WO2009018685A1 - The device and the method of encrypting and authenticating against trojan horse with one time key - Google Patents

The device and the method of encrypting and authenticating against trojan horse with one time key Download PDF

Info

Publication number
WO2009018685A1
WO2009018685A1 PCT/CN2007/002384 CN2007002384W WO2009018685A1 WO 2009018685 A1 WO2009018685 A1 WO 2009018685A1 CN 2007002384 W CN2007002384 W CN 2007002384W WO 2009018685 A1 WO2009018685 A1 WO 2009018685A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
data
server
key
user
Prior art date
Application number
PCT/CN2007/002384
Other languages
French (fr)
Chinese (zh)
Inventor
Kamfu Wong
Original Assignee
Kamfu Wong
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kamfu Wong filed Critical Kamfu Wong
Priority to CN200780100187.0A priority Critical patent/CN101933287B/en
Priority to PCT/CN2007/002384 priority patent/WO2009018685A1/en
Publication of WO2009018685A1 publication Critical patent/WO2009018685A1/en
Priority to HK11105547.4A priority patent/HK1151402A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash

Definitions

  • the present invention relates to the field of information transmission security, and in particular to an encryption authentication apparatus for authentication and a corresponding authentication method.
  • financial institutions such as banks provide many services that use information technology, such as online banking services, mobile banking services, online securities trading services, etc. These services are generally
  • the user's transaction information is transmitted to the financial institution through the network. After the financial institution verifies the user's transaction information, the corresponding operation is performed according to the information content.
  • Some financial institutions use some two-factor authentication methods to combat hackers, such as using a Token Device, when a user logs into a financial institution's server.
  • the security encoder generates a code.
  • the user In addition to entering the correct user password, the user must enter the correct code to log in to the financial institution's server.
  • These security encoders usually have a built-in key.
  • the security coder When used, the security coder generates a security code by complex algorithm calculation according to factors such as time, and uses the same key in the financial institution's server, according to time. The factor is calculated by the same algorithm to generate a code.
  • the identity of the security coder can be authenticated, and the user password is checked. At the same time, the security code and user password can be authenticated to log in successfully.
  • this two-factor authentication method can improve the problem of network security, there are still some departments. The network security problem has not been properly solved. For example, some hackers use various intrusion methods to place the Trojan horse on the user's computer. When the user connects to the financial institution's server, the Trojan is used to steal the user's data, including the account number. , the account password and the security code entered by the user, etc.
  • Some hackers even create a fake financial institution's website, tricking the user into entering the transaction information on the counterfeit financial institution's website, and then the hacker logs in to the financial institution based on the stolen data. The server, then stealing money from the user's account.
  • the object of the present invention is achieved by using such an encryption authentication device for identity authentication, characterized in that the main structure of the encryption authentication device (1) comprises a main chip (101) and a keyboard (102).
  • various scheduled functions including encrypting data, storing data, Reading the data input by the user through the keyboard (102), displaying the prompt information through the display screen (103), sending the authentication data to the server (4) through the communication interface (104), and encrypting the authentication device
  • the server (4) uses the paired key (B) to decrypt the data and restore the data input by the user, and check the data content, and after verifying, the user's identity authentication is successful, and then the server (4) The corresponding operation is performed according to the data content; and, the main chip (101) further includes a unique device number (105) and a plurality of keys (A) and a plurality of index numbers (C), each index number (C) corresponds to a key (A), and, each index number
  • the encryption authentication device (1) of the present invention uses a disposable key (A) as an encryption and authentication means, and a keyboard (102) is provided on the encryption authentication device (1) for the user to input data. Including the user password, operation instructions, account number and other data, and then encrypt the data with the key (A), and then transmitted to the server (4) via the network (3) through the terminal (2), which is used by the server (4)
  • the key (B) paired with the key (A) decrypts the data and restores the user password, operation instruction, account number and other data, so that even if the data is intercepted by the hacker during the transmission process, the data is encrypted and used.
  • End-of-life key (A) encryption there is no connection between each key (A) and other keys (A), so that the hacker can not crack, plus the data is from the keyboard of the encryption authentication device (1) (102) Input, the encrypted authentication device (1) is physically separated from the user's computer. Even if the hacker uses a Trojan to invade the user's computer, the Trojan can't read the encryption. Means (1) a keyboard on the key input data (102).
  • the server (4) is provided with a plurality of authentication accounts (401), and each authentication account (401) corresponds to an encrypted authentication device (1), and the account is stored in the authentication account (401)
  • Corresponding cryptographic authentication device (1) device number (105) and an account password each authentication account (401) stores multiple keys (B) and multiple index numbers (C), each index number
  • each authentication account (401) corresponds to a key (B)
  • the key (B) in each authentication account (401) is paired with the key ( ⁇ ) in the encrypted authentication device (1) of the account, each The key ( ⁇ ) has a paired key ( ⁇ ), and each pair of paired keys ( ⁇ ) and key ( ⁇ ) have the same index number (C).
  • a plurality of pairs of keys and a plurality of sequential index numbers are generated in a random manner by the server (4) in advance by various methods.
  • each pair of keys is assigned an index number (C), and then each pair of keys is stored together with the assigned index number (C) to the main chip (101) and authentication of the encrypted authentication device (1) Account
  • Another feature of the present invention is that, each time the main chip (101) of the encryption authentication device (1) encrypts the data, an unused key ( ⁇ ) is extracted from the main chip (101) according to a predetermined program. Encryption, and, after the main chip (101) encrypts the data, the key ( ⁇ ) is deleted or discarded or marked as used, so that the key ( ⁇ ) will not be used again by the main chip (101). use. And, each time the server (4) decrypts the data, a key (()) paired with the data is decrypted from the authentication account (401) according to a predetermined program, and the server (4) decrypts the data.
  • the key ( ⁇ ) will be deleted or discarded or marked as used, so that the key ( ⁇ ) will not be used by the server (4) again.
  • using such an encrypted authentication telecommunications system for user identity authentication purposes, particularly for the financial industry including using the aforementioned encryption authentication device (1), terminal (2), network (3), server (4) , wherein the encryption authentication device (1) is independent of the terminal (2) and is disposed separately from the terminal (2), and each encryption authentication device (1) in the system is registered in the server (4) and is respectively
  • the server (4) recognizes that a paired key (A, B) is respectively provided in the encryption authentication device (1) and the server (4), and the encryption process is performed in the encryption authentication device (1), using the key ( A) forming a ciphertext, which is transmitted to the server (4) via the terminal (2) and the network (3), and the server (4) decrypts the ciphertext by using the paired key (B), and the decryption succeeds, and the system is successfully identified. Enter the next scheduled program.
  • the method includes the user logging in to the server (4) by using the terminal (2),
  • the user inputs the account authentication password (1) into the data to be authenticated, and the encrypted authentication device (1) encrypts the data to be authenticated into the ciphertext, and then passes the terminal (2) via the network (3).
  • the ciphertext is transmitted to the server (4), and the server (4) decrypts the ciphertext to restore the data that needs to be authenticated.
  • the server (4) checks that the data to be authenticated is correct, the user's identity authentication is successful, and the server can be logged in (4).
  • the advantage of the encryption authentication device (1) of the present invention is that each key is used only once, and is used up and down, and is not reused, so that the hacker cannot crack the key or data content from the encrypted data, and encrypts
  • the authentication device (1) is provided with a keyboard (102) for the user to input important data. Even if the hacker uses a Trojan horse to invade the user's computer, the hacker cannot steal important data input by the user, and is particularly suitable for applications such as online banking and online transactions.
  • FIG. 1 is a schematic explanatory diagram of the cryptographic authentication apparatus (1) of the present invention.
  • FIG. 2 is a schematic explanatory view showing the outline of another outline of the encryption authentication apparatus (1) of the present invention
  • FIG. 3 is a schematic explanatory diagram of the encryption authentication apparatus (1) having the USB interface (104)
  • FIG. 5 is a block diagram showing an encrypted authentication device (1) having an English keyboard (102);
  • FIG. 5 is a block diagram showing an encrypted authentication device (1) of the present invention
  • Fig. 6 is a schematic explanatory view showing the steps of the encryption authentication device (1) of the present invention and the server (4) in use. '
  • FIG. 1 is a schematic explanatory view of the cryptographic authentication apparatus (1) of the present invention
  • FIG. 2 is a schematic explanatory diagram of another outline of the cryptographic authentication apparatus (1) of the present invention
  • 3 is a schematic explanatory view of the encryption authentication device (1) including the USB interface (104)
  • FIG. 4 is a schematic explanatory view of the encryption authentication device (1) having the English keyboard (102).
  • FIG. 5 is a block diagram showing the structure of the encryption authentication apparatus (1) of the present invention.
  • the main structure of the encryption authentication apparatus (1) shown in the figure includes a main chip (101), a keyboard (102), a display screen (103), a communication interface (104), wherein the main chip (101) is provided with a CPU and a memory, and is connected with other components, and operates according to a predetermined program to implement authentication of the user on the server.
  • (A) Encrypt the data and transmit it to the server (4) through the terminal (2) and the network (3).
  • the server (4) decrypts the data using the paired key (B) to restore the data entered by the user. , and check the content of the data, after verifying that the user's identity is authenticated successfully, then the server
  • the main chip (101) also includes a unique device number ( 105) and a plurality of keys ( A) and a plurality of index numbers (C), each An index number (C) corresponds to a key (A), and each index number (C) is different from each other.
  • the communication interface (104) shown may be a wireless communication device, or a wired communication device, or a Bluetooth device, or an infrared device, or a USB interface, or an SD memory card interface, or a MINI-SD memory.
  • FIG. 6 is a schematic diagram showing the steps of the encryption authentication apparatus (1) and the server (4) in use of the present invention.
  • the server (4) shown in the figure is provided with a plurality of authentication accounts (401).
  • Each authentication account (401) corresponds to an encrypted authentication device (1), and the authentication account (401) stores the device number (105) of the encrypted authentication device (1) corresponding to the account and an account password, and each authentication account (401) stores multiple keys (B) and multiple index numbers (C), Each index number (C) corresponds to a key (B), and the key (B) in each authentication account (401) is paired with the key (A) in the encrypted authentication device (1) of the account.
  • each key (B) has a matching key (A), and each pair of paired keys (A) and keys (B) have the same index number (C).
  • the key (A) and the key (B) are generated in advance by the server (4) in a random manner by various methods.
  • the key (A) is stored in the main chip (101) of the encryption authentication device (1), only the master The chip (101) can have internal access to the key (A) without any external access to secure the key (A).
  • each time the main chip (101) of the encryption authentication device (1) encrypts the data an unused key (A) is extracted from the main chip (101) according to a predetermined program to encrypt the data, and the main chip (101) After encrypting the data, the key (A) is deleted or discarded or marked as used, so that the key (A) is not used again by the main chip (101).
  • each time the server (4) decrypts the data a key paired with the data is extracted from the authentication account (401) according to a predetermined program (B), the data is decrypted, and the server (4) decrypts the data.
  • the key (B) is deleted or discarded or marked as used, so that the key (B) will not be used by the server (4) again. Since the key (A) and the key (B) are used up and down, each key is used only once. When the key (A) in the encryption authentication device (1) is used up, the encryption authentication device is used. (1) If you cannot continue to use it, the user must replace the new encryption authentication device (1). If the encryption authentication device (1) stores 10,000 keys (A) and uses an average of 10 calculations per day, it can be used. 3 years.
  • the key (A) and the key (B) use a one-time password (One Time Pad or Vernam- cipher).
  • the so-called one-time password is a randomly generated secret that is as long as the message.
  • the key, the key and the message are subjected to the "X0R" operation of the bit to generate the ciphertext, and the same key and the appropriate algorithm are applied during the decryption, so that the restored message can be conveniently decrypted due to the key. It is used only once and then discarded, so it cannot be cracked. It is the simplest safe and fast encryption algorithm.
  • the encryption authentication device (1) of the present invention can also adopt other encryption algorithms in addition to the One Time Pad encryption algorithm, and can also achieve the object of the present invention well.
  • the encryption algorithms that can be used include:
  • PKI Public Key Infrastructure
  • the encrypted data content further includes verification data to ensure that the data is not tampered, and the verification data is encrypted.
  • the data is generated by a check algorithm including one of the following:
  • the server (4) uses the same verification algorithm to detect whether the data has been tampered with.
  • the power-on password protection encryption authentication device (1) can also be used without being stolen, that is, the main chip (101) of the encryption authentication device (1) is further provided with a power-on password, each time before using the encryption authentication device (1).
  • the user must enter the correct power-on password through the keyboard (102) in order to perform various operations using the encrypted authentication device (1).
  • the server (4) refers to various types of computer hosts for users to log in, and the server (4) may be an account server of each financial institution, or a bank account system server, or any computer that needs to verify the legality of the user's identity, etc.
  • the terminal device (2) refers to a terminal device connected to the server (4), and may be a terminal device that requires an authenticated user identity, such as a computer, or a computer terminal, or an ATM machine, by the encryption authentication device of the present invention (1) ), the validity of the user identity of the login server (4) can be reliably verified.
  • steps for authenticating by the encrypted authentication device (1) when the user logs in to the server (4) are included, which are steps for authenticating by the encrypted authentication device (1) when the user logs in to the server (4), and the specific steps are as follows:
  • the user uses the terminal (2) to connect to the server (4) via the network (3), enters the account password and other data on the keyboard (102) of the encryption authentication device (1), and encrypts the master in the authentication device (1).
  • the chip (101) calculates the authentication data including the verification data by using a predetermined verification algorithm by the data and device number (105) input by the user, and then extracts an unused key ( ⁇ ) in the main chip (101).
  • the authentication data is encrypted into ciphertext, and the index number (C) corresponding to the key ( ⁇ ) is extracted, and the master chip (101) encrypts the authentication data and deletes or discards or marks the key ( ⁇ ) as use;
  • Encryption authentication device (1) Display the ciphertext together with the index number (C) to the user through the display (103), and then the user enters the login name and the density displayed on the display (103) on the terminal (2).
  • Information such as text content and index number (C);
  • the user enters the login name on the terminal (2), then connects the communication interface (104) of the encrypted authentication device (1) with the terminal (2), and transmits the ciphertext along with the index number (C) via the communication interface (104).
  • the terminal (2) transmits the login name, ciphertext and index number (C) to the server (4) via the network (3);
  • the server (4) finds the user's authentication account (401) from the login name, and extracts the key (B) corresponding to the index number (C) from the authentication account (401) from the index number (C).
  • the decryption restores the authentication data, and the server (4) decrypts the ciphertext and deletes or discards the key (B) as used, and verifies the authentication data and restores the device number through a predetermined verification algorithm (105).
  • the network (3) sends a message to the terminal (2) notifying the user that the server has been successfully logged in (4).
  • the ciphertext in order to facilitate the user to view the content displayed on the display screen (103), the ciphertext can be displayed on the display screen (103) together with the index number (C) in a group of four characters. Separated by a space or "-" between the character group and the character group, it is convenient for the user to view the display content, which can reduce the user's mistake due to the wrong content.
  • the encryption authentication device (1) and the authentication method of the invention are safe and reliable, and the user can input important data through the keyboard (102) on the encryption authentication device (1), even if the hacker uses the Trojan horse program to invade the user's computer, the user can only steal the user at most. In the data entered on the computer keyboard, the hacker is unable to steal important data entered by the user in the encrypted authentication device (1).
  • the implementation of the present invention will bring about great social benefits.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The device, the system and the method of encrypting and authenticating against Trojan horse includes the following steps, the user information including the password, the sum of the transaction, and the number of the account is inputted using the keyboard (102). The user information is encrypted by the key (A), and is sent to the server (4) through the user device (2) and the network (3). The server decrypts the received information with the key (B). Because the key (A) used each time has no relations with other key (A), the information is safe even if it is obtained by the hacker in the process of being transmitted. At the same time, the information is inputted through the keyboard (102) of the device of the encrypting and authenticating (1). The hacker can not obtain the information inputted through the keyboard (102) of the device of the encrypting and authenticating (1) even if the Trojan horse invades into the user's computer.

