WO2015085809A1 - Mobile payment security system with wireless data private network physically isolated from internet - Google Patents

Info

Publication number
WO2015085809A1
Authority
WO
WIPO (PCT)
Prior art keywords
mobile
internet
payment
network
mobile terminal
Application number
PCT/CN2014/087307
Other languages
French (fr)
Chinese (zh)
Inventor
朱雄关
刘晓岩
Original Assignee
成都达信通通讯设备有限公司
Application filed by 成都达信通通讯设备有限公司
Publication of WO2015085809A1

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
          • G06Q 20/00 Payment architectures, schemes or protocols
            • G06Q 20/38 Payment protocols; Details thereof
              • G06Q 20/42 Confirmation, e.g. check or permission by the legal debtor of payment
                • G06Q 20/425 Confirmation using two different networks, one for transaction and one for security confirmation
            • G06Q 20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
              • G06Q 20/32 Payment architectures, schemes or protocols characterised by the use of wireless devices
                • G06Q 20/322 Aspects of commerce using mobile devices [M-devices]
                  • G06Q 20/3229 Use of the SIM of a M-device as secure element
                • G06Q 20/325 Payment architectures, schemes or protocols using wireless devices and wireless networks
                • G06Q 20/326 Payment applications installed on the mobile devices
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/03 Protecting confidentiality, e.g. by encryption
            • H04W 12/06 Authentication
              • H04W 12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
            • H04W 12/10 Integrity
              • H04W 12/102 Route integrity, e.g. using trusted paths
            • H04W 12/12 Detection or prevention of fraud
              • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
            • H04W 12/30 Security of mobile devices; Security of mobile applications
              • H04W 12/35 Protecting application or service provisioning, e.g. securing SIM application provisioning
            • H04W 12/40 Security arrangements using identity modules
              • H04W 12/47 Security arrangements using identity modules using near field communication [NFC] or radio frequency identification [RFID] modules
            • H04W 12/60 Context-dependent security
              • H04W 12/69 Identity-dependent
                • H04W 12/72 Subscriber identity
                • H04W 12/77 Graphical identity

Definitions

  • The invention relates to a mobile payment security application system built on a wireless data private network that is physically isolated from the Internet, which ensures information and transaction security, and to a system on the mobile terminal for switching between the Internet access channel and the secure payment application channel.
  • Mobile payment combines the mobile network with the financial system: it uses the mobile communication network as the tool and means of payment, providing customers with financial services such as commodity trading, payment and bank account management.
  • The mobile payment system establishes a payment account bound to the mobile phone number for each mobile phone customer, and the customer can transfer and pay cash through the mobile phone.
  • The mobile terminal used for mobile payment may be a mobile phone, a PDA (Personal Digital Assistant), a mobile PC (Personal Computer) or the like, and the access methods include mobile phone short message, interactive voice response, WAP (Wireless Application Protocol) and others.
  • The whole system consists of consumers, commercial organizations, payment platform operators, banks, mobile operators and other links.
  • The main principle is to build a mobile data value-added service on the mobile operation support platform and to treat the customer's mobile phone number as an associated payment account, enabling mobile customers to perform identity verification and transaction activities via their mobile phones.
  • The main methods are voice, STK and WEB.
  • Mobile payment is mainly divided into near-field payment and remote payment.
  • So-called near-field payment uses the mobile phone as a swipe card to buy a car, to buy things and so on, which is very convenient.
  • Remote payment means payment by sending payment instructions (such as online banking, telephone banking, mobile payment, etc.) or by payment tools (such as mailing or remittance); the "palm" (mobile) e-commerce, palm recharge and palm video services are remote payment.
  • The current payment standards are not uniform, which causes a lot of confusion for the related promotion work.
  • Near-field payment uses radio frequency, infrared or Bluetooth technology to realize communication and information exchange between the mobile phone and other intelligent terminals, and then completes the transaction payment.
  • The specific implementation techniques are as follows:
  • Infrared and Bluetooth: the former has low cost and is not easily interfered with; the latter has a long transmission distance and its signal has no directivity.
  • Radio Frequency Identification (RFID) technology has high security, high speed and large storage capacity, but its infrastructure investment, cost and terminal requirements are high.
  • Remote payment uses the wireless network to send a transaction request through the mobile phone to a merchant that provides a certain commodity (or service), and completes the transaction payment.
  • The specific implementation techniques are as follows:
  • IVR: Interactive Voice Response technology
  • SMS: Short Message Service
  • USSD: Unstructured Supplementary Service Data technology
  • WAP: Wireless Application Protocol
  • K-Java/BREW: J2ME / Binary Runtime Environment for Wireless
  • Identity authentication technology is used to authenticate the parties to the transaction, and digital signature technology is used to realize the confidentiality of the information.
  • To ensure the security of data transmission in the network during the transaction process, the mobile payment system must establish a complete network security mechanism, including a firewall system and a virus prevention system.
  • The system adopts a dual-network networking structure to prevent single-point equipment and link failures and to ensure the smooth flow of the entire network; hardware double backup, redundancy and load sharing mechanisms, and a data transmission security mechanism; and network segment isolation for each bank, mobile communication network element and other entity connected to the system, so that the different networks interconnect with the mobile payment system.
  • The prior-art transaction security mechanism authenticates the user identity through the mobile payment service account-opening process and establishes a binding relationship between the user identity and the mobile phone number; the mobile operator ensures the authentication of the user's mobile phone and the legality of the subscription relationship.
  • The commercial organization or payment platform operator is required to issue a reversal request to cancel an incomplete transaction operation.
  • The mobile payment center is deployed behind the firewall of the IP (Internet Protocol)-based mobile operator network; a control mechanism is set, a payment limit is set, and account controls are implemented.
  • Security management: implement a security module covering the encryption algorithm, key length, secure key exchange, key update time, signature algorithm, etc.; implement a security audit trail of transaction records, so that when a dispute occurs, complete, accurate and credible transaction records can be checked.
  • WEB and WAP page security: check whether the system adopts login anti-brute-force measures, whether it provides security controls, digital certificates and an independent payment password, whether the pages are protected against SQL (Structured Query Language) injection, cross-site scripting, source code exposure and hacking, and whether tamper-proof and anti-phishing measures are in place;
  • Coding security: whether the system source code and plug-ins have been checked for security (check the review report), whether a coding specification constrains the system, and whether source code and versions are effectively managed (check the management system);
  • Electronic authentication application: whether third-party electronic certification authority certificates are used for internal and external business and key business, whether valid electronic signatures are used, and whether the server certificate private key is effectively protected;
  • Offline data authentication: check whether keys and certificates that meet business requirements, static data authentication and dynamic data authentication are used.
  • Security packet: check whether the packet format meets the requirements, verify the integrity and privacy of the packet, and check how the key is managed.
  • Card security: check the security of the card, whether the key is independent, the internal security system of the card, the types of key in the card, and the storage of the key and the personal identification number, etc.
  • Terminal security: review the security requirements of the terminal data and equipment, as well as the key management requirements, and check whether the application terminal strictly implements them as required;
  • Key management system: check how the certificate authority public key, the card issuer public key and the card issuer symmetric key are managed;
  • Approved algorithms: which symmetric encryption algorithm, asymmetric encryption algorithm or hash algorithm the system uses, what functions these algorithms serve in the system, and check the corresponding system functions;
  • Client program security: how client applications and configuration files are protected, check whether their version is up to date, and ensure the security of the login password and payment password.
  • APN: Access Point Name
  • GPRS: General Packet Radio Service
  • APN as a route identifier: the GPRS serving support node (SGSN) queries the Domain Name System (DNS) server for the GGSN IP address corresponding to the APN, to determine the GGSN that the user should access;
  • APN as a service domain identifier: the GGSN sends the user's service flow to different service domains according to the APN, and the different service domains correspond to different service bearer networking modes, user identity acquisition modes and charging modes.
  • The serving GPRS support node (SGSN) mainly performs routing and forwarding of packet data, mobility management, session management, logical link management, authentication and encryption, and CDR generation and output.
  • The SGSN connects to the wireless packet controller (PCU) through the Gb interface and performs mobile data management such as user identification, encryption and compression; through the Gr interface it connects to the HLR (Home Location Register) for user database access and access control; it also connects to the GGSN through the Gn interface to provide transmission paths and protocol conversion between IP data packets and the wireless unit; the SGSN can also provide a Gs interface connection to the MSC (Mobile Switching Center) and a Gd interface connection to the SMSC (Short Message Service Center) to support cooperation between data services, circuit services and text messaging.
  • MSC: Mobile Switching Center
  • SMSC: Short Message Service Center
  • The SGSN cooperates with the GGSN to jointly provide the PS (packet-switched) function of TD-SCDMA (WCDMA).
  • As a basic network element of the GPRS network, the SGSN is connected to the base station subsystem (BSS) through the Gb interface. Its main role is mobility management for the mobile stations (MS) in the SGSN service area and forwarding of incoming and outgoing IP packets, similar to the VMSC in the GSM circuit network.
  • The SGSN also integrates a VLR (Visitor Location Register) similar to that of the GSM network; when the user is in the GPRS Attach state, the SGSN stores user information and location information related to the packet service.
  • VLR: Visitor Location Register
  • When the SGSN is the PS-domain function node of the TD-SCDMA (WCDMA) core network, it connects to the UTRAN through the Iu_PS interface and mainly provides routing and forwarding, mobility management, session management, authentication and encryption for the PS domain.
  • The GGSN9811 mainly refers to two APNs, CMWAP and CMNET, which were the earliest provided by China Mobile and are currently the most widely used:
  • CMWAP and CMNET are two GPRS access channels defined by China Mobile. The former is set up for mobile WAP access, while the latter is mainly used for GPRS Internet access by PCs, laptops, PDAs and the like.
  • The CMWAP APN is mainly for HTTP (Hypertext Transfer Protocol)-based services, such as WAP Internet browsing, MMS and so on.
  • Through upgrading and configuration, the HTTP-based domain of the wireless application protocol has gradually evolved into the default service domain for most self-operated and cooperative services, providing users with MMS, PIM, streaming media, universal download, newsletters, music player, games and other services.
  • The CMWAP APN uses the WAP gateway as a proxy node for HTTP access and provides some auxiliary functions for users, such as free mobile phone number, content conversion and adaptive pre-judgment.
  • CMNET is an APN set up for open Internet access. Users can access the Internet with any protocol, without any control or restriction policy, but no other auxiliary functions are provided.
  • The mobile terminal accesses the GGSN through the SGSN, and the service data stream passes through the firewall corresponding to the GGSN and is translated onto the Internet by NAT (Network Address Translation).
  • NAT: Network Address Translation
  • VPDN is the abbreviation of Virtual Private Dialup Network. It is a virtual private dial-up network service for dial-up users; it can establish a secure virtual private network by using the bearer functions of IP and other networks combined with the corresponding authentication and authorization mechanisms.
  • The VPDN business is primarily for enterprises and government administration. After an enterprise applies for the service, it only needs to connect its intranet to the Internet through a dedicated line. Users can dial the VPDN service anywhere in the country to enter the virtual private network and securely access the information resources they need. The enterprise can easily and flexibly perform operations such as opening accounts, cancelling accounts and setting user rights for the dial-up users.
  • The VPDN networks built by the operator are of two types: the fixed-network VPDN and the wireless VPDN.
  • The physical locations of the two VPDN networks are different.
  • The fixed-network VPDN is located on the Internet and can be accessed by all terminals;
  • the wireless VPDN is located in the operator's wireless data network, which is isolated from the Internet and cannot be accessed through the WiFi network; when the mobile terminal connects to the wireless VPDN network, it must first connect to the carrying APN channel.
  • The APN network carried by the wireless VPDN cannot be accessed by users of other APN networks or networking channels.
  • The wireless VPDN network is a virtual private network built on the APN network.
  • The connection process of the wireless VPDN network is to first connect the APN channel carrying the VPDN network, then perform VPDN dialing to establish the VPDN network.
  • The networking parameters of the VPDN network include the networking parameters of the carrying APN network and the networking parameters of the VPDN.
  • The mobile terminal can only connect to the VPDN network; this is a limitation of the routing management implemented in the operating system's network management.
  • Simultaneous APN and VPDN networking can be achieved by modifying the routing table of the mobile terminal operating system; the networked APN must be the APN network carried by the VPDN.
  • Since the VPDN network is not physically isolated but isolated in software, its security is lower than that of the APN network.
  • The security of the VPDN network depends on the security of the APN network that carries it: if the carrying APN network is physically isolated from the Internet, the VPDN network is secure.
  • Whether through the browser or the application API interface, the current mobile terminal operating system only provides a single-channel Internet access mode.
  • The intelligent system of the mobile terminal lacks an interface for automatically switching between different channels for different business applications, which brings inconvenience.
  • How to rely on the public network to realize secure communication and data exchange between mobile terminals and bank intranets has become an urgent problem for major enterprises.
  • Remote access usually involves three parts: the access terminal, the access channel and the intranet application. Lack of protection for any of these three parts brings security risks to the entire remote access process.
  • The traditional virtual-private-network-based mobile terminal access scheme focuses on establishing a secure transmission channel; although this provides some guarantee of secure data transmission, it cannot meet the need of mobile payment to browse goods on the Internet, and cannot satisfy the requirement that the mobile user both accesses the Internet and transacts securely.
  • The traditional bank payment model includes bank card and UKEY payment systems, all of which use a three-in-one binding of account, password and bank card or UKEY, which can ensure the uniqueness of payment.
  • The current Internet payment system basically uses the short message dynamic code as the confirmation information; the short message dynamic code has a certain validity period, so a phishing website can make a payment through another terminal after stealing the user's dynamic code, which creates a security risk for the account.
  • The purpose of the present invention is to provide a security application guarantee for the mobile payment networks, systems and mobile terminals of the prior art, to provide strong interaction and to evade Internet intrusion into the network and the system.
  • The payment information is not easily stolen by a Trojan horse.
  • The data transmission of the intranet application system is safe and reliable and does not affect Internet access, and copying of the SIM card can be prevented by the four-in-one binding of the account, the mobile phone number, the IMSI (International Mobile Subscriber Identity) number and the password.
  • The result is a mobile payment security system on a wireless data private network physically isolated from the Internet, bound by the four-in-one password.
  • A mobile payment security system on a wireless data private network physically isolated from the Internet includes a payment server, a mobile phone number authentication device, a password authentication device and a GSN mobile network gateway device.
  • It is characterized in that the application system including the payment server and the authentication devices is built in a mobile payment security data network isolated from the Internet; the mobile payment security data network is linked to the GSN mobile gateway through an APN network or VPDN network isolated from the Internet; the payment server establishes a four-in-one binding of the account, the mobile phone number, the IMSI number and the password, with multiple authentication through the password authentication device and the mobile phone number authentication device; and when the mobile terminal connects to the network, the Internet access channel is automatically turned off, and after the physical isolation from the Internet succeeds, graphic verification code information is exchanged between the base station and the mobile payment server.
  • In the system model using the mobile phone number binding function, the mobile phone turns off the Internet access channel, and the networked mobile payment security network establishes communication with the mobile phone number authentication device.
  • The GGSN or SGSN first links the mobile network gateway GSN through the access point name (APN) leased line and/or the virtual private dial-up network (VPDN) dedicated line; the international mobile subscriber identity (IMSI) stored in the user's SIM card is sent to the mobile phone number authentication device as the calling-number parameter of the digital call paging request, the mobile phone number authentication device performs the IMSI authentication and the account address binding, and communication with the password authentication device and the payment server then follows.
  • The mode of password authentication includes a numeric password or a biometric password.
  • A mobile secure payment system model using graphic verification code authentication includes a mobile terminal, a dedicated data channel, an authentication device and a payment server.
  • The payment server sends a random, secure graphic verification code as a transaction label, which is submitted in the mobile terminal's payment request; a new graphic verification code is used for each successive transaction so that the verification code cannot be copied.
  • The mobile terminal uses a dedicated browser to implement the system model for automatic switching of the networking channel; the dedicated browser networking channel automatic switching system model includes an embedded channel switching program.
  • A dedicated browser or client and application embedded with the channel switching program monitors the pages, services and functions used by the user; when the mobile payment service needs to be used, the browser or the client and application call the embedded channel switching program, which sends a channel switching command and connects to the network through the mobile terminal networking subsystem, either to the Internet or to the mobile secure payment data network.
  • After the embedded channel switching program receives the command from the dedicated browser or client and application, it closes the current network connection, modifies the networking parameters of the mobile terminal to the APN or VPDN networking parameters specified or preset by the browser or the client and application, and initiates a request to the mobile terminal networking subsystem to connect to the mobile payment security data network. If networking succeeds, a success message is fed back to the browser or the client and application; if networking fails, a failure message is fed back.
  • The mobile payment security data network channel is used to exchange information with the mobile payment security system; after the browser or the client and application end the mobile payment service, the embedded channel switching program is called to switch the mobile terminal networking channel back to the Internet access channel.
  • The mobile terminal uses a channel switching module embedded in the mobile terminal to implement the system model for automatically switching the networking channel.
  • The network channel automatic switching system model includes an application layer and a mobile terminal operating system; the mobile terminal operating system includes a channel switching module and a mobile terminal networking subsystem.
  • The application layer includes a browser, a browser plug-in, a client or an application.
  • The application layer links the channel switching module through an application programming interface (API), and the channel switching module is connected to the mobile terminal operating system.
  • The mobile terminal uses independent channel switching software to implement the system model for automatically switching the networking channel; the independent channel switching software networking channel automatic switching system model includes the application layer, the channel switching program software and the mobile terminal operating system.
  • The application layer comprises a browser, a browser plug-in or a client and an application; the mobile terminal operating system comprises a mobile terminal networking subsystem; the application layer links the channel switching software through an application programming interface (API), and the channel switching software links the mobile terminal networking subsystem to exchange data with the mobile terminal operating system.
  • When the channel switching software is started, it resides in memory, provides an application programming interface (API) to the application layer, and performs channel switching operations according to the application layer's instructions; the application layer invokes the activated channel switching software through the API to switch between different networking channels; after the channel switching software exits memory, the API in memory disappears.
  • The application layer meets different requirements and needs to switch the networking channel to satisfy the secure switching requirements of the different services of network service and secure payment;
  • a wireless data private network physically separated from the Internet is used to provide a mobile secure payment system constructed by mobile phone number authentication and password authentication, and provides a mobile terminal to automatically switch between the Internet access channel and the dedicated payment secure channel.
  • Methods. Completely eliminate the intrusion from the Internet and secure mobile payment through dual security certification.
  • the mobile terminal includes a mobile terminal application layer of a browser, a client or an application software to monitor a webpage, a service and a function used by the user, and a browser plug-in or a client and an application embedded by the embedded channel when the payment service is required.
  • the channel switching module performs the switching of the networked channel to ensure that the mobile terminal is uniquely connected to the dedicated mobile secure payment data network during the payment operation, thereby ensuring the security of the mobile payment system.
  • the present invention uses a dedicated mobile data network physically isolated from the Internet, including APN or VPDN data channels to secure information and data security of the application system.
  • Three-level deep protection of the mobile terminal's secure access is realized from three aspects: the access terminal, the secure transmission channel and the protection of the intranet application system. This improves the security of the terminal, ensures access security at the source, and provides high-strength secure data transmission: the channel ensures the security of the data transmission process, and the secure access control technology ensures the security of the intranet application system.
  • The invention builds an application system including an application server and an authentication device in a mobile payment security data network isolated from the Internet; dual authentication by mobile phone number authentication and password authentication binds the mobile phone number, the IMSI number, the bank account and the password.
  • The mobile payment security data network connects to the gateway GPRS support node (GGSN) of the mobile network using an APN or VPDN line isolated from the Internet, ensuring physical isolation from the Internet while allowing information interaction with the mobile terminal;
  • Mobile payment uses a graphic verification code to ensure that transaction and payment information is not stolen by a Trojan.
  • The mobile secure payment system uses the mobile phone number and the password for dual authentication. Keeping the mobile phone number and the password separate avoids the risk posed by a copied SIM card, and ensures the unique binding relationship between the account, the mobile phone number, the IMSI, the password and the payment;
  • the browser, client or application on the mobile terminal can switch the networking channel according to different applications.
  • This connection mode avoids a direct connection between the private data network and the Internet, thereby completely avoiding intrusion from the Internet, while ensuring that the mobile terminal's Internet access is not affected; it meets the technical need for the mobile terminal to switch channels when using different applications for browsing, shopping and payment.
  • FIG. 1 is a schematic diagram of the model of the mobile payment security system with a wireless data private network physically isolated from the Internet according to the present invention;
  • FIG. 2 is a schematic diagram of a system model for automatically switching a different channel networking interface by a mobile terminal of the present invention using a dedicated browser;
  • FIG. 3 is a schematic diagram of a system model of a mobile terminal of the present invention automatically switching different channel networking interfaces using a universal browser;
  • FIG. 4 is a schematic diagram of a system model for a mobile terminal to automatically switch between different channel networking interfaces by using an embedded channel switching program module;
  • FIG. 5 is a schematic diagram of a system model in which a mobile terminal automatically switches between different channel networking interfaces using an independent channel switching procedure.
  • The mobile payment security system with a wireless data private network physically isolated from the Internet includes a payment server, a mobile phone number authentication device, a password authentication device and a mobile payment security data network, the latter linked to an APN or VPDN network that is isolated from the Internet and connected to the GSN gateway.
  • The application system, including the payment server and the authentication devices, is built in a mobile payment security data network isolated from the Internet. Through the password authentication device and the mobile phone number authentication device, the payment server establishes a four-in-one multi-authentication mode binding the account, the mobile phone number, the IMSI number and the password. The mobile network gateway GSN is connected via the access point name (APN) private line and/or the virtual private dial-up network (VPDN) private line of the mobile payment security data network. When using the mobile payment service, the mobile terminal automatically closes the Internet access channel and connects to the mobile payment security network; after the physically isolated connection succeeds, graphic verification code information is exchanged with the mobile payment server through the base station. Throughout the mobile payment operation the mobile terminal remains uniquely connected to the secure payment data network of the wireless data private network.
  • The GGSN (Gateway GPRS Support Node) functions mainly as a gateway. It can be connected to a variety of different data networks, such as ISDN (Integrated Services Digital Network) and PSPDN (Packet Switched Public Data Network); the GGSN is therefore also called a GPRS router.
  • the GGSN can perform protocol conversion on GPRS packet data packets in the GSM network, so that these packet data packets can be transmitted to a remote TCP/IP or X.25 network.
  • SGSN is the abbreviation of Serving GPRS Support Node; it is used in WCDMA and TD-SCDMA GPRS networks, and mainly performs packet forwarding, mobility management, session management, logical link management, authentication and encryption, billing record generation and output, and other functions.
  • The SGSN is the GPRS serving support node. It connects to the packet control unit (PCU) through the Gb interface and performs mobile data management such as user identification, encryption and compression; it connects to the HLR through the Gr interface for access to, and access control of, the user database; it connects to the GGSN through the Gn interface, providing the transmission path and protocol conversion between IP data packets and the radio unit; it can also connect to the MSC through the Gs interface and to the SMSC through the Gd interface, to support the cooperation of data services with circuit services and the sending and receiving of text messages.
  • The GGSN and the SGSN (collectively, GSNs) listen for GTP-C packets on UDP port 2123 and for GTP-U packets on UDP port 2152.
  • the connection mode described in the above embodiment can avoid the direct connection of the private data network to the Internet, thereby completely avoiding the intrusion from the Internet.
  • Embodiment 2 Mobile phone number binding account function
  • The system model of the mobile phone number binding account function with the wireless data private network physically isolated from the Internet includes, in sequence, the GSN device and the mobile phone number authentication device.
  • The mobile phone closes the Internet access channel, connects to the mobile payment security network and establishes a communication tunnel with the mobile phone number authentication device.
  • The mobile phone sends the time-domain session (a session being the time interval during which an end user communicates with the interactive system, usually the time elapsed between registration and entry into the system). The GGSN or SGSN first links the mobile network gateway GSN via the access point name (APN) line and/or the virtual private dial-up network (VPDN) private line, and automatically passes the international mobile subscriber identity (IMSI) stored in the SIM card, as the calling-number parameter of the digital call paging request, to the mobile phone number authentication device. The mobile phone number authentication device implements IMSI authentication and binding to the user account address, and then communicates with the payment server via the password authentication device.
  • When the mobile phone number authentication device server receives the payment request sent by the mobile terminal client, it extracts the user name, compares the IMSI number carried in the digital calling-number sent by the GSN with the IMSI number stored in the mobile phone number authentication device under its binding to the account address, and passes authentication on a match, thereby realizing the binding of the mobile phone number to the user account address.
  • The IMSI number used for mobile phone number authentication comes from the underlying access information of the mobile phone chip; it is the SIM card authentication information of the mobile phone at the GGSN or SGSN and has nothing to do with the application layer communication of the mobile terminal.
  • The IMSI is the unique mobile subscriber identity code across the whole network and worldwide; it is the one value that uniquely identifies a mobile subscriber.
  • SIM card authentication belongs to the underlying hardware communication layer of the mobile terminal; it is built entirely into the chip hardware and cannot be modified by software. Using this authentication mode effectively blocks false registrations by Trojans, viruses or hackers.
  • Embodiment 3 Password Authentication Mode
  • Password authentication may use a digital password, or a biometric password such as a fingerprint, face or pupil. It may take a single form, such as a number, or a superposition of several forms, such as a number plus a fingerprint.
  • Embodiment 4 Graphic verification code
  • a mobile secure payment system model using a graphic verification code authentication includes a mobile terminal, a dedicated data channel, an authentication device, and a payment server.
  • The payment server sends a random secure graphic verification code as the transaction label, which is submitted with the mobile terminal's payment request; the randomness ensures that the verification code cannot be copied.
  • Using a random and secure graphical verification code can effectively avoid the invasion of the system by Trojans or viruses.
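The four-in-one check of Embodiments 2 to 4 (IMSI reported by the GSN compared against the binding, password as an independent second factor, single-use random verification code as the transaction label), as an added example that is not part of the patent; the account, phone number, IMSI and salt values are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed demo salt; a deployment would use a per-user random salt.
_SALT = b"constructed-demo-salt"


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash so the stored password is never kept in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed binding table: account <-> phone number <-> IMSI <-> password.
BINDINGS = {
    "alice": {
        "msisdn": "13800000001",          # constructed phone number
        "imsi": "460000000000001",        # constructed IMSI
        "pw_hash": _pw_hash("correct horse", _SALT),
    },
}


class AuthenticationDevice:
    """Models the phone-number and password authentication devices together
    with the payment server's single-use graphic verification code."""

    def __init__(self, bindings):
        self._bindings = bindings
        self._labels = {}  # account -> outstanding verification code

    def issue_verification_code(self, account: str) -> str:
        """Payment server step: generate a random label and remember it."""
        code = secrets.token_hex(8)
        self._labels[account] = code
        return code

    def authenticate(self, account, network_imsi, password, code):
        """Return (ok, reason). network_imsi is the IMSI as reported by the
        GSN signalling path, never a value supplied by the application layer."""
        binding = self._bindings.get(account)
        if binding is None:
            return False, "unknown account"
        # Mobile phone number authentication: the IMSI seen by the network
        # must equal the IMSI bound to the account.
        if not hmac.compare_digest(binding["imsi"], network_imsi):
            return False, "imsi mismatch"
        # Password authentication: second factor independent of the SIM, so a
        # copied SIM alone is not enough.
        if not hmac.compare_digest(binding["pw_hash"], _pw_hash(password, _SALT)):
            return False, "bad password"
        # Graphic verification code: must match the outstanding label and is
        # consumed on use, so a replayed request with the same label fails.
        expected = self._labels.pop(account, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return False, "bad or reused verification code"
        return True, "ok"
```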
  • The mobile terminal switches the networking channel between two different applications, Internet access and mobile payment, using one of the following four system modes:
  • Embodiment 5 Dedicated browser switching mode
  • The mobile terminal uses a dedicated browser to realize the system model for automatic switching of the networking channel. The dedicated browser networking channel automatic switching system model includes a dedicated browser, and/or a client and application, with an embedded channel switching program, together with the mobile terminal networking subsystem. The dedicated browser or the client and application with the embedded channel switching program connects, through the networking channel of the mobile terminal networking subsystem, to either the Internet or the mobile secure payment data network.
  • The dedicated browser or the client and application with the embedded channel switching program monitors the pages, services and functions used by the user; when a payment service is required, the browser or the client and application calls the embedded channel switching program.
  • After receiving the command from the dedicated browser or the client and application, the embedded channel switching program closes the current network connection, modifies the mobile terminal's networking parameters to the APN or VPDN parameters specified or preset by the browser or the client and application, and initiates a request to the mobile terminal networking subsystem to connect to the mobile payment security data network. If networking succeeds, a success message is fed back to the browser or the client and application; if it fails, a failure message is fed back.
  • After receiving the success message, the dedicated browser or the client and application uses the mobile payment security data network channel to exchange information with the mobile payment security system; after it ends the mobile payment service, it calls the embedded channel switching program to switch the mobile terminal's networking channel back to the Internet access channel.
  • the mobile terminal networking subsystem refers to a software and hardware system including functions such as storage and modification of network parameters of the mobile terminal, network management, and networking operations.
  • Embodiment 6 Generic Browser Plugin Mode
  • The mobile terminal uses a universal browser plug-in to realize the system model for automatic switching of the networking channel. The universal browser plug-in networking channel automatic switching system model includes a universal browser with an embedded channel switching plug-in and the mobile terminal networking subsystem; the universal browser with the embedded channel switching plug-in connects, through the mobile terminal networking subsystem, to either the Internet or the mobile secure payment data network.
  • the universal browser monitors the pages, services, and functions used by the user.
  • When a payment service is required, the browser invokes the embedded channel switching plug-in and sends a channel switching command. After receiving the command from the universal browser, the embedded channel switching plug-in closes the current network connection, modifies the mobile terminal's networking parameters to the APN or VPDN networking parameters specified or preset by the browser, and initiates a request to the mobile terminal networking subsystem to connect to the mobile payment security data network. If networking succeeds, the plug-in feeds back a success message to the browser; if it fails, a failure message is fed back to the browser.
  • After receiving the networking success message, the universal browser uses the mobile payment security data network channel to exchange information with the mobile payment security system; after the universal browser completes the mobile payment service, it invokes the embedded channel switching plug-in to switch the mobile terminal's networking channel back to the Internet access channel.
  • Embodiment 7 Embedded channel switching module mode
  • The mobile terminal uses a channel switching module built into the mobile terminal to realize the system model for automatic switching of the networking channel; this networking channel automatic switching system model includes an application layer and the mobile terminal operating system.
  • the mobile terminal operating system includes a channel switching module and a mobile terminal networking subsystem;
  • the application layer includes a browser, a browser plug-in, a client or an application;
  • the application layer links to the channel switching module through an application programming interface (API);
  • the channel switching module is connected to the mobile terminal networking subsystem.
  • the channel switching module is a module built in the mobile terminal operating system and linked with the mobile terminal networking subsystem to perform the channel switching operation function.
  • the application layer monitors the pages, services, and functions used by the user.
  • the channel switching plug-in is invoked to send a channel switching command.
  • the application layer uses the mobile payment security data network for information interaction.
  • the channel switching module is invoked to switch the networked channel back to the Internet access channel.
  • Embodiment 8 Independent channel switching software mode
  • The mobile terminal uses independent channel switching software to realize the system model for automatic switching of the networking channel. The independent channel switching software networking channel automatic switching system model includes the application layer, the channel switching software and the mobile terminal operating system, where the application layer comprises a browser, a browser plug-in or a client and application, and the mobile terminal operating system comprises the mobile terminal networking subsystem. The application layer links to the channel switching software through the application programming interface (API), and the channel switching software links to the mobile terminal networking subsystem to exchange data with the mobile terminal operating system.
  • The channel switching software is an application that must be started manually and is independent of the mobile terminal operating system. After it is started manually, it resides in memory, provides an API to the application layer, and performs channel switching operations according to the application layer's instructions; the application layer invokes the started channel switching software through the API to switch between different networking channels. After the channel switching software exits memory, the API it provided to the application layer disappears.
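The switching procedure shared by Embodiments 5 to 8 (close the current channel, bring up the preset payment APN, report success or failure, exchange data, then switch back), as an added example that is not the patent's or the applicant's code. It models the networking subsystem in software and generalizes the failure handling the text describes: the terminal is restored to the Internet channel when the private network cannot be reached and when the payment step raises an error. The APN name is a constructed placeholder.

```python
from dataclasses import dataclass, field
from typing import Optional

INTERNET = "internet"
PAYMENT_APN = "payment.apn.example"  # constructed APN name, not a real one


@dataclass
class NetworkingSubsystem:
    """Models the mobile terminal networking subsystem: it stores network
    parameters and keeps at most one connection up at a time."""
    active: Optional[str] = INTERNET
    reachable: set = field(default_factory=lambda: {INTERNET, PAYMENT_APN})
    log: list = field(default_factory=list)

    def disconnect(self) -> None:
        self.log.append(f"down {self.active}")
        self.active = None

    def connect(self, apn: str) -> bool:
        if apn not in self.reachable:  # e.g. no coverage for the private APN
            self.log.append(f"fail {apn}")
            return False
        self.active = apn
        self.log.append(f"up {apn}")
        return True


class ChannelSwitcher:
    """The embedded or stand-alone channel switching program of the patent."""

    def __init__(self, net: NetworkingSubsystem, payment_apn: str = PAYMENT_APN):
        self.net = net
        self.payment_apn = payment_apn

    def switch_to_payment(self) -> bool:
        # Close the current channel first so the Internet and the private
        # network are never up together, then bring up the preset APN.
        self.net.disconnect()
        ok = self.net.connect(self.payment_apn)
        if not ok:
            # Failure message: restore the Internet channel so the terminal
            # is not left offline.
            self.net.connect(INTERNET)
        return ok

    def switch_to_internet(self) -> bool:
        self.net.disconnect()
        return self.net.connect(INTERNET)


def run_payment(net: NetworkingSubsystem, do_payment) -> dict:
    """Application layer flow: switch, pay over the private channel, switch
    back. do_payment receives the name of the channel it is running on."""
    switcher = ChannelSwitcher(net)
    if not switcher.switch_to_payment():
        return {"status": "switch_failed", "channel": net.active}
    channel = net.active
    try:
        result = do_payment(channel)  # e.g. exchange the verification code
    finally:
        switcher.switch_to_internet()  # always restore, even on exceptions
    return {"status": result, "channel": channel}
```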
  • The mobile payment security application system may also be applied to mailboxes, OA (office automation) or other services or application systems with security requirements; the program may be stored in a storage medium readable by the mobile terminal.
  • Each module/unit of the terminal in the above embodiments may be implemented in the form of hardware or in the form of a software function module.
  • The present invention is not limited to any specific combination of hardware and software; all such combinations are intended to fall within the scope of the present invention.

Abstract

The present invention provides a mobile payment security system with a wireless data private network physically isolated from the Internet, aiming to provide a mobile payment security system that is highly interactive, prevents intrusion from the Internet, makes payment information hard to steal by a Trojan horse, transmits intranet data securely and reliably, does not affect Internet access and prevents a SIM card from being duplicated. The present invention is implemented through the following technical scheme: an application system comprising a payment server and authentication devices is constructed in a mobile payment secure data network isolated from the Internet; the mobile payment secure data network links to an APN network or a VPDN network that is isolated from the Internet and connected to a GSN mobile gateway; the payment server sets up four-in-one multi-authentication binding an account, a mobile number, an IMSI number and a password through a password authentication device and a mobile number authentication device; when connecting to the mobile payment secure data network, the Internet access channel is automatically shut off and, once physical isolation from the Internet has succeeded, graphic verification code information is exchanged with the mobile payment server through a base station.

Description

Mobile payment security system with wireless data private network physically isolated from the Internet
This application claims priority to Chinese Patent Application No. 201310660556.9, filed with the Chinese Patent Office on December 9, 2013 and titled "Mobile payment security system with wireless data private network physically isolated from the Internet", the entire contents of which are incorporated herein by reference.
Technical field
The invention relates to a mobile payment security application system built on a wireless data private network physically isolated from the Internet, which protects information and transaction security, and to a system on the mobile terminal for switching the networking channel between Internet access and the secure payment application.
Background
Mobile payment combines the mobile network with the financial system, using the mobile communication network as the tool and means of realizing payment, and provides customers with financial services such as commodity trading, bill payment and bank account management. The mobile payment system establishes, for each mobile phone customer, a payment account bound to the mobile phone number, and the customer can transfer and pay cash through the mobile phone. The mobile terminal used for mobile payment may be a mobile phone, a PDA (Personal Digital Assistant), a mobile PC (Personal Computer) or the like, and the means include SMS, interactive voice response, WAP (Wireless Application Protocol) and other methods. In the mobile payment industry, the whole system consists of consumers, commercial organizations, payment platform operators, banks, mobile operators and other links; the main principle is to build a mobile data value-added service on the mobile operation support platform and to treat the mobile customer's phone number as the associated payment account, so that the mobile customer can confirm identity and carry out transactions through the mobile phone. There are five main mobile payment access methods: the first uses SMS with STK (SIM Tool Kit); the second is voice, IVR (Interactive Voice Response); the third uses USSD (Unstructured Supplementary Service Data); the fourth is implemented with the WAP protocol; the fifth is implemented via the Web. At present the voice, STK and Web methods are mainly used. By transmission method, mobile payment is mainly divided into near-field payment and remote payment. Near-field payment means using the mobile phone like a swipe card to ride transit, buy goods and so on, which is very convenient. Remote payment means payment made by sending payment instructions (such as online banking, telephone banking, mobile phone payment, etc.) or by means of a payment tool (such as mail or remittance); the mobile e-commerce, mobile top-up and mobile video services launched by 掌中付 belong to remote payment. At present, payment standards are not unified, which causes much confusion in the related promotion work. Near-field payment uses radio frequency, infrared or Bluetooth technology to realize communication and information exchange between the mobile phone and other intelligent terminals and thereby complete the transaction payment. The specific implementation techniques are as follows:
(1) Infrared (IR, Infrared Radiation) and Bluetooth: the former is low-cost and not easily interfered with; the latter has a longer transmission range and its signal is non-directional.
(2) Radio Frequency Identification (RFID): high security, high speed and large storage capacity, but large infrastructure investment, high cost and demanding terminal requirements.
Remote payment uses the wireless network to send a transaction request from the mobile phone to a merchant offering a certain commodity (or service) and to complete the transaction payment. The specific implementation techniques are as follows:
(1) Interactive Voice Response (IVR): the payment is made by placing a call from the mobile phone. Stability and real-time performance are good, but the complicated operation takes a long time, communication costs are high and security is poor, so it is only suitable for small payments.
(2) Short Message Service (SMS): the payment is completed by sending a text message. It has a broad user base, low cost and easy operation, and works on ordinary mobile phones, but security is poor and the response time for sending and receiving messages cannot be guaranteed.
(3) Unstructured Supplementary Service Data (USSD): after the user sends a pre-agreed number or symbol to the network from the mobile phone, the communication network provides the corresponding service. The technique is simple to operate, has low transaction cost and relatively high security, but places high demands on the terminal and requires specific terminal support.
(4) Wireless Application Protocol (WAP): the mobile phone connects to the Internet to complete the payment. The method is highly interactive, but because the network is unstable the response time of instructions cannot be guaranteed, usage costs are high and terminal support is required.
(5) K.Java/Brew (J2ME / Binary Runtime Environment for Wireless): the phone connects to the Internet through a downloaded K.Java/Brew application. It is highly portable, consumes few network resources, imposes a low server load and has an interface readily accepted by users, but requires terminal device support. Whatever technology is used to implement mobile payment, its security is the key factor determining whether the payment business can develop. The security of mobile payment involves the confidentiality of user information and the safety of user funds and payment information; the security risks it faces come mainly from the wireless link, the service network and the terminal. To solve the security problems faced by mobile payment, in terms of management, limit controls and a contract-signing mechanism are generally adopted; technically, access control is generally used so that transaction information in a payment cannot be obtained or tampered with by illegitimate users, identity authentication is used to authenticate all parties to a transaction, and digital signature technology is used to keep information confidential, and so on. To ensure the security of data transmitted over the network during a transaction, the mobile payment system must establish a complete network security mechanism, including a firewall system and a virus prevention system; the system adopts a dual-network structure to prevent single points of device failure and link failure and to keep the whole network running; system hardware is doubly backed up, with redundancy, load-sharing and data transmission security mechanisms; and network segment isolation is applied to the banks, mobile communication network elements and other entities that connect to the system, ensuring that the different networks, which all connect to the mobile payment system, interoperate. The transaction security mechanism of the current prior art authenticates the user's identity through the mobile payment account-opening process and establishes a binding between the user identity and the mobile phone number; the mobile operator ensures authentication of the user's handset and verification of the legitimacy of the subscription relationship, and for incomplete transactions requires the commercial organization or payment platform operator to issue a reversal request cancelling the incomplete transaction. To prevent unauthorized intrusion into the host, the mobile payment center is deployed behind an IP (Internet Protocol) firewall in the mobile operator's network; control mechanisms are implemented to set payment limits; account security management is implemented; management of the security modules for encryption algorithms, key lengths, secure key exchange, key update times, signature algorithms and the like is implemented; and secure audit trails of transaction records are implemented so that, when a dispute arises, complete, accurate and credible transaction records can be provided for verification.
WEB and WAP page security: check whether the system adopts anti-brute-force login measures, whether it provides security controls, digital certificates and an independent payment password, whether the pages guard against SQL (Structured Query Language) injection, cross-site scripting, source code exposure and hacker-planted Trojans, and whether tamper-proofing and anti-phishing measures are in place;
Coding security: whether the system source code and plug-ins have undergone security review (check the review report), whether a coding standard is enforced, and whether source code and versions are managed effectively (check the management system);
Electronic authentication: whether certificates from a third-party electronic certification authority are used for internal, external and key services, whether valid electronic signatures are used, and whether the server certificate private key is effectively protected;
Offline data authentication: check whether keys and certificates meeting business requirements, static data authentication and dynamic data authentication are used;
应用密文和发卡机构认证:检查应用密文产生、发卡机构认证和密钥管理等; Application of ciphertext and card issuer certification: check application ciphertext generation, card issuer authentication and key management;
安全报文:检测报文格式是否符合要求,验证报文完整性、报文私密性,如何管理密钥;Security packet: Checks whether the packet format meets the requirements, verifies the integrity of the packet, the privacy of the packet, and how to manage the key.
卡片安全:检测卡片的安全性、密钥是否具有独立性、卡片内部安全体系、卡片中密钥的种类、密钥和个人识别码的存放等;Card security: check the security of the card, whether the key is independent, the internal security system of the card, the type of key in the card, the storage of the key and the personal identification number, etc.
终端安全:审查终端数据和设备的安全性要求,以及密钥管理要求,并检查应用终端是否严格按要求执行;Terminal security: Review the security requirements of the terminal data and equipment, as well as the key management requirements, and check whether the application terminal is strictly implemented as required;
密钥管理体系:检测如何对认证中心公钥、发卡机构公钥和发卡机构对称密钥进行管理;Key management system: detects how to manage the certificate authority public key, the card issuer public key, and the card issuer symmetric key;
认可的算法:系统采用了哪种对称加密算法、非对称加密算法或哈希算法等,以及这些算法应用在系统的哪些功能,并检测对应系统功能;Approved algorithms: Which symmetric encryption algorithm, asymmetric encryption algorithm or hash algorithm is used in the system, and what functions these algorithms apply to the system, and detect corresponding system functions;
Client program security: how client applications and configuration files are protected, whether their versions are up to date, and whether the login password and payment password are kept secure.
With the rapid development of the mobile Internet, mobile Internet finance presents huge market demand, but illegal means such as hacker intrusion and phishing websites attack the security of Internet finance at all times, and problems such as pre-installed software and repackaged malware that threaten mobile network security have become increasingly prominent, gradually forming a black-market industry chain. The security of Internet application systems has increasingly become a focus of attention. After the PRISM revelations, people discovered that, in the face of the technically powerful US government, any Internet company, including Apple and Google with the most advanced Internet technology, cannot avoid the vulnerability of information being stolen from any information system built on the Internet, even with all kinds of security protection measures. Security issues have always occupied an extremely important position in the mobile payment business. On the one hand, the bank needs to encrypt the user's transaction password, for example by hardware-encrypting certain important data and managing the corresponding logs. On the other hand, telecommunications operators need to strengthen security in signal transmission to prevent signals from being intercepted. Mobile payment is a typical multi-application environment: multiple applications must be managed over multiple channels, their various states and life cycles determined, with emphasis on ensuring the coexistence and concurrency of different applications, the security of each application itself, and the security of access between applications. As the proportion of virtual transactions rises, security risk has become a common concern. Mobile payment tool operating systems and irregular application downloads, together with frequently appearing phishing websites and Trojan programs, seriously affect the terminal security environment of mobile payment. In addition, once a mobile phone used for near-field payment is lost, the possibility of fraudulent charges is extremely high. The security problem of mobile payment has always been a bottleneck for its rapid adoption. The issues include confidentiality, integrity, non-repudiation and authenticity of information, the payment model, identity verification, the security of the payment terminal (mobile phone), and the imperfect legal safeguards in each link of mobile payment (contract signing, delivery, payment, breach of contract, after-sales liability, returns, tax payment, invoicing, payment audit).
In the traditional technology field, physical isolation is the most important and most effective measure for protecting the security of an internal network; both banking information systems and government information systems use internal networks physically isolated from the Internet to safeguard information security. Because an internal network physically isolated from the Internet has no networking channel to the Internet, no hacker can intrude into it. For ordinary users, an APN (Access Point Name) is just a set of parameters pre-configured or manually set on the mobile terminal in order to access the Internet. For the mobile network, however, the APN is an indispensable identifier for routing the user's Internet Protocol (IP) packets to the corresponding GPRS (General Packet Radio Service) network router, the GGSN, and to external networks. Its functions include the following. The APN as a routing identifier: the GPRS serving support node SGSN queries a specific Domain Name System (DNS) server for the GGSN IP address corresponding to the APN, to determine which GGSN the user should access. The APN as a service domain identifier: the GGSN sends the user's traffic to different service domains according to the APN, and different service domains correspond to different service bearer networking modes, user identity acquisition modes, charging modes and so on. As an important component of the packet-domain equipment of the GPRS/TD-SCDMA (WCDMA) core network, the serving GPRS support node SGSN mainly performs routing and forwarding of packet data, mobility management, session management, logical link management, authentication and encryption, and call detail record generation and output. The SGSN is the GPRS serving support node; it connects to the packet control unit PCU through the Gb interface and manages mobile data, including user identification, encryption and compression; it connects to the HLR (Home Location Register) through the Gr interface for user database access and access control; it connects to the GGSN through the Gn interface, providing the transmission path and protocol conversion between IP packets and the radio units; the SGSN can also provide a Gs interface to the MSC (Mobile Switching Center) and a Gd interface to the SMSC (Short Message Service Center) to support the cooperation of data services and circuit services and the sending and receiving of short messages. The SGSN and the GGSN together carry out the PS (packet-switched) function of TD-SCDMA (WCDMA).
As a basic network element of the GPRS network, the SGSN connects to the base station subsystem BSS through the Gb interface. Its main role is to perform mobility management for the mobile stations MS in its service area and to forward incoming and outgoing IP packets; its position is similar to that of the VMSC in the GSM circuit-switched network. In addition, the SGSN integrates functions similar to the VLR (Visitor Location Register) of the GSM network: when the user is in the GPRS Attach state, the SGSN stores the packet-related user information and location information. When the SGSN serves as the PS-domain function node of the TD-SCDMA (WCDMA) core network, it connects to the UTRAN through the Iu_PS interface and mainly provides routing and forwarding, mobility management, session management, authentication and encryption for the PS domain. GGSN9811 mainly ... Taking as an example the two APNs provided earliest by China Mobile and still the most widely used today, CMWAP and CMNET:
1) CMWAP APN
CMWAP and CMNET are two GPRS access channels that China Mobile has divided administratively. The former was established for mobile WAP Internet access, while the latter mainly serves PCs, laptops, PDAs and other devices using GPRS for Internet access. At the outset of its design, the CMWAP APN was mainly oriented towards services based on HTTP (Hypertext Transfer Protocol), such as WAP browsing and MMS. With the continuous development of data services, in order to support the gradually introduced non-HTTP services, the WAP (Wireless Application Protocol) domain, through upgrades and reconfiguration, gradually evolved into the default service domain for the vast majority of self-operated and partner services, providing users with MMS, PIM, streaming media, general download, news alerts, music player, games and other services. The CMWAP APN uses a WAP gateway as the proxy node for HTTP access, and at the same time provides users with some auxiliary functions, such as not having to enter the mobile phone number, content conversion and adaptation pre-judgment.
2) CMNET APN
CMNET is an APN set up to provide open Internet access service; users can access the Internet with any protocol, without any control or restriction policy, but no other auxiliary functions are provided either. When the CMNET APN is used, the mobile terminal accesses the nearest GGSN through the SGSN at its access location, and the service data flow reaches the Internet after NAT (Network Address Translation) at the firewall corresponding to the GGSN.
VPDN is the abbreviation of Virtual Private Dialup Network. It is a virtual private dial-up network service for dial-up users, which uses the bearer functions of IP and other networks, combined with corresponding authentication and authorization mechanisms, to establish a secure virtual private network. The VPDN service is mainly aimed at enterprises and government administrative departments. After an enterprise applies for the service, it only needs to connect its intranet to the Internet through one dedicated line, and its users can then dial into the VPDN service from anywhere in the country to enter the virtual private network and securely access the information resources they need. The enterprise can conveniently and flexibly open and close accounts and set permissions for its own dial-up users.
Currently, the VPDN networks built by operators are divided into fixed-network VPDN and wireless VPDN, and the physical locations of the two kinds of VPDN network differ. A fixed-network VPDN is located on the Internet and can be accessed by any terminal; a wireless VPDN is located within the operator's wireless data network, isolated from the Internet, and cannot be accessed through a WIFI network. For a mobile terminal to connect to a wireless VPDN, it must first connect to the APN network that carries that VPDN; users of other APN networks or networking channels cannot access the VPDN network.
A wireless VPDN network is a virtual private network built on top of an APN network. The connection procedure for a wireless VPDN is to first connect to the APN channel carrying the VPDN and then perform VPDN dialing to establish the VPDN connection. The networking parameters of a VPDN network include the networking parameters of the carrying APN network and the networking parameters of the VPDN itself.
After the VPDN is connected, the mobile terminal can only connect to the VPDN network; this is a restriction implemented by the route management of the system's network management. An expert user can make the APN and the VPDN connect simultaneously by modifying the routing table of the mobile terminal's operating system, but the simultaneously connected APN must be the APN network carrying the VPDN.
Because the isolation of a VPDN network is not physical data isolation but isolation implemented in software, its security is lower than that of an APN network. The security of a VPDN network depends on the security of the carrying APN network: if the carrying APN network is physically isolated from the Internet, the VPDN network is secure.
Although a dedicated channel can guarantee the security of information and systems, Internet applications are increasingly widespread today, and people need their mobile terminals to accommodate both Internet applications and secure applications. In the field of mobile payment in particular, people need, on the one hand, to browse goods in online shopping malls and, on the other hand, to thoroughly guarantee the security of their transactions.
However, current mobile terminal operating systems, whether in the browser or in the API of applications, provide only a single-channel Internet access mode, and the terminal's intelligent system lacks an interface for automatically switching between different networking channels, which is inconvenient for different business applications. How to achieve secure communication and data exchange between the mobile terminal and the bank's intranet over the public network has become an urgent problem for major enterprises. Remote access usually involves three parts: the access terminal, the access channel and the intranet application; inadequate protection of any one of the three brings security risks to the whole remote access process. Traditional mobile terminal access schemes based on virtual private networks focus on establishing a secure transmission channel. Although this provides a guarantee for secure data transmission to a certain extent, it cannot meet the need of mobile payment users to browse goods on the Internet, and so cannot satisfy the requirement that mobile users both access the Internet and keep their transactions secure.
Traditional bank payment models, including bank card and UKEY payment systems, all rely on a three-in-one binding of account, password and bank card or UKEY, which ensures the uniqueness of a payment. Current Internet payment systems basically use SMS one-time codes as confirmation; an SMS one-time code remains valid for a period of time, so a phishing website that steals the user's code can make the payment from another terminal, creating a security risk for the account.
Therefore, ensuring the uniqueness of a payment is a requirement of payment security.
In addition, many techniques for cloning mobile phone SIM (Subscriber Identity Module) cards have been exposed online, so payment services bound only to a mobile phone number carry considerable security risks.
Smartphone viruses are increasingly rampant, and it is very easy for a mobile phone Trojan to steal a password consisting purely of digits; mobile payment must guard against Trojans stealing numeric passwords.
In summary, the security of mobile payment involves two major parts:
1. Security of the network and system;
2. Security of the mobile terminal.
Summary of the invention
The purpose of the present invention is to address the shortcomings of the prior art by providing security guarantees for applications in both major parts, the mobile payment network and system on one side and the mobile terminal on the other. On the network and system side, it provides a mobile payment security system on a wireless data private network physically isolated from the Internet, which is highly interactive, avoids Internet intrusion, makes payment information hard for Trojans to steal, transmits intranet application system data safely and reliably without affecting Internet access, prevents SIM card cloning, and binds the account, mobile phone number, IMSI (International Mobile Subscriber Identification Number) and password as a four-in-one unit.
The above object of the present invention is achieved by the following measures. A mobile payment security system on a wireless data private network physically isolated from the Internet comprises a payment server, a mobile phone number authentication device, a password authentication device, and an APN network or VPDN network connected to a GSN mobile network gateway device, and is characterized in that: the application system, including the payment server and the authentication devices, is built within a mobile payment secure data network isolated from the Internet; the mobile payment secure data network links to an APN network or VPDN network that is isolated from the Internet and connected to the GSN mobile gateway; the payment server, through the password authentication device and the mobile phone number authentication device, establishes four-in-one binding and multiple authentication of account, mobile phone number, IMSI number and password; when the mobile terminal connects to the mobile payment secure data network, it automatically shuts off the Internet access channel, and after physical isolation from the Internet has succeeded, it exchanges graphic verification code information with the mobile payment server through the base station.
Optionally, in the mobile payment security system on a wireless data private network physically isolated from the Internet, a system model with a mobile phone number binding function is used: the mobile phone shuts off the Internet access channel, connects to the mobile payment secure network, and establishes a communication tunnel with the mobile phone number authentication device. During establishment of the communication tunnel, when the mobile phone sends a time-domain request, the GGSN or SGSN first links to the mobile network gateway GSN through the access point name (APN) dedicated line and/or the virtual private dial-up network (VPDN) dedicated line, and sends the international mobile subscriber identity IMSI stored in the user's SIM card to the mobile phone number authentication device as the calling-number parameter of a digital paging request; the mobile phone number authentication device performs IMSI authentication and account address binding, and communication with the payment server then proceeds via the password authentication device.
Optionally, the password authentication modes include a numeric password or a biometric password.
Optionally, in the mobile payment security system on a wireless data private network physically isolated from the Internet, a mobile secure payment system model using graphic verification code authentication is used; this model comprises a mobile terminal, a dedicated data channel, an authentication device and a payment server.
Optionally, each time the mobile terminal sends a transaction request, the payment server issues a random, secure graphic verification code as the label of that transaction, which is submitted with the mobile terminal's payment request; using a fresh graphic verification code for each transaction ensures that the verification code cannot be copied.
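The following is an added example, not code from the patent or its applicant, showing in Python how the two server-side checks described above fit together: the four-in-one binding (IMSI supplied by the network as the calling-number, phone number, account, password), and a per-transaction verification code that is consumed on first use so that a copied code cannot be replayed or moved to another transaction or account. All subscriber records, IMSIs, phone numbers, account ids, salts and the password are constructed sample data; the device boundaries (phone number authentication device, password authentication device, payment server) are modelled as plain functions and a class for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed sample records for illustration only; not from any real operator or bank.
# Mobile phone number authentication device: the IMSI that arrives as the
# calling-number of the paging request, mapped to the phone number it was issued to.
IMSI_TO_PHONE: Dict[str, str] = {
    "460001234567890": "13800000001",
    "460001234567891": "13800000002",
}

# Payment server: phone number bound to an account during account opening.
PHONE_TO_ACCOUNT: Dict[str, str] = {
    "13800000001": "ACCT-0001",
    "13800000002": "ACCT-0002",
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest so the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Password authentication device: account -> (salt, digest). Constructed sample.
_SALT_0001 = b"constructed-salt-0001"
PASSWORD_STORE: Dict[str, Tuple[bytes, bytes]] = {
    "ACCT-0001": (_SALT_0001, hash_password("correct horse battery", _SALT_0001)),
}


def four_way_bind(imsi: str, phone: str, account: str, password: str) -> bool:
    """Accept only when IMSI, phone number, account and password all agree.

    The IMSI comes from the network (paging request), not from the client, so a
    request that presents a known phone number from a SIM with a different IMSI,
    or the right SIM with the wrong password, is rejected.
    """
    if IMSI_TO_PHONE.get(imsi) != phone:
        return False
    if PHONE_TO_ACCOUNT.get(phone) != account:
        return False
    record = PASSWORD_STORE.get(account)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt), digest)


class PaymentServer:
    """Issues one random verification code per transaction and consumes it on use."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str]] = {}  # txn_id -> (account, code)

    def request_transaction(self, account: str) -> Tuple[str, str]:
        """Label a new transaction with a fresh code; the code is the value the
        graphic shown to the user would carry."""
        txn_id = secrets.token_hex(8)
        code = secrets.token_urlsafe(6)
        self._pending[txn_id] = (account, code)
        return txn_id, code

    def submit_payment(self, account: str, txn_id: str, code: str) -> bool:
        """Accept the code once, for this transaction and this account only."""
        entry = self._pending.pop(txn_id, None)  # pop: any second submission fails
        if entry is None:
            return False
        bound_account, expected = entry
        return bound_account == account and hmac.compare_digest(expected, code)
```

The two comparisons that matter for replay resistance are the `pop` (a code is removed from the pending table the moment it is first presented, whether or not it matches) and the account check (a code issued for one account is useless when presented for another). Both are deliberately independent of any time window, which is the property the patent contrasts with SMS one-time codes.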
Optionally, in the mobile payment security system on a wireless data private network physically isolated from the Internet, the mobile terminal uses a dedicated browser to switch the networking channel automatically; this dedicated-browser channel switching system model comprises a dedicated browser with an embedded channel switching program and/or a client or application with an embedded channel switching program, together with the mobile terminal networking subsystem.
Optionally, the dedicated browser, or the client or application, with the embedded channel switching program monitors the pages, services and functions the user is using; when a mobile payment service is needed, the browser, client or application calls the embedded channel switching program, which sends a channel switching command and, through the mobile terminal networking subsystem, connects the terminal to the Internet or to the mobile secure payment data network.
Optionally, after receiving the command from the dedicated browser, client or application, the embedded channel switching program closes the current network connection, changes the mobile terminal's networking parameters to the APN or VPDN networking parameters specified or preset by the browser, client or application, and asks the mobile terminal networking subsystem to connect to the mobile payment secure data network; if the connection succeeds, it returns a success message to the browser, client or application, and if it fails, it returns a failure message.
Optionally, after receiving the connection success message, the dedicated browser, client or application uses the mobile payment secure data network channel to exchange information with the mobile payment security system; when the browser, client or application finishes the mobile payment service, it calls the embedded channel switching program to switch the mobile terminal's networking channel back to the Internet access channel.
Optionally, in the mobile payment security system on a wireless data private network physically isolated from the Internet, the mobile terminal uses a channel switching module embedded in the mobile terminal to switch the networking channel automatically; this system model comprises an application layer and the mobile terminal operating system, where the mobile terminal operating system contains the channel switching module and the mobile terminal networking subsystem, and the application layer contains a browser, browser plug-in, client or application; the application layer links to the channel switching module through an application programming interface (API), and the channel switching module connects to the mobile terminal operating system.
Optionally, in the mobile payment security system on a wireless data private network physically isolated from the Internet, the mobile terminal uses independent channel switching software to switch the networking channel automatically; this system model comprises an application layer, the channel switching software and the mobile terminal operating system, where the application layer contains a browser, browser plug-in, or client and application, the mobile terminal operating system contains the mobile terminal networking subsystem, the application layer links to the channel switching software through an API, and the channel switching software links to the mobile terminal networking subsystem to exchange data with the mobile terminal operating system.
Optionally, once started, the channel switching software resides in memory, provides an API to the application layer, and performs channel switching operations according to application-layer instructions; the application layer calls the running channel switching software through the API to switch between different networking channels; after the channel switching software exits memory, the API in memory disappears.
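The channel switching procedure described in the preceding optional embodiments (close the current network, apply the payment APN parameters, request the connection, report success or failure, exchange payment data, switch back) is modelled below as an added Python example; it is not code from the patent or its applicant. The networking subsystem is a simulation that enforces the single-channel property the page describes, and the APN name `pay.private.apn` is a hypothetical placeholder for the isolated payment APN. The point the simulation makes is the fail-closed ordering: payment data is sent only after the private APN is confirmed to be the sole active channel, a failed switch sends nothing, and the Internet channel is restored afterwards in every path.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INTERNET_APN = "cmnet"            # open Internet APN named on the page
PAYMENT_APN = "pay.private.apn"   # hypothetical name for the isolated payment APN


@dataclass
class NetworkingSubsystem:
    """Simulated mobile terminal networking subsystem: at most one channel is up."""
    reachable: Dict[str, bool]                    # constructed: which APNs attach OK
    active: Optional[str] = None
    log: List[str] = field(default_factory=list)  # record of what went over the air

    def disconnect(self) -> None:
        if self.active is not None:
            self.log.append(f"disconnect {self.active}")
            self.active = None

    def connect(self, apn: str) -> bool:
        if self.active is not None:
            raise RuntimeError("single-channel terminal: disconnect first")
        ok = self.reachable.get(apn, False)
        self.log.append(f"connect {apn}: {'ok' if ok else 'fail'}")
        if ok:
            self.active = apn
        return ok

    def send(self, payload: str) -> None:
        if self.active is None:
            raise RuntimeError("no channel is connected")
        self.log.append(f"send over {self.active}: {payload}")


class ChannelSwitcher:
    """Embedded channel switching program: close the current network, then connect
    with the APN parameters the caller specified; report success or failure."""

    def __init__(self, net: NetworkingSubsystem) -> None:
        self.net = net

    def switch_to(self, apn: str) -> bool:
        self.net.disconnect()
        return self.net.connect(apn)


class PaymentClient:
    """Browser plug-in / client that drives the switcher around a payment."""

    def __init__(self, net: NetworkingSubsystem, switcher: ChannelSwitcher) -> None:
        self.net = net
        self.switcher = switcher

    def pay(self, amount: int) -> bool:
        try:
            if not self.switcher.switch_to(PAYMENT_APN):
                return False                    # failure message: abort, send nothing
            if self.net.active != PAYMENT_APN:  # re-check before any payment traffic
                return False
            self.net.send(f"payment {amount}")
            return True
        finally:
            # whatever happened, hand the terminal back to the Internet channel
            self.switcher.switch_to(INTERNET_APN)


def run_session(payment_reachable: bool, amount: int = 100) -> Tuple[bool, Optional[str], List[str]]:
    """Browse over the Internet, attempt one payment, return (ok, active APN, log)."""
    net = NetworkingSubsystem(reachable={INTERNET_APN: True, PAYMENT_APN: payment_reachable})
    net.connect(INTERNET_APN)  # user is browsing the shop over the Internet
    client = PaymentClient(net, ChannelSwitcher(net))
    ok = client.pay(amount)
    return ok, net.active, net.log
```

`run_session(True)` produces a log in which the only `send` entry is over the payment APN and the terminal ends back on `cmnet`; `run_session(False)` models an unreachable payment APN and produces no `send` entry at all. The `disconnect` before `connect` in `switch_to` is what keeps the terminal from ever holding the Internet and the private APN up at the same time, the condition the page identifies as the weak point of VPDN-only isolation.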
Compared with the prior art, the present invention has the following beneficial effects:
In the present invention, on the mobile terminal, the application layer switches the networking channel according to different needs, satisfying the secure switching requirements of the different applications of network services and secure payment; on the mobile Internet side, a wireless data private network completely physically isolated from the Internet is used to provide a mobile secure payment system built on the dual authentication of mobile phone number authentication and password authentication, together with a method for the mobile terminal to switch automatically between the Internet access channel and the dedicated secure payment channel. This completely eliminates intrusion from the Internet and secures mobile payment through dual security authentication.
The mobile terminal application layer, comprising a browser, client or application software, monitors the web pages, services and functions the user is using; when a payment service is needed, a browser plug-in with embedded channel switching, or a channel switching module embedded in the client or application, switches the networking channel, so that during the payment operation the mobile terminal is connected only to the dedicated mobile secure payment data network, which ensures the security of the mobile payment system.
The present invention uses a dedicated mobile data network physically isolated from the Internet, comprising APN or VPDN data channels, to protect the information and data security of the application system. Three-level defence in depth for secure mobile terminal access is implemented across three aspects: the access terminal, the secure transmission channel and the protection of the intranet application system. This improves terminal security and guarantees access security at the source; provides a high-strength secure data transmission channel, guaranteeing the security of the data transmission process; and uses secure access control technology to guarantee the security of the intranet application system.
The present invention builds the application system, including the application server and the authentication devices, within a mobile payment secure data network isolated from the Internet; the dual authentication of mobile phone number authentication and password authentication ensures the four-in-one binding relationship between mobile phone number, IMSI number, bank account and password; the mobile payment secure data network connects to the gateway GPRS support node GGSN of the mobile network through an APN or VPDN dedicated line isolated from the Internet, ensuring physical isolation from the Internet while exchanging information with the mobile terminal; a graphic verification code is used during the transaction process to ensure that transaction information is not stolen by Trojans; and mobile payment uses a graphic verification code to ensure that payment information is not stolen by Trojans.
The mobile secure payment system uses dual authentication of mobile phone number and password, ensuring that the mobile phone number and password are separated, avoiding the risk of the mobile phone SIM card being cloned, and ensuring the four-in-one binding relationship between account, mobile phone number, IMSI and password and a unique payment relationship;
The browser, client or application on the mobile terminal can switch the networking channel according to the application in use. This connection mode avoids any direct connection between the dedicated data network and the Internet, completely avoiding intrusion from the Internet while leaving the mobile terminal's Internet access unaffected, and meets the technical need of the mobile terminal to switch between the different applications of browsing, shopping and payment.
DRAWINGS
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that, where no conflict arises, the embodiments in this application and the features in the embodiments may be combined with each other arbitrarily.
FIG. 1 is a schematic diagram of the model of the mobile payment security system of the present invention, in which a wireless data private network is physically isolated from the Internet;
FIG. 2 is a schematic diagram of the system model in which a mobile terminal of the present invention uses a dedicated browser to automatically switch between network interfaces of different channels;
FIG. 3 is a schematic diagram of the system model in which a mobile terminal of the present invention uses a general-purpose browser to automatically switch between network interfaces of different channels;
FIG. 4 is a schematic diagram of the system model in which a mobile terminal uses an embedded channel switching program module to automatically switch between network interfaces of different channels;
FIG. 5 is a schematic diagram of the system model in which a mobile terminal uses an independent channel switching program to automatically switch between network interfaces of different channels.
DETAILED DESCRIPTION
Embodiment 1:
Refer to FIG. 1. In a preferred embodiment described below, the mobile payment security system with a wireless data private network physically isolated from the Internet comprises, in order, a payment server, a phone number authentication device, a password authentication device, and a mobile payment security data network consisting of an APN or VPDN network that is isolated from the Internet and connected to the GSN gateway. The application system, including the payment server and the authentication devices, is built inside the mobile payment security data network isolated from the Internet. Through the password authentication device and the phone number authentication device, the payment server establishes a multi-factor authentication mode with a four-in-one binding of account, phone number, IMSI and password, and is linked to the mobile network gateway GSN over an access point name (APN) private line and/or a virtual private dial-up network (VPDN) private line of the mobile payment security data network. When using the mobile payment service, the mobile terminal automatically shuts off the Internet access channel and connects to the mobile payment security network; once physical isolation from the Internet has succeeded, it exchanges graphical verification code information with the mobile payment server through the base station, so that the mobile payment operation always takes place within the wireless data private network secure payment data network, which is the mobile terminal's only network connection. Here the GGSN (Gateway GSN) mainly acts as a gateway; it can connect to many different data networks, such as ISDN (Integrated Services Digital Network), PSPDN (Packet Switched Public Data Network) and LAN (Local Area Network). Some literature refers to the GGSN as a GPRS router. The GGSN performs protocol conversion on GPRS packets from the GSM network so that they can be forwarded to a remote TCP/IP or X.25 network. SGSN stands for Serving GPRS Support Node. As a key component of the packet-switched domain of the GPRS/TD-SCDMA (WCDMA) core network, the SGSN mainly performs packet routing and forwarding, mobility management, session management, logical link management, authentication and encryption, and call detail record generation and output. The SGSN, the serving GPRS support node, connects to the radio Packet Control Unit (PCU) over the Gb interface and manages mobile data, including user identification, encryption and compression; it connects to the HLR over the Gr interface for subscriber database access and access control; it connects to the GGSN over the Gn interface, providing the transmission path and protocol conversion between IP packets and the radio units; and it can also connect to the MSC over the Gs interface and to the SMSC over the Gd interface to support coordinated operation of data and circuit services and SMS sending and receiving. The GGSN and SGSN (collectively, GSN) listen for GTP-C messages on UDP port 2123 and for GTP-U messages on UDP port 2152. The connection mode described in this embodiment avoids any direct connection between the dedicated data network and the Internet, thereby completely eliminating intrusion from the Internet.
Embodiment 2: Phone number bound to account
In FIG. 1, in the mobile payment security system with a wireless data private network physically isolated from the Internet, the system model using the phone number binding function comprises, in order, the GSN device and the phone number authentication device. The handset shuts off the Internet access channel, connects to the mobile payment security network and establishes a communication tunnel with the phone number authentication device. During tunnel establishment, when the handset sends a session request (a session is the interval during which an end user communicates with an interactive system, usually the time from logging into the system until logging out), the GGSN or SGSN first links to the mobile network gateway GSN over the access point name (APN) private line and/or the virtual private dial-up network (VPDN) private line and automatically sends the International Mobile Subscriber Identity (IMSI) stored in the user's SIM card to the phone number authentication device as a calling-number paging request parameter. The phone number authentication device performs IMSI authentication and binding to the user's account address, after which communication with the payment server proceeds through the password authentication device. When the phone number authentication device receives a payment request from the mobile terminal client, it extracts the user name and compares the IMSI delivered in the calling-number from the GSN against the binding between IMSI and account address stored in the phone number authentication device; if they match, authentication passes, which realizes the binding between the phone number and the user's account address.
The IMSI used for phone number authentication comes from the low-level access information of the handset chip; it is the SIM card authentication information held on the GGSN or SGSN and is independent of the mobile terminal's application-layer communication.
The IMSI is the mobile subscriber identity that is unique across the whole network and worldwide; it is the number assigned internationally to uniquely identify one mobile subscriber. SIM card authentication belongs to the low-level hardware communication of the mobile terminal, is built entirely into the chip hardware and cannot be modified by software. Using this authentication mode effectively blocks false registrations by Trojans, viruses or hackers.
Embodiment 3: Password authentication mode
Refer to FIG. 1. In Embodiment 1 above, the password authentication mode includes a numeric password or a biometric password such as a fingerprint, face or pupil. Password authentication may take a single form, such as a number, or a combination of several forms, such as a number plus a fingerprint.
Embodiment 4: Graphical verification code
In FIG. 1, in the mobile payment security system with a wireless data private network physically isolated from the Internet, the model of the mobile secure payment system using graphical verification code authentication comprises a mobile terminal, a dedicated data channel, an authentication device and a payment server. Each time the mobile terminal sends a transaction request, the payment server issues a random, secure graphical verification code as the label of that transaction, which is submitted in the mobile terminal's payment request. Using a fresh graphical verification code for each transaction ensures that the code cannot be copied. Using a random, secure graphical verification code effectively prevents intrusion into the system by Trojans or viruses.
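As an added example (not the patent's own code), the following Python model shows the two server-side checks Embodiments 2 and 4 describe: the authentication device verifies the bearer-supplied IMSI and the password against the stored account binding, and the payment server issues a random label per transaction request that can be redeemed exactly once. Class names, the password hashing scheme and the IMSI and account values used in the test are assumptions.

```python
"""Constructed simulation of the account/phone number/IMSI/password binding check
(Embodiment 2) and the single-use per-transaction graphical verification code
(Embodiment 4). Added example, not code from the patent; class and method names
are assumptions, and any IMSI or account values used with it are made up."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _hash_password(password, salt):
    # PBKDF2 stands in for whatever the password authentication device really uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Binding:
    msisdn: str           # phone number
    imsi: str             # IMSI the bearer network read from the SIM at attach time
    salt: bytes
    password_hash: bytes


class AuthenticationDevice:
    """Phone number and password authentication devices collapsed into one object,
    keyed by account address."""

    def __init__(self):
        self._bindings = {}      # account -> Binding
        self._pending = set()    # (account, code) pairs issued but not yet used

    def bind(self, account, msisdn, imsi, password):
        salt = secrets.token_bytes(16)
        self._bindings[account] = Binding(msisdn, imsi, salt, _hash_password(password, salt))

    def imsi_matches(self, account, imsi_from_gsn):
        """imsi_from_gsn is the calling-number parameter the GGSN/SGSN attached from
        the SIM attach; the application layer never chooses it."""
        b = self._bindings.get(account)
        return b is not None and hmac.compare_digest(b.imsi, imsi_from_gsn)

    def authenticate(self, account, password, imsi_from_gsn):
        """Both factors must hold: a copied SIM without the password, or the
        right password arriving from a different SIM, is rejected."""
        b = self._bindings.get(account)
        if b is None:
            return False
        pw_ok = hmac.compare_digest(b.password_hash, _hash_password(password, b.salt))
        return self.imsi_matches(account, imsi_from_gsn) and pw_ok

    def issue_transaction_code(self, account):
        """Random label for exactly one transaction request (the patent's
        graphical verification code, minus the rendering)."""
        code = secrets.token_urlsafe(8)
        self._pending.add((account, code))
        return code

    def redeem_transaction_code(self, account, code):
        """Single use: a replayed, stale or guessed code is rejected."""
        try:
            self._pending.remove((account, code))
        except KeyError:
            return False
        return True


class PaymentServer:
    def __init__(self, auth):
        self.auth = auth

    def transaction_request(self, account, password, imsi_from_gsn):
        """Step 1: check the four-way binding, then hand out this transaction's label.
        Returns None when authentication fails."""
        if not self.auth.authenticate(account, password, imsi_from_gsn):
            return None
        return self.auth.issue_transaction_code(account)

    def payment_request(self, account, imsi_from_gsn, code, amount):
        """Step 2: the payment request must carry the label issued in step 1 and
        must still arrive from the SIM bound to the account."""
        if not self.auth.imsi_matches(account, imsi_from_gsn):
            return {"ok": False, "reason": "imsi mismatch"}
        if not self.auth.redeem_transaction_code(account, code):
            return {"ok": False, "reason": "bad or reused code"}
        return {"ok": True, "account": account, "amount": amount}
```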
The mobile terminal's modes for switching the network channel between the two different applications of Internet access and mobile payment include the following four system modes:
Embodiment 5: Dedicated browser switching mode
Refer to FIG. 2. In the mobile payment security system with a wireless data private network physically isolated from the Internet, the system model in which the mobile terminal uses a dedicated browser to automatically switch the network channel comprises a dedicated browser with an embedded channel switching program and/or a client or application with an embedded channel switching program, and the mobile terminal networking subsystem. The dedicated browser, client or application with the embedded channel switching program connects to the Internet or to the mobile secure payment data network through the network channel of the mobile terminal networking subsystem.
The dedicated browser, client or application with the embedded channel switching program monitors the pages, services and functions the user is using. When a mobile payment service is required, the browser, client or application invokes the embedded channel switching program, sends a channel switching command, and connects to the Internet or to the mobile secure payment data network through the network channel of the mobile terminal networking subsystem.
On receiving the command from the dedicated browser, client or application, the embedded channel switching program closes the current network connection, changes the mobile terminal's network parameters to the APN or VPDN parameters specified or preset by the browser, client or application, and requests a connection to the mobile payment security data network from the mobile terminal networking subsystem. If the connection succeeds, it returns a success message to the browser, client or application; if it fails, it returns a failure message.
After receiving the connection success message, the dedicated browser, client or application exchanges information with the mobile payment security system over the mobile payment security data network channel; after finishing the mobile payment service, it invokes the embedded channel switching program to switch the mobile terminal's network channel back to the Internet access channel.
The mobile terminal networking subsystem is the hardware and software system that provides storage and modification of the mobile terminal's network parameters, network management, networking operations and related functions.
Embodiment 6: General-purpose browser plug-in mode
Refer to FIG. 3. In the mobile payment security system with a wireless data private network physically isolated from the Internet, the system model in which the mobile terminal uses a general-purpose browser plug-in to automatically switch the network channel comprises a general-purpose browser with a plug-in containing the embedded channel switching program, and the mobile terminal networking subsystem. The general-purpose browser with the channel switching plug-in connects to the Internet or to the mobile secure payment data network through the mobile terminal networking subsystem.
The general-purpose browser monitors the pages, services and functions the user is using. When a mobile payment service is required, the browser invokes the embedded channel switching plug-in and sends a channel switching command. On receiving the browser's command, the plug-in closes the current network connection, changes the mobile terminal's network parameters to the APN or VPDN parameters specified or preset by the browser, and requests a connection to the mobile payment security data network from the mobile terminal networking subsystem. If the connection succeeds, it returns a success message to the browser; if it fails, it returns a failure message.
After receiving the connection success message, the general-purpose browser exchanges information with the mobile payment security system over the mobile payment security data network channel; after completing the mobile payment service, it invokes the embedded channel switching plug-in to switch the mobile terminal's network channel back to the Internet access channel.
Embodiment 7: Embedded channel switching module mode
Refer to FIG. 4. In the mobile payment security system with a wireless data private network physically isolated from the Internet, the system model in which the mobile terminal uses a channel switching module embedded in the mobile terminal to automatically switch the network channel comprises an application layer and a mobile terminal operating system. The mobile terminal operating system contains the channel switching module and the mobile terminal networking subsystem; the application layer contains a browser, browser plug-in, client or application. The application layer links to the channel switching module through an application programming interface (API), and the channel switching module connects to the mobile terminal networking subsystem.
The channel switching module is a module built into the mobile terminal operating system and linked to the mobile terminal networking subsystem, which performs the channel switching operation.
The application layer monitors the pages, services and functions the user is using. When a mobile payment service is required, it invokes the channel switching module and sends a channel switching command. After receiving the message that the channel switch succeeded, the application layer exchanges information over the mobile payment security data network. After completing the mobile payment security service, the application layer invokes the channel switching module to switch the network channel back to the Internet access channel.
Embodiment 8: Independent channel switching software mode
Refer to FIG. 5. In the mobile payment security system with a wireless data private network physically isolated from the Internet, the system model in which the mobile terminal uses independent channel switching software to automatically switch the network channel comprises an application layer, channel switching program software and a mobile terminal operating system. The application layer contains a browser, browser plug-in, or client and application; the mobile terminal operating system contains the mobile terminal networking subsystem; the application layer links to the channel switching software through an application programming interface (API), and the channel switching software links to the mobile terminal networking subsystem to exchange data with the mobile terminal operating system.
The channel switching software is an application, separate from the mobile terminal operating system, that must be started manually. Once started, it stays resident in memory, exposes an API to the application layer and performs channel switching operations according to the application layer's instructions; the application layer calls the started channel switching software through the API to switch between different network channels; once the channel switching software has exited memory, the API in memory disappears.
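The following Python model, added here and not taken from the patent, walks through the switching procedure that Embodiments 5 to 8 share regardless of where the switching program lives: close the current connection, change the network parameter to the preset payment APN, request a connection, exchange payment data only if that succeeded, and switch back afterwards. The APN names, the networking subsystem model and the class names are assumptions; the failure path is included to show that a payment never falls back to the Internet channel.

```python
"""Constructed model of the channel-switching procedure shared by Embodiments 5 to 8.
Added example, not code from the patent; APN names and class names are assumptions."""
from dataclasses import dataclass, field

INTERNET_APN = "internet"        # placeholder APN for ordinary browsing
PAYMENT_APN = "pay.example"      # placeholder APN for the isolated payment network


@dataclass
class NetworkingSubsystem:
    """Mobile terminal networking subsystem: stores the network parameter (APN)
    and brings a single data connection up or down. reachable_apns models which
    APNs the operator will actually attach; any other APN fails to connect."""
    reachable_apns: set
    apn: str = INTERNET_APN
    connected: bool = False
    log: list = field(default_factory=list)   # ("up"|"down"|"fail", apn) events

    def disconnect(self):
        if self.connected:
            self.log.append(("down", self.apn))
        self.connected = False

    def set_apn(self, apn):
        if self.connected:
            raise RuntimeError("network parameters may only change while disconnected")
        self.apn = apn

    def connect(self):
        self.connected = self.apn in self.reachable_apns
        self.log.append(("up" if self.connected else "fail", self.apn))
        return self.connected


class ChannelSwitcher:
    """The switching program, wherever it lives (browser, plug-in, OS module or
    standalone software): one command switches to the payment APN, one back."""

    def __init__(self, net, payment_apn=PAYMENT_APN, internet_apn=INTERNET_APN):
        self.net = net
        self.payment_apn = payment_apn
        self.internet_apn = internet_apn

    def _switch(self, apn):
        self.net.disconnect()        # close the current connection first
        self.net.set_apn(apn)        # then change the stored network parameter
        return self.net.connect()    # success / failure message to the caller

    def switch_to_payment(self):
        return self._switch(self.payment_apn)

    def switch_to_internet(self):
        return self._switch(self.internet_apn)


class PaymentApp:
    """Application layer: exchanges payment data only while the terminal's sole
    connection is the payment APN, and switches back when the service ends."""

    def __init__(self, switcher):
        self.switcher = switcher

    def pay(self, amount):
        net = self.switcher.net
        if not self.switcher.switch_to_payment():
            # Failure message received: do not send the payment over the Internet channel.
            self.switcher.switch_to_internet()
            return {"ok": False, "reason": "secure payment channel unavailable"}
        try:
            # Invariant the patent relies on: the only live connection is the payment APN.
            assert net.connected and net.apn == self.switcher.payment_apn
            result = {"ok": True, "apn_used": net.apn, "amount": amount}
        finally:
            self.switcher.switch_to_internet()
        return result


def run_payment(reachable_apns, amount=100):
    """Drive one payment on a terminal that starts out connected to the Internet APN.
    Returns the payment result and the subsystem's event log."""
    net = NetworkingSubsystem(reachable_apns=set(reachable_apns))
    net.connect()
    app = PaymentApp(ChannelSwitcher(net))
    return app.pay(amount), net.log
```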
The above are only preferred embodiments of the present invention. It should be noted that a person of ordinary skill in the art may make various modifications and improvements without departing from the principles of the present invention; for example, the mobile payment security application system may be applied to e-mail, OA (office automation) or other services or application systems that require security, and the programs described may be stored in a readable storage medium of the mobile terminal. Optionally, the modules/units of the terminal in the above embodiments may be implemented in hardware or as software function modules. The present invention is not limited to any particular combination of hardware and software; such changes and modifications are considered to fall within the scope of protection of the present invention.

Claims (12)

  1. 一种无线数据专网物理隔离互联网的移动支付安全系统,包括支付服务器,手机号码鉴权设备,密码鉴权设备和与GSN移动网络网关设备相链接的APN网络或VPDN网络,其特征在于:支付服务器、鉴权设备在内的应用系统构建在与互联网相隔离的移动支付安全数据网络内,移动支付安全数据网络链接与互联网隔离的与GSN移动网关相连的APN网络或VPDN网络,支付服务器通过密码鉴权设备、手机号码鉴权设备,建立账户、手机号码、IMSI号、密码四位一体绑定多重认证;移动终端在联网移动支付安全数据网络时,自动关断互联网访问通道,物理隔离互联网成功后,通过基站与移动支付服务器进行图形验证码信息交互。A wireless data private network physically isolated Internet mobile payment security system, comprising a payment server, a mobile phone number authentication device, a password authentication device and an APN network or a VPDN network linked with a GSN mobile network gateway device, characterized in that: payment The application system including the server and the authentication device is built in a mobile payment security data network isolated from the Internet, and the mobile payment security data network link is connected to the APN network or the VPDN network connected to the GSN mobile gateway by the Internet, and the payment server passes the password. The authentication device and the mobile phone number authentication device establish a four-in-one binding of the account, the mobile phone number, the IMSI number, and the password. The mobile terminal automatically shuts down the Internet access channel when the mobile payment security data network is connected, and physically isolates the Internet. Then, the graphic verification code information is exchanged with the mobile payment server through the base station.
  2. 如权利要求1所述的无线数据专网物理隔离互联网的移动支付安全系统,其特征在于:在无线数据专网物理隔离互联网的移动支付安全系统中,使用手机号码绑定功能的系统模型,手机关断互联网访问通道,联网移动支付安全网络,与手机号码鉴权设备建立通信隧道,在建立通信隧道过程中,当手机发送时域请求时,GGSN或SGSN首先通过接入点名称APN专线和/或虚拟专用拨号网VPDN专线链接移动网络网关GSN,把用户储存在SIM卡中国际移动用户识别码IMSI作为一个数字呼叫calling-number寻呼请求参数发给手机号码鉴权设备,通过手机号码鉴权设备实现IMSI认证和账户地址绑定,再经密码鉴权设备与支付服务器进行通信。The mobile data security system for physically isolating the Internet of the wireless data private network according to claim 1, characterized in that: in the mobile payment security system in which the wireless data private network is physically isolated from the Internet, the system model using the mobile phone number binding function, the mobile phone Turn off the Internet access channel, connect the mobile payment security network, and establish a communication tunnel with the mobile phone number authentication device. During the process of establishing the communication tunnel, when the mobile phone sends the time domain request, the GGSN or SGSN first passes the access point name APN line and / Or the virtual private dial-up network VPDN private line links the mobile network gateway GSN, and the international mobile subscriber identity IMSI stored by the user in the SIM card is sent to the mobile phone number authentication device as a digital call calling-number paging request parameter, and authenticated by the mobile phone number. The device implements IMSI authentication and account address binding, and then communicates with the payment server via the password authentication device.
  3. 如权利要求1所述的无线数据专网物理隔离互联网的移动支付安全系统,其特征在于:密码鉴权的模式包括数字密码,或生物密码。The mobile data security system for physically isolating the Internet by the wireless data private network according to claim 1, wherein the password authentication mode comprises a digital password or a biometric password.
  4. 如权利要求1所述的无线数据专网物理隔离互联网的移动支付安全系统,其特征在于:在无线数据专网物理隔离互联网的移动支付安全系统中,使用图形验证码认证的移动安全支付系统模型,移动安全支付系统模型包括移动终端、专用数据通道、鉴权设备和支付服务器。The mobile data security system for physically isolating the Internet of the wireless data private network according to claim 1, characterized in that: in the mobile payment security system in which the wireless data private network physically isolates the Internet, the mobile secure payment system model using the graphic verification code authentication The mobile secure payment system model includes a mobile terminal, a dedicated data channel, an authentication device, and a payment server.
  5. 如权利要求4所述的无线数据专网物理隔离互联网的移动支付安全系统,其特征在于:支付服务器在每次移动终端发送交易请求时,下发一个随机的安全的图形验证码,作为交易的标签,在移动终端支付请求中提交,采用逐次交易的图形验证码保障验证码不可复制。 The mobile data security system for physically separating the Internet by the wireless data private network according to claim 4, wherein the payment server sends a random secure graphic verification code as a transaction each time the mobile terminal sends a transaction request. The tag is submitted in the mobile terminal payment request, and the verification code of the successive transaction is used to ensure that the verification code cannot be copied.
  6. 如权利要求1所述的无线数据专网物理隔离互联网的移动支付安全系统,其特征在于:在无线数据专网物理隔离互联网的移动支付安全系统中,移动终端使用专用浏览器进行联网通道自动切换的系统模型,专用浏览器联网通道自动切换系统模型包括内嵌通道切换程序的专用浏览器和/或内嵌通道切换程序客户端与应用程序和移动终端联网子系统。The mobile data security system for physically isolating the Internet of the wireless data private network according to claim 1, wherein in the mobile payment security system in which the wireless data private network physically isolates the Internet, the mobile terminal uses a dedicated browser to automatically switch the networked channel. The system model, dedicated browser networking channel automatic switching system model includes a dedicated browser with embedded channel switching program and / or embedded channel switching program client and application and mobile terminal networking subsystem.
  7. 如权利要求6所述的无线数据专网物理隔离互联网的移动支付安全系统,其特征在于:内嵌通道切换程序的专用浏览器或客户端与应用程序监测用户使用的页面、业务与功能,当遇到需要使用移动支付业务时,浏览器或客户端与应用程序调用内嵌的通道切换程序,发送通道切换命令,并通过移动终端联网子系统联网通道,联网互联网或移动安全支付数据网络。The mobile data security system for physically isolating the Internet of the wireless data private network according to claim 6, wherein the dedicated browser or the client and the application embedded in the channel switching program monitor the pages, services and functions used by the user. When it is necessary to use the mobile payment service, the browser or the client and the application call the embedded channel switching program, send a channel switching command, and connect to the network through the mobile terminal networking subsystem, networked Internet or mobile secure payment data network.
  8. The mobile payment security system with a wireless data private network physically isolated from the Internet according to claim 7, characterized in that: after the embedded channel switching program receives the command from the dedicated browser or client and application, it closes the current network connection, changes the networking parameters of the mobile terminal to the APN or VPDN networking parameters specified or preset by the browser or client and application, and sends the mobile terminal networking subsystem a request to connect to the mobile payment security data network; if the connection succeeds, it returns a success message to the browser or client and application; if the connection fails, it returns a failure message to the browser or client and application.
  9. The mobile payment security system with a wireless data private network physically isolated from the Internet according to claim 8, characterized in that: after the dedicated browser or client and application receives the connection success message, it exchanges information with the mobile payment security system over the mobile payment security data network channel; after the browser or client and application finishes the mobile payment transaction, it calls the embedded channel switching program to switch the networking channel of the mobile terminal back to the Internet access channel.
  10. The mobile payment security system with a wireless data private network physically isolated from the Internet according to claim 1, characterized in that: in the mobile payment security system with a wireless data private network physically isolated from the Internet, the mobile terminal uses a system model in which a channel switching module embedded in the mobile terminal switches the networking channel automatically; the automatic networking channel switching system model comprises an application layer and a mobile terminal operating system, and the mobile terminal operating system comprises the channel switching module and the mobile terminal networking subsystem; the application layer comprises a browser, a browser plug-in, a client or an application; the application layer is linked to the channel switching module through an application programming interface (API) and communicates with the mobile terminal operating system via the channel switching module.
  11. The mobile payment security system with a wireless data private network physically isolated from the Internet according to claim 1, characterized in that: in the mobile payment security system with a wireless data private network physically isolated from the Internet, the mobile terminal uses a system model in which independent channel switching software switches the networking channel automatically; the automatic networking channel switching system model with independent channel switching software comprises an application layer, the channel switching program software and a mobile terminal operating system, wherein the application layer comprises a browser, a browser plug-in, or a client and application; the mobile terminal operating system comprises the mobile terminal networking subsystem; the application layer is linked to the channel switching software through an application programming interface (API); and the channel switching software is linked to the mobile terminal networking subsystem to exchange data with the mobile terminal operating system.
  12. The mobile payment security system with a wireless data private network physically isolated from the Internet according to claim 1, characterized in that: once the channel switching software has started, it resides in memory, provides an application programming interface (API) to the application layer, and performs channel switching operations according to instructions from the application layer; the application layer calls the started channel switching software through the API to switch between different networking channels; after the channel switching software exits memory, the API it provided to the application layer in memory disappears.
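As an added example (not code from the patent or its applicant), the following Python models the switching sequence of claims 8 and 9 and the resident API of claim 12, including the failure path in which the private network cannot be reached and the channel must still be switched back; the networking subsystem, the APN names and all class and function names are assumptions.

```python
# Added example, not from the patent or its applicant: a model of the channel
# switching procedure in claims 8, 9 and 12. The networking subsystem, the APN
# names and every class here are constructed assumptions, not the real system.
from contextlib import contextmanager
INTERNET_APN = "internet.example"    # constructed: ordinary Internet access channel
PAYMENT_APN = "pay.private.example"  # constructed: APN of the isolated payment network


class NetworkingSubsystem:  # stand-in for the mobile terminal networking subsystem
    def __init__(self, reachable_apns):
        self.reachable_apns = set(reachable_apns)
        self.active_apn = INTERNET_APN
        self.log = []

    def disconnect(self):
        self.log.append(f"disconnect {self.active_apn}")
        self.active_apn = ""

    def connect(self, apn):
        ok = apn in self.reachable_apns
        self.active_apn = apn if ok else ""
        self.log.append(f"connect {apn}: {'ok' if ok else 'failed'}")
        return ok


class ChannelSwitcher:  # resident channel switching program; its methods are the API (claim 12)
    def __init__(self, subsystem):
        self.subsystem = subsystem

    def switch_to(self, apn):
        # Claim 8: close the current network, apply the requested APN, ask the
        # subsystem to connect, and report success only if that APN is now active.
        self.subsystem.disconnect()
        return self.subsystem.connect(apn) and self.subsystem.active_apn == apn

    @contextmanager
    def payment_session(self):
        # Claim 9 as a guarded session: the Internet channel is restored afterwards
        # even if the payment step raised or the private network never connected.
        connected = self.switch_to(PAYMENT_APN)
        try:
            yield connected
        finally:
            self.switch_to(INTERNET_APN)


def run_payment(subsystem, payload):
    # Returns True only if payload was sent over the isolated payment channel.
    with ChannelSwitcher(subsystem).payment_session() as connected:
        if not connected:
            return False  # failure message to the app; never fall back to the Internet
        subsystem.log.append(f"send {len(payload)} bytes via {subsystem.active_apn}")
        return True
```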
PCT/CN2014/087307 2013-12-09 2014-09-24 Mobile payment security system with wireless data private network physically isolated from internet WO2015085809A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310660556.9A CN103619020B (en) 2013-12-09 2013-12-09 Mobile payment security system for wireless data private network physical isolation internet
CN201310660556.9 2013-12-09

Publications (1)

Publication Number Publication Date
WO2015085809A1 true WO2015085809A1 (en) 2015-06-18

Family

ID=50169724

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/087307 WO2015085809A1 (en) 2013-12-09 2014-09-24 Mobile payment security system with wireless data private network physically isolated from internet

Country Status (2)

Country Link
CN (1) CN103619020B (en)
WO (1) WO2015085809A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109754270A (en) * 2019-03-08 2019-05-14 重庆市微导科技有限公司 Family terminating machine on one-stop vehicle
CN112073375A (en) * 2020-08-07 2020-12-11 中国电力科学研究院有限公司 Isolation device and isolation method suitable for power Internet of things client side
CN112327736A (en) * 2020-09-14 2021-02-05 广东联凯智能科技有限公司 Embedded programmable module for electronic products
US11928665B2 (en) 2020-07-21 2024-03-12 Mastercard International Incorporated Methods and systems for facilitating a payment transaction over a secure radio frequency connection

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103619020B (en) * 2013-12-09 2017-02-08 成都达信通通讯设备有限公司 Mobile payment security system for wireless data private network physical isolation internet
WO2015188718A1 (en) * 2014-06-10 2015-12-17 北京奇虎科技有限公司 Mobile terminal-based payment method and apparatus, and mobile terminal
CN104821992B (en) * 2015-05-25 2018-01-19 广东欧珀移动通信有限公司 A kind of method and device of mobile phone automatically switching network connection type
CN105550577A (en) * 2015-12-31 2016-05-04 宇龙计算机通信科技(深圳)有限公司 Security control method and system for terminal container
CN107274178B (en) * 2017-07-21 2020-07-17 Oppo广东移动通信有限公司 Network switching method and related product
CN107528739B (en) * 2017-09-21 2021-04-16 中国银联股份有限公司 Terminal monitoring management method and device
CN108769959A (en) * 2018-04-11 2018-11-06 南京熊猫通信科技有限公司 A kind of communication terminal near field identifying system and method based on microcell base station
US11785013B2 (en) 2018-05-18 2023-10-10 Telefonaktiebolaget Lm Ericsson (Publ) Application program access control
CN109246104B (en) * 2018-09-12 2021-06-08 安徽中科数盾科技有限公司 Security mobile police service system oriented to high-confidentiality environment
CN109981816B (en) * 2019-03-21 2023-04-18 上海风汇网络科技有限公司 Value transmission system and method based on DNS (Domain name System) and DNS server
CN111490988B (en) * 2020-04-10 2022-07-15 海南简族信息技术有限公司 Data transmission method, device, equipment and computer readable storage medium
CN113962680A (en) * 2020-07-20 2022-01-21 中移(上海)信息通信科技有限公司 Payment method, device, equipment and computer storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101923757A (en) * 2010-08-05 2010-12-22 中国科学院深圳先进技术研究院 Mobile payment management system
CN201846357U (en) * 2010-07-30 2011-05-25 杭州茵缌特科技有限公司 Security network architecture for non-field industries
KR20110069911A (en) * 2009-12-18 2011-06-24 에스케이 텔레콤주식회사 Finance settlement service method and system using a sticker card
CN103347273A (en) * 2013-07-02 2013-10-09 北京播思无线技术有限公司 Device and method for automatically selecting optimal transmission mode according to service requirements
CN103618736A (en) * 2013-12-09 2014-03-05 成都达信通通讯设备有限公司 Safety application system for mobile terminal to automatically switch between different channel networking interfaces
CN103619020A (en) * 2013-12-09 2014-03-05 成都达信通通讯设备有限公司 Mobile payment security system for wireless data private network physical isolation internet

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5778173A (en) * 1996-06-12 1998-07-07 At&T Corp. Mechanism for enabling secure electronic transactions on the open internet
CN100525523C (en) * 2003-07-28 2009-08-05 华为技术有限公司 Method for mobile terminal switching in packet network
CN103093346A (en) * 2011-10-31 2013-05-08 深圳光启高等理工研究院 Mobile terminal payment method and mobile terminal

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109754270A (en) * 2019-03-08 2019-05-14 重庆市微导科技有限公司 Family terminating machine on one-stop vehicle
CN109754270B (en) * 2019-03-08 2023-04-07 重庆市微导科技有限公司 One-stop vehicle terminal
US11928665B2 (en) 2020-07-21 2024-03-12 Mastercard International Incorporated Methods and systems for facilitating a payment transaction over a secure radio frequency connection
CN112073375A (en) * 2020-08-07 2020-12-11 中国电力科学研究院有限公司 Isolation device and isolation method suitable for power Internet of things client side
CN112073375B (en) * 2020-08-07 2023-09-26 中国电力科学研究院有限公司 Isolation device and isolation method suitable for client side of electric power Internet of things
CN112327736A (en) * 2020-09-14 2021-02-05 广东联凯智能科技有限公司 Embedded programmable module for electronic products

Also Published As

Publication number Publication date
CN103619020B (en) 2017-02-08
CN103619020A (en) 2014-03-05

Similar Documents

Publication Publication Date Title
WO2015085809A1 (en) Mobile payment security system with wireless data private network physically isolated from internet
CN113396569B (en) System and method for second factor authentication of customer support calls
US9843585B2 (en) Methods and apparatus for large scale distribution of electronic access clients
AU2009323748B2 (en) Secure transaction authentication
JP2018088292A (en) System and method for secure transaction process by mobile equipment
WO2015085808A1 (en) Secure application system with mobile terminal automatically switching different channel networking interfaces
CN108476223B (en) Method and apparatus for SIM-based authentication of non-SIM devices
CN101448001B (en) System for realizing WAP mobile banking transaction security control and method thereof
CN101986598B (en) Authentication method, server and system
US20120054837A1 (en) Network control method for controlling client-and-server based high reliability session for secure payment using multi interface user terminal in wired of wireless internet
WO2008136764A1 (en) System and method for secured data transfer over a network from a mobile device
EP3017390B1 (en) Method and system related to authentication of users for accessing data networks
TWI632798B (en) Server, mobile terminal, and network real-name authentication system and method
CN103297437A (en) Safety server access method for mobile intelligent terminal
CN102202306A (en) Mobile security authentication terminal and method
WO2014177938A2 (en) Digital credential with embedded authentication instructions
CN106230824A (en) A kind of mobile device authentic authentication system and method
CN104168565A (en) Method for controlling safe communication of intelligent terminal under undependable wireless network environment
CN103401686A (en) User Internet identity authentication system and application method thereof
US11861582B2 (en) Security protection of association between a user device and a user
KR20170070379A (en) cryptograpic communication method and system based on USIM card of mobile device
Sung et al. User authentication using mobile phones for mobile payment
CN109801423A (en) A kind of control method for vehicle and system based on bluetooth
Yuan et al. Safety analysis and strategy of Alipay
KR101480706B1 (en) Network system for providing security to intranet and method for providing security to intranet using security gateway of mobile communication network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14869798

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 05.12.2016)

122 Ep: pct application non-entry in european phase

Ref document number: 14869798

Country of ref document: EP

Kind code of ref document: A1