WO2016131272A1 - A smart card-based online authentication method, smart card and authentication server - Google Patents

A smart card-based online authentication method, smart card and authentication server (original title: 一种基于智能卡的在线认证方法、智能卡及认证服务器)

Info

Publication number
WO2016131272A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
channel
current terminal
user
terminal user
Application number
PCT/CN2015/090919
Other languages
English (en)
French (fr)
Inventor
吴传喜
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Related family publications: US20180234412A1 (application US15/749,269) and EP3334086A1 (application EP15882411.0A)
Publication of WO2016131272A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 ... for authentication of entities
    • H04L63/0853 ... using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 ... involving a third party or a trusted authority
    • H04L9/3213 ... using tickets or tokens, e.g. Kerberos
    • H04L9/3234 ... involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a smart card-based online authentication method, a smart card, and an authentication server.
  • the embodiments of the present invention provide a smart card-based online authentication method, a smart card and an authentication server, which at least solve the problems of the prior art, avoid its security risks, and improve the security level of the services provided by Internet of Things related applications.
  • a smart card-based online authentication method includes: running a first application located in the user identification authentication card; receiving, through a first channel, authentication request information transmitted directly by the current terminal user to the user identification authentication card, or authentication request information forwarded to the user identification authentication card by the authentication server; generating, by the first application, an authentication code from the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user; sending the authentication code to the authentication server through the first channel for verification; and receiving, through the first channel, the authentication result returned by the authentication server after verification.
  • when the first channel is an OMA channel, the authentication request information transmitted directly by the current terminal user to the user identification authentication card is received.
  • when the first channel is an OTA channel, the authentication request information forwarded to the user identification authentication card by the authentication server is received.
  • generating the authentication code by the first application from the authentication request information includes: parsing the authentication request information to obtain the information to be authenticated, extracting the preset authentication logic, and generating the authentication code from the information to be authenticated and the authentication logic.
  • a smart card-based online authentication method, in which the first channel is an OMA channel, includes:
  • the current terminal user initiates an authentication request and transmits the authentication request information directly, through the first channel, to the first application in the user identification authentication card;
  • the first application generates an authentication code from the authentication request information and sends it to the authentication server through the first channel for verification;
  • the authentication result is fed back through the first channel; the authentication result indicates whether the current terminal user is a legitimate user.
  • the method further includes:
  • after the current terminal user initiates the authentication request, the application management platform receives the authentication request, generates the related authentication request information including the authentication request sequence number, and returns that information to the current terminal user.
  • feeding back the authentication result through the first channel includes:
  • the authentication server sends the authentication result to the application management platform through the OMA channel, and the application management platform forwards the result to the current terminal user.
  • a smart card-based online authentication method, in which the first channel is an OTA channel, includes:
  • the current terminal user initiates an authentication request, and the authentication request information is forwarded by the authentication server, through the first channel, to the first application in the user identification authentication card;
  • the first application generates an authentication code from the authentication request information and sends it to the authentication server through the first channel for verification;
  • the authentication result is fed back through the first channel; the authentication result indicates whether the current terminal user is a legitimate user.
  • the method further includes:
  • after the current terminal user initiates the authentication request, the application management platform receives the authentication request, generates the related authentication request information including the authentication request sequence number, and returns that information to the current terminal user.
  • feeding back the authentication result through the first channel includes:
  • the authentication server sends the authentication result to the application management platform through the OTA channel, and the application management platform forwards the result to the current terminal user.
  • a smart card that contains the first application includes:
  • a running unit configured to run the first application located in the user identification authentication card;
  • a first receiving unit configured to receive, through the first channel, authentication request information transmitted directly by the current terminal user to the user identification authentication card, or authentication request information forwarded to the user identification authentication card by the authentication server;
  • an authentication code generating unit configured to generate, by the first application, an authentication code from the authentication request information, where the authentication code is used to identify whether the current terminal user is a legitimate user;
  • a sending unit configured to send the authentication code to the authentication server through the first channel for verification;
  • a second receiving unit configured to receive, through the first channel, the authentication result returned by the authentication server after verification, so as to determine whether the current terminal user is a legitimate user.
  • the first receiving unit is further configured to: when the first channel is an OMA channel, receive the authentication request information transmitted directly by the current terminal user to the user identification authentication card.
  • the first receiving unit is further configured to: when the first channel is an OTA channel, receive the authentication request information forwarded to the user identification authentication card by the authentication server.
  • the authentication code generating unit is further configured to parse the authentication request information to obtain the information to be authenticated, extract the preset authentication logic, and generate the authentication code from the information to be authenticated and the authentication logic.
  • the running unit, the first receiving unit, the authentication code generating unit, the sending unit and the second receiving unit may be implemented, when performing processing, by a central processing unit (CPU), a digital signal processor (DSP) or a field-programmable gate array (FPGA).
  • An authentication system according to an embodiment of the present invention includes:
  • a running unit configured to run the first application located in the user identification authentication card;
  • a transmitting unit configured to let the current terminal user initiate an authentication request and transmit the authentication request information directly, through the first channel, to the first application in the user identification authentication card;
  • an authentication code generating unit configured to generate, by the first application, an authentication code from the authentication request information, where the authentication code is used to identify whether the current terminal user is a legitimate user;
  • a sending unit configured to send the authentication code to the authentication server through the first channel for verification;
  • a feedback unit configured to feed back the authentication result through the first channel, the authentication result indicating whether the current terminal user is a legitimate user.
  • the first channel is an OMA channel.
  • the system further includes an interaction unit configured so that, after the current terminal user initiates the authentication request, the application management platform receives the authentication request, generates the related authentication request information including the authentication request sequence number, and returns that information to the current terminal user.
  • the feedback unit is further configured so that the authentication server sends the authentication result to the application management platform through the OMA channel, and the application management platform forwards the result to the current terminal user.
  • the running unit, the transmitting unit, the authentication code generating unit, the sending unit, the feedback unit and the interaction unit may be implemented, when performing processing, by a central processing unit (CPU), a digital signal processor (DSP) or a field-programmable gate array (FPGA).
  • An authentication system according to an embodiment of the present invention includes:
  • a running unit configured to run the first application located in the user identification authentication card;
  • a transmitting unit configured to let the current terminal user initiate an authentication request and have the authentication request information forwarded, through the first channel, to the first application in the user identification authentication card;
  • an authentication code generating unit configured to generate, by the first application, an authentication code from the authentication request information, where the authentication code is used to identify whether the current terminal user is a legitimate user;
  • a sending unit configured to send the authentication code to the authentication server through the first channel for verification;
  • a feedback unit configured to feed back the authentication result through the first channel, the authentication result indicating whether the current terminal user is a legitimate user.
  • the first channel is an OTA channel.
  • the system further includes an interaction unit configured so that, after the current terminal user initiates the authentication request, the application management platform receives the authentication request, generates the related authentication request information including the authentication request sequence number, and returns that information to the current terminal user.
  • the feedback unit is further configured so that the authentication server sends the authentication result to the application management platform through the OTA channel, and the application management platform forwards the result to the current terminal user.
  • the running unit, the transmitting unit, the authentication code generating unit, the sending unit, the feedback unit and the interaction unit may be implemented, when performing processing, by a central processing unit (CPU), a digital signal processor (DSP) or a field-programmable gate array (FPGA).
  • a smart card-based online authentication method includes: running a first application located in a user identification authentication card; receiving, through the first channel, authentication request information transmitted directly by the current terminal user to the user identification authentication card, or authentication request information transmitted by the current terminal user to the user identification authentication card via the authentication server; generating, by the first application, an authentication code from the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user; sending the authentication code to the authentication server through the first channel for verification; and receiving, through the first channel, the authentication result fed back by the authentication server, so as to determine whether the current terminal user is a legitimate user.
  • in this way the authentication request information is transmitted over the first channel to the authentication application in the user identification authentication card for identity authentication, the first application and the authentication server interact over that channel, and the authentication result fed back by the authentication server determines whether the current terminal user is a legitimate user. Because the authentication logic runs inside the card and the verification is done by the authentication server, the security risks of the prior art are avoided and the security level of the service provided by the Internet of Things related application is improved.
  • FIG. 1 is a schematic flowchart of an implementation process according to an embodiment of the present invention
  • FIG. 2 is a schematic structural diagram of a unit structure of a smart card according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of a component of an authentication system according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of online authentication based on OMA channel according to application example 1 of the embodiment of the present invention.
  • FIG. 5 is a schematic diagram of online authentication based on an OTA channel according to an application example 2 of the embodiment of the present invention.
  • a smart card-based online authentication method is provided in the embodiment of the present invention. As shown in FIG. 1 , the method includes:
  • Step 101: run a first application located in a user identification authentication card;
  • the user identification authentication card may be a smart card, and the first application may be an authentication application;
  • Step 102: receive, through a first channel, authentication request information transmitted directly by the current terminal user to the user identification authentication card, or authentication request information forwarded to the user identification authentication card by the authentication server on behalf of the current terminal user;
  • the first channel is a secure channel, which may be an OMA channel or an OTA channel;
  • Step 103: the first application generates an authentication code from the authentication request information, where the authentication code is used to identify whether the current terminal user is a legitimate user;
  • Step 104: send the authentication code to the authentication server through the first channel for verification;
  • Step 105: receive, through the first channel, the authentication result returned by the authentication server after verification, so as to determine whether the current terminal user is a legitimate user.
  • as shown in FIG. 2, the smart card that contains the first application includes:
  • the running unit 11, configured to run the first application located in the user identification authentication card;
  • the first receiving unit 12, configured to receive, through the first channel, authentication request information transmitted directly by the current terminal user to the user identification authentication card, or authentication request information forwarded to the user identification authentication card by the authentication server;
  • the authentication code generating unit 13, configured to generate, by the first application, an authentication code from the authentication request information, where the authentication code is used to identify whether the current terminal user is a legitimate user;
  • the sending unit 14, configured to send the authentication code to the authentication server through the first channel for verification;
  • the second receiving unit 15, configured to receive, through the first channel, the authentication result returned by the authentication server after verification, so as to determine whether the current terminal user is a legitimate user.
  • the first receiving unit is further configured to: when the first channel is an OMA channel, receive the authentication request information transmitted directly by the current terminal user to the user identification authentication card.
  • the first receiving unit is further configured to: when the first channel is an OTA channel, receive the authentication request information forwarded to the user identification authentication card by the authentication server.
  • the authentication code generating unit is further configured to parse the authentication request information to obtain the information to be authenticated, extract the preset authentication logic, and generate the authentication code from the information to be authenticated and the authentication logic.
  • An authentication system according to an embodiment of the present invention, as shown in FIG. 3, the system includes:
  • the operating unit 21 is configured to run the first application located in the user identification authentication card
  • the transmitting unit 22 is configured to initiate an authentication request by the current terminal user, and directly transmit the authentication request information to the first application in the user identification authentication card by using the first channel;
  • the authentication code generating unit 23 is configured to generate, by the first application, an authentication code according to the authentication request information, where the authentication code is used to identify whether the current terminal user is a legitimate user;
  • the sending unit 24 is configured to send the authentication code to the authentication server for verification by using the first channel
  • the authentication unit 25 is configured to verify the authentication code at the authentication server;
  • the feedback unit 26 is configured to feed back the authentication result through the first channel after the authentication server has verified the code; the authentication result indicates whether the current terminal user is a legitimate user.
  • the running unit 21, the transmitting unit 22, the authentication code generating unit 23 and the sending unit 24 may be located in the smart card; the authentication unit 25 and the feedback unit 26 may be located in the authentication server; the terminal used by the current terminal user communicates with the smart card and with the application management platform, and the application management platform interacts with the smart card and with the authentication server respectively.
  • the first channel is an OMA channel.
  • the system further includes an interaction unit configured so that, after the current terminal user initiates the authentication request, the application management platform receives the authentication request, generates the related authentication request information including the authentication request sequence number, and returns that information to the current terminal user.
  • the feedback unit is further configured so that the authentication server sends the authentication result to the application management platform through the OMA channel, and the application management platform forwards the result to the current terminal user.
  • An authentication system according to an embodiment of the present invention, as shown in FIG. 3, the system includes:
  • the operating unit 21 is configured to run the first application located in the user identification authentication card
  • the transmitting unit 22 is configured to initiate an authentication request by the current terminal user, and forward the authentication request information to the first application in the user identification authentication card by using the first channel;
  • the authentication code generating unit 23 is configured to generate, by the first application, an authentication code according to the authentication request information, where the authentication code is used to identify whether the current terminal user is a legitimate user;
  • the sending unit 24 is configured to send the authentication code to the authentication server for verification by using the first channel
  • the authentication unit 25 is configured to verify the authentication code at the authentication server;
  • the feedback unit 26 is configured to feed back the authentication result through the first channel after the authentication server has verified the code; the authentication result indicates whether the current terminal user is a legitimate user.
  • the running unit 21, the transmitting unit 22, the authentication code generating unit 23 and the sending unit 24 may be located in the smart card; the authentication unit 25 and the feedback unit 26 may be located in the authentication server; the terminal used by the current terminal user communicates with the smart card and with the application management platform, and the application management platform interacts with the smart card and with the authentication server respectively.
  • the first channel is an OTA channel.
  • the system further includes an interaction unit configured so that, after the current terminal user initiates the authentication request, the application management platform receives the authentication request, generates the related authentication request information including the authentication request sequence number, and returns that information to the current terminal user.
  • the feedback unit is further configured so that the authentication server sends the authentication result to the application management platform through the OTA channel, and the application management platform forwards the result to the current terminal user.
  • the application scenario is smart card-based online authentication.
  • the method mainly includes the following. Obtaining the authentication request means transmitting the authentication request information to the authentication application in the user card (smart card) of the mobile terminal, which is the application responsible for authentication.
  • the authentication request is passed by the terminal, either directly or through the authentication server, to an authentication application on the user card, such as an applet.
  • it is an online authentication method: the authentication process requires the local side and the remote authentication server to cooperate to complete identity verification, and the identity verification information generally has to be authenticated by the network.
  • the local part of the authentication is performed on the terminal side, and the user can flexibly choose which local mode is used, such as no local authentication, a local personal code, fingerprint authentication, and so on.
  • the local authentication mode set by the user exists only in the user card of the smartphone and is never transmitted outside it, which keeps the local authentication mode secure.
  • as shown in FIG. 4, online authentication over the OMA channel includes the following steps:
  • Step 201: the terminal initiates an authentication request, and the application platform returns the related authentication request information, such as the authentication request sequence number.
  • Step 202: the terminal sends the authentication request directly to the smart card authentication application over the OMA channel.
  • Step 203: the smart card authentication application selects the authentication method corresponding to the authentication request, performs the operation, and generates an authentication code.
  • Step 204: the authentication code is transmitted to the authentication server over the OMA channel.
  • Step 205: the authentication server verifies the authentication code and returns the authentication result to the application platform.
  • Step 206: the application platform forwards the result to the terminal.
  • as shown in FIG. 5, online authentication over the OTA channel includes the following steps:
  • Step 301: the terminal initiates an authentication request, and the application platform sends the authentication request information to the authentication server.
  • Step 302: the authentication server sends the authentication request information to the smart card authentication application in the form of an OTA short message.
  • Step 303: the smart card authentication application selects the authentication method corresponding to the authentication request, performs the operation, and generates an authentication code.
  • Step 304: the authentication code is transmitted to the authentication server over the OTA channel.
  • Step 305: the authentication server verifies the authentication code and returns the authentication result to the application platform.
  • Step 306: the application platform forwards the result to the terminal.
  • an online authentication system mainly includes: a smart card authentication application (located in a smart card), a secure channel, and an authentication server.
  • the authentication card application mainly stores the authentication information and the authentication operation logic. After receiving the authentication request, the authentication identity code is generated according to the agreed authentication method, and then sent to the server for verification through a secure channel.
  • the authentication server is responsible for providing authentication identity authentication, authentication and authorization, cloud capability opening, security policies and rules, and so on.
  • the secure channel mainly includes an OTA channel and an OMA (Open Mobile API) card channel.
  • the OMA channel has a high transmission rate and can be used to transfer large amounts of data, whereas the capacity of OTA short message transfer is limited and subject to a certain delay, so it is suitable only for transferring small amounts of information.
  • an online authentication system mainly includes: an application management platform, a smart card, a secure channel, and an authentication server.
  • the authentication card application is located in the smart card, and mainly stores the authentication information and the authentication operation logic, and generates an authentication identity code according to the agreed authentication method after receiving the authentication request, and then sends the authentication identity code to the server for verification.
  • the authentication server is responsible for providing authentication identity authentication, authentication and authorization, cloud capability opening, security policies and rules, and so on.
  • the secure channel mainly includes the over-the-air (OTA) channel and the open mobile application interface (OMA).
  • OTA over-the-air
  • OMA open mobile application interface
  • the smart card authentication application can be pre-installed or downloaded over the air to the smart card, complete the necessary information synchronization such as session key synchronization and PKI key pair generation, and then, after binding with the Internet of Things application, service authentication can begin.
  • channel security: the OMA secure channel can only be opened by applications that comply with the security rules; OTA SMS is sent by the server to the smart card with the transmitted content encrypted under the session key, so it is difficult for a terminal application to intercept. At the same time, the access rights of these two types of channel are strictly controlled by the operators, which ensures the security of channel transmission.
  • the integrated modules described in the embodiments of the present invention may also be stored in a computer readable storage medium if they are implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solution of the embodiments of the present invention may be embodied in the form of a software product in essence or in the form of a software product stored in a storage medium, including a plurality of instructions.
  • a computer device (which may be a personal computer, server, or network device, etc.) is caused to perform all or part of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like.
  • embodiments of the invention are not limited to any specific combination of hardware and software.
  • the embodiment of the present invention further provides a computer storage medium, wherein a computer program is stored, and the computer program is used to execute a smart card-based online authentication method according to an embodiment of the present invention.
  • the authentication request information is transmitted over the first channel to the authentication application in the user identification authentication card for identity authentication; correspondingly, the first application interacts with the authentication server, and the authentication result fed back after verification by the authentication server determines whether the current terminal user is a legitimate user. Security risks are therefore avoided, and the security level of the service provided by the Internet of Things related application is also improved.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Telephone Function (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present invention discloses a smart card-based online authentication method, a smart card and an authentication server. The method includes: running a first application located in a user identification authentication card; receiving, through a first channel, authentication request information transmitted by the current terminal user directly to the user identification authentication card, or receiving authentication request information transmitted by the current terminal user to the user identification authentication card via forwarding by an authentication server; generating, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user; sending the authentication code to the authentication server through the first channel for verification; and receiving, through the first channel, the authentication result fed back by the authentication server after verification, so as to decide whether the current terminal user is a legitimate user.

Description

Online authentication method based on smart card, smart card and authentication server
Technical Field
The present invention relates to the field of communication technology, and in particular to a smart card-based online authentication method, a smart card and an authentication server.
Background
In the course of implementing the technical solution of the embodiments of the present application, the inventor found at least the following technical problems in the related art:
With the development of the Internet and the emergence of the Internet of Things, security incidents of all kinds keep appearing. Major network security incidents, such as the vulnerability in Ctrip's secure payment logs, the leakage of customer data from numerous hotels, counterfeit online banking and counterfeit WeChat clients, ransomware and a series of other insecure events, have led to the leakage of large numbers of user accounts, identity information and financial information. In the Internet of Things field, all devices will be connected to the Internet and communicate with each other. For users, on the one hand, they are about to enter an era of efficient and convenient smart homes; on the other hand, once a user's smart home devices, such as refrigerators, thermostats or home security cameras, are connected to the network, they become as vulnerable to attack, failure or disruption as computers. In fact, smart home and other IoT devices are more vulnerable to attack and compromise than traditional computing devices (such as computers, laptops, mobile phones or tablets).
The Internet of Things is still in its infancy; its security controls are not strong enough, it has security vulnerabilities and is easily attacked by hackers. For most users, connecting everything to the Internet brings convenience to their lives, but if the security of these IoT-related applications cannot be guaranteed and security risks exist, it is very dangerous for the user.
Summary of the Invention
In view of this, the embodiments of the present invention are intended to provide a smart card-based online authentication method, a smart card and an authentication server, which at least solve the problems in the prior art, avoid security risks, and raise the security level of the services that IoT-related applications provide to users.
The technical solution of the embodiments of the present invention is implemented as follows:
A smart card-based online authentication method of an embodiment of the present invention includes:
running a first application located in a user identification authentication card;
receiving, through a first channel, authentication request information transmitted by a current terminal user directly to the user identification authentication card, or receiving authentication request information transmitted by the current terminal user to the user identification authentication card via forwarding by an authentication server;
generating, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
sending the authentication code to the authentication server through the first channel for verification;
receiving, through the first channel, the authentication result fed back by the authentication server after verification, so as to decide whether the current terminal user is a legitimate user.
In the above solution, when the first channel is an OMA channel, the authentication request information transmitted by the current terminal user directly to the user identification authentication card is received.
In the above solution, when the first channel is an OTA channel, the authentication request information transmitted by the current terminal user to the user identification authentication card via forwarding by the authentication server is received.
In the above solution, generating, by the first application, the authentication code according to the authentication request information includes:
parsing the authentication request information to obtain information to be authenticated;
extracting preset authentication logic, and generating the authentication code according to the information to be authenticated and the authentication logic.
A smart card-based online authentication method of an embodiment of the present invention includes:
running a first application located in a user identification authentication card;
a current terminal user initiating an authentication request and transmitting the authentication request information directly, through a first channel, to the first application in the user identification authentication card;
generating, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
sending the authentication code to an authentication server through the first channel for verification;
after the authentication server verifies, feeding back an authentication result through the first channel, the authentication result being used to indicate whether the current terminal user is a legitimate user.
In the above solution, the first channel is an OMA channel.
In the above solution, the method further includes:
after the current terminal user initiates the authentication request, an application management platform receives the authentication request, generates related authentication request information including an authentication request sequence number, and returns it to the current terminal user.
In the above solution, feeding back the authentication result through the first channel after the authentication server verifies includes:
the authentication server feeding back the authentication result to the application management platform through the OMA channel, and the application management platform forwarding it to the current terminal user.
A smart card-based online authentication method of an embodiment of the present invention includes:
running a first application located in a user identification authentication card;
a current terminal user initiating an authentication request and transmitting the authentication request information, through a first channel and via forwarding by an authentication server, to the first application in the user identification authentication card;
generating, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
sending the authentication code to the authentication server through the first channel for verification;
after the authentication server verifies, feeding back an authentication result through the first channel, the authentication result being used to indicate whether the current terminal user is a legitimate user.
In the above solution, the first channel is an OTA channel.
In the above solution, the method further includes:
after the current terminal user initiates the authentication request, an application management platform receives the authentication request, generates related authentication request information including an authentication request sequence number, and returns it to the current terminal user.
In the above solution, feeding back the authentication result through the first channel after the authentication server verifies includes:
the authentication server feeding back the authentication result to the application management platform through the OTA channel, and the application management platform forwarding it to the current terminal user.
A smart card of an embodiment of the present invention includes a first application, and the smart card includes:
a running unit, configured to run the first application located in the user identification authentication card;
a first receiving unit, configured to receive, through a first channel, authentication request information transmitted by a current terminal user directly to the user identification authentication card, or to receive authentication request information transmitted by the current terminal user to the user identification authentication card via forwarding by an authentication server;
an authentication code generating unit, configured to generate, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
a sending unit, configured to send the authentication code to the authentication server through the first channel for verification;
a second receiving unit, configured to receive, through the first channel, the authentication result fed back by the authentication server after verification, so as to decide whether the current terminal user is a legitimate user.
In the above solution, the first receiving unit is further configured to, when the first channel is an OMA channel, receive the authentication request information transmitted by the current terminal user directly to the user identification authentication card.
In the above solution, the first receiving unit is further configured to, when the first channel is an OTA channel, receive the authentication request information transmitted by the current terminal user to the user identification authentication card via forwarding by the authentication server.
In the above solution, the authentication code generating unit is further configured to parse the authentication request information to obtain information to be authenticated, extract preset authentication logic, and generate the authentication code according to the information to be authenticated and the authentication logic.
When performing processing, the running unit, the first receiving unit, the authentication code generating unit, the sending unit and the second receiving unit may be implemented by a central processing unit (CPU), a digital signal processor (DSP) or a field-programmable gate array (FPGA).
An authentication system of an embodiment of the present invention includes:
a running unit, configured to run a first application located in a user identification authentication card;
a transmission unit, configured to, when a current terminal user initiates an authentication request, transmit the authentication request information directly through a first channel to the first application in the user identification authentication card;
an authentication code generating unit, configured to generate, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
a sending unit, configured to send the authentication code to an authentication server through the first channel for verification;
a feedback unit, configured to feed back an authentication result through the first channel after the authentication server verifies, the authentication result being used to indicate whether the current terminal user is a legitimate user.
In the above solution, the first channel is an OMA channel.
In the above solution, the system further includes an interaction unit, configured so that after the current terminal user initiates the authentication request, an application management platform receives the authentication request, generates related authentication request information including an authentication request sequence number, and returns it to the current terminal user.
In the above solution, the feedback unit is further configured so that the authentication server feeds back the authentication result to the application management platform through the OMA channel, and the application management platform forwards it to the current terminal user.
When performing processing, the running unit, the transmission unit, the authentication code generating unit, the sending unit, the feedback unit and the interaction unit are implemented by a central processing unit (CPU), a digital signal processor (DSP) or a field-programmable gate array (FPGA).
An authentication system of an embodiment of the present invention includes:
a running unit, configured to run a first application located in a user identification authentication card;
a transmission unit, configured to, when a current terminal user initiates an authentication request, transmit the authentication request information through a first channel, via forwarding by an authentication server, to the first application in the user identification authentication card;
an authentication code generating unit, configured to generate, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
a sending unit, configured to send the authentication code to the authentication server through the first channel for verification;
a feedback unit, configured to feed back an authentication result through the first channel after the authentication server verifies, the authentication result being used to indicate whether the current terminal user is a legitimate user.
In the above solution, the first channel is an OTA channel.
In the above solution, the system further includes an interaction unit, configured so that after the current terminal user initiates the authentication request, an application management platform receives the authentication request, generates related authentication request information including an authentication request sequence number, and returns it to the current terminal user.
In the above solution, the feedback unit is further configured so that the authentication server feeds back the authentication result to the application management platform through the OTA channel, and the application management platform forwards it to the current terminal user.
When performing processing, the running unit, the transmission unit, the authentication code generating unit, the sending unit, the feedback unit and the interaction unit may be implemented by a central processing unit (CPU), a digital signal processor (DSP) or a field-programmable gate array (FPGA).
A smart card-based online authentication method of an embodiment of the present invention includes: running a first application located in a user identification authentication card; receiving, through a first channel, authentication request information transmitted by a current terminal user directly to the user identification authentication card, or receiving authentication request information transmitted by the current terminal user to the user identification authentication card via forwarding by an authentication server; generating, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user; sending the authentication code to the authentication server through the first channel for verification; and receiving, through the first channel, the authentication result fed back by the authentication server after verification, so as to decide whether the current terminal user is a legitimate user.
With the embodiments of the present invention, since the first channel is a dedicated secure channel, the authentication request information is transmitted over the first channel to the authentication application in the user identification authentication card for identity authentication; correspondingly, the first application interacts with the authentication server, and the authentication result fed back after verification by the authentication server determines whether the current terminal user is a legitimate user. Security risks are thereby avoided, and the security level of the services that IoT-related applications provide to users is raised.
Brief Description of the Drawings
Fig. 1 is a schematic diagram of the implementation flow of an embodiment of the present invention;
Fig. 2 is a schematic diagram of the unit composition of a smart card of an embodiment of the present invention;
Fig. 3 is a schematic diagram of the composition of an authentication system of an embodiment of the present invention;
Fig. 4 is a schematic diagram of online authentication over an OMA channel in application example one, which applies an embodiment of the present invention;
Fig. 5 is a schematic diagram of online authentication over an OTA channel in application example two, which applies an embodiment of the present invention.
Detailed Description
The implementation of the technical solution is described in further detail below with reference to the drawings.
A smart card-based online authentication method of an embodiment of the present invention, as shown in Fig. 1, includes:
Step 101: running a first application located in a user identification authentication card;
Here, the user identification authentication card may be a smart card, and the first application may be an authentication application;
Step 102: receiving, through a first channel, authentication request information transmitted by a current terminal user directly to the user identification authentication card, or receiving authentication request information transmitted by the current terminal user to the user identification authentication card via forwarding by an authentication server;
Here, the first channel may be a secure channel, including an OMA channel and an OTA channel;
Step 103: generating, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
Step 104: sending the authentication code to the authentication server through the first channel for verification;
Step 105: receiving, through the first channel, the authentication result fed back by the authentication server after verification, so as to decide whether the current terminal user is a legitimate user.
In an implementation of the embodiment of the present invention, when the first channel is an OMA channel, the authentication request information transmitted by the current terminal user directly to the user identification authentication card is received.
In an implementation of the embodiment of the present invention, when the first channel is an OTA channel, the authentication request information transmitted by the current terminal user to the user identification authentication card via forwarding by the authentication server is received.
In an implementation of the embodiment of the present invention, generating, by the first application, the authentication code according to the authentication request information includes:
parsing the authentication request information to obtain information to be authenticated;
extracting preset authentication logic, and generating the authentication code according to the information to be authenticated and the authentication logic.
A smart card-based online authentication method of an embodiment of the present invention includes:
running a first application located in a user identification authentication card;
a current terminal user initiating an authentication request and transmitting the authentication request information directly, through a first channel, to the first application in the user identification authentication card;
generating, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
sending the authentication code to an authentication server through the first channel for verification;
after the authentication server verifies, feeding back an authentication result through the first channel, the authentication result being used to indicate whether the current terminal user is a legitimate user.
In an implementation of the embodiment of the present invention, the first channel is an OMA channel.
In an implementation of the embodiment of the present invention, the method further includes:
after the current terminal user initiates the authentication request, an application management platform receives the authentication request, generates related authentication request information including an authentication request sequence number, and returns it to the current terminal user.
In an implementation of the embodiment of the present invention, feeding back the authentication result through the first channel after the authentication server verifies includes:
the authentication server feeding back the authentication result to the application management platform through the OMA channel, and the application management platform forwarding it to the current terminal user.
A smart card-based online authentication method of an embodiment of the present invention includes:
running a first application located in a user identification authentication card;
a current terminal user initiating an authentication request and transmitting the authentication request information, through a first channel and via forwarding by an authentication server, to the first application in the user identification authentication card;
generating, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
sending the authentication code to the authentication server through the first channel for verification;
after the authentication server verifies, feeding back an authentication result through the first channel, the authentication result being used to indicate whether the current terminal user is a legitimate user.
In an implementation of the embodiment of the present invention, the first channel is an OTA channel.
In an implementation of the embodiment of the present invention, the method further includes:
after the current terminal user initiates the authentication request, an application management platform receives the authentication request, generates related authentication request information including an authentication request sequence number, and returns it to the current terminal user.
In an implementation of the embodiment of the present invention, feeding back the authentication result through the first channel after the authentication server verifies includes:
the authentication server feeding back the authentication result to the application management platform through the OTA channel, and the application management platform forwarding it to the current terminal user.
A smart card of an embodiment of the present invention, as shown in Fig. 2, includes a first application, and the smart card includes:
a running unit 11, configured to run the first application located in the user identification authentication card;
a first receiving unit 12, configured to receive, through a first channel, authentication request information transmitted by a current terminal user directly to the user identification authentication card, or to receive authentication request information transmitted by the current terminal user to the user identification authentication card via forwarding by an authentication server;
an authentication code generating unit 13, configured to generate, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
a sending unit 14, configured to send the authentication code to the authentication server through the first channel for verification;
a second receiving unit 15, configured to receive, through the first channel, the authentication result fed back by the authentication server after verification, so as to decide whether the current terminal user is a legitimate user.
In an implementation of the embodiment of the present invention, the first receiving unit is further configured to, when the first channel is an OMA channel, receive the authentication request information transmitted by the current terminal user directly to the user identification authentication card.
In an implementation of the embodiment of the present invention, the first receiving unit is further configured to, when the first channel is an OTA channel, receive the authentication request information transmitted by the current terminal user to the user identification authentication card via forwarding by the authentication server.
In an implementation of the embodiment of the present invention, the authentication code generating unit is further configured to parse the authentication request information to obtain information to be authenticated, extract preset authentication logic, and generate the authentication code according to the information to be authenticated and the authentication logic.
An authentication system of an embodiment of the present invention, as shown in Fig. 3, includes:
a running unit 21, configured to run a first application located in a user identification authentication card;
a transmission unit 22, configured to, when a current terminal user initiates an authentication request, transmit the authentication request information directly through a first channel to the first application in the user identification authentication card;
an authentication code generating unit 23, configured to generate, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
a sending unit 24, configured to send the authentication code to an authentication server through the first channel for verification;
an authentication unit 25, configured so that the authentication server verifies the authentication code;
a feedback unit 26, configured to feed back an authentication result through the first channel after the authentication server verifies, the authentication result being used to indicate whether the current terminal user is a legitimate user.
Among the constituent units of the above system, the running unit 21, the transmission unit 22, the authentication code generating unit 23 and the sending unit 24 may be located in the smart card; the authentication unit 25 and the feedback unit 26 may be located in the authentication server; the terminal used by the current terminal user communicates and interacts with the smart card and with the application management platform respectively, and the application management platform interacts with the smart card and with the authentication server respectively.
In an implementation of the embodiment of the present invention, the first channel is an OMA channel.
In an implementation of the embodiment of the present invention, the system further includes an interaction unit, configured so that after the current terminal user initiates the authentication request, the application management platform receives the authentication request, generates related authentication request information including an authentication request sequence number, and returns it to the current terminal user.
In an implementation of the embodiment of the present invention, the feedback unit is further configured so that the authentication server feeds back the authentication result to the application management platform through the OMA channel, and the application management platform forwards it to the current terminal user.
An authentication system of an embodiment of the present invention, as shown in Fig. 3, includes:
a running unit 21, configured to run a first application located in a user identification authentication card;
a transmission unit 22, configured to, when a current terminal user initiates an authentication request, transmit the authentication request information through a first channel, via forwarding by an authentication server, to the first application in the user identification authentication card;
an authentication code generating unit 23, configured to generate, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
a sending unit 24, configured to send the authentication code to the authentication server through the first channel for verification;
an authentication unit 25, configured so that the authentication server verifies the authentication code;
a feedback unit 26, configured to feed back an authentication result through the first channel after the authentication server verifies, the authentication result being used to indicate whether the current terminal user is a legitimate user.
Among the constituent units of the above system, the running unit 21, the transmission unit 22, the authentication code generating unit 23 and the sending unit 24 may be located in the smart card; the authentication unit 25 and the feedback unit 26 may be located in the authentication server; the terminal used by the current terminal user communicates and interacts with the smart card and with the application management platform respectively, and the application management platform interacts with the smart card and with the authentication server respectively.
In an implementation of the embodiment of the present invention, the first channel is an OTA channel.
In an implementation of the embodiment of the present invention, the system further includes an interaction unit, configured so that after the current terminal user initiates the authentication request, the application management platform receives the authentication request, generates related authentication request information including an authentication request sequence number, and returns it to the current terminal user.
In an implementation of the embodiment of the present invention, the feedback unit is further configured so that the authentication server feeds back the authentication result to the application management platform through the OTA channel, and the application management platform forwards it to the current terminal user.
An embodiment of the present invention is described below, taking a real application scenario as an example:
This application scenario is a smart card-based online authentication scenario. To solve the security problems of terminal devices in today's IoT application environment, avoid security risks and raise the security level, this application scenario applies an embodiment of the present invention as a smart card-based online authentication scheme. The method mainly includes: the authentication request acquisition mode, which refers to delivering the authentication request information to the mobile terminal responsible for authentication or to the authentication user-card application on the smart card. The terminal delivers the authentication request, directly or through the authentication server, to the authentication application on the user card, such as an Applet. In this case it is an online authentication mode, that is, the authentication process requires the local side and the remote authentication server to cooperate with each other to complete identity verification, and the identity verification information generally needs to be delivered over the network. There is also a local authentication mode, in which the authentication process is completed locally on the terminal; the user can flexibly set which mode is used, such as no local authentication, a local personal code, fingerprint authentication and so on. The local authentication mode set by the user exists only in the user card of the smartphone and is not delivered outward, which guarantees the security of the local authentication and verification mode.
Application example one:
Online authentication, with information transmitted over an OMA secure channel, as shown in Fig. 4; the method includes the following steps:
Step 201: the terminal initiates an authentication request, and the application platform returns related authentication request information such as an authentication request sequence number;
Step 202: the authentication request is sent directly from the terminal to the smart card authentication application over the OMA channel.
Step 203: the smart card authentication application selects the authentication method corresponding to the authentication request, performs the computation and produces an authentication code.
Step 204: the authentication code is transmitted to the authentication server over the OMA channel;
Step 205: after the authentication server checks the computation, the authentication result is returned to the application platform.
Step 206: the application platform forwards the result to the terminal.
Application example two:
Online authentication, with information transmitted over an OTA secure channel, as shown in Fig. 5; the method includes the following steps:
Step 301: the terminal initiates an authentication request, and the application platform sends the application authentication request information to the authentication server.
Step 302: the authentication server sends the authentication request information to the smart card authentication application in the form of an OTA short message.
Step 303: the smart card authentication application selects the authentication method corresponding to the authentication request, performs the computation and produces an authentication code.
Step 304: the authentication code is transmitted to the authentication server over the OTA channel;
Step 305: after the authentication server checks the computation, the authentication result is returned to the application platform.
Step 306: the application platform forwards the result to the terminal.
Correspondingly, for the above application examples, a specific instance of an online authentication system provided by this scheme mainly includes: a smart card authentication application (located in the smart card), a secure channel and an authentication server. The authentication card application mainly stores the authentication information and the authentication computation logic; after receiving an authentication request, it generates an authentication identity code according to the agreed authentication method and then sends it to the server through the secure channel for verification. The authentication server is responsible for providing verification of the authentication identity code, authentication and authorization, cloud capability exposure, security policies and rules, and so on. The secure channel mainly includes the OTA channel and the OMA (Open Mobile API) terminal-card channel. The OMA channel has a high transmission rate and can be used to transfer large amounts of data, whereas the capacity of OTA SMS transfer is limited and subject to a certain delay, so it is suitable only for transferring small amounts of information.
Correspondingly, for the above application examples, another specific instance of an online authentication system provided by this scheme mainly includes: an application management platform, a smart card, a secure channel and an authentication server. The authentication card application is located in the smart card and mainly stores the authentication information and the authentication computation logic; after receiving an authentication request, it generates an authentication identity code according to the agreed authentication method and then sends it to the server through the secure channel for verification. The authentication server is responsible for providing verification of the authentication identity code, authentication and authorization, cloud capability exposure, security policies and rules, and so on. The secure channel mainly includes the over-the-air (OTA, Over-the-Air Technology) channel and the open mobile application programming interface (OMA, Open Mobile API) terminal-card channel. The OMA channel has a high transmission rate and is used to transfer large amounts of data, whereas the capacity of OTA SMS transfer is limited and subject to a certain delay, so it is suitable only for transferring small amounts of information.
It should be pointed out here that the smart card authentication application can be pre-installed or downloaded over the air into the smart card, complete the necessary information synchronisation such as session key synchronisation and PKI key pair generation, and then, after being bound to the IoT application, service authentication can begin.
In summary, the advantages of adopting the embodiments of the present invention and the above specific instances are mainly reflected in the following aspects:
(1) Security of the smart card. Current UICC cards have a high level of security: they have a strict security access control mechanism, and any application that wants to access the smart card must comply with the security access rules, which provides the highest level of security protection currently available for the information and algorithms inside the card.
(2) Security of the channel. The OMA secure channel can only be opened by applications that comply with the security rules; OTA SMS is sent by the server to the smart card with the transmitted content encrypted under the session key, so it is difficult for terminal applications to intercept. At the same time, the access rights for both types of channel are strictly held by the operator, which guarantees the security of channel transmission.
(3) Flexibility and security of the algorithm. The authentication code is generated from the unique static card information stored in the smart card together with other dynamic information, using existing advanced algorithms, or a PKI-based asymmetric key algorithm is used. In actual use, the algorithm can be chosen according to the security level required by the IoT application, which gives a high degree of flexibility.
If the integrated modules described in the embodiments of the present invention are implemented in the form of software functional modules and sold or used as independent products, they may also be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the methods described in the various embodiments of the present invention. The foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk and other media that can store program code. In this way, the embodiments of the present invention are not limited to any specific combination of hardware and software.
Correspondingly, an embodiment of the present invention further provides a computer storage medium in which a computer program is stored, the computer program being used to execute a smart card-based online authentication method of an embodiment of the present invention.
The above is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention.
Industrial Applicability
With the embodiments of the present invention, since the first channel is a dedicated secure channel, the authentication request information is transmitted over the first channel to the authentication application in the user identification authentication card for identity authentication; correspondingly, the first application interacts with the authentication server, and the authentication result fed back after verification by the authentication server determines whether the current terminal user is a legitimate user. Security risks are thereby avoided, and the security level of the services that IoT-related applications provide to users is raised.
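The two flows of application examples one (OMA) and two (OTA) and the code generation described under advantage (3), as an added Python simulation that is not part of the patent or of any ZTE implementation. The HMAC-based code over ICCID plus sequence number plus challenge, the HMAC-counter-mode protection of the OTA SMS, the sequence-number replay guards on both sides and the placeholder ICCID are all assumptions, since the patent fixes no algorithm or message format.

```python
import hashlib
import hmac
import json
import secrets

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for the operator's OTA cipher)."""
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def ota_protect(key, plaintext):
    """Session-key protection of an OTA SMS, encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(8)
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def ota_unprotect(key, sms):
    """Check the tag before decrypting, so a tampered or foreign SMS is rejected."""
    body, tag = sms[:-32], sms[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("OTA SMS failed integrity check")
    nonce, ct = body[:8], body[8:]
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

def auth_code(key, iccid, seq, challenge):
    """Preset authentication logic (assumed): keyed hash over static card info + dynamic data."""
    msg = iccid.encode() + seq.to_bytes(4, "big") + challenge
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class CardAuthApplet:
    """First application on the user identification card: ICCID plus the synced session key."""
    def __init__(self, iccid, session_key):
        self.iccid, self.session_key, self.last_seq = iccid, session_key, 0

    def handle_request(self, request):
        """Steps 203/303: parse the request, then run the agreed method to get the code."""
        seq, challenge = int(request["seq"]), bytes.fromhex(request["challenge"])
        if seq <= self.last_seq:  # card-side guard against a replayed request (assumption)
            raise ValueError("replayed or stale authentication request")
        self.last_seq = seq
        return {"iccid": self.iccid, "seq": seq,
                "code": auth_code(self.session_key, self.iccid, seq, challenge)}

    def handle_ota_sms(self, sms):
        """Step 302: the request arrives as an OTA SMS protected under the session key."""
        return self.handle_request(json.loads(ota_unprotect(self.session_key, sms)))

class AuthServer:
    """Issues authentication request info and verifies codes; each request is single-use."""
    def __init__(self):
        self.cards, self.pending, self.seq = {}, {}, 0  # cards: iccid -> synced session key

    def new_request(self):
        """Authentication request info: fresh sequence number plus a random challenge."""
        self.seq += 1
        self.pending[self.seq] = secrets.token_hex(16)
        return {"seq": self.seq, "challenge": self.pending[self.seq]}

    def send_ota_sms(self, iccid):
        return ota_protect(self.cards[iccid], json.dumps(self.new_request()).encode())

    def verify(self, response):
        """Steps 205/305: recompute the code for a pending request; a replayed response fails."""
        challenge, key = self.pending.pop(response["seq"], None), self.cards.get(response["iccid"])
        if challenge is None or key is None:
            return False
        expected = auth_code(key, response["iccid"], response["seq"], bytes.fromhex(challenge))
        return hmac.compare_digest(expected, response["code"])

def provision():
    """Constructed card/server pair sharing one session key; the ICCID is a placeholder."""
    key = secrets.token_bytes(32)
    card, server = CardAuthApplet("89860000000000000000", key), AuthServer()
    server.cards[card.iccid] = key  # session key synchronisation at provisioning
    return server, card

def run_oma_flow(server, card):
    """Application example one: platform-issued request info goes terminal -> card over OMA."""
    return server.verify(card.handle_request(server.new_request()))  # steps 201-206

def run_ota_flow(server, card):
    """Application example two: the server pushes the request to the card as an OTA SMS."""
    return server.verify(card.handle_ota_sms(server.send_ota_sms(card.iccid)))  # steps 301-306
```

The server keeps each sequence number pending until one response consumes it, and the card refuses a sequence number it has already answered, so a captured code cannot be presented a second time on either side.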

Claims (24)

  1. A smart card-based online authentication method, the method comprising:
    running a first application located in a user identification authentication card;
    receiving, through a first channel, authentication request information transmitted by a current terminal user directly to the user identification authentication card, or receiving authentication request information transmitted by the current terminal user to the user identification authentication card via forwarding by an authentication server;
    generating, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
    sending the authentication code to the authentication server through the first channel for verification;
    receiving, through the first channel, the authentication result fed back by the authentication server after verification, so as to decide whether the current terminal user is a legitimate user.
  2. The method according to claim 1, wherein, when the first channel is an OMA channel, the authentication request information transmitted by the current terminal user directly to the user identification authentication card is received.
  3. The method according to claim 1, wherein, when the first channel is an OTA channel, the authentication request information transmitted by the current terminal user to the user identification authentication card via forwarding by the authentication server is received.
  4. The method according to claim 2 or 3, wherein generating, by the first application, the authentication code according to the authentication request information comprises:
    parsing the authentication request information to obtain information to be authenticated;
    extracting preset authentication logic, and generating the authentication code according to the information to be authenticated and the authentication logic.
  5. A smart card-based online authentication method, the method comprising:
    running a first application located in a user identification authentication card;
    a current terminal user initiating an authentication request and transmitting the authentication request information directly, through a first channel, to the first application in the user identification authentication card;
    generating, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
    sending the authentication code to an authentication server through the first channel for verification;
    after the authentication server verifies, feeding back an authentication result through the first channel, the authentication result being used to indicate whether the current terminal user is a legitimate user.
  6. The method according to claim 5, wherein the first channel is an OMA channel.
  7. The method according to claim 5 or 6, wherein the method further comprises:
    after the current terminal user initiates the authentication request, an application management platform receiving the authentication request, generating related authentication request information including an authentication request sequence number, and returning it to the current terminal user.
  8. The method according to claim 7, wherein feeding back the authentication result through the first channel after the authentication server verifies comprises:
    the authentication server feeding back the authentication result to the application management platform through the OMA channel, and the application management platform forwarding it to the current terminal user.
  9. A smart card-based online authentication method, the method comprising:
    running a first application located in a user identification authentication card;
    a current terminal user initiating an authentication request and transmitting the authentication request information, through a first channel and via forwarding by an authentication server, to the first application in the user identification authentication card;
    generating, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
    sending the authentication code to the authentication server through the first channel for verification;
    after the authentication server verifies, feeding back an authentication result through the first channel, the authentication result being used to indicate whether the current terminal user is a legitimate user.
  10. The method according to claim 9, wherein the first channel is an OTA channel.
  11. The method according to claim 9 or 10, wherein the method further comprises:
    after the current terminal user initiates the authentication request, an application management platform receiving the authentication request, generating related authentication request information including an authentication request sequence number, and returning it to the current terminal user.
  12. The method according to claim 11, wherein feeding back the authentication result through the first channel after the authentication server verifies comprises:
    the authentication server feeding back the authentication result to the application management platform through the OTA channel, and the application management platform forwarding it to the current terminal user.
  13. A smart card, the smart card comprising a first application, and the smart card comprising:
    a running unit, configured to run the first application located in a user identification authentication card;
    a first receiving unit, configured to receive, through a first channel, authentication request information transmitted by a current terminal user directly to the user identification authentication card, or to receive authentication request information transmitted by the current terminal user to the user identification authentication card via forwarding by an authentication server;
    an authentication code generating unit, configured to generate, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
    a sending unit, configured to send the authentication code to the authentication server through the first channel for verification;
    a second receiving unit, configured to receive, through the first channel, the authentication result fed back by the authentication server after verification, so as to decide whether the current terminal user is a legitimate user.
  14. The smart card according to claim 13, wherein the first receiving unit is further configured to, when the first channel is an OMA channel, receive the authentication request information transmitted by the current terminal user directly to the user identification authentication card.
  15. The smart card according to claim 13, wherein the first receiving unit is further configured to, when the first channel is an OTA channel, receive the authentication request information transmitted by the current terminal user to the user identification authentication card via forwarding by the authentication server.
  16. The smart card according to claim 13 or 14, wherein the authentication code generating unit is further configured to parse the authentication request information to obtain information to be authenticated, extract preset authentication logic, and generate the authentication code according to the information to be authenticated and the authentication logic.
  17. An authentication system, the system comprising:
    a running unit, configured to run a first application located in a user identification authentication card;
    a transmission unit, configured to, when a current terminal user initiates an authentication request, transmit the authentication request information directly through a first channel to the first application in the user identification authentication card;
    an authentication code generating unit, configured to generate, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
    a sending unit, configured to send the authentication code to an authentication server through the first channel for verification;
    a feedback unit, configured to feed back an authentication result through the first channel after the authentication server verifies, the authentication result being used to indicate whether the current terminal user is a legitimate user.
  18. The system according to claim 17, wherein the first channel is an OMA channel.
  19. The system according to claim 17 or 18, wherein the system further comprises an interaction unit, configured so that after the current terminal user initiates the authentication request, an application management platform receives the authentication request, generates related authentication request information including an authentication request sequence number, and returns it to the current terminal user.
  20. The system according to claim 19, wherein the feedback unit is further configured so that the authentication server feeds back the authentication result to the application management platform through the OMA channel, and the application management platform forwards it to the current terminal user.
  21. An authentication system, the system comprising:
    a running unit, configured to run a first application located in a user identification authentication card;
    a transmission unit, configured to, when a current terminal user initiates an authentication request, transmit the authentication request information through a first channel, via forwarding by an authentication server, to the first application in the user identification authentication card;
    an authentication code generating unit, configured to generate, by the first application, an authentication code according to the authentication request information, the authentication code being used to identify whether the current terminal user is a legitimate user;
    a sending unit, configured to send the authentication code to the authentication server through the first channel for verification;
    a feedback unit, configured to feed back an authentication result through the first channel after the authentication server verifies, the authentication result being used to indicate whether the current terminal user is a legitimate user.
  22. The system according to claim 21, wherein the first channel is an OTA channel.
  23. The system according to claim 21 or 22, wherein the system further comprises an interaction unit, configured so that after the current terminal user initiates the authentication request, an application management platform receives the authentication request, generates related authentication request information including an authentication request sequence number, and returns it to the current terminal user.
  24. The system according to claim 22, wherein the feedback unit is further configured so that the authentication server feeds back the authentication result to the application management platform through the OTA channel, and the application management platform forwards it to the current terminal user.
PCT/CN2015/090919 2015-08-03 2015-09-28 Online authentication method based on smart card, smart card and authentication server WO2016131272A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US15/749,269 US20180234412A1 (en) 2015-08-03 2015-09-28 Online authentication method based on smart card, smart card and authentication server
EP15882411.0A EP3334086A1 (en) 2015-08-03 2015-09-28 Online authentication method based on smart card, smart card and authentication server

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510482218.XA CN106411522A (zh) 2015-08-03 2015-08-03 Online authentication method based on smart card, smart card and authentication server
CN201510482218.X 2015-08-03

Publications (1)

Publication Number Publication Date
WO2016131272A1 true WO2016131272A1 (zh) 2016-08-25

Family

ID=56692154

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/090919 WO2016131272A1 (zh) 2015-08-03 2015-09-28 Online authentication method based on smart card, smart card and authentication server

Country Status (4)

Country Link
US (1) US20180234412A1 (zh)
EP (1) EP3334086A1 (zh)
CN (1) CN106411522A (zh)
WO (1) WO2016131272A1 (zh)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113162771A (zh) * 2021-04-25 2021-07-23 广州羊城通有限公司 Smart card application management method, device and system

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108600218B (zh) * 2018-04-23 2020-12-29 捷德(中国)科技有限公司 Remote authorization system and remote authorization method
EP3684004A1 (en) 2019-01-21 2020-07-22 Ngrave bvba Offline interception-free interaction with a cryptocurrency network using a network-disabled device
CN110049025A (zh) * 2019-04-02 2019-07-23 公安部第三研究所 Method for implementing secure remote-kill processing for smart chip cards

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101754213A (zh) * 2008-11-28 2010-06-23 爱思开电讯投资(中国)有限公司 Smart card, terminal device and authentication server for ensuring application security, and method thereof
CN103152318A (zh) * 2011-12-07 2013-06-12 中国移动通信集团天津有限公司 Identity authentication method, device and system
CN103281693A (zh) * 2013-05-10 2013-09-04 北京凯华网联技术有限公司 Wireless communication authentication method, network conversion device and terminal
CN103701762A (zh) * 2012-09-28 2014-04-02 中国银联股份有限公司 Secure information interaction system, device and method

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1767430B (zh) * 2004-10-27 2010-04-21 华为技术有限公司 Authentication method
CN1852094B (zh) * 2005-12-13 2010-09-29 华为技术有限公司 Method and system for protecting network service application accounts
US8547859B2 (en) * 2007-11-15 2013-10-01 Ubeeairwalk, Inc. System, method, and computer-readable medium for authentication center-initiated authentication procedures for a mobile station attached with an IP-femtocell system
CN101820613B (zh) * 2009-02-27 2014-03-19 中兴通讯股份有限公司 Application download system and method
CN101588573B (zh) * 2009-06-29 2011-11-30 方秀芹 Security verification method and system, mobile terminal and server
US8831014B2 (en) * 2009-09-26 2014-09-09 Cisco Technology, Inc. Providing services at a communication network edge
US9497632B2 (en) * 2009-10-01 2016-11-15 T-Mobile Usa, Inc. System and method for pairing a UICC card with a particular mobile communications device
EP2852118B1 (en) * 2013-09-23 2018-12-26 Deutsche Telekom AG Method for an enhanced authentication and/or an enhanced identification of a secure element located in a communication device, especially a user equipment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101754213A (zh) * 2008-11-28 2010-06-23 爱思开电讯投资(中国)有限公司 Smart card, terminal device and authentication server for ensuring application security, and method thereof
CN103152318A (zh) * 2011-12-07 2013-06-12 中国移动通信集团天津有限公司 Identity authentication method, device and system
CN103701762A (zh) * 2012-09-28 2014-04-02 中国银联股份有限公司 Secure information interaction system, device and method
CN103281693A (zh) * 2013-05-10 2013-09-04 北京凯华网联技术有限公司 Wireless communication authentication method, network conversion device and terminal

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113162771A (zh) * 2021-04-25 2021-07-23 广州羊城通有限公司 Smart card application management method, device and system
CN113162771B (zh) * 2021-04-25 2022-09-16 广州羊城通有限公司 Smart card application management method, device and system

Also Published As

Publication number Publication date
US20180234412A1 (en) 2018-08-16
CN106411522A (zh) 2017-02-15
EP3334086A4 (en) 2018-06-13
EP3334086A1 (en) 2018-06-13

Similar Documents

Publication Publication Date Title
US11509485B2 (en) Identity authentication method and system, and computing device
US11956230B2 (en) First factor contactless card authentication system and method
US11764966B2 (en) Systems and methods for single-step out-of-band authentication
JP2023089249A (ja) System and method for second-factor authentication of customer support calls
US20220394026A1 (en) Network identity protection method and device, and electronic equipment and storage medium
CN114679293A (zh) Access control method, device and storage medium based on zero-trust security
KR20210133985A (ko) System and method for endorsing a new authenticator
US9571164B1 (en) Remote authentication using near field communication tag
CA3035817A1 (en) System and method for decentralized authentication using a distributed transaction-based state machine
JP2019508972A (ja) System and method for service-assisted mobile pairing for passwordless computer login
US10798068B2 (en) Wireless information passing and authentication
KR20150036104A (ko) Method, client, server and system for login verification
CN112989426B (zh) Authorization authentication method and device, and method for obtaining a resource access token
US20170289159A1 (en) Security support for free wi-fi and sponsored connectivity for paid wi-fi
WO2016188335A1 (zh) Method, device and system for access control of user data
US20210241270A1 (en) System and method of blockchain transaction verification
WO2016131272A1 (zh) Online authentication method based on smart card, smart card and authentication server
CN113630412B (zh) Resource download method, resource download device, electronic device and storage medium
CN105577606B (zh) Method and device for implementing authenticator registration
CN117336092A (zh) Client login method and device, electronic device and storage medium
CN115549930B (zh) Verification method for logging in to an operating system
CN115550002B (zh) TEE-based smart home remote control method and related device
US11757868B1 (en) Access control for network services
US11818123B1 (en) Optimized access control system
EP4047871A1 (en) Advanced security control implementation of proxied cryptographic keys

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15882411

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 15749269

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2015882411

Country of ref document: EP