WO2018113508A1 - Ciphertext-based identity verification method - Google Patents

Ciphertext-based identity verification method Download PDF

Info

Publication number
WO2018113508A1
WO2018113508A1 PCT/CN2017/114419 CN2017114419W WO2018113508A1 WO 2018113508 A1 WO2018113508 A1 WO 2018113508A1 CN 2017114419 W CN2017114419 W CN 2017114419W WO 2018113508 A1 WO2018113508 A1 WO 2018113508A1
Authority
WO
WIPO (PCT)
Prior art keywords
ciphertext
user
security information
restriction
application
Prior art date
Application number
PCT/CN2017/114419
Other languages
French (fr)
Chinese (zh)
Inventor
张栋
丁林润
李春欢
陆东东
Original Assignee
中国银联股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中国银联股份有限公司 filed Critical 中国银联股份有限公司
Publication of WO2018113508A1 publication Critical patent/WO2018113508A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Definitions

  • the present invention relates to an authentication method and, more particularly, to a ciphertext based authentication method.
  • security information interaction processes ie, data interaction processes that require high security, such as payment transactions in the financial field.
  • the user's identity verification operation is typically required to be completed before the actual security information interaction process is implemented, and the security information interaction request (for example, the payment including the payment order) is initiated only if the identity verification is successful.
  • Request usually adopts the following two authentication methods: (1) The user inputs a personal password (PIN) on the security information interaction terminal (for example, the merchant POS machine), and then the security information interaction terminal initiates an online form identity verification process; (2) The user inputs a personal password (PIN) through a private mobile terminal (such as a mobile phone) and transmits the personal password to the relevant authentication server via the Internet for remote authentication or by a specific physical environment residing in the mobile terminal.
  • the data processing unit under (TEE or SE) performs local authentication.
  • the above existing technical solutions have the following problems: (1) there is a potential risk that the personal password is maliciously used because the personal password needs to be input on the security information interaction terminal before the actual security information interaction process is implemented; 2) Since the security information interaction request is initiated only when the authentication is successful, there is a potential risk of being illegally eavesdropped and attacked; (3) the cost is high due to the need to use a specific security unit or via a public Internet channel. Inconvenient to use.
  • the present invention proposes an enhanced security Fully and easy to use ciphertext-based authentication method.
  • a ciphertext-based authentication method includes the following steps:
  • the data processing server pushes one or more first restriction keys and one or more second restriction keys to the user's mobile terminal periodically or upon request, wherein the one or more second restriction keys Each of the keys is associated with the personal password of the user;
  • the security application when the user initiates a security information interaction process by the mobile terminal, the security application residing on the mobile terminal generates an application ciphertext using one of the one or more first restriction keys, And generating, by using one of the one or more second restriction keys, a user ciphertext, and then sending the application ciphertext and the user ciphertext to the security information interaction terminal, where the application ciphertext and the application
  • the user ciphertexts respectively include business detail data required for the security information interaction process
  • the security information interaction terminal constructs a security information interaction request after receiving the application ciphertext and the user ciphertext, and sends the security information interaction request to the data processing server to perform Subsequent security information interaction process.
  • the step (A1) further comprises: the data processing server periodically generates the first restriction key and the distributed value based on the same master key and the value of the application counter.
  • a second restriction key wherein the value of one application counter corresponds to an associated first restriction key and a second restriction key.
  • the step (A1) further comprises: the data processing server using the user's personal password to the first when transmitting the second restriction key to the mobile terminal
  • the second restriction key performs a bitwise exclusive OR operation, and transmits the second restriction key processed by the exclusive OR operation to the mobile terminal.
  • the step (A2) further comprises: using, by the security application residing on the mobile terminal, an XOR operation corresponding to a value of a current application counter
  • the second restriction key When the second restriction key generates the user ciphertext, it instructs the user to input the personal password and performs a bitwise exclusive OR operation on the second restricted key processed by the exclusive OR operation using the personal password input by the user to obtain The second restriction key processed by the exclusive OR operation, and then used
  • the user ciphertext is generated by a second restriction key that is not processed by the exclusive OR operation.
  • a first restriction key and a second restriction key associated therewith are valid only during a data interaction corresponding to the value of an application counter.
  • the step (A3) further comprises: after receiving the security information interaction request, the data processing server uses and generates the first restriction key and the The second restriction key generates the first restriction key and the second restriction key corresponding to the value of the current application counter again in the same manner, and respectively uses the first restriction key and the second restriction key generated again and based on the
  • the service detail data in the security information interaction request generates the application ciphertext and the user ciphertext, and then the generated application ciphertext and the user ciphertext respectively interact with the application ciphertext and the user included in the security information interaction request.
  • the ciphertext-based authentication method disclosed by the present invention has the following advantages: (1) enhanced security is required since a personal password is not required to be input on an external security information interaction terminal before the actual security information interaction process is implemented. (2) Since the security information interaction request can be initiated before the identity verification, the potential risk of being illegally eavesdropped and attacked can be avoided; (3) the cost is low because there is no need to use a specific security unit or via a public Internet channel. And easy to use.
  • FIG. 1 is a flow chart of a ciphertext based authentication method in accordance with an embodiment of the present invention.
  • the ciphertext-based identity verification method disclosed by the present invention includes the following steps: (A1) number Transmitting one or more first restriction keys and one or more second restriction keys to a user's mobile terminal (eg, a smart phone) periodically or upon request based on a processing server (eg, a financial service provider's cloud server) Wherein each of the one or more second restriction keys is associated with a personal password of the user; (A2) residing in the security information interaction process initiated by the user through the mobile terminal
  • the security application on the mobile terminal generates an application ciphertext using one of the one or more first restriction keys, and generates a user ciphertext using one of the one or more second restriction keys, Sending the application ciphertext and the user ciphertext to the security information interaction terminal (for example, a merchant POS machine or a merchant application (APP)), wherein the application ciphertext and the user
  • the step (A1) further comprises: the data processing server periodically based on the same master key (eg, a card issuer key) and an application A counter (ie, ATC, each application residing in the mobile terminal has a unique one of its application counters associated with each other, the application interacts with each other, the value of the associated application counter plus the value of 1) is dispersed
  • the method generates a first restriction key and a second restriction key, wherein the value of one application counter corresponds to an associated first restriction key and a second restriction key.
  • the step (A1) further includes: the data processing server using the user when transmitting the second restriction key to the mobile terminal a personal password (ie, a PIN that is bound to a security application residing on the mobile terminal upon initial registration) to perform a bitwise exclusive OR operation on the second restricted key and A second restriction key of the arithmetic processing is sent to the mobile terminal.
  • a personal password ie, a PIN that is bound to a security application residing on the mobile terminal upon initial registration
  • the step (A2) further comprises: using, at a security application residing on the mobile terminal, a value corresponding to a current application counter.
  • the second restriction key processed by the exclusive OR operation When the second restriction key processed by the exclusive OR operation generates the user ciphertext, it instructs the user to input a personal password (PIN) and uses the personal password (PIN) input by the user to process the second restriction key processed by the exclusive OR operation. Perform a reverse bitwise XOR operation to obtain an XOR-free operation The second restriction key, and then the second privilege key that is not processed by the exclusive OR operation is used to generate the user ciphertext.
  • a first restriction key and a second restriction key associated therewith are only in a data interaction process corresponding to the value of an application counter. Effective in the middle.
  • the step (A3) further includes: after receiving the security information interaction request, the data processing server uses and generates the Regenerating the first restriction key and the second restriction key corresponding to the value of the current application counter again in the same manner as the restriction key and the second restriction key, and respectively using the first restriction key and the first generated again Generating an application ciphertext and a user ciphertext based on the service detail data in the security information interaction request, and then generating the application ciphertext and the user ciphertext respectively in the security information interaction request Comparing the applied ciphertext with the user ciphertext, if the application ciphertext is consistent, determining that the mobile terminal is a legitimate device, and if the user ciphertext is consistent, determining that the user's identity verification is successful, and the data processing server subsequently Performing a subsequent security information interaction process based on the determination result (for example, in the case where the application ciphertext is consistent and the user cipher
  • the ciphertext-based authentication method disclosed by the present invention has the following advantages: (1) since there is no need to input a personal password on the external security information interaction terminal before implementing the actual security information interaction process, Enhanced security; (2) the ability to initiate security information interaction requests prior to authentication, thereby avoiding the potential risk of being illegally eavesdropped and attacked; (3) because there is no need to use a specific security unit or via a public Internet channel, Therefore, the cost is low and the use is convenient.

Abstract

The present invention provides a ciphertext-based identity verification method, comprising: a data processing server pushing one or more first usage limit keys and one or more second usage limit keys to a mobile terminal of a user periodically or based on a request; when the user initiates a security information interaction process via the mobile terminal, a security application residing on the mobile terminal using one of the one or more first usage limit keys to generate an application ciphertext, and using one of the one or more second usage limit keys to generate a user ciphertext, and then transmitting the application ciphertext and the user ciphertext to a security information interaction terminal; and after receiving the application ciphertext and the user ciphertext, the security information interaction terminal constructing a security information interaction request and transmitting the security information interaction request to the data processing server to perform a subsequent security information interaction process. The method disclosed by the present invention has improved security and is easy to use.

Description

基于密文的身份验证方法Ciphertext-based authentication method 技术领域Technical field
本发明涉及身份验证方法,更具体地,涉及基于密文的身份验证方法。The present invention relates to an authentication method and, more particularly, to a ciphertext based authentication method.
背景技术Background technique
目前,随着计算机和网络应用的日益广泛以及不同领域的业务种类的日益丰富,利用移动终端实施安全性信息交互过程(即对安全性要求较高的数据交互过程,例如金融领域中的支付交易)变得越来越重要。At present, with the increasing popularity of computers and network applications and the growing variety of services in different fields, mobile terminals are used to implement security information interaction processes (ie, data interaction processes that require high security, such as payment transactions in the financial field). )become more and more important.
在现有的技术方案中,在实施实际的安全性信息交互过程之前典型地需要完成用户的身份验证操作,并且仅在身份验证成功的情况下发起安全性信息交互请求(例如包含支付订单的支付请求),通常采用如下两种身份验证方式:(1)用户在安全性信息交互终端(例如商户POS机)上输入个人密码(PIN),随后安全性信息交互终端发起联机形式的身份验证过程;(2)用户通过私有的移动终端(例如手机)输入个人密码(PIN)并经由互联网将所述个人密码发送至相关的身份验证服务器进行远程身份验证或者由驻留于移动终端中的特定物理环境(TEE或SE)下的数据处理单元进行本地身份验证。In the prior art solution, the user's identity verification operation is typically required to be completed before the actual security information interaction process is implemented, and the security information interaction request (for example, the payment including the payment order) is initiated only if the identity verification is successful. Request), usually adopts the following two authentication methods: (1) The user inputs a personal password (PIN) on the security information interaction terminal (for example, the merchant POS machine), and then the security information interaction terminal initiates an online form identity verification process; (2) The user inputs a personal password (PIN) through a private mobile terminal (such as a mobile phone) and transmits the personal password to the relevant authentication server via the Internet for remote authentication or by a specific physical environment residing in the mobile terminal. The data processing unit under (TEE or SE) performs local authentication.
然而,上述现有的技术方案存在如下问题:(1)由于需要在实施实际的安全性信息交互过程之前在安全性信息交互终端上输入个人密码,故存在个人密码被恶意使用的潜在风险;(2)由于仅在身份验证成功的情况下发起安全性信息交互请求,故存在被非法窃听和攻击的潜在风险;(3)由于需要使用特定的安全单元或者经由公共互联网通道,故成本较高且使用不便。However, the above existing technical solutions have the following problems: (1) there is a potential risk that the personal password is maliciously used because the personal password needs to be input on the security information interaction terminal before the actual security information interaction process is implemented; 2) Since the security information interaction request is initiated only when the authentication is successful, there is a potential risk of being illegally eavesdropped and attacked; (3) the cost is high due to the need to use a specific security unit or via a public Internet channel. Inconvenient to use.
因此,存在如下需求:提供具有增强的安全性并且使用便捷的基于密文的身份验证方法。Therefore, there is a need to provide a ciphertext-based authentication method with enhanced security and ease of use.
发明内容Summary of the invention
为了解决上述现有技术方案所存在的问题,本发明提出了具有增强的安 全性并且使用便捷的基于密文的身份验证方法。In order to solve the problems existing in the above prior art solutions, the present invention proposes an enhanced security Fully and easy to use ciphertext-based authentication method.
本发明的目的是通过以下技术方案实现的:The object of the invention is achieved by the following technical solutions:
一种基于密文的身份验证方法,所述基于密文的身份验证方法包括下列步骤:A ciphertext-based authentication method, the ciphertext-based authentication method includes the following steps:
(A1)数据处理服务器周期性地或基于请求向用户的移动终端推送一个或多个第一限制密钥和一个或多个第二限制密钥,其中,所述一个或多个第二限制密钥中的每个与所述用户的个人密码相关联;(A1) The data processing server pushes one or more first restriction keys and one or more second restriction keys to the user's mobile terminal periodically or upon request, wherein the one or more second restriction keys Each of the keys is associated with the personal password of the user;
(A2)在用户通过所述移动终端发起安全性信息交互过程时,驻留于所述移动终端上的安全性应用使用所述一个或多个第一限制密钥中的一个生成应用密文,并使用所述一个或多个第二限制密钥中的一个生成用户密文,随之将所述应用密文和用户密文发送至安全性信息交互终端,其中,所述应用密文和所述用户密文均包含所述安全性信息交互过程所需的业务明细数据;(A2) when the user initiates a security information interaction process by the mobile terminal, the security application residing on the mobile terminal generates an application ciphertext using one of the one or more first restriction keys, And generating, by using one of the one or more second restriction keys, a user ciphertext, and then sending the application ciphertext and the user ciphertext to the security information interaction terminal, where the application ciphertext and the application The user ciphertexts respectively include business detail data required for the security information interaction process;
(A3)所述安全性信息交互终端在接收到所述应用密文和所述用户密文后构建安全性信息交互请求,并将所述安全性信息交互请求发送至所述数据处理服务器以进行后续的安全性信息交互过程。(A3) the security information interaction terminal constructs a security information interaction request after receiving the application ciphertext and the user ciphertext, and sends the security information interaction request to the data processing server to perform Subsequent security information interaction process.
在上面所公开的方案中,优选地,所述步骤(A1)进一步包括:所述数据处理服务器周期性地基于同一个主密钥以及应用计数器的值以分散的方式生成第一限制密钥和第二限制密钥,其中,一个应用计数器的值对应于相关联的一个第一限制密钥和一个第二限制密钥。In the solution disclosed above, preferably, the step (A1) further comprises: the data processing server periodically generates the first restriction key and the distributed value based on the same master key and the value of the application counter. A second restriction key, wherein the value of one application counter corresponds to an associated first restriction key and a second restriction key.
在上面所公开的方案中,优选地,所述步骤(A1)进一步包括:所述数据处理服务器在将所述第二限制密钥发送至所述移动终端时使用用户的个人密码对所述第二限制密钥进行逐位的异或运算,并将经异或运算处理的第二限制密钥发送至所述移动终端。In the solution disclosed above, preferably, the step (A1) further comprises: the data processing server using the user's personal password to the first when transmitting the second restriction key to the mobile terminal The second restriction key performs a bitwise exclusive OR operation, and transmits the second restriction key processed by the exclusive OR operation to the mobile terminal.
在上面所公开的方案中,优选地,所述步骤(A2)进一步包括:在驻留于所述移动终端上的安全性应用使用与当前应用计数器的值相对应的经异或运算处理的第二限制密钥生成用户密文时,其指示用户输入个人密码并使用用户输入的个人密码对所述经异或运算处理的第二限制密钥进行反向的逐位异或运算以获得未经异或运算处理的第二限制密钥,并随之使用所述 未经异或运算处理的第二限制密钥生成所述用户密文。In the solution disclosed above, preferably, the step (A2) further comprises: using, by the security application residing on the mobile terminal, an XOR operation corresponding to a value of a current application counter When the second restriction key generates the user ciphertext, it instructs the user to input the personal password and performs a bitwise exclusive OR operation on the second restricted key processed by the exclusive OR operation using the personal password input by the user to obtain The second restriction key processed by the exclusive OR operation, and then used The user ciphertext is generated by a second restriction key that is not processed by the exclusive OR operation.
在上面所公开的方案中,优选地,一个第一限制密钥和一个与其相关联的第二限制密钥仅在与一个应用计数器的值相对应的一次数据交互过程中有效。In the solution disclosed above, preferably, a first restriction key and a second restriction key associated therewith are valid only during a data interaction corresponding to the value of an application counter.
在上面所公开的方案中,优选地,所述步骤(A3)进一步包括:在接收到所述安全性信息交互请求后,所述数据处理服务器使用与生成所述第一限制密钥和所述第二限制密钥相同的方式再次生成与当前应用计数器的值对应的第一限制密钥和第二限制密钥,并分别使用再次生成的第一限制密钥和第二限制密钥以及基于所述安全性信息交互请求中的业务明细数据生成应用密文和用户密文,随之将生成的应用密文和用户密文各自与所述安全性信息交互请求中所包含的应用密文和用户密文相比较,如果应用密文一致,则判定所述移动终端是合法的设备,如果用户密文一致,则判定用户的身份验证成功,并且所述数据处理服务器随后基于判定结果执行后续的安全性信息交互过程。In the solution disclosed above, preferably, the step (A3) further comprises: after receiving the security information interaction request, the data processing server uses and generates the first restriction key and the The second restriction key generates the first restriction key and the second restriction key corresponding to the value of the current application counter again in the same manner, and respectively uses the first restriction key and the second restriction key generated again and based on the The service detail data in the security information interaction request generates the application ciphertext and the user ciphertext, and then the generated application ciphertext and the user ciphertext respectively interact with the application ciphertext and the user included in the security information interaction request. Comparing the ciphertext, if the application ciphertext is consistent, determining that the mobile terminal is a legitimate device, if the user ciphertext is consistent, determining that the user's identity verification is successful, and the data processing server subsequently performing subsequent security based on the determination result. Sexual information interaction process.
本发明所公开的基于密文的身份验证方法具有以下优点:(1)由于在实施实际的安全性信息交互过程之前无需在外部的安全性信息交互终端上输入个人密码,故具有增强的安全性;(2)由于能够在身份验证之前发起安全性信息交互请求,故可以避免被非法窃听和攻击的潜在风险;(3)由于不需要使用特定的安全单元或者经由公共互联网通道,故成本较低且使用便捷。The ciphertext-based authentication method disclosed by the present invention has the following advantages: (1) enhanced security is required since a personal password is not required to be input on an external security information interaction terminal before the actual security information interaction process is implemented. (2) Since the security information interaction request can be initiated before the identity verification, the potential risk of being illegally eavesdropped and attacked can be avoided; (3) the cost is low because there is no need to use a specific security unit or via a public Internet channel. And easy to use.
附图说明DRAWINGS
结合附图,本发明的技术特征以及优点将会被本领域技术人员更好地理解,其中:The technical features and advantages of the present invention will be better understood by those skilled in the art, in which:
图1是根据本发明的实施例的基于密文的身份验证方法的流程图。1 is a flow chart of a ciphertext based authentication method in accordance with an embodiment of the present invention.
具体实施方式detailed description
图1是根据本发明的实施例的基于密文的身份验证方法的流程图。如图1所示,本发明所公开的基于密文的身份验证方法包括下列步骤:(A1)数 据处理服务器(例如金融服务提供方的云端服务器)周期性地或基于请求向用户的移动终端(例如智能手机)推送一个或多个第一限制密钥和一个或多个第二限制密钥,其中,所述一个或多个第二限制密钥中的每个与所述用户的个人密码相关联;(A2)在用户通过所述移动终端发起安全性信息交互过程时,驻留于所述移动终端上的安全性应用使用所述一个或多个第一限制密钥中的一个生成应用密文,并使用所述一个或多个第二限制密钥中的一个生成用户密文,随之将所述应用密文和用户密文发送至安全性信息交互终端(例如商户POS机或商户应用(APP)),其中,所述应用密文和所述用户密文均包含所述安全性信息交互过程所需的业务明细数据(例如支付交易的明细信息);(A3)所述安全性信息交互终端在接收到所述应用密文和所述用户密文后构建安全性信息交互请求,并将所述安全性信息交互请求发送至所述数据处理服务器以进行后续的安全性信息交互过程。1 is a flow chart of a ciphertext based authentication method in accordance with an embodiment of the present invention. As shown in FIG. 1, the ciphertext-based identity verification method disclosed by the present invention includes the following steps: (A1) number Transmitting one or more first restriction keys and one or more second restriction keys to a user's mobile terminal (eg, a smart phone) periodically or upon request based on a processing server (eg, a financial service provider's cloud server) Wherein each of the one or more second restriction keys is associated with a personal password of the user; (A2) residing in the security information interaction process initiated by the user through the mobile terminal The security application on the mobile terminal generates an application ciphertext using one of the one or more first restriction keys, and generates a user ciphertext using one of the one or more second restriction keys, Sending the application ciphertext and the user ciphertext to the security information interaction terminal (for example, a merchant POS machine or a merchant application (APP)), wherein the application ciphertext and the user ciphertext both include the security information The service detail data required for the interaction process (for example, the detailed information of the payment transaction); (A3) the security information interaction terminal constructs the security information interaction request after receiving the application ciphertext and the user ciphertext And said security information interaction request to said data processing server for subsequent security information interaction process.
优选地,在本发明所公开的基于密文的身份验证方法中,所述步骤(A1)进一步包括:所述数据处理服务器周期性地基于同一个主密钥(例如发卡方密钥)以及应用计数器(即ATC,驻留于移动终端中的每个应用具有与其相关联的唯一的一个应用计数器,该应用每进行一次数据交互,与其相关联的应用计数器的值加1)的值以分散的方式生成第一限制密钥和第二限制密钥,其中,一个应用计数器的值对应于相关联的一个第一限制密钥和一个第二限制密钥。Preferably, in the ciphertext-based authentication method disclosed in the present invention, the step (A1) further comprises: the data processing server periodically based on the same master key (eg, a card issuer key) and an application A counter (ie, ATC, each application residing in the mobile terminal has a unique one of its application counters associated with each other, the application interacts with each other, the value of the associated application counter plus the value of 1) is dispersed The method generates a first restriction key and a second restriction key, wherein the value of one application counter corresponds to an associated first restriction key and a second restriction key.
优选地,在本发明所公开的基于密文的身份验证方法中,所述步骤(A1)进一步包括:所述数据处理服务器在将所述第二限制密钥发送至所述移动终端时使用用户的个人密码(即PIN,其在初始注册时与驻留于所述移动终端上的安全性应用相绑定)对所述第二限制密钥进行逐位的异或运算,并将经异或运算处理的第二限制密钥发送至所述移动终端。Preferably, in the ciphertext-based authentication method disclosed in the present invention, the step (A1) further includes: the data processing server using the user when transmitting the second restriction key to the mobile terminal a personal password (ie, a PIN that is bound to a security application residing on the mobile terminal upon initial registration) to perform a bitwise exclusive OR operation on the second restricted key and A second restriction key of the arithmetic processing is sent to the mobile terminal.
优选地,在本发明所公开的基于密文的身份验证方法中,所述步骤(A2)进一步包括:在驻留于所述移动终端上的安全性应用使用与当前应用计数器的值相对应的经异或运算处理的第二限制密钥生成用户密文时,其指示用户输入个人密码(PIN)并使用用户输入的个人密码(PIN)对所述经异或运算处理的第二限制密钥进行反向的逐位异或运算以获得未经异或运算处理 的第二限制密钥,并随之使用所述未经异或运算处理的第二限制密钥生成所述用户密文。Preferably, in the ciphertext-based authentication method disclosed in the present invention, the step (A2) further comprises: using, at a security application residing on the mobile terminal, a value corresponding to a current application counter. When the second restriction key processed by the exclusive OR operation generates the user ciphertext, it instructs the user to input a personal password (PIN) and uses the personal password (PIN) input by the user to process the second restriction key processed by the exclusive OR operation. Perform a reverse bitwise XOR operation to obtain an XOR-free operation The second restriction key, and then the second privilege key that is not processed by the exclusive OR operation is used to generate the user ciphertext.
优选地,在本发明所公开的基于密文的身份验证方法中,一个第一限制密钥和一个与其相关联的第二限制密钥仅在与一个应用计数器的值相对应的一次数据交互过程中有效。Preferably, in the ciphertext-based authentication method disclosed in the present invention, a first restriction key and a second restriction key associated therewith are only in a data interaction process corresponding to the value of an application counter. Effective in the middle.
优选地,在本发明所公开的基于密文的身份验证方法中,所述步骤(A3)进一步包括:在接收到所述安全性信息交互请求后,所述数据处理服务器使用与生成所述第一限制密钥和所述第二限制密钥相同的方式再次生成与当前应用计数器的值对应的第一限制密钥和第二限制密钥,并分别使用再次生成的第一限制密钥和第二限制密钥以及基于所述安全性信息交互请求中的业务明细数据生成应用密文和用户密文,随之将生成的应用密文和用户密文各自与所述安全性信息交互请求中所包含的应用密文和用户密文相比较,如果应用密文一致,则判定所述移动终端是合法的设备,如果用户密文一致,则判定用户的身份验证成功,并且所述数据处理服务器随后基于判定结果执行后续的安全性信息交互过程(例如,在应用密文一致而用户密文不一致的情况下,数据处理服务器可以设置相关的错误发生计数器,即当用户密文验证错误发生的次数超过一定阈值后可以拒绝后续的安全性信息交互过程的执行)。Preferably, in the ciphertext-based authentication method disclosed in the present disclosure, the step (A3) further includes: after receiving the security information interaction request, the data processing server uses and generates the Regenerating the first restriction key and the second restriction key corresponding to the value of the current application counter again in the same manner as the restriction key and the second restriction key, and respectively using the first restriction key and the first generated again Generating an application ciphertext and a user ciphertext based on the service detail data in the security information interaction request, and then generating the application ciphertext and the user ciphertext respectively in the security information interaction request Comparing the applied ciphertext with the user ciphertext, if the application ciphertext is consistent, determining that the mobile terminal is a legitimate device, and if the user ciphertext is consistent, determining that the user's identity verification is successful, and the data processing server subsequently Performing a subsequent security information interaction process based on the determination result (for example, in the case where the application ciphertext is consistent and the user ciphertext is inconsistent, data processing Services may be provided associated error counters, i.e. when the number of times a user ciphertext verification error exceeds a certain threshold may refuse to perform the subsequent security information interaction process).
由上可见,本发明所公开的基于密文的身份验证方法具有下列优点:(1)由于在实施实际的安全性信息交互过程之前无需在外部的安全性信息交互终端上输入个人密码,故具有增强的安全性;(2)由于能够在身份验证之前发起安全性信息交互请求,故可以避免被非法窃听和攻击的潜在风险;(3)由于不需要使用特定的安全单元或者经由公共互联网通道,故成本较低且使用便捷。It can be seen from the above that the ciphertext-based authentication method disclosed by the present invention has the following advantages: (1) since there is no need to input a personal password on the external security information interaction terminal before implementing the actual security information interaction process, Enhanced security; (2) the ability to initiate security information interaction requests prior to authentication, thereby avoiding the potential risk of being illegally eavesdropped and attacked; (3) because there is no need to use a specific security unit or via a public Internet channel, Therefore, the cost is low and the use is convenient.
尽管本发明是通过上述的优选实施方式进行描述的,但是其实现形式并不局限于上述的实施方式。应该认识到:在不脱离本发明主旨和范围的情况下,本领域技术人员可以对本发明做出不同的变化和修改。 Although the invention has been described in terms of the preferred embodiments described above, the implementation forms are not limited to the embodiments described above. It will be appreciated that various changes and modifications can be made in the present invention without departing from the spirit and scope of the invention.

Claims (6)

  1. 一种基于密文的身份验证方法,所述基于密文的身份验证方法包括下列步骤:A ciphertext-based authentication method, the ciphertext-based authentication method includes the following steps:
    (A1)数据处理服务器周期性地或基于请求向用户的移动终端推送一个或多个第一限制密钥和一个或多个第二限制密钥,其中,所述一个或多个第二限制密钥中的每个与所述用户的个人密码相关联;(A1) The data processing server pushes one or more first restriction keys and one or more second restriction keys to the user's mobile terminal periodically or upon request, wherein the one or more second restriction keys Each of the keys is associated with the personal password of the user;
    (A2)在用户通过所述移动终端发起安全性信息交互过程时,驻留于所述移动终端上的安全性应用使用所述一个或多个第一限制密钥中的一个生成应用密文,并使用所述一个或多个第二限制密钥中的一个生成用户密文,随之将所述应用密文和用户密文发送至安全性信息交互终端,其中,所述应用密文和所述用户密文均包含所述安全性信息交互过程所需的业务明细数据;(A2) when the user initiates a security information interaction process by the mobile terminal, the security application residing on the mobile terminal generates an application ciphertext using one of the one or more first restriction keys, And generating, by using one of the one or more second restriction keys, a user ciphertext, and then sending the application ciphertext and the user ciphertext to the security information interaction terminal, where the application ciphertext and the application The user ciphertexts respectively include business detail data required for the security information interaction process;
    (A3)所述安全性信息交互终端在接收到所述应用密文和所述用户密文后构建安全性信息交互请求,并将所述安全性信息交互请求发送至所述数据处理服务器以进行后续的安全性信息交互过程。(A3) the security information interaction terminal constructs a security information interaction request after receiving the application ciphertext and the user ciphertext, and sends the security information interaction request to the data processing server to perform Subsequent security information interaction process.
  2. 根据权利要求1所述的基于密文的身份验证方法,其特征在于,所述步骤(A1)进一步包括:所述数据处理服务器周期性地基于同一个主密钥以及应用计数器的值以分散的方式生成第一限制密钥和第二限制密钥,其中,一个应用计数器的值对应于相关联的一个第一限制密钥和一个第二限制密钥。The ciphertext-based authentication method according to claim 1, wherein said step (A1) further comprises: said data processing server periodically dispersing based on values of the same master key and an application counter The method generates a first restriction key and a second restriction key, wherein the value of one application counter corresponds to an associated first restriction key and a second restriction key.
  3. 根据权利要求2所述的基于密文的身份验证方法,其特征在于,所述步骤(A1)进一步包括:所述数据处理服务器在将所述第二限制密钥发送至所述移动终端时使用用户的个人密码对所述第二限制密钥进行逐位的异或运算,并将经异或运算处理的第二限制密钥发送至所述移动终端。The ciphertext-based authentication method according to claim 2, wherein said step (A1) further comprises: said data processing server uses when said second restriction key is transmitted to said mobile terminal The user's personal password performs a bitwise exclusive OR operation on the second restriction key, and transmits the second restriction key processed by the exclusive OR operation to the mobile terminal.
  4. 根据权利要求3所述的基于密文的身份验证方法,其特征在于,所述步骤(A2)进一步包括:在驻留于所述移动终端上的安全性应用使用与当前应用计数器的值相对应的经异或运算处理的第二限制密钥生成用户密文时,其指示用户输入个人密码并使用用户输入的个人密码对所述经异或运算处理的第二限制密钥进行反向的逐位异或运算以获得未经异或运算处理的第 二限制密钥,并随之使用所述未经异或运算处理的第二限制密钥生成所述用户密文。The ciphertext-based authentication method according to claim 3, wherein said step (A2) further comprises: using a security application resident on said mobile terminal corresponding to a value of a current application counter When the second restriction key processed by the exclusive OR operation generates the user ciphertext, it instructs the user to input the personal password and reverses the second restriction key processed by the exclusive OR operation using the personal password input by the user. Bitwise exclusive OR operation to obtain the first unprocessed operation The second restriction key is used to generate the user ciphertext using the second restriction key that is not processed by the exclusive OR operation.
  5. 根据权利要求4所述的基于密文的身份验证方法,其特征在于,一个第一限制密钥和一个与其相关联的第二限制密钥仅在与一个应用计数器的值相对应的一次数据交互过程中有效。The ciphertext-based authentication method according to claim 4, wherein a first restriction key and a second restriction key associated therewith are only in one data interaction corresponding to the value of an application counter. Effective in the process.
  6. 根据权利要求5所述的基于密文的身份验证方法,其特征在于,所述步骤(A3)进一步包括:在接收到所述安全性信息交互请求后,所述数据处理服务器使用与生成所述第一限制密钥和所述第二限制密钥相同的方式再次生成与当前应用计数器的值对应的第一限制密钥和第二限制密钥,并分别使用再次生成的第一限制密钥和第二限制密钥以及基于所述安全性信息交互请求中的业务明细数据生成应用密文和用户密文,随之将生成的应用密文和用户密文各自与所述安全性信息交互请求中所包含的应用密文和用户密文相比较,如果应用密文一致,则判定所述移动终端是合法的设备,如果用户密文一致,则判定用户的身份验证成功,并且所述数据处理服务器随后基于判定结果执行后续的安全性信息交互过程。 The ciphertext-based authentication method according to claim 5, wherein the step (A3) further comprises: after receiving the security information interaction request, the data processing server uses and generates the The first restriction key and the second restriction key generate the first restriction key and the second restriction key corresponding to the value of the current application counter again, and respectively use the re-generated first restriction key and And generating, by the second restriction key, the application ciphertext and the user ciphertext based on the service detail data in the security information interaction request, and then the generated application ciphertext and the user ciphertext are respectively interacted with the security information request The application ciphertext is compared with the user ciphertext. If the ciphertext is consistent, the mobile terminal is determined to be a legal device. If the ciphertext of the user is consistent, the authentication of the user is determined to be successful, and the data processing server is determined. A subsequent security information interaction process is then performed based on the determination result.
PCT/CN2017/114419 2016-12-23 2017-12-04 Ciphertext-based identity verification method WO2018113508A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611203764.6A CN106961417B (en) 2016-12-23 2016-12-23 Identity verification method based on ciphertext
CN201611203764.6 2016-12-23

Publications (1)

Publication Number Publication Date
WO2018113508A1 true WO2018113508A1 (en) 2018-06-28

Family

ID=59480853

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/114419 WO2018113508A1 (en) 2016-12-23 2017-12-04 Ciphertext-based identity verification method

Country Status (3)

Country Link
CN (1) CN106961417B (en)
TW (1) TWI728212B (en)
WO (1) WO2018113508A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111311261A (en) * 2020-02-24 2020-06-19 中国工商银行股份有限公司 Security processing method, device and system for online transaction

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106961417B (en) * 2016-12-23 2020-05-22 中国银联股份有限公司 Identity verification method based on ciphertext

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120011007A1 (en) * 2010-07-07 2012-01-12 At&T Intellectual Property I, L.P. Mobile Payment Using DTMF Signaling
CN102694782A (en) * 2011-03-24 2012-09-26 中国银联股份有限公司 Internet-based device and method for security information interaction
CN104778794A (en) * 2015-04-24 2015-07-15 华为技术有限公司 Mobile payment device and method
CN105678553A (en) * 2015-08-05 2016-06-15 腾讯科技(深圳)有限公司 Method, device and system for processing order information
CN106961417A (en) * 2016-12-23 2017-07-18 中国银联股份有限公司 Auth method based on ciphertext

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102752264A (en) * 2011-04-19 2012-10-24 中国银行股份有限公司 Internet dual-dynamic-password subscriber identity authentication method and system
JPWO2016035466A1 (en) * 2014-09-03 2017-04-27 エンクリプティア株式会社 COMMUNICATION SYSTEM, SERVER DEVICE PROGRAM AND RECORDING MEDIUM RECORDING THE SAME, COMMUNICATION DEVICE PROGRAM AND RECORDING MEDIUM RECORDING THE SAME, TERMINAL DEVICE PROGRAM AND RECORDING MEDIUM RECORDING THE SAME
CN105991285B (en) * 2015-02-16 2019-06-11 阿里巴巴集团控股有限公司 Identity identifying method, apparatus and system for quantum key distribution process

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120011007A1 (en) * 2010-07-07 2012-01-12 At&T Intellectual Property I, L.P. Mobile Payment Using DTMF Signaling
CN102694782A (en) * 2011-03-24 2012-09-26 中国银联股份有限公司 Internet-based device and method for security information interaction
CN104778794A (en) * 2015-04-24 2015-07-15 华为技术有限公司 Mobile payment device and method
CN105678553A (en) * 2015-08-05 2016-06-15 腾讯科技(深圳)有限公司 Method, device and system for processing order information
CN106961417A (en) * 2016-12-23 2017-07-18 中国银联股份有限公司 Auth method based on ciphertext

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111311261A (en) * 2020-02-24 2020-06-19 中国工商银行股份有限公司 Security processing method, device and system for online transaction
CN111311261B (en) * 2020-02-24 2023-07-21 中国工商银行股份有限公司 Safe processing method, device and system for online transaction

Also Published As

Publication number Publication date
CN106961417A (en) 2017-07-18
TW201828134A (en) 2018-08-01
CN106961417B (en) 2020-05-22
TWI728212B (en) 2021-05-21

Similar Documents

Publication Publication Date Title
US11729150B2 (en) Key pair infrastructure for secure messaging
US10341111B2 (en) Secure authentication of user and mobile device
US9426134B2 (en) Method and systems for the authentication of a user
CN106875173B (en) Method for authenticating transaction
CN117579281A (en) Method and system for ownership verification using blockchain
US20080235513A1 (en) Three Party Authentication
US9749130B2 (en) Distributing keys for decrypting client data
CN105577612B (en) Identity authentication method, third-party server, merchant server and user terminal
WO2014107977A1 (en) Key protection method and system
CN104268746A (en) Card-free payment method
US11436597B1 (en) Biometrics-based e-signatures for pre-authorization and acceptance transfer
WO2015135392A1 (en) O2o secure payment method and system
US20180159865A1 (en) System and method for message recipient verification
US9836618B2 (en) System and method of authentication of a first party respective of a second party aided by a third party
EP3959628A1 (en) Trusted customer identity systems and methods
WO2017107733A1 (en) Off-line payment method, terminal device, background payment apparatus and off-line payment system
WO2018113508A1 (en) Ciphertext-based identity verification method
KR20220038109A (en) Authenticator app for consent architecture
CN112074835A (en) Techniques to perform secure operations
WO2017016039A1 (en) Method and device for transferring business data between accounts
CN117336092A (en) Client login method and device, electronic equipment and storage medium
Sung et al. Mobile Payment Based on Transaction Certificate Using Cloud Self‐Proxy Server
TW201721559A (en) Method of prelogin preview for online bank and system thereof
WO2015014254A1 (en) Method for secure exchange of information related to resource transfers
US20230153788A1 (en) Performing card lifecycle actions for card accounts utilizing encryption and double signature validation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17883637

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17883637

Country of ref document: EP

Kind code of ref document: A1