CN101414909B - Network application user authentication system, method and mobile communication terminal - Google Patents
- Publication number
- CN101414909B CN200810226984XA
- Authority
- CN
- China
- Prior art keywords
- user
- authentication password
- key
- mobile communication
- network application
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a network application user identity verification system, a method and a mobile communication terminal, which are used to improve the universality of network application user identity verification. In the embodiments of the present invention, the identity digital certificate is stored on the mobile communication terminal, a device that more and more people carry with them. This provides a device that needs no dynamic network connection and implements dynamic password verification, thereby greatly improving the security of the application system in a low-cost, portable way.
Description
Technical field
The invention relates to network application technology, and in particular to a network application user identity verification technology.
Background art
In an era of highly developed information networks, mobile e-commerce services are attracting growing attention and use. At present most e-commerce applications and e-banking systems verify user identity in the traditional form of an account plus a user password. A password used in this way may be stolen because the input environment is not private, because it is related to the user's characteristic information, or for other reasons, which poses a security risk.
At present there are three kinds of solution to the problem of user password security:
1. USB key hardware identity digital certificate scheme
This scheme is currently in widespread use by enterprises. A USB Key is a hardware device with a USB interface that adopts a strong two-factor authentication mode combining software and hardware. It has a built-in single-chip microcomputer or smart card chip, can store the user's password or digital certificate, and verifies the user's identity with the password algorithm built into the USB Key. However, a USB Key can only be used on devices that have a USB socket, which limits its scope of use. In addition, because it must be connected to a computer, and corresponding Trojan horse viruses have already appeared, there remains a risk that the USB Key password or certificate is stolen.
2. Dynamic password token (One-time Password Token)
In this technology the user's password changes dynamically with time or with the number of uses, and each password is used only once. It is a common solution for secure identity verification today.
Existing dynamic password token technology uses dedicated hardware with a built-in power supply, a high-precision clock, a password generation chip and a display. The password generation chip runs a dedicated password generation algorithm that generates the current electronic password from the current time or the number of uses and shows it on the display. The verification server uses the same algorithm to calculate the currently valid password. Because each electronic password must be produced by the dynamic password token, and only the legitimate user holds the token hardware, the system can regard the user's identity as reliable once the dynamic password passes verification. The drawback of this kind of token is that most of them depend precisely on time and therefore need dedicated hardware with a high-precision clock, which makes the hardware expensive; a dedicated hardware token is also inconvenient to carry and has poor universality.
3. Mobile communication terminal SMS verification technology
With mobile communication terminal SMS verification, before each transaction the system sends a dynamic verification code to the user as a short message, thereby providing the function of a dynamic password. This approach is somewhat more secure than the dynamic password token approach, but the secret dynamic password information has to be transmitted in plain text over a mobile communication network that is not confidential, sending short messages incurs a certain cost, and short messages may be delayed.
Summary of the invention
Embodiments of the present invention provide a network application user identity verification system, a method and a mobile communication terminal, which are used to improve the universality of network application user identity verification.
A network application user identity verification system, comprising:
a key and user management subsystem, used to generate and store the identity digital certificate with which a user uses a network application; on receiving a verification request containing an identity digital certificate, to generate random information according to the verification request and output it, and to generate, with a set algorithm, user verification password information that is valid for a set duration and output it, the calculation parameters of the user verification password information including: the identity digital certificate contained in the verification request and the random information generated according to the verification request;
a mobile communication terminal, used to obtain the user's identity digital certificate from the key and user management subsystem and, when the user performs identity verification for the network application, to output the identity digital certificate to the network application and verification subsystem; and to receive the random information, generated by the key and user management subsystem, that the user inputs, and to generate a user authentication password with the set algorithm, the calculation parameters of the user authentication password including: the random information input by the user and the stored identity digital certificate;
a network application and verification subsystem, used, when the user requests identity verification for the network application, to obtain the identity digital certificate from the mobile communication terminal, generate the verification request and send it to the key and user management subsystem; to receive the random information output by the key and user management subsystem, receive the user authentication password input by the user, receive the user verification password information output by the key and user management subsystem, and obtain a verification result from the user authentication password and the user verification password information.
Preferably, the network application and verification subsystem specifically comprises:
a network server, used to provide the interactive interface of the network application and verification subsystem and, when the user requests identity verification for the network application through that interface, to establish a communication connection with the mobile communication terminal, obtain the identity digital certificate from the mobile communication terminal over that connection, and generate and forward the verification request; to receive the random information and display it to the user through the interactive interface of the application and verification subsystem, to receive and forward the user authentication password that the user inputs through that interface, and to receive the verification result;
a dynamic password verification server, used to receive the verification request output by the network server and forward it to the key and user management subsystem, and to receive the random information output by the key and user management subsystem and forward it to the network server; to receive the user authentication password forwarded by the network server and the user verification password information output by the key and user management subsystem, to obtain a verification result from the user authentication password and the user verification password information, and to send the verification result to the network server.
Further: the key and user management subsystem is also used to receive the user password that the user inputs through the interactive interface of the key and user management subsystem and to store it against the user's identity digital certificate; when the set algorithm is used to generate the user verification password information valid for the set duration, the calculation parameters of the user verification password information also include the user password input by the user; and the mobile communication terminal is also used to receive the user password that the user inputs through the interactive interface of the mobile communication terminal, and when the set algorithm is used to generate the user authentication password, the calculation parameters of the user authentication password also include the user password input by the user.
Still further: the key and user management subsystem is also used to maintain, according to a set rule, a first serial number that identifies the cumulative number of user verifications, and when the set algorithm is used to generate the user verification password information valid for the set duration, the calculation parameters of the user verification password information also include the first serial number; and the mobile communication terminal is also used to maintain, according to the set rule, a second serial number that identifies the cumulative number of verifications requested by the user, and when the set algorithm is used to generate the user authentication password, the calculation parameters of the user authentication password also include the second serial number.
In addition, the user verification password information valid for the set duration that the key and user management subsystem generates with the set algorithm comprises a group of user verification passwords, one generated for each of a set number of first serial number values that include the current value of the first serial number; and the dynamic password verification server, using the user authentication password and the user verification password information, obtains a result of verification passed when the user authentication password matches any one of the group of user verification passwords, and otherwise obtains a result of verification failed.
The mobile communication terminal and the network application and verification subsystem transfer the user's identity digital certificate by establishing a communication connection, which specifically comprises:
a wired connection established through a USB interface; or
a wireless connection established through Bluetooth; or
a wireless connection established through an infrared emulated serial port.
A network application user identity verification method, comprising:
when the user performs identity verification for the network application, the mobile communication terminal outputs to the network application and verification subsystem the user's identity digital certificate obtained from the key and user management subsystem;
on receiving the user's identity digital certificate, the network application and verification subsystem generates a verification request containing the identity digital certificate and sends it to the key and user management subsystem;
according to the received verification request, the key and user management subsystem generates random information, generates with a set algorithm user verification password information that is valid for a set duration, and outputs the random information and the user verification password information to the network application and verification subsystem, the calculation parameters of the user verification password information including: the identity digital certificate contained in the verification request and the random information generated according to the verification request;
the network application and verification subsystem receives the random information and the user verification password information output by the key and user management subsystem, and receives the user authentication password input by the user, the user authentication password being generated by the mobile communication terminal with the set algorithm from the random information, generated by the key and user management subsystem, that the user has input, and displayed to the user; the calculation parameters of the user authentication password include: the random information input by the user and the stored identity digital certificate;
the network application and verification subsystem verifies the user's identity from the user authentication password and the user verification password information valid for the set duration.
A mobile communication terminal, comprising:
a unit for obtaining the user's identity digital certificate from the key and user management subsystem;
a unit for establishing a communication connection with the network application and verification subsystem when the user performs identity verification for the network application, and outputting the identity digital certificate over that connection;
a unit for receiving the random information, generated by the key and user management subsystem, that the user inputs through the interactive interface of the mobile communication terminal;
a unit for generating a user authentication password with a set algorithm and displaying it on the interactive interface of the mobile communication terminal, the calculation parameters of the user authentication password including the random information input by the user and the stored identity digital certificate.
In the embodiments of the present invention, the identity digital certificate is stored on the mobile communication terminal, a device that more and more people carry with them. This provides a universal medium that needs neither a dynamic Internet connection nor a high-precision clock during verification and implements dynamic password verification based on an electronic certificate, thereby greatly improving the universality and portability of the network application verification mechanism at low cost.
Description of drawings
Fig. 1 is a schematic diagram of the implementation principle of the network application user identity verification system provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of a specific network architecture of the network application user identity verification system provided by an embodiment of the present invention;
Fig. 3 is a schematic flowchart of account opening by a network application user in the user identity verification method provided by an embodiment of the present invention;
Fig. 4 is a schematic flowchart of a network application user downloading the identity digital certificate to the mobile communication terminal in the user identity verification method provided by an embodiment of the present invention;
Fig. 5 is a schematic flowchart of activating the identity digital certificate on the mobile communication terminal in the user identity verification method provided by an embodiment of the present invention;
Fig. 6 is a schematic flowchart of identity verification using the identity digital certificate provided by an embodiment of the present invention.
Detailed description
PKI (Public Key Infrastructure) is a key management platform that follows established standards. It provides all network applications with cryptographic services such as encryption and digital signatures, together with the key and certificate management they require. Put simply, PKI is infrastructure for providing security services that is built on public key theory and technology. PKI technology is the core of information security technology and a key, fundamental technology of e-commerce. In a PKI system, the CA (Certificate Authority) is the authoritative certification management body. It can issue users digital certificates that uniquely identify them and, together with the equipment of the network application provider, provides the mechanism for verifying digital certificates.
As shown in Fig. 1, an embodiment of the present invention, based on dynamic password technology under the PKI mechanism, provides a verification system for user identity verification that uses an identity digital certificate issued by an authoritative CA to verify the legitimacy of a network application user's identity. The verification system mainly comprises a mobile communication terminal 12, a network server 13, a dynamic password verification server 14 and a key and user management subsystem 11, wherein:
The key and user management subsystem 11, as the equipment of the CA in the PKI system, is used to issue and manage identity digital certificates and, together with the mobile communication terminal 12, the application management server and the dynamic password verification server 14, to complete verification of the user's identity. An identity digital certificate is in effect a record of user-related information stored on the key and user management subsystem 11. It can also be regarded as a statement issued by the CA that certifies the unique correspondence between the certificate subject (a certificate applicant becomes the certificate subject once it holds the identity digital certificate) and the public key contained in the certificate. An identity digital certificate includes the name and related information of the certificate applicant, the applicant's public key, the digital signature of the CA that issued the certificate, the validity period of the certificate, and so on. If the user needs to renew the identity digital certificate, the user can go through the formalities at the CA again.
The mobile communication terminal 12 is used to download from the key and user management subsystem 11 the identity digital certificate issued to the network application user and, when the user needs identity verification, to transfer the identity digital certificate to the network server 13 through the USB port, Bluetooth or infrared emulated serial port of the mobile communication terminal 12 in order to indicate the identity of the network application user. Together with the network server 13, the dynamic password verification server 14 and the key and user management subsystem 11, it completes verification of the user's identity using the identity digital certificate, the user password reserved on the key and user management subsystem 11, and the random information, valid for a set duration, that the key and user management subsystem 11 provides;
The network server 13 and the dynamic password verification server 14, as the equipment of the network application provider, make up the network application and verification subsystem, provide the user with the network application's interactive interface and, together with the mobile communication terminal 12 and the key and user management subsystem 11, complete verification of the user's identity.
Before downloading the identity digital certificate, the user has to open an account at the CA's counter, according to the network application concerned. This includes reserving the user's basic information and a user password with the CA. The CA stores the reserved basic information and user password in the key and user management subsystem, which provides a unique identity digital certificate for the user applying for a digital certificate and produces the corresponding digital certificate activation code. The CA gives the activation code to the user, and the user downloads the identity digital certificate through the verification server to the client on the mobile communication terminal 12 and activates it with the activation code.
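Still referring to Fig. 1, in the embodiment of the present invention the specific process by which the mobile communication terminal 12 uses the identity digital certificate to complete verification of the user's identity includes the following steps:
S101. When the user performs identity verification for the network application, the mobile communication terminal 12 establishes a communication connection with the network server 13 and outputs over that connection the user's identity digital certificate obtained from the key and user management subsystem 11;
S102. On receiving the user's identity digital certificate, the network server 13 generates a verification request containing the identity digital certificate and sends it to the dynamic password verification server 14;
S103. The dynamic password verification server 14 forwards the verification request to the key and user management subsystem 11;
S104. According to the received verification request, the key and user management subsystem 11 generates random information, generates with the set algorithm user verification password information that is valid for the set duration, and outputs the random information and the user verification password information to the dynamic password verification server 14; the calculation parameters of the user verification password information include the identity digital certificate contained in the verification request and the random information generated according to the verification request;
S105. The dynamic password verification server 14 forwards the random information to the network server 13 and stores the user verification password information;
S106. The network server 13 displays the random information to the user through the application's interactive interface;
S107. The user sees the random information on the application's interactive interface and inputs it into the mobile communication terminal 12 through the interactive interface of the mobile communication terminal 12;
S108. The mobile communication terminal 12 generates the user authentication password from the random information input by the user and the user identity certificate, and displays the user authentication password on the interactive interface of the mobile communication terminal 12;
S109. The user inputs the user authentication password displayed on the interactive interface of the mobile communication terminal 12 into the network server 13;
S110. The network server 13 forwards the user authentication password to the dynamic password verification server 14;
S111. The dynamic password verification server 14 verifies the user's identity from the user authentication password forwarded by the network server 13 and the previously stored user verification password information valid for the set duration.
S112. The dynamic password verification server 14 returns the verification result to the network server 13.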
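In the verification process above, the calculation parameters of the user authentication password and of the user verification password information include the user's identity digital certificate and the random information. The identity digital certificate is the user's unique identifier and is thereby bound to the user; as long as the user keeps the personal identity digital certificate secure, the security of the verification result is ensured. The random information is generated on the spot and is time-limited. The key and user management subsystem 11 sets a validity period for the generated user verification password information according to the time-limited nature of the random information, which ensures that the user authentication password and the user verification password information used in each verification are a dynamic password valid only for that occasion, and so improves the security of the authentication mechanism.
Generally, the network server 13 includes front-end devices that the user can operate through an interactive interface, such as computers, game consoles, ATMs and POS machines, while the dynamic password verification server 14 performs the actual verification as a back-end device; for security reasons the two should be deployed separately. For applications with lower security requirements or simple networking, however, they may be merged into a single network application and verification subsystem that handles both the network application interaction and the identity verification.
The mobile communication terminal 12 and the network server 13 each need a dedicated client installed according to the scheme provided by the embodiment of the present invention, which provides the user with the corresponding interactive interface and carries out the operations the user inputs through it. Developing such interactive interfaces according to the technical scheme provided by the embodiment is well known to those skilled in the art and is not described in detail here.
In the embodiment of the present invention, the random information may be a random number, a combination of digits and letters, or the like, generated for example with a pseudo-random number generation algorithm. Techniques for producing random information are also well known to those skilled in the art and are not described in detail here.
In the embodiments of the present invention, the identity digital certificate is stored on the mobile communication terminal, a device that more and more people carry with them. This provides a universal medium that needs neither a dynamic Internet connection nor a high-precision clock during verification and implements dynamic password verification based on an electronic certificate, thereby greatly improving the universality and portability of the network application verification mechanism at low cost.
In the embodiment of the present invention, the password algorithm generally uses an irreversible hash algorithm, such as SHA1 or MD5.
To further increase the security of the verification mechanism, in the embodiment of the present invention the user may also reserve a user password in the key and user management subsystem 11 and input the user password when inputting the random information. Thus, when the user verification password information is calculated, the calculation parameters may further include: the user password that the user stored in advance in the key and user management subsystem 11; and when the user authentication password is calculated, the calculation parameters may likewise further include: the random information received as user input through the interactive interface of the mobile communication terminal 12.
Still further, to increase the security of the verification mechanism, in the embodiment of the present invention the mobile communication terminal 12 locally maintains a cumulative count of the verification requests triggered by the user according to a set rule, for example incrementing by 1 each time. The key and user management subsystem 11 follows the same set rule and updates its cumulative count each time it receives a verification request and generates random information and user verification password information. Each side uses the count it maintains as a parameter in calculating the user authentication password and the user verification password information. To guard against user misoperation, the user verification password information calculated by the key and user management subsystem 11 comprises a group of user verification passwords calculated with the current cumulative count and with several values greater than it. If the user authentication password matches any one of the group of user verification passwords, a result of verification passed is obtained; otherwise a result of verification failed is obtained.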
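An added example, not code from the patent: a Python model of the exchange in steps S101 to S112 with the optional user password, the serial-number group and the validity period, showing replay, counter drift and expiry handling. The names `Verifier`, `Terminal`, `derive_password`, `WINDOW`, `TTL_SECONDS` and `DIGITS` are assumptions. So are the use of HMAC-SHA-256 keyed with the certificate bytes (in place of the plain SHA1 or MD5 hash the text mentions), the single attempt per challenge, and advancing the server count to the matched value on success.

```python
import hashlib
import hmac
import secrets

WINDOW = 3         # assumed: how many serial-number values the server accepts
TTL_SECONDS = 120  # assumed: the "set duration" a challenge stays valid
DIGITS = 8         # assumed: length of the password shown on the handset


def derive_password(cert: bytes, challenge: str, user_password: str, serial: int) -> str:
    """Shared "set algorithm": certificate, random information, user password, serial."""
    fields = (challenge.encode(), user_password.encode(), serial.to_bytes(8, "big"))
    # Length-prefix every field so that ("12", "3") and ("1", "23") hash differently.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    digest = hmac.new(cert, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10**DIGITS).zfill(DIGITS)


class Terminal:
    """Mobile communication terminal 12: holds the certificate and the second serial number."""

    def __init__(self, cert: bytes):
        self.cert = cert
        self.serial = 0

    def respond(self, challenge: str, user_password: str) -> str:
        """S108: compute the user authentication password for a typed-in challenge."""
        password = derive_password(self.cert, challenge, user_password, self.serial)
        self.serial += 1  # advances on every request, whether or not it is submitted
        return password


class Verifier:
    """Key and user management subsystem 11 and verification server 14, merged here."""

    def __init__(self):
        self.users = {}    # certificate -> {"password": str, "serial": int}
        self.pending = {}  # certificate -> (expiry, [(serial, password), ...])

    def enroll(self, cert: bytes, user_password: str) -> None:
        self.users[cert] = {"password": user_password, "serial": 0}

    def begin(self, cert: bytes, now: float) -> str:
        """S104: issue random information and precompute the group of valid passwords."""
        user = self.users[cert]
        challenge = f"{secrets.randbelow(10**6):06d}"
        group = [(s, derive_password(cert, challenge, user["password"], s))
                 for s in range(user["serial"], user["serial"] + WINDOW)]
        self.pending[cert] = (now + TTL_SECONDS, group)
        return challenge

    def verify(self, cert: bytes, submitted: str, now: float) -> bool:
        """S111: one attempt per challenge, and only inside the validity period."""
        expiry, group = self.pending.pop(cert, (0.0, []))
        if now > expiry:
            return False
        matched = None
        for serial, expected in group:  # check every candidate, constant-time compare
            if hmac.compare_digest(expected.encode(), submitted.encode()) and matched is None:
                matched = serial
        if matched is None:
            return False
        self.users[cert]["serial"] = matched + 1  # resynchronise with the handset
        return True


def demo() -> dict:
    cert = b"constructed certificate bytes, not a real X.509 certificate"
    server, phone = Verifier(), Terminal(cert)
    server.enroll(cert, "correct horse")
    results = {}
    c1 = server.begin(cert, now=1000.0)
    p1 = phone.respond(c1, "correct horse")
    results["first"] = server.verify(cert, p1, now=1030.0)
    results["replay"] = server.verify(cert, p1, now=1031.0)  # challenge already used
    phone.respond("000000", "correct horse")  # misoperation: generated, never sent
    c2 = server.begin(cert, now=2000.0)
    results["after_drift"] = server.verify(cert, phone.respond(c2, "correct horse"), now=2010.0)
    c3 = server.begin(cert, now=3000.0)
    late = 3000.0 + TTL_SECONDS + 1
    results["expired"] = server.verify(cert, phone.respond(c3, "correct horse"), now=late)
    c4 = server.begin(cert, now=4000.0)
    results["wrong_password"] = server.verify(cert, phone.respond(c4, "guess"), now=4001.0)
    return results


if __name__ == "__main__":
    print(demo())
```

The group of `WINDOW` candidates is what absorbs a handset count that has run ahead of the server; a larger window tolerates more misoperation at the cost of more accepted passwords per challenge.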
The specific architecture of a network application authentication system provided by an embodiment of the present invention is shown in Fig. 2, wherein:
The key and user management subsystem specifically comprises a user management server, a CA server, a user information database and a mobile communication terminal software download server. The user management server can be connected to counter terminals and is mainly used to issue and manage personal digital certificates. This includes receiving the basic user information and user password that the user reserves when opening an account for the network application, generating the identity digital certificate and activation code for the user, and generating the random information and verification password information when the user requests identity authentication. The user information database mainly serves as a database that stores each user's identity digital certificate and other related information. The mobile communication terminal client download server provides users with the software for the various network application clients. Users can log in to this server to download or update a network application client. Where the operator's network supports it, the address can be pushed to the user's mobile communication terminal by WapPush; users can also log in to the server wirelessly from the mobile communication terminal and download directly. The client can of course also be pre-installed by the mobile communication terminal equipment manufacturer on the terminal device or on the terminal device's SIM/USIM module.
The network application and verification subsystem specifically comprises business terminals, a network (WEB) server, a dynamic password verification server, a business application server and so on. The business terminals provide the interactive interface of the network application, the network server provides login management for the network application, the dynamic password verification server performs password verification, and users who pass verification can enter the business application server to carry out specific business.
The processes involved in the present invention are described in detail below through preferred embodiments, with reference to the accompanying drawings.
1. User account opening process
As shown in Fig. 3, before using the network application the user must first apply to open an account at the counter provided by the CA. The account opening process includes the following steps:
S301. The user, or a teller on the user's behalf, fills in the application form, and the teller enters the user's basic information into the key and user management subsystem, including the ID card number id_num and the telephone number phone_num of the mobile communication terminal the user uses;
S302. The user enters the chosen user password passwd into the key and user management subsystem. The user password can take part in the calculation of the authentication password and the verification password, which further strengthens the security of the verification mechanism;
In addition, the password system's change-password procedure can be called so that the user can change the password.
S303. The key and user management subsystem generates the identity digital certificate and its activation code;
There are many ways to generate the identity digital certificate. It can be generated from the ID card number, the telephone number, the user password or other basic information, and those skilled in the art can choose the generation method flexibly as needed.
There are also many ways to generate the activation code of the identity digital certificate. It can be generated from the user password or other basic information, and those skilled in the art can flexibly choose other activation code generation methods as needed. The embodiment of the present invention gives the following specific implementation:
The key and user management subsystem computes the stored form save_pass of the original password from passwd with the irreversible algorithm f_save, where the calculation parameters include passwd, phone_num and so on:
save_pass = f_save(passwd, phone_num)
save_pass is stored with phone_num as the index. The key management subsystem does not store the user password directly, and because an irreversible algorithm is used, passwd cannot be recovered from save_pass.
The key and user management subsystem generates the activation code act_key with the irreversible algorithm f_act:
act_key = f_act(passwd, phone_num, id_num)
Finally, phone_num/act_key is printed and issued to the user, which completes the account opening process.
2. Identity digital certificate download process
As shown in Figure 4, after the account has been opened the user holds the activation code and downloads the identity digital certificate to the mobile communication terminal through the download server in the key and user management subsystem. The process includes the following steps:
S401. Log in to the web page of the download website;
S402. On the input interface of the web page, the user enters the user number of the mobile communication terminal, the user ID number (if selected) and the activation code, and sends a request to the mobile communication terminal software download server for the identity digital certificate License'. The mobile communication terminal software download server retrieves the identity digital certificate from the CA server according to the user ID number (if selected) and the activation code, and sends it to the mobile communication terminal according to the terminal's user number;
License' = f_lic(passwd, phone_num, id_num, act_key).
S403. Following the user's operation, the mobile communication terminal installs the identity digital certificate with phone_num as the index.
3. Activating the identity digital certificate downloaded to the mobile communication terminal
The identity digital certificate can be used only after it has been activated. During activation, the user number of the mobile communication terminal in use can be bound to the personal digital certificate at the same time. As shown in Figure 5, the process includes the following steps:
S501. On the mobile communication terminal, the user enters the mobile communication terminal card number phone_num that is to use this function, and the terminal saves the card number;
S502. On the mobile communication terminal, the user enters the user password passwd reserved when the account was opened;
S503. On the mobile communication terminal, the user enters the basic user information reserved when the account was opened: the ID number id_num (optional);
S504. The mobile communication terminal computes act_key' with the same irreversible algorithm f_act as the key and user management subsystem:
act_key' = f_act(passwd, phone_num, id_num)
S505. The user enters the activation code act_key. If act_key' does not match act_key, activation fails.
S506. The mobile communication terminal in use and the personal digital certificate are bound in the key and user management subsystem.
The embodiment of the present invention provides a specific binding process:
Characteristic information of the mobile communication terminal is used as phone_mask, for example the terminal's IMEI number. If the IMEI number cannot be obtained, other characteristic information of the terminal (such as the currently available memory capacity) is used as a seed to generate random information that serves as phone_mask. phone_mask distinguishes different mobile communication terminals so that a specific terminal can be bound;
The binding code bind_key is computed with the irreversible algorithm f_bind and saved on the mobile communication terminal:
bind_key = f_bind(phone_num, phone_mask)
The stored form of the original password, save_pass, is computed with the irreversible algorithm f_save (save_pass is not stored here; it is used only as the key to encrypt bind_key for transmission, so that only a legitimate user can complete the binding):
save_pass = f_save(passwd, phone_num)
phone_num/bind_key is encrypted with save_pass as the key and sent to the key and user management subsystem;
The key and user management subsystem decrypts it with save_pass to obtain bind_key;
Random information is taken as the synchronization code syn;
The server-side calculation sequence number is initialized: seq_svr = 0;
bind_key/syn/seq_svr is stored with phone_num as the index;
The key and user management subsystem returns syn to the mobile communication terminal;
The mobile communication terminal stores syn;
The mobile communication terminal's calculation sequence number is initialized: seq_mob = 0;
Note that the user password and the synchronization code syn can be used later, during verification, as parameters for calculating the verification password and the authentication password, which further strengthens the security of the verification mechanism.
Activation succeeds.
Through the account opening, download and activation processes, the mobile communication terminal has obtained the user's identity digital certificate.
4. Verification process
Once the user has completed the account opening process and obtained the identity digital certificate, day-to-day use is convenient. The verification process during use is shown in Figure 6 and includes the following steps:
S601. When the user logs in to the network server to use the network application, the network server first asks the user to present the identity digital certificate. The network server and the mobile communication terminal establish a communication connection and, following the user's operation, the mobile communication terminal transmits the user's identity digital certificate to the network server;
S602. The network server generates a verification request containing the user's identity digital certificate and sends it through the dynamic password verification server to the key and user management subsystem. It receives the random information returned by the key and user management subsystem and displays this random information, challenge, in a form that resists machine recognition, for example as a graphic that resists automatic recognition;
At the same time, the key and user management subsystem uses the current calculation sequence numbers seq_svr, seq_svr+1 ... seq_svr+n-1, n sequence numbers in total, to compute n one-time verification passwords OTP', which together form the verification password "valid window", and sends the "valid window" to the dynamic password verification server:
OTP'_i = f_OTP(save_pass, syn, seq_svr+i, bind_key, challenge), i = 1...n
S603. The mobile communication terminal calculates the user authentication password OTP;
The mobile communication terminal works from the user password passwd and the challenge entered by the user. The user password entered by the user is valid only for this calculation; it is not stored on the mobile communication terminal and is not transmitted over the network, so that it cannot be stolen. The mobile communication terminal is also not connected to the Internet while it calculates the authentication password.
The software on the mobile communication terminal computes save_pass, the stored form of the user password, with the irreversible algorithm f_save:
save_pass = f_save(passwd, card_num)
Using syn, the current calculation sequence number seq_mob, the user password passwd and challenge, the mobile communication terminal computes the user authentication password for this login with the irreversible algorithm f_OTP, which is the same as in the back-end system, displays the authentication password on the terminal's interactive interface, and increments the current calculation sequence number:
OTP = f_OTP(save_pass, syn, seq_mob, bind_key, challenge)
S604. Password verification.
The user enters OTP on the application interface of the network server, and the network server passes OTP to the dynamic password verification server. If the dynamic password verification server determines that OTP matches one of the OTP'_i in the verification password "valid window", this verification passes; otherwise verification fails. The verification result is returned to the network server and to the key and user management subsystem, and the network server continues its subsequent processing according to the result.
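The exchange of S602 to S604, as an added Python example that is not part of the patent text: the server checks the submitted OTP against the window seq_svr ... seq_svr+n-1 listed in the prose of S602, so a terminal whose counter has run ahead by a few unused codes still verifies. Everything the patent leaves open is an assumption here: PBKDF2-HMAC-SHA256 for f_save, HMAC-SHA256 cut to 8 digits for f_OTP, a 6-digit challenge, n = 5, single-use challenges, the server moving seq_svr past a matched counter, and all class and function names.

```python
import hashlib
import hmac
import secrets

def f_save(passwd, phone_num):
    # Assumed stand-in for the irreversible f_save: PBKDF2 salted with phone_num.
    return hashlib.pbkdf2_hmac("sha256", passwd.encode(), phone_num.encode(), 100_000)

def f_otp(save_pass, syn, seq, bind_key, challenge):
    # Assumed stand-in for f_OTP: HMAC-SHA256 over fixed-length fields, cut to 8 digits.
    msg = syn + seq.to_bytes(8, "big") + bind_key + challenge.encode()
    digest = hmac.new(save_pass, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"

class Server:
    def __init__(self, window=5):
        self.users, self.window = {}, window  # records by phone_num; window size n

    def bind(self, phone_num, save_pass, bind_key):
        syn = secrets.token_bytes(16)  # random synchronization code
        self.users[phone_num] = dict(save_pass=save_pass, bind_key=bind_key, syn=syn, seq_svr=0)
        return syn

    def new_challenge(self, phone_num):
        self.users[phone_num]["challenge"] = f"{secrets.randbelow(10**6):06d}"
        return self.users[phone_num]["challenge"]

    def verify(self, phone_num, otp):
        rec = self.users[phone_num]
        challenge = rec.pop("challenge", None)  # each challenge is usable once
        if challenge is None:
            return False
        matched = None
        for seq in range(rec["seq_svr"], rec["seq_svr"] + self.window):
            expected = f_otp(rec["save_pass"], rec["syn"], seq, rec["bind_key"], challenge)
            if hmac.compare_digest(expected.encode(), otp.encode()):
                matched = seq  # no early exit: every candidate is always computed
        if matched is not None:
            rec["seq_svr"] = matched + 1  # assumption: move past the used counter
        return matched is not None

class Terminal:
    def __init__(self, phone_num, bind_key, syn):
        self.phone_num, self.bind_key, self.syn, self.seq_mob = phone_num, bind_key, syn, 0

    def otp(self, passwd, challenge):
        save_pass = f_save(passwd, self.phone_num)  # derived per use, never stored
        code = f_otp(save_pass, self.syn, self.seq_mob, self.bind_key, challenge)
        self.seq_mob += 1
        return code

def demo():
    phone, passwd = "13800000000", "correct horse"  # constructed sample values
    bind_key = hashlib.sha256(phone.encode() + b"|constructed-IMEI").digest()
    server = Server()
    term = Terminal(phone, bind_key, server.bind(phone, f_save(passwd, phone), bind_key))
    def login(pw):
        return server.verify(phone, term.otp(pw, server.new_challenge(phone)))
    in_sync = login(passwd)
    term.seq_mob += 2  # two codes generated on the terminal but never submitted
    in_window = login(passwd)
    bad_password = login("wrong")
    term.seq_mob += server.window  # drift larger than the window
    return in_sync, in_window, bad_password, login(passwd)
```

Calling demo() returns (True, True, False, False): a login in sync, a login after two unused codes, a wrong password, and a terminal that has drifted past the window and would need resynchronization.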
In the embodiment of the present invention, the identity digital certificate is stored on the mobile communication terminal, a device that more and more people carry with them. The terminal serves as a medium that needs no live network connection for dynamic password verification, which greatly improves the generality and portability of the network application verification mechanism at low cost.
Obviously, those skilled in the art can make various changes and modifications to the embodiments of the present invention without departing from the spirit and scope of the present invention. If these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.
Claims (11)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810226984XA CN101414909B (en) | 2008-11-28 | 2008-11-28 | Network application user authentication system, method and mobile communication terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101414909A CN101414909A (en) | 2009-04-22 |
CN101414909B (en) | 2010-12-01 |
Family
ID=40595242
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200810226984XA Active CN101414909B (en) | 2008-11-28 | 2008-11-28 | Network application user authentication system, method and mobile communication terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101414909B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN101414909A (en) | 2009-04-22 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |