CN103067402A - Method and system for digital certificate generation - Google Patents
Method and system for digital certificate generation Download PDFInfo
- Publication number
- CN103067402A CN103067402A CN2013100095632A CN201310009563A CN103067402A CN 103067402 A CN103067402 A CN 103067402A CN 2013100095632 A CN2013100095632 A CN 2013100095632A CN 201310009563 A CN201310009563 A CN 201310009563A CN 103067402 A CN103067402 A CN 103067402A
- Authority
- CN
- China
- Prior art keywords
- server
- portable terminal
- bank
- mobile banking
- random number
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 38
- 238000012795 verification Methods 0.000 claims abstract description 52
- 238000013475 authorization Methods 0.000 claims description 18
- 230000005540 biological transmission Effects 0.000 claims description 14
- 238000001629 sign test Methods 0.000 claims description 14
- 238000004321 preservation Methods 0.000 claims description 6
- 238000012360 testing method Methods 0.000 abstract 5
- 238000010200 validation analysis Methods 0.000 abstract 1
- 239000000284 extract Substances 0.000 description 6
- 238000000605 extraction Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000007812 deficiency Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 239000012634 fragment Substances 0.000 description 1
Images
Landscapes
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention provides a method and a system for digital certificate generation. The method for digital certificate generation comprises the following steps: a mobile terminal receives register order and establishes a connection with a comprehensive server of a bank to generate a pair of user public key and private key; the mobile terminal encrypts user information according to the public key of the comprehensive server of the bank and transmits the user information to the comprehensive server of the bank; the comprehensive server of the bank deciphers, tests and verifies the user information and transmits validation information to the mobile terminal after the user information passes the testing and verification; the mobile terminal encrypts the user public key after receiving the testing and verification information and transmits the cryptographic user public key to the comprehensive server of the bank; and the comprehensive server of the bank tests and verifies the correctness of the user public key and transmits the user public key to a third-party e-business authentication server to authenticate signature to generate a certificate of the user public key after the user public key passing the testing and verification. According to the method and the system for digital certificate generation, the difficulty of attack can be increased and security can be improved.
Description
Technical field
The present invention relates to field of information security technology, particularly a kind of generation method of digital certificate and a kind of generation system of digital certificate.
Background technology
In recent years, follow the fast development of the Internet and Financial Information, Web bank obtains rapidly the generally high praise of user and bank's industry because of its facility, the advantage such as efficient, wherein digital certificate is the identify label of user and bank server when concluding the business by Web bank, can guarantee the safety of online transaction.
At present, the generation of customer digital certificate is finished by bank server, through being handed down to the employed terminal of user after the electronic third-party business confirming server authentication again.The problem that exists is, bank server is in the process of the digital certificate that issues to terminal, and bank server may not known the concrete terminal that sends, thereby might be tackled, and there is the potential safety hazard that is stolen in digital certificate in the process that issues.
Summary of the invention
Purpose of the present invention is intended to solve at least one of above-mentioned technological deficiency.
For achieving the above object, first purpose of the present invention is to propose a kind of generation method of digital certificate, the method may further comprise the steps: a, portable terminal receive register instruction, and connect according to described register instruction and complex bank device, and generate a pair of client public key and private key; B, described portable terminal are encrypted user profile according to the PKI of described complex bank device, and the described user profile after will encrypting is sent to described complex bank device; C, described complex bank device are decrypted and verify the encryption described user profile afterwards that described portable terminal sends according to the private key of described complex bank device, and send authorization information by rear to described portable terminal in checking; D, described portable terminal receive after the authorization information of described complex bank device transmission, client public key is encrypted, and the client public key after will encrypting send to described complex bank device; And e, described complex bank device verify the correctness of described client public key, and checking by after described client public key be sent to electronic third-party business confirming server carry out authentication signature with generation client public key certificate.
Generation method according to the digital certificate of the embodiment of the invention, generate client public key and private key at portable terminal, user profile and client public key are sent to before the complex bank device, portable terminal and complex bank device both sides verify, and the mode with digital certificate is stored in bank after checking, guarantee the fail safe of client public key transmission channel, increase the difficulty of attacking.Simultaneously the complex bank device is through verifying portable terminal, can know clearly which portable terminal what communicate by letter with oneself is, prevents from palming off portable terminal and bank and carries out having guaranteed safety alternately.
For achieving the above object, second purpose of the present invention is to propose a kind of generation system of digital certificate, this system comprises: portable terminal, complex bank device and electronic third-party business confirming server, wherein, described portable terminal, be used for receiving register instruction, and connect according to described register instruction and described complex bank device, and generate a pair of client public key and private key, and according to the PKI of described complex bank device user profile is encrypted, and the described user profile after will encrypting is sent to described complex bank device; Described complex bank device is used for according to the private key of described complex bank device the encryption described user profile afterwards that described portable terminal sends being decrypted and verifying, and sends authorization information by rear to described portable terminal in checking; Described portable terminal also is used for receiving after the authorization information of described complex bank device transmission, client public key is encrypted, and the client public key after will encrypting sends to described complex bank device; Described complex bank device also is used for verifying the correctness of described client public key, and checking by after described client public key be sent to electronic third-party business confirming server carry out authentication signature with generation client public key certificate.
Generation system according to the digital certificate of the embodiment of the invention, generate client public key and private key at portable terminal, user profile and client public key are sent to before the complex bank device respectively, portable terminal and complex bank device both sides verify, so that client public key form with digital certificate after checking is stored in bank, guarantee the fail safe of client public key transmission channel, increase the difficulty of attacking.Simultaneously mobile banking's server is through verifying portable terminal, can know clearly which portable terminal what communicate by letter with oneself is, prevents from palming off portable terminal and bank and carries out having guaranteed safety alternately.
The aspect that the present invention adds and advantage in the following description part provide, and part will become obviously from the following description, or recognize by practice of the present invention.
Description of drawings
Above-mentioned and/or the additional aspect of the present invention and advantage are from obviously and easily understanding becoming the description of embodiment below in conjunction with accompanying drawing, wherein:
Fig. 1 is the flow chart of the generation method of according to an embodiment of the invention digital certificate;
Fig. 2 is the flow chart of generation method of the digital certificate of the specific embodiment according to the present invention;
Fig. 3 is the structural representation of the generation system of digital certificate according to an embodiment of the invention; And
Fig. 4 is the structural representation of the generation system of the digital certificate of a specific embodiment according to the present invention.
Embodiment
The below describes embodiments of the invention in detail, and the example of described embodiment is shown in the drawings, and wherein identical or similar label represents identical or similar element or the element with identical or similar functions from start to finish.Be exemplary below by the embodiment that is described with reference to the drawings, only be used for explaining the present invention, and can not be interpreted as limitation of the present invention.On the contrary, embodiments of the invention comprise spirit and interior all changes, modification and the equivalent of intension scope that falls into additional claims.
In description of the invention, it will be appreciated that term " first ", " second " etc. only are used for describing purpose, and can not be interpreted as indication or hint relative importance.In description of the invention, need to prove that unless clear and definite regulation and restriction are arranged in addition, term " links to each other ", " connection " should do broad understanding, for example, can be to be fixedly connected with, and also can be to removably connect, or connect integratedly; Can be mechanical connection, also can be to be electrically connected; Can be directly to link to each other, also can indirectly link to each other by intermediary.For the ordinary skill in the art, can concrete condition understand above-mentioned term concrete meaning in the present invention.In addition, in description of the invention, except as otherwise noted, the implication of " a plurality of " is two or more.
Describe and to be understood in the flow chart or in this any process of otherwise describing or method, expression comprises module, fragment or the part of code of the executable instruction of the step that one or more is used to realize specific logical function or process, and the scope of preferred implementation of the present invention comprises other realization, wherein can be not according to order shown or that discuss, comprise according to related function by the mode of basic while or by opposite order, carry out function, this should be understood by the embodiments of the invention person of ordinary skill in the field.
Below with reference to the generation method and system of accompanying drawing description according to the digital certificate of the embodiment of the invention.
Fig. 1 is the flow chart of the generation method of according to an embodiment of the invention digital certificate.
As shown in Figure 1, the generation method according to the digital certificate of the embodiment of the invention comprises the steps.
Step S101, portable terminal receives register instruction, and connects according to register instruction and complex bank device, and generates a pair of client public key and private key.
Particularly, portable terminal is downloaded bank client software, when client software is installed, from the software that loads, obtain the PKI of complex bank device, and according to register instruction the PKI of complex bank device is verified, and the checking by after connect according to register instruction and complex bank device, and will verify that the PKI by complex bank device afterwards is kept in the portable terminal, generate a pair of client public key and private key, after the user starts bank client software, can enter and log in/register interface.
Step S102, portable terminal is encrypted user profile according to the PKI of complex bank device, and the user profile after will encrypting is sent to the complex bank device.
Wherein, user profile comprises: the login password after phone number, bank's card number, registration are complete; Perhaps
The cryptographic Hash of the login password after phone number, bank's card number, registration are complete.
In this step, when sending the user profile of encrypting, can also send authorization information, so that the complex bank device is verified the assurance fail safe to portable terminal.
Step S103, the complex bank device is decrypted and verifies the encryption user profile afterwards that portable terminal sends according to the private key of complex bank device, and sends authorization information by rear to portable terminal in checking.
Step S104, portable terminal receives after the authorization information of complex bank device transmission, client public key is encrypted, and the client public key after will encrypting sends to the complex bank device.
Step S105, the correctness of complex bank device authentication of users PKI, and checking by after client public key be sent to electronic third-party business confirming server carry out authentication signature with generation client public key certificate.
Particularly, electronic third-party business confirming server carries out authentication signature to user's PKI, can prevent that client public key from being pretended to be, and the client public key after will signing is stored in the complex bank device, and the prompting user public key certificate generates successfully after the client public key of complex bank device storage signature.
Generation method according to the digital certificate of the embodiment of the invention, generate client public key and private key at portable terminal, user profile and client public key are sent to before the complex bank device respectively, portable terminal and complex bank device both sides verify, so that client public key form with digital certificate after checking is stored in bank, guarantee the fail safe of client public key transmission channel, increase the difficulty of attacking.Simultaneously mobile banking's server is through verifying portable terminal, can know clearly which portable terminal what communicate by letter with oneself is, prevents from palming off portable terminal and bank and carries out having guaranteed safety alternately.
Fig. 2 is the flow chart of generation method of the digital certificate of the specific embodiment according to the present invention.
As shown in Figure 2, the generation method according to the digital certificate of the embodiment of the invention comprises the steps.
Step S201, portable terminal receives register instruction, and connects according to register instruction and complex bank device, and generates a pair of client public key and private key.
Concrete, portable terminal is downloaded bank client software, when client software is installed, from the software that loads, obtain the PKI of complex bank device, and according to register instruction the PKI of complex bank device is verified, and checking by after connect according to register instruction and complex bank device.Particularly, bank client software is when installing, the root certificate of the PKI of complex bank device is preset in the portable terminal in advance, when sending registration request, can whether correct according to the PKI of the root certification authentication complex bank device that presets, wherein when the PKI of complex bank device is correct, just can continue to carry out following step, prompting error message when the PKI mistake of complex bank device.
In one embodiment of the invention, the complex bank device comprises mobile banking's server and bank comprehensive front server, portable terminal obtains the PKI of mobile banking's server and the PKI of bank comprehensive front server from the software (for example bank client software) that loads, and according to register instruction the PKI of mobile banking's server and the PKI of bank comprehensive front server are verified, and checking by after connect according to register instruction and mobile banking's server.Particularly, bank client software is when installing, the root certificate of the PKI of the PKI of mobile banking's server and bank comprehensive front server is preset in the portable terminal in advance, when sending registration request, can whether correct according to the PKI of the PKI of the root certification authentication mobile banking server that presets and bank comprehensive front server, wherein when the PKI of the PKI of mobile banking's server and bank comprehensive front server is correct, just can continue to carry out following step, prompting error message when the PKI mistake of the PKI of mobile banking's server and bank comprehensive front server.
