HK1230361A - Method and device for authenticating user, and method and device for registering wearable device - Google Patents
Method and device for authenticating user, and method and device for registering wearable device Download PDFInfo
- Publication number
- HK1230361A HK1230361A HK17103727.5A HK17103727A HK1230361A HK 1230361 A HK1230361 A HK 1230361A HK 17103727 A HK17103727 A HK 17103727A HK 1230361 A HK1230361 A HK 1230361A
- Authority
- HK
- Hong Kong
- Prior art keywords
- user
- server
- authentication
- terminal
- key
- Prior art date
Links
Description
Technical Field
The present application relates to the field of internet technologies, and in particular, to a method and an apparatus for authenticating a user and a method and an apparatus for registering a wearable device.
Background
With the rapid development of internet technology, users increasingly utilize networks to complete various activities, such as office work, entertainment, shopping, financing, and the like. Users typically obtain these services from multiple service providers, and the users register with the servers of the respective service providers, and each time they obtain a service, they need to provide an account number and a password to the servers, so that the servers authenticate the users and provide the corresponding services.
For security reasons, users should try to avoid using the same account number and password at multiple service providers. As the number of services that users wish to obtain increases, remembering the account number and corresponding password at each service provider becomes an increasingly heavy burden for users. Meanwhile, as network services increasingly spread to the aspects of life, users always need to input accounts and passwords to complete authentication, operation is complex, and efficiency of obtaining network services is reduced.
Disclosure of Invention
In view of this, the present application provides a method for authenticating a user, which is applied to a server, where the server stores a correspondence between a user identifier of the user, a wearable device identifier, and a server authentication key, and the method includes:
receiving an authentication request sent by a user through a terminal, wherein the authentication request carries a user identifier and/or a wearable device identifier of the user;
acquiring downlink authentication information, and issuing a detection instruction carrying the downlink authentication information and the wearable equipment identifier of the user to a terminal;
receiving a detection response carrying uplink authentication information returned by the terminal, wherein the uplink authentication information is generated by the wearable equipment specified in the detection instruction according to an equipment authentication key and the downlink authentication information, and the equipment authentication key is the same as or corresponds to the server authentication key;
and matching the downlink authentication information and the uplink authentication information by using the server authentication key of the user, wherein if the matching is successful, the user passes the authentication.
The application provides a method for authenticating a user, which is applied to a terminal accessed to a wearable device of the user, and comprises the following steps:
sending an authentication request to a server according to the operation of a user, wherein the authentication request carries the user identification and/or the wearable equipment identification of the user;
receiving a detection instruction of a server, wherein the detection instruction carries downlink authentication information and a wearable device identifier;
sending downlink authentication information to the wearable equipment specified in the detection instruction, and receiving uplink authentication information returned by the wearable equipment; the uplink authentication information is generated by the wearable device according to a stored device authentication key and downlink authentication information, and the device authentication key is the same as or corresponds to a server authentication key stored in a server;
sending a detection response carrying the uplink authentication information to a server;
and receiving a user authentication result determined by the server according to the uplink authentication information, the downlink authentication information and the server authentication key.
The application provides a method for registering wearable equipment, which is applied to a server and comprises the following steps:
receiving a wearable device registration request sent by a user through a terminal, wherein the registration request carries a user identifier and a wearable device identifier of the user;
acquiring a server authentication key and an equipment authentication key of the user, and issuing a write-in instruction carrying the equipment authentication key and a wearable equipment identifier of the user to a terminal;
and receiving a write-in response returned by the terminal, and if the write-in response indicates that the equipment authentication key is successfully stored in the wearable equipment specified in the write-in instruction, storing the corresponding relation among the user identifier of the user, the wearable equipment identifier and the server authentication key.
The application provides a method for registering wearable equipment, which is applied to a terminal and comprises the following steps:
sending a wearable device registration request to a server according to the operation of a user, wherein the registration request carries a user identifier and a wearable device identifier of the user;
receiving a write-in instruction of a server, wherein the write-in instruction carries an equipment authentication key and a wearable equipment identifier of the user;
performing an operation of writing the device authentication key to the wearable device specified in the write instruction;
and sending a write-in response to the server, wherein the write-in response carries a message of whether the write-in equipment authentication key succeeds or not.
The application also provides a device for authenticating the user, which is applied to the server, the server stores the corresponding relation between the user identification of the user, the wearable device identification and the server authentication key, and the device comprises:
the authentication request receiving unit is used for receiving an authentication request sent by a user through a terminal, wherein the authentication request carries a user identifier and/or a wearable device identifier of the user;
the detection instruction issuing unit is used for acquiring downlink authentication information and issuing a detection instruction carrying the downlink authentication information and the wearable equipment identifier of the user to a terminal;
the detection response receiving unit is used for receiving a detection response which is returned by the terminal and carries uplink authentication information, the uplink authentication information is generated by the wearable equipment specified in the detection instruction according to an equipment authentication key and downlink authentication information, and the equipment authentication key is the same as or corresponds to the server authentication key;
and the matching unit is used for matching the downlink authentication information and the uplink authentication information by using the server authentication key of the user, and the user passes the authentication if the matching is successful.
The application provides a device of authentication user, uses on the terminal that inserts the wearable equipment of user, the device includes:
the authentication request sending unit is used for sending an authentication request to a server according to the operation of a user, wherein the authentication request carries the user identification and/or the wearable equipment identification of the user;
the system comprises a detection instruction receiving unit, a processing unit and a processing unit, wherein the detection instruction receiving unit is used for receiving a detection instruction of a server, and the detection instruction carries downlink authentication information and a wearable device identifier;
an uplink authentication information unit, configured to send downlink authentication information to the wearable device specified in the detection instruction, and receive uplink authentication information returned by the wearable device; the uplink authentication information is generated by the wearable device according to a stored device authentication key and downlink authentication information, and the device authentication key is the same as or corresponds to a server authentication key stored in a server;
a detection response sending unit, configured to send a detection response carrying the uplink authentication information to the server;
and the authentication result receiving unit is used for receiving the user authentication result determined by the server according to the uplink authentication information, the downlink authentication information and the server authentication key.
The application provides a device of registering wearable equipment, uses on the server, includes:
a registration request receiving unit, configured to receive a wearable device registration request sent by a user through a terminal, where the registration request carries a user identifier and a wearable device identifier of the user;
the write-in instruction issuing unit is used for acquiring a server authentication key and an equipment authentication key of the user and issuing a write-in instruction carrying the equipment authentication key and the wearable equipment identifier of the user to a terminal;
and the write response receiving unit is used for receiving a write response returned by the terminal, and if the write response indicates that the equipment authentication key is successfully stored in the wearable equipment specified in the write instruction, the corresponding relation among the user identifier of the user, the wearable equipment identifier and the server authentication key is stored.
The application provides a register wearable equipment's device uses on the terminal, includes:
a registration request sending unit, configured to send a wearable device registration request to a server according to an operation of a user, where the registration request carries a user identifier and a wearable device identifier of the user;
a write instruction receiving unit, configured to receive a write instruction of a server, where the write instruction carries an equipment authentication key and a wearable equipment identifier of the user;
a write operation execution unit configured to execute an operation of writing the device authentication key to the wearable device specified in the write instruction;
and the writing response sending unit is used for sending a writing response to the server, wherein the writing response carries a message of whether the writing equipment authentication key succeeds or not.
The application provides a payment method, comprising the following steps:
receiving a payment request sent by a user through a payment client, wherein the payment request carries a user identifier and/or a wearable device identifier of the user;
acquiring downlink authentication information, and issuing an authentication instruction comprising the downlink authentication information and a wearable device identifier to a payment client;
receiving authentication response information which is returned by the payment client and carries uplink authentication information, wherein the uplink authentication information is generated by wearable equipment specified in an authentication instruction according to an equipment authentication key and downlink authentication information, and the equipment authentication key is the same as or corresponds to a server authentication key;
and matching the downlink authentication information and the uplink authentication information by using the server authentication key of the user, and if the matching is successful, the user passes the authentication and performs the payment operation after the authentication passes.
The application provides a payment method, which comprises the following steps:
responding to a payment operation of a user on a payment client, and sending a payment request to a server, wherein the payment request carries a user identifier and/or a wearable device identifier of the user;
receiving an authentication instruction which is sent by a server and comprises downlink authentication information and a wearable device identifier, and sending the downlink authentication information to the wearable device so that the wearable device generates uplink authentication information by using a device authentication key and the downlink authentication information which are stored by the wearable device;
and receiving uplink authentication information returned by the wearable device, and sending the uplink authentication information to the server so that the server authenticates the user according to the uplink authentication information and performs payment operation after the authentication is passed.
The application provides a payment method of wearable equipment, which comprises the following steps:
receiving payment authentication information sent by a payment client, wherein the payment authentication information comprises downlink authentication information issued by a server based on a payment request of a user sent by the payment client;
and generating uplink authentication information according to the stored equipment authentication key and the downlink authentication information, and sending the uplink authentication information to the payment client so that the payment client sends the uplink authentication information to the server, so that the server can authenticate the user based on the uplink authentication information and perform payment operation after the authentication is passed.
The application provides a payment device, including:
the payment request receiving unit is used for receiving a payment request sent by a user through a payment client, wherein the payment request carries a user identifier and/or a wearable device identifier of the user;
the authentication instruction issuing unit is used for acquiring downlink authentication information and issuing an authentication instruction comprising the downlink authentication information and the wearable equipment identifier to the payment client;
the authentication response receiving unit is used for receiving authentication response information which is returned by the payment client and carries uplink authentication information, the uplink authentication information is generated by the wearable equipment specified in the authentication instruction according to an equipment authentication key and downlink authentication information, and the equipment authentication key is the same as or corresponds to the server authentication key;
and the payment matching unit is used for matching the downlink authentication information and the uplink authentication information by using the server authentication key of the user, and if the matching is successful, the user passes the authentication and performs payment operation after the authentication passes.
The application provides a payment device includes:
the payment request sending unit is used for responding to payment operation of a user on a payment client and sending a payment request to the server, wherein the payment request carries a user identifier and/or a wearable device identifier of the user;
the authentication instruction receiving unit is used for receiving an authentication instruction which is issued by the server and comprises downlink authentication information and a wearable device identifier, and sending the downlink authentication information to the wearable device so that the wearable device can generate uplink authentication information by using a device authentication key and the downlink authentication information which are stored by the wearable device;
and the authentication response sending unit is used for receiving the uplink authentication information returned by the wearable device and sending the uplink authentication information to the server so that the server authenticates the user according to the uplink authentication information and performs payment operation after the authentication is passed.
The application also provides a payment device of wearable equipment, includes:
the payment authentication information receiving unit is used for receiving payment authentication information sent by a payment client, wherein the payment authentication information comprises downlink authentication information issued by a server based on a payment request of a user sent by the payment client;
and the uplink authentication information generating unit is used for generating uplink authentication information according to the stored equipment authentication key and the downlink authentication information, and sending the uplink authentication information to the payment client so that the payment client sends the uplink authentication information to the server, so that the server can authenticate the user based on the uplink authentication information and perform payment operation after the authentication is passed.
According to the technical scheme, the server authentication key and the equipment authentication key are arranged on the server and the wearable equipment, the server authenticates the designated wearable equipment by utilizing the arranged server authentication key and the arranged equipment authentication key through interaction with the terminal, so that authentication of a user corresponding to the wearable equipment is completed, the user does not need to remember an account number and a password, the account number and the password do not need to be input in the authentication process, the burden of the user is reduced, and the efficiency of the user for acquiring network service is improved.
Drawings
FIG. 1 is a network architecture diagram of an application scenario of the present application;
FIG. 2 is a flowchart of a method applied to a server for authenticating a user in an embodiment of the present application;
fig. 3 is a flowchart of a method applied to a terminal for authenticating a user in an embodiment of the present application;
fig. 4 is a flowchart of a method for registering a wearable device applied to a server in an embodiment of the present application;
fig. 5 is a flowchart of a method for registering a wearable device applied to a terminal in an embodiment of the present application;
FIG. 6 is a hardware block diagram of a server, wearable device or terminal;
FIG. 7 is a logic structure diagram of a device for authenticating a user applied to a server in an embodiment of the present application;
FIG. 8 is a logic structure diagram of an apparatus for authenticating a user applied to a terminal in an embodiment of the present application;
fig. 9 is a logic structure diagram of an apparatus for registering a wearable device applied to a server in an embodiment of the present application;
fig. 10 is a logic structure diagram of an apparatus applied to register a wearable device on a terminal in an embodiment of the present application.
Detailed Description
Wearable devices are portable devices that can be worn on the body by a user, or integrated into a user's clothing or accessories, such as bracelets, smart watches, smart sports shoes, smart clothing, smart glasses, smart helmets, smart rings, and the like. The wearable device has partial calculation function, can be connected to terminals such as smart phones, tablet computers and personal computers through hardware interfaces or wireless local area networks, and realizes various functions through data exchange with the terminals.
Wearable devices are usually dedicated to a user, and some wearable devices are worn on the user at any time and any place, and to a certain extent, such wearable devices represent the user. The embodiment of the application provides a method for authenticating a user, which authenticates the user by using the storage and calculation functions of wearable equipment, and does not need the user to memorize and frequently input an account number and a password, so that the problems in the prior art are solved.
A network environment applied in the embodiment of the present application is as shown in fig. 1, where the wearable device is accessed to the terminal through a hardware interface or a Wireless local area network, the hardware interface may be an audio interface, a USB (universal serial Bus) interface, and the like, the Wireless local area network may be a Bluetooth (Bluetooth), a Wi-Fi (Wireless-Fidelity), a ZigBee (ZigBee protocol), and the like, and the terminal may be a smart phone, a tablet computer, a personal computer, and the like. The terminal communicates with the server via a communication network, such as the internet and/or a mobile communication network, on which the user sends access to the server, which authenticates the user. In the embodiment of the application, the type of the terminal, the hardware interface or the wireless local area network protocol of the wearable device access terminal, the protocol and the networking structure of the communication network, and the specific implementation mode of the server are not limited.
In one embodiment of the present application, the flow of the method for authenticating a user on a server is shown in fig. 2, and the flow on a terminal is shown in fig. 3.
In this embodiment, the server stores the corresponding relationship between the user identifier of the user, the wearable device identifier, and the server authentication key. The user identifier is a unique identity which is different from other users for a certain user to the server, such as a user name, a registered mailbox and the like; if the user is bound to the Mobile terminal, the user may also be a number, an IMEI (International Mobile equipment identity), and the like of the bound Mobile terminal. The wearable device identifier is used to uniquely represent the wearable device, and may be a hardware address of the wearable device, such as a Media Access Control (MAC) address, depending on the specific device type and the wireless local area network protocol used. The server authentication key is stored on the server, and is identical to or corresponds to the device authentication key stored on the wearable device, according to an encryption algorithm using the server authentication key. The wearable device identification and the server authentication key stored on the server correspond to each other, and if a user can have more than one wearable device for authentication, one user identification may correspond to two or more wearable device identifications and server authentication keys. It should be noted that the corresponding relationship between the user identifier, the wearable device identifier, and the server authentication key may be stored locally in the server, or may be stored in another storage device accessible by the server, such as a disk array of a storage area network or a cloud storage network, which is not limited in this embodiment.
On the terminal, step 310, an authentication request is sent to the server according to the operation of the user, where the authentication request carries the user identifier and/or the wearable device identifier of the user.
At the server, an authentication request sent by the user through the terminal is received, step 210.
When a user requests a service (such as login, personal account access, payment and the like) needing identity authentication from a server on a terminal, the server requests related information needed by the user to the terminal. The terminal sends an authentication request to the server, and the authentication request carries the user identification of the user, or the wearable device identification of the user, or the user identification and the wearable device identification of the user.
After the server receives the authentication request of the terminal, the server can determine which user requests authentication through the user identification and/or the wearable device identification in the authentication request.
On the server, step 220, downlink authentication information is acquired, and a detection instruction carrying the downlink authentication information and the wearable device identifier of the user is issued to the terminal.
The downlink authentication information may be a piece of authentication data, or may be a ciphertext obtained by encrypting the authentication data using a server authentication key stored in the server. The server may obtain the authentication data in any manner, such as randomly generating, or intercepting a certain number of bytes from a certain file or picture; the server can generate authentication data locally and can also obtain the authentication data from other servers; this embodiment is not limited to this.
After receiving an authentication request of a terminal, a server extracts a user identifier and/or a wearable device identifier in the authentication request, searches whether the identifier is included in a corresponding relation among the stored user identifier, the wearable device identifier and a server authentication key, and rejects the authentication request of the terminal if the identifier is not included or the user identifier and the wearable device identifier in the authentication request do not belong to the same user; otherwise, the server acquires authentication data, and for downlink authentication information of a plaintext, the server encapsulates the authentication data and the wearable equipment identifier of the user in a detection instruction and sends the detection instruction to the terminal; and for the downlink authentication information of the ciphertext, the server encrypts authentication data by using a server authentication key corresponding to the user identifier or the wearable device identifier in the authentication request to generate downlink authentication information, encapsulates the downlink authentication information and the wearable device identifier of the user in a detection instruction, and issues the downlink authentication information and the wearable device identifier of the user to the terminal.
On the terminal, step 320, a detection instruction of the server is received, where the detection instruction carries downlink authentication information and a wearable device identifier.
On the terminal, step 330, sending the downlink authentication information to the wearable device specified in the detection instruction, and receiving the uplink authentication information returned by the wearable device; and the uplink authentication information is generated by the wearable device according to the stored device authentication key and the downlink authentication information.
The terminal receives the detection instruction of the server, extracts the wearable equipment identification and the downlink authentication information from the detection instruction, and sends the downlink authentication information to the wearable equipment (namely, the wearable equipment with the wearable equipment identification in the detection instruction) specified in the detection instruction. If the wearable device specified in the detection instruction has not been accessed to the terminal, the terminal needs to complete the connection with the wearable device according to the wireless local area network protocol supported by the wearable device.
As described above, the wearable device designated by the server stores the device authentication key that is the same as or corresponds to the server authentication key. After the wearable device receives the downlink authentication information, encrypting the downlink authentication information of the plaintext by using the device authentication key by the wearable device to generate uplink authentication information of a ciphertext; and for the downlink authentication information of the ciphertext, the wearable equipment decrypts the downlink authentication information by using the equipment authentication key to generate the uplink authentication information of the plaintext. The plaintext downstream authentication information corresponds to the ciphertext upstream authentication information, and the ciphertext downstream authentication information corresponds to the plaintext upstream authentication information. And the wearable equipment returns the uplink authentication information to the terminal.
On the terminal, step 340, sending a detection response carrying the uplink authentication information to the server.
And after receiving the uplink authentication information returned by the wearable equipment, the terminal encapsulates the uplink authentication information in a detection response and sends the detection response to the server. The detection response usually also carries the wearable device identifier.
On the server, step 230, a detection response carrying the uplink authentication information returned by the terminal is received.
On the server, step 240, the server authentication key of the user is used to match the downlink authentication information and the uplink authentication information, and if the matching is successful, the user passes the authentication.
And the server receives the detection response returned by the terminal, extracts the uplink authentication information from the detection response, and judges whether the uplink authentication information is matched with the downlink authentication information by using the server authentication key of the user so as to determine the authentication result of the user. Specifically, for the uplink authentication information of the plaintext, the uplink authentication information may be compared with authentication data used to generate a ciphertext, or the uplink authentication information is encrypted by a server authentication key and then compared with the downlink authentication information, if the uplink authentication information is the same as the downlink authentication information, the user passes the authentication, otherwise, the authentication fails; and comparing the decrypted uplink authentication information of the ciphertext with the downlink authentication information by using a server authentication key, if the decrypted uplink authentication information is the same as the downlink authentication information, the user passes the authentication, and otherwise, the authentication fails.
And the server returns the authentication result of whether the user passes the authentication to the terminal.
On the terminal, step 350, receiving a user authentication result determined by the server according to the uplink authentication information, the downlink authentication information and the server authentication key.
In the embodiment, the same or corresponding server authentication key and device authentication key are arranged on the server and the wearable device, the server authenticates the designated wearable device by using the device authentication key stored on the wearable device and the server authentication key stored on the server through interaction with the terminal, so that authentication of a user corresponding to the wearable device is completed, the user does not need to remember an account number and a password, and input the account number and the password in the authentication process, the burden of the user is reduced, and the efficiency of the user for acquiring network service is improved.
In one implementation, a user public key of a user may be stored in a server, a user private key of the user may be stored in a terminal, different user identifications use different user public keys and different user private keys, and the user public key and the user private key are a pair of keys in asymmetric encryption. The user public key stored on the server corresponds to the user identification, the wearable device identification and the server authentication key of the user. In this implementation manner, the terminal signs data (including uplink authentication information, and may also include other data such as wearable device identifier, user identifier, and the like) carried in the detection response with the stored user private key, and sends the signed detection response to the server; the server uses the user public key of the user to perform signature verification on the detection response, if the detection response passes the verification, step 240 is executed to perform matching of the uplink authentication information and the downlink authentication information, and if the detection response fails the signature verification, the server notifies the terminal that the authentication fails. This implementation requires that a terminal accessed by a user performs authentication using a wearable device should store the user private key of the user, which can achieve better security.
In addition, the terminal identifier may be added to a correspondence relationship between the user identifier of the user, the wearable device identifier, and the server authentication key stored in the server, so as to restrict the terminal that can perform user authentication through the accessed wearable device. In this case, the server stores the corresponding relationship between the user identifier of the user, the wearable device identifier, the server authentication key and the terminal identifier; the terminal carries the terminal identification of the terminal in the authentication request sent to the server; after receiving the authentication request, the server searches the stored corresponding relationship for the terminal identifier corresponding to the user identifier or the wearable device identifier in the authentication request, compares the terminal identifier with the terminal identifier sending the authentication request, if the terminal identifier is the same as the user identifier or the wearable device identifier in the authentication request, the step 220 is executed to continue the authentication process, and if the terminal identifier is different from the terminal identifier in the authentication request, the authentication request of the terminal is rejected, and the user authentication fails. This implementation amounts to binding the wearable device and the terminal that can authenticate the user through the wearable device; since the terminal (especially the mobile terminal) is usually also dedicated to one user, binding the wearable device and the terminal can greatly increase the security of user authentication.
The authentication process in this embodiment is applicable to any scenario where the user identity needs to be authenticated, such as user identity authentication during login, identity authentication when the user accesses a personal account, identity authentication when the user pays through a third-party payment platform, and the like. After the user passes the authentication, the server can provide subsequent services in the scene, and the terminal executes subsequent operations in the scene, for example, when the terminal is used for identity authentication in a payment scene, the authentication request sent by the terminal to the payment server is a payment request; after the user is authenticated, the payment server may provide a payment service to the authenticated user; and after receiving the authentication result that the server user passes the authentication, the terminal can cooperate with the payment server to complete the payment operation of the user.
In this embodiment, the correspondence between the user identifier of the user, the wearable device identifier, and the server authentication key may be preset on the server, and the corresponding device authentication key may be preset on the wearable device; before the authentication process, the correspondence relationship may be generated on a server through a registration process, and a device authentication key may be written in the wearable device.
Another embodiment of the present application provides a method for registering a wearable device, where the flow of the method on a server is shown in fig. 4, and the flow on a terminal is shown in fig. 5.
On the terminal, step 510, a wearable device registration request is sent to a server according to a user operation.
On the server, step 410, a wearable device registration request sent by a user through a terminal is received.
The user registers the wearable device on the terminal to the server, the terminal sends a wearable device registration request to the server according to the operation of the user, and the registration request comprises the user identification and the wearable device identification of the user.
On the server, step 420, a server authentication key and an equipment authentication key of the user are obtained, and a write-in instruction carrying the equipment authentication key and the wearable equipment identifier of the user is issued to the terminal.
After receiving a wearable device registration request of a terminal, according to an encryption algorithm adopted by uplink authentication information or downlink authentication information in an authentication process, a server acquires a server authentication key and a device authentication key which are used for the encryption algorithm and correspond to a wearable device identifier. The server authentication key and the device authentication key may be one key (e.g., a key of a symmetric encryption algorithm) or may be a pair of keys (e.g., a public key and a private key of an asymmetric encryption algorithm). The server may generate itself or may obtain the server authentication key and the device authentication key from other servers.
