WO2004059904A1

WO2004059904A1 - System and method for securely access about the mesh network data

Info

Publication number: WO2004059904A1
Application number: PCT/CN2003/001165
Authority: WO
Inventors: Jianqing Wei; Kesi Wei
Original assignee: Jianqing Wei; Kesi Wei
Priority date: 2002-12-31
Filing date: 2003-12-30
Publication date: 2004-07-15
Also published as: AU2003292878A1; CN1455340A

Abstract

The invention discloses a method based on the mesh theory for securely accessing the mesh network data. The mesh theory is: ‘empty’ can not be stolen. Consequently, the invention may get 100% security in the theory. The invention adopts the mechanism of one ‘double’, two ‘empty’ and three ‘inner’ in the data structure; and sets up double accounts in which one is surface and the other is hidden. The account’s relation is in the system, the surface account is empty and the hidden account is true. The data request is transmitted to the empty account through the first channel and the true account is indicated to transmit the data through the second channel. The data is automatically transmitted from the empty account to the true account in the system. According to the condition, the empty account automatically allow the performing request. Even if the two account are both stolen, the data will not be stolen. This invention can be used in securely browsing of the sensitively important data of the network, in the payment system and in the receipt or keeping system of the bank and in the electronic authorization lock of the important location. It can be carry out without change the software and the hardware system. The invention has high security, simply structure, lower cost, easily performing and easily be understood by the people.

Description

Sieve-type network data security access system and method

Technical field

The invention relates to a data processing method for secure access of computer network data. This kind of system called "mesh screen" (MESH SYSTEM), establishes a secure structure for reliable access to network data, so that anyone can enjoy the global safe electronics in the place covered by the communication network. data service. This screen system specifically involves a series of extremely important data processing methods in the field of network security.

technical background

In the online world, customers rely on their accounts and passwords to securely manage their personal world. In the field of virtual electronic network security, the physical secure access method in the real world is still used, which is to lock the door of the physical room. The key to security is this lock. Locked in, lost in lock.

No matter how many locks and keys are on the door, no matter how the keys are encrypted, and no matter how secretive the keys are transmitted to the legal opener, as long as the illegal opener steals the key, unlocks the key, unlocks After the door, the items were stolen naturally. Either the end-to-end SSL protocol or the three-party SET protocol is inseparable from things like accounts, passwords, public keys, and private keys. Even if the most effective IPsec is currently used (because of US security regulations, it can only be used in North America), in the United States, about 700,000 Americans ’credit cards have been stolen on average every year in the past two years, causing losses of 10 More than 100 million US dollars. Considering how much Chinese banks have lost, considering their own credit, they dare not publish publicity.

As we all know, encryption and decryption are always in a process of cyclical changes. Existing security theory holds that, fundamentally, there is no secret that cannot be broken, no lock that cannot be unlocked, and naturally no burglary that cannot be lost. Because it ultimately tied the account's security lifeline to the account number and account password. The network only recognizes accounts and does not recognize people, customers are slightly inadvertent, and they are completely lost. The disadvantage is that it can only control the Internet, but it cannot control the Internet. It focuses on Ding Suo, not on things, on means, not on purpose.

Summary of the Invention

The technical problem to be solved by the present invention is to overcome the shortcomings of the prior art and provide a truly secure network data access system and method.

Confirm this A fundamental difference between the present invention and the prior art is: theoretically, the prior art believes that all network security means are fundamentally insecure and can be cracked; while the present invention theoretically, The objects on the network can not be stolen and can be absolutely secure. The reason is just one word: empty.

There was nothing, and where did it cause dust. One of the fundamental characteristics of the network world is virtuality, which has no trace and no shadow, so it can be empty.

The invention is invented according to the "sieve theory" proposed by the inventors. The theory of sieve eyes believes that: the known network account system is equivalent to a sieve for sieving sand, the account is equivalent to a sieve in a certain position, the data is equivalent to the sand in the sieve, and the password is equivalent to the one blocked on the sieve Put the lock. If someone wants to leak the sand out of a sieve, they must get a matching key to snore the sieve. The sand can be leaked in the sieve at any time and moved to another sieve above the sieve to make the sieve empty. Others can't take a grain of sand even if they have the key. The other screen is not external and can only be controlled by myself. It is equivalent to holding the sand in one's own hand. Only when I release my hand, the sand will flow along the fixed channel to the fixed sieve below. After the lock of the upper sieve is opened, only the lower sieve to which the sand flows is only known to me. This process is a black box for others. If I have forgotten the corresponding relationship between the upper and lower sieve, then this eye becomes invalid, and then only another eye can be opened.

The technical solution of the present invention includes two parts: a system and a method.

The system aspect includes account network database system, communication network system, and communication terminal, forming a network data screening system.

The system structure characteristic of the present invention is reflected in the database structure. Mainly manifested in: one pair two empty three.

One pair is a double account, two empty is an empty account, and three internals are internal accounts and internal correspondence.

In the account network database, a customer has two or more associated accounts, one of which is a one-to-one correspondence between a public explicit account and another hidden implicit account. The corresponding relationship between the explicit account and the implicit account is stored in the database system, only the customer and the computer system know it, and it is not transmitted in the external network. Explicit accounts are usually empty accounts, and implicit accounts are data accounts that store data. Explicit and implicit accounts contact visitors through two channels.

The data processing method includes the following steps: 1. The visitor uses the account and password of the explicit account to send a data request to the explicit account through the communication terminal, and generates a conditional and timed request record in the waiting queue of the explicit account.

2. At the same time, the account owner uses the account number and password of the hidden account to send a data request to the hidden account through the communication terminal to respond to the data request of the hidden account. The hidden account transmits the requested data through the internal fixed channel to the corresponding explicit account of the public fund that belongs to the account in accordance with the request, and waits to match the request. Step 1 and Step 2 are no particular order.

3. After receiving the data from both parties, the explicit account performs pairing and comparison, and the two match, and executes the output request; the two conditions do not match, wait, and if it exceeds the immediate time limit, it is automatically canceled, and the two accounts are restored.

Its rules of procedure define: '

1. The open explicit account and the hidden implicit account respectively contact the customer through two unrelated channels;

2. All data in and out must be performed through open and explicit accounts;

3. The only data channel of the unlisted hidden account is connected to the open explicit account;

4. The hidden account is set to receive only the instruction of the communication terminal set by the owner or the instruction of any terminal. The invention is not an alternative security solution, but a superimposed security solution. All existing information security technology solutions, including firewalls, encryption, authentication, anti-virus, and digital signatures are intact, which is equivalent to a walnut wrapped with a thick layer of security shell. The shell is still the shell. The key is that the walnut Ren took it away and drew it in his palm.

In the case of the theft of an explicit account password used for public trading, the effects are compared:

Prior art: Theft of data from accounts.

The invention: Makes the data intact. Because the account is empty, nothing can be stolen.

Take a step back and say that the account and password of the hidden account located on the internal network is stolen, and the data can only be lost on the other own account. If no one legally requests data from the other account, the data will automatically return to its own Sex account. At this time, for higher security, you can define the account number of the hidden account to your own personal communication terminal, such as a mobile phone, and other portable communication equipment or a fixed phone at home. Not accepted.

Even if something is stolen, two conditions must be met: one is within a short period of time; the other is that the incoming data is consistent with the required data. Take a step back, the account and password of the explicit account and the implicit account are stolen, unless you tell the corresponding relationship of the thief yourself, I do not speak, no one steals anything.

The advantages of the present invention are:

High security: theoretically 100% safe.

Simple structure: Only add a light-dark correspondence and account rules.

Easy to use: As the worry of security is solved, data can be transmitted anytime, anywhere within the coverage of the communication network.

Low cost: There is almost no need to add any cost.

Easy to implement: It can be exaggerated to say that as long as it is a programmer who is very familiar with the original system, it can be implemented in half a day. Easy to understand: Anyone can go out with an empty wallet without fear of being stolen. It is safe to put the wallet in the bank's safe.

Wide market: Because it is easy to be understood by the public and customers are willing to use it, the market is wide.

跗 Illustration

Figure 1 is a schematic diagram of the existing network data access technology

Figure 2 is a schematic diagram of the screen-type network data secure access technology

detailed description

The main steps are:

1. First, keep the original software and hardware system of the computer network unchanged.

2. On the basis of the above, the database adds a data table corresponding to the shading account.

3. Open a corresponding hidden account for an existing account.

4. Transfer the data of the existing account to the hidden account. This account is an open account on the Internet.

5. Define rules for light and dark accounts.

Example 1 Sieve Lock and Sieve Code

For important network accounts, the password is blank, and a blank password is defined as a deadlock. Only when it needs to be opened, the second channel terminal is used to pass the password. Only then can the user account be opened with the passed password. High degree of safety required The content can be empty, and the content is transmitted through the hidden account.

Example 2 sieve webpage

For important and extremely sensitive web pages, use the sieve lock and leave the web page blank. Because there are usually very few people who visit sensitive webpages, a separate browsing room is set up for each visitor, and the webpages to be read are transmitted from the hidden account page by page. All will be destroyed upon exit, and the browsing room will be closed.

Example 3 Online signature and online authorization

Due to the widespread implementation of online government affairs, online commerce, and online office, many business processes require the signature of a person in charge at a level to pass.

For example: The online reimbursement expenses and procedures have been completed, as long as the person in charge signs it, and it is in a foreign country. At this time, the person in charge only needs to send a text message to the hidden account of the system with the mobile phone, and the word is signed. Funds are transferred from the organizational account to the personal account.

Example 4 sieve bank payment system

A secure bank account payment system based on the "sieve" theory. Customers must open a pair of screen accounts when registering: a traditional basic account (such as current passbook, a pass, etc.), a hidden account; a bank card payment account (such as various Credit cards, payment cards, debit cards, debit cards, etc.) are open and explicit accounts. You can also register an account that is already in use as a pair of corresponding accounts, or open a corresponding new empty account for the current bank card. At the same time, a correspondence between the two accounts is known only to the customer and the computer system. All collections and payments are performed through a single payment account. The payment account is empty when there is no receipt or payment. When a customer uses a bank card to use a communication terminal and requests the payment account for payment through the first channel (including computer, P0S, ATM, mobile phone, text message, fixed phone, PDA, E-mail, etc.), a fixed amount is generated in the payment account. Waiting queue at this time, the payer requests the basic account payment through the second pass «(including computer, P0S, ATM, mobile phone, text message, fixed phone, PDA, E-mai l, etc.). The basic account pays the payment to the payment account according to the corresponding relationship built into the account system. The payment account generates a waiting queue with a fixed amount of timing in the opposite direction. Within the set waiting time, the two queue amounts match, and the payment account executes the payment; if they do not match, the account is regularly refunded to the basic account. The first channel is not related to the sequence of the second channel. For example: The customer uses the payment card to withdraw money at the ATM. The current method step is inserting the card, the second is the secret, and the third is the withdrawal. If the card or secret is stolen, the iron surface of the iron surface machine is selfless, and only recognizes the card secret and does not recognize the person, and the payment is correct. If the present invention is used, because the account is empty, no withdrawal can be made under any circumstances except my instructions. The specific operation is: Send a short message to the basic account with your mobile phone: xxx # xxxxxxxxffixxxffia. Among them, the account number is: xxx, (the user name and account number conversion system can be used, and your own communication number can be used as the account number for easy operation). Password: XXXXXXXX; After receiving the text message from the hidden account, the funds will be transferred to the payment account immediately. At this time, if the amount is equal, and the waiting time is reached, the withdrawal can be successful. If it expires, the payment will be returned immediately. At the same time, a short message about the success of the transaction is returned.

For overdraft credit cards, only the corresponding basic account is empty. Under its basic account, you can link various financial assets of yourself and your family to increase the creditworthiness of your credit card. Credit card users can also be generated from non-overdraft card users who have used a certain amount of time and a certain accumulated amount. At the same time, the payment card transaction records can be permanently stored as personal credit information for the customer's life.

The same applies to P0S payment and online payment.

Swipe the card on the fixed P0S machine with the contracted merchant. For the convenience of the customer, the amount in the account as the payment condition and the payment amount may not be equal. As long as it is moderately larger than the payment amount, it can also be accepted.

As the security problem has been fundamentally resolved, no STK card is required, any mobile phone can become a mobile phone P0S, and any small merchant can "swipe" (ie manually enter the card number and other information), and any two individuals can use the mobile phone to implement the mobile phone. Real-time transfers. POS has gained tremendous popularity, enabling mobile-to-mobile bank transaction payments anytime, anywhere. Really realized "the bank on the go". With the ubiquitous trading environment, the development space of banks is unlimited.

This system is especially convenient for telephone booking services, and quite issued an electronic check.

For example, the telephone booking service (including hotels, air tickets, bus tickets, boat tickets, movie tickets and other tickets), the process is:

1. Dial the ticket purchase phone, and inform me of the payment account number, payment password (screen password, one-time payment password, can be specified at will), ID number.

2. Send SMS: account, password, amount, payment account password to basic account. 3. Receive the short message of booking success. At that time, you can get the reservation directly with your ID card. You can even use your ID card as a ticket. It is more convenient if the ID card has a barcode or IC card ID.

In summary, the account security of the sieve-type bank payment system is guaranteed by the following five points −

1. Empty.

2. Transcoding.

3. I authorize it.

4. Time.

5. Amount.

The operation is not complicated, just add a simple, fast and cheap mobile phone text message. This increased operation is trivial compared to the security of funds in the account. It also adds to the customer ’s sense of stability in everything he has.

Example 5 Sieve-type Bank Network Receipt Box System

The bank's network receipt receipt system is actually a mail server, which is the billing system for financial transactions between banks and customers. Its features are: Equipped with sieve lock; one household with two boxes, one empty and one real, following account for life; various communication terminals with personal (including computer, P0S, ATM, mobile phone, short message, fixed phone, PDA, fax, etc.) There is a fixed connection; the content can be classified; generally it can be divided into financial things, citizen things, personal things, business transactions, advertising, etc.

The bank network receipt box system includes a bank bill reconciliation system.

Example: Several accounts were recorded in the bank account of a certain unit, and the bills for these accounts were immediately sent to the unit's bank network receipt box. The receipt box will automatically notify the unit through the set communication system. The unit goes to the receipt box to retrieve the bill, either automatically or manually. Real-time automatic accounting can be basically realized, saving customers' time and costs.

The bank's online receipt receipt system includes an effective advertising scoring system.

Mailboxes on the Internet want to avoid advertising is not easy. By setting up an advertising scoring system, it detects the time when an advertising message is opened on the current page, rewards points, and encourages customers to watch advertisements. The points can be used to offset the network expenses, which is a three-pronged thing.

Embodiment 6 Sieve-type Bank Network Safe Deposit Box System As computers get deeper into our lives, more and more valuable electronic documents are needed, and there is an urgent need for absolute safe and secure network electronic safe deposit boxes. The bank has a natural advantage in establishing a network electronic safe deposit box.

Using the sieve theory, the storage box is divided into two boxes, light and dark. The clear box is empty, the dark box is real, the clear box is outside, the dark box is inside, and the two boxes correspond, but I know it.

It can keep the customer account income and expenditure records for a long time, and gradually form customer credit files.

Example 7 Authorized Network Vault Lock System

Is a special case of the sieve system. It is a system with only one screen for both Internet and offline. Door locks used in important places, such as bank vaults, warehouses, homes, etc.

Claims

Rights request

1. A system and method for securely accessing network data, including an account network database system, a communication network system, and a communication terminal, forming a complete network screen lock system; its characteristics are:

(a) In the account network database described above, a customer has registered two or more associated accounts: one publicly explicit account and one or more privately held implicit accounts;

(b) Public explicit accounts are usually empty accounts, and hidden private accounts are real accounts that store data;

(c) There is a one-to-one or one-to-many correspondence between the explicit account and the implicit account. This relationship is stored inside the network database system. Only the customer and the computer system know it, and it is not transmitted in the external network.

2. The system according to claim 1, wherein the program rules are characterized by:

(a) The public explicit account and the hidden implicit account respectively contact the customer through two unrelated channels;

(b) All data in and out must be made through open and explicit accounts;

(c) the only data entry and exit of the unlisted hidden account is connected to the open explicit account;

(d) The hidden account is set to receive only the instructions from the communication terminal set by the account owner or from any arbitrary communication terminal.

3. A method for securely accessing network data, further comprising the following steps:

(a) The visitor sends a request data 1 to the explicit account through the first channel;

(b) the account owner sends an implicit account number and password that does not contain an explicit account to the implicit account through the second channel, and only the request data 2 related to the request data through the first channel;

(c) The internal processing of the database is as follows: The implicit account transmits the response data to the corresponding explicit account through the only internal fixed channel; the explicit account receives the response data and the request data, and both parties wait for a match within a certain period of time; two After the data matches, the explicit account executes the request; if the data does not match, the request data fails, the request is cancelled, and the response is returned; the visitor and the account owner are notified; the two accounts are restored.

4. The system and method according to claim 1 or 2 or 3, to make a network screen lock, which comprises-the account password must be transmitted through the second channel, and the password can be used to open the network account portal; otherwise, it is A deadlock that cannot be opened.

5. The system according to claim 1 or 2 or 3, to create a sieve lock webpage, comprising: dynamically setting each visitor's isolated, blank access space within the webpage by a corresponding actual Web space, sending a web page to the access space for browsing through the second channel.

6. The system according to claim 1 or 2 or 3, which is made into a sieve bank card, which comprises: the bank card account is empty of funds.

7. The sieve bank card according to claim 7, further comprising: a system for converting an account name and account number or an easy-to-remember alias and account number conversion system

8. The system according to claim 1 or 2 or 3, which is made into a mobile phone POS, which comprises: the mobile phone is a point of sale wireless financial terminal, and the receiving and paying parties use the mobile phone to perform real-time transfer payment.

9. The system according to claim 1 or 2 or 3, which is made into a secure network electronic mailbox system, which constitutes a bank network electronic receipt box system, which includes: the mailbox is empty; a lifetime follow account; and a variety of customers The communication terminal has a fixed connection; the content can be classified and contains an advertising class.

10. The e-mail box according to claim 9, further comprising: an effective advertisement scoring system comprising a score based on a detection time when an advertisement letter is opened on the current page.

11. The electronic mailbox according to claim 9, further comprising: a bank bill reconciliation system.

12. The system according to claim 1 or 2 or 3, which is made into a secure network electronic safe deposit box and constitutes a network financial safe deposit box, which comprises: for maintaining a customer's important financial account transaction records and establishing a personal credit system; As well as other important video, audio, graphics, and electronic documents.