Wherein, the private key of mobile banking's service end is stored in mobile banking's server, and the PKI of mobile banking's server and private key are used for the communication data between portable terminal and the mobile banking's service end is encrypted; The private key of bank service end is stored in the bank comprehensive front server, and the PKI of bank comprehensive front server and private key are used for the sensitive informations such as bank card of process of exchange are encrypted.
Step S202, portable terminal receives the graphical verification code that mobile banking's server generates.
Wherein adopt the mode of graphical verification code to register and effectively to prevent from attacking.
Concrete, portable terminal can receive the graphical verification code of mobile banking's server generation and this graphical verification code is shown, and checks and inputs for the user.
Certainly, among the above-mentioned steps S201, the client public key of generation and the step of private key also can be carried out in this step simultaneously.
Step S203, portable terminal according to the PKI of mobile banking's server to phone number, bank's card number, login password/log in the cryptographic Hash of password, cryptographic Hash, the first random number and the graphical verification code of hardware characteristics information/hardware characteristics information is encrypted, and will encrypt after user profile be sent to mobile banking's server, wherein the first random number is generated by portable terminal.
User profile in the present embodiment comprises: phone number, bank's card number, login password, hardware characteristics information; Perhaps
User profile comprises: the cryptographic Hash of phone number, bank's card number, login password, hardware characteristics information; Perhaps
User profile comprises: the cryptographic Hash of phone number, bank's card number, login password, hardware characteristics information; Perhaps
User profile comprises: the cryptographic Hash of phone number, bank's card number, login password, the cryptographic Hash of hardware characteristics information.
In one embodiment of the invention, portable terminal receives the graphical verification code that mobile banking's server generates; Portable terminal logs in the character that the graphical verification code of first random number of cryptographic Hash, generation of this hardware characteristics information of the cryptographic Hash of password, the hardware characteristics information of user's input/calculate and user's input shows and is encrypted to this of bank's card number of the phone number of user's input, user's input, the login password of user's input/calculate according to the PKI of mobile banking's server, and will encrypt user profile afterwards and be sent to mobile banking's server.
Particularly, portable terminal extracts hardware characteristics information, hardware characteristics information can comprise the equipment Serial Number of portable terminal or the MAC Address of network interface card etc., so that mobile banking's server is bound portable terminal and is verified, certainly, in the present embodiment, after portable terminal extracts the hardware characteristics information of portable terminal, can also calculate the cryptographic Hash of this hardware characteristics information, thereby can prevent that hardware characteristics information is acquired in message transmitting procedure.
Simultaneously, portable terminal can also generate the first random number.
Certainly, among the above-mentioned steps S201, the client public key of generation and the step of private key also can and be extracted hardware characteristics information and/or generate the first random number and carry out simultaneously in this step.
Step S204, user profile after the encryption that mobile banking's server sends portable terminal according to the private key of mobile banking's server is decrypted to obtain user profile, and the graphical verification code checking by after phone number and bank's card number are sent to the bank comprehensive front server.
Step S205, the bank comprehensive front server phone number and the checking of bank card number by after send and verify by information to mobile banking's server.
Wherein, set up encrypted tunnel between bank comprehensive front server and the mobile banking's server, data are all encrypted transmission.
Step S206, mobile banking's server passes through Information generation the second random number and short-message verification code according to checking, and according to the first random number the second random number is encrypted, and with the short-message verification code and the second random number after encrypting be sent to portable terminal as authorization information.
Concrete, the short-message verification code is sent to portable terminal with the form of note, and for example the mode with the shortcode 955XX of bank is sent to portable terminal.
Step S207, portable terminal is encrypted to generate the first segmented messages identifying code according to the first random number and the second random number to short-message verification code and client public key, and according to private key for user the cryptographic Hash of hardware characteristics information/hardware characteristics information is signed to generate the first signing messages, and the first segmented messages identifying code, client public key and the first signing messages are sent to mobile banking's server.
At first, portable terminal is decrypted to obtain the second random number according to the first random number to the second random number.Then, according to the first random number and the second random number short-message verification code and the client public key that the user inputs is encrypted to generate the first segmented messages identifying code, this moment, portable terminal used the first random number and the second random number as new key.Again extract again the cryptographic Hash of the hardware characteristics information of hardware characteristics information/calculating extraction, and according to private key for user the cryptographic Hash of hardware characteristics information/hardware characteristics information is signed to generate the first signing messages, and the first segmented messages identifying code, client public key and the first signing messages are sent to mobile banking's server.
In addition, portable terminal can also be encrypted the first segmented messages identifying code, client public key and the first signing messages by the PKI of mobile banking's server before sending above-mentioned information.
Step S208, mobile banking's server is encrypted to generate the second segmented messages identifying code according to the first random number and second random number of storage to short-message verification code and client public key, and according to client public key the first signing messages is carried out sign test, and judge whether the first segmented messages identifying code is consistent with the second segmented messages identifying code, and whether the first signing messages passes through sign test.
Particularly, mobile banking's server is to after the first segmented messages identifying code, client public key and the first signing messages that receive the portable terminal transmission, mobile banking's server is encrypted to generate the second segmented messages identifying code according to the first random number and second random number of oneself storage to short-message verification code and client public key, and according to client public key the first signing messages is carried out sign test, then judge whether the first segmented messages identifying code is consistent with the second segmented messages identifying code, and whether the first signing messages passes through sign test.
Step S209, if it is consistent with the second segmented messages identifying code to judge the first segmented messages identifying code, the first signing messages is by sign test, then checking is passed through.
Step S210, mobile banking's server checking by after client public key be sent to electronic third-party business confirming server carry out authentication signature with generation client public key certificate.
In one embodiment of the invention, portable terminal also generates the 3rd random number, according to cryptographic Hash, the login password/log in cryptographic Hash and the 3rd random number generation symmetric key of password of hardware characteristics information/hardware characteristics information, and according to symmetric key private key for user is encrypted preservation.Wherein, the 3rd random number is sent to mobile banking's server preserves, mobile banking's server can utilize the 3rd random number authentication of users private key when transaction.
Generation method according to the digital certificate of the embodiment of the invention, generate client public key and private key at portable terminal, user profile and client public key are sent to before the complex bank device respectively, portable terminal and complex bank device both sides verify, so that client public key form with digital certificate after checking is stored in bank, guarantee the fail safe of client public key transmission channel, increase the difficulty of attacking.Simultaneously mobile banking's server is through verifying portable terminal, can know clearly which portable terminal what communicate by letter with oneself is, prevents from palming off portable terminal and bank and carries out having guaranteed safety alternately.
Fig. 3 is the structured flowchart of the generation system of digital certificate according to an embodiment of the invention.
As shown in Figure 3, the transaction system according to the embodiment of the invention comprises: portable terminal 10, complex bank device 20 and electronic third-party business confirming server 30.
Particularly, portable terminal 10 is used for receiving register instruction, and connect according to register instruction and complex bank device 20, and generate a pair of client public key and private key, and according to the PKI of the complex bank device 20 that prestores user profile is encrypted, and the user profile after will encrypting is sent to complex bank device 20.
Particularly, portable terminal 10 is downloaded bank client software, when client software is installed, from the software that loads, obtain the PKI of complex bank device 20, and according to register instruction the PKI of complex bank device 20 is verified, and the checking by after connect according to register instruction and complex bank device 20, and will verify that the PKI by complex bank device 20 afterwards is kept in the portable terminal 10, generate a pair of client public key and private key, after the user starts bank client software, can enter and log in/register interface.
Complex bank device 20 is used for according to the private key of complex bank device 20 the encryption user profile afterwards that portable terminal 10 sends being decrypted and verifying, and sends authorization informations by rear to portable terminal 10 in checking.
Wherein, user profile comprises: the login password after phone number, bank's card number, registration are complete; Perhaps
The cryptographic Hash of the login password after phone number, bank's card number, registration are complete.
When portable terminal 10 sends the user profile of encrypting, can also send authorization information, so that 20 pairs of portable terminals 10 of complex bank device are verified the assurance fail safe.
Portable terminal 10 also is used for receiving the authorization information that complex bank device 20 sends, client public key is encrypted, and the client public key after will encrypting sends to complex bank device 20, complex bank device 20 also is used for the correctness of authentication of users PKI, and checking by after client public key be sent to electronic third-party business confirming server 30 carry out authentication signature with generation client public key certificate.30 couples of users' of electronic third-party business confirming server PKI carries out authentication signature, can prevent that client public key from being pretended to be, and the client public key after will signing is stored in the complex bank device 20, and the prompting user public key certificate generates successfully after the client public key of complex bank device 20 storage signature.
Generation system according to the digital certificate of the embodiment of the invention, generate client public key and private key at portable terminal, user profile and client public key are sent to before the complex bank device respectively, portable terminal and complex bank device both sides verify, so that client public key form with digital certificate after checking is stored in bank, guarantee the fail safe of client public key transmission channel, increase the difficulty of attacking.Simultaneously mobile banking's server is through verifying portable terminal, can know clearly which portable terminal what communicate by letter with oneself is, prevents from palming off portable terminal and bank and carries out having guaranteed safety alternately.
Fig. 4 is the structured flowchart of the generation system of the digital certificate of a specific embodiment according to the present invention.
As shown in Figure 4, the transaction system according to the embodiment of the invention comprises: portable terminal 10, complex bank device 20, mobile banking's server 21, bank comprehensive front server 22 and electronic third-party business confirming server 30.Wherein, complex bank device 20 comprises mobile banking's server 21 and bank comprehensive front server 22.
In one embodiment of the invention, on basis embodiment illustrated in fig. 3, portable terminal 10 also is used for: obtain the PKI of mobile banking's server 21 and the PKI of bank comprehensive front server 22 from the software that loads, and according to register instruction the PKI of mobile banking's server 21 and the PKI of bank comprehensive front server 22 are verified, and checking by after connect according to register instruction and mobile banking's server 21.
Wherein, the private key of mobile banking's service end 21 is stored in mobile banking's server 21, and the PKI of mobile banking's server 21 and private key are used for the communication data between portable terminal 10 and the mobile banking's service end 21 is encrypted; The private key of bank service end 22 is stored in the bank comprehensive front server 22, and the PKI of bank comprehensive front server 22 and private key are used for the sensitive informations such as bank card of process of exchange are encrypted.
Portable terminal 10 also is used for: receive the graphical verification code that mobile banking's server 21 generates, wherein adopt graphical verification code can prevent from attacking, and be encrypted according to the PKI of mobile banking's server 21 graphical verification code to cryptographic Hash, the first random number and user's input of the cryptographic Hash of phone number, bank's card number, login password/log in password, hardware characteristics information/hardware characteristics information, and the user profile after will encrypting is sent to mobile banking's server 21, and wherein the first random number is generated by portable terminal 10.
User profile in the present embodiment comprises: phone number, bank's card number, login password, hardware characteristics information; Perhaps
User profile comprises: the cryptographic Hash of phone number, bank's card number, login password, hardware characteristics information; Perhaps
User profile comprises: the cryptographic Hash of phone number, bank's card number, login password, hardware characteristics information; Perhaps
User profile comprises: the cryptographic Hash of phone number, bank's card number, login password, the cryptographic Hash of hardware characteristics information.
In the present embodiment, portable terminal 10 also is used for: receive the graphical verification code that mobile banking's server 21 generates, and the character that the graphical verification code that this of bank's card number of the phone number of user's input, user's input, the login password of number of users input/calculate is logged in first random number of cryptographic Hash, generation of this hardware characteristics information of the cryptographic Hash of password, the hardware characteristics information of extraction/calculate and user's input according to the PKI of mobile banking's server 21 shows is encrypted, and will encrypt user profile afterwards and be sent to mobile banking's server 21.Particularly, portable terminal 10 extracts hardware characteristics information, hardware characteristics information can comprise the equipment Serial Number of portable terminal 10 or the MAC Address of network interface card etc., so that 21 pairs of portable terminals 10 of mobile banking's server are bound and are verified, certainly, in the present embodiment, after portable terminal 10 extracts the hardware characteristics information of portable terminal, can also calculate the cryptographic Hash of this hardware characteristics information, thereby can prevent that hardware characteristics information is acquired in message transmitting procedure.
In one embodiment of the invention, mobile banking's server 21 also is used for: the private key according to mobile banking's server 21 is decrypted to obtain user profile to the encryption user profile afterwards that portable terminal 10 sends, and graphical verification code checking by after phone number and bank's card number are sent to bank comprehensive front server 22, wherein, set up encrypted tunnel between bank comprehensive front server 22 and the mobile banking's server 21, data are all encrypted transmission, bank comprehensive front server 22 also be used for phone number and bank's card number checking by after send and verify by information to mobile banking's server 21, mobile banking's server 21 passes through Information generation the second random number and short-message verification code according to checking, and according to the first random number the second random number is encrypted, and with the short-message verification code and the second random number after encrypting be sent to portable terminal 10 as authorization information.Wherein, the short-message verification code can be sent to the form of note portable terminal 10, and for example the mode with the shortcode 955XX of bank is sent to portable terminal 10.
In one embodiment of the invention, portable terminal 10 also is used for: according to the first random number and the second random number short-message verification code and client public key are encrypted to generate the first segmented messages identifying code, and according to private key for user the cryptographic Hash of hardware characteristics information/hardware characteristics information is signed to generate the first signing messages, and the first segmented messages identifying code, client public key and the first signing messages are sent to mobile banking's server 21.
Particularly, portable terminal 10 is decrypted to obtain the second random number according to the first random number to the second random number.Then, according to the first random number and the second random number short-message verification code and client public key are encrypted to generate the first segmented messages identifying code, this moment, portable terminal 10 use the first random numbers and the second random number were as new key.Again extract again the cryptographic Hash of the hardware characteristics information of hardware characteristics information/calculating extraction, and according to private key for user the cryptographic Hash of hardware characteristics information/hardware characteristics information is signed to generate the first signing messages, and the first segmented messages identifying code, client public key and the first signing messages are sent to mobile banking's server 21.
In addition, portable terminal 10 utilized the PKI of mobile banking's server 21 that the first segmented messages identifying code, client public key and the first signing messages are encrypted before sending above-mentioned information.
Mobile banking's server 21 checking by after client public key be sent to electronic third-party business confirming server 30 carry out authentication signature with generation client public key certificate.
In one embodiment of the invention, mobile banking's server 21 also is used for: the first random number and the second random number according to storage are encrypted to generate the second segmented messages identifying code to short-message verification code and client public key, and according to client public key the first signing messages is carried out sign test, and judge whether the first segmented messages identifying code is consistent with the second segmented messages identifying code, whether the first signing messages passes through sign test, in that to judge the first segmented messages identifying code consistent with the second segmented messages identifying code, the first signing messages is by after the sign test, by checking.
In one embodiment of the invention, portable terminal 10 also is used for generating the 3rd random number, according to cryptographic Hash, the login password/log in cryptographic Hash and the 3rd random number generation symmetric key of password of hardware characteristics information/hardware characteristics information, and according to symmetric key private key for user is encrypted preservation.Wherein, the 3rd random number is sent to mobile banking's server 21 preserves, mobile banking's server 21 can utilize the 3rd random number authentication of users private key when transaction.
Generation system according to the digital certificate of the embodiment of the invention, generate client public key and private key at portable terminal, user profile and client public key are sent to before the complex bank device respectively, portable terminal and complex bank device both sides verify, so that client public key form with digital certificate after checking is stored in bank, guarantee the fail safe of client public key transmission channel, increase the difficulty of attacking.Simultaneously mobile banking's server is through verifying portable terminal, can know clearly which portable terminal what communicate by letter with oneself is, prevents from palming off portable terminal and bank and carries out having guaranteed safety alternately.
Although illustrated and described embodiments of the invention, for the ordinary skill in the art, be appreciated that without departing from the principles and spirit of the present invention and can carry out multiple variation, modification, replacement and modification to these embodiment that scope of the present invention is by claims and be equal to and limit.
Claims (18)
1. the generation method of a digital certificate is characterized in that the method comprises:
A, portable terminal receive register instruction, and connect according to described register instruction and complex bank device, and generate a pair of client public key and private key;
B, described portable terminal are encrypted user profile according to the PKI of described complex bank device, and the described user profile after will encrypting is sent to described complex bank device;
C, described complex bank device are decrypted and verify the encryption described user profile afterwards that described portable terminal sends according to the private key of described complex bank device, and send authorization information by rear to described portable terminal in checking;
D, described portable terminal receive after the authorization information of described complex bank device transmission, client public key is encrypted, and the client public key after will encrypting send to described complex bank device; And
E, described complex bank device are verified the correctness of described client public key, and checking by after described client public key be sent to electronic third-party business confirming server carry out authentication signature with generation client public key certificate.
2. method according to claim 1, it is characterized in that, described complex bank device comprises mobile banking's server and bank comprehensive front server, portable terminal among the described step a receives register instruction, and comprises according to the step that described register instruction and complex bank device connect:
Described portable terminal obtains the PKI of mobile banking's server and the PKI of bank comprehensive front server from the software that loads, and according to described register instruction the PKI of described mobile banking server and the PKI of described bank comprehensive front server are verified, and checking by after connect according to described register instruction and described mobile banking server.
3. method according to claim 1 is characterized in that, described complex bank device comprises mobile banking's server and bank comprehensive front server, and described step b comprises:
Described portable terminal receives the graphical verification code that described mobile banking server generates; And
Described portable terminal is encrypted phone number, bank's card number, login password, hardware characteristics information, the first random number and described graphical verification code according to the PKI of described mobile banking server, and will encrypt after described user profile be sent to described mobile banking server, wherein said the first random number is generated by described portable terminal.
4. method according to claim 1 is characterized in that, described complex bank device comprises mobile banking's server and bank comprehensive front server, and described step b comprises:
Described portable terminal receives the graphical verification code that described mobile banking server generates;
Described portable terminal is encrypted according to the PKI of described mobile banking server cryptographic Hash, the first random number of generation and the described graphical verification code of reception to the cryptographic Hash of bank's card number of the phone number that receives, reception, the login password that calculates, the hardware characteristics information that calculates, and will encrypt described user profile afterwards and be sent to described mobile banking server.
5. according to claim 3 or 4 described methods, it is characterized in that described step c comprises:
Described user profile after the encryption that described mobile banking server sends described portable terminal according to the private key of described mobile banking server is decrypted to obtain described user profile, and described graphical verification code checking by after described phone number and bank's card number are sent to the bank comprehensive front server;
Described bank server described phone number and the checking of bank card number by after send checking by information described mobile banking server extremely;
Described mobile banking server passes through Information generation the second random number and short-message verification code according to described checking, and according to described the first random number described the second random number is encrypted, and the second random number after described short-message verification code and the described encryption is sent to described portable terminal as described authorization information.
6. method according to claim 5 is characterized in that, described steps d comprises:
Described portable terminal is encrypted to generate the first segmented messages identifying code according to described the first random number and described the second random number to described short-message verification code and described client public key, and according to described private key for user described hardware characteristics information is signed to generate the first signing messages, and described the first segmented messages identifying code, client public key and the first signing messages are sent to described mobile banking server.
7. method according to claim 6 is characterized in that, the step of the correctness of the described client public key of described mobile banking's server authentication among the described step e comprises:
Described mobile banking server is encrypted to generate the second segmented messages identifying code according to described the first random number and described second random number of storage to described short-message verification code and described client public key, and according to described client public key described the first signing messages is carried out sign test, and judge whether described the first segmented messages identifying code is consistent with described the second segmented messages identifying code, and whether described the first signing messages passes through sign test; And
If described the first segmented messages identifying code is consistent with described the second segmented messages identifying code, described the first signing messages is by sign test, and then described client public key is by checking.
8. method according to claim 5, it is characterized in that, described short-message verification code is sent to described portable terminal with the form of note, and described portable terminal is decrypted described the second random number according to described the first random number after described user inputs described short-message verification code.
9. method according to claim 3 is characterized in that, the method also comprises:
Described portable terminal also generates the 3rd random number, generates symmetric key according to described hardware characteristics information, described login password and described the 3rd random number, and according to described symmetric key described private key for user is encrypted preservation; Or
Described portable terminal also generates the 3rd random number, generates symmetric key according to the cryptographic Hash of the cryptographic Hash of described hardware characteristics information, described login password and described the 3rd random number, and according to described symmetric key described private key for user is encrypted preservation.
10. the generation system of a digital certificate is characterized in that, this system comprises: portable terminal, complex bank device and electronic third-party business confirming server, wherein,
Described portable terminal, be used for receiving register instruction, and connect according to described register instruction and described complex bank device, and generate a pair of client public key and private key, and according to the PKI of described complex bank device user profile is encrypted, and the described user profile after will encrypting is sent to described complex bank device;
Described complex bank device is used for according to the private key of described complex bank device the encryption described user profile afterwards that described portable terminal sends being decrypted and verifying, and sends authorization information by rear to described portable terminal in checking;
Described portable terminal also is used for receiving after the authorization information of described complex bank device transmission, client public key is encrypted, and the client public key after will encrypting sends to described complex bank device;
Described complex bank device also is used for verifying the correctness of described client public key, and checking by after described client public key be sent to electronic third-party business confirming server carry out authentication signature with generation client public key certificate.
11. system according to claim 10 is characterized in that, described complex bank device comprises mobile banking's server and bank comprehensive front server, and described portable terminal also is used for:
From the software that loads, obtain the PKI of mobile banking's server and the PKI of bank comprehensive front server, and according to described register instruction the PKI of described mobile banking server and the PKI of described bank comprehensive front server are verified, and checking by after connect according to described register instruction and described mobile banking server.
12. system according to claim 10 is characterized in that, described complex bank device comprises mobile banking's server and bank comprehensive front server, and described portable terminal also is used for:
Receive the graphical verification code that described mobile banking server generates, and according to the PKI of described mobile banking server phone number, bank's card number, login password, hardware characteristics information, the first random number and described graphical verification code are encrypted, and will encrypt after described user profile be sent to described mobile banking server, wherein said the first random number is generated by described portable terminal.
13. system according to claim 10 is characterized in that, described complex bank device comprises mobile banking's server and bank comprehensive front server, and described portable terminal also is used for:
Receive the graphical verification code that described mobile banking server generates, and be encrypted according to the PKI of described mobile banking server cryptographic Hash, the first random number of generation and the described graphical verification code of reception to the cryptographic Hash of bank's card number of the phone number that receives, reception, the login password that calculates, the hardware characteristics information that calculates, and will encrypt described user profile afterwards and be sent to described mobile banking server.
14. according to claim 12 or 13 described systems, it is characterized in that,
Described mobile banking server also is used for: the described user profile after the encryption that described portable terminal is sent according to the private key of described mobile banking server is decrypted to obtain described user profile, and described graphical verification code checking by after described phone number and bank's card number are sent to the bank comprehensive front server;
Described bank comprehensive front server also is used for: described phone number and the checking of bank card number by after send checking by information described mobile banking server extremely;
Wherein, described mobile banking server passes through Information generation the second random number and short-message verification code according to described checking, and according to described the first random number described the second random number is encrypted, and the second random number after described short-message verification code and the described encryption is sent to described portable terminal as described authorization information.
15. system according to claim 14 is characterized in that, described portable terminal also is used for:
According to described the first random number and described the second random number described short-message verification code and described client public key are encrypted to generate the first segmented messages identifying code, and according to described private key for user described hardware characteristics information is signed to generate the first signing messages, and described the first segmented messages identifying code, client public key and the first signing messages are sent to described mobile banking server.
16. system according to claim 15 is characterized in that, described mobile banking server also is used for:
Described the first random number and described the second random number according to storage are encrypted to generate the second segmented messages identifying code to described short-message verification code and described client public key, and according to described client public key described the first signing messages is carried out sign test, and judge whether described the first segmented messages identifying code is consistent with described the second segmented messages identifying code, whether described the first signing messages passes through sign test, and consistent with described the second segmented messages identifying code at described the first segmented messages identifying code, described the first signing messages judges that by after the sign test described client public key is by checking.
17. system according to claim 14, it is characterized in that, described short-message verification code is sent to described portable terminal with the form of note, and described portable terminal is decrypted described the second random number according to described the first random number after described user inputs described short-message verification code.
18. system according to claim 12 is characterized in that, described portable terminal also is used for:
Generate the 3rd random number, generate symmetric key according to described hardware characteristics information, described login password and described the 3rd random number, and according to described symmetric key described private key for user is encrypted preservation; Or
Generate the 3rd random number, generate symmetric key according to the cryptographic Hash of the cryptographic Hash of described hardware characteristics information, described login password and described the 3rd random number, and according to described symmetric key described private key for user is encrypted preservation.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310009563.2A CN103067402B (en) | 2013-01-10 | 2013-01-10 | The generation method and system of digital certificate |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310009563.2A CN103067402B (en) | 2013-01-10 | 2013-01-10 | The generation method and system of digital certificate |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103067402A true CN103067402A (en) | 2013-04-24 |
| CN103067402B CN103067402B (en) | 2016-01-20 |
Family
ID=48109863
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310009563.2A Active CN103067402B (en) | 2013-01-10 | 2013-01-10 | The generation method and system of digital certificate |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103067402B (en) |
Cited By (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104010044A (en) * | 2014-06-12 | 2014-08-27 | 北京握奇数据系统有限公司 | Application limitation installing method, manager and terminal based on trusted execution environment technology |
| CN104023032A (en) * | 2014-06-23 | 2014-09-03 | 北京握奇智能科技有限公司 | Application limited unloading method based on dependable execution environment technology, server and terminal |
| CN104486356A (en) * | 2014-12-29 | 2015-04-01 | 芜湖乐锐思信息咨询有限公司 | Data transmission method based on internet online tractions |
| CN104683107A (en) * | 2015-02-28 | 2015-06-03 | 深圳市思迪信息技术有限公司 | Digital certificate storage method and device, and digital signature method and device |
| WO2015085851A1 (en) * | 2013-12-10 | 2015-06-18 | 中国银联股份有限公司 | Secure network accessing method for pos terminal, and system thereof |
| CN104809367A (en) * | 2014-01-24 | 2015-07-29 | 中辉世纪传媒发展有限公司 | Digital rights management (DRM) protection method and device for service program |
| CN107026729A (en) * | 2015-12-17 | 2017-08-08 | 罗伯特·博世有限公司 | Method and apparatus for transmitting software |
| CN108134770A (en) * | 2017-10-19 | 2018-06-08 | 黄策 | Verify the application layer theft preventing method of short message |
| CN108365961A (en) * | 2018-01-02 | 2018-08-03 | 深圳壹账通智能科技有限公司 | The response method and server that interface call method and terminal device, interface call |
| CN110049062A (en) * | 2019-04-30 | 2019-07-23 | 北京达佳互联信息技术有限公司 | Verify code check method, device, electronic equipment and storage medium |
| CN110881063A (en) * | 2019-11-20 | 2020-03-13 | 腾讯科技(深圳)有限公司 | Storage method, device, equipment and medium of private data |
| CN111641615A (en) * | 2020-05-20 | 2020-09-08 | 深圳市今天国际物流技术股份有限公司 | Distributed identity authentication method and system based on certificate |
| CN112702712A (en) * | 2020-12-25 | 2021-04-23 | 江苏鸣实纯钧科技有限公司 | Method and system for encrypted data transmission of vehicle-mounted terminal |
| CN112766962A (en) * | 2021-01-20 | 2021-05-07 | 中信银行股份有限公司 | Method for receiving and sending certificate, transaction system, storage medium and electronic device |
| CN114297597A (en) * | 2021-12-29 | 2022-04-08 | 渔翁信息技术股份有限公司 | Account management method, system, equipment and computer readable storage medium |
| CN114338173A (en) * | 2021-12-29 | 2022-04-12 | 渔翁信息技术股份有限公司 | Account registration method, system, equipment and computer readable storage medium |
| CN114567425A (en) * | 2020-11-27 | 2022-05-31 | 中国电信股份有限公司 | Internet of things communication method and system, SoC Sim and Internet of things terminal |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6948061B1 (en) * | 2000-09-20 | 2005-09-20 | Certicom Corp. | Method and device for performing secure transactions |
| CN101447867A (en) * | 2008-12-31 | 2009-06-03 | 中国建设银行股份有限公司 | Method for managing digital certificate and system |
| CN101527633A (en) * | 2008-12-31 | 2009-09-09 | 北京飞天诚信科技有限公司 | System and method for intelligent key devices to obtain digital certificates |
| CN101645889A (en) * | 2009-06-26 | 2010-02-10 | 北京飞天诚信科技有限公司 | Method for issuing digital certificate |
| CN102254380A (en) * | 2010-05-31 | 2011-11-23 | 北京汇冠金财科技有限公司 | Safe mobile phone payment method and system based on hybrid encryption mechanism |
-
2013
- 2013-01-10 CN CN201310009563.2A patent/CN103067402B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6948061B1 (en) * | 2000-09-20 | 2005-09-20 | Certicom Corp. | Method and device for performing secure transactions |
| CN101447867A (en) * | 2008-12-31 | 2009-06-03 | 中国建设银行股份有限公司 | Method for managing digital certificate and system |
| CN101527633A (en) * | 2008-12-31 | 2009-09-09 | 北京飞天诚信科技有限公司 | System and method for intelligent key devices to obtain digital certificates |
| CN101645889A (en) * | 2009-06-26 | 2010-02-10 | 北京飞天诚信科技有限公司 | Method for issuing digital certificate |
| CN102254380A (en) * | 2010-05-31 | 2011-11-23 | 北京汇冠金财科技有限公司 | Safe mobile phone payment method and system based on hybrid encryption mechanism |
Cited By (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2015085851A1 (en) * | 2013-12-10 | 2015-06-18 | 中国银联股份有限公司 | Secure network accessing method for pos terminal, and system thereof |
| US11443293B2 (en) | 2013-12-10 | 2022-09-13 | China Unionpay Co., Ltd. | Secure network accessing method for POS terminal, and system thereof |
| CN104809367A (en) * | 2014-01-24 | 2015-07-29 | 中辉世纪传媒发展有限公司 | Digital rights management (DRM) protection method and device for service program |
| CN104010044A (en) * | 2014-06-12 | 2014-08-27 | 北京握奇数据系统有限公司 | Application limitation installing method, manager and terminal based on trusted execution environment technology |
| CN104023032A (en) * | 2014-06-23 | 2014-09-03 | 北京握奇智能科技有限公司 | Application limited unloading method based on dependable execution environment technology, server and terminal |
| CN104023032B (en) * | 2014-06-23 | 2017-11-24 | 北京握奇智能科技有限公司 | Application based on credible performing environment technology is limited discharging method, server and terminal |
| CN104486356A (en) * | 2014-12-29 | 2015-04-01 | 芜湖乐锐思信息咨询有限公司 | Data transmission method based on internet online tractions |
| CN104683107B (en) * | 2015-02-28 | 2019-01-22 | 深圳市思迪信息技术股份有限公司 | Digital certificate keeping method and device, digital signature method and device |
| CN104683107A (en) * | 2015-02-28 | 2015-06-03 | 深圳市思迪信息技术有限公司 | Digital certificate storage method and device, and digital signature method and device |
| CN107026729B (en) * | 2015-12-17 | 2021-08-17 | 罗伯特·博世有限公司 | Method and device for transmitting software |
| CN107026729A (en) * | 2015-12-17 | 2017-08-08 | 罗伯特·博世有限公司 | Method and apparatus for transmitting software |
| CN108134770A (en) * | 2017-10-19 | 2018-06-08 | 黄策 | Verify the application layer theft preventing method of short message |
| CN108365961B (en) * | 2018-01-02 | 2019-07-19 | 深圳壹账通智能科技有限公司 | Interface invocation method and terminal device, interface invocation response method and server |
| CN108365961A (en) * | 2018-01-02 | 2018-08-03 | 深圳壹账通智能科技有限公司 | The response method and server that interface call method and terminal device, interface call |
| CN110049062B (en) * | 2019-04-30 | 2021-08-13 | 北京达佳互联信息技术有限公司 | Verification code verification method, device, system, server, electronic equipment and storage medium |
| CN110049062A (en) * | 2019-04-30 | 2019-07-23 | 北京达佳互联信息技术有限公司 | Verify code check method, device, electronic equipment and storage medium |
| CN110881063B (en) * | 2019-11-20 | 2022-03-15 | 腾讯科技(深圳)有限公司 | Storage method, device, equipment and medium of private data |
| CN110881063A (en) * | 2019-11-20 | 2020-03-13 | 腾讯科技(深圳)有限公司 | Storage method, device, equipment and medium of private data |
| CN111641615A (en) * | 2020-05-20 | 2020-09-08 | 深圳市今天国际物流技术股份有限公司 | Distributed identity authentication method and system based on certificate |
| CN114567425A (en) * | 2020-11-27 | 2022-05-31 | 中国电信股份有限公司 | Internet of things communication method and system, SoC Sim and Internet of things terminal |
| CN114567425B (en) * | 2020-11-27 | 2024-02-02 | 中国电信股份有限公司 | Internet of things communication method and system, soC Sim and Internet of things terminal |
| CN112702712A (en) * | 2020-12-25 | 2021-04-23 | 江苏鸣实纯钧科技有限公司 | Method and system for encrypted data transmission of vehicle-mounted terminal |
| CN112766962A (en) * | 2021-01-20 | 2021-05-07 | 中信银行股份有限公司 | Method for receiving and sending certificate, transaction system, storage medium and electronic device |
| CN114297597A (en) * | 2021-12-29 | 2022-04-08 | 渔翁信息技术股份有限公司 | Account management method, system, equipment and computer readable storage medium |
| CN114338173A (en) * | 2021-12-29 | 2022-04-12 | 渔翁信息技术股份有限公司 | Account registration method, system, equipment and computer readable storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103067402B (en) | 2016-01-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103067402B (en) | The generation method and system of digital certificate | |
| CN103067401B (en) | Method and system for key protection | |
| CN103078742B (en) | Generation method and system of digital certificate | |
| CN103095456B (en) | The processing method of transaction message and system | |
| US8307202B2 (en) | Methods and systems for using PKCS registration on mobile environment | |
| CN103297403A (en) | Method and system for achieving dynamic password authentication | |
| CN104079562B (en) | A kind of safety certifying method and relevant apparatus based on payment terminal | |
| CN111435913A (en) | Identity authentication method and device for terminal of Internet of things and storage medium | |
| CN102036236A (en) | Method and device for authenticating mobile terminal | |
| CN109586920A (en) | A kind of trust authentication method and device | |
| CN102905260A (en) | Safety and certification system for data transmission of mobile terminal | |
| CN114710298B (en) | Chameleon hash-based document batch signing method, device, equipment and medium | |
| CN111541716A (en) | Data transmission method and related device | |
| KR20120053929A (en) | The agent system for digital signature using sign private key with double encryption and method thereof features to store in web storage | |
| CN105812334A (en) | Network authentication method | |
| CN103905194A (en) | Identity traceability authentication method and system | |
| CN111884811A (en) | Block chain-based data evidence storing method and data evidence storing platform | |
| CN107196972A (en) | An authentication method and system, terminal and server | |
| CN103746802B (en) | A kind of data processing method and mobile phone based on arranging key | |
| CN112995213B (en) | Security authentication method and application device thereof | |
| CN103813321B (en) | Agreement key based data processing method and mobile phone | |
| CN107733645B (en) | Encrypted communication authentication method and system | |
| KR20130100032A (en) | Method for distributting smartphone application by using code-signing scheme | |
| CN113099448A (en) | Terminal identity authentication method suitable for high-capacity SIM card | |
| CN107947938A (en) | SM3 algorithms and the verification method and system of SM2 algorithm digital signature are used for PDF |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |