
CN101488111A - Identity authentication method and system (Google Patents)

Publication number: CN101488111A
Application number: CNA2009100773140A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 刘道斌
Assignee (original and current): Potevio Information Technology Co Ltd
Legal status: Pending
Prior art keywords: session, storage device, portable storage, identity authentication, terminal

Abstract

The invention discloses an identity authentication method. First, the portable storage device loads into the terminal the same session key generation mechanism as its own, together with the decryption mechanism corresponding to its own encryption mechanism. The portable storage device then encrypts a session ticket it generated with its own session key. The terminal generates a session key according to the same session key generation mechanism as the portable storage device, uses that key to decrypt the encrypted session ticket received from the portable storage device, and returns the decrypted session ticket to the portable storage device. The portable storage device then compares the received session ticket with the one it generated to complete identity authentication. The invention also discloses an identity authentication system; the method and system improve the security of identity authentication between a terminal and a portable storage device.

Description

An identity authentication method and system

Technical field

The invention relates to the field of information security, and in particular to an identity authentication method and system.

Background

When a terminal (such as a PC or a mobile phone) accesses a portable storage device (such as a smart card or a memory card), the portable storage device needs to authenticate the terminal that is accessing it. Figure 1 is a flow chart of the prior-art identity authentication method. As shown in Figure 1, the prior-art method includes the following steps:

Step 101: when the terminal detects the portable storage device, it powers the device on, and the portable storage device sends an identity authentication request to the terminal requesting access.

Step 102: after receiving the identity authentication request, the terminal prompts the user through its human-machine interface to enter a personal identification number (PIN), and the user enters the PIN as prompted.

Step 103: the terminal returns an identity authentication response to the portable storage device; this response carries the user-entered PIN in plaintext.

Step 104: the portable storage device compares the received PIN with the PIN it has stored in advance; if the two match, authentication passes, otherwise it fails.

Step 105: the portable storage device returns the authentication result to the terminal. If authentication passed, the terminal may access the portable storage device; otherwise it may not.

In this existing method the terminal sends the user-entered PIN to the portable storage device in plaintext, so the PIN is easily stolen or intercepted by an unauthorized party, who could then obtain access to the portable storage device. The security of the existing method is therefore low.

Summary of the invention

In view of this, the main object of the invention is to provide an identity authentication method that improves the security of identity authentication between a terminal and a portable storage device.

Another object of the invention is to provide an identity authentication system that improves the security of identity authentication between a terminal and a portable storage device.

To achieve these objects, the technical solution of the invention is realized as follows:

An identity authentication system comprising a terminal and a portable storage device, wherein

the portable storage device includes an identity authentication module and a security processing module loading unit, wherein

the identity authentication module encrypts a session ticket it generates using its own session key;

the security processing module loading unit loads a security processing module into the terminal;

the security processing module carries the same session key generation mechanism as the identity authentication module, and the two generate their respective session keys according to that mechanism; the security processing module also carries the decryption mechanism corresponding to the encryption mechanism of the identity authentication module, uses its own session key to decrypt the encrypted session ticket received from the identity authentication module, and returns the decrypted session ticket to the identity authentication module;

and the identity authentication module further compares the received session ticket with the session ticket it generated.

The identity authentication module includes a first session key generation unit, a first session ticket generation unit, an encryption unit and an identity authentication unit; the security processing module includes an identity information entry and storage unit, a second session key generation unit and a decryption unit; wherein

the first session key generation unit generates a first session key using the portable storage device's own identity information as the key seed;

the first session ticket generation unit generates a first session ticket and sends it to the encryption unit and the identity authentication unit;

the encryption unit encrypts the first session ticket with the first session key and sends the encrypted first session ticket to the decryption unit;

the identity information entry and storage unit lets the user enter identity information and stores the identity information the user entered;

the second session key generation unit generates a second session key using the user-entered identity information as the key seed, following the generation mechanism of the first session key;

the decryption unit decrypts the encrypted first session ticket received from the encryption unit with the second session key, using the decryption mechanism corresponding to the encryption mechanism, and sends the resulting second session ticket to the identity authentication unit;

the identity authentication unit compares the second session ticket from the decryption unit with the first session ticket from the first session ticket generation unit; if they are identical, authentication of the terminal passes, otherwise it fails.

The terminal is a PC, a mobile phone or an automated teller machine (ATM);

the portable storage device is a smart card, a memory card or a USB key.

The terminal and the portable storage device communicate using the ISO 7816 interface protocol, a general-purpose memory card interface protocol, the USB interface protocol or a wireless interface protocol.

The identity information is a personal identification number (PIN) or biometric information.

The identity information entry and storage unit includes a soft keyboard.

The first session ticket and the second session ticket are generated from the current session time.

An identity authentication method comprising the following steps:

the portable storage device loads into the terminal the same session key generation mechanism as its own, together with the decryption mechanism corresponding to its own encryption mechanism;

the portable storage device encrypts a session ticket it generates using its own session key;

the terminal generates a session key according to the same session key generation mechanism as the portable storage device, decrypts the encrypted session ticket from the portable storage device with its own session key, and returns the decrypted session ticket to the portable storage device;

the portable storage device compares the received session ticket with the session ticket it generated.

The terminal and the portable storage device generate their respective session keys according to the same mechanism as follows: the portable storage device generates a first session key using its own identity information as the key seed, and the terminal generates a second session key using the user-entered identity information as the key seed, following the generation mechanism of the first session key;

the portable storage device encrypts its session ticket as follows: it generates a first session ticket and encrypts it with the first session key;

the terminal decrypts the encrypted session ticket as follows: it decrypts the encrypted first session ticket from the portable storage device with the second session key, using the decryption mechanism corresponding to the encryption mechanism;

the portable storage device compares the tickets as follows: it checks whether the second session ticket received from the terminal is identical to the first session ticket it generated; if so, authentication of the terminal passes, otherwise it fails.

The terminal is a PC, a mobile phone or an automated teller machine (ATM);

the portable storage device is a smart card, a memory card or a USB key.

The terminal and the portable storage device are connected through an ISO 7816 interface, a general-purpose memory card interface, a USB interface or a wireless interface.

The identity information is a personal identification number (PIN) or biometric information.

The user enters the identity information using a soft keyboard.

The first session ticket and the second session ticket are generated from the current session time.

As can be seen from the above technical solution, the portable storage device first loads into the terminal the same session key generation mechanism as its own and the decryption mechanism corresponding to its own encryption mechanism; the portable storage device then encrypts a session ticket it generated with its own session key; correspondingly, the terminal generates a session key by the same mechanism, decrypts the encrypted session ticket from the portable storage device with it, and returns the decrypted ticket to the portable storage device; the portable storage device then compares the received ticket with the one it generated to complete identity authentication. Because the user-entered PIN is never transmitted directly between the terminal and the portable storage device, identity information such as the PIN is not exposed to capture on that interface by an unauthorized party, which improves the security of identity authentication between the terminal and the portable storage device.

Brief description of the drawings

Figure 1 is a flow chart of the prior-art identity authentication method;

Figure 2 is a structural diagram of an identity authentication system provided by the invention;

Figure 3 is a flow chart of an identity authentication method provided by the invention;

Figure 4 is a flow chart of an embodiment of the identity authentication method provided by the invention.

Detailed description

To make the objects, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and an embodiment.

Figure 2 is a structural diagram of an identity authentication system provided by the invention. As shown in Figure 2, the system includes a terminal 201 and a portable storage device 202.

Terminal 201 includes at least a security processing module 2011 and a second interface unit 2015; portable storage device 202 includes at least a security processing module loading unit 2021, an identity authentication module 2022 and a first interface unit 2027.

Security processing module loading unit 2021 loads security processing module 2011 into terminal 201 through first interface unit 2027 and second interface unit 2015. Security processing module 2011 carries the same session key generation mechanism as identity authentication module 2022, together with the decryption mechanism corresponding to the encryption mechanism in the identity authentication module. Security processing module 2011 and identity authentication module 2022 generate their respective session keys according to the same mechanism; identity authentication module 2022 encrypts a session ticket it generated with its own session key; security processing module 2011 decrypts the encrypted session ticket from identity authentication module 2022 with its own session key and returns the decrypted session ticket to identity authentication module 2022 through first interface unit 2027 and second interface unit 2015; identity authentication module 2022 then compares the received session ticket with the one it generated.

Security processing module 2011 includes at least an identity information entry and storage unit 2012, a second session key generation unit 2013 and a decryption unit 2014; identity authentication module 2022 includes at least a first session key generation unit 2023, a first session ticket generation unit 2024, an encryption unit 2025 and an identity authentication unit 2026.

First session key generation unit 2023 generates a first session key using the identity information of portable storage device 202 itself as the key seed; first session ticket generation unit 2024 generates a first session ticket and sends it to encryption unit 2025 and identity authentication unit 2026; encryption unit 2025 encrypts the first session ticket with the first session key and sends the encrypted first session ticket to decryption unit 2014 through first interface unit 2027 and second interface unit 2015; identity information entry and storage unit 2012 lets the user enter identity information and stores it; second session key generation unit 2013 generates a second session key using the user-entered identity information as the key seed, following the generation mechanism of the first session key; decryption unit 2014 decrypts the first session ticket from encryption unit 2025 with the second session key, using the decryption mechanism corresponding to the encryption mechanism, and sends the resulting second session ticket to identity authentication unit 2026 through first interface unit 2027 and second interface unit 2015; identity authentication unit 2026 compares the second session ticket from decryption unit 2014 with the first session ticket from first session ticket generation unit 2024; if they are identical, authentication of terminal 201 passes, otherwise it fails.

It should also be noted that once an authentication has finished, the security processing module 2011 used for that authentication is automatically deleted from terminal 201; when the next authentication takes place, a new security processing module is loaded into terminal 201.

In practice, terminal 201 may be a PC, a mobile phone, an ATM and so on. Correspondingly, first interface unit 2027 and second interface unit 2015, which connect terminal 201 and portable storage device 202, may use the ISO 7816 interface protocol, a general-purpose memory card interface protocol or the USB interface protocol; if a wireless communication module (not shown) is built into terminal 201 and portable storage device 202, the two interface units may use a wireless interface protocol.

In practice, the identity information used for authentication may be a PIN or biometric information such as fingerprint or iris data. When the identity information is a PIN, identity information entry and storage unit 2012 may include a soft keyboard for the user to enter the PIN.

Based on the system above, Figure 3 is a flow chart of an identity authentication method provided by the invention. As shown in Figure 3, the method includes the following steps:

Step 301: the portable storage device loads into the terminal the same session key generation mechanism as its own, together with the decryption mechanism corresponding to its own encryption mechanism.

Step 302: the terminal and the portable storage device generate their respective session keys according to the same session key generation mechanism. Specifically, the portable storage device generates a first session key using its own identity information as the key seed, and the terminal generates a second session key using the user-entered identity information as the key seed, following the generation mechanism of the first session key.

Step 303: the portable storage device encrypts a session ticket it generated with its own session key; the terminal decrypts the encrypted session ticket with its own session key and returns the decrypted session ticket to the portable storage device. Specifically, the portable storage device generates a first session ticket, encrypts it with the first session key and sends the encrypted first session ticket to the terminal; the terminal decrypts it with the second session key, using the decryption mechanism corresponding to the encryption mechanism.

Step 304: the portable storage device compares the received session ticket with the one it generated. Specifically, it checks whether the second session ticket from the terminal is identical to the first session ticket it generated; if so, authentication of the terminal passes, otherwise it fails.

The identity authentication method provided by the invention is described in detail below through an embodiment.

Figure 4 is a flow chart of an embodiment of the identity authentication method provided by the invention. As shown in Figure 4, the method includes the following steps:

Step 401: the portable storage device loads into the terminal the same session key generation mechanism as its own, together with the decryption mechanism corresponding to its own encryption mechanism.

When the terminal detects the portable storage device it powers the device on (this may follow the prior-art method); the portable storage device then immediately loads into the terminal the same session key generation mechanism as its own and the decryption mechanism corresponding to its own encryption mechanism.

Step 402: the user enters a PIN, and the terminal stores the PIN the user entered.

Preferably, in this embodiment the user enters the PIN with a soft keyboard. The benefit of the soft keyboard is that the position of each character on it differs every time the user enters the PIN, so a trojan present on the terminal cannot recover the PIN by recording the order in which the user presses keys.

Step 403: the terminal sends an identity authentication request to the portable storage device.

Step 404: the portable storage device generates a first session ticket T and generates a first session key K using its own stored PIN as the key seed.

In the prior art a session ticket is usually a string of random numbers; preferably, in this embodiment, the first session ticket T is generated from the current session time. The first session key K is generated by an existing key generation method, for example a hash operation or an XOR operation.

Step 405: the portable storage device encrypts the first session ticket T with the first session key K, obtaining the encrypted first session ticket E(T).

The encryption may use any existing encryption method.

Step 406: the portable storage device sends an identity authentication response to the terminal; the response carries the encrypted first session ticket E(T) obtained in step 405.

Step 407: the security processing module in the terminal generates a second session key K' using the PIN entered in step 402 as the key seed, following the generation mechanism of the first session key.

Step 408: the terminal decrypts the received encrypted first session ticket E(T) with the second session key K' generated in step 407, using the decryption mechanism corresponding to the encryption mechanism, and obtains the second session ticket T'.

Step 409: the terminal sends the second session ticket T' to the portable storage device.

Step 410: the portable storage device checks whether the received second session ticket T' is identical to the first session ticket T generated in step 404; if so, authentication of the terminal passes.

Step 411: the portable storage device returns the authentication result to the terminal. If authentication passed, the terminal is allowed to access the portable storage device; otherwise the next round of authentication begins, or the terminal is denied access to the portable storage device.

This completes the procedure.
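As an added illustration, not code from the patent or from Potevio, the exchange of steps 401 to 411 with both sides in Python, using only the standard library. The patent fixes the protocol shape but not the primitives, so the hash-based key derivation, the HMAC counter-mode stream cipher standing in for the unspecified encryption mechanism, the 16-byte ticket format and the transmission of the session time next to E(T) as a cipher nonce are all assumptions made here. The function returns the messages that crossed the card/terminal interface so the background section's point can be checked directly: unlike step 103 of the prior art, the PIN itself never appears on the wire.

```python
"""Added example (not the patent's own code): the card/terminal session
ticket exchange of Figures 3 and 4 with standard-library primitives.
Key derivation, cipher, ticket format and nonce transport are assumptions."""
import hashlib
import hmac
import struct
from typing import List, Tuple

# Mechanisms shared by both sides: these are what the "security processing
# module" the card loads into the terminal carries (steps 301/401).


def derive_session_key(pin: str) -> bytes:
    """Steps 404/407: session key from the PIN as key seed. A hash-based
    derivation, one of the methods the description allows; the label is an
    assumption so the raw PIN is never used directly as a key."""
    return hashlib.sha256(b"CN101488111A-session-key|" + pin.encode("utf-8")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (assumption)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """E() and the matching D() are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class PortableStorageDevice:
    """Identity authentication module (card side)."""

    def __init__(self, stored_pin: str) -> None:
        self._pin = stored_pin  # never leaves the device
        self._ticket = b""

    def issue_challenge(self, session_time: int) -> Tuple[bytes, bytes]:
        """Steps 404-406: T from the session time, K from the stored PIN,
        send E(T). The session time doubles as cipher nonce and travels with
        E(T); the patent does not say how the terminal learns it (assumption)."""
        nonce = struct.pack(">Q", session_time)
        self._ticket = hashlib.sha256(b"ticket|" + nonce).digest()[:16]
        k = derive_session_key(self._pin)
        return nonce, xor_crypt(k, nonce, self._ticket)

    def verify(self, ticket_prime: bytes) -> bool:
        """Step 410: T' must equal T. Constant-time compare is added hardening."""
        return hmac.compare_digest(self._ticket, ticket_prime)


def terminal_respond(entered_pin: str, nonce: bytes, encrypted_ticket: bytes) -> bytes:
    """Steps 407-409 (terminal side): K' from the entered PIN, T' = D_K'(E(T))."""
    k_prime = derive_session_key(entered_pin)
    return xor_crypt(k_prime, nonce, encrypted_ticket)


def run_authentication(stored_pin: str, entered_pin: str,
                       session_time: int) -> Tuple[bool, List[Tuple[str, bytes]]]:
    """Full exchange. Returns the result and every message that crossed the
    card/terminal interface, i.e. what an eavesdropper on that interface sees."""
    transcript: List[Tuple[str, bytes]] = []
    card = PortableStorageDevice(stored_pin)
    nonce, e_t = card.issue_challenge(session_time)
    transcript.append(("card->terminal", nonce + e_t))  # step 406
    t_prime = terminal_respond(entered_pin, nonce, e_t)
    transcript.append(("terminal->card", t_prime))      # step 409
    return card.verify(t_prime), transcript             # steps 410/411


def pin_on_the_wire(pin: str, transcript: List[Tuple[str, bytes]]) -> bool:
    """The prior-art weakness of step 103: is the PIN in any message?"""
    return any(pin.encode("utf-8") in msg for _, msg in transcript)


if __name__ == "__main__":
    ok, log = run_authentication("123456", "123456", 1700000000)
    print("correct PIN:", ok, "| PIN visible on wire:", pin_on_the_wire("123456", log))
    ok, log = run_authentication("123456", "654321", 1700000000)
    print("wrong PIN:  ", ok)
```

Running the file shows the correct PIN accepted, a wrong PIN rejected, and the PIN absent from both messages. One property of the scheme as described is worth keeping in mind when implementing it: both E(T) and T' cross the interface, and the terminal holds the derivation and decryption mechanisms, so a recorded E(T), T' pair can be used to test PIN guesses offline without the card. The scheme removes the PIN from the interface; the strength of the PIN or biometric seed still matters accordingly.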

The above are only preferred embodiments of the invention and do not limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (14)

1. An identity authentication system comprising a terminal and a portable storage device, characterized in that:
the portable storage device comprises an identity authentication module and a security processing module loading unit, wherein
the identity authentication module encrypts a session ticket it generates using its own session key;
the security processing module loading unit loads a security processing module into the terminal;
the security processing module carries the same session key generation mechanism as the identity authentication module and generates its own session key according to that mechanism; it also carries a decryption mechanism corresponding to the encryption mechanism of the identity authentication module, decrypts the encrypted session ticket from the identity authentication module using its own session key, and returns the decrypted session ticket to the identity authentication module;
and the identity authentication module further compares the received session ticket with the session ticket it generated.
2. The system of claim 1, wherein the identity authentication module comprises a first session key generation unit, a first session ticket generation unit, an encryption unit and an identity authentication unit; the security processing module comprises an identity information input and storage unit, a second session key generation unit and a decryption unit; wherein
the first session key generation unit generates a first session key using the identity information stored in the portable storage device as the key seed;
the first session ticket generation unit generates a first session ticket and sends it to the encryption unit and the identity authentication unit;
the encryption unit encrypts the first session ticket with the first session key and sends the encrypted first session ticket to the decryption unit;
the identity information input and storage unit accepts identity information entered by the user and stores it;
the second session key generation unit generates a second session key according to the generation mechanism of the first session key, using the identity information entered by the user as the key seed;
the decryption unit decrypts the encrypted first session ticket from the encryption unit with the second session key, according to the decryption mechanism corresponding to the encryption mechanism, and sends the resulting second session ticket to the identity authentication unit;
the identity authentication unit compares whether the second session ticket from the decryption unit is consistent with the first session ticket from the first session ticket generation unit; if so, identity authentication of the terminal passes; otherwise, identity authentication fails.
3. The system according to claim 1 or 2, wherein
the terminal is a PC (personal computer), a mobile phone or an ATM (automatic teller machine);
the portable storage device is a smart card, a memory card or a USB Key.
4. The system according to claim 2, wherein an ISO7816 interface protocol, a universal memory card interface protocol, a USB interface protocol, or a wireless interface protocol is adopted between the terminal and the portable storage device.
5. The system of claim 2, wherein the identity information is a Personal Identification Number (PIN) or biometric information.
6. The system of claim 2, wherein the identity information input and storage unit comprises a soft keyboard.
7. The system of claim 2, wherein the first session ticket and the second session ticket are generated based on a current session time.
8. An identity authentication method, characterized in that the method comprises the steps of:
the portable storage device loads into the terminal a session key generation mechanism identical to its own and a decryption mechanism corresponding to its own encryption mechanism;
the portable storage device encrypts a session ticket it generated using its own session key;
the terminal generates a session key according to the same session key generation mechanism as the portable storage device, decrypts the encrypted session ticket from the portable storage device using its own session key, and returns the decrypted session ticket to the portable storage device;
the portable storage device compares the received session ticket with the session ticket it generated.
9. The method of claim 8, wherein
the terminal and the portable storage device generate their respective session keys according to the same session key generation mechanism as follows: the portable storage device generates a first session key using its own stored identity information as the key seed, and the terminal generates a second session key according to the generation mechanism of the first session key, using the identity information entered by the user as the key seed;
the portable storage device encrypts the session ticket it generated using its own session key as follows: the portable storage device generates a first session ticket and encrypts it with the first session key;
the terminal decrypts the encrypted session ticket from the portable storage device using its own session key as follows: the terminal decrypts the encrypted first session ticket from the portable storage device with the second session key, according to the decryption mechanism corresponding to the encryption mechanism;
the portable storage device compares the received session ticket with the session ticket it generated as follows: the portable storage device compares whether the second session ticket from the terminal is consistent with the first session ticket it generated; if so, identity authentication of the terminal passes; otherwise, identity authentication fails.
10. The method according to claim 8 or 9, characterized in that the terminal is a PC, a mobile phone or an automatic teller machine (ATM);
the portable storage device is a smart card, a memory card or a USB Key.
11. The method according to claim 9, wherein the terminal and the portable storage device are connected through an ISO7816 interface, or a universal memory card interface, or a USB interface, or a wireless interface.
12. The method of claim 9, wherein the identity information is a Personal Identification Number (PIN) or biometric information.
13. The method of claim 9, wherein the method for the user to enter identity information is: the user enters identity information using a soft keyboard.
14. The method of claim 9, wherein the first session ticket and the second session ticket are generated based on a current session time.
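The exchange of claims 8 and 9, with the units of claim 2 on each side, as an added example that is not code from the patent or its applicant. The page names neither the key derivation function nor the cipher, so both are assumptions here: PBKDF2-HMAC-SHA256 over the identity information (the key seed) with a public per-device salt assumed to be carried in the loaded module, and an HMAC-SHA256 counter-mode keystream standing in for the encryption/decryption pair. The ticket is the current session time of claim 7 plus random bytes (an assumption that makes each ticket single-use); the class and function names are this example's own.

```python
"""Claims 8/9 of CN101488111A as a runnable exchange: device issues an encrypted
ticket, terminal derives its own key from the user-entered identity info,
decrypts, returns the plaintext ticket, device compares.  Example code only;
the derivation function, cipher and ticket layout are assumptions, not the
patent's.  Standard library only so it runs offline."""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional


def derive_session_key(identity_seed: bytes, salt: bytes, iterations: int = 50_000) -> bytes:
    """The session key generation mechanism shared by both sides (claims 2 and 9).
    Assumption: PBKDF2-HMAC-SHA256; the salt is a public per-device value."""
    return hashlib.pbkdf2_hmac("sha256", identity_seed, salt, iterations, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the unspecified encryption/decryption pair: XOR with an
    HMAC-SHA256 counter-mode keystream.  Encrypt and decrypt are the same
    operation, so the module's decryption mechanism mirrors the device's."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass(frozen=True)
class EncryptedTicket:
    nonce: bytes
    ciphertext: bytes


class PortableStorageDevice:
    """Identity authentication module of claims 1 and 2 (smart card / USB Key side)."""

    def __init__(self, stored_identity: bytes, salt: bytes):
        self._seed = stored_identity      # identity information held on the device
        self.salt = salt                  # public, shipped with the loaded module
        self._ticket: Optional[bytes] = None  # first session ticket of this cycle
        self.unlocked = False

    def issue_ticket(self, session_time: Optional[int] = None) -> EncryptedTicket:
        """First session ticket generation unit + encryption unit."""
        if session_time is None:
            session_time = int(time.time())
        # claim 7: ticket based on current session time; random tail is an assumption
        self._ticket = struct.pack(">Q", session_time) + os.urandom(16)
        first_key = derive_session_key(self._seed, self.salt)
        nonce = os.urandom(12)
        return EncryptedTicket(nonce, keystream_xor(first_key, nonce, self._ticket))

    def verify(self, returned_ticket: bytes) -> bool:
        """Identity authentication unit: compare second ticket with first ticket.
        The stored ticket is cleared so a replayed answer fails the next cycle."""
        ok = self._ticket is not None and hmac.compare_digest(returned_ticket, self._ticket)
        self._ticket = None
        self.unlocked = ok
        return ok


class SecurityProcessingModule:
    """Module loaded into the terminal by the device (claim 1): second session
    key generation unit + decryption unit."""

    def __init__(self, salt: bytes):
        self.salt = salt

    def decrypt_ticket(self, user_identity: bytes, enc: EncryptedTicket) -> bytes:
        second_key = derive_session_key(user_identity, self.salt)
        return keystream_xor(second_key, enc.nonce, enc.ciphertext)


def run_authentication(device: PortableStorageDevice,
                       module: SecurityProcessingModule,
                       user_entry: bytes) -> bool:
    """One authentication cycle of claim 8; returns the device's verdict."""
    enc = device.issue_ticket()                       # device -> terminal
    second_ticket = module.decrypt_ticket(user_entry, enc)  # terminal -> device
    return device.verify(second_ticket)


if __name__ == "__main__":
    salt = b"device-0001"                 # constructed sample values
    device = PortableStorageDevice(b"123456", salt)
    module = SecurityProcessingModule(salt)
    print("correct PIN  ->", run_authentication(device, module, b"123456"))
    print("wrong PIN    ->", run_authentication(device, module, b"654321"))
```

Two things to keep in view when reading the claims against this code. First, the only secret on either side is the identity information, so with a PIN as the key seed the effective key space is the PIN space: a party that holds one encrypted ticket and the plaintext ticket returned over the interface of claim 4 (the terminal itself, or whatever observes that interface) can test PIN candidates offline, and the derivation's iteration count only slows that down. Second, the device-side retry counter and lockout that a real card applies are outside the claims and outside this example; the example only clears the ticket after each comparison so that a captured answer cannot be replayed.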
Application CNA2009100773140A, "Identification authentication method and system", filed 2009-02-17 (priority date 2009-02-17), published as CN101488111A on 2009-07-22; status: pending. Family ID: 40891011. Country: CN.

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102004909A (en) * 2010-11-30 2011-04-06 方正国际软件有限公司 Method and system for processing identity information
CN104065648B (en) * 2014-06-05 2017-07-21 天地融科技股份有限公司 A kind of data processing method of voice call
CN104065648A (en) * 2014-06-05 2014-09-24 天地融科技股份有限公司 Data processing method of voice communication
CN105790946B (en) * 2014-12-22 2020-05-12 中国移动通信集团公司 Method, system and related equipment for establishing data channel
CN105790946A (en) * 2014-12-22 2016-07-20 中国移动通信集团公司 Method and system for building data channel and related devices
CN106302354A (en) * 2015-06-05 2017-01-04 北京壹人壹本信息科技有限公司 A kind of identity identifying method and device
CN105491073A (en) * 2016-01-21 2016-04-13 腾讯科技(深圳)有限公司 Data downloading method, device and system
WO2018045917A1 (en) * 2016-09-09 2018-03-15 天地融科技股份有限公司 Authorization system, method, and card
WO2018045916A1 (en) * 2016-09-09 2018-03-15 天地融科技股份有限公司 Authorization method, system, and card
CN106788972A (en) * 2016-12-16 2017-05-31 成都理工大学 A kind of train ticket self-help ticket-buying fetching system based on block chain authentication
CN106788972B (en) * 2016-12-16 2020-03-10 成都理工大学 Train ticket self-service ticket buying and taking system based on block chain identity authentication
CN108243156A (en) * 2016-12-26 2018-07-03 航天信息股份有限公司 A kind of method and system that network authentication is carried out based on fingerprint key
CN108509787A (en) * 2018-03-14 2018-09-07 深圳市中易通安全芯科技有限公司 A kind of program authentication method
CN108509787B (en) * 2018-03-14 2022-06-10 深圳市中易通安全芯科技有限公司 Program authentication method
WO2022022057A1 (en) * 2020-07-30 2022-02-03 北京金山云网络技术有限公司 Session ticket processing method and apparatus, electronic device, and computer readable storage medium
CN113010875A (en) * 2021-03-17 2021-06-22 紫光国芯微电子股份有限公司 Information isolation method, memory card and mobile terminal

Similar Documents

Publication Publication Date Title
CN101488111A (en) Identification authentication method and system
US11706033B2 (en) Secure distributed information system
US9003516B2 (en) System and method for encrypted smart card pin entry
JP6264674B2 (en) Authentication system and method using QR code
US8365262B2 (en) Method for automatically generating and filling in login information and system for the same
US8295484B2 (en) System and method for securing data from a remote input device
US20130159699A1 (en) Password Recovery Service
US20100138667A1 (en) Authentication using stored biometric data
EP2628133B1 (en) Authenticate a fingerprint image
CN107864124B (en) Terminal information security protection method, terminal and Bluetooth lock
CN101140605A (en) Data safe reading method and safe storage device thereof
JP2008028940A (en) Information processing system, information processor, mobile terminal, and access control method
EP2590101B1 (en) Authentication using stored biometric data
US20140025946A1 (en) Audio-security storage apparatus and method for managing certificate using the same
CN105635103A (en) Network authentication method using card device
CN115529591B (en) Authentication method, device, equipment and storage medium based on token
CN107085899A (en) The identity identifying method at finance self-help end and finance self-help end
JP4760124B2 (en) Authentication device, registration device, registration method, and authentication method
KR101017014B1 (en) Game access system and method using smart chip medium
Wang et al. Method of internet service easy login application based on RFSIM
CN114139136A (en) Portable safety authentication system, method and assembly based on quantum key
CN113162766A (en) Key management method and system for key component
JP2004186913A (en) User authentication method, information terminal and information storage medium
KR20140007627A (en) Ic chip
CN102752270A (en) Electronic document transfer system, mobile communication device and related decryption device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20090722