CN101800645A - Identity authentication method, device and system - Google Patents


Info

Publication number
CN101800645A
Authority
CN
China
Prior art keywords
password
user
input
algorithm
sign
Prior art date
Legal status
Granted
Application number
CN201010107211A
Other languages
Chinese (zh)
Other versions
CN101800645B (en)
Inventor
谭路远
伊劲松
闫记东
张安龙
付新丽
曾凯
李丹
王静媛
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN2010101072117A
Publication of CN101800645A
Application granted
Publication of CN101800645B
Legal status: Active
Anticipated expiration

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The embodiment of the invention provides an identity authentication method, device and system. The device comprises a boot command input unit, a PIN input unit, a cryptogram mode selection unit, a storage unit, an interference unit, a cryptogram generation unit and a display unit. The boot command input unit receives a boot command entered by the user, as required by the external transaction page, in order to generate a multi-element cryptogram, and executes the boot action; the PIN input unit prompts the user for a PIN and receives the PIN entered by the user; the cryptogram mode selection unit prompts the user to select a multi-element cryptogram generation mode and receives the mode entered by the user; the storage unit stores a user key and a cryptographic algorithm; the interference unit acquires an interference factor; the cryptogram generation unit generates a multi-element cryptogram from the interference factor, the user key and the corresponding cryptographic algorithm; and the display unit displays the multi-element cryptogram, which is then entered into the external transaction page. The invention addresses the problems of identity authentication and transaction authentication in online banking and other financial transaction systems.

Description

Identity authentication method, device and system
Technical Field
The invention relates to an identity authentication and transaction authentication technology, in particular to an identity authentication and transaction authentication technology of financial transaction systems such as online banking and the like, and particularly relates to an identity authentication method, device and system.
Background
In the prior art, there are several schemes for identity authentication and transaction authorization authentication, as follows:
(I) Static password: users often set weak passwords such as birthdays and telephone numbers, which are susceptible to theft and interception, for example by trojans and network sniffing.
(II) Scratch card and dynamic password card: a one-time password is realized, but the security of the transaction data cannot be ensured, so the risk of tampering with the transaction data remains.
(III) Time-based dynamic token: the time-based one-time password generator ensures a one-time password and somewhat reduces the risk of theft and sniffing, but cannot eliminate it; it still offers no protection against data tampering.
(IV) USB key and soft certificate: a PKI system digitally signs and encrypts the data, ensuring its integrity, non-repudiation and confidentiality; however, the implementation cost is high, since a CA, RA, signature verification components and so on must be deployed in the background, and the user must perform certificate management operations such as application, renewal and recovery, which is complex. Soft certificates are also easy to copy and steal; the USB key device requires a driver and client-side components to be installed, has compatibility and usability problems, and can currently only be used on a computer terminal, not on channels such as mobile phones, telephones and televisions. Moreover, because several links exist between the upper-layer application and the underlying signing and encryption, the risk of data tampering and the risk of malicious use of the user certificate through remote control remain.
These authentication schemes either have low security (risk of theft and sniffing, no protection of transaction data) or low usability (complex background deployment and user operation), and cannot be widely used across channels.
Disclosure of Invention
The embodiment of the invention provides an identity authentication method, an identity authentication device and an identity authentication system, which are used for solving the problems of identity authentication and transaction authentication of financial transaction systems such as online banking and the like.
One of the objectives of the present invention is to provide an identity authentication method, which includes: receiving a multi-element password generation instruction entered by a user through a keyboard or touch screen as required by an external transaction page; prompting the user for a Personal Identification Number (PIN) according to the multi-element password generation instruction; receiving the PIN entered by the user through the keyboard or touch screen; after the PIN is determined to be correct, prompting the user to select a multi-element password generation mode; receiving the multi-element password generation mode entered by the user through the keyboard or touch screen; acquiring an interference factor, a pre-stored user key and the corresponding cryptographic algorithm according to the multi-element password generation mode, and generating a multi-element password from the interference factor, the user key and the cryptographic algorithm; displaying the multi-element password; and entering the multi-element password into the external transaction page for identity authentication.
One of the objects of the present invention is to provide an identity authentication apparatus, comprising: the starting instruction input unit is used for receiving a starting instruction which is input by a user according to the external transaction page requirement and is used for generating a multi-element password and executing a starting action; the PIN input unit is used for prompting a PIN input request to a user and receiving the PIN input by the user; the password mode selection unit is used for prompting a multi-element password generation mode selection request to a user after the PIN is determined to be correct, and receiving a multi-element password generation mode input by the user; the storage unit is used for storing a user key and a cryptographic algorithm; the interference unit is used for acquiring an interference factor; the password generation unit is used for acquiring the interference factor, the user key and the corresponding password algorithm according to a multi-element password generation mode selected by a user and generating a multi-element password according to the interference factor, the user key and the corresponding password algorithm; and the display unit is used for displaying the multi-element password so as to input an external transaction page.
One of the objects of the present invention is to provide an identity authentication system, comprising: an identity authentication device and a transaction terminal; the transaction terminal is connected with the background authentication server and used for prompting a multi-element password input request to a user through a transaction page and transmitting data input by the user to the background authentication server; the identity authentication device includes: the starting instruction input unit is used for receiving a starting instruction which is input by a user according to the prompt of the transaction page and is used for generating the multi-element password and executing the starting action; the PIN input unit is used for prompting a PIN input request to a user and receiving the PIN input by the user; the password mode selection unit is used for prompting a multi-element password generation mode selection request to a user after the PIN is determined to be correct, and receiving a multi-element password generation mode input by the user; the storage unit is used for storing a user key and a cryptographic algorithm; the interference unit is used for acquiring an interference factor; the password generation unit is used for acquiring an interference factor, a user key and a corresponding password algorithm according to a multi-element password generation mode selected by a user and generating a multi-element password according to the interference factor, the user key and the corresponding password algorithm; the display unit is used for displaying the multi-element password so as to input an external transaction page; and the external transaction page transmits the received multi-element password to the background authentication server.
The invention has the following advantages. Through the transaction short signature, the transaction elements participate in the password generation process, so the password can only be used for that transaction; if the transaction is tampered with or the password is used for another transaction, the server cannot verify it. The short signature thus ensures that the transaction data cannot be tampered with, provides transaction non-repudiation and improves the security of transaction authentication. The identity authentication device is used offline and does not need to be connected to a mobile phone, telephone or computer; offline use means the device is suitable for many electronic channels and provides a basis for using the same authentication medium across channels. Secondly, the usability of the authentication medium is improved and the device is easier to use, since no driver or control program needs to be installed. The identity authentication device and system can be used to verify the identity of the server side, and support two working modes, One-Time Password (OTP) and short signature (SIGN). The authentication device provides PIN code protection, avoiding the risk posed by loss of the device, and supports modification and resetting of the PIN code.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flowchart of an identity authentication method according to an embodiment of the present invention;
FIG. 2 is a block diagram of an identity authentication apparatus according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an embodiment of an identity authentication apparatus;
FIG. 4 is a block diagram of an internal structure of an identity authentication apparatus according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating an identity authentication system according to an embodiment of the present invention;
FIG. 6 is a flowchart illustrating an OTP operation of an identity authentication system according to an embodiment of the present invention;
FIG. 7 is a flowchart of the SIGN working mode of the identity authentication system according to the embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, the embodiment of the present invention provides an identity authentication method, which includes: receiving a multi-element password generation instruction entered by a user through a keyboard or touch screen as required by an external transaction page (step S101); prompting the user for a Personal Identification Number (PIN) according to the multi-element password generation instruction (step S102); receiving the PIN entered by the user through the keyboard or touch screen (step S103); after the PIN is determined to be correct, prompting the user to select a multi-element password generation mode (step S104); receiving the multi-element password generation mode entered by the user through the keyboard or touch screen (step S105); acquiring an interference factor, a pre-stored user key and the corresponding cryptographic algorithm according to the multi-element password generation mode, and generating a multi-element password from the interference factor, the user key and the cryptographic algorithm (step S106); displaying the multi-element password (step S107); and entering the multi-element password into the external transaction page for identity authentication (step S108).
The identity authentication method of this embodiment is based on a dynamic token; it realizes one-time multi-element passwords from several interference factors, including time or events, and is used for user identity authentication and transaction authentication. It also provides a short signature function, which ensures that transaction data cannot be tampered with or repudiated.
The first level of protection of the multi-element password of this embodiment is a dynamic password generated from the current interference factor (the current time, a counter, etc.); the second level further prevents the key transaction information from being hijacked and tampered with, by adding that transaction information to the current interference factor as a generation factor of the dynamic password (also called the verification code). The application scenario of the identity authentication method of this embodiment is not limited to the internet, but also includes electronic channels such as mobile phones, telephones and ATMs.
As shown in fig. 2, the identity authentication apparatus according to the embodiment of the present invention includes: the start-up instruction input unit 101, which receives a start-up instruction entered by the user as required by the external transaction page in order to generate a multi-element password, and executes the start-up action; the PIN input unit 102, which prompts the user for a PIN and receives the PIN entered by the user; the password mode selection unit 103, which prompts the user to select a multi-element password generation mode after the PIN is determined to be correct, and receives the mode entered by the user; the storage unit 104, which stores a user key and a cryptographic algorithm; the interference unit 105, which obtains an interference factor; the password generation unit 106, which obtains the interference factor, the user key and the corresponding cryptographic algorithm according to the multi-element password generation mode selected by the user, and generates a multi-element password from them; and the display unit 107, which displays the multi-element password for entry into the external transaction page.
The identity authentication device of this specific embodiment has two working modes: a One-Time Password (OTP) mode and a short signature (SIGN) mode. The OTP mode generates a one-time dynamic password from the interference factor and the client key according to a certain algorithm, such as a digest algorithm or a symmetric encryption algorithm, and achieves identity authentication and transaction authentication through that one-time password. The SIGN mode generates a one-time transaction password bound to the transaction data from client input elements (such as the transaction amount and transaction account number), the interference factor and the client key, again according to a certain algorithm such as a digest algorithm or a symmetric encryption algorithm; through this password, the transaction data cannot be tampered with and the transaction cannot be repudiated.
Examples
Taking internet banking login as an example, a processing flow of the OTP working mode is introduced. The identity authentication system of the embodiment of the invention comprises: the system comprises an identity authentication device and an online banking transaction terminal; the transaction terminal is connected with the online banking background authentication server and used for prompting a multi-element password input request to a user through a transaction page and transmitting data input by the user to the background authentication server.
As shown in fig. 3, the identity authentication device of this embodiment includes a display screen, input keys and a housing. The input keys are divided into function keys and a numeric keypad. The display screen displays prompts, the generated dynamic passwords, the client's input and so on; the numeric keypad is mainly used to enter the PIN code, transaction data and similar information. The function keys comprise an on/off key for starting and shutting down the device; a PIN key for entering the PIN code modification procedure; an OTP key for generating a one-time dynamic password from the current interference factor and the client key; and a SIGN key for generating a short signature password from the client input elements, the current interference factor and the client key. The housing fixes and protects the internal parts and circuits, and is designed to be attractive and convenient to carry and use. The identity authentication device of this embodiment is the size of a bank card, easy to carry, and its appearance can be flexibly customized as required.
As shown in fig. 4, the internal structure of the identity authentication device of this embodiment includes a central processing unit, which performs calculations according to the various conditions and requests, together with a display unit, an input unit, a storage unit, an interference factor unit and a power supply unit. The display unit comprises a display screen, a display driver chip and so on, and displays the device's prompts, the client's input, password information and the like. The input unit comprises a keyboard and input control logic, and is used by the client to enter the device PIN code, the transaction challenge, function selections and so on. The storage unit stores the client key; the client key of each identity authentication device is different and may be generated with a hardware random number generator; other information such as the algorithm is also stored in the storage unit. The interference factor unit provides a time or event interference factor: a clock crystal oscillator if the interference factor is time, or an event counter if the interference factor is an event. As a special case, the identity authentication device may omit the interference factor unit; to prevent password repetition and replay attacks, one-time information such as a random variable or a timestamp can then be added to the transaction elements the client must enter, so that the randomness of the client's password is ensured and a one-time password is realized. The power supply unit supplies power to the components of the authentication device, and may be a battery, a dual-battery supply with a replaceable backup battery, a rechargeable battery and the like.
The identity authentication device can adopt a touch switch to realize physical protection such as uncovering self-destruction and the like.
The identity authentication device has two working modes: an OTP mode and a SIGN mode. The OTP mode generates a one-time dynamic password from the interference factor and the client key according to a certain algorithm, such as a digest algorithm or a symmetric encryption algorithm, and achieves identity authentication and transaction authentication through that one-time password.
As shown in fig. 5, the identity authentication system of this embodiment includes: an identity authentication device 201 and an ATM terminal 202; the ATM terminal 202 is connected with the background authentication server and used for prompting the multi-element password, the multi-element password generation mode and the short signature factor information to the user through the transaction page; the identity authentication apparatus 201 includes: the starting instruction input unit is used for receiving a starting instruction which is input by a user according to the external transaction page requirement and is used for generating a multi-element password and executing a starting action; the PIN input unit is used for prompting a PIN input request to a user and receiving the PIN input by the user; the password mode selection unit is used for prompting a multi-element password generation mode selection request to a user after the PIN is determined to be correct, and receiving a multi-element password generation mode input by the user; the storage unit is used for storing a user key and a cryptographic algorithm; the interference unit is used for acquiring an interference factor; the password generation unit is used for acquiring the interference factor, the user key and the corresponding password algorithm according to a multi-element password generation mode selected by a user and generating a multi-element password according to the interference factor, the user key and the corresponding password algorithm; and the display unit is used for displaying the multi-element password so as to input an external transaction page.
As shown in fig. 6, the OTP working mode includes the following steps, in which the user carries the identity authentication device and performs a transaction on the online banking terminal:
step S201, a client accesses an online bank login page and inputs a login ID;
step S202, prompting to use an identity authentication device to generate an OTP password by a page;
step S203, the user presses the on-off key of the identity authentication device to start the identity authentication device, namely, the input unit sends an instruction to the processing unit to start the identity authentication device;
step S204, a display unit of the identity authentication device prompts a customer to input a PIN code;
step S205, the customer enters the PIN code through the input unit; the processing unit obtains the correct PIN code from the storage unit and compares it with the PIN code entered by the customer. If correct, the display unit shows the function selection prompt. If wrong, the processing unit increments the PIN code error count and records it in the storage unit; if the maximum number of PIN code errors has not been reached, the display unit prompts the customer to re-enter the PIN code; if it has been reached, the processing unit refuses to compare the PIN code or calculate passwords again, the identity authentication device enters a locked state, and it can only be used after the PIN code is reset;
step S206, the PIN code is correct, and the display unit prompts the customer to select the OTP or SIGN function;
step S207, the client presses the OTP key;
step S208, the input unit instructs the processing unit to obtain the interference factor from the interference factor unit, obtain the client key from the storage unit, and obtain a one-time OTP password by using an OTP algorithm according to the current interference factor and the client key, wherein the password can be composed of 6 digits, and the length and the password value range can be customized as required;
step S209, providing the obtained OTP password to the client through the display unit;
step S210, the customer inputs the OTP password generated by the identity authentication device on a transaction page and submits the OTP password;
the customer presses the on/off key of the identity authentication device to shut it down, whereupon the input unit instructs the processing unit to put the device into the off state; if the customer does not shut the device down manually, it shuts down automatically after displaying the OTP password for 15 seconds (this time can be customized as required), and the automatic shutdown after timeout is initiated by the processing unit;
step S211, the background dynamic password management system verifies the OTP password, the background recalculates the current OTP password of the client according to the recorded current interference factor and the client key, if the obtained password is the same as the password submitted by the client, the verification is passed, and the subsequent processing is continued;
step S212, returning to a login success page; and if the verification fails, prompting a relevant error.
The SIGN working mode generates a one-time transaction password bound to the transaction data from the client input elements, the interference factor and the client key according to a certain algorithm; the password ensures that the transaction data cannot be tampered with and the transaction cannot be repudiated.
As shown in fig. 7, the SIGN mode of operation includes the following steps:
step S301, a customer enters a transaction entry page, enters transaction elements such as a transfer-in account number and a transaction amount and submits the transaction elements to a bank background system;
step S302, after the system checks the validity of data and transaction, a transaction confirmation page is displayed back, and a client is prompted to use a dynamic identity authentication device to carry out short signature;
step S303, the client starts the identity authentication device by pressing the on-off key of the identity authentication device, and the input unit instructs the processing unit to be in a working state;
step S304, the processing unit instructs the display unit to prompt the input of a PIN code;
step S305, the customer inputs the correct PIN code, the input unit transmits the PIN code input by the customer to the processing unit, and the processing unit acquires the PIN code of the customer from the storage unit and compares the PIN code with the PIN code input by the customer;
step S306, if the PIN codes are consistent, the display unit is indicated to prompt the customer to select the OTP or SIGN function;
step S307, the client presses the SIGN key to enter the transaction short signature function; the input unit instructs the processing unit to be in the short signature function;
step S308, the transaction page prompts the content that must be entered for the short signature function, such as the transfer-out or transfer-in account number, the transaction amount and/or a transaction string. The transaction string may be information the user has reserved in the background, for example the user's nickname. If the nickname is Lily, the system displays the transaction confirmation page, prompts the user to use the dynamic identity authentication device for short signature authentication, and displays a request for the user's nickname; the user must then enter Lily on the identity authentication device.
Step S309, the customer enters the transaction account number, the amount and/or the transaction string on the identity authentication device according to the content prompted by the transaction page; these may be entered in several fields, or spliced into a single signature string and entered at once. The entry length can support 256 bytes or be customized as required. If an entry is wrong, it can be removed with the back key; to clear one row or all of the input, the back key is held for 2 seconds, after which one row or all of the customer's input is cleared (this behaviour of the input unit can be customized as required). The input unit finally transmits the transaction information entered by the customer to the processing unit. The short signature content can be the account number and amount, some digits randomly selected from the content by the background, or a transaction verification code that the page prompts the customer to short-sign; for a transfer transaction, signing the transfer-in account number and the amount is recommended;
step S310, after the customer finishes inputting the identity authentication device, the customer presses the SIGN key, and the input unit instructs the processing unit to perform short signature. Firstly, a client key is obtained from a storage unit, an interference factor is obtained from an interference factor unit, and a short signature password is calculated and generated according to the client input, the current interference factor and the client key and the algorithm of the SIGN function;
step S311, providing the short signature password to the client through the display unit;
step S312, the customer inputs the transaction short signature password on the transaction page and submits the transaction short signature password;
and step S313, the background dynamic password management system calculates the client transaction short signature password according to the SIGN algorithm according to the recorded client current interference factor, the client key and the transaction element required to be input, if the obtained value is the same as the password submitted by the client, the verification is passed, the subsequent processing is continued, and if the obtained value is wrong, the relevant information is returned.
And step S314, the short signature is successfully verified, and a transaction result is returned.
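The SIGN flow of steps S308 to S314, as an added Python example; this is not code from the patent or from ICBC. The patent does not disclose the SIGN algorithm, so the example assumes an HMAC-SHA256 over the interference factor and the length-prefixed transaction elements, truncated HOTP-style to 6 digits. The key, account number, amount and factor value are constructed sample values. Besides the happy path it shows the two properties the description relies on: a tampered amount no longer verifies, and the same elements under a different interference factor give a different password.

```python
import hmac
import hashlib

# Constructed demo key; in the patent's scheme each customer's key is provisioned at issue
# time and held both in the device's storage unit and by the background management system.
CUSTOMER_KEY = b"constructed-demo-customer-key-32-bytes!!"


def _truncate(digest: bytes, digits: int = 6) -> str:
    """HOTP-style dynamic truncation of an HMAC digest to decimal digits (assumed, not the patent's)."""
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign_password(key: bytes, interference_factor: int, elements: list, digits: int = 6) -> str:
    """Device side of the SIGN mode (step S310): a short signature over the transaction elements.

    The password is bound to the customer key, the current interference factor and the
    elements the customer typed in (account, amount, string), so it is valid only for
    exactly that transaction and exactly that factor value.
    """
    msg = b"SIGN" + interference_factor.to_bytes(8, "big")
    for element in elements:
        data = element.encode("utf-8")
        # Length-prefix each element so that ("12", "345") and ("123", "45") cannot collide.
        msg += len(data).to_bytes(2, "big") + data
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), digits)


def server_verify_sign(key: bytes, recorded_factor: int, elements: list, submitted: str) -> bool:
    """Background side (step S313): recompute from the recorded factor and compare."""
    expected = sign_password(key, recorded_factor, elements)
    return hmac.compare_digest(expected, submitted)


def demo() -> tuple:
    """Walk through steps S309 to S313, then two cases the server must reject."""
    elements = ["6222020200012345678", "1000.00"]   # constructed destination account and amount
    factor = 41                                      # constructed current interference factor
    password = sign_password(CUSTOMER_KEY, factor, elements)                  # S310/S311
    accepted = server_verify_sign(CUSTOMER_KEY, factor, elements, password)   # S313
    # Tampered amount: the password the customer produced no longer verifies.
    tampered = server_verify_sign(CUSTOMER_KEY, factor,
                                  ["6222020200012345678", "9000.00"], password)
    # Same elements, but the factor has moved on: a recorded password cannot be replayed.
    stale = server_verify_sign(CUSTOMER_KEY, factor + 1, elements, password)
    return accepted, tampered, stale
```

The length prefix in `sign_password` is the detail worth copying: if the device simply concatenated the fields into one string, two different account/amount splits could produce the same signed bytes.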
To support customers' use of the authentication device, a dynamic password management system must be deployed on the server side. It manages the life cycle of customer keys (generation, storage, use, invalidation, freezing, unfreezing and so on) and provides dynamic password verification, error accumulation, interference factor synchronisation, inquiry, statistics, monitoring and similar functions.
When the background dynamic password management system verifies an OTP or SIGN password and the password is correct, the password is recorded so that the current interference factor cannot be reused later. If the password is wrong, the error is accumulated; the background can accumulate password errors per day or historically. When the daily count reaches the error limit, the customer's use of the device is blocked for the rest of that day; when the historical count reaches its limit, the token is blocked from use and the customer must go to a counter to have it unfrozen.
In the SIGN working mode the interference factor takes part in the calculation, so the short signature password for the same transaction elements is different every time, which removes the risk of a transaction password being replayed.
Both the OTP and the SIGN working modes can be used for identity authentication and for transaction authentication, and are not limited to the scenarios above. For example, either mode can be used to verify the identity of the server: when the client logs in to the system, the background dynamic password management system first calculates a password in OTP or SIGN mode and displays or transmits it to the client; the client obtains the current password from its own authentication device, and if the two are consistent the server is genuine rather than a phishing website or telephone fraud. When the SIGN working mode is used for this, the short signature can be made over some agreed information, such as the current transaction verification code or information reserved on the server side, instead of transaction data. The OTP working mode is the preferred recommendation for client or server identity authentication, and the SIGN working mode for transaction short signatures.
The identity authentication device is protected by a PIN code; the correct PIN code must be entered before any subsequent operation.
The identity authentication device has no PIN code when it leaves the factory, and the customer is forced to set one on first use. For example, on first use the customer starts the device by pressing the power key, the device prompts for a PIN code, the customer sets a 6-digit PIN code on the numeric keypad and enters it a second time, the device verifies that the two entries are consistent, and the PIN code is set.
The identity authentication device supports PIN code modification: the customer presses the power key to start the device, enters the PIN code to reach the function selection menu, presses the PIN key to enter the PIN modification function, sets a new 6-digit PIN code on the numeric keypad and enters it a second time; the device verifies that the two entries are consistent, and the PIN code modification succeeds.
The identity authentication device supports PIN code reset. When a customer forgets the PIN code, the matter has to be handled at a counter, and the device provides a PIN reset function in challenge-response form. At the counter the customer presses the power key to start the device and holds the PIN key for 2 seconds; the device then derives a PIN reset challenge value, for example 6 digits, from the current interference factor and a dedicated PIN reset algorithm. The customer tells the 6-digit challenge to the teller, who records it in the system; the background system calculates a PIN reset response from the challenge, the customer's current interference factor and the customer key. The response, which may also be 6 digits, is returned to the teller terminal and passed to the customer either orally or in a printed password envelope; the customer enters the PIN reset response code on the authentication device, and once the device has verified it, the device is reset to the state of having no PIN code or to a certain default value.
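The PIN reset challenge-response just described, as an added Python example; the patent does not disclose its PIN reset algorithm, and this is not ICBC's code. It assumes the challenge is an HMAC keyed with the customer key over the current interference factor, and the response a second HMAC over the factor and the challenge, both truncated to 6 digits. `Token`, `pin_reset_challenge` and `pin_reset_response` are hypothetical names, and the key, factor and PIN values are constructed.

```python
import hmac
import hashlib

CUSTOMER_KEY = b"constructed-demo-customer-key-32-bytes!!"  # constructed demo key


def _truncate(digest: bytes, digits: int = 6) -> str:
    """HOTP-style dynamic truncation to decimal digits (assumed, not the patent's algorithm)."""
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def pin_reset_challenge(key: bytes, factor: int) -> str:
    """Device side: 6-digit challenge from the current interference factor (keyed HMAC is assumed)."""
    msg = b"PIN-RESET-CHALLENGE" + factor.to_bytes(8, "big")
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def pin_reset_response(key: bytes, factor: int, challenge: str) -> str:
    """Background side: response from the challenge, the recorded factor and the customer key."""
    msg = b"PIN-RESET-RESPONSE" + factor.to_bytes(8, "big") + challenge.encode("ascii")
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


class Token:
    """Hypothetical model of the device's PIN state during a counter-assisted reset."""

    def __init__(self, key: bytes, factor: int, pin: str):
        self.key, self.factor, self.pin = key, factor, pin
        self.pending_challenge = None

    def start_pin_reset(self) -> str:
        """Customer holds the PIN key for 2 seconds: show the challenge to read out to the teller."""
        self.pending_challenge = pin_reset_challenge(self.key, self.factor)
        return self.pending_challenge

    def finish_pin_reset(self, response: str) -> bool:
        """Customer types the response from the teller; on success the device is back to 'no PIN'."""
        if self.pending_challenge is None:
            return False
        expected = pin_reset_response(self.key, self.factor, self.pending_challenge)
        self.pending_challenge = None            # a challenge can be answered only once
        if not hmac.compare_digest(expected, response):
            return False
        self.pin = None                          # customer is forced to set a new PIN on next use
        return True


def demo() -> tuple:
    factor = 77                                          # constructed current interference factor
    token = Token(CUSTOMER_KEY, factor, pin="123456")    # constructed forgotten PIN
    challenge = token.start_pin_reset()
    # The background system holds the same key and the same recorded factor.
    response = pin_reset_response(CUSTOMER_KEY, factor, challenge)
    reset_ok = token.finish_pin_reset(response)
    # A response computed for a different factor (stale record at the background) is refused.
    other = Token(CUSTOMER_KEY, factor, pin="123456")
    stale = pin_reset_response(CUSTOMER_KEY, factor - 1, other.start_pin_reset())
    refused = other.finish_pin_reset(stale)
    return reset_ok, token.pin, refused, other.pin
```

Because the response is bound to the customer's interference factor as well as the challenge, a response envelope printed for one reset session cannot be reused after the device has been used again.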
The interference factor in the identity authentication device can be driven by a clock crystal oscillator or by an event counter; the clock crystal oscillator is the preferred recommendation. Environmental and human factors can cause the interference factor to drift from the server-side record: the clock crystal oscillator may become inaccurate at too high or too low a temperature, or an event OTP may be generated without being checked against the background, so that the device's count no longer matches the server's. When this happens, the device's interference factor must be synchronised.
The customer can go to a counter for synchronisation. The customer uses the device to generate two OTP passwords in succession and tells them to the teller, who submits them to the background. The background tries to match the two passwords submitted by the customer within a certain range of variation of the interference factor, for example within plus or minus 24 hours for a clock crystal oscillator, or within plus or minus 50 counts for an event counter. As long as the two consecutively entered passwords can be matched, the current count of the device's interference factor can be located, the server-side record is adjusted and synchronisation is complete. The matching window can be customised as required.
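The server-side behaviour described in this section, covering both the verification rules (recording used interference factors, daily and historical error accumulation, freezing) and the two-password synchronisation search, as one added Python example that is not the patent's or ICBC's code. It models the interference factor as an integer: an event count, or in clock mode the number of elapsed 60-second steps (an assumed step size). The OTP is an assumed HMAC-SHA256 truncated to 6 digits; the error limits and look-ahead are assumed configuration values, while the plus or minus 50 counts and plus or minus 24 hours are the windows given on the page.

```python
import hmac
import hashlib
import time
from dataclasses import dataclass

CUSTOMER_KEY = b"constructed-demo-customer-key-32-bytes!!"  # constructed demo key
# Policy values: the +/-50 counts and +/-24 h windows come from the page, the rest are assumed.
DAILY_ERROR_LIMIT = 5
HISTORY_ERROR_LIMIT = 20
LOOKAHEAD = 10                  # normal verification searches this far past the recorded factor
EVENT_SYNC_WINDOW = 50
TIME_STEP_SECONDS = 60          # assumed clock-mode step size
CLOCK_SYNC_WINDOW = 24 * 3600 // TIME_STEP_SECONDS  # +/- 24 h expressed in steps

def _truncate(digest: bytes, digits: int = 6) -> str:
    """HOTP-style dynamic truncation to decimal digits (assumed, not the patent's algorithm)."""
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def otp_password(key: bytes, factor: int, digits: int = 6) -> str:
    """OTP mode: the password depends only on the customer key and the interference factor."""
    return _truncate(hmac.new(key, b"OTP" + factor.to_bytes(8, "big"), hashlib.sha256).digest(), digits)

@dataclass
class TokenRecord:
    key: bytes
    factor: int = 0         # last accepted factor; it and earlier values are never accepted again
    errors_today: int = 0
    errors_date: str = ""
    errors_total: int = 0
    frozen: bool = False    # cleared only at the counter

class DynamicPasswordServer:
    def __init__(self):
        self.records = {}

    def enroll(self, user: str, key: bytes, factor: int = 0) -> None:
        self.records[user] = TokenRecord(key=key, factor=factor)

    def verify_otp(self, user: str, submitted: str, today: str) -> str:
        rec = self.records[user]
        if rec.frozen:
            return "frozen"
        if rec.errors_date != today:            # daily accumulation starts afresh each day
            rec.errors_date, rec.errors_today = today, 0
        if rec.errors_today >= DAILY_ERROR_LIMIT:
            return "daily-limit"                # blocked for the rest of the day, even if correct
        for f in range(rec.factor + 1, rec.factor + 1 + LOOKAHEAD):
            if hmac.compare_digest(otp_password(rec.key, f), submitted):
                rec.factor = f                  # record the factor so the password cannot be reused
                return "ok"
        rec.errors_today += 1
        rec.errors_total += 1
        if rec.errors_total >= HISTORY_ERROR_LIMIT:
            rec.frozen = True                   # historical limit: token unusable until unfrozen
            return "frozen"
        return "wrong"

    def resync(self, user: str, first: str, second: str, window: int) -> bool:
        """Counter procedure: two consecutive passwords locate the device's factor in the window."""
        rec = self.records[user]
        for f in range(max(0, rec.factor - window), rec.factor + window + 1):
            if (hmac.compare_digest(otp_password(rec.key, f), first)
                    and hmac.compare_digest(otp_password(rec.key, f + 1), second)):
                rec.factor = f + 1              # adjust the server-side record to the device
                return True
        return False

def demo_verification() -> list:
    srv = DynamicPasswordServer()
    srv.enroll("customer-1", CUSTOMER_KEY)
    today, first = "2010-02-05", otp_password(CUSTOMER_KEY, 1)
    out = [srv.verify_otp("customer-1", first, today)]          # accepted
    out.append(srv.verify_otp("customer-1", first, today))      # same factor again: rejected
    for _ in range(DAILY_ERROR_LIMIT - 1):
        srv.verify_otp("customer-1", "000000", today)           # constructed wrong entries
    nxt = otp_password(CUSTOMER_KEY, 2)
    out.append(srv.verify_otp("customer-1", nxt, today))        # correct, but daily limit reached
    out.append(srv.verify_otp("customer-1", nxt, "2010-02-06")) # next day: accepted
    return out

def demo_resync() -> tuple:
    srv = DynamicPasswordServer()
    srv.enroll("event-token", CUSTOMER_KEY, factor=1000)        # device pressed on to 1037: outside LOOKAHEAD
    ok_event = srv.resync("event-token", otp_password(CUSTOMER_KEY, 1037),
                          otp_password(CUSTOMER_KEY, 1038), EVENT_SYNC_WINDOW)
    srv.enroll("event-token-2", CUSTOMER_KEY, factor=1000)      # drift of 80 exceeds +/- 50
    too_far = srv.resync("event-token-2", otp_password(CUSTOMER_KEY, 1080),
                         otp_password(CUSTOMER_KEY, 1081), EVENT_SYNC_WINDOW)
    server_step = int(time.time()) // TIME_STEP_SECONDS         # clock mode: crystal 3 h fast
    srv.enroll("clock-token", CUSTOMER_KEY, factor=server_step)
    device_step = server_step + 3 * 60
    ok_clock = srv.resync("clock-token", otp_password(CUSTOMER_KEY, device_step),
                          otp_password(CUSTOMER_KEY, device_step + 1), CLOCK_SYNC_WINDOW)
    return (ok_event, srv.records["event-token"].factor, too_far,
            ok_clock, srv.records["clock-token"].factor - server_step)
```

Two points of the design are deliberate. Verification only ever searches above the recorded factor, which is what makes a previously accepted password unusable; and the resync search requires both consecutive passwords to match at adjacent positions, so a single 6-digit value seen by chance inside a window of a few thousand steps is not enough to move the record.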
The identity authentication device is the size of a bank card, easy to carry, and its appearance can be customised as required. The device operates in a low-power state, and its power supply can effectively guarantee more than 3 years of use; when the power is exhausted or the validity period is reached, the customer can replace the device with a new one, which uses a new customer key.
All electronic channels can use the device for identity authentication and transaction authentication, and if the device is used together with a channel's existing static password, two-factor authentication is achieved and the customer's transaction security is assured.
According to the invention, the transaction short signature makes the transaction elements part of the password generation process, so that the password can only be used for that transaction: if the transaction is tampered with or the password is reused for another transaction, the server side cannot verify it. The short signature thus ensures that the transaction data cannot be tampered with, provides transaction non-repudiation and improves the security of transaction authentication. The identity authentication device is used off-line and does not need to be connected to a mobile phone, telephone or computer; this off-line mode of use allows the device to serve many electronic channels and lays the foundation for multiple channels sharing one authentication medium. The usability of the authentication medium is also improved and the device is easier to use, since no driver or control program needs to be installed. The identity authentication device and system can be used to verify the identity of the server side, and support both the OTP and the SIGN working modes. The authentication device provides PIN code protection, which avoids the risk arising from loss of the device, and supports modification and reset of the PIN code.
The principle and implementation of the invention have been explained above by way of specific embodiments; the description of the embodiments only serves to help understand the method and core idea of the invention. At the same time, a person skilled in the art may, following the idea of the present invention, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as a limitation of the present invention.

Claims (22)

1. An identity authentication method, characterized in that the method comprises:
receiving a multi-element password generation instruction input by a user through a keyboard or a touch screen according to the requirement of an external transaction page;
prompting a Personal Identification Number (PIN) input request to a user according to the multi-element password generation instruction;
receiving a PIN input by a user through a keyboard or a touch screen;
after the PIN is determined to be correct, prompting a multi-element password generation mode selection request to a user;
receiving a multi-element password generation mode input by a user through a keyboard or a touch screen;
acquiring an interference factor, a pre-stored user key and a corresponding password algorithm according to the multi-element password generation mode, and generating the multi-element password according to the interference factor, the user key and the password algorithm;
displaying the multi-element password;
and inputting the multi-element password into the external transaction page for identity authentication.
2. The method of claim 1, wherein the multi-element password generation mode comprises: a one-time password (OTP) generation mode and a short signature password (SIGN) generation mode.
3. The method of claim 2, wherein the method comprises: receiving an OTP generation mode input by a user through a keyboard or a touch screen;
and acquiring an interference factor, a pre-stored user key and an OTP password algorithm according to the OTP generation mode, and generating an OTP password according to the interference factor, the user key and the OTP password algorithm.
4. The method of claim 2, wherein the method comprises: receiving a SIGN generation mode input by a user through a keyboard or a touch screen;
prompting a short signature factor information input request to a user according to the SIGN generation mode;
receiving short signature factor information input by a user through a keyboard or a touch screen;
and acquiring an interference factor, the short signature factor information, a pre-stored user key and a SIGN password algorithm according to the SIGN generation mode, and generating a SIGN password according to the interference factor, the short signature factor information, the user key and the SIGN password algorithm.
5. The method of claim 4, wherein the short signature factor information comprises: a transaction account number, a transaction amount, and/or a string.
6. The method of claim 1, wherein the interference factors comprise: clock data and/or event count data.
7. The method of claim 1, further comprising: the external transaction page transmits the received multi-element password to a background authentication server; the background authentication server recalculates the current multi-element password of the user according to the locally recorded current interference factor, the user key and the password algorithm, and if the obtained multi-element password is the same as the multi-element password submitted by the user, the authentication is passed.
8. The method of claim 7, further comprising: the external transaction page transmits the received multi-element password to a background authentication server; the background authentication server recalculates the current multi-element password of the user according to the locally recorded current interference factor, the user key, the short signature factor information and the SIGN password algorithm, and if the obtained multi-element password is the same as the multi-element password submitted by the user, the authentication is passed.
9. An identity authentication device, characterized in that said device comprises:
the starting instruction input unit is used for receiving a starting instruction which is input by a user according to the external transaction page requirement and is used for generating a multi-element password and executing a starting action;
the PIN input unit is used for prompting a PIN input request to a user and receiving the PIN input by the user;
the password mode selection unit is used for prompting a multi-element password generation mode selection request to a user after the PIN is determined to be correct, and receiving a multi-element password generation mode input by the user;
the storage unit is used for storing a user key and a cryptographic algorithm;
the interference unit is used for acquiring an interference factor;
the password generation unit is used for acquiring the interference factor, the user key and the corresponding password algorithm according to a multi-element password generation mode selected by a user and generating the multi-element password according to the interference factor, the user key and the corresponding password algorithm;
and the display unit is used for displaying the multi-element password so as to input an external transaction page.
10. The apparatus of claim 9, wherein said multi-element password generation mode comprises: a one-time password (OTP) generation mode and a short signature password (SIGN) generation mode.
11. The apparatus as claimed in claim 10, wherein the storage unit stores an OTP cipher algorithm and a SIGN cipher algorithm;
the password mode selection unit receives an OTP generation mode input by a user;
the password generating unit acquires an interference factor, a user key and an OTP password algorithm according to the OTP generating mode and generates an OTP password according to the interference factor, the user key and the OTP password algorithm.
12. The apparatus of claim 10, further comprising: a short signature factor input unit for prompting a short signature factor information input request to a user and receiving short signature factor information input by the user through a keyboard or a touch screen; wherein
the storage unit stores an OTP (one-time password) algorithm and a SIGN (short signature password) algorithm;
the password mode selection unit receives a SIGN generation mode input by a user through a keyboard or a touch screen;
the password generation unit acquires an interference factor, the short signature factor information, a pre-stored user key and a SIGN password algorithm according to the SIGN generation mode, and generates a SIGN password according to the interference factor, the short signature factor information, the user key and the SIGN password algorithm.
13. The apparatus of claim 12, wherein the short signature factor information comprises: a transaction account number, a transaction amount, and/or a string.
14. The apparatus of claim 9, wherein the interference unit comprises:
a clock for generating time data;
and the event counter is used for generating event counting data.
15. An identity authentication system, said system comprising: an identity authentication device and a transaction terminal;
the transaction terminal is connected with the background authentication server and used for prompting a multi-element password input request to a user through a transaction page and transmitting data input by the user to the background authentication server;
the identity authentication device comprises: the starting instruction input unit is used for receiving a starting instruction which is input by a user according to the transaction page prompt and is used for generating a multi-element password and executing a starting action; the PIN input unit is used for prompting a PIN input request to a user and receiving the PIN input by the user; the password mode selection unit is used for prompting a multi-element password generation mode selection request to a user after the PIN is determined to be correct, and receiving a multi-element password generation mode input by the user; the storage unit is used for storing a user key and a cryptographic algorithm; the interference unit is used for acquiring an interference factor; the password generation unit is used for acquiring the interference factor, the user key and the corresponding password algorithm according to a multi-element password generation mode selected by a user and generating the multi-element password according to the interference factor, the user key and the corresponding password algorithm; the display unit is used for displaying the multi-element password so as to input the external transaction page;
and the external transaction page transmits the received multi-element password to the background authentication server.
16. The system of claim 15, wherein said multi-element password generation mode comprises: a one-time password (OTP) generation mode and a short signature password (SIGN) generation mode.
17. The system of claim 16 wherein said memory unit stores an OTP cipher algorithm and a SIGN cipher algorithm;
the password mode selection unit receives an OTP generation mode input by a user;
the password generating unit acquires an interference factor, a user key and an OTP password algorithm according to the OTP generating mode and generates an OTP password according to the interference factor, the user key and the OTP password algorithm.
18. The system of claim 15, wherein said identity authentication device further comprises: a short signature factor input unit for prompting a short signature factor information input request to a user and receiving short signature factor information input by the user through a keyboard or a touch screen; wherein
the storage unit stores an OTP (one-time password) algorithm and a SIGN (short signature password) algorithm;
the password mode selection unit receives a SIGN generation mode input by a user through a keyboard or a touch screen;
the password generation unit acquires an interference factor, the short signature factor information, a pre-stored user key and a SIGN password algorithm according to the SIGN generation mode, and generates a SIGN password according to the interference factor, the short signature factor information, the user key and the SIGN password algorithm.
19. The system of claim 18, wherein the short signature factor information comprises: a transaction account number, a transaction amount, and/or a string.
20. The system of claim 15, wherein the interference unit comprises:
a clock for generating time data;
and the event counter is used for generating event counting data.
21. The system of claim 15, wherein the background authentication server recalculates the current multi-element password of the user according to the locally recorded current interference factor, the user key and the password algorithm, and if the obtained multi-element password is the same as the multi-element password submitted by the user, the authentication is passed.
22. The system as claimed in claim 21, wherein the background authentication server recalculates the current multi-element password of the user according to the locally recorded current interference factor, the user key, the short signature factor information and the SIGN password algorithm, and if the obtained multi-element password is the same as the multi-element password submitted by the user, the authentication is passed.
CN2010101072117A 2010-02-05 2010-02-05 Identity authentication method, device and system Active CN101800645B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101072117A CN101800645B (en) 2010-02-05 2010-02-05 Identity authentication method, device and system

Publications (2)

Publication Number Publication Date
CN101800645A true CN101800645A (en) 2010-08-11
CN101800645B CN101800645B (en) 2012-02-08

Family

ID=42596149

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010101072117A Active CN101800645B (en) 2010-02-05 2010-02-05 Identity authentication method, device and system

Country Status (1)

Country Link
CN (1) CN101800645B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102664736A (en) * 2012-04-13 2012-09-12 天地融科技股份有限公司 Electronic cipher generating method, device and equipment and electronic cipher authentication system
CN102685121A (en) * 2012-05-03 2012-09-19 飞天诚信科技股份有限公司 Digital signature method and digital signature device
CN103634121A (en) * 2013-12-18 2014-03-12 上海众人网络安全技术有限公司 System and method for improving reliability of dynamic token time
CN103973683A (en) * 2014-05-06 2014-08-06 上海动联信息技术股份有限公司 Double-password synchronization method for dynamic passwords
CN104333555A (en) * 2014-11-14 2015-02-04 中国建设银行股份有限公司 Dynamic token working method and dynamic token working system
CN104333555B (en) * 2014-11-14 2018-02-09 中国建设银行股份有限公司 A kind of dynamic token method of work and system
CN103684756B (en) * 2013-12-12 2018-10-19 深圳云高创投实业有限公司 The cryptographic system synchronized based on Internet of Things
CN109634512A (en) * 2012-06-11 2019-04-16 三星电子株式会社 Mobile device and its settlement method
CN114554310A (en) * 2022-01-04 2022-05-27 云南电网有限责任公司 Electric power metering sniffing system and method

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201335870A (en) * 2012-02-17 2013-09-01 Rdonline Co Ltd Identity authentication method of transaction system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100492966C (en) * 2004-11-26 2009-05-27 王小矿 Identity certifying system based on intelligent card and dynamic coding
CN101309141A (en) * 2007-05-15 2008-11-19 曲永皓 Safe network transaction system

Also Published As

Publication number Publication date
CN101800645B (en) 2012-02-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant