CN1323538C - A method and system for dynamic identity authentication - Google Patents

Publication number
CN1323538C
Authority
CN
China
Prior art keywords
user
password
information
mobile phone
identity authentication
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB200310111570XA
Other languages
Chinese (zh)
Other versions
CN1547142A (en
Inventor
胡汉平
王祖喜
吴晓刚
曾伟国
吴俊�
王凌斐
刘博�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology

Landscapes

  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a dynamic identity authentication method and system. The steps are as follows: ① user information is input and an authentication request is sent to an authentication server; ② after receiving the request, the authentication server first verifies the validity of the user information and prompts a legitimate user to input the client password; ③ the user generates the client password through the mobile phone token; ④ the user inputs this client password through the user terminal and sends it to the authentication server; ⑤ if the password received by the authentication server is consistent with the one it generated, the identity authentication is passed; otherwise it fails. The system includes a user terminal, a user information server, an authentication server and a mobile phone token. The authentication server is responsible for receiving and completing the user's service requests, and the mobile phone token is used to generate the synchronized current identity authentication password. The invention can effectively prevent illegal login by peeping at or guessing the authentication password, and can also effectively prevent illegal login by intercepting transmitted information, thus greatly improving the security of the system.

Description

Dynamic identity authentication method and system
Technical Field
The invention belongs to the field of information security authentication technology. It is realized by combining computer, information coding and mobile communication technologies, and can be applied to many systems and fields that need identity authentication, such as banking and securities.
Background
Authentication is one of the important mechanisms for implementing network security. In secure network communication, the communicating parties must verify, through some form of authentication mechanism, that their identities are what they claim; only then can access control and logging for different users be implemented. As early as the 1970s, the international bank card association encountered the problem of how to authenticate users to ensure system security. With the rapid development of information technology, an eavesdropper can acquire a password by low-level peeping; guess passwords using the system's "passwd" file; analyze protocols and filter out passwords (using a sniffing program); monitor and obtain the password with a TSR (terminate-and-stay-resident) program; or intercept the password with a Trojan horse program, breaking through the computer security mechanism to gain illegal access. Computer viruses (such as the Bugbear virus) are used to steal credit card numbers, online banking data and bank passwords from computers. An effective countermeasure is dynamic electronic password technology. Its essence is that the password changes at regular intervals or after each use, so the password the user enters is different at every access, which makes electronic theft more difficult.
Methods and systems using the above technology are proposed in the invention patents "dynamic electronic cipher forming method" (99116451.2) and "dynamic electronic cipher system" (00114328.X). However, the user password card and the host system are synchronized mainly by a non-contact clock synchronization technology, in which errors accumulate over time, so the clocks of both parties must be corrected after a period of time. In addition, the user password card is an extra burden for the user to carry and use, and a password card with a keyboard and a liquid crystal display can be damaged by careless use. To overcome these disadvantages, we have also proposed the invention patent "dynamic cipher wireless transmission method" (99116517.9). However, because the dynamic password is transmitted in plaintext in that method, an eavesdropper can conveniently intercept the identity authentication password. Moreover, that method cannot guarantee real-time authentication when the wireless network is congested.
Disclosure of Invention
The invention aims to overcome the above defects and to provide a dynamic identity authentication method that uses the widely used mobile phone as an identity token. The method can effectively prevent illegal login by peeping at or guessing an authentication password, and can also effectively prevent illegal login by intercepting transmitted data, which greatly improves the security of the system. The dynamic password does not need to be transmitted over the wireless network during authentication, which ensures that authentication is performed in real time. The invention also aims to provide a system implementing the method.
The invention discloses a dynamic identity authentication method for a mobile phone token, which is realized by utilizing a computer technology and a mobile communication technology and comprises the following steps:
(1) the user inputs user information at the user terminal and sends an identity authentication request to the identity authentication server;
(2) after receiving the authentication request, the identity authentication server first verifies the validity of the user information. If the user is a legitimate user, the identity authentication server generates and temporarily stores a server-side dynamic identity authentication password, and prompts the user to input a user-side dynamic identity authentication password at the user terminal;
(3) the user inputs the application module start password in the mobile phone token and passes the identity authentication at the mobile phone token end;
(4) the user generates a user-side dynamic identity authentication password through the mobile phone token, and the mobile phone presents it to the user;
(5) the user inputs the informed user-side dynamic identity authentication password through the user terminal and transmits the password to the identity authentication server to wait for identity authentication;
(6) if the user-side dynamic identity authentication password received by the identity authentication server is consistent with the server-side dynamic identity authentication password, passing the identity authentication; otherwise, the authentication is not passed.
When step (2) is carried out, if a legitimate user finds that his or her own account is locked, the user can apply for unlocking through the mobile phone token. The steps are as follows:
1) a user inputs a mobile phone token client application module starting password and passes the identity authentication of a mobile phone token end;
2) a user sends an 'application account unlocking request' message to an authentication server through a mobile phone token;
3) the authentication server receives the information of the 'application account unlocking request' and then verifies the validity of the information;
4) the authentication server sets a 'user state' field of the user to be in an unlocking state in a user information database, and then sends 'application account unlocking response' information to the user;
5) the mobile phone token receives the information of 'application account unlocking response' and prompts the user that the unlocking is successful.
When step (3) is performed, if the user finds that the dynamic identity authentication service has not been started, the service should be started. The steps are as follows:
1) a user inputs a mobile phone token client application module starting password and passes the identity authentication of a mobile phone token end;
2) a user sends a request for opening dynamic identity authentication service to an authentication server through a mobile phone token;
3) the authentication server receives the information of 'starting dynamic identity authentication service request' and then verifies the validity of the information;
4) the authentication server marks the authentication mode of the user as a dynamic identity authentication mode in a user database, and then sends 'start dynamic identity authentication service response' information to the mobile phone token;
5) the mobile phone token receives the 'start dynamic identity authentication service response' information and prompts that the dynamic identity authentication service has been started.
In the process of identity authentication, if a legitimate user finds that authentication fails even though the operation was performed correctly, the user can use the mobile phone token to request system synchronization. The steps are as follows:
1) a user inputs a mobile phone token client application module starting password and passes the identity authentication of a mobile phone token end;
2) a user sends information of applying for a system synchronization request to an authentication server through a mobile phone token;
3) the authentication server receives the information of applying for the system synchronization request and then verifies the validity of the information;
4) the authentication server takes out the current working password of the server from the user database;
5) the authentication server generates 'application system synchronous response' information, writes the current working password of the server into a 'server side information' field in the information, and then sends response information to the user;
6) after receiving the 'application system synchronous response' information, the mobile phone token extracts the current working password from it and sets the current working password at the mobile phone token end to the extracted value, completing system synchronization.
In the process of identity authentication, if the dynamic identity authentication service is to be cancelled, the steps are as follows:
1) a user inputs a mobile phone token client application module starting password and passes the identity authentication of a mobile phone token end;
2) a user sends a request for canceling the dynamic identity authentication service to an authentication server through a mobile phone token;
3) the authentication server receives the information of canceling the dynamic identity authentication service request and then verifies the validity of the information;
4) the authentication server marks the authentication mode of the user as a fixed password identity authentication mode in a user information database, and then sends 'cancel dynamic identity authentication service response' information to the mobile phone token;
5) the mobile phone token receives the information of canceling the dynamic identity authentication service response and prompts that the dynamic identity authentication service is canceled.
In the process of identity authentication, if the dynamic identity authentication process is to be stopped, the steps are as follows:
1) the user inputs a preset stopping instruction of the mobile phone token, and the token system stops the authentication process;
2) the user inputs and transmits a request for stopping the dynamic identity authentication service to the identity authentication server through the user terminal;
3) after receiving the request for stopping the dynamic identity authentication service, the authentication server stops the authentication process on the server side.
When step (3) is carried out, if a legitimate user finds that his or her own mobile phone token is locked, the user can apply for unlocking through the mobile phone token. The steps are as follows:
1) a user inputs a mobile phone token registration password and passes the authorization authentication of a mobile phone token end;
2) the mobile phone token sets the 'user state' field in the mobile phone token to be in an unlocking state, and then informs the user of 'unlocking response' information through the mobile phone.
A system for realizing the method comprises a user terminal, a user information server, an authentication server and a mobile phone token, wherein:
the user terminal is used for inputting user information and is communicated with the identity authentication server through a network;
the user information server is used for storing a table set according to the identity authentication protocol, providing each user information required in the authentication process and receiving the operation of the authentication server;
the authentication server is responsible for receiving and completing a service request of a user, and is provided with an authentication server side service module, a password generation module and a communication module; the authentication server side service module is used for network transmission control, authentication system security protocol processing, information transmission encryption and decryption, user information access and dynamic password acquisition and temporary storage; the password generation module is responsible for generating a server-side dynamic identity authentication password and is communicated with the authentication server through a server bus; the communication module is responsible for sending and receiving information of the authentication server end and is an intermediary for communication between the mobile phone token and the authentication server;
the mobile phone token is a user mobile phone with a dynamic identity authentication client application module arranged in an SIM card of the mobile phone, the dynamic identity authentication client application module and a password generation module in an authentication server use the same dynamic password generation algorithm and the same current working password, and independently generate a synchronous dynamic identity authentication password.
The authentication server side service module comprises a user information management module, a dynamic password access module, a protocol processing module, a core management module, an encryption module and a network transmission module;
the user information management module is responsible for completing user information management commands of the core management module, including establishing a new account, modifying existing account information, deleting overdue account information, locking or unlocking a user account and controlling user access authority;
the dynamic password access module is an access module of the password generation module, receives the user key information provided by the core management module, generates a dynamic password in the authentication process, and sends the dynamic password to the core management module for temporary storage;
the protocol processing module is a service processing end of a dynamic identity authentication system security protocol and is used for receiving security protocol information provided by the core management module and returning a processing result to the core management module;
the encryption module is used for completing an information encryption and decryption request of the core management module;
the network transmission module is used for completing information transmission and receiving tasks of the server side, processing an information transmission request of the core management module and sending different types of information to different communication networks;
the core management module is responsible for coordinating the interrelationship and information transfer among the modules.
The dynamic identity authentication client application module in the mobile phone token comprises a dynamic password generator, a memory, a password comparator and a controller;
the memory is used for storing a user ID, a user identity card number, a registration password Pr and an encryption key Ke, and is responsible for storing a current working password Ks for generating a dynamic identity authentication password, a starting password (or a mobile phone token password) Pt of the client application module and the number Nt of times of continuously and wrongly inputting a token access password on the token; it is connected with a dynamic password generator, a password comparator and a controller;
the dynamic password generator is used for generating a current authentication password of the user by the current working password Ks, the password corresponds to the authentication password of the server, and the authentication password is informed to the user through an output device of the mobile phone;
the password comparator is used for judging whether the mobile phone user is legal or not;
the controller is used for controlling the coordination work of the modules.
The invention differs from the inventions "method for ensuring the safety of money payment by adding a paging system on the internet and a response system" (99123882.6) and "a dynamic password wireless transmission method" (99116517.9) in that the user side adopts a widely used mobile phone as the token, and the dynamic identity authentication passwords are generated independently at the mobile phone token end and at the identity authentication server end. The invention therefore does not rely on wireless network transmission, authentication is performed in real time, and an outside party cannot intercept the password at all, which greatly improves the security of the system. In addition, the user does not need to pay extra communication costs during authentication, so the cost of using the dynamic identity authentication service is greatly reduced compared with the two inventions above.
Drawings
Fig. 1 is an overall structure diagram of the authentication system;
Fig. 2 is a diagram of the authentication server software architecture;
Fig. 3 is a diagram of the mobile phone token implementation;
Fig. 4 is a diagram of the dynamic identity authentication process, where Fig. 4.1 is the process executed at the mobile phone token end and Fig. 4.2 is the process executed at the authentication server end;
Fig. 5 is a diagram of the process of starting the dynamic identity authentication service, where Fig. 5.1 is the process executed at the mobile phone token end and Fig. 5.2 is the process executed at the authentication server end;
Fig. 6 is a diagram of the system synchronization application process, where Fig. 6.1 is the process executed at the mobile phone token end and Fig. 6.2 is the process executed at the authentication server end;
Fig. 7 is a diagram of the process of applying for unlocking a user account, where Fig. 7.1 is the process executed at the mobile phone token end and Fig. 7.2 is the process executed at the authentication server end;
Fig. 8 is a diagram of the process of canceling the dynamic identity authentication service, where Fig. 8.1 is the process executed at the mobile phone token end and Fig. 8.2 is the process executed at the authentication server end;
Fig. 9 is a diagram of the format of the security protocol message, where Fig. 9.1 is the format of the protocol header, Fig. 9.2 is the format of the service request message body, and Fig. 9.3 is the format of the service response message body.
Detailed Description
The present invention will be further described in detail below with reference to the drawings by taking a bank system as an example.
First, description of the system architecture
Fig. 1 is an overall structure diagram of the authentication system, which includes a user terminal 6, a user information server 1, an authentication server 2, and a mobile phone token 5. The user information server 1 is the data server of the system. It uses an Oracle9i database system, which stores a table set according to the authentication protocol and provides the user information required in the authentication process. The table includes the following fields: identity card number, user ID, registration password Pr, encryption and decryption key Ke, current working password Ks (the same as the current working password stored in the mobile phone token), a flag indicating that the account is in use (to prevent race-condition attacks), mobile phone number, etc. The user information server 1 accepts operation requests (queries and modifications of user information) from the authentication server 2, which uses the OLE DB data interface. The authentication server 2 is the server side of the whole authentication system and is responsible for receiving and completing users' service requests. It is provided with the authentication server side service module, a password generation module 3 and a communication module 4. The password generation module 3 is responsible for generating the server-side dynamic identity authentication password; it is a hardware implementation of a dynamic electronic password generation algorithm and communicates with the authentication server 2 over a server bus. The communication module 4 communicates with the authentication server 2 through a COM port. The mobile phone token 5 is a user's mobile phone that can perform the function of the authentication token; its SIM card provides a Java runtime environment.
The dynamic identity authentication client application module is an embedded application module developed in the Java language and written into the SIM card of the mobile phone token 5 by the SIM card writing device TY 311. The client application module in the mobile phone token 5 and the password generation module 3 in the authentication server use the same dynamic password generation algorithm and independently generate synchronized dynamic identity authentication passwords. A user terminal 6, such as an ATM terminal, communicates with the authentication server 2 via the bank intranet 7. During authentication, the user submits the user-side dynamic identity authentication password generated by the mobile phone token to the authentication server. The authentication server compares it with the server-side dynamic identity authentication password that it generated itself and decides from the comparison result whether the user passes identity authentication.
Fig. 2 is a structure diagram of the authentication server side service module. This module is the server-side software of the authentication system and mainly performs network transmission control, authentication system security protocol processing, encryption and decryption of transmitted information, user information access, and acquisition and temporary storage of dynamic passwords. It comprises a user information access module 8, a dynamic password access module 9, a protocol processing module 10, a core management module 11, an encryption module 12 and a network transmission module 13. The user information access module 8 is the access module for the back-end user information server and is responsible for carrying out the user information management commands of the core management module 11, including establishing a new account, modifying existing account information, deleting outdated account information, locking or unlocking a user account, and controlling user access rights. The dynamic password access module 9 is the access module for the dynamic password generation module in the authentication server; it receives the user key information provided by the core management module 11, generates the dynamic password used in the authentication process, and sends it to the core management module 11 for temporary storage. The protocol processing module 10 is the server-side processing end of the dynamic identity authentication system security protocol; it receives the security protocol information provided by the core management module 11 and returns the processing result to the core management module 11. The core management module 11 is the core of the whole authentication server software and is responsible for coordinating the relationships and information transfer between the other modules.
The encryption module 12 mainly completes the information encryption and decryption request of the core management module 11. The network transmission module 13 mainly completes the information transmission task of the server side, and receives the information of the bank private network and the information of the communication module in the authentication server. It also processes the information transmission request of the core management module and sends different types of information to different communication networks.
Fig. 3 is a mobile phone token implementation diagram, in which 22 is the structure of the SIM card part of the mobile phone token and 23 is the structure of the interface part of the mobile phone. The dynamic identity authentication client application module in the mobile phone token comprises a dynamic password generator 14, a memory 15, a password comparator 16 and a controller 17. The memory 15 stores the user ID, the user identity card number, the registration password Pr and the encryption and decryption key Ke. It also stores the current working password Ks (the same as the current working password stored in the server) used to generate the current dynamic identity authentication password, the start password (or mobile phone token password) Pt of the client application module, and the number Nt of consecutive wrong entries of the token access password on the token. The encryption key Ke and the current working password Ks are assigned to the user's mobile phone token by the authentication server when the user applies for the service; the start password (or mobile phone token password) Pt of the client application module is provided by the user and written to the SIM card. The memory 15 is connected to the dynamic password generator 14, the password comparator 16 and the controller 17. The dynamic password generator 14 generates the user's current authentication password from the current working password Ks; it may use a stream cipher algorithm such as RC4, and the password it generates corresponds to the server's authentication password. The dynamic password generator 14 is connected to the display 20 through the display interface 18 of the mobile phone and shows the generated password on the display screen.
The password comparator 16 is used to determine whether the user of the mobile phone is legitimate and is connected to the keypad 21 through the keypad interface 19 so that the password entered by the user through the keypad is compared with the start password (or token password) Pt of the client application. The controller 17 is used for controlling the coordination of the modules.
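The synchronized generation described above, as an added example that is not code from the patent: token and server each derive the password from the shared current working password Ks, the server counts mismatches toward a lock, and a synchronization response restores a token that has run ahead. HMAC-SHA256 stands in for the generation algorithm (the text only suggests a stream cipher such as RC4); the Ks update rule, the 6-digit length, the lock threshold of 3 and all sample values are assumptions.

```python
import hashlib
import hmac

DIGITS = 6          # assumption: length of the displayed password
LOCK_THRESHOLD = 3  # assumption: the page gives no critical value


def dynamic_password(ks: bytes) -> str:
    """Derive the dynamic password from the current working password Ks."""
    mac = hmac.new(ks, b"dynamic-password", hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**DIGITS).zfill(DIGITS)


def next_working_password(ks: bytes) -> bytes:
    """Assumed one-way update of Ks after each generated password."""
    return hmac.new(ks, b"next-working-password", hashlib.sha256).digest()


class PhoneToken:
    """Client application module: memory (Ks, Pt, Nt), comparator, generator."""

    def __init__(self, ks: bytes, pt: str):
        self.ks, self.pt, self.nt, self.locked = ks, pt, 0, False

    def generate(self, entered_pt: str):
        """Check the start password Pt, then emit a password and advance Ks."""
        if self.locked:
            return None
        if not hmac.compare_digest(entered_pt.encode(), self.pt.encode()):
            self.nt += 1  # Nt: consecutive wrong token passwords
            self.locked = self.nt >= LOCK_THRESHOLD
            return None
        self.nt = 0
        code = dynamic_password(self.ks)
        self.ks = next_working_password(self.ks)
        return code

    def resync(self, server_ks: bytes):
        """Apply the Ks carried in a system synchronization response."""
        self.ks = server_ks


class AuthServer:
    """Server side for one user record: Ks, wrong-password count, lock state."""

    def __init__(self, ks: bytes):
        self.ks, self.wrong_count, self.locked, self.pending = ks, 0, False, None

    def begin(self) -> bool:
        """Generate and temporarily store the server-side password."""
        if self.locked:
            return False
        self.pending = dynamic_password(self.ks)
        return True

    def verify(self, submitted: str) -> bool:
        """Compare in constant time; a stored password is usable only once."""
        if self.locked or self.pending is None:
            return False
        expected, self.pending = self.pending, None
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self.ks = next_working_password(self.ks)
            self.wrong_count = 0
            return True
        self.wrong_count += 1
        self.locked = self.wrong_count >= LOCK_THRESHOLD
        return False

    def sync_response(self) -> bytes:
        """Ks for the synchronization response (transport protection omitted)."""
        return self.ks


def demo() -> dict:
    ks0 = hashlib.sha256(b"constructed sample working password").digest()
    token, server = PhoneToken(ks0, "2468"), AuthServer(ks0)  # constructed values
    results = {}
    server.begin()
    results["in_sync"] = server.verify(token.generate("2468"))
    token.generate("2468")  # password shown but never submitted: token runs ahead
    server.begin()
    results["desynced"] = server.verify(token.generate("2468"))
    token.resync(server.sync_response())
    server.begin()
    results["after_resync"] = server.verify(token.generate("2468"))
    return results


if __name__ == "__main__":
    print(demo())
```

The desynchronized attempt increments the server's wrong-password count, so in this model a user who keeps retrying without requesting synchronization locks the account.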
Second, authentication process
As shown in fig. 4, the authentication process includes the steps of:
(1) a user inserts a bank card into an ATM terminal, submits user information and sends an identity authentication request to an identity authentication server;
(2) after receiving the authentication request, the identity authentication server first verifies the validity of the user information. If the user is a legitimate user (the user information is stored in the user information database), the identity authentication server generates and temporarily stores a server-side dynamic identity authentication password, and prompts the user to input a user-side dynamic identity authentication password at the user terminal. The detailed processing procedure of this step is as follows:
(2.1) after receiving the authentication request, the network transmission module in the identity authentication server submits the user request to the core management module.
(2.2) the core management module queries the user information database through the user information access module. If the database does not contain the user information, the core management module generates an error message and transmits it to the ATM terminal through the network transmission module, and the terminal, after receiving the message, prompts the user that the user information is wrong. If the database contains the user information, the user information management module returns the user's information to the core management module, which checks the value of the Identification_Mode field in the user information database (a field value of 0 indicates that the user uses static password authentication, and 1 indicates that the user uses dynamic password authentication).
(2.3) if Identification_Mode is 1, the core management module queries the user's Lock_State field (a field value of 0 indicates that the user is not locked, and 1 indicates that the user is locked). If Lock_State is 1, the core management module sends information to the ATM terminal to prompt that the user is locked, and exits the authentication process. Otherwise, the core management module passes the user's current working password to the dynamic password access module, the dynamic password generation module generates the user's dynamic authentication password from the current working password and returns it to the core management module, and the core management module temporarily stores this dynamic authentication password and sends information to the ATM terminal prompting the user to input the user-side dynamic authentication password.
If a legitimate user finds that his or her own account is locked, the user can apply for unlocking through the mobile phone token; the specific unlocking process is described in the user application unlocking part of the dynamic identity authentication security protocol.
(3) The user generates a user-side dynamic identity authentication password through the mobile phone token, and the password is displayed on the mobile phone screen.
It must be emphasized that the user must complete both the "initialization of the mobile token" and the "opening of the dynamic authentication service" before using the dynamic authentication service provided by the bank. The details of the two processes are shown in the two parts of 'mobile token initialization' and 'dynamic identity authentication service starting' of the dynamic identity authentication security protocol.
(4) The user inputs the user dynamic identity authentication password displayed on the mobile phone screen through the user terminal and transmits the password to the identity authentication server to wait for identity authentication.
(5) If the user-side dynamic identity authentication password received by the identity authentication server is consistent with the server-side dynamic identity authentication password, passing the identity authentication; otherwise, the authentication is not passed. The detailed procedure for this step is as follows:
(5.1) the core management module of the authentication server obtains a user side dynamic identity authentication password submitted by the user from a network transmission module;
(5.2) the core management module compares the user-side dynamic identity authentication password with the temporarily stored server-side dynamic identity authentication password. If the two are consistent, the core management module sends information to the ATM terminal through the network transmission module to prompt that the user authentication is successful. Otherwise, the core management module modifies the user information in the user information database through the user information network module, adding 1 to the WrongPSW_Count field in the user information (when WrongPSW_Count reaches a critical value, the user is locked), and sends information to the ATM terminal through the network transmission module to request the user to restart the authentication process.
It must be pointed out that if a legitimate user finds that authentication still fails after operating correctly, the user can request system synchronization by using the mobile phone token; the synchronization process is described in the 'user applies for system synchronization' part of the dynamic identity authentication security protocol.
Dynamic identity authentication security protocol
The invention discloses a dynamic identity authentication method based on a mobile phone token, which is an authentication method based on a synchronous dynamic identity authentication password. The dynamic identity authentication security protocol is the supporting protocol of this method. It is an interactive protocol based on short messages that defines the interaction flow between the mobile phone token and the authentication server, the format of the exchanged information, and the security mechanisms (an information encryption method, an encryption key management method and an information authentication method) that protect the interaction. The security protocol not only provides system synchronization between the mobile phone token and the authentication server, but also lets the user use the mobile phone token to start the dynamic identity authentication service, unlock the user, cancel the dynamic identity authentication service, and so on. The basic principles of the security protocol are detailed below in terms of protocol process, security mechanism and information format.
(I) Protocol process
1. Mobile token initialization
The initialization of the mobile phone token consists of two stages: writing the client application module and initializing the client application module. Writing the client application module means that the JAVA-based embedded dynamic authentication client application module is written into the SIM card of the user's mobile phone by using the SIM card writing device TY 311. Initializing the client application module mainly sets its parameters in the SIM card, including the user identity information, the information encryption and decryption keys, the client application module starting password, the current working password, the user registration password and so on. The starting password and the registration password are chosen by the user and can be modified at any time. The starting password ensures that only a legitimate mobile phone token user can use the token to complete the dynamic identity authentication process. The registration password ensures that only a legitimate user can use the mobile phone token to complete the unlocking function and the cancellation of the dynamic identity authentication service. The current working password and the information encryption and decryption keys exist at both the mobile phone token end and the authentication server end; those at the authentication server end are also part of the user information, and both ends hold the same current working password and the same information encryption and decryption keys.
During initialization, a random number generator generates an initial current working password and initial information encryption and decryption keys, and these are set as the current working password and the information encryption and decryption keys both in the mobile phone token and at the authentication server end.
2. User initiated dynamic identity authentication service
The user starts the dynamic identity authentication service by using the mobile phone token to send a 'start dynamic identity authentication service request' to the authentication server. After receiving the request, the authentication server first verifies the legitimacy of the user's information and performs the corresponding processing, and then sends a 'start dynamic identity authentication service response' to the user. The detailed process is as follows:
1) the user inputs the mobile phone token client application module starting password (set during mobile phone token initialization) and passes the identity authentication at the mobile phone token end;
2) the user sends a 'start dynamic identity authentication service request' to the authentication server through the mobile phone token;
3) the authentication server receives the 'start dynamic identity authentication service request' information and verifies its validity (it verifies the user ID and the registration password in the information, which were determined when the user's mobile phone token was initialized);
4) the authentication server marks the authentication mode of the user as the dynamic identity authentication mode in the user information base, and then sends the 'start dynamic identity authentication service response' information to the mobile phone token;
5) the mobile phone token receives the 'start dynamic identity authentication service response' information and prompts that the dynamic identity authentication service is started.
The processing procedure of the mobile phone token end and the authentication server end when the user starts the dynamic identity authentication service is shown in fig. 5.
3. User application system synchronization
As mentioned previously, the key to a user being able to authenticate with the authentication server is that the mobile phone token and the authentication server remain synchronized. However, abnormal conditions (for example, the mobile phone suddenly losing power during user authentication) can leave the two ends out of synchronization; the synchronized state is then recovered by executing the 'user applies for system synchronization' part of the dynamic identity authentication security protocol. The detailed process is as follows:
1) the user inputs the mobile phone token client application module starting password and passes the identity authentication at the mobile phone token end;
2) the user sends an 'apply for system synchronization request' to the authentication server through the mobile phone token;
3) the authentication server receives the 'apply for system synchronization request' information and verifies its validity (it verifies the user ID and the registration password in the information, which were determined when the user's mobile phone token was initialized);
4) the authentication server takes the server's current working password out of the user information base;
5) the authentication server generates the 'apply for system synchronization response' information, writes the server's current working password into the 'server side information' field of that information, and then sends the response to the user;
6) after receiving the 'apply for system synchronization response' information, the mobile phone token extracts the current working password from it and sets the current working password of the dynamic electronic password at the mobile phone token end to the extracted value, thereby completing system synchronization.
The processing procedure of the mobile phone token end and the authentication server end when the user applies for system synchronization is shown in fig. 6.
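The server-side flow of authentication steps (2) to (5) and the 'user applies for system synchronization' recovery, as an added Python example that is not code from the patent. The password generator `derive` (HMAC-SHA-256, with the working password advanced after every generation), the lock threshold of 3 and all class and method names are assumptions; the short-message transport and the registration-password check on the synchronization request are left out.

```python
import hashlib
import hmac
from dataclasses import dataclass

LOCK_THRESHOLD = 3  # assumed critical value for WrongPSW_Count


def derive(ks: bytes) -> tuple[str, bytes]:
    """Stand-in generator (assumption): (6-digit password, next working password)."""
    digest = hmac.new(ks, b"dynamic-password", hashlib.sha256).digest()
    code = f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"
    return code, hashlib.sha256(b"next" + ks).digest()


@dataclass
class UserRecord:
    working_password: bytes       # current working password Ks, shared with the token
    identification_mode: int = 1  # 0 = static password, 1 = dynamic password
    lock_state: int = 0           # 1 = locked
    wrong_psw_count: int = 0


class AuthServer:
    def __init__(self) -> None:
        self.users: dict[str, UserRecord] = {}
        self.pending: dict[str, str] = {}  # temporarily stored server-side passwords

    def begin(self, user_id: str) -> str:
        """Steps (2.2)-(2.3): look up the user, check mode and lock, store a password."""
        rec = self.users.get(user_id)
        if rec is None:
            return "user information is wrong"
        if rec.identification_mode != 1:
            return "use static password"
        if rec.lock_state == 1:
            return "user is locked"
        self.pending[user_id], rec.working_password = derive(rec.working_password)
        return "enter dynamic password"

    def verify(self, user_id: str, submitted: str) -> str:
        """Step (5.2): compare, count failures, lock at the threshold."""
        rec = self.users[user_id]
        expected = self.pending.pop(user_id, None)  # one attempt per stored password
        if expected is not None and hmac.compare_digest(
            expected.encode(), submitted.encode()
        ):
            return "authentication successful"
        rec.wrong_psw_count += 1
        if rec.wrong_psw_count >= LOCK_THRESHOLD:
            rec.lock_state = 1
        return "restart authentication"

    def sync(self, user_id: str) -> bytes:
        """Synchronization response: the server's current working password."""
        return self.users[user_id].working_password


class PhoneToken:
    def __init__(self, ks: bytes) -> None:
        self.ks = ks

    def generate(self) -> str:
        code, self.ks = derive(self.ks)
        return code


def demo() -> list[str]:
    ks = bytes(range(16))  # constructed sample working password
    server, token = AuthServer(), PhoneToken(ks)
    server.users["alice"] = UserRecord(working_password=ks)
    log = []
    server.begin("alice")
    log.append(server.verify("alice", token.generate()))  # both ends in step
    token.generate()  # password generated but never submitted: token runs ahead
    server.begin("alice")
    log.append(server.verify("alice", token.generate()))  # mismatch
    token.ks = server.sync("alice")                       # token adopts the server's Ks
    server.begin("alice")
    log.append(server.verify("alice", token.generate()))  # in step again
    return log
```
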
4. User application for unlocking
If the user finds that the account of the user is locked by the bank, the user can apply for unlocking through the mobile phone token. The detailed process is as follows:
1) a user inputs a mobile phone token client application module starting password and passes the identity authentication of a mobile phone token end;
2) a user sends an 'application account unlocking request' message to an authentication server through a mobile phone token;
3) the authentication server receives the 'application account unlocking request' information and verifies its validity (it verifies the user ID and the registration password in the information, which were determined when the user's mobile phone token was initialized);
4) the authentication server sets a 'user state' field of the user to be in an unlocking state in a user information database, and then sends 'application account unlocking response' information to the user;
5) the mobile phone token receives the information of 'application account unlocking response' and prompts the user that the unlocking is successful.
The processing procedure of the mobile phone token end and the authentication server end when the user applies for unlocking is shown in fig. 7.
If a legitimate user finds that their own mobile phone token is locked, the user can unlock it through the mobile phone token. The steps are as follows:
1) the user inputs the mobile phone token registration password (generally, this password is longer than the starting password) and passes the authorization identity authentication at the mobile phone token end;
2) the mobile phone token sets the 'user state' field in the mobile phone token to the unlocked state, and then informs the user of the 'unlocking response' information through the mobile phone.
5. User cancellation of dynamic identity authentication service
The user can not only start the dynamic identity authentication service through the mobile phone token, but also cancel the dynamic identity authentication service through the mobile phone token. The detailed process is as follows:
1) a user inputs a mobile phone token client application module starting password and passes the identity authentication of a mobile phone token end;
2) a user sends a request for canceling the dynamic identity authentication service to an authentication server through a mobile phone token;
3) the authentication server receives the 'cancel dynamic identity authentication service request' information and verifies its validity (it verifies the user ID and the registration password in the information, which were determined when the user's mobile phone token was initialized);
4) the authentication server marks the authentication mode of the user as a fixed password identity authentication mode in a user information base, and then sends 'cancel dynamic identity authentication service response' information to the mobile phone token;
5) the mobile phone token receives the information of canceling the dynamic identity authentication service response and prompts that the dynamic identity authentication service is canceled.
The processing procedure of the mobile phone token side and the authentication server side when the user cancels the dynamic identity authentication service is shown in fig. 8.
6. User termination of dynamic identity authentication service
In the process of identity authentication, if the dynamic identity authentication process is to be stopped, the steps are as follows:
1) the user inputs a preset stopping instruction of the mobile phone token, and the token system stops the authentication process;
2) the user inputs and transmits a request for stopping the dynamic identity authentication service to the identity authentication server through the user terminal;
3) after receiving the request for stopping the dynamic identity authentication service, the authentication server stops the authentication process on the server side.
(II) Security mechanism of the security protocol
The security protocol encrypts and decrypts the exchanged information using an encryption key, a decryption key and a block cipher algorithm such as DES (Data Encryption Standard).
The protocol defines not only the encryption and decryption methods for the exchanged information but also how the corresponding encryption and decryption keys are managed. The protocol specifies that the encryption and decryption keys are written when the mobile phone token is initialized, and that they are updated based on the number of times they have been used: an information counter maintained at the user's mobile phone counts the request messages sent by the mobile phone token; when the counter reaches a threshold, the mobile phone token automatically sets the key update flag bit in its message; on receiving that message, the authentication server carries new information encryption and decryption keys in its response; and after receiving the new keys, the mobile phone token starts to use them to encrypt and decrypt information.
(III) Security protocol information format
The protocol information format is shown in figure 9. The information is divided into two types of service request information and service response information, and each information is divided into two parts, namely a header and an information body. The specific format is described as follows:
(1) Protocol header
Version: the version number of the protocol;
Head length: the length of the protocol header;
Service party ID: a unique ID that identifies each service party providing the dynamic authentication service;
Total length: the total length of the information; this field is included to allow for later expansion of the information body;
(2) Service request information body
Service type: the 1st bit indicates the information type; the 2nd bit indicates whether the client requests an update of the information encryption key, or whether the response information carries an updated key; bits 3-8 are information type bits;
Verification code: the information is verified using byte summation;
Sequence number: identifies each request message to prevent replay attacks;
User ID: the user's authentication account number;
Registration code: private data of the user generated when the user's mobile phone token is initialized. The server confirms the user identity by using the user ID and the user verification code;
(3) Service response body
Service type: the same as above;
Verification code: the same as above;
Sequence number: a copy of the sequence number in the request, ensuring one-to-one correspondence between response and request;
New key: carries the new key used to encrypt protocol information;
Service side information: response information returned to the user by the service party, such as the current working password of the algorithm;
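The information format above together with the counter-based key update, as an added Python example that is not code from the patent: a token and a server exchange requests and responses, the server rejects a repeated sequence number, and the third request sets the key update flag. Field widths, bit positions, the service kind code, the threshold of 3 and all names are assumptions (the layout of fig. 9 is not available here), and the DES encryption applied to each message is omitted.

```python
import hmac
import os
import struct

# Field names come from the format description; widths, bit order and the
# constants below are assumptions made for this example.
HEADER = struct.Struct(">BBHH")       # version, head length, service party ID, total length
REQ_BODY = struct.Struct(">BBH8s8s")  # service type, verification code, sequence number,
                                      # user ID, registration code
RESP_FIXED = struct.Struct(">BBH")    # service type, verification code, sequence number
CHECK_OFFSET = HEADER.size + 1        # index of the verification code byte
RESPONSE_BIT, KEY_UPDATE_BIT, KIND_MASK = 0x80, 0x40, 0x3F
KIND_SYNC = 0x02                      # hypothetical code for a synchronization request
KEY_LEN, KEY_UPDATE_THRESHOLD, PARTY_ID = 8, 3, 1


def seal(msg: bytearray) -> bytes:
    """Fill in the total length and the byte-sum verification code."""
    struct.pack_into(">H", msg, 4, len(msg))
    msg[CHECK_OFFSET] = 0
    msg[CHECK_OFFSET] = sum(msg) & 0xFF
    return bytes(msg)


def check(msg: bytes) -> None:
    """Validate the header length fields and the verification code."""
    if len(msg) < HEADER.size + RESP_FIXED.size:
        raise ValueError("message too short")
    _version, head_len, _party, total = HEADER.unpack_from(msg)
    if head_len != HEADER.size or total != len(msg):
        raise ValueError("bad length field")
    # A byte sum is unkeyed: it catches transmission errors, not deliberate modification.
    if (sum(msg) - msg[CHECK_OFFSET]) & 0xFF != msg[CHECK_OFFSET]:
        raise ValueError("bad verification code")


class Token:
    def __init__(self, user_id: bytes, reg_code: bytes, key: bytes) -> None:
        self.user_id, self.reg_code, self.key = user_id, reg_code, key
        self.seq = 0   # 16-bit field; wrap-around is not handled here
        self.sent = 0  # information counter that drives the key update

    def request(self, kind: int) -> bytes:
        self.seq += 1
        self.sent += 1
        stype = kind & KIND_MASK
        if self.sent >= KEY_UPDATE_THRESHOLD:
            stype |= KEY_UPDATE_BIT
        body = REQ_BODY.pack(stype, 0, self.seq, self.user_id, self.reg_code)
        return seal(bytearray(HEADER.pack(1, HEADER.size, PARTY_ID, 0) + body))

    def handle_response(self, msg: bytes) -> bytes:
        """Return the service side information; install a new key if one is carried."""
        check(msg)
        stype, _code, seq = RESP_FIXED.unpack_from(msg, HEADER.size)
        if not stype & RESPONSE_BIT or seq != self.seq:
            raise ValueError("response does not match the outstanding request")
        rest = msg[HEADER.size + RESP_FIXED.size:]
        if stype & KEY_UPDATE_BIT:
            if len(rest) < KEY_LEN:
                raise ValueError("new key missing")
            self.key, rest = rest[:KEY_LEN], rest[KEY_LEN:]
            self.sent = 0
        return rest


class Server:
    def __init__(self) -> None:
        # user ID -> {"reg_code", "key", "last_seq", "working_password"}
        self.users: dict[bytes, dict] = {}

    def handle(self, msg: bytes) -> bytes:
        check(msg)
        if len(msg) != HEADER.size + REQ_BODY.size:
            raise ValueError("bad request size")
        stype, _code, seq, uid, reg = REQ_BODY.unpack_from(msg, HEADER.size)
        user = self.users.get(uid)
        if user is None or not hmac.compare_digest(reg, user["reg_code"]):
            raise ValueError("invalid user")
        if seq <= user["last_seq"]:
            raise ValueError("replayed sequence number")
        user["last_seq"] = seq
        rtype, new_key = RESPONSE_BIT | (stype & KIND_MASK), b""
        if stype & KEY_UPDATE_BIT:
            new_key = user["key"] = os.urandom(KEY_LEN)
            rtype |= KEY_UPDATE_BIT
        info = user["working_password"] if stype & KIND_MASK == KIND_SYNC else b""
        out = HEADER.pack(1, HEADER.size, PARTY_ID, 0) + RESP_FIXED.pack(rtype, 0, seq)
        return seal(bytearray(out + new_key + info))
```
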

Claims (10)

1. A dynamic identity authentication method for a mobile phone token is realized by utilizing a computer technology and a mobile communication technology, and comprises the following steps:
(1) a user inputs user information at a user terminal and sends an identity authentication request to an identity authentication server;
(2) after receiving the authentication request, the identity authentication server firstly verifies the validity of the user information; if the user is a legal user, the identity authentication server generates and temporarily stores a current dynamic identity authentication password of the server side, and prompts the user to input the current dynamic identity authentication password of the user side at the user terminal;
(3) the user inputs an application module starting password in the mobile phone token and passes the identity authentication of the mobile phone token end;
(4) the user generates a current dynamic identity authentication password of the user side through the mobile phone token and informs the user through the mobile phone;
(5) the user inputs the informed current dynamic identity authentication password of the user side through the user terminal and transmits the password to the identity authentication server to wait for identity authentication;
(6) if the current dynamic identity authentication password of the user side received by the identity authentication server is consistent with the current dynamic identity authentication password of the server side, passing the identity authentication; otherwise, the authentication is not passed.
2. The method of claim 1, wherein: when the step (2) is carried out, if a legal user finds that the own account is locked, the legal user can apply for unlocking through the mobile phone token, and the steps are as follows:
1) a user inputs a mobile phone token client application module starting password and passes the identity authentication of a mobile phone token end;
2) a user sends an 'application account unlocking request' message to an authentication server through a mobile phone token;
3) the authentication server receives the information of the 'application account unlocking request' and then verifies the validity of the information;
4) the authentication server sets a 'user state' field of the user to be in an unlocking state in a user information database, and then sends 'application account unlocking response' information to the user;
5) the mobile phone token receives the information of 'application account unlocking response' and prompts the user that the unlocking is successful.
3. The method according to claim 1 or 2, characterized in that: when the step (3) is performed, if the user finds that the dynamic identity authentication service is not started, the dynamic identity authentication service should be started, and the steps are as follows:
1) a user inputs a mobile phone token client application module starting password and passes the identity authentication of a mobile phone token end;
2) a user sends a request for opening dynamic identity authentication service to an authentication server through a mobile phone token;
3) the authentication server receives the information of 'starting dynamic identity authentication service request' and then verifies the validity of the information;
4) the authentication server marks the authentication mode of the user as a dynamic identity authentication mode in a user database, and then sends 'start dynamic identity authentication service response' information to the mobile phone token;
5) the mobile phone token receives the 'start dynamic identity authentication service response' information and prompts that the dynamic identity authentication service is started.
4. The method of claim 3, wherein: in the process of identity authentication, if a legal user finds that the legal user can not pass the authentication after passing correct operation, the user can use a mobile token to request system synchronization, and the steps are as follows:
1) a user inputs a mobile phone token client application module starting password and passes the identity authentication of a mobile phone token end;
2) a user sends information of applying for a system synchronization request to an authentication server through a mobile phone token;
3) the authentication server receives the information of applying for the system synchronization request and then verifies the validity of the information;
4) the authentication server takes out the current working password of the dynamic electronic password of the server from the user information database;
5) the authentication server generates 'application system synchronous response' information, writes the current working password of the dynamic electronic password of the server end into a 'server side information' field in the information, and then sends response information to the user;
6) after receiving the 'application system synchronous response' information, the mobile phone token extracts the current working password of the dynamic electronic password from the information, and sets the current working password value of the dynamic electronic password at the mobile phone token end to the current working password extracted from the information, thereby completing system synchronization.
5. The method of claim 4, wherein: in the process of identity authentication, if the dynamic identity authentication service is to be cancelled, the steps are as follows:
1) a user inputs a mobile phone token client application module starting password and passes the identity authentication of a mobile phone token end;
2) a user sends a request for canceling the dynamic identity authentication service to an authentication server through a mobile phone token;
3) the authentication server receives the information of canceling the dynamic identity authentication service request and then verifies the validity of the information;
4) the authentication server marks the authentication mode of the user as a fixed password identity authentication mode in a user information database, and then sends 'cancel dynamic identity authentication service response' information to the mobile phone token;
5) the mobile phone token receives the information of canceling the dynamic identity authentication service response and prompts that the dynamic identity authentication service is canceled.
6. The method of claim 5, wherein: in the process of identity authentication, if the dynamic identity authentication process is to be stopped, the steps are as follows:
1) the user inputs a preset stopping instruction of the mobile phone token, and the token system stops the authentication process;
2) the user inputs and transmits a request for stopping the dynamic identity authentication service to the identity authentication server through the user terminal;
3) after receiving the request for stopping the dynamic identity authentication service, the authentication server stops the authentication process of the server side.
7. The method of claim 6, wherein: when the step (3) is carried out, if the user finds that the mobile phone token of the user is locked, the user can unlock the mobile phone token through the mobile phone token, and the steps are as follows:
1) the user inputs a preset registration password of the mobile phone token, and the authentication is carried out through the mobile phone token;
2) the mobile phone token sets the 'user state' field in the mobile phone token to be in an unlocking state, and then informs the user of 'unlocking response' information through the mobile phone.
8. A system for implementing the method of claim 1, comprising a user terminal, a user information server, an authentication server and a mobile token; wherein,
the user terminal is used for inputting user information and is communicated with the identity authentication server through a network;
the user information server is used for storing a table set according to the identity authentication protocol, providing each user information required in the authentication process and receiving the operation of the authentication server;
the authentication server is responsible for receiving and completing a service request of a user, and is provided with an authentication server side service module, a password generation module and a communication module; the authentication server side service module is used for network transmission control, authentication system security protocol processing, information transmission encryption and decryption, user information access and dynamic password acquisition and temporary storage; the password generation module is responsible for generating a current dynamic identity authentication password of the server end and is communicated with the authentication server through a bus of the server; the communication module is responsible for sending and receiving information of the authentication server end and is an intermediary for communication between the mobile phone token and the authentication server;
the mobile phone token is a user mobile phone with a dynamic identity authentication client application module arranged in an SIM card of the mobile phone, the dynamic identity authentication client application module and a password generation module in an authentication server use the same dynamic password generation algorithm and the same current working password, and independently generate a synchronous current dynamic identity authentication password.
9. The system of claim 8, wherein: the authentication server side service module comprises a user information management module (8), a dynamic password access module (9), a protocol processing module (10), a core management module (11), an encryption module (12) and a network transmission module (13);
the user information management module (8) is responsible for completing user information management commands of the core management module (11), including establishing a new account, modifying existing account information, deleting outdated account information, locking or unlocking a user account number and controlling user access authority;
the dynamic password access module (9) is an access module of the password generation module, receives the user key information provided by the core management module (11), generates a dynamic password in the authentication process, and sends the dynamic password to the core management module (11) for temporary storage;
the protocol processing module (10) is a service processing end of a dynamic identity authentication system security protocol and is used for receiving security protocol information provided by the core management module (11) and returning a processing result to the core management module (11);
the encryption module (12) is used for completing the information encryption and decryption request of the core management module (11);
the network transmission module (13) is used for completing information transmission tasks of a server end, receiving network information and information of a communication module in the authentication server, processing an information transmission request of the core management module (11), and sending different types of information to different communication networks;
the core management module (11) is responsible for coordinating the interrelation and information transfer among the modules.
10. The system according to claim 8 or 9, characterized in that: the dynamic identity authentication client application module in the mobile token comprises a dynamic password generator (14), a memory (15), a password comparator (16) and a controller (17);
the memory (15) is used for storing a user ID, a user identity card number, a registration password Pr and an encryption key Ke, and is responsible for storing a current working password Ks for generating a current dynamic identity authentication password, a starting password of a client application module or a mobile phone token password Pt and the number Nt of times of continuously and wrongly inputting a token access password on a token; it is connected with a dynamic password generator (14), a password comparator (16) and a controller (17);
the dynamic password generator (14) is used for generating a current authentication password of the user from the current working password Ks, the authentication password corresponds to the current authentication password of the server, and the authentication password is informed to the user through an output device of the mobile phone;
the password comparator (16) is used for judging whether the mobile phone user is legal or not;
the controller (17) is used for controlling the coordination work of the modules.
CNB200310111570XA 2003-12-12 2003-12-12 A method and system for dynamic identity authentication Expired - Fee Related CN1323538C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200310111570XA CN1323538C (en) 2003-12-12 2003-12-12 A method and system for dynamic identity authentication

Publications (2)

Publication Number Publication Date
CN1547142A CN1547142A (en) 2004-11-17
CN1323538C true CN1323538C (en) 2007-06-27

Family

ID=34336197

Country Status (1)

Country Link
CN (1) CN1323538C (en)

CN107317679B (en) * 2017-06-05 2020-01-31 国政通科技股份有限公司 Method and system for preventing fraud after identity cards are lost
CN107172436B (en) * 2017-06-09 2019-11-26 国政通科技股份有限公司 A kind of method and system of ID card information transmission protection
CN107948156B (en) * 2017-11-24 2021-10-22 郑州云海信息技术有限公司 An identity-based closed key management method and system
CN108989346B (en) * 2018-08-30 2021-03-16 上海同态信息科技有限责任公司 An agile authentication access method for third-party effective identity hosting based on account concealment
TWI725352B (en) * 2018-11-05 2021-04-21 緯創資通股份有限公司 Method for authentication and authorization and authentication server using the same
CN110062383A (en) * 2019-04-24 2019-07-26 中国联合网络通信集团有限公司 A kind of authentication method, terminal, certificate server, application server
CN110602700B (en) * 2019-09-23 2023-01-17 飞天诚信科技股份有限公司 Seed key processing method and device and electronic equipment
CN111711628B (en) * 2020-06-16 2022-10-21 北京字节跳动网络技术有限公司 Network communication identity authentication method, device, system, equipment and storage medium
CN113468514A (en) * 2021-06-28 2021-10-01 深圳供电局有限公司 Multi-factor identity authentication method and system in intranet environment
CN115643031A (en) * 2022-10-26 2023-01-24 浪潮商用机器有限公司 A security password authentication method, device, equipment and storage medium
CN116743434A (en) * 2023-05-16 2023-09-12 河海大学 An industrial Internet protection system and method
CN116863611A (en) * 2023-08-10 2023-10-10 中国银行股份有限公司 Identity recognition method, device, equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5699507A (en) * 1995-01-17 1997-12-16 Lucent Technologies Inc. Method of identifying similarities in code segments
US6266525B1 (en) * 1998-12-17 2001-07-24 Lucent Technologies Inc. Method for detecting fraudulent use of a communications system
JP2001337929A (en) * 2000-05-26 2001-12-07 Nec Corp Dynamic password control system
CN1086818C (en) * 1999-04-29 2002-06-26 华中理工大学 Method for generating dynamic electronic cipher
CN1394067A (en) * 2001-07-02 2003-01-29 黄金富 Network bank pay system using telephone's incoming display as dynamic encrypting code
JP2003196238A (en) * 2001-12-26 2003-07-11 Fujitsu Ltd Password authentication device and password authentication program

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20070627

Termination date: 20111212