WO2015018249A1 - Method and system for verifying identity of dynamic password token - Google Patents

Method and system for verifying identity of dynamic password token Download PDF

Info

Publication number
WO2015018249A1
WO2015018249A1 PCT/CN2014/081697 CN2014081697W WO2015018249A1 WO 2015018249 A1 WO2015018249 A1 WO 2015018249A1 CN 2014081697 W CN2014081697 W CN 2014081697W WO 2015018249 A1 WO2015018249 A1 WO 2015018249A1
Authority
WO
WIPO (PCT)
Prior art keywords
verification
dynamic password
identity
verification value
token
Prior art date
Application number
PCT/CN2014/081697
Other languages
French (fr)
Chinese (zh)
Inventor
李东声
Original Assignee
天地融科技股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 天地融科技股份有限公司 filed Critical 天地融科技股份有限公司
Publication of WO2015018249A1 publication Critical patent/WO2015018249A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Definitions

  • the present invention relates to the field of information security, and in particular, to a method and system for verifying a dynamic port token identity. Background technique
  • Password authentication can be divided into static password authentication and dynamic password authentication.
  • a dynamic password is a one-time password, and each password can only be used once.
  • Dynamic passwords can change over time, times, and challenge information.
  • Dynamic port tokens can be used to generate and display dynamic passwords (also known as dynamic passwords) with built-in seed keys that reference the seed key each time a dynamic password is calculated.
  • Synchronous dynamic port tokens currently on the market each time a dynamic password is calculated, in addition to referencing the seed key and other static factors, it is also necessary to reference at least one automatically changing synchronization factor, such as time, event count, and the like. Since the synchronization factor is dynamically changing, the dynamic passwords obtained each time are different.
  • the challenge response type dynamic port token when calculating the dynamic password, refers to the synchronization factor such as time or event count in addition to the challenge information.
  • the seed key and synchronization factor are the basic elements for calculating the dynamic password.
  • the synchronization factor is predictable, especially for time-synchronized tokens.
  • the time of the token is standard time.
  • the event count also has a specified starting value. Due to the predictability of the synchronization factor, the seed key becomes the basis for securing security with dynamic passwords. If the seed key is compromised, the security of the dynamic password will be greatly affected.
  • the seed key is typically produced by the token manufacturer (ie, the vendor) and injected into the token, while the manufacturer needs to provide the seed file to the customer (eg, bank, etc.) Used to import a dynamic password authentication system so that dynamic password authentication can be completed.
  • the seed key can also be generated by the customer and provided to the token manufacturer for production. That is, the seed key of the token is inevitably grasped by the token manufacturer and the bank, which increases the possibility of seed key leakage, and once the seed key is leaked, the criminal can falsify the token according to the leaked seed key, thereby Causes the user's economic loss.
  • the invention provides a method and a system for verifying a dynamic port token identity, so as to at least solve the problem of how to verify whether the dynamic port token identity is legal and how to avoid the user's economic loss in the case where a forged token occurs.
  • a method for verifying a dynamic port token identity including: receiving, by a dynamic port token, an identity verification command, calculating a first verification value according to the first information, and outputting the first verification value, where
  • the first information includes at least a first seed key for verifying the dynamic port token identity, where the first seed key is preset in the dynamic port token; and corresponding to the dynamic port token
  • the verification device acquires the first verification value, verifies the first verification value, and outputs a verification result.
  • the dynamic port token receiving the identity verification instruction includes: the dynamic port token receiving an identity verification instruction input by a user, wherein the identity verification instruction is input by one of the following forms: a button or a button combination, a sound signal, a creature The feature signal or the optical signal; or, the dynamic port token receives the transaction information; or the dynamic port token receives an instruction that arrives within a preset period.
  • the obtaining, by the verification device corresponding to the dynamic port token, the first verification value includes: in an online situation, the background server receives the first verification value, and sends the first verification value to the verification device .
  • the acquiring, by the verification device corresponding to the dynamic port token, the first verification value includes: in an offline situation, the terminal receives the first verification value, and sends the first verification value to the verification device .
  • the verifying, by the verification device, the first verification value includes: the verification device calculates a second verification value according to the second information, where the second information includes at least a second seed key, the second The seed key is preset for verifying the dynamic port token identity; the verification device compares the first verification value with the second verification value; the first verification value is the same as the second verification value In case, the verification device determines that the identity of the dynamic port token is legal.
  • the dynamic port token performs the verification method of the dynamic port token identity before generating the dynamic password; or the dynamic port token performs the verification method of the dynamic port token identity while generating the dynamic password.
  • the first seed key is different from the seed key of the dynamic password used to generate the transaction in the dynamic port token.
  • the first information further includes at least one of the following: a product serial number, a random number, and a time of the dynamic port token.
  • the content included in the second information is corresponding to the content included in the first information.
  • a verification system for a dynamic port token identity comprising: a dynamic port token and a verification device.
  • the dynamic port token includes: a receiving module, configured to receive an identity verification command, and a calculating module, configured to calculate a first verification value according to the first information, where the first information includes at least a first a sub-key, the first seed key is preset in the dynamic port token; and the first output module is configured to output the first verification value.
  • the verification device includes: an obtaining module, configured to acquire the first verification value; a certificate module, configured to verify the first verification value; and a second output module, configured to output a verification result.
  • the receiving module includes: a first receiving unit, configured to receive an identity verification instruction input by a user, or receive an instruction that arrives within a preset period, where the identity verification instruction is input by one of the following forms: a button or a button a combination, a sound signal, a biometric signal or an optical signal; a second receiving unit, configured to receive the transaction information.
  • system further includes: a background server, configured to receive the first verification value in an online situation, and send the first verification value to the verification device.
  • system further includes: a terminal, configured to receive the first verification value in an offline situation, and send the first verification value to the verification device.
  • the verification module includes: a calculation unit, configured to calculate a second verification value according to the second information, where the second information includes at least a second seed key, where the second seed key is preset a comparison unit, configured to compare the first verification value with the second verification value, and a determining unit, configured to: when the first verification value is the same as the second verification value Next, determine that the identity of the dynamic port token is legal.
  • the verification device performs verification of the dynamic port token identity before generating the dynamic password; or, the verification device performs verification of the dynamic port token identity while generating the dynamic password.
  • the first seed key is different from the seed key of the dynamic password used to generate the transaction in the dynamic port token.
  • the first information further includes at least one of the following: a product serial number, a random number, and a time of the dynamic port token.
  • the content included in the second information is corresponding to the content included in the first information.
  • a computer storage medium comprising: computer instructions, when the computer instructions are executed, such that: the dynamic port token receives the identity verification instruction, and calculates the first information according to the first information Verifying the value, and outputting the first verification value, where the first information includes at least a first seed key for verifying the identity of the dynamic port token, and the first seed key is preset in the
  • the verification device corresponding to the dynamic port token acquires the first verification value, verifies the first verification value, and outputs a verification result.
  • the present invention provides a method and a system for verifying a dynamic port token identity, and a seed key for verifying a dynamic port token identity is preset in the dynamic port token, at least according to the
  • the seed key calculates the verification value by using a preset algorithm, and sends the verification value to the verification device for verification. If the verification value is consistent with the standard verification value calculated in the verification device, the token identity is legal, that is, the token is reliable. The manufacturer produces, otherwise the token identity is illegal, it is forged; the dynamic port token identity is verified, and the dynamic port token is prevented from being forged.
  • online verification and offline verification modes are provided.
  • the online verification mode is adopted, and the verification value is forwarded by the bank server. After the verification pass information, the transaction can be carried out, which makes the verification and transaction process simple and convenient.
  • the offline verification mode can be adopted to avoid causing the bank server. burden;
  • the first information may further include other randomness that may increase the calculated verification value, so that the hacker is difficult to break and is more secure;
  • the verification of the dynamic port token identity can be performed before the dynamic password is generated, that is, whether the dynamic password is generated according to the verification result to execute the transaction, so that unnecessary operations can be avoided; or the dynamic password is generated while generating the dynamic password.
  • the verification of the card identity, in the case of a dynamic password and identity verification the execution of the transaction can save the time spent on the entire transaction process.
  • FIG. 1 is a flowchart of a method for verifying a dynamic port token identity according to Embodiment 1 of the present invention
  • FIG. 2 is a structural block diagram 1 of a dynamic port token identity verification system according to Embodiment 2 of the present invention.
  • FIG. 3 is a structural block diagram 2 of a dynamic port token identity verification system according to Embodiment 2 of the present invention.
  • FIG. 4 is a structural block diagram of a dynamic port token identity verification system according to Embodiment 3 of the present invention.
  • FIG. 5 is a flowchart of a transaction method provided by Embodiment 4 of the present invention.
  • Embodiment 6 is a flowchart of a transaction method provided by Embodiment 5 of the present invention.
  • Figure 7 is a flow chart showing the transaction method provided in Embodiment 6 of the present invention.
  • orientation or positional relationship of "post”, “left”, “right”, “vertical”, “horizontal”, “top”, “bottom”, “inside”, “outside”, etc. is The orientation or the positional relationship shown in the drawings is merely for the convenience of the description of the invention and the description of the invention, and is not intended to indicate or imply that the device or component referred to has a specific orientation, is constructed and operated in a specific orientation, and therefore cannot be understood. To limit the invention. Moreover, the terms “first” and “second” are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or quantity or location.
  • Connection should be understood in a broad sense, for example, it can be a fixed connection, a detachable connection, or an integral connection; it can be a mechanical connection or an electrical connection; it can be directly connected or indirectly connected through an intermediate medium. , can be the internal connection of two components.
  • Connection should be understood in a broad sense, for example, it can be a fixed connection, a detachable connection, or an integral connection; it can be a mechanical connection or an electrical connection; it can be directly connected or indirectly connected through an intermediate medium. , can be the internal connection of two components.
  • the specific meaning of the above terms in the present invention can be understood in a specific case by those skilled in the art.
  • This embodiment provides a method for verifying a dynamic port token identity, which can verify whether the dynamic port token identity is legal, that is, whether the dynamic port token is forged.
  • 1 is a flowchart of a method for verifying a dynamic port token identity according to Embodiment 1 of the present invention. As shown in FIG. 1, the method includes the following steps:
  • Step S101 The dynamic port token receives the identity verification command, calculates a first verification value according to the first information, and outputs a first verification value, where the first information includes at least a first seed key for verifying the dynamic port token identity.
  • the first seed key is pre-set in the dynamic port token.
  • the outputting the first verification value may be displaying the first verification value on the display screen of the dynamic password card, or transmitting the first verification value to other devices, or a combination of the two methods.
  • the first seed key is different from the seed key used to generate the dynamic password used in the transaction in the dynamic port token. If the two are the same, after the seed key for generating the dynamic password is leaked, the criminal will
  • the seed key is used as a key for verifying the dynamic port token identity, forging a dynamic port token, and may not be able to verify the authenticity of the token.
  • the key algorithm used to calculate the verification value in the forged token happens to be a dynamic port token.
  • the algorithm set at the factory is the same, and it is impossible to verify its authenticity. Therefore, in order to avoid this, it is preferable to use different seed keys to generate dynamic passwords and verify token identities, respectively.
  • Step S102 The verification device corresponding to the dynamic port token obtains the first verification value, verifies the first verification value, and outputs the verification result after the verification is completed.
  • the verification device may be a software implemented system or a hardware device, and the hardware device may store a product serial number of all dynamic port tokens produced by the manufacturer and a corresponding seed key for verifying the identity. And other information.
  • the authentication command is used to trigger the identity verification of the dynamic port token.
  • the dynamic port token receiving the identity verification instruction in step S101 includes: the dynamic port token receives the identity verification instruction input by the user, wherein the identity verification instruction passes the following form Input: button or button combination, sound signal, biometric signal or optical signal; or, the dynamic port token receives the transaction information; or, the dynamic port token receives the instruction that arrives within the preset period.
  • the dynamic port token can receive an authentication command input in the form of a button or a key combination
  • the button or button combination can be preset by the manufacturer of the dynamic port token, or can be customized by the user. For the case where the manufacturer sets the button or the button combination, it cannot be changed, or the user needs higher authority to modify it.
  • the button or combination of buttons can be: Long press on a button of the dynamic port token, any combination of buttons on the dynamic port token (eg buttons 4 and 8).
  • the sound signal can be a fixed piece of music, and the biometric signal can be a specific fingerprint, an iris, or the like.
  • the use of received transaction information to trigger authentication typically in the case of a transaction after verification.
  • the obtaining, by the verification device, the first verification value in step S102 includes the following two cases:
  • the background server receives the first verification value and sends the first verification value to the verification device.
  • the verification result is returned to the background server.
  • the backend server can be the bank's server for transactions.
  • the online verification mode is adopted, and the verification value is forwarded by the bank server, and the verified information is obtained, and then the transaction can be performed.
  • the terminal receives the first verification value and transmits the first verification value to the verification device.
  • the verification result is returned to the terminal.
  • offline means that the authentication is not performed by the bank server.
  • the offline verification mode can be adopted to avoid the burden on the background server.
  • the first verification value of the dynamic port token output may be displayed through the display screen.
  • the terminal for example, a mobile phone, a tablet computer, a PC, etc.
  • the fixed contact is sent directly to the verification device; the verification value can also be input on the verification interface of the manufacturer's website, and the verification result is displayed to the user after being verified by the verification device in the background.
  • the verification device performs the verification of the first verification value in step S102, which can be implemented by the following steps:
  • the verification device calculates the second verification value according to the second information, where the second information includes at least the second seed key, the second seed key a pre-set key for verifying the dynamic port token identity;
  • the verification device compares the first verification value with the second verification value; and if the first verification value is the same as the second verification value, the verification device determines the dynamic port token Legal status.
  • the first seed key used to verify the dynamic port token identity preset in the dynamic port token may be forged, and the first verification value is calculated according to at least the first seed key according to a preset algorithm.
  • the first verification value is sent to the verification device;
  • the second seed key used by the verification device is preset by the vendor for the dynamic port token, and is only known by the vendor itself, and is used to uniquely identify the dynamic port token, at least according to the second seed key. Key is pre-set
  • the second verification value calculated by the algorithm can be understood as a standard verification value. As long as the first verification value is inconsistent with the standard verification value, the token identity is invalid. If they are consistent, the token identity is legal.
  • the foregoing first information further includes at least one of the following: a product serial number of the dynamic port token, a random number, and a time; the content and the first information included in the second information used to generate the second verification value in the verification device includes: The content is corresponding.
  • the random number or time can be used to increase the randomness of the calculated verification value, making it difficult for hackers to crack and be more secure.
  • the first information includes the first seed key, the product serial number, and the time
