HK1250275A1 - Electronic identity issuing and authentication and safe payment system based on authentication device - Google Patents
- Publication number
- HK1250275A1
- Authority
- HK
- Hong Kong
- Prior art keywords
- authentication
- information
- server
- identity
- issuing
Landscapes
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
The application provides an electronic identity card issuance authentication and secure payment system based on an authentication device, including an authentication device, a management control device, an issuing server, and an electronic identity authentication server. The authentication device is arranged on the mobile terminal and used for mobile user identity authentication; it pre-stores the eID issued by the electronic identity authentication server and, according to the eID, signs the identity authentication data to be signed sent by the electronic identity authentication server to generate identity authentication signature data. The electronic identity authentication server authenticates according to the identity authentication signature data and, if the authentication is passed, sends the user identification code corresponding to the eID to the issuing server. The issuing server issues the first information to the management control device according to the user identification code, and the management control device sends the first information issued by the issuing server to the authentication device. According to the application, the number of face-to-face signings can be reduced, the convenience of information issuance can be increased, and the convenience of use can be improved.
Description
Technical Field
The application relates to the technical field of communication, in particular to an electronic identity card issuing authentication and safety payment system based on an authentication device.
Background
The U shield is a client certificate for electronic signature and digital authentication of online banking. Mobile payment can be facilitated if the information of the U-shield and electronic IDentity card (eID) can be integrated into the SIM card.
However, the conventional U shield of the bank requires real-name signing and issuing (hereinafter referred to as "face sign") in the bank, while the SIM card as a carrier requires real-name authentication and face signing in a mobile communication operator, and in order to load an electronic identity card (eID) in the SIM card, the user also needs real-name face signing, which makes the user need to take the same SIM card to multiple institutions for face signing, and the process is complicated.
At present, the issuing of the eID can be completed when the bank or the mobile operator performs the face-signing, so the process can be simplified into a scheme with two face-signings.
Fig. 1 is a schematic diagram of the two face-signings. As shown in fig. 1, a first face-signing A may be performed at a communications carrier 101. Through the first face-signing, the user completes real-name authentication of the SIM card user's mobile phone number at the communications carrier, the SIM card is issued with the user number written into it, and the eID is issued at the communications carrier at the same time; the issued eID may be written into the SIM card.
The user then needs to go to the bank 102 for a second face-signing B, through which the bank's customer certificate information (e.g., a U-shield certificate) can be issued to the SIM card 100. After the second face-signing, the user can make secure mobile payments using the U-shield built into the SIM card.
In addition, in the scheme of twice face signing, the first face signing can also be carried out in a bank, and the bank can issue the eID and the customer certificate information of the bank to the SIM card through the first face signing; the second face signing can be carried out at the communication operator, and the real-name authentication of the mobile phone number of the user is carried out through the second face signing, and the mobile phone number is signed and issued to the SIM card.
It should be noted that the above background description is only for the convenience of clear and complete description of the technical solutions of the present application and for the understanding of those skilled in the art. Such solutions are not considered to be known to the person skilled in the art merely because they have been set forth in the background section of the present application.
Disclosure of Invention
The inventor of the application finds that the process of issuing the eID and the U shield to the SIM card through two face-signings is still rather complicated, and that this complexity limits the convenience of mobile payment using the eID and U shield built into the SIM card.
The embodiments of the application provide an electronic identity card issuing authentication and secure payment system based on an authentication device. Based on the information related to the electronic identity card (eID) that is prestored in the authentication device, the system can issue first information to the authentication device by remote issuing; the number of face-signings can therefore be reduced, which increases the convenience of information issuing and, in turn, the convenience of use.
According to an aspect of the embodiments of the present application, there is provided an electronic identification card issuing authentication and secure payment system based on an authentication device, the issuing authentication and secure payment system including an authentication device, a management control device, an issuing server, and an electronic identification authentication server, wherein:
the authentication device is arranged on the mobile terminal and used for carrying out identity authentication of the mobile user, information related to an electronic identity card (eID) issued by the electronic identity authentication server is stored in the authentication device in advance, and the identity authentication data to be signed sent by the electronic identity card authentication server is signed according to the information related to the electronic identity card so as to generate identity authentication signature data;
the electronic identity card authentication server authenticates according to the identity authentication signature data and the identification information of the authentication device, and sends a user identity identification code corresponding to the electronic identity card (eID) to an issuing server under the condition that the authentication is passed;
the issuing server issues the first information to the management control device according to the user identification code;
the management control device sends the first information issued by the issuing server to the authentication device.
The beneficial effect of this application lies in: according to the embodiment of the application, the first information can be issued to the authentication device in a remote issuing mode based on the information which is prestored in the authentication device and is related to the electronic identity card (eID), so that the number of times of face signing can be reduced, the convenience of information issuing is improved, and the convenience of use is further improved.
Specific embodiments of the present application are disclosed in detail with reference to the following description and drawings, indicating the manner in which the principles of the application may be employed. It should be understood that the embodiments of the present application are not so limited in scope. The embodiments of the application include many variations, modifications and equivalents within the spirit and scope of the appended claims.
Features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments, in combination with or instead of the features of the other embodiments.
It should be emphasized that the term "comprises/comprising" when used herein, is taken to specify the presence of stated features, integers, steps or components but does not preclude the presence or addition of one or more other features, integers, steps or components.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the application, are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the principles of the application. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort. In the drawings:
FIG. 1 is a schematic diagram of the two face-signings;
fig. 2 is a schematic diagram of an issuing authentication and secure payment system according to embodiment 1 of the present application;
fig. 3 is a schematic diagram of an authentication device according to embodiment 1 of the present application;
fig. 4 is a schematic view of a management control apparatus according to embodiment 1 of the present application;
FIG. 5 is a schematic diagram of an issuing server of embodiment 1 of the present application;
fig. 6 is a schematic diagram of an electronic identity authentication server according to embodiment 1 of the present application;
fig. 7 is a schematic diagram of a process of issuing first information using the electronic identification card issuing authentication and secure payment system according to embodiment 1 of the present application;
fig. 8 is a schematic diagram of an issuance authentication and secure payment system according to embodiment 2 of the present application;
fig. 9 is a schematic diagram of a process of payment using the electronic identification card issuance authentication and secure payment system according to embodiment 2 of the present application.
Detailed Description
The foregoing and other features of the present application will become apparent from the following description, taken in conjunction with the accompanying drawings. In the description and drawings, particular embodiments of the application are disclosed in detail as being indicative of some of the embodiments in which the principles of the application may be employed, it being understood that the application is not limited to the described embodiments, but, on the contrary, is intended to cover all modifications, variations, and equivalents falling within the scope of the appended claims.
In the present application, the authentication device may be disposed in a mobile terminal, and the authentication device may be a Subscriber Identity Module (SIM) card, a chip attached to the SIM card, such as an SIM film card, or a device integrated into the mobile terminal, such as an eSIM card, having the same function as the SIM card; the function of the authentication device may be implemented by software running on the authentication device, for example, the software may be a Chip Operation System (COS). However, the present embodiment is not limited to this, and the functions of the authentication apparatus may also be implemented by hardware, or may also be implemented by hardware in combination with software, and the specific implementation manner may refer to the prior art.
In the present application, the management control device may be implemented by software, for example, the management control device may be a Software Development Kit (SDK), however, the present embodiment is not limited thereto, and the management control device may also be implemented by hardware, or implemented by hardware and software, and the specific implementation manner may refer to the prior art.
In this application, the management control device may be disposed in the mobile terminal, wherein the management control device may be disposed separately from the authentication device, or disposed in the authentication device.
In the present application, the issuing server and the electronic identity authentication server may also be implemented by software and/or hardware.
In the present application, the authentication device and the management control device may exchange Data through a plurality of Communication methods, such as bluetooth Communication, Near Field Communication (NFC), and Transport Protocol Data Unit (TPDU) Communication, or may be a Communication method of a customized unique Protocol between the authentication device and the management control device; the management control means may communicate with the issuance server via the communication module of the mobile terminal, and the communication may be performed via a wired network or a wireless network.
In this embodiment, the payment authentication data generated by the payment authentication server and sent to the management control device, and the first authentication pending data generated by the identity authentication server may be encrypted, and the encryption algorithm includes, but is not limited to, DES, 3DES, AES, RSA, SM4, and other encryption algorithms or data processing methods customized to the service.
The payment authentication data may include billing data, user account data, authentication time, a random number, etc., and may also include other fields customized by the payment authentication server. Besides verifying the digital signature of the payment authentication data, the payment authentication server 803 can apply other security or anti-attack checks: it compares the authentication time contained in the authentication data, and authentication data outside a certain time range is treated as timed out and cannot be successfully authenticated; it compares the random number contained in the authentication data, and each generated random number can be authenticated only once, to prevent replay attacks and the like. Security authentication measures adopted by other servers may also be included.
The identity authentication data to be signed may include identity attribute data, authentication time, a random number, etc., and may also include service fields defined by other identity authentication servers. Besides verifying the digital signature of the identity authentication data, the identity authentication server can apply other security or anti-attack checks: it compares the authentication time contained in the authentication data, and authentication data outside a certain time range is treated as timed out and cannot be successfully authenticated; it compares the random number contained in the authentication data, and each generated random number can be authenticated only once, to prevent replay attacks and the like. Security authentication measures adopted by other servers may also be included.
In the application, the mobile terminal may be a portable electronic device such as a functional mobile phone, a smart phone, or a tablet computer.
Example 1
The embodiment 1 of the application provides an electronic identity card issuing authentication and safety payment system based on an authentication device. Fig. 2 is a schematic diagram of the issuance authentication and secure payment system, and as shown in fig. 2, the issuance authentication and secure payment system 200 includes: an authentication device 201, a management control device 202, an issuing server 203, and an electronic identity authentication server 204.
In this embodiment, the authentication device 201 is disposed in the mobile terminal and configured to perform identity authentication of the mobile user, where information related to an electronic identity card (eID) issued by the electronic identity authentication server 204 may be stored in advance in the authentication device, and the data to be signed for identity authentication sent by the electronic identity card authentication server 204 is signed according to the information related to the electronic identity card eID to generate identity authentication signature data; the electronic identity card authentication server 204 can authenticate according to the identity authentication signature data generated by the authentication device 201 and the identification information of the authentication device 201, and send a user identity identification code corresponding to an electronic identity card (eID) to the issuing server 203 under the condition that the authentication is passed; the issuing server 203 may issue the first information to the management control apparatus 202 according to the user id code sent by the electronic id card authentication server 204; the management control device 202 may transmit the first information issued by the issuance server 203 to the authentication device 201.
According to the embodiment, the issuing authentication and secure payment system can issue the first information to the authentication device by remote issuing, based on the electronic identity card (eID) prestored in the authentication device, so that the user does not need to perform face-signing at the issuing authority of the first information; this increases the convenience of information issuing and, in turn, the convenience of use.
In this embodiment, the user may still use face-signing for the eID: at the issuing authority of the eID, the electronic identity authentication server 204 issues the eID and stores it in the authentication device 201. The issuing authority of the eID may be a bank or a communication operator.
In this embodiment, the second information may also be issued in the authentication apparatus 201 by an issuing authority of the eID, for example, the second information may be one of customer certificate information associated with a bank and telephone number information associated with a communication carrier, that is, the user may issue and store the eID and the customer certificate information (for example, the U shield) in the authentication apparatus 201 by one-time face-signing at the bank, or the user may issue and store the eID and the telephone number information in the authentication apparatus 201 by one-time face-signing at the communication carrier.
The flow of issuing the eID and the second information through a single face-signing is briefly described below.
When the second information is telephone number information, the procedure for issuing and storing the eID and the telephone number information in the authentication apparatus 201 through a single face-signing at the communication carrier is, for example, as follows: the user first opens the operator's communication service at the counter of the operator's business hall through on-site real-name authentication with an identity card, and the operator provides the user with a SIM card (authentication device) in which the telephone number has been written. After the service is opened, the user goes to the eID issuing counter or the eID issuing self-service machine (self-service terminal) at the same location, activates the eID function with the identity card, and has the eID certificate issued into the same SIM card.
When the second information is the customer certificate information associated with the bank, the process of issuing and storing the eID and the customer certificate information in the authentication device 201 through a single face-signing at the bank is as follows: the user first opens a bank account and, along with it, the U shield payment service at the counter of a bank business office with an identity card; the bank provides the user with a SIM card (authentication device), writes a bank customer certificate (such as a bank customer digital certificate) into it at the bank counter, and activates the U shield payment function. After that, the user goes to the eID issuing counter or the eID issuing self-service machine (self-service terminal) at the same location, activates the eID function with the identity card, and has the eID certificate issued into the same SIM card.
In this embodiment, the first information may be different from the second information, for example, the first information may be the other of customer certificate information associated with a bank and phone number information associated with a communication carrier, so that the user may issue the second information and the eID to the authentication apparatus 201 by one-time face-to-face signing, and remotely issue the first information to the authentication apparatus 201 by issuing the authentication and secure payment system 200, so that only one-time face-to-face signing is included in the process of issuing the eID, the first information and the second information in the authentication apparatus 201, thereby improving convenience of information issuing.
In addition, the present embodiment may not be limited to this, and for example, the authentication apparatus 201 may not store the second information.
Fig. 3 is a schematic diagram of the authentication apparatus 201 of the present embodiment, and as shown in fig. 3, the authentication apparatus 201 includes: a storage unit 2011, a verification unit 2012, a signature unit 2013, and an authentication device communication unit 2014.
In this embodiment, the storage unit 2011 is configured to store information related to the electronic identity card eID issued by the electronic identity authentication server, and, in a case where the issuing server 203 issues the first information, the storage unit 2011 may further store the first information received via the management control apparatus 202;
the verification unit 2012 may verify the authentication signature password input by the user, for example, the verification unit 2012 may compare the authentication signature password input by the user with information pre-stored in the authentication apparatus 201, and if the comparison result is that the authentication signature password and the information pre-stored in the authentication apparatus 201 are identical, the verification is successful; the signing unit 2013, when the verification unit 2012 successfully verifies the authentication signature password, signs the data to be signed for the identity authentication according to the information related to the electronic identity card eID stored in the storage unit 2011, so as to generate the signature data for the identity authentication, where the information related to the electronic identity card eID may be, for example: a private key generated in the authentication device when the authentication device is issued with an electronic identity card (eID), and the like. The principle of the signature performed by the signature unit 2013 will be described later.
The authentication device communication unit 2014 is configured to perform data interaction with the management control device 202, for example, the authentication device communication unit 2014 receives the authentication pending signature data, the authentication signature password, the first information, and the like from the management control device 202, and sends the authentication signature data, the identification information of the authentication device 201, and the like to the management control device 202.
In this embodiment, as shown in fig. 3, the authentication apparatus 201 may further include: the authentication device requesting unit 2015. In the case where the authentication device 201 receives the identity authentication pending data, the authentication device request unit 2015 may generate authentication signature request information requesting the management control device 202 to input the authentication signature password, and the authentication device communication unit 2014 may transmit the authentication signature request information to the management control device 202.
Fig. 4 is a schematic diagram of the management control apparatus 202 of the present embodiment, and as shown in fig. 4, the management control apparatus 202 may include: an issuance request unit 2021, a management control first communication unit 2022, and a management control second communication unit 2023.
The issuance request unit 2021 may generate issuance request information according to the user information, where the issuance request information is used to request the issuance server to issue the first information, for example, the management control apparatus 202 may receive the user information input by the user on the operation interface of the mobile terminal, and the issuance request unit 2021 may generate the issuance request information according to the user information;
the management control first communication unit 2022 performs data interaction with the issuing server 203, for example, the management control first communication unit 2022 transmits the issuing request information, the identification information of the authentication device and the authentication signature data to the issuing server 203, and receives the authentication pending data and the first information from the issuing server;
the management control second Communication Unit 2023 performs Data exchange with the authentication device 201, for example, the management control second Communication Unit 2023 may perform Data exchange with the authentication device Communication Unit 2014, and the management control second Communication Unit 2023 may perform Data exchange with the authentication device Communication Unit 2014 by using a plurality of Communication methods, such as bluetooth Communication, Near Field Communication (NFC), Transmission Protocol Data Unit (TPDU) Communication, and the like, or a Communication method using a customized unique Protocol between the authentication device and the management control device.
As shown in fig. 4, management control apparatus 202 may further include: an input unit 2024. The input unit 2024 can receive an authentication signature password input by the user, and the authentication signature password can be transmitted to the authentication apparatus 201 through the management control second communication unit 2023.
Fig. 5 is a schematic diagram of the issuance server of the present embodiment, in which the issuance server 203 includes: an authentication requesting unit 2031, an issuing service first communication unit 2032, a first information generating unit 2033, and an issuing service second communication unit 2034.
The identity authentication request unit 2031 extracts user information from the received signing request information, and generates identity authentication request information, where the identity authentication request information is used to request the electronic identity authentication server 204 to perform identity authentication on the user information;
the first communication unit 2032 of the issuing service performs data interaction with the electronic authentication server 204, for example, the first communication unit 2032 of the issuing service transmits the authentication request information, the identification information of the authentication device, the authentication signature data, and the like generated by the authentication request unit 2031 to the electronic authentication server 204, and the first communication unit 2032 of the issuing service receives the data to be signed of the authentication, the user identification code, and the like from the electronic authentication server 204;
in a case where the issuing server 203 receives the user id transmitted by the electronic identity authentication server 204 (i.e., the electronic identity authentication of the user is successful), the first information generating unit 2033 may generate the first information corresponding to the user id;
the issue service second communication unit 2034 performs data exchange with the management control apparatus 202, and for example, the issue service second communication unit 2034 transmits the first information generated by the first information generation unit 2033 to the management control apparatus 202, thereby issuing the first information to the management control apparatus 202.
In this embodiment, the first information may be customer certificate information associated with a bank or telephone number information associated with a communication carrier, and the issuing server 203 may be a server for issuing the customer certificate information or a server for issuing the telephone number information, in correspondence therewith. In addition, the embodiment may not be limited thereto, and the issuing server may also be used to issue other types of first information.
Fig. 6 is a schematic diagram of the electronic identity authentication server of the embodiment, and as shown in fig. 6, the electronic identity authentication server 204 includes: a pending data generation unit 2041, an authentication unit 2042, an id generation unit 2043, and an authentication service communication unit 2044.
The to-be-signed data generating unit 2041 generates identity authentication to-be-signed data according to the identity authentication request information sent by the issuing server 203;
the authentication unit 2042 performs user authentication based on the authentication signature data generated by the authentication device 201 and the identification information of the authentication device, wherein the principle of authentication performed by the authentication unit 2042 is described below;
in case that the identity authentication by the authentication unit 2042 is successful, the identity code generation unit 2043 generates a user identity code corresponding to the electronic identity card (eID);
the authentication service communication unit 2044 performs data interaction with the issuance server 203, for example, the authentication service communication unit 2044 transmits the authentication pending data, the user id, and the like to the issuance server 203.
The following briefly describes the principle of signing by the signing unit 2013 and authenticating by the authenticating unit 2042:
When an eID is issued to an authentication device, a public/private key pair can be generated inside the authentication device. During issuance the public key is exported from the authentication device in a secure environment, and the electronic identity authentication server generates the corresponding eID public-key digital certificate; the private key is not allowed to be read out of the authentication device. The eID digital certificate generated by the electronic identity authentication server is written into the authentication device at issuance and is also stored in the identity authentication server. To produce a digital signature, the data to be signed is passed into the authentication device, where the signature unit 2013 digitally signs it (namely, encrypts it) with the private key held in the authentication device; the identification information of the authentication device and the signed data are then sent to the identity authentication server. Using the identification information of the authentication device, the identity authentication server decrypts with the public key contained in the digital certificate corresponding to the eID and compares the decrypted content with the content to be signed to judge whether the signature is valid, thereby performing user identity authentication.
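The signing and verification principle above, together with the authentication-time and random-number checks the description lists for the data to be signed, as an added Go example that is not code from the patent. Ed25519, the encoding in `Bytes`, the two-minute window and every name and identifier are assumptions, and the signature is checked with a standard verify call rather than the decrypt-and-compare wording used above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

var (
	ErrPIN       = errors.New("authentication signature password rejected")
	ErrReplay    = errors.New("random number unknown or already used")
	ErrExpired   = errors.New("authentication time outside the allowed window")
	ErrSignature = errors.New("signature does not verify for this device")
)

// Challenge is the data to be signed; Bytes is an assumed canonical encoding.
type Challenge struct {
	Attr, Nonce string
	Time        time.Time
}

func (c Challenge) Bytes() []byte {
	return []byte(fmt.Sprintf("%d:%s|%d|%s", len(c.Attr), c.Attr, c.Time.Unix(), c.Nonce))
}

// Device models the authentication device; the private key never leaves it.
type Device struct {
	ID, pin string
	priv    ed25519.PrivateKey
}

// Sign uses the key only if the authentication signature password matches.
func (d *Device) Sign(pin string, c Challenge) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) != 1 {
		return nil, ErrPIN
	}
	return ed25519.Sign(d.priv, c.Bytes()), nil
}

type Server struct {
	pubKeys map[string]ed25519.PublicKey // device ID -> public key from the eID certificate
	userIDs map[string]string            // device ID -> user identification code
	pending map[string]Challenge         // random number -> challenge issued, not yet used
	maxAge  time.Duration
}

func NewServer(maxAge time.Duration) *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string]string{}, map[string]Challenge{}, maxAge}
}

// Enroll stands in for eID issuance: only the public key reaches the server.
func (s *Server) Enroll(deviceID, pin, userID string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[deviceID], s.userIDs[deviceID] = pub, userID
	return &Device{ID: deviceID, pin: pin, priv: priv}, nil
}

func (s *Server) NewChallenge(attr string, now time.Time) (Challenge, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Attr: attr, Nonce: hex.EncodeToString(b), Time: now}
	s.pending[c.Nonce] = c
	return c, nil
}

// Authenticate checks single use, freshness and the signature against the
// server's stored copy of the challenge, never data echoed back by the client.
func (s *Server) Authenticate(deviceID, nonce string, sig []byte, now time.Time) (string, error) {
	c, ok := s.pending[nonce]
	if !ok {
		return "", ErrReplay
	}
	delete(s.pending, nonce) // one attempt per random number, pass or fail
	if age := now.Sub(c.Time); age < 0 || age > s.maxAge {
		return "", ErrExpired
	}
	pub, ok := s.pubKeys[deviceID]
	if !ok || !ed25519.Verify(pub, c.Bytes(), sig) {
		return "", ErrSignature
	}
	return s.userIDs[deviceID], nil
}

func main() {
	s := NewServer(2 * time.Minute)
	dev, _ := s.Enroll("DEVICE-CONSTRUCTED-01", "482913", "UID-CONSTRUCTED-42")
	c, _ := s.NewChallenge("constructed-identity-attributes", time.Unix(1700000000, 0))
	sig, _ := dev.Sign("482913", c)
	fmt.Println(s.Authenticate(dev.ID, c.Nonce, sig, c.Time.Add(30*time.Second))) // accepted
	fmt.Println(s.Authenticate(dev.ID, c.Nonce, sig, c.Time.Add(40*time.Second))) // replay
}
```

Deleting the pending entry before the time and signature checks means a failed attempt also consumes the random number, so a captured challenge cannot be retried with different signatures.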
The following describes an example of a process of issuing the first information by the electronic identification card issuing authentication and secure payment system according to this embodiment.
Fig. 7 is a schematic diagram of a process of issuing first information using the electronic identification card issuing authentication and secure payment system of the present embodiment.
In the flow shown in Fig. 7, the first information may be client certificate information associated with a bank, and the issuing server 203 is configured to issue the client certificate information. The authentication device 201 may store in advance the eID issued by the electronic identity authentication server 204. The authentication device 201 may also store in advance telephone number information, which is the second information issued by the communications carrier. The user can have the eID and the telephone number information issued and stored in the authentication device 201 through a single face-to-face signing at the communications carrier.
As shown in fig. 7, the process includes the following steps:
1) the management control device 202 generates issuing request information and sends it to the issuing server 203; the issuing request information requests the issuing server to remotely issue first information, such as client certificate information;
2) the issuing server 203 generates identity authentication request information and submits it to the electronic identity card authentication server 204;
3) the electronic identity card authentication server 204 generates the identity authentication to-be-signed data and returns it to the issuing server 203;
4) the issuing server 203 returns the identity authentication to-be-signed data to the management control device 202;
5) the management control device 202 sends the identity authentication to-be-signed data to the authentication device 201;
6) the authentication device 201 generates authentication signature request information and sends it to the management control device 202 to request input of an authentication signature password;
7) the management control device 202 receives the authentication signature password input by the user and sends it to the authentication device 201;
8) after the authentication device 201 successfully verifies the authentication signature password, it signs the identity authentication to-be-signed data using the pre-stored eID to generate the identity authentication signature data, and sends the identity authentication signature data and the identification information of the authentication device 201 (for example, the serial number of the authentication device 201) to the management control device 202;
9) the management control device 202 submits the identity authentication signature data and the identification information of the authentication device 201 to the issuing server 203;
10) the issuing server 203 submits the identity authentication signature data and the identification information of the authentication device 201 to the electronic identity card authentication server 204;
11) the electronic identity card authentication server 204 authenticates according to the identity authentication signature data and the identification information of the authentication device 201, generates a user identification code after the authentication succeeds, and returns the user identification code to the issuing server 203;
12) the issuing server 203 receives the user identification code and remotely issues the first information to the management control device 202;
13) the management control device 202 transmits the first information to the authentication device 201.
With this embodiment, the issuing server can remotely issue the first information under the user's real name by way of the management control device and verification of the electronic identity card in the authentication device. This meets the issuing server's requirement that the first information be issued against the user's real identity, and is much more convenient for the user.
In the present embodiment, in the case where the first information and the second information are other information, the flow of issuing the first information is similar to fig. 7.
Example 2
The embodiment 2 of the application provides another electronic identity card issuing authentication and secure payment system based on an authentication device.
Fig. 8 is a schematic diagram of the issuance authentication and secure payment system of embodiment 2, and as shown in fig. 8, the issuance authentication and secure payment system 800 includes: authentication means 801, management control means 802, payment authentication server 803, and electronic identity authentication server 804.
In this embodiment, the authentication device 801 may store first information and an electronic identity card (eID), where the first information may be client certificate information associated with a bank. The authentication device 801 may sign the first identity authentication to-be-signed data sent by the electronic identity card authentication server 804 according to the electronic identity card to generate first identity authentication signature data, and may sign the payment authentication data sent by the payment authentication server 803 according to the first information to generate a payment authentication data digital signature. The electronic identity card authentication server 804 may authenticate according to the first identity authentication signature data and the identification information of the authentication device, and, if the authentication passes, send a user identification code corresponding to the electronic identity card (eID) to the payment authentication server 803. On receiving the user identification code, the payment authentication server 803 verifies the payment authentication digital signature and determines, according to the verification result, whether to allow the account associated with the first information to pay.
According to the embodiment, the payment can be safely carried out based on the electronic identity card information in the authentication device and the customer certificate information associated with the bank, and the convenience and the safety of the payment are improved.
Fig. 9 is a schematic diagram of a process of payment using the electronic identification card issuance authentication and secure payment system of the present embodiment.
As shown in fig. 9, the process includes the following steps:
1) when the user needs to make a payment, a payment request is initiated to the payment authentication server 803 through the management control device 802;
2) the payment authentication server 803 generates payment authentication data and issues an identity authentication request to the electronic identity authentication server 804;
3) the electronic identity authentication server 804 generates first identity authentication to-be-signed data and returns it to the payment authentication server 803;
4) the payment authentication server 803 returns the payment authentication data and the first identity authentication to-be-signed data to the management control device 802;
5) the management control device 802 transmits the payment authentication data and the first identity authentication to-be-signed data received from the payment authentication server 803 to the authentication device 801;
6) the authentication device 801 generates first authentication signature request information and sends it to the management control device 802 to request input of a first authentication signature password;
7) the management control device 802 receives the first authentication signature password input by the user and sends it to the authentication device 801;
8) after the authentication device 801 successfully verifies the first authentication signature password, it signs the payment authentication data using the pre-stored first information (for example, client certificate information) to generate a payment authentication data digital signature, signs the first identity authentication to-be-signed data using the pre-stored eID to generate first identity authentication signature data, and returns the payment authentication digital signature, the first identity authentication signature data and the identification information of the authentication device 801 to the management control device 802;
9) the management control device 802 sends the payment authentication digital signature, the first identity authentication signature data and the identification information of the authentication device, as returned by the authentication device, to the payment authentication server 803;
10) the payment authentication server 803 sends the first identity authentication signature data and the identification information of the authentication device to the electronic identity authentication server 804;
11) the electronic identity authentication server 804 verifies the first identity authentication signature data and the identification information of the authentication device, and returns a user identification code after the verification succeeds;
12) when the user identification code is received, the payment authentication server 803 verifies the payment authentication digital signature transmitted from the management control device 802 according to the identification information of the authentication device, and completes the payment process after the verification passes.
The verification by the payment authentication server 803 may proceed as follows: after receiving the user identification code, the server uses the identification information of the authentication device to look up the stored user identification code of the user, which was synchronized to the payment authentication server by an issuing server (for example, the electronic identity authentication server 804) and stored when the eID was issued to the authentication device. The stored user identification code is compared with the received user identification code; if they match, the user's identity passes authentication, and the public key in the payment authentication digital certificate of the corresponding user is then used to verify the payment authentication digital signature.
The payment authentication server 803 may perform the payment as follows: after the order is verified, a bank payment transaction is started for the order to be paid, the corresponding amount is deducted from the user's bank account, and the payment application is notified that the payment succeeded. For the specific process, refer to the prior art.
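The server-side checks from the signing principle described earlier and from steps 3, 8 and 10 to 12 of the Fig. 9 flow, as an added Go example that is not part of the patent text. It assumes Ed25519 as the signature scheme (the patent names none) and a single-use random challenge that is relayed back together with the signature; all type names and values (`Device`, `EIDServer`, `PayServer`, `DEV-0001`, `UID-EXAMPLE`) are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Added example: Ed25519 and single-use challenges are assumptions, not from the patent.
type Device struct { // authentication device; the private keys never leave it
	Serial, pin    string
	eidKey, payKey ed25519.PrivateKey
}
// Sign is step 8: check the signature password, then sign both inputs.
func (d *Device) Sign(pin string, challenge, order []byte) (eidSig, paySig []byte, err error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) != 1 {
		return nil, nil, errors.New("authentication signature password rejected")
	}
	return ed25519.Sign(d.eidKey, challenge), ed25519.Sign(d.payKey, order), nil
}

type EIDServer struct { // electronic identity authentication server
	certs   map[string]ed25519.PublicKey // device serial -> eID public key
	userIDs map[string]string            // device serial -> user identification code
	pending map[string]bool              // challenges issued and not yet consumed
}
// Challenge is step 3: fresh random to-be-signed data, remembered server-side.
func (s *EIDServer) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.pending[string(c)] = true
	return c
}
// Authenticate is step 11: verify against the stored key, return the user code.
func (s *EIDServer) Authenticate(serial string, challenge, sig []byte) (string, error) {
	if !s.pending[string(challenge)] {
		return "", errors.New("unknown or already used challenge")
	}
	delete(s.pending, string(challenge)) // single use, even if verification fails
	if pub, ok := s.certs[serial]; !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", errors.New("eID signature invalid")
	}
	return s.userIDs[serial], nil
}

type PayServer struct { // payment authentication server
	eid      *EIDServer
	payCerts map[string]ed25519.PublicKey // device serial -> payment certificate key
	userIDs  map[string]string            // user codes synchronized at issuance
}
// Settle is steps 10 to 12: user code comparison, then the payment signature check.
func (p *PayServer) Settle(serial string, order, challenge, eidSig, paySig []byte) error {
	uid, err := p.eid.Authenticate(serial, challenge, eidSig)
	if err != nil {
		return err
	}
	if stored, ok := p.userIDs[serial]; !ok || stored != uid {
		return errors.New("user identification code mismatch")
	}
	if pub, ok := p.payCerts[serial]; !ok || !ed25519.Verify(pub, order, paySig) {
		return errors.New("payment signature invalid")
	}
	return nil
}

// NewDemo stands in for issuance; serial, password and user code are constructed.
func NewDemo() (*Device, *PayServer) {
	eidPub, eidKey, _ := ed25519.GenerateKey(rand.Reader)
	payPub, payKey, _ := ed25519.GenerateKey(rand.Reader)
	d := &Device{"DEV-0001", "135790", eidKey, payKey}
	uid := map[string]string{d.Serial: "UID-EXAMPLE"}
	eid := &EIDServer{map[string]ed25519.PublicKey{d.Serial: eidPub}, uid, map[string]bool{}}
	return d, &PayServer{eid, map[string]ed25519.PublicKey{d.Serial: payPub}, uid}
}
func main() {
	d, p := NewDemo()
	order, c := []byte("order=constructed-1;amount=10.00"), p.eid.Challenge()
	eidSig, paySig, _ := d.Sign("135790", c, order)
	fmt.Println(p.Settle(d.Serial, order, c, eidSig, paySig), p.Settle(d.Serial, order, c, eidSig, paySig))
}
```

The second `Settle` call in `main` resubmits the same signed challenge and is rejected, which is the property that keeps a captured signature from being reused.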
In this embodiment, the authentication apparatus 801 may further include: a storage unit 2011, a verification unit 2012, a signature unit 2013, an authentication device communication unit 2014, an authentication device request unit 2015, and the like. For the function of each unit, refer to embodiment 1.
In this embodiment, management control apparatus 802 may further include: an issuance request unit 2021, a management control first communication unit 2022, a management control second communication unit 2023, an input unit 2024, and the like. For the function of each unit, refer to embodiment 1.
In this embodiment, the electronic identity authentication server 804 may further include: a data to be signed generating unit 2041, an authentication unit 2042, an identification code generating unit 2043, and an authentication service communication unit 2044. For the function of each unit, refer to embodiment 1.
Therefore, when the first information needs to be remotely issued, the authentication device 801, the management control device 802, and the electronic identity authentication server 804 of the present embodiment may constitute the electronic identity card issuing authentication and secure payment system 200 of embodiment 1 with the issuing server 203 of embodiment 1, so as to remotely issue the first information to the authentication device 801 according to the flow shown in fig. 7.
When the payment needs to be performed by using the information in the authentication device, the authentication device 801, the management control device 802, and the electronic identity authentication server 804 of this embodiment may constitute the electronic identity card issuing authentication and secure payment system 800 of embodiment 2 with the payment authentication server 803 of this embodiment 2, so as to perform secure mobile payment according to the flow shown in fig. 9.
In one embodiment, the authentication apparatus 801, the management control apparatus 802, the payment authentication server 803, and the electronic identity authentication server 804 of this embodiment may form an electronic identity card issuing authentication and security payment system with extended functions with the issuing server 203 of embodiment 1, where the extended electronic identity card issuing authentication and security payment system is capable of performing both remote issuing of the first information and secure mobile payment.
The above devices in the present application may be implemented by hardware, or may be implemented by hardware in combination with software. The present application relates to a computer-readable program which, when executed by a logic component, enables the logic component to implement the above-described apparatus or constituent components, or to implement various methods or steps described above. The present application also relates to a storage medium such as a hard disk, a magnetic disk, an optical disk, a DVD, a flash memory, or the like, for storing the above program.
The present application has been described in conjunction with specific embodiments, but it should be understood by those skilled in the art that these descriptions are intended to be illustrative, and not limiting. Various modifications and adaptations of the present application may occur to those skilled in the art based on the spirit and principles of the application and are within the scope of the application.
Claims (10)
1. An electronic ID card issuing authentication and security payment system based on an authentication device comprises the authentication device, a management control device, an issuing server and an electronic ID authentication server, wherein:
the authentication device is arranged on the mobile terminal and used for carrying out mobile user identity authentication, the authentication device is pre-stored with information related to an electronic identity card issued by an electronic identity authentication server, and the authentication device carries out signature on identity authentication to-be-signed data sent by the electronic identity card authentication server according to the information related to the electronic identity card so as to generate identity authentication signature data;
the electronic identity card authentication server authenticates according to the identity authentication signature data and the identification information of the authentication device, and sends a user identity identification code corresponding to the electronic identity card to an issuing server under the condition that the authentication is passed;
the issuing server issues first information to the management control device according to the user identification code;
the management control device sends the first information issued by the issuing server to the authentication device.
2. The issuance authentication and secure payment system of claim 1, wherein the authentication means comprises:
a storage unit that stores the electronic identification card and the first information;
a verification unit that verifies an authentication signature password input by a user;
the signature unit is used for signing the data to be signed in the identity authentication to generate the identity authentication signature data under the condition that the verification unit successfully verifies the authentication signature password;
an authentication device communication unit that receives the authentication pending data, the authentication signature password, and the first information from the management control device, and transmits the authentication signature data and identification information of the authentication device to the management control device.
3. The issuance authentication and secure payment system of claim 2, wherein the authentication device further comprises:
an authentication device request unit that generates authentication signature request information requesting the management control device to input the authentication signature password in a case where the authentication pending data is received,
and, the authentication device communication unit transmits the authentication signature request information to the management control device.
4. The issuance authentication and secure payment system according to claim 1, wherein the management control apparatus comprises:
an issuing request unit that generates issuing request information for requesting the issuing server to issue the first information, according to user information;
a management control first communication unit that transmits the issuance request information, the identification information of the authentication device, and the authentication signature data to the issuance server, and receives the authentication pending data and the first information from the issuance server;
and the management control second communication unit is used for carrying out data interaction with the authentication device.
5. The issuance authentication and secure payment system according to claim 4, wherein the management control apparatus further comprises:
an input unit for receiving the authentication signature password input by the user.
6. The issuance authentication and secure payment system of claim 1, wherein the issuance server comprises:
the identity authentication request unit extracts user information from the received signing request information and generates identity authentication request information, wherein the identity authentication request information is used for requesting the electronic identity authentication server to perform identity authentication on the user information;
an issuing service first communication unit that transmits the authentication request information, the identification information of the authentication device and the authentication signature data to the electronic authentication server, and receives the authentication pending data and the user identification code from the electronic authentication server;
a first information generating unit that generates the first information corresponding to the user id code when the user id code is received;
an issuing service second communication unit that transmits the first information to the management control apparatus to issue the first information to the management control apparatus.
7. The issuance authentication and secure payment system according to claim 1, wherein the electronic identity authentication server comprises:
the data generating unit to be signed generates the identity authentication data to be signed according to the identity authentication request information of the issuing server;
an authentication unit for performing authentication based on the identity authentication signature data and the identification information of the authentication device;
an identification code generating unit which generates a user identification code corresponding to the electronic identification card when the authentication by the authentication unit is successful;
and the authentication service communication unit is used for carrying out data interaction with the issuing server.
8. The issuance authentication and secure payment system of claim 1,
the authentication device also stores second information in advance, wherein,
the first information is one of customer certificate information associated with a bank and telephone number information associated with a communications carrier,
the second information is the other of the client certificate information and the phone number information.
9. The issuance authentication and secure payment system of claim 8,
the issuing server is a server for issuing the client certificate information,
or the issuing server is a server for issuing the telephone number information.
10. The issuance authentication and secure payment system according to claim 1, wherein the issuance authentication and secure payment system further has a payment authentication server, the first information is customer certificate information associated with a bank,
the authentication device signs the first identity authentication data to be signed sent by the electronic identity card authentication server according to the electronic identity card to generate first identity authentication signature data, and the authentication device signs the payment authentication data sent by the payment authentication server according to the first information to generate a payment authentication data digital signature;
the electronic identity card authentication server authenticates according to the first identity authentication signature data and the identification information of the authentication device, and sends a user identity identification code corresponding to the electronic identity card to the payment authentication server under the condition that the authentication is passed;
and the payment authentication server verifies the payment authentication digital signature under the condition of receiving the user identification code, and determines whether to allow the account associated with the first information to pay or not according to a verification result.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| HK18109686.0A HK1250275A1 (en) | 2018-07-26 | 2018-07-26 | Electronic identity issuing and authentication and safe payment system based on authentication device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| HK1250275A1 (en) | 2018-12-07 |