
CN105337977A - Secure mobile communication architecture with dynamic two-way authentication and implementation method thereof - Google Patents


Info

Publication number: CN105337977A
Authority: CN (China)
Prior art keywords: client terminal, server end, ssl, certificate, server
Legal status: Granted; currently Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201510782319.9A
Other languages: Chinese (zh)
Other versions: CN105337977B (en)
Inventors: 汪德嘉, 刘伟, 刘景景
Current assignee: SUZHOU PAYEGIS INFORMATION TECHNOLOGY Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: SUZHOU PAYEGIS INFORMATION TECHNOLOGY Co Ltd
Application filed by: SUZHOU PAYEGIS INFORMATION TECHNOLOGY Co Ltd
Priority: CN201510782319.9A (the priority date is an assumption and is not a legal conclusion)
Publications: CN105337977A (application), CN105337977B (granted patent)

Classifications

All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/0869 Network architectures or network communication protocols for network security, for authentication of entities, for achieving mutual authentication
    • H04L63/0823 Network architectures or network communication protocols for network security, for authentication of entities, using certificates
    • H04L63/0876 Network architectures or network communication protocols for network security, for authentication of entities, based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/3249 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme

Abstract

The invention provides a secure mobile communication architecture with dynamic two-way authentication and a method for implementing it. In this architecture the client terminal and the server authenticate each other: the server uses a self-signed SSL certificate, and the client authenticates the server by verifying the server's SSL certificate; the server authenticates the client through identity and access management provided by an asymmetric key pair and PKI technology; and communication between the client terminal and the server uses the SSL security protocol so that data is protected throughout the communication. Mobile communication carried out over this architecture is simple to implement, eliminates the counterfeiting, hacker-attack and man-in-the-middle threats present in common mobile communication mechanisms, and greatly increases the security of communication between the mobile client terminal and the server.

Description

Secure mobile communication architecture with dynamic two-way authentication and implementation method thereof
Technical field
The present invention relates to the field of mobile information security, and in particular to a secure mobile communication mechanism with dynamic two-way authentication and a method for implementing it.
Background technology
By the end of the second quarter of 2015, China had 657 million mobile internet users and 601 million smartphone users, mobile payments had grown 445% year on year, and Chinese consumers had entered the era of mobile payment. At the same time, criminals produce malware such as fake online-banking "upgrade assistants", pirated mobile-banking clients and phishing Alipay apps, which seriously threatens the security of mobile payment.
The first domestic security report on mobile-banking apps showed that most mobile-banking apps are still insecure; in particular, the Android clients of a minority of banks have weaknesses such as incomplete encryption mechanisms and failure to verify the identity of the server, which could be exploited by hackers or trojans. Login is the first step in using a mobile-banking client, and because sensitive information such as the bank account number and password is entered there, its security is especially important. The report showed two obvious classes of login weakness: the first is an encryption mechanism that is incomplete or too simple and therefore easy for an attacker to hijack or crack; the second is that the client does not verify the identity of the server during communication, so the login process is easily subjected to a "man-in-the-middle attack". Some mobile-banking apps transmit data as "HTTP (Hypertext Transfer Protocol) + simple encryption", which is very easy to hijack or crack.
It has been reported that counterfeit and phishing malware may use the following technique: it monitors the foreground window from the background and, as soon as the foreground shows the login interface of a banking application, immediately launches its own counterfeit interface, without the user noticing anything. If the user then unknowingly enters the user name and password into the counterfeit login interface, the account and password are stolen. Worse, a single piece of malware can detect, counterfeit and hijack the login interfaces of several banks' clients at the same time, and many banking apps cannot solve this kind of problem effectively.
Users are gradually paying more attention to the security of apps. If customer data is stored on a server, SSL encryption of the communication between client and server should be considered; SSL can protect sensitive information (such as bank card numbers, social security card numbers and login credentials) in transit.
Statistics from the 360 Mobile Security Center show that 50% of mobile apps use the secure HTTPS transport protocol, including mobile advertising plug-ins, mobile payment apps, social sharing apps and other types. A research team from the universities of Hanover and Marburg studied the SSL and TLS vulnerabilities of the 13,000 most popular free apps in the Play Store and found that 1,074 app packages contain SSL-specific code that either accepts all certificates or accepts all host names, which makes them potentially vulnerable to MITM (man-in-the-middle) attacks. The researchers also manually audited 100 apps and found that 41 of them were open to MITM attacks because of SSL vulnerabilities. According to the team, the vulnerable apps could be exploited by an attacker to steal extremely sensitive user information, including user names and passwords for Facebook, Google, Yahoo and even online banking. So although HTTPS is used, the information these apps exchange with their servers can still be stolen by hackers, endangering the account names and passwords used for mobile login.
Summary of the invention
To address the counterfeiting, phishing and man-in-the-middle problems in the communication between the client app described above and the server, the present invention proposes a secure mobile communication architecture with dynamic two-way authentication and a method for implementing it, in order to solve the problem of secure communication.
The first object of the invention is achieved by the following technical solution: a secure mobile communication architecture with dynamic two-way authentication, characterised in that the architecture is realised by an SSL certificate and an asymmetric key pair shared between the client terminal and the server; the SSL certificate is issued by the server and hard-coded into the app developed for the client terminal, and during app operation the client terminal checks that the SSL certificate received from the server matches the one hard-coded into the app; the asymmetric key pair is a public key and a private key generated on the client terminal and uniquely bound to the user registered at the server, where the public key is sent over an SSL secure channel and kept only by the server, and the private key is stored encrypted, fixed to the client terminal, and never transmitted over the network; the server verifies the validity of signatures made with the private key over the SSL secure channel, using the public key.
Further, the SSL certificate is a self-signed SSL certificate issued by the server and pinned in the client (certificate pinning).
Further, the SSL certificate is an SSL certificate issued by a third-party authority and adopted by the server.
The second object of the invention is achieved by a technical solution based on the foregoing secure mobile communication architecture, characterised by the following steps:
S01: the server issues an SSL certificate, which is hard-coded into the app developed for the client terminal; when the user registers, the client terminal automatically generates an asymmetric key pair specific to that user and that device, sends the public key of the pair to the server over the SSL secure channel, where it is kept, and deletes the public key from the device; the private key of the pair is stored on the client terminal encrypted with a PIN/passcode;
S02: the client terminal sends an authentication request to the server;
S03: the server sends its SSL certificate to the client terminal;
S04: the client terminal compares the SSL certificate hard-coded into the device with the certificate received and, if they are identical, completes the client's authentication of the server;
S05: the server performs an integrity check on the client app, and an SSL secure channel is established;
S06: the user enters the ID and PIN on the client terminal, which decrypts the private key stored on the device;
S07: the server sends a random challenge to the client terminal over the SSL secure channel;
S08: the client terminal signs the random challenge with the private key stored on the device and sends the signature value back to the server;
S09: the server verifies the signature value sent by the client terminal with the corresponding stored public key, completing the server's authentication of the client;
S10: the client terminal and the server carry out the secure app transaction.
Further, the method is applied to the communication between a mobile-banking, mobile-payment or social-sharing platform and its respective background server, wherever hacker phishing and man-in-the-middle attacks must be defended against.
Compared with existing mobile communication frameworks, the secure mobile communication architecture with dynamic two-way authentication of the present invention and its implementation method are a significant advance: client terminal and server authenticate each other and communicate over the SSL security protocol, which guarantees the security of the communicated data and eliminates the counterfeiting, phishing and man-in-the-middle threats present in ordinary mobile communication mechanisms. The server uses a self-signed certificate, so no certificate need be requested from a third-party authority; this removes the tedious certificate application and maintenance process and saves cost to some extent. Client authentication requires no device certificate: identity and access management (IAM) is provided by an asymmetric key pair and PKI technology, which can fully defend against hacker attacks, phishing attacks and malware attacks.
Description of the drawings
Fig. 1 is a schematic flow chart of the client terminal and user registering an ID at the server in the present invention.
Fig. 2 is a schematic flow chart of the implementation method of the secure mobile communication architecture with dynamic two-way authentication in the present invention.
Embodiments
Addressing the counterfeiting, phishing and man-in-the-middle problems in existing mobile communication mechanisms, the present invention proposes a secure mobile communication architecture with dynamic two-way authentication and gives a method for implementing it. To describe the architecture and method more clearly, the invention is described below with reference to the drawings and embodiments; a person of ordinary skill in the art can derive further drawings from these without inventive effort.
First, the hardware architecture on which the dynamic two-way authentication of the invention relies is introduced. It is realised by an SSL certificate and an asymmetric key pair shared between the client terminal and the server. The SSL certificate is issued by the server and hard-coded into the app developed for the client terminal; during app operation the client terminal checks that the certificate received from the server matches the one hard-coded into the app. The asymmetric key pair is a public key and a private key generated on the client terminal and uniquely bound to the user registered at the server; the public key is sent over the SSL secure channel and kept only by the server, while the private key is stored encrypted, fixed to the client terminal, and never transmitted over the network. The server verifies the validity of signatures made with the private key over the SSL secure channel, using the public key.
Note that an app is usually bound to a single server, so the SSL certificate above can be a self-signed certificate issued by the server and pinned in the client, which is more widely applicable. In some practical applications the server may instead use an SSL certificate issued by a third-party authority. The client's authentication of the server then requires verification of the certificate chain to confirm that the certificate was issued by a trusted authority; if something goes wrong during verification, the client can warn the user that the certificate is untrusted, but some users will still choose to trust the problematic certificate, which gives hacker phishing and man-in-the-middle attacks their opportunity.
The implementation method of the secure communication of the invention is now described in detail. Before communicating over the dynamic two-way authentication mobile communication framework of the invention, the client-terminal user must register at the server. As shown in Fig. 1, the flow by which a client-terminal user registers an ID at the server comprises at least the following steps:
A: the client terminal sends an authentication request to the server;
B: the server sends its SSL certificate to the client terminal;
C: the client terminal compares the SSL certificate hard-coded locally with the certificate received and checks that they are identical;
D: the server performs an integrity check on the client app;
E: the client terminal and the server establish an SSL secure communication channel;
F: the user sets a user name; at the same time the client terminal generates an asymmetric key pair for the user on the mobile device, sends the public key to the server encrypted over SSL, and deletes the local copy of the public key; the server stores the public key encrypted;
G: the client terminal sends the user name, together with a signature over the user name, to the server;
H: the server checks whether the user name is available and verifies the validity of the signature;
I: the client terminal asks the user to set a PIN/passcode/fingerprint, which is used to encrypt the private key of the key pair.
Further, the server SSL certificate in step B is a self-signed certificate, that is, a certificate of itself issued by the signing entity rather than by a trusted certification authority, so that issuer and subject are identical. Unlike web browsing on a computer, a mobile app is generally bound to a single server and is therefore suited to a self-signed certificate. The benefits of a self-signed certificate are that no additional application or installation of other certificates is needed, the tedious certificate application and maintenance process is removed, and, since a self-signed certificate is free, cost is saved to some extent.
Further, certificate pinning is used with the self-signed certificate: the server certificate is hard-coded directly into the client terminal, and the app then connects to the designated server using its own trust store in place of the one that ships with the phone's operating system. In this way the app no longer depends on the system trust store, which makes the app harder to crack.
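As an added illustration of the pinning described above (example code, not the patent's or the applicant's own implementation), the following Go client replaces the system trust store with a byte-for-byte check against the hard-coded server certificate. Generating the certificates in-process, the host name bank.example and the use of Go's crypto/tls are assumptions made so that the example runs stand-alone.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSignedDER issues a self-signed server certificate and returns its DER
// bytes. Operationally this happens once on the server; the DER is then
// compiled into the app as the "hard-coded" certificate of step B.
func selfSignedDER(cn string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// pinnedVerifier is the app's own trust decision (step C): the handshake
// succeeds only if the leaf certificate the server presented is byte-for-byte
// the pinned one. Validity dates are still checked so an expired pin fails.
func pinnedVerifier(pinnedDER []byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("server presented no certificate")
		}
		if !bytes.Equal(rawCerts[0], pinnedDER) {
			return errors.New("server certificate does not match the pinned certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
			return errors.New("pinned certificate is outside its validity period")
		}
		return nil
	}
}

// pinnedClientConfig replaces the system trust store with the pin check.
// InsecureSkipVerify on its own would accept any certificate; it is only
// acceptable here because VerifyPeerCertificate enforces the pin.
func pinnedClientConfig(pinnedDER []byte) *tls.Config {
	return &tls.Config{
		MinVersion:            tls.VersionTLS12,
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: pinnedVerifier(pinnedDER),
	}
}

func main() {
	genuine, _ := selfSignedDER("bank.example")  // constructed sample certificate
	impostor, _ := selfSignedDER("bank.example") // same name, different key pair
	verify := pinnedClientConfig(genuine).VerifyPeerCertificate
	fmt.Println("genuine: ", verify([][]byte{genuine}, nil))
	fmt.Println("impostor:", verify([][]byte{impostor}, nil))
}
```

Because the pin is the whole certificate, rotating the server certificate requires shipping a new app build; that is the operational cost of the scheme the text describes.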
Further, the establishment of the SSL secure channel between client terminal and server in step E comprises at least the following steps:
(1) the client terminal generates the random number Client.Random and sends it to the server;
(2) the server generates the random number Server.Random and sends it to the client terminal;
(3) the client terminal randomly generates the pre-master key Pre-master-key for the subsequent communication, encrypts it with the server public key SPubKey as C = E(SPubKey, Pre-master-key), and sends C to the server;
(4) on receiving C, the server decrypts it with the certificate's private key to obtain the pre-master key, then generates the master key master-key from Client.Random, Server.Random and the pre-master key Pre-master-key;
(5) the client terminal generates the master key master-key from Client.Random, Server.Random and the pre-master key Pre-master-key by the same method;
(6) the client terminal and the server each derive, by the same method from master-key, Client.Random and Server.Random, the traffic encryption key (TEK), the MAC key for integrity checking, and the initialization vector (IV) for the encryption operation;
(7) the client terminal and the server each verify that the negotiated keys are consistent.
The client's authentication of the server is completed by steps C and E. If the server is counterfeit, then in step E the client terminal cannot negotiate with it a consistent traffic encryption key, MAC key for integrity checking and IV for encryption, so the SSL connection cannot be correctly established; hence no counterfeit-server problem exists here.
If the asymmetric key pair of step F is RSA, a key length of not less than 2048 bits is recommended.
The user-name signature of step G means that the client terminal signs the user name with the private key of the asymmetric key pair; the signature verification of step H means that the server verifies with the client's public key whether the signature of step G is valid.
If in step H the server finds that the user name already exists, or that the user-name signature is invalid, it can require the user to choose the user name again, and a new asymmetric key pair is generated for the user.
In step I the client terminal requires the user to enter a PIN/passcode/fingerprint; through knowledge known only to the user, or biometric information the user possesses, the system proves that the user legitimately holds the private key. Encrypting the private key of the asymmetric key pair with the PIN/passcode/fingerprint means encrypting the private key with a symmetric key derived from the PIN/passcode or fingerprint and storing it securely on the mobile device. Neither the PIN/passcode nor the private key is ever transmitted over the network, so neither can be intercepted by an attacker. Further, the algorithm that derives the symmetric key from the PIN/passcode/fingerprint may be self-defined, or the standard PBKDF and PBKDF2 algorithms may be chosen.
Once the user has completed ID registration at the server, this two-way authentication secure mobile communication architecture can be used for secure communication. As shown in Fig. 2, it comprises at least the following steps:
S01: as in the registration steps above, summarised as follows: the server issues an SSL certificate, which is hard-coded into the app developed for the client terminal; when the user registers, the client terminal automatically generates an asymmetric key pair specific to that user and that device, sends the public key of the pair to the server over the SSL secure channel, where it is kept, and deletes the public key from the device; the private key of the pair is stored on the client terminal encrypted with a PIN/passcode;
S02: the client terminal sends an authentication request to the server;
S03: the server sends its SSL certificate to the client terminal;
S04: the client terminal compares the SSL certificate hard-coded into the device with the certificate received and, if they are identical, completes the client's authentication of the server;
S05: the server performs an integrity check on the client app, and an SSL secure channel is established;
S06: the user enters the ID and PIN on the client terminal, which decrypts the private key stored on the device;
S07: the server sends a random challenge to the client terminal over the SSL secure channel;
S08: the client terminal signs the random challenge with the private key stored on the device and sends the signature value back to the server;
S09: the server verifies the signature value sent by the client terminal with the corresponding stored public key, completing the server's authentication of the client;
S10: the client terminal and the server carry out the secure app transaction.
Further, the asymmetric key pair and PKI technology provide identity and access management (IAM) and fully defend against hacker attacks, phishing attacks and malware attacks.
In S06, even if an attacker gains access to the encrypted key, the correct key could only be obtained by trying every PIN code. Because the public key is stored only at the server and not in the client app, the attacker must request authentication from the server to find out whether the private key was decrypted correctly. And after n consecutive authentication failures the server locks the key; this is why a simple PIN of a few digits is enough to protect the private key.
S07 and S08 are a challenge-response process between client terminal and server. Each time the client-terminal user enters a PIN code, the server sends a random challenge to the client terminal; the client terminal signs the random challenge with the private key and sends the signature to the server, which verifies it with the corresponding public key. If the signature is valid, the server resets the count of consecutive authentication failures to 0; if it is invalid, the count is increased by 1. If the counter reaches its maximum (the server provides a default value, suggested to be no more than 10, which the client terminal may also adjust according to the required level of security), the account ID is locked and the device private key is invalidated at the same time. The user must then prove their identity through another secure channel, generate a new device private key on the client terminal, and notify the server to update the corresponding public key.
The secure mobile communication architecture with dynamic two-way authentication of the invention can prevent a hacker from attacking the device private key by exhaustively searching the PIN code: even if the attacker can guess a PIN and decrypt the private key, the attacker still cannot tell whether the decrypted data is the correct key; the result can only be learned through the challenge-response procedure with the server, and the server locks the account ID after several consecutive failed login attempts. An exhaustive search would need more than 10 password attempts, which exceeds the limit set by the server, so the exhaustive-search attack is bound to fail.
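The registration steps F to I and the login steps S06 to S09 above, as an added Go example that is not part of the patent: the device seals its private key under a key derived from the PIN, the server holds only the public key, and the consecutive-failure counter locks the account at the suggested maximum of 10. PBKDF2-HMAC-SHA256 with 100000 iterations, AES-GCM for the sealing, RSA-PSS over SHA-256 for the challenge signature and the sample PIN 4821 are assumptions; because GCM is authenticated, a wrong PIN is already refused on the device in this example, so the server-side counter is the control that bounds online guessing.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

const pbkdf2Iters = 100000 // assumed; the patent fixes no iteration count
const maxFailures = 10     // the patent suggests a default of no more than 10

// deriveKey is one block of PBKDF2-HMAC-SHA256 (RFC 8018), one of the PIN-to-key derivations the text names.
func deriveKey(pin string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(pin))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(i) for the first and only 32-byte block
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < pbkdf2Iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func digest(b []byte) []byte { d := sha256.Sum256(b); return d[:] }

// wrappedKey is all the device keeps: the private key sealed under the PIN-derived key (S01); the public key is held only by the server.
type wrappedKey struct{ Salt, Nonce, Sealed []byte }

func wrapPrivateKey(priv *rsa.PrivateKey, pin string) *wrappedKey {
	buf := make([]byte, 28) // 16-byte salt followed by a 12-byte GCM nonce
	rand.Read(buf)          // crypto/rand fills the slice; its failure is not recoverable here
	block, _ := aes.NewCipher(deriveKey(pin, buf[:16])) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	sealed := gcm.Seal(nil, buf[16:], x509.MarshalPKCS1PrivateKey(priv), nil)
	return &wrappedKey{Salt: buf[:16], Nonce: buf[16:], Sealed: sealed}
}

// unwrapPrivateKey is step S06. GCM is authenticated, so a wrong PIN is refused
// on the device; the server-side counter is what bounds online guessing.
func unwrapPrivateKey(w *wrappedKey, pin string) (*rsa.PrivateKey, error) {
	block, _ := aes.NewCipher(deriveKey(pin, w.Salt))
	gcm, _ := cipher.NewGCM(block)
	der, err := gcm.Open(nil, w.Nonce, w.Sealed, nil)
	if err != nil {
		return nil, errors.New("wrong PIN or corrupted key blob")
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// account is the server's record for one user: the public key plus the count of
// consecutive failed challenge responses that drives the S07/S08 lockout.
type account struct {
	pub      *rsa.PublicKey
	failures int
	locked   bool
}

// verify is step S09: a valid signature resets the counter; an invalid one
// counts toward the limit, after which the account and device key are dead.
func (a *account) verify(challenge, sig []byte) error {
	if a.locked {
		return errors.New("account locked; a new device key must be enrolled")
	}
	if err := rsa.VerifyPSS(a.pub, crypto.SHA256, digest(challenge), sig, nil); err != nil {
		a.failures++
		a.locked = a.failures >= maxFailures
		return fmt.Errorf("invalid signature (%d/%d failures)", a.failures, maxFailures)
	}
	a.failures = 0
	return nil
}

// authenticate is one login attempt: S06 unwrap, S07 challenge, S08 sign, S09 verify.
func authenticate(a *account, w *wrappedKey, pin string) error {
	priv, err := unwrapPrivateKey(w, pin)
	if err != nil {
		return err
	}
	challenge := make([]byte, 32) // S07: fresh random value from the server
	rand.Read(challenge)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest(challenge), nil) // S08
	if err != nil {
		return err
	}
	return a.verify(challenge, sig)
}
```

A 2048-bit RSA key, as the text recommends, is generated with rsa.GenerateKey and enrolled by storing &priv.PublicKey in an account while the device keeps only wrapPrivateKey(priv, pin).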
Through these steps of S01 to S10, can realize client terminal and server end two-way authentication, the SSL traffic agreement of carrying out afterwards is two-way SSL authentication protocol.
The present invention can be applied to several scenes, and mobile-phone payment class, social activity share the APP of multiple type such as class and the communication of server end, all can adopt safety moving communication architecture and its implementation of dynamic bidirectional certification of the present invention.As the communication etc. of the communication of Mobile banking and background server end, mobile payment platform and the communication of background server end, social sharing platform and background server end, every communication security is had higher requirements and counterfeit, hacker's fishing need be defendd, the Mobile solution of man-in-the-middle attack all can adopt described mobile communication framework.
Embodiment 1, certain Mobile banking of bank has trusted problematic server side certificate blindly due to user, server end suffers hacker's phishing attack or man-in-the-middle attack, the safety moving communication architecture of the dynamic bidirectional certification described in the present invention now can be used to carry out communication, in the present invention, server end adopts from grant a certificate, its certification authentication flow process is different from common certificate checking flow process, user is there will not be to ignore the situation of dangerous server side certificate prompting, hacker does not have server side certificate private key, just cannot successfully and client terminal connect, also phishing attack is not had, the situation of man-in-the-middle attack occurs.
Embodiment 2, there is counterfeit client terminal in certain application APP, hacker forges a false client terminal quite similar with true APP client terminal, allows user input account number cipher and logs in, thus gains account, the password of user in this application by cheating.The safety moving communication architecture of the dynamic bidirectional certification described in the present invention now can be used to carry out the communication of client terminal server end, even if user has stolen user account, password, there is no the equipment of user, can not get device private, the challenge response process of server end and client terminal can not be successfully completed, thus the account of user can not be used, password carries out harmfulness operation.
In sum, apply the safety moving communication architecture of dynamic bidirectional certification of the present invention, compare to existing mobile communication framework and there is significant progressive: client terminal and the two-way authentication of server end end, SSL security protocol is adopted to carry out communication, ensure that the fail safe of communication data, eliminate exist in common mobile communication framework counterfeit, fishing, man-in-the-middle attack threaten.Server end end adopts from grant a certificate, without the need to third-party institution's application certificate, eliminates loaded down with trivial details certificate request, maintenance process, and provides cost savings to a certain extent; Client terminal certification, without the need to device certificate, provides identity access rights to manage (IAM) by unsymmetrical key to PKI technology, defends hacker's beach assault, phishing attack, malware attacks completely.
The security architecture of the invention and its specific implementation method have been described in detail above, and corresponding implementation examples have been given. Of course, apart from these implementations, the present invention may also have other embodiments, and all technical solutions formed by equivalent replacement or equivalent transformation fall within the scope of protection of the invention. It will be appreciated that the secure mobile communication architecture with dynamic two-way authentication of the present invention is simple to implement while greatly improving the security of communication between the mobile client and the server.

Claims (5)

1. A secure mobile communication architecture with dynamic two-way authentication, characterized in that: the secure mobile communication architecture is realized on the basis of an SSL certificate and an asymmetric key pair between a client and a server, wherein the SSL certificate is issued by the server and hard-coded into the APP developed for the client, and the client verifies the SSL certificate received from the server by matching it against the SSL certificate hard-coded in the APP business program; the asymmetric key pair is a public key and a private key generated on the client and uniquely corresponding to the user registered at the server, wherein the public key is sent over the SSL secure channel and is received and kept only by the server, the private key is stored encrypted and fixed on the client and is never transported over the network, and the server verifies the validity of the private-key signature over the SSL secure channel using the public key.
2. The secure mobile communication architecture with dynamic two-way authentication according to claim 1, characterized in that: the SSL certificate is a self-signed SSL certificate issued by the server and locked (pinned) in the client.
3. The secure mobile communication architecture with dynamic two-way authentication according to claim 1, characterized in that: the SSL certificate is an SSL certificate issued by a third-party institution and used by the server.
4. A secure mobile communication implementation method with dynamic two-way authentication, realized on the basis of the secure mobile communication architecture according to claim 1, characterized in that it comprises the steps:
S01: the server issues an SSL certificate, which is hard-coded into the APP developed for the client; at the same time, when the user registers, the client automatically generates an asymmetric key pair specific to the user and the device, sends the public key of the pair to the server over the SSL secure channel, where it is received and kept, and deletes the public key from the device; the private key of the pair is stored on the client encrypted with a PIN/passcode;
S02: the client sends an authentication request to the server;
S03: the server sends its SSL certificate to the client;
S04: the client checks whether the SSL certificate hard-coded on the device is identical to the SSL certificate received, completing the client's authentication of the server;
S05: the server performs an integrity check on the client APP, and an SSL secure channel is established;
S06: the user enters an ID and PIN on the client, and the private key stored on the device is decrypted;
S07: the server sends a random challenge code to the client over the SSL secure channel;
S08: the client signs the random challenge code with the private key stored on the device and sends the signature value back to the server;
S09: the server verifies the signature value sent by the client with the corresponding stored public key, completing the server's authentication of the client;
S10: the client and the server carry out secure APP business.
5. The secure mobile communication implementation method with dynamic two-way authentication according to claim 1, characterized in that: the implementation method is used for communication between a mobile banking, mobile payment or social sharing platform that needs to defend against hacker phishing and man-in-the-middle attacks and its respective background server.
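The architecture summarized in the description above and the steps S01-S10 of claim 4, as an added example that is not part of the patent: a Go program modelling both sides of the exchange. Everything in it is an assumption made for illustration: the key algorithm is ECDSA P-256 (the patent names none), the server certificate is a constructed byte string standing in for the DER of the self-signed certificate, the user IDs are invented, and there is no network. The PIN encryption of the private key (S01, S06) and the APP integrity check (S05) are left out, the private key is simply held in memory. What remains is the part of the scheme that does the security work: the client accepts a server certificate only if it is byte-for-byte the pinned copy (S04), and the server accepts a user only after a fresh random challenge has been signed with the private key registered for that user (S07-S09), with the challenge consumed so that a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Server holds the DER of its self-signed SSL certificate (claim 2), the public key
// registered for each user ID (claim 1) and each user's outstanding one-time challenge.
type Server struct {
	CertDER []byte
	users   map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewServer(certDER []byte) *Server {
	return &Server{CertDER: certDER, users: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Client: the certificate hard-coded into the APP and the device private key (PIN-encrypted at rest in S01/S06; held in memory here).
type Client struct {
	UserID     string
	pinnedCert []byte
	priv       *ecdsa.PrivateKey
}

// Register is S01: generate the device key pair; only the public key goes to the server (over SSL in the real system).
func Register(srv *Server, pinnedCert []byte, userID string) (*Client, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srv.users[userID] = &priv.PublicKey
	return &Client{UserID: userID, pinnedCert: pinnedCert, priv: priv}, nil
}

// CheckServerCert is S04: exact match against the pinned copy; no CA chain, no "accept anyway" prompt.
func CheckServerCert(pinned, presented []byte) bool {
	return subtle.ConstantTimeCompare(pinned, presented) == 1
}

// Challenge is S07: a fresh 32-byte random value for one login attempt.
func (s *Server) Challenge(userID string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.pending[userID] = ch
	return ch, nil
}

// Respond is S08: sign SHA-256(challenge) with the device private key.
func (c *Client) Respond(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// Verify is S09. The pending challenge is deleted before checking, so a captured signature cannot be replayed.
func (s *Server) Verify(userID string, sig []byte) bool {
	pub, ok := s.users[userID]
	ch, pend := s.pending[userID]
	delete(s.pending, userID)
	if !ok || !pend {
		return false
	}
	h := sha256.Sum256(ch)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Login runs S02-S09 end to end; presentedCert is whatever the network peer offered.
func Login(srv *Server, c *Client, presentedCert []byte) error {
	if !CheckServerCert(c.pinnedCert, presentedCert) {
		return errors.New("server certificate does not match the pinned certificate")
	}
	ch, err := srv.Challenge(c.UserID)
	if err != nil {
		return err
	}
	sig, err := c.Respond(ch)
	if err != nil {
		return err
	}
	if !srv.Verify(c.UserID, sig) {
		return errors.New("client signature rejected")
	}
	return nil
}

func main() {
	cert := []byte("constructed stand-in for the self-signed certificate DER")
	srv := NewServer(cert)
	alice, _ := Register(srv, cert, "alice")
	fmt.Println("genuine server:", Login(srv, alice, cert))
	fmt.Println("man-in-the-middle:", Login(srv, alice, []byte("attacker certificate")))
}
```

Two points the claims leave implicit. The byte comparison in CheckServerCert establishes which certificate the peer presented, not that the peer holds its private key; that proof comes from the SSL handshake itself, so the comparison has to be applied to the certificate the SSL library actually negotiated (for instance in its certificate-verification callback) rather than to a copy fetched separately, and because the copy is hard-coded, rotating the server certificate means shipping a new APP. On the server side, Verify removes the pending challenge before checking the signature, so the same signature presented twice, or a signature made with any key other than the one registered at S01, is rejected.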
CN201510782319.9A 2015-11-16 2015-11-16 Secure mobile communication system with dynamic two-way authentication and implementation method thereof Active CN105337977B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510782319.9A CN105337977B (en) 2015-11-16 2015-11-16 Secure mobile communication system with dynamic two-way authentication and implementation method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510782319.9A CN105337977B (en) 2015-11-16 2015-11-16 Secure mobile communication system with dynamic two-way authentication and implementation method thereof

Publications (2)

Publication Number Publication Date
CN105337977A true CN105337977A (en) 2016-02-17
CN105337977B CN105337977B (en) 2019-01-25

Family

ID=55288260

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510782319.9A Active CN105337977B (en) 2015-11-16 2015-11-16 Secure mobile communication system with dynamic two-way authentication and implementation method thereof

Country Status (1)

Country Link
CN (1) CN105337977B (en)

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106534086A (en) * 2016-10-31 2017-03-22 深圳数字电视国家工程实验室股份有限公司 Device authentication method and system, terminal device and server
WO2017177866A1 (en) * 2016-04-11 2017-10-19 Huawei Technologies Co., Ltd. Activation of mobile devices in enterprise mobile management
CN107481357A (en) * 2017-07-10 2017-12-15 广东工业大学 Access control security authentication method based on certificate pinning and dynamic keys
CN107547205A (en) * 2017-07-01 2018-01-05 郑州云海信息技术有限公司 Method for automatically setting up a CA server on a Linux system
CN107948186A (en) * 2017-12-13 2018-04-20 山东浪潮商用系统有限公司 Security authentication method and device
CN108156162A (en) * 2017-12-27 2018-06-12 中国电子产品可靠性与环境试验研究所 Authentication method and device for mobile applications
WO2018119852A1 (en) * 2016-12-29 2018-07-05 Gemalto Smart Cards Technology Co., Ltd. Method for mutual authentication between device and secure element
CN109063490A (en) * 2018-08-31 2018-12-21 北京梆梆安全科技有限公司 Method, device and equipment for detecting host name vulnerabilities
CN109257365A (en) * 2018-10-12 2019-01-22 深信服科技股份有限公司 Information processing method, device, equipment and storage medium
CN109359977A (en) * 2018-09-10 2019-02-19 平安科技(深圳)有限公司 Network communication method, device, computer equipment and storage medium
CN109361681A (en) * 2018-11-12 2019-02-19 北京天融信网络安全技术有限公司 National cryptographic standard certificate authentication method, device and equipment
CN109413076A (en) * 2018-11-06 2019-03-01 北京奇虎科技有限公司 Domain name resolution method and device
CN109495445A (en) * 2018-09-30 2019-03-19 青岛海尔科技有限公司 Identity authentication method, device, terminal, server and medium based on the Internet of Things
CN109634760A (en) * 2018-12-13 2019-04-16 上海阔地教育科技有限公司 Data communication method and system based on a Web end and an App end
CN109993858A (en) * 2017-12-29 2019-07-09 国民技术股份有限公司 Unlocking authentication method, smart lock and server
CN111080922A (en) * 2019-12-27 2020-04-28 吉林大学珠海学院 Intelligent key cabinet management system and implementation method thereof
CN111770092A (en) * 2020-06-29 2020-10-13 华中科技大学 Network security architecture and secure communication method and system for a numerical control system
CN111815813A (en) * 2020-06-22 2020-10-23 北京智辉空间科技有限责任公司 Electronic lock security system
CN112363968A (en) * 2020-10-29 2021-02-12 北京新风航天装备有限公司 Improved communication method for a USB interface
CN114666132A (en) * 2022-03-22 2022-06-24 深圳供电局有限公司 Method for application-layer encryption and authentication based on the TCP/IP protocol
CN115348078A (en) * 2022-08-12 2022-11-15 广东岭南通股份有限公司 Method for preventing APP eavesdropping based on verification of a signing certificate, electronic device and storage medium
CN118413401A (en) * 2024-07-02 2024-07-30 浙江云针信息科技有限公司 Terminal communication method, system, computer device and computer readable storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101170413A (en) * 2007-12-06 2008-04-30 华为技术有限公司 Method and device for obtaining and distributing a digital certificate and its private key
CN101770619A (en) * 2008-12-31 2010-07-07 中国银联股份有限公司 Multi-factor authentication method and authentication system for online payment
CN102404115A (en) * 2010-09-16 2012-04-04 林新格 Method and system for two-way security authentication between a mobile phone and a server in a WAP (Wireless Application Protocol) mobile banking system using an SD (Secure Digital) card
CN104023085A (en) * 2014-06-25 2014-09-03 武汉大学 Secure cloud storage system based on incremental synchronization
WO2014175642A1 (en) * 2013-04-26 2014-10-30 Chung Hyun Cheol Identity authentication system capable of non-repudiation and method for providing same
CN104394170A (en) * 2014-12-11 2015-03-04 大唐微电子技术有限公司 Secure account use method, security device, server and system
CN104573554A (en) * 2014-12-30 2015-04-29 北京奇虎科技有限公司 Method for loading secure key storage hardware, and browser client device
CN104618307A (en) * 2013-11-04 2015-05-13 航天信息股份有限公司 Online banking transaction authentication system based on a trusted computing platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
程宇贤 (Cheng Yuxian): "Research on the security of identity authentication systems for online banking", China Master's Theses Full-text Database, Information Science and Technology series *

Also Published As

Publication number Publication date
CN105337977B (en) 2019-01-25

Similar Documents

Publication Publication Date Title
CN105337977A (en) Secure mobile communication architecture with dynamic two-way authentication and implementation method thereof
US12041187B2 (en) Transaction verification through enhanced authentication
US11102191B2 (en) Enabling single sign-on authentication for accessing protected network services
EP3318003B1 (en) Confidential authentication and provisioning
US9350548B2 (en) Two factor authentication using a protected pin-like passcode
Naik et al. Cyber security—iot
TWI512524B (en) System and method for identifying users
WO2019020051A1 (en) METHOD AND APPARATUS FOR SECURITY AUTHENTICATION
US20150195280A1 (en) Authentication system and authentication method
US9628459B2 (en) Secure data transmission using multi-channel communication
US8397281B2 (en) Service assisted secret provisioning
JP2016502377A (en) Method for providing security using secure computation
KR102838446B1 (en) Private Key Cloud Storage
CN105072110A (en) Two-factor remote identity authentication method based on smart card
CN105656862A (en) Authentication method and device
WO2014015759A1 (en) Terminal identity verification and service authentication method, system, and terminal
CN103701787A (en) User name password authentication method implemented on basis of public key algorithm
CN109272314B (en) A secure communication method and system based on two-party collaborative signature calculation
GB2522445A (en) Secure mobile wireless communications platform
CN109522689A (en) Multiple-factor strong identity authentication method under mobile office environment
CN108900595B (en) Method, apparatus, device and computing medium for accessing cloud storage server data
CN104811421A (en) Secure communication method and secure communication device based on digital rights management
CN103532961A (en) Method and system for authenticating identity of power grid website based on trusted crypto modules
CN110572392A (en) Identity authentication method based on HyperLegger network
WO2013152653A1 (en) Air interface security method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 5th floor, Building 6, Tengfei Innovation Park, No. 388 Xinping Street, Suzhou Industrial Park, Jiangsu Province 215123

Applicant after: JIANGSU PAYEGIS TECHNOLOGY CO., LTD.

Address before: 5F, Building 6, Tengfei Innovation Park, No. 388 Xinping Street, Suzhou Industrial Park, Jiangsu Province 215123

Applicant before: Suzhou PayEgis Information Technology Co., Ltd.

COR Change of bibliographic data
CB02 Change of applicant information

Address after: 215123 Room 3F301, C2 Building, Suzhou 2.5 Industrial Park, 88 Dongchang Road, Suzhou Industrial Park, Jiangsu Province

Applicant after: JIANGSU PAYEGIS TECHNOLOGY CO., LTD.

Address before: 5th floor, Building 6, Tengfei Innovation Park, No. 388 Xinping Street, Suzhou Industrial Park, Jiangsu Province 215123

Applicant before: JIANGSU PAYEGIS TECHNOLOGY CO., LTD.

CB02 Change of applicant information
GR01 Patent grant