WO2014161442A1 - Operation request response method and system for electronic signature token, and electronic signature token - Google Patents


Info

Publication number
WO2014161442A1
Authority
WO
WIPO (PCT)
Prior art keywords
electronic signature
signature token
request
response
data packet
Application number
PCT/CN2014/074173
Other languages
French (fr)
Chinese (zh)
Inventor
李东声
Original Assignee
天地融科技股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/645 Protecting data integrity, e.g. using checksums, certificates or signatures using a third party

Definitions

  • The present invention relates to the field of electronic technologies, and in particular to a method and system for an electronic signature token to respond to an operation request, and to the electronic signature token itself.
  • Dynamic password technology, also known as One Time Password (OTP) technology, is based on password generation; according to how the password is generated it can be divided into time-based dynamic password technology, challenge/response-based dynamic password technology and event-factor-based dynamic password technology.
  • A user can perform various operations using a dynamic password, such as login, transfers and transactions, and for transfer and trading operations the amounts involved can be large. If criminals crack the operation request of one class of operation and obtain the dynamic password generation strategy, this inevitably puts the OTPs used in the user's other classes of operation at risk as well, so how to ensure the security of user account information is an urgent problem to be solved.
  • The present invention aims to solve the problem of how to protect the security of user account information.
  • A method for an electronic signature token to respond to an operation request includes the following steps:
  • the electronic signature token receives an open instruction and performs an open operation according to the open instruction;
  • the electronic signature token determines the operation type and/or the operation level corresponding to a received operation request, determines the policy used for responding to the operation request according to that operation type and/or operation level, and responds to the operation request according to the obtained policy.
  • The step of responding to the operation request according to the obtained policy includes one of the following: the electronic signature token determines, according to the operation type, a key seed that matches the operation type, and generates a dynamic password value based at least on the key seed and a preset event factor; or the electronic signature token determines, according to the operation level, an event factor that matches the operation level, and generates a dynamic password value based at least on a preset key seed and the event factor; or the electronic signature token determines a key seed that matches the operation type and an event factor that matches the operation level, and generates a dynamic password value based at least on the key seed and the event factor.
  • The method further includes:
  • the electronic signature token updates the event factor stored in the electronic signature token;
  • after receiving the input dynamic password value, the background system server verifies the dynamic password value and, after the verification is passed, updates the event factor stored in the background system server.
  • The step of generating a dynamic password value based at least on the key seed and a preset event factor includes: the electronic signature token acquires a challenge code, and generates the dynamic password value based on the acquired challenge code, the key seed and the preset event factor;
  • the step of generating a dynamic password value based at least on a preset key seed and the event factor includes: the electronic signature token acquires a challenge code, and generates the dynamic password value based on the acquired challenge code, the preset key seed and the event factor;
  • the step of generating a dynamic password value based at least on the key seed and the event factor includes: the electronic signature token acquires a challenge code, and generates the dynamic password value based on the acquired challenge code, the key seed and the event factor.
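The policy described above, as an added example in Python (not code from the patent): the classification setting table supplies the key seed by operation type, the hierarchical setting table supplies the event factor by operation level, both sides update their event factor as the claims require, and the pairwise-distinct mapping rule is enforced. HMAC-SHA256 with HOTP-style truncation and the server's look-ahead window are assumptions, since the patent fixes neither; the table contents are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample tables (not from the patent): the classification setting
# table maps an operation type to a key seed, the hierarchical setting table
# maps an operation level to the event factor (counter) it starts from.
CLASSIFICATION_TABLE = {
    "login": b"seed-login-0001",
    "transfer": b"seed-transfer-0002",
    "trade": b"seed-trade-0003",
}
HIERARCHICAL_TABLE = {1: 0, 2: 1000, 3: 5000}


def validate_tables(classification: dict, hierarchical: dict) -> None:
    """Enforce the mapping requirement: key seeds pairwise different across
    operation types, event factors pairwise different across operation levels."""
    if len(set(classification.values())) != len(classification):
        raise ValueError("key seeds must be pairwise different")
    if len(set(hierarchical.values())) != len(hierarchical):
        raise ValueError("event factors must be pairwise different")


def dynamic_password(key_seed: bytes, event_factor: int,
                     challenge: bytes = b"", digits: int = 6) -> str:
    """Derive the dynamic password value from key seed, event factor and an
    optional challenge code. HMAC-SHA256 with HOTP-style dynamic truncation is
    an assumed choice; the patent does not fix the generation algorithm."""
    message = event_factor.to_bytes(8, "big") + challenge
    mac = hmac.new(key_seed, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SignatureToken:
    """Token side: selects the policy (seed by type, event factor by level)
    and advances its own event factor after every generated password."""

    def __init__(self, classification: dict, hierarchical: dict) -> None:
        validate_tables(classification, hierarchical)
        self._seeds = dict(classification)
        self._event_factors = dict(hierarchical)

    def respond(self, op_type: str, op_level: int, challenge: bytes = b"") -> str:
        key_seed = self._seeds[op_type]               # matches the operation type
        event_factor = self._event_factors[op_level]  # matches the operation level
        otp = dynamic_password(key_seed, event_factor, challenge)
        self._event_factors[op_level] = event_factor + 1  # token-side update
        return otp


class BackgroundServer:
    """Server side: verifies a submitted password against the same tables and
    only then updates its stored event factor. The small look-ahead window is
    an assumption that tolerates passwords the token generated but never sent."""

    def __init__(self, classification: dict, hierarchical: dict, look_ahead: int = 3) -> None:
        validate_tables(classification, hierarchical)
        self._seeds = dict(classification)
        self._event_factors = dict(hierarchical)
        self._look_ahead = look_ahead

    def verify(self, op_type: str, op_level: int, otp: str, challenge: bytes = b"") -> bool:
        if op_type not in self._seeds or op_level not in self._event_factors:
            return False
        key_seed = self._seeds[op_type]
        start = self._event_factors[op_level]
        for step in range(self._look_ahead + 1):
            candidate = dynamic_password(key_seed, start + step, challenge)
            if hmac.compare_digest(candidate, otp):
                # Update the stored event factor only after verification passes;
                # moving past the used counter also rejects a replayed password.
                self._event_factors[op_level] = start + step + 1
                return True
        return False


if __name__ == "__main__":
    token = SignatureToken(CLASSIFICATION_TABLE, HIERARCHICAL_TABLE)
    server = BackgroundServer(CLASSIFICATION_TABLE, HIERARCHICAL_TABLE)
    otp = token.respond("transfer", 2, challenge=b"4711")
    print("transfer/level 2:", otp, server.verify("transfer", 2, otp, b"4711"))
    print("replay rejected:", not server.verify("transfer", 2, otp, b"4711"))
```

Because the seed is bound to the operation type, a password generated for one class of operation does not verify for another, which is the separation the background section asks for.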
  • The method further includes:
  • the electronic signature token acquires a validation request instruction, obtains a validation request code according to the validation request instruction, and generates validation request information according to at least the validation request code;
  • the electronic signature token signs the validation request information with the private key of the electronic signature token to generate first signature data;
  • the electronic signature token generates a first request data packet from the first signature data and the validation request information;
  • after generating the first request data packet, the electronic signature token sends it to the background system server;
  • the background system server verifies the first signature data using the public key corresponding to the private key of the electronic signature token;
  • after the verification of the first signature data is passed, the background system server obtains the validation request code from at least the validation request information and generates validation feedback information according to at least the validation request code;
  • the background system server encrypts the validation feedback information using the public key corresponding to the private key of the electronic signature token to obtain a validation feedback data packet, and sends the validation feedback data packet to the electronic signature token;
  • the electronic signature token decrypts the validation feedback data packet with its private key, obtains the validation feedback information and saves it;
  • the electronic signature token generates a first response data packet and sends it to the background system server;
  • after receiving the first response data packet, the background system server responds to the validation operation.
  • The step of the electronic signature token generating the validation request information according to the validation request code includes:
  • the electronic signature token acquires at least one of a classification setting table corresponding to the operation type and a hierarchical setting table corresponding to the operation level;
  • the electronic signature token generates the validation request information according to the acquired table or tables and the validation request code.
  • The step of the background system server obtaining the validation request code and generating the validation feedback information after the verification of the first signature data is passed includes:
  • after the verification of the first signature data is passed, the background system server obtains at least one of the classification setting table and the hierarchical setting table, together with the validation request code, from the validation request information;
  • the background system server generates the validation feedback information according to that table or tables and the validation request code.
  • The validation feedback information includes at least one of the classification setting table and the hierarchical setting table, together with the mapping relationship corresponding to each table, where:
  • the mapping relationship of the classification setting table is the mapping between operation types and key seeds in the classification setting table, and the key seeds corresponding to any two operation types are pairwise different;
  • the mapping relationship of the hierarchical setting table is the mapping between operation levels and event factors in the hierarchical setting table, and the event factors corresponding to any two operation levels are pairwise different.
  • The step of the electronic signature token generating a first response data packet and sending it to the background system server includes:
  • the electronic signature token generates first response information and signs it with its private key to obtain first response signature data;
  • the electronic signature token generates the first response data packet from the first response signature data and the first response information;
  • after generating the first response data packet, the electronic signature token sends it to the background system server.
  • The step of responding to the validation operation includes:
  • after receiving the first response data packet, the background system server obtains the first response signature data and the first response information from the first response data packet;
  • the background system server verifies the first response signature data using the public key corresponding to the private key of the electronic signature token, and after the verification is passed responds to the validation operation according to the first response information.
  • The method further includes:
  • the electronic signature token receives an activation instruction and generates an activation request code according to the activation instruction;
  • the electronic signature token signs the activation request code with its private key to generate second signature data, and generates a second request data packet according to the activation request code and the second signature data;
  • after generating the second request data packet, the electronic signature token sends it to the background system server;
  • after receiving the second request data packet, the background system server obtains the activation request code and the second signature data from it, and verifies the second signature data using the public key corresponding to the private key of the electronic signature token;
  • after the verification of the second signature data is passed, the background system server generates an activation code according to the activation request code;
  • after generating the activation code, the background system server encrypts it using the public key corresponding to the private key of the electronic signature token to obtain an encrypted activation code, and sends the encrypted activation code to the electronic signature token;
  • after receiving the encrypted activation code, the electronic signature token decrypts it with its private key to obtain the decrypted activation code;
  • the electronic signature token verifies the decrypted activation code, generates a second response data packet and sends it to the background system server;
  • after receiving the second response data packet, the background system server responds to the activation operation.
  • The step of the electronic signature token verifying the decrypted activation code includes one of the following:
  • after obtaining the decrypted activation code, the electronic signature token generates an activation verification code with its own activation verification code generation algorithm, and compares the decrypted activation code with the activation verification code to verify the decrypted activation code; or
  • when the background system server sends the encrypted activation code together with the activation code to the electronic signature token, the electronic signature token decrypts the encrypted activation code with its private key to obtain the decrypted activation code, and compares the decrypted activation code with the activation code sent by the background system server to verify the decrypted activation code.
  • The step of sending the second response data packet to the background system server includes:
  • after verifying the decrypted activation code, the electronic signature token generates second response information and signs it with its private key to obtain second response signature data;
  • the electronic signature token generates the second response data packet from the second response signature data and the second response information;
  • after generating the second response data packet, the electronic signature token sends it to the background system server.
  • The step of responding to the activation operation includes:
  • after receiving the second response data packet, the background system server obtains the second response signature data and the second response information from it;
  • the background system server verifies the second response signature data using the public key corresponding to the private key of the electronic signature token, and after the verification is passed responds to the activation operation according to the second response information.
  • The method further includes:
  • the electronic signature token acquires a synchronization request instruction, obtains a synchronization request code according to the synchronization request instruction, and generates synchronization request information according to at least the synchronization request code;
  • the electronic signature token signs the synchronization request information with its private key to generate third signature data;
  • the electronic signature token generates a third request data packet from the third signature data and the synchronization request information;
  • after generating the third request data packet, the electronic signature token sends it to the background system server;
  • the background system server verifies the third signature data using the public key corresponding to the private key of the electronic signature token;
  • after the verification of the third signature data is passed, the background system server obtains the synchronization request code from at least the synchronization request information and generates synchronization feedback information according to at least the synchronization request code;
  • the background system server encrypts the synchronization feedback information using the public key corresponding to the private key of the electronic signature token to obtain a synchronization feedback data packet, and sends it to the electronic signature token;
  • the electronic signature token decrypts the synchronization feedback data packet with its private key, obtains the synchronization feedback information and saves it;
  • the electronic signature token generates a third response data packet and sends it to the background system server;
  • after receiving the third response data packet, the background system server responds to the synchronization operation.
  • The step of the electronic signature token generating a third response data packet and sending it to the background system server includes:
  • the electronic signature token generates third response information and signs it with its private key to obtain third response signature data;
  • the electronic signature token generates the third response data packet from the third response signature data and the third response information, and sends it to the background system server.
  • The step of responding to the synchronization operation includes:
  • after receiving the third response data packet, the background system server obtains the third response signature data and the third response information from it;
  • the background system server verifies the third response signature data using the public key corresponding to the private key of the electronic signature token, and after the verification is passed responds to the synchronization operation according to the third response information.
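The validation request exchange described earlier, and the activation and synchronization exchanges that follow the same sign, verify and encrypt pattern, as an added example that is not code from the patent. It assumes the `cryptography` package, RSA-PSS for the signatures and RSA-OAEP for the feedback data packet (the patent names no algorithms), constructed table contents, and an assumed check that the feedback echoes the outstanding validation request code.

```python
import json
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumed algorithm choices (the patent names none): RSA-PSS signatures over the
# request/response information and RSA-OAEP for the feedback data packet.
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

# Constructed server-side tables: operation type -> key seed (hex),
# operation level -> event factor. Kept small so they fit one OAEP block.
SERVER_CLASSIFICATION = {"login": "0f1e2d3c4b5a6978", "transfer": "8796a5b4c3d2e1f0"}
SERVER_HIERARCHICAL = {"1": 0, "2": 1000}


def _pack(info: dict) -> bytes:
    """Canonical encoding so the signed bytes are reproducible on both sides."""
    return json.dumps(info, sort_keys=True, separators=(",", ":")).encode()


def _verify(public_key, signature: bytes, data: bytes) -> bool:
    try:
        public_key.verify(signature, data, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


class Token:
    """Electronic signature token: holds the private key, asks for its tables."""

    def __init__(self) -> None:
        self._private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.public_key = self._private_key.public_key()
        self.tables = None
        self._request_code = None

    def build_validation_request(self, op_type: str, op_level: int) -> dict:
        # Validation request code: fresh per request so feedback can be tied to it.
        self._request_code = os.urandom(8).hex()
        info = {"request_code": self._request_code, "op_type": op_type, "op_level": op_level}
        first_signature = self._private_key.sign(_pack(info), PSS, hashes.SHA256())
        return {"info": info, "sig": first_signature}  # first request data packet

    def accept_feedback(self, feedback_packet: bytes) -> dict:
        # Decrypt with the private key, save the tables, answer with a signed response.
        feedback = json.loads(self._private_key.decrypt(feedback_packet, OAEP))
        if feedback.get("request_code") != self._request_code:
            raise ValueError("feedback does not belong to the outstanding request")
        self.tables = {"classification": feedback["classification"],
                       "hierarchical": feedback["hierarchical"]}
        response = {"request_code": self._request_code, "result": "tables saved"}
        signature = self._private_key.sign(_pack(response), PSS, hashes.SHA256())
        return {"info": response, "sig": signature}  # first response data packet


class BackgroundServer:
    """Background system server: verifies with the token's public key, encrypts
    the feedback with it, and completes the validation on the signed response."""

    def __init__(self, token_public_key, classification: dict, hierarchical: dict) -> None:
        self._token_public_key = token_public_key
        self._classification = classification
        self._hierarchical = hierarchical
        self._pending = set()
        self.validated = False

    def handle_validation_request(self, packet: dict):
        if not _verify(self._token_public_key, packet["sig"], _pack(packet["info"])):
            return None  # first signature data did not verify
        request_code = packet["info"]["request_code"]
        feedback = {"request_code": request_code, "classification": self._classification,
                    "hierarchical": self._hierarchical}
        self._pending.add(request_code)
        return self._token_public_key.encrypt(_pack(feedback), OAEP)  # feedback data packet

    def handle_validation_response(self, packet: dict) -> bool:
        if not _verify(self._token_public_key, packet["sig"], _pack(packet["info"])):
            return False
        request_code = packet["info"].get("request_code")
        if request_code not in self._pending:
            return False  # unknown or already completed request
        self._pending.discard(request_code)
        self.validated = True
        return True
```

Replacing the feedback tables with an activation code or synchronization data gives the two other exchanges; the packet layout and key usage do not change.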
  • The step of the electronic signature token receiving an open instruction and performing an open operation according to the open instruction includes:
  • the electronic signature token receives a booting instruction and performs a booting operation according to the booting instruction;
  • after booting, the electronic signature token receives an externally entered dynamic password mode command and enters dynamic password mode according to that command.
  • An electronic signature token, including:
  • a startup module, configured to perform an open operation according to an open instruction when the open instruction is received;
  • a determining module connected to the startup module, configured to determine the operation type and/or operation level corresponding to a received operation request;
  • an execution module connected to the determining module, configured to determine the policy used for responding to the operation request according to the operation type and/or operation level, and to respond to the operation request according to the obtained policy.
  • The execution module is further configured to determine, according to the operation type, a key seed that matches the operation type, and/or to determine, according to the operation level, an event factor that matches the operation level, and to generate a dynamic password value based at least on the key seed and the event factor.
  • The electronic signature token further includes an update module connected to the execution module, configured to update the event factor stored in the electronic signature token.
  • The execution module is configured to operate in any of the following ways:
  • acquire a challenge code and generate the dynamic password value based on the acquired challenge code, the key seed and a preset event factor;
  • acquire a challenge code and generate the dynamic password value based on the acquired challenge code, a preset key seed and the event factor;
  • acquire a challenge code and generate the dynamic password value based on the acquired challenge code, the key seed and the event factor.
  • The electronic signature token further includes:
  • a first transmission module, configured to acquire a validation request instruction and obtain a validation request code according to the validation request instruction;
  • a first generation module, configured to generate validation request information according to at least the validation request code;
  • a first signature module, configured to sign the validation request information with the private key of the electronic signature token to generate first signature data;
  • the first generation module, connected to the first signature module, is configured to generate a first request data packet from the first signature data and the validation request information after the first signature data is generated;
  • the first transmission module, connected to the first generation module, is configured to send the first request data packet to the background system server after it is generated, and to receive the validation feedback data packet;
  • a decryption module, configured to decrypt the validation feedback data packet with the private key of the electronic signature token to obtain the validation feedback information, and to save the validation feedback information;
  • the first generation module is configured to generate a first response data packet, and the first transmission module is configured to send the first response data packet to the background system server.
  • The first generation module is configured to acquire at least one of a classification setting table corresponding to the operation type and a hierarchical setting table corresponding to the operation level, and to generate the validation request information according to the acquired table or tables and the validation request code.
  • The validation feedback information includes at least one of the classification setting table and the hierarchical setting table, together with the mapping relationship corresponding to each table, where:
  • the mapping relationship of the classification setting table is the mapping between operation types and key seeds in the classification setting table, and the key seeds corresponding to any two operation types are pairwise different;
  • the mapping relationship of the hierarchical setting table is the mapping between operation levels and event factors in the hierarchical setting table, and the event factors corresponding to any two operation levels are pairwise different.
  • The first generation module is configured to generate first response information, sign it with the private key of the electronic signature token to obtain first response signature data, generate the first response data packet from the first response signature data and the first response information, and send out the first response data packet.
  • The electronic signature token further includes:
  • a first transmission module, configured to receive an activation instruction and generate an activation request code according to the activation instruction;
  • a first signature module connected to the first transmission module, configured to sign the activation request code with the private key of the electronic signature token to generate second signature data;
  • a first generation module connected to the first signature module, configured to generate a second request data packet according to the activation request code and the second signature data;
  • the first transmission module is configured to send the second request data packet to the background system server after it is generated, and to receive the encrypted activation code;
  • a decryption module, configured to decrypt the encrypted activation code with the private key of the electronic signature token to obtain the decrypted activation code;
  • a first verification module connected to the decryption module, configured to verify the decrypted activation code;
  • the first generation module is configured to generate a second response data packet after the decrypted activation code is verified, and the first transmission module is configured to send the second response data packet to the background system server.
  • The first verification module is configured to: after obtaining the decrypted activation code, generate an activation verification code with the activation verification code generation algorithm of the electronic signature token and compare the decrypted activation code with the activation verification code to verify the decrypted activation code; or, when the background system server sends the encrypted activation code together with the activation code to the electronic signature token, decrypt the encrypted activation code with the private key of the electronic signature token to obtain the decrypted activation code and compare it with the activation code sent by the background system server to verify the decrypted activation code.
  • The first generation module is configured to: after the decrypted activation code is verified, generate second response information, sign it with the private key of the electronic signature token to obtain second response signature data, generate the second response data packet from the second response signature data and the second response information, and send the second response data packet to the background system server.
  • The electronic signature token further includes:
  • a first transmission module, configured to acquire a synchronization request instruction and obtain a synchronization request code according to the synchronization request instruction;
  • a first generation module connected to the first transmission module, configured to generate synchronization request information according to at least the synchronization request code;
  • a first signature module connected to the first generation module, configured to sign the synchronization request information with the private key of the electronic signature token to generate third signature data;
  • the first generation module is configured to generate a third request data packet from the third signature data and the synchronization request information after the third signature data is generated;
  • the first transmission module is configured to send the third request data packet to the background system server after it is generated, and to receive the synchronization feedback data packet;
  • a decryption module, configured to decrypt the synchronization feedback data packet with the private key of the electronic signature token to obtain the synchronization feedback information, and to save the synchronization feedback information;
  • the first generation module is configured to generate a third response data packet, and the first transmission module is configured to send the third response data packet to the background system server.
  • The first generation module is configured to generate third response information, sign it with the private key of the electronic signature token to obtain third response signature data, and generate the third response data packet from the third response signature data and the third response information.
  • The startup module includes:
  • an execution unit, configured to perform a booting operation according to a booting instruction when the booting instruction is received;
  • a processing unit, configured to receive an externally entered dynamic password mode command after booting, and to enter dynamic password mode according to that command.
  • a system for an electronic signature token to respond to an operation request comprising the electronic signature of any of the above a token and a background system server, wherein the background system server comprises:
  • An update module configured to verify the dynamic password value after receiving the input dynamic password value, and verify the After that, the event factor saved in the background system server is updated.
  • the background system server further includes:
  • a second communication module configured to, after receiving the first request data packet, obtain the first signature data and the validation request information from the first request data packet;
  • a second verification module configured to verify the first signature data by using the public key corresponding to the private key of the electronic signature token;
  • a second generating module configured to, after the first signature data passes verification, obtain the validation request code from at least the validation request information, and generate the validation feedback information according to at least the validation request code;
  • an encryption module configured to encrypt the validation feedback information by using the public key corresponding to the private key of the electronic signature token, to obtain the validation feedback data packet;
  • the second communication module is configured to send the validation feedback data packet to the electronic signature token;
  • the second communication module is further configured to, after receiving the first response data packet, obtain the first response signature data and the first response information according to the first response data packet;
  • the second verification module is further configured to verify the first response signature data by using the public key corresponding to the private key of the electronic signature token, and, after the verification passes, respond to the validation operation according to the first response information;
  • the second generating module is further configured to, after the first signature data passes verification, obtain at least one of the classification setting table and the rating setting table, together with the validation request code, from the validation request information, and generate the validation feedback information according to that at least one of the classification setting table and the rating setting table and the validation request code.
  • the background system server further includes:
  • a second communication module configured to, after receiving the second request data packet, obtain the activation request code and the second signature data from the second request data packet;
  • a second verification module configured to verify the second signature data by using the public key corresponding to the private key of the electronic signature token;
  • an encryption module configured to, after the second signature data passes verification, generate an activation code according to the activation request code, and encrypt the activation code by using the public key corresponding to the private key of the electronic signature token to obtain an encrypted activation code;
  • the second communication module is configured to send the encrypted activation code to the electronic signature token.
  • the background system server further includes:
  • the second communication module is configured to obtain the second response signature data and the second response information according to the second response data packet;
  • the second verification module is configured to verify the second response signature data by using the public key corresponding to the private key of the electronic signature token, and, after the verification passes, respond to the activation operation according to the second response information.
  • the background system server further includes:
  • a second communication module configured to, after receiving the third request data packet, obtain the third signature data and the synchronization request information from the third request data packet;
  • a second verification module configured to verify the third signature data by using the public key corresponding to the private key of the electronic signature token, and, after the third signature data passes verification, obtain the synchronization request code from at least the synchronization request information and generate synchronization feedback information according to at least the synchronization request code;
  • an encryption module configured to encrypt the synchronization feedback information by using the public key corresponding to the private key of the electronic signature token, to obtain a synchronization feedback data packet;
  • the second communication module is configured to send the synchronization feedback data packet to the electronic signature token;
  • the second communication module is further configured to, after receiving the third response data packet, obtain the third response signature data and the third response information according to the third response data packet;
  • the second verification module is further configured to verify the third response signature data by using the public key corresponding to the private key of the electronic signature token, and, after the verification passes, respond to the synchronization operation according to the third response information.
  • the embodiment provided by the present invention determines the operation type and/or operation level corresponding to the operation request, and from it determines the policy corresponding to the operation request, so that different operation types and/or operation levels correspond to different dynamic password generation policies. This removes the association between the generation policies of different operation types and/or operation levels: cracking the dynamic password generation policy of one type of operation request does not put the OTPs the user uses for other types of operations at risk, which improves the security of the information and protects the user's account information.
  • FIG. 1 is a schematic flowchart of an embodiment of the method provided by the present invention for an electronic signature token to respond to an operation request;
  • FIG. 2 is a schematic diagram of an effective process of an electronic signature token provided by the present invention.
  • FIG. 3 is a schematic diagram of an activation process of an electronic signature token provided by the present invention.
  • FIG. 4 is a schematic diagram of a synchronization process of an electronic signature token provided by the present invention.
  • FIG. 5 is a schematic structural diagram of an electronic signature token provided by the present invention.
  • "connection" should be understood in a broad sense: for example, it can be a fixed connection, a detachable connection or an integral connection; it can be a mechanical connection or an electrical connection; it can be a direct connection or an indirect connection through an intermediate medium, or an internal communication between two components.
  • FIG. 1 is a schematic flowchart of an embodiment of the method provided by the present invention for an electronic signature token to respond to an operation request.
  • The method embodiment shown in FIG. 1 includes the following steps:
  • Step 101 The electronic signature token receives a power-on command and performs a power-on operation according to the power-on command.
  • Specifically, the electronic signature token receives the power-on instruction and performs the power-on operation according to it; after the electronic signature token is powered on, it receives an externally input instruction to enter the dynamic password mode, and enters the dynamic password mode according to that instruction.
  • Step 102 The electronic signature token determines, according to the received operation request, the operation type and/or the operation level corresponding to the operation request;
  • the operation type may include login, transfer, transaction and query, but is not limited to these; the user may also preset further subdivisions of the operation types listed above.
  • the operation level is divided according to the amount of money the operation can control in the account, that is, the ability to control the account amount is divided into different levels, such as less than 100 yuan, 100 to 1000 yuan, 1000 to 5000 yuan, and so on.
  • For example, if the operation request is a login, the operation type corresponding to the operation request is determined; if the operation request is a transfer of 800 yuan, both the operation type and the operation level corresponding to the operation request can be determined.
  • It can also be set in advance, or chosen by the user, that only the operation level is managed; for example, if the operation request is for 200 yuan, only the operation level corresponding to the operation request is determined.
  • Step 103 The electronic signature token determines the policy used to respond to the operation request according to the operation type and/or the operation level;
  • the foregoing policy is negotiated and determined jointly by the electronic signature token and the background system server.
  • Step 104 The electronic signature token responds to the operation request according to the obtained policy.
  • responding to the operation request includes any one of the following manners:
  • Manner 1 The electronic signature token determines, according to the operation type, the key seed that matches the operation type, and generates a dynamic password value according to at least the key seed and a preset event factor;
  • the complexity of the key seed can be set according to the impact of the operation type on account security; for example, login and query operations carry lower risk than transaction and transfer operations, so the key seed corresponding to them can also be simpler than the key seed used for transaction and transfer operations.
  • the key seeds corresponding to the different operation types differ from one another, which prevents the risk that, when the key of one operation type is cracked, other types of operation are cracked as well.
  • Manner 2 The electronic signature token determines, according to the operation level, the event factor that matches the operation level, and generates a dynamic password value according to at least a preset key seed and the event factor;
  • compared with Manner 1, this manner increases the randomness and complexity of the event factor, which reduces the probability that the event factor is cracked and improves the security of the information.
  • Manner 3 The electronic signature token determines, according to the operation type, the key seed that matches the operation type, determines, according to the operation level, the event factor that matches the operation level, and generates a dynamic password value according to at least the key seed and the event factor;
  • the third manner is an optimization of the first and second manners, has the advantages of both, and further improves the security of the user's account information.
  • in Manner 1, the step of generating a dynamic password value according to at least the key seed and a preset event factor includes: the electronic signature token acquires a challenge code, and generates the dynamic password value according to the acquired challenge code, the key seed and the preset event factor;
  • in Manner 2, the step of generating a dynamic password value according to at least a preset key seed and the event factor includes: the electronic signature token acquires a challenge code, and generates the dynamic password value according to the acquired challenge code, the preset key seed and the event factor;
  • in Manner 3, the step of generating a dynamic password value according to at least the key seed and the event factor includes: the electronic signature token acquires a challenge code, and generates the dynamic password value according to the acquired challenge code, the key seed and the event factor.
  • the higher the operation level, the higher the complexity of the challenge code; conversely, a lower operation level allows a simpler challenge code.
  • the challenge codes of different levels can be taken from the same piece of information, such as the user account; for example, the challenge code of a high operation level is the last 5 digits of the account number, and the challenge code of a low operation level is the last 1 digit of the account number. Of course, the challenge codes of different levels can also be taken from different information, such as account information, time information or transaction details; for example, the challenge code of a high operation level is taken from the account information, and the challenge code of a low operation level is taken from the event information.
  • the method further includes:
  • the electronic signature token updates the event factor stored in the electronic signature token;
  • after receiving the dynamic password value input by the user, the background system server verifies the dynamic password value and, after the verification passes, updates the event factor stored in the background system server.
  • updating the event factor keeps the event factor recorded by the background system server consistent with the one recorded by the electronic signature token, so that the dynamic password generated the next time dynamic password generation is triggered is correct.
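  • As an added illustration, not code from the patent, the following Python models Manner 3 together with the challenge code and the event factor update described above: one key seed per operation type (the classification setting table), one event factor per operation level (the rating setting table), a challenge code taken from the tail of the account number, and a 6-digit dynamic password. The HMAC-SHA256 construction of the password, the level above 5000 yuan, the challenge code lengths for the middle levels, the seeds and the account number are assumptions; the patent specifies none of them.

```python
"""Per-type key seed, per-level event factor and challenge code (Manner 3).

Assumptions (not from the patent): OTP = HMAC-SHA256(seed, event_factor || challenge)
truncated to 6 digits; tables, seeds, thresholds and account number are constructed.
"""
import hashlib
import hmac

# Constructed classification setting table: each operation type owns its own key
# seed (in the patent the server delivers these in the validation feedback).
CLASSIFICATION_TABLE = {
    "login":       bytes.fromhex("1f" * 16),
    "query":       bytes.fromhex("2e" * 16),
    "transfer":    bytes.fromhex("3d" * 16),
    "transaction": bytes.fromhex("4c" * 16),
}

# Operation levels by controllable amount, following the yuan ranges in the
# description (<100, 100-1000, 1000-5000); a level for 5000 and above is assumed.
LEVEL_BOUNDS = [100, 1000, 5000]

# Assumed rating setting table: trailing account digits used as the challenge
# code per level (the text gives 1 digit for a low level and 5 for a high one).
CHALLENGE_DIGITS = {0: 1, 1: 2, 2: 3, 3: 5}


def operation_level(amount: int) -> int:
    """Map an amount in yuan to its operation level (0 = below 100 yuan)."""
    return sum(1 for bound in LEVEL_BOUNDS if amount >= bound)


def challenge_code(account: str, level: int) -> str:
    """Challenge code from the tail of the account number; higher level, longer code."""
    return account[-CHALLENGE_DIGITS[level]:]


def dynamic_password(seed: bytes, event_factor: int, challenge: str) -> str:
    """6-digit OTP from HMAC-SHA256 over event factor and challenge (assumed construction)."""
    msg = event_factor.to_bytes(8, "big") + challenge.encode()
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


class OtpParty:
    """State held alike by token and server: one event factor per operation level."""

    def __init__(self, account: str):
        self.account = account
        self.event_factors = {level: 0 for level in CHALLENGE_DIGITS}

    def _compute(self, op_type: str, amount: int):
        level = operation_level(amount)
        seed = CLASSIFICATION_TABLE[op_type]       # Manner 1: key seed chosen by type
        factor = self.event_factors[level]         # Manner 2: event factor chosen by level
        return level, dynamic_password(seed, factor, challenge_code(self.account, level))


class Token(OtpParty):
    def generate(self, op_type: str, amount: int) -> str:
        level, code = self._compute(op_type, amount)
        self.event_factors[level] += 1             # token updates its stored event factor
        return code


class Server(OtpParty):
    def verify(self, op_type: str, amount: int, code: str) -> bool:
        level, expected = self._compute(op_type, amount)
        if not hmac.compare_digest(expected, code):
            return False                           # failed check: event factor untouched
        self.event_factors[level] += 1             # updated only after verification passes
        return True


def demo() -> dict:
    """Constructed run: an 800 yuan transfer (level 1) and a login (amount 0, level 0)."""
    account = "6222021234567890"
    token, server = Token(account), Server(account)
    transfer = token.generate("transfer", 800)
    login = token.generate("login", 0)
    return {
        "transfer_ok": server.verify("transfer", 800, transfer),
        "transfer_replay": server.verify("transfer", 800, transfer),  # factor has moved on
        "login_ok": server.verify("login", 0, login),
        "factors_in_sync": token.event_factors == server.event_factors,
    }
```

  • Replaying the transfer password fails because the server advanced the level-1 event factor only after the first successful verification; a failed check leaves the factor unchanged, which is what keeps the two sides' event factors consistent as the description requires. The login and transfer passwords come from different seeds, so knowledge of one seed says nothing about the other.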
  • compared with the prior art, in which the same dynamic password generation policy is used for all operations, the method embodiment provided by the present invention determines the policy corresponding to the operation request by determining the operation type and/or the operation level corresponding to the operation request, so that different operation types and/or operation levels use different dynamic password generation policies. This removes the association between the generation policies corresponding to different operation types and/or operation levels: cracking the dynamic password generation policy of one type of operation request does not put the OTPs the user uses for other types of operations at risk, which improves the security of the information and keeps the user's account information safe.
  • The validation, activation and synchronization processes of the dynamic password token are described next; to further improve the security of the dynamic password mode in the electronic signature token, the following solutions are provided.
  • the validation process includes:
  • Step A01 The electronic signature token receives a power-on command and performs a power-on operation according to the power-on command;
  • Specifically, the electronic signature token receives the power-on instruction and performs the power-on operation according to it; after the electronic signature token is powered on, it receives an externally input instruction to enter the dynamic password mode, and enters the dynamic password mode according to that instruction.
  • entering the dynamic password mode on an externally input instruction switches the function between the electronic signature mode and the dynamic password mode, and is easy to implement.
  • Step A02 The electronic signature token acquires a validation request instruction.
  • the validation request instruction may be obtained by parsing externally input information, or may be issued automatically by default the first time the dynamic password generation mode is started; the latter is simpler and more convenient to operate than the former.
  • Step A03 The electronic signature token obtains the validation request code according to the validation request instruction.
  • Step A04 The electronic signature token generates the validation request information according to at least the validation request code.
  • the validation request code may be sent directly as the validation request information, or it may be encrypted first and then sent.
  • the encryption policy can be pre-negotiated between the electronic signature token and the background system server, or it can be selected by the electronic signature token; if it is selected by the electronic signature token, the electronic signature token sends its selected encryption policy to the background system server.
  • the present invention preferably uses the encrypted validation request code as the validation request information, to improve the security of the information.
  • the step further includes:
  • the electronic signature token acquires at least one of the classification setting table corresponding to the operation types and the rating setting table corresponding to the operation levels;
  • the electronic signature token generates the validation request information according to the obtained at least one of the classification setting table and the rating setting table, together with the validation request code.
  • the classification setting table and the rating setting table may be obtained from information input by the user on the keyboard of the electronic signature token, or may be imported into the electronic signature token through a peripheral interface.
  • sending at least one of the classification setting table and the rating setting table to the background system server satisfies the user's personalized setting requirements; in addition, because at least one of the two tables is combined with the validation request code to generate the validation request information, the user's personalized settings are carried out together with the validation of the electronic signature token, which reduces the number of information interactions and improves processing efficiency.
  • Step A05 The electronic signature token signs the validation request information with the private key of the electronic signature token, generating first signature data;
  • the validation request information of this step is sent only after digital signature processing, which realizes identity authentication of the electronic signature token; in addition, since the electronic signature token itself has a signature function, the digital signature can be produced with the key information of the electronic signature mode without adding other hardware, which keeps the cost low and is simple and convenient to implement.
  • Step A06 After generating the first signature data, the electronic signature token generates a first request data packet according to the first signature data and the validation request information;
  • the first request data packet may be generated directly, without any processing of the first signature data and the validation request information, or at least one of the first signature data and the validation request information may be encrypted before the first request data packet is generated; the latter improves the security of the first request data packet compared with the former.
  • Step A07 After generating the first request data packet, the electronic signature token sends the first request data packet to the background system server.
  • Step A08 After receiving the first request data packet, the background system server obtains the first signature data and the validation request information from the first request data packet;
  • the background system server obtains the decryption algorithm and uses it to decrypt the above information.
  • the decryption algorithm may be pre-negotiated, or may be obtained by the background system server querying the electronic signature device.
  • Step A09 The background system server verifies the first signature data by using the public key corresponding to the private key of the electronic signature token;
  • Step A10 After the first request data packet passes verification, the background system server obtains the validation request code from at least the validation request information;
  • Step A11 The background system server generates validation feedback information according to at least the validation request code.
  • this step specifically includes:
  • after the first request data packet passes verification, the background system server obtains, from the validation request information, at least one of the classification setting table and the rating setting table, together with the validation request code;
  • the background system server generates the validation feedback information according to that at least one of the classification setting table and the rating setting table and the validation request code.
  • the validation feedback information includes: a classification setting table, a rating setting table, at least one key seed, at least one event factor, and the mapping relationship between each type setting in the classification setting table, each level setting in the rating setting table, the at least one key seed and the at least one event factor, wherein each type setting in the classification setting table corresponds to a different key seed, and each level setting in the rating setting table corresponds to a different event factor.
  • Step A12 The background system server encrypts the validation feedback information by using the public key corresponding to the private key of the electronic signature token, obtains the validation feedback data packet, and sends the validation feedback data packet to the electronic signature token;
  • the validation feedback data packet is sent as ciphertext, which improves the security of the data transmission.
  • Step A13 The electronic signature token receives the validation feedback data packet, decrypts it with the private key of the electronic signature token, obtains the validation feedback information, and saves the validation feedback information;
  • Step A14 The electronic signature token generates a first response data packet and sends the first response data packet to the background system server;
  • the first response data packet is generated in the following manner:
  • the electronic signature token generates the first response information and signs it with the private key of the electronic signature token, obtaining first response signature data;
  • after generating the first response signature data, the electronic signature token generates the first response data packet from the first response signature data and the first response information;
  • after generating the first response data packet, the electronic signature token sends the first response data packet to the background system server;
  • Step A15 After receiving the first response data packet, the background system server responds to the validation operation.
  • since the first response data packet was processed by digital signature, after receiving the first response data packet the background system server obtains the first response signature data and the first response information according to the first response data packet, verifies the first response signature data by using the public key corresponding to the private key of the electronic signature token, and, after the verification passes, responds to the validation operation according to the first response information.
  • the electronic signature token validation process provided by the invention validates the electronic signature token through information transmission, which improves processing efficiency for the user compared with the prior-art process of registering at a bank counter; in addition, the digital signature of the information by the electronic signature token ensures the secure transmission of the user information. Therefore, the validation process provided by the present invention not only improves the processing efficiency of the validation process but also ensures the safe transmission of user information.
  • the activation process of the electronic signature token includes the following steps:
  • Step B01 The electronic signature token receives an activation instruction;
  • the activation instruction may be input by the user through a button of the electronic signature token.
  • Step B02 The electronic signature token obtains an activation request code according to the activation instruction;
  • Step B03 The electronic signature token signs the activation request code with the private key of the electronic signature token to generate second signature data;
  • the activation request code of this step is sent only after digital signature processing;
  • the digital signature function can be completed without adding other hardware, which keeps the cost low and is simple and convenient to implement.
  • Step B04 The electronic signature token generates a second request data packet according to the activation request code and the second signature data;
  • the second request data packet may be generated directly, without any processing of the activation request code and the second signature data, or at least one of the activation request code and the second signature data may be encrypted before the second request data packet is generated; the latter improves the security of the second request data packet compared with the former.
  • Step B05 After generating the second request data packet, the electronic signature token sends the second request data packet to the background system server.
  • Step B06 After receiving the second request data packet, the background system server obtains the activation request code and the second signature data from the second request data packet;
  • the background system server obtains the decryption algorithm and uses it to decrypt the obtained information.
  • the decryption algorithm may be pre-negotiated, or may be obtained by the background system server querying the electronic signature device.
  • Step B07 The background system server verifies the second request data packet by using the public key corresponding to the private key of the electronic signature token;
  • Step B08 After the second request data packet passes verification, the background system server generates an activation code according to the activation request code;
  • Step B09 After generating the activation code, the background system server encrypts the activation code by using the public key corresponding to the private key of the electronic signature token, obtains the encrypted activation code, and sends the encrypted activation code to the electronic signature token;
  • Step B10 After receiving the encrypted activation code, the electronic signature token decrypts the encrypted activation code with the private key of the electronic signature token to obtain the decrypted activation code;
  • the activation code is sent as ciphertext, which improves the security of data transmission.
  • Step B11 The electronic signature token verifies the decrypted activation code.
  • this step includes:
  • after receiving the decrypted activation code, the electronic signature token generates an activation verification code by using the activation verification code generation algorithm of the electronic signature token;
  • the activation verification algorithm may be pre-stored, or may be obtained by receiving externally transmitted data;
  • Manner 1 the electronic signature token compares the decrypted activation code with the activation verification code to verify the decrypted activation code;
  • Manner 2 when the background system server sends both the encrypted activation code and the activation code to the electronic signature token, the electronic signature token decrypts the encrypted activation code with the private key of the electronic signature token to obtain the decrypted activation code, and verifies the decrypted activation code against the activation code sent by the background system server;
  • if the activation code and the activation verification code are consistent, the activation code passes verification; otherwise, the activation code fails verification.
  • sending the activation code information in encrypted form removes the risk of information leakage if the information is intercepted during transmission, and improves the security of the activation code transmission.
  • Step B12 After the decrypted activation code passes verification, the electronic signature token generates a second response data packet and sends the second response data packet to the background system server;
  • the second response data packet is generated in the following manner:
  • after the electronic signature token verifies the decrypted activation code, the electronic signature token generates second response information and signs it with the private key of the electronic signature token to obtain second response signature data;
  • after generating the second response signature data, the electronic signature token generates the second response data packet from the second response signature data and the second response information;
  • Step B13 After receiving the second response data packet, the background system server responds to the activation operation.
  • since the second response data packet was sent after digital signature processing, after receiving the second response data packet the background system server obtains the second response signature data and the second response information according to the second response data packet;
  • the background system server verifies the second response signature data by using the public key corresponding to the private key of the electronic signature token, and, after the verification passes, responds to the activation operation according to the second response information.
  • the electronic signature token activation process provided by the invention ensures the secure transmission of the user information by digitally signing the information.
  • Step C01 The electronic signature token acquires a synchronization request instruction;
  • the synchronization request instruction may be input by the user through a key of the electronic signature token.
  • Step C02 The electronic signature token obtains a synchronization request code according to the synchronization request instruction.
  • Step C03 The electronic signature token generates synchronization request information according to at least the synchronization request code.
  • Step C04 The electronic signature token signs the synchronization request information with the private key of the electronic signature token, generating third signature data;
  • the activation request code of this step is sent only after digital signature processing;
  • the digital signature function can be completed without adding other hardware, which keeps the cost low and is simple and convenient to implement.
  • Step C05 After generating the third signature data, the electronic signature token generates a third request data packet according to the third signature data and the synchronization request information;
  • the third request data packet may be generated directly, without any processing of the activation request code and the second signature data, or at least one of the activation request code and the second signature data may be encrypted before the third request data packet is generated; the latter improves the security of the second request data packet compared with the former.
  • Step C06 After generating the third request data packet, the electronic signature token sends the third request data packet to the background system server.
  • Step C07 After receiving the third request data packet, the background system server obtains the third signature data and the synchronization request information from the third request data packet;
  • the background system server obtains the decryption algorithm and uses it to decrypt the obtained information.
  • the decryption algorithm may be pre-negotiated, or may be obtained by the background system server querying the electronic signature device.
  • Step C08 The background system server verifies the third signature data by using the public key corresponding to the private key of the electronic signature token;
  • Step C09 After the third signature data passes verification, the background system server obtains the synchronization request code from at least the synchronization request information;
  • Step C10 The background system server generates synchronization feedback information according to at least the synchronization request code.
  • the synchronization feedback information may include an event factor, time information, key information, and the like.
  • Step C11 The background system server encrypts the synchronization feedback information by using the public key corresponding to the private key of the electronic signature token, obtains a synchronization feedback data packet, and sends the synchronization feedback data packet to the electronic signature token;
  • Step C12 The electronic signature token receives the synchronization feedback data packet, decrypts it with the private key of the electronic signature token, obtains the synchronization feedback information, and saves the synchronization feedback information;
  • Step C13 The electronic signature token generates a third response data packet and sends the third response data packet to the background system server;
  • the third response data packet is generated in the following manner:
  • the electronic signature token generates third response information and signs it with the private key of the electronic signature token, obtaining third response signature data;
  • after generating the third response signature data, the electronic signature token generates the third response data packet from the third response signature data and the third response information;
  • Step C15 After receiving the third response data packet, the background system server responds to the synchronization operation.
  • since the third response data packet was processed by digital signature, corresponding to the previous step, this step includes:
  • after receiving the third response data packet, the background system server obtains the third response signature data and the third response information according to the third response data packet;
  • the background system server verifies the third response signature data by using the public key corresponding to the private key of the electronic signature token, and, after the verification passes, responds to the synchronization operation according to the third response information.
  • the electronic signature token synchronization process provided by the invention ensures the user information by digitally signing the information Secure transmission.
  • FIG. 5 is a schematic structural diagram of an electronic signature token provided by the present invention.
  • The electronic signature token shown in FIG. 5 includes:
  • a startup module 401, configured to perform a startup operation according to a startup instruction when the startup instruction is received;
  • a determining module 402, connected to the startup module 401, configured to determine the operation type and/or operation level corresponding to a received operation request;
  • the determining module may receive the input operation request through a receiving module that interacts with the user.
  • The electronic signature token further includes:
  • an update module, coupled to the execution module, for updating the event factor stored in the electronic signature token.
  • The execution module 403 is configured to perform the operation in any of the following manners:
  • Manner 1: the electronic signature token acquires a challenge code, and generates the dynamic password value according to the acquired challenge code, the key seed and a preset event factor;
  • Manner 2: the electronic signature token acquires a challenge code, and generates the dynamic password value according to the acquired challenge code, a preset key seed and the event factor;
  • Manner 3: the electronic signature token acquires a challenge code, and generates the dynamic password value according to the acquired challenge code, the key seed and the event factor.
  • The electronic signature token further includes:
  • a first transmission module, configured to acquire a validation request instruction, obtain a validation request code according to the validation request instruction, and generate validation request information at least according to the validation request code;
  • a first signature module, configured to sign the validation request information with the private key of the electronic signature token to generate first signature data;
  • a first generation module, connected to the first signature module, configured to generate, after the first signature data is generated, a first request data packet according to the first signature data and the validation request information;
  • the first transmission module, connected to the first generation module, is configured to send the first request data packet to the background system server after the first request data packet is generated;
  • the first transmission module is configured to receive the validation feedback data packet;
  • a decryption module, configured to decrypt the validation feedback data packet with the private key of the electronic signature token to obtain the validation feedback information, and to save the validation feedback information;
  • the first generation module is configured to generate a first response data packet;
  • the first transmission module is configured to send the first response data packet to the background system server.
  • The first generation module is configured to:
  • the validation feedback information includes: a classification setting table, a hierarchical setting table, at least one key seed, at least one event factor, and the mapping relationship among each type setting in the classification setting table, each level setting in the hierarchical setting table, the at least one key seed and the at least one event factor, wherein each type setting in the classification setting table corresponds to a different key seed, and each level setting in the hierarchical setting table corresponds to a different event factor.
  • The first generation module is configured to: generate first response information, sign the first response information with the private key of the electronic signature token to obtain first response signature data, generate a first response data packet according to the first response signature data and the first response information, and send the first response data packet.
  • The electronic signature token further includes:
  • a first transmission module, configured to receive an activation instruction and generate an activation request code according to the activation instruction;
  • a first signature module, coupled to the first transmission module, configured to sign the activation request code with the private key of the electronic signature token to generate second signature data;
  • a first generation module, connected to the first signature module, configured to generate a second request data packet according to the activation request code and the second signature data;
  • the first transmission module is configured to send the second request data packet to the background system server after the second request data packet is generated;
  • the first transmission module is configured to receive the encrypted activation code;
  • a decryption module, configured to decrypt the encrypted activation code with the private key of the electronic signature token to obtain a decrypted activation code;
  • a first verification module, connected to the decryption module, configured to verify the decrypted activation code;
  • the first generation module is configured to generate a second response data packet after the decrypted activation code passes verification;
  • the first transmission module is configured to send the second response data packet to the background system server;
  • the background system server responds to the activation operation after receiving the second response data packet.
  • The first verification module is configured to:
  • after the decrypted activation code is obtained, generate an activation verification code with the activation verification code generation algorithm of the electronic signature token, and compare the decrypted activation code with the activation verification code to verify the decrypted activation code; or, when the background system server sends the activation code to the electronic signature token together with the encrypted activation code, decrypt the encrypted activation code with the private key of the electronic signature token to obtain the decrypted activation code, and compare the decrypted activation code with the activation code sent by the background system server to verify the decrypted activation code.
  • The first generation module is configured to:
  • after the decrypted activation code passes verification, generate second response information, sign the second response information with the private key of the electronic signature token to obtain second response signature data, generate a second response data packet according to the second response signature data and the second response information, and send the second response data packet to the background system server.
  • The electronic signature token further includes:
  • a first transmission module, configured to acquire a synchronization request instruction and obtain a synchronization request code according to the synchronization request instruction;
  • a first generation module, connected to the transmission module, configured to generate synchronization request information at least according to the synchronization request code;
  • the first signature module, connected to the generation module, is configured to sign the synchronization request information with the private key of the electronic signature token to generate third signature data;
  • the first generation module is configured to generate, after the third signature data is generated, a third request data packet according to the third signature data and the synchronization request information;
  • the first transmission module is configured to send the third request data packet to the background system server after the third request data packet is generated;
  • the first transmission module is configured to receive the synchronization feedback data packet;
  • a decryption module, configured to decrypt the synchronization feedback data packet with the private key of the electronic signature token to obtain the synchronization feedback information, and to save the synchronization feedback information;
  • the first generation module is configured to generate a third response data packet;
  • the first transmission module is configured to send the third response data packet to the background system server;
  • the background system server responds to the synchronization operation after receiving the third response data packet.
  • The first generation module is configured to:
  • The startup module includes:
  • an execution unit, configured to perform a startup operation according to a startup instruction when the startup instruction is received;
  • a processing unit, configured to receive an externally input dynamic password mode command after startup, and to enter dynamic password mode according to the dynamic password mode command.
  • Unlike the prior art, in which the same dynamic password generation policy is used for all operations, the electronic signature token provided by the present invention determines the policy corresponding to an operation request by determining the operation type and/or operation level corresponding to that request, so that different operation types and/or operation levels correspond to different dynamic password generation policies. This removes the correlation between the generation policies corresponding to different operation types and/or operation levels: cracking the dynamic password generation policy of one class of operation request does not put the OTPs the user uses for other classes of operation at risk, which improves the security of the information and keeps the user's account information secure.
  • A system for an electronic signature token to respond to an operation request includes an electronic signature token as described above and a background system server, wherein the background system server includes:
  • an update module, configured to verify the dynamic password value after receiving the input dynamic password value and, after the verification passes, to update the event factor stored in the background system server;
  • a second communication module, configured to obtain the first signature data and the validation request information from the first request data packet after receiving the first request data packet;
  • a second verification module, configured to verify the first request data packet with the public key corresponding to the private key of the electronic signature token;
  • a second generation module, configured to obtain at least the validation request code from the validation request information after the first signature data passes verification, and to generate validation feedback information at least according to the validation request code;
  • an encryption module, configured to encrypt the validation feedback information with the public key corresponding to the private key of the electronic signature token to obtain the validation feedback data packet;
  • the second communication module is configured to send the validation feedback data packet to the electronic signature token;
  • the second communication module is configured to obtain the first response signature data and the first response information from the first response data packet;
  • the second verification module is configured to verify the first response signature data with the public key corresponding to the private key of the electronic signature token and, after the verification passes, to respond to the validation operation according to the first response information.
  • The second generation module is further configured to: after the first signature data passes verification, obtain at least one of the classification setting table and the hierarchical setting table, and the validation request code, from the validation request information, and generate the validation feedback information according to the at least one of the classification setting table and the hierarchical setting table and the validation request code.
  • a second communication module, configured to obtain the activation request code and the second signature data from the second request data packet after receiving the second request data packet;
  • a second verification module, configured to verify the second signature data with the public key corresponding to the private key of the electronic signature token;
  • an encryption module, configured to generate an activation code according to the activation request code after the second signature data passes verification, and to encrypt the activation code with the public key corresponding to the private key of the electronic signature token to obtain an encrypted activation code;
  • the second communication module is configured to send the encrypted activation code to the electronic signature token;
  • the second communication module is configured to obtain the second response signature data and the second response information from the second response data packet;
  • the second verification module is configured to verify the second response signature data with the public key corresponding to the private key of the electronic signature token and, after the verification passes, to respond to the activation operation according to the second response information.
  • a second communication module, configured to obtain the third signature data and the synchronization request information from the third request data packet after receiving the third request data packet;
  • a second verification module, configured to verify the third signature data with the public key corresponding to the private key of the electronic signature token and, after the third signature data passes verification, to obtain at least the synchronization request code from the synchronization request information and generate synchronization feedback information at least according to the synchronization request code;
  • an encryption module, configured to encrypt the synchronization feedback information with the public key corresponding to the private key of the electronic signature token to obtain a synchronization feedback data packet;
  • the second communication module is configured to send the synchronization feedback data packet to the electronic signature token.
  • the second communication module is configured to obtain the third response signature data and the third response information from the third response data packet after receiving the third response data packet;
  • the second verification module is configured to verify the third response signature data with the public key corresponding to the private key of the electronic signature token and, after the verification passes, to respond to the synchronization operation according to the third response information.
  • The system provided by the present invention determines the operation type and/or operation level corresponding to the operation request and thereby the policy corresponding to the operation request, so that different operation types and/or operation levels correspond to different dynamic password generation policies. This removes the correlation between the generation policies corresponding to different operation types and/or operation levels, so that obtaining the dynamic password generation policy of one class of operation request does not put the OTPs the user uses for other classes of operation at risk, which improves the security of the information and keeps the user's account information secure.
  • Any process or method description in the flowchart, or otherwise described herein, may be understood to represent a module, segment or portion of code that includes one or more executable instructions for implementing a specific logical function or step of the process, and the scope of the preferred embodiments of the invention includes additional implementations in which functions may be executed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functionality involved, as will be understood by those skilled in the art to which the embodiments of the invention belong.
  • Portions of the invention may be implemented in hardware, software, firmware or a combination thereof.
  • Multiple steps or methods may be implemented by software or firmware stored in a memory and executed by a suitable instruction execution system.
  • Each functional unit in each embodiment of the present invention may be integrated into one processing module, or each unit may exist physically on its own, or two or more units may be integrated into one module.
  • The integrated module may be implemented in the form of hardware or in the form of a software functional module.
  • If the integrated module is implemented in the form of a software functional module and sold or used as a stand-alone product, it may also be stored in a computer-readable storage medium.
  • The above-mentioned storage medium may be a read-only memory, a magnetic disk, an optical disk or the like.
  • The terms “one embodiment”, “some embodiments”, “example”, “specific example” or “some examples” mean that a specific feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic uses of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in one or more embodiments or examples.

Abstract

The present invention provides an operation request response method and system for an electronic signature token, and the electronic signature token. The method comprises: an electronic signature token receives a start command, then executes a start operation on the basis thereof; the electronic signature token determines, on the basis of a received operation request, the operation type and/or operation class corresponding to the operation request; and, the electronic signature token determines, on the basis of the operation type and/or operation class, the policy to be used for responding to the operation request, then responds to the operation request on the basis of the determined policy. The steps for responding to the operation request on the basis of the determined policy comprise: the electronic signature token determines, on the basis of the operation type, the key seed matching the operation type, and at least generates a static password value on the basis of the key seed and predetermined event factors; alternatively, the electronic signature token determines, on the basis of the operation class, the event factors matching the operation class, and at least generates a static password value on the basis of a predetermined key seed and event factors.

Description

Method and system for an electronic signature token to respond to an operation request, and electronic signature token

Technical field
The present invention relates to the field of electronic technology, and in particular to a method and system for an electronic signature token to respond to an operation request, and to an electronic signature token.
Background art
In recent years, with the rapid development of the Internet and the informatization of finance, online banking has quickly won the general approval of users and the banking industry for its convenience and efficiency. To overcome the security flaws of authentication based on static passwords, many online banks have adopted authentication based on dynamic password technology.
Dynamic password technology is also known as one-time password (OTP) technology. According to how the password is generated, it can be divided into time-based dynamic passwords, challenge/response-based dynamic passwords and event-factor-based dynamic passwords.
For OTPs in the prior art, in practical use a user can perform many kinds of operations with a dynamic password, such as login, transfer and transaction, and transfer and transaction operations involve a larger or smaller amount of money. If an attacker cracks the requests of one class of operation and obtains the generation policy of that dynamic password, this is bound to put the OTPs used for the user's other classes of operation at risk as well. How to keep the user's account information secure is therefore a technical problem that urgently needs to be solved.
Summary of the invention
The present invention aims to solve the problem of how to protect the security of user account information.
A method for an electronic signature token to respond to an operation request includes the following steps:
the electronic signature token receives a start instruction and performs a start operation according to the start instruction;
the electronic signature token determines, according to a received operation request, the operation type and/or operation level corresponding to the operation request;
the electronic signature token determines, according to the operation type and/or operation level, the policy used to respond to the operation request, and responds to the operation request according to the obtained policy;
wherein the step of the electronic signature token determining, according to the operation type and/or operation level, the policy used to respond to the operation request, and responding to the operation request according to the obtained policy, includes:
the electronic signature token determines, according to the operation type, a key seed matching the operation type, and generates a dynamic password value at least according to the key seed and a preset event factor; or
the electronic signature token determines, according to the operation level, an event factor matching the operation level, and generates a dynamic password value at least according to a preset key seed and the event factor; or
the electronic signature token determines, according to the operation type, a key seed matching the operation type, determines, according to the operation level, an event factor matching the operation level, and generates a dynamic password value at least according to the key seed and the event factor.
In addition, after the electronic signature token responds to the operation request according to the obtained policy, the method further includes:
the electronic signature token updates the event factor stored in the electronic signature token;
after receiving the input dynamic password value, the background system server verifies the dynamic password value and, after the verification passes, updates the event factor stored in the background system server.
In addition, the step of generating a dynamic password value at least according to the key seed and a preset event factor includes: the electronic signature token acquires a challenge code; the electronic signature token generates the dynamic password value according to the acquired challenge code, the key seed and the preset event factor;
the step of generating a dynamic password value at least according to a preset key seed and the event factor includes: the electronic signature token acquires a challenge code; the electronic signature token generates the dynamic password value according to the acquired challenge code, the preset key seed and the event factor;
the step of generating a dynamic password value at least according to the key seed and the event factor includes: the electronic signature token acquires a challenge code; the electronic signature token generates the dynamic password value according to the acquired challenge code, the key seed and the event factor.
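The three manners above (and Manners 1 to 3 under FIG. 5), as an added Go example that is not the patent's or the applicant's code: a classification setting table maps operation type to key seed, a hierarchical setting table maps operation level to event factor, the policy picks seed and/or event factor from the request, and both sides advance the event factor as the summary describes. The table contents, the challenge code and the HMAC-SHA256 derivation with HOTP-style truncation are assumptions, since the patent fixes none of them.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// OTPSide holds the tables that both the token and the background system server keep.
type OTPSide struct {
	SeedByType   map[string][]byte // classification setting table: operation type -> key seed
	EventByLevel map[string]uint64 // hierarchical setting table: operation level -> event factor
	PresetSeed   []byte            // used when the operation type is not considered (Manner 2)
	PresetEvent  uint64            // used when the operation level is not considered (Manner 1)
}

// NewOTPSide returns a fresh copy of constructed sample tables, so each side advances its own counters.
func NewOTPSide() *OTPSide {
	return &OTPSide{
		SeedByType:   map[string][]byte{"login": []byte("login-seed-0001"), "transfer": []byte("transfer-seed-0001")},
		EventByLevel: map[string]uint64{"low": 0, "high": 0},
		PresetSeed:   []byte("preset-seed-0001"),
	}
}

// SelectPolicy implements the three manners: a non-empty opType selects the seed matched
// to the type, a non-empty opLevel the event factor matched to the level, both is Manner 3.
func (s *OTPSide) SelectPolicy(opType, opLevel string) (seed []byte, event uint64, err error) {
	seed, event = s.PresetSeed, s.PresetEvent
	if opType != "" {
		if seed = s.SeedByType[opType]; seed == nil {
			return nil, 0, fmt.Errorf("no key seed for operation type %q", opType)
		}
	}
	if opLevel != "" {
		ev, ok := s.EventByLevel[opLevel]
		if !ok {
			return nil, 0, fmt.Errorf("no event factor for operation level %q", opLevel)
		}
		event = ev
	}
	return seed, event, nil
}

// advance is the event-factor update made after the token responds and after
// the server verifies successfully.
func (s *OTPSide) advance(opLevel string) {
	if opLevel != "" {
		s.EventByLevel[opLevel]++
	} else {
		s.PresetEvent++
	}
}

// DynamicPassword derives a 6-digit value from challenge code, key seed and event factor.
// The patent fixes no function; HMAC-SHA256 over challenge||event with HOTP-style truncation is assumed.
func DynamicPassword(challenge string, seed []byte, event uint64) string {
	mac := hmac.New(sha256.New, seed)
	mac.Write([]byte(challenge))
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], event)
	mac.Write(ctr[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Respond is the token side: select the policy, generate the value, then advance.
func (s *OTPSide) Respond(challenge, opType, opLevel string) (string, error) {
	seed, event, err := s.SelectPolicy(opType, opLevel)
	if err != nil {
		return "", err
	}
	s.advance(opLevel)
	return DynamicPassword(challenge, seed, event), nil
}

// Verify is the server side: recompute under the same policy, compare in constant
// time, and advance the stored event factor only when the value matches.
func (s *OTPSide) Verify(challenge, opType, opLevel, submitted string) bool {
	seed, event, err := s.SelectPolicy(opType, opLevel)
	if err != nil || !hmac.Equal([]byte(DynamicPassword(challenge, seed, event)), []byte(submitted)) {
		return false
	}
	s.advance(opLevel)
	return true
}

func main() {
	token, server := NewOTPSide(), NewOTPSide()
	for _, req := range [][2]string{{"login", ""}, {"", "high"}, {"transfer", "high"}} {
		otp, _ := token.Respond("482913", req[0], req[1]) // constructed challenge code
		fmt.Printf("type=%q level=%q otp=%s verified=%v\n", req[0], req[1], otp, server.Verify("482913", req[0], req[1], otp))
	}
}
```

The loop runs Manner 1, Manner 2 and Manner 3 in turn; a value computed under the login seed never verifies as a transfer value, which is the isolation the patent is after.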
此外,所述方法还包括: In addition, the method further includes:                 
所述电子签名令牌获取生效请求指令,并根据所述生效请求指令获得生效请求码; The electronic signature token acquires an effective request instruction, and obtains an effective request code according to the effective request instruction;                 
所述电子签名令牌至少根据所述生效请求码生成生效请求信息; Generating, by the electronic signature token, the validation request information according to the validation request code;                 
所述电子签名令牌利用所述电子签名令牌的私钥对所述生效请求信息进行签名,生成 第一签名数据; The electronic signature token signs the validation request information by using a private key of the electronic signature token to generate           First signature data;                 
After generating the first signature data, the electronic signature token generates a first request data packet from the first signature data and the validation request information;
after generating the first request data packet, the electronic signature token sends the first request data packet to the background system server;
after receiving the first request data packet, the background system server obtains the first signature data and the validation request information from the received first request data packet;
the background system server verifies the first signature data using the public key corresponding to the private key of the electronic signature token;
after the first signature data passes verification, the background system server obtains at least the validation request code from the validation request information and generates validation feedback information based at least on the validation request code;
the background system server encrypts the validation feedback information using the public key corresponding to the private key of the electronic signature token to obtain a validation feedback data packet, and sends the validation feedback data packet to the electronic signature token;
the electronic signature token receives the validation feedback data packet, decrypts it using the private key of the electronic signature token to obtain the validation feedback information, and saves the validation feedback information;
the electronic signature token generates a first response data packet and sends the first response data packet to the background system server;
after receiving the first response data packet, the background system server responds to the validation operation.
In addition, the step in which the electronic signature token generates the validation request information based at least on the validation request code includes:
the electronic signature token acquires at least one of a classification setting table corresponding to the operation type and a rating setting table corresponding to the operation level;
the electronic signature token generates the validation request information based on the acquired table or tables (at least one of the classification setting table and the rating setting table) and the validation request code;
and the step in which the background system server, after the first signature data passes verification, obtains at least the validation request code from the validation request information and generates validation feedback information based at least on the validation request code includes:
after the first signature data passes verification, the background system server obtains at least one of the classification setting table and the rating setting table, together with the validation request code, from the validation request information;
the background system server generates the validation feedback information based on at least one of the classification setting table and the rating setting table and on the validation request code.
In addition, the validation feedback information includes at least one of the classification setting table and the rating setting table, together with the mapping relationship corresponding to each table, where:
the mapping relationship of the classification setting table is the mapping between operation types and key seeds in the classification setting table, and the key seeds corresponding to any two operation types differ from each other;
the mapping relationship of the rating setting table is the mapping between operation levels and event factors in the rating setting table, and the event factors corresponding to any two operation levels differ from each other.
In addition, the step in which the electronic signature token generates a first response data packet and sends the first response data packet to the background system server includes:
the electronic signature token generates first response information and signs the first response information using the private key of the electronic signature token to obtain first response signature data;
after generating the first response signature data, the electronic signature token generates a first response data packet from the first response signature data and the first response information;
after generating the first response data packet, the electronic signature token sends the first response data packet to the background system server;
and the step in which the background system server responds to the validation operation after receiving the first response data packet includes:
after receiving the first response data packet, the background system server obtains the first response signature data and the first response information from the first response data packet;
the background system server verifies the first response signature data using the public key corresponding to the private key of the electronic signature token and, after the verification passes, responds to the validation operation according to the first response information.
In addition, the method further includes:
the electronic signature token receives an activation instruction and generates an activation request code according to the activation instruction;
the electronic signature token signs the activation request code using the private key of the electronic signature token to generate second signature data, and generates a second request data packet from the activation request code and the second signature data;
after generating the second request data packet, the electronic signature token sends the second request data packet to the background system server;
after receiving the second request data packet, the background system server obtains the activation request code and the second signature data from the second request data packet, and verifies the second signature data using the public key corresponding to the private key of the electronic signature token;
after the second signature data passes verification, the background system server generates an activation code according to the activation request code;
after generating the activation code, the background system server encrypts the activation code using the public key corresponding to the private key of the electronic signature token to obtain an encrypted activation code, and sends the encrypted activation code to the electronic signature token;
after receiving the encrypted activation code, the electronic signature token decrypts the encrypted activation code using the private key of the electronic signature token to obtain a decrypted activation code;
the electronic signature token verifies the decrypted activation code;
after the decrypted activation code passes verification, the electronic signature token generates a second response data packet and sends the second response data packet to the background system server;
after receiving the second response data packet, the background system server responds to the activation operation.
In addition, the step in which the electronic signature token verifies the decrypted activation code includes:
after obtaining the decrypted activation code, the electronic signature token generates an activation verification code using the activation verification code generation algorithm of the electronic signature token;
the electronic signature token compares the decrypted activation code with the activation verification code to verify the decrypted activation code; or,
when the background system server sends the encrypted activation code together with the activation code to the electronic signature token, the electronic signature token decrypts the encrypted activation code using the private key of the electronic signature token to obtain the decrypted activation code, and compares the decrypted activation code with the activation code sent by the background system server to verify the decrypted activation code.
In addition, the step in which the electronic signature token, after the decrypted activation code passes verification, generates a second response data packet and sends the second response data packet to the background system server includes:
after the decrypted activation code passes verification, the electronic signature token generates second response information and signs the second response information using the private key of the electronic signature token to obtain second response signature data;
after generating the second response signature data, the electronic signature token generates a second response data packet from the second response signature data and the second response information;
after generating the second response data packet, the electronic signature token sends the second response data packet to the background system server;
and the step in which the background system server responds to the activation operation after receiving the second response data packet includes:
after receiving the second response data packet, the background system server obtains the second response signature data and the second response information from the second response data packet;
the background system server verifies the second response signature data using the public key corresponding to the private key of the electronic signature token and, after the verification passes, responds to the activation operation according to the second response information.
In addition, the method further includes:
the electronic signature token acquires a synchronization request instruction and obtains a synchronization request code according to the synchronization request instruction;
the electronic signature token generates synchronization request information based at least on the synchronization request code;
the electronic signature token signs the synchronization request information using the private key of the electronic signature token to generate third signature data;
after generating the third signature data, the electronic signature token generates a third request data packet from the third signature data and the synchronization request information;
after generating the third request data packet, the electronic signature token sends the third request data packet to the background system server;
after receiving the third request data packet, the background system server obtains the third signature data and the synchronization request information from the received third request data packet;
the background system server verifies the third signature data using the public key corresponding to the private key of the electronic signature token;
after the third signature data passes verification, the background system server obtains at least the synchronization request code from the synchronization request information and generates synchronization feedback information based at least on the synchronization request code;
the background system server encrypts the synchronization feedback information using the public key corresponding to the private key of the electronic signature token to obtain a synchronization feedback data packet, and sends the synchronization feedback data packet to the electronic signature token;
the electronic signature token receives the synchronization feedback data packet, decrypts it using the private key of the electronic signature token to obtain the synchronization feedback information, and saves the synchronization feedback information;
the electronic signature token generates a third response data packet and sends the third response data packet to the background system server;
after receiving the third response data packet, the background system server responds to the synchronization operation.
In addition, the step in which the electronic signature token generates a third response data packet and sends the third response data packet to the background system server includes:
the electronic signature token generates third response information and signs the third response information using the private key of the electronic signature token to obtain third response signature data;
after generating the third response signature data, the electronic signature token generates a third response data packet from the third response signature data and the third response information, and sends the third response data packet to the background system server;
and the step in which the background system server responds to the synchronization operation after receiving the third response data packet includes:
after receiving the third response data packet, the background system server obtains the third response signature data and the third response information from the third response data packet;
the background system server verifies the third response signature data using the public key corresponding to the private key of the electronic signature token and, after the verification passes, responds to the synchronization operation according to the third response information.
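The validation, activation and synchronization exchanges above all follow one pattern: the token signs its request information with its private key, the background system server verifies the signature with the corresponding public key and only then produces feedback, encrypts that feedback to the same public key, and the token decrypts it and returns a signed response that the server verifies before acting. The Go program below is an added example, not code from the patent or its applicant; RSA-PSS for the signatures and RSA-OAEP for the feedback are assumptions (the text fixes no algorithm), and the request code, feedback and response contents are constructed stand-ins. It also exercises the failure case the signature check exists for: request information altered after signing.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Packet is the shape of every request and response data packet in the text:
// the information itself plus the token's signature over it.
type Packet struct {
	Info []byte // request or response information (carries the request code)
	Sig  []byte // signature over Info made with the token's private key
}

func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// TokenBuildPacket runs on the token, the only party holding the private key:
// it signs the information and packs it with the signature.
func TokenBuildPacket(priv *rsa.PrivateKey, info []byte) (Packet, error) {
	h := sha256.Sum256(info)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	return Packet{Info: info, Sig: sig}, err
}

// ServerHandleRequest runs on the background system server, which holds only
// the public key corresponding to the token's private key: verify the signature
// first, derive the feedback only if it passed, then encrypt the feedback to the
// token's public key. RSA-OAEP is an assumption; the text fixes no scheme.
func ServerHandleRequest(tokenPub *rsa.PublicKey, pkt Packet) ([]byte, error) {
	if !verify(tokenPub, pkt.Info, pkt.Sig) {
		return nil, errors.New("request signature invalid: no feedback issued")
	}
	// Constructed stand-in for the feedback (setting tables) the text returns.
	// OAEP/SHA-256 with a 2048-bit key caps the plaintext at 190 bytes; anything
	// larger would need a wrapped symmetric key instead.
	fb := append([]byte("feedback-for:"), pkt.Info...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, tokenPub, fb, nil)
}

// TokenReceiveFeedback runs on the token: decrypt with the private key, keep
// the feedback, and build the signed response packet.
func TokenReceiveFeedback(priv *rsa.PrivateKey, ct, response []byte) ([]byte, Packet, error) {
	fb, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return nil, Packet{}, err
	}
	resp, err := TokenBuildPacket(priv, response)
	return fb, resp, err
}

// ServerHandleResponse verifies the response signature; the server acts on the
// operation only when this returns nil.
func ServerHandleResponse(tokenPub *rsa.PublicKey, pkt Packet) error {
	if !verify(tokenPub, pkt.Info, pkt.Sig) {
		return errors.New("response signature invalid: operation not performed")
	}
	return nil
}

// RunExchange drives one complete exchange for a constructed request code and
// returns the feedback the token decrypted; a nil error means the server
// responded to the operation. With tamper set, the request information is
// altered after signing, which is the case the signature check exists to catch.
func RunExchange(requestCode string, tamper bool) ([]byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	pub := &priv.PublicKey // what the server was provisioned with
	req, err := TokenBuildPacket(priv, []byte("validate:"+requestCode))
	if err != nil {
		return nil, err
	}
	if tamper {
		req.Info = []byte("validate:OTHER") // altered in transit, signature unchanged
	}
	ct, err := ServerHandleRequest(pub, req)
	if err != nil {
		return nil, err
	}
	fb, resp, err := TokenReceiveFeedback(priv, ct, []byte("ack:"+requestCode))
	if err != nil {
		return nil, err
	}
	return fb, ServerHandleResponse(pub, resp)
}

func main() { fmt.Println(RunExchange("REQ-42", false)) }
```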
In addition, the step in which the electronic signature token receives a start instruction and performs a start operation according to the start instruction includes:
the electronic signature token receives a power-on instruction and performs a power-on operation according to the power-on instruction;
after powering on, the electronic signature token receives an externally input instruction to enter dynamic password mode and enters the dynamic password mode according to that instruction.
An electronic signature token, including:
a startup module, configured to perform a start operation according to a start instruction when the start instruction is received;
a determining module, connected to the startup module, configured to determine, according to a received operation request, the operation type and/or operation level corresponding to the operation request;
an execution module, connected to the determining module, configured to determine, according to the operation type and/or operation level, the policy used to respond to the operation request, and to respond to the operation request according to the obtained policy,
where the execution module is further configured to:
determine, according to the operation type, the key seed matching the operation type, and generate a dynamic password value based at least on the key seed and a preset event factor; or
determine, according to the operation level, the event factor matching the operation level, and generate a dynamic password value based at least on a preset key seed and the event factor; or
determine, according to the operation type, the key seed matching the operation type, determine, according to the operation level, the event factor matching the operation level, and generate a dynamic password value based at least on the key seed and the event factor.
In addition, the electronic signature token further includes:
an update module, connected to the execution module, configured to update the event factor stored in the electronic signature token.
In addition, the execution module is configured to operate in any one of the following ways:
the electronic signature token acquires a challenge code, and generates a dynamic password value based on the acquired challenge code, the key seed and a preset event factor;
the electronic signature token acquires a challenge code, and generates a dynamic password value based on the acquired challenge code, a preset key seed and the event factor;
the electronic signature token acquires a challenge code, and generates a dynamic password value based on the acquired challenge code, the key seed and the event factor.
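The execution-module modes above, together with the table mappings described earlier (classification setting table: operation type to key seed; rating setting table: operation level to event factor) and the update modules on both sides, can be exercised end to end: the token chooses seed and event factor by operation type and level, mixes in a challenge code when one was obtained, and advances its stored event factor; the server recomputes from its own copy of the tables and advances its stored event factor only after a successful verification. The Go program below is an added example, not code from the patent; the derivation (HMAC-SHA256 with HOTP-style truncation to six digits), the server's look-ahead window for resynchronization, and all table contents are assumptions that go beyond what the text fixes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Classification setting table: operation type -> key seed, every seed distinct.
// Rating setting table: operation level -> initial event factor, every factor
// distinct. Both are constructed sample values, not values from the page.
var classificationTable = map[string][]byte{
	"transfer": []byte("seed-for-transfer-constructed"),
	"query":    []byte("seed-for-query-constructed"),
}

var ratingTable = map[string]uint64{
	"low":  1000,
	"high": 5000,
}

// dynamicPassword derives the dynamic password value from key seed, event
// factor and an optional challenge code. The page does not fix the algorithm;
// HMAC-SHA256 with HOTP-style dynamic truncation to six digits is assumed here.
func dynamicPassword(seed []byte, eventFactor uint64, challenge string) string {
	mac := hmac.New(sha256.New, seed)
	var ef [8]byte
	binary.BigEndian.PutUint64(ef[:], eventFactor)
	mac.Write(ef[:])
	mac.Write([]byte(challenge))
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Party is the per-level event-factor state that both the token and the
// background system server keep; each side's update module advances its own copy.
type Party struct {
	factors map[string]uint64
}

// NewParty starts from the rating table, i.e. the state after validation feedback.
func NewParty() *Party {
	p := &Party{factors: map[string]uint64{}}
	for level, f := range ratingTable {
		p.factors[level] = f
	}
	return p
}

// Respond is the token's execution module in its third mode: seed chosen by
// operation type, event factor by operation level, challenge code mixed in when
// one was obtained (pass "" otherwise). The stored event factor then advances.
func (t *Party) Respond(opType, opLevel, challenge string) (string, error) {
	seed, ok := classificationTable[opType]
	if !ok {
		return "", fmt.Errorf("no key seed for operation type %q", opType)
	}
	ef, ok := t.factors[opLevel]
	if !ok {
		return "", fmt.Errorf("no event factor for operation level %q", opLevel)
	}
	t.factors[opLevel] = ef + 1
	return dynamicPassword(seed, ef, challenge), nil
}

// Verify is the server's update module: recompute from its own tables, accept
// only if the value matches within a small look-ahead window (so a token that
// generated codes the server never saw can still resync), and on success move
// the stored event factor past the one used so the same value cannot be replayed.
func (s *Party) Verify(opType, opLevel, challenge, otp string) bool {
	const lookahead = 5
	seed, ok := classificationTable[opType]
	if !ok {
		return false
	}
	cur, ok := s.factors[opLevel]
	if !ok {
		return false
	}
	for i := uint64(0); i < lookahead; i++ {
		expect := dynamicPassword(seed, cur+i, challenge)
		if hmac.Equal([]byte(expect), []byte(otp)) {
			s.factors[opLevel] = cur + i + 1
			return true
		}
	}
	return false
}

func main() {
	tok, srv := NewParty(), NewParty()
	otp, _ := tok.Respond("transfer", "high", "CHAL-1")
	fmt.Println(otp, srv.Verify("transfer", "high", "CHAL-1", otp), srv.Verify("transfer", "high", "CHAL-1", otp))
}
```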
In addition, the electronic signature token further includes:
a first transmission module, configured to acquire a validation request instruction, obtain a validation request code according to the validation request instruction, and generate validation request information based at least on the validation request code;
a first signing module, configured to sign the validation request information using the private key of the electronic signature token to generate first signature data;
a first generating module, connected to the first signing module, configured to generate, after the first signature data has been generated, a first request data packet from the first signature data and the validation request information;
the first transmission module, connected to the first generating module, configured to send the first request data packet to the background system server after the first request data packet has been generated;
the first transmission module, configured to receive the validation feedback data packet;
a decryption module, configured to decrypt the validation feedback data packet using the private key of the electronic signature token to obtain the validation feedback information, and to save the validation feedback information;
the first generating module, configured to generate a first response data packet;
the first transmission module, configured to send the first response data packet to the background system server.
In addition, the first generating module is configured to:
acquire at least one of a classification setting table corresponding to the operation type and a rating setting table corresponding to the operation level, and generate the validation request information based on the acquired table or tables and the validation request code.
In addition, the validation feedback information includes at least one of the classification setting table and the rating setting table, together with the mapping relationship corresponding to each table, where:
the mapping relationship of the classification setting table is the mapping between operation types and key seeds in the classification setting table, and the key seeds corresponding to any two operation types differ from each other;
the mapping relationship of the rating setting table is the mapping between operation levels and event factors in the rating setting table, and the event factors corresponding to any two operation levels differ from each other.
In addition, the first generating module is configured to: generate first response information, sign the first response information using the private key of the electronic signature token to obtain first response signature data, generate a first response data packet from the first response signature data and the first response information, and send out the first response data packet.
In addition, the electronic signature token further includes:
a first transmission module, configured to receive an activation instruction and generate an activation request code according to the activation instruction;
a first signing module, connected to the first transmission module, configured to sign the activation request code using the private key of the electronic signature token to generate second signature data;
a first generating module, connected to the first signing module, configured to generate a second request data packet from the activation request code and the second signature data;
the first transmission module, configured to send the second request data packet to the background system server after the second request data packet has been generated;
the first transmission module, configured to receive the encrypted activation code;
a decryption module, configured to decrypt the encrypted activation code using the private key of the electronic signature token to obtain a decrypted activation code;
a first verification module, connected to the decryption module, configured to verify the decrypted activation code;
the first generating module, configured to generate a second response data packet after the decrypted activation code passes verification;
the first transmission module, configured to send the second response data packet to the background system server.
In addition, the first verification module is configured to:
after obtaining the decrypted activation code, generate an activation verification code using the activation verification code generation algorithm of the electronic signature token, and compare the decrypted activation code with the activation verification code to verify the decrypted activation code; or, when the background system server sends the encrypted activation code together with the activation code to the electronic signature token, decrypt the encrypted activation code using the private key of the electronic signature token to obtain the decrypted activation code, and compare the decrypted activation code with the activation code sent by the background system server to verify the decrypted activation code.
In addition, the first generating module is configured to:
after the decrypted activation code passes verification, generate second response information, sign the second response information using the private key of the electronic signature token to obtain second response signature data, generate a second response data packet from the second response signature data and the second response information, and send the second response data packet to the background system server.
In addition, the electronic signature token further includes:
a first transmission module, configured to acquire a synchronization request instruction and obtain a synchronization request code according to the synchronization request instruction;
a first generating module, connected to the first transmission module, configured to generate synchronization request information based at least on the synchronization request code;
the first signing module, connected to the first generating module, configured to sign the synchronization request information using the private key of the electronic signature token to generate third signature data;
the first generating module, configured to generate, after the third signature data has been generated, a third request data packet from the third signature data and the synchronization request information;
the first transmission module, configured to send the third request data packet to the background system server after the third request data packet has been generated;
the first transmission module, configured to receive the synchronization feedback data packet;
a decryption module, configured to decrypt the synchronization feedback data packet using the private key of the electronic signature token to obtain the synchronization feedback information, and to save the synchronization feedback information;
the first generating module, configured to generate a third response data packet;
the first transmission module, configured to send the third response data packet to the background system server.
In addition, the first generating module is configured to:
generate third response information, sign the third response information using the private key of the electronic signature token to obtain third response signature data, generate a third response data packet from the third response signature data and the third response information, and send out the third response data packet.
In addition, the startup module includes:
an execution unit, configured to perform a power-on operation according to a power-on instruction when the power-on instruction is received;
a processing unit, configured to receive, after power-on, an externally input instruction to enter dynamic password mode, and to enter the dynamic password mode according to that instruction.
A system in which an electronic signature token responds to an operation request, characterized in that it includes the electronic signature token of any of the above and a background system server, where the background system server includes:
an update module, configured to verify the dynamic password value after the input dynamic password value is received, and, after verification passes, to update the event factor stored in the background system server.
Furthermore, the background system server also includes:
a second communication module, configured to obtain, after the first request data packet is received, the first signature data and the validation request information from the received first request data packet;
a second verification module, configured to verify the first signature data with the public key corresponding to the private key of the electronic signature token;
a second generation module, configured to obtain, after the first signature data passes verification, at least the validation request code from the validation request information, and to generate validation feedback information at least according to the validation request code;
an encryption module, configured to encrypt the validation feedback information with the public key corresponding to the private key of the electronic signature token, obtaining a validation feedback data packet;
the second communication module is configured to send the validation feedback data packet to the electronic signature token.
Furthermore, the second communication module is configured to obtain, after a first response data packet is received, the first response signature data and the first response information from the first response data packet;
the second verification module is configured to verify the first response signature data with the public key corresponding to the private key of the electronic signature token, and, after verification passes, to respond to the validation operation according to the first response information.
Furthermore, the second generation module is also configured to obtain, after the first signature data passes verification, at least one of the classification setting table and the grade setting table together with the validation request code from the validation request information, and to generate the validation feedback information according to at least one of the classification setting table and the grade setting table together with the validation request code.
Furthermore, the background system server also includes:
a second communication module, configured to obtain, after the second request data packet is received, the activation request code and the second signature data from the second request data packet;
a second verification module, configured to verify the second signature data with the public key corresponding to the private key of the electronic signature token;
an encryption module, configured to generate an activation code according to the activation request code after the second signature data passes verification, and to encrypt the activation code with the public key corresponding to the private key of the electronic signature token, obtaining an encrypted activation code;
the second communication module is configured to send the encrypted activation code to the electronic signature token.
Furthermore, the background system server also includes:
the second communication module, configured to obtain, after a second response data packet is received, the second response signature data and the second response information from the second response data packet;
the second verification module, configured to verify the second response signature data with the public key corresponding to the private key of the electronic signature token, and, after verification passes, to respond to the activation operation according to the second response information.
Furthermore, the background system server also includes:
a second communication module, configured to obtain, after the third request data packet is received, the third signature data and the synchronization request information from the received third request data packet;
a second verification module, configured to verify the third signature data with the public key corresponding to the private key of the electronic signature token, and, after the third signature data passes verification, to obtain at least the synchronization request code from the synchronization request information and to generate synchronization feedback information at least according to the synchronization request code;
an encryption module, configured to encrypt the synchronization feedback information with the public key corresponding to the private key of the electronic signature token, obtaining a synchronization feedback data packet;
the second communication module is configured to send the synchronization feedback data packet to the electronic signature token.
Furthermore, the second communication module is configured to obtain, after a third response data packet is received, the third response signature data and the third response information from the third response data packet;
the second verification module is configured to verify the third response signature data with the public key corresponding to the private key of the electronic signature token, and, after verification passes, to respond to the synchronization operation according to the third response information.
As can be seen from the technical solution provided by the present invention, compared with the prior art, in which all operations use the same dynamic password generation policy, the embodiments provided by the present invention determine the operation type and/or operation level corresponding to an operation request and thereby determine the policy corresponding to that request, so that different operation types and/or operation requests correspond to different dynamic password generation policies. This removes the coupling between the generation policies of different operation types and/or operation levels: even if the dynamic password generation policy of one class of operation request is cracked, the OTPs the user uses for other classes of operation are not exposed to a security risk, which improves information security and protects the user's account information.
Description of the Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a schematic flowchart of an embodiment of a method, provided by the present invention, in which an electronic signature token responds to an operation request;
FIG. 2 is a schematic diagram of the validation flow of the electronic signature token provided by the present invention;
FIG. 3 is a schematic diagram of the activation flow of the electronic signature token provided by the present invention;
FIG. 4 is a schematic diagram of the synchronization flow of the electronic signature token provided by the present invention;
FIG. 5 is a schematic structural diagram of the electronic signature token provided by the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art, based on the embodiments of the present invention and without creative effort, fall within the scope of protection of the present invention.
In the description of the present invention, it should be understood that terms indicating orientation or positional relationship, such as "center", "longitudinal", "lateral", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer", are based on the orientation or positional relationship shown in the drawings, are used only for convenience and simplicity of description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they are therefore not to be understood as limiting the present invention. Moreover, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance, quantity or position.
In the description of the present invention, it should be noted that, unless otherwise expressly specified and limited, the terms "mounted", "connected" and "coupled" are to be understood broadly: for example, a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediate medium; or an internal communication between two elements. A person of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the specific circumstances.
The embodiments of the present invention are further described in detail below with reference to the drawings.
FIG. 1 is a schematic flowchart of an embodiment of a method, provided by the present invention, in which an electronic signature token responds to an operation request. The method embodiment shown in FIG. 1 includes the following steps:
Step 101: the electronic signature token receives a start instruction and performs a start operation according to the start instruction;
Specifically, with the electronic signature mode and the dynamic password mode coexisting, the electronic signature token receives a power-on instruction and performs a power-on operation according to it; after powering on, the electronic signature token receives an externally input instruction to enter dynamic password mode and enters dynamic password mode according to that instruction.
Switching between the electronic signature mode and the dynamic password mode by receiving an externally input instruction to enter dynamic password mode is simple and convenient to implement.
Step 102: the electronic signature token determines, according to the received operation request, the operation type and/or operation level corresponding to the operation request;
The operation types may include login, transfer, transaction and query, but are not limited to these; the above may be further subdivided by operation types preset by the user.
The operation level is divided according to the amount of the account that the operation may dispose of; that is, different levels are defined by the amount within the account that may be disposed of, such as below 100 yuan, 100 to 1000, 1000 to 5000, and so on.
For example, if the operation request is a login, only the operation type corresponding to the request is determined; if the operation request is a transfer of 800 yuan, both the operation type and the operation level corresponding to the request can be determined. Of course, in practical applications it may be preset, or the user may choose, that only the operation level is managed; in that case, when the operation request is a transaction of 200 yuan, only the operation level corresponding to the request is determined.
Step 103: the electronic signature token determines, according to the operation type and/or operation level, the policy used to respond to the operation request;
Specifically, the above policy is negotiated and determined jointly by the electronic signature token and the background system server.
Step 104: the electronic signature token responds to the operation request according to the obtained policy.
Specifically, responding to the operation request includes any one of the following ways:
Way one: the electronic signature token determines, according to the operation type, the key seed matching the operation type, and generates a dynamic password value at least according to the key seed and a preset event factor;
The complexity of the key seed may be controlled according to how much the operation type affects account security. For example, login and query operations have lower access rights than transaction and transfer operations, so their key seed may be simpler than the key seed for transaction and transfer operations. The key seeds corresponding to the different operation types are pairwise distinct, so that if the key of one operation type is cracked, the other types of operation are not put at risk of being cracked.
Way two: the electronic signature token determines, according to the operation level, the event factor matching the operation level, and generates a dynamic password value at least according to a preset key seed and the event factor; or
By comparison, the latter way yields event factors with more randomness than the former, which increases the complexity of the event factor, reduces the probability that the event factor is cracked, and improves information security.
Way three: the electronic signature token determines, according to the operation type, the key seed matching the operation type, determines, according to the operation level, the event factor matching the operation level, and generates a dynamic password value at least according to the key seed and the event factor;
Way three is an optimization of ways one and two and has both of the above advantages, further improving the security of the user's account information.
To further increase the complexity of the dynamic password value, in each of the three ways above:
the step of generating a dynamic password value at least according to the key seed and the preset event factor includes: the electronic signature token obtains a challenge code; the electronic signature token generates the dynamic password value according to the obtained challenge code, the key seed and the preset event factor;
the step of generating a dynamic password value at least according to the preset key seed and the event factor includes: the electronic signature token obtains a challenge code; the electronic signature token generates the dynamic password value according to the obtained challenge code, the preset key seed and the event factor;
the step of generating a dynamic password value at least according to the key seed and the event factor includes: the electronic signature token obtains a challenge code; the electronic signature token generates the dynamic password value according to the obtained challenge code, the key seed and the event factor.
The higher the operation level, the more complex the challenge code; conversely, the lower the operation level, the simpler the challenge code may be.
The challenge codes of the different levels may all be taken from the same piece of information, such as the user's account number: for example, the challenge code for a high operation level is the last 5 digits of the account number and the challenge code for a low operation level is the last 1 digit. Of course, the challenge codes of different levels may also be taken from different pieces of information, such as account information, time information or transaction details: for example, the challenge code for a high operation level is taken from the account information and the challenge code for a low operation level from the event information.
Optionally, after the electronic signature token responds to the operation request according to the obtained policy, the method further includes:
the electronic signature token updates the event factor stored in the electronic signature token;
after receiving the input dynamic password value, the background system server verifies the dynamic password value and, after verification passes, updates the event factor stored in the background system server.
By updating the event factor after each successful response to an operation request, the event factors recorded by the background system server and by the electronic signature token are kept consistent, which ensures that the dynamic password generated the next time generation is triggered is correct.
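The procedure of steps 101 to 104 under way three, with level-dependent challenge codes and the event factor update that keeps token and server in step, as an added Go example (not code from the patent): the HMAC-SHA256 password derivation, the digit table for challenge codes, and all seeds, factors and account values are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Request is an operation request as the token receives it; Amount < 0 means the
// request carries no amount (a login, say), so no operation level can be determined.
type Request struct {
	OpType  string // "login", "query", "transfer", "trade"
	Amount  int    // yuan
	Account string // source of the challenge code
}

// Party is the state token and server share after provisioning: one key seed per
// operation type (pairwise distinct, as the text requires) and one event factor per
// operation level, with level -1 holding the preset factor for requests without a level.
type Party struct {
	SeedsByType    map[string][]byte
	FactorsByLevel map[int]uint64
}

// NewParty provisions a party with constructed sample values (not from the patent).
func NewParty() *Party {
	return &Party{
		SeedsByType:    map[string][]byte{"login": []byte("seed-login-01"), "transfer": []byte("seed-transfer-03")},
		FactorsByLevel: map[int]uint64{-1: 1, 0: 10, 1: 20, 2: 30, 3: 40},
	}
}

// Level maps the amount to the tiers the text lists: <100, 100-1000, 1000-5000, above.
func Level(amount int) int {
	lvl := -1
	for _, limit := range []int{0, 100, 1000, 5000} {
		if amount >= limit {
			lvl++
		}
	}
	return lvl
}

// ChallengeCode takes the trailing digits of the account number, 1 digit at the lowest
// level and 5 at the highest, as in the text's example (the digit table is assumed).
func ChallengeCode(account string, level int) string {
	n := []int{1, 1, 3, 5, 5}[level+1] // index 0 is the "no level" case
	if n > len(account) {
		n = len(account)
	}
	return account[len(account)-n:]
}

// OTP derives a six-digit dynamic password from key seed, event factor and challenge.
// HMAC-SHA256 with HOTP-style truncation is an assumption; the text fixes no algorithm.
func OTP(seed []byte, factor uint64, challenge string) string {
	mac := hmac.New(sha256.New, seed)
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], factor)
	mac.Write(ctr[:])
	mac.Write([]byte(challenge))
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[off:off+4])&0x7fffffff)%1000000)
}

// Password is steps 102-104 under way three: determine the operation type and, where the
// request carries an amount, the level; take the seed matched to the type, the event
// factor matched to the level and the challenge code; then generate the password.
func (p *Party) Password(req Request) (string, bool) {
	seed, ok := p.SeedsByType[req.OpType]
	if !ok {
		return "", false // unknown operation type: no policy, no password
	}
	lvl := Level(req.Amount)
	return OTP(seed, p.FactorsByLevel[lvl], ChallengeCode(req.Account, lvl)), true
}

// Respond is the token side: generate, then advance the event factor that was used.
func (p *Party) Respond(req Request) (string, bool) {
	code, ok := p.Password(req)
	if ok {
		p.FactorsByLevel[Level(req.Amount)]++
	}
	return code, ok
}

// Verify is the server side: recompute under the same policy and advance the same
// event factor only on success, so both sides stay in step and a replay fails.
func (p *Party) Verify(req Request, code string) bool {
	want, ok := p.Password(req)
	if !ok || !hmac.Equal([]byte(want), []byte(code)) {
		return false
	}
	p.FactorsByLevel[Level(req.Amount)]++
	return true
}
```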
Compared with the prior art, in which all operations use the same dynamic password generation policy, the method embodiments provided by the present invention determine the operation type and/or operation level corresponding to an operation request and thereby determine the policy corresponding to that request, so that different operation types and/or operation requests correspond to different dynamic password generation policies. This removes the coupling between the generation policies of different operation types and/or operation levels: even if the dynamic password generation policy of one class of operation request is cracked, the OTPs the user uses for other classes of operation are not exposed to a security risk, which improves information security and protects the user's account information.
The method embodiments provided by the present invention are further explained below:
The validation, activation and synchronization flows of the electronic signature token used in the present invention may follow the existing validation, activation and synchronization flows of dynamic password tokens in the prior art; however, to further improve the security of the dynamic password mode in the electronic signature token, the following solution is provided, including:
First, the flow for validating the electronic signature token is described. The flow includes:
Step A01: the electronic signature token receives a start instruction and performs a start operation according to the start instruction;
Specifically, with the electronic signature mode and the dynamic password mode coexisting, the electronic signature token receives a power-on instruction and performs a power-on operation according to it; after powering on, the electronic signature token receives an externally input instruction to enter dynamic password mode and enters dynamic password mode according to that instruction.
Switching between the electronic signature mode and the dynamic password mode by receiving an externally input instruction to enter dynamic password mode is simple and convenient to implement.
Step A02: the electronic signature token obtains a validation request instruction;
The validation instruction may be obtained by parsing detected externally input information, or it may by default be started automatically the first time the dynamic password generation mode is started. The latter is simpler and more convenient to operate than the former.
Step A03: the electronic signature token obtains a validation request code according to the validation request instruction;
Step A04: the electronic signature token generates validation request information at least according to the validation request code;
The validation request code may be sent directly as the validation request information, or it may be encrypted before being sent. If encryption is used, the encryption policy may be negotiated in advance by the electronic signature token and the background server, or chosen by the electronic signature token. If it is chosen by the electronic signature token, the electronic signature token sends the policy it selected to the background system server.
The present invention preferably uses the encrypted validation request code as the validation request information, improving information security.
Optionally, this step further includes:
the electronic signature token obtains at least one of the classification setting table corresponding to the operation type and the grade setting table corresponding to the operation level;
the electronic signature token generates the validation request information according to at least one of the obtained classification setting table and grade setting table together with the validation request code.
The classification setting table and the grade setting table may be obtained by receiving information that the user enters on the keyboard of the electronic signature token, or the above information may be imported into the electronic signature token through a peripheral interface.
Sending at least one of the classification setting table and the grade setting table to the background system server satisfies the user's personalized settings; in addition, generating the validation request information from at least one of the two tables together with the validation request code lets the user's personalized settings be applied together with validation of the electronic signature token, reducing the number of information exchanges and improving processing efficiency.
Step A05: the electronic signature token signs the validation request information with the private key of the electronic signature token, generating first signature data;
Specifically, unlike the prior art, the validation request information of this step is digitally signed before it is sent, so that the identity of the electronic signature token is authenticated. In addition, since the electronic signature token itself already has a signature function, the digital signature can be produced using the corresponding key information of the electronic signature mode, with no additional hardware cost, which is simple and convenient to implement.
Step A06: after generating the first signature data, the electronic signature token generates a first request data packet according to the first signature data and the validation request information;
Specifically, the first request data packet may be generated directly without any processing of the first signature data and the validation request information, or at least one of the first signature data and the validation request information may be encrypted before the first request data packet is generated; the latter improves the security of the first request data packet compared with the former.
Step A07: after generating the first request data packet, the electronic signature token sends the first request data packet to the background system server;
Step A08: after receiving the first request data packet, the background system server obtains the first signature data and the validation request information from the received first request data packet;
Corresponding to step A06, if the first request data packet was obtained by encrypting at least one of the first signature data and the validation request information, the background system server obtains the decryption algorithm and uses it to decrypt and obtain the above information.
The decryption algorithm may be negotiated in advance, or obtained by the background system server querying the electronic signature device.
Step A09: the background system server verifies the first signature data with the public key corresponding to the private key of the electronic signature token;
Step A10: after the first request data packet passes verification, the background system server obtains at least the validation request code from the validation request information;
Step A11: the background system server generates validation feedback information at least according to the validation request code;
Specifically, when step A04 includes at least one of the classification setting table and the grade setting table, this step specifically includes:
after the first request data packet passes verification, the background system server obtains at least one of the classification setting table and the grade setting table together with the validation request code from the validation request information;
the background system server generates the validation feedback information according to at least one of the classification setting table and the grade setting table together with the validation request code.
The validation feedback information includes: the classification setting table, the grade setting table, at least one key seed, at least one event factor, and the mapping among each class setting in the classification setting table, each grade setting in the grade setting table, the at least one key seed and the at least one event factor, where each class setting in the classification setting table corresponds to a different key seed and each grade setting in the grade setting table corresponds to a different event factor.
由上可以看出,在接收到分类设置表和分级设置表中至少一个时,根据用户的需求, 下发满足用户需求的配置信息,使电子签名令牌在采用配置信息后能够实现的用户需求。 It can be seen from the above that when at least one of the classification setting table and the rating setting table is received, according to the needs of the user,                               The configuration information that meets the user's needs is delivered, so that the electronic signature token can be implemented by the user after the configuration information is adopted.                 
步骤A12、后台系统服务器利用与电子签名令牌的私钥对应的公钥对生效反馈信息进 行加密,获得生效反馈数据包,并将生效反馈数据包发送至电子签名令牌; Step A12: The background system server uses the public key corresponding to the private key of the electronic signature token to enter the effective feedback information.           Line encryption, obtaining the effective feedback data packet, and sending the valid feedback data packet to the electronic signature token;                 
具体的,通过密文发送生效反馈数据包,可以提高数据传输的安全性。 Specifically, the effective feedback data packet is sent through the ciphertext, so that the security of the data transmission can be improved.                 
步骤A13、电子签名令牌接收生效反馈数据包,利用电子签名令牌的私钥对生效反馈 数据包进行解密,获得生效反馈信息,保存生效反馈信息; Step A13: The electronic signature token receives the valid feedback data packet, and the private key pair of the electronic signature token is used to provide feedback.           The data packet is decrypted, the effective feedback information is obtained, and the effective feedback information is saved;                 
步骤A14、电子签名令牌生成第一响应数据包,并将第一响应数据包发送至后台系统 服务器; Step A14: The electronic signature token generates a first response data packet, and sends the first response data packet to the background system.           server;                 
具体的,本步骤中为了保证信息的安全传输,第一响应数据包是通过如下方式实现的, 包括: Specifically, in this step, in order to ensure secure transmission of information, the first response data packet is implemented by the following manner.           include:                 
电子签名令牌生成第一响应信息,利用电子签名令牌的私钥对第一响应信息进行签名, 获得第一响应签名数据; The electronic signature token generates the first response information, and the first response information is signed by using the private key of the electronic signature token.           Obtaining first response signature data;                 
电子签名令牌在生成第一响应签名数据后,根据第一响应签名数据、第一响应信息生 成第一响应数据包; After generating the first response signature data, the electronic signature token generates the first response signature data and the first response information.           Into the first response packet;                 
电子签名令牌在生成第一响应数据包后,将第一响应数据包发送至后台系统服务器; After generating the first response data packet, the electronic signature token sends the first response data packet to the background system server;                 
步骤A15、后台系统服务器接收到第一响应数据包后,响应生效操作。 Step A15: After receiving the first response data packet, the background system server responds to the effective operation.                 
对应于步骤A14,为了提高后台系统服务器接收的信息的安全性,第一响应数据包是 通过数字签名处理后发送过来的,其中,后台系统服务器接收到第一响应数据包后,根据 第一响应数据包获得第一响应签名数据和第一响应信息,并利用与电子签名令牌的私钥对 应的公钥对第一响应签名数据进行验证,并在验证通过后,根据第一响应信息响应生效操 作。 Corresponding to step A14, in order to improve the security of the information received by the background system server, the first response packet is           After being processed by the digital signature, the background system server receives the first response data packet, according to           The first response packet obtains the first response signature data and the first response information, and utilizes a private key pair with the electronic signature token           The first public signature key verifies the first response signature data, and after the verification is passed, the response is valid according to the first response information.           Work.                 
通过步骤A14和A15中对第一响应信息的处理流程,可以看出,通过对第一响应信息 进行签名,保证了电子签名令牌和后台服务器的通信安全,提高了传输的安全性。 Through the processing flow of the first response information in steps A14 and A15, it can be seen that the first response information is passed.           Signing ensures the communication security between the electronic signature token and the backend server, which improves the security of the transmission.                 
本发明提供的电子签名令牌生效流程,通过信息传输实现电子签名令牌的生效,与现 有技术中用户到银行柜台办理生效流程相比,提高了处理效率;另外,电子签名令牌通过 对信息进行数字签名,保证了用户信息的安全传输,因此,本发明提供的生效流程,不但 提高生效流程的处理效率,又保证了用户信息的安全传输。 The electronic signature token validation process provided by the invention realizes the effectiveness of the electronic signature token through information transmission, and           In the technology, the user improves the processing efficiency compared to the entry process of the bank counter; in addition, the electronic signature token passes           The digital signature of the information ensures the secure transmission of the user information. Therefore, the effective process provided by the present invention is not only           Improve the processing efficiency of the effective process, and ensure the safe transmission of user information.                 
After the above process is completed, the electronic signature token has been validated. The activation process is described below:
The activation process of the electronic signature token includes the following steps:
Step B01: The electronic signature token receives an activation instruction;
The activation instruction may be input by the user through the keys of the electronic signature token.
Step B02: The electronic signature token obtains an activation request code according to the activation instruction;
Step B03: The electronic signature token signs the activation request code using the private key of the electronic signature token to generate second signature data;
Specifically, unlike the prior art, the activation request code in this step is sent after digital signature processing, which achieves identity authentication of the electronic signature token; moreover, since the electronic signature token itself has a signature function, the digital signature can be produced using the key information of that signature mode, with no extra hardware cost, so the implementation is simple and convenient.
Step B04: The electronic signature token generates a second request data packet from the activation request code and the second signature data;
Specifically, the second request data packet may be generated directly, without any processing of the activation request code and the second signature data, or at least one of the activation request code and the second signature data may be encrypted first and the second request data packet generated afterwards; the latter provides better security for the second request data packet than the former.
Step B05: After generating the second request data packet, the electronic signature token sends the second request data packet to the background system server;
Step B06: After receiving the second request data packet, the background system server obtains the activation request code and the second signature data from the second request data packet;
Corresponding to step B04, if the second request data packet was obtained by encrypting at least one of the activation request code and the second signature data, the background system server obtains the corresponding decryption algorithm and uses it to decrypt and recover the above information. The decryption algorithm may be negotiated in advance, or the background system server may obtain it by querying the electronic signature device.
Step B07: The background system server verifies the second request data packet using the public key corresponding to the private key of the electronic signature token;
Step B08: After the second request data packet passes verification, the background system server generates an activation code according to the activation request code;
Step B09: After generating the activation code, the background system server encrypts the activation code using the public key corresponding to the private key of the electronic signature token to obtain an encrypted activation code, and sends the encrypted activation code to the electronic signature token;
Step B10: After receiving the encrypted activation code, the electronic signature token decrypts the encrypted activation code using the private key of the electronic signature token to obtain the decrypted activation code;
In steps B09 and B10, sending the activation code as ciphertext improves the security of the data transmission.
Step B11: The electronic signature token verifies the decrypted activation code;
Specifically, this step includes:
after receiving the decrypted activation code, the electronic signature token generates an activation verification code using the activation verification code generation algorithm of the electronic signature token;
the activation verification algorithm may be stored in advance, or may be obtained from data received from outside;
the activation code is then verified in either of the following two ways:
Method one: the electronic signature token compares the decrypted activation code with the activation verification code to verify the decrypted activation code; or
Method two: when the background system server sends the encrypted activation code together with the activation code to the electronic signature token, the electronic signature token decrypts the encrypted activation code using the private key of the electronic signature token to obtain the decrypted activation code, and compares the decrypted activation code with the activation code sent by the background system server to verify the decrypted activation code.
Specifically, if the activation code and the activation verification code are consistent, the activation code passes verification; otherwise, the activation code fails verification.
Compared with method one, the activation code information sent in method two is the encrypted activation code, which prevents the risk of information leakage should the information be intercepted in transit and improves the security of the activation code transmission.
Step B12: After the decrypted activation code passes verification, the electronic signature token generates a second response data packet and sends the second response data packet to the background system server;
Specifically, to ensure secure transmission of the information, the second response data packet in this step is produced as follows:
after the decrypted activation code passes verification, the electronic signature token generates second response information and signs the second response information using the private key of the electronic signature token to obtain second response signature data;
after generating the second response signature data, the electronic signature token generates the second response data packet from the second response signature data and the second response information;
Step B13: After receiving the second response data packet, the background system server responds to the activation operation.
Corresponding to step B12, to improve the security of the information received by the background system server, the second response data packet in this step is sent after digital signature processing; after receiving the second response data packet, the background system server obtains the second response signature data and the second response information from the second response data packet;
the background system server verifies the second response signature data using the public key corresponding to the private key of the electronic signature token and, once verification passes, responds to the activation operation according to the second response information.
From the handling of the second response information in steps B12 and B13 it can be seen that signing the second response information secures the communication between the electronic signature token and the background server and improves the security of the transmission.
The electronic signature token activation process provided by the present invention guarantees secure transmission of the user information by digitally signing the information.
Finally, the electronic signature token synchronization process is described:
Step C01: The electronic signature token obtains a synchronization request instruction;
The synchronization request instruction may be input by the user through the keys of the electronic signature token.
Step C02: The electronic signature token obtains a synchronization request code according to the synchronization request instruction;
Step C03: The electronic signature token generates synchronization request information according to at least the synchronization request code;
Step C04: The electronic signature token signs the synchronization request information using the private key of the electronic signature token to generate third signature data;
Specifically, unlike the prior art, the activation request code in this step is sent after digital signature processing, which achieves identity authentication of the electronic signature token; moreover, since the electronic signature token itself has a signature function, the digital signature can be produced using the key information of that signature mode, with no extra hardware cost, so the implementation is simple and convenient.
Any digital signature method of the prior art is applicable to this step and is not described again here.
Step C05: After generating the third signature data, the electronic signature token generates a third request data packet from the third signature data and the synchronization request information;
Specifically, the third request data packet may be generated directly, without any processing of the activation request code and the second signature data, or at least one of the activation request code and the second signature data may be encrypted first and the third request data packet generated afterwards; the latter improves the security of the second request data packet compared with the former.
Step C06: After generating the third request data packet, the electronic signature token sends the third request data packet to the background system server;
Step C07: After receiving the third request data packet, the background system server obtains the third signature data and the synchronization request information from the received third request data packet;
Corresponding to step C05, if the third request data packet was obtained by encrypting at least one of the third signature data and the synchronization request information, the background system server obtains the corresponding decryption algorithm and uses it to decrypt and recover the above information. The decryption algorithm may be negotiated in advance, or the background system server may obtain it by querying the electronic signature device.
Step C08: The background system server verifies the third signature data using the public key corresponding to the private key of the electronic signature token;
Step C09: After the third signature data passes verification, the background system server obtains at least the synchronization request code from the synchronization request information;
Step C10: The background system server generates synchronization feedback information according to at least the synchronization request code;
The synchronization feedback information may include an event factor, time information, key information and the like.
Step C11: The background system server encrypts the synchronization feedback information using the public key corresponding to the private key of the electronic signature token to obtain a synchronization feedback data packet, and sends the synchronization feedback data packet to the electronic signature token;
Step C12: The electronic signature token receives the synchronization feedback data packet, decrypts the synchronization feedback data packet using the private key of the electronic signature token to obtain the synchronization feedback information, and saves the synchronization feedback information;
Step C13: The electronic signature token generates a third response data packet and sends the third response data packet to the background system server;
Specifically, to ensure secure transmission of the information, the third response data packet in this step is produced as follows:
the electronic signature token generates third response information and signs the third response information using the private key of the electronic signature token to obtain third response signature data;
after generating the third response signature data, the electronic signature token generates the third response data packet from the third response signature data and the third response information;
Step C15: After receiving the third response data packet, the background system server responds to the synchronization operation.
Corresponding to step C14, to improve the security of the information received by the background system server, the third response data packet is sent after digital signature processing; correspondingly, this step includes:
after receiving the third response data packet, the background system server obtains the third response signature data and the third response information from the third response data packet;
the background system server verifies the third response signature data using the public key corresponding to the private key of the electronic signature token and, once verification passes, responds to the synchronization operation according to the third response information.
From the handling of the third response information in steps C14 and C15 it can be seen that signing the third response information secures the communication between the electronic signature token and the background server and improves the security of the transmission.
The electronic signature token synchronization process provided by the present invention guarantees secure transmission of the user information by digitally signing the information.
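The exchange that steps A06 to A15, B01 to B13 and C01 to C15 all follow (a request signed with the token's private key and verified by the server with the matching public key, feedback encrypted with that public key and decrypted by the token, then a signed response the server verifies before acting), as an added Python example that is not part of the patent. The RSA key is a toy built from two small fixed primes, and the chunked encryption, the packet layout, the activation-code algorithm and all sample values are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Toy textbook RSA on two fixed, well-known primes (2^31-1 and 2^32-5), used only so the
# example runs with the standard library; a real token uses a proper scheme and key size.
_P, _Q = 2147483647, 4294967291
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))
TOKEN_PUBLIC_KEY, TOKEN_PRIVATE_KEY = (N, E), (N, D)
# Assumed shared secret behind the "activation verification code generation algorithm"
# held by both sides (the patent leaves that algorithm open).
ACTIVATION_SECRET = b"constructed-activation-secret"

def digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(digest_int(data, n), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest_int(data, n)

def encrypt(public_key, data: bytes) -> list:
    """Encrypt 7-byte chunks; a 0x01 tag in front of each chunk keeps leading zero bytes."""
    n, e = public_key
    return [pow(int.from_bytes(b"\x01" + data[i:i + 7], "big"), e, n)
            for i in range(0, len(data), 7)]

def decrypt(private_key, chunks: list) -> bytes:
    n, d = private_key
    return b"".join(pow(c, d, n).to_bytes(8, "big").lstrip(b"\x00")[1:] for c in chunks)

def canonical_bytes(info: dict) -> bytes:
    return json.dumps(info, sort_keys=True).encode()

def activation_code_for(request_code: str) -> str:
    return hmac.new(ACTIVATION_SECRET, request_code.encode(), hashlib.sha256).hexdigest()[:8]

class ElectronicSignatureToken:
    def __init__(self):
        self.private_key = TOKEN_PRIVATE_KEY
        self.stored_feedback = {}

    def build_packet(self, info: dict) -> dict:
        """Request/response packet: plaintext info plus a signature over its canonical form."""
        return {"info": info, "signature": sign(self.private_key, canonical_bytes(info))}

    def receive_feedback(self, kind: str, packet: dict) -> dict:
        feedback = json.loads(decrypt(self.private_key, packet["ciphertext"]))
        if kind == "activation":
            # Method one: compare the decrypted activation code with a locally generated one.
            expected = activation_code_for(feedback["request_code"])
            if not hmac.compare_digest(expected, feedback["activation_code"]):
                raise ValueError("activation code failed verification")
        self.stored_feedback[kind] = feedback
        return feedback

class BackgroundSystemServer:
    def __init__(self, token_public_key):
        self.token_public_key = token_public_key
        self.completed = []

    def verified_info(self, packet: dict) -> dict:
        if not verify(self.token_public_key, canonical_bytes(packet["info"]), packet["signature"]):
            raise ValueError("signature verification failed; packet rejected")
        return packet["info"]

    def handle_request(self, packet: dict) -> dict:
        info = self.verified_info(packet)
        if info["kind"] == "validation":
            # Constructed mapping: each operation type gets its own key seed,
            # each operation level its own event factor.
            feedback = {
                "classification": {t: f"seed-{t}" for t in info.get("classification", [])},
                "rating": {lvl: 1000 * (i + 1) for i, lvl in enumerate(info.get("rating", []))},
            }
        elif info["kind"] == "activation":
            code = info["request_code"]
            feedback = {"request_code": code, "activation_code": activation_code_for(code)}
        else:  # synchronization: constructed event factor, time and key information
            feedback = {"event_factor": 4242, "time": 1400000000, "key_info": "constructed"}
        return {"ciphertext": encrypt(self.token_public_key, json.dumps(feedback).encode())}

    def handle_response(self, packet: dict) -> str:
        info = self.verified_info(packet)
        self.completed.append(info["kind"])
        return info["kind"]

def run_flow(kind: str, token, server, extra=None) -> str:
    """One exchange: signed request -> encrypted feedback -> signed response -> server acts."""
    request = token.build_packet({"kind": kind, "request_code": f"{kind}-req-001", **(extra or {})})
    token.receive_feedback(kind, server.handle_request(request))
    return server.handle_response(token.build_packet({"kind": kind, "status": "ok"}))
```

A packet whose info is altered after signing fails `verify` and is rejected before the server derives any feedback from it, which is the property the three flows rely on.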
图5为本发明提供的电子签名令牌的结构示意图。图5所示电子签名令牌,包括: FIG. 5 is a schematic structural diagram of an electronic signature token provided by the present invention. The electronic signature token shown in Figure 5 includes:                 
启动模块401,用于在接收开启指令时,根据所述开启指令执行开启操作; The startup module 401 is configured to perform an opening operation according to the opening instruction when receiving the opening instruction;                 
确定模块402,与所述启动模块401相连,用于根据接收到的操作请求,确定所述操 作请求所对应的操作类型和/或操作级别; a determining module 402, connected to the startup module 401, configured to determine the operation according to the received operation request           The type of operation and/or the level of operation corresponding to the request;                 
执行模块403,与所述确定模块402相连,用于根据所述操作类型和/或操作级别确定 响应所述操作请求所使用的策略,根据得到的策略响应所述操作请求,包括: An execution module 403, connected to the determining module 402, configured to determine according to the operation type and/or operation level           Responding to the operation request according to the obtained policy, in response to the obtained policy, including:                 
根据所述操作类型,确定与所述操作类型匹配的密钥种子,至少根据所述密钥种子和 预设的事件因子生成动态口令值;或 Determining a key seed that matches the operation type according to the operation type, at least according to the key seed and           The preset event factor generates a dynamic password value; or                 
根据所述操作级别,确定与所述操作级别匹配的事件因子,至少根据预设的密钥种子 和所述事件因子生成动态口令值;或 Determining, according to the operation level, an event factor that matches the operation level, at least according to a preset key seed           And generating a dynamic password value with the event factor; or                 
根据所述操作类型,确定与所述操作类型匹配的密钥种子,所述电子签名令牌根据所 述操作级别,确定与所述操作级别匹配的事件因子,至少根据所述密钥种子和所述事件因 子生成动态口令值。 Determining, according to the operation type, a key seed that matches the operation type, the electronic signature token according to the           An operation level, determining an event factor that matches the operation level, at least according to the key seed and the event cause           The child generates a dynamic password value.                 
其中,确定模块可以通过与用户进行交互的接收模块接收输入的操作请求。 The determining module may receive the input operation request through a receiving module that interacts with the user.                 
其中,所述电子签名令牌还包括: The electronic signature token further includes:                 
更新模块,与所述执行模块相连,用于更新保存在所述电子签名令牌中的事件因子。 An update module is coupled to the execution module for updating an event factor stored in the electronic signature token.                 
其中,所述执行模块403用于执行如下任一方式的操作,包括: The execution module 403 is configured to perform operations in any of the following manners, including:                 
方式一:所述电子签名令牌获取挑战码;所述电子签名令牌根据获取到的所述挑战码 以及所述密钥种子和预设的事件因子生成动态口令值; Manner 1: The electronic signature token acquires a challenge code; the electronic signature token is obtained according to the acquired challenge code           And generating the dynamic password value by the key seed and a preset event factor;                 
方式二:所述电子签名令牌获取挑战码;所述电子签名令牌根据获取到的所述挑战码 以及预设的密钥种子和所述事件因子生成动态口令值; Manner 2: the electronic signature token acquires a challenge code; the electronic signature token is obtained according to the acquired challenge code           And generating a dynamic password value by using a preset key seed and the event factor;                 
方式三:所述电子签名令牌获取挑战码;所述电子签名令牌根据获取到的所述挑战码 以及所述密钥种子和所述事件因子生成动态口令值。 Manner 3: the electronic signature token acquires a challenge code; the electronic signature token is obtained according to the acquired challenge code           And the key seed and the event factor generate a dynamic password value.                 
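An added Python example, not part of the patent, of the determining module, execution module and update module described above: the classification setting table maps each operation type to its own key seed, the rating setting table maps each operation level to its own event factor, and manners one to three correspond to the token holding only the first table, only the second, or both. The HMAC-SHA256 password construction, the table contents and the lockstep server-side checker are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed tables (the patent names them but gives no contents): the classification
# setting table maps each operation type to its own key seed, the rating setting table
# maps each operation level to its own event factor.
CLASSIFICATION_SETTING_TABLE = {
    "transfer": b"seed-transfer-constructed",
    "payment": b"seed-payment-constructed",
}
RATING_SETTING_TABLE = {"low": 1000, "medium": 2000, "high": 3000}
PRESET_KEY_SEED = b"seed-preset-constructed"
PRESET_EVENT_FACTOR = 1

def dynamic_password(key_seed: bytes, event_factor: int, challenge: bytes = b"", digits: int = 6) -> str:
    """HOTP-style truncation of HMAC-SHA256(seed, factor || challenge). The patent does not
    fix the algorithm; this construction is an assumption made for the example."""
    mac = hmac.new(key_seed, struct.pack(">Q", event_factor) + challenge, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class DynamicPasswordModule:
    """Determining module 402, execution module 403 and the update module of the token."""

    def __init__(self, classification=None, rating=None):
        # Either table may be absent: manner one uses the classification table only,
        # manner two the rating table only, manner three both.
        self.classification = dict(classification) if classification else None
        self.event_factors = dict(rating) if rating else None
        self.preset_event_factor = PRESET_EVENT_FACTOR

    def determine(self, request: dict):
        """Operation type and/or level of the request, as far as the token is configured for them."""
        op_type = request.get("type") if self.classification else None
        level = request.get("level") if self.event_factors else None
        if op_type is not None and op_type not in self.classification:
            raise ValueError(f"unknown operation type: {op_type}")
        if level is not None and level not in self.event_factors:
            raise ValueError(f"unknown operation level: {level}")
        return op_type, level

    def select_policy(self, request: dict):
        """Key seed and event factor to use for this request (preset values where no table applies)."""
        op_type, level = self.determine(request)
        seed = self.classification[op_type] if op_type is not None else PRESET_KEY_SEED
        factor = self.event_factors[level] if level is not None else self.preset_event_factor
        return seed, factor, level

    def execute(self, request: dict, challenge: bytes = b"") -> str:
        """Generate the dynamic password for the request and advance the stored event factor."""
        seed, factor, level = self.select_policy(request)
        otp = dynamic_password(seed, factor, challenge)
        self.update_event_factor(level)
        return otp

    def update_event_factor(self, level) -> None:
        """Update module: advance the stored factor so the same request never repeats a password."""
        if level is None:
            self.preset_event_factor += 1
        else:
            self.event_factors[level] += 1

class ServerSideChecker:
    """Holds the same tables (delivered to the token as validation feedback) and runs the same
    policy in lockstep to check a submitted password (no look-ahead window, for brevity)."""

    def __init__(self, classification=None, rating=None):
        self.mirror = DynamicPasswordModule(classification, rating)

    def check(self, request: dict, challenge: bytes, otp: str) -> bool:
        seed, factor, level = self.mirror.select_policy(request)
        if not hmac.compare_digest(dynamic_password(seed, factor, challenge), otp):
            return False
        self.mirror.update_event_factor(level)  # advance only on success, staying in step
        return True
```

Because the seed is chosen by operation type and the factor by operation level, a password for one type or level is not valid for another, and a replayed password fails once the event factor has moved on.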
其中,所述电子签名令牌还包括: The electronic signature token further includes:                 
第一传输模块,用于获取生效请求指令,并根据所述生效请求指令获得生效请求码, 至少根据所述生效请求码生成生效请求信息; a first transmission module, configured to obtain an effective request instruction, and obtain an effective request code according to the effective request instruction,           Generating the effective request information according to at least the validation request code;                 
第一签名模块,用于利用所述电子签名令牌的私钥对所述生效请求信息进行签名,生 成第一签名数据; a first signing module, configured to sign the effective request information by using a private key of the electronic signature token           Into the first signature data;                 
第一生成模块,与所述第一签名模块相连,用于在生成所述第一签名数据后,根据所 述第一签名数据和所述生效请求信息生成第一请求数据包; a first generation module, connected to the first signature module, configured to generate the first signature data, according to the                               Generating a first request data packet by describing the first signature data and the validation request information;                 
所述第一传输模块,与所述第一生成模块相连,用于在生成第一请求数据包后,将所 述第一请求数据包发送至后台系统服务器; The first transmission module is connected to the first generation module, and is configured to: after generating the first request data packet,           Transmitting the first request data packet to the background system server;                 
the first transmission module is further configured to receive the enabling feedback data packet;
a decryption module, configured to decrypt the enabling feedback data packet with the private key of the electronic signature token, obtain the enabling feedback information, and store the enabling feedback information;
the first generation module is further configured to generate a first response data packet;
the first transmission module is further configured to send the first response data packet to the background system server.
The first generation module is configured to:
obtain at least one of a classification setting table corresponding to the operation type and a grading setting table corresponding to the operation level, and generate the enabling request information from the obtained table(s) together with the enabling request code.
The enabling feedback information includes: the classification setting table, the grading setting table, at least one key seed, at least one event factor, and the mapping relationship among each type setting in the classification setting table, each level setting in the grading setting table, the key seed(s) and the event factor(s); each type setting in the classification setting table corresponds to a different key seed, and each level setting in the grading setting table corresponds to a different event factor.
The first generation module is configured to: generate first response information, sign the first response information with the private key of the electronic signature token to obtain first response signature data, generate a first response data packet from the first response signature data and the first response information, and send the first response data packet.
The electronic signature token further includes:
a first transmission module, configured to receive an activation instruction and generate an activation request code according to the activation instruction;
a first signing module, connected to the first transmission module, configured to sign the activation request code with the private key of the electronic signature token to generate second signature data;
a first generation module, connected to the first signing module, configured to generate a second request data packet from the activation request code and the second signature data;
the first transmission module is further configured to send the second request data packet to the background system server after it has been generated;
the first transmission module is further configured to receive the encrypted activation code;
a decryption module, configured to decrypt the encrypted activation code with the private key of the electronic signature token to obtain the decrypted activation code;
a first verification module, connected to the decryption module, configured to verify the decrypted activation code;
the first generation module is further configured to generate a second response data packet after the decrypted activation code passes verification;
the first transmission module is further configured to send the second response data packet to the background system server;
wherein the background system server responds to the activation operation after receiving the second response data packet.
The first verification module is configured to:
after receiving the decrypted activation code, generate an activation verification code with the activation verification code generation algorithm of the electronic signature token, and compare the decrypted activation code with the activation verification code to verify the decrypted activation code; or, when the background system server sends the encrypted activation code together with the (plaintext) activation code to the electronic signature token, decrypt the encrypted activation code with the private key of the electronic signature token to obtain the decrypted activation code, and compare the decrypted activation code with the activation code sent by the background system server to verify the decrypted activation code.
The first generation module is configured to:
after the decrypted activation code passes verification, generate second response information, sign the second response information with the private key of the electronic signature token to obtain second response signature data, generate a second response data packet from the second response signature data and the second response information, and send the second response data packet to the background system server.
The electronic signature token further includes:
a first transmission module, configured to acquire a synchronization request instruction and obtain a synchronization request code according to the synchronization request instruction;
a first generation module, connected to the transmission module, configured to generate synchronization request information at least from the synchronization request code;
the first signing module, connected to the generation module, configured to sign the synchronization request information with the private key of the electronic signature token to generate third signature data;
the first generation module is further configured to generate a third request data packet from the third signature data and the synchronization request information after the third signature data has been generated;
the first transmission module is further configured to send the third request data packet to the background system server after it has been generated;
the first transmission module is further configured to receive the synchronization feedback data packet;
a decryption module, configured to decrypt the synchronization feedback data packet with the private key of the electronic signature token to obtain the synchronization feedback information, and store the synchronization feedback information;
the first generation module is further configured to generate a third response data packet;
the first transmission module is further configured to send the third response data packet to the background system server;
wherein the background system server responds to the synchronization operation after receiving the third response data packet.
The first generation module is configured to:
generate third response information, sign the third response information with the private key of the electronic signature token to obtain third response signature data, generate a third response data packet from the third response signature data and the third response information, and send the third response data packet.
The start-up module includes:
an execution unit, configured to perform a power-on operation according to a power-on instruction when the power-on instruction is received;
a processing unit, configured to receive, after power-on, an externally input instruction to enter dynamic password mode, and to enter dynamic password mode according to that instruction.
Compared with the prior art, in which every operation uses the same dynamic password generation policy, the electronic signature token provided by the present invention determines the operation type and/or operation level corresponding to an operation request and from that determines the policy for the request, so that different operation types and/or operation levels use different dynamic password generation policies. This removes the correlation between the generation policies of different operation types and/or operation levels: if the dynamic password generation policy for one type of operation request is cracked, the OTPs the user uses for other categories of operation are not exposed to a security risk, which improves information security and protects the security of the user's account information.
In addition, a system in which an electronic signature token responds to operation requests includes any electronic signature token described above and a background system server, wherein the background system server includes:
an update module, configured to verify the dynamic password value after the input dynamic password value is received, and to update the event factor stored in the background system server after verification passes.
The background system server further includes:
a second communication module, configured to obtain the first signature data and the enabling request information from the received first request data packet after the first request data packet is received;
a second verification module, configured to verify the first request data packet with the public key corresponding to the private key of the electronic signature token;
a second generation module, configured to obtain the enabling request code at least from the enabling request information after the first signature data passes verification, and to generate enabling feedback information at least from the enabling request code;
an encryption module, configured to encrypt the enabling feedback information with the public key corresponding to the private key of the electronic signature token to obtain the enabling feedback data packet;
the second communication module is further configured to send the enabling feedback data packet to the electronic signature token;
wherein:
the second communication module is further configured to obtain the first response signature data and the first response information from the first response data packet after it is received;
the second verification module is further configured to verify the first response signature data with the public key corresponding to the private key of the electronic signature token, and to respond to the enabling operation according to the first response information after verification passes.
wherein:
the second generation module is further configured to, after the first signature data passes verification, obtain at least one of the classification setting table and the grading setting table together with the enabling request code from the enabling request information, and to generate the enabling feedback information from the obtained table(s) and the enabling request code.
The background system server further includes:
a second communication module, configured to obtain the activation request code and the second signature data from the second request data packet after it is received;
a second verification module, configured to verify the second signature data with the public key corresponding to the private key of the electronic signature token;
an encryption module, configured to generate an activation code according to the activation request code after the second signature data passes verification, and to encrypt the activation code with the public key corresponding to the private key of the electronic signature token to obtain an encrypted activation code;
the second communication module is further configured to send the encrypted activation code to the electronic signature token.
The background system server further includes:
the second communication module is further configured to obtain the second response signature data and the second response information from the second response data packet after it is received;
the second verification module is further configured to verify the second response signature data with the public key corresponding to the private key of the electronic signature token, and to respond to the activation operation according to the second response information after verification passes.
The background system server further includes:
a second communication module, configured to obtain the third signature data and the synchronization request information from the received third request data packet after it is received;
a second verification module, configured to verify the third signature data with the public key corresponding to the private key of the electronic signature token and, after the third signature data passes verification, to obtain the synchronization request code at least from the synchronization request information and generate synchronization feedback information at least from the synchronization request code;
an encryption module, configured to encrypt the synchronization feedback information with the public key corresponding to the private key of the electronic signature token to obtain a synchronization feedback data packet;
the second communication module is further configured to send the synchronization feedback data packet to the electronic signature token.
wherein:
the second communication module is further configured to obtain the third response signature data and the third response information from the third response data packet after it is received;
the second verification module is further configured to verify the third response signature data with the public key corresponding to the private key of the electronic signature token, and to respond to the synchronization operation according to the third response information after verification passes.
Compared with the prior art, in which every operation uses the same dynamic password generation policy, the system provided by the present invention determines the operation type and/or operation level corresponding to an operation request and from that determines the policy for the request, so that different operation types and/or operation levels use different dynamic password generation policies. This removes the correlation between the generation policies of different operation types and/or operation levels: if the dynamic password generation policy for one type of operation request is cracked, the OTPs the user uses for other categories of operation are not exposed to a security risk, which improves information security and protects the security of the user's account information.
Any process or method description in a flowchart, or otherwise described herein, may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing specific logical functions or steps of the process; the scope of the preferred embodiments of the present invention includes other implementations in which functions may be executed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functionality involved, as will be understood by those skilled in the art to which the embodiments of the present invention belong.
It should be understood that the parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented by software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or a combination of the following technologies known in the art may be used: discrete logic circuits with logic gates for implementing logic functions on data signals, application-specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGA), field-programmable gate arrays (FPGA), and so on.
A person of ordinary skill in the art will understand that all or part of the steps carried by the methods of the above embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing module, each unit may exist physically on its own, or two or more units may be integrated into one module. The integrated module may be implemented in hardware or as a software functional module. When implemented as a software functional module and sold or used as an independent product, the integrated module may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk, or the like.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example", "some examples" and the like means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are exemplary and are not to be construed as limiting the present invention; a person of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention without departing from its principles and spirit. The scope of the present invention is defined by the appended claims and their equivalents.

Claims (34)

  1. A method for an electronic signature token to respond to an operation request, characterized in that it includes the following steps:
    the electronic signature token receives a start instruction and performs a start operation according to the start instruction;
    the electronic signature token receives an operation request and determines the operation type and/or operation level corresponding to the operation request;
    the electronic signature token determines, according to the operation type and/or operation level, the policy used to respond to the operation request, and responds to the operation request according to the obtained policy;
    wherein the step of the electronic signature token determining, according to the operation type and/or operation level, the policy used to respond to the operation request and responding to the operation request according to the obtained policy includes:
    the electronic signature token determines, according to the operation type, a key seed matching the operation type, and generates a dynamic password value at least from the key seed and a preset event factor; or
    the electronic signature token determines, according to the operation level, an event factor matching the operation level, and generates a dynamic password value at least from a preset key seed and the event factor; or
    the electronic signature token determines, according to the operation type, a key seed matching the operation type and, according to the operation level, an event factor matching the operation level, and generates a dynamic password value at least from the key seed and the event factor.
  2. The method according to claim 1, characterized in that, after the electronic signature token responds to the operation request according to the obtained policy, the method further includes:
    the electronic signature token updates the event factor stored in the electronic signature token;
    the background system server, after receiving the input dynamic password value, verifies the dynamic password value and, after verification passes, updates the event factor stored in the background system server.
  3. The method according to claim 1 or 2, characterized in that
    the step of generating a dynamic password value at least from the key seed and the preset event factor includes: the electronic signature token acquires a challenge code; the electronic signature token generates the dynamic password value from the acquired challenge code together with the key seed and the preset event factor;
    the step of generating a dynamic password value at least from the preset key seed and the event factor includes: the electronic signature token acquires a challenge code; the electronic signature token generates the dynamic password value from the acquired challenge code together with the preset key seed and the event factor;
    the step of generating a dynamic password value at least from the key seed and the event factor includes: the electronic signature token acquires a challenge code; the electronic signature token generates the dynamic password value from the acquired challenge code together with the key seed and the event factor.
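The following is an added worked example, not code from the patent or its applicant, modelling claims 1 to 3 and the event-factor update of claim 2: the token selects a key seed by operation type (the classification setting table) and an event factor by operation level (the grading setting table), derives the dynamic password from them plus an optional challenge code, and both sides advance their event factor once a value has been verified. The patent does not specify the derivation function; the HMAC-SHA256 construction with RFC 4226 style truncation, the table contents, the look-ahead window and all names here are assumptions made for this illustration.

```python
"""Per-type / per-level OTP policy (added example; values are constructed)."""
import hashlib
import hmac
import struct

# Constructed tables. Each operation type owns a distinct key seed and each
# operation level owns a distinct starting event factor (an event counter).
CLASSIFICATION_TABLE = {
    "login":    bytes.fromhex("0102030405060708090a0b0c0d0e0f10"),
    "transfer": bytes.fromhex("1112131415161718191a1b1c1d1e1f20"),
    "query":    bytes.fromhex("2122232425262728292a2b2c2d2e2f30"),
}
GRADING_TABLE = {"low": 1000, "medium": 2000, "high": 3000}

# "Preset" seed / event factor used when only a level (or only a type) is given.
DEFAULT_SEED = bytes.fromhex("3132333435363738393a3b3c3d3e3f40")
DEFAULT_EVENT_FACTOR = 0


def check_tables_distinct(classification, grading):
    """Property from the feedback tables: seeds pairwise distinct, factors pairwise distinct."""
    return (len(set(classification.values())) == len(classification)
            and len(set(grading.values())) == len(grading))


def generate_otp(seed, event_factor, challenge=b"", digits=6):
    """Assumed derivation: HMAC-SHA256 over the 8-byte event factor and the
    challenge code, dynamically truncated to `digits` decimal digits."""
    msg = struct.pack(">Q", event_factor) + challenge
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class Token:
    """Token side: picks the policy from type and/or level, then advances
    its own copy of the event factor (claim 2)."""

    def __init__(self, classification, grading):
        self.classification = classification
        # one running event factor per level; None = the preset factor
        self.event_factors = {None: DEFAULT_EVENT_FACTOR, **grading}

    def respond(self, op_type=None, op_level=None, challenge=b""):
        seed = self.classification[op_type] if op_type else DEFAULT_SEED
        otp = generate_otp(seed, self.event_factors[op_level], challenge)
        self.event_factors[op_level] += 1
        return otp


class Server:
    """Background system server: verifies with the same tables and updates
    its stored event factor only after a successful verification."""

    def __init__(self, classification, grading, window=3):
        self.classification = classification
        self.event_factors = {None: DEFAULT_EVENT_FACTOR, **grading}
        self.window = window  # tolerated token/server counter drift

    def verify(self, otp, op_type=None, op_level=None, challenge=b""):
        seed = self.classification[op_type] if op_type else DEFAULT_SEED
        base = self.event_factors[op_level]
        for i in range(self.window):
            if hmac.compare_digest(generate_otp(seed, base + i, challenge), otp):
                self.event_factors[op_level] = base + i + 1  # resync and advance
                return True
        return False


def isolation_demo():
    """A value produced under one type's seed is rejected for another type at
    the same level, so compromising one type's policy does not expose the rest."""
    tok = Token(CLASSIFICATION_TABLE, GRADING_TABLE)
    srv = Server(CLASSIFICATION_TABLE, GRADING_TABLE)
    otp = tok.respond("transfer", "high")
    as_login = srv.verify(otp, "login", "high")       # wrong type: rejected
    as_transfer = srv.verify(otp, "transfer", "high")  # right type: accepted
    return as_login, as_transfer
```

The three options of claim 1 map onto the arguments of `respond`: type only (`op_type` set, `op_level=None`), level only (`op_level` set, `op_type=None`), or both; claim 3 is the same call with a non-empty `challenge`. The server deliberately advances its counter past the accepted value, so a replayed dynamic password fails on the next attempt.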
  4. 根据权利要求1所述的方法,其特征在于,所述方法还包括: The method of claim 1 further comprising:                       
    所述电子签名令牌获取生效请求指令,并根据所述生效请求指令获得生效请求码; The electronic signature token acquires an effective request instruction, and obtains an effective request code according to the effective request instruction;                                                 
    所述电子签名令牌至少根据所述生效请求码生成生效请求信息; Generating, by the electronic signature token, the validation request information according to the validation request code;                       
    所述电子签名令牌利用所述电子签名令牌的私钥对所述生效请求信息进行签名,生成 第一签名数据; The electronic signature token signs the validation request information by using a private key of the electronic signature token to generate              First signature data;                       
    所述电子签名令牌在生成所述第一签名数据后,根据所述第一签名数据和所述生效请 求信息生成第一请求数据包; After generating the first signature data, the electronic signature token is based on the first signature data and the effective request              Finding information to generate a first request data packet;                       
    所述电子签名令牌在生成第一请求数据包后,将所述第一请求数据包发送至后台系统 服务器; After generating the first request data packet, the electronic signature token sends the first request data packet to a background system              server;                       
    所述后台系统服务器在接收到所述第一请求数据包后,从接收到的所述第一请求数据 包中获得所述第一签名数据和所述生效请求信息; Receiving, by the background system server, the received first request data after receiving the first request data packet              Obtaining the first signature data and the validation request information in a package;                       
    所述后台系统服务器利用与所述电子签名令牌的私钥对应的公钥对所述第一签名数据 进行验证; The background system server uses the public key corresponding to the private key of the electronic signature token to the first signature data              authenticating;                       
    所述后台系统服务器在验证所述第一签名数据通过后,至少从所述生效请求信息中获 得所述生效请求码,至少根据所述生效请求码生成生效反馈信息; After the background system server verifies that the first signature data is passed, at least the obtained request information is obtained.              And the validation request code is generated, and the effective feedback information is generated according to at least the effective request code;                       
    所述后台系统服务器利用与所述电子签名令牌的私钥对应的公钥对所述生效反馈信息 进行加密,获得生效反馈数据包,并将所述生效反馈数据包发送至所述电子签名令牌; The background system server uses the public key corresponding to the private key of the electronic signature token to validate the feedback information              Performing encryption, obtaining an effective feedback data packet, and transmitting the valid feedback data packet to the electronic signature token;                       
    所述电子签名令牌接收所述生效反馈数据包,利用所述电子签名令牌的私钥对所述生 效反馈数据包进行解密,获得生效反馈信息,保存所述生效反馈信息; Receiving, by the electronic signature token, the valid feedback data packet, using the private key of the electronic signature token              The effect feedback data packet is decrypted, the effective feedback information is obtained, and the effective feedback information is saved;                       
    所述电子签名令牌生成第一响应数据包,并将所述第一响应数据包发送至所述后台系 统服务器; The electronic signature token generates a first response data packet, and sends the first response data packet to the background system              Server                       
    所述后台系统服务器接收到所述第一响应数据包后,响应生效操作。 After receiving the first response data packet, the background system server responds to the effective operation.                       
  5. The method according to claim 4, wherein the step in which the electronic signature token generates validation request information at least according to the validation request code comprises:
    the electronic signature token acquires at least one of a classification setting table corresponding to the operation type and a grading setting table corresponding to the operation level;
    the electronic signature token generates the validation request information according to the acquired at least one of the classification setting table and the grading setting table, and the validation request code;
    and the step in which the background system server, after verification of the first signature data passes, obtains at least the validation request code from the validation request information and generates validation feedback information at least according to the validation request code comprises:
    after verification of the first signature data passes, the background system server obtains, from the validation request information, at least one of the classification setting table and the grading setting table, and the validation request code;
    the background system server generates the validation feedback information according to the at least one of the classification setting table and the grading setting table, and the validation request code.
  6. The method according to claim 5, wherein the validation feedback information comprises at least one of the classification setting table and the grading setting table, together with the mapping relationship corresponding to each table, wherein:
    the mapping relationship of the classification setting table is the mapping between operation types and key seeds in the classification setting table, and the key seeds corresponding to any two operation types differ from each other;
    the mapping relationship of the grading setting table is the mapping between operation levels and event factors in the grading setting table, and the event factors corresponding to any two operation levels differ from each other.
  7. The method according to any one of claims 4 to 6, wherein
    the step in which the electronic signature token generates a first response data packet and sends the first response data packet to the background system server comprises:
    the electronic signature token generates first response information and signs the first response information with the private key of the electronic signature token to obtain first response signature data;
    after generating the first response signature data, the electronic signature token generates a first response data packet according to the first response signature data and the first response information;
    after generating the first response data packet, the electronic signature token sends the first response data packet to the background system server;
    and the step in which the background system server responds to the validation operation after receiving the first response data packet comprises:
    after receiving the first response data packet, the background system server obtains the first response signature data and the first response information from the first response data packet;
    the background system server verifies the first response signature data with the public key corresponding to the private key of the electronic signature token and, after the verification passes, responds to the validation operation according to the first response information.
  8. The method according to claim 1, wherein the method further comprises:
    the electronic signature token receives an activation instruction and generates an activation request code according to the activation instruction;
    the electronic signature token signs the activation request code with the private key of the electronic signature token to generate second signature data, and generates a second request data packet according to the activation request code and the second signature data;
    after generating the second request data packet, the electronic signature token sends the second request data packet to the background system server;
    after receiving the second request data packet, the background system server obtains the activation request code and the second signature data from the second request data packet, and verifies the second signature data with the public key corresponding to the private key of the electronic signature token;
    after verification of the second signature data passes, the background system server generates an activation code according to the activation request code;
    after generating the activation code, the background system server encrypts the activation code with the public key corresponding to the private key of the electronic signature token to obtain an encrypted activation code, and sends the encrypted activation code to the electronic signature token;
    after receiving the encrypted activation code, the electronic signature token decrypts the encrypted activation code with the private key of the electronic signature token to obtain a decrypted activation code;
    the electronic signature token verifies the decrypted activation code;
    after verification of the decrypted activation code passes, the electronic signature token generates a second response data packet and sends the second response data packet to the background system server;
    after receiving the second response data packet, the background system server responds to the activation operation.
  9. The method according to claim 8, wherein the step in which the electronic signature token verifies the decrypted activation code comprises:
    after obtaining the decrypted activation code, the electronic signature token generates an activation verification code with the activation verification code generation algorithm of the electronic signature token;
    the electronic signature token compares the decrypted activation code with the activation verification code to verify the decrypted activation code; or
    when the background system server sends the encrypted activation code together with the activation code to the electronic signature token, the electronic signature token decrypts the encrypted activation code with the private key of the electronic signature token to obtain the decrypted activation code, and compares the decrypted activation code with the activation code sent by the background system server to verify the decrypted activation code.
  10. The method according to claim 8 or 9, wherein
    the step in which, after verification of the decrypted activation code passes, the electronic signature token generates a second response data packet and sends the second response data packet to the background system server comprises:
    after verification of the decrypted activation code passes, the electronic signature token generates second response information and signs the second response information with the private key of the electronic signature token to obtain second response signature data;
    after generating the second response signature data, the electronic signature token generates a second response data packet according to the second response signature data and the second response information;
    after generating the second response data packet, the electronic signature token sends the second response data packet to the background system server;
    and the step in which the background system server responds to the activation operation after receiving the second response data packet comprises:
    after receiving the second response data packet, the background system server obtains the second response signature data and the second response information from the second response data packet;
    the background system server verifies the second response signature data with the public key corresponding to the private key of the electronic signature token and, after the verification passes, responds to the activation operation according to the second response information.
  11. The method according to any one of claims 8 to 10, wherein the method further comprises:
    the electronic signature token acquires a synchronization request instruction and obtains a synchronization request code according to the synchronization request instruction;
    the electronic signature token generates synchronization request information at least according to the synchronization request code;
    the electronic signature token signs the synchronization request information with the private key of the electronic signature token to generate third signature data;
    after generating the third signature data, the electronic signature token generates a third request data packet according to the third signature data and the synchronization request information;
    after generating the third request data packet, the electronic signature token sends the third request data packet to the background system server;
    after receiving the third request data packet, the background system server obtains the third signature data and the synchronization request information from the received third request data packet;
    the background system server verifies the third signature data with the public key corresponding to the private key of the electronic signature token;
    after verification of the third signature data passes, the background system server obtains at least the synchronization request code from the synchronization request information and generates synchronization feedback information at least according to the synchronization request code;
    the background system server encrypts the synchronization feedback information with the public key corresponding to the private key of the electronic signature token to obtain a synchronization feedback data packet, and sends the synchronization feedback data packet to the electronic signature token;
    the electronic signature token receives the synchronization feedback data packet, decrypts the synchronization feedback data packet with the private key of the electronic signature token to obtain synchronization feedback information, and stores the synchronization feedback information;
    the electronic signature token generates a third response data packet and sends the third response data packet to the background system server;
    after receiving the third response data packet, the background system server responds to the synchronization operation.
  12. The method according to claim 11, wherein
    the step in which the electronic signature token generates a third response data packet and sends the third response data packet to the background system server comprises:
    the electronic signature token generates third response information and signs the third response information with the private key of the electronic signature token to obtain third response signature data;
    after generating the third response signature data, the electronic signature token generates a third response data packet according to the third response signature data and the third response information, and sends the third response data packet to the background system server;
    and the step in which the background system server responds to the synchronization operation after receiving the third response data packet comprises:
    after receiving the third response data packet, the background system server obtains the third response signature data and the third response information from the third response data packet;
    the background system server verifies the third response signature data with the public key corresponding to the private key of the electronic signature token and, after the verification passes, responds to the synchronization operation according to the third response information.
  13. The method according to any one of claims 1 to 12, wherein the step in which the electronic signature token receives a start-up instruction and performs a start-up operation according to the start-up instruction comprises:
    the electronic signature token receives a power-on instruction and performs a power-on operation according to the power-on instruction;
    after powering on, the electronic signature token receives an externally input instruction to enter dynamic password mode, and enters dynamic password mode according to the instruction to enter dynamic password mode.
  14. An electronic signature token, comprising:
    a startup module, configured to perform a start-up operation according to a start-up instruction when the start-up instruction is received;
    a determining module, connected to the startup module and configured to determine, according to a received operation request, the operation type and/or operation level corresponding to the operation request;
    an execution module, connected to the determining module and configured to determine, according to the operation type and/or operation level, the policy used to respond to the operation request, and to respond to the operation request according to the obtained policy,
    wherein the execution module is further configured to:
    determine, according to the operation type, a key seed matching the operation type, and generate a dynamic password value at least according to the key seed and a preset event factor; or
    determine, according to the operation level, an event factor matching the operation level, and generate a dynamic password value at least according to a preset key seed and the event factor; or
    determine, according to the operation type, a key seed matching the operation type, determine, according to the operation level, an event factor matching the operation level, and generate a dynamic password value at least according to the key seed and the event factor.
  15. The electronic signature token according to claim 14, wherein the electronic signature token further comprises:
    an update module, connected to the execution module and configured to update the event factor stored in the electronic signature token.
  16. The electronic signature token according to claim 14 or 15, wherein the execution module is configured to operate in any one of the following ways:
    the electronic signature token acquires a challenge code, and generates a dynamic password value according to the acquired challenge code, the key seed and a preset event factor;
    the electronic signature token acquires a challenge code, and generates a dynamic password value according to the acquired challenge code, a preset key seed and the event factor;
    the electronic signature token acquires a challenge code, and generates a dynamic password value according to the acquired challenge code, the key seed and the event factor.
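The dynamic-password generation of claims 14 to 16 (a key seed selected by operation type, an event factor selected by operation level, an optional challenge code) and the event-factor update of claims 15 and 27, as an added Python example that is not part of the patent or of the applicant's implementation. The claims fix neither the password algorithm nor the table contents, so the HMAC-SHA1 construction with RFC 4226-style truncation, the sample classification and grading tables, and the server-side look-ahead window used below are assumptions made here. The example goes beyond the claims by showing the background system server's verification: a look-ahead window absorbs a token that has advanced its event factor without submitting, and moving the stored factor past the consumed value rejects a replayed password.

```python
import hashlib
import hmac
import struct

# Constructed sample tables (assumption: the patent does not fix their contents).
# Claim 6 only requires pairwise-distinct key seeds per operation type and
# pairwise-distinct event factors per operation level.
CLASSIFICATION_TABLE = {            # operation type -> key seed
    "query":    b"seed-for-query-operations-000",
    "transfer": b"seed-for-transfer-operations-1",
}
GRADING_TABLE = {                   # operation level -> initial event factor
    "low":  1_000,
    "high": 50_000,
}
PRESET_SEED = b"preset-seed-when-no-type-applies"   # "preset key seed" of claim 14
PRESET_EVENT_FACTOR = 0                              # "preset event factor" of claim 14


def dynamic_password(seed: bytes, event_factor: int, challenge: bytes = b"",
                     digits: int = 6) -> str:
    """HMAC-SHA1 over (event factor || challenge code) with RFC 4226-style
    truncation. Stand-in construction: the patent names no specific algorithm.
    With an empty challenge this is exactly HOTP, so RFC 4226 vectors apply."""
    msg = struct.pack(">Q", event_factor) + challenge
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class PolicyState:
    """Seed and event-factor state; the same shape is held by token and server."""

    def __init__(self):
        self.seeds = dict(CLASSIFICATION_TABLE)
        # Event factors keyed by operation level; key None holds the preset factor.
        self.factors = {None: PRESET_EVENT_FACTOR, **GRADING_TABLE}

    def select(self, op_type, op_level):
        # Claim 14: seed chosen by type (else preset), factor chosen by level (else preset).
        seed = self.seeds[op_type] if op_type is not None else PRESET_SEED
        return seed, self.factors[op_level]


class Token(PolicyState):
    def respond(self, op_type=None, op_level=None, challenge=b""):
        """Execution module of claims 14/16: answer an operation request with a
        dynamic password value, then let the update module (claim 15) advance
        the stored event factor so the same value is never produced twice."""
        seed, factor = self.select(op_type, op_level)
        otp = dynamic_password(seed, factor, challenge)
        self.factors[op_level] = factor + 1
        return otp


class Server(PolicyState):
    def __init__(self, look_ahead=5):
        super().__init__()
        self.look_ahead = look_ahead   # assumption: tolerated token drift

    def verify(self, otp, op_type=None, op_level=None, challenge=b""):
        """Update module of claim 27: verify the submitted value and, on success,
        store the consumed factor + 1. Re-submitting the same value then fails."""
        seed, start = self.select(op_type, op_level)
        for factor in range(start, start + self.look_ahead):
            candidate = dynamic_password(seed, factor, challenge)
            if hmac.compare_digest(candidate, otp):   # constant-time comparison
                self.factors[op_level] = factor + 1
                return True
        return False


def demo():
    """Walk through accept, replay, level mismatch and resynchronization."""
    token, server = Token(), Server()
    results = {}
    otp = token.respond("transfer", "high", b"challenge-42")
    results["accepted"] = server.verify(otp, "transfer", "high", b"challenge-42")
    results["replay_rejected"] = not server.verify(otp, "transfer", "high", b"challenge-42")
    # A value generated under the "low" level does not verify under "high".
    results["wrong_level_rejected"] = not server.verify(token.respond("query", "low"), "query", "high")
    # Token advances twice without submitting; the window still resynchronizes.
    token.respond("query", "low")
    token.respond("query", "low")
    results["resync_within_window"] = server.verify(token.respond("query", "low"), "query", "low")
    return results


if __name__ == "__main__":
    print(demo())
```

The separation the claims describe is what makes the level check meaningful: because the event factor differs per operation level and the seed per operation type, a value produced for a low-level query cannot be presented as authorization for a high-level transfer even though both come from the same token.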
  17. The electronic signature token according to claim 14, wherein the electronic signature token further comprises:
    a first transmission module, configured to acquire a validation request instruction, obtain a validation request code according to the validation request instruction, and generate validation request information at least according to the validation request code;
    a first signing module, configured to sign the validation request information with the private key of the electronic signature token to generate first signature data;
    a first generating module, connected to the first signing module and configured to generate, after the first signature data is generated, a first request data packet according to the first signature data and the validation request information;
    the first transmission module, connected to the first generating module and configured to send the first request data packet to the background system server after the first request data packet is generated;
    the first transmission module, configured to receive the validation feedback data packet;
    a decryption module, configured to decrypt the validation feedback data packet with the private key of the electronic signature token to obtain validation feedback information, and to store the validation feedback information;
    the first generating module, configured to generate a first response data packet;
    the first transmission module, configured to send the first response data packet to the background system server.
  18. The electronic signature token according to claim 17, wherein the first generating module is configured to:
    acquire at least one of a classification setting table corresponding to the operation type and a grading setting table corresponding to the operation level, and generate the validation request information according to the acquired at least one of the classification setting table and the grading setting table, and the validation request code.
  19. The electronic signature token according to claim 18, wherein the validation feedback information comprises at least one of the classification setting table and the grading setting table, together with the mapping relationship corresponding to each table, wherein:
    the mapping relationship of the classification setting table is the mapping between operation types and key seeds in the classification setting table, and the key seeds corresponding to any two operation types differ from each other;
    the mapping relationship of the grading setting table is the mapping between operation levels and event factors in the grading setting table, and the event factors corresponding to any two operation levels differ from each other.
  20. The electronic signature token according to any one of claims 17 to 19, wherein the first generating module is configured to: generate first response information, sign the first response information with the private key of the electronic signature token to obtain first response signature data, generate a first response data packet according to the first response signature data and the first response information, and send the first response data packet out.
  21. The electronic signature token according to claim 14, wherein the electronic signature token further comprises:
    a first transmission module, configured to receive an activation instruction and generate an activation request code according to the activation instruction;
    a first signing module, connected to the first transmission module and configured to sign the activation request code with the private key of the electronic signature token to generate second signature data;
    a first generating module, connected to the first signing module and configured to generate a second request data packet according to the activation request code and the second signature data;
    the first transmission module, configured to send the second request data packet to the background system server after the second request data packet is generated;
    the first transmission module, configured to receive the encrypted activation code;
    a decryption module, configured to decrypt the encrypted activation code with the private key of the electronic signature token to obtain a decrypted activation code;
    a first verification module, connected to the decryption module and configured to verify the decrypted activation code;
    the first generating module, configured to generate a second response data packet after verification of the decrypted activation code passes;
    the first transmission module, configured to send the second response data packet to the background system server.
  22. The electronic signature token according to claim 21, wherein the first verification module is configured to:
    after the decrypted activation code is obtained, generate an activation verification code with the activation verification code generation algorithm of the electronic signature token, and compare the decrypted activation code with the activation verification code to verify the decrypted activation code; or, when the background system server sends the encrypted activation code together with the activation code to the electronic signature token, decrypt the encrypted activation code with the private key of the electronic signature token to obtain the decrypted activation code, and compare the decrypted activation code with the activation code sent by the background system server to verify the decrypted activation code.
  23. The electronic signature token according to claim 21 or 22, wherein the first generating module is configured to:
    after verification of the decrypted activation code passes, generate second response information, sign the second response information with the private key of the electronic signature token to obtain second response signature data, generate a second response data packet according to the second response signature data and the second response information, and send the second response data packet to the background system server.
  24. The electronic signature token according to claim 14, wherein the electronic signature token further comprises:
    a first transmission module, configured to acquire a synchronization request instruction and obtain a synchronization request code according to the synchronization request instruction;
    a first generating module, connected to the first transmission module and configured to generate synchronization request information at least according to the synchronization request code;
    the first signing module, connected to the first generating module and configured to sign the synchronization request information with the private key of the electronic signature token to generate third signature data;
    the first generating module, configured to generate, after the third signature data is generated, a third request data packet according to the third signature data and the synchronization request information;
    the first transmission module, configured to send the third request data packet to the background system server after the third request data packet is generated;
    the first transmission module, configured to receive the synchronization feedback data packet;
    a decryption module, configured to decrypt the synchronization feedback data packet with the private key of the electronic signature token to obtain synchronization feedback information, and to store the synchronization feedback information;
    the first generating module, configured to generate a third response data packet;
    the first transmission module, configured to send the third response data packet to the background system server.
  25. The electronic signature token according to claim 24, wherein the first generating module is configured to:
    generate third response information, sign the third response information with the private key of the electronic signature token to obtain third response signature data, generate a third response data packet according to the third response signature data and the third response information, and send the third response data packet out.
  26. The electronic signature token according to any one of claims 14 to 15, wherein the startup module comprises:
    an execution unit, configured to perform a power-on operation according to a power-on instruction when the power-on instruction is received;
    a processing unit, configured to receive, after power-on, an externally input instruction to enter dynamic password mode, and to enter dynamic password mode according to that instruction.
  27. A system for an electronic signature token to respond to an operation request, comprising the electronic signature token according to any one of claims 14 to 26 and a background system server, wherein the background system server comprises:
    an update module, configured to verify the dynamic password value after the input dynamic password value is received, and, once verification passes, to update the event factor stored in the background system server.
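As an added illustration of the update module in claim 27 (not code from the patent or its assignee), the following Go program models the server-side check of an entered dynamic password against a stored event factor. The claims do not name the dynamic password algorithm; the example assumes an HMAC-based event-counter OTP in the style of RFC 4226, and the names hotp, TokenRecord and VerifyAndUpdate are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotp computes an event-counter one-time password in the style of RFC 4226.
// Assumption: the claims do not name the dynamic password algorithm; HOTP is
// used here only to make the event-factor handling concrete.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TokenRecord is the background system server's state for one token:
// the shared secret, the stored event factor (the next counter the server
// expects) and the look-ahead window tolerated for a token that ran ahead.
type TokenRecord struct {
	Secret      []byte
	EventFactor uint64
	Window      uint64
}

// VerifyAndUpdate is the update module of claim 27: it checks the entered
// dynamic password and, only when verification passes, moves the stored
// event factor past the counter that was consumed, so the same value cannot
// be accepted a second time (replay) and earlier counters are closed off.
func (r *TokenRecord) VerifyAndUpdate(entered string) bool {
	for c := r.EventFactor; c <= r.EventFactor+r.Window; c++ {
		want := hotp(r.Secret, c, 6)
		if subtle.ConstantTimeCompare([]byte(want), []byte(entered)) == 1 {
			r.EventFactor = c + 1
			return true
		}
	}
	return false
}
```

The event factor is advanced only after a successful check and always past the consumed counter; a server that updated it on every attempt, or left it unchanged after success, would either let a guessed window drift or accept a replayed password.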
  28. The system according to claim 27, wherein the background system server further comprises:
    a second communication module, configured to obtain, after the first request data packet is received, the first signature data and the validation request information from the received first request data packet;
    a second verification module, configured to verify the first signature data with the public key corresponding to the private key of the electronic signature token;
    a second generation module, configured to obtain, after the first signature data passes verification, at least the validation request code from the validation request information, and to generate validation feedback information from at least the validation request code;
    an encryption module, configured to encrypt the validation feedback information with the public key corresponding to the private key of the electronic signature token to obtain a validation feedback data packet;
    the second communication module is configured to send the validation feedback data packet to the electronic signature token.
  29. The system according to claim 28, wherein:
    the second communication module is configured to obtain, after the first response data packet is received, the first response signature data and the first response information from the first response data packet;
    the second verification module is configured to verify the first response signature data with the public key corresponding to the private key of the electronic signature token, and, once verification passes, to respond to the validation operation according to the first response information.
  30. The system according to claim 28, wherein:
    the second generation module is further configured to obtain, after the first signature data passes verification, at least one of a classification setting table and a grading setting table together with the validation request code from the validation request information, and to generate the validation feedback information from the at least one of the classification setting table and the grading setting table together with the validation request code.
  31. The system according to claim 27, wherein the background system server further comprises:
    a second communication module, configured to obtain, after the second request data packet is received, the activation request code and the second signature data from the second request data packet;
    a second verification module, configured to verify the second signature data with the public key corresponding to the private key of the electronic signature token;
    an encryption module, configured to generate, after the second signature data passes verification, an activation code from the activation request code, and to encrypt the activation code with the public key corresponding to the private key of the electronic signature token to obtain an encrypted activation code;
    the second communication module is configured to send the encrypted activation code to the electronic signature token.
  32. The system according to claim 31, wherein the background system server further comprises:
    the second communication module is configured to obtain, after the second response data packet is received, the second response signature data and the second response information from the second response data packet;
    the second verification module is configured to verify the second response signature data with the public key corresponding to the private key of the electronic signature token, and, once verification passes, to respond to the activation operation according to the second response information.
  33. The system according to claim 27, wherein the background system server further comprises:
    a second communication module, configured to obtain, after the third request data packet is received, the third signature data and the synchronization request information from the received third request data packet;
    a second verification module, configured to verify the third signature data with the public key corresponding to the private key of the electronic signature token, and, after the third signature data passes verification, to obtain at least the synchronization request code from the synchronization request information and to generate synchronization feedback information from at least the synchronization request code;
    an encryption module, configured to encrypt the synchronization feedback information with the public key corresponding to the private key of the electronic signature token to obtain a synchronization feedback data packet;
    the second communication module is configured to send the synchronization feedback data packet to the electronic signature token.
  34. The system according to claim 33, wherein:
    the second communication module is configured to obtain, after the third response data packet is received, the third response signature data and the third response information from the third response data packet;
    the second verification module is configured to verify the third response signature data with the public key corresponding to the private key of the electronic signature token, and, once verification passes, to respond to the synchronization operation according to the third response information.
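The synchronization exchange of claims 24-25 and 33-34, as an added example written for this page (not code from the patent or its assignee): the token signs the request with its private key, the server verifies it with the matching public key, encrypts its feedback to that public key, and the token decrypts the feedback and signs its response. RSA with PKCS#1 v1.5 signatures and OAEP encryption, the 2048-bit key size, and the names Token, Server, Packet, NewPair, SyncRequest, HandleSyncRequest, HandleSyncFeedback and HandleSyncResponse are all assumptions; the claims fix neither the algorithms nor the packet layout.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Token holds the electronic signature token's private key; the server holds
// only the matching public key (assumed to be provisioned out of band).
type Token struct{ priv *rsa.PrivateKey }
type Server struct{ pub *rsa.PublicKey }
// Packet is a request/response data packet of the claims: the information plus its signature.
type Packet struct{ Info, Sig []byte }
// NewPair creates a token and a server that knows the token's public key.
func NewPair() (*Token, *Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, &Server{pub: &priv.PublicKey}, nil
}
func sign(priv *rsa.PrivateKey, info []byte) ([]byte, error) {
	h := sha256.Sum256(info)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}
func verify(pub *rsa.PublicKey, info, sig []byte) error {
	h := sha256.Sum256(info)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}
// Claim 24: the token signs the synchronization request and bundles it.
func (t *Token) SyncRequest(info []byte) (Packet, error) {
	sig, err := sign(t.priv, info)
	return Packet{Info: info, Sig: sig}, err
}
// Claim 33: the server verifies the third signature data, then builds the
// synchronization feedback and encrypts it to the token's public key.
func (s *Server) HandleSyncRequest(p Packet) ([]byte, error) {
	if err := verify(s.pub, p.Info, p.Sig); err != nil {
		return nil, err // third signature data rejected: no feedback is produced
	}
	feedback := append([]byte("sync-ok:"), p.Info...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, s.pub, feedback, nil)
}
// Claims 24-25: the token decrypts the feedback with its private key (returned
// here for the caller to store) and signs a third response to send back.
func (t *Token) HandleSyncFeedback(ct []byte) ([]byte, Packet, error) {
	fb, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, ct, nil)
	if err != nil {
		return nil, Packet{}, err
	}
	resp := append([]byte("ack:"), fb...)
	sig, err := sign(t.priv, resp)
	return fb, Packet{Info: resp, Sig: sig}, err
}
// Claim 34: the server verifies the response signature before acting on it.
func (s *Server) HandleSyncResponse(p Packet) error {
	return verify(s.pub, p.Info, p.Sig)
}
```

Encrypting the feedback to the token's public key gives it confidentiality toward the token but does not by itself authenticate the server, since anyone holding the public key can produce such a packet; a deployment would additionally need the feedback to be bound to the synchronization request code so that a stale or foreign feedback packet is detected.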
PCT/CN2014/074173 2013-04-03 2014-03-27 Operation request response method and system for electronic signature token, and electronic signature token WO2014161442A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310114306.5A CN103220145B (en) 2013-04-03 2013-04-03 Method and system for electronic signature token to respond to operation request, and electronic signature token
CN201310114306.5 2013-04-03

Publications (1)

Publication Number Publication Date
WO2014161442A1 true WO2014161442A1 (en) 2014-10-09

Family

ID=48817634

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/074173 WO2014161442A1 (en) 2013-04-03 2014-03-27 Operation request response method and system for electronic signature token, and electronic signature token

Country Status (2)

Country Link
CN (1) CN103220145B (en)
WO (1) WO2014161442A1 (en)



Also Published As

Publication number Publication date
CN103220145B (en) 2015-06-17
CN103220145A (en) 2013-07-24


Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14778884; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 14778884; Country of ref document: EP; Kind code of ref document: A1)