CN103078742A - Generation method and system of digital certificate - Google Patents
Generation method and system of digital certificate Download PDFInfo
- Publication number
- CN103078742A CN103078742A CN2013100093800A CN201310009380A CN103078742A CN 103078742 A CN103078742 A CN 103078742A CN 2013100093800 A CN2013100093800 A CN 2013100093800A CN 201310009380 A CN201310009380 A CN 201310009380A CN 103078742 A CN103078742 A CN 103078742A
- Authority
- CN
- China
- Prior art keywords
- mobile banking
- server
- authorization information
- portable terminal
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention provides a generation method and a generation system of a digital certificate. The generation method comprises the following steps: a mobile terminal establishes connection with a mobile bank server, generates a pair of user public key and private key, encrypts account information, first verification information and a first random encryption parameter and sends the account information, the first verification information and the first random encryption parameter to the mobile bank server; the mobile bank server decrypts, and sends the account information to a comprehensive prepositive server of a bank after the verification is passed; the comprehensive prepositive server verifies the account information; when a verification result is correct, the mobile bank server sends a second random encryption parameter and second verification information to the mobile terminal; the mobile terminal generates third verification information and sends the third verification information to the mobile bank server; and the mobile bank server verifies the third verification information, and carries out certificate signing on the user public key after the verification is passed so as to generate a user public key certificate. According to the invention, the attacking difficulty can be increased and the security can be improved.
Description
Technical field
The present invention relates to field of information security technology, particularly a kind of generation method of digital certificate and a kind of generation system of digital certificate.
Background technology
In recent years, follow the fast development of the Internet and Financial Information, Web bank obtains rapidly the generally high praise of user and bank's industry because of its facility, the advantage such as efficient, wherein digital certificate is the identify label of user and bank server when concluding the business by Web bank, can guarantee the safety of online transaction.
At present, the generation of customer digital certificate is finished by bank server, through being handed down to the employed terminal of user after the electronic third-party business confirming server authentication again.The problem that exists is, bank server is in the process of the digital certificate that issues to terminal, and bank server may not known the concrete terminal that sends, thereby might be tackled, and there is the potential safety hazard that is stolen in digital certificate in the process that issues.
Summary of the invention
Purpose of the present invention is intended to solve at least one of above-mentioned technological deficiency.
For achieving the above object, first purpose of the present invention is to propose a kind of generation method of digital certificate, the method may further comprise the steps: a, portable terminal receive register instruction, and connect according to described register instruction and mobile banking's server, and generate a pair of client public key and private key; The PKI of the described mobile banking server that b, portable terminal utilization prestore is encrypted account information, the first authorization information and the first accidental enciphering parameter, and the information after will encrypting is sent to described mobile banking server; The private key of c, the described mobile banking of described mobile banking server by utilizing server is decrypted the information from described portable terminal, to obtain described account information, described the first authorization information and the first accidental enciphering parameter, and described the first authorization information verified, checking by after described account information is sent to the bank comprehensive front server; D, described bank comprehensive front server send the result to described mobile banking server to verifying from the described account information of described mobile banking server; E, at described the result when being correct, described mobile banking server generates the second accidental enciphering parameter and the second authorization information, and described the second accidental enciphering parameter and described the second authorization information are sent to described portable terminal; F, described portable terminal utilize described the first accidental enciphering parameter and the second accidental enciphering parameter encrypts the second authorization information and described client public key generates the 3rd authorization information, and the 3rd authorization information is sent to described mobile banking server; And g, described mobile banking server verify described the 3rd authorization information from described portable terminal, and checking by after described client public key be sent to electronic third-party business confirming server carry out authentication signature, to generate the client public key certificate.
Generation method according to the digital certificate of the embodiment of the invention, generate client public key and private key at portable terminal, user profile and client public key are sent to before mobile banking's server, portable terminal and mobile banking's server and bank comprehensive front server are verified in many ways, and the mode with digital certificate is stored in mobile banking's server after checking, guarantee the fail safe of client public key transmission channel, increase the difficulty of attacking.Simultaneously mobile banking's server is through verifying portable terminal, can know clearly which portable terminal what communicate by letter with oneself is, prevents from palming off portable terminal and mobile banking's server and carries out having guaranteed safety alternately.
For achieving the above object, second purpose of the present invention is to propose a kind of generation system of digital certificate, this system comprises: portable terminal, mobile banking's server and bank comprehensive front server, wherein, described portable terminal, be used for receiving register instruction, and connect according to described register instruction and described mobile banking server, and generate a pair of client public key and private key, and the PKI that utilizes the described mobile banking server prestore is to account information, the first authorization information and the first accidental enciphering parameter are encrypted, and the information after will encrypting is sent to described mobile banking server; Described mobile banking server, be used for utilizing the private key of described mobile banking server that the information from described portable terminal is decrypted, to obtain described account information, described the first authorization information and the first accidental enciphering parameter, and described the first authorization information verified, checking by after described account information is sent to the bank comprehensive front server; Described bank comprehensive front server is used for sending the result to described mobile banking server to verifying from the described account information of described mobile banking server; Described mobile banking server also is used for generating the second accidental enciphering parameter and the second authorization information when being correct at described the result, and described the second accidental enciphering parameter and described the second authorization information be sent to described portable terminal, described portable terminal utilizes described the first accidental enciphering parameter and the second accidental enciphering parameter encrypts the second authorization information and described client public key generates the 3rd authorization information, and the 3rd authorization information is sent to described mobile banking server, described mobile banking server is verified described the 3rd authorization information from described portable terminal, and checking by after described client public key be sent to electronic third-party business confirming server carry out authentication signature, to generate the client public key certificate.
Generation system according to the digital certificate of the embodiment of the invention, generate client public key and private key at portable terminal, user profile and client public key are sent to before mobile banking's server, portable terminal and mobile banking's server and bank comprehensive front server are verified in many ways, and the mode with digital certificate is stored in mobile banking's server after checking, guarantee the fail safe of client public key transmission channel, increase the difficulty of attacking.Simultaneously mobile banking's server is through verifying portable terminal, can know clearly which portable terminal what communicate by letter with oneself is, prevents from palming off portable terminal and mobile banking's server and carries out having guaranteed safety alternately.
The aspect that the present invention adds and advantage in the following description part provide, and part will become obviously from the following description, or recognize by practice of the present invention.
Description of drawings
Above-mentioned and/or the additional aspect of the present invention and advantage are from obviously and easily understanding becoming the description of embodiment below in conjunction with accompanying drawing, wherein:
Fig. 1 is the flow chart of generation method of the digital certificate of the embodiment of the invention 1;
Fig. 2 is the flow chart of generation method of the digital certificate of the embodiment of the invention 2;
Fig. 3 is the structural representation of generation system of the digital certificate of the embodiment of the invention 3.
Embodiment
The below describes embodiments of the invention in detail, and the example of described embodiment is shown in the drawings, and wherein identical or similar label represents identical or similar element or the element with identical or similar functions from start to finish.Be exemplary below by the embodiment that is described with reference to the drawings, only be used for explaining the present invention, and can not be interpreted as limitation of the present invention.On the contrary, embodiments of the invention comprise spirit and interior all changes, modification and the equivalent of intension scope that falls into additional claims.
In description of the invention, it will be appreciated that term " first ", " second " etc. only are used for describing purpose, and can not be interpreted as indication or hint relative importance.In description of the invention, need to prove that unless clear and definite regulation and restriction are arranged in addition, term " links to each other ", " connection " should do broad understanding, for example, can be to be fixedly connected with, and also can be to removably connect, or connect integratedly; Can be mechanical connection, also can be to be electrically connected; Can be directly to link to each other, also can indirectly link to each other by intermediary.For the ordinary skill in the art, can concrete condition understand above-mentioned term concrete meaning in the present invention.In addition, in description of the invention, except as otherwise noted, the implication of " a plurality of " is two or more.
Describe and to be understood in the flow chart or in this any process of otherwise describing or method, expression comprises module, fragment or the part of code of the executable instruction of the step that one or more is used to realize specific logical function or process, and the scope of preferred implementation of the present invention comprises other realization, wherein can be not according to order shown or that discuss, comprise according to related function by the mode of basic while or by opposite order, carry out function, this should be understood by the embodiments of the invention person of ordinary skill in the field.
Below with reference to the generation method and system of accompanying drawing description according to the digital certificate of the embodiment of the invention.
Embodiment 1
Fig. 1 is the flow chart of generation method of the digital certificate of the embodiment of the invention 1.
As shown in Figure 1, the generation method according to the digital certificate of the embodiment of the invention comprises the steps:
Step S101, portable terminal receives register instruction, and connects according to register instruction and mobile banking's server, and generates a pair of client public key and private key.
Concrete, portable terminal is downloaded bank client software, when client software is installed, from the software that loads, obtain the PKI of mobile banking's server and the PKI of bank comprehensive front server, and according to register instruction the PKI of mobile banking's server and the PKI of bank comprehensive front server are verified, and checking by after connect according to register instruction and mobile banking's server.Particularly, bank client software is when installing, the root certificate of the PKI of the PKI of mobile banking's server and bank comprehensive front server is preset in the portable terminal in advance, when sending registration request, can whether correct according to the PKI of the PKI of the root certification authentication mobile banking server that presets and bank comprehensive front server, wherein when the PKI of the PKI of mobile banking's server and bank comprehensive front server is correct, just can continue to carry out following step, prompting error message when the PKI mistake of the PKI of mobile banking's server and bank comprehensive front server.
Wherein, the private key of mobile banking's service end is stored in mobile banking's server, and the PKI of mobile banking's server and private key are used for the communication data between portable terminal and the mobile banking's service end is encrypted; The private key of bank service end is stored in the bank comprehensive front server, and the PKI of bank comprehensive front server and private key are used for the sensitive informations such as bank card of process of exchange are encrypted.
Certainly, in the present embodiment, can be after the user clicks registration, triggering mobile terminals generates user's public private key pair according to the key create-rule of default rivest, shamir, adelman, and portable terminal generates user's public private key pair in order to undertaken alternately by this public private key pair and mobile banking's server during follow-up execution transaction.
Step S102, the PKI of mobile banking's server that the portable terminal utilization prestores is encrypted account information, the first authorization information and the first accidental enciphering parameter, and the information after will encrypting is sent to mobile banking's server.
Concrete, the first authorization information is generated by mobile banking's server, and is issued to portable terminal and shows, and checks and inputs for the user, and this first authorization information can be graphical verification code, thereby can prevent from attacking.
Portable terminal receives first authorization information (for example character in the graphical verification code) of user's input.
In addition, in the present embodiment, the first accidental enciphering parameter is generated at random by portable terminal.
Account information comprises: the login password after phone number, bank's card number, registration are complete; Perhaps
Account information comprises: the cryptographic Hash of the login password after phone number, bank's card number, registration are complete.
Step S103, the private key of server by utilizing mobile banking of mobile banking server is decrypted the information from portable terminal, to obtain account information, the first authorization information and the first accidental enciphering parameter, and the first authorization information verified, checking by after account information is sent to the bank comprehensive front server.
Concrete, whether the first authorization information that mobile banking's server authentication portable terminal sends is consistent with the first authorization information that self generates, unanimously then by checking.
In addition, after mobile banking's server obtains decryption information, preserve phone number and the first accidental enciphering parameter in the account information.
Step S104, bank comprehensive front server send the result to mobile banking's server to verifying from the account information of mobile banking's server.
Concrete, whether phone number and bank's card number in the bank comprehensive front server checking account information be correct, sends the result to mobile banking's server.
Step S105, when being correct, mobile banking's server generates the second accidental enciphering parameter and the second authorization information, and the second accidental enciphering parameter and the second authorization information are sent to portable terminal at the result.
Concrete, when being correct, mobile banking's server is encrypted the second accidental enciphering parameter according to the first accidental enciphering parameter, and the second accidental enciphering parameter after will encrypting is sent to portable terminal at the result; And the phone number that utilizes storage is sent to portable terminal with the second authorization information with the form of note.
Step S106, portable terminal utilize the first accidental enciphering parameter and the second accidental enciphering parameter encrypts the second authorization information and client public key generates the 3rd authorization information, and the 3rd authorization information is sent to mobile banking's server.
Concrete, portable terminal is decrypted the second accidental enciphering parameter after encrypting according to the first accidental enciphering parameter, obtains the second accidental enciphering parameter; And the second authorization information of reception user input;
Portable terminal is encrypted to generate the 3rd authorization information according to the first accidental enciphering parameter and the second accidental enciphering parameter to the second authorization information and the client public key that the user inputs again, and the 3rd authorization information and client public key are sent to mobile banking's server.
In the present embodiment, can utilize the first accidental enciphering parameter and the second accidental enciphering parameter that the second authorization information and client public key are carried out segmentation and be MAC to generate the 3rd authorization information.
Step S107, mobile banking's server verify the 3rd authorization information from portable terminal, and checking by after client public key be sent to electronic third-party business confirming server carry out authentication signature, to generate the client public key certificate.
Mobile banking's server is encrypted to generate the 4th authorization information according to the first accidental enciphering parameter and the second accidental enciphering parameter of storage to the second authorization information and client public key, and judge whether the 3rd authorization information that receives is consistent with the 4th authorization information of generation, if consistent, then checking is passed through.
Particularly, electronic third-party business confirming server carries out authentication signature to user's PKI, can prevent that client public key from being pretended to be, and the client public key after will signing is stored in mobile banking's server, and the prompting user public key certificate generates successfully after the client public key of mobile banking server stores signature.
Generation method according to the digital certificate of the embodiment of the invention, generate client public key and private key at portable terminal, user profile and client public key are sent to before mobile banking's server, portable terminal and mobile banking's server and bank comprehensive front server are verified in many ways, and the mode with digital certificate is stored in mobile banking's server after checking, guarantee the fail safe of client public key transmission channel, increase the difficulty of attacking.
Embodiment 2
Fig. 2 is the flow chart of generation method of the digital certificate of the embodiment of the invention 2.
As shown in Figure 2, the generation method according to the digital certificate of the embodiment of the invention comprises the steps:
Step S201, portable terminal receives register instruction, and connects according to register instruction and mobile banking's server, and generates a pair of client public key and private key.
Concrete, portable terminal is downloaded bank client software, when client software is installed, from the software that loads, obtain the PKI of mobile banking's server and the PKI of bank comprehensive front server, and according to register instruction the PKI of mobile banking's server and the PKI of bank comprehensive front server are verified, and checking by after connect according to register instruction and mobile banking's server.Bank client software is when installing, the root certificate of the PKI of the PKI of mobile banking's server and bank comprehensive front server is preset in the portable terminal in advance, when sending registration request, can whether correct according to the PKI of the PKI of the root certification authentication mobile banking server that presets and bank comprehensive front server, wherein when the PKI of the PKI of mobile banking's server and bank comprehensive front server is correct, just can continue to carry out following step, prompting error message when the PKI mistake of the PKI of mobile banking's server and bank comprehensive front server.
Wherein, the private key of mobile banking's service end is stored in mobile banking's server, and the PKI of mobile banking's server and private key are used for the communication data between portable terminal and the mobile banking's service end is encrypted; The private key of bank service end is stored in the bank comprehensive front server, and the PKI of bank comprehensive front server and private key are used for the sensitive informations such as bank card of process of exchange are encrypted.
Certainly, in the present embodiment, can be after the user clicks registration, triggering mobile terminals generates user's public private key pair according to the key create-rule of default rivest, shamir, adelman, and portable terminal generates user's public private key pair in order to undertaken alternately by this public private key pair and mobile banking's server during follow-up execution transaction.
Step S202, the PKI of mobile banking's server that the portable terminal utilization prestores is encrypted account information, hardware information, the first authorization information and the first accidental enciphering parameter, and the information after will encrypting is sent to mobile banking's server.
Concrete, the first authorization information is generated by mobile banking's server, and is issued to portable terminal and shows, and checks and inputs for the user, and this first authorization information can be graphical verification code, thereby can prevent from attacking.
Portable terminal receives first authorization information (for example character in the graphical verification code) of user's input.
In addition, in the present embodiment, the first accidental enciphering parameter is generated at random by portable terminal.
Account information comprises: the login password after phone number, bank's card number, registration are complete; Perhaps
Account information comprises: the cryptographic Hash of the login password after phone number, bank's card number, registration are complete.
Hardware information is: the cryptographic Hash of hardware characteristics information or hardware characteristics information, wherein, hardware characteristics information comprises the MAC Address of equipment Serial Number and/or network interface card.
Concrete, portable terminal is encrypted phone number, bank's card number, login password, hardware information, the first accidental enciphering parameter and the first authorization information according to the PKI of mobile banking's server, and will encrypt after information be sent to mobile banking's server, wherein the first accidental enciphering parameter is generated by portable terminal.
Particularly, portable terminal extracts the hardware characteristics information (perhaps calculating the cryptographic Hash of the hardware characteristics information of extracting) of portable terminal self, generate simultaneously the first accidental enciphering parameter, receive the phone number of user's typing, bank's card number, login password (can prompting user input twice), the character that graphical verification code shows, by click submit to after the PKI of portable terminal by mobile banking's server the information of obtaining (is comprised phone number, bank's card number, login password, the cryptographic Hash of hardware characteristics information/hardware characteristics information, the first accidental enciphering parameter and graphical verification code) be encrypted and send to mobile banking's server.
Certainly, at this moment, portable terminal can also calculate the cryptographic Hash of login password, and portable terminal is encrypted and sends to mobile banking's server by the PKI of mobile banking's server to the information (cryptographic Hash, the cryptographic Hash of hardware characteristics information/hardware characteristics information, the first accidental enciphering parameter and the graphical verification code that comprise phone number, bank's card number, login password) of obtaining after submitting to by click.
Step S203, the private key of server by utilizing mobile banking of mobile banking server is decrypted the information from portable terminal, to obtain account information, hardware information, the first authorization information and the first accidental enciphering parameter, and the first authorization information verified, checking by after account information is sent to the bank comprehensive front server.
Concrete, whether the first authorization information that mobile banking's server authentication portable terminal sends is consistent with the first authorization information that self generates, unanimously then by checking.
In addition, after mobile banking's server obtains decryption information, preserve phone number, hardware information and the first accidental enciphering parameter in the account information.
Step S204, bank comprehensive front server send the result to mobile banking's server to verifying from the account information of mobile banking's server.
Concrete, whether phone number and bank's card number in the bank comprehensive front server checking account information be correct, sends the result to mobile banking's server.
Step S205, when being correct, mobile banking's server generates the second accidental enciphering parameter and the second authorization information, and the second accidental enciphering parameter and the second authorization information are sent to portable terminal at the result.
Concrete, when being correct, mobile banking's server is encrypted the second accidental enciphering parameter according to the first accidental enciphering parameter, and the second accidental enciphering parameter after will encrypting is sent to portable terminal at the result; And the phone number that utilizes storage is sent to portable terminal with the second authorization information with the form of note.
Step S206, portable terminal is encrypted to generate three authorization informations according to the first accidental enciphering parameter and the second accidental enciphering parameter to the second authorization information and client public key, and according to private key for user hardware information is signed to generate the first signing messages, and the 3rd authorization information, client public key and the first signing messages are sent to mobile banking's server.
Concrete, portable terminal is decrypted the second accidental enciphering parameter after encrypting according to the first accidental enciphering parameter, obtains the second accidental enciphering parameter; And the second authorization information of reception user input;
Portable terminal is encrypted to generate the 3rd authorization information according to the first accidental enciphering parameter and the second accidental enciphering parameter to the second authorization information and the client public key that the user inputs again, and according to private key for user the cryptographic Hash of hardware characteristics information or hardware characteristics information is signed to generate the first signing messages, the 3rd authorization information, client public key and the first signing messages are sent to mobile banking's server.
In the present embodiment, can utilize the first accidental enciphering parameter and the second accidental enciphering parameter that the second authorization information and client public key are carried out segmentation and be MAC to generate the 3rd authorization information.
Step S207, mobile banking's server is verified the 3rd authorization information and the first signing messages from portable terminal, and checking by after client public key be sent to electronic third-party business confirming server carry out authentication signature, to generate the client public key certificate.
Concrete, mobile banking's server is encrypted to generate the 4th authorization information according to the first accidental enciphering parameter and the second accidental enciphering parameter of storage to the second authorization information and client public key, and according to client public key the first signing messages is carried out sign test, and judge whether the 3rd authorization information is consistent with the 4th authorization information, and whether the first signing messages passes through sign test; If consistent also by sign test, then checking is passed through.
Particularly, electronic third-party business confirming server carries out authentication signature to user's PKI, can prevent that client public key from being pretended to be, and the client public key after will signing is stored in mobile banking's server, and the prompting user public key certificate generates successfully after the client public key of mobile banking server stores signature.
Generation method according to the digital certificate of the embodiment of the invention, generate client public key and private key at portable terminal, user profile and client public key are sent to before mobile banking's server, portable terminal and mobile banking's server and bank comprehensive front server are verified in many ways, and the mode with digital certificate is stored in mobile banking's server after checking, guarantee the fail safe of client public key transmission channel, increase the difficulty of attacking.Simultaneously mobile banking's server is through verifying the hardware information of portable terminal, can know clearly which portable terminal what communicate by letter with oneself is, prevents from palming off portable terminal and mobile banking's server and carries out having guaranteed safety alternately.
Embodiment 3
Fig. 3 is the structured flowchart of generation system of the digital certificate of the embodiment of the invention 3.
As shown in Figure 3, the generation system according to the digital certificate of the embodiment of the invention comprises: portable terminal 10, mobile banking's server 20, bank comprehensive front server 30 and electronic third-party business confirming server 40.
Particularly, portable terminal 10 is used for receiving register instruction, and connect according to register instruction and mobile banking's server 20, and generate a pair of client public key and private key, and utilize the PKI of the mobile banking's server 20 that prestores that account information, the first authorization information and the first accidental enciphering parameter are encrypted, and the information after will encrypting is sent to mobile banking's server 20; Perhaps
Portable terminal 10 receives register instruction, and connect according to register instruction and mobile banking's server 20, and generate a pair of client public key and private key, and utilize the PKI of the mobile banking's server 20 that prestores that account information, hardware information (cryptographic Hash of hardware characteristics information or hardware characteristics information), the first authorization information and the first accidental enciphering parameter are encrypted, and the information after will encrypting is sent to mobile banking's server 20.Wherein, hardware characteristics information comprises the MAC Address of equipment Serial Number and/or network interface card.
Mobile banking's server 20 utilizes the private key of mobile banking's server 20 that the information from portable terminal 10 is decrypted, to obtain account information, the first authorization information and the first accidental enciphering parameter, and the first authorization information verified, checking by after account information is sent to bank comprehensive front server 30; Perhaps
Mobile banking's server 20 utilizes the private key of mobile banking's server 20 that the information from portable terminal 10 is decrypted, to obtain account information, hardware information, the first authorization information and the first accidental enciphering parameter, and the first authorization information verified, checking by after account information is sent to bank comprehensive front server 30.
Bank comprehensive front server 30 is used for verifying from the account information of mobile banking's server 20, send the result to mobile banking's server 20, mobile banking's server 20 also is used for generating the second accidental enciphering parameter and the second authorization information at the result when being correct, and the second accidental enciphering parameter and the second authorization information are sent to portable terminal 10.
Portable terminal 10 utilizes the first accidental enciphering parameter and the second accidental enciphering parameter encrypts the second authorization information and client public key generates the 3rd authorization information, and the 3rd authorization information is sent to mobile banking's server 20,20 pairs of the 3rd authorization informations from portable terminal 10 of mobile banking's server are verified, and checking by after client public key be sent to electronic third-party business confirming server 40 carry out authentication signature, to generate the client public key certificate; Perhaps
Portable terminal 10 is encrypted to generate the 3rd authorization information according to the first accidental enciphering parameter and the second accidental enciphering parameter to the second authorization information and the client public key that the user inputs, and according to private key for user the cryptographic Hash of hardware characteristics information or hardware characteristics information is signed to generate the first signing messages, with the 3rd authorization information, client public key and the first signing messages are sent to mobile banking's server 20,20 pairs of the 3rd authorization information and the first signing messages from portable terminal 10 of mobile banking's server are verified, and checking by after client public key be sent to electronic third-party business confirming server 40 carry out authentication signature, to generate the client public key certificate.
In the present embodiment, can utilize the first accidental enciphering parameter and the second accidental enciphering parameter that the second authorization information and client public key are carried out segmentation and be MAC to generate the 3rd authorization information.
Generation system according to the digital certificate of the embodiment of the invention, generate client public key and private key at portable terminal, user profile and client public key are sent to before mobile banking's server, portable terminal and mobile banking's server and bank comprehensive front server are verified in many ways, and the mode with digital certificate is stored in mobile banking's server after checking, guarantee the fail safe of client public key transmission channel, increase the difficulty of attacking.Simultaneously mobile banking's server is through verifying the hardware information of portable terminal, can know clearly which portable terminal what communicate by letter with oneself is, prevents from palming off portable terminal and mobile banking's server and carries out having guaranteed safety alternately.
In one embodiment of the invention, portable terminal 10 also is used for: obtain the PKI of mobile banking's server 20 and the PKI of bank comprehensive front server 30 from the software that loads, and according to register instruction the PKI of mobile banking's server 20 and the PKI of bank comprehensive front server 30 are verified, and checking by after connect according to register instruction and mobile banking's server 20.
Mobile banking's server 20 also is used for: pass through Information generation the second accidental enciphering parameter and the second authorization information according to checking, and according to the first accidental enciphering parameter the second accidental enciphering parameter is encrypted, and with the second authorization information and the second accidental enciphering parameter after encrypting be sent to portable terminal 10.Wherein, the second authorization information is sent to portable terminal 10 with the form of note, and portable terminal 10 is decrypted the second accidental enciphering parameter according to the first accidental enciphering parameter.
Mobile banking's server 20 also is used for: the first accidental enciphering parameter and the second accidental enciphering parameter according to storage are encrypted to generate the 4th authorization information to the second authorization information and client public key, and according to client public key the first signing messages is carried out sign test, and judge whether the 3rd authorization information is consistent with the 4th authorization information, whether the first signing messages is consistent by sign test, if consistent also by sign test, then checking is passed through.
Although illustrated and described embodiments of the invention, for the ordinary skill in the art, be appreciated that without departing from the principles and spirit of the present invention and can carry out multiple variation, modification, replacement and modification to these embodiment that scope of the present invention is by claims and be equal to and limit.
Claims (17)
1. the generation method of a digital certificate is characterized in that the method comprises:
A, portable terminal receive register instruction, and connect according to described register instruction and mobile banking's server, and generate a pair of client public key and private key;
The PKI of the described mobile banking server that b, portable terminal utilization prestore is encrypted account information, the first authorization information and the first accidental enciphering parameter, and the information after will encrypting is sent to described mobile banking server;
The private key of c, the described mobile banking of described mobile banking server by utilizing server is decrypted the information from described portable terminal, to obtain described account information, described the first authorization information and the first accidental enciphering parameter, and described the first authorization information verified, checking by after described account information is sent to the bank comprehensive front server;
D, described bank comprehensive front server send the result to described mobile banking server to verifying from the described account information of described mobile banking server;
E, at described the result when being correct, described mobile banking server generates the second accidental enciphering parameter and the second authorization information, and described the second accidental enciphering parameter and described the second authorization information are sent to described portable terminal;
F, described portable terminal utilize described the first accidental enciphering parameter and the second accidental enciphering parameter to encrypt described the second authorization information and described client public key generates the 3rd authorization information, and the 3rd authorization information is sent to described mobile banking server; And
G, described mobile banking server verify described the 3rd authorization information from described portable terminal, and checking by after described client public key be sent to electronic third-party business confirming server carry out authentication signature, to generate the client public key certificate.
2. method according to claim 1 is characterized in that, portable terminal among the described step a receives register instruction, and comprises according to the step that described register instruction and mobile banking's server connect:
Described portable terminal obtains the PKI of mobile banking's server and the PKI of bank comprehensive front server from the software that loads, the PKI of described mobile banking server and the PKI of described bank comprehensive front server are verified, and the checking by after connect according to described register instruction and described mobile banking server.
3. method according to claim 1 is characterized in that, described step b also comprises:
The PKI of the described mobile banking server that described portable terminal utilization prestores is encrypted the hardware characteristics information of described portable terminal, and wherein, described hardware characteristics information comprises the MAC Address of equipment Serial Number and/or network interface card;
Or
The PKI of the described mobile banking server that described portable terminal utilization prestores is encrypted the cryptographic Hash of the hardware characteristics information of described portable terminal, and wherein, described hardware characteristics information comprises the MAC Address of equipment Serial Number and/or network interface card.
4. method according to claim 3 is characterized in that, described account information comprises phone number, bank's card number and login password, and described step b comprises:
Described portable terminal receives described the first authorization information that described mobile banking server generates, and wherein said the first authorization information is graphical verification code; And
Described portable terminal is encrypted described phone number, bank's card number, login password, hardware characteristics information, the first accidental enciphering parameter and the first authorization information according to the PKI of described mobile banking server, and will encrypt after information be sent to described mobile banking server, wherein said the first accidental enciphering parameter is generated by described portable terminal;
Perhaps
Described portable terminal is encrypted according to the PKI of described mobile banking server cryptographic Hash, the described first accidental enciphering parameter of generation and described first authorization information of reception to the cryptographic Hash of the described bank card number of the described phone number that receives, reception, the described login password that calculates, the described hardware characteristics information that calculates, and the information afterwards of will encrypting is sent to described mobile banking server.
5. method according to claim 1 is characterized in that, the step that among the described step e described the second accidental enciphering parameter and described the second authorization information is sent to described portable terminal comprises:
Described mobile banking server is encrypted described the second accidental enciphering parameter according to described the first accidental enciphering parameter, and described the second accidental enciphering parameter after will encrypting is sent to described portable terminal;
Described mobile banking server is sent to described portable terminal with described the second authorization information with the form of note.
6. method according to claim 5 is characterized in that, described the second accidental enciphering parameter and described the second authorization information are sent to after the step of described portable terminal, and before the step f, described method also comprises:
Described portable terminal is decrypted described the second accidental enciphering parameter after encrypting according to described the first accidental enciphering parameter, obtains described the second accidental enciphering parameter; And the second authorization information of reception user input.
7. method according to claim 3 is characterized in that, described step f comprises:
Described portable terminal is encrypted to generate described the 3rd authorization information according to described the first accidental enciphering parameter and the second accidental enciphering parameter to described the second authorization information and described client public key, and according to described private key for user described hardware characteristics information is signed to generate the first signing messages, and described the 3rd authorization information, client public key and the first signing messages are sent to described mobile banking server; Or
Described portable terminal is encrypted to generate described the 3rd authorization information according to described the first accidental enciphering parameter and the second accidental enciphering parameter to described the second authorization information and described client public key, and according to described private key for user the cryptographic Hash of described hardware characteristics information is signed to generate the first signing messages, and described the 3rd authorization information, client public key and the first signing messages are sent to described mobile banking server.
8. method according to claim 7 is characterized in that, mobile banking's server described in the described step g comprises the step of verifying from described the 3rd authorization information of described portable terminal:
Described mobile banking server is encrypted to generate the 4th authorization information according to described the first accidental enciphering parameter and the second accidental enciphering parameter of storage to described the second authorization information and described client public key, and according to described client public key described the first signing messages is carried out sign test, and judge whether described the 3rd authorization information is consistent with described the 4th authorization information, and whether described the first signing messages passes through sign test; If consistent also by sign test, then checking is passed through.
9. according to claim 1 or 7 described methods, it is characterized in that the step that generates the 3rd authorization information described in the step f comprises:
Utilize described the first accidental enciphering parameter and described the second accidental enciphering parameter that described the second authorization information and described client public key are carried out segmentation and be MAC.
10. the generation system of a digital certificate is characterized in that, this system comprises: portable terminal, mobile banking's server and bank comprehensive front server, wherein,
Described portable terminal, be used for receiving register instruction, and connect according to described register instruction and described mobile banking server, and generate a pair of client public key and private key, and utilize the PKI of the described mobile banking server that prestores that account information, the first authorization information and the first accidental enciphering parameter are encrypted, and the information after will encrypting is sent to described mobile banking server;
Described mobile banking server, be used for utilizing the private key of described mobile banking server that the information from described portable terminal is decrypted, to obtain described account information, described the first authorization information and the first accidental enciphering parameter, and described the first authorization information verified, checking by after described account information is sent to the bank comprehensive front server;
Described bank comprehensive front server is used for sending the result to described mobile banking server to verifying from the described account information of described mobile banking server;
Described mobile banking server also is used for generating the second accidental enciphering parameter and the second authorization information when being correct at described the result, and described the second accidental enciphering parameter and described the second authorization information be sent to described portable terminal, described portable terminal utilizes described the first accidental enciphering parameter and the second accidental enciphering parameter encrypts the second authorization information and described client public key generates the 3rd authorization information, and the 3rd authorization information is sent to described mobile banking server, described mobile banking server is verified described the 3rd authorization information from described portable terminal, and checking by after described client public key be sent to electronic third-party business confirming server carry out authentication signature, to generate the client public key certificate.
11. system according to claim 10, it is characterized in that, described portable terminal also obtains the PKI of mobile banking's server and the PKI of bank comprehensive front server from the software that loads, the PKI of described mobile banking server and the PKI of described bank comprehensive front server are verified, and the checking by after connect according to described register instruction and described mobile banking server.
12. system according to claim 10, it is characterized in that, the PKI that described portable terminal also utilizes the described mobile banking server that prestores is encrypted the cryptographic Hash of the hardware characteristics information of the hardware characteristics information of described portable terminal or described portable terminal, and the information after will encrypting is sent to described mobile banking server, wherein, described hardware characteristics information comprises the MAC Address of equipment Serial Number and/or network interface card.
13. system according to claim 12 is characterized in that, described account information comprises phone number, bank's card number and login password, and described portable terminal also is used for:
Receive described the first authorization information that described mobile banking server generates, wherein said the first authorization information is graphical verification code, and according to the PKI of described mobile banking server described phone number, bank's card number, login password, hardware characteristics information, the first accidental enciphering parameter and the first authorization information are encrypted, and will encrypt after information be sent to described mobile banking server, wherein said the first accidental enciphering parameter is generated by described portable terminal;
Perhaps
Described portable terminal is encrypted according to the PKI of described mobile banking server cryptographic Hash, the described first accidental enciphering parameter of generation and described first authorization information of reception to the cryptographic Hash of the described bank card number of the described phone number that receives, reception, the described login password that calculates, the described hardware characteristics information that calculates, and the information afterwards of will encrypting is sent to described mobile banking server.
14. system according to claim 10 is characterized in that, described mobile banking server also is used for:
According to described the first accidental enciphering parameter described the second accidental enciphering parameter is encrypted, and described the second accidental enciphering parameter after will encrypting is sent to described portable terminal, and described the second authorization information is sent to described portable terminal with the form of note.
15. system according to claim 14 is characterized in that, described portable terminal also is used for:
According to described the first accidental enciphering parameter described the second accidental enciphering parameter after encrypting is decrypted, obtains described the second accidental enciphering parameter; And the second authorization information of reception user input.
16. system according to claim 12 is characterized in that, described portable terminal also is used for:
According to described the first accidental enciphering parameter and the second accidental enciphering parameter described the second authorization information and described client public key are encrypted to generate described the 3rd authorization information, and according to described private key for user described hardware characteristics information is signed to generate the first signing messages, and described the 3rd authorization information, client public key and the first signing messages are sent to described mobile banking server; Or
Described portable terminal is encrypted to generate described the 3rd authorization information according to described the first accidental enciphering parameter and the second accidental enciphering parameter to described the second authorization information and described client public key, and according to described private key for user the cryptographic Hash of described hardware characteristics information is signed to generate the first signing messages, and described the 3rd authorization information, client public key and the first signing messages are sent to described mobile banking server.
17. system according to claim 16 is characterized in that, described mobile banking server also is used for:
Described the first accidental enciphering parameter and the second accidental enciphering parameter according to storage are encrypted to generate the 4th authorization information to described the second authorization information and described client public key, and according to described client public key described the first signing messages is carried out sign test, and judge whether described the 3rd authorization information is consistent with described the 4th authorization information, and whether described the first signing messages passes through sign test; If consistent also by sign test, then checking is passed through.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310009380.0A CN103078742B (en) | 2013-01-10 | 2013-01-10 | Generation method and system of digital certificate |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310009380.0A CN103078742B (en) | 2013-01-10 | 2013-01-10 | Generation method and system of digital certificate |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103078742A true CN103078742A (en) | 2013-05-01 |
| CN103078742B CN103078742B (en) | 2015-04-08 |
Family
ID=48155152
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310009380.0A Active CN103078742B (en) | 2013-01-10 | 2013-01-10 | Generation method and system of digital certificate |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103078742B (en) |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103942686A (en) * | 2014-04-25 | 2014-07-23 | 天地融科技股份有限公司 | Data security interactive system |
| CN103942684A (en) * | 2014-04-25 | 2014-07-23 | 天地融科技股份有限公司 | Data security interactive system |
| CN103942685A (en) * | 2014-04-25 | 2014-07-23 | 天地融科技股份有限公司 | Data security interactive system |
| CN104426657A (en) * | 2013-08-23 | 2015-03-18 | 阿里巴巴集团控股有限公司 | Service authentication method and system, server |
| CN104767613A (en) * | 2014-01-02 | 2015-07-08 | 腾讯科技(深圳)有限公司 | Signature verification method, device and system |
| CN104935441A (en) * | 2015-06-30 | 2015-09-23 | 京东方科技集团股份有限公司 | Authentication method and relevant devices and systems |
| CN107888382A (en) * | 2017-11-24 | 2018-04-06 | 中钞信用卡产业发展有限公司杭州区块链技术研究院 | A kind of methods, devices and systems of the digital identity checking based on block chain |
| CN109067524A (en) * | 2018-07-31 | 2018-12-21 | 杭州复杂美科技有限公司 | A kind of public private key pair generation method and system |
| CN109245898A (en) * | 2018-08-29 | 2019-01-18 | 广东美的制冷设备有限公司 | Household appliance and its anti-fake generating device, anti-fake preparation method and its cut-in method |
| CN109284973A (en) * | 2018-08-24 | 2019-01-29 | 吴笑盈 | A kind of machinery plant reckons by the piece Working hours management system |
| CN109547459A (en) * | 2018-12-11 | 2019-03-29 | 航天信息股份有限公司 | A kind of method and system of authorization terminal equipment printing electronic bill |
| CN111193730A (en) * | 2019-12-25 | 2020-05-22 | 上海沄界信息科技有限公司 | IoT trusted scene construction method and device |
| CN112565156A (en) * | 2019-09-10 | 2021-03-26 | 北京京东尚科信息技术有限公司 | Information registration method, device and system |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070050303A1 (en) * | 2005-08-24 | 2007-03-01 | Schroeder Dale W | Biometric identification device |
| CN1934821A (en) * | 2004-03-22 | 2007-03-21 | 三星电子株式会社 | Authentication between device and portable storage |
| CN101123501A (en) * | 2006-08-08 | 2008-02-13 | 西安电子科技大学 | A WAPI authentication and secret key negotiation method and system |
| CN101420303A (en) * | 2008-12-12 | 2009-04-29 | 广州杰赛科技股份有限公司 | Communication method for audio data and apparatus thereof |
| CN101523800A (en) * | 2006-10-10 | 2009-09-02 | 高通股份有限公司 | Method and apparatus for mutual authentication |
-
2013
- 2013-01-10 CN CN201310009380.0A patent/CN103078742B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1934821A (en) * | 2004-03-22 | 2007-03-21 | 三星电子株式会社 | Authentication between device and portable storage |
| US20070050303A1 (en) * | 2005-08-24 | 2007-03-01 | Schroeder Dale W | Biometric identification device |
| CN101123501A (en) * | 2006-08-08 | 2008-02-13 | 西安电子科技大学 | A WAPI authentication and secret key negotiation method and system |
| CN101523800A (en) * | 2006-10-10 | 2009-09-02 | 高通股份有限公司 | Method and apparatus for mutual authentication |
| CN101420303A (en) * | 2008-12-12 | 2009-04-29 | 广州杰赛科技股份有限公司 | Communication method for audio data and apparatus thereof |
Non-Patent Citations (3)
| Title |
|---|
| 周进: "《手机银行系统安全性保障的设计研究》", 《信息安全与技术》, 30 November 2010 (2010-11-30), pages 33 - 34 * |
| 李福祥 等: "《基于数字证书的移动支付协议》", 《计算机科学》, vol. 39, no. 11, 30 November 2012 (2012-11-30), pages 19 - 23 * |
| 胡千 等: "《基于CA的移动终端安全支付系统的研究与设计》", 《贵州师范大学学报(自然科学版)》, vol. 29, no. 3, 31 August 2011 (2011-08-31), pages 93 - 96 * |
Cited By (22)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104426657B (en) * | 2013-08-23 | 2017-12-26 | 阿里巴巴集团控股有限公司 | A kind of service authentication method, system and server |
| CN104426657A (en) * | 2013-08-23 | 2015-03-18 | 阿里巴巴集团控股有限公司 | Service authentication method and system, server |
| CN104767613A (en) * | 2014-01-02 | 2015-07-08 | 腾讯科技(深圳)有限公司 | Signature verification method, device and system |
| CN104767613B (en) * | 2014-01-02 | 2018-02-13 | 腾讯科技(深圳)有限公司 | Signature verification method, apparatus and system |
| US11854003B2 (en) | 2014-01-02 | 2023-12-26 | Tencent Technology (Shenzhen) Company Limited | Signature verification method, apparatus, and system |
| US10915896B2 (en) | 2014-01-02 | 2021-02-09 | Tencent Technology (Shenzhen) Company Limited | Signature verification method, apparatus, and system |
| CN103942684A (en) * | 2014-04-25 | 2014-07-23 | 天地融科技股份有限公司 | Data security interactive system |
| CN103942685A (en) * | 2014-04-25 | 2014-07-23 | 天地融科技股份有限公司 | Data security interactive system |
| CN103942686A (en) * | 2014-04-25 | 2014-07-23 | 天地融科技股份有限公司 | Data security interactive system |
| CN104935441A (en) * | 2015-06-30 | 2015-09-23 | 京东方科技集团股份有限公司 | Authentication method and relevant devices and systems |
| CN104935441B (en) * | 2015-06-30 | 2018-09-21 | 京东方科技集团股份有限公司 | A kind of authentication method and relevant apparatus, system |
| CN107888382B (en) * | 2017-11-24 | 2019-11-19 | 中钞信用卡产业发展有限公司杭州区块链技术研究院 | A kind of methods, devices and systems of the digital identity verifying based on block chain |
| CN107888382A (en) * | 2017-11-24 | 2018-04-06 | 中钞信用卡产业发展有限公司杭州区块链技术研究院 | A kind of methods, devices and systems of the digital identity checking based on block chain |
| CN109067524A (en) * | 2018-07-31 | 2018-12-21 | 杭州复杂美科技有限公司 | A kind of public private key pair generation method and system |
| CN109284973A (en) * | 2018-08-24 | 2019-01-29 | 吴笑盈 | A kind of machinery plant reckons by the piece Working hours management system |
| CN109284973B (en) * | 2018-08-24 | 2022-05-17 | 吴笑盈 | Management system for counting work hours of machinery factory |
| WO2020042276A1 (en) * | 2018-08-29 | 2020-03-05 | 广东美的制冷设备有限公司 | Household appliance, and anti-counterfeiting generation device, anti-counterfeiting preparation method and access method therefor |
| CN109245898A (en) * | 2018-08-29 | 2019-01-18 | 广东美的制冷设备有限公司 | Household appliance and its anti-fake generating device, anti-fake preparation method and its cut-in method |
| CN109547459A (en) * | 2018-12-11 | 2019-03-29 | 航天信息股份有限公司 | A kind of method and system of authorization terminal equipment printing electronic bill |
| CN112565156A (en) * | 2019-09-10 | 2021-03-26 | 北京京东尚科信息技术有限公司 | Information registration method, device and system |
| CN111193730A (en) * | 2019-12-25 | 2020-05-22 | 上海沄界信息科技有限公司 | IoT trusted scene construction method and device |
| CN111193730B (en) * | 2019-12-25 | 2022-06-14 | 上海沄界信息科技有限公司 | IoT trusted scene construction method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103078742B (en) | 2015-04-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103067401B (en) | Method and system for key protection | |
| CN103078742B (en) | Generation method and system of digital certificate | |
| US11588637B2 (en) | Methods for secure cryptogram generation | |
| CN103067402B (en) | The generation method and system of digital certificate | |
| CN106603485B (en) | Key agreement method and device | |
| US9838205B2 (en) | Network authentication method for secure electronic transactions | |
| EP2999189B1 (en) | Network authentication method for secure electronic transactions | |
| CN105790938B (en) | Safe unit key generation system and method based on credible performing environment | |
| CN103095456B (en) | The processing method of transaction message and system | |
| CN101828357B (en) | Credential provisioning method and device | |
| CN103297403A (en) | Method and system for achieving dynamic password authentication | |
| WO2015161689A1 (en) | Data processing method based on negotiation key | |
| CN104821933A (en) | Device and method certificate generation | |
| JP5380583B1 (en) | Device authentication method and system | |
| CN103269271A (en) | Method and system for back-upping private key in electronic signature token | |
| CN102905260A (en) | Safety and certification system for data transmission of mobile terminal | |
| CN105812334A (en) | Network authentication method | |
| CN113204760B (en) | Method and system for establishing secure channel for software cryptographic module | |
| WO2015135398A1 (en) | Negotiation key based data processing method | |
| CN111130798A (en) | Request authentication method and related equipment | |
| WO2015109958A1 (en) | Data processing method based on negotiation key, and mobile phone | |
| CN114139176A (en) | Industrial internet core data protection method and system based on state secret | |
| CN111435389A (en) | Power distribution terminal operation and maintenance tool safety protection system | |
| WO2015158173A1 (en) | Agreement key-based data processing method | |
| CN103813321A (en) | Agreement key based data processing method and mobile phone |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |