CN109587683B - Method and system, application program and terminal information database for SMS anti-interception - Google Patents
Method and system, application program and terminal information database for SMS anti-interception
- Publication number: CN109587683B (application CN201910006481.XA, first published as CN109587683A)
- Authority: CN (China)
- Prior art keywords: code, terminal, plaintext, account user, application program
- Legal status: Active (the legal status is an assumption by Google Patents and is not a legal conclusion)
Classifications (CPC)
- H04W 12/02: Security arrangements; protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
- H04W 12/06: Security arrangements; authentication
- H04W 12/12: Security arrangements; detection or prevention of fraud
- H04W 4/14: Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]
- H04L 9/0863: Generation of secret information including derivation or calculation of cryptographic keys or passwords, involving passwords or one-time passwords
- H04L 9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords, involving random numbers or seeds
Abstract
The invention belongs to the field of the Internet and communications and relates to a method, a system, an application program and a terminal information database for protecting SMS against interception. The method includes: receiving plaintext related to an account user; randomly generating an encryption code corresponding to the plaintext and encrypting the plaintext with the encryption code to obtain an original ciphertext; extracting the terminal identifier of the terminal that will receive the SMS verification code, and sending terminal information comprising at least the terminal identifier, the encryption code and the original ciphertext to a terminal information database; receiving the same plaintext and the terminal identifier entered again by the account user; querying the terminal information database, according to the terminal identifier entered by the account user, for the most recent encryption code and original ciphertext associated with that terminal identifier; encrypting the re-entered plaintext with that encryption code to obtain a review ciphertext; and deciding whether to trust the SMS verification code according to whether the original ciphertext and the review ciphertext match. This effectively secures identity verification carried out over SMS.
Description
Technical field
The invention belongs to the field of the Internet and communications, and specifically relates to a method for protecting SMS against interception, a system for protecting SMS against interception, an application program and a terminal information database.
Background
With the spread of real-name registration for mobile phones, more and more enterprises use the SMS verification code as their security barrier. The online banking services of major banks, online shopping malls, group-buying websites, ticketing companies and other enterprises choose to perform security verification through SMS. The SMS verification code has become the main method of identity verification: with it a user can log in, change passwords and so on, and directly or indirectly use applications that handle funds. However, SMS is currently carried mainly over the 2G (GSM) network, and GSM's one-way authentication is a serious security defect: the network authenticates the handset but the handset cannot authenticate the network, so a rogue base station can direct the handset to operate without encryption and read its SMS traffic in the clear.
A base station can verify the legitimacy of a terminal (such as a mobile phone), but the terminal has no way to verify the legitimacy of the base station. A "pseudo base station" is a fake base station, generally made up of a host unit plus a laptop or a mobile phone. As long as it transmits a signal resembling that of a real base station, it can trick phones into attaching to its network and then carry out illegal activities. Exploiting this weakness, criminals pose as the operator's base station, spoof other people's numbers and push fraud and advertising SMS onto users' phones. Worse, with a fake base station and sniffing equipment they collect the SIM card information and SMS of every phone within a certain radius, harvest phone numbers and SMS verification codes, and use the intercepted SMS to impersonate the user in identity verification. This has very serious consequences, such as theft of the user's payment account information, and puts the user's funds at risk.
How to secure verification carried out over SMS has therefore become a pressing technical problem.
Summary of the invention
The technical problem to be solved by the invention is to address the above deficiencies of the prior art by providing a method for protecting SMS against interception, a system for protecting SMS against interception, an application program and a terminal information database, which effectively secure identity verification carried out over SMS.
The technical solution adopted is a method for protecting SMS against interception which, before the application program receives the SMS verification code, further includes the following steps for verifying the account user:
receiving plaintext related to the account user;
randomly generating an encryption code corresponding to the plaintext, and encrypting the plaintext with the encryption code to obtain an original ciphertext;
extracting the terminal identifier of the terminal that will receive the SMS verification code, and sending terminal information comprising at least the terminal identifier, the encryption code and the original ciphertext to a terminal information database;
receiving the same plaintext and the terminal identifier entered again by the account user;
querying the terminal information database, according to the terminal identifier entered by the account user, for the most recent encryption code and original ciphertext associated with that terminal identifier;
and, encrypting the plaintext entered again by the account user with that encryption code to obtain a review ciphertext;
deciding whether to trust the SMS verification code according to whether the original ciphertext and the review ciphertext match.
Preferably, the plaintext is entered by the account user;
or, the plaintext is randomly generated according to a predetermined rule by the application program into which the account user is logged, and is returned to the account user.
Preferably, the information sent to the terminal information database further includes the name, version number and developer of the application program to be logged into.
Preferably, the plaintext is any one of: random characters, the account user's ID card number, the account user's name, or one of the ten contacts the account user has called most frequently recently.
A method for protecting SMS against interception which, before the application program receives the SMS verification code, further includes the following steps for verifying the account user:
receiving and storing a terminal identifier, an encryption code and a ciphertext;
in response to a query request, returning to the application program the most recent encryption code and original ciphertext associated with the terminal identifier.
Preferably, before the account user is verified, the method further includes a step in which the terminal is authenticated and registered in the terminal information database, comprising:
the account user sending the terminal's operator customer-service password to the terminal information database by way of the mobile switching network, where the mobile switching network includes sending a text SMS, sending a voice message or placing a voice call;
the terminal information database identifying the terminal identifier corresponding to the terminal and extracting the operator customer-service password;
the terminal information database querying, according to the terminal identifier, the operator's customer-service system for the operator customer-service password associated with that terminal identifier;
determining, according to whether the operator customer-service passwords match, whether the terminal is being operated by a hacker.
Preferably, the step of determining whether the terminal is being operated by a hacker according to whether the operator customer-service passwords match includes:
if the operator customer-service passwords match, the service authentication and registration is deemed to have been performed by the account user;
if the operator customer-service passwords do not match, the service authentication and registration is deemed to have been performed by a hacker impersonating the account user.
Preferably, the information sent to the terminal information database further includes the name, version number and developer of the application program to be logged into.
An application program comprising a verification module for verifying the account user, the verification module comprising an interface module, an encryption module, a transmission module, a review module and a judgement module, wherein:
the interface module receives plaintext related to the account user, and receives the same plaintext and the terminal identifier entered again by the account user;
the encryption module randomly generates an encryption code corresponding to the plaintext and encrypts the plaintext with the encryption code to obtain an original ciphertext;
the transmission module extracts the terminal identifier of the terminal that will receive the SMS verification code and sends terminal information comprising at least the terminal identifier, the encryption code and the original ciphertext to the terminal information database; and further queries the terminal information database, according to the terminal identifier entered by the account user, for the most recent encryption code and original ciphertext associated with that terminal identifier;
the review module encrypts the plaintext entered again by the account user with that encryption code to obtain a review ciphertext;
the judgement module decides whether to trust the SMS verification code according to whether the original ciphertext and the review ciphertext match.
A terminal information database comprising a storage module and a query module, wherein:
the storage module receives and stores the terminal identifier, the encryption code and the ciphertext;
the query module, in response to a query request, returns to the application program the most recent encryption code and original ciphertext associated with the terminal identifier.
A system for protecting SMS against interception, comprising the above application program and the above terminal information database.
The beneficial effects of the invention are:
The method, system, application program and terminal information database for protecting SMS against interception provided by the invention effectively guard against the harm caused by fake base stations. They thoroughly resolve the problems that arise once a phone has attached to a fake base station, namely receiving large volumes of junk SMS and having its transmitted information stolen through the fake base station, and in particular the problem that a fake base station can currently intercept SMS and thereby defeat SMS-based identity verification, with severe consequences such as theft of payment account information and the resulting risk to the user's funds. They thus avoid the harm of a user connecting to a fake base station and safeguard the normal use and security of the user's account.
Brief description of the drawings
Fig. 1 is a flowchart of the SMS anti-interception method in Embodiment 1 of the invention;
Fig. 2 is a structural block diagram of the verification module of the application program in Embodiment 1 of the invention;
Fig. 3 is a flowchart of the SMS anti-interception method in Embodiment 2 of the invention;
Fig. 4 is a structural block diagram of the terminal information database in Embodiment 2 of the invention;
Fig. 5 is a structural block diagram of the SMS anti-interception system in Embodiment 3 of the invention;
Fig. 6 is a flowchart of the SMS anti-interception method in Embodiment 3 of the invention.
Reference numerals in the drawings:
1 - verification module; 11 - interface module; 12 - encryption module; 13 - transmission module; 14 - review module; 15 - judgement module;
2 - terminal information database; 21 - storage module; 22 - query module.
Detailed description
To help those skilled in the art better understand the technical solution of the invention, the method for protecting SMS against interception, the system for protecting SMS against interception, the application program and the terminal information database of the invention are described in further detail below with reference to the drawings and specific embodiments.
At present the SMS verification code is the main means of identity verification for network activities such as changing a login password or a payment password; in other words, confirming the account user's identity by SMS verification code is currently the sole authentication factor. The technical idea of the invention is, given this state of affairs, to verify the account user's identity before the SMS verification code is entered, by adding factors that are very easy for the account owner (that is, the owner of the terminal) to supply but laborious and difficult for an attacker to obtain, thereby lowering the probability that an attacker who intercepts SMS succeeds.
The method, system, application program and terminal information database for protecting SMS against interception provided by the invention effectively address the problems that an existing terminal (such as a mobile phone) attached to a fake base station receives large volumes of junk SMS, has its transmitted information stolen through the fake base station, or, worse, has its SMS intercepted by the fake base station so that identity verification is defeated. They keep the user from being exploited through a fake base station, and so effectively guard against the harm such stations cause and safeguard the normal use and security of the user's account.
Embodiment 1:
This embodiment provides a method for protecting SMS against interception and a corresponding application program, which verify the identity of the account user before the application program receives the SMS verification code and thereby protect the user's account.
As shown in Fig. 1, before the application program receives the SMS verification code, the method further includes the following steps for verifying the account user:
Step S11): receive plaintext related to the account user.
In this step the plaintext can be obtained in two ways. First, it is entered by the account user, i.e. typed manually into the application program. Second, it is randomly generated, according to a predetermined rule, by the application program into which the account user is logged and returned to the account user: the user types nothing; once the user asks to be verified, the application program generates a random plaintext and displays it in the interface, the plaintext being produced under a rule agreed by both sides. The plaintext may of course be any one of: random characters, the account user's ID card number, the account user's name, or one of the ten contacts the account user has called most frequently recently.
Step S12): randomly generate an encryption code corresponding to the plaintext, and encrypt the plaintext with the encryption code to obtain the original ciphertext.
In this step any existing encryption algorithm may be used; none is mandated here. The encryption code, which serves as the key, is held fixed for the duration of a single authentication attempt by the user. Since step S17 compares two ciphertexts computed from the same encryption code, the encryption must be deterministic: the same encryption code and plaintext must always produce the same ciphertext.
Step S13): extract the terminal identifier of the terminal that will receive the SMS verification code, and send terminal information comprising at least the terminal identifier, the encryption code and the original ciphertext to the terminal information database.
In this step the information sent to the terminal information database preferably also includes the name, version number and developer of the application program to be logged into, so that the database can keep a distinct application-to-encryption-code-and-ciphertext mapping for each application.
Step S14): receive the same plaintext and the terminal identifier entered again by the account user.
In this step the account user must manually re-enter the plaintext entered in step S11), or the plaintext generated by the application program and returned to the account user.
Step S15): according to the terminal identifier entered by the account user, query the terminal information database for the most recent encryption code and original ciphertext associated with that terminal identifier.
In this step the encryption code and the original ciphertext are exchanged between the application program and the terminal information database over the network.
Step S16): encrypt the plaintext entered again by the account user with that encryption code to obtain the review ciphertext.
In this step the application program simply encrypts the plaintext manually entered in step S14) with the encryption code used in step S12), obtaining the review ciphertext.
Step S17): decide whether to trust the SMS verification code according to whether the original ciphertext and the review ciphertext match.
In this step, whether or not the original ciphertext and the review ciphertext match determines how far the application program trusts the SMS verification code subsequently delivered over the 2G GSM network.
By this method, before every login by SMS verification code the application program generates a random encryption code, encrypts the plaintext with it twice and compares the two results. Because the random encryption code is exchanged over the network between the application program and the terminal information database rather than over the GSM SMS channel, a solid line of defence is erected for the account user ahead of the SMS verification code: the SMS verification code that is finally accepted is authentic with respect to the application program's verification, and an intercepted SMS verification code alone no longer exposes the account.
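As an added illustration (not code from the patent), the following Python models steps S11 to S17 end to end together with the storage and query side of the terminal information database described in Embodiment 2. The patent fixes neither an encryption algorithm nor a data format: HMAC-SHA256 as the deterministic keyed "encryption", the in-memory database, the constructed phone numbers and all class, function and field names are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AppInfo:
    """Name, version number and developer of the application (the optional fields of step S13)."""
    name: str
    version: str
    developer: str


@dataclass(frozen=True)
class TerminalRecord:
    """One row of the terminal information database (step S13 / S21)."""
    terminal_id: str            # identifier of the terminal that will receive the SMS code
    encryption_code: bytes      # the randomly generated encryption code (acts as the key)
    original_ciphertext: bytes  # plaintext encrypted under encryption_code
    app: AppInfo


class TerminalInfoDatabase:
    """Storage and query modules of Embodiment 2: keep every record, hand back the most recent one."""

    def __init__(self) -> None:
        self._records: list[TerminalRecord] = []   # append order is arrival order

    def store(self, record: TerminalRecord) -> None:
        self._records.append(record)

    def latest_for(self, terminal_id: str, app: AppInfo) -> Optional[TerminalRecord]:
        # Scoped by app identity: two applications verifying the same phone number
        # must not read each other's codes, which is why step S13 sends the app info.
        for record in reversed(self._records):
            if record.terminal_id == terminal_id and record.app == app:
                return record
        return None


def encrypt(encryption_code: bytes, plaintext: str) -> bytes:
    """Deterministic keyed transform standing in for the patent's unspecified encryption.
    HMAC-SHA256 is this example's choice: the same code and plaintext always give the
    same output, which the original/review comparison of step S17 depends on."""
    return hmac.new(encryption_code, plaintext.encode("utf-8"), hashlib.sha256).digest()


class VerifierApp:
    """Interface, encryption, transmission, review and judgement modules of the application."""

    def __init__(self, db: TerminalInfoDatabase, app: AppInfo) -> None:
        self.db = db
        self.app = app

    def generate_plaintext(self) -> str:
        # Second way of obtaining the plaintext in step S11: the app makes a random one and shows it.
        return secrets.token_hex(4)

    def begin_verification(self, terminal_id: str, plaintext: str) -> None:
        # S12: a fresh random encryption code for this attempt, fixed for the rest of the attempt.
        encryption_code = secrets.token_bytes(32)
        original = encrypt(encryption_code, plaintext)
        # S13: terminal id, encryption code, original ciphertext and app info go to the database.
        self.db.store(TerminalRecord(terminal_id, encryption_code, original, self.app))

    def trust_sms_code(self, terminal_id: str, plaintext_again: str) -> bool:
        # S14/S15: the user re-enters plaintext and terminal id; fetch the latest record for that terminal.
        record = self.db.latest_for(terminal_id, self.app)
        if record is None:
            return False        # no prior attempt for this terminal and app: do not trust the SMS code
        # S16: recompute the review ciphertext with the stored encryption code.
        review = encrypt(record.encryption_code, plaintext_again)
        # S17: constant-time comparison decides whether the incoming SMS code may be trusted.
        return hmac.compare_digest(record.original_ciphertext, review)


def demo() -> tuple[bool, bool, bool]:
    """Constructed walk-through: one honest re-entry, one wrong plaintext, one unknown terminal."""
    db = TerminalInfoDatabase()
    app = VerifierApp(db, AppInfo("ExampleBank", "1.0", "Example Co."))
    phone = "13800000000"                       # constructed sample terminal identifier
    app.begin_verification(phone, "ZHANG SAN")  # plaintext here: the account holder's name
    honest = app.trust_sms_code(phone, "ZHANG SAN")
    wrong_plaintext = app.trust_sms_code(phone, "LI SI")
    unknown_terminal = app.trust_sms_code("13900000000", "ZHANG SAN")
    return honest, wrong_plaintext, unknown_terminal


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Running the block accepts the honest re-entry and rejects both a wrong plaintext and a terminal with no stored record. The deterministic transform is the point to notice: with a randomised cipher the review ciphertext would never equal the original, and the decision of step S17 could not be taken. Keeping the records per application, as the patent's optional name/version/developer fields allow, stops one application's code from satisfying another's check.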
Correspondingly, as shown in Fig. 2, this embodiment also provides an application program comprising a verification module for verifying the account user. The verification module 1 comprises an interface module 11, an encryption module 12, a transmission module 13, a review module 14 and a judgement module 15, wherein:
the interface module 11 receives plaintext related to the account user, and receives the same plaintext and the terminal identifier entered again by the account user;
the encryption module 12 randomly generates an encryption code corresponding to the plaintext and encrypts the plaintext with the encryption code to obtain the original ciphertext;
the transmission module 13 extracts the terminal identifier of the terminal and sends terminal information comprising at least the terminal identifier, the encryption code and the original ciphertext to the terminal information database; and further queries the terminal information database, according to the terminal identifier entered by the account user, for the most recent encryption code and original ciphertext associated with that terminal identifier;
the review module 14 encrypts the plaintext entered again by the account user with that encryption code to obtain the review ciphertext;
the judgement module 15 decides whether to trust the SMS verification code according to whether the original ciphertext and the review ciphertext match.
On top of the random plaintext above, further factors can be added. For example, besides requiring the party being verified to present the terminal and the SMS verification code delivered to it within a fixed time, the verifying application program can also ask for the account user's ID card number, the account user's name, or one of the ten contacts the account user has called most frequently recently, and can confirm this information with the telecommunications operator. Such information is easy for the legitimate party to supply, but a fake-base-station attacker, who can intercept the SMS verification code and little else, finds it hard to obtain; this is what secures verification over SMS. The protection therefore rests on the plaintext being something only the account user can supply, exactly as the technical idea stated above requires.
Moreover, the order in which steps S14) to S16) obtain the original ciphertext from the terminal information database and recompute the review ciphertext locally is not fixed; it suffices that both ciphertexts are obtained and compared for consistency.
It should be understood that the verification module may be integrated into the application program as one of its functional components, stored on a memory in the form of code; or it may run independently as a separate mini-program that the application program invokes whenever it needs SMS verification, in order to verify the account user; or the application program may call the mini-program directly, keep its messages synchronised with it and simply receive the returned verification result when verification completes. No limitation is imposed here.
The method and application program for protecting SMS against interception apply to apps installed on mobile terminals (such as mobile phones) and equally to web applications on networked devices such as desktop and laptop computers; no limitation is imposed here either.
The method and its corresponding application program effectively secure the verification of the account user.
Example 2:
This example provides an SMS anti-monitoring method and a corresponding terminal information database, which cooperate to achieve account user identity verification by the application before it receives an SMS verification code, thereby ensuring the security of the user's account.
As shown in Figure 3, before the application receives the SMS verification code, the SMS anti-monitoring method further includes the following steps for verifying the account user:
Step S21): Receive and store the terminal identification, the encryption code and the ciphertext code.
In this step, the information sent to the terminal information database further includes application information such as the name, version number and developer of the application to be logged in, so that the correspondence between the application and its encryption code and ciphertext code can be established and distinguished more reliably.
Step S22): In response to a query request, return to the application the most recent encryption code and original ciphertext code corresponding to the terminal identification.
In this step, the terminal information database returns to the application the most recent encryption code and original ciphertext code corresponding to the terminal identification.
Preferably, before the terminal user is verified, the method also includes step S20): the terminal authenticates and registers with the terminal information database, which comprises:
the account user sends the terminal's carrier customer service password to the terminal information database via the mobile switching network, where the mobile switching network means include sending a text message, sending a voice message or placing a voice call;
the terminal information database identifies and extracts the terminal identification corresponding to the terminal and the carrier customer service password;
the terminal information database uses the terminal identification to look up, in the carrier's customer service system, the carrier customer service password corresponding to that terminal identification;
whether the terminal is being operated by a hacker is determined according to whether the carrier customer service password is correct. The step of determining whether the terminal is being operated by a hacker according to whether the carrier customer service password is correct comprises:
if the carrier customer service password is correct, the service authentication and registration is deemed to have been performed by the account user;
if the carrier customer service password is incorrect, the service authentication and registration is deemed to have been performed by a hacker impersonating the account user.
Correspondingly, as shown in Figure 4, this example further provides a terminal information database 2, which comprises a storage module 21 and a query module 22, wherein:
the storage module 21 is configured to receive and store the terminal identification, the encryption code and the ciphertext code;
the query module 22 is configured to return to the application, in response to a query request, the most recent encryption code and original ciphertext code corresponding to the terminal identification.
The SMS anti-monitoring method and its corresponding terminal information database provide the data support for verifying the security of the account user.
Example 3:
This example provides an SMS anti-monitoring system which, based on the application program of Example 1 and the terminal information database of Example 2, implements the SMS anti-monitoring method as a whole, so that the application verifies the account user's identity before receiving the SMS verification code and the security of the user's account is ensured.
When the terminal, as the party to be verified, chooses to be verified, for example when it needs to log in to an application or a browser portal site, the real identity of the account user is verified first, before verification by SMS verification code is selected. As shown in Figure 5, the SMS anti-monitoring system comprises the verification module 1 in the application and the terminal information database 2. The SMS anti-monitoring process is described in detail below with reference to the SMS anti-monitoring methods and corresponding structures provided in Example 1 and Example 2; for the flowchart, refer to Figure 6.
Embodiment 1:
Step S31): The terminal authenticates and registers with the terminal information database.
In this step, the specific way of authenticating and registering with the terminal information database is as follows: the account user sends, via the mobile switching network, a request-for-authentication-and-registration message containing the terminal's carrier customer service password to the terminal information database, for example by sending a text message, sending a voice message or placing a voice call. After receiving this message, the terminal information database identifies and extracts the terminal identification corresponding to the terminal and the carrier customer service password, and uses the terminal identification to query the customer service system within the carrier's back-end support system. If the carrier customer service password is correct, the authentication and registration for this service is deemed to have been requested by the account user personally, rather than by a hacker impersonating the account user; if the carrier customer service password is incorrect, the service authentication and registration is deemed to have been performed by a hacker impersonating the account user.
Step S32): The application receives plaintext associated with the account user.
In this step, the account user personally enters an arbitrary plaintext in the application, for example "ABCDEFG".
Step S33): The application randomly generates an encryption code corresponding to the plaintext, and encrypts the plaintext with the encryption code to obtain the original ciphertext code.
In this step, the application generates a random encryption code KEY1, then encrypts the plaintext "ABCDEFG" with the encryption code KEY1 for the first time to obtain the original ciphertext code, for example "1234567".
Step S34): The application extracts the terminal identification of the terminal and sends terminal information comprising at least the terminal identification, the encryption code and the original ciphertext code to the terminal information database; correspondingly, the terminal information database receives and stores the terminal identification, the encryption code and the ciphertext code.
In this step, the application, acting as the verifier, sends the encryption code KEY1 and the ciphertext code "1234567" to the terminal information database to be stored and recorded.
Step S35): The application receives the same plaintext, entered again by the account user, together with the terminal identification.
In this step, the account user, acting as the party being verified, sends their plaintext "ABCDEFG" and the terminal identification (for example the mobile phone number) once more to the application acting as the verifier.
Step S36): Based on the terminal identification entered by the account user, the application queries the terminal information database for the most recent encryption code and original ciphertext code corresponding to that terminal identification; correspondingly, the terminal information database returns, in response to the query request, the most recent encryption code and original ciphertext code corresponding to the terminal identification to the application.
In this step, the application, acting as the verifier, uses the terminal identification to query the terminal information database for the encryption code and ciphertext code corresponding to the terminal. After receiving the query request, the terminal information database sends the internally stored encryption code KEY1 and ciphertext code "1234567" to the application.
Step S37): The application encrypts the plaintext entered again by the account user with the encryption code to obtain the review ciphertext code.
In this step, the application computes, according to the pre-agreed algorithm, the plaintext "ABCDEFG" with the encryption code KEY1 a second time and obtains the ciphertext code "1234567".
Step S38): The application determines whether to trust the SMS verification code according to whether the original ciphertext code and the review ciphertext code are consistent.
In this step, if the original ciphertext code and the review ciphertext code are consistent, both being "1234567", the ciphertext code verification passes; that is, the account user is the genuine holder of the terminal, and the application accepts and trusts the subsequent SMS verification code. If the original ciphertext code and the review ciphertext code are inconsistent, the application does not trust the subsequent SMS verification code.
Thus the application, acting as the verifier, verifies the ciphertext code by encrypting the plaintext twice before accepting an SMS verification code entered by the account user and transmitted over the 2G GSM network; only when this ciphertext code verification passes is the account user confirmed to be the genuine holder of the terminal, after which the conventional SMS verification code check is performed.
Embodiment 2:
Step S31): The terminal authenticates and registers with the terminal information database.
In this step, the specific way of authenticating and registering with the terminal information database is as follows: the account user sends, via the mobile switching network, a request-for-authentication-and-registration message containing the terminal's carrier customer service password to the terminal information database, for example by sending a text message, sending a voice message or placing a voice call. After receiving this message, the terminal information database identifies and extracts the terminal identification corresponding to the terminal and the carrier customer service password, and uses the terminal identification to query the customer service system within the carrier's back-end support system. If the carrier customer service password is correct, the authentication and registration for this service is deemed to have been requested by the account user personally, rather than by a hacker impersonating the account user; if the carrier customer service password is incorrect, the service authentication and registration is deemed to have been performed by a hacker impersonating the account user.
Step S32): The application receives plaintext associated with the account user.
In this step, the account user of the terminal first sends a verification request to the application; on receiving the request, the application generates a random plaintext, for example "ABCDEFG", and sends it to the terminal's interface to inform the account user. The plaintext here need only be plaintext agreed between the two parties; in this embodiment it is generated automatically by the application without requiring plaintext input from the terminal, and is proactively sent straight to the terminal interface.
Step S33): The application randomly generates an encryption code corresponding to the plaintext, and encrypts the plaintext with the encryption code to obtain the original ciphertext code.
In this step, the application generates a random encryption code KEY1, then encrypts the plaintext "ABCDEFG" with the encryption code KEY1 to obtain the ciphertext code "1234567".
Step S34): The application extracts the terminal identification of the terminal and sends terminal information comprising at least the terminal identification, the encryption code and the original ciphertext code to the terminal information database; correspondingly, the terminal information database receives and stores the terminal identification, the encryption code and the ciphertext code.
In this step, the application, acting as the verifier, sends the encryption code KEY1 and the ciphertext code "1234567" to the terminal information database to be stored and recorded. To prevent misuse of the encryption code and ciphertext code, the message sent may also include related information such as the name, version number and developer of the application to be logged in.
Step S35): Based on the terminal identification entered by the account user, the application queries the terminal information database for the most recent encryption code and original ciphertext code corresponding to that terminal identification; correspondingly, the terminal information database returns, in response to the query request, the most recent encryption code and original ciphertext code corresponding to the terminal identification to the application.
In this step, the application, acting as the verifier, queries the terminal information database for the encryption code and ciphertext code corresponding to this terminal and application, using the terminal identification together with the related information such as application name, version number and developer. After receiving the query request, the terminal information database sends the most recent internally stored ciphertext code "1234567" corresponding to that terminal identification to the application.
Step S36): The application receives the same plaintext, entered again by the account user, together with the terminal identification.
In this step, the account user, acting as the party being verified, sends the plaintext "ABCDEFG" they received and the terminal identification (for example the mobile phone number) once more to the application acting as the verifier.
Step S37): The application encrypts the plaintext entered again by the account user with the encryption code to obtain the review ciphertext code.
In this step, the application performs the second computation using the plaintext "ABCDEFG" and the encryption code KEY1 according to the pre-agreed algorithm, obtaining the ciphertext code "1234567".
Step S38): The application determines whether to trust the SMS verification code according to whether the original ciphertext code and the review ciphertext code are consistent.
In this step, if the original ciphertext code and the review ciphertext code are consistent, both being "1234567", the ciphertext code verification passes; that is, the account user is the genuine holder of the terminal, and the application accepts and trusts the subsequent SMS verification code. If the original ciphertext code and the review ciphertext code are inconsistent, the application does not trust the subsequent SMS verification code.
Thus the application, acting as the verifier, verifies the ciphertext code by encrypting the plaintext twice before accepting an SMS verification code entered by the account user and transmitted over the 2G GSM network; only when this ciphertext code verification passes is the account user confirmed to be the genuine holder of the terminal, after which the conventional SMS verification code check is performed.
Embodiment 3:
Step S31): The terminal authenticates and registers with the terminal information database.
In this step, the specific way of authenticating and registering with the terminal information database is as follows: the account user sends, via the mobile switching network, a request-for-authentication-and-registration message containing the terminal's carrier customer service password to the terminal information database, for example by sending a text message, sending a voice message or placing a voice call. After receiving this message, the terminal information database identifies and extracts the terminal identification corresponding to the terminal and the carrier customer service password, and uses the terminal identification to query the customer service system within the carrier's back-end support system. If the carrier customer service password is correct, the authentication and registration for this service is deemed to have been requested by the account user personally, rather than by a hacker impersonating the account user; if the carrier customer service password is incorrect, the service authentication and registration is deemed to have been performed by a hacker impersonating the account user.
Step S32): The application receives plaintext associated with the account user.
In this step, the account user of the terminal first sends a plaintext request to the application; on receiving the request, the application generates a random plaintext, for example "ABCDEFG", and sends it to the terminal's interface to inform the account user. The plaintext here need only be plaintext agreed between the two parties; it may also be generated automatically by the application, without a plaintext request from the terminal, and proactively sent straight to the terminal.
Step S33): The application randomly generates an encryption code corresponding to the plaintext, and encrypts the plaintext with the encryption code to obtain the original ciphertext code.
In this step, after receiving the plaintext "ABCDEFG", the application calls the identity verification function in the terminal; the verification module generates a random encryption code KEY1, then encrypts the plaintext "ABCDEFG" with the encryption code KEY1 to obtain the ciphertext code "1234567".
Step S34): The application extracts the terminal identification of the terminal and sends terminal information comprising at least the terminal identification, the encryption code and the original ciphertext code to the terminal information database; correspondingly, the terminal information database receives and stores the terminal identification, the encryption code and the ciphertext code.
In this step, the application, acting as the verifier, calls the terminal identity verification function, and the verification module sends the encryption code KEY1 and the ciphertext code "1234567" to the terminal information database to be stored and recorded. To prevent misuse of the encryption code and ciphertext code, the message sent may also include related information such as the name, version number and developer of the application to be logged in.
Step S35): Based on the terminal identification entered by the account user, the application queries the terminal information database for the most recent encryption code and original ciphertext code corresponding to that terminal identification; correspondingly, the terminal information database returns, in response to the query request, the most recent encryption code and original ciphertext code corresponding to the terminal identification to the application.
In this step, the application, acting as the verifier, calls the terminal identity verification function, which queries the terminal information database for the encryption code and ciphertext code corresponding to this terminal and application, using the terminal together with the related information such as application name, version number and developer. After receiving the query request, the terminal information database sends the internally stored ciphertext code "1234567" to the verification module.
Step S36): The application receives the same plaintext, entered again by the account user, together with the terminal identification.
In this step, the account user, acting as the party being verified, sends their plaintext "ABCDEFG" and the terminal identification (for example the mobile phone number) once more to the application acting as the verifier.
Step S37): The application encrypts the plaintext entered again by the account user with the encryption code to obtain the review ciphertext code.
In this step, the application performs the second computation using the plaintext "ABCDEFG" and the encryption code KEY1 according to the pre-agreed algorithm, obtaining the ciphertext code "1234567".
Step S38): The application determines whether to trust the SMS verification code according to whether the original ciphertext code and the review ciphertext code are consistent.
In this step, the application, acting as the verifier, calls the terminal identity verification function, and the verification module determines whether the original ciphertext code and the review ciphertext code are consistent. If they are consistent, both being "1234567", the ciphertext code verification passes; that is, the account user is the genuine holder of the terminal, and the subsequent SMS verification code is accepted and trusted. If the original ciphertext code and the review ciphertext code are inconsistent, the subsequent SMS verification code is not trusted. The verification result is returned to the application and determines whether the application accepts the SMS verification code.
Thus the application, acting as the verifier, verifies the ciphertext code by encrypting the plaintext twice before accepting an SMS verification code entered by the account user and transmitted over the 2G GSM network; only when this ciphertext code verification passes is the account user confirmed to be the genuine holder of the terminal, after which the conventional SMS verification code check is performed.
The SMS anti-monitoring method, SMS anti-monitoring system, application program and terminal information database provided by the present invention can effectively guard against the harm caused by fake base stations. They thoroughly address the existing problems of a mobile phone receiving large volumes of spam messages after connecting to a fake base station, or having its transmitted information stolen through the fake base station; in particular, they address the problem that a fake base station can currently intercept SMS messages and thereby defeat identity verification, which leads to very serious consequences such as theft of the payment account information inside and risks to the user's funds. The harm caused by a user connecting to a fake base station is avoided, and the normal use and security of the user's account are ensured.
It will be understood that the above embodiments are merely exemplary embodiments adopted to illustrate the principle of the present invention, and the present invention is not limited thereto. Those of ordinary skill in the art may make various modifications and improvements without departing from the spirit and substance of the present invention, and such modifications and improvements are also regarded as falling within the scope of protection of the present invention.
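The procedure shared by Embodiments 1 to 3, together with the registration check of step S20 from Example 2, as an added example that is not code from the patent. It assumes HMAC-SHA256 as the "pre-agreed algorithm" (the patent names none), replaces the terminal information database and the carrier's customer service system with in-memory stand-ins, and uses constructed phone numbers, passwords and application details.

```python
"""Two-pass ciphertext check of Embodiments 1-3 plus registration step S20 of Example 2.
Added example, not the patent's code. Assumed (the patent names none of these): the
"pre-agreed algorithm" is HMAC-SHA256; the database and carrier system are in-memory."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for the carrier's customer-service system (step S20):
# terminal identification (phone number) -> carrier customer-service password.
CARRIER_CUSTOMER_SERVICE = {"13800000000": "654321"}


@dataclass
class TerminalRecord:
    terminal_id: str
    app_info: tuple     # (application name, version number, developer), per step S21
    key: bytes          # the "encryption code" KEY1
    ciphertext: str     # the "original ciphertext code"
    seq: int = -1       # insertion order, so "most recent" is unambiguous


def encrypt(plaintext: str, key: bytes) -> str:
    """The pre-agreed algorithm (assumption: HMAC-SHA256, hex encoded)."""
    return hmac.new(key, plaintext.encode("utf-8"), hashlib.sha256).hexdigest()


class TerminalInfoDatabase:
    """Terminal information database 2: storage module 21 and query module 22."""

    def __init__(self):
        self.registered = set()
        self.records = []

    def register(self, terminal_id: str, customer_service_password: str) -> bool:
        """Step S20: a wrong carrier password is treated as an impostor; not registered."""
        expected = CARRIER_CUSTOMER_SERVICE.get(terminal_id)
        if expected is None or not hmac.compare_digest(expected, customer_service_password):
            return False
        self.registered.add(terminal_id)
        return True

    def store(self, record: TerminalRecord) -> None:
        """Storage module 21 (steps S21/S34): only registered terminals get records."""
        if record.terminal_id not in self.registered:
            raise PermissionError("terminal not registered in the database")
        record.seq = len(self.records)
        self.records.append(record)

    def latest(self, terminal_id: str, app_info: tuple):
        """Query module 22 (steps S22/S36): most recent record for this terminal and app."""
        matches = [r for r in self.records
                   if r.terminal_id == terminal_id and r.app_info == app_info]
        return max(matches, key=lambda r: r.seq) if matches else None


class VerificationModule:
    """Verification module 1 inside the application, which acts as the verifier."""

    def __init__(self, db: TerminalInfoDatabase, app_info: tuple):
        self.db = db
        self.app_info = app_info

    def first_pass(self, terminal_id: str, plaintext: str) -> str:
        """Steps S33-S34: random KEY1, original ciphertext, both stored under the terminal id."""
        key = secrets.token_bytes(32)
        original = encrypt(plaintext, key)
        self.db.store(TerminalRecord(terminal_id, self.app_info, key, original))
        return original

    def second_pass(self, terminal_id: str, plaintext_again: str) -> bool:
        """Steps S35-S38: fetch latest KEY1 and ciphertext, re-encrypt, compare in constant
        time. True: trust the subsequent SMS code; False: do not trust it."""
        record = self.db.latest(terminal_id, self.app_info)
        if record is None:  # nothing stored for this terminal and app: do not trust
            return False
        review = encrypt(plaintext_again, record.key)
        return hmac.compare_digest(record.ciphertext, review)


def run_scenario() -> dict:
    """Walk through S31-S38 with constructed values and return each outcome."""
    db = TerminalInfoDatabase()
    app = VerificationModule(db, ("ExampleBank", "1.0", "ExampleCorp"))
    phone = "13800000000"
    out = {}
    out["impostor_registration"] = db.register(phone, "000000")  # wrong carrier password
    out["owner_registration"] = db.register(phone, "654321")     # correct carrier password
    app.first_pass(phone, "ABCDEFG")                             # the page's example plaintext
    out["same_plaintext"] = app.second_pass(phone, "ABCDEFG")    # consistent: trust SMS code
    out["wrong_plaintext"] = app.second_pass(phone, "ABCDEFX")   # inconsistent: do not trust
    app.first_pass(phone, "HIJKLMN")                             # newer record supersedes
    out["stale_plaintext"] = app.second_pass(phone, "ABCDEFG")   # old plaintext now fails
    out["latest_plaintext"] = app.second_pass(phone, "HIJKLMN")
    out["unknown_terminal"] = app.second_pass("13900000000", "ABCDEFG")
    return out
```

Because records are looked up under the application's own (name, version, developer) tuple, a key and ciphertext stored by one application are never matched against another application's query, which is the purpose the patent gives for sending that information in step S34.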
Claims (11)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910006481.XA CN109587683B (en) | 2019-01-04 | 2019-01-04 | Method and system, application program and terminal information database for SMS anti-monitoring |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109587683A CN109587683A (en) | 2019-04-05 |
CN109587683B true CN109587683B (en) | 2022-04-26 |