  • the second information also includes the first seed key, the product serial number, and the time, and the first verification value is calculated and the second verification value is calculated.
  • the algorithm used is the same, so that it can be guaranteed that the first verification value and the second verification value are the same if the first seed key is not forged.
  • the content included in the first information is not necessarily the same as the content included in the second information, and the algorithm used to calculate the first verification value and the second verification value is not necessarily the same.
  • the algorithm for calculating the verification value may be: an algorithm such as SM3, HMAC-256 HMAC-512, and MD5, and the content included in the first information and the content included in the second information may be different according to different algorithms.
  • the dynamic port token can verify the dynamic port token identity before generating the dynamic password; or the dynamic port token can also verify the dynamic port token identity while generating the dynamic password. That is to say, it is possible to first verify whether the identity of the dynamic port token is legal, and if the identity is legal, generate a dynamic password to execute the transaction, so that unnecessary operations can be avoided; and the dynamic password can be verified while generating the dynamic password. Whether the identity is legal or not, and the dynamic password and identity are verified, the execution of the transaction can save the time spent on the entire transaction process.
  • the technical solution provided in this embodiment pre-sets a seed key for verifying the dynamic port token identity in the dynamic port token, and calculates a verification value according to at least the pre-set algorithm according to the seed key, and sends the verification value to the verification device.
  • the token identity is legal, that is, the token is produced by a reliable manufacturer; if the verification value is inconsistent with the standard verification value calculated in the verification device, The token identity is illegal and is forged.
  • the dynamic port token identity is verified to prevent the dynamic port token from being forged. Furthermore, if it is verified that the dynamic port token identity is illegal, subsequent operations such as subsequent transactions may not be allowed, thereby avoiding economic loss to the user.
  • the token is a forged token, it indicates that the seed key used to generate the dynamic password is leaked, and the seed key used for authentication is not leaked, and the seed key may be excluded from the possibility of vendor leakage. .
  • This embodiment provides a dynamic port token identity verification system, which can be used to implement the verification method in Embodiment 1.
  • 2 is a structural block diagram 1 of a dynamic port token identity verification system according to Embodiment 2 of the present invention. As shown in FIG. 2, the system includes: a dynamic port token 20 and a verification device 30, where:
  • the dynamic port token 20 includes: a receiving module 201, configured to receive an identity verification command; a computing module 202, coupled to the receiving module 201, configured to calculate a first verification value according to the first information, where the first information includes at least The first seed key of the stateful token identity, the first seed key is preset in the dynamic port token; the first output module 203 is connected to the computing module 202, and configured to output the first verification value.
  • the first output module 203 can be a display screen of the dynamic port token 20.
  • the first seed key is different from the seed key of the dynamic port token used to generate the dynamic password used by the transaction.
  • the verification device 30 includes: an obtaining module 301, configured to obtain a first verification value; a verification module 302, connected to the obtaining module 301, for verifying the first verification value; and a second output module 303, connected to the verification module 302, After the verification is completed, the verification result is output.
  • the verification device 30 may be a software implemented system or a hardware device, and the hardware device may store the product serial number of all the dynamic port tokens produced by the manufacturer and the corresponding seed density for verifying the identity. Key and other information.
  • the receiving module 201 includes: a first receiving unit 2011, configured to receive an authentication command input by a user or receive an instruction that arrives within a preset period, where the authentication command is input by: pressing a button or a button a combination, a sound signal, a biometric signal or an optical signal; a second receiving unit 2012, configured to receive transaction information. It has been described in detail in Embodiment 1, and will not be described again here.
  • the above system further includes: a background server 40, configured to receive the first verification value in the case of online, and send the first verification value to the verification device 30.
  • the verification result is returned to the background server 40.
  • the backend server 40 can be a bank's server for transactions. In the case that both the dynamic port token identity needs to be verified and the transaction needs to be performed, after the bank server obtains the verified information, the transaction can be performed, which makes the verification and transaction process relatively simple and convenient. At the same time, trading with the verification passed can guarantee the security of the transaction and user funds.
  • the verification module 302 includes: a calculating unit 3021, configured to calculate a second verification value according to the second information, where the second information includes at least a second seed key, where the second seed key is preset for verifying the dynamic password Key of the card identity; comparison unit 3022, connected to the calculation unit 3021, for comparing the first verification value with the second verification value; the determining unit 3023, connected to the comparison unit 3022, for the first verification value and the second verification When the values are the same, it is determined that the identity of the dynamic port token is legal.
  • the first information further includes at least one of the following: a product serial number of the dynamic port token, a random number, and a time; the content included in the second information used to generate the second verification value in the verification device corresponds to the content included in the first information of.
  • Using random numbers or time can increase the randomness of the calculated verification values, which is more secure.
  • the first information includes the first seed key, the product serial number, and the time
  • the second information also includes the first seed key, the product serial number, and the time, and the first verification value is calculated and the second verification value is calculated.
  • the algorithm used is the same, so that it can be guaranteed that the first verification value and the second verification value are the same if the first seed key is not forged.
  • the content included in the first information is not necessarily the same as the content included in the second information, and the algorithm used to calculate the first verification value and the second verification value is not necessarily the same.
  • the algorithm for calculating the verification value may be: SM3, HMAC-256 HMAC-512, and
  • MD5 the content included in the first information and the content included in the second information may be different according to different algorithms.
  • the verification device performs verification of the dynamic port token identity before generating the dynamic password; or, the verification device performs verification of the dynamic port token identity while generating the dynamic password. That is to say, it is possible to first verify whether the identity of the dynamic port token is legal, and if the identity is legal, generate a dynamic password to execute the transaction, so that unnecessary operations can be avoided; and the dynamic password can be verified while generating the dynamic password. Whether the identity is legal or not, and the dynamic password and identity are verified, the execution of the transaction can save the time spent on the entire transaction process.
  • the technical solution provided in this embodiment pre-sets a seed key for verifying the dynamic port token identity in the dynamic port token, and the calculating module 202 calculates the verification value according to the seed key according to at least a preset algorithm, and the first output module 203 Sending the verification value to the verification device 30 for verification. If the verification value is consistent with the standard verification value calculated in the verification device 30, the token identity is legal, that is, the token is produced by a reliable manufacturer; if the verification value and the verification device are If the standard verification value calculated in 30 is inconsistent, the token identity is illegal and is forged; the dynamic port token identity verification is implemented to prevent the dynamic port token from being forged.
  • the dynamic port token identity is illegal, operations such as subsequent transactions may not be allowed, thereby avoiding economic loss to the user.
  • the token is a forged token, it indicates that the seed key used to generate the dynamic password is leaked, and the seed key used for authentication is not leaked, and the seed key may be excluded from the possibility of vendor leakage. .
  • the system of this embodiment differs from the system of FIG. 3 in Embodiment 2 in that the background server 40 is replaced with the terminal 50 to implement offline verification, and corresponding to the replacement, the transmission mode of the first verification value is changed.
  • the system further includes: a terminal 50, configured to receive the first verification value in an offline situation, and send the first verification value to the verification device 30.
  • the verification result is returned to the terminal 50.
  • offline refers to not verifying through the bank server. If only the identity of the dynamic port token is verified, and no transaction is required, the offline verification mode can be adopted to avoid the burden on the background server.
  • the first verification value of the dynamic port token output may be displayed through the display screen.
  • the terminal for example, a mobile phone, an iPad, a PC, etc.
  • the fixed contact is sent directly to the verification device; the verification value can also be input on the verification interface of the manufacturer's website, and the verification result is displayed to the user after being verified by the verification device in the background.
  • the present embodiment provides a transaction method, which can be implemented based on the verification method of the dynamic port token identity described in Embodiment 1 and the verification system of the dynamic port token identity described in Embodiment 2, as shown in FIG.
  • the trading method includes the following steps: Step S501, the dynamic port token generates a dynamic password;
  • Step S502 The dynamic port token calculates a first verification value according to the first information, where the first information includes at least a first seed key for verifying a dynamic port token identity, where the first seed key is preset in a dynamic port token. It should be noted that the sequence of step S501 and step S502 can be exchanged, that is, step S502 is first performed to calculate the first verification value, and then step S501 is executed to generate a dynamic password, and the trigger condition for calculating the first verification value may be that the transaction is received. After receiving the transaction information, step S501 and step S502 are simultaneously performed.
  • Step S503 the dynamic port token sends the dynamic password together with the first verification value to the background server;
  • Step S504 after receiving the dynamic password and the first verification value, the background server verifies the dynamic password, and sends the first verification value to the verification device corresponding to the dynamic port token for verification; after the verification device is verified, the verification result is output; Step S505 The background server receives the verification result, and executes the transaction if both the dynamic password and the first verification value are verified.
  • the present embodiment provides a transaction method, which can be implemented based on the verification method of the dynamic port token identity described in Embodiment 1 and the verification system of the dynamic port token identity described in Embodiment 2.
  • the transaction method of this embodiment The difference from the transaction method in Embodiment 4 is that in this embodiment, the identity verification of the token is performed first, and then based on the verification result, it is determined whether a dynamic password is generated to execute the transaction.
  • the transaction method includes the following steps:
  • Step S601 the dynamic port token receives the transaction information, calculates a first verification value according to the first information, and outputs a first verification value, where the first information includes at least a first seed key for verifying the dynamic port token identity, A subkey is pre-set in the dynamic port token;
  • Step S602 the background server receives the first verification value, and forwards the first verification value to the verification device.
  • Step S603 the verification device verifies the first verification value, and after the verification is completed, outputs the verification result.
  • Step S604 the background server Receiving the verification result, if the verification result is legal, step S605 is performed; if the verification result is invalid, step S606 is performed;
  • Step S605 the background server sends information (for example, the verification pass information) to the dynamic port token, triggers the dynamic port token to generate a dynamic password, and performs a subsequent transaction process;
  • information for example, the verification pass information
  • Step S606 the background server sends information (for example, verification failure information) to the dynamic port token, and stops the transaction.
  • the condition for triggering the identity verification may also be that the user arrives within the predetermined verification period or the user The authentication command is input.
  • the trigger condition for generating the dynamic password in step S605 may be that the transaction information is received within a certain time (for example, 3 minutes, 10 minutes, etc.) after the verification is passed, to ensure security.
  • the steps of verifying the first verification value by the verification device have been described in detail in Embodiments 1 to 3, and are not described herein again.
  • the identity verification of the token is performed first, and then based on the verification result, it is determined whether a dynamic password is generated to execute the transaction, thereby avoiding unnecessary operations.
  • the present embodiment provides a transaction method, which can be implemented based on the verification method of the dynamic port token identity described in Embodiment 1 and the verification system of the dynamic port token identity described in Embodiment 3.
  • the transaction method of this embodiment The difference from the transaction method in Embodiment 5 is that the authentication mode of the token is performed in the online verification mode in Embodiment 5.
  • the token is authenticated by using the offline verification mode, as shown in FIG.
  • the method includes the following steps:
  • Step S701 the dynamic port token receives the transaction information, calculates the first verification value according to the first information, and outputs the first verification value (here, the first verification value may be displayed on the display screen of the dynamic port token), where
  • the first information includes at least a first seed key for verifying a dynamic port token identity, where the first seed key is preset in the dynamic port token;
  • Step S702 The user obtains the first verification value, and forwards the first verification value to the verification device by using an email, a short message, or the like, or inputs a first verification value on the verification interface, so that the verification device obtains the first verification value;
  • Step S703 the verification device verifies the first verification value, and after the verification is completed, outputs the verification result;
  • Step S704 the terminal receives the verification result, if the verification result is the identity legal, step S705 is performed; if the verification result is the identity is invalid, Go to step S706;
  • Step S705 The user operates the dynamic port token to trigger the dynamic port token to generate a dynamic password, and performs a subsequent transaction process. Step S706, no transaction is performed.
  • the condition for triggering the identity verification may also be that it arrives within a predetermined verification period or the user inputs an identity verification instruction.
  • the trigger condition for generating the dynamic password in step S705 may be a certain time after the verification is passed. (eg 3 minutes, 10 minutes, etc.) Receive transaction information to ensure security.
  • the steps of verifying the first verification value by the verification device have been described in detail in Embodiments 1 to 3, and are not described herein again.
  • the offline authentication mode is used to verify the identity of the dynamic port token. If the verification is passed, the dynamic password is generated, and the transaction is completed with the background server. Otherwise, the transaction is not performed to ensure the security of the user funds; and the offline verification can reduce the burden on the server.
  • the present application provides a computer storage medium comprising computer instructions that, when executed, cause:
  • the dynamic port token receives the authentication command, calculates the first verification value according to the first information, and outputs the first verification value, where the first information includes at least a first seed key for verifying the dynamic port token identity, and the first seed key
  • the key is preset in the dynamic port token; the verification device corresponding to the dynamic port token acquires the first verification value, verifies the first verification value, and outputs the verification result.
  • portions of the invention may be implemented in hardware, software, firmware or a combination thereof.
  • multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system.
  • a suitable instruction execution system For example, if implemented in hardware, as in another embodiment, it can be implemented with any one or combination of the following techniques well known in the art: having logic gates for implementing logic functions on data signals Discrete logic circuits, application specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), etc.
  • each functional unit in each embodiment of the present invention may be integrated into one processing module, or each unit may exist physically separately, or two or more units may be integrated into one module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules.
  • the integrated modules, if implemented in the form of software functional modules and sold or used as separate products, may also be stored in a computer readable storage medium.
  • the above-mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Testing And Monitoring For Control Systems (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

Disclosed are a method and a system for verifying an identity of a dynamic password token. The method comprises: a dynamic password token receiving an identity verification instruction, calculating a first verification value according to first information, and outputting the first verification value, the first information at least comprising a first seed key for verifying an identity of the dynamic password token, and the first seed key being preset in the dynamic password token; and a verification apparatus corresponding to the dynamic password token obtaining the first verification value, verifying the first verification value, and outputting a verification result. In the present invention, a seed key for verifying an identity of the dynamic password token is preset in the dynamic password token, and a verification value calculated at least according to the seed key is sent to a verification apparatus for verification; if the verification value is consistent with a standard verification value calculated in the verification apparatus, the identity of the dynamic password token is valid; otherwise, the identity of the dynamic password token is invalid; in this manner, the identity of the dynamic password token is verified, and the dynamic password token is prevented from being forged.

Description

一种动态口令牌身份的验证方法及系统  Method and system for verifying dynamic port token identity
技术领域 Technical field
本发明涉及一种信息安全领域, 尤其涉及一种动态口令牌身份的验证方法及系统。 背景技术  The present invention relates to the field of information security, and in particular, to a method and system for verifying a dynamic port token identity. Background technique
为了保证信息安全, 一般都会在进行操作之前进行身份认证, 其目的是赋予合法用户 访问的权限以及拒绝非法用户的访问。 通过密码正确与否来进行身份认证, 是比较常见的 方式, 密码认证可以分为静态密码认证和动态密码认证。 动态密码是一种一次性密码, 每 个密码只能使用一次。 动态密码可以随时间、 次数和挑战信息的变化而变化。 动态口令牌 可以用于产生并显示动态密码(也称为动态口令), 其内置种子密钥, 每次计算动态密码时 都会引用种子密钥。  In order to ensure information security, authentication is usually performed before the operation is performed. The purpose is to give legitimate users access and to deny access to illegal users. It is a common method to perform identity authentication by whether the password is correct or not. Password authentication can be divided into static password authentication and dynamic password authentication. A dynamic password is a one-time password, and each password can only be used once. Dynamic passwords can change over time, times, and challenge information. Dynamic port tokens can be used to generate and display dynamic passwords (also known as dynamic passwords) with built-in seed keys that reference the seed key each time a dynamic password is calculated.
目前市场上的同步型动态口令牌, 每次计算动态密码时, 除了引用种子密钥和其他的 静态因素外, 还需要引用至少一个自动变化的同步因子, 如时间、 事件计数等。 由于同步 因子是动态变化的, 因此每次得到的动态密码都不相同。 挑战应答型动态口令牌, 在计算 动态密码时, 除了引用挑战信息, 还引用了时间或事件计数等同步因子。  Synchronous dynamic port tokens currently on the market, each time a dynamic password is calculated, in addition to referencing the seed key and other static factors, it is also necessary to reference at least one automatically changing synchronization factor, such as time, event count, and the like. Since the synchronization factor is dynamically changing, the dynamic passwords obtained each time are different. The challenge response type dynamic port token, when calculating the dynamic password, refers to the synchronization factor such as time or event count in addition to the challenge information.
从上述的基本工作原理可以看出, 种子密钥和同步因子是计算动态密码的基本要素。 但是, 同步因子都是可以预知的, 特别是时间同步型令牌, 令牌的时间是标准时间, 对于 事件同步型令牌, 其事件计数也是有一个规定的起始值。 由于同步因子的可预知性, 种子 密钥成为了利用动态密码保证安全的根本, 如果种子密钥外泄, 将极大地影响动态密码的 安全性。  As can be seen from the basic working principle described above, the seed key and synchronization factor are the basic elements for calculating the dynamic password. However, the synchronization factor is predictable, especially for time-synchronized tokens. The time of the token is standard time. For event-synchronized tokens, the event count also has a specified starting value. Due to the predictability of the synchronization factor, the seed key becomes the basis for securing security with dynamic passwords. If the seed key is compromised, the security of the dynamic password will be greatly affected.
在实际的动态令牌应用中, 一般是由令牌的制造商 (即厂商) 生产种子密钥, 并注入 到令牌中, 同时, 制造商需要将种子文件提供给客户 (例如, 银行等), 用于导入动态密码 认证系统, 以便可以完成动态密码认证。 或者, 种子密钥也可以由客户产生, 提供给令牌 厂商用于生产。 即令牌的种子密钥必然会被令牌厂商和银行掌握, 提高了种子密钥泄露的 可能性, 并且, 一旦种子密钥被泄露, 不法分子可以根据泄露的种子密钥伪造令牌, 从而 造成用户的经济损失。  In an actual dynamic token application, the seed key is typically produced by the token manufacturer (ie, the vendor) and injected into the token, while the manufacturer needs to provide the seed file to the customer (eg, bank, etc.) Used to import a dynamic password authentication system so that dynamic password authentication can be completed. Alternatively, the seed key can also be generated by the customer and provided to the token manufacturer for production. That is, the seed key of the token is inevitably grasped by the token manufacturer and the bank, which increases the possibility of seed key leakage, and once the seed key is leaked, the criminal can falsify the token according to the leaked seed key, thereby Causes the user's economic loss.
目前, 对于如何验证动态口令牌身份是否合法以及在出现了伪造令牌的情况下, 如何 避免用户经济损失的问题, 尚未提出有效的解决方案。 发明内容 本发明提供了一种动态口令牌身份的验证方法及系统, 以至少解决如何验证动态口令 牌身份是否合法以及在出现了伪造令牌的情况下, 如何避免用户经济损失的问题。 At present, no effective solution has been proposed for how to verify whether the dynamic port token identity is legal and how to avoid the user's economic loss in the case of a forged token. Summary of the invention The invention provides a method and a system for verifying a dynamic port token identity, so as to at least solve the problem of how to verify whether the dynamic port token identity is legal and how to avoid the user's economic loss in the case where a forged token occurs.
根据本发明的一个方面, 提供了一种动态口令牌身份的验证方法, 包括: 动态口令牌 接收身份验证指令, 根据第一信息计算第一验证值, 并输出所述第一验证值, 其中, 所述 第一信息至少包括用于验证所述动态口令牌身份的第一种子密钥, 所述第一种子密钥是预 先设置在所述动态口令牌中的; 与所述动态口令牌对应的验证装置获取所述第一验证值, 对所述第一验证值进行验证, 并输出验证结果。  According to an aspect of the present invention, a method for verifying a dynamic port token identity is provided, including: receiving, by a dynamic port token, an identity verification command, calculating a first verification value according to the first information, and outputting the first verification value, where The first information includes at least a first seed key for verifying the dynamic port token identity, where the first seed key is preset in the dynamic port token; and corresponding to the dynamic port token The verification device acquires the first verification value, verifies the first verification value, and outputs a verification result.
此外, 所述动态口令牌接收身份验证指令包括: 所述动态口令牌接收到用户输入的身 份验证指令, 其中, 所述身份验证指令通过以下形式之一输入: 按键或按键组合、 声音信 号、 生物特征信号或光信号; 或者, 所述动态口令牌接收到交易信息; 或者, 所述动态口 令牌接收到在预设周期内到达的指令。  In addition, the dynamic port token receiving the identity verification instruction includes: the dynamic port token receiving an identity verification instruction input by a user, wherein the identity verification instruction is input by one of the following forms: a button or a button combination, a sound signal, a creature The feature signal or the optical signal; or, the dynamic port token receives the transaction information; or the dynamic port token receives an instruction that arrives within a preset period.
此外, 与所述动态口令牌对应的验证装置获取所述第一验证值包括: 在联机情况下, 后台服务器接收所述第一验证值, 并将所述第一验证值发送至所述验证装置。  In addition, the obtaining, by the verification device corresponding to the dynamic port token, the first verification value includes: in an online situation, the background server receives the first verification value, and sends the first verification value to the verification device .
此外, 与所述动态口令牌对应的验证装置获取所述第一验证值包括: 在脱机情况下, 终端接收所述第一验证值, 并将所述第一验证值发送给所述验证装置。  In addition, the acquiring, by the verification device corresponding to the dynamic port token, the first verification value includes: in an offline situation, the terminal receives the first verification value, and sends the first verification value to the verification device .
此外, 所述验证装置对所述第一验证值进行验证包括: 所述验证装置根据第二信息计 算第二验证值, 其中, 所述第二信息至少包括第二种子密钥, 所述第二种子密钥是预先设 置的用于验证动态口令牌身份的; 所述验证装置比较所述第一验证值与所述第二验证值; 在所述第一验证值与所述第二验证值相同的情况下, 所述验证装置确定所述动态口令牌的 身份合法。  In addition, the verifying, by the verification device, the first verification value includes: the verification device calculates a second verification value according to the second information, where the second information includes at least a second seed key, the second The seed key is preset for verifying the dynamic port token identity; the verification device compares the first verification value with the second verification value; the first verification value is the same as the second verification value In case, the verification device determines that the identity of the dynamic port token is legal.
此外, 所述动态口令牌在生成动态口令前执行所述动态口令牌身份的验证方法; 或者, 所述动态口令牌在生成动态口令的同时执行所述动态口令牌身份的验证方法。。  In addition, the dynamic port token performs the verification method of the dynamic port token identity before generating the dynamic password; or the dynamic port token performs the verification method of the dynamic port token identity while generating the dynamic password. .
此外, 所述第一种子密钥与所述动态口令牌中生成交易所使用的动态口令的种子密钥 不同。  Furthermore, the first seed key is different from the seed key of the dynamic password used to generate the transaction in the dynamic port token.
此外, 所述第一信息还包括以下至少之一: 所述动态口令牌的产品序列号、 随机数和 时间。 所述第二信息所包括的内容与所述第一信息包括的内容是对应的。  In addition, the first information further includes at least one of the following: a product serial number, a random number, and a time of the dynamic port token. The content included in the second information is corresponding to the content included in the first information.
根据本发明的另一个方面, 提供了一种动态口令牌身份的验证系统, 包括: 动态口令 牌和验证装置。 所述动态口令牌包括: 接收模块, 用于接收身份验证指令; 计算模块, 用 于根据第一信息计算第一验证值, 其中, 所述第一信息至少包括用于验证动态口令牌身份 的第一种子密钥, 所述第一种子密钥是预先设置在所述动态口令牌中的; 第一输出模块, 用于输出所述第一验证值。 所述验证装置包括: 获取模块, 用于获取所述第一验证值; 验 证模块, 用于对所述第一验证值进行验证; 第二输出模块, 用于输出验证结果。 According to another aspect of the present invention, a verification system for a dynamic port token identity is provided, comprising: a dynamic port token and a verification device. The dynamic port token includes: a receiving module, configured to receive an identity verification command, and a calculating module, configured to calculate a first verification value according to the first information, where the first information includes at least a first a sub-key, the first seed key is preset in the dynamic port token; and the first output module is configured to output the first verification value. The verification device includes: an obtaining module, configured to acquire the first verification value; a certificate module, configured to verify the first verification value; and a second output module, configured to output a verification result.
此外, 所述接收模块包括: 第一接收单元, 用于接收用户输入的身份验证指令或者接 收在预设周期内到达的指令, 其中, 所述身份验证指令通过以下形式之一输入: 按键或按 键组合、 声音信号、 生物特征信号或光信号; 第二接收单元, 用于接收交易信息。  In addition, the receiving module includes: a first receiving unit, configured to receive an identity verification instruction input by a user, or receive an instruction that arrives within a preset period, where the identity verification instruction is input by one of the following forms: a button or a button a combination, a sound signal, a biometric signal or an optical signal; a second receiving unit, configured to receive the transaction information.
此外, 所述系统还包括: 后台服务器, 用于在联机情况下, 接收所述第一验证值, 并 将所述第一验证值发送至所述验证装置。  In addition, the system further includes: a background server, configured to receive the first verification value in an online situation, and send the first verification value to the verification device.
此外, 所述系统还包括: 终端, 用于在脱机情况下, 接收所述第一验证值, 并将所述 第一验证值发送给所述验证装置。  In addition, the system further includes: a terminal, configured to receive the first verification value in an offline situation, and send the first verification value to the verification device.
此外, 所述验证模块包括: 计算单元, 用于根据第二信息计算第二验证值, 其中, 所 述第二信息至少包括第二种子密钥, 所述第二种子密钥是预先设置的用于验证动态口令牌 身份的; 比较单元, 用于比较所述第一验证值与所述第二验证值; 确定单元, 用于在所述 第一验证值与所述第二验证值相同的情况下, 确定所述动态口令牌的身份合法。  In addition, the verification module includes: a calculation unit, configured to calculate a second verification value according to the second information, where the second information includes at least a second seed key, where the second seed key is preset a comparison unit, configured to compare the first verification value with the second verification value, and a determining unit, configured to: when the first verification value is the same as the second verification value Next, determine that the identity of the dynamic port token is legal.
此外, 在生成动态口令前进行所述验证装置对所述动态口令牌身份的验证; 或者, 在 生成动态口令的同时进行所述验证装置对所述动态口令牌身份的验证。  In addition, the verification device performs verification of the dynamic port token identity before generating the dynamic password; or, the verification device performs verification of the dynamic port token identity while generating the dynamic password.
此外, 所述第一种子密钥与所述动态口令牌中生成交易所使用的动态口令的种子密钥 不同。  Furthermore, the first seed key is different from the seed key of the dynamic password used to generate the transaction in the dynamic port token.
此外, 所述第一信息还包括以下至少之一: 所述动态口令牌的产品序列号、 随机数和 时间。 所述第二信息所包括的内容与所述第一信息包括的内容是对应的。  In addition, the first information further includes at least one of the following: a product serial number, a random number, and a time of the dynamic port token. The content included in the second information is corresponding to the content included in the first information.
根据本发明的另一个方面, 提供了一种计算机存储介质, 其特征在于, 包括计算机指 令, 当所述计算机指令被执行时, 使得: 动态口令牌接收身份验证指令, 根据第一信息计 算第一验证值, 并输出所述第一验证值, 其中, 所述第一信息至少包括用于验证所述动态 口令牌身份的第一种子密钥, 所述第一种子密钥是预先设置在所述动态口令牌中的; 与所 述动态口令牌对应的验证装置获取所述第一验证值, 对所述第一验证值进行验证, 并输出 验证结果。  According to another aspect of the present invention, a computer storage medium is provided, comprising: computer instructions, when the computer instructions are executed, such that: the dynamic port token receives the identity verification instruction, and calculates the first information according to the first information Verifying the value, and outputting the first verification value, where the first information includes at least a first seed key for verifying the identity of the dynamic port token, and the first seed key is preset in the The verification device corresponding to the dynamic port token acquires the first verification value, verifies the first verification value, and outputs a verification result.
由上述本发明提供的技术方案可以看出, 本发明提供了一种动态口令牌身份的验证方 法及系统, 在动态口令牌中预先设置用于验证动态口令牌身份的种子密钥, 至少根据该种 子密钥采用预先设置的算法计算出验证值, 将该验证值发送到验证装置进行验证, 如果该 验证值与验证装置中计算的标准验证值一致, 则令牌身份合法, 即令牌由可靠的厂商生产, 否则令牌身份不合法, 是伪造的; 实现了动态口令牌身份的验证, 防止动态口令牌被伪造。 进而, 若验证出动态口令牌身份不合法, 可以不允许进行后续的交易等操作, 从而避免给 用户造成经济损失; 另外, 提供联机验证和脱机验证两种模式, 对于既需要验证动态口令牌身份, 又需要 进行交易的情况, 由于银行服务器本来就需要接收动态口令, 采用联机验证模式, 由银行 服务器转发验证值, 得到验证通过信息后, 即可进行交易, 使得验证以及交易过程比较简 单、 方便; 对于只是验证动态口令牌身份, 而不需要进行交易的情况, 可以采用脱机验证 模式, 避免造成银行服务器的负担; It can be seen from the technical solution provided by the present invention that the present invention provides a method and a system for verifying a dynamic port token identity, and a seed key for verifying a dynamic port token identity is preset in the dynamic port token, at least according to the The seed key calculates the verification value by using a preset algorithm, and sends the verification value to the verification device for verification. If the verification value is consistent with the standard verification value calculated in the verification device, the token identity is legal, that is, the token is reliable. The manufacturer produces, otherwise the token identity is illegal, it is forged; the dynamic port token identity is verified, and the dynamic port token is prevented from being forged. Further, if it is verified that the dynamic port token identity is invalid, subsequent operations such as subsequent transactions may not be allowed, thereby avoiding economic loss to the user; In addition, online verification and offline verification modes are provided. For the case where both the dynamic port token identity needs to be verified and the transaction needs to be performed, since the bank server originally needs to receive the dynamic password, the online verification mode is adopted, and the verification value is forwarded by the bank server. After the verification pass information, the transaction can be carried out, which makes the verification and transaction process simple and convenient. For the case of verifying the dynamic port token identity without transaction, the offline verification mode can be adopted to avoid causing the bank server. burden;
另外, 第一信息还可以包括其他可以增加计算出的验证值的随机性, 使得黑客难以破 解, 更加安全;  In addition, the first information may further include other randomness that may increase the calculated verification value, so that the hacker is difficult to break and is more secure;
另外, 动态口令牌身份的验证可以在生成动态口令前进行, 即根据验证结果决定是否 生成动态口令, 以执行交易, 这样, 可以避免不必要的操作; 或者, 在生成动态口令的同 时进行动态口令牌身份的验证, 在动态口令和身份均验证通过的情况下, 执行交易, 可以 节省整个交易流程耗费的时间。 附图说明  In addition, the verification of the dynamic port token identity can be performed before the dynamic password is generated, that is, whether the dynamic password is generated according to the verification result to execute the transaction, so that unnecessary operations can be avoided; or the dynamic password is generated while generating the dynamic password. The verification of the card identity, in the case of a dynamic password and identity verification, the execution of the transaction can save the time spent on the entire transaction process. DRAWINGS
为了更清楚地说明本发明实施例的技术方案, 下面将对实施例描述中所需要使用的附 图作简单地介绍, 显而易见地, 下面描述中的附图仅仅是本发明的一些实施例, 对于本领 域的普通技术人员来讲, 在不付出创造性劳动的前提下, 还可以根据这些附图获得其他附 图。  In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the present invention, Those skilled in the art can also obtain other drawings based on these drawings without any creative work.
图 1是本发明实施例 1提供的动态口令牌身份的验证方法的流程图;  1 is a flowchart of a method for verifying a dynamic port token identity according to Embodiment 1 of the present invention;
图 2是本发明实施例 2提供的动态口令牌身份的验证系统的结构框图一;  2 is a structural block diagram 1 of a dynamic port token identity verification system according to Embodiment 2 of the present invention;
图 3是本发明实施例 2提供的动态口令牌身份的验证系统的结构框图二;  3 is a structural block diagram 2 of a dynamic port token identity verification system according to Embodiment 2 of the present invention;
图 4是本发明实施例 3提供的动态口令牌身份的验证系统的结构框图;  4 is a structural block diagram of a dynamic port token identity verification system according to Embodiment 3 of the present invention;
图 5是本发明实施例 4提供的交易方法的流程图;  Figure 5 is a flowchart of a transaction method provided by Embodiment 4 of the present invention;
图 6是本发明实施例 5提供的交易方法的流程图; 以及  6 is a flowchart of a transaction method provided by Embodiment 5 of the present invention;
图 7是本发明实施例 6提供的交易方法的流程图。  Figure 7 is a flow chart showing the transaction method provided in Embodiment 6 of the present invention.
具体实施方式 detailed description
下面结合本发明实施例中的附图, 对本发明实施例中的技术方案进行清楚、 完整地描 述, 显然, 所描述的实施例仅仅是本发明一部分实施例, 而不是全部的实施例。 基于本发 明的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例, 都属于本发明的保护范围。  The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.
在本发明的描述中, 需要理解的是, 术语"中心"、 "纵向"、 "横向"、 "上"、 "下"、 "前"、 In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "transverse", "upper", "lower", "front",
"后"、 "左"、 "右"、 "竖直"、 "水平"、 "顶"、 "底"、 "内"、 "外"等指示的方位或位置关系为 基于附图所示的方位或位置关系, 仅是为了便于描述本发明和简化描述, 而不是指示或暗 示所指的装置或元件必须具有特定的方位、 以特定的方位构造和操作, 因此不能理解为对 本发明的限制。 此外, 术语"第一"、 "第二 "仅用于描述目的, 而不能理解为指示或暗示相 对重要性或数量或位置。 The orientation or positional relationship of "post", "left", "right", "vertical", "horizontal", "top", "bottom", "inside", "outside", etc. is The orientation or the positional relationship shown in the drawings is merely for the convenience of the description of the invention and the description of the invention, and is not intended to indicate or imply that the device or component referred to has a specific orientation, is constructed and operated in a specific orientation, and therefore cannot be understood. To limit the invention. Moreover, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or quantity or location.
在本发明的描述中,需要说明的是,除非另有明确的规定和限定,术语"安装"、 "相连"、 In the description of the present invention, it should be noted that the terms "installed", "connected", unless otherwise specifically defined and defined.
"连接 "应做广义理解, 例如, 可以是固定连接, 也可以是可拆卸连接, 或一体地连接; 可 以是机械连接, 也可以是电连接; 可以是直接相连, 也可以通过中间媒介间接相连, 可以 是两个元件内部的连通。 对于本领域的普通技术人员而言, 可以具体情况理解上述术语在 本发明中的具体含义。 "Connection" should be understood in a broad sense, for example, it can be a fixed connection, a detachable connection, or an integral connection; it can be a mechanical connection or an electrical connection; it can be directly connected or indirectly connected through an intermediate medium. , can be the internal connection of two components. The specific meaning of the above terms in the present invention can be understood in a specific case by those skilled in the art.
下面将结合附图对本发明实施例作进一步地详细描述。  The embodiments of the present invention will be further described in detail below with reference to the accompanying drawings.
实施例 1  Example 1
本实施例提供了一种动态口令牌身份的验证方法,可以验证动态口令牌身份是否合法, 即确定动态口令牌是不是伪造的。 图 1是本发明实施例 1提供的动态口令牌身份的验证方 法的流程图, 如图 1所示, 该方法包括以下步骤:  This embodiment provides a method for verifying a dynamic port token identity, which can verify whether the dynamic port token identity is legal, that is, whether the dynamic port token is forged. 1 is a flowchart of a method for verifying a dynamic port token identity according to Embodiment 1 of the present invention. As shown in FIG. 1, the method includes the following steps:
步骤 S 101 , 动态口令牌接收身份验证指令, 根据第一信息计算第一验证值, 并输出第 一验证值, 其中, 第一信息至少包括用于验证动态口令牌身份的第一种子密钥, 第一种子 密钥是预先设置在动态口令牌中的。 输出第一验证值可以是将第一验证值显示在动态口令 牌的显示屏上, 也可以将第一验证值发送给其他设备, 或者两种方式的结合。  Step S101: The dynamic port token receives the identity verification command, calculates a first verification value according to the first information, and outputs a first verification value, where the first information includes at least a first seed key for verifying the dynamic port token identity. The first seed key is pre-set in the dynamic port token. The outputting the first verification value may be displaying the first verification value on the display screen of the dynamic password card, or transmitting the first verification value to other devices, or a combination of the two methods.
优选地, 上述第一种子密钥与动态口令牌中用于生成交易所使用的动态口令的种子密 钥不同, 如果二者相同, 在用于生成动态口令的种子密钥泄漏后, 不法分子将该种子密钥 作为验证动态口令牌身份的密钥, 伪造出动态口令牌, 可能无法验证出令牌的真伪, 例如, 伪造的令牌中计算验证值使用的密钥算法恰巧与动态口令牌出厂时设置的算法相同, 就无 法验证出其真伪。 因此, 为了避免上述情况的发生, 最好采用不同的种子密钥分别用于生 成动态口令和验证令牌身份。  Preferably, the first seed key is different from the seed key used to generate the dynamic password used in the transaction in the dynamic port token. If the two are the same, after the seed key for generating the dynamic password is leaked, the criminal will The seed key is used as a key for verifying the dynamic port token identity, forging a dynamic port token, and may not be able to verify the authenticity of the token. For example, the key algorithm used to calculate the verification value in the forged token happens to be a dynamic port token. The algorithm set at the factory is the same, and it is impossible to verify its authenticity. Therefore, in order to avoid this, it is preferable to use different seed keys to generate dynamic passwords and verify token identities, respectively.
步骤 S 102, 动态口令牌对应的验证装置获取第一验证值, 对第一验证值进行验证, 并 在验证完成后, 输出验证结果。  Step S102: The verification device corresponding to the dynamic port token obtains the first verification value, verifies the first verification value, and outputs the verification result after the verification is completed.
需要说明的是, 验证装置可以是软件实现的系统, 也可以是硬件设备, 该硬件设备内 可以存储厂商生产的所有的动态口令牌的产品序列号及其对应的用于验证身份的种子密钥 等信息。  It should be noted that the verification device may be a software implemented system or a hardware device, and the hardware device may store a product serial number of all dynamic port tokens produced by the manufacturer and a corresponding seed key for verifying the identity. And other information.
身份验证指令用于触发动态口令牌的身份验证,步骤 S101中动态口令牌接收身份验证 指令包括: 动态口令牌接收到用户输入的身份验证指令, 其中, 身份验证指令通过以下形 式输入: 按键或按键组合、 声音信号、 生物特征信号或光信号; 或者, 动态口令牌接收到 交易信息; 或者, 动态口令牌接收到在预设周期内到达的指令。 The authentication command is used to trigger the identity verification of the dynamic port token. The dynamic port token receiving the identity verification instruction in step S101 includes: the dynamic port token receives the identity verification instruction input by the user, wherein the identity verification instruction passes the following form Input: button or button combination, sound signal, biometric signal or optical signal; or, the dynamic port token receives the transaction information; or, the dynamic port token receives the instruction that arrives within the preset period.
具体地, 动态口令牌可以接收以按键或按键组合形式输入的身份验证指令, 按键或按 键组合可以是动态口令牌的厂商预先设置的, 也可以由用户自定义。 对于厂商设置按键或 按键组合的情况, 可以是无法更改的, 也可以是用户需要较高权限才可以修改的。 按键或 按键组合可以是: 长按动态口令牌的某个按键、 动态口令牌上的任意按键组合 (例如按键 4和 8)。 声音信号可以是一段固定的音乐, 生物特征信号可以是特定的指纹、 虹膜等。 利 用接收到交易信息来触发身份验证, 一般是在验证之后需要进行交易的情况。  Specifically, the dynamic port token can receive an authentication command input in the form of a button or a key combination, and the button or button combination can be preset by the manufacturer of the dynamic port token, or can be customized by the user. For the case where the manufacturer sets the button or the button combination, it cannot be changed, or the user needs higher authority to modify it. The button or combination of buttons can be: Long press on a button of the dynamic port token, any combination of buttons on the dynamic port token (eg buttons 4 and 8). The sound signal can be a fixed piece of music, and the biometric signal can be a specific fingerprint, an iris, or the like. The use of received transaction information to trigger authentication, typically in the case of a transaction after verification.
步骤 S 102中验证装置获取第一验证值包括以下两种情况:  The obtaining, by the verification device, the first verification value in step S102 includes the following two cases:
( 1 ) 在联机情况下, 后台服务器接收第一验证值, 并将第一验证值发送至验证装置。 对应的, 验证结果返回给后台服务器。  (1) In the case of online, the background server receives the first verification value and sends the first verification value to the verification device. Correspondingly, the verification result is returned to the background server.
后台服务器可以是银行的用于交易的服务器。 对于既需要验证动态口令牌身份, 又需 要进行交易的情况, 由于银行服务器本来就需要接收动态口令, 采用联机验证模式, 由银 行服务器转发验证值, 得到验证通过的信息后, 即可进行交易, 使得验证以及交易过程比 较简单、 方便。 同时, 在验证通过的情况下进行交易, 可以保证交易以及用户资金的安全。  The backend server can be the bank's server for transactions. In the case that both the dynamic port token identity needs to be verified and the transaction needs to be performed, since the bank server originally needs to receive the dynamic password, the online verification mode is adopted, and the verification value is forwarded by the bank server, and the verified information is obtained, and then the transaction can be performed. Make verification and transaction process simple and convenient. At the same time, trading with the verification passed can guarantee the security of the transaction and user funds.
(2)在脱机情况下, 终端接收第一验证值, 并将第一验证值发送给验证装置。对应的, 验证结果是返回给终端。 此处, 脱机指的是不通过银行服务器进行验证, 对于只是验证动 态口令牌身份, 而不需要进行交易的情况, 可以采用脱机验证模式, 避免造成后台服务器 的负担。  (2) In the offline case, the terminal receives the first verification value and transmits the first verification value to the verification device. Correspondingly, the verification result is returned to the terminal. Here, offline means that the authentication is not performed by the bank server. For the case where only the dynamic port token identity is verified, and no transaction is required, the offline verification mode can be adopted to avoid the burden on the background server.
动态口令牌输出第一验证值可以是通过显示屏进行显示, 用户获知该验证值之后, 利 用终端 (例如, 手机、 平板电脑、 PC机等)采用短信或邮件等形式将该验证值发给厂商的 固定联系人或者直接发送至验证装置; 也可以在厂商的网站的验证界面输入该验证值, 由 验证装置后台验证后, 将验证结果显示给用户。  The first verification value of the dynamic port token output may be displayed through the display screen. After the user knows the verification value, the terminal (for example, a mobile phone, a tablet computer, a PC, etc.) sends the verification value to the manufacturer by using a short message or an email. The fixed contact is sent directly to the verification device; the verification value can also be input on the verification interface of the manufacturer's website, and the verification result is displayed to the user after being verified by the verification device in the background.
步骤 S 102中验证装置对第一验证值进行验证, 可以通过以下步骤实现: 验证装置根据 第二信息计算第二验证值, 其中, 第二信息至少包括第二种子密钥, 第二种子密钥是预先 设置的用于验证动态口令牌身份的密钥; 验证装置比较第一验证值与第二验证值; 在第一 验证值与第二验证值相同的情况下, 验证装置确定动态口令牌的身份合法。  The verification device performs the verification of the first verification value in step S102, which can be implemented by the following steps: The verification device calculates the second verification value according to the second information, where the second information includes at least the second seed key, the second seed key a pre-set key for verifying the dynamic port token identity; the verification device compares the first verification value with the second verification value; and if the first verification value is the same as the second verification value, the verification device determines the dynamic port token Legal status.
实际上, 在动态口令牌中预先设置的用于验证动态口令牌身份的第一种子密钥可能是 伪造的, 至少根据第一种子密钥采用预先设置的算法计算出第一验证值, 将该第一验证值 发送到验证装置; 验证装置使用的第二种子密钥, 是厂商针对该动态口令牌预先设置的, 只有厂商自己知道, 用于唯一标识该动态口令牌, 至少根据第二种子密钥采用预先设置的 算法计算得到的第二验证值, 可以理解为标准验证值, 只要第一验证值与标准验证值不一 致, 令牌身份就不合法, 如果一致, 则令牌身份合法。 In fact, the first seed key used to verify the dynamic port token identity preset in the dynamic port token may be forged, and the first verification value is calculated according to at least the first seed key according to a preset algorithm. The first verification value is sent to the verification device; the second seed key used by the verification device is preset by the vendor for the dynamic port token, and is only known by the vendor itself, and is used to uniquely identify the dynamic port token, at least according to the second seed key. Key is pre-set The second verification value calculated by the algorithm can be understood as a standard verification value. As long as the first verification value is inconsistent with the standard verification value, the token identity is invalid. If they are consistent, the token identity is legal.
优选地, 上述第一信息还包括以下至少之一: 动态口令牌的产品序列号、 随机数和时 间; 验证装置中用于生成第二验证值的第二信息所包括的内容与第一信息包括的内容是对 应的。 采用随机数或时间可以增加计算出的验证值的随机性, 使得黑客难以破解, 更加安 全。 正常情况下, 第一信息包括第一种子密钥、 产品序列号和时间, 则第二信息也包括第 一种子密钥、产品序列号和时间, 且计算第一验证值和计算第二验证值所使用的算法相同, 从而可以保证在第一种子密钥不是伪造的情况下, 第一验证值与第二验证值是相同的。 而 对于伪造的令牌, 第一信息包括的内容与第二信息包括的内容不一定相同, 计算第一验证 值和计算第二验证值所使用的算法也不一定相同。  Preferably, the foregoing first information further includes at least one of the following: a product serial number of the dynamic port token, a random number, and a time; the content and the first information included in the second information used to generate the second verification value in the verification device includes: The content is corresponding. The random number or time can be used to increase the randomness of the calculated verification value, making it difficult for hackers to crack and be more secure. Normally, the first information includes the first seed key, the product serial number, and the time, and the second information also includes the first seed key, the product serial number, and the time, and the first verification value is calculated and the second verification value is calculated. The algorithm used is the same, so that it can be guaranteed that the first verification value and the second verification value are the same if the first seed key is not forged. For the forged token, the content included in the first information is not necessarily the same as the content included in the second information, and the algorithm used to calculate the first verification value and the second verification value is not necessarily the same.
具体地, 计算验证值的算法可以是: SM3、 HMAC-256 HMAC-512和 MD5等算法, 第一信息包括的内容以及第二信息包括的内容可以根据算法的不同有所区别。  Specifically, the algorithm for calculating the verification value may be: an algorithm such as SM3, HMAC-256 HMAC-512, and MD5, and the content included in the first information and the content included in the second information may be different according to different algorithms.
此外, 动态口令牌可以在生成动态口令前进行动态口令牌身份的验证; 或者, 动态口 令牌也可以在生成动态口令的同时进行动态口令牌身份的验证。 也就是说, 可以先验证动 态口令牌的身份是否合法, 在身份合法的情况下, 生成动态口令, 以执行交易, 这样, 可 以避免不必要的操作; 也可以生成动态口令的同时验证动态口令牌的身份是否合法, 在动 态口令和身份均验证通过的情况下, 执行交易, 可以节省整个交易流程耗费的时间。  In addition, the dynamic port token can verify the dynamic port token identity before generating the dynamic password; or the dynamic port token can also verify the dynamic port token identity while generating the dynamic password. That is to say, it is possible to first verify whether the identity of the dynamic port token is legal, and if the identity is legal, generate a dynamic password to execute the transaction, so that unnecessary operations can be avoided; and the dynamic password can be verified while generating the dynamic password. Whether the identity is legal or not, and the dynamic password and identity are verified, the execution of the transaction can save the time spent on the entire transaction process.
本实施例提供的技术方案在动态口令牌中预先设置用于验证动态口令牌身份的种子密 钥, 至少根据该种子密钥采用预先设置的算法计算出验证值, 将该验证值发送到验证装置 进行验证, 如果该验证值与验证装置中计算的标准验证值一致, 则令牌身份合法, 即令牌 由可靠的厂商生产; 如果该验证值与验证装置中计算的标准验证值不一致, 则该令牌身份 不合法, 是伪造的; 实现了动态口令牌身份的验证, 防止动态口令牌被伪造。 进而, 若验 证出动态口令牌身份不合法, 可以不允许进行后续的交易等操作, 从而避免给用户造成经 济损失。 另一方面, 若能够验证出是伪造的令牌, 则表明用于生成动态口令的种子密钥被 泄露, 而用于身份验证的种子密钥没有泄露, 可以排除种子密钥是厂商泄露的可能。  The technical solution provided in this embodiment pre-sets a seed key for verifying the dynamic port token identity in the dynamic port token, and calculates a verification value according to at least the pre-set algorithm according to the seed key, and sends the verification value to the verification device. Performing verification, if the verification value is consistent with the standard verification value calculated in the verification device, the token identity is legal, that is, the token is produced by a reliable manufacturer; if the verification value is inconsistent with the standard verification value calculated in the verification device, The token identity is illegal and is forged. The dynamic port token identity is verified to prevent the dynamic port token from being forged. Furthermore, if it is verified that the dynamic port token identity is illegal, subsequent operations such as subsequent transactions may not be allowed, thereby avoiding economic loss to the user. On the other hand, if it can be verified that the token is a forged token, it indicates that the seed key used to generate the dynamic password is leaked, and the seed key used for authentication is not leaked, and the seed key may be excluded from the possibility of vendor leakage. .
实施例 2  Example 2
本实施例提供了一种动态口令牌身份的验证系统, 该系统可以用来实现实施例 1 中的 验证方法。 图 2是本发明实施例 2提供的动态口令牌身份的验证系统的结构框图一, 如图 2所示, 该系统包括: 动态口令牌 20和验证装置 30, 其中:  This embodiment provides a dynamic port token identity verification system, which can be used to implement the verification method in Embodiment 1. 2 is a structural block diagram 1 of a dynamic port token identity verification system according to Embodiment 2 of the present invention. As shown in FIG. 2, the system includes: a dynamic port token 20 and a verification device 30, where:
动态口令牌 20包括: 接收模块 201, 用于接收身份验证指令; 计算模块 202, 连接至 接收模块 201, 用于根据第一信息计算第一验证值, 其中, 第一信息至少包括用于验证动 态口令牌身份的第一种子密钥, 第一种子密钥是预先设置在动态口令牌中的; 第一输出模 块 203, 连接至计算模块 202, 用于输出第一验证值。 第一输出模块 203可以是动态口令牌 20的显示屏。 优选地, 上述第一种子密钥与动态口令牌中用于生成交易所使用的动态口令 的种子密钥不同。 The dynamic port token 20 includes: a receiving module 201, configured to receive an identity verification command; a computing module 202, coupled to the receiving module 201, configured to calculate a first verification value according to the first information, where the first information includes at least The first seed key of the stateful token identity, the first seed key is preset in the dynamic port token; the first output module 203 is connected to the computing module 202, and configured to output the first verification value. The first output module 203 can be a display screen of the dynamic port token 20. Preferably, the first seed key is different from the seed key of the dynamic port token used to generate the dynamic password used by the transaction.
验证装置 30包括: 获取模块 301, 用于获取第一验证值; 验证模块 302, 连接至获取 模块 301, 用于对第一验证值进行验证; 第二输出模块 303, 连接至验证模块 302, 用于在 验证完成后, 输出验证结果。 需要说明的是, 验证装置 30可以是软件实现的系统, 也可以 是硬件设备, 该硬件设备内可以存储厂商生产的所有的动态口令牌的产品序列号及其对应 的用于验证身份的种子密钥等信息。  The verification device 30 includes: an obtaining module 301, configured to obtain a first verification value; a verification module 302, connected to the obtaining module 301, for verifying the first verification value; and a second output module 303, connected to the verification module 302, After the verification is completed, the verification result is output. It should be noted that the verification device 30 may be a software implemented system or a hardware device, and the hardware device may store the product serial number of all the dynamic port tokens produced by the manufacturer and the corresponding seed density for verifying the identity. Key and other information.
如图 3所示, 接收模块 201包括: 第一接收单元 2011, 用于接收用户输入的身份验证 指令或者接收在预设周期内到达的指令, 其中, 身份验证指令通过以下形式输入: 按键或 按键组合、 声音信号、 生物特征信号或光信号; 第二接收单元 2012, 用于接收交易信息。 在实施例 1中已经详细描述, 此处不再赘述。  As shown in FIG. 3, the receiving module 201 includes: a first receiving unit 2011, configured to receive an authentication command input by a user or receive an instruction that arrives within a preset period, where the authentication command is input by: pressing a button or a button a combination, a sound signal, a biometric signal or an optical signal; a second receiving unit 2012, configured to receive transaction information. It has been described in detail in Embodiment 1, and will not be described again here.
上述系统还包括: 后台服务器 40, 用于在联机情况下, 接收第一验证值, 并将第一验 证值发送至验证装置 30。 对应的, 验证结果返回给后台服务器 40。 后台服务器 40可以是 银行的用于交易的服务器。 对于既需要验证动态口令牌身份, 又需要进行交易的情况, 银 行服务器得到验证通过的信息后, 即可进行交易, 使得验证以及交易过程比较简单、 方便。 同时, 在验证通过的情况下进行交易, 可以保证交易以及用户资金的安全。  The above system further includes: a background server 40, configured to receive the first verification value in the case of online, and send the first verification value to the verification device 30. Correspondingly, the verification result is returned to the background server 40. The backend server 40 can be a bank's server for transactions. In the case that both the dynamic port token identity needs to be verified and the transaction needs to be performed, after the bank server obtains the verified information, the transaction can be performed, which makes the verification and transaction process relatively simple and convenient. At the same time, trading with the verification passed can guarantee the security of the transaction and user funds.
此外, 验证模块 302包括: 计算单元 3021, 用于根据第二信息计算第二验证值, 其中, 第二信息至少包括第二种子密钥, 第二种子密钥是预先设置的用于验证动态口令牌身份的 密钥; 比较单元 3022, 连接至计算单元 3021, 用于比较第一验证值与第二验证值; 确定单 元 3023, 连接至比较单元 3022, 用于在第一验证值与第二验证值相同的情况下, 确定动态 口令牌的身份合法。  In addition, the verification module 302 includes: a calculating unit 3021, configured to calculate a second verification value according to the second information, where the second information includes at least a second seed key, where the second seed key is preset for verifying the dynamic password Key of the card identity; comparison unit 3022, connected to the calculation unit 3021, for comparing the first verification value with the second verification value; the determining unit 3023, connected to the comparison unit 3022, for the first verification value and the second verification When the values are the same, it is determined that the identity of the dynamic port token is legal.
第一信息还包括以下至少之一: 动态口令牌的产品序列号、 随机数和时间; 验证装置 中用于生成第二验证值的第二信息所包括的内容与第一信息包括的内容是对应的。 采用随 机数或时间可以增加计算出的验证值的随机性, 更加安全。 正常情况下, 第一信息包括第 一种子密钥、 产品序列号和时间, 则第二信息也包括第一种子密钥、 产品序列号和时间, 且计算第一验证值和计算第二验证值所使用的算法相同, 从而可以保证在第一种子密钥不 是伪造的情况下, 第一验证值与第二验证值是相同的。 而对于伪造的令牌, 第一信息包括 的内容与第二信息包括的内容不一定相同, 计算第一验证值和计算第二验证值所使用的算 法也不一定相同。 具体地, 计算验证值的算法可以是: SM3、 HMAC-256 HMAC-512 和 MD5 等算法, 第一信息包括的内容以及第二信息包括的内容可以根据算法的不同有所区 另 |J。 The first information further includes at least one of the following: a product serial number of the dynamic port token, a random number, and a time; the content included in the second information used to generate the second verification value in the verification device corresponds to the content included in the first information of. Using random numbers or time can increase the randomness of the calculated verification values, which is more secure. Normally, the first information includes the first seed key, the product serial number, and the time, and the second information also includes the first seed key, the product serial number, and the time, and the first verification value is calculated and the second verification value is calculated. The algorithm used is the same, so that it can be guaranteed that the first verification value and the second verification value are the same if the first seed key is not forged. For the forged token, the content included in the first information is not necessarily the same as the content included in the second information, and the algorithm used to calculate the first verification value and the second verification value is not necessarily the same. Specifically, the algorithm for calculating the verification value may be: SM3, HMAC-256 HMAC-512, and For algorithms such as MD5, the content included in the first information and the content included in the second information may be different according to different algorithms.
另外, 在生成动态口令前进行验证装置对所述动态口令牌身份的验证; 或者, 在生成 动态口令的同时进行验证装置对动态口令牌身份的验证。 也就是说, 可以先验证动态口令 牌的身份是否合法, 在身份合法的情况下, 生成动态口令, 以执行交易, 这样, 可以避免 不必要的操作; 也可以生成动态口令的同时验证动态口令牌的身份是否合法, 在动态口令 和身份均验证通过的情况下, 执行交易, 可以节省整个交易流程耗费的时间。  In addition, the verification device performs verification of the dynamic port token identity before generating the dynamic password; or, the verification device performs verification of the dynamic port token identity while generating the dynamic password. That is to say, it is possible to first verify whether the identity of the dynamic port token is legal, and if the identity is legal, generate a dynamic password to execute the transaction, so that unnecessary operations can be avoided; and the dynamic password can be verified while generating the dynamic password. Whether the identity is legal or not, and the dynamic password and identity are verified, the execution of the transaction can save the time spent on the entire transaction process.
本实施例提供的技术方案在动态口令牌中预先设置用于验证动态口令牌身份的种子密 钥, 计算模块 202至少根据该种子密钥采用预先设置的算法计算出验证值, 第一输出模块 203将该验证值发送到验证装置 30进行验证, 如果该验证值与验证装置 30中计算的标准 验证值一致, 则令牌身份合法, 即令牌由可靠的厂商生产; 如果该验证值与验证装置 30中 计算的标准验证值不一致, 则该令牌身份不合法, 是伪造的; 实现了动态口令牌身份的验 证, 防止动态口令牌被伪造。 进而, 若验证出动态口令牌身份不合法, 可以不允许进行后 续的交易等操作, 从而避免给用户造成经济损失。 另一方面, 若能够验证出是伪造的令牌, 则表明用于生成动态口令的种子密钥被泄露, 而用于身份验证的种子密钥没有泄露, 可以 排除种子密钥是厂商泄露的可能。  The technical solution provided in this embodiment pre-sets a seed key for verifying the dynamic port token identity in the dynamic port token, and the calculating module 202 calculates the verification value according to the seed key according to at least a preset algorithm, and the first output module 203 Sending the verification value to the verification device 30 for verification. If the verification value is consistent with the standard verification value calculated in the verification device 30, the token identity is legal, that is, the token is produced by a reliable manufacturer; if the verification value and the verification device are If the standard verification value calculated in 30 is inconsistent, the token identity is illegal and is forged; the dynamic port token identity verification is implemented to prevent the dynamic port token from being forged. Further, if it is verified that the dynamic port token identity is illegal, operations such as subsequent transactions may not be allowed, thereby avoiding economic loss to the user. On the other hand, if it can be verified that the token is a forged token, it indicates that the seed key used to generate the dynamic password is leaked, and the seed key used for authentication is not leaked, and the seed key may be excluded from the possibility of vendor leakage. .
实施例 3  Example 3
本实施例的系统与实施例 2中图 3所示系统的区别在于将后台服务器 40替换为终端 50, 实现脱机验证, 且对应于该替换, 第一验证值的传输方式有所改变。 如图 4所示, 该 系统还包括: 终端 50, 用于在脱机情况下, 接收第一验证值, 并将第一验证值发送给验证 装置 30。 对应的, 验证结果是返回给终端 50。 此处, 脱机指的是不通过银行服务器进行验 证, 如果只是验证动态口令牌的身份, 而不需要进行交易, 可以采用脱机验证的模式, 避 免造成后台服务器的负担。  The system of this embodiment differs from the system of FIG. 3 in Embodiment 2 in that the background server 40 is replaced with the terminal 50 to implement offline verification, and corresponding to the replacement, the transmission mode of the first verification value is changed. As shown in FIG. 4, the system further includes: a terminal 50, configured to receive the first verification value in an offline situation, and send the first verification value to the verification device 30. Correspondingly, the verification result is returned to the terminal 50. Here, offline refers to not verifying through the bank server. If only the identity of the dynamic port token is verified, and no transaction is required, the offline verification mode can be adopted to avoid the burden on the background server.
动态口令牌输出第一验证值可以是通过显示屏进行显示, 用户获知该验证值之后, 利 用终端 (例如, 手机、 ipad、 PC机等) 采用短信或邮件等形式将该验证值发给厂商的固定 联系人或者直接发送至验证装置; 也可以在厂商的网站的验证界面输入该验证值, 由验证 装置后台验证后, 将验证结果显示给用户。  The first verification value of the dynamic port token output may be displayed through the display screen. After the user knows the verification value, the terminal (for example, a mobile phone, an iPad, a PC, etc.) sends the verification value to the manufacturer by using a short message or an email. The fixed contact is sent directly to the verification device; the verification value can also be input on the verification interface of the manufacturer's website, and the verification result is displayed to the user after being verified by the verification device in the background.
实施例 4  Example 4
本实施例提供了一种交易方法, 该交易方法可以基于实施例 1 中描述的动态口令牌身 份的验证方法及实施例 2中描述动态口令牌身份的验证系统实现, 如图 5所示, 该交易方 法包括以下步骤: 步骤 S501, 动态口令牌生成动态口令; The present embodiment provides a transaction method, which can be implemented based on the verification method of the dynamic port token identity described in Embodiment 1 and the verification system of the dynamic port token identity described in Embodiment 2, as shown in FIG. The trading method includes the following steps: Step S501, the dynamic port token generates a dynamic password;
步骤 S502, 动态口令牌根据第一信息计算第一验证值, 其中, 第一信息至少包括用于 验证动态口令牌身份的第一种子密钥, 第一种子密钥是是预先设置在动态口令牌中的; 需要说明的是,步骤 S501和步骤 S502的顺序可以交换, 即先执行步骤 S502计算第一 验证值, 再执行步骤 S501生成动态口令, 计算第一验证值的触发条件可以是接收到交易信 息; 或者接收到交易信息后, 同时执行步骤 S501和步骤 S502。  Step S502: The dynamic port token calculates a first verification value according to the first information, where the first information includes at least a first seed key for verifying a dynamic port token identity, where the first seed key is preset in a dynamic port token. It should be noted that the sequence of step S501 and step S502 can be exchanged, that is, step S502 is first performed to calculate the first verification value, and then step S501 is executed to generate a dynamic password, and the trigger condition for calculating the first verification value may be that the transaction is received. After receiving the transaction information, step S501 and step S502 are simultaneously performed.
步骤 S503 , 动态口令牌将动态口令和第一验证值一起发送至后台服务器;  Step S503, the dynamic port token sends the dynamic password together with the first verification value to the background server;
步骤 S504, 后台服务器接收到动态口令和第一验证值后, 验证动态口令, 并将第一验 证值发送至动态口令牌对应的验证装置进行验证; 验证装置验证完成后, 输出验证结果; 步骤 S505,后台服务器接收验证结果,在动态口令和第一验证值均验证通过的情况下, 执行交易。  Step S504, after receiving the dynamic password and the first verification value, the background server verifies the dynamic password, and sends the first verification value to the verification device corresponding to the dynamic port token for verification; after the verification device is verified, the verification result is output; Step S505 The background server receives the verification result, and executes the transaction if both the dynamic password and the first verification value are verified.
验证装置验证第一验证值的步骤在实施例 1至 3中已经详细描述过, 此处不再赘述。 本实施例中, 在动态口令和第一验证值均通过的情况下, 才可以执行交易, 利用双重 保障增加了交易的安全性, 保证用户资金安全。 即使动态口令牌被伪造, 由于其计算出的 第一验证值不能验证通过, 就无法完成交易, 避免用户的经济损失。  The steps of verifying the first verification value by the verification device have been described in detail in Embodiments 1 to 3, and are not described herein again. In this embodiment, when the dynamic password and the first verification value are both passed, the transaction can be executed, and the double guarantee is used to increase the security of the transaction and ensure the security of the user funds. Even if the dynamic port token is forged, since the calculated first verification value cannot be verified, the transaction cannot be completed, and the user's economic loss is avoided.
实施例 5  Example 5
本实施例提供了一种交易方法, 该交易方法可以基于实施例 1 中描述的动态口令牌身 份的验证方法及实施例 2中描述的动态口令牌身份的验证系统实现, 本实施例的交易方法 与实施例 4中交易方法的区别在于, 本实施例中是先进行令牌的身份验证, 再根据验证结 果决定是否生成动态口令, 以执行交易。 如图 6所示, 该交易方法包括以下步骤:  The present embodiment provides a transaction method, which can be implemented based on the verification method of the dynamic port token identity described in Embodiment 1 and the verification system of the dynamic port token identity described in Embodiment 2. The transaction method of this embodiment The difference from the transaction method in Embodiment 4 is that in this embodiment, the identity verification of the token is performed first, and then based on the verification result, it is determined whether a dynamic password is generated to execute the transaction. As shown in Figure 6, the transaction method includes the following steps:
步骤 S601 , 动态口令牌接收到交易信息, 根据第一信息计算第一验证值, 并输出第一 验证值, 其中, 第一信息至少包括用于验证动态口令牌身份的第一种子密钥, 第一种子密 钥是是预先设置在动态口令牌中的;  Step S601, the dynamic port token receives the transaction information, calculates a first verification value according to the first information, and outputs a first verification value, where the first information includes at least a first seed key for verifying the dynamic port token identity, A subkey is pre-set in the dynamic port token;
步骤 S602, 后台服务器接收第一验证值, 并将第一验证值转发给验证装置; 步骤 S603 , 验证装置对第一验证值进行验证, 并在验证完成后, 输出验证结果; 步骤 S604, 后台服务器接收验证结果, 如果验证结果为身份合法, 执行步骤 S605; 如 果验证结果为身份不合法, 执行步骤 S606;  Step S602, the background server receives the first verification value, and forwards the first verification value to the verification device. Step S603, the verification device verifies the first verification value, and after the verification is completed, outputs the verification result. Step S604, the background server Receiving the verification result, if the verification result is legal, step S605 is performed; if the verification result is invalid, step S606 is performed;
步骤 S605, 后台服务器发送信息 (例如, 验证通过信息) 到动态口令牌, 触发动态口 令牌生成动态口令, 进行后续的交易流程;  Step S605, the background server sends information (for example, the verification pass information) to the dynamic port token, triggers the dynamic port token to generate a dynamic password, and performs a subsequent transaction process;
步骤 S606, 后台服务器发送信息 (例如, 验证失败信息) 到动态口令牌, 停止交易。 在上述步骤 S601中,触发身份验证的条件也可以是在预定的验证周期内到达或者用户 输入身份验证指令, 对应的, 步骤 S605中生成动态口令的触发条件可以是在验证通过后的 一定时间内 (例如 3分钟、 10分钟等) 接收到交易信息, 以保证安全性。 Step S606, the background server sends information (for example, verification failure information) to the dynamic port token, and stops the transaction. In the above step S601, the condition for triggering the identity verification may also be that the user arrives within the predetermined verification period or the user The authentication command is input. Correspondingly, the trigger condition for generating the dynamic password in step S605 may be that the transaction information is received within a certain time (for example, 3 minutes, 10 minutes, etc.) after the verification is passed, to ensure security.
验证装置验证第一验证值的步骤在实施例 1至 3中已经详细描述过, 此处不再赘述。 本实施例中, 先进行令牌的身份验证, 再根据验证结果决定是否生成动态口令, 以执 行交易, 从而可以避免不必要的操作。  The steps of verifying the first verification value by the verification device have been described in detail in Embodiments 1 to 3, and are not described herein again. In this embodiment, the identity verification of the token is performed first, and then based on the verification result, it is determined whether a dynamic password is generated to execute the transaction, thereby avoiding unnecessary operations.
实施例 6  Example 6
本实施例提供了一种交易方法, 该交易方法可以基于实施例 1 中描述的动态口令牌身 份的验证方法及实施例 3中描述的动态口令牌身份的验证系统实现, 本实施例的交易方法 与实施例 5中交易方法的区别在于, 实施例 5中采用联机验证模式进行令牌的身份验证, 本实施例中采用脱机验证模式对令牌进行身份验证, 如图 7所示, 该交易方法包括以下步 骤:  The present embodiment provides a transaction method, which can be implemented based on the verification method of the dynamic port token identity described in Embodiment 1 and the verification system of the dynamic port token identity described in Embodiment 3. The transaction method of this embodiment The difference from the transaction method in Embodiment 5 is that the authentication mode of the token is performed in the online verification mode in Embodiment 5. In this embodiment, the token is authenticated by using the offline verification mode, as shown in FIG. The method includes the following steps:
步骤 S701 , 动态口令牌接收到交易信息, 根据第一信息计算第一验证值, 并输出第一 验证值(这里可以是将该第一验证值显示在动态口令牌的显示屏上), 其中, 第一信息至少 包括用于验证动态口令牌身份的第一种子密钥, 第一种子密钥是是预先设置在动态口令牌 中的;  Step S701, the dynamic port token receives the transaction information, calculates the first verification value according to the first information, and outputs the first verification value (here, the first verification value may be displayed on the display screen of the dynamic port token), where The first information includes at least a first seed key for verifying a dynamic port token identity, where the first seed key is preset in the dynamic port token;
步骤 S702, 用户获知该第一验证值, 并通过电子邮件、 短信等方式将第一验证值转发 给验证装置, 或者在验证界面输入第一验证值, 使得验证装置获得该第一验证值;  Step S702: The user obtains the first verification value, and forwards the first verification value to the verification device by using an email, a short message, or the like, or inputs a first verification value on the verification interface, so that the verification device obtains the first verification value;
步骤 S703 , 验证装置对第一验证值进行验证, 并在验证完成后, 输出验证结果; 步骤 S704, 终端接收验证结果, 如果验证结果为身份合法, 执行步骤 S705; 如果验证 结果为身份不合法, 执行步骤 S706;  Step S703, the verification device verifies the first verification value, and after the verification is completed, outputs the verification result; Step S704, the terminal receives the verification result, if the verification result is the identity legal, step S705 is performed; if the verification result is the identity is invalid, Go to step S706;
步骤 S705,用户操作动态口令牌触发动态口令牌生成动态口令,进行后续的交易流程; 步骤 S706, 不进行交易。  Step S705: The user operates the dynamic port token to trigger the dynamic port token to generate a dynamic password, and performs a subsequent transaction process. Step S706, no transaction is performed.
在上述步骤 S701中,触发身份验证的条件也可以是在预定的验证周期内到达或者用户 输入身份验证指令, 对应的, 步骤 S705中生成动态口令的触发条件可以是在验证通过后的 一定时间内 (例如 3分钟、 10分钟等) 接收到交易信息, 以保证安全性。  In the above step S701, the condition for triggering the identity verification may also be that it arrives within a predetermined verification period or the user inputs an identity verification instruction. Correspondingly, the trigger condition for generating the dynamic password in step S705 may be a certain time after the verification is passed. (eg 3 minutes, 10 minutes, etc.) Receive transaction information to ensure security.
验证装置验证第一验证值的步骤在实施例 1至 3中已经详细描述过, 此处不再赘述。 利用脱机验证模式验证动态口令牌的身份, 如果验证通过, 再生成动态口令, 与后台 服务器完成交易, 否则不进行交易, 保证用户资金安全; 并且, 脱机验证可以减轻服务器 的负担。  The steps of verifying the first verification value by the verification device have been described in detail in Embodiments 1 to 3, and are not described herein again. The offline authentication mode is used to verify the identity of the dynamic port token. If the verification is passed, the dynamic password is generated, and the transaction is completed with the background server. Otherwise, the transaction is not performed to ensure the security of the user funds; and the offline verification can reduce the burden on the server.
实施例 7  Example 7
本实施了提供了一种计算机存储介质包括计算机指令, 当计算机指令被执行时, 使得: 动态口令牌接收身份验证指令, 根据第一信息计算第一验证值, 并输出第一验证值, 其中, 第一信息至少包括用于验证动态口令牌身份的第一种子密钥, 第一种子密钥是预先 设置在动态口令牌中的; 与动态口令牌对应的验证装置获取第一验证值, 对第一验证值进 行验证, 并输出验证结果。 流程图中或在此以其他方式描述的任何过程或方法描述可以被理解为, 表示包括一个 或更多个用于实现特定逻辑功能或过程的步骤的可执行指令的代码的模块、 片段或部分, 并且本发明的优选实施方式的范围包括另外的实现, 其中可以不按所示出或讨论的顺序, 包括根据所涉及的功能按基本同时的方式或按相反的顺序, 来执行功能, 这应被本发明的 实施例所属技术领域的技术人员所理解。 The present application provides a computer storage medium comprising computer instructions that, when executed, cause: The dynamic port token receives the authentication command, calculates the first verification value according to the first information, and outputs the first verification value, where the first information includes at least a first seed key for verifying the dynamic port token identity, and the first seed key The key is preset in the dynamic port token; the verification device corresponding to the dynamic port token acquires the first verification value, verifies the first verification value, and outputs the verification result. Any process or method description in the flowcharts or otherwise described herein may be understood to represent a module, segment or portion of code that includes one or more executable instructions for implementing the steps of a particular logical function or process. And the scope of the preferred embodiments of the invention includes additional implementations, in which the functions may be performed in a substantially simultaneous manner or in an opposite order depending on the functions involved, in the order shown or discussed. It will be understood by those skilled in the art to which the embodiments of the present invention pertain.
应当理解, 本发明的各部分可以用硬件、 软件、 固件或它们的组合来实现。 在上述实 施方式中, 多个步骤或方法可以用存储在存储器中且由合适的指令执行系统执行的软件或 固件来实现。 例如, 如果用硬件来实现, 和在另一实施方式中一样, 可用本领域公知的下 列技术中的任一项或他们的组合来实现: 具有用于对数据信号实现逻辑功能的逻辑门电路 的离散逻辑电路, 具有合适的组合逻辑门电路的专用集成电路, 可编程门阵列 (PGA), 现 场可编程门阵列 (FPGA) 等。  It should be understood that portions of the invention may be implemented in hardware, software, firmware or a combination thereof. In the above-described embodiments, multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, it can be implemented with any one or combination of the following techniques well known in the art: having logic gates for implementing logic functions on data signals Discrete logic circuits, application specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), etc.
本技术领域的普通技术人员可以理解实现上述实施例方法携带的全部或部分步骤是可 以通过程序来指令相关的硬件完成, 所述的程序可以存储于一种计算机可读存储介质中, 该程序在执行时, 包括方法实施例的步骤之一或其组合。  One of ordinary skill in the art can understand that all or part of the steps carried by the method of implementing the above embodiments can be completed by a program to instruct related hardware, and the program can be stored in a computer readable storage medium. When executed, one or a combination of the steps of the method embodiments is included.
此外, 在本发明各个实施例中的各功能单元可以集成在一个处理模块中, 也可以是各 个单元单独物理存在, 也可以两个或两个以上单元集成在一个模块中。 上述集成的模块既 可以采用硬件的形式实现, 也可以采用软件功能模块的形式实现。 所述集成的模块如果以 软件功能模块的形式实现并作为独立的产品销售或使用时, 也可以存储在一个计算机可读 取存储介质中。  In addition, each functional unit in each embodiment of the present invention may be integrated into one processing module, or each unit may exist physically separately, or two or more units may be integrated into one module. The above integrated modules can be implemented in the form of hardware or in the form of software functional modules. The integrated modules, if implemented in the form of software functional modules and sold or used as separate products, may also be stored in a computer readable storage medium.
上述提到的存储介质可以是只读存储器, 磁盘或光盘等。  The above-mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
在本说明书的描述中, 参考术语"一个实施例"、 "一些实施例"、 "示例"、 "具体示例"、 或"一些示例"等的描述意指结合该实施例或示例描述的具体特征、 结构、 材料或者特点包 含于本发明的至少一个实施例或示例中。 在本说明书中, 对上述术语的示意性表述不一定 指的是相同的实施例或示例。 而且, 描述的具体特征、 结构、 材料或者特点可以在任何的 一个或多个实施例或示例中以合适的方式结合。 尽管上面已经示出和描述了本发明的实施例, 可以理解的是, 上述实施例是示例性的, 不能理解为对本发明的限制, 本领域的普通技术人员在不脱离本发明的原理和宗旨的情况 下在本发明的范围内可以对上述实施例进行变化、 修改、 替换和变型。 本发明的范围由所 附权利要求及其等同限定。 In the description of the present specification, the description of the terms "one embodiment", "some embodiments", "example", "specific example", or "some examples" and the like means a specific feature described in connection with the embodiment or example. A structure, material or feature is included in at least one embodiment or example of the invention. In the present specification, the schematic representation of the above terms does not necessarily mean the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in a suitable manner in any one or more embodiments or examples. Although the embodiments of the present invention have been shown and described, it is understood that the foregoing embodiments are illustrative and not restrictive Variations, modifications, alterations and variations of the above-described embodiments are possible within the scope of the invention. The scope of the invention is defined by the appended claims and their equivalents.

Claims

权利要求书 claims
1、 一种动态口令牌身份的验证方法, 其特征在于, 包括: 1. A dynamic password token identity verification method, characterized by including:
动态口令牌接收身份验证指令, 根据第一信息计算第一验证值, 并输出所述第一验证 值, 其中, 所述第一信息至少包括用于验证所述动态口令牌身份的第一种子密钥, 所述第 一种子密钥是预先设置在所述动态口令牌中的; The dynamic password token receives the identity verification instruction, calculates a first verification value based on the first information, and outputs the first verification value, wherein the first information at least includes a first seed password used to verify the identity of the dynamic password token. key, the first seed key is preset in the dynamic password token;
与所述动态口令牌对应的验证装置获取所述第一验证值,对所述第一验证值进行验证, 并输出验证结果。 The verification device corresponding to the dynamic password token obtains the first verification value, verifies the first verification value, and outputs the verification result.
2、根据权利要求 1所述的方法,其特征在于,所述动态口令牌接收身份验证指令包括: 所述动态口令牌接收到用户输入的身份验证指令, 其中, 所述身份验证指令通过以下 形式之一输入: 按键或按键组合、 声音信号、 生物特征信号或光信号; 2. The method according to claim 1, wherein the dynamic password token receives an identity verification instruction including: the dynamic password token receives an identity verification instruction input by a user, wherein the identity verification instruction is in the following form One of the inputs: keys or key combinations, sound signals, biometric signals or light signals;
或者, 所述动态口令牌接收到交易信息; Or, the dynamic password token receives transaction information;
或者, 所述动态口令牌接收到在预设周期内到达的指令。 Alternatively, the dynamic port token receives an instruction arriving within a preset period.
3、 根据权利要求 1或 2所述的方法, 其特征在于, 与所述动态口令牌对应的验证装置 获取所述第一验证值包括: 3. The method according to claim 1 or 2, wherein the verification device corresponding to the dynamic password token obtains the first verification value including:
在联机情况下, 后台服务器接收所述第一验证值, 并将所述第一验证值发送至所述验 证装置。 In an online situation, the backend server receives the first verification value and sends the first verification value to the verification device.
4、 根据权利要求 1或 2所述的方法, 其特征在于, 与所述动态口令牌对应的验证装置 获取所述第一验证值包括: 4. The method according to claim 1 or 2, wherein the verification device corresponding to the dynamic password token obtains the first verification value including:
在脱机情况下, 终端接收所述第一验证值, 并将所述第一验证值发送给所述验证装置。 In an offline situation, the terminal receives the first verification value and sends the first verification value to the verification device.
5、 根据权利要求 1至 4中任一项所述的方法, 其特征在于, 所述验证装置对所述第一 验证值进行验证包括: 5. The method according to any one of claims 1 to 4, characterized in that, the verification device verifying the first verification value includes:
所述验证装置根据第二信息计算第二验证值, 其中, 所述第二信息至少包括第二种子 密钥, 所述第二种子密钥是预先设置的用于验证动态口令牌身份的; The verification device calculates a second verification value based on the second information, wherein the second information includes at least a second seed key, and the second seed key is preset for verifying the identity of the dynamic password token;
所述验证装置比较所述第一验证值与所述第二验证值; The verification device compares the first verification value and the second verification value;
在所述第一验证值与所述第二验证值相同的情况下, 所述验证装置确定所述动态口令 牌的身份合法。 When the first verification value and the second verification value are the same, the verification device determines that the identity of the dynamic password token is legal.
6、 根据权利要求 1至 5中任一项所述的方法, 其特征在于, 6. The method according to any one of claims 1 to 5, characterized in that,
所述动态口令牌在生成动态口令前执行所述动态口令牌身份的验证方法; The dynamic password token executes the verification method of the identity of the dynamic password token before generating the dynamic password;
或者, 所述动态口令牌在生成动态口令的同时执行所述动态口令牌身份的验证方法。 Alternatively, the dynamic password token generates the dynamic password and simultaneously executes the dynamic password token identity verification method.
7、 根据权利要求 1至 6中任一项所述的方法, 其特征在于, 所述第一种子密钥与所述 动态口令牌中生成交易所使用的动态口令的种子密钥不同。 7. The method according to any one of claims 1 to 6, characterized in that the first seed key is different from the seed key used in the dynamic password token to generate the dynamic password used in the transaction.
8、 根据权利要求 1至 7中任一项所述的方法, 其特征在于, 8. The method according to any one of claims 1 to 7, characterized in that,
所述第一信息还包括以下至少之一: 所述动态口令牌的产品序列号、 随机数和时间。 The first information also includes at least one of the following: the product serial number, random number and time of the dynamic password token.
9、 根据权利要求 5至 8中任一项所述的方法, 其特征在于, 9. The method according to any one of claims 5 to 8, characterized in that,
所述第二信息包括的内容与所述第一信息包括的内容是对应的。 The content included in the second information corresponds to the content included in the first information.
10、 一种动态口令牌身份的验证系统, 其特征在于, 包括: 10. A dynamic password token identity verification system, characterized by including:
动态口令牌, 所述动态口令牌包括: Dynamic password token, the dynamic password token includes:
接收模块, 用于接收身份验证指令; Receiving module, used to receive identity verification instructions;
计算模块, 用于根据第一信息计算第一验证值, 其中, 所述第一信息至少包括 用于验证动态口令牌身份的第一种子密钥, 所述第一种子密钥是预先设置在所述动 态口令牌中的; The calculation module is used to calculate the first verification value based on the first information, wherein the first information at least includes a first seed key used to verify the identity of the dynamic password token, and the first seed key is preset in the location. In the above dynamic password token;
第一输出模块, 用于输出所述第一验证值; 以及 A first output module, used to output the first verification value; and
验证装置, 所述验证装置包括: Verification device, the verification device includes:
获取模块, 用于获取所述第一验证值; Obtaining module, used to obtain the first verification value;
验证模块, 用于对所述第一验证值进行验证; A verification module, used to verify the first verification value;
第二输出模块, 用于输出验证结果。 The second output module is used to output verification results.
11、 根据权利要求 10所述的系统, 其特征在于, 所述接收模块包括: 11. The system according to claim 10, characterized in that the receiving module includes:
第一接收单元,用于接收用户输入的身份验证指令或者接收在预设周期内到达的指令, 其中, 所述身份验证指令通过以下形式之一输入: 按键或按键组合、 声音信号、 生物特征 信号或光信号; The first receiving unit is used to receive identity verification instructions input by the user or receive instructions arriving within a preset period, wherein the identity verification instructions are input in one of the following forms: keys or key combinations, sound signals, biometric signals or light signal;
第二接收单元, 用于接收交易信息。 The second receiving unit is used to receive transaction information.
12、 根据权利要求 10或 11所述的系统, 其特征在于, 所述系统还包括: 后台服务器, 用于在联机情况下, 接收所述第一验证值, 并将所述第一验证值发送至所述验证装置。 12. The system according to claim 10 or 11, characterized in that, the system further includes: a background server, configured to receive the first verification value and send the first verification value when online to the verification device.
13、 根据权利要求 10或 11所述的系统, 其特征在于, 所述系统还包括: 终端, 用于 在脱机情况下, 接收所述第一验证值, 并将所述第一验证值发送给所述验证装置。 13. The system according to claim 10 or 11, characterized in that, the system further includes: a terminal, configured to receive the first verification value and send the first verification value when offline. to the verification device.
14、 根据权利要求 10至 13中任一项所述的系统, 其特征在于, 所述验证模块包括: 计算单元, 用于根据第二信息计算第二验证值, 其中, 所述第二信息至少包括第二种 子密钥, 所述第二种子密钥是预先设置的用于验证动态口令牌身份的; 14. The system according to any one of claims 10 to 13, characterized in that the verification module includes: a calculation unit configured to calculate a second verification value according to the second information, wherein the second information is at least Including a second seed key, the second seed key is preset and used to verify the identity of the dynamic password token;
比较单元, 用于比较所述第一验证值与所述第二验证值; A comparison unit configured to compare the first verification value with the second verification value;
确定单元, 用于在所述第一验证值与所述第二验证值相同的情况下, 确定所述动态口 令牌的身份合法。 Determining unit, configured to determine the dynamic interface when the first verification value and the second verification value are the same. The token's identity is valid.
15、 根据权利要求 10至 14中任一项所述的系统, 其特征在于,: 15. The system according to any one of claims 10 to 14, characterized in that:
在生成动态口令前进行所述验证装置对所述动态口令牌身份的验证; Verify the identity of the dynamic password token by the verification device before generating the dynamic password;
或者, 在生成动态口令的同时进行所述验证装置对所述动态口令牌身份的验证。 Alternatively, the verification device verifies the identity of the dynamic password token while generating the dynamic password.
16、 根据权利要求 10至 15中任一项所述的系统, 其特征在于, 所述第一种子密钥与 所述动态口令牌中生成交易所使用的动态口令的种子密钥不同。 16. The system according to any one of claims 10 to 15, characterized in that the first seed key is different from the seed key in the dynamic password token used to generate the dynamic password used in the transaction.
17、 根据权利要求 10至 16中任一项所述的系统, 其特征在于, 所述第一信息还包括 以下至少之一: 所述动态口令牌的产品序列号、 随机数和时间。 17. The system according to any one of claims 10 to 16, characterized in that the first information also includes at least one of the following: the product serial number, random number and time of the dynamic password token.
18、 根据权利要求 14至 17中任一项所述的系统, 其特征在于, 所述第二信息包括的 内容与所述第一信息包括的内容是对应的。 18. The system according to any one of claims 14 to 17, characterized in that the content included in the second information corresponds to the content included in the first information.
19、 一种计算机存储介质, 其特征在于, 包括计算机指令, 当所述计算机指令被执行 时, 使得: 19. A computer storage medium, characterized in that it includes computer instructions that, when executed, cause:
动态口令牌接收身份验证指令, 根据第一信息计算第一验证值, 并输出所述第一验证 值, 其中, 所述第一信息至少包括用于验证所述动态口令牌身份的第一种子密钥, 所述第 一种子密钥是预先设置在所述动态口令牌中的; The dynamic password token receives the identity verification instruction, calculates a first verification value based on the first information, and outputs the first verification value, wherein the first information at least includes a first seed password used to verify the identity of the dynamic password token. key, the first seed key is preset in the dynamic password token;
与所述动态口令牌对应的验证装置获取所述第一验证值,对所述第一验证值进行验证, 并输出验证结果。 The verification device corresponding to the dynamic password token obtains the first verification value, verifies the first verification value, and outputs the verification result.
PCT/CN2014/081697 2013-08-09 2014-07-04 Method and system for verifying identity of dynamic password token WO2015018249A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310345514.6 2013-08-09
CN201310345514.6A CN103427996B (en) 2013-08-09 2013-08-09 A kind of verification method of e-token identity and system

Publications (1)

Publication Number Publication Date
WO2015018249A1 true WO2015018249A1 (en) 2015-02-12

Family

ID=49652204

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/081697 WO2015018249A1 (en) 2013-08-09 2014-07-04 Method and system for verifying identity of dynamic password token

Country Status (3)

Country Link
CN (1) CN103427996B (en)
HK (1) HK1190522A1 (en)
WO (1) WO2015018249A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161004A (en) * 2015-03-31 2016-11-23 上海复旦微电子集团股份有限公司 The side channel energy of a kind of HMAC-SM3 cryptographic algorithm analyzes method and device
CN106161001A (en) * 2015-03-31 2016-11-23 上海复旦微电子集团股份有限公司 The side channel energy of HMAC-SM3 cryptographic algorithm analyzes method and device
CN111447016A (en) * 2020-04-02 2020-07-24 上海创远仪器技术股份有限公司 Method for realizing correctness verification processing aiming at channel model of channel simulator
US11044244B2 (en) 2018-09-18 2021-06-22 Allstate Insurance Company Authenticating devices via one or more pseudorandom sequences and one or more tokens

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103427996B (en) * 2013-08-09 2016-04-06 天地融科技股份有限公司 A kind of verification method of e-token identity and system
CN104113417B (en) * 2014-07-14 2018-11-06 上海众人网络安全技术有限公司 A kind of dynamic password identity authentication method and system based on NFC
CN104268458B (en) * 2014-09-23 2018-01-26 潍柴动力股份有限公司 A kind of vehicle program encryption verification method and encryption, checking device
CN104506321B (en) * 2014-12-15 2017-12-19 飞天诚信科技股份有限公司 A kind of method of seed data in renewal dynamic token
CN106161029B (en) * 2015-04-20 2019-12-03 阿里巴巴集团控股有限公司 Dynamic token control method and device
CN105631675B (en) * 2015-11-30 2019-06-11 东莞酷派软件技术有限公司 Information acquisition method and device, terminal
CN112039676A (en) * 2020-09-01 2020-12-04 中国银行股份有限公司 Token dynamic verification code safety generation method, device and equipment
CN113285948A (en) * 2021-05-21 2021-08-20 中国电信股份有限公司 Reverse dynamic password authentication method, device, medium and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101719826A (en) * 2009-05-13 2010-06-02 北京宏基恒信科技有限责任公司 Dynamic token having function of updating seed key and updating method for seed key thereof
CN102255917A (en) * 2011-08-15 2011-11-23 北京宏基恒信科技有限责任公司 Method, system and device for updating and synchronizing keys of dynamic token
CN102307193A (en) * 2011-08-22 2012-01-04 北京宏基恒信科技有限责任公司 Key updating and synchronizing method, system and device for dynamic token
CN103427996A (en) * 2013-08-09 2013-12-04 天地融科技股份有限公司 Method and system for verifying e-token identity

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101051908B (en) * 2007-05-21 2011-05-18 北京飞天诚信科技有限公司 Dynamic cipher certifying system and method
CN101651675B (en) * 2009-08-27 2015-09-23 飞天诚信科技股份有限公司 By the method and system that authentication code is verified client

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101719826A (en) * 2009-05-13 2010-06-02 北京宏基恒信科技有限责任公司 Dynamic token having function of updating seed key and updating method for seed key thereof
CN102255917A (en) * 2011-08-15 2011-11-23 北京宏基恒信科技有限责任公司 Method, system and device for updating and synchronizing keys of dynamic token
CN102307193A (en) * 2011-08-22 2012-01-04 北京宏基恒信科技有限责任公司 Key updating and synchronizing method, system and device for dynamic token
CN103427996A (en) * 2013-08-09 2013-12-04 天地融科技股份有限公司 Method and system for verifying e-token identity

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161004A (en) * 2015-03-31 2016-11-23 上海复旦微电子集团股份有限公司 The side channel energy of a kind of HMAC-SM3 cryptographic algorithm analyzes method and device
CN106161001A (en) * 2015-03-31 2016-11-23 上海复旦微电子集团股份有限公司 The side channel energy of HMAC-SM3 cryptographic algorithm analyzes method and device
CN106161001B (en) * 2015-03-31 2019-03-26 上海复旦微电子集团股份有限公司 The side channel energy analysis method and device of HMAC-SM3 cryptographic algorithm
CN106161004B (en) * 2015-03-31 2019-03-26 上海复旦微电子集团股份有限公司 A kind of the side channel energy analysis method and device of HMAC-SM3 cryptographic algorithm
US11044244B2 (en) 2018-09-18 2021-06-22 Allstate Insurance Company Authenticating devices via one or more pseudorandom sequences and one or more tokens
US11811754B2 (en) 2018-09-18 2023-11-07 Allstate Insurance Company Authenticating devices via tokens and verification computing devices
CN111447016A (en) * 2020-04-02 2020-07-24 上海创远仪器技术股份有限公司 Method for realizing correctness verification processing aiming at channel model of channel simulator
CN111447016B (en) * 2020-04-02 2022-06-21 上海创远仪器技术股份有限公司 Method for realizing correctness verification processing aiming at channel model of channel simulator

Also Published As

Publication number Publication date
HK1190522A1 (en) 2014-07-04
CN103427996B (en) 2016-04-06
CN103427996A (en) 2013-12-04

Similar Documents

Publication Publication Date Title
WO2015018249A1 (en) Method and system for verifying identity of dynamic password token
JP6992105B2 (en) Query system and method for determining authentication capability
US10404754B2 (en) Query system and method to determine authentication capabilities
CN110741370B (en) Biometric authentication with user input
KR102144528B1 (en) An authentication apparatus with a bluetooth interface
US9015482B2 (en) System and method for efficiently enrolling, registering, and authenticating with multiple authentication devices
US9219732B2 (en) System and method for processing random challenges within an authentication framework
US9083689B2 (en) System and method for implementing privacy classes within an authentication framework
WO2014161438A1 (en) Dynamic password token, and data transmission method and system for dynamic password token
EP3676746B1 (en) A system and a method for signing transactions using airgapped private keys
US20180007037A1 (en) Transaction-specific shared secret in one-time password device
AU2016385445A1 (en) Secure device pairing
WO2015058596A1 (en) Dynamic password generation method and system, and transaction request processing method and system
WO2014161436A1 (en) Electronic signature token, and method and system for electronic signature token to respond to operation request
US10021092B1 (en) Systems and methods for device authentication
WO2019047148A1 (en) Password verification method, terminal, and computer readable storage medium
KR20200050813A (en) Payment method using biometric authentication and electronic device thereof
WO2015000332A1 (en) Signature data transmission method and electronic signature token
KR20180034199A (en) Unified login method and system based on single sign on service

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14834330

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14834330

Country of ref document: EP

Kind code of ref document: A1