And the server encapsulates the acquired equipment authentication key and the corresponding wearable equipment identification in a write-in instruction and sends the write-in instruction to the terminal.
On the terminal, step 520, a write instruction of the server is received, where the write instruction carries the device authentication key and the wearable device identifier of the user.
On the terminal, step 530, the operation of writing the device authentication key is performed on the wearable device specified in the write instruction.
And after the terminal receives the write-in instruction of the server, the terminal sends the equipment authentication key in the write-in instruction to the wearable equipment and requests the wearable equipment to store the equipment authentication key. According to the difference of the wearable device and the difference of the set authority, the wearable device may need the user to confirm the write operation before completing the storage of the device authentication key. For example, with a hand ring, the user typically needs to tap to confirm.
On the terminal, step 540, a write response is sent to the server, and the write response carries a message indicating whether the write device authentication key is successful. And after the terminal finishes the writing operation with the wearable device, packaging the message of whether the writing is successful in the writing response, and sending the message to the server.
On the server, step 430, receiving a write-in response returned by the terminal, and if the write-in response indicates that the device authentication key has been successfully stored in the wearable device specified in the write-in instruction, storing a correspondence between the user identifier of the user, the wearable device identifier, and the server authentication key, and the wearable device being successfully registered; and if the message carried in the write response is that the equipment authentication key is not successfully written, the registration process fails. And the server sends the registration result to the terminal.
The server may require the terminal to provide the user's password to increase the security of wearable device registration. Specifically, the server receives a write-in response of the terminal, and if the message carried in the write-in response is that the equipment authentication key is successfully stored in the wearable equipment, a password confirmation request is issued to the terminal to request the terminal to provide a password of the user identifier corresponding to the wearable equipment identifier; the terminal receives the password confirmation request of the server, and returns the user password input by the user to the server by carrying the user password in the password confirmation response; receiving a password confirmation response carrying a user password by the terminal on the server, if the user password is correct, storing the corresponding relation of the user identification of the user, the wearable equipment identification and the server authentication key, and successfully registering the wearable equipment; and if the user password is wrong, rejecting the registration request of the terminal, and failing to register. And the server sends the registration result to the terminal.
In one implementation, the user public key and the user private key of the user may be automatically generated during the registration process. Specifically, after the operation that the terminal writes the device authentication key into the wearable device is successful, the terminal generates a user private key and a user public key of the user according to a certain algorithm, locally stores the generated user private key, encapsulates the user public key in a write-in response, and sends the write-in response to the server; and after the terminal successfully writes the equipment authentication key into the wearable equipment or verifies that the user password is correct, the server stores the corresponding relation among the user identifier of the user, the wearable equipment identifier, the server authentication key and the user public key.
In some application scenarios, a server public key and a server private key are preset on a server, and a terminal private key and a terminal public key are preset on a terminal, wherein the server public key and the terminal private key are a pair of keys, and the server private key and the terminal public key are a pair of keys. In these scenarios, the server in the authentication method embodiment may sign the detection instruction with the stored server private key, and send the signed detection instruction to the terminal; and the terminal performs signature verification on the received detection instruction by using the stored terminal public key, and if the verification fails, the detection instruction is rejected, and the authentication fails. In the embodiment of the registration method, the server can sign the write-in command by using a stored server private key and send the signed write-in command to the terminal; and the terminal performs signature verification on the received write-in command by using the stored terminal public key, and if the verification fails, the write-in command is rejected, and the registration fails. The terminal can sign the write-in response by using the stored terminal private key and send the signed write-in response to the server; and the server performs signature verification on the received write response by using the stored server public key, and rejects the registration request of the terminal if the verification fails.
The server and the terminal can communicate through an encrypted channel to further improve the security of wearable device registration and user authentication. For example, the detection command and the detection response in the authentication method embodiment, and the write command and the write response in the registration method embodiment may be transmitted in an encrypted channel. For the implementation of the encryption channel and the encryption method adopted, please refer to the prior art, and further description is omitted.
In one embodiment of the application, a payment client running on a terminal authenticates the identity of a user during a payment process by using a wearable device of an access terminal. The specific flow of this embodiment is as follows:
receiving, at a wearable device, a payment binding request of a payment client, where the payment binding request includes a device authentication key of the wearable device. The wearable device responds to a payment binding request issued by a user through a payment client, and stores a device authentication key carried in the payment binding request in a local memory;
when a user carries out payment operation on a payment client, selecting wearable equipment to carry out payment, triggering the payment client to respond to the user operation, and sending a payment request to a server, wherein the payment request carries a user identifier and/or a wearable equipment identifier of the user;
the method comprises the steps that after a server receives a payment request sent by a user through a payment client, downlink authentication information is obtained, and an authentication instruction comprising the downlink authentication information and a wearable device identifier is issued to the payment client;
the payment client receives an authentication instruction issued by the server and sends the downlink authentication information in payment authentication information to the wearable equipment specified in the authentication instruction;
the wearable device receives payment authentication information sent by a payment client, and extracts downlink authentication information issued by a server based on a payment request of a user sent by the payment client from the payment authentication information; generating uplink authentication information according to the stored equipment authentication key and the downlink authentication information, and sending the uplink authentication information to the payment client;
the payment client receives uplink authentication information returned by the wearable device and sends the uplink authentication information to the server in authentication response information;
the server receives authentication response information which is returned by the payment client and carries uplink authentication information, a server authentication key of the user is used for matching the downlink authentication information and the uplink authentication information, if the matching is successful, the user passes the authentication, and payment operation is carried out after the authentication is passed; the server authentication key of the user is the same as or corresponds to the device authentication key of the wearable device specified in the authentication instruction.
In the embodiment, the same or corresponding server authentication key and device authentication key are arranged on the server and the wearable device, and the wearable device is authenticated by using the device authentication key and the server authentication key, so that the payment authentication of the user corresponding to the wearable device is completed, the user can pay by using the wearable device on the payment client, the account and the password do not need to be memorized, the account and the password do not need to be input in the authentication process, the burden of the user is reduced, and the payment efficiency is improved.
In an application example of the application, after a user registers a bracelet in a payment server through a client App (application program) running on a mobile phone terminal, network payment can be completed through the bracelet without inputting an account number and a password. Paired server public keys and terminal private keys, and paired server private keys and terminal public keys are preset on the payment server and the client App. The payment server can run a server of a server program corresponding to the client App, and can also be a server of a third-party payment platform supporting the client App. The specific process is as follows:
the user sends a wearable device registration request to a payment server through a client App (application program) running on a mobile phone terminal, applies for opening bracelet payment, and uploads a user identifier (an account number of the user in the payment server), a mobile phone terminal identifier (IMEI) and a bracelet identifier (a bracelet MAC address) to the server in the registration request.
The payment server generates a symmetric key (namely the same server authentication key and equipment authentication key) for authenticating the bracelet through a preset algorithm, signs the symmetric key, the user identifier and the bracelet identifier through a preset server private key, encapsulates the signed symmetric key, the user identifier and the bracelet identifier in a write-in instruction, and sends the signed symmetric key, the user identifier and the bracelet identifier to the client through an encryption channel between the payment server and the client.
After receiving the write-in command of the server, the client firstly verifies the legality of the data in the write-in command according to a preset terminal public key, and directly refuses the write-in command if the data is not legal. After passing the validity verification, the client connects with the designated bracelet in the write-in instruction, and writes the symmetric key issued by the payment server into the bracelet after the connection is successful. The user need strike the bracelet and come to confirm writing operation in the in-process that the symmetric key wrote into the bracelet, and after the user struck the bracelet, the symmetric key wrote into the memory area of bracelet.
And after the write-in operation is successful, the client generates a pair of asymmetric keys, namely a user public key and a user private key corresponding to the user identifier according to the user identifier. And the client signs the result of whether the write-in operation is successful, the bracelet identification and the generated user public key through a preset terminal private key, encapsulates the signed information in a write-in response, and sends the write-in response to the payment server through an encryption channel. The user private key is stored locally by the client.
After receiving the write-in response of the client, the payment server verifies the signature of the client through a preset server public key, and rejects the registration request of the client if the verification fails. And after the signature verification is passed, the payment server issues a password confirmation request to the client, and the client is required to provide the password of the account of the user on the payment server.
The client displays prompt information for inputting the password to the user, and the user inputs the password of the account number of the user on the payment server at the client. The client sends the received password to the payment server in a password confirmation response.
And the payment server checks the user password in the password confirmation response, stores the corresponding relation of the symmetric key (server authentication key), the user identifier, the mobile phone terminal identifier, the bracelet identifier and the user public key generated by the client after the verification is passed, informs the client that the bracelet is successfully registered, and finishes the registration process.
After the bracelet is successfully registered on the payment server, when a user wants to pay through the bracelet, an authentication request of payment is sent to the server through the client, wherein the authentication request comprises order information to be paid, a user identifier, a mobile phone terminal identifier and the bracelet identifier.
After receiving an authentication request of the client, the payment server compares the mobile phone terminal identification in the authentication request with the mobile phone terminal identification corresponding to the bracelet identification in the authentication request in the stored corresponding relation, if the mobile phone terminal identification is different from the bracelet identification in the authentication request, the authentication request is rejected, and the payment fails; and if the authentication information is the same, the payment server generates random plaintext data, and the plaintext data is used as downlink authentication information. And the payment server signs the downlink authentication information, the user identification and the bracelet identification by using a preset server private key, encapsulates the signed downlink authentication information, the user identification and the bracelet identification in a detection instruction, and sends the signed downlink authentication information, the user identification and the bracelet identification to the client through an encryption channel between the payment server and the client.
After receiving the detection instruction of the payment server, the client firstly verifies the validity of the signature data in the detection instruction according to a preset terminal public key, and if the data is not legal, the detection instruction is rejected, and the payment fails. After the validity of the signature is verified, the client is connected with the designated bracelet in the detection instruction, and the downlink authentication information in the detection instruction is sent to the bracelet after the connection is successful. The bracelet encrypts the downlink authentication information by using the stored symmetric key to generate uplink authentication information and returns the uplink authentication information to the client. The process that the bracelet encrypts the downlink authentication information does not need knocking confirmation of the user, so that the user operation can be further reduced, and the user experience is optimized.
After receiving the uplink authentication information generated by the bracelet, the client signs the uplink authentication information by using a locally stored user private key, encapsulates the signed data and the bracelet identification in a detection response, and sends the detection response to the payment server through an encryption channel between the client and the payment server.
And after receiving the detection response uploaded by the client, the payment server performs signature verification on the detection response according to the user public key corresponding to the bracelet identification in the detection response, and if the signature verification fails, the authentication request fails. After the signature verification is successful, the payment server encrypts downlink authentication information by using a symmetric key corresponding to the bracelet identification, and compares the encrypted data with the uplink authentication information in the detection response, namely, whether the downlink authentication information encrypted by the payment server is the same as the downlink authentication information encrypted by the bracelet is compared, and if the downlink authentication information encrypted by the payment server is the same as the uplink authentication information encrypted by the bracelet, a message of successful authentication is returned to the client and the payment of the order is continued; if not, returning a message of authentication failure to the client. After receiving the message of successful authentication, the client and the payment server complete the payment operation of the user order; and if the client receives the authentication failure message, informing the user that the payment can not be finished due to the authentication failure.
Corresponding to the above flow implementation, an embodiment of the present application further provides an apparatus for authenticating a user on a server, an apparatus for authenticating a user on a terminal accessing wearable equipment of a user, an apparatus for registering wearable equipment on a server, an apparatus for registering wearable equipment on a terminal, a payment apparatus applied on a server, a payment apparatus applied on a terminal, and a payment apparatus applied on wearable equipment. These means may be implemented by software, hardware, or a combination of software and hardware. Taking software implementation as an example, as a device in a logical sense, the device is formed by reading corresponding computer program instructions into a memory through a server, a terminal or a CPU of wearable equipment to run. In terms of hardware, in addition to the CPU, the memory, and the nonvolatile memory shown in fig. 6, a terminal or a wearable device where the apparatus is located typically includes other hardware such as a chip for transmitting and receiving a wireless signal, and a server where the apparatus is located typically includes other hardware such as a board card for implementing a network communication function.
Fig. 7 shows that the apparatus for authenticating a user provided in this embodiment is applied to a server, where the server stores a corresponding relationship between a user identifier of the user, a wearable device identifier, and a server authentication key, and the apparatus includes an authentication request receiving unit, a detection instruction issuing unit, a detection response receiving unit, and a matching unit, where: the authentication request receiving unit is used for receiving an authentication request sent by a user through a terminal, wherein the authentication request carries a user identifier and/or a wearable device identifier of the user; the detection instruction issuing unit is used for acquiring downlink authentication information and issuing a detection instruction carrying the downlink authentication information and the wearable equipment identifier of the user to a terminal; the detection response receiving unit is used for receiving a detection response which is returned by the terminal and carries uplink authentication information, the uplink authentication information is generated by the wearable equipment specified in the detection instruction according to an equipment authentication key and downlink authentication information, and the equipment authentication key is the same as or corresponds to the server authentication key; the matching unit is used for matching the downlink authentication information and the uplink authentication information by using the server authentication key of the user, and the user passes the authentication if the matching is successful.
Optionally, the server further stores a user public key of the user, where the user public key corresponds to the user identifier of the user, the wearable device identifier, and the server authentication key, and forms a pair of keys with a user private key stored in the terminal; the detection response returned by the terminal is signed by a user private key stored in the terminal; the device also comprises a detection response verification unit which is used for carrying out signature verification on the detection response of the terminal according to the user public key of the user, and if the verification fails, the user authentication fails.
Optionally, the server further stores a terminal identifier, where the terminal identifier corresponds to the user identifier of the user, the wearable device identifier, and the server authentication key; the authentication request further comprises: sending a terminal identification of the authentication request; the device further comprises: and the terminal identification checking unit is used for failing the user authentication when the terminal identification corresponding to the user identification or the wearable equipment identification in the authentication request is different from the terminal identification sending the authentication request.
Optionally, the server further stores a server private key, and the server private key and a terminal public key stored in the terminal are a pair of keys; the device also comprises a detection instruction signature unit used for signing the detection instruction by using a server private key.
Optionally, the server is a payment server, and the authentication request is a payment request; the device further comprises: and a payment service unit for providing a payment service to the authenticated user.
Fig. 8 shows that the apparatus for authenticating a user provided in this embodiment is applied to a terminal accessing to a wearable device of a user, and the apparatus includes an authentication request sending unit, a detection instruction receiving unit, an uplink authentication information unit, a detection response sending unit, and an authentication result receiving unit, where: the authentication request sending unit is used for sending an authentication request to a server according to the operation of a user, wherein the authentication request carries the user identification and/or the wearable equipment identification of the user; the detection instruction receiving unit is used for receiving a detection instruction of the server, wherein the detection instruction carries downlink authentication information and a wearable device identifier; the uplink authentication information unit is used for sending downlink authentication information to the wearable equipment specified in the detection instruction and receiving uplink authentication information returned by the wearable equipment; the uplink authentication information is generated by the wearable device according to a stored device authentication key and downlink authentication information, and the device authentication key is the same as or corresponds to a server authentication key stored in a server; the detection response sending unit is used for sending a detection response carrying the uplink authentication information to the server; and the authentication result receiving unit is used for receiving a user authentication result determined by the server according to the uplink authentication information, the downlink authentication information and the server authentication key.
Optionally, the terminal stores a user private key of the user, and the user private key and a user public key stored in the server are a pair of keys; the device also comprises a detection response signature unit which is used for signing the detection response by using the user private key of the user.
Optionally, the terminal stores a terminal public key, and the terminal public key and a server private key stored in the server are a pair of keys; the detection instruction issued by the server is signed by a server private key; the device also comprises a detection instruction checking unit which is used for carrying out signature checking on the detection instruction of the server according to the terminal public key, and rejecting the detection instruction if the checking fails.
Optionally, the authentication request is a payment request, and the terminal completes the payment operation of the user after the user authentication result is that the user passes the authentication.
Fig. 9 shows that the apparatus for registering a wearable device provided in this embodiment is applied to a server, and is functionally divided, the apparatus further includes a registration request receiving unit, a write instruction issuing unit, and a write response receiving unit, where: the registration request receiving unit is used for receiving a wearable device registration request sent by a user through a terminal, wherein the registration request carries a user identifier and a wearable device identifier of the user; the write-in instruction issuing unit is used for acquiring a server authentication key and an equipment authentication key of the user and issuing a write-in instruction carrying the equipment authentication key and the wearable equipment identifier of the user to a terminal; and the write-in response receiving unit is used for receiving a write-in response returned by the terminal, and if the write-in response indicates that the equipment authentication key is successfully stored in the wearable equipment specified in the write-in instruction, storing the corresponding relation among the user identifier of the user, the wearable equipment identifier and the server authentication key.
Optionally, the write-in response receiving unit includes a password confirmation request issuing module and a password confirmation response receiving module, where: the password confirmation request issuing module is used for issuing a password confirmation request to the terminal when the write-in response indicates that the equipment authentication key is successfully stored in the wearable equipment specified in the write-in instruction; and the password confirmation response receiving module is used for receiving a password confirmation response of the terminal carrying the user password, and if the user password is correct, storing the corresponding relation among the user identifier of the user, the wearable equipment identifier and the server authentication key.
Optionally, the write response returned by the terminal further includes a user public key generated by the terminal; the password confirmation response receiving unit is specifically configured to: and receiving a password confirmation response carrying the user password by the terminal, and if the user password is correct, storing the corresponding relation among the user identifier of the user, the wearable equipment identifier, the server authentication key and the user public key.
Optionally, the server further stores a server private key and a server public key; the server private key and a terminal public key stored in the terminal are a pair of keys; the server public key and a terminal private key stored in the terminal are a pair of keys. The device also comprises a write-in instruction signature unit which is used for signing the write-in instruction by using a server private key; the device also comprises a write-in response verification unit which is used for adopting the server public key to carry out signature verification on the write-in response of the terminal, and refusing the registration request if the verification fails.
Fig. 10 shows an apparatus for registering a wearable device provided in this embodiment, which is applied to a terminal and functionally divided, and further includes a registration request sending unit, a write instruction receiving unit, a write operation executing unit, and a write response sending unit, where: the registration request sending unit is used for sending a wearable device registration request to a server according to the operation of a user, wherein the registration request carries a user identifier and a wearable device identifier of the user; the write-in instruction receiving unit is used for receiving a write-in instruction of the server, wherein the write-in instruction carries an equipment authentication key and the wearable equipment identifier of the user; the write operation execution unit is used for executing the operation of writing the equipment authentication key to the wearable equipment specified in the write instruction; the write response sending unit is used for sending a write response to the server, wherein the write response carries a message of whether the write device authentication key succeeds or not.
Optionally, the apparatus further includes a password confirmation request receiving unit, configured to receive a password confirmation request from the server after sending the write response to the server, and return the user password input by the user to the server by carrying the user password in the password confirmation response.
Optionally, the apparatus further includes a user key generating unit, configured to generate a user private key and a user public key of the user after the operation of writing the device authentication key is successful, and store the user private key; the write response also carries the user public key of the user.
Optionally, the terminal stores a terminal public key and a terminal private key; the terminal public key and a server private key stored in the server are a pair of keys; the terminal private key and a server public key stored in the server are a pair of keys; the device also comprises a write-in instruction checking unit which is used for carrying out signature checking on the write-in instruction of the server by adopting a terminal public key, and refusing the write-in instruction if the checking fails. The device also comprises a write-in response signature unit which is used for signing the write-in response by using a terminal private key.
The embodiment of the application provides a payment device, which is applied to a server and is divided functionally, and comprises a payment request receiving unit, an authentication instruction issuing unit, an authentication response receiving unit and a payment matching unit, wherein: the payment request receiving unit is used for receiving a payment request sent by a user through a payment client, wherein the payment request carries a user identifier and/or a wearable device identifier of the user; the authentication instruction issuing unit is used for acquiring downlink authentication information and issuing an authentication instruction comprising the downlink authentication information and the wearable equipment identifier to the payment client; the authentication response receiving unit is used for receiving authentication response information which is returned by the payment client and carries uplink authentication information, the uplink authentication information is generated by the wearable equipment specified in the authentication instruction according to an equipment authentication key and downlink authentication information, and the equipment authentication key is the same as or corresponds to the server authentication key; and the payment matching unit is used for matching the downlink authentication information and the uplink authentication information by using the server authentication key of the user, and if the matching is successful, the user passes the authentication and performs the payment operation after the authentication passes.
Optionally, the payment request is triggered by the user through information selected on the payment client indicating that payment is made by the wearable device.
The embodiment of the application provides a payment device, which is applied to a terminal, is divided in function and comprises a payment request sending unit, an authentication instruction receiving unit and an authentication response sending unit, wherein: the payment request sending unit is used for responding to payment operation of a user on a payment client and sending a payment request to the server, wherein the payment request carries a user identifier and/or a wearable device identifier of the user; the authentication instruction receiving unit is used for receiving an authentication instruction which is issued by the server and comprises downlink authentication information and a wearable device identifier, and sending the downlink authentication information to the wearable device so that the wearable device can generate uplink authentication information by using a device authentication key and the downlink authentication information which are stored by the wearable device; the authentication response sending unit is used for receiving the uplink authentication information returned by the wearable device and sending the uplink authentication information to the server, so that the server authenticates the user according to the uplink authentication information and performs payment operation after the authentication is passed.
Optionally, the payment operation of the user on the payment client is specifically an operation selected by the user and representing payment performed by the wearable device.
The embodiment of the application provides a payment device of wearable equipment, uses on wearable equipment, divides from the function, including payment authentication information receiving element and ascending authentication information generation unit, wherein: the payment authentication information receiving unit is used for receiving payment authentication information sent by a payment client, wherein the payment authentication information comprises downlink authentication information issued by a server based on a payment request of a user sent by the payment client; the uplink authentication information generation unit is used for generating uplink authentication information according to the stored equipment authentication key and the downlink authentication information, and sending the uplink authentication information to the payment client so that the payment client can send the uplink authentication information to the server, the server can authenticate the user based on the uplink authentication information, and payment operation is carried out after the authentication is passed.
Optionally, the apparatus further comprises: and the payment binding unit is used for responding to a payment binding request issued by a user through a payment client and storing the equipment authentication key carried in the payment binding request.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media does not include transitory computer readable media (transmyedia) such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Claims (47)
1. A method for authenticating a user is applied to a server, and the server stores a corresponding relation among a user identifier of the user, a wearable device identifier and a server authentication key, and the method comprises the following steps:
receiving an authentication request sent by a user through a terminal, wherein the authentication request carries a user identifier and/or a wearable device identifier of the user;
acquiring downlink authentication information, and issuing a detection instruction carrying the downlink authentication information and the wearable equipment identifier of the user to a terminal;
receiving a detection response carrying uplink authentication information returned by the terminal, wherein the uplink authentication information is generated by the wearable equipment specified in the detection instruction according to an equipment authentication key and the downlink authentication information, and the equipment authentication key is the same as or corresponds to the server authentication key;
and matching the downlink authentication information and the uplink authentication information by using the server authentication key of the user, wherein if the matching is successful, the user passes the authentication.
2. The method according to claim 1, wherein the server further stores a user public key of the user, wherein the user public key corresponds to the user identifier of the user, the wearable device identifier and the server authentication key, and is a pair of keys with a user private key stored in the terminal;
the detection response returned by the terminal is signed by a user private key stored in the terminal;
the method further comprises the following steps: and carrying out signature verification on the detection response of the terminal according to the user public key of the user, wherein if the verification fails, the user authentication fails.
3. The method of claim 1, wherein the server further maintains a terminal identity, wherein the terminal identity corresponds to a user identity, a wearable device identity, and a server authentication key of the user;
the authentication request further comprises: sending a terminal identification of the authentication request;
the method further comprises the following steps: and if the terminal identification corresponding to the user identification or the wearable equipment identification in the authentication request is different from the terminal identification sending the authentication request, the user authentication fails.
4. The method according to any one of claims 1 to 3, characterized in that the server also stores a server private key, and the server private key and a terminal public key stored in the terminal are a pair of keys;
the method further comprises the following steps: the detection instruction is signed with a server private key.
5. The method according to any one of claims 1 to 3, wherein the detection instruction and the detection response are transmitted through an encrypted channel between the server and the terminal.
6. The method according to any one of claims 1 to 3, wherein the server is a payment server and the authentication request is a payment request;
the method further comprises the following steps: providing a payment service to the authenticated user.
7. A method for authenticating a user, applied to a terminal accessing a wearable device of the user, is characterized in that the method comprises:
sending an authentication request to a server according to the operation of a user, wherein the authentication request carries the user identification and/or the wearable equipment identification of the user;
receiving a detection instruction of a server, wherein the detection instruction carries downlink authentication information and a wearable device identifier;
sending downlink authentication information to the wearable equipment specified in the detection instruction, and receiving uplink authentication information returned by the wearable equipment; the uplink authentication information is generated by the wearable device according to a stored device authentication key and downlink authentication information, and the device authentication key is the same as or corresponds to a server authentication key stored in a server;
sending a detection response carrying the uplink authentication information to a server;
and receiving a user authentication result determined by the server according to the uplink authentication information, the downlink authentication information and the server authentication key.
8. The method according to claim 7, wherein the terminal stores a user private key of the user, and the user private key and a user public key stored in a server are a pair of keys;
the method further comprises the following steps: and signing the detection response by using the user private key of the user.
9. The method according to claim 7 or 8, characterized in that the terminal stores a terminal public key, and the terminal public key and a server private key stored in a server are a pair of keys;
the detection instruction issued by the server is signed by a server private key;
the method further comprises the following steps: and carrying out signature verification on the detection instruction of the server according to the terminal public key, and rejecting the detection instruction if the verification fails.
10. The method according to claim 7 or 8, wherein the authentication request is a payment request, and the terminal completes the payment operation of the user after the user authentication result is that the user is authenticated.
11. A method for registering a wearable device, applied to a server, includes:
receiving a wearable device registration request sent by a user through a terminal, wherein the registration request carries a user identifier and a wearable device identifier of the user;
acquiring a server authentication key and an equipment authentication key of the user, and issuing a write-in instruction carrying the equipment authentication key and a wearable equipment identifier of the user to a terminal;
and receiving a write-in response returned by the terminal, and if the write-in response indicates that the equipment authentication key is successfully stored in the wearable equipment specified in the write-in instruction, storing the corresponding relation among the user identifier of the user, the wearable equipment identifier and the server authentication key.
12. The method of claim 11, wherein saving the correspondence between the user identifier of the user, the wearable device identifier, and the server authentication key comprises:
sending a password confirmation request to a terminal;
and receiving a password confirmation response carrying the user password by the terminal, and if the user password is correct, storing the corresponding relation among the user identifier of the user, the wearable equipment identifier and the server authentication key.
13. The method according to claim 11 or 12, characterized in that the write response returned by the terminal further includes a user public key generated by the terminal;
the storing of the corresponding relationship between the user identifier of the user, the wearable device identifier and the server authentication key further includes: and storing the corresponding relation between the user identification of the user, the wearable equipment identification, the server authentication key and the user public key.
14. The method according to claim 11 or 12, wherein the server further maintains a server private key and a server public key; the server private key and a terminal public key stored in the terminal are a pair of keys; the server public key and a terminal private key stored in the terminal are a pair of keys.
The method further comprises the following steps: signing the write-in instruction by using a server private key;
the method further comprises the following steps: and carrying out signature verification on the write-in response of the terminal by adopting a server public key, and rejecting the registration request if the verification fails.
15. A method for registering a wearable device, applied to a terminal, includes:
sending a wearable device registration request to a server according to the operation of a user, wherein the registration request carries a user identifier and a wearable device identifier of the user;
receiving a write-in instruction of a server, wherein the write-in instruction carries an equipment authentication key and a wearable equipment identifier of the user;
performing an operation of writing the device authentication key to the wearable device specified in the write instruction;
and sending a write-in response to the server, wherein the write-in response carries a message of whether the write-in equipment authentication key succeeds or not.
16. The method of claim 15, further comprising: and after sending the write-in response to the server, receiving a password confirmation request of the server, and returning the user password input by the user to the server by carrying the user password in the password confirmation response.
17. The method according to claim 15 or 16, characterized in that the method further comprises: after the operation of writing in the equipment authentication key is successful, generating a user private key and a user public key of the user, and storing the user private key;
the write response also carries the user public key of the user.
18. The method according to claim 15 or 16, characterized in that the terminal holds a terminal public key and a terminal private key; the terminal public key and a server private key stored in the server are a pair of keys; the terminal private key and a server public key stored in the server are a pair of keys;
the method further comprises the following steps: and carrying out signature verification on the write-in instruction of the server by adopting a terminal public key, and rejecting the write-in instruction if the verification fails.
The method further comprises the following steps: and signing the write-in response by using a terminal private key.
19. An apparatus for authenticating a user, applied to a server, wherein the server stores a correspondence between a user identifier of the user, a wearable device identifier, and a server authentication key, the apparatus comprising:
the authentication request receiving unit is used for receiving an authentication request sent by a user through a terminal, wherein the authentication request carries a user identifier and/or a wearable device identifier of the user;
the detection instruction issuing unit is used for acquiring downlink authentication information and issuing a detection instruction carrying the downlink authentication information and the wearable equipment identifier of the user to a terminal;
the detection response receiving unit is used for receiving a detection response which is returned by the terminal and carries uplink authentication information, the uplink authentication information is generated by the wearable equipment specified in the detection instruction according to an equipment authentication key and downlink authentication information, and the equipment authentication key is the same as or corresponds to the server authentication key;
and the matching unit is used for matching the downlink authentication information and the uplink authentication information by using the server authentication key of the user, and the user passes the authentication if the matching is successful.
20. The apparatus according to claim 19, wherein the server further stores a user public key of the user, the user public key corresponding to the user identifier of the user, the wearable device identifier and the server authentication key, and being a pair of keys with a user private key stored in the terminal;
the detection response returned by the terminal is signed by a user private key stored in the terminal;
the device further comprises: and the detection response verification unit is used for performing signature verification on the detection response of the terminal according to the user public key of the user, and if the verification fails, the user authentication fails.
21. The apparatus of claim 19, wherein the server further stores a terminal identifier, wherein the terminal identifier corresponds to a user identifier, a wearable device identifier, and a server authentication key of the user;
the authentication request further comprises: sending a terminal identification of the authentication request;
the device further comprises: and the terminal identification checking unit is used for failing the user authentication when the terminal identification corresponding to the user identification or the wearable equipment identification in the authentication request is different from the terminal identification sending the authentication request.
22. The apparatus according to any one of claims 19 to 21, wherein the server further stores a server private key, and the server private key and a terminal public key stored in the terminal are a pair of keys;
the device further comprises: and the detection instruction signature unit is used for signing the detection instruction by using a server private key.
23. The apparatus according to any one of claims 19 to 21, wherein the server is a payment server and the authentication request is a payment request;
the device further comprises: and a payment service unit for providing a payment service to the authenticated user.
24. An apparatus for authenticating a user, applied to a terminal accessing a wearable device of the user, the apparatus comprising:
the authentication request sending unit is used for sending an authentication request to a server according to the operation of a user, wherein the authentication request carries the user identification and/or the wearable equipment identification of the user;
the system comprises a detection instruction receiving unit, a processing unit and a processing unit, wherein the detection instruction receiving unit is used for receiving a detection instruction of a server, and the detection instruction carries downlink authentication information and a wearable device identifier;
an uplink authentication information unit, configured to send downlink authentication information to the wearable device specified in the detection instruction, and receive uplink authentication information returned by the wearable device; the uplink authentication information is generated by the wearable device according to a stored device authentication key and downlink authentication information, and the device authentication key is the same as or corresponds to a server authentication key stored in a server;
a detection response sending unit, configured to send a detection response carrying the uplink authentication information to the server;
and the authentication result receiving unit is used for receiving the user authentication result determined by the server according to the uplink authentication information, the downlink authentication information and the server authentication key.
25. The apparatus according to claim 24, wherein the terminal stores a user private key of the user, and the user private key and a user public key stored in the server are a pair of keys;
the device further comprises: and the detection response signature unit is used for signing the detection response by using the user private key of the user.
26. The apparatus according to claim 24 or 25, wherein the terminal stores a terminal public key, and the terminal public key and a server private key stored in the server are a pair of keys;
the detection instruction issued by the server is signed by a server private key;
the device further comprises: and the detection instruction checking unit is used for carrying out signature checking on the detection instruction of the server according to the terminal public key, and rejecting the detection instruction if the checking fails.
