WO2017005163A1 - Wireless communication-based security authentication device - Google Patents


Info

Publication number
WO2017005163A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
wireless communication
user equipment
authentication
wireless
Application number
PCT/CN2016/088549
Other languages
French (fr)
Chinese (zh)
Inventor
万四爽
徐燕军
何朔
尹亚伟
刘国宝
Original Assignee
中国银联股份有限公司 (China UnionPay Co., Ltd.)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Definitions

  • the security authentication access request includes device fingerprint information, where the device fingerprint information is the device serial number, or the device MAC address, or operating system information of the device, or any combination of the above.
  • the access identity authentication operation comprises: (1) parsing the security authentication access request from the user equipment to extract the device fingerprint information it contains; (2) instructing the user to enter the user access password via the user equipment; (3) determining whether the user access password is correct; if it is, the access identity authentication operation succeeds and the device fingerprint information of the user equipment is then written into the whitelist to indicate that the user equipment has successfully performed the access identity authentication operation; otherwise the access identity authentication operation fails.
  • the main controller 1 performs a security authentication operation on a security information interaction request submitted by the user equipment (for example a payment request, which by way of example contains the transfer amount, the payee account, the account password and the like) in the following manner: encrypting the sensitive information in the security information interaction request using the key stored in the secure storage module 3, then signing the entire security information interaction request, and then returning the encrypted and signed request to the user equipment so that the user equipment can transmit it to the data processing server (for example a payment server).
  • the main controller 1 performs a security authentication operation on the signed processing result returned by the data processing server and relayed via the user equipment in the following manner: verifying, on the basis of a predetermined algorithm, whether the signature on the processing result is correct; if it is, returning to the user equipment a response indicating that the security information interaction succeeded, otherwise returning to the user equipment a response indicating that the security information interaction failed.
  • the user equipment is a mobile phone, or a computer, or a television.
  • the wireless communication-based security authentication device disclosed in the present invention further includes an indication module 4 for indicating the current state of the security authentication device, which includes three groups of indicator elements (for example LED lights): the first group indicates whether the security authentication device has joined the wireless network, the second group indicates whether the security authentication device is currently in data communication with user equipment, and the third group indicates whether the security authentication device is currently performing a security authentication operation.
  • the wireless communication-based security authentication device disclosed in the present invention has the following advantages: (1) convenient operation; (2) it provides not only user-side-to-server-side security protection but also server-side-to-user-side security protection.

Abstract

Provided in the present invention is a wireless communication-based security authentication device, the device comprising: a wireless communication module for establishing a wireless communication link with a wireless router; a main controller for performing data communication with a user equipment in a wireless network to which the wireless router belongs through the wireless communication link, and performing a security authentication operation related to a security information exchange process on the basis of basic security data; and a security storage module for storing the basic security data. The wireless communication-based security authentication device disclosed in the present invention is convenient to operate and capable of comprehensive security protection.

Description

Security authentication device based on wireless communication

Technical field

The present invention relates to security authentication devices, and more particularly to a security authentication device based on wireless communication.

Background

At present, as computer and network applications become ever more widespread and the variety of services in different fields keeps growing, security authentication devices and methods for security information interaction (that is, information interaction with high security requirements, such as transaction processing in the financial field) are becoming increasingly important.
In existing technical solutions, a U shield (for example a USB Key) or an OTP (dynamic password) device is usually used to implement the security authentication process for security information interaction.
However, the existing solutions have the following problems: (1) with a U shield, the device must be plugged into a computer before it can be used, so operation is inconvenient and the usage scenarios are limited; (2) with an OTP (dynamic password), the OTP device must be carried around in order to be used, so operation is likewise inconvenient and the usage scenarios are limited; (3) the existing solutions can only provide one-way security authentication (that is, security protection from the user side to the server side) and cannot provide security protection from the server side to the user side, so their security is low.
Therefore, there is a need for a security authentication device that is convenient to operate and has comprehensive security protection capability.
Summary of the invention

In order to solve the problems of the existing technical solutions described above, the present invention proposes a security authentication device that is convenient to operate and has comprehensive security protection capability.
The object of the invention is achieved by the following technical solution:
A security authentication device based on wireless communication, the device comprising:
a wireless communication module, configured to establish a wireless communication link with a wireless router;
a main controller, configured to perform data communication over that wireless communication link with user equipment in the wireless network to which the wireless router belongs, so as to perform, on the basis of basic security data, security authentication operations related to a security information interaction process;
a secure storage module, configured to store the basic security data.
In the solution disclosed above, preferably, the basic security data includes at least a security key.
In the solution disclosed above, preferably, the wireless communication module automatically performs a networking operation after the security authentication device has been started and initialized, the networking operation comprising: (1) determining whether this is the first time the device is connecting to a network; if so, proceeding to step (2), otherwise proceeding to step (3); (2) performing the automatic network listening and networking operation; (3) connecting directly to the network that the previous networking operation connected to, and proceeding to step (2) if that connection fails.
In the solution disclosed above, preferably, the automatic network listening and networking operation comprises: (1) starting a first listening program to listen for all network data packets from user equipment in the wireless network to which the wireless router belongs; (2) after such a network data packet has been received, parsing the configuration information of the wireless network to which the wireless router belongs out of the packet, then connecting to the wireless network on the basis of that configuration information and storing the configuration information in the secure storage module, where the configuration information includes a wireless network identifier and/or a wireless network password.
In the solution disclosed above, preferably, after connecting to the wireless network the main controller establishes a communication link with the user equipment in the following manner: (1) starting a second listening program to listen for a broadcast request from the user equipment for finding a security authentication device; (2) after the broadcast request has been received, returning a response message to the user equipment to establish an IP-based communication link with it, where the response message includes the IP address of the security authentication device.
In the solution disclosed above, preferably, after the communication link with the user equipment has been established the main controller processes a security authentication access request from the user equipment in the following manner: determining whether the user equipment has already been added to the whitelist; if it has, returning to the user equipment a response indicating that the security authentication access operation succeeded; if it has not, performing the access identity authentication operation and, once that operation has been performed successfully, returning a response indicating that the security authentication access operation succeeded, otherwise returning a response indicating that the security authentication access operation failed.
In the solution disclosed above, preferably, the security authentication access request includes device fingerprint information, the device fingerprint information being the device serial number, or the device MAC address, or operating system information of the device, or any combination of the above.
In the solution disclosed above, preferably, the access identity authentication operation comprises: (1) parsing the security authentication access request from the user equipment to extract the device fingerprint information it contains; (2) instructing the user to enter the user access password via the user equipment; (3) determining whether the user access password is correct; if it is, the access identity authentication operation succeeds and the device fingerprint information of the user equipment is then written into the whitelist to indicate that this user equipment has successfully performed the access identity authentication operation; otherwise the access identity authentication operation fails.
In the solution disclosed above, preferably, the main controller performs a security authentication operation on a security information interaction request submitted by the user equipment in the following manner: encrypting the sensitive information in the security information interaction request using the key stored in the secure storage module 3, then signing the entire security information interaction request, and then returning the encrypted and signed security information interaction request to the user equipment so that the user equipment can transmit it to the data processing server.
In the solution disclosed above, preferably, the main controller performs a security authentication operation on the signed processing result returned by the data processing server and relayed via the user equipment in the following manner: checking, on the basis of a predetermined algorithm, whether the signature on the processing result is correct; if it is, returning to the user equipment a response indicating that the security information interaction succeeded, otherwise returning to the user equipment a response indicating that the security information interaction failed.
In the solution disclosed above, preferably, the security authentication device further includes an indication module for indicating the current state of the security authentication device, which includes three groups of indicator elements: the first group indicates whether the security authentication device has joined the wireless network, the second group indicates whether the security authentication device is currently in data communication with user equipment, and the third group indicates whether the security authentication device is currently performing a security authentication operation.
The wireless communication-based security authentication device disclosed in the present invention has the following advantages: (1) it is convenient to operate; (2) it provides not only security protection from the user side to the server side but also security protection from the server side to the user side.
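The access flow of the three preferred features above (whitelist check, then access identity authentication steps (1) to (3)), as an added example in Go that is not part of the patent: the device keeps a whitelist keyed by a hash of the fingerprint fields and a salted hash of the user access password, prompts for the password on first contact, and writes the fingerprint to the whitelist only after the password verifies. The JSON field names, the hashing choices and the sample requests are assumptions, since the patent specifies no wire format; note that the whitelist only skips the password prompt for a device that has already passed it, so the password remains the actual authentication factor.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// AccessRequest is the security authentication access request the user
// equipment sends once the IP link exists. Field names are assumed; the
// patent only lists the fingerprint components and the access password.
type AccessRequest struct {
	SerialNumber string `json:"serial_number"`
	MACAddress   string `json:"mac_address"`
	OSInfo       string `json:"os_info"`
	Password     string `json:"access_password,omitempty"` // only in the second round
}

// AccessResponse is returned to the user equipment; "password_required"
// models step (2), the instruction to enter the access password.
type AccessResponse struct {
	Status  string `json:"status"` // "success", "failure" or "password_required"
	Message string `json:"message,omitempty"`
}

// Device models the part of the main controller that owns the whitelist
// and the user access password (both kept in the secure storage module).
type Device struct {
	whitelist    map[string]bool // fingerprint hash -> has passed access authentication
	passwordSalt []byte
	passwordHash []byte // SHA-256(salt || password); the clear password is never stored
}

func NewDevice(accessPassword string, salt []byte) *Device {
	return &Device{
		whitelist:    map[string]bool{},
		passwordSalt: salt,
		passwordHash: hashPassword(salt, accessPassword),
	}
}

func hashPassword(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

// Fingerprint derives the whitelist key from serial number, MAC address and
// OS information (any combination the text allows). Values are normalised so
// that a MAC reported in a different case still matches the stored entry.
func Fingerprint(r AccessRequest) string {
	parts := []string{
		strings.TrimSpace(r.SerialNumber),
		strings.ToLower(strings.TrimSpace(r.MACAddress)),
		strings.TrimSpace(r.OSInfo),
	}
	sum := sha256.Sum256([]byte(strings.Join(parts, "\x00")))
	return hex.EncodeToString(sum[:])
}

// HandleAccessRequest follows the text: a whitelisted device succeeds at once;
// any other device must pass access identity authentication, and its
// fingerprint is written to the whitelist only after the password checks out.
func (d *Device) HandleAccessRequest(raw []byte) AccessResponse {
	var req AccessRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return AccessResponse{Status: "failure", Message: "malformed request"}
	}
	// Step (1): extract the fingerprint; refuse requests that carry none.
	if req.SerialNumber == "" && req.MACAddress == "" && req.OSInfo == "" {
		return AccessResponse{Status: "failure", Message: "no device fingerprint"}
	}
	fp := Fingerprint(req)
	if d.whitelist[fp] {
		return AccessResponse{Status: "success"}
	}
	// Step (2): the user must enter the access password on the user equipment.
	if req.Password == "" {
		return AccessResponse{Status: "password_required"}
	}
	// Step (3): compare salted hashes in constant time; whitelist only on success.
	got := hashPassword(d.passwordSalt, req.Password)
	if subtle.ConstantTimeCompare(got, d.passwordHash) != 1 {
		return AccessResponse{Status: "failure", Message: "access password incorrect"}
	}
	d.whitelist[fp] = true
	return AccessResponse{Status: "success"}
}

func main() {
	dev := NewDevice("correct-horse", []byte("constructed-salt")) // constructed values
	// Constructed sample exchange: first contact, the password round, then a repeat visit.
	first := []byte(`{"serial_number":"SN-0001","mac_address":"AA:BB:CC:DD:EE:FF","os_info":"Android 6.0"}`)
	fmt.Printf("%+v\n", dev.HandleAccessRequest(first))
	second := []byte(`{"serial_number":"SN-0001","mac_address":"AA:BB:CC:DD:EE:FF","os_info":"Android 6.0","access_password":"correct-horse"}`)
	fmt.Printf("%+v\n", dev.HandleAccessRequest(second))
	fmt.Printf("%+v\n", dev.HandleAccessRequest(first)) // whitelisted now: success without a password
}
```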
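The encrypt-then-sign step and the verification of the server's signed result described in the two preferred features above (and the payment-request example in the Definitions section), as an added example in Go that is not from the patent. It assumes AES-256-GCM for the sensitive fields, HMAC-SHA256 for both signatures with a MAC key shared between the device and the payment server, and a JSON message layout; the patent names neither the algorithms nor the format, and the server side here is a stand-in so the round trip runs offline. The device-side check goes one step beyond the text by also requiring that the result answers the request this device signed, so a stale result relayed by the user equipment is rejected as well as a forged one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Keys are the basic security data in the secure storage module 3. Assumed algorithms
// (the patent names none): AES-256-GCM for sensitive fields, HMAC-SHA256 for signatures.
type Keys struct {
	EncKey []byte // 32 bytes
	MacKey []byte // shared with the payment server
}

// SealedRequest goes back to the user equipment, which forwards it unchanged to the
// server. The amount stays in clear but is GCM associated data and is covered by the signature.
type SealedRequest struct {
	Amount     string `json:"amount"`
	Nonce      string `json:"nonce"`
	Ciphertext string `json:"ciphertext"` // payee account and account password
	Signature  string `json:"signature"`
}

// ProcessingResult is the server's signed reply, relayed via the user equipment.
type ProcessingResult struct {
	RequestSig string `json:"request_sig"` // signature of the request being answered
	Outcome    string `json:"outcome"`
	Signature  string `json:"signature"`
}

// sign computes HMAC-SHA256 over length-prefixed parts (unambiguous concatenation).
func sign(macKey []byte, parts ...string) string {
	m := hmac.New(sha256.New, macKey)
	for _, p := range parts {
		fmt.Fprintf(m, "%d:%s;", len(p), p)
	}
	return hex.EncodeToString(m.Sum(nil))
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a provisioning error, not a runtime one
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// SealRequest encrypts the sensitive fields, then signs the whole request.
func SealRequest(k Keys, amount, payeeAccount, accountPassword string) (SealedRequest, error) {
	gcm := mustGCM(k.EncKey)
	nonce := make([]byte, gcm.NonceSize()) // fresh per message; GCM must never reuse one
	if _, err := rand.Read(nonce); err != nil {
		return SealedRequest{}, err
	}
	plain, _ := json.Marshal(map[string]string{"payee_account": payeeAccount, "account_password": accountPassword})
	ct := gcm.Seal(nil, nonce, plain, []byte(amount))
	out := SealedRequest{Amount: amount, Nonce: hex.EncodeToString(nonce), Ciphertext: hex.EncodeToString(ct)}
	out.Signature = sign(k.MacKey, out.Amount, out.Nonce, out.Ciphertext)
	return out, nil
}

// ServerProcess stands in for the payment server: verify, decrypt, sign the outcome.
func ServerProcess(k Keys, sr SealedRequest) (ProcessingResult, error) {
	if !hmac.Equal([]byte(sign(k.MacKey, sr.Amount, sr.Nonce, sr.Ciphertext)), []byte(sr.Signature)) {
		return ProcessingResult{}, errors.New("request signature check failed")
	}
	nonce, _ := hex.DecodeString(sr.Nonce)
	ct, _ := hex.DecodeString(sr.Ciphertext)
	if _, err := mustGCM(k.EncKey).Open(nil, nonce, ct, []byte(sr.Amount)); err != nil {
		return ProcessingResult{}, err // ciphertext or amount altered in transit
	}
	res := ProcessingResult{RequestSig: sr.Signature, Outcome: "approved"}
	res.Signature = sign(k.MacKey, res.RequestSig, res.Outcome)
	return res, nil
}

// VerifyResult is the device-side check: the signature must verify and the result
// must answer the request this device signed (a stale or replayed result fails).
func VerifyResult(k Keys, sent SealedRequest, res ProcessingResult) error {
	if !hmac.Equal([]byte(res.RequestSig), []byte(sent.Signature)) {
		return errors.New("result does not answer the signed request")
	}
	if !hmac.Equal([]byte(sign(k.MacKey, res.RequestSig, res.Outcome)), []byte(res.Signature)) {
		return errors.New("result signature check failed")
	}
	return nil
}

func main() {
	k := Keys{EncKey: make([]byte, 32), MacKey: []byte("constructed-mac-key")} // constructed demo keys
	sr, _ := SealRequest(k, "100.00", "6222000000000001", "123456")
	res, err := ServerProcess(k, sr)
	fmt.Println(res.Outcome, err, VerifyResult(k, sr, res))
}
```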
Brief description of the drawings

The technical features and advantages of the present invention will be better understood by those skilled in the art with reference to the accompanying drawings, in which:
FIG. 1 is a schematic structural diagram of a wireless communication-based security authentication device according to an embodiment of the present invention.

Detailed description

图1是根据本发明的实施例的基于无线通信的安全认证装置的示意性结构图。如图1所示,本发明所公开的基于无线通信的安全认证装置包括主控制器1、无线通讯模块2以及安全存储模块3。所述无线通讯模块2用于与无线路由器建立无线通信链路。所述主控制器1用于通过该无线通信链路与所述无线路由器所属的无线网络中的用户设备进行数据通信以基于基础安全数据执行与安全性信息交互过程相关的安全认证操作。所述安全存储模块3用于存储所述基础安全数据。1 is a schematic structural diagram of a wireless communication-based secure authentication apparatus according to an embodiment of the present invention. As shown in FIG. 1, the wireless communication-based security authentication apparatus disclosed by the present invention includes a main controller 1, a wireless communication module 2, and a secure storage module 3. The wireless communication module 2 is configured to establish a wireless communication link with a wireless router. The main controller 1 is configured to perform data communication with a user equipment in a wireless network to which the wireless router belongs through the wireless communication link to perform a security authentication operation related to a security information interaction process based on the basic security data. The secure storage module 3 is configured to store the basic security data.
Preferably, in the wireless communication-based security authentication device disclosed by the present invention, the basic security data includes at least a security key.
Preferably, in the wireless communication-based security authentication device disclosed by the present invention, the wireless communication module 2 can automatically perform a networking operation after the security authentication device has been started and initialized, the networking operation comprising: (1) determining whether this is the first time the device is connecting to a network, and if it is, proceeding to step (2), otherwise proceeding to step (3); (2) performing the automatic network listening and connection operation; (3) connecting directly to the network that the previous networking operation connected to, and if that connection fails, proceeding to step (2).
Preferably, in the wireless communication-based security authentication device disclosed by the present invention, the automatic network listening and connection operation comprises: (1) starting a first listener program to listen for all network data packets (for example, UDP packets) sent by user equipment in the wireless network to which the wireless router belongs; (2) after listening for and receiving such a network data packet, parsing from it the configuration information of the wireless network to which the wireless router belongs, then connecting to the wireless network based on that configuration information and storing the configuration information in the secure storage module 3, where the configuration information includes a wireless network identifier and/or a wireless network password.
Preferably, in the wireless communication-based security authentication device disclosed by the present invention, after connecting to the wireless network, the main controller 1 establishes a communication link with the user equipment as follows: (1) starting a second listener program to listen for a broadcast request from the user equipment that is looking for a security authentication device; (2) after listening for and receiving the broadcast request, returning a response message to the user equipment so as to establish an IP-protocol-based communication link with the user equipment, where the response message includes the IP address of the security authentication device.
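The networking and discovery procedure of the preceding three paragraphs (first-time listening for a configuration packet, direct reconnection on later boots with fallback to listening, and answering the user equipment's discovery broadcast with the device IP) is shown below as an added example; it is not code from the patent or from its applicant. The JSON packet formats, the class names `SecureStorage` and `WirelessModule`, and the use of loopback UDP sockets to stand in for the Wi-Fi network are all assumptions, since the text fixes no wire format.

```python
import json
import socket
import threading

# Hypothetical message formats (assumption): the text names UDP packets, a broadcast
# "find device" request and a reply carrying the device IP, but defines no wire format.


class SecureStorage:
    """Stand-in for secure storage module 3: keeps the last network configuration."""
    def __init__(self):
        self.network_config = None


class WirelessModule:
    """Stand-in for wireless communication module 2; networks are simulated by name."""
    def __init__(self, reachable_networks):
        self.reachable = reachable_networks   # {ssid: password} of networks that accept us
        self.connected_ssid = None

    def connect(self, config) -> bool:
        ok = self.reachable.get(config.get("ssid")) == config.get("password")
        self.connected_ssid = config["ssid"] if ok else None
        return ok


def listen_for_config(sock: socket.socket) -> dict:
    """First listener (step 2 of the networking operation): receive one UDP packet from
    user equipment and parse the wireless network configuration it carries."""
    data, _ = sock.recvfrom(4096)
    packet = json.loads(data)
    if packet.get("type") != "wifi_config" or "ssid" not in packet:
        raise ValueError("not a configuration packet")
    return {"ssid": packet["ssid"], "password": packet.get("password", "")}


def networking_operation(wireless, storage, sock) -> str:
    """Steps (1)-(3): reconnect to the stored network when one exists; otherwise, or when
    that reconnection fails, fall back to listening. Returns the connected SSID."""
    if storage.network_config is not None and wireless.connect(storage.network_config):
        return wireless.connected_ssid
    config = listen_for_config(sock)
    if not wireless.connect(config):
        raise ConnectionError("could not join the network from the received configuration")
    storage.network_config = config   # stored only after a successful join
    return wireless.connected_ssid


def answer_discovery(sock: socket.socket, device_ip: str) -> None:
    """Second listener: reply to a 'find security authentication device' broadcast with
    the device's IP address so the user equipment can open an IP link to it."""
    data, peer = sock.recvfrom(4096)
    if json.loads(data).get("type") == "find_auth_device":
        sock.sendto(json.dumps({"type": "auth_device_here", "ip": device_ip}).encode(), peer)


def run_scenario() -> dict:
    """Loopback simulation with constructed data: provisioning, discovery, then a reboot."""
    storage = SecureStorage()
    wireless = WirelessModule({"HomeAP": "pw-constructed"})
    dev = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    dev.bind(("127.0.0.1", 0))
    dev.settimeout(5)
    ue = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    ue.settimeout(5)
    out = {}

    # Boot 1: nothing stored, so the device listens; the user equipment sends the config packet.
    t = threading.Thread(target=lambda: out.__setitem__("boot1", networking_operation(wireless, storage, dev)))
    t.start()
    ue.sendto(json.dumps({"type": "wifi_config", "ssid": "HomeAP", "password": "pw-constructed"}).encode(),
              dev.getsockname())
    t.join()

    # Discovery: the user equipment broadcasts, the device answers with its IP address.
    t = threading.Thread(target=answer_discovery, args=(dev, dev.getsockname()[0]))
    t.start()
    ue.sendto(json.dumps({"type": "find_auth_device"}).encode(), dev.getsockname())
    reply, _ = ue.recvfrom(4096)
    t.join()
    out["discovered_ip"] = json.loads(reply)["ip"]

    # Boot 2: a configuration is stored, so the device reconnects directly (step 3), no packet needed.
    out["boot2"] = networking_operation(wireless, storage, dev)
    dev.close()
    ue.close()
    return out
```

The configuration packet carries the network identifier and password, so the example listens for it only when no stored configuration exists or reconnection has failed, which is what steps (1) to (3) of the text prescribe; the received configuration is written to storage only after the join succeeds.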
Preferably, in the wireless communication-based security authentication device disclosed by the present invention, after establishing the communication link with the user equipment, the main controller 1 processes a security authentication access request from the user equipment as follows: determining whether the user equipment has already been added to the whitelist (that is, whether it is user equipment that has previously performed the access identity authentication operation successfully); if it is whitelisted, returning to the user equipment a response indicating that the security authentication access operation succeeded; if it is not whitelisted, performing the access identity authentication operation and, once that operation has been performed successfully, returning a response indicating that the security authentication access operation succeeded, otherwise returning a response indicating that the security authentication access operation failed.
Preferably, in the wireless communication-based security authentication device disclosed by the present invention, the security authentication access request includes device fingerprint information, the device fingerprint information being a device serial number, a device MAC address, the operating system information of the device, or any combination of the above.
Preferably, in the wireless communication-based security authentication device disclosed by the present invention, the access identity authentication operation comprises: (1) parsing the security authentication access request from the user equipment to extract the device fingerprint information it contains; (2) prompting the user to enter a user access password via the user equipment; (3) determining whether the user access password is correct, and if it is, the access identity authentication operation succeeds and the device fingerprint information of the user equipment is then written to the whitelist to indicate that the user equipment has successfully performed the access identity authentication operation; otherwise, the access identity authentication operation fails.
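The whitelist handling and the three-step access identity authentication operation described in the preceding three paragraphs, as an added example rather than code from the patent or its applicant. The request format, the class `SecureAuthDevice`, the way the fingerprint is derived from the serial number, MAC address and OS information, and the use of a salted PBKDF2 digest for the stored user access password are assumptions; the text specifies none of them.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Hypothetical names and formats (assumption): the text describes the whitelist logic and
# the three fingerprint sources, but no message format or field names.
ACCESS_OK = {"status": "ok", "detail": "security authentication access succeeded"}
ACCESS_FAIL = {"status": "fail", "detail": "security authentication access failed"}
PBKDF2_ROUNDS = 100_000


def device_fingerprint(serial: str = "", mac: str = "", os_info: str = "") -> str:
    """Fingerprint from any combination of serial number, MAC address and OS information.
    Empty components are skipped; each component is labelled so that the same value in a
    different field gives a different fingerprint; the whitelist stores a digest only."""
    labelled = [(name, value) for name, value in (("serial", serial), ("mac", mac), ("os", os_info)) if value]
    if not labelled:
        raise ValueError("at least one fingerprint component is required")
    material = "|".join(f"{name}={value.strip().lower()}" for name, value in labelled)
    return hashlib.sha256(material.encode()).hexdigest()


@dataclass
class SecureAuthDevice:
    """Main-controller logic of one security authentication device (stand-in)."""
    salt: bytes
    password_digest: bytes            # salted PBKDF2 digest of the user access password
    whitelist: set = field(default_factory=set)

    @classmethod
    def provision(cls, user_access_password: str, salt: bytes = b"constructed-salt"):
        digest = hashlib.pbkdf2_hmac("sha256", user_access_password.encode(), salt, PBKDF2_ROUNDS)
        return cls(salt=salt, password_digest=digest)

    def _password_ok(self, attempt: str) -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, self.password_digest)

    def handle_access_request(self, raw_request: bytes, ask_user_password) -> dict:
        """Whitelisted fingerprint: succeed without a prompt. Otherwise run the access
        identity authentication operation, steps (1) to (3) of the text."""
        # (1) parse the request and extract the device fingerprint information
        request = json.loads(raw_request)
        fp = device_fingerprint(request.get("serial", ""), request.get("mac", ""), request.get("os", ""))
        if fp in self.whitelist:
            return ACCESS_OK
        # (2) prompt the user for the user access password via the user equipment
        attempt = ask_user_password()
        # (3) check it; only a correct password adds the fingerprint to the whitelist
        if self._password_ok(attempt):
            self.whitelist.add(fp)
            return ACCESS_OK
        return ACCESS_FAIL


def demo():
    """Constructed walk-through: wrong password, correct password, then a whitelisted repeat.
    Returns the three access statuses and how many times the user was prompted."""
    device = SecureAuthDevice.provision("correct horse")
    phone = json.dumps({"serial": "SN-0001", "mac": "AA:BB:CC:DD:EE:FF", "os": "Android 5.1"}).encode()
    prompts = []

    def answer(pw):
        def ask():
            prompts.append(pw)
            return pw
        return ask

    statuses = [
        device.handle_access_request(phone, answer("wrong"))["status"],
        device.handle_access_request(phone, answer("correct horse"))["status"],
        device.handle_access_request(phone, answer("wrong"))["status"],  # whitelisted: no prompt
    ]
    return statuses, len(prompts)
```

The third request in `demo` succeeds without a password prompt because the fingerprint was whitelisted by the second one, which is the behaviour the text describes; the whitelist therefore only ever grows through a correct user access password.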
Preferably, in the wireless communication-based security authentication device disclosed by the present invention, the main controller 1 performs the security authentication operation for a security information interaction request submitted by the user equipment (for example, a payment request, which illustratively includes the transfer amount, the paying account, the account password, and so on) as follows: encrypting the sensitive information in the security information interaction request based on the key stored in the secure storage module 3, then signing the entire security information interaction request, and then returning the encrypted and signed security information interaction request to the user equipment so that the user equipment can forward the encrypted and signed security information interaction request to the data processing server (for example, a payment server).
Preferably, in the wireless communication-based security authentication device disclosed by the present invention, the main controller 1 performs the security authentication operation for the signed processing result that the data processing server returns and the user equipment forwards as follows: verifying, based on a predetermined algorithm, whether the signature of the processing result is correct, and if it is, returning to the user equipment a response indicating that the security information interaction succeeded, otherwise returning to the user equipment a response indicating that the security information interaction failed.
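The two directions of protection described in the preceding two paragraphs (device encrypts the sensitive fields and signs the whole request; device verifies the server's signature on the processing result), as an added example that is not code from the patent or its applicant. The text names a key in secure storage and a "predetermined algorithm" without fixing either, so the following are assumptions: separate encryption and signing subkeys derived from one base security key shared with the server, HMAC-SHA256 as the signature algorithm, and a CTR-mode stream built from HMAC-SHA256 as a standard-library stand-in for a block cipher such as AES; the field names and the data are constructed.

```python
import hashlib
import hmac
import json
import os

# Assumptions: one base security key shared by device and server; HMAC-SHA256 subkeys with
# domain separation; HMAC-SHA256 as the "predetermined" signature algorithm; CTR-mode
# encryption using HMAC-SHA256 as the PRF (stdlib-only stand-in for AES-CTR).
SENSITIVE_FIELDS = ("from_account", "account_password")


def derive_key(base_key: bytes, purpose: bytes) -> bytes:
    # Domain-separated subkeys so the same key is never used for both encryption and signing.
    return hmac.new(base_key, b"auth-device-" + purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(16)   # fresh nonce per message; reuse would leak the XOR of plaintexts
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return {"nonce": nonce.hex(), "ct": ct.hex()}


def decrypt(key: bytes, blob: dict) -> bytes:
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def canonical(message: dict) -> bytes:
    # Deterministic serialization so both sides sign exactly the same bytes.
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def sign(sign_key: bytes, message: dict) -> str:
    return hmac.new(sign_key, canonical(message), hashlib.sha256).hexdigest()


def verify(sign_key: bytes, message: dict, signature: str) -> bool:
    return hmac.compare_digest(sign(sign_key, message), signature)


def device_protect_request(base_key: bytes, request: dict) -> dict:
    """Device side: encrypt the sensitive fields, then sign the entire request."""
    enc_key, sign_key = derive_key(base_key, b"enc"), derive_key(base_key, b"sign")
    body = {k: v for k, v in request.items() if k not in SENSITIVE_FIELDS}
    sensitive = {k: request[k] for k in SENSITIVE_FIELDS if k in request}
    body["sensitive"] = encrypt(enc_key, canonical(sensitive))
    return {"body": body, "sig": sign(sign_key, body)}


def server_process(base_key: bytes, envelope: dict) -> dict:
    """Server side: check the request signature before decrypting, then sign the result."""
    enc_key, sign_key = derive_key(base_key, b"enc"), derive_key(base_key, b"sign")
    if not verify(sign_key, envelope["body"], envelope["sig"]):
        result = {"status": "rejected", "reason": "bad request signature"}
    else:
        sensitive = json.loads(decrypt(enc_key, envelope["body"]["sensitive"]))
        result = {"status": "accepted", "amount": envelope["body"]["amount"],
                  "from": sensitive["from_account"]}
    return {"body": result, "sig": sign(sign_key, result)}


def device_check_result(base_key: bytes, signed_result: dict) -> str:
    """Device side: the server-to-user direction, verifying the signature on the result."""
    sign_key = derive_key(base_key, b"sign")
    ok = verify(sign_key, signed_result["body"], signed_result["sig"])
    return "interaction succeeded" if ok else "interaction failed"
```

Both sides verify before acting on a message, so a request whose cleartext amount was changed in transit is rejected by the server, and a processing result altered between the server and the device is reported to the user equipment as a failed interaction, which is the server-side-to-user-side protection the text claims.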
Preferably, in the wireless communication-based security authentication device disclosed by the present invention, the user equipment is a mobile phone, a computer, or a television.
Preferably, the wireless communication-based security authentication device disclosed by the present invention further includes an indication module 4 for indicating the current state of the security authentication device, the indication module including three groups of indicating elements (for example, LEDs): the first group indicates whether the security authentication device has joined the wireless network, the second group indicates whether the security authentication device is in data communication with user equipment, and the third group indicates whether the security authentication device is performing a security authentication operation.
As can be seen from the above, the wireless communication-based security authentication device disclosed by the present invention has the following advantages: (1) it is convenient to operate; (2) it provides not only security protection from the user side to the server side but also security protection from the server side to the user side.
Although the present invention has been described by way of the preferred embodiments above, its implementation forms are not limited to those embodiments. It should be recognized that those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope.

Claims (11)

  1. A wireless communication-based security authentication device, the wireless communication-based security authentication device comprising:
    a wireless communication module for establishing a wireless communication link with a wireless router;
    a main controller for performing data communication, over the wireless communication link, with user equipment in the wireless network to which the wireless router belongs, so as to perform security authentication operations related to a security information interaction process based on basic security data;
    a secure storage module for storing the basic security data.
  2. The wireless communication-based security authentication device according to claim 1, characterized in that the basic security data includes at least a security key.
  3. The wireless communication-based security authentication device according to claim 2, characterized in that the wireless communication module can automatically perform a networking operation after the security authentication device has been started and initialized, the networking operation comprising: (1) determining whether this is the first time the device is connecting to a network, and if it is, proceeding to step (2), otherwise proceeding to step (3); (2) performing the automatic network listening and connection operation; (3) connecting directly to the network that the previous networking operation connected to, and if that connection fails, proceeding to step (2).
  4. The wireless communication-based security authentication device according to claim 3, characterized in that the automatic network listening and connection operation comprises: (1) starting a first listener program to listen for all network data packets sent by user equipment in the wireless network to which the wireless router belongs; (2) after listening for and receiving such a network data packet, parsing from it the configuration information of the wireless network to which the wireless router belongs, then connecting to the wireless network based on that configuration information and storing the configuration information in the secure storage module, where the configuration information includes a wireless network identifier and/or a wireless network password.
  5. The wireless communication-based security authentication device according to claim 4, characterized in that, after connecting to the wireless network, the main controller establishes a communication link with the user equipment as follows: (1) starting a second listener program to listen for a broadcast request from the user equipment that is looking for a security authentication device; (2) after listening for and receiving the broadcast request, returning a response message to the user equipment so as to establish an IP-protocol-based communication link with the user equipment, where the response message includes the IP address of the security authentication device.
  6. The wireless communication-based security authentication device according to claim 5, characterized in that, after establishing the communication link with the user equipment, the main controller processes a security authentication access request from the user equipment as follows: determining whether the user equipment has already been added to the whitelist; if it is whitelisted, returning to the user equipment a response indicating that the security authentication access operation succeeded; if it is not whitelisted, performing the access identity authentication operation and, once that operation has been performed successfully, returning a response indicating that the security authentication access operation succeeded, otherwise returning a response indicating that the security authentication access operation failed.
  7. The wireless communication-based security authentication device according to claim 6, characterized in that the security authentication access request includes device fingerprint information, the device fingerprint information being a device serial number, a device MAC address, the operating system information of the device, or any combination of the above.
  8. The wireless communication-based security authentication device according to claim 7, characterized in that the access identity authentication operation comprises: (1) parsing the security authentication access request from the user equipment to extract the device fingerprint information it contains; (2) prompting the user to enter a user access password via the user equipment; (3) determining whether the user access password is correct, and if it is, the access identity authentication operation succeeds and the device fingerprint information of the user equipment is then written to the whitelist to indicate that the user equipment has successfully performed the access identity authentication operation; otherwise, the access identity authentication operation fails.
  9. The wireless communication-based security authentication device according to claim 8, characterized in that the main controller performs the security authentication operation for a security information interaction request submitted by the user equipment as follows: encrypting the sensitive information in the security information interaction request based on the key stored in the secure storage module 3, then signing the entire security information interaction request, and then returning the encrypted and signed security information interaction request to the user equipment so that the user equipment can forward the encrypted and signed security information interaction request to the data processing server.
  10. The wireless communication-based security authentication device according to claim 9, characterized in that the main controller performs the security authentication operation for the signed processing result that the data processing server returns and the user equipment forwards as follows: verifying, based on a predetermined algorithm, whether the signature of the processing result is correct, and if it is, returning to the user equipment a response indicating that the security information interaction succeeded, otherwise returning to the user equipment a response indicating that the security information interaction failed.
  11. The wireless communication-based security authentication device according to claim 10, characterized in that the security authentication device further includes an indication module for indicating the current state of the security authentication device, the indication module including three groups of indicating elements: the first group indicates whether the security authentication device has joined the wireless network, the second group indicates whether the security authentication device is in data communication with user equipment, and the third group indicates whether the security authentication device is performing a security authentication operation.
PCT/CN2016/088549 2015-07-09 2016-07-05 Wireless communication-based security authentication device WO2017005163A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510399139.2 2015-07-09
CN201510399139.2A CN105592459B (en) 2015-07-09 2015-07-09 Safety certification device based on wireless communication

Publications (1)

Publication Number Publication Date
WO2017005163A1 true WO2017005163A1 (en) 2017-01-12

Family

ID=55931593

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/088549 WO2017005163A1 (en) 2015-07-09 2016-07-05 Wireless communication-based security authentication device

Country Status (2)

Country Link
CN (1) CN105592459B (en)
WO (1) WO2017005163A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108718304A (en) * 2018-05-10 2018-10-30 北京握奇智能科技有限公司 It is a kind of using the digital encryption shield connection method of white list authentication mechanism and system
US10965672B2 (en) 2018-04-13 2021-03-30 At&T Intellectual Property I, L.P. Network service control for access to wireless radio networks

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105592459B (en) * 2015-07-09 2019-06-18 中国银联股份有限公司 Safety certification device based on wireless communication
CN109463942A (en) * 2018-11-29 2019-03-15 西安智星语知识产权服务有限公司 Internet of things type showing stand component and its method
WO2021097628A1 (en) * 2019-11-18 2021-05-27 深圳市汇顶科技股份有限公司 Path selecting method and ble device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070042755A1 (en) * 2005-08-20 2007-02-22 Tara Chand Singhal Systems and methods for two-factor remote user authentication
CN103093344A (en) * 2013-02-21 2013-05-08 沈志松 Safe payment system based on wireless fidelity (wifi)
CN104702412A (en) * 2015-03-14 2015-06-10 丁贤根 External AI (Artificial Intelligence) safety certificate system of mobile phone for mobile payment and realizing method thereof
CN104702411A (en) * 2015-03-14 2015-06-10 丁贤根 Token design method integrating mobile payment safety authentication and mobile phone loss alarm
CN105592459A (en) * 2015-07-09 2016-05-18 中国银联股份有限公司 Security authentication device based on wireless communication

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546571B (en) * 2010-12-31 2014-10-15 国民技术股份有限公司 Identity authentication system and method
KR101540023B1 (en) * 2013-11-12 2015-07-29 주식회사 시큐아이 Security device and method for managing authenticated user device
CN204009917U (en) * 2014-02-27 2014-12-10 深圳市文鼎创数据科技有限公司 There is the safety certification device of wireless charging function
CN103905200B (en) * 2014-03-21 2017-11-14 北京中金国信科技有限公司 A kind of identity identifying method and system based on sound wave communication
CN104619040A (en) * 2015-02-10 2015-05-13 福州瑞芯微电子有限公司 Method and system for quickly connecting WIFI equipment

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10965672B2 (en) 2018-04-13 2021-03-30 At&T Intellectual Property I, L.P. Network service control for access to wireless radio networks
US11601429B2 (en) 2018-04-13 2023-03-07 At&T Intellectual Property I, L.P. Network service control for access to wireless radio networks
CN108718304A (en) * 2018-05-10 2018-10-30 北京握奇智能科技有限公司 It is a kind of using the digital encryption shield connection method of white list authentication mechanism and system

Also Published As

Publication number Publication date
CN105592459B (en) 2019-06-18
CN105592459A (en) 2016-05-18

Similar Documents

Publication Publication Date Title
WO2017005163A1 (en) Wireless communication-based security authentication device
WO2017041675A1 (en) Method for sending and acquiring wifi networking information and corresponding apparatus
JP5068495B2 (en) Distributed authentication function
WO2016062002A1 (en) Connection management method and apparatus, electrical device
WO2015085848A1 (en) Security authentication method and bidirectional forwarding detection method
US11736304B2 (en) Secure authentication of remote equipment
US20170208630A1 (en) Wireless connection establishing methods and wireless connection establishing apparatuses
TW201811087A (en) Connection establishment method, apparatus and device
US9807088B2 (en) Method and network node for obtaining a permanent identity of an authenticating wireless device
CN107005927A (en) Cut-in method, equipment and the system of user equipment (UE)
US20230050271A1 (en) Communication system and computer readable storage medium
WO2018205148A1 (en) Data packet checking method and device
WO2014183535A1 (en) Method and system for secure transmission of small data of mtc device group
CN104284331A (en) Method and system for connecting with portable WLAN hotspot
CN110474922B (en) Communication method, PC system and access control router
CN109088731B (en) Internet of things cloud communication method and device
CN106537962B (en) Wireless network configuration, access and access method, device and equipment
CN113965425A (en) Access method, device and equipment of Internet of things equipment and computer readable storage medium
CN114301967B (en) Control method, device and equipment for narrowband Internet of things
US11659384B2 (en) Data center 5G network encrypted multicast-based authority authentication method and system
CN102075567A (en) Authentication method, client, server, feedthrough server and authentication system
CN106304071B (en) A kind of network access verifying method, access authentication equipment and system
TWI520653B (en) Auto-matching method of wireless security, method of establishing connection, and wireless access point device
CN108990052B (en) Method for detecting WPA2 protocol vulnerability
JP6126062B2 (en) Network device and MAC address authentication method for network device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16820814

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16820814

Country of ref document: EP

Kind code of ref document: A1