WO2019134494A1 - Verification information processing method, communication device, service platform, and storage medium - Google Patents


Info

Publication number
WO2019134494A1 (PCT/CN2018/121311)
Authority
WO (WIPO, PCT)
Prior art keywords
short message; identifier; application; verification; user identification
Application number
PCT/CN2018/121311
Other languages
French (fr), Chinese (zh)
Inventor
乐祖晖
Original Assignee
中国移动通信有限公司研究院, 中国移动通信集团有限公司
Application filed by 中国移动通信有限公司研究院 and 中国移动通信集团有限公司
Publication of WO2019134494A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor > H04W 4/12 Messaging; Mailboxes; Announcements > H04W 4/14 Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]

Definitions

  • the present application relates to the field of communications technologies, but is not limited to the field of communications technologies, and in particular, to a verification information processing method, a communication device, a service platform, and a storage medium.
  • SMS for authentication is a common security method in many businesses.
  • for example, before a payment is confirmed, a third-party payment service asks the banking system to send a short message.
  • the short message carries a short message verification code; the user enters the verification code into the verification interface, and it is sent to the banking system.
  • after the banking system receives it, it determines whether this is a verification code it issued itself and, if so, may perform the payment operation.
  • although SMS verification improves the security of certain business functions, there is a problem: if the communication device that receives the short message has a malicious application installed (malicious code such as a Trojan), the malicious application can read the short message and send it to an illegal user or device. The verification code is thereby leaked, which may result in business operations such as payment being executed insecurely.
  • the embodiment of the present application is expected to provide a verification information processing method, a communication device, and a storage medium.
  • an embodiment of the present application provides a verification information processing method, including: reading the short message from the user identification card, where the short message includes verification information.
  • an embodiment of the present application provides a verification information processing method, including: sending a read request to the access control middleware, and receiving the short message that the access control middleware reads from the user identification card based on the read request, where the short message carries the verification information and was sent by the service platform to the user identification card based on the acquisition request.
  • the embodiment of the present application provides a verification information processing method, including:
  • the embodiment of the present application provides a communication device, where the communication device runs an access control middleware, and the access control middleware includes:
  • a determining unit configured to determine whether the service application has permission to access the user identification card
  • a reading unit configured to read a short message from the user identification card when the service application has the right to access the user identification card, where the short message includes verification information
  • a transmission unit configured to transmit the short message to the service application.
  • an embodiment of the present application provides a communication device on which a service application is installed, where the service application includes:
  • a first sending unit configured to send an acquisition request for the verification information to the service platform
  • a second sending unit configured to send a read request to the access control middleware
  • a first receiving unit configured to receive a short message that the access control middleware reads from the user identification card based on the read request, where the short message carries verification information and was sent by the service platform to the user identification card based on the acquisition request.
  • the embodiment of the present application provides a service platform, including:
  • a second receiving unit configured to receive an acquisition request of the verification information sent by the service application
  • a third sending unit configured to send, according to the acquisition request, a short message carrying the verification information to the user identification card of the designated device.
  • an embodiment of the present application provides a communication device, including: a transceiver, a memory, a processor, and a computer program stored on the memory and executed by the processor;
  • the processor is coupled to the transceiver and the memory, respectively, for implementing the verification information processing method provided by one or more of the foregoing technical solutions by executing the computer program.
  • an embodiment of the present application provides a computer storage medium, where the computer storage medium stores a computer program; after the computer program is executed, the verification information processing method provided by one or more of the foregoing technical solutions can be implemented.
  • the embodiment of the present application provides a verification information processing method, a communication device, a service platform, and a storage medium.
  • the short message carrying the verification information is not sent by the service platform to the short message processing module of the communication device, but directly to the user identification card.
  • if a business application on the device needs to read the short message on the user identification card, it must first pass authorization verification before the short message can be read from the user identification card. This obviously increases the difficulty for malicious applications such as Trojans to read the verification information, and improves the security of the verification information.
  • FIG. 1 is a schematic structural diagram of a processing system for verifying information according to an embodiment of the present application
  • FIG. 2 is a schematic flowchart of a first verification information processing method according to an embodiment of the present application
  • FIG. 3 is a schematic flowchart diagram of a second verification information processing method according to an embodiment of the present disclosure
  • FIG. 4 is a schematic flowchart of a third verification information processing method according to an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a communication device according to an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of another communication device according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic structural diagram of a service platform according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of still another communication device according to an embodiment of the present application.
  • FIG. 9 is a schematic flowchart diagram of a fourth verification information processing method according to an embodiment of the present application.
  • a malicious application may be used to steal the verification information in the short message.
  • in the embodiment of the present application, the short message carrying the verification information is sent directly to the user identification card and stored by it. If an application needs to access the user identification card, or to read the short message carrying the verification information stored on it, authorization verification is required; only after passing the authorization verification can the corresponding short message be read and the verification information obtained.
  • compared with storing the short message in the short message application, or in a short message processing module that is open to all applications, the security of the verification information is improved. In view of this, as shown in FIG. 1, this embodiment first provides a system architecture for processing a short message carrying verification information.
  • the system architecture includes a service platform that sends the short message to the user identification card, and a service application that triggers the service platform to send the short message.
  • An Application Programming Interface is also provided in the device.
  • the API is provided with an access control middleware, which can realize the authorization of the service application by interacting with the information of the user identification card.
  • There may also be a mobile device in Figure 1, which is required to be written to other devices.
  • the communication device in the embodiment of the present application may be: a mobile phone, a tablet computer, a wearable device, an in-vehicle device, or an Internet of Things terminal, and the like, which can perform network communication.
  • the access control application is also configured on the user identification card in FIG.
  • the access control application can be used for data interaction with the access control middleware in the API, for example, performing SMS interaction according to a pre-configured control rule.
  • the control rule may be sent by the access control application to the access control middleware, and the access control middleware controls the access of the service application to the user identification card according to the control rule.
  • the business application is authenticated for accessing the user identification card or the short message on the user identification card.
  • the control rule may further include: access control information, the information may include information such as an application identifier that allows access to an application on the user identification card.
  • the user identification card, which may also be referred to as a smart card, may be any of various cards carrying user identity information, such as a Subscriber Identity Module (SIM), a User Identity Module (UIM), a Universal Subscriber Identity Module (USIM), a nano-SIM card, or a micro-SIM card.
  • the nano-SIM card, also referred to as the fourth form factor (4FF) integrated circuit card, is a new-generation SIM that is smaller than the micro-SIM card currently in use.
  • the micro-SIM card is another upgraded version of the SIM that is smaller than a normal SIM card.
  • according to the form of the card, the user identification card may include a separate SIM card detachable from the mobile terminal, or an eSIM card integrated into the circuit chip of the mobile device.
  • this embodiment provides a verification information processing method, including:
  • Step S110 determining whether the service application has the right to access the user identity identification card
  • Step S120 When the service application has the right to access the user identification card, the short message is read from the user identification card, where the short message includes verification information;
  • Step S130 transmitting the short message to the service application.
  • the verification information processing method provided in this embodiment may be applied to an access control middleware in a communication device, and the access control middleware may be an integral part of an API installed in the device.
  • in the embodiment of the present application, the short message carrying the verification information is sent directly to the user identification card.
  • the communication device sends a request for obtaining the verification information to the service platform; after receiving the acquisition request, the service platform constructs a short message and sends it directly to the user identification card.
  • the packet header of the short message carries an identifier bit: when the identifier bit is a first value, it indicates that the short message is a special short message sent to the user identification card; when it is a second value, it indicates a normal short message for the short message processing module of the communication device. The first value and the second value are different.
  • the special short message is stored by the user identification card, and the storage record of the short message exists only in the user identification card, whereas ordinary short messages may be stored in other storage media of the communication device.
  • the application identifier (AID) of a service application that has access to the user identification card is stored in a specific storage area of the communication device or on the user identification card.
  • the application identifier of an illegal application or a malicious application is generally not stored in the specific storage area or on the user identification card.
  • the specific storage area of the communication device or the user identification card holds an AID list, which may be stored in encrypted form, recording the applications that can access the user identification card; the AID of a malicious application, an illegal application, or any other legitimate application without permission is not written into it.
  • the AID list can be used to determine whether the service application currently requesting access to the user identification card has the right to access the user identification card.
  • the business application may be an application that can provide various business services, such as a payment application that can perform online payment, a shopping application that can make a purchase, a social application that can be socialized, and the like.
  • the access control middleware only sends the short message read on the user identification card to the authorized application.
  • because the verification information is stored as the content of a short message on the user identification card, it is obviously harder for an illegal application to steal than a short message stored directly in the short message processing module of the communication device, thereby reducing the risk of the verification information being stolen and increasing its security.
  • the verification information may include: a payment verification code for payment verification, an unlock verification code that can be used to unlock a certain function or perform an operation.
  • the step S120 may include:
  • the first verification identifier may be a first session identifier of the service application and the service platform
  • the second verification identifier may also be a session identifier sent by the service platform to the user identification card.
  • the identifier may be referred to as a second session identifier
  • the session identifier is usually a session identifier of a session in which the service platform sends a text message.
  • the short message sent by the service platform to the user identification card is requested by the service application, and the session between the service application and the service platform is assigned a verification identifier.
  • when the service platform sends the verification information to the user identification card, it sends the verification identifier of the service application's session together with it; that is, the second verification identifier is sent by the service platform.
  • the verification information and the second verification identifier may be used as the content of one short message sent by the service platform to the user identification card. In some embodiments, the verification information and the second verification identifier may be located in different short messages sent by the service platform.
  • the user identification card then stores the two short messages correspondingly, or extracts the verification information and the second verification identifier and stores them correspondingly.
  • the service application provides a first verification identifier to the access control middleware; the access control middleware further obtains the second verification identifier from the user identification card and matches the first verification identifier against the second verification identifier. If the two are consistent, the service application currently requesting access may be considered to have the right to access the user identification card. In this way, the AID of the business application need not be recorded in advance in a specific storage area or on the user identification card: if the short message carrying the verification information and the second verification identifier was sent to the user identification card for this service application, the service application has the right to access the user identification card temporarily, though that right is limited to the short message on the user identification card.
  • the step S120 may include:
  • the short message corresponding to the matched second verification identifier is transmitted to the service application for use by the business application.
  • the step S120 may include: sending a first verification identifier provided by the service application to the user identification card, where the first verification identifier is used by the user identification card to match against the second verification identifier, and the second verification identifier corresponds to the short message stored on the user identification card;
  • the step S130 may include: receiving the short message sent by the user identity card when the first check identifier and the second check identifier match.
  • the first verification identifier and the second verification identifier may be any information having a verification function.
  • the first verification identifier may be a first session identifier, and the second verification identifier may be a second session identifier.
  • the matching of the first session identifier and the second session identifier may be performed by the user identification card; only when the first session identifier and the second session identifier match does the user identification card pass the short message to the access control middleware, which transmits it to the business application.
  • the short message further carries time-validity information.
  • after receiving the short message, the user identification card parses its content and saves the valid time range indicated by the time-validity information. If the short message exceeds the valid time range, it is deleted or invalidated, the storage resource holding it is released, and other information may be stored there so that the content of the short message is overwritten.
  • the method further includes:
  • the user identification card is provided with a storage queue for short messages, which may be a First In First Out (FIFO) queue, so that if the number of short messages stored in the user identification card exceeds the queue length, the short message that entered the queue first is discarded, thus solving the problem of insufficient storage space on the user identification card.
  • in order to reduce leakage of the short message during transmission, the short message is encrypted for transmission, usually end to end, so that intermediate forwarding nodes can forward the data packet directly without parsing the short message. This further improves the security of the verification information in the short message.
  • the access control middleware further receives the short message identifier from the service application; in step S120, the short message is requested from the user identity card according to the short message identifier.
  • the short message identifier may be an identifier that is specifically assigned by the service platform to identify a short message that is sent to the user identification card.
  • the short message identifier may be the session identifier of the service application's session with the service platform. In this case the session identifier is reused once more, and no special short message identifier needs to be allocated. If the service platform generates a special short message identifier instead, it must send that identifier separately to both the user identification card and the service application.
  • the first check code and the second check code (the first and second verification identifiers) are both session identifiers, and the short message identifier is also a session identifier.
  • the service application on the device submits a read request for the short message to the access control middleware, carrying the session identifier of its session with the service platform; the access control middleware sends the session identifier to the user identification card; after receiving it, the user identification card matches it against the session identifier stored with the short message. If the match succeeds, the short message is sent to the access control middleware, which forwards it to the corresponding application.
  • when the user identification card matches the session identifier, it is on the one hand determining whether the service application on the device has the right to access the user identification card, and on the other hand locating the short message the current service application wants to access, so one operation serves several functions. If the session identifier does not match, the user identification card may return an access-denied or access-failure message to the service application through the access control middleware. A malicious application would therefore need not only to obtain the short message stored on the user identification card but also the session identifier corresponding to it, which obviously increases the difficulty for the malicious application to obtain the verification information and improves the security of the verification information.
  • this embodiment provides a verification information processing method, including:
  • Step S210 The service application sends an acquisition request of the verification information to the service platform.
  • Step S220 The service application sends a read request to the access control middleware
  • Step S230 The service application receives the short message that the access control middleware reads from the user identification card based on the read request, where the short message carries the verification information and was sent by the service platform to the user identification card based on the acquisition request.
  • the method provided in this embodiment is applied to a service application. If the service application needs verification information, for example for a function that, based on a user operation, requires verification information to be checked, it automatically sends the acquisition request to the corresponding service platform on the network side, and the request triggers the service platform to send a short message carrying the verification information.
  • the short message is not sent to the ordinary short message processing module of the communication device; instead it carries a special identifier indicating that it is sent to the user identification card in the communication device.
  • the communication device can determine that the short message is addressed to the user identification card by reading the identifier in the packet header of the short message, and hands it directly to the user identification card for storage, instead of forwarding it to the SMS application for processing as a normal short message.
  • the service application therefore needs to read the short message from the user identification card.
  • the short message carrying the verification information must be read from the user identification card through the access control middleware.
  • the access control middleware sends the short message in the user identification card to the service application only after verifying that the service application has the access right, which reduces the probability that the verification information in the short message is stolen by an illegal application and thereby improves the security of the verification information.
  • the method further includes:
  • the step S220 may include:
  • the read request is sent to the access control middleware.
  • the service application may begin sending a read request to the access control middleware after transmitting the acquisition request.
  • to reduce the case where the service platform has not yet sent the short message, so that the access control middleware cannot successfully read it from the user identification card based on the read request, the service application may also receive a sending notification from the service platform and request the access control middleware to access the short message on the user identification card only after receiving the sending notification. This reduces the probability that an authorized service application fails to obtain the short message or cannot access the card.
  • the read request carries an application identifier of the service application and/or a first session identifier that is in a session with the service platform;
  • the application identifier and/or the session identifier are used by the access control middleware to determine whether the service application has permission to access the user identity card.
  • the service application may obtain a first verification identifier; for example, the first verification identifier may be generated by the service platform and carried in the sending notification sent to the service application, serving as a check code for access control of the short message stored on the user identification card.
  • the first check code may be identification information that is known by some service applications, for example, a first session identifier of the service application in a session with the service platform, and the like.
  • the application identifier is identifier information that is known by the application after being installed and installed on the communication device, and can be used for the access control middleware to identify the access authority of the service application.
  • the service platform does not need to send the verification identifier to the service application.
  • the service application obtains the session identifier when it establishes the session with the service platform; when it subsequently requests access to the short message on the user identification card, it directly reads the locally stored session identifier and carries it in the read request.
  • the service platform thus does not need to generate a separate verification identifier for the permission check, but reuses the session identifier, putting one piece of information to multiple uses; this simplifies the operation of the service platform and makes the information more versatile.
  • this embodiment provides a verification information processing method, including:
  • Step S310 The service platform receives an acquisition request of the verification information sent by the service application.
  • Step S320 The service platform sends, according to the acquisition request, a short message carrying the verification information to the user identification card of the designated device.
  • the verification information processing method provided in this embodiment may be applied to a service platform.
  • the service platform receives the acquisition request sent by the service application, generates a verification code according to the acquisition request, and generates a short message based on the verification code.
  • the short message is sent to the user identification card of the communication device on which the service application is installed, so the service platform constructs a special short message carrying the verification information.
  • a special short message can be distinguished from a normal short message by the identifier in the packet header of the short message. For example, if the identifier is the first value it is a special short message, and if it is the second value it is a normal short message. In this way it becomes more difficult for an illegal application to read the verification information, thereby improving the security of the verification information.
  • the designated device may be a communication device installed for the service application, or may be another electronic device.
  • device A requests authentication information from the service platform, and the service platform sends a text message to the user identification card of device B.
  • a user's mobile phone and a computer run a social account at the same time, and the user operates the computer to request verification information, and the short message carrying the verification information is finally sent to the user identification card of the mobile phone bound to the social account.
  • the application running on the social account can read the verification information in the short message from the user identification card of the mobile phone.
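The exchange the embodiments describe (steps S110-S130 in the middleware, S210-S230 in the service application, S310-S320 on the platform) can be modelled end to end, together with the card-side FIFO queue and time-validity rule. The following Python model is an added example written for this page; it is not code from the patent or from the assignee, and the class names, the concrete header identifier values, the AID strings and the session identifier format are assumptions. It follows the variant in which the session identifier is reused as both the second verification identifier stored with the short message and the short message identifier in the read request, and it requires both the AID-list check and the session identifier match (the page also allows the session match alone to grant temporary access).

```python
import secrets
from collections import deque

# Header identifier bit: the page only says "first value" / "second value",
# so the concrete values below are assumed for this example.
SPECIAL_SMS = 1  # deliver to the user identification card
NORMAL_SMS = 0   # deliver to the ordinary short message processing module


class UserIdentificationCard:
    """Card-side store: bounded FIFO queue of special SMS, each with its
    session identifier (second verification identifier) and validity deadline."""

    def __init__(self, clock, capacity=4):
        self.clock = clock                   # injectable so expiry is testable
        self.queue = deque(maxlen=capacity)  # oldest entry dropped when full

    def store(self, sms):
        self.queue.append(sms)

    def read(self, session_id):
        """Return the message whose session identifier matches, else None."""
        now = self.clock()
        for sms in list(self.queue):         # purge expired entries first so an
            if now > sms["expires_at"]:      # out-of-date code is never released
                self.queue.remove(sms)
        for sms in self.queue:
            if secrets.compare_digest(sms["session_id"], session_id):
                return sms
        return None


class CommunicationDevice:
    """Routes each incoming short message by the identifier bit in its header."""

    def __init__(self, card):
        self.card = card
        self.sms_inbox = []  # ordinary SMS processing module, open to every app

    def deliver(self, sms):
        if sms["header_flag"] == SPECIAL_SMS:
            self.card.store(sms)
        else:
            self.sms_inbox.append(sms)


class ServicePlatform:
    """Network side: owns sessions and issues verification codes as special SMS."""

    def __init__(self, device, clock, validity_seconds=300):
        self.device, self.clock, self.validity = device, clock, validity_seconds
        self.sessions = {}  # session identifier -> AID that opened the session

    def open_session(self, aid):
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = aid
        return session_id

    def handle_acquisition_request(self, session_id):
        """Steps S310/S320: build the special short message and send it to the card."""
        if session_id not in self.sessions:
            raise PermissionError("unknown session")
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.device.deliver({
            "header_flag": SPECIAL_SMS,
            "session_id": session_id,  # reused as the second verification identifier
            "code": code,
            "expires_at": self.clock() + self.validity,
        })
        return code  # the platform keeps this to check the user's later input


class AccessControlMiddleware:
    """Device-side gate between service applications and the card (S110-S130)."""

    def __init__(self, card, aid_list):
        self.card = card
        self.aid_list = set(aid_list)

    def read_request(self, aid, session_id):
        if aid not in self.aid_list:       # S110: AID-list permission check
            return None
        return self.card.read(session_id)  # S120: card matches first vs second identifier


def run_demo(clock):
    """Full exchange: the listed app with the right session reads the code; others get None."""
    card = UserIdentificationCard(clock)
    device = CommunicationDevice(card)
    platform = ServicePlatform(device, clock)
    middleware = AccessControlMiddleware(card, aid_list={"com.example.pay"})
    sid = platform.open_session("com.example.pay")   # session yields the first identifier
    code = platform.handle_acquisition_request(sid)   # S210 / S310 / S320
    legit = middleware.read_request("com.example.pay", sid)          # S220 / S230
    bad_aid = middleware.read_request("com.example.other", sid)      # AID not listed
    bad_sid = middleware.read_request("com.example.pay", "0" * 16)   # identifier mismatch
    return {
        "issued": code,
        "read_by_app": legit["code"] if legit else None,
        "bad_aid": bad_aid,
        "bad_sid": bad_sid,
        "inbox_empty": device.sms_inbox == [],  # special SMS never hit the open inbox
    }
```

Calling `run_demo(time.time)` walks through one acquisition: only the listed AID presenting the matching session identifier gets the code back, the special short message never appears in the open inbox, and a message whose validity window has passed is purged before any read. The injected clock exists so the expiry and FIFO behaviour can be exercised without waiting; the session identifier comparison uses a constant-time compare, since it is the only secret the read request carries.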
  • the method further includes:
  • the sending notification is used to notify the service application that the verification information has been sent or that the short message carrying the verification information has been sent.
  • the service application reads the corresponding short message from the user identification card of the communication device in which the service application is installed.
  • the sending notification may further carry a first verification identifier used to check whether the service application has the right to read the short message, where the first verification identifier may be the first session identifier, but is not limited to a session identifier.
  • the method further includes:
  • the service platform sends a second verification identifier to the user identification card, where the second verification identifier is used alone or in combination with an application identifier of the service application to verify whether the service application has the right to read the short message from the user identification card.
  • the user identification card may provide the second verification identifier to the access control middleware, and the matching between the first verification identifier and the second verification identifier may be performed by the access control middleware itself or by the user identification card, thereby determining whether the service application has the right to read the short message carrying the verification information from the user identification card and improving the security of the verification information again.
  • the second verification identifier is a session identifier of the session between the service platform and the service application.
  • the embodiment provides a communication device, where the communication device runs an access control middleware, and the access control middleware includes:
  • the determining unit 110 is configured to determine whether the service application has permission to access the user identification card;
  • the reading unit 120 is configured to: when the service application has the right to access the user identification card, read the short message from the user identification card, where the short message includes the verification information;
  • the transmitting unit 130 is configured to transmit the short message to the service application.
  • the determining unit 110 and the reading unit 120 may correspond to a processor in the communication device, and the processor implements the above operations by executing the code of the access control middleware.
  • the transmission unit 130 may correspond to a communication bus or the like within the device, and may implement data interaction between different parts within the device.
  • one or more applications may be installed in the communication device, for example, application 1, application 2, application 3, etc.; the service application may be one of the applications installed in the communication device.
  • Each application can interact with the access control middleware via a bus within the communication device to complete the transmission of the short message between the user identification card and the service application.
  • the user identification card can be a separate card that can be separated from the communication device.
  • the user identification card can be an electronic virtual identity card (eSIM) card.
  • the eSIM card is integrated on the chip of the electronic device itself, for example, integrated on the motherboard of the mobile phone.
  • the eSIM card is also assigned its own storage area, which can store short messages and/or applications.
  • the determining unit 110 is configured to determine, according to the application identifier of the service application, whether the service application is authorized to access the user identity card.
  • the determining unit 110 is further configured to match the first verification identifier provided by the service application with the second verification identifier provided by the user identification card, and to determine, according to the result of the matching, whether the service application has permission to access the user identification card, where the second verification identifier corresponds to the short message stored on the user identification card.
  • the determining unit 110 may be further configured to send the first verification identifier provided by the service application to the user identification card, where the first verification identifier is used by the user identification card for matching with the second verification identifier, and the second verification identifier corresponds to the short message stored on the user identification card; the reading unit 120 is specifically configured to receive the short message sent by the user identification card when the first verification identifier and the second verification identifier match.
  • the first verification identifier is a first session identifier used by the service application for its session with the service platform, and the second verification identifier is a second session identifier sent by the service platform to the user identification card.
  • the embodiment provides a communication device, where the communication device is installed with a service application, and the service application includes:
  • the first sending unit 210 is configured to send an acquisition request of the verification information to the service platform;
  • the second sending unit 220 is configured to send a read request to the access control middleware;
  • the first receiving unit 230 is configured to receive a short message that is read by the access control middleware from the user identification card according to the read request, where the short message carries verification information and is sent by the service platform to the user identification card on the basis of the acquisition request.
  • the first sending unit 210 may correspond to an external communication interface of the device, for example, a network interface or a transceiver antenna, etc., and may be used to send the acquisition request to a service platform located on the network side.
  • the second sending unit 220 and the first receiving unit 230 may correspond to an internal communication interface within the device, for example, an interface connected to the integrated circuit bus, and may be used to communicate with other components or applications within the device, thereby sending a read request and/or receiving a text message.
  • the second receiving unit may be configured to receive a sending notification that is returned after the service platform sends the short message carrying the verification information, where the second sending unit is configured to send the read request to the access control middleware after the sending notification is received.
  • the read request carries an application identifier of the service application and/or a first verification identifier of the session with the service platform, where the application identifier and/or the first verification identifier is used by the access control middleware to determine whether the service application has permission to access the user identification card.
  • the first verification identifier is a first session identifier of the service application that performs a session with the service platform.
  • the embodiment further provides a service platform, including:
  • the second receiving unit 310 is configured to receive an acquisition request of the verification information sent by the service application.
  • the third sending unit 320 is configured to send, according to the acquisition request, a short message carrying the verification information to the user identification card of the device where the service application is located.
  • the second receiving unit 310 and the third sending unit 320 may each correspond to a communication interface, and may be used to receive the acquisition request sent by the service application and to send a short message to the user identification card of the device where the service application is located.
  • the third sending unit 320 is further configured to send, to the service application, a sending notification that the short message has been sent.
  • the third sending unit 320 is further configured to send the second verification identifier to the user identification card, where the second verification identifier is used alone or in combination with an application identifier of the service application to verify whether the service application has permission to read the short message from the user identification card.
  • the second verification identifier is a session identifier of the session between the service platform and the service application.
  • the embodiment of the present application provides a communication device, including: a transceiver 410, a memory 420, a processor 430, and a computer program stored on the memory 420 and executed by the processor 430;
  • the processor 430 is connected to the transceiver 410 and the memory 420, respectively, for example, to the network interface and the memory 420 via the integrated circuit bus (IIC).
  • the processor 430 is configured to execute, by running the computer program, the verification information processing method provided by one or more of the foregoing technical solutions, for example, the verification information processing method executed by the access control middleware, the verification information processing method executed by the service application, or the verification information processing method executed by the service platform.
  • the transceiver 410 can be any type of interface that can be used for communication, such as a cable interface or a fiber optic cable interface.
  • the memory 420 may be a storage device including a storage medium in the communication device, and may be a random access memory, a read only memory, a storage hard disk, or the like.
  • the processor 430 can be various types of processors, central processing units, microprocessors, application processors, programmable arrays or application specific integrated circuits, and the like.
  • the communication device can be a terminal or a service server of the service platform.
  • when the communication device is a terminal device that interacts with the service platform, the communication device is provided with an installation slot for the user identification card, in which the user identification card can be installed; the processor has a line connected to the installation slot, so that a connection can be established with the user identification card by contact or the like and data can be exchanged.
  • an eSIM card is integrated on the chip of the communication device itself.
  • the embodiment of the present application provides a computer storage medium, where the computer storage medium stores a computer program; after the computer program is executed by the processor, the verification information processing method provided by one or more of the foregoing technical solutions can be implemented, for example, the verification information processing method executed by the access control middleware, the verification information processing method executed by the service application, or the verification information processing method executed by the service platform.
  • the computer storage medium may be a mobile storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
  • the computer storage medium is preferably a non-transitory storage medium, or a non-volatile storage medium.
  • the verification message here can be a text message carrying verification information.
  • the method may specifically include the following parts.
  • the service platform can use the operator's existing SIM card management platform, Trusted Service Management (TSM), to set control rules in the SIM card, so that only the mobile device applications allowed by the rules (the "business application" in Figure 1) can access the application on the SIM card (the "SIM card application" in Figure 1).
  • in the second part, the application on the device applies to the service platform for the dynamic short message code using identification information such as the mobile phone number.
  • the service application is installed on the device, instead of being installed on the SIM card.
  • after receiving the application, the service platform generates the SMS verification code and the Session ID. (Note: the Session ID can be used to support concurrent access by the same user and can also prevent malicious attacks. If the service platform does not support this function, the Session ID field does not appear in the subsequent process.)
  • the service platform sends a text message to the specified mobile phone number, which is a special short message and is directly sent to the SIM card of the device where the mobile phone number is located.
  • after receiving the short message, the application on the SIM card reads the SMS verification code and the Session ID content and saves it;
  • after receiving the response that the short message was successfully received, the service platform notifies the application on the device that the short message has been successfully sent;
  • the application on the device requests the API(s) to read the short message content (the request includes the application AID and the Session ID);
  • API(s) verifies whether the application on the device has permission to access the application on the SIM card of the specified AID;
  • the device API(s) first selects the specified application on the SIM card;
  • the device API(s) sends a short message content read request to the application on the SIM card;
  • the application on the SIM card returns the short message content according to the Session ID, and the API(s) returns the text message content to the application on the device;
  • after the application on the device obtains the content of the short message, the user manually or automatically fills in the dynamic short message code;
  • the application sends the dynamic short message code to the service platform for verification.
  • the service platform verifies the content of the short message
  • if the verification succeeds, a successful verification response is returned and the user can perform subsequent operations.
  • the mobile phone number may be identification information of the communication device that receives the short message, and in a specific implementation the mobile phone number may be replaced by a network protocol (IP) address or an international mobile device identifier of the communication device.
  • if the user's SIM card receives a text message of unknown origin, it will not affect the user's own business (Session ID protection).
  • the problem of the existing short message verification code can be avoided.
  • if the Session ID function is supported, the SMS content needs to be saved for each Session ID (because of the capacity limit, a maximum number of saved SMS messages can be set; if it is exceeded, the earliest received SMS content is discarded on a first-in first-out basis), and the corresponding SMS verification code is returned according to the Session ID included in the request.
  • if the Session ID function is not supported, only the received SMS content needs to be saved; newly received SMS content overwrites the previous content to ensure the timeliness of the SMS.
  • the example provides a method for transmitting authentication information, including:
  • the service platform generates a short message verification code and a session identifier
  • the service platform sends the SMS verification code and the session identifier to the application on the SIM card; the application on the SIM card is installed and runs on the SIM card;
  • the application saves the SMS verification code and the session identifier on the SIM card
  • the service platform returns a response, for example, a response sent to the application on the device on the basis of the session identifier; the response may be a sending notification informing the application on the device that the SMS verification code has been sent.
  • the application on the device sends a read short message request to the API(s), where the request carries the AID and the session identifier.
  • the API(s) sends a read short message request to the selected application on the SIM card, where the request carries the session identifier provided by the application on the device;
  • the application on the SIM card queries the short message according to the session identifier
  • API(s) forwards the short message content to the application on the device
  • the application on the device fills in the content of the short message (ie, the short message verification code) into the corresponding location;
  • the service platform checks the short message verification code after receiving the verification request that carries the session identifier and the short message content sent by the application on the device;
  • the service platform returns the verification result to the application on the device.
  • the disclosed apparatus and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner, for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the coupling, direct coupling, or communication connection between the components shown or discussed may be an indirect coupling or communication connection through some interfaces, devices, or units, and may be electrical, mechanical, or in other forms.
  • the units described above as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing module, or each unit may be separately used as one unit, or two or more units may be integrated into one unit;
  • the unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
  • the foregoing program may be stored in a computer readable storage medium, and when the program is executed, it performs the steps of the above method embodiments; the foregoing storage medium includes: a mobile storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
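The dynamic short message code flow of the method embodiments above (the service platform generates a code and a Session ID, the special SMS is stored by the application on the SIM card, the access control middleware checks the AID, and the SMS is read by Session ID with a first-in first-out capacity limit, or by overwrite when Session IDs are not supported), as an added Python simulation that is not the patent's code. The AID values, the header-flag encoding and the class names are assumptions made for the example.

```python
import secrets
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

SPECIAL_SMS = 1  # "first value" of the header identifier: routed straight to the SIM application
NORMAL_SMS = 2   # "second value": ordinary short message for the phone's SMS store


@dataclass
class ShortMessage:
    header_flag: int   # identifier in the packet header (constructed encoding)
    session_id: str    # Session ID generated by the service platform
    code: str          # SMS verification code


class SimCardApplication:
    """Application on the SIM card: keeps special SMS keyed by Session ID."""

    def __init__(self, allowed_aids: Iterable[str], max_saved: int = 3,
                 session_supported: bool = True) -> None:
        self.allowed_aids = set(allowed_aids)   # control rule installed through TSM (assumed form)
        self.max_saved = max_saved              # capacity limit for saved messages
        self.session_supported = session_supported
        self._by_session: "OrderedDict[str, str]" = OrderedDict()
        self._latest: Optional[str] = None      # used when Session IDs are unsupported

    def receive(self, sms: ShortMessage) -> bool:
        """Store an incoming message; normal SMS is not handled by the applet."""
        if sms.header_flag != SPECIAL_SMS:
            return False
        if not self.session_supported:
            self._latest = sms.code               # newest content overwrites the old
            return True
        self._by_session.pop(sms.session_id, None)
        if len(self._by_session) >= self.max_saved:
            self._by_session.popitem(last=False)  # first in, first out
        self._by_session[sms.session_id] = sms.code
        return True

    def read(self, session_id: str) -> Optional[str]:
        if not self.session_supported:
            return self._latest
        return self._by_session.get(session_id)


class AccessControlMiddleware:
    """Middleware in the device API: AID check first, then the read on the SIM."""

    def __init__(self, sim: SimCardApplication) -> None:
        self.sim = sim

    def read_sms(self, aid: str, session_id: str) -> str:
        if aid not in self.sim.allowed_aids:
            raise PermissionError("application %s may not access the SIM application" % aid)
        code = self.sim.read(session_id)
        if code is None:
            raise LookupError("no short message matches this Session ID")
        return code


class ServicePlatform:
    """Generates the code and Session ID, sends the special SMS, verifies later."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}

    def request_code(self, sim: SimCardApplication) -> Optional[str]:
        code = "%06d" % secrets.randbelow(10 ** 6)
        session_id = secrets.token_hex(8)
        self._pending[session_id] = code
        if not sim.receive(ShortMessage(SPECIAL_SMS, session_id, code)):
            return None
        return session_id   # handed to the device application in the sending notification

    def verify(self, session_id: str, code: str) -> bool:
        expected = self._pending.pop(session_id, None)   # a code is checked once only
        return expected is not None and secrets.compare_digest(expected, code)


def run_flow(aid: str, sim: SimCardApplication, platform: ServicePlatform) -> bool:
    """Whole exchange: request, SIM delivery, permitted read, verification."""
    middleware = AccessControlMiddleware(sim)
    session_id = platform.request_code(sim)
    if session_id is None:
        return False
    code = middleware.read_sms(aid, session_id)
    return platform.verify(session_id, code)


if __name__ == "__main__":
    # "A000000001" is a constructed placeholder AID, not a real registered one
    print(run_flow("A000000001", SimCardApplication({"A000000001"}), ServicePlatform()))
```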


Abstract

Disclosed are a verification information processing method, a communication device, a service platform, and a storage medium. The verification information processing method comprises: determining whether a service application has a permission of accessing a subscriber identity module; if the service application has the permission of accessing the subscriber identity module, reading an SMS message from the subscriber identity module, wherein the SMS message comprises verification information; and transmitting the SMS message to the service application.

Description

Verification information processing method, communication device, service platform, and storage medium
Cross-reference to related applications
The present application is filed on the basis of, and claims priority to, Chinese Patent Application No. 201810013801.X filed on January 8, 2018, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communications technologies, but is not limited to the field of communications technologies, and in particular, to a verification information processing method, a communication device, a service platform, and a storage medium.
Background
Verification by short message is a common security measure in many services. For example, in a third-party payment service, before a payment is confirmed the banking system may be requested to send a short message carrying a short message verification code; the verification code is entered into the verification interface and sent to the banking system. After receiving it, the banking system determines whether it is the verification code it issued, and if so, may perform the payment operation.
Although short message verification improves the security of executing certain service functions, a problem may still exist: if a malicious application (such as malicious code like a Trojan) is installed on the communication device that receives the short message, the malicious application can read the short message and forward it to an illegal user or device, which leads to leakage of the verification code and may make the execution of service operations such as payment insecure.
Summary of the invention
The embodiments of the present application are intended to provide a verification information processing method, a communication device, and a storage medium.
The technical solution of the present application is implemented as follows:
In a first aspect, an embodiment of the present application provides a verification information processing method, including:
determining whether the service application has permission to access the user identification card;
when the service application has permission to access the user identification card, reading a short message from the user identification card, where the short message includes verification information;
transmitting the short message to the service application.
In a second aspect, an embodiment of the present application provides a verification information processing method, including:
sending an acquisition request for verification information to the service platform;
sending a read request to the access control middleware;
receiving a short message that is read by the access control middleware from the user identification card on the basis of the read request, where the short message carries verification information and is sent by the service platform to the user identification card on the basis of the acquisition request.
In a third aspect, an embodiment of the present application provides a verification information processing method, including:
receiving an acquisition request for verification information sent by the service application;
sending, according to the acquisition request, a short message carrying the verification information to the user identification card of the designated device.
In a fourth aspect, an embodiment of the present application provides a communication device, where the communication device runs an access control middleware, and the access control middleware includes:
a determining unit, configured to determine whether the service application has permission to access the user identification card;
a reading unit, configured to read a short message from the user identification card when the service application has permission to access the user identification card, where the short message includes verification information;
a transmission unit, configured to transmit the short message to the service application.
In a fifth aspect, an embodiment of the present application provides a communication device, where the communication device is installed with a service application, and the service application includes:
a first sending unit, configured to send an acquisition request for verification information to the service platform;
a second sending unit, configured to send a read request to the access control middleware;
a first receiving unit, configured to receive a short message that is read by the access control middleware from the user identification card on the basis of the read request, where the short message carries verification information and is sent by the service platform to the user identification card on the basis of the acquisition request.
In a sixth aspect, an embodiment of the present application provides a service platform, including:
a second receiving unit, configured to receive an acquisition request for verification information sent by the service application;
a third sending unit, configured to send, according to the acquisition request, a short message carrying the verification information to the user identification card of the designated device.
In a seventh aspect, an embodiment of the present application provides a communication device, including: a transceiver, a memory, a processor, and a computer program stored on the memory and executed by the processor;
the processor is connected to the transceiver and the memory, respectively, and is configured to implement, by executing the computer program, the verification information processing method provided by one or more of the foregoing technical solutions.
In an eighth aspect, an embodiment of the present application provides a computer storage medium, where the computer storage medium stores a computer program; after the computer program is executed, the verification information processing method provided by one or more of the foregoing technical solutions can be implemented.
The embodiments of the present application provide a verification information processing method, a communication device, a service platform, and a storage medium. The service platform no longer sends the short message carrying the verification information to the short message processing module of the communication device, but sends it directly to the user identification card; if a service application on the device needs to read the short message on the user identification card, it must pass a permission check before it can read the short message from the user identification card. This clearly increases the difficulty for malicious applications such as Trojan programs to read the verification information, and improves the security of the verification information.
Description of the drawings
FIG. 1 is a schematic architectural diagram of a system for processing verification information according to an embodiment of the present application;
FIG. 2 is a schematic flowchart of a first verification information processing method according to an embodiment of the present application;
FIG. 3 is a schematic flowchart of a second verification information processing method according to an embodiment of the present application;
FIG. 4 is a schematic flowchart of a third verification information processing method according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a communication device according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of another communication device according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a service platform according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of still another communication device according to an embodiment of the present application;
FIG. 9 is a schematic flowchart of a fourth verification information processing method according to an embodiment of the present application.
Detailed description
The technical solutions of the present application are further described in detail below with reference to the drawings and specific embodiments.
To ensure the security of verification information and reduce the chance of a malicious application stealing the verification information carried in a short message, in the embodiments of the present application a short message carrying verification information is sent directly to the user identification card and is stored by the user identification card. An application that needs to access the user identification card, or to read a short message carrying verification information from it, must first pass a permission check; only an application that passes the check can read the corresponding short message and obtain the verification information. Compared with storing the short message in the short message application, or in a short message processing module that is open to all applications, this improves the security of the verification information. In view of this, as shown in FIG. 1, this embodiment first provides a system architecture for processing short messages that carry verification information. The architecture includes a service platform that sends the short message to the user identification card, and a service application that triggers the service platform to send it. An Application Programming Interface (API) is also provided in the device. Access control middleware sits on this API and can authenticate the permissions of the service application by, among other means, exchanging information with the user identification card. FIG. 1 may also include a mobile device, in which case the verification information needs to be written to another device. The communication device in the embodiments of the present application may be a mobile phone, a tablet computer, a wearable device, an in-vehicle device, an Internet of Things terminal, or any other device capable of network communication. The user identification card in FIG. 1 is also configured with an access control application, which exchanges data with the access control middleware in the API, for example exchanging short messages according to a pre-configured control rule. The control rule may be delivered by the access control application to the access control middleware, and the access control middleware then controls the service application's access to the user identification card according to that rule, for example by checking whether the service application has permission to access the user identification card or the short messages on it. The control rule may further include access control information, such as the application identifiers of the applications that are allowed to access the application on the user identification card.
The user identification card, which may also be called a smart card, may be any card carrying user identity information, for example a Subscriber Identity Module (SIM), a User Identity Module (UIM), a Universal Subscriber Identity Module (USIM), a nano-SIM card, or a micro SIM card. The USIM is an upgraded version of the SIM. The nano-SIM card, also called the fourth form factor integrated circuit card, is a new generation of SIM that is smaller in area than the micro-SIM card currently in use. The micro SIM card is another upgraded version of the SIM and is smaller than an ordinary SIM card.
Depending on the form of the card, the user identification card may be an independent SIM card that is detachable from the mobile terminal, or an eSIM card that is integrated into the circuit chip of the mobile device.
As shown in FIG. 2, this embodiment provides a verification information processing method, including:
Step S110: determining whether the service application has permission to access the user identification card;
Step S120: when the service application has permission to access the user identification card, reading a short message from the user identification card, where the short message contains verification information;
Step S130: transmitting the short message to the service application.
The verification information processing method provided in this embodiment may be applied in access control middleware within a communication device; the access control middleware may be part of an API installed in the device.
In this embodiment, the short message carrying the verification information is delivered directly to the user identification card.
For example, the communication device sends an acquisition request for verification information to the service platform; after receiving the acquisition request, the service platform constructs a short message that is sent directly to the user identification card. For example, the packet header of the short message carries an identifier bit: when the identifier bit has a first value, the short message is a special short message addressed to the user identification card; when the identifier bit has a second value, the short message is an ordinary short message addressed to the short message processing module of the communication device. The first value and the second value differ. A special short message is stored by the user identification card, and the only stored record of it is on the user identification card. An ordinary short message may be stored in other storage media of the communication device.
Various applications are also installed in the communication device. When such an application needs to access the user identification card, it must first be authenticated to establish whether it has permission to access the user identification card.
Typically, a specific storage area of the communication device, or the user identification card itself, stores the application identifiers (Application IDentity, AID) of the service applications that have permission to access the user identification card, whereas the application identifier of an illegitimate or malicious application is not stored in that storage area or on the user identification card. For example, the user identification card or a specific storage area in the communication device holds, in encrypted form, a list of the AIDs of applications that may access the user identification card; the AID of a malicious application, an illegitimate application, or a legitimate application without permission is not written into this list, so a lookup in the AID list determines whether the service application currently requesting access has permission to access the user identification card.
The service application may be any application that provides a service, for example a payment application for online payment, a shopping application for purchases, or a social application for social networking.
In this embodiment, the access control middleware only sends short messages read from the user identification card to applications that have permission. Consequently, if the verification information is stored on the user identification card as the content of a short message, it is clearly much harder for an illegitimate application to steal it than when it is stored directly in the short message processing module of the communication device; the risk of the verification information being stolen is reduced and its security improved. The verification information may include a payment verification code used to verify a payment, or an unlock verification code used to unlock a function or perform an operation.
There are many ways to determine whether the service application has permission to access the user identification card. Several options are given below:
Option 1:
Step S120 may include:
determining, according to the application identifier of the service application, whether the service application has permission to access the user identification card.
Option 2:
Step S120 may include:
matching a first check identifier provided by the service application against a second check identifier provided by the user identification card;
determining, according to the result of the matching, whether the service application has permission to access the user identification card, where the second check identifier corresponds to the short message stored on the user identification card.
The first check identifier may be a first session identifier of the session between the service application and the service platform, and the second check identifier may likewise be a session identifier that the service platform sends to the user identification card, which may be called a second session identifier; it is usually the identifier of the session that caused the service platform to send the short message.
The short message that the service platform sends to the user identification card is sent at the request of the service application, and the session between the service application and the service platform has a check identifier assigned to it. When the service platform sends the verification information to the user identification card, it also sends the check identifier of its session with the service application, so the second check identifier originates from the service platform. Both the verification information and the second check identifier may be sent by the service platform to the user identification card as short message content. In some embodiments the verification information and the second check identifier are carried in different short messages from the service platform; if the user identification card receives two short messages from the same service platform, one carrying the verification information and the other the check identifier, it either stores the two short messages in association with each other, or extracts the verification information and the second check identifier and stores them in association.
The service application provides the first check identifier to the access control middleware; the access control middleware also obtains the second check identifier from the user identification card and matches the two. If the first check identifier and the second check identifier are identical, the service application currently requesting access may be regarded as having permission to access the user identification card. In this option, the AID of the service application does not need to be recorded in advance in a specific storage area or on the user identification card. Thus, once a short message carrying the verification information and the second check identifier has been sent to the user identification card for a service application, that service application obtains temporary permission to access the user identification card, although this is a permission to access that particular short message on the user identification card.
Option 3:
Step S120 may include:
determining, according to the application identifier of the service application, whether the service application is among the applications that may access the user identification card;
matching the first session identifier against the second session identifier;
only when the service application may access the user identification card and the first check identifier and the second check identifier are identical is the service application determined to have permission to access the user identification card, and only then is the short message corresponding to the second check identifier transmitted to the service application for its use.
Option 4:
Step S120 may include: sending the first check identifier provided by the service application to the user identification card, where the first check identifier is for the user identification card to match against a second check identifier, and the second check identifier corresponds to the short message stored on the user identification card;
Step S130 may include: receiving the short message that the user identification card sends when the first check identifier and the second check identifier match.
The first check identifier and the second check identifier may be any information with a checking function; as before, the first check identifier may be a first session identifier and the second check identifier a second session identifier.
In this embodiment, the matching of the first session identifier and the second session identifier is performed by the user identification card, and the user identification card transmits the short message to the service application through the access control middleware only when the first session identifier and the second session identifier match.
In some embodiments, the short message also carries validity information. After receiving the short message, the user identification card parses its content and keeps the short message for the validity period indicated by the validity information. Once the validity period has passed, the short message is deleted or marked invalid, the storage resource holding it is released, and other information may be stored there, so that the content of the short message is overwritten.
In some embodiments, the method further includes:
determining whether the current time is within the validity period of the short message that the service application may access on the user identification card; reading the short message from the user identification card only if it is, and otherwise rejecting the service application's request to access the user identification card, thereby ensuring the security of the information on the user identification card.
In some embodiments, the user identification card is provided with a storage queue for short messages, which may be a first-in first-out (FIFO) queue. If the number of short messages stored on the user identification card exceeds the capacity of the queue, the short message that entered the queue first is discarded, which addresses the limited storage space on the user identification card.
In some embodiments, to reduce leakage of the short message in transit, the short message is transmitted in encrypted form, usually with end-to-end encryption, so that intermediate forwarding nodes pass the packets through without parsing them, further improving the security of the verification information in the short message.
In some embodiments, the access control middleware also receives a short message identifier from the service application, and in step S120 the short message is requested from the user identification card according to that short message identifier. The short message identifier may be an identifier that the service platform allocates specifically to identify the short message it sends to the user identification card. In some embodiments, the short message identifier may be the session identifier of the session between the service application and the service platform; the session identifier is then reused and no dedicated short message identifier needs to be allocated. If the service platform generates a dedicated short message identifier, it must send that identifier separately to the user identification card and to the service application. Preferably, the first check identifier and the second check identifier are both session identifiers, and the short message identifier is also a session identifier. In that case the read request that the service application submits to the access control middleware can carry the identifier of its session with the service platform; the access control middleware sends the session identifier to the user identification card, which matches it against the session identifier stored with the short message; if the match succeeds, the short message is sent to the access control middleware, which forwards it to the corresponding application. When the user identification card matches the session identifier it both determines whether the service application on the device has permission to access the user identification card and locates the short message that the service application wants to access, so a single operation serves several purposes. If the session identifier does not match, the user identification card may return an access-denied or access-failed message to the service application through the access control middleware. A malicious application would then need not only the short message stored on the user identification card but also the session identifier corresponding to it, which clearly makes obtaining the verification information harder and improves its security.
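The device side of the scheme described above (the card-side FIFO store with validity periods, and middleware that combines the AID allow-list of Option 1 with the check-identifier match of Options 2 to 4) is modelled below in an added example. This is not the patent's own code: the class and function names, the AID allow-list contents, the session identifiers and the time values are all constructed for illustration.

```python
"""Device-side model of the access control middleware and the user
identification card store. Added example, not the patent's own code: the
class names, the allow-list contents, the session identifiers and the time
values are constructed for illustration."""
import hmac
from collections import deque
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed AID allow-list: service applications permitted to access the
# user identification card (the list the page says is held in encrypted form).
ALLOWED_AIDS = frozenset({"com.example.pay", "com.example.shop"})


@dataclass
class CardMessage:
    """A special short message as stored on the card."""
    second_check_id: str     # session identifier sent by the service platform
    verification_info: str   # e.g. a payment verification code
    expires_at: int          # end of the validity period (seconds)


class UserIdentificationCard:
    """Holds special short messages in a bounded FIFO queue; when the queue
    is full the message that entered first is discarded."""

    def __init__(self, capacity: int = 4) -> None:
        self._queue: deque = deque(maxlen=capacity)

    def store(self, msg: CardMessage) -> None:
        self._queue.append(msg)

    def purge_expired(self, now: int) -> int:
        """Drop messages whose validity period has passed; return how many."""
        before = len(self._queue)
        live = [m for m in self._queue if m.expires_at > now]
        self._queue = deque(live, maxlen=self._queue.maxlen)
        return before - len(live)

    def find(self, first_check_id: str, now: int) -> Optional[CardMessage]:
        """Match the application's first check identifier against the second
        check identifier stored with each live message. The constant-time
        comparison avoids leaking how much of the identifier matched."""
        self.purge_expired(now)
        for msg in self._queue:
            if hmac.compare_digest(msg.second_check_id.encode(),
                                   first_check_id.encode()):
                return msg
        return None


class AccessControlMiddleware:
    """Option 3: the AID must be on the allow-list AND the check identifiers
    must match; the validity period is enforced before the read."""

    def __init__(self, card: UserIdentificationCard, allowed_aids) -> None:
        self.card = card
        self.allowed_aids = frozenset(allowed_aids)

    def read_sms(self, aid: str, first_check_id: str, now: int) -> Tuple[str, str]:
        # Step S110: permission check by application identifier.
        if aid not in self.allowed_aids:
            return ("denied", "application identifier is not authorized")
        # Step S120: locate the message by check identifier, within its validity period.
        msg = self.card.find(first_check_id, now)
        if msg is None:
            return ("denied", "no valid short message matches the check identifier")
        # Step S130: hand the short message content to the service application.
        return ("ok", msg.verification_info)


if __name__ == "__main__":
    card = UserIdentificationCard(capacity=2)
    card.store(CardMessage("sess-001", "483920", expires_at=100))  # constructed
    mw = AccessControlMiddleware(card, ALLOWED_AIDS)
    print(mw.read_sms("com.example.pay", "sess-001", now=10))
    print(mw.read_sms("com.evil.stealer", "sess-001", now=10))
```

An application with an unknown AID is refused before the card is consulted at all, an allowed application with the wrong session identifier is refused by the card, and a message whose validity period has passed is purged so that neither can read it afterwards.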
As shown in FIG. 3, this embodiment provides a verification information processing method, including:
Step S210: the service application sends an acquisition request for verification information to the service platform;
Step S220: the service application sends a read request to the access control middleware;
Step S230: the service application receives the short message that the access control middleware reads from the user identification card based on the read request, where the short message carries the verification information and was sent by the service platform to the user identification card based on the acquisition request.
The method provided in this embodiment is applied in a service application. When the service application needs verification information, for example because a user operation has triggered a function that must be verified with verification information, it automatically sends an acquisition request for verification information to the corresponding service platform on the network side, and the acquisition request causes the service platform to send a short message carrying the verification information. In this embodiment, the short message is not an ordinary short message delivered to the communication device but a special short message delivered directly to the user identification card in the communication device. After receiving the short message, the communication device reads the identifier bit in the packet header, determines that the short message is addressed to the user identification card, and hands it directly to the user identification card for storage instead of forwarding it to the short message application that handles ordinary short messages.
The service application therefore has to read the short message from the user identification card, which it does through the access control middleware. In this embodiment, the access control middleware sends the short message from the user identification card to the service application only after verifying that the service application has access permission, which reduces the probability of the verification information in the short message being stolen by an illegitimate application and so improves the security of the verification information. For how to verify whether the service application has permission to access the user identification card or the short message on it, see the preceding embodiment.
Optionally, the method further includes:
receiving a send notification returned by the service platform after it sends the short message carrying the verification information;
Step S220 may include:
after receiving the send notification, sending the read request to the access control middleware.
In some embodiments, the service application may start sending read requests to the access control middleware as soon as it has sent the acquisition request. In other embodiments, to reduce cases where the access control middleware cannot read the short message from the user identification card for a read request because the service platform has not yet sent it, the service application in this embodiment also receives a send notification from the service platform and requests access to the short message on the user identification card from the access control middleware only after receiving that notification, which lowers the probability that an authorized service application fails to obtain the short message or to access the user identification card.
Optionally, the read request carries the application identifier of the service application and/or the first session identifier of its session with the service platform;
where the application identifier and/or the session identifier are used by the access control middleware to determine whether the service application has permission to access the user identification card.
In some embodiments, to fully ensure the security of the verification information, the service application obtains a first check identifier. For example, the first check identifier may be a check code generated by the service platform and carried in the send notification sent to the service application, dedicated to checking the permission to access the short message stored on the user identification card. In other embodiments, the first check identifier may be identification information already known to the service application, for example the first session identifier of its session with the service platform.
The application identifier is identification information that the application itself knows once it has been developed and installed on the communication device, and it can be used by the access control middleware to check the access permission of the service application.
If the first check identifier is the session identifier of the session between the service application and the service platform, the service platform does not need to send a dedicated check identifier to the service application: the service application obtains the session identifier when it establishes the session with the service platform, and when it later requests access to the short message on the user identification card it simply reads the locally stored session identifier and carries it in the read request. Nor does the service platform need to generate a dedicated check identifier for the permission check; it reuses the session identifier, so that one piece of information serves several purposes, which simplifies the operation of the service platform.
As shown in FIG. 4, this embodiment provides a verification information processing method, including:
Step S310: the service platform receives an acquisition request for verification information sent by the service application;
Step S320: according to the acquisition request, the service platform sends a short message carrying the verification information to the user identification card of a designated device.
The verification information processing method provided in this embodiment may be applied in the service platform. The service platform receives the acquisition request sent by the service application, generates a verification code according to the acquisition request, and generates a short message based on the verification code. Because the short message is to be sent to the user identification card in the communication device where the service application is installed, the service platform constructs a special short message carrying the verification information. A special short message is distinguished from an ordinary short message by an identifier in the packet header of the short message: for example, a first value of the identifier denotes a special short message and a second value an ordinary short message. This makes it harder for an illegitimate application to read the verification information and so improves its security.
The designated device may be the communication device on which the service application is installed, or another electronic device. For example, device A requests verification information from the service platform and the service platform sends the short message to the user identification card of device B. For instance, a user runs the same social account on a mobile phone and a computer, requests verification information from the computer, and the short message carrying the verification information is delivered to the user identification card of the mobile phone bound to that social account; the application running the social account can then read the verification information in the short message from the user identification card of the mobile phone.
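The platform-side flow of steps S310 and S320, together with the header identifier that lets the receiving device route a special short message to the user identification card rather than to the short message application, is modelled below in an added example. It is not the patent's own code: the one-byte header layout, the JSON body, the session identifiers and the code length are constructed assumptions, since the page only specifies that a header identifier takes a first value (special) or a second value (ordinary).

```python
"""Service-platform side and device-side routing of the special short
message. Added example, not the patent's own code: the one-byte header,
the JSON body, the identifiers and the code length are constructed."""
import hmac
import json
import secrets
from typing import Dict, Tuple

FLAG_SPECIAL = 0x80    # constructed "first value": deliver to the user identification card
FLAG_ORDINARY = 0x00   # constructed "second value": deliver to the short message application


def build_short_message(flag: int, body: bytes) -> bytes:
    """Prefix the body with a one-byte header carrying the identifier bit."""
    if flag not in (FLAG_SPECIAL, FLAG_ORDINARY):
        raise ValueError("unknown header flag")
    return bytes([flag]) + body


def parse_short_message(raw: bytes) -> Tuple[str, bytes]:
    """Return the destination ("card" or "sms_app") and the body."""
    if len(raw) < 1:
        raise ValueError("empty short message")
    dest = "card" if raw[0] & FLAG_SPECIAL else "sms_app"
    return dest, raw[1:]


class ServicePlatform:
    """Step S310/S320: receive the acquisition request, generate the code and
    send it in a special short message together with the second check
    identifier (here the session identifier), then return the send notification."""

    def __init__(self, code_length: int = 6, validity_seconds: int = 300) -> None:
        self.code_length = code_length
        self.validity_seconds = validity_seconds
        self._issued: Dict[str, str] = {}   # session id -> code, kept for verification

    def handle_acquisition_request(self, session_id: str, now: int) -> Tuple[bytes, dict]:
        code = "".join(secrets.choice("0123456789") for _ in range(self.code_length))
        self._issued[session_id] = code
        body = json.dumps({"session_id": session_id,       # second check identifier
                           "code": code,                   # verification information
                           "expires_at": now + self.validity_seconds}).encode()
        sms = build_short_message(FLAG_SPECIAL, body)
        # Send notification; the session id doubles as the first check identifier.
        notification = {"status": "sent", "first_check_id": session_id}
        return sms, notification

    def verify_code(self, session_id: str, submitted: str) -> bool:
        """Check the code the service application later submits (constant time)."""
        expected = self._issued.get(session_id)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), submitted.encode())


class CommunicationDevice:
    """Inbound routing: special messages go to the card, ordinary ones to the
    short message application, so the card holds the only record of the code."""

    def __init__(self) -> None:
        self.card_messages = []   # dicts parsed from special messages
        self.sms_app_inbox = []   # text of ordinary messages

    def receive(self, raw: bytes) -> str:
        dest, body = parse_short_message(raw)
        if dest == "card":
            self.card_messages.append(json.loads(body.decode()))
        else:
            self.sms_app_inbox.append(body.decode())
        return dest


if __name__ == "__main__":
    platform = ServicePlatform()
    device = CommunicationDevice()
    sms, note = platform.handle_acquisition_request("sess-001", now=1000)  # constructed
    print(device.receive(sms), note, device.card_messages)
```

The platform keeps the issued code only to verify what the application submits later; it never has to hand the code to the application directly, which is the point of routing it to the card.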
Optionally, the method further includes:
sending the service application a send notification indicating that the short message has been sent.
The send notification tells the service application that the verification information, or the short message carrying it, has been sent. After receiving the send notification, the service application reads the corresponding short message from the user identification card of the communication device it is running on.
In some embodiments, the send notification may also carry a first check identifier for checking the service application's permission to read the short message. The first check identifier may be the first session identifier, but is not limited to a session identifier.
Optionally, the method further includes:
sending a second check identifier to the user identification card, where the second check identifier, alone or combined with the application identifier of the service application, is used to verify whether the service application has permission to read the short message from the user identification card.
The second check identifier is sent to the access control middleware, and the matching of the first check identifier and the second check identifier may be performed by the access control middleware itself or by the user identification card, thereby determining whether the service application has permission to read the short message carrying the verification information from the user identification card and further improving the security of the verification information.
The second check identifier is the session identifier of the session between the service platform and the service application.
As shown in FIG. 5, this embodiment provides a communication device that runs access control middleware, the access control middleware including:
a determining unit 110, configured to determine whether the service application has permission to access the user identification card;
a reading unit 120, configured to read a short message from the user identification card when the service application has permission to access the user identification card, where the short message contains verification information;
a transmission unit 130, configured to transmit the short message to the service application.
The determining unit 110 and the reading unit 120 may correspond to a processor in the communication device, which performs the above operations by executing the code of the access control middleware. The transmission unit 130 may correspond to a communication bus or the like within the device, which carries data exchange between different parts of the device.
As shown in FIG. 5, one or more applications may also be installed in the communication device, for example application 1, application 2, application 3, and so on; the service application may be one of the applications installed in the communication device. Each application exchanges information with the access control middleware over a bus within the communication device, so that the short message can be transferred from the user identification card to the service application.
In some embodiments, the user identification card may be a standalone card that can be detached from the communication device. In other embodiments, the user identification card may be an electronic virtual identity card (eSIM card), which is integrated on a chip of the electronic device itself, for example on the mainboard of a mobile phone. The eSIM card is likewise allocated its own storage area, in which it can store short messages and/or applications.
Optionally, the determining unit 110 may be configured to determine, according to the application identifier of the service application, whether the service application has permission to access the user identification card.
The determining unit 110 may further be configured to match the first check identifier provided by the service application against the second check identifier provided by the user identification card, and to determine, according to the matching result, whether the service application has permission to access the user identification card, where the second check identifier corresponds to the short message stored on the user identification card.
Further, the determining unit 110 may be configured to send the first check identifier provided by the service application to the user identification card, where the first check identifier is for the user identification card to match against a second check identifier, the second check identifier corresponding to the short message stored on the user identification card; the reading unit 120 is then specifically configured to receive the short message sent by the user identification card when the first check identifier and the second check identifier match.
Optionally, the first check identifier is a first session identifier of the session between the service application and the service platform, and the second check identifier is a second session identifier delivered by the service platform to the user identification card.
As shown in FIG. 6, this embodiment provides a communication device on which a service application is installed, the service application including:
a first sending unit 210, configured to send a request for obtaining verification information to the service platform;
a second sending unit 220, configured to send a read request to the access control middleware;
a first receiving unit 230, configured to receive the short message read by the access control middleware from the user identification card based on the read request, where the short message carries verification information and was delivered to the user identification card by the service platform based on the obtaining request.
The first sending unit 210 may correspond to an external communication interface of the device, for example a network interface or a transceiver antenna, and may be used to send the obtaining request to a service platform located on the network side.
The second sending unit 220 and the first receiving unit 230 may correspond to an internal communication interface within the device, for example an interface connected to an inter-integrated circuit bus, which communicates with other components or applications within the device in order to send the read request and/or receive the short message.
Optionally, a second receiving unit, which may correspond to an external communication interface, is further configured to receive the sending notification returned by the service platform after it delivers the short message carrying the verification information; the second sending unit 220 is then specifically configured to send the read request to the access control middleware after the sending notification has been received.
Further, the read request carries the application identifier of the service application and/or a first check identifier of the session with the service platform; the application identifier and/or the first check identifier are used by the access control middleware to determine whether the service application has permission to access the user identification card.
Optionally, the first check identifier is a first session identifier of the session between the service application and the service platform.
As shown in FIG. 7, this embodiment further provides a service platform, including:
a second receiving unit 310, configured to receive a request for obtaining verification information sent by a service application;
a third sending unit 320, configured to send, according to the obtaining request, a short message carrying verification information to the user identification card of the device on which the service application is located.
In this embodiment of the present application, the second receiving unit 310 and the third sending unit 320 may each correspond to a communication interface, used to receive the request sent by the service application and to send the short message to the user identification card of the device on which the service application is located. Optionally, the third sending unit 320 may further be configured to send, to the service application, a sending notification indicating that the short message has been sent.
In some embodiments, the third sending unit 320 is further configured to send a second check identifier to the user identification card, where the second check identifier, alone or in combination with the application identifier of the service application, is used to verify whether the service application has permission to read the short message from the user identification card.
Optionally, the second check identifier is a session identifier of the session between the service platform and the service application.
As shown in FIG. 8, this embodiment of the present application provides a communication device, including a transceiver 410, a memory 420, a processor 430, and a computer program stored on the memory 420 and executed by the processor 430.
The processor 430 is connected to the transceiver 410 and to the memory 420 respectively, for example via an inter-integrated circuit (IIC) bus to a network interface and to the memory 420.
The processor 430 is configured to carry out, by executing the computer program, the verification information processing method provided by one or more of the foregoing technical solutions; for example, it may carry out the verification information processing method executed by the access control middleware, the one executed by the service application, or the one executed by the service platform.
The transceiver 410 may be any type of interface usable for communication, such as a cable interface or an optical-fiber interface.
The memory 420 may be a storage device in the communication device that includes a storage medium, such as a random access memory, a read-only memory, or a hard disk.
The processor 430 may be any of various types of processors, such as a central processing unit, a microprocessor, an application processor, a programmable array, or an application-specific integrated circuit.
The communication device may be a terminal, or it may be a service server of the service platform.
When the communication device is a terminal device that interfaces with the service platform, the communication device is provided with a slot in which a user identification card can be installed; the processor has wiring connected to the slot, so that it can establish a connection with the user identification card through contact points or the like and exchange data with it. In still other cases, an eSIM card is integrated on a chip within the communication device itself.
This embodiment of the present application provides a computer storage medium storing a computer program; when executed by a processor, the computer program implements the verification information processing method provided by one or more of the foregoing technical solutions, for example the verification information processing method executed by the access control middleware, by the service application, or by the service platform.
The computer storage medium may be any medium capable of storing program code, such as a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc. Optionally, the computer storage medium is preferably a non-transitory storage medium or a non-volatile storage medium.
Several specific examples are given below in conjunction with the above embodiments:
Example 1:
This example provides a method for transmitting a verification short message, where a verification short message is a short message carrying verification information. The method may include the following parts.
Part one: the service platform may use the operator's existing SIM card management platform, Trusted Service Management (TSM), to set access control rules inside the SIM card, so that only the mobile device applications permitted by those rules (the "service application" in FIG. 1) can access the application on the SIM card (the "SIM card application" in FIG. 1).
Part two: the on-device application, carrying identification information such as the mobile phone number, requests a dynamic SMS code from the service platform. In this embodiment of the present application, the service application is an application installed on the device, not an application installed on the SIM card.
After receiving the request, the service platform generates an SMS verification code and a session identifier (Session ID). (Note: the Session ID can be used to support concurrent access by the same user and can also guard against malicious attacks; if the service platform does not support this function, the Session ID field does not appear in the subsequent flow.)
The service platform sends a short message to the specified mobile phone number. This is a special short message that is delivered directly to the SIM card of the device holding that phone number.
After receiving the short message, the application on the SIM card reads the SMS verification code and the Session ID from it and stores them;
after the service platform receives the response confirming successful receipt of the short message, it notifies the on-device application that the short message has been sent successfully;
the on-device application requests, through the device API(s), to read the short message content (the request includes the application AID and the Session ID);
the API(s) check whether the on-device application has permission to access the SIM card application with the specified AID;
if the check passes, the device API(s) first select the specified application on the SIM card;
the device API(s) send a request to read the short message content to the application on the SIM card;
the application on the SIM card looks up the short message content according to the Session ID;
the application on the SIM card returns the short message content;
the API(s) return the short message content;
after obtaining the short message content, the on-device application fills in the dynamic SMS code (manually by the user or automatically);
the on-device application sends the dynamic SMS code to the service platform for verification;
the service platform verifies the short message content;
if the verification passes, a successful verification response is returned and the user can proceed with subsequent operations.
With the verification information transmission method of this example, if an illegitimate terminal forges a mobile phone number to request verification information, the SIM card of the device it is using never receives the short message, so an application on a device using a forged phone number cannot obtain the SMS verification code. In this embodiment of the present application, the mobile phone number may be any identification information that identifies the communication device receiving the short message; in a specific implementation it may be replaced by the communication device's network protocol (IP) address or its international mobile equipment identity. Moreover, even if the user's SIM card receives a short message of unknown origin, the user's own service is unaffected (Session ID protection).
In other embodiments, if a user requests a dynamic SMS code from another device, the user must hold the mobile phone corresponding to that phone number and obtain the SMS verification code through the application on that phone, which avoids the problems of existing SMS verification codes.
If the Session ID function is supported, the short message content must be stored per Session ID (subject to capacity limits, a maximum number of stored short messages can be configured; when the limit is exceeded, a first-in, first-out policy applies, i.e. the earliest received short message content is discarded), and the corresponding SMS verification code is returned according to the Session ID contained in the request.
If the Session ID function is not supported, the received short message content must be stored, and newly received short message content overwrites the previously received content, to ensure that the short message is current.
The service platform and the SIM card application may use end-to-end encryption to protect the confidentiality of the short message content.
Example 2:
As shown in FIG. 9, this example provides a method for transmitting verification information, including:
1: the on-device application requests an SMS verification code, for example by sending, based on the mobile phone number, a request to the service platform for a short message carrying verification information; the SMS verification code here is one kind of the verification information carried in the short message described above.
2: the service platform generates the SMS verification code and a session identifier;
3: the service platform sends the SMS verification code and the session identifier to the SIM card application, which is an application installed and running on the SIM card;
4: the SIM card application stores the SMS verification code and the session identifier;
5: the SIM card application sends a response to the service platform confirming successful receipt of the short message;
6: the service platform returns a response, for example by sending a return response to the on-device application based on the session identifier; this response may be the sending notification described above, informing the on-device application that the SMS verification code has been sent.
7: the on-device application sends a request to read the short message, carrying the AID and the session identifier;
8: the device API(s) perform the permission check;
9: the SIM card application (AID) is selected;
10: the API(s) send a request to read the short message to the selected SIM card application, carrying the session identifier supplied by the on-device application;
11: the SIM card application looks up the short message according to the session identifier;
12: the SIM card application sends the short message content to the API(s);
13: the API(s) forward the short message content to the on-device application;
14: the on-device application fills the short message content (i.e. the SMS verification code) into the corresponding field;
15: verification is performed through interaction with the service application;
16: after receiving the verification request carrying the session identifier and the short message content sent by the on-device application, the service platform checks the SMS verification code;
17: the service platform returns the verification result to the on-device application.
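The following is an added example, not code from the patent: a Python model of the flow in Examples 1 and 2 together with the per-Session-ID store with FIFO eviction described above. The AID, phone number and application identifiers are constructed; one-shot consumption of the Session ID and the constant-time code comparison are added hardening assumptions, not steps the patent states.

```python
"""Model of the SIM-applet SMS verification-code flow (Examples 1 and 2)."""
import hmac
import secrets
from collections import OrderedDict

SIM_APPLET_AID = "A000000151000000"  # constructed AID for the SIM card application


class SimApplet:
    """SIM card application: keeps (Session ID -> code), bounded by max_stored."""

    def __init__(self, max_stored=3):
        self._store = OrderedDict()
        self.max_stored = max_stored

    def receive_sms(self, session_id, code):
        """Steps 3-5: store the delivered code under its Session ID, FIFO-evict."""
        self._store.pop(session_id, None)          # re-delivery refreshes position
        self._store[session_id] = code
        while len(self._store) > self.max_stored:
            self._store.popitem(last=False)        # discard earliest received
        return "RECEIVED"

    def read(self, session_id):
        """Steps 10-12: return only the message whose Session ID matches."""
        return self._store.get(session_id)

    def stored_sessions(self):
        return list(self._store)


class ServicePlatform:
    """Issues codes over SMS to the SIM that owns the number, never to the caller."""

    def __init__(self, sim_by_msisdn):
        self._sim_by_msisdn = sim_by_msisdn   # operator routing: number -> SIM
        self._pending = {}                    # session_id -> (msisdn, code)

    def request_code(self, msisdn):
        """Steps 1-6: generate code + Session ID, deliver to the SIM applet,
        then return the sending notification (Session ID only, never the code)."""
        code = f"{secrets.randbelow(10**6):06d}"
        session_id = secrets.token_hex(8)
        self._pending[session_id] = (msisdn, code)
        self._sim_by_msisdn[msisdn].receive_sms(session_id, code)
        return session_id

    def verify(self, session_id, code):
        """Steps 16-17: one-shot (added assumption), constant-time code check."""
        entry = self._pending.pop(session_id, None)
        return entry is not None and hmac.compare_digest(entry[1], code)


class AccessControlMiddleware:
    """Device API(s): TSM-provisioned AID rule, then Session ID match (steps 7-13)."""

    def __init__(self, sim, access_rules):
        self._sim = sim
        self._rules = access_rules            # {device app id: {allowed AIDs}}

    def read_sms(self, app_id, aid, session_id):
        if aid not in self._rules.get(app_id, set()):
            raise PermissionError(f"{app_id} may not access applet {aid}")
        code = self._sim.read(session_id)
        if code is None:
            raise LookupError("no short message for this Session ID")
        return code


def run_scenarios():
    """Legitimate user, forged-number attacker, unauthorized app, FIFO eviction."""
    victim_sim, attacker_sim = SimApplet(), SimApplet()
    platform = ServicePlatform({"+8613800000001": victim_sim})  # constructed MSISDN
    rules = {"com.example.bank": {SIM_APPLET_AID}}   # hypothetical permitted app
    victim_api = AccessControlMiddleware(victim_sim, rules)
    attacker_api = AccessControlMiddleware(attacker_sim, rules)
    out = {}

    sid = platform.request_code("+8613800000001")
    code = victim_api.read_sms("com.example.bank", SIM_APPLET_AID, sid)
    out["legit"] = platform.verify(sid, code)
    out["replay"] = platform.verify(sid, code)          # Session ID already consumed

    sid = platform.request_code("+8613800000001")       # attacker claims victim's number
    try:
        attacker_api.read_sms("com.example.bank", SIM_APPLET_AID, sid)
        out["forged_number"] = "read"
    except LookupError:
        out["forged_number"] = "no_message"              # SMS landed on the victim's SIM

    try:
        victim_api.read_sms("com.example.other", SIM_APPLET_AID, sid)
        out["unauthorized_app"] = "read"
    except PermissionError:
        out["unauthorized_app"] = "denied"

    sids = [platform.request_code("+8613800000001") for _ in range(4)]
    out["evicted_first"] = sids[0] not in victim_sim.stored_sessions()
    out["kept_last"] = victim_sim.read(sids[-1]) is not None
    return out
```

Running `run_scenarios()` shows the code reaching only the SIM that owns the number, the AID rule blocking an unlisted application, and the fourth delivery evicting the oldest stored Session ID.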
In the several embodiments provided in the present application, it should be understood that the disclosed devices and methods may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation, e.g. multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the couplings, direct couplings or communication connections between the components shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may all be integrated into one processing module, or each unit may serve as a separate unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
A person of ordinary skill in the art will understand that all or some of the steps of the above method embodiments may be completed by hardware controlled by program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium capable of storing program code, such as a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
The foregoing describes only specific embodiments of the present application, but the scope of protection of the present application is not limited thereto; any changes or substitutions that a person skilled in the art could readily conceive within the technical scope disclosed in the present application fall within the scope of protection of the present application. The scope of protection of the present application shall therefore be determined by the scope of the claims.

Claims (18)

  1. A verification information processing method, comprising:
    determining whether a service application has permission to access a user identification card;
    when the service application has permission to access the user identification card, reading a short message from the user identification card, where the short message contains verification information;
    transmitting the short message to the service application.
  2. The method according to claim 1, wherein
    the determining whether the service application has permission to access the short message stored on the user identification card comprises:
    determining, according to an application identifier of the service application, whether the service application has permission to access the user identification card.
  3. The method according to claim 1 or 2, wherein
    the determining whether the service application has permission to access the short message stored on the user identification card further comprises:
    matching a first check identifier provided by the service application against a second check identifier provided by the user identification card;
    determining, according to the matching result, whether the service application has permission to access the user identification card, where the second check identifier corresponds to the short message stored on the user identification card.
  4. The method according to claim 1, wherein
    the determining whether the service application has permission to access the short message stored on the user identification card comprises:
    sending a first check identifier provided by the service application to the user identification card, where the first check identifier is for the user identification card to match against a second check identifier, the second check identifier corresponding to the short message stored on the user identification card;
    and the reading a short message from the user identification card when the service application has permission to access the user identification card comprises:
    receiving the short message sent by the user identification card when the first check identifier and the second check identifier match.
  5. The method according to claim 3 or 4, wherein the first check identifier is a first session identifier of a session between the service application and a service platform;
    and the second check identifier is a second session identifier delivered by the service platform to the user identification card.
  6. A verification information processing method, comprising:
    sending a request for obtaining verification information to a service platform;
    sending a read request to access control middleware;
    receiving a short message read by the access control middleware from a user identification card based on the read request, where the short message carries verification information and was delivered to the user identification card by the service platform based on the obtaining request.
  7. The method according to claim 6, wherein
    the method further comprises:
    receiving a sending notification returned by the service platform after it delivers the short message carrying the verification information;
    and the sending a read request to the access control middleware comprises:
    sending the read request to the access control middleware after the sending notification has been received.
  8. The method according to claim 6 or 7, wherein
    the read request carries an application identifier of the service application and/or a first check identifier of the session with the service platform;
    where the application identifier and/or the first check identifier are used by the access control middleware to determine whether the service application has permission to access the user identification card.
  9. The method according to claim 8, wherein
    the first check identifier is a first session identifier of the session between the service application and the service platform.
  10. A verification information processing method, comprising:
    receiving a request for obtaining verification information sent by a service application;
    sending, according to the obtaining request, a short message carrying verification information to the user identification card of a designated device.
  11. The method according to claim 10, wherein the method further comprises:
    sending, to the service application, a sending notification indicating that the short message has been sent.
  12. The method according to claim 10 or 11, wherein
    the method further comprises:
    sending a second check identifier to the user identification card, where the second check identifier, alone or in combination with an application identifier of the service application, is used to verify whether the service application has permission to read the short message from the user identification card.
  13. The method according to claim 12, wherein
    the second check identifier is a session identifier of the session between the service platform and the service application.
  14. A communication device running access control middleware, the access control middleware comprising:
    a determining unit, configured to determine whether a service application has permission to access a user identification card;
    a reading unit, configured to read a short message from the user identification card when the service application has permission to access the user identification card, where the short message contains verification information;
    a transmission unit, configured to transmit the short message to the service application.
  15. A communication device on which a service application is installed, the service application comprising:
    a first sending unit, configured to send a request for obtaining verification information to a service platform;
    a second sending unit, configured to send a read request to access control middleware;
    a first receiving unit, configured to receive a short message read by the access control middleware from a user identification card based on the read request, where the short message carries verification information and was delivered to the user identification card by the service platform based on the obtaining request.
  16. A service platform, comprising:
    a second receiving unit, configured to receive a request for obtaining verification information sent by a service application;
    第三发送单元,配置为根据所述获取请求,向指定设备的用户身份识别用户身份识别卡发送携带有验证信息的短信。The third sending unit is configured to send, according to the obtaining request, a short message carrying the verification information to the user identity identification user identifier card of the designated device.
  17. 一种通信设备,包括:收发器、存储器、处理器及存储在所述存储器上并由所述处理器执行的计算机程序;A communication device comprising: a transceiver, a memory, a processor, and a computer program stored on the memory and executed by the processor;
    所述处理器分别与所述收发器及存储器连接,用于通过执行所述计算机程序实现权利要求1至5、6至9及10至13任一项提供的所述验证信息处理方法。The processor is coupled to the transceiver and the memory, respectively, for implementing the verification information processing method provided by any one of claims 1 to 5, 6 to 9, and 10 to 13 by executing the computer program.
  18. 一种计算机存储介质,所述计算机存储介质存储有计算机程序;所述计算机程序被执行后,能够实现权利要求1至5、6至9及10至13任一项提供的所述验证信息处理方法。A computer storage medium storing a computer program; the computer program being executed to implement the verification information processing method provided by any one of claims 1 to 5, 6 to 9 and 10 to 13 .
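The flow claimed above (service platform sends the code by short message to the user identification card, pushes its session identifier to the card as the second verification identifier, and access control middleware releases the message only to the application whose read request carries a matching first verification identifier) is modelled below in Python. This is an added example, not code from the patent or its applicant; the class names, the short-code sender "10000", the device identifier "device-A" and the application identifiers are constructed for the illustration, and the card and the radio link are replaced by in-memory objects.

```python
"""Model of the claimed verification-SMS flow: platform -> card -> middleware -> app.
All names and sample values are constructed for this example."""
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ShortMessage:
    sender: str
    body: str


class UserIdentificationCard:
    """Stands in for the SIM/UICC: holds delivered short messages and, per
    application identifier, the second verification identifier from the platform."""

    def __init__(self) -> None:
        self.messages: List[ShortMessage] = []
        self.second_verification_ids: Dict[str, str] = {}

    def deliver_message(self, msg: ShortMessage) -> None:
        self.messages.append(msg)

    def deliver_second_verification_id(self, app_id: str, identifier: str) -> None:
        self.second_verification_ids[app_id] = identifier


class ServicePlatform:
    """Claims 10 to 13: receive the acquisition request, send the SMS, push the
    session identifier to the card, return the sending notification."""

    PLATFORM_SENDER = "10000"  # constructed short-code sender, not from the patent

    def __init__(self, cards_by_device: Dict[str, UserIdentificationCard]) -> None:
        self._cards = cards_by_device
        self._sessions: Dict[str, str] = {}     # session_id -> app_id
        self.issued_codes: Dict[str, str] = {}  # session_id -> code (kept for the demo)

    def open_session(self, app_id: str) -> str:
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = app_id
        return session_id

    def handle_acquisition_request(self, app_id: str, session_id: str, device_id: str) -> str:
        if self._sessions.get(session_id) != app_id:
            raise PermissionError("acquisition request outside an open session")
        code = f"{secrets.randbelow(10**6):06d}"
        self.issued_codes[session_id] = code
        card = self._cards[device_id]
        card.deliver_message(ShortMessage(self.PLATFORM_SENDER, f"Verification code: {code}"))
        # Second verification identifier (claim 13: the session identifier) goes to the card
        card.deliver_second_verification_id(app_id, session_id)
        return "sent"  # the sending notification of claim 11


class AccessControlMiddleware:
    """Claim 14: determining unit, reading unit and transmitting unit in one object."""

    def __init__(self, card: UserIdentificationCard) -> None:
        self._card = card

    def has_permission(self, app_id: str, first_verification_id: str) -> bool:
        expected = self._card.second_verification_ids.get(app_id)
        if expected is None:
            return False  # the platform never authorised this application on this card
        # Constant-time comparison of the identifier presented with the one on the card
        return hmac.compare_digest(expected.encode(), first_verification_id.encode())

    def handle_read_request(self, app_id: str, first_verification_id: str) -> Optional[List[ShortMessage]]:
        if not self.has_permission(app_id, first_verification_id):
            return None
        # Only the platform's messages are released, never the whole SMS store
        return [m for m in self._card.messages if m.sender == ServicePlatform.PLATFORM_SENDER]


class BusinessApplication:
    """Claims 6 to 9: request the code, wait for the notification, read via the middleware."""

    def __init__(self, app_id: str, platform: ServicePlatform,
                 middleware: AccessControlMiddleware, device_id: str) -> None:
        self.app_id = app_id
        self._platform = platform
        self._middleware = middleware
        self._device_id = device_id
        self.session_id = platform.open_session(app_id)  # the first verification identifier

    def obtain_verification_code(self) -> Optional[str]:
        if self._platform.handle_acquisition_request(self.app_id, self.session_id, self._device_id) != "sent":
            return None
        messages = self._middleware.handle_read_request(self.app_id, self.session_id)
        if not messages:
            return None
        match = re.search(r"Verification code: (\d{6})", messages[-1].body)
        return match.group(1) if match else None


def run_demo() -> dict:
    card = UserIdentificationCard()
    platform = ServicePlatform({"device-A": card})
    middleware = AccessControlMiddleware(card)
    app = BusinessApplication("com.example.bank", platform, middleware, "device-A")
    code = app.obtain_verification_code()
    # Another application presenting the same identifier has no entry on the card ...
    other_app_read = middleware.handle_read_request("com.example.other", app.session_id)
    # ... and the right application with a wrong identifier is refused as well.
    wrong_id_read = middleware.handle_read_request("com.example.bank", "not-the-session-id")
    return {"code": code, "sent_code": platform.issued_codes[app.session_id],
            "other_app_read": other_app_read, "wrong_id_read": wrong_id_read}


if __name__ == "__main__":
    print(run_demo())
```

The point of the check in `has_permission` is that the read permission is bound to the platform session that asked for the code, so the application needs no general SMS-read permission on the device and a message meant for one application cannot be collected by another. The model assumes, as the claims do, that only the service platform can write the second verification identifier onto the card; if that push channel were writable by an ordinary application, the check would be void.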

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810013801.XA CN110022536A (en) 2018-01-08 2018-01-08 Verification information processing method, communication equipment, business platform and storage medium

Publications (1)

Publication Number Publication Date
WO2019134494A1 true WO2019134494A1 (en) 2019-07-11

Family

ID=67143583

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/121311 WO2019134494A1 (en) 2018-01-08 2018-12-14 Verification information processing method, communication device, service platform, and storage medium

Country Status (2)

Country Link
CN (1) CN110022536A (en)
WO (1) WO2019134494A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112084486A (en) * 2020-09-08 2020-12-15 中国平安财产保险股份有限公司 User information verification method and device, electronic equipment and storage medium
CN112115511A (en) * 2020-09-17 2020-12-22 政采云有限公司 Authority verification method, device and system, and service authority configuration method and device
CN113112345A (en) * 2021-04-30 2021-07-13 中国银行股份有限公司 Intelligent counter business handling method, device and system based on 5G
CN113778709A (en) * 2021-08-25 2021-12-10 北京达佳互联信息技术有限公司 Interface calling method, device, server and storage medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114390457B (en) * 2022-01-17 2023-11-07 百果园技术(新加坡)有限公司 Short message verification method, device, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101742504A (en) * 2008-11-24 2010-06-16 国民技术股份有限公司 Method for carrying out identity authentication by utilizing short messages
CN103781064A (en) * 2014-01-02 2014-05-07 张鹏 Short message verification system and verification method
CN105142139A (en) * 2014-05-30 2015-12-09 北京奇虎科技有限公司 Method and device for obtaining verification information
CN107222861A (en) * 2017-05-19 2017-09-29 珠海市魅族科技有限公司 Auth method, authentication means, terminal and non-volatile memory medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102026187B (en) * 2010-12-02 2014-02-26 大唐微电子技术有限公司 Subscriber identification module and transmission method and system based on subscriber identification module
CN104239804A (en) * 2013-06-07 2014-12-24 腾讯科技(深圳)有限公司 Data protecting method and device
CN104980580B (en) * 2015-06-17 2018-03-23 小米科技有限责任公司 Short message inspection method and device
CN105100098A (en) * 2015-07-27 2015-11-25 中国联合网络通信集团有限公司 Machine card interaction safety authorization method and device
CN105260673A (en) * 2015-09-18 2016-01-20 小米科技有限责任公司 Short message reading method and apparatus
CN105307137B (en) * 2015-09-18 2019-05-07 小米科技有限责任公司 Short message read method and device
CN106529934A (en) * 2016-11-08 2017-03-22 青岛海信移动通信技术股份有限公司 Mobile payment method and mobile payment device


Also Published As

Publication number Publication date
CN110022536A (en) 2019-07-16


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18898215

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 16/10/2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18898215

Country of ref document: EP

Kind code of ref document: A1