CN202026311U - Data processing system - Google Patents

Data processing system Download PDF

Info

Publication number
CN202026311U
CN202026311U CN2010206656115U CN201020665611U CN202026311U CN 202026311 U CN202026311 U CN 202026311U CN 2010206656115 U CN2010206656115 U CN 2010206656115U CN 201020665611 U CN201020665611 U CN 201020665611U CN 202026311 U CN202026311 U CN 202026311U
Authority
CN
China
Prior art keywords
unit
module
authentication code
handling system
communication unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CN2010206656115U
Other languages
Chinese (zh)
Inventor
赵茂林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING ZHONGCHUANG ZHIXIN TECHNOLOGY CO LTD
Original Assignee
BEIJING ZHONGCHUANG ZHIXIN TECHNOLOGY CO LTD
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING ZHONGCHUANG ZHIXIN TECHNOLOGY CO LTD filed Critical BEIJING ZHONGCHUANG ZHIXIN TECHNOLOGY CO LTD
Priority to CN2010206656115U priority Critical patent/CN202026311U/en
Application granted granted Critical
Publication of CN202026311U publication Critical patent/CN202026311U/en
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Abstract

The utility model discloses a data processing system which comprises a first module of a digital signature device, a second module which with the function of a gateway and communication with the first module through a first channel and a third module used for submitting signature information, wherein the third module is in communication with the second module through a second channel and is directly in communication with the first module via a third channel. In the premise of establishing the first channel, the second channel and the third channel, a fourth channel is established between the first module and the third module through the second module; and the first module is called to carry out digital signature operation by the third module through the established fourth channel, or data is read from or written in the first module by the third module through the established fourth channel. The digital signature device comprises a first input unit, a first output unit, a first communication unit, an identity verifying unit, a first authentication code unit and a digital signature unit used for executing digital signature after user identity information passes the verification.

Description

Data handling system
Technical field
The utility model relates to a kind of data handling system, relates in particular to a kind of data handling system with the digital signature device that comprises the authentication code unit.
Background technology
In recent years, along with the variation of professional channel, be used for telephone terminal that e commerce transactions uses, sales counter that the someone serves, have people or channels such as unattended POS terminal, unattended ATM terminal all to need submission information to allow user's signature confirm to guarantee information security.This just needs the user can both receive signing messages at any time and adds their confirmation.
Yet in traditional e commerce transactions was used, the data of submissions such as just that the user is operated Internet access terminals such as traditional PC (PC), notebook computer were carried out digital signature.Development along with mobile Internet and various mobile computing devices, remove outside the computing terminals such as traditional PC, notebook computer, computing terminals such as smart mobile phone, panel computer, e-book are all more and more universal, use and also on these emerging network computing equipments, shift more and more, for example, the transfer of e commerce transactions application.Transfer in the process of emerging terminal in the signature application, traditional signature device such as USBKEY are (promptly, the signature device that communicates with usb mode and host computer) and TFKEY (promptly, the signature device that communicates with Micro SD interface mode and host computer) also there is unsafe factor, and is difficult to cooperate well to satisfy the requirement that the user can both receive signing messages and add their confirmation at any time with these emerging terminals.
Fig. 1 is a kind of structure and corresponding basic operation flow process thereof of traditional signature system.As shown in Figure 1, traditional signature system is made of user terminal 102, signature apparatus 103 and service server 104 usually.Adopt computer external interface between user terminal 102 and the signature apparatus 103, be connected as USB interface, UART serial ports, infrared interface and/or blue tooth interface etc.User terminal 102 conducts interviews to service server 104 by the Internet.User terminal 102 communicates with service server 104 and signature apparatus 103 respectively according to user 101 demand.The basic operation flow process of this signature system comprises: at step S105, user 101 submits to user terminal 102 with service request data; At step S106, user terminal 102 sends to signature apparatus 103 to the information of needs signature; At step S107,103 pairs of signature apparatus need the information of signature to carry out digital signature, and the information after will signing is then submitted to user terminal 102; At step S108, information sent to service server 104 together with service request data after user terminal 102 will be signed; At step S109, the information behind 104 pairs of signatures that receive of service server is verified, and according to verifying that the result carries out corresponding service processing, subsequently service processing result is sent to user terminal 102.At last, user terminal 102 display business results.
Because as the aforementioned emerging terminal of user terminal and traditional terminal Peripheral Interface disunity, above-mentioned traditional signatures system shown in Figure 1 just is difficult to insert these emerging terminals.For example, panel computer and smart mobile phone do not have the USB main interface, the USBKEY that belongs to the USB slave unit can't be connected on these equipment as signature apparatus.
In addition, traditional signature apparatus with the access way of user terminal on adopt computer external interface, this just needs the corresponding apparatus driver to cooperate.Along with the increase of terminal type, the driver quantity of required exploitation is very big, thereby has increased the manpower cost and the cost of system development and application.
Therefore, just need a kind of safer, more reliable data handling system that reads and/or write of carrying out digital signature or data.
In addition, reasonable is a kind ofly can be used for the carried out digital signature of various emerging terminals or the data handling system that reads and/or write of data.
Have again, be preferably, need a kind ofly can satisfy the data handling system that reads and/or write that the user receives signing messages and the carried out digital signature that adds their confirmation or data at any time easily.
Summary of the invention
The utility model can overcome above-mentioned one or more shortcoming that prior art exists.
According to the utility model, a kind of data handling system comprises: first module, and described first module comprises digital signature device; Play second module of gateway effect, described second module communicates by first passage and described first module; And the three module that is used to carry out the signing messages submission, described three module communicates by second channel and described second module, and directly communicate with described first module by third channel, wherein, at described first passage, under the prerequisite that described second channel and described third channel are all set up, between described first module and described three module, set up four-way via described second module, the four-way that described three module passes through to be set up calls described first module to carry out the digital signature operation, and the four-way that perhaps described three module passes through to be set up reads the data in described first module or write data in described first module.Described digital signature device comprises: first input unit; First output unit; First communication unit, described first communication unit is used for communicating with the outside; The digital signature unit, described digital signature unit links to each other respectively with described first output unit, described first communication unit and described first input unit, and be used for after the user confirms the information of described needs signature through the information of described first input unit affirmation needs signature or from the outside through described first communication unit, the described information that needs to sign being carried out digital signature and being sent the information after the digital signature to outside via described first communication unit; Identity authenticating unit, described identity authenticating unit links to each other respectively with described first communication unit, described first input unit and described first output unit, and be used to verify from the subscriber identity information of described first input unit or the subscriber identity information that transmits through described first communication unit from the outside, and will verify that the result exports to described first output unit and sends the outside to via described first communication unit; And the first authentication code unit, the described first authentication code unit links to each other respectively with described first input unit, described first communication unit and described first output unit, and be used for producing first authentication code by first connection request of described first input unit initiation or according to the user from the outside through second connection request that described first communication unit is initiated according to the user, and described first authentication code exported to described first output unit, wherein said digital signature unit carries out described digital signature after the subscriber identity information checking is correct.
In addition, in above-mentioned data handling system, whether the first authentication code unit further is used for comparison identical with described first authentication code via the authentication code that described first communication unit (3037) transmits from the outside, and the first authentication code comparison result is exported to described first output unit.Optionally, whether the first authentication code unit further is used for sending described first authentication code to described second module via described first communication unit, with identical from the authentication code of described three module input with the user via first authentication code that described first communication unit transmits by described second module comparison.
In addition, in above-mentioned data handling system, first output unit can comprise following one of at least: show output unit, first audio output unit and projection output unit.
Also have, in above-mentioned data handling system, first input unit can be used to import the information of needs signature, the information of confirming the needs signature, input subscriber identity information or initiate first connection request.Here, first input unit can be a key device.Be preferably, first input unit can also comprise be used to import subscriber identity information with lower device one of at least: fingerprint acquisition device, vocal print harvester, iris capturing device and recognition of face harvester.
Have, in above-mentioned data handling system, the first authentication code unit is in each authentication code unit that produces the first different authentication codes that connects, and also can be to produce the authentication code unit of random number as first authentication code again.
In addition, in above-mentioned data handling system, this digital signature device can be the mobile digital signature apparatus, and wherein said first communication unit can be the radio communication device that is built-in with mobile radio communication WAP (wireless access protocol) stack.The radio communication device that is built-in with mobile radio communication WAP (wireless access protocol) stack can be the mobile communication wireless protocol stack radio communication device one of at least that is built-in with following standard: GPRS, EDGE, narrowband CDMA, CDMA2000, WCDMA, TD-SCDMA and LTE.First communication unit can be the radio communication device that also is built-in with network protocol stack, for example TCP/IP.
Have again, in above-mentioned data handling system, the digital signature unit further be used for from the outside through described first communication unit or send to described first output unit from the information of the needs of described first input unit signature.Optionally, the digital signature unit further is used for sending to described first output unit the information that need sign from the part through described first communication unit of outside with from the information that another part of described first input unit need be signed.
Also have; in above-mentioned data handling system; this digital signature device can also comprise the first safety function unit; described first communication unit links to each other respectively with described digital signature unit, described identity authenticating unit and the described first authentication code unit via the described first safety function unit and communicates, and the described first safety function unit is used for the data of described first communication unit transmission are protected.
Preferably, in above-mentioned data handling system, digital signature unit, identity authenticating unit and the first authentication code unit can be integrated in the same chips.Under the situation that the first safety function unit is arranged, the first safety function unit also can be integrated in the above-mentioned same chips.
In addition, in above-mentioned data handling system, this digital signature device one of can also comprise with lower device at least: blue tooth interface device and USB are from interface arrangement.
In addition, in above-mentioned data handling system, second module can comprise: the second communication unit that communicates with described first module; The third communication unit that communicates with described three module; And the second authentication code unit, the described second authentication code unit links to each other respectively with described third communication unit with described first communication unit, and be used for producing second authentication code by the 3rd connection request of described first input unit initiation or the 4th connection request of initiating through described third communication unit from three module, send described second authentication code to described first output unit via described second communication unit, described first passage and described first communication unit according to the user according to the user.
Also have, in above-mentioned data handling system, the second authentication code unit can be each authentication code unit that produces the second different authentication codes, also can be to produce the authentication code unit of random number as second authentication code.
Moreover, in above-mentioned data handling system, the user from the described first input unit input authentication sign indicating number and transmit via described first communication unit under the situation of authentication code of input, the described second authentication code unit further is used to compare the user from described first input unit input and whether identical with described second authentication code via the authentication code of described first communication unit transmission, and sends the second authentication code comparison result to described first output unit via described second communication unit, described first passage and described first communication unit.The user not from the described first input unit input authentication sign indicating number but from described three module input authentication sign indicating number and transmit via described third communication unit under the situation of authentication code of input, whether the authentication code that the described second authentication code unit further is used to compare the described input that the user transmits from described three module input and via described third communication unit is identical with described second authentication code, and sends this second authentication code comparison result to described three module via described third communication unit and described second channel.Initiate described first connection request or initiate described second connection request through described first communication unit by described first input unit the user from described three module, so that producing described first authentication code and send described first authentication code to the described second authentication code unit via described first communication unit and described second communication unit, the described first authentication code unit substitutes under the situation of comparing the described first authentication code unit, whether the authentication code that the described second authentication code unit further is used to compare user's input is identical with described first authentication code, and with this first authentication code comparison result via described third communication unit, send described three module to described second channel, perhaps with this first authentication code comparison result via described second communication unit, described first passage and described first communication unit send described first output unit to.
Have again, in above-mentioned data handling system, second module can also comprise data buffer storage unit, described data buffer storage unit links to each other with described third communication unit with described second communication unit respectively, and is used for the data that buffer memory reads from described first module via described second communication unit and described first communication unit.In addition, data buffer storage unit can be to be used for non-sensitive information partial data buffer unit in described first module of buffer memory.This is used for non-sensitive information partial data buffer unit in described first module of buffer memory can be to be used for the data buffer storage unit of the digital certificate that does not comprise private key in described first module of buffer memory.
In addition; in above-mentioned data handling system; second module can also comprise the second safety function unit, and described second communication unit links to each other with the described second authentication code unit via the described second safety function unit, and is used for the data of described second communication unit transmission are protected.Having under the situation of data buffer storage unit, the second communication unit links to each other with described data buffer storage unit with the described second authentication code unit via the described second safety function unit, and is used for the data of described second communication unit transmission are protected.
In addition, in above-mentioned data handling system, three module can comprise: believe the unit with the four-way that described second module communicates; Second output unit; Second input unit; And signing messages commit unit, described signing messages commit unit links to each other with described second output unit, described second input unit and described four-way letter unit respectively, and is used for through described four-way letter unit, the four-way of being set up and described second module information of described needs signature being submitted to described first module to carry out described digital signature operation or described reading or the said write data manipulation.
In addition, above-mentioned data handling system can also comprise four module, described four module be used for to by the five-way road after the described described digital signature that receives of described three module information verify, the result handles the business datum that receives from described three module according to this checking, and result is sent to described three module.Four module can comprise: the 6th communication unit that communicates with described three module; Signature verification unit, described signature verification unit links to each other with described the 6th communication unit, and be used for verifying, and should verify that the result sent to described Service Processing Unit and sends to described three module through described the 6th communication unit from the information of described three module after the described digital signature that described the 6th communication unit receives; And Service Processing Unit, described Service Processing Unit links to each other with described signature verification unit, and be used for the business datum that receives from described three module being handled, and described result sent to described three module through described the 6th communication unit according to request according to this checking result.Under the situation that four module is arranged, three module can comprise: believe the unit with the four-way that described second module communicates; Believe the unit with described four module by the five-way that described five-way road communicates; Second output unit; Second input unit; The signing messages commit unit, described signing messages commit unit links to each other with described second output unit, described second input unit and described four-way letter unit respectively, and is used for through described four-way letter unit, the four-way of being set up and described second module information of described needs signature being submitted to described first module to carry out the digital signature operation or to read or write data manipulation; And business datum commit unit, wherein said business datum commit unit links to each other with described second output unit, described second input unit and described five-way letter unit respectively, is used for utilizing the business datum of described second input unit input to submit to described four module through described five-way letter unit and described five-way road the user.
In addition, in above-mentioned data handling system, second output unit can comprise following one of at least: show output unit, audio output unit and projection output unit.
Also have, in above-mentioned data handling system, three module can be realized by one of following: desktop computer, notebook computer, panel computer, mobile phone, personal digital assistant, ATM and POS machine.
In addition, in above-mentioned data handling system, four-way is the passage that disconnects after described digital signature operation is finished.
By adopting data handling system of the present utility model, can make operation system safer, more reliable.
In addition, data handling system of the present utility model can be used for various emerging terminals, makes the manpower cost and the cost of system development and application be minimized.
Further,, can make the user receive signing messages at any time easily and add their confirmation, for example move, digital signature easily by adopting data handling system of the present utility model.
It should be apparent that to one skilled in the art, on the basis of foregoing, can make various modifications, conversion or combination them.
According to following accompanying drawing and detailed description, the utility model and corresponding other system, device, feature and advantage will be to those skilled in the art or become apparent.The application is intended to make all these and other system, device, feature and advantage to be included in this description.Be to be understood that; the generality of this paper front is described and following detailed all is exemplary with indicative; be intended to provide further understanding, but should be considered to be restriction technical scheme required for protection without any thing as to technical scheme required for protection.
Description of drawings
Below, for understanding the utility model better, will describe each exemplary embodiment of the present utility model in conjunction with the accompanying drawings in detail.
Fig. 1 is the structure chart of the traditional data handling system that can be used for digital signature, wherein also schematically illustrates each step mark of its basic operation flow process;
Fig. 2 is the overall structure figure according to a kind of data handling system of an exemplary embodiment of the utility model;
Fig. 3 is the structure chart according to first module instance in the data handling system of an exemplary embodiment of the utility model;
Fig. 4 is the structure chart according to second module instance in the data handling system of an exemplary embodiment of the utility model;
Fig. 5 is the structure chart according to three module example in the data handling system of an exemplary embodiment of the utility model;
Fig. 6 is the structure chart according to four module example in the data handling system of an exemplary embodiment of the utility model;
Fig. 7 is the overall structure figure according to an example of the data handling system of an exemplary embodiment of the utility model;
Fig. 8 is the structure chart according to an example of digital signature device of the present utility model;
Fig. 9 A is the flow chart according to first kind of method for building up example of four-way in the example of the data handling system of an exemplary embodiment of the utility model;
Fig. 9 B is the flow chart according to the another kind of method for building up example of four-way in the example of the data handling system of an exemplary embodiment of the utility model;
Figure 10 A is the flow chart according to first kind of disconnect method example of four-way in the example of the data handling system of an exemplary embodiment of the utility model;
Figure 10 B is the flow chart according to the another kind of disconnect method example of four-way in the example of the data handling system of an exemplary embodiment of the utility model;
Figure 11 A is the flow chart according to the first method example of authentication in the example of the data handling system of an exemplary embodiment of the utility model;
Figure 11 B is the flow chart according to the another kind of method example of authentication in the example of the data handling system of an exemplary embodiment of the utility model;
Figure 12 is the flow chart according to reading word certificate example in the example of the data handling system of an exemplary embodiment of the utility model; And
Figure 13 is the flow chart that carries out the business datum signature in the example according to the data handling system of an exemplary embodiment of the utility model and handle example.
Embodiment
Each execution mode now with reference to this paper is described in detail, and illustrates the example in the accompanying drawing.For its thought is conveyed to those of ordinary skills, provide after this these execution modes of introducing as an example.Therefore, these execution modes can be implemented with different forms, thereby are not limited to these execution modes described here.And, in any possible place, in whole specification and accompanying drawing, will use identical Reference numeral to represent same or analogous parts.
Fig. 2 is the overall structure figure according to a kind of data handling system of an exemplary embodiment of the utility model.This data handling system for example can be a kind of digital signature system.As shown in Figure 2, this digital signature system can comprise first module 203, second module 205 and the three module 202.First module 203 can comprise digital signature device of the present utility model (will be discussed in more detail below) thus in order to realize digital signature of the present utility model operation, second module 205 can play the gateway effect, and three module 202 can be used to submit to signing messages and business datum.First module 203 communicates by the first passage C211 and second module 205, and second module 205 communicates by second channel C212 and three module 202, and three module 202 also directly communicates with first module 203 by third channel C213.
First passage C211 can set up by sharing key between first module 203 and second module 205, and for example this key can carry out writing when equipment is issued initialization in first module 203 and second module 205.Second channel C212 can be the escape way that is based upon on the SSL VPN agreement basis.Third channel C213 can obtain (for example look and read) security information and sets up to the mode of this security information of input unit input of three module 202 from the output unit (for example display unit) of first module 203 by the user.Certainly, the mode of these foundation is not limited thereto, and any mode of setting up that those skilled in the art can expect may be used to the utility model.Under the situation that first passage C211, second channel C212 and third channel C213 set up, between first module 203 and three module 202, set up four-way C214 via second module 205.In the utility model, three module 202 calls the function of first module 203 to carry out digital signature operation of the present utility model by four-way C214, perhaps read the data in first module 203 or in first module 203, write data, can make digital signature system safer, more reliable thus.Four-way for example can see below the described flow process of Fig. 9 A-9B and be set up like that.
Optionally, this digital signature system may further include four module 204, is used for the information behind the signature is verified and business is handled.In this case, four module 204 is by the information row checking of five-way road C215 after to the digital signature that receives from three module 202, the result handles the business datum that receives from described three module 202 according to checking, and result is sent to three module 202.Like this, this digital signature system also has service processing function except the function with the efficient public security system set up.
First module instance: based on the digital signature device of mobile communications network
First module for example can be the digital signature device based on mobile communications network as shown in Figure 3.Certainly, the form of first module of the present utility model and environment for use etc. are not limited in this, and those skilled in the art can make various modifications and conversion to it after reading and understanding the utility model.Fig. 3 is according to the structure chart of first module in the data handling system of an exemplary embodiment of the utility model as an example of the digital signature device that has mobile communication function.As shown in Figure 3, digital signature device can comprise first display unit 3031, first input unit 3032, digital signature unit 3033, identity authenticating unit 3034, the first authentication code unit 3035, the first safety function unit 3036 and first mobile comm unit 3037.
First display unit 3031 links to each other with digital signature unit 3033, identity authenticating unit 3034 and the first authentication code unit 3035 respectively, first input unit 3032 links to each other with identity authenticating unit 3034 with digital signature unit 3033, the first authentication code unit 3035 respectively, digital signature unit 3033, identity authenticating unit 3034 and the first authentication code unit 3035 also link to each other with the first safety function unit 3036 separately, and the first safety function unit 3036 also links to each other with first mobile comm unit 3037.
The user can confirm the information that the user need sign by first input unit 3032, can also import all or part of information that needs signature, also can import subscriber identity information and/or initiate to produce first authentication code.First input unit can key device form realize.Use key device identical, and its cost is low with existing banking equipment such as code keypad operating habit.Certainly, first input unit is not limited to this, also can comprise other input unit parts that those skilled in the art can expect or substitute, for example fingerprint sensor, vocal print harvester, iris capturing device or recognition of face harvester etc. by it.Use the mode of these biomedical information acquisitions can allow the user need not to remember authentication information such as password, and biological information can not lose, be difficult to forge, its fail safe is stronger.
Identity authenticating unit 3034 can be verified the subscriber identity information from first input unit 3032, the perhaps subscriber identity information that transmits through the first safety function unit 3036 of three module, and identity information verified that the result exports to the first safety function unit 3036 and first display unit 3031, can start digital signature unit 3033 after the subscriber identity information checking is correct and carry out signature operation.
The information of the needs signature that 3033 pairs of digital signature unit transmit through the first safety function unit 3036 from first input unit 3032 and/or from three module is carried out digital signature.Before signature, will need the information of digital signature to export to first display unit 3031, and being shown to the user, thereby the user can be confirmed by 3032 pairs of these information of first input unit.The digital signature unit can carry out digital signature by the association key and the algorithm of built-in digital signature, also can carry out digital signature by other modes known to those skilled in the art.
The first authentication code unit 3035 initiates to produce first authentication code according to connection request, and first authentication code is exported to first display unit 3031.This connection request can be that the user passes through 3032 initiations of first input unit as previously mentioned, also can be that the user initiates and transmits via the first safety function unit by second input unit of three module as described later.Preferably, safer preventing that authentication code from revealing because of change in time for making system, each to connect first authentication code that is produced all different.More preferably, further safety is to prevent that working as time authentication code is revealed in order to make system, and first authentication code can be a random number.
In addition, the first authentication code unit further compares first authentication code of current generation and user by the authentication code of second input unit input of three module, comparison result is exported to first display unit 3031, and comparison result is passed to second module by the first safety function unit 3036.Optionally, under the situation of doing the authentication code comparison by the aftermentioned second authentication code unit, the first safety function unit 3036 can be exported to first authentication code of current generation in the first authentication code unit, so that the second authentication code unit of second module can receive this authentication code and compare by the authentication code of second input unit input of three module with the user.
First mobile comm unit 3037 communicates with the outside.First mobile comm unit 3037 can built-in at least a mobile radio communication WAP (wireless access protocol) stack, as: the mobile communication wireless protocol stack of standards such as GPRS, EDGE, narrowband CDMA, CDMA2000, WCDMA, TD-SCDMA or LTE.Thus, digital signature device of the present utility model can be set up with second module in any zone that has mobile communications network wireless signal and/or network signal to cover and communicate by letter, can make the user receive signing messages at any time easily and add their confirmation, for example move, digital signature easily.First mobile comm unit is built-in network protocols stack (as TCP/IP) further, so that the network protocol stack of the utilization equity that gateway can be convenient and first module establish a communications link.
First display unit 3031 can show various data, for example, from the needs of digital signature unit 3033 carry out the information of digital signature, from first authentication code of the first authentication code unit 3035 or (described later) second authentication code with from the authentication code comparison result of the first authentication code unit 3035, also can optionally show from the subscriber identity information of identity authenticating unit 3034 and/or identity information checking result or the like.Certainly, other output blocks that first display unit also can be expected by those skilled in the art substitute, for example audio output part etc.
The data that the first safety function unit 3036 transmits between can the second communication unit to first mobile comm unit 3037 and (described later) second module are protected.Particularly, the related datas such as user profile, authentication code and/or authentication information before and after the 3036 pairs of digital signature in the first safety function unit are protected.Can also be built-in or obtaining with the second module cipher key shared and algorithm and set up safer first passage in the first safety function unit 3036, perhaps can set up safer first passage by mode well known to those skilled in the art.It is pointed out that as described later the first safety function unit 3036 is not necessary, the first safety function unit can be removed the second safety function unit in aftermentioned second module.Under the first safety function unit, 3036 non-existent situations, digital signature unit 3033, identity authenticating unit 3034 and first authentication ' unit 3035 directly are connected with first mobile comm unit 3037, and all exchanges data are also directly carried out with first mobile comm unit 3037.
Preferably, digital signature unit 3033, identity authenticating unit 3034, the first authentication code unit 3035 and the first safety function unit 3036 can be integrated in the same chips, so that the structure of digital signature device is simpler, more portable.And this implementation is sealed the circulation of information more, and system is more safe and reliable.
Fig. 8 is the structure chart according to an example of digital signature device of the present utility model.As shown in Figure 8, this digital signature device can comprise master cpu (built-in cryptographic algorithm and safe storage function) 801, liquid crystal indicator 802, wireless modem chipset (containing SIM card) 803 and antenna 804, button and finger print input device 805, data and charging inlet device 806 and be used for battery 807 to the power supply of this device.Integrated digital signature unit, identity authenticating unit, the first authentication code unit and the first safety function unit in the master cpu 801; Wireless modem chipset 803 is corresponding to first wireless communication unit; Liquid crystal indicator 802 is corresponding to first display unit; And button and finger print input device 805 are corresponding to first input unit.Master cpu 801 directly links to each other respectively with liquid crystal indicator 802, wireless modem N chipset 803, button and finger print input device 805, data and charging inlet 806.Certainly, this signature apparatus can further include traditional and the interface arrangement user terminal direct communication, and for example bluetooth, USB are from interface etc., so that satisfy the demand that the user connects tradition.
Second module instance: security gateway
Second module for example can be a security gateway as shown in Figure 4.Certainly, the form of second module of the present utility model and environment for use etc. are not limited in this, and those skilled in the art can make various modifications and conversion to it after reading and understanding the utility model.As mentioned above, second module can play the effect of gateway, and for the strengthening system fail safe, security gateway is a better implementation.Fig. 4 is according to the structure chart of second module in the data handling system of an exemplary embodiment of the utility model as an example of security gateway.As shown in Figure 4, this security gateway can comprise: the second communication unit 4051 that communicates with first module 203; The third communication unit 4055 that communicates with three module 202; The second safety function unit 4052; Data buffer storage unit 4054; With the second authentication code unit 4053.
The second safety function unit 4052 links to each other with second communication unit 4051, data buffer storage unit 4054 links to each other with third communication unit 4055 with the second safety function unit 4052 respectively, and the second authentication code unit 4053 links to each other with third communication unit 4055 with the second safety function unit 4052 respectively.
The second safety function unit 4052 can be used for further guaranteeing that the first passage between first module and second module is safe.For example, the second safety function unit can use relevant key and algorithm that the data of transmitting in the first passage are carried out encryption and decryption, guarantees the fail safe of first passage.In fact as general gateway, can save the second safety function unit 4052.When saving the second safety function unit 4052, data buffer storage unit 4054, the second authentication code unit 4053 directly link to each other with second communication unit 4051 respectively.
Data buffer storage unit 4054 can be used for storing the nonsensitive data (digital certificate that does not for example comprise private key) that flows to second module in the four-way from first module, like this, if three module need repeatedly read same nonsensitive data from first module, just can all read at every turn, and can read from the data buffer storage unit second module from first module.Can reduce data traffic between first module 203 and second module like this, raise the efficiency.Certainly, the nonsensitive data of the utility model indication is not limited to not comprise the digital certificate of private key, and any available non-sensitive information known to those skilled in the art may be used to the utility model.It is pointed out that data buffer storage unit 4054 can save.Under the situation that does not have data buffer storage unit 4054, all information that three module reads from first module all directly read from first module.
The second authentication code unit 4053 can initiate to produce second authentication code according to connection request, and second authentication code is exported to first display unit of first module.This connection request can be first input unit initiation that the user passes through first module as previously mentioned, also can be that the user initiates and transmits via the first safety function unit by second input unit of three module as described later.Preferably, safer preventing that authentication code from revealing because of change in time for making system, each to connect second authentication code that is produced all different.More preferably, further safety is to prevent that working as time authentication code is revealed in order to make system, and second authentication code can be a random number.
In addition, the second authentication code unit 4053 can also be imported second authentication code and the user of current generation by second input unit of three module authentication code compares, and comparison result exported to first display unit of first module, and comparison result is passed to three module by third communication unit 4055.Optionally, under the situation of doing the authentication code comparison by the aforementioned first authentication code unit, the second safety function unit 4052 can be exported to second authentication code of current generation in the second authentication code unit, so that the first authentication code unit of first module can receive this authentication code and compare by the authentication code of second input unit input of three module with the user.
The structure of second communication unit can be identical or similar with the structure of first mobile comm unit, for avoiding repetition, repeats no more here.
Third communication unit can be any communicating devices that realizes that those skilled in the art can expect.Three module example: user terminal
Three module for example can be a kind of user terminal as shown in Figure 5.Certainly, the form of three module of the present utility model and environment for use etc. are not limited in this, and those skilled in the art can make various modifications and conversion to it after reading and understanding the utility model.Fig. 5 is as a kind of structure chart of an example of user terminal according to three module in the data handling system of an exemplary embodiment of the utility model.Can generate the information that needs signature on this user terminal, the information behind the signature can be sent to service server with business datum.As shown in Figure 5, this user terminal can comprise: believe unit 5024 with the four-way that second module 205 communicates; Second display unit 5022; Second input unit 5021; Signing messages commit unit 5023; With business datum commit unit 5025.
Second display unit 5022 links to each other with business datum commit unit 5025 with signing messages commit unit 5023 respectively, second input unit 5021 links to each other with business datum commit unit 5025 with signing messages commit unit 5023 respectively, signing messages commit unit 5023 links to each other with professional commit unit with four-way letter unit 5024 respectively, and business datum commit unit 5025 links to each other with five-way letter unit 5026.
As previously mentioned, the user can initiate to produce first or second authentication code by all or part of information, the subscriber identity information that needs signature of first input unit input of first module, also can not carry out these operations by this first input unit.Do not need under the information state of signature by first input unit input of first module the user, the user can need the information of signature by second input unit, 5021 inputs of three module.In addition, under the information state that the user need sign by the first input unit importation of first module, the user can import the information that remainders need be signed by second input unit 5021 of three module.Do not import under the situation of subscriber identity information by first input unit of first module the user, the user can be by second input unit, the 5021 input subscriber identity informations of three module.Do not initiate to produce under the situation of first authentication code or second authentication code by first input unit of first module the user, the user can initiate to produce first authentication code or second authentication code by second input unit 5021 of three module.Second input unit 5021 can key device form realize.Because traditional computer equipment all is to adopt keyboard as input mode, adopt key device to make conventional computer device can be used as user terminal.Certainly, second input unit 5021 is not limited to this, also can be corresponding to the configuration of first input unit, comprise other input unit parts that those skilled in the art can expect or substitute, for example fingerprint sensor, vocal print harvester, iris capturing device or recognition of face harvester etc. by it.Use the mode of this class biomedical information acquisition can allow the user need not to remember authentication information such as password, and biological information can not lose, be difficult to forge, its fail safe is stronger.
Second display unit 5022 can show various data, for example, from the data of the needs of signing messages commit unit 5023 signature, from the business datum of business datum commit unit 5025, authentication code, authentication code comparison result and/or subscriber identity information of user's input or the like.Certainly, other output blocks that second display unit also can be expected by those skilled in the art substitute, for example audio output part etc.
Signing messages commit unit 5023 carries out need the information of digital signature and submits to first module 203 to carry out the digital signature operation or first module 203 is write data and/or sense data operation through four-way letter unit 5024, the four-way C214 that is set up and second module 205.Four-way C214 and the four-way letter unit 5024 of information behind the signature through being set up sends back signing messages commit unit 5023.
Optionally, also have in data handling system under the situation of service processing function, that is to say, further comprise in data handling system and to be used for business handled and (as previously mentioned the information behind the signature, information behind the signature is by first module information of needs signature to be carried out generating after the digital signature, and be transferred to three module through four-way) under the situation of the four module 204 verified, the signing messages commit unit sends the information after signing to the business datum commit unit, and the information of business datum commit unit 5025 behind 5026 signatures in five-way letter unit is submitted to four module 204 together with business datum.
The 4th can be any communicating devices that realizes that those skilled in the art can expect to five-way letter unit.
This user terminal can be by desktop computer, notebook computer, panel computer, mobile phone, personal digital assistant, ATM or the arbitrary realization of POS machine, but is not limited to this, as long as can using of can expecting of those skilled in the art.These user terminals all are existing terminals, need not to make any change, save system's construction cost.
It is pointed out that at one and can realize digital signature and need not to carry out in the system of Business Processing that the business datum commit unit is omissible.
Four module example: service server
As mentioned above, also have in data handling system under the situation of service processing function, this system can also have and is used for business is handled and to the four module verified of information behind the signature.Four module for example can be a kind of service server as shown in Figure 6.Certainly, the form of four module of the present utility model and environment for use etc. are not limited in this, and those skilled in the art can make various modifications and conversion to it after reading and understanding the utility model.Fig. 6 is the structure chart according to four module in the data handling system of an exemplary embodiment of the utility model.As shown in Figure 6, this service server can comprise: the 6th communication unit 6043 that communicates with three module 202; Service Processing Unit 6041; With signature verification unit 6042.
Signature verification unit 6042 links to each other respectively with Service Processing Unit 6041 with the 6th communication unit 6043.
Signature verification unit 6042 can be used for information and the business datum from after the digital signature of five-way letter unit 5026 that receive from the 6th communication unit 6043 are verified, and will verify that the result sends to the 6th communication unit 6043 and Service Processing Unit 6041 respectively.
Service Processing Unit 6041 is used for carrying out Business Processing and sending result to the 6th communication unit 6043 according to this checking result.
More than about according to the data handling system of an exemplary embodiment of the utility model detailed respectively exemplified its each module.Below, the example and the operating process thereof of the digital signature system of such data treatment system are described in conjunction with Fig. 7 and Fig. 9 A-12.
Fig. 7 is the overall structure figure according to an example of digital signature system of the data handling system of an exemplary embodiment of the utility model.As shown in Figure 7, be first module based on the digital signature device 703 of mobile communications network, security gateway 705 is second module, the user terminal that can surf the Net for example notebook computer 702 is a three module, and service server 704 is a four module.Represent based on the digital signature device 703 of mobile communications network and the first passage between the security gateway 705 with C711; Represent second channel between security gateway and the notebook computer 702 with C712; Represent notebook computer 702 and based on the third channel between the digital signature device 703 of mobile communications network with C713, wherein third channel C713 can look sense information and this information is set up in the input unit input of three module from the output unit of first module by the user.The shared key that writes when preferably, first passage C711 can be by device initialize as previously mentioned at security gateway 705 and between based on the digital signature device 703 of mobile communications network is realized its further fail safe.
Below, the operating process of this example will be described in conjunction with Fig. 9 A-Figure 12.In operating process, signature apparatus at first will be connected with user terminal sets up four-way.After setting up, four-way can carry out the operation of authentication.After the authentication operation success, user terminal just can carry out the read-write of signature apparatus and carry out the digital signature operation.The user can select to disconnect being connected of four-way between signature apparatus and the user terminal after action required was finished.
The connection procedure example 1 of signature apparatus and user terminal
As previously mentioned, in the utility model, three module calls first module to carry out digital signature operation of the present utility model by four-way, perhaps reads the data in first module or write data in first module, can make data handling system safer, more reliable thus.Therefore, an example of the foundation of four-way at first is described here.
Fig. 9 A is the flow chart according to first kind of method for building up example of four-way in the example of the data handling system of an exemplary embodiment of the utility model.
Shown in Fig. 9 A, from step S900.At step S901, the user for example initiates to connect by notebook computer 702, sets up second channel C712.For example, setting up a SSL between user's notebook computer 702 and security gateway 705 connects.
Then, at step S902, the user is input to the equipment number of the account on the notebook computer 702.
Then, at step S903, notebook computer 702 is mentioned connection request by second channel C712 to security gateway 705.
At step S904, security gateway 705 with set up first passage C711 based on the digital signature device 703 of mobile communications network by foregoing shared key accordingly.If can't be connected (for example under the situation of user's shutdown, or under the situation of number of the account input error) with corresponding digital signature apparatus 703, then arrive step S909, connection failure disconnects second channel C712, and this operation finishes at step S911 at this point., arrives first passage step S905 if effectively setting up, security gateway 705 and signature apparatus 703 are shared second authentication code that first authentication code that the first authentication code unit produces or the second authentication code unit produce by first passage, and with its first display unit that is presented at signature apparatus 703 for example on the LCDs.
At step S906, the user is in input equipment number of the account on the notebook computer 702 and be presented at authentication code on the display screen of signature apparatus 703, and notebook computer 702 sends to security gateway 705 with this authentication code with the equipment number of the account by second channel C712.
At step S907, security gateway 705 will be compared with the authentication code of sharing by first passage C711 from the authentication code of second channel C712, if two authentication code differences, then arrive step S910, connection failure, and disconnect first passage C711 and second channel 712, and it is invalid that this connects the shared authentication code that is generated, and this operation finishes at step S912 at this point.If two authentication codes are identical, then arrive step S908, successful connection is set up four-way C714 through security gateway between signature apparatus 703 and the notebook computer 702, and this operation finishes at step S913 at this point.
The connection procedure example 2 of signature apparatus and user terminal
Perhaps, four-way also can be taked other the mode of setting up, the another kind of method for building up example shown in Fig. 9 B for example according to four-way in the example of the data handling system of an exemplary embodiment of the utility model, certainly, the utility model is not limited to this, and those skilled in the art obviously can make other modification and conversion according to these methods.The another kind of method for building up example of four-way is described below in conjunction with Fig. 9 B.
Fig. 9 B is the flow chart according to the another kind of method for building up example of four-way in the example of the data handling system of an exemplary embodiment of the utility model.
Shown in Fig. 9 B, from step S920.At step S921, the user for example initiates to connect based on the digital signature device 703 of mobile communications network.For example, the user initiates to connect by the button of digital signature device 703.
Then, at step S922, digital signature device 703 initiates to set up first passage C711 with security gateway 705 by foregoing shared key.If step S927 is then arrived in connection failure (for example under the bad situation of no network signal or network signal), this operation finishes at step S929 at this point.If, step S923 is then arrived in successful connection, security gateway 705 is shared first authentication code of first authentication code unit generation or second authentication code that the second authentication code unit produces with signature apparatus 703 by first passage, and it is presented on the LCDs of signature apparatus 703.
At step S924, the user is in input equipment number of the account on the notebook computer 702 and be presented at authentication code on the display screen of signature apparatus 703, and notebook computer 702 sends to security gateway 705 with this authentication code with the equipment number of the account by second channel C712.
At step S925, security gateway 705 will be from the authentication code of second channel C712 and the checking of comparing by the shared authentication code of first passage C711, if two authentication code differences, then arrive step S928, connection failure, disconnect first passage C711, it is invalid that this connects the shared authentication code that generates, and this operation finishes at step S930 at this point.If two authentication codes are identical, then arrive step S926, successful connection is set up four-way C714 through security gateway between signature apparatus 703 and the notebook computer 702, and this operation finishes at step S931 at this point.
Four-way disconnects process example 1
Preferably, four-way C714 can disconnect after the digital signature operation is finished, shown in Figure 10 A and 10B, with further guarantee when time operation do not influenced or utilize by external unsafe factor, thereby the data handling system of making and operation safe thereof, reliably.First kind of disconnect method example of four-way at first is described in conjunction with Figure 10 A below.
Figure 10 A is the flow chart according to first kind of disconnect method example of four-way in the example of the data handling system of an exemplary embodiment of the utility model.
Shown in Figure 10 A, from step S1000.At step S1001, the user for example initiates the disconnection of four-ways by notebook computer 702, to disconnect and being connected of signature apparatus 703.For example, the user is by clicking corresponding button at the interface of notebook computer, or does corresponding input on keyboard of notebook computer.
Then, at step S1002, notebook computer 702 is submitted to security gateway 705 to the equipment number of the account that will disconnect signature apparatus by second channel C712.
Then, at step S1003, security gateway 705 disconnects first passage C711, second channel C712 and four-way C714 to disconnection information notice notebook computer 702 and signature apparatus 703, and the authentication code that this operation has been produced is invalid, and this operation finishes at step S1004 at this point.
Four-way disconnects process example 2
Perhaps, four-way also can be taked other disconnect mode, the another kind of disconnect method example shown in Figure 10 B for example according to four-way in the example of the data handling system of an exemplary embodiment of the utility model, certainly, the utility model is not limited to this, and those skilled in the art obviously can make other modification and conversion according to these methods.The another kind of disconnect method example of four-way is described below in conjunction with Figure 10 B.
Figure 10 B is the flow chart according to the another kind of disconnect method example of four-way in the example of the data handling system of an exemplary embodiment of the utility model.
Shown in Figure 10 B, from step S1010.At step S1011, the user for example initiates the disconnection of four-way by press corresponding button on signature apparatus 703, to disconnect and being connected of notebook computer 702.
Then, at step S1012, signature apparatus 703 proposes the disconnection request to security gateway 705.
Then, at step S1013, security gateway 705 disconnects first passage C711, second channel C712 and four-way C714 to disconnection information notice notebook computer 702 and signature apparatus 703, and the authentication code that this operation has been produced is invalid, and this operation finishes at step S1014 at this point.
Authentication process itself example 1
After four-way is set up, need carry out an authentication process itself, authentication by after can carry out digital signature.Shown in Figure 11 A and 11B, authentication process itself can guarantee that user and equipment holder are corresponding, prevents the hidden danger of generation when equipment is stolen, thus the data handling system of making and operation safe thereof, reliable.The first method example of authentication at first is described in conjunction with Figure 11 A below.
Figure 11 A is the flow chart according to the first method example of authentication in the example of the data handling system of an exemplary embodiment of the utility model.
Shown in Figure 11 A, from step S1100.In step 1101, the user for example imports PIN code as user identity (checking) information in for example PIN code (PIN) input frame on notebook computer 702.
Then, at step S1102, subscriber identity information passes to signature apparatus 703 by four-way C714.
Then, at step S1103, signature apparatus 703 utilizes the subscriber identity information that receives to carry out authentication.
At last, at step S1104, signature apparatus 703 passes to user's notebook computer 702 to the result of authentication by four-way C714, and this operation finishes at step S1105 at this point.
Authentication process itself example 2
Perhaps, authentication process itself also can be taked other mode, the another kind of method example shown in Figure 11 B for example according to authentication in the example of the data handling system of an exemplary embodiment of the utility model, certainly, the utility model is not limited to this, and those skilled in the art obviously can make other modification and conversion according to these methods.Another kind of method example below in conjunction with Figure 11 B explanation authentication.
Figure 11 B is the flow chart according to the another kind of method example of authentication in the example of the data handling system of an exemplary embodiment of the utility model.
Shown in Figure 11 B, from step S1110.In step 1111, the user for example imports PIN code as subscriber identity information in for example PIN code (PIN) input frame on signature apparatus 703.
Then, at step S1112, the subscriber identity information of 703 pairs of above-mentioned inputs of signature apparatus carries out authentication.
At last, at step S1113, signature apparatus is presented at the authentication result on for example display unit of signature apparatus, and by four-way C714 the result of authentication is passed to user's notebook computer 702, and this operation finishes at step S1114 at this point.
Reading word certificate example
As previously mentioned, in the utility model, under the situation that four-way is set up, and under the prerequisite of its authentication success, three module calls first module to carry out digital signature operation of the present utility model by four-way, perhaps reads the data in first module or write data in first module 203.Therefore, illustrate that in conjunction with Figure 12 and Figure 13 the process of reading word certificate and data handling system are having service processing function respectively below, that is, have the process instance that four module for example carries out professional signature and handles under the example case of service server.Certainly, the utility model is not limited to this, and those skilled in the art obviously can make other modification and conversion according to it.
Figure 12 is the flow chart according to reading word certificate example in the example of the data handling system of an exemplary embodiment of the utility model.
As shown in figure 12, from step S1200.At step S1201, the user for example initiates to read digital certificate by a corresponding button that reads on the certificate application interface that clicks on the notebook computer 702, and notebook computer 702 will ask to offer security gateway 705 with the equipment number of the account by four-way C712.
At step S1202, whether security gateway 705 is inquired about the corresponding digital certificate according to the equipment number of the account and is buffered in the gateway.If no, then arrive step S1206, from signature apparatus 703, read digital certificate data by four-way C711, then to step S1205.If have, then directly arrive step S1203.
At step S1203, security gateway 705 reads its certificate characteristic value by four-way from device.
At step S1204, security gateway 705 compares according to characteristic value that reads and the characteristic value that is stored in the gateway, judges whether it is up-to-date certificate.If not, then arrive step S1206, from signature apparatus 703, read digital certificate data by four-way C711, then to step S1205.If then directly arrive step S1205.
At step S1205, security gateway 705 returns to notebook computer 702 by four-way with digital certificate data, and this operation finishes at step S1207 at this point.
The example that information is signed
Below the explanation data handling system is having service processing function, that is, under the situation that four-way successfully is set up, have four module and for example carry out professional the signature and an example of the process of processing under the example case of service server.Figure 13 is the flow chart that carries out the business datum signature in the example according to the data handling system of an exemplary embodiment of the utility model and handle example.Certainly, the utility model is not limited to this, and those skilled in the art obviously can make other modification and conversion according to it.
As shown in figure 13, from step S1300.At step S1301, the user is in the information and the business datum of the relevant needs signature of notebook computer 702 inputs.
At step S1302, notebook computer 702 sends to signature apparatus 703 to the message part of needs signature by four-way C714.
At step S1303, the user need to confirm the information of signature and this information is carried out digital signature on signature apparatus 703.
At step S1304, the information behind the signature turns back to notebook computer 702 by four-way C714.
At step S1305, notebook computer 702 sends to service server 704 to signature back information and business datum by five-way road C715.
At step S1306, the industry of going forward side by side of the information behind service server 704 certifying signatures be engaged in to be handled, and after finishing service processing result is returned to notebook computer 702 by five-way road C715, and this operation finishes at step S1307 at this point.
The front has exemplified in detail in conjunction with each execution mode of the present utility model digital signature device of the present utility model and data handling system has been described.By adopting digital signature device of the present utility model and data handling system, can make data handling system safer, credible.
In addition, digital signature device of the present utility model and data handling system can be used for various emerging terminals, make the manpower cost and the cost of system development and application be minimized.
Further, by adopting digital signature device of the present utility model and data handling system, can make that the user moves, digital signature easily.
The front is described the utility model in detail in conjunction with exemplary embodiment of the present utility model; but it will be appreciated by those skilled in the art that; these exemplary embodiment and example should be as the restrictions to protection range of the present utility model, those to one skilled in the art clearly modification, conversion and replacement all should drop in the protection range of the present utility model.

Claims (37)

1. data handling system is characterized in that comprising:
First module (203), described first module comprises digital signature device, described digital signature device comprises:
First input unit (3032);
First output unit (3031);
First communication unit (3037), described first communication unit is used for communicating with the outside;
Digital signature unit (3033), described digital signature unit links to each other respectively with described first output unit, described first communication unit and described first input unit, and be used for after the user confirms the information of described needs signature through the information of described first input unit affirmation needs signature or from the outside through described first communication unit, the described information that needs to sign being carried out digital signature and being sent the information after the digital signature to outside via described first communication unit;
Identity authenticating unit (3034), described identity authenticating unit links to each other respectively with described first communication unit, described first input unit and described first output unit, and be used to verify from the subscriber identity information of described first input unit or the subscriber identity information that transmits through described first communication unit from the outside, and will verify that the result exports to described first output unit and sends the outside to via described first communication unit; And
The first authentication code unit (3035), the described first authentication code unit links to each other respectively with described first input unit, described first communication unit and described first output unit, and be used for producing first authentication code by first connection request of described first input unit initiation or according to the user from the outside through second connection request that described first communication unit is initiated according to the user, and described first authentication code exported to described first output unit
Wherein said digital signature unit (3033) carries out described digital signature after the subscriber identity information checking is correct;
Play second module (205) of gateway effect, described second module communicates by first passage (C211) and described first module; And
Be used to carry out the three module (202) that signing messages is submitted to, described three module communicates by second channel (C212) and described second module, and directly communicates with described first module by third channel (C213),
Wherein, under the prerequisite that described first passage, described second channel and described third channel are all set up, between described first module and described three module, set up four-way (C214) via described second module, the four-way that described three module passes through to be set up calls described first module to carry out the digital signature operation, and the four-way that perhaps described three module passes through to be set up reads the data in described first module or write data in described first module.
2. data handling system as claimed in claim 1, it is characterized in that, whether the described first authentication code unit (3035) also is used for comparison identical with described first authentication code via the authentication code that described first communication unit (3037) transmits from the outside, and the first authentication code comparison result is exported to described first output unit.
3. data handling system as claimed in claim 1, it is characterized in that, whether the described first authentication code unit (3035) also is used for sending described first authentication code to described second module via described first communication unit, with identical from the authentication code of described three module input with the user via first authentication code that described first communication unit (3037) transmits by described second module comparison.
4. as the arbitrary described data handling system of claim 1-3, it is characterized in that, described first output unit (3031) comprise following one of at least: show output unit, first audio output unit and projection output unit.
5. as the arbitrary described data handling system of claim 1-3, it is characterized in that described first input unit (3032) is the information that is used to import the needs signature, the information of confirming the needs signature, input subscriber identity information or the input unit of initiating first connection request.
6. as the arbitrary described data handling system of claim 1-3, it is characterized in that described first input unit (3032) is a key device.
7. as the arbitrary described data handling system of claim 1-3, it is characterized in that, described first input unit (3032) also comprise be used to import subscriber identity information with lower device one of at least: fingerprint acquisition device, vocal print harvester, iris capturing device and recognition of face harvester.
8. as the arbitrary described data handling system of claim 1-3, it is characterized in that the described first authentication code unit (3035) is in each authentication code unit that produces the first different authentication codes that connects.
9. as the arbitrary described data handling system of claim 1-3, it is characterized in that the described first authentication code unit (3035) is to produce the authentication code unit of random number as first authentication code.
10. as the arbitrary described data handling system of claim 1-3, it is characterized in that, described digital signature device is the mobile digital signature apparatus, and wherein said first communication unit (3037) is the radio communication device that is built-in with mobile radio communication WAP (wireless access protocol) stack.
11. data handling system as claimed in claim 10, it is characterized in that the described radio communication device that is built-in with mobile radio communication WAP (wireless access protocol) stack is the mobile communication wireless protocol stack radio communication device one of at least that is built-in with following standard: GPRS, EDGE, narrowband CDMA, CDMA2000, WCDMA, TD-SCDMA and LTE.
12., it is characterized in that described first communication unit (3037) is the radio communication device that also is built-in with network protocol stack as claim 10 or 11 described data handling systems.
13., it is characterized in that described first communication unit (3037) is the radio communication device that also is built-in with TCP/IP as claim 10 or 11 described data handling systems.
14. as the arbitrary described data handling system of claim 1-3, it is characterized in that, described digital signature unit also be used for from the outside through described first communication unit or send to described first output unit from the information of the needs of described first input unit signature.
15. as the arbitrary described data handling system of claim 1-3, it is characterized in that described digital signature unit also is used for sending to described first output unit the information that need sign from the part through described first communication unit of outside with from the information that another part of described first input unit need be signed.
16. as the arbitrary described data handling system of claim 1-3; it is characterized in that; described digital signature device also comprises the first safety function unit (3036); described first communication unit (3037) links to each other respectively with described digital signature unit (3033), described identity authenticating unit (3034) and the described first authentication code unit (3035) via the described first safety function unit and communicates, and the described first safety function unit is used for the data of described first communication unit transmission are protected.
17., it is characterized in that described digital signature unit (3033), described identity authenticating unit (3034) and the described first authentication code unit (3035) are integrated in the same chips as the arbitrary described data handling system of claim 1-3.
18. data handling system as claimed in claim 16, it is characterized in that described digital signature unit (3033), described identity authenticating unit (3034), the described first authentication code unit (3035) and the described first safety function unit (3036) are integrated in the same chips.
19., it is characterized in that described digital signature device one of also comprises with lower device at least: blue tooth interface device and USB are from interface arrangement as the arbitrary described data handling system of claim 1-3.
20., it is characterized in that described second module (205) comprising as the arbitrary described data handling system of claim 1-3:
The second communication unit (4051) that communicates with described first module (203);
The third communication unit (4055) that communicates with described three module (202); And
The second authentication code unit (4053), the described second authentication code unit links to each other respectively with described third communication unit with described first communication unit, and be used for producing second authentication code by the 3rd connection request of described first input unit initiation or the 4th connection request of initiating through described third communication unit from three module, send described second authentication code to described first output unit via described second communication unit (4051), described first passage (C211) and described first communication unit (3037) according to the user according to the user.
21. data handling system as claimed in claim 20 is characterized in that, the described second authentication code unit (4053) is each authentication code unit that produces the second different authentication codes.
22., it is characterized in that the described second authentication code unit (4053) is to produce the authentication code unit of random number as second authentication code as the arbitrary described data handling system of claim 20.
23. as the arbitrary described data handling system of claim 20, it is characterized in that, the user from the described first input unit input authentication sign indicating number and transmit via described first communication unit under the situation of authentication code of input, whether the described second authentication code unit (4053) also is used to compare the user identical with described second authentication code from described first input unit input and the authentication code that transmits via described first communication unit (3037), and with the second authentication code comparison result via described second communication unit (4051), described first passage (C211) and described first communication unit (3037) send described first output unit to.
24. as the arbitrary described data handling system of claim 20, it is characterized in that, the user not from the described first input unit input authentication sign indicating number but from described three module input authentication sign indicating number and transmit via described third communication unit under the situation of authentication code of input, whether the authentication code that the described second authentication code unit also is used to compare the described input that the user transmits from described three module input and via described third communication unit identical with described second authentication code, and with this second authentication code comparison result via described third communication unit, (C212) sends described three module to described second channel.
25. as the arbitrary described data handling system of claim 20, it is characterized in that, initiate described first connection request or initiate described second connection request through described first communication unit by described first input unit the user from described three module, so that producing described first authentication code and send described first authentication code to the described second authentication code unit via described first communication unit and described second communication unit, the described first authentication code unit substitutes under the situation of comparing the described first authentication code unit, whether the authentication code that the described second authentication code unit also is used to compare user's input is identical with described first authentication code, and with this first authentication code comparison result via described third communication unit, (C212) sends described three module to described second channel, perhaps with this first authentication code comparison result via described second communication unit, described first passage (C211) and described first communication unit send described first output unit to.
26. as the arbitrary described data handling system of claim 20, it is characterized in that, described second module also comprises data buffer storage unit (4054), described data buffer storage unit links to each other with described third communication unit with described second communication unit respectively, and is used for the data that buffer memory reads from described first module via described second communication unit and described first communication unit.
27. data handling system as claimed in claim 26 is characterized in that, described data buffer storage unit (4054) is to be used for non-sensitive information partial data buffer unit in described first module of buffer memory (203).
28. data handling system as claimed in claim 27, it is characterized in that the described non-sensitive information partial data buffer unit that is used in described first module of buffer memory is to be used for the data buffer storage unit of the digital certificate that does not comprise private key in described first module of buffer memory.
29. as the arbitrary described data handling system of claim 20; it is characterized in that; described second module also comprises the second safety function unit (4052); described second communication unit links to each other with the described second authentication code unit via the described second safety function unit, and is used for the data of described second communication unit transmission are protected.
30. as the arbitrary described data handling system of claim 26; it is characterized in that; described second module also comprises the second safety function unit (4052); described second communication unit links to each other with described data buffer storage unit with the described second authentication code unit via the described second safety function unit, and is used for the data of described second communication unit transmission are protected.
31., it is characterized in that described three module (202) comprising as the arbitrary described data handling system of claim 1-3:
Believe unit (5024) with the four-way that described second module (205) communicates;
Second output unit (5022);
Second input unit (5021); And
Signing messages commit unit (5023), described signing messages commit unit links to each other with described second output unit, described second input unit and described four-way letter unit respectively, and is used for through described four-way letter unit, the four-way of being set up and described second module information of described needs signature being submitted to described first module to carry out described digital signature operation or described reading or the said write data manipulation.
32. as the arbitrary described data handling system of claim 1-3, it is characterized in that described data handling system also comprises four module (204), described four module be used for to by five-way road (C215) after the described described digital signature that receives of described three module information verify, the result handles the business datum that receives from described three module according to this checking, and result is sent to described three module.
33. data handling system as claimed in claim 32 is characterized in that, described three module (202) comprising:
Believe unit (5024) with the four-way that described second module (205) communicates;
Believe unit (5026) with described four module (204) by the five-way that described five-way road (C215) communicates;
Second output unit (5022);
Second input unit (5021);
Signing messages commit unit (503), described signing messages commit unit links to each other with described second output unit, described second input unit and described four-way letter unit respectively, and is used for through described four-way letter unit, the four-way of being set up and described second module information of described needs signature being submitted to described first module to carry out the digital signature operation or to read or write data manipulation; And business datum commit unit (5025), wherein said business datum commit unit links to each other with described second output unit, described second input unit and described five-way letter unit respectively, is used for utilizing the business datum of described second input unit input to submit to described four module through described five-way letter unit and described five-way road the user.
34. data handling system as claimed in claim 31 is characterized in that, described second output unit (5022) comprise following one of at least: show output unit, audio output unit and projection output unit.
35. data handling system as claimed in claim 32 is characterized in that, described four module (204) comprising:
The 6th communication unit (6043) that communicates with described three module (202);
Signature verification unit (6042), described signature verification unit links to each other with described the 6th communication unit, and be used for verifying, and should verify that the result sent to described Service Processing Unit and sends to described three module through described the 6th communication unit from the information of described three module after the described digital signature that described the 6th communication unit receives; And
Service Processing Unit (6041), described Service Processing Unit links to each other with described signature verification unit, and be used for the business datum that receives from described three module being handled, and described result sent to described three module through described the 6th communication unit according to request according to this checking result.
36., it is characterized in that described three module (202) is realized by one of following: desktop computer, notebook computer, panel computer, mobile phone, personal digital assistant, ATM and POS machine as the arbitrary described data handling system of claim 1-3.
37., it is characterized in that described four-way (C214) is the passage that disconnects as the arbitrary described data handling system of claim 1-3 after described digital signature operation is finished.
CN2010206656115U 2010-12-17 2010-12-17 Data processing system Expired - Lifetime CN202026311U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010206656115U CN202026311U (en) 2010-12-17 2010-12-17 Data processing system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010206656115U CN202026311U (en) 2010-12-17 2010-12-17 Data processing system

Publications (1)

Publication Number Publication Date
CN202026311U true CN202026311U (en) 2011-11-02

Family

ID=44851244

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010206656115U Expired - Lifetime CN202026311U (en) 2010-12-17 2010-12-17 Data processing system

Country Status (1)

Country Link
CN (1) CN202026311U (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102780561A (en) * 2011-11-30 2012-11-14 北京数字认证股份有限公司 Method and system for achieving user-informed digital signature by using mobile terminal

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102780561A (en) * 2011-11-30 2012-11-14 北京数字认证股份有限公司 Method and system for achieving user-informed digital signature by using mobile terminal

Similar Documents

Publication Publication Date Title
CN101465019B (en) Method and system for implementing network authentication
CN101394615B (en) Mobile payment terminal and payment method based on PKI technique
CN202026326U (en) Digital signature device
EP2764465A1 (en) A dongle device with rechargeable power supply for a secure electronic transaction
CN101692277A (en) Biometric encrypted payment system and method for mobile communication equipment
CN102983973B (en) Transaction system and method for commerce
CN101790166A (en) Digital signing method based on mobile phone intelligent card
JP2016103260A (en) Authentication method using nfc authentication card
WO2017076270A1 (en) Smart card having function of one time password (otp), and work method therefor
KR20200002483U (en) Intelligent wallet apparatus
CN110659470B (en) Authentication method and authentication system for off-line physical isolation
CN103297237A (en) Identity registration method, identity authentication method, identity registration system, identity authentication system, personal authentication equipment and authentication server
CN106709534A (en) Anti-counterfeit verification system of electronic certificate
CN102546540B (en) Data processing method
CN202026311U (en) Data processing system
CN102136057A (en) 2.4G/13.56M safety radio frequency card reader and authentication method thereof
CN105989481B (en) Data interaction method and system
CN103390140A (en) Mobile terminal and information security control method thereof
JP2020184290A (en) Intelligent wallet device and method for operating the same
CN102571337A (en) Data processing method
CN105405010B (en) Transaction device, transaction system using the same and transaction method
CN114840833A (en) Device and method for authenticating positive copy of electronic certificate
CN106157037B (en) Mobile payment method and mobile payment equipment
CN203243360U (en) Identity registration system
CN101609391A (en) The PIN code secured inputting method of a kind of USB KEY

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
DD01 Delivery of document by public notice

Addressee: Beijing Zhongchuang Zhixin Technology Co.,Ltd.

Document name: Notification of Passing Examination on Formalities

DD01 Delivery of document by public notice

Addressee: Beijing Zhongchuang Zhixin Technology Co.,Ltd.

Document name: Notification to Pay the Fees

CX01 Expiry of patent term

Granted publication date: 20111102

CX01 Expiry of patent term