CN100576796C - System and method for secure identity authentication in online banking system - Google Patents
- Publication number
- CN100576796C, CN200710120049A
- Authority
- CN
- China
- Prior art keywords
- dynamic password
- client terminal
- terminal device
- coordinates
- security
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
The invention discloses a method for secure identity authentication in an online banking system, comprising: a service providing device returns the first dynamic password coordinates to a client terminal device; the client terminal device inputs the first dynamic password to a security service device; the security service device judges whether the first dynamic password is correct and, if it is, sends first dynamic password verification pass information to the service providing device; on receiving that information, the service providing device returns the second dynamic password coordinates to the client terminal device, and the client terminal device inputs the second dynamic password to the security service device; the security service device judges whether the second dynamic password input by the client terminal device is correct and, if it is, sends secure identity authentication pass information to the client terminal device. The invention also discloses a system for secure identity authentication in an online banking system. The invention improves the security of the online banking system.
Description
Technical field
The invention relates to the technical field of identity authentication in information systems, and in particular to a system and method for secure identity authentication in an online banking system.
Background
With the rapid development of online banking, customers demand ever higher security for online banking transactions. There are many ways to improve the security of online banking transactions, and the dynamic password card is one of the more commonly used.
As shown in Figure 1, which is a schematic diagram of a current dynamic password card, a dynamic password card is equivalent to a dynamic online banking password. A number of character strings are printed on the card in the form of a matrix. When a customer uses online banking for payment transactions such as outgoing transfers, B2C shopping or bill payment, the online banking system generally gives two password card coordinates at random, for example A1 and B2, where A1 corresponds to "223" and B2 corresponds to "334". The customer looks up the password combination "223" and "334" on the card according to coordinates A1 and B2 and enters it into the online banking system. Only when both "223" and "334" are entered correctly can the customer complete the transaction.
This password combination changes dynamically: the password the user enters is different each time and becomes invalid once the transaction ends, which prevents criminals from stealing funds by stealing a customer's static password and safeguards online banking.
With the growing popularity of dynamic password cards and the continued development of network technology, some criminals now exploit weaknesses such as customers' weak security awareness and unfamiliarity with bank payment procedures, using fake websites and similar means to trick customers into giving up dynamic password card information, which puts customer funds at risk. The current dynamic password card implementation faces the following risks:
(1) Attack by continuously refreshing the password card coordinates. The criminal first uses a fake website to obtain the customer's online banking login card number, login password and several sets of dynamic password coordinate values, then keeps refreshing the dynamic password coordinates on the real website until coordinates appear that match the fraudulently obtained values, and then enters those values into the customer's online banking account, achieving an illegal attack on the account. For example, after the customer logs in to the fake website, the customer can be made to enter the values for the two coordinates A1 and B2; the criminal then logs in to the real website (on the premise that the criminal has already obtained the customer's login card number and login password) and keeps refreshing the coordinates until the page asks for coordinates A1 and B2, and then enters the fraudulently obtained values for A1 and B2 into the online banking system.
(2) Man-in-the-middle website attack. The criminal sets up a fake e-commerce website and lures customers to it. After stealing the customer's online banking login password, the criminal logs in to the customer's online banking to obtain the current set of dynamic password coordinates (for example A1, B2), places those coordinates on the fraudulent website and asks the customer to enter the corresponding password card values (that is, the dynamic password coordinate values). Having obtained the values the customer entered, the criminal immediately operates the customer's online banking to make a transfer within a short time, causing the customer a loss.
The current way of performing secure identity authentication with a dynamic password card is therefore in urgent need of improvement.
Summary of the invention
(1) Technical problem to be solved
In view of this, one object of the invention is to provide a system for secure identity authentication in an online banking system, so as to overcome the low security of identity authentication with the current dynamic password card approach and improve the security of the online banking system.
Another object of the invention is to provide a method for secure identity authentication in an online banking system, so as to overcome the low security of identity authentication with the current dynamic password card approach and improve the security of the online banking system.
(2) Technical solution
To achieve the first object, the invention provides a system for secure identity authentication in an online banking system, the system comprising at least:
a data management device, for running a database management system, storing online banking dynamic password card security data and authentication information, and managing customer access after authentication passes;
a service providing device, for obtaining the first dynamic password coordinates from the data management device according to a transaction request received from the client terminal device and returning them to the client terminal device; and, after receiving the first dynamic password verification pass information input by the security service device, obtaining the second dynamic password coordinates from the data management device and returning them to the client terminal device;
a security service device, for receiving the first dynamic password and the second dynamic password input by the client terminal device, judging whether the time taken by the client terminal device to input the first dynamic password and the second dynamic password has timed out, judging whether the first dynamic password and the second dynamic password are correct according to the dynamic passwords obtained from the data management device, sending first dynamic password verification pass information to the service providing device when the first dynamic password is confirmed correct, and sending secure identity authentication pass information to the client terminal device when the second dynamic password is confirmed correct;
a network security device, for protecting the security of the enterprise's internal network and preventing illegal users on the public network from accessing and attacking the internal network;
a client terminal device, for connecting to the service providing device or the security service device through the network security device, realizing interaction between the service providing device or the security service device and the client.
In the above solution, the data management device, the service providing device and the security service device are connected to the network security device through an internal network;
the internal network is Ethernet, or the local area network Fiber Distributed Data Interface (FDDI) or Token-Ring, and is used for communication among the data management device, the service providing device and the security service device.
In the above solution, the network security device is a firewall and is connected to the client terminal device through a public network; the public network is the Internet or an enterprise extranet.
In the above solution, while returning the obtained first dynamic password coordinates to the client terminal device, the service providing device is further used to send a timing start message to the security service device. The security service device starts timing on receiving this message. If the timer reaches the preset validity time of the first dynamic password coordinates and the client terminal device has still not input the first dynamic password, or the first dynamic password it input is still wrong, the security service device prompts the client terminal device that the transaction has timed out and sends an instruction to the service providing device, instructing it to send new first dynamic password coordinates to the client terminal device, the new first dynamic password coordinates being different from the previous first dynamic password coordinates. The service providing device obtains the new first dynamic password coordinates from the data management device according to the received instruction and returns them to the client terminal device. If, within the preset validity time of the new first dynamic password coordinates, the security service device receives the correct first dynamic password input by the client terminal device, it sends first dynamic password verification pass information to the service providing device.
In the above solution, the security service device is further used to set a threshold for the number of times the client terminal device may input the first dynamic password to the security service device. If the security service device judges that the first dynamic password input by the client terminal device is incorrect, the client terminal device is allowed to input the first dynamic password the number of times specified by the threshold; if the number of incorrect inputs reaches the number specified by the threshold, the customer's online banking transaction permission is locked for that day and automatically unlocked the next day.
In the above solution, while returning the obtained second dynamic password coordinates to the client terminal device, the service providing device is further used to send a timing start message to the security service device. The security service device starts timing on receiving this message. If the timer reaches the preset validity time of the second dynamic password coordinates and the client terminal device has still not input the second dynamic password, or the second dynamic password it input is still wrong, the security service device prompts the client terminal device that the transaction has timed out and sends an instruction to the service providing device, instructing it to send new first dynamic password coordinates to the client terminal device, the new first dynamic password coordinates being different from the previous first dynamic password coordinates. The service providing device obtains the new first dynamic password coordinates from the data management device according to the received instruction and returns them to the client terminal device. If, within the preset validity time of the second dynamic password coordinates, the security service device receives the correct second dynamic password input by the client terminal device, it sends secure identity authentication pass information to the client terminal device.
In the above solution, the security service device is further used to set a threshold for the number of times the client terminal device may input the second dynamic password to the security service device. If the security service device judges that the second dynamic password input by the client terminal device is incorrect, the client terminal device is allowed to input the second dynamic password the number of times specified by the threshold; if the number of incorrect inputs reaches the number specified by the threshold, the customer's online banking transaction permission is locked for that day and automatically unlocked the next day.
To achieve the other object, the invention provides a method for secure identity authentication in an online banking system, applied to a system for secure identity authentication in an online banking system that comprises at least a data management device, a service providing device, a security service device and a client terminal device, the method comprising:
A. The client terminal device sends a transaction request to the service providing device, and the service providing device obtains the first dynamic password coordinates from the data management device according to the received transaction request;
B. The service providing device returns the obtained first dynamic password coordinates to the client terminal device, and the client terminal device inputs the first dynamic password to the security service device according to the received first dynamic password coordinates;
C. The security service device judges whether the first dynamic password input by the client terminal device is correct and, if it is, sends first dynamic password verification pass information to the service providing device;
D. On receiving the first dynamic password verification pass information, the service providing device obtains the second dynamic password coordinates from the data management device and returns them to the client terminal device;
E. The client terminal device inputs the second dynamic password to the security service device according to the received second dynamic password coordinates;
F. The security service device judges whether the second dynamic password input by the client terminal device is correct and, if it is, sends secure identity authentication pass information to the client terminal device.
In the above solution, a validity time for the first dynamic password coordinates is preset, and in step B the service providing device, while returning the obtained first dynamic password coordinates to the client terminal device, further sends a timing start message to the security service device. The method further comprises: the security service device starts timing on receiving the timing start message; if the timer reaches the preset validity time of the first dynamic password coordinates and the client terminal device has still not input the first dynamic password, or the first dynamic password it input is still wrong, the security service device prompts the client terminal device that the transaction has timed out and sends an instruction to the service providing device, instructing it to send new first dynamic password coordinates to the client terminal device, the new first dynamic password coordinates being different from the previous first dynamic password coordinates; the service providing device obtains the new first dynamic password coordinates from the data management device according to the received instruction and proceeds to step B. If, within the preset validity time of the new first dynamic password coordinates, the security service device receives the correct first dynamic password input by the client terminal device, the sending of first dynamic password verification pass information to the service providing device described in step C is performed.
In the above solution, a threshold is further set for the number of times the client terminal device may input the first dynamic password to the security service device. If in step C the security service device judges that the first dynamic password input by the client terminal device is incorrect, the client terminal device is allowed to input the first dynamic password the number of times specified by the threshold; if the number of incorrect inputs reaches the number specified by the threshold, the customer's online banking transaction permission is locked for that day and automatically unlocked the next day.
In the above solution, a validity time for the second dynamic password coordinates is preset, and in step D the service providing device, while returning the obtained second dynamic password coordinates to the client terminal device, further sends a timing start message to the security service device. The method further comprises: the security service device starts timing on receiving the timing start message; if the timer reaches the preset validity time of the second dynamic password coordinates and the client terminal device has still not input the second dynamic password, or the second dynamic password it input is still wrong, the security service device prompts the client terminal device that the transaction has timed out and sends an instruction to the service providing device, instructing it to send new first dynamic password coordinates to the client terminal device, the new first dynamic password coordinates being different from the previous first dynamic password coordinates; the service providing device obtains the new first dynamic password coordinates from the data management device according to the received instruction and proceeds to step B. If, within the preset validity time of the second dynamic password coordinates, the security service device receives the correct second dynamic password input by the client terminal device, the sending of secure identity authentication pass information to the client terminal device described in step F is performed.
In the above solution, a threshold is further set for the number of times the client terminal device may input the second dynamic password to the security service device. If in step F the security service device judges that the second dynamic password input by the client terminal device is incorrect, the client terminal device is allowed to input the second dynamic password the number of times specified by the threshold; if the number of incorrect inputs reaches the number specified by the threshold, the customer's online banking transaction permission is locked for that day and automatically unlocked the next day.
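The flow of steps A to F, together with the validity timer and the daily lockout described above, can be modelled as a small server-side state machine. The following Python sketch is an added example, not code from the patent; the class name, the status strings, the 120-second window, the three-failure threshold, the per-day failure counter and the rule that the second coordinate differs from the first are assumptions of this example.

```python
import hmac
import secrets
import time
from datetime import date

# Constructed sample card. A1 and B2 carry the values used in the background
# section; the other cells are made up for this example.
SAMPLE_CARD = {"A1": "223", "B2": "334", "C3": "515", "D4": "908", "E5": "127"}


class TwoStageVerifier:
    """One customer's challenge state. Combines the roles of the service
    providing device (issues coordinates) and the security service device
    (timer, comparison, lockout). All names here are hypothetical."""

    def __init__(self, card, ttl=120.0, max_failures=3,
                 clock=time.monotonic, today=date.today, pick=secrets.choice):
        self.card, self.ttl, self.max_failures = card, ttl, max_failures
        self.clock, self.today, self.pick = clock, today, pick
        self.stage = 0            # 0 idle, 1 first challenge, 2 second challenge
        self.coord = None         # coordinate currently being challenged
        self.first_coord = None   # most recent first-challenge coordinate
        self.issued_at = 0.0
        self.failures = {1: 0, 2: 0}   # assumption: counted per stage, per day
        self.fail_day = None
        self.locked_on = None     # day of the lock; clears when the day changes

    def _issue(self, stage, exclude):
        options = [c for c in sorted(self.card) if c not in exclude]
        self.coord = self.pick(options)
        self.stage, self.issued_at = stage, self.clock()   # timing start message
        if stage == 1:
            self.first_coord = self.coord
        return self.coord

    def _locked(self):
        return self.locked_on is not None and self.locked_on == self.today()

    def begin(self):
        """Steps A-B. A new request (or a page refresh) always restarts at the
        first challenge, so the second coordinate cannot be re-rolled alone."""
        if self._locked():
            return None
        return self._issue(1, {self.first_coord})

    def submit(self, value):
        """Steps C-F. Returns LOCKED, NO_CHALLENGE, TIMEOUT, RETRY, SECOND or
        AUTHENTICATED; the coordinate to answer next is in self.coord."""
        if self._locked():
            return "LOCKED"
        if self.stage == 0:
            return "NO_CHALLENGE"
        if self.clock() - self.issued_at >= self.ttl:
            # Timeout in either stage: back to a new, different first coordinate.
            self._issue(1, {self.first_coord})
            return "TIMEOUT"
        if self.fail_day != self.today():
            self.fail_day, self.failures = self.today(), {1: 0, 2: 0}
        expected = self.card[self.coord]
        if not hmac.compare_digest(value.encode(), expected.encode()):
            self.failures[self.stage] += 1
            if self.failures[self.stage] >= self.max_failures:
                self.locked_on, self.stage, self.coord = self.today(), 0, None
                return "LOCKED"
            return "RETRY"
        if self.stage == 1:
            # First password verified: only now is a second coordinate chosen.
            self._issue(2, {self.first_coord})
            return "SECOND"
        self.stage, self.coord = 0, None
        return "AUTHENTICATED"
```

The `clock`, `today` and `pick` parameters exist so the timer, the day rollover and the coordinate choice can be driven deterministically in tests; in production use the defaults.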
(3) Beneficial effects
As can be seen from the above technical solution, the invention has the following beneficial effects:
1. The system and method for secure identity authentication in an online banking system provided by the invention, building on an in-depth study of the current dynamic password card implementation, improve that implementation by adopting a two-challenge approach, which avoids the continuous coordinate refresh attack and the man-in-the-middle website attack and greatly improves the security of online banking.
2. The system and method for secure identity authentication in an online banking system provided by the invention can defend against the continuous coordinate refresh attack, effectively improving the security of dynamic password card use. Under the invention, refreshing the password card coordinates does increase the probability that a desired coordinate appears in the first challenge, but once the first challenge coordinate has been answered correctly, a hacker cannot obtain another desired coordinate by refreshing. If the coordinates of the second challenge are not among those the hacker holds, the hacker cannot complete the transaction within the validity time of the second password card coordinates; after the timeout, another two-challenge process starts over.
3. The system and method for secure identity authentication in an online banking system provided by the invention can defend against the man-in-the-middle website attack, effectively improving the security of dynamic password card use. The attack method hackers currently use is to contact the customer while posing as website customer service. When the customer opens the payment page containing password card coordinates on the fraudulent website, the correct coordinates are usually not displayed immediately; after obtaining the information, the "customer service agent" modifies the site's password card coordinates and asks the customer to refresh the payment page, tricking the user into entering the values and intercepting them. The two-challenge scheme provided by the invention requires a second challenge response, which adds complexity: within a very short time (generally 2 minutes) the "customer service agent" of the fraudulent website must intercept the password card value entered by the customer, obtain the coordinates of the second challenge, change the fraudulent web page, trick the customer into entering again, and obtain and enter the second challenge password before a transaction can be completed. This is difficult to accomplish manually, so the threat is relatively small.
4. The system and method for secure identity authentication in an online banking system provided by the invention are inexpensive to retrofit into current online banking systems and highly compatible; no major change to the existing single-challenge dynamic password card implementation is needed, so the implementation cost is low.
5. The system and method for secure identity authentication in an online banking system provided by the invention do not require the password card medium to be redesigned; the single-challenge dynamic password card medium can be used as is, compatibly with existing single-challenge dynamic password cards.
Brief description of the drawings
Fig. 1 is a schematic diagram of a current dynamic password card;
Fig. 2 is a structural block diagram of the system for secure identity authentication in an online banking system provided by the invention;
Fig. 3 is a flow chart of the method for secure identity authentication in an online banking system provided by the invention;
Fig. 4 is a flow chart of the method for secure identity authentication in an online banking system according to an embodiment of the invention;
Fig. 5 is a schematic diagram of the interface at step 408 in Fig. 4.
Detailed description
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
Based on an in-depth study of how dynamic password cards are currently implemented, the present invention improves the current implementation by adopting a two-challenge approach, which avoids the continuous password card coordinate refresh attack and the man-in-the-middle website attack and greatly improves the security of online banking.
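As shown in Fig. 2, which is a structural block diagram of the system for secure identity authentication in an online banking system provided by the present invention, the system includes a data management device 1, a service providing device 2, a security service device 3, a network security device 4 and a client terminal device 5.
The data management device 1 runs the database management system, stores the security data and authentication information of the online banking dynamic password cards, and is responsible for managing customer access after authentication succeeds. The data management device 1 may be a PC server or a host; the online banking dynamic password card security data and authentication information it stores include at least the card number, the card coordinate index and the card coordinate value of each dynamic password card.
The service providing device 2 obtains the first dynamic password coordinates from the data management device 1 according to the transaction request received from the client terminal device 5 and returns them to the client terminal device 5. After receiving the first-dynamic-password verification passed message from the security service device 3, it obtains the second dynamic password coordinates from the data management device 1 and returns them to the client terminal device 5. The service providing device 2 may be a web application server that interacts with the customer.
The security service device 3 receives the first dynamic password and the second dynamic password entered from the client terminal device 5, determines whether the time taken by the client terminal device 5 to enter the first and second dynamic passwords has exceeded the time limit, and determines, based on the dynamic passwords obtained from the data management device 1, whether the first and second dynamic passwords are correct. When it confirms that the first dynamic password is correct, it sends a first-dynamic-password verification passed message to the service providing device 2; when it confirms that the second dynamic password is correct, it sends a secure identity authentication passed message to the client terminal device 5. The security service device 3 may be a security authentication server that determines whether the dynamic password entered by the customer is correct.
The network security device 4 protects the security of the enterprise's internal network and prevents illegitimate users on the public network from accessing and attacking the internal network.
The client terminal device 5 connects to the service providing device 2 or the security service device 3 through the network security device 4, enabling interaction between the service providing device 2 or the security service device 3 and the client.
The data management device, the service providing device and the security service device are connected to the network security device through the internal network. The internal network may be Ethernet, or a local area network such as Fiber Distributed Data Interface (FDDI) or Token Ring, and carries the communication among the data management device, the service providing device and the security service device.
The network security device is a firewall and is connected to the client terminal device through a public network. The public network may be the Internet, an enterprise extranet, or the like.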
While returning the obtained first dynamic password coordinates to the client terminal device, the service providing device also sends a timing start message to the security service device, and the security service device starts timing when it receives this message. If the timer reaches the preset validity time of the first dynamic password coordinates and the client terminal device has still not entered the first dynamic password, or the first dynamic password it entered is still wrong, the security service device prompts the client terminal device that the transaction has timed out and sends an instruction to the service providing device, instructing it to send new first dynamic password coordinates to the client terminal device; these new coordinates differ from the previous first dynamic password coordinates. On receiving the instruction, the service providing device obtains the new first dynamic password coordinates from the data management device and returns them to the client terminal device. If, within the preset validity time of the new first dynamic password coordinates, the security service device receives the correct first dynamic password from the client terminal device, it sends the first-dynamic-password verification passed message to the service providing device.
The security service device is further used to set a threshold for the number of times the client terminal device may enter the first dynamic password. If the security service device determines that the first dynamic password entered by the client terminal device is incorrect, the client terminal device is allowed to enter the first dynamic password the number of times specified by the threshold; if the number of incorrect entries reaches that number, the customer's online banking transaction permission is locked for the day and is unlocked automatically the next day.
While returning the obtained second dynamic password coordinates to the client terminal device, the service providing device also sends a timing start message to the security service device, and the security service device starts timing when it receives this message. If the timer reaches the preset validity time of the second dynamic password coordinates and the client terminal device has still not entered the second dynamic password, or the second dynamic password it entered is still wrong, the security service device prompts the client terminal device that the transaction has timed out and sends an instruction to the service providing device, instructing it to send new second dynamic password coordinates to the client terminal device; these new coordinates differ from the previous second dynamic password coordinates. On receiving the instruction, the service providing device obtains the new second dynamic password coordinates from the data management device and returns them to the client terminal device. If, within the preset validity time of the new second dynamic password coordinates, the security service device receives the correct second dynamic password from the client terminal device, it sends the secure identity authentication passed message to the client terminal device.
The security service device is further used to set a threshold for the number of times the client terminal device may enter the second dynamic password. If the security service device determines that the second dynamic password entered by the client terminal device is incorrect, the client terminal device is allowed to enter the second dynamic password the number of times specified by the threshold; if the number of incorrect entries reaches that number, the customer's online banking transaction permission is locked for the day and is unlocked automatically the next day.
Based on the structural block diagram of the system shown in Fig. 2, the method for secure identity authentication in an online banking system provided by the present invention is described in detail below with reference to Fig. 3.
As shown in Fig. 3, which is a flowchart of the method for secure identity authentication in an online banking system provided by the present invention, the method includes the following steps:
Step 301: The client terminal device sends a transaction request to the service providing device, and the service providing device obtains the first dynamic password coordinates from the data management device according to the received transaction request;
Step 302: The service providing device returns the obtained first dynamic password coordinates to the client terminal device, and the client terminal device enters the first dynamic password to the security service device according to the received first dynamic password coordinates;
Step 303: The security service device determines whether the first dynamic password entered by the client terminal device is correct and, if it is, sends the first-dynamic-password verification passed message to the service providing device;
Step 304: On receiving the first-dynamic-password verification passed message, the service providing device obtains the second dynamic password coordinates from the data management device and returns them to the client terminal device;
Step 305: The client terminal device enters the second dynamic password to the security service device according to the received second dynamic password coordinates;
Step 306: The security service device determines whether the second dynamic password entered by the client terminal device is correct and, if it is, sends the secure identity authentication passed message to the client terminal device.
In the method shown in Fig. 3, the present invention may also preset a validity time for the first dynamic password coordinates. In that case, in step 302, while returning the obtained first dynamic password coordinates to the client terminal device, the service providing device also sends a timing start message to the security service device, and the method further includes the following. The security service device starts timing when it receives the timing start message. If the timer reaches the preset validity time of the first dynamic password coordinates and the client terminal device has still not entered the first dynamic password, or the first dynamic password it entered is still wrong, the security service device prompts the client terminal device that the transaction has timed out and sends an instruction to the service providing device, instructing it to send new first dynamic password coordinates to the client terminal device; these new coordinates differ from the previous first dynamic password coordinates. On receiving the instruction, the service providing device obtains the new first dynamic password coordinates from the data management device and returns to step 302. If, within the preset validity time of the first dynamic password coordinates, the security service device receives the correct first dynamic password from the client terminal device, it sends the first-dynamic-password verification passed message to the service providing device as described in step 303.
In the method shown in Fig. 3, or in the variant above that presets a validity time for the first dynamic password coordinates, the present invention may further set a threshold for the number of times the client terminal device may enter the first dynamic password to the security service device. If in step 303 the security service device determines that the first dynamic password entered by the client terminal device is incorrect, the client terminal device is allowed to enter the first dynamic password the number of times specified by the threshold; if the number of incorrect entries reaches that number, the customer's online banking transaction permission is locked for the day and is unlocked automatically the next day.
In the method shown in Fig. 3, the present invention may also preset a validity time for the second dynamic password coordinates. In step 304, while returning the obtained second dynamic password coordinates to the client terminal device, the service providing device also sends a timing start message to the security service device, and the method further includes the following. The security service device starts timing when it receives the timing start message. If the timer reaches the preset validity time of the second dynamic password coordinates and the client terminal device has still not entered the second dynamic password, or the second dynamic password it entered is still wrong, the security service device prompts the client terminal device that the transaction has timed out and sends an instruction to the service providing device, instructing it to send new second dynamic password coordinates to the client terminal device. On receiving the instruction, the service providing device obtains the new second dynamic password coordinates from the data management device and returns to step 302. If, within the preset validity time of the new second dynamic password coordinates, the security service device receives the correct second dynamic password from the client terminal device, it sends the secure identity authentication passed message to the client terminal device as described in step 306.
In the method shown in Fig. 3, or in the variant above that presets a validity time for the second dynamic password coordinates, the present invention may further set a threshold for the number of times the client terminal device may enter the second dynamic password to the security service device. If in step 306 the security service device determines that the second dynamic password entered by the client terminal device is incorrect, the client terminal device is allowed to enter the second dynamic password the number of times specified by the threshold; if the number of incorrect entries reaches that number, the customer's online banking transaction permission is locked for the day and is unlocked automatically the next day.
Based on the flowchart of the method described in Fig. 3, the method of the present invention for secure identity authentication in an online banking system is described in further detail below with reference to a specific embodiment.
Embodiment
In this embodiment, taking a base station sending a received IP data packet as an example, the detailed method and steps by which the base station obtains the wireless station management connection identifier are further described with reference to the accompanying drawings.
As shown in Fig. 4, which is a flowchart of a method for secure identity authentication in an online banking system according to an embodiment of the present invention, the method includes the following steps:
Step 400: The client terminal device sends a transaction request to the service providing device, and the service providing device receives the transaction request from the client terminal device;
Step 401: The service providing device performs a legitimacy check and, if the check passes, sends the page to the client terminal device for display;
Step 402: The client terminal device displays the page and prompts the customer to enter the payment card number;
Step 403: The service providing device checks, according to the payment card number entered by the customer, whether the customer is an online banking customer and what type of customer it is;
Step 404: The service providing device confirms that the customer is a dynamic password card customer, obtains the first dynamic password coordinates from the data management device according to the received transaction request, and returns them to the client terminal device;
Step 405: The client terminal device prompts the customer to enter the value at the first dynamic password coordinates. After the customer enters it, the client terminal device submits the entered value to the security service device. If the customer does not enter it within the specified time, the security service device determines that a timeout has occurred and sends an instruction to the service providing device, instructing it to send new first dynamic password coordinates to the client terminal device; on receiving the instruction, the service providing device again obtains new first dynamic password coordinates from the data management device, returns them to the client terminal device, and step 405 is executed again. If the customer enters the first dynamic password within the specified time, step 406 is executed;
Step 406: The security service device determines whether the first dynamic password entered by the client terminal device is correct. If it is, it sends the first-dynamic-password verification passed message to the service providing device and step 407 is executed. Otherwise, it sends an instruction to the service providing device, instructing it to send the first dynamic password coordinates to the client terminal device again; on receiving the instruction, the service providing device again obtains the first dynamic password coordinates from the data management device, returns them to the client terminal device, and step 405 is executed again;
Step 407: On receiving the first-dynamic-password verification passed message, the service providing device obtains the second dynamic password coordinates from the data management device and returns them to the client terminal device;
Step 408: The client terminal device prompts the customer to enter the value at the second dynamic password coordinates within the specified time and submits it to the security service device. If the customer does not enter it within the specified time, the security service device determines that a timeout has occurred and sends an instruction to the service providing device, instructing it to send new second dynamic password coordinates to the client terminal device; on receiving the instruction, the service providing device again obtains new second dynamic password coordinates from the data management device, returns them to the client terminal device, and step 405 is executed again. If the customer enters the second dynamic password within the specified time, step 409 is executed;
Step 409: The security service device determines whether the second dynamic password entered by the client terminal device is correct. If it is, it sends the secure identity authentication passed message to the client terminal device; otherwise, identity authentication fails and it sends a secure identity authentication failed message to the client terminal device.
Fig. 5 is a schematic diagram of the interface of step 408 in Fig. 4, which is described in detail below:
The method for secure identity authentication in an online banking system provided by the present invention, also called the online banking password card two-challenge method, can be divided into two steps, the first challenge and the second challenge. A payment succeeds only if the customer answers both challenges successfully.
First, in the first challenge, when the customer makes a personal online banking payment, the system randomly prompts for a verification code and the password corresponding to the first password card coordinate A. At this point coordinate B carries no coordinate information (that is, the second password coordinate is not displayed). If the verification code and the password corresponding to password card coordinate A entered by the customer are both correct, the system displays the second password coordinate. Within the validity time of the first password card coordinate, if the customer enters the password incorrectly, the customer is asked to re-enter it; if the validity time has passed, the customer is prompted "Password card password timed out, please re-enter the password card password", and if the customer continues the transaction, another new coordinate A is generated at random and the customer is prompted to enter the password corresponding to that password card coordinate A.
Next, in the second challenge, once the first challenge has been passed, the system displays the second password coordinate and prompts the customer to enter the corresponding password card password again. If the password is correct and is entered within the validity time of this password card coordinate, the second challenge succeeds and one normal identity authentication is complete. Within the validity time of the second password card coordinate, if the customer enters the password incorrectly, the customer is prompted to re-enter it; if the validity time has passed, the customer is prompted "Password card password timed out, please re-enter the password", and if the customer continues the transaction, a new two-challenge/response process starts: the system randomly generates another new coordinate A and returns to the first challenge, which is carried out again. Because the system displays the second password coordinate only after the first challenge has been passed, man-in-the-middle website attacks can be effectively defended against.
The two-challenge method controls the number of wrong passwords in the first challenge, the first challenge timeout, the number of wrong passwords in the second challenge, the second challenge timeout, and the limit on the number of refreshes in the second challenge as follows:
(1) When the number of wrong passwords the customer enters in the first challenge reaches the specified number, the customer's online banking transaction permission is locked for the day and is unlocked automatically the next day. When the customer enters the password after the specified time has passed, the system prompts the customer "Transaction timed out, please resubmit"; after the customer confirms, the page is refreshed and new coordinates are generated at random.
(2) When the number of wrong passwords the customer enters in the second challenge reaches the specified number, the customer's online banking transaction permission is locked for the day and is unlocked automatically the next day. When the customer enters the password after the specified time has passed, the system prompts the customer "Transaction timed out, please resubmit"; the system returns to the first challenge page, refreshes it, and generates new coordinates at random.
(3) When, in the second challenge, the customer enters no password and refreshes the coordinates consecutively more than the specified number of times, the system locks the customer's login and transaction permissions, and the lock can be removed only after the customer resets the password in person at the bank counter. This defends against the continuous password card coordinate refresh attack.
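The two-challenge flow and the three control rules above can be modelled as a per-customer state machine. This is an added example, not code from the patent: the class and method names, the 120-second validity window, the thresholds of 3 wrong entries and 5 refreshes, and the sample card are assumptions, and the service providing, security service and data management devices are collapsed into one object.

```python
import hmac
import secrets
import time

VALIDITY_SECONDS = 120   # assumed validity window for each coordinate
MAX_WRONG = 3            # assumed wrong-entry threshold per challenge
MAX_REFRESH = 5          # assumed cap on second-challenge refreshes with no entry

# Constructed sample card: coordinate -> code printed at that coordinate.
SAMPLE_CARD = {"A1": "382", "B3": "915", "C2": "047", "D4": "660", "E5": "271"}


class TwoChallengeAuth:
    """Per-customer state for the two-challenge password-card check."""

    def __init__(self, card, now=time.time):
        self.card = card
        self.now = now                  # injectable clock, epoch seconds
        self.stage = 0                  # 0 = idle, 1 = first, 2 = second challenge
        self.coord = None               # coordinate currently being challenged
        self.issued_at = 0.0
        self.wrong = {1: 0, 2: 0}       # wrong entries per challenge
        self.refreshes = 0              # consecutive second-challenge refreshes
        self.day_locked_on = None       # epoch day of a same-day lock
        self.counter_locked = False     # cleared only by a reset at the counter

    def _today(self):
        return int(self.now() // 86400)

    def is_locked(self):
        if self.counter_locked:
            return True
        if self.day_locked_on is None:
            return False
        if self.day_locked_on == self._today():
            return True
        # A same-day lock expires automatically on the next day.
        self.day_locked_on, self.wrong = None, {1: 0, 2: 0}
        return False

    def _issue(self, stage):
        # A newly issued coordinate always differs from the one it replaces.
        self.coord = secrets.choice([c for c in self.card if c != self.coord])
        self.stage, self.issued_at = stage, self.now()
        return self.coord

    def begin(self):
        """Transaction request: only the first coordinate is disclosed."""
        if self.is_locked():
            return ("locked", None)
        return ("first_challenge", self._issue(1))

    def refresh_second(self):
        """The second-challenge page is reloaded without a code being entered."""
        if self.is_locked():
            return ("locked", None)
        if self.stage != 2:
            return ("no_challenge", None)
        self.refreshes += 1
        if self.refreshes > MAX_REFRESH:
            # Rule (3): login and transactions stay locked until a counter reset.
            self.counter_locked, self.stage = True, 0
            return ("locked", None)
        return ("second_challenge", self._issue(2))

    def submit(self, code):
        """Check a code against the coordinate currently on screen."""
        if self.is_locked():
            return ("locked", None)
        if self.stage not in (1, 2):
            return ("no_challenge", None)
        if self.now() - self.issued_at > VALIDITY_SECONDS:
            # Rules (1) and (2): a timeout at either stage restarts at a fresh
            # first challenge.
            return ("timeout", self._issue(1))
        if self.stage == 2:
            self.refreshes = 0          # an entry ends the run of bare refreshes
        if not hmac.compare_digest(code.encode(), self.card[self.coord].encode()):
            self.wrong[self.stage] += 1
            if self.wrong[self.stage] >= MAX_WRONG:
                self.day_locked_on, self.stage = self._today(), 0
                return ("locked", None)
            return ("retry", self.coord)   # same coordinate, window still running
        if self.stage == 1:
            # The second coordinate is chosen and shown only after the first passes.
            return ("second_challenge", self._issue(2))
        self.stage, self.refreshes, self.wrong = 0, 0, {1: 0, 2: 0}
        return ("authenticated", None)


if __name__ == "__main__":
    auth = TwoChallengeAuth(SAMPLE_CARD)
    _, first = auth.begin()
    status, second = auth.submit(SAMPLE_CARD[first])
    print(first, status, second, auth.submit(SAMPLE_CARD[second])[0])
```

In a deployment the lock and counter state would be stored per customer in the database rather than in process memory, so that it survives a new session.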
The specific embodiments described above further explain the purpose, technical solution and beneficial effects of the present invention in detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (12)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200710120049A CN100576796C (en) | 2007-08-08 | 2007-08-08 | System and method for secure identity authentication in online banking system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200710120049A CN100576796C (en) | 2007-08-08 | 2007-08-08 | System and method for secure identity authentication in online banking system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101119202A CN101119202A (en) | 2008-02-06 |
| CN100576796C true CN100576796C (en) | 2009-12-30 |
Family
ID=39055158
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200710120049A Active CN100576796C (en) | 2007-08-08 | 2007-08-08 | System and method for secure identity authentication in online banking system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100576796C (en) |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101119202A (en) | 2008-02-06 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |