual and attempts to carry out a transaction, for example withdrawing cash. The only difference is that user 102 selects "use mobile phone" in the user interface of the ATM application and begins the transaction without swiping a bank card. After the user has specified the details of the intended transaction (for example withdraw $100 from the checking account, deposit $123.45, or inquire the account balance), the ATM asks the user to verify the transaction from mobile device 104. At this point, at operation 904, ATM 106 requests from STS 120, via a UPTF message 404 (request transaction mark), a transaction mark for the transaction the user specified at the ATM. At operation 906, the ATM receives from STS 120 a response UPTF message 404 carrying a particular transaction mark, preferably a 5-6 digit number, and provides (for example displays) the transaction mark to the user. Then, at operation 908, ATM 106 sends to STS 120 a UPTF message 404 authorizing the transaction identified by the transaction mark. Alternatively, the ATM's request for a transaction mark can itself be treated by the STS as the ATM's authorization of the transaction identified by that particular mark, so that operation 908 is avoided. Possibly at the same time, at operation 910, user (consumer) 102 starts mobile ID application 108 on mobile device 104, enters the transaction mark and their PIE, and wirelessly sends to STS 120 a UPTF user authorization transaction message 402 containing the transaction mark. STS 120 mutually verifies the UPTF user authorization transaction message 402 of operation 910 against the ATM authorization transaction message 404 of operation 908, or against the request transaction mark message of operation 906 if operation 908 was omitted (depending on the case). Based on successful transaction verification, STS 120 sends a confirmation code to mobile device 104 and to ATM 106 at operations 912 and 914. At operation 914, after receiving the confirmation from STS 120, the ATM completes the transaction at the ATM, for example dispensing the specified cash to the user. In effect, mobile ID authentication 102 has replaced the bank card as the authentication token.
Alternatively, the ATM can display the transaction mark at the start of the user's interaction with the ATM, i.e. right after the user selects "use mobile phone" on the ATM user interface. In that case, the user performs the above steps right after the ATM displays the transaction mark and before any particular transaction is carried out. In that case, the transaction mark is valid not only for a specific action but for the whole session, beginning when the ATM receives the confirmation code and lasting until the user selects "finish" on the ATM.
In Fig. 9B, according to another aspect of this embodiment, the user can transact with ATM 106 and access account functions, in particular cash withdrawal, without using a bank card and before interacting with the user interface of ATM 106, for example while waiting in line, or before arriving in front of the ATM, at home or in a car. The user can then interact with the ATM in any case to carry out or complete the ATM transaction authorized via mobile phone 104. The time between the user authorizing the transaction from mobile device 104 and the user arriving at the ATM may vary according to application criteria, but it is generally understood that the user carries out the ATM transaction at the ATM within a specified period. When the user is ready to interact with the ATM, the user approaches the ATM, selects the withdraw-by-mobile option on the ATM, and only enters the verification or confirmation code (described in detail below) received from STS 120. The ATM responds by completing the transaction previously begun or requested, for example dispensing the previously requested cash amount to the user.
More specifically, at operation 920, user 102 is in the vicinity of ATM 106 before interacting with the ATM user interface, possibly waiting in line. The ATM (physically) displays, in a visible area, i.e. adjacent to its logo, a numeric ATM_ID 922 that uniquely identifies this specific ATM. STS 120 knows this ATM by its ATM identifier. The ATM can also be determined automatically from the user's position (for example if mobile phone 104 is equipped with GPS or positioning capability), or selected by the user from a list of items pre-stored in mobile ID application 108, or from a list of items the user added to mobile ID application 108, or from a list provided for the postal code of the user's position (the user enters the postal code), or from a list compiled from information about the specific cell to which the user's mobile phone 104 is connected, or by any combination of the above. Then, at operation 924, user 102 starts mobile ID authentication application 108 on mobile device 104 and optionally enters into application 108 the ATM identifier (the number the user sees on the ATM (ATM_ID 922)). Then, at operation 924, the user enters their PIE on mobile device 104. At operation 924, mobile application 108 creates a UPTF message 402 that includes the ATM_ID in its transaction content and sends it to STS 120 as a user authorization transaction. The UPTF message may also include the ATM_ID in its plaintext part, to improve the processing speed of the STS. At operation 926, STS 120 sends to the ATM identified by the ATM_ID information identifying the user who is attempting to interact with the ATM, the details of the requested transaction, and a transaction mark used to indicate this particular transaction. The ATM determines whether it can actually carry out the requested transaction for the specified user and, if so, at operation 928 the ATM sends to STS 120 an ATM authorization transaction UPTF message 404 to carry out the transaction identified by the transaction mark. STS 120 mutually verifies the UPTF user authorization transaction message 402 against the ATM authorization transaction message 404, and based on successful verification STS 120 sends a confirmation code to mobile device 104 and ATM 106 at operations 930 and 932. Once the user is physically present at the ATM and interacting with the user interface of ATM 106, the user must enter the confirmation code at the ATM to complete the transaction. According to an aspect of this embodiment, the confirmation code can be the transaction mark generated earlier by the ATM.
In all the above variations, mobile ID application 108 can be used for transactions with a plurality of different banks and credit card numbers. After the user has authorized the transaction on mobile phone 104, the user can simply insert their card into the ATM (without entering a PIN or anything else on the ATM), after which the ATM will carry out only the previously authorized transaction.
According to an aspect of the embodiment, a modified example of a UPTF-based authenticated transaction using mobile device 104 and an ATM is described next. The modified example concerns a transaction using a mobile device and an ATM, but when authenticating to the ATM the user relies on some form of near-field communication rather than entering information into the ATM.
The user requests the transaction as described above while waiting in line, or shortly before arriving at the ATM. As the user approaches the ATM, the user holds their near-field communication (NFC) enabled phone up to the NFC-enabled ATM, which responds by carrying out the previously requested transaction, for example dispensing the previously requested cash amount to the user. NFC is a means of identifying the phone, and thereby the phone owner who is about to carry out the transaction. NFC effectively replaces the need to key in a confirmation code. Of course, the transaction has already been specified and authenticated, so it cannot be influenced or affected by NFC. NFC here refers to all kinds of short-range radio-frequency local communication, such as RFID, contactless smart cards, NFC chips, IR, Bluetooth, WLAN, any technology providing proximity-based identification, or any combination of the above. In addition, the phone can display a bar code that can be read by an ATM equipped with a bar code reader, or can "broadcast" an audio signal to a correspondingly equipped ATM. In addition, the user's biometric information, such as face recognition, palm print, fingerprint, etc., can be used to identify the user to the ATM.
According to the authentication method, it can be assumed that both negotiating parties use SAS, based on UPTF, to create their negotiation messages or views. SAS refers in part to how individual messages are created and encrypted, i.e. how a time-dependent key is generated from one party's PIE and subsequently used to encrypt each message. A modified example of all of the methods is that a party other than mobile device 104 (such as provider 106) may use a method other than SAS to send negotiation messages to STS 120. In a non-limiting example, according to an aspect of the UPTF embodiment, provider 106 may encrypt the UPTF negotiation message with the private key of provider 106, according to a typical PKI private/public key pair, and transmit the UPTF negotiation message to STS 120. Of course, the content of the negotiation message itself remains a negotiation message according to UPTF. Although in the above embodiments the transaction mark is a number, the embodiments are not limited to this configuration, and any identifier can be used to identify a transaction and bind it to the user.
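The Fig. 8 web-payment flow, the Fig. 9A ATM flow and the SAS description above all rest on the same mechanism: the provider obtains a short transaction mark from the STS, the user feeds that mark and the PIE into the phone application, and the STS matches the two views after checking that the user's message was produced with a key derived from the PIE and the device's authentication parameter. The following Python sketch of that mechanism is an added example, not code from the patent or from the UPTF/SAS implementation it refers to. The class and function names (STS, derive_key, transform_view, user_authorize, run_demo), the use of HMAC-SHA256 as the "transformation", the 60-second key period, the 120-second mark lifetime, the 6-digit marks and the 4-digit verification code that is handed to both sides (the out-of-band check described earlier for the web-login case) are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo parameters; none of these values or names come from the patent or from the
# UPTF/SAS implementation it refers to.
KEY_PERIOD_SECONDS = 60     # granularity of the time-dependent key (assumption)
MARK_TTL_SECONDS = 120      # how long an issued transaction mark remains usable (assumption)


def derive_key(pie, auth_param, period):
    """Time-dependent key from the user's PIE and the device's authentication parameter.

    The phone and the STS can both compute it; the PIE is never sent, only used as key input.
    """
    return hmac.new(auth_param, f"{pie}:{period}".encode(), hashlib.sha256).digest()


def transform_view(view, key):
    """Turn a transaction view into an authenticable request by tagging it with the time key."""
    body = json.dumps(view, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def user_authorize(device_id, pie, auth_param, mark, now):
    """What the phone application sends (message 402) after the user keys in mark and PIE."""
    view = {"device": device_id, "mark": mark}
    return transform_view(view, derive_key(pie, auth_param, now // KEY_PERIOD_SECONDS))


class STS:
    """Minimal secure transaction server: issues marks to providers, verifies user requests."""

    def __init__(self):
        self.devices = {}   # device id -> (PIE, authentication parameter) from enrolment
        self.marks = {}     # outstanding transaction mark -> provider's view of the transaction

    def register_device(self, device_id, pie, auth_param):
        self.devices[device_id] = (pie, auth_param)

    def request_transaction_mark(self, provider_id, description, amount, now):
        """Provider side (message 404): obtain a short unique code for exactly one transaction."""
        mark = f"{secrets.randbelow(10 ** 6):06d}"
        while mark in self.marks:                       # never hand out a live mark twice
            mark = f"{secrets.randbelow(10 ** 6):06d}"
        self.marks[mark] = {"provider": provider_id, "description": description,
                            "amount": amount, "issued": now}
        return mark

    def authorize(self, request, now):
        """User side: verify the tag, then match the user's view against the provider's view."""
        view = json.loads(request["body"])
        creds = self.devices.get(view.get("device"))
        if creds is None:
            return {"ok": False, "reason": "unknown device"}
        pie, auth_param = creds
        period = now // KEY_PERIOD_SECONDS
        valid = False
        for p in (period, period - 1):                  # tolerate one period of clock skew
            expected = hmac.new(derive_key(pie, auth_param, p), request["body"].encode(),
                                hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, request["tag"]):
                valid = True
                break
        if not valid:
            return {"ok": False, "reason": "tag does not verify (wrong PIE or parameter)"}
        provider_view = self.marks.get(view.get("mark"))
        if provider_view is None or now - provider_view["issued"] > MARK_TTL_SECONDS:
            return {"ok": False, "reason": "unknown, already used or expired transaction mark"}
        del self.marks[view["mark"]]                    # a mark authorizes one transaction only
        code = f"{secrets.randbelow(10 ** 4):04d}"      # out-of-band check shown to both sides
        return {"ok": True, "mark": view["mark"], "provider": provider_view["provider"],
                "amount": provider_view["amount"], "description": provider_view["description"],
                "verification_code": code}


def run_demo(now=1_700_000_000):
    """Walk through a good authorization, a replay, a wrong PIE and an expired mark."""
    sts = STS()
    auth_param = secrets.token_bytes(32)                # provisioned to the phone at enrolment
    sts.register_device("phone-A", "4321", auth_param)
    mark = sts.request_transaction_mark("shop.example", "2 tickets", "19.90", now)
    good = sts.authorize(user_authorize("phone-A", "4321", auth_param, mark, now), now)
    replay = sts.authorize(user_authorize("phone-A", "4321", auth_param, mark, now), now)
    mark2 = sts.request_transaction_mark("shop.example", "2 tickets", "19.90", now)
    bad_pie = sts.authorize(user_authorize("phone-A", "0000", auth_param, mark2, now), now)
    late = sts.authorize(user_authorize("phone-A", "4321", auth_param, mark2, now + 300),
                         now + 300)
    return {"good": good["ok"], "replay": replay["ok"], "bad_pie": bad_pie["ok"],
            "late": late["ok"], "code_digits": len(good["verification_code"])}
```

Three properties of the patent's scheme are visible in run_demo: the phone never transmits the PIE, only a tag that depends on it; a mark is consumed by the first successful authorization, so a second message carrying the same mark is refused; and a mark that is not redeemed within its lifetime is refused even with the correct PIE. The provider's own message to the STS is left untagged here, which mirrors the remark above that a party other than the mobile device may protect its negotiation message by means other than SAS.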
According to an aspect of the embodiment, non-UPTF methods for user authentication are provided. The non-UPTF methods are used for the same applications as those described with reference to Figs. 5 and 6A. One purpose is for the user to securely log in to their account at a website without having to enter the username/password combination used by this particular user at this particular website.
Each of these websites 106 registers with the operator of STS 120 in order to receive the authentication service provided by the STS operator. This means that, at each website, the user's normal login and password (account) are associated with the user's mobile phone number. This method can be used by the user to authenticate to the website without using mobile ID application 108, relying instead on mobile device 104 to call an interactive voice response (IVR) system and/or to send wireless messages, such as SMS including MMS, rather than on the UPTF protocol.
For example, user 102 sends an SMS from mobile device 104 to a known number associated with authentication for login to a specific website (or a set of websites). The user can also include in the SMS a PIE issued in advance (by authentication service 120). After authentication server 120 receives the SMS, the website logs the user in with the user's account, thereby using the SMS to approve the transaction with the provider. As an additional safety measure (against an attacker sending an SMS in a way that spoofs a specific mobile phone number), authentication server 120 can respond by sending an SMS to the mobile phone number from which the first SMS was sent; this SMS response requires confirmation, for example by the user following a link in the SMS. Alternatively, the authentication server can respond by sending to the mobile number an SMS containing a code that the user needs to key in on the website, and the website associates the user's record with the account for the telephone number of the mobile phone used to send the first SMS.
Instead of SMS, the user can call the IVR system and key in their PIE there; the authentication server responds by sending an SMS with a URL, or a code (as before), to the mobile number, which is identified from the call to the IVR system (using the usual caller ID function).
According to an embodiment, a method comprises: a provider registering with a secure transaction server (STS) for a user authentication service, to carry out an action at the provider; a user wirelessly sending a user authorization request to the STS; the STS authenticating the user according to the wirelessly sent user authorization request; and the STS sending a user authentication service result to the provider according to the authentication, to authorize the action at the provider. According to the method, wirelessly sending the user authorization request to the STS comprises: the user wirelessly sending the user authorization request to the STS by Short Message Service (SMS), or the user entering a user authorization request including a personal identification entry (PIE) via an interactive voice response (IVR) system, or any combination of the above.
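The SMS/IVR login described above depends on one point that is easy to get wrong in an implementation: the sender number of an incoming SMS, or the caller ID of an IVR call, identifies the account but must not by itself log the user in, because it can be forged; the website should only admit the user after the reply sent to the number on record has been acted on. The Python model below is an added example, not code from the patent or its assignee. The class names (AuthenticationServer, Handset), the optional per-site PIE, the 6-digit one-time code and the one-attempt redemption policy are assumptions made for the example; the IVR variant is represented by passing the caller-ID number as the claimed sender.

```python
import hmac
import secrets


class AuthenticationServer:
    """Constructed model of the SMS/IVR login service; class and method names are assumptions."""

    def __init__(self):
        self.bindings = {}   # (site, mobile number) -> (account name at that site, PIE or None)
        self.pending = {}    # (site, mobile number) -> one-time code not yet entered on the site
        self.outbox = []     # SMS the server sends, as (destination number, text)

    def register(self, site, account, phone, pie=None):
        """A registered website ties the user's account to the user's mobile number."""
        self.bindings[(site, phone)] = (account, pie)

    def receive_login_request(self, site, claimed_sender, pie=None):
        """Handle an SMS (or an IVR call identified by caller ID) asking to log in to `site`.

        The sender number may have been forged, so the user is not logged in yet: the server
        replies with a code to the number on record, which only that handset receives.
        """
        entry = self.bindings.get((site, claimed_sender))
        if entry is None:
            return False
        account, expected_pie = entry
        if expected_pie is not None and not hmac.compare_digest(expected_pie, pie or ""):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[(site, claimed_sender)] = code
        self.outbox.append((claimed_sender, f"Code to finish login at {site}: {code}"))
        return True

    def redeem_code(self, site, phone, code):
        """Called by the website when a code is typed; returns the account to log in, or None.

        The pending code is consumed on the first attempt, right or wrong.
        """
        expected = self.pending.pop((site, phone), None)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        return self.bindings[(site, phone)][0]


class Handset:
    """The phone that really owns a number; it can read only SMS addressed to that number."""

    def __init__(self, number):
        self.number = number

    def latest_code(self, server):
        codes = [text.rsplit(" ", 1)[1] for dest, text in server.outbox if dest == self.number]
        return codes[-1] if codes else None


def run_demo():
    server = AuthenticationServer()
    alice = Handset("+15550100")                         # constructed sample number
    server.register("bank.example", "alice", alice.number, pie="7391")
    server.register("shop.example", "alice99", alice.number)          # site without a PIE

    # Legitimate login: Alice texts her PIE, reads the code off her phone, types it on the site.
    accepted = server.receive_login_request("bank.example", alice.number, "7391")
    legit = server.redeem_code("bank.example", alice.number, alice.latest_code(server))

    # Wrong PIE: no code is issued at all.
    wrong_pie = server.receive_login_request("bank.example", alice.number, "0000")

    # Forged sender number at the PIE-less site: the request is accepted, but the reply goes to
    # Alice's handset, so a code typed on the website by anyone else does not log anyone in.
    forged = server.receive_login_request("shop.example", alice.number)
    real = alice.latest_code(server)
    wrong_guess = f"{(int(real) + 1) % 10 ** 6:06d}"     # stands in for a guess; differs from real
    guessed = server.redeem_code("shop.example", alice.number, wrong_guess)

    only_alice = all(dest == alice.number for dest, _ in server.outbox)
    return {"accepted": accepted, "legit": legit, "wrong_pie": wrong_pie,
            "forged_accepted": forged, "guessed": guessed, "only_alice": only_alice}
```

The outbox check at the end is the property the patent's "additional safety measure" relies on: every code the server emits is addressed to the registered number, so a spoofed sender gains nothing beyond causing the real user to receive an unexpected code, which is itself a useful signal to surface to the user.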
According to another aspect of a non-UPTF-based embodiment, a method for purchasing from a mobile phone is provided. The user makes purchases with the browser running on the mobile device without having to key in a username/password combination or financial institution information at the website where the purchase takes place. This method is suited to purchase situations in which the user presents the financial instrument used for the purchase to a machine or a person after the purchase.
The owner of the mobile phone (the user) has an account with the entity providing the mobile payment service, and the user has registered an authentication means with the provider, such as a credit card, debit card, driver's license or some other such instrument.
When registering for the service of paying with a mobile phone, the user and the provider know the mobile phone number of the phone from which purchases will be made. Optionally, the provider can send an SMS (with a link to the website where purchases can be made) to the mobile phone number supplied by the user, so that the user need not key in a URL (a typically difficult task) in the browser of the mobile phone.
When purchasing from the mobile device, the user points the browser on mobile device 104 to the provider's website, or to a website associated with the provider, or to a website that accepts payments between the user and the provider. When purchasing, the user enters their mobile phone number (as opposed to a username/password combination) in the form the provider presents in the browser of mobile device 104, in order to identify themselves, and selects one of the payment means known to both the user and the provider as the method of payment. For security reasons, the website does not display specific account information, only the nickname of the registered account. Typically, these actions take place on the "service" page of provider 106 in the browser of phone 104.
When the user collects what was paid for (for example a movie ticket at the ticket counter), the user presents the authentication means registered with the provider to a person or a machine that can verify that this authentication means is associated with the aforementioned purchase. The benefit of this method is that, when purchasing, the user only needs to key in a numeric entry (10 digits), which is easier than keying in a username/password combination.
The method provides security against fraudulent transactions, i.e. against someone other than the rightful owner of the mobile phone attempting to make a purchase, because the authentication means associated with the mobile phone number entered at purchase must be presented to complete the transaction. In addition, the user can transact from a mobile phone other than their own (or from a web browser running on a PC), because the authentication means must be presented to complete the purchase.
In a modified example of the invention, instead of using an authentication means physically presented at payment, an SMS with a unique transaction identifier and, optionally, a description of the transaction is sent at purchase to the specified mobile phone. The transaction can be completed if and only if the user has approved it by responding to this SMS. Optionally, the user can include in the SMS a PIE issued by the provider; this PIE is issued by the provider when the user registers for the service and is not stored on mobile phone 104.
In view of the above examples of preferred embodiments, the apparatus suitable for carrying out the embodiments described herein can be any computing device or machine, such as (in a non-limiting example) a programmable electronic device that can store, retrieve and process data, that allows mobile (wireless or radio) communication, and that has one or more communicably connectable components, i.e. with other computing devices: computers/computing processors, such as central processing units (CPUs); input units/devices (for example a microphone for voice command/control, keyboard/keypad, pointing devices (for example mouse, pointer, stylus), touch screen, etc.); output units/devices (for example a computer display screen (including its user interface, such as a graphical user interface), speaker, printer, etc.); computer network interfaces, including their known communication protocols (for example mobile phone (voice/data (Internet)) networks (cellular radio, satellite, etc.), radio-frequency technologies, local area networks, etc.); and recording media (any known recording medium, such as volatile and/or non-volatile memory (random access memory), hard disk, flash memory, magnetic/optical disk, etc.) for storing information/instructions, such as software (for example an operating system, wireless wallet software, etc.) and/or data, for execution by the computing device (such as the computer/computing processor and/or electronic circuits). The described embodiments provide a method, an apparatus (computer system) and/or a computer-readable medium for a user authentication service using a mobile wireless data communication device.
The many features and advantages of the embodiments described herein are apparent from the detailed description, and thus the appended claims and their equivalents are intended to cover all such features and advantages of the embodiments that fall within the true spirit and scope of the embodiments. Further, since numerous modifications and variations will readily occur to those skilled in the art, it is not desired to limit the embodiments to the exact construction and operation illustrated and described, and accordingly all suitable modifications and equivalents may be resorted to as falling within the scope of the embodiments.

Claims (31)

1. A method comprising the steps of:
authenticating, with an authentication parameter from a secure transaction server, a mobile device communicably connectable to a wireless network as a mobile device authenticator;
providing to the secure transaction server a correlation between a personal identification entry and the mobile device authenticator; and
inputting, by a user, the personal identification entry and a provider action to the mobile device authenticator, to transmit a transformed secure user-authenticable authorization request to the secure transaction server over the wireless network, to authorize an action with the provider.
2. The method according to claim 1, further comprising the steps of:
generating a transaction mark for the provider; and
inputting, by the user, the personal identification entry and the transaction mark to the mobile device authenticator, to transmit, based on the personal identification entry, the transaction mark and the authentication parameter, the transformed secure user-authenticable authorization request to the secure transaction server over the wireless network, as the user's authorization of the action with the provider.
3. The method according to claim 2, wherein the provider comprises a physical environment, a computer system, or any combination thereof, and the method further comprises the steps of:
the user attempting to access the provider's computer system, as the action with the provider;
the secure transaction server receiving a provider authentication request in response to the user attempting to access the provider's computer system;
the secure transaction server transmitting the generated transaction mark to the provider's computer system in response to receiving the provider authentication request; and
the secure transaction server verifying the provider authentication request and the user's authorization to access the provider;
the secure transaction server transmitting a user authentication result to the provider's computer system according to said verification; and
authorizing the user to access the provider's computer system according to the user authentication result transmitted from the secure transaction server.
4. The method according to claim 3, wherein the step of the user attempting to access the provider's computer system comprises the step of submitting an operational action request to the provider's computer system.
5. The method according to claim 3, wherein the mobile device authenticator is a mobile phone communicably connectable to a mobile telephone network, the wireless Internet, or any combination thereof, as the wireless network, and the method further comprises the steps of:
the provider's computer system associating the user's password and user name used to access the computer system with the mobile phone number of the mobile phone; and
when the user attempts to access the provider's computer system, the user entering only the mobile phone number at the provider's computer system.
6. The method according to claim 3, wherein the step of the user attempting to access the provider's computer system comprises the step of logging in to the provider's computer system using a user name and password.
7. The method according to claim 3, wherein the wireless network is the Internet, and the method further comprises the step of:
the secure transaction server recording the Internet Protocol addresses of a plurality of mobile device authenticators that transmit user-authenticable authorization requests to the secure transaction server,
wherein the step of the secure transaction server verifying the provider authentication request and the user's authorization to access the provider further comprises the step of comparing the Internet Protocol address of each mobile device authenticator with the corresponding authentication parameter.
8. The method according to claim 3, wherein the step of transmitting the user authentication result to the provider's computer system further comprises the step of transmitting, by the secure transaction server, a verification code to the mobile device authenticator and to the provider's computer system,
wherein the provider's computer system authorizes access in response to the user authentication result from the secure transaction server and the user entering the verification code.
9. The method according to claim 3, wherein the provider's computer system comprises an Internet website login page, and the transaction mark is displayed on the login page as a completely automated public Turing test to tell computers and humans apart.
10. The method according to claim 1, wherein the mobile device authenticator is a mobile phone communicably connectable to a mobile telephone network or the wireless Internet, or any combination thereof, as the wireless network.
11. The method according to claim 1, wherein the personal identification entry is a personal identification number of 4 or more digits, biometric information of the user, or any combination thereof.
12. The method according to claim 1, wherein the transformed secure user-authenticable authorization request transmitted to the secure transaction server over the wireless network is a user payment authorization, and the method further comprises the steps of:
the secure transaction server verifying the provider's payment request and the user's payment authorization; and
the secure transaction server settling the payment to the provider.
13. The method according to claim 3, wherein the provider's computer system is an automatic teller machine or a website, or any combination thereof.
14. The method according to claim 1, wherein the transformed secure user-authenticable authorization request transmitted to the secure transaction server over the wireless network complies with the Universal Pervasive Transaction Framework Secure Agreement Submission protocol.
15. The method according to claim 1, wherein the transformed secure user-authenticable authorization request is a user key that varies with time and with the authentication parameter, and the method further comprises the steps of:
the user presenting the user key to the provider;
the provider sending the user key to the secure transaction server;
the secure transaction server, in response to receiving the user key submitted by the provider, generating a secure-transaction-server-generated user key for the current time;
the secure transaction server verifying a match between the user key it generated and the user key submitted by the provider; and
the secure transaction server authenticating the user to the provider according to said verification.
16. The method according to claim 1, further comprising the steps of:
generating a transaction mark for the provider, wherein the transaction mark is known to the secure transaction server;
inputting, by the user, the personal identification entry and the transaction mark to the mobile device authenticator, to generate, based on the personal identification entry, the transaction mark and the authentication parameter, the transformed secure user-authenticable authorization request as a user-generated authentication mark;
the user presenting the user-generated authentication mark to the provider;
the provider sending the user-generated authentication mark to the secure transaction server;
the secure transaction server, in response to receiving the user-generated authentication mark submitted by the provider, generating a secure-transaction-server-generated user authentication mark; and
verifying a match between the user authentication mark generated by the secure transaction server and the user-generated authentication mark submitted by the provider; and
the secure transaction server authenticating the user to the provider according to said verification.
17. A method comprising the steps of:
a provider registering with a secure transaction server for a user authentication service, to carry out an action at the provider;
a user wirelessly transmitting a user authorization request to the secure transaction server;
the secure transaction server authenticating the user according to the wirelessly transmitted user authorization request; and
the secure transaction server transmitting a user authentication service result to the provider according to said authentication, to authorize the action at the provider.
18. The method according to claim 17, wherein the step of wirelessly transmitting the user authorization request to the secure transaction server comprises the steps of: the user wirelessly transmitting the user authorization request to the secure transaction server by Short Message Service, or the user entering a user authorization request comprising a personal identification entry via an interactive voice response system, or any combination thereof.
19. The method according to claim 17, wherein the registering step comprises the step of associating the user information used to carry out the action at the provider with the user's mobile phone number.
20. The method according to claim 17, wherein the user authorization request is wirelessly transmitted by Short Message Service, and the method further comprises the steps of:
after the authentication, the secure transaction server wirelessly transmitting a confirmation Short Message Service message to the wireless number of the user who wirelessly transmitted the user authorization request; and
the user confirming the confirmation Short Message Service message by one or more of: following a link in the confirmation Short Message Service message, or entering at the provider a code included in the confirmation Short Message Service message.
21. A method comprising the steps of:
A user registering with a website provider the user's mobile device, to be used for mobile device payment transactions;
The user registering an authentication means with the website provider;
The user making a purchase from the website provider using the registered mobile device, according to a process comprising the steps of:
Accessing the website through the mobile device,
When making the purchase at the website, inputting at the mobile device the mobile number of the registered mobile device,
Selecting at the mobile device a payment method for the provider, and
Paying for the purchase by submitting the authentication means registered with the provider, thereby completing the purchase.
22. The method according to claim 21, further comprising the steps of:
When the purchase is made, the website provider wirelessly transmitting to the mobile device a purchase confirmation Short Message Service message that includes a transaction token; and
Responding, by the mobile device, to the purchase confirmation Short Message Service message in order to pay for the purchase, thereby completing the purchase.
23. A method comprising the steps of:
Authenticating a mobile device communicably connectable to a wireless network as a mobile device authenticator, using an authentication parameter from a secure transaction server;
Providing to the secure transaction server a correlation between a personal identification entry and the mobile device authenticator;
Providing mobile device user authentication for a user automatic teller machine (ATM) transaction;
The ATM requesting from the secure transaction server a transaction token for the mobile device user authentication of the user ATM transaction, and presenting the transaction token to the user;
The user, according to the transaction token, requesting verification of the user ATM transaction from the user's mobile device authenticator;
The ATM transmitting an ATM transaction authorization to the secure transaction server, so as to authorize the mobile device user authentication of the user ATM transaction identified by the transaction token;
The user inputting the personal identification entry and the transaction token into the mobile device authenticator, which, based on the personal identification entry, the transaction token and the authentication parameter, transmits a transformed secure user authenticable authorization request to the secure transaction server over the wireless network, as the user's authorization of the user ATM transaction;
The secure transaction server verifying the ATM transaction authorization and the user's authorization of the user ATM transaction;
The secure transaction server transmitting a user authentication result to the ATM according to said verification; and
Completing the user ATM transaction according to the user authentication result from the secure transaction server.
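As an added illustration (not code from the patent or from Fujitsu), the following sketches how a secure transaction server could realize both the user-generated token match described in the steps at the top of this section and the claim 23 ATM flow, where the ATM's authorization and the user's request must agree on one transaction token. The patent does not fix the transform; keying HMAC-SHA256 with the STS-issued authentication parameter over the personal identification entry and the transaction token, the 12-character token length, and the names `STS`, `derive_token` and the use of the mobile number as the device identifier are all assumptions made here.

```python
import hashlib, hmac, secrets

# Added illustration, not the patent's own code. The patent does not fix the
# transform; keying HMAC-SHA256 with the STS-issued authentication parameter
# over (PIE, transaction token) is an assumption made here.

def derive_token(auth_param: bytes, pie: str, txn_token: str) -> str:
    """Mobile device authenticator side: the user-generated authentication
    token from the PIE, the transaction token and the authentication parameter.
    Truncation to 12 hex chars (so a user can present it) is an assumption."""
    msg = f"{pie}|{txn_token}".encode()
    return hmac.new(auth_param, msg, hashlib.sha256).hexdigest()[:12]

class STS:
    """Secure transaction server: keeps the correlation between a mobile
    device authenticator (identified here by mobile number) and its PIE."""
    def __init__(self):
        self.devices = {}    # mobile number -> (auth_param, pie)
        self.atm_auths = {}  # transaction token -> ATM id that authorized it

    def register_device(self, mobile: str, pie: str) -> bytes:
        """Issue the authentication parameter that makes the device an
        authenticator, and record the PIE correlation."""
        auth_param = secrets.token_bytes(32)
        self.devices[mobile] = (auth_param, pie)
        return auth_param

    def issue_txn_token(self) -> str:
        """Transaction token requested by the provider/ATM, shown to the user."""
        return secrets.token_hex(4)

    def verify_user_token(self, mobile: str, txn_token: str, user_token: str) -> bool:
        """Claim-16 style check: regenerate the token from the stored
        correlation and compare it in constant time with what the provider
        forwarded. A wrong PIE, unknown device or wrong token all fail."""
        rec = self.devices.get(mobile)
        if rec is None:
            return False
        auth_param, pie = rec
        expected = derive_token(auth_param, pie, txn_token)
        return hmac.compare_digest(expected, user_token)

    def receive_atm_authorization(self, atm_id: str, txn_token: str) -> None:
        """Claim-23 step: the ATM authorizes the transaction it identifies."""
        self.atm_auths[txn_token] = atm_id

    def verify_atm_transaction(self, atm_id: str, mobile: str,
                               txn_token: str, user_token: str) -> bool:
        """Claim-23 check: the ATM's authorization and the user's request must
        name the same transaction token, and the user's token must verify.
        The ATM authorization is consumed so the same token cannot be reused."""
        if self.atm_auths.pop(txn_token, None) != atm_id:
            return False
        return self.verify_user_token(mobile, txn_token, user_token)
```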
24. A method comprising the steps of:
Authenticating a mobile device communicably connectable to a wireless network as a mobile device authenticator, using an authentication parameter from a secure transaction server;
Providing to the secure transaction server a correlation between a personal identification entry and the mobile device authenticator;
Identifying an automatic teller machine (ATM);
The user inputting into the mobile device authenticator the personal identification entry and an ATM identifier obtained from the ATM identification, so that, based on the personal identification entry, the ATM identifier and the authentication parameter, the mobile device authenticator transmits a transformed secure user authenticable authorization request to the secure transaction server over the wireless network, as the user's authorization of the mobile device user authentication of a user ATM transaction;
The secure transaction server transmitting to the ATM ATM transaction information that includes a transaction token, as an ATM transaction authorization based on the user ATM transaction;
The secure transaction server verifying the ATM transaction authorization and the authorization of the user ATM transaction; and
The secure transaction server transmitting a confirmation code to the mobile device authenticator and to the ATM according to said verification;
The user submitting the confirmation code to the ATM, thereby completing the user ATM transaction.
25. The method according to claim 24, wherein the step of submitting the confirmation code to the ATM comprises using short-range identification with the ATM.
26. An apparatus comprising:
A reliable wireless communication processor which, based on an authentication parameter from a secure transaction server, controls the apparatus according to a process comprising the steps of:
Receiving a user's personal identification entry and a provider action, and
Wirelessly transmitting to the secure transaction server a transformed secure user authenticable authorization request, so as to authorize the action with the provider.
27. The apparatus according to claim 26, wherein the transformed secure user authenticable authorization request comprises:
The user inputting the personal identification entry and a transaction token into the apparatus, which, based on the personal identification entry, the transaction token and the authentication parameter, wirelessly transmits said transformed secure user authenticable authorization request to the secure transaction server, as the user's authorization of the action with the provider.
28. The apparatus according to claim 26, wherein the provider is an environment, a computer system, a website, an ATM, or any combination of the foregoing.
29. The apparatus according to claim 26, wherein the wireless transmission comprises wireless communication over a mobile telephone network or the wireless Internet, or any combination of the foregoing.
30. The apparatus according to claim 26, wherein the personal identification entry is a personal identification number of 4 or more digits, the user's biometric identification information, or any combination of the foregoing.
31. An apparatus comprising:
A provider system;
A secure transaction server; and
A reliable wireless communication device which, based on an authentication parameter from the secure transaction server, is controlled according to a process comprising the steps of:
Receiving a user's personal identification entry and a provider system action, and
Wirelessly transmitting to the secure transaction server a transformed secure user authenticable authorization request, so as to authorize the action with the provider system.
Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US66937505P 2005-04-08 2005-04-08
US60/669,375 2005-04-08
US11/388,202 2006-03-24

Publications (1)

Publication Number Publication Date
CN1897027A true CN1897027A (en) 2007-01-17

Family

ID=37609550

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2006100737704A Pending CN1897027A (en) 2005-04-08 2006-04-10 Authentication services using mobile device

Country Status (1)

Country Link
CN (1) CN1897027A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Publication (open) date: 2007-01-17