Description

对抗木马程式用完即弃一次性密钥的加密认证装置和方法 【技术领域】  Encrypted authentication device and method for spoofing a disposable key for a Trojan horse [Technical Field]
本发明涉及信息传送安全领域,特别是涉及一种用于认证的加密认证装 置和相应认证方法。  The present invention relates to the field of information transmission security, and in particular to an encryption authentication apparatus for authentication and a corresponding authentication method.
【背景技术】 【Background technique】
随着时代的进步,资讯科技的应用非常普及,尤其是金融机构如银行等, 提供了很多利用资讯科技的服务, 例如网上银行服务、 手机银行服务、 网 上证券买卖服务等, 这些服务一般是将用户的交易信息通过网络传送到金 融机构, 由金融机构核实用户的交易信息后, 根据信息内容进行相应的操 作。  With the advancement of the times, the application of information technology is very popular. In particular, financial institutions such as banks provide many services that use information technology, such as online banking services, mobile banking services, online securities trading services, etc. These services are generally The user's transaction information is transmitted to the financial institution through the network. After the financial institution verifies the user's transaction information, the corresponding operation is performed according to the information content.
由于现时一般网络的安全性问题, 经常会发生黑客盗用他人账户的事 件, 故此有些金融机构采用一些双因素认证手段来对抗黑客, 例如采用保 安编码器 (Token Device ) , 用户登入金融机构的服务器时, 由保安编码 器产生一个编码, 用户除了要输入正确的用户口令外, 还要输入正确的编 码才能登入金融机构的服务器。 这些保安编码器一般内置有一条密钥, 使 用时由保安编码器根据时间等因素, 通过复杂的算法计算产生一个保安编 码, 而在金融机构的服务器内也采用相同的一条密钥, 根据时间等因素通 过相同的算法计算产生一个编码, 如果金融机构的服务器所产生的编码与 接收到由保安编码器所产生的保安编码相同, 就可认证该保安编码器的身 份, 加上核对用户口令, 要同时通过保安编码和用户口令的认证, 才能成 功登入。 这种双因素认证手段虽然可以改善网络安全的问题, 但仍然有部 份网络保安问题未妥善解决, 例如一些黑客采用各种入侵方法, 将木马程 式置于用户的计算机内, 在用户连线到金融机构的服务器时, 通过木马程 式盗取用户的资料, 包括账户号码、 账户口令和用户输入的保安编码等, 有些黑客甚至制造一个伪冒的金融机构的网站, 欺骗用户在伪冒的金融机 构的网站输入交易资料, 然后黑客根据盗取到资料, 即时登入金融机构的 服务器, 继而盗取用户账户内的钱。 Due to the current security problems of the general network, there are often incidents of hackers stealing other people's accounts. Therefore, some financial institutions use some two-factor authentication methods to combat hackers, such as using a Token Device, when a user logs into a financial institution's server. The security encoder generates a code. In addition to entering the correct user password, the user must enter the correct code to log in to the financial institution's server. These security encoders usually have a built-in key. When used, the security coder generates a security code by complex algorithm calculation according to factors such as time, and uses the same key in the financial institution's server, according to time. The factor is calculated by the same algorithm to generate a code. If the code generated by the financial institution's server is the same as the security code generated by the security codec, the identity of the security coder can be authenticated, and the user password is checked. At the same time, the security code and user password can be authenticated to log in successfully. Although this two-factor authentication method can improve the problem of network security, there are still some departments. The network security problem has not been properly solved. For example, some hackers use various intrusion methods to place the Trojan horse on the user's computer. When the user connects to the financial institution's server, the Trojan is used to steal the user's data, including the account number. , the account password and the security code entered by the user, etc. Some hackers even create a fake financial institution's website, tricking the user into entering the transaction information on the counterfeit financial institution's website, and then the hacker logs in to the financial institution based on the stolen data. The server, then stealing money from the user's account.
此外, 随着计算机技术的发展, 计算机的运算能力越来越强, 一些从前 被认为是安全可靠不可破解的信息加密措施, 也可能通过拥有强大运算能 力的计算机所破解, 令釆用这些信息加密措施的金融机构的安全性受到重 大挑战, 为了保障用户账户的安全, 很多金融机构采用了更复杂的密钥和 算法的加密解密技术, 令经营成本增加, 而且随着计算机技术的发展, 只 要数年时间, 在目前被视为安全可靠的信息加密措施也可能被全面破解, 令金融机构和用户面对相当大的风险, 所以很多人都不敢使用金融机构的 网上交易服务, 这是一个极待解决的问题。  In addition, with the development of computer technology, the computer's computing power is getting stronger and stronger. Some information encryption measures that were previously considered to be safe and reliable and unbreakable may also be cracked by computers with powerful computing power, so that they can be encrypted with these information. The security of financial institutions is a major challenge. In order to protect the security of user accounts, many financial institutions have adopted more complex encryption algorithms for keys and algorithms, which increase operating costs, and with the development of computer technology, In the year, the information encryption measures that are currently regarded as safe and reliable may also be completely cracked, which poses considerable risks for financial institutions and users, so many people are afraid to use the online trading services of financial institutions. This is a pole. The problem to be solved.
【发明内容】 [Summary of the Invention]
本发明的目的,在于提供一种加密认证装置,用于认证用户的身份和交 易资料。  It is an object of the present invention to provide an encryption authentication apparatus for authenticating a user's identity and transaction information.
本发明的目的是这样实现的, 采用这样一种加密认证装置, 用于身份认 证,其特征在于,所述的加密认证装置(1)的主要结构包括有主芯片(101 )、 键盘 (102) 、 显示屏 (103) 、 通讯接口 (104) , 其中, 主芯片 (101 ) 内设有 CPU和存储器, 并与其它各部件相连接, 按预定程序运作, 实现认 证用户在服务器(4)的身份和各项预定功能, 包括将资料加密、储存资料、 通过键盘(102) 读取用户输入的资料、 通过显示屏 (103)显示提示信息、 通过通讯接口 (104) 发送认证资料给服务器 (4) , 以及, 加密认证装 ΪThe object of the present invention is achieved by using such an encryption authentication device for identity authentication, characterized in that the main structure of the encryption authentication device (1) comprises a main chip (101) and a keyboard (102). The display screen (103) and the communication interface (104), wherein the main chip (101) is provided with a CPU and a memory, and is connected with other components, and operates according to a predetermined program to realize the identity of the authenticated user in the server (4). And various scheduled functions, including encrypting data, storing data, Reading the data input by the user through the keyboard (102), displaying the prompt information through the display screen (103), sending the authentication data to the server (4) through the communication interface (104), and encrypting the authentication device
( 1) 将用户通过键盘 (102)输入的资料, 包括用户口令、 操作指令、 账 户号码等资料, 以密钥 (A) 将资料加密, 再通过终端机 (2)和网络 (3) 传送给服务器(4) , 由服务器(4)使用相配对的密钥 (B)将资料解密还 原出用户所输入的资料, 并核对资料内容, 核对无误后表示用户的身份认 证成功, 然后服务器(4)才会根据资料内容进行相应的操作; 以及, 主芯 片 (101 ) 内还包括有一个唯一的装置编号 (105)和多条密钥 (A)和多个 索引号 (C) , 每一个索引号(C)对应一条密钥 (A) , 以及, 各个索引号(1) Encrypt the data entered by the user through the keyboard (102), including the user password, operation command, account number, etc., with the key (A), and then transmit it to the terminal (2) and the network (3). The server (4), the server (4) uses the paired key (B) to decrypt the data and restore the data input by the user, and check the data content, and after verifying, the user's identity authentication is successful, and then the server (4) The corresponding operation is performed according to the data content; and, the main chip (101) further includes a unique device number (105) and a plurality of keys (A) and a plurality of index numbers (C), each index number (C) corresponds to a key (A), and, each index number
(C) 是互不相同的。 (C) are different from each other.
本发明的加密认证装置(1) , 是采用用完即弃一次性的密钥(A)作为 加密和认证手段, 并且在加密认证装置 (1) 上设置有键盘 (102) 供用户 输入资料, 包括用户口令、 操作指令、 账户号码等资料, 然后以密钥 (A) 将资料加密, 再通过终端机 (2) 经网络(3)传送给服务器(4) , 由服务 器(4)使用与该密钥(A)相配对的密钥(B)将资料解密还原出用户口令、 操作指令、 账户号码等资料, 这样在传输过程中即使被黑客截取了资料, 由于资料已经加密, 而且是采用用完即弃的密钥 (A)加密, 每条密钥 (A) 与其他密钥 (A) 之间是没有关连的, 令黑客无法破解, 加上资料是从加密 认证装置 (1 ) 的键盘 ( 102)上输入, 加密认证装覃 ( 1 ) 与用户的计算机 之间是物理上分离的, 即使黑客釆用木马程式入侵用户的计算机, 木马程 式也无法读取加密认证装置 (1 ) 的键盘 (102) 上的按键输入的资料。  The encryption authentication device (1) of the present invention uses a disposable key (A) as an encryption and authentication means, and a keyboard (102) is provided on the encryption authentication device (1) for the user to input data. Including the user password, operation instructions, account number and other data, and then encrypt the data with the key (A), and then transmitted to the server (4) via the network (3) through the terminal (2), which is used by the server (4) The key (B) paired with the key (A) decrypts the data and restores the user password, operation instruction, account number and other data, so that even if the data is intercepted by the hacker during the transmission process, the data is encrypted and used. End-of-life key (A) encryption, there is no connection between each key (A) and other keys (A), so that the hacker can not crack, plus the data is from the keyboard of the encryption authentication device (1) (102) Input, the encrypted authentication device (1) is physically separated from the user's computer. Even if the hacker uses a Trojan to invade the user's computer, the Trojan can't read the encryption. Means (1) a keyboard on the key input data (102).
在设置方面, 服务器(4) 内设有多个认证账户 (401 ) , 每一个认证账 户 (401)对应一个加密认证装置(1 ) , 认证账户 (401 ) 内储存有该账户 所对应的加密认证装置 (1) 的装置编号 (105 ) 和一个账户密码, 每一认 证账户 (401 ) 内储存有多条密钥 (B)和多个索引号 (C) , 每一个索引号In terms of setting, the server (4) is provided with a plurality of authentication accounts (401), and each authentication account (401) corresponds to an encrypted authentication device (1), and the account is stored in the authentication account (401) Corresponding cryptographic authentication device (1) device number (105) and an account password, each authentication account (401) stores multiple keys (B) and multiple index numbers (C), each index number
(C) 对应一条密钥 (B) , 以及, 每一认证账户 (401 ) 内的密钥 (B) 与 该账户的加密认证装置(1) 内的密钥 (Α) 成配对关系, 每一条密钥 (Β) 有一条相配对的密钥 (Α) , 每一对相配对的密钥(Α)和密钥 (Β)它们所 对应的索引号 (C)是相同的。 使用本发明的加密认证装置 (1 ) 前, 要预 先由服务器(4)通过各种方法随机方式产生多对密钥和多个顺序的索引号(C) corresponds to a key (B), and the key (B) in each authentication account (401) is paired with the key (Α) in the encrypted authentication device (1) of the account, each The key (Β) has a paired key (Α), and each pair of paired keys (Α) and key (Β) have the same index number (C). Before using the cryptographic authentication apparatus (1) of the present invention, a plurality of pairs of keys and a plurality of sequential index numbers are generated in a random manner by the server (4) in advance by various methods.
(C) , 每一对密钥分配一个索引号 (C) , 然后将每一对密钥分别连同所 分配的索引号 (C)储存到加密认证装置(1) 的主芯片 (101) 和认证账户(C), each pair of keys is assigned an index number (C), and then each pair of keys is stored together with the assigned index number (C) to the main chip (101) and authentication of the encrypted authentication device (1) Account
(401 )内,储存到主芯片(101 )的称为密钥(Α),而储存到认证账户(401) 的称为密钥 (Β) , 如果釆用的加密算法是非对称密码算法, 密钥 (Α) 和 密钥(Β)就是一对互相配对的密钥,如果采用的加密算法是对称密码算法, 密钥 (Α)和密钥 (Β)就是一对相同的密钥, 当使其中一条密钥 (Α) 将资 料加密后, 可以使用与该密钥 (Α) 相配对的密钥 (Β) 将资料解密。 (401), the key (Α) stored in the main chip (101) and the key (Β) stored in the authentication account (401), if the encryption algorithm used is an asymmetric cryptographic algorithm, dense The key (Α) and the key (Β) are a pair of keys that are paired with each other. If the encryption algorithm used is a symmetric cryptographic algorithm, the key (Α) and the key (Β) are the same pair of keys. One of the keys (Α), after encrypting the data, can decrypt the data using the key (Β) paired with the key (Α).
本发明的另一特征是, 加密认证装置(1)的主芯片(101 )每次将资料 加密时, 会按预定程序从主芯片 (101 ) 内提取一条未用的密钥 (Α) 将资 料加密, 以及, 主芯片 (101 ) 将资料加密后, 就会将该条密钥 (Α) 删除 或弃置或标记为已用, 使该条密钥 (Α) 不会再次被主芯片 (101 ) 使用。 以及, 服务器 (4)每次将资料解密时, 会按预定程序从认证账户 (401 ) 内提取一条与该资料相配对的密钥 (Β) 将资料解密, 以及, 服务器 (4) 将资料解密后, 就会将该条密钥(Β)删除或弃置或标记为已用, 使该条密 钥 (Β) 不会再次被服务器(4) 使用。 以及, 采用这样一种加密认证电讯系统, 用于用户身份认证用途, 特别 用于金融业, 包括釆用前面所述的加密认证装置 (1) 、 终端机 (2) 、 网 络 (3) 、 服务器(4) , 其中, 加密认证装置 (1 ) 独立于终端机 (2) , 与终端机 (2) 相分离设置, 本系统中各加密认证装置 (1 ) 分别在服务器 (4) 内登记及被服务器 (4)所识别, 在加密认证装置 (1 )和服务器 (4) 内分别设有相配对的密钥(A, B), 加密过程在加密认证装置(1)中进行, 利用密钥 (A)形成密文, 经终端机 (2) 及网络(3)传输至服务器(4) , 服务器 (4) 利用相配对的密钥 (B) 解密密文, 解密成功则识别成功, 所 述系统进入后面预定程序。 Another feature of the present invention is that, each time the main chip (101) of the encryption authentication device (1) encrypts the data, an unused key (Α) is extracted from the main chip (101) according to a predetermined program. Encryption, and, after the main chip (101) encrypts the data, the key (Α) is deleted or discarded or marked as used, so that the key (Α) will not be used again by the main chip (101). use. And, each time the server (4) decrypts the data, a key (()) paired with the data is decrypted from the authentication account (401) according to a predetermined program, and the server (4) decrypts the data. After that, the key (Β) will be deleted or discarded or marked as used, so that the key (Β) will not be used by the server (4) again. And, using such an encrypted authentication telecommunications system for user identity authentication purposes, particularly for the financial industry, including using the aforementioned encryption authentication device (1), terminal (2), network (3), server (4) , wherein the encryption authentication device (1) is independent of the terminal (2) and is disposed separately from the terminal (2), and each encryption authentication device (1) in the system is registered in the server (4) and is respectively The server (4) recognizes that a paired key (A, B) is respectively provided in the encryption authentication device (1) and the server (4), and the encryption process is performed in the encryption authentication device (1), using the key ( A) forming a ciphertext, which is transmitted to the server (4) via the terminal (2) and the network (3), and the server (4) decrypts the ciphertext by using the paired key (B), and the decryption succeeds, and the system is successfully identified. Enter the next scheduled program.
以及, 采用这样一种加密认证方法, 釆用前面所述的加密认证装置, 用 于身份认证等用途, 其特征在于, 所述的方法包括用户使用终端机(2)登 入服务器 (4) 时, 用户预先在加密认证装置 (1 ) 上输入账户密码等需要 认证的资料, 由加密认证装置 (1 )将需要认证的资料加密为密文, 然后通 过终端机 (2) 经网络 (3 ) 将该密文传送到服务器 (4) , 由服务器 (4) 将密文解密还原出需要认证的资料, 服务器(4)核对需要认证的资料无误 后, 用户的身份认证成功, 可以登入服务器 (4) 。  And adopting such an encryption authentication method, using the encryption authentication device described above for identity authentication and the like, wherein the method includes the user logging in to the server (4) by using the terminal (2), The user inputs the account authentication password (1) into the data to be authenticated, and the encrypted authentication device (1) encrypts the data to be authenticated into the ciphertext, and then passes the terminal (2) via the network (3). The ciphertext is transmitted to the server (4), and the server (4) decrypts the ciphertext to restore the data that needs to be authenticated. After the server (4) checks that the data to be authenticated is correct, the user's identity authentication is successful, and the server can be logged in (4).
这样就实现了本发明的目的。  This achieves the object of the present invention.
本发明的加密认证装置 (1 ) 的优点是每条密钥只会使用一次, 用完即 弃, 不会重复使用, 使黑客不能从加密后的资料中破解出密钥或资料内容, 而且加密认证装置 (1 )上设有键盘 (102) 供用户输入重要资料, 即使黑 客采用木马程式入侵用户的计算机, 也无法盗取用户输入的重要资料, 特 别适合于网上银行、 网上交易等应用范围。 【附图说明】 The advantage of the encryption authentication device (1) of the present invention is that each key is used only once, and is used up and down, and is not reused, so that the hacker cannot crack the key or data content from the encrypted data, and encrypts The authentication device (1) is provided with a keyboard (102) for the user to input important data. Even if the hacker uses a Trojan horse to invade the user's computer, the hacker cannot steal important data input by the user, and is particularly suitable for applications such as online banking and online transactions. [Description of the Drawings]
图 1是本发明的加密认证装置 (1 ) 的形像化示意说明图;  1 is a schematic explanatory diagram of the cryptographic authentication apparatus (1) of the present invention;
图 2是本发明的加密认证装置 (1 ) 的另一外形的形像化示意说明图; 图 3是具备 USB接口(104)的加密认证装置(1)的形像化示意说明图; 图 4是具备英文键盘(102)的加密认证装置(1)的形像化示意说明图; 图 5是本发明的加密认证装置 (1 ) 的方框结构说明图;  2 is a schematic explanatory view showing the outline of another outline of the encryption authentication apparatus (1) of the present invention; FIG. 3 is a schematic explanatory diagram of the encryption authentication apparatus (1) having the USB interface (104); FIG. 5 is a block diagram showing an encrypted authentication device (1) having an English keyboard (102); FIG. 5 is a block diagram showing an encrypted authentication device (1) of the present invention;
图 6是本发明的加密认证装置(1) 的与服务器(4)在使用时的步骤示 意说明图。 '  Fig. 6 is a schematic explanatory view showing the steps of the encryption authentication device (1) of the present invention and the server (4) in use. '
图中, 相同的数字代表相同的系统、 装置、 部件器件, 方法步骤用圆圈 的数字和带箭头的直线所标出。 附图是示意性的, 用以说明本发明的加密 认证装置 (1) 的主要特征和使用时的操作步骤。  In the figures, the same numerals represent the same systems, devices, and components. The method steps are indicated by the number of the circle and the line with the arrow. The drawings are schematic for explaining the main features of the encryption authentication device (1) of the present invention and the operational steps in use.
【具体实施方式】 【detailed description】
下面结合附图, 对本发明的方法作进一步详细说明。  The method of the present invention will be further described in detail below with reference to the accompanying drawings.
参阅图 1至图 4, 图 1是本发明的加密认证装置 (1) 的形像化示意说 明图, 图 2是本发明的加密认证装置(1 )的另一外形的形像化示意说明图, 图 3是具备 USB接口 (104) 的加密认证装置 (1 ) 的形像化示意说明图, 图 4是具备英文键盘 (102) 的加密认证装置 (1 ) 的形像化示意说明图, 图 1至图 4中示出了加密认证装置(1 )不同外形的实施方式的形像化示意 说明图,图中示出的加密认证装置(1)除了外形不相同外,它们的键盘(102) 按键也有分别, 加密认证装置 (1 ) 的键盘 (102)可以是包含数字按键的 键盘 (102) 、 或包含英文字母按键的键盘 (102) 、 或包含数字和英文字 母的键盘 (102) 。 参阅图 5, 图 5是本发明的加密认证装置 (1) 的方框结构说明图, 图 中示出的加密认证装置(1 )的主要结构包括有主芯片(101)、键盘(102)、 显示屏 (103) 、 通讯接口 (104) , 其中, 主芯片 (101 ) 内设有 CPU和存 储器, 并与其它各部件相连接, 按预定程序运作, 实现认证用户在服务器1 to 4, FIG. 1 is a schematic explanatory view of the cryptographic authentication apparatus (1) of the present invention, and FIG. 2 is a schematic explanatory diagram of another outline of the cryptographic authentication apparatus (1) of the present invention. 3 is a schematic explanatory view of the encryption authentication device (1) including the USB interface (104), and FIG. 4 is a schematic explanatory view of the encryption authentication device (1) having the English keyboard (102). 1 to 4 show an avatar schematic illustration of an embodiment of a different configuration of the cryptographic authentication device (1), the cryptographic authentication device (1) shown in the figure, except for the different shapes, their keyboards (102) There are also buttons, and the keyboard (102) of the encryption authentication device (1) may be a keyboard (102) containing numeric keys, or a keyboard (102) containing English alphabetic keys, or a keyboard (102) containing numbers and English letters. Referring to FIG. 5, FIG. 5 is a block diagram showing the structure of the encryption authentication apparatus (1) of the present invention. The main structure of the encryption authentication apparatus (1) shown in the figure includes a main chip (101), a keyboard (102), a display screen (103), a communication interface (104), wherein the main chip (101) is provided with a CPU and a memory, and is connected with other components, and operates according to a predetermined program to implement authentication of the user on the server.
(4)的身份和各项预定功能,包括将资料加密、储存资料、通过键盘(102) 读取用户输入的资料、通过显示屏(103)显示提示信息、通过通讯接口(104) 发送认证资料给服务器 (4) , 以及, 加密认证装置 (1 ) 将用户通过键盘(4) The identity and various predetermined functions, including encrypting the data, storing the data, reading the data input by the user through the keyboard (102), displaying the prompt information through the display screen (103), and sending the authentication data through the communication interface (104) To the server (4), and, the encrypted authentication device (1) passes the user through the keyboard
( 102)输入的资料, 包括用户口令、 操作指令、 账户号码等资料, 以密钥(102) Input data, including user password, operation instruction, account number, etc., with key
(A) 将资料加密, 再通过终端机 (2) 和网络 (3) 传送给服务器 (4) , 由服务器 (4) 使用相配对的密钥 (B) 将资料解密还原出用户所输入的资 料, 并核对资料内容, 核对无误后表示用户的身份认证成功, 然后服务器(A) Encrypt the data and transmit it to the server (4) through the terminal (2) and the network (3). The server (4) decrypts the data using the paired key (B) to restore the data entered by the user. , and check the content of the data, after verifying that the user's identity is authenticated successfully, then the server
(4)才会根据资料内容进行相应的操作; 以及, 主芯片 (101 ) 内还包括 有一个唯一的装置编号 (105 )和多条密钥 (A)和多个索引号 (C) , 每一 个索引号(C)对应一条密钥(A) , 以及, 各个索引号(C)是互不相同的。 (4) will perform corresponding operations according to the data content; and, the main chip (101) also includes a unique device number ( 105) and a plurality of keys ( A) and a plurality of index numbers (C), each An index number (C) corresponds to a key (A), and each index number (C) is different from each other.
继续参阅图 5, 图中示出的通讯接口 (104) 可以是无线通讯装置、 或 有线通讯装置、 或蓝芽装置、 或红外线装置、 或 USB接口、 或 SD记忆卡接 口、 或 MINI-SD记忆卡接口、 或 MMC记忆卡接口、 或 RS-MMC记忆卡接口、 或 RS- 232接口、 或 PS2键盘接口。  With continued reference to FIG. 5, the communication interface (104) shown may be a wireless communication device, or a wired communication device, or a Bluetooth device, or an infrared device, or a USB interface, or an SD memory card interface, or a MINI-SD memory. Card interface, or MMC memory card interface, or RS-MMC memory card interface, or RS-232 interface, or PS2 keyboard interface.
参阅图 6, 图 6是本发明的加密认证装置 (1 )与服务器(4)在使用时 的步骤示意说明图, 图中示出的服务器(4) 内设有多个认证账户 (401) , 每一个认证账户 (401 )对应一个加密认证装置 (1 ) , 认证账户 (401) 内 储存有该账户所对应的加密认证装置 (1 ) 的装置编号 (105) 和一个账户 密码, 每一认证账户 (401 ) 内储存有多条密钥 (B) 和多个索引号 (C) , 每一个索引号 (C)对应一条密钥(B) , 以及, 每一认证账户 (401 ) 内的 密钥 (B)与该账户的加密认证装置 (1) 内的密钥 (A) 成配对关系, 每一 条密钥 (B)有一条相配对的密钥(A) , 每一对相配对的密钥 (A) 和密钥 (B) 它们所对应的索引号 (C) 是相同的。 密钥 (A) 和密钥 (B) 是由服 务器 (4)预先通过各种方法随机方式产生, 当密钥 (A) 储存到加密认证 装置 (1 ) 的主芯片 (101 ) 后, 只有主芯片 (101 ) 才能对密钥 (A) 作内 部访问, 而不允许任何外部的访问, 以保证密钥 (A) 的安全。 Referring to FIG. 6, FIG. 6 is a schematic diagram showing the steps of the encryption authentication apparatus (1) and the server (4) in use of the present invention. The server (4) shown in the figure is provided with a plurality of authentication accounts (401). Each authentication account (401) corresponds to an encrypted authentication device (1), and the authentication account (401) stores the device number (105) of the encrypted authentication device (1) corresponding to the account and an account password, and each authentication account (401) stores multiple keys (B) and multiple index numbers (C), Each index number (C) corresponds to a key (B), and the key (B) in each authentication account (401) is paired with the key (A) in the encrypted authentication device (1) of the account. Relationship, each key (B) has a matching key (A), and each pair of paired keys (A) and keys (B) have the same index number (C). The key (A) and the key (B) are generated in advance by the server (4) in a random manner by various methods. When the key (A) is stored in the main chip (101) of the encryption authentication device (1), only the master The chip (101) can have internal access to the key (A) without any external access to secure the key (A).
此外, 加密认证装置(1 ) 的主芯片(101)每次将资料加密时, 会按预 定程序从主芯片 (101 ) 内提取一条未用的密钥 (A) 将资料加密, 以及, 主芯片 (101 ) 将资料加密后, 就会将该条密钥 (A)删除或弃置或标记为 已用, 使该条密钥(A)不会再次被主芯片(101 )使用。 以及, 服务器(4) 每次将资料解密时, 会按预定程序从认证账户 (401 ) 内提取一条与该资料 相配对的密钥 (B) 将资料解密, 以及, 服务器 (4) 将资料解密后, 就会 将该条密钥 (B) 删除或弃置或标记为已用, 使该条密钥 (B) 不会再次被 服务器(4)使用。 由于密钥 (A)和密钥 (B) 是用完即弃的, 每一条密钥 只会使用一次, 当加密认证装置 (1 ) 内的密钥 (A) 全部用完后, 加密认 证装置 (1) 就不能继续使用, 用户必须更换新的加密认证装置 (1 ) , 如 果加密认证装置 (1) 内储存有 1万条密钥 (A) , 以平均每天使用 10次计 算, 大约可以使用 3年。  In addition, each time the main chip (101) of the encryption authentication device (1) encrypts the data, an unused key (A) is extracted from the main chip (101) according to a predetermined program to encrypt the data, and the main chip (101) After encrypting the data, the key (A) is deleted or discarded or marked as used, so that the key (A) is not used again by the main chip (101). And, each time the server (4) decrypts the data, a key paired with the data is extracted from the authentication account (401) according to a predetermined program (B), the data is decrypted, and the server (4) decrypts the data. After that, the key (B) is deleted or discarded or marked as used, so that the key (B) will not be used by the server (4) again. Since the key (A) and the key (B) are used up and down, each key is used only once. When the key (A) in the encryption authentication device (1) is used up, the encryption authentication device is used. (1) If you cannot continue to use it, the user must replace the new encryption authentication device (1). If the encryption authentication device (1) stores 10,000 keys (A) and uses an average of 10 calculations per day, it can be used. 3 years.
在加密解密算法方面,密钥(A)和密钥(B)是采用一次性密码(One Time Pad或称为 Vernam- cipher) , 所谓一次性密码是通过使用与讯息一样长的 随机生成的密钥, 将密钥与讯息进行位元的 "X0R"运算产生密文, 解密时 应用同一密钥和适当的演算法, 就可以方便地解密还原出讯息, 由于密钥 只使用一次, 然后就被丢弃, 所以是无法破解的, 是最简单安全和快速的 加密算法。本发明的加密认证装置(1 )除了可以采用一次性密码(One Time Pad)加密算法外, 也可以采用其他的加密算法, 也可很好地实现本发明的 目的, 可以采用的加密算法包括: In terms of encryption and decryption algorithms, the key (A) and the key (B) use a one-time password (One Time Pad or Vernam- cipher). The so-called one-time password is a randomly generated secret that is as long as the message. The key, the key and the message are subjected to the "X0R" operation of the bit to generate the ciphertext, and the same key and the appropriate algorithm are applied during the decryption, so that the restored message can be conveniently decrypted due to the key. It is used only once and then discarded, so it cannot be cracked. It is the simplest safe and fast encryption algorithm. The encryption authentication device (1) of the present invention can also adopt other encryption algorithms in addition to the One Time Pad encryption algorithm, and can also achieve the object of the present invention well. The encryption algorithms that can be used include:
1. 数据力口密标准 (Data Encryption Standard - DES) ;  1. Data Encryption Standard (DES);
2. 三重数据加密标准 (Triple - DES ) ;  2. Triple Data Encryption Standard ( Triple - DES ) ;
3. RSA加密演算法 (RSA algorithm) ;  3. RSA encryption algorithm (RSA algorithm);
4. 一次性密码 (One Time Pad) ;  4. One Time Pad;
5. 公钥基础架构 (Public Key Infrastructure - PKI ) 。  5. Public Key Infrastructure (PKI).
本发明的加密认证装置(1 ) 的主芯片(101 )将资料加密前, 被加密的 资料内容还包括有校验资料, 以保障资料不会被窜改, 所述的校验资料是 由被加密的资料通过包括如下其中之一的校验算法所产生:  Before the main chip (101) of the encryption authentication device (1) of the present invention encrypts the data, the encrypted data content further includes verification data to ensure that the data is not tampered, and the verification data is encrypted. The data is generated by a check algorithm including one of the following:
1. 循环冗余码 (CRC)算法;  1. Cyclic Redundancy Code (CRC) algorithm;
2. 摘要演算法 (Message-Digest Algorithm) ;  2. Abstract algorithm (Message-Digest Algorithm);
3. 消息认证码 (Message authentication code) 算法;  3. Message authentication code algorithm;
4. 安全杂凑标准 (Secure Hash Standard) 算法。  4. Secure Hash Standard algorithm.
以及, 在服务器(4)将加密资料解密后, 服务器(4)采用相同的校验 算法就可检测资料有没有被窜改。  And, after the server (4) decrypts the encrypted data, the server (4) uses the same verification algorithm to detect whether the data has been tampered with.
更进一步, 还可以采用开机口令保护加密认证装置 (1 ) 不会被盗用, 即在加密认证装置 (1 ) 的主芯片 (101 )还设有开机口令, 每次使用加密 认证装置 (1 ) 前, 使用者必须通过键盘 (102) 输入正确的开机口令, 才 能使用加密认证装置 (1 )进行各项操作。 在本说明书中, 服务器 (4) 是指供用户登入的各类计算机主机, 服务 器(4)可以是各金融机构的账户服务器、 或银行账户系统服务器、 或任何 需要验证用户身份合法性的计算机等, 而终端机 (2) 是指与服务器 (4) 相连线的终端设备, 可以是计算机、 或计算机终端、 或 ATM机等需要认证 用户身份的终端设备, 通过本发明的加密认证装置 (1 ) , 就能可靠地验证 登入服务器(4) 的用户身份的合法性。 Further, the power-on password protection encryption authentication device (1) can also be used without being stolen, that is, the main chip (101) of the encryption authentication device (1) is further provided with a power-on password, each time before using the encryption authentication device (1). The user must enter the correct power-on password through the keyboard (102) in order to perform various operations using the encrypted authentication device (1). In this specification, the server (4) refers to various types of computer hosts for users to log in, and the server (4) may be an account server of each financial institution, or a bank account system server, or any computer that needs to verify the legality of the user's identity, etc. The terminal device (2) refers to a terminal device connected to the server (4), and may be a terminal device that requires an authenticated user identity, such as a computer, or a computer terminal, or an ATM machine, by the encryption authentication device of the present invention (1) ), the validity of the user identity of the login server (4) can be reliably verified.
继续参阅图 6, 图中示出包括如下的步骤, 是用户登入服务器 (4) 时, 通过加密认证装置(1 )迸行认证的步骤, 具体的步骤如下:  Continuing to refer to FIG. 6, the following steps are included, which are steps for authenticating by the encrypted authentication device (1) when the user logs in to the server (4), and the specific steps are as follows:
1. 用户使用终端机 (2) 通过网络 (3) 连线到服务器 (4) , 在加密 认证装置(1 ) 的键盘(102) 上输入账户密码等资料, 加密认证装 置 (1 ) 内的主芯片 (101) 将用户输入的资料和装置编号 (105) 通过预定的校验算法计算出包含校验资料的认证资料, 然后在主芯 片 (101 ) 内提取一条未用的密钥 (Α)将认证资料加密为密文, 并 提取出该密钥 (Α) 所对应的索引号 (C) , 主芯片 (101 ) 将认证 资料加密后将该条密钥 (Α) 删除或弃置或标记为已用;  1. The user uses the terminal (2) to connect to the server (4) via the network (3), enters the account password and other data on the keyboard (102) of the encryption authentication device (1), and encrypts the master in the authentication device (1). The chip (101) calculates the authentication data including the verification data by using a predetermined verification algorithm by the data and device number (105) input by the user, and then extracts an unused key (Α) in the main chip (101). The authentication data is encrypted into ciphertext, and the index number (C) corresponding to the key (Α) is extracted, and the master chip (101) encrypts the authentication data and deletes or discards or marks the key (Α) as use;
2. 加密认证装置 (1 ) 通过显示屏 (103 ) 将密文连同索引号 (C) 显 示给用户看,然后用户在终端机(2)上输入登入名称、显示屏(103) 所显示的密文内容和索引号 (C) 等资料;  2. Encryption authentication device (1) Display the ciphertext together with the index number (C) to the user through the display (103), and then the user enters the login name and the density displayed on the display (103) on the terminal (2). Information such as text content and index number (C);
或;  Or
用户在终端机 (2) 上输入登入名称, 然后将加密认证装置 (1 ) 的 通讯接口 (104) 与终端机 (2) 连接, 将密文连同索引号 (C) 通 过通讯接口 (104) 传送到终端机 (2) ; 3. 终端机 (2) 通过网络 (3) 将登入名称、 密文和索引号 .(C) 传送 到服务器 (4) ; The user enters the login name on the terminal (2), then connects the communication interface (104) of the encrypted authentication device (1) with the terminal (2), and transmits the ciphertext along with the index number (C) via the communication interface (104). To the terminal (2); 3. The terminal (2) transmits the login name, ciphertext and index number (C) to the server (4) via the network (3);
4. 服务器(4)从登入名称找到用户的认证账户(401), 从索引号(C) ' 在该认证账户 (401 ) 内提取对应该索引号 (C) 的密钥 (B) 将密 文解密还原出认证资料,服务器(4)将密文解密后将该条密钥(B) 删除或弃置或标记为已用, 并通过预定的校验算法校验认证资料和 还原出装置编号 (105) 和账户密码等资料, 校验无误后表示认证 资料没有被窜改过, 服务器(4)核对装置编号 (105) 和账户密码 等资料无误后, 表示用户的身份认证成功, 然后服务器 (4) 通过 网络(3) 向终端机(2)发出信息, 通知用户已经成功登入了服务 器 (4) 。  4. The server (4) finds the user's authentication account (401) from the login name, and extracts the key (B) corresponding to the index number (C) from the authentication account (401) from the index number (C). The decryption restores the authentication data, and the server (4) decrypts the ciphertext and deletes or discards the key (B) as used, and verifies the authentication data and restores the device number through a predetermined verification algorithm (105). ) and account password and other information, after verifying that the authentication data has not been tampered with, the server (4) check device number (105) and account password and other information is correct, indicating that the user's identity authentication is successful, then the server (4) passed The network (3) sends a message to the terminal (2) notifying the user that the server has been successfully logged in (4).
在本实施例步骤中, 为了方便用户査看显示屏 (103)所显示的内容, 可将密文连同索引号 (C) 以每四个字符一组的方式在显示屏 (103) 上显 示, 在字符组与字符组之间以一个空格或 "-"作分隔, 方便用户査看显示 内容, 可减少用户因看错内容而出错。  In the step of the embodiment, in order to facilitate the user to view the content displayed on the display screen (103), the ciphertext can be displayed on the display screen (103) together with the index number (C) in a group of four characters. Separated by a space or "-" between the character group and the character group, it is convenient for the user to view the display content, which can reduce the user's mistake due to the wrong content.
本发明的加密认证装置 (1 ) 和认证方法安全可靠, 用户可通过加密认 证装置 (1 )上的键盘 (102) 输入重要资料, 即使黑客采用木马程式入侵 用户的计算机, 最多只能盗取用户在计算机键盘输入的资料, 黑客是无法 盗取用户在加密认证装置(1) 输入的重要资料。 本发明的实施, 会带来巨 大的良好的社会效益。  The encryption authentication device (1) and the authentication method of the invention are safe and reliable, and the user can input important data through the keyboard (102) on the encryption authentication device (1), even if the hacker uses the Trojan horse program to invade the user's computer, the user can only steal the user at most. In the data entered on the computer keyboard, the hacker is unable to steal important data entered by the user in the encrypted authentication device (1). The implementation of the present invention will bring about great social benefits.

Claims

权利要求  Rights request
1. 一种加密认证装置, 用于身份认证, 其特征在于, 所述的加密认证装置An encryption authentication apparatus for identity authentication, characterized in that the encryption authentication apparatus
( 1)的主要结构包括有主芯片(101)、键盘(102)、显示屏(103) 、 通讯接口 (104) , 其中, 主芯片 (101) 内设有 CPU和存储器, 并与 其它各部件相连接, 按预定程序运作, 实现认证用户在服务器(4) 的 身份和各项预定功能, 包括通过键盘(102)读取用户输入的资料、 储 存资料、 加密资料、 通过显示屏(103) 显示提示信息、 通过通讯接口The main structure of (1) includes a main chip (101), a keyboard (102), a display screen (103), and a communication interface (104), wherein the main chip (101) is provided with a CPU and a memory, and other components. Connected, operating according to a predetermined program, realizing the identity of the authenticated user in the server (4) and various predetermined functions, including reading user input data, storing data, encrypting data through the keyboard (102), and displaying through the display screen (103) Prompt message, via communication interface
( 104) 发送认证资料给服务器(4) ; (104) Send authentication information to the server (4);
以及,  as well as,
加密认证装置(1)将用户通过键盘(102)输入的资料, 包括用户口令、 操作指令、 账户号码等资料, 以密钥 (A)将资料加密, 再通过终端机 (2)和网络(3)传送给服务器(4) , 由服务器(4)使用相配对的密 钥 (B)将资料解密还原出用户所输入的资料, 并核对资料内容, 核对 无误后表示用户的身份认证成功, 然后服务器 (4)才会根据资料内容 迸行相应的操作。  The encryption authentication device (1) encrypts the data by the key (A) by the data input by the user through the keyboard (102), including the user password, the operation instruction, the account number, and the like, and then passes through the terminal (2) and the network (3). ) is transmitted to the server (4), and the server (4) decrypts the data using the paired key (B) to restore the data input by the user, and checks the data content, and after verifying, the user's identity authentication succeeds, and then the server (4) The corresponding operation will be carried out according to the data content.
2. 如权利要求 1所述的加密认证装置, 其特征在于, 所述的主芯片(101) 内还包括有一个唯一的装置编号 (105) 和多条密钥 (A) 和多个索引 号 (C) , 每一个索引号 (C)对应一条密钥 (A) , 以及, 各个索引号 (C) 是互不相同的。 2. The cryptographic authentication apparatus according to claim 1, wherein said main chip (101) further comprises a unique device number (105) and a plurality of keys (A) and a plurality of index numbers. (C), each index number (C) corresponds to a key (A), and each index number (C) is different from each other.
3. 如权利要求 2所述的加密认证装置, 其特征在于, 所述的主芯片(101 ) 每次将资料加密时, 会按预定程序从主芯片 (101 ) 内提取一条未用的 密钥 (A) 将资料加密, 以及, 主芯片 (101 ) 将资料加密后, 就会将 该条密钥 (A)删除或弃置或标记为已用, 使该条密钥 (A) 不会再次 被主芯片 (101 ) 使用。 3. The cryptographic authentication device according to claim 2, wherein each time the main chip (101) encrypts the data, an unused key is extracted from the main chip (101) according to a predetermined program. (A) Encrypt the data, and after the main chip (101) encrypts the data, the key (A) is deleted or discarded or marked as used, so that the key (A) will not be used again. The main chip (101) is used.
4. 如权利要求 1所述的加密认证装置, 其特征在于, 所述的主芯片(101 ) 还设有开机口令, 每次使用加密认证装置(1 ) 前, 使用者必须通过键 盘 (102) 输入正确的开机口令, 才能使用加密认证装置 (1 ) 进行各 项操作。 4. The encryption authentication device according to claim 1, wherein the main chip (101) further has a power-on password, and the user must pass the keyboard (102) before using the encryption authentication device (1) each time. Enter the correct power-on password to use the encrypted authentication device (1) for each operation.
5. 如权利要求 1或 2或 3或 4所述的加密认证装置, 其特征在于,所述的 主芯片 (101 )将资料加密时, 可以采用包括如下的其中之一的加密算 法: The cryptographic authentication apparatus according to claim 1 or 2 or 3 or 4, wherein when said main chip (101) encrypts data, an encryption algorithm including one of the following may be employed:
1. 数据加密标准 (Data Encryption Standard - DES) ;  1. Data Encryption Standard (DES);
2. 三重数据加密标准(Triple - DES) ;  2. Triple Data Encryption Standard (Triple - DES);
3. RSA加密演算法 (RSA algorithm) ;  3. RSA encryption algorithm (RSA algorithm);
4. 一次性密码 (One Time Pad) ;  4. One Time Pad;
5. 公钥基础架构 (Public Key Infrastructure - PKI) 。  5. Public Key Infrastructure (PKI).
6. 如权利要求 1或 2或 3或 4所述的加密认证装置, 其特征在于,所述的 主芯片 (101 ) 将资料加密前, 被加密的资料内容还包括有校验资料, 以保障资料不会被窜改。 The cryptographic authentication device according to claim 1 or 2 or 3 or 4, wherein before the main chip (101) encrypts the data, the encrypted data content further includes verification data to ensure The information will not be tampered with.
7. 如权利要求 6所述的加密认证装置,其特征在于,所述的校验资料是由 被加密的资料通过包括如下其中之一的校验算法所产生: 7. The cryptographic authentication device of claim 6, wherein the verification data is generated by the encrypted data by a verification algorithm comprising one of:
1. 循环冗余码 (CRC) 算法;  1. Cyclic Redundancy Code (CRC) algorithm;
2. 摘要演算法 (Message-Digest Algorithm) ;  2. Abstract algorithm (Message-Digest Algorithm);
3. 消息认证码 (Message authentication code)算法;  3. Message authentication code algorithm;
4. 安全杂凑标准 (Secure Hash Standard) 算法。  4. Secure Hash Standard algorithm.
8. 如权利要求 1所述的加密认证装置,其特征在于,所述的通讯接口(104) 可以是无线通讯装置、 或有线通讯装置、 或蓝芽装置、 或红外线装置、 或 USB接口、 或 SD记忆卡接口、 或 MINI- SD记忆卡接口、 或醒 C记忆 卡接 、 或 RS- MMC记忆卡接口、 或 RS- 232接口、 或 PS2键盘接口。 8. The cryptographic authentication device of claim 1, wherein the communication interface (104) can be a wireless communication device, or a wired communication device, or a Bluetooth device, or an infrared device, or a USB interface, or SD memory card interface, or MINI-SD memory card interface, or wake up C memory card, or RS-MMC memory card interface, or RS-232 interface, or PS2 keyboard interface.
9. 一种加密认证电讯系统, 用于用户身份认证用途, 特别用于金融业, 包 括釆用如权利要求 1-8所述加密认证装置(1 ) , 以及终端机 (2) 、 网络(3)、服务器(4),其中,加密认证装置(1 )独立于终端机(2), 与终端机 (2) 相分离设置, 本系统中各加密认证装置(1 ) 分别在服 务器 (4) 内登记及被服务器(4)所识别, 在加密认证装置(1 )和服 务器 (4) 内分别设有相配对的密钥 (A, B) , 加密过程在加密认证装. 置 (1 ) 中进行, 利用密钥 (A)形成密文, 经终端机(2) 及网络 (3) 传输至服务器(4) , 服务器(4)利用相配对的密钥 (B) 解密密文, 解密成功则识别成功, 所述系统进入后面预定程序。 9. An encrypted authentication telecommunications system for user identity authentication, in particular for the financial industry, comprising an encryption authentication device (1) according to claims 1-8, and a terminal (2), network (3) And a server (4), wherein the encryption authentication device (1) is independent of the terminal (2) and is disposed separately from the terminal (2), wherein each encryption authentication device (1) in the system is in the server (4) Registered and identified by the server (4), respectively, a paired key (A, B) is provided in the encrypted authentication device (1) and the server (4), and the encryption process is performed in the encrypted authentication device (1). The ciphertext is formed by using the key (A), transmitted to the server (4) via the terminal (2) and the network (3), and the server (4) decrypts the ciphertext by using the paired key (B), and the decryption succeeds to identify Upon success, the system enters a later predetermined procedure.
10.如权利要求 9所述的加密认证电讯系统,其特征在于,所述的月艮务器 (4) 内设有多个认证账户 (401) , 每一个认证账户 (401)对应一个加密 认证装置 (1) , 认证账户 (401) 内储存有该账户所对应的加密认证 装置 (1) 的装置编号 (105) 和一个账户密码, 每一认证账户 (401) 内储存有多条密钥 (B)和多个索引号 (C) , 每一个索引号 (C)对应 一条密钥 (B) , 10. The encrypted authentication telecommunications system according to claim 9, wherein said server (4) is provided with a plurality of authentication accounts (401), and each authentication account (401) corresponds to an encrypted authentication. In the device (1), the authentication account (401) stores the device number (105) of the encrypted authentication device (1) corresponding to the account and an account password, and each authentication account (401) stores multiple keys ( B) and a plurality of index numbers (C), each index number (C) corresponding to a key (B),
以及,  as well as,
每一认证账户 (401) 内的密钥 (B) 与该账户的加密认证装置(1) 内 的密钥(A)成配对关系, 每一条密钥(B)有一条相配对的密钥(A), 每一对相配对的密钥 (A) 和密钥 (B) 它们所对应的索引号 (C) 是相 同的。  The key (B) in each authentication account (401) is paired with the key (A) in the encrypted authentication device (1) of the account, and each key (B) has a matching key ( A), each pair of paired key (A) and key (B) their corresponding index number (C) is the same.
11. 如权利要求 9所述的加密认证电讯系统,其特征在于,所述的服务器 (4) 每次将资料解密时, 会按预定程序从认证账户 (401) 内提取一条与该 资料相配对的密钥 (B) 将资料解密, 以及, 服务器 (4)将资料解密 后, 就会将该条密钥(B)删除或弃置或标记为已用, 使该条密钥 (B) 不会再次被服务器 (4) 使用。 11. The cryptographic authentication telecommunications system according to claim 9, wherein the server (4) extracts a pair of the data from the authentication account (401) according to a predetermined procedure each time the server decrypts the data. The key (B) decrypts the data, and after the server (4) decrypts the data, the key (B) is deleted or discarded or marked as used, so that the key (B) does not Used again by the server (4).
12. 一种加密认证方法, 采用如权利要求 1至 10任一项所述的加密认证装 置, 用于身份认证等用途, 其特征在于, 所述的方法包括用户使用终 端机 (2) 登入服务器(4) 时, 用户预先在加密认证装置(1)上输入 账户密码等需要认证的资料, 由加密认证装置(1)将需要认证的资料 加密为密文, 然后通过终端机 (2) 经网络 (3) 将该密文传送到服务 器 (4) , 由服务器 (4)将密文解密还原出需要认证的资料, 服务器 (4)核对需要认证的资料无误后, 用户的身份认证成功, 可以登入服 务器(4) 。 An encryption authentication method, using the encryption authentication device according to any one of claims 1 to 10, for identity authentication or the like, characterized in that the method comprises the user logging in to the server using the terminal (2) (4), the user enters the account authentication password (1) into the data to be authenticated, such as the account password, and the encrypted authentication device (1) encrypts the data to be authenticated into the ciphertext, and then passes through the network through the terminal (2). (3) Transfer the ciphertext to the service (4), the server (4) decrypts the ciphertext to restore the data to be authenticated, and the server (4) checks that the information to be authenticated is correct, the user's identity is successfully authenticated, and the server can be logged in (4).
13.如权利要求 12所述的加密认证方法, 用于身份认证等用途, 其特征在 于, 所述的方法包括如下的步骤, 是用户登入服务器 (4) 时, 通过加 密认证装置 (1) 进行认证的步骤, 具体的步骤如下: The encryption authentication method according to claim 12, which is used for identity authentication or the like, wherein the method comprises the following steps: when the user logs in to the server (4), the encryption authentication device (1) performs The steps for certification, the specific steps are as follows:
1. 用户使用终端机 (2)通过网络(3)连线到服务器(4) , 在加密 认证装置 (1) 的键盘 (102)上输入账户密码等资料, 加密认证装 置 (1) 内的主芯片 (101)将用户输入的资料和装置编号 (105) 通过预定的校验算法计算出包含校验资料的认证资料, 然后在主芯 片 (101) 内提取一条未用的密钥 (A) 将认证资料加密为密文, 并 提取出该密钥 (A) 所对应的索引号 (C) , 主芯片 (101) 将认证 资料加密后将该条密钥 (A)删除或弃置或标记为已用;  1. The user uses the terminal (2) to connect to the server (4) via the network (3), and enters the account password and other data on the keyboard (102) of the encryption authentication device (1) to encrypt the master in the authentication device (1). The chip (101) calculates the authentication data including the verification data by using a predetermined verification algorithm by the data and device number (105) input by the user, and then extracts an unused key (A) in the main chip (101). The authentication data is encrypted into ciphertext, and the index number (C) corresponding to the key (A) is extracted, and the master chip (101) encrypts the authentication data and deletes or discards or marks the key (A) as use;
2. 加密认证装置 (1) 通过显示屏 (103) 将密文连同索引号 (C) 显 示给用户看,然后用户在终端机(2)上输入登入名称、显示屏(103) 所显示的密文内容和索引号 (C)等资料;  2. Encryption authentication device (1) Display the cipher text together with the index number (C) to the user through the display (103), and then the user enters the login name and the density displayed on the display (103) on the terminal (2). Information such as text content and index number (C);
或;  Or
用户在终端机 (2)上输入登入名称, 然后将加密认证装置 (1) 的 通讯接口 (104) 与终端机 (2)连接, 将密文连同索引号 (C) 通 过通讯接口 (104) 传送到终端机 (2) ;  The user enters the login name on the terminal (2), and then connects the communication interface (104) of the encrypted authentication device (1) with the terminal (2), and transmits the ciphertext along with the index number (C) through the communication interface (104). To the terminal (2);
3. 终端机 (2) 通过网络 (3) 将登入名称、 密文和索引号 (C) 传送 到服务器 (4) ; 3. The terminal (2) transmits the login name, ciphertext and index number (C) to the server (4) via the network (3);
4. 服务器(4)从登入名称找到用户的认证账户(401 ), 从索引号(C) 在该认证账户 (401 ) 内提取对应该索引号 (C) 的密钥 (B) 将密 文解密还原出认证资料,服务器(4)将密文解密后将该条密钥(B) 删除或弃置或标记为已用, 并通过预定的校验算法校验认证资料和 还原出装置编号 (105) 和账户密码等资料, 校验无误后表示认证 资料没有被窜改过, 服务器(4) 核对装置编号 (105)和账户密码 等资料无误后, 表示用户的身份认证成功, 然后服务器 (4) 通过 网络(3) 向终端机(2)发出信息, 通知用户已经成功登入了服务 器(4) 。 4. The server (4) finds the user's authentication account (401) from the login name, extracts the key corresponding to the index number (C) from the authentication account (401) from the index number (C), and decrypts the ciphertext. After the authentication data is restored, the server (4) decrypts the ciphertext and deletes or discards the key (B) as used, and verifies the authentication data and restores the device number through a predetermined verification algorithm (105) And the account password and other information, after verifying that the authentication data has not been tampered with, the server (4) check the device number (105) and account password and other information is correct, indicating that the user's identity authentication is successful, then the server (4) through the network (3) Send a message to the terminal (2) notifying the user that the server has been successfully logged in (4).
PCT/CN2007/002384 2007-08-08 2007-08-08 The device and the method of encrypting and authenticating against trojan horse with one time key WO2009018685A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN200780100187.0A CN101933287B (en) 2007-08-08 2007-08-08 The encrypting and authenticating apparatus and method of the disposable one time key of antagonism wooden horse formula
PCT/CN2007/002384 WO2009018685A1 (en) 2007-08-08 2007-08-08 The device and the method of encrypting and authenticating against trojan horse with one time key
HK11105547.4A HK1151402A1 (en) 2007-08-08 2011-06-02 The device and the method of encrypting and authenticating against trojan horse with one time key

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2007/002384 WO2009018685A1 (en) 2007-08-08 2007-08-08 The device and the method of encrypting and authenticating against trojan horse with one time key

Publications (1)

Publication Number Publication Date
WO2009018685A1 true WO2009018685A1 (en) 2009-02-12

Family

ID=40340930

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/002384 WO2009018685A1 (en) 2007-08-08 2007-08-08 The device and the method of encrypting and authenticating against trojan horse with one time key

Country Status (3)

Country Link
CN (1) CN101933287B (en)
HK (1) HK1151402A1 (en)
WO (1) WO2009018685A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112242013A (en) * 2019-07-18 2021-01-19 冯成光 Communication system using random code encryption

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721541B (en) * 2016-01-13 2018-11-16 大连楼兰科技股份有限公司 The method and its system of long-range control vehicle

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1332425A (en) * 2000-07-10 2002-01-23 黄金富 Confirming payment method adopting dynamic cipher and corresponding electronic device
WO2002045339A1 (en) * 2000-11-29 2002-06-06 Temasek Polytechnic Enhance authorization system and method for computer security
CN1427351A (en) * 2001-12-17 2003-07-02 北京兆日科技有限责任公司 User's identity authentication method of dynamic electron cipher equipment and its resources sharing system
CN1588846A (en) * 2004-09-08 2005-03-02 中国工商银行 Dynamic encrypting device in network and its password identification method
CN1622508A (en) * 2004-12-13 2005-06-01 刘云清 One-time password table based one-time password generation and authentication system and method
WO2007051769A1 (en) * 2005-11-02 2007-05-10 Gemplus Method for the secure deposition of digital data, associated method for recovering digital data, associated devices for implementing methods, and system comprising said devices
CN1992592A (en) * 2005-12-30 2007-07-04 腾讯科技(深圳)有限公司 System and method of dynamic password identification

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI102235B (en) * 1996-01-24 1998-10-30 Nokia Telecommunications Oy Management of authentication keys in a mobile communication system
JP2004500613A (en) * 1999-04-12 2004-01-08 デジタル メディア オン ディマンド, インコーポレイテッド Secure e-commerce system
KR20010011667A (en) * 1999-07-29 2001-02-15 이종우 Keyboard having secure function and system using the same
CN100589381C (en) * 2004-12-14 2010-02-10 中兴通讯股份有限公司 User identity secret-keeping method in communication system
CN1851740A (en) * 2006-06-02 2006-10-25 上海华申智能卡应用系统有限公司 Bank net business processing method based on traditional terminal transaction form
CN1921392B (en) * 2006-09-19 2015-03-04 飞天诚信科技股份有限公司 Intelligent key equipment

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1332425A (en) * 2000-07-10 2002-01-23 黄金富 Confirming payment method adopting dynamic cipher and corresponding electronic device
WO2002045339A1 (en) * 2000-11-29 2002-06-06 Temasek Polytechnic Enhance authorization system and method for computer security
CN1427351A (en) * 2001-12-17 2003-07-02 北京兆日科技有限责任公司 User's identity authentication method of dynamic electron cipher equipment and its resources sharing system
CN1588846A (en) * 2004-09-08 2005-03-02 中国工商银行 Dynamic encrypting device in network and its password identification method
CN1622508A (en) * 2004-12-13 2005-06-01 刘云清 One-time password table based one-time password generation and authentication system and method
WO2007051769A1 (en) * 2005-11-02 2007-05-10 Gemplus Method for the secure deposition of digital data, associated method for recovering digital data, associated devices for implementing methods, and system comprising said devices
CN1992592A (en) * 2005-12-30 2007-07-04 腾讯科技(深圳)有限公司 System and method of dynamic password identification

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112242013A (en) * 2019-07-18 2021-01-19 冯成光 Communication system using random code encryption

Also Published As

Publication number Publication date
CN101933287B (en) 2015-11-25
HK1151402A1 (en) 2012-01-27
CN101933287A (en) 2010-12-29

Similar Documents

Publication Publication Date Title
JP5981610B2 (en) Network authentication method for electronic transactions
US8365262B2 (en) Method for automatically generating and filling in login information and system for the same
US6073237A (en) Tamper resistant method and apparatus
EP0986209B1 (en) Remote authentication system
WO2017164159A1 (en) 1:n biometric authentication, encryption, signature system
CN112425114B (en) Password manager protected by public key-private key pair
US8251286B2 (en) System and method for conducting secure PIN debit transactions
TWI512524B (en) System and method for identifying users
EP2188942A2 (en) Information protection device
CN101334884A (en) Method and system for enhancing bank transfer safety
KR20130131682A (en) Method for web service user authentication
WO2007121631A1 (en) System and method of electronic bank safety certification based on cpk
CN101335754B (en) Method for information verification using remote server
CN103929308B (en) Information Authentication method applied to rfid card
TW201108696A (en) Account identification system, method and peripheral device of performing function thereof
US20140258718A1 (en) Method and system for secure transmission of biometric data
CN101819614A (en) System and method for enhancing network transaction safety by utilizing voice verification USBKey
TW201223225A (en) Method for personal identity authentication utilizing a personal cryptographic device
CN108401494B (en) Method and system for transmitting data
CN106100854A (en) The reverse authentication method of terminal unit based on authority's main body and system
US11405387B1 (en) Biometric electronic signature authenticated key exchange token
CN108667801A (en) A kind of Internet of Things access identity safety certifying method and system
CN101547098B (en) Method and system for security certification of public network data transmission
KR101616795B1 (en) Method for manage private key file of public key infrastructure and system thereof
WO2009018685A1 (en) The device and the method of encrypting and authenticating against trojan horse with one time key

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200780100187.0

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07800687

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07800687

Country of ref document: EP

Kind code of ref document: A1