27. The device according to claim 24 or 25, wherein the authentication request is a payment request, and the terminal completes the payment operation of the user after the user authentication result is that the user is authenticated.
28. An apparatus for registering a wearable device, applied to a server, comprising:
a registration request receiving unit, configured to receive a wearable device registration request sent by a user through a terminal, where the registration request carries a user identifier and a wearable device identifier of the user;
the write-in instruction issuing unit is used for acquiring a server authentication key and an equipment authentication key of the user and issuing a write-in instruction carrying the equipment authentication key and the wearable equipment identifier of the user to a terminal;
and the write response receiving unit is used for receiving a write response returned by the terminal, and if the write response indicates that the equipment authentication key is successfully stored in the wearable equipment specified in the write instruction, the corresponding relation among the user identifier of the user, the wearable equipment identifier and the server authentication key is stored.
29. The apparatus of claim 28, wherein the write response receiving unit comprises:
the password confirmation request issuing module is used for issuing a password confirmation request to the terminal when the write-in response indicates that the equipment authentication key is successfully stored in the wearable equipment specified in the write-in instruction;
and the password confirmation response receiving module is used for receiving a password confirmation response of the user password carried by the terminal, and if the user password is correct, storing the corresponding relation among the user identifier of the user, the wearable equipment identifier and the server authentication key.
30. The apparatus according to claim 28 or 29, wherein the write response returned by the terminal further includes a user public key generated by the terminal;
the password confirmation response receiving unit is specifically configured to: and receiving a password confirmation response carrying the user password by the terminal, and if the user password is correct, storing the corresponding relation among the user identifier of the user, the wearable equipment identifier, the server authentication key and the user public key.
31. The apparatus according to claim 28 or 29, wherein the server further maintains a server private key and a server public key; the server private key and a terminal public key stored in the terminal are a pair of keys; the server public key and a terminal private key stored in the terminal are a pair of keys.
The device further comprises: the write-in command signature unit is used for signing the write-in command by using a server private key;
the device further comprises: and the write-in response verification unit is used for performing signature verification on the write-in response of the terminal by adopting a server public key, and rejecting the registration request if the verification fails.
32. An apparatus for registering a wearable device, applied to a terminal, comprising:
a registration request sending unit, configured to send a wearable device registration request to a server according to an operation of a user, where the registration request carries a user identifier and a wearable device identifier of the user;
a write instruction receiving unit, configured to receive a write instruction of a server, where the write instruction carries an equipment authentication key and a wearable equipment identifier of the user;
a write operation execution unit configured to execute an operation of writing the device authentication key to the wearable device specified in the write instruction;
and the writing response sending unit is used for sending a writing response to the server, wherein the writing response carries a message of whether the writing equipment authentication key succeeds or not.
33. The apparatus of claim 32, further comprising: and the password confirmation request receiving unit is used for receiving the password confirmation request of the server after sending the write-in response to the server, and returning the user password input by the user to the server by carrying the user password in the password confirmation response.
34. The apparatus of claim 32 or 33, further comprising: the user key generating unit is used for generating a user private key and a user public key of the user and storing the user private key after the operation of writing the equipment authentication key is successful;
the write response also carries the user public key of the user.
35. The apparatus according to claim 32 or 33, wherein the terminal holds a terminal public key and a terminal private key; the terminal public key and a server private key stored in the server are a pair of keys; the terminal private key and a server public key stored in the server are a pair of keys;
the device further comprises: and the write-in instruction checking unit is used for carrying out signature checking on the write-in instruction of the server by adopting a terminal public key, and refusing the write-in instruction if the checking fails.
The device further comprises: and the write response signature unit is used for signing the write response by using a terminal private key.
36. A payment method, comprising:
receiving a payment request sent by a user through a payment client, wherein the payment request carries a user identifier and/or a wearable device identifier of the user;
acquiring downlink authentication information, and issuing an authentication instruction comprising the downlink authentication information and a wearable device identifier to a payment client;
receiving authentication response information which is returned by the payment client and carries uplink authentication information, wherein the uplink authentication information is generated by wearable equipment specified in an authentication instruction according to an equipment authentication key and downlink authentication information, and the equipment authentication key is the same as or corresponds to a server authentication key;
and matching the downlink authentication information and the uplink authentication information by using the server authentication key of the user, and if the matching is successful, the user passes the authentication and performs the payment operation after the authentication passes.
37. The method of claim 36, wherein the payment request is triggered by a user through information selected on a payment client indicating payment made by a wearable device.
38. A payment method, comprising:
responding to a payment operation of a user on a payment client, and sending a payment request to a server, wherein the payment request carries a user identifier and/or a wearable device identifier of the user;
receiving an authentication instruction which is sent by a server and comprises downlink authentication information and a wearable device identifier, and sending the downlink authentication information to the wearable device so that the wearable device generates uplink authentication information by using a device authentication key and the downlink authentication information which are stored by the wearable device;
and receiving uplink authentication information returned by the wearable device, and sending the uplink authentication information to the server so that the server authenticates the user according to the uplink authentication information and performs payment operation after the authentication is passed.
39. A payment method as recited in claim 38, wherein the payment operation of the user on the payment client is specific to an operation selected by the user to represent a payment made by the wearable device.
40. A payment method of a wearable device, comprising:
receiving payment authentication information sent by a payment client, wherein the payment authentication information comprises downlink authentication information issued by a server based on a payment request of a user sent by the payment client;
and generating uplink authentication information according to the stored equipment authentication key and the downlink authentication information, and sending the uplink authentication information to the payment client so that the payment client sends the uplink authentication information to the server, so that the server can authenticate the user based on the uplink authentication information and perform payment operation after the authentication is passed.
41. The method of claim 40, further comprising:
and responding to a payment binding request issued by a user through a payment client, and storing the equipment authentication key carried in the payment binding request.
42. A payment device, comprising:
the payment request receiving unit is used for receiving a payment request sent by a user through a payment client, wherein the payment request carries a user identifier and/or a wearable device identifier of the user;
the authentication instruction issuing unit is used for acquiring downlink authentication information and issuing an authentication instruction comprising the downlink authentication information and the wearable equipment identifier to the payment client;
the authentication response receiving unit is used for receiving authentication response information which is returned by the payment client and carries uplink authentication information, the uplink authentication information is generated by the wearable equipment specified in the authentication instruction according to an equipment authentication key and downlink authentication information, and the equipment authentication key is the same as or corresponds to the server authentication key;
and the payment matching unit is used for matching the downlink authentication information and the uplink authentication information by using the server authentication key of the user, and if the matching is successful, the user passes the authentication and performs payment operation after the authentication passes.
43. The apparatus of claim 42, wherein the payment request is triggered by a user through information selected on a payment client indicating payment made by a wearable device.
44. A payment device, comprising:
the payment request sending unit is used for responding to payment operation of a user on a payment client and sending a payment request to the server, wherein the payment request carries a user identifier and/or a wearable device identifier of the user;
the authentication instruction receiving unit is used for receiving an authentication instruction which is issued by the server and comprises downlink authentication information and a wearable device identifier, and sending the downlink authentication information to the wearable device so that the wearable device can generate uplink authentication information by using a device authentication key and the downlink authentication information which are stored by the wearable device;
and the authentication response sending unit is used for receiving the uplink authentication information returned by the wearable device and sending the uplink authentication information to the server so that the server authenticates the user according to the uplink authentication information and performs payment operation after the authentication is passed.
45. The apparatus of claim 44, wherein the payment operation of the user on the payment client is specific to an operation selected by the user to represent payment made by the wearable device.
46. A payment device of a wearable device, comprising:
the payment authentication information receiving unit is used for receiving payment authentication information sent by a payment client, wherein the payment authentication information comprises downlink authentication information issued by a server based on a payment request of a user sent by the payment client;
and the uplink authentication information generating unit is used for generating uplink authentication information according to the stored equipment authentication key and the downlink authentication information, and sending the uplink authentication information to the payment client so that the payment client sends the uplink authentication information to the server, so that the server can authenticate the user based on the uplink authentication information and perform payment operation after the authentication is passed.
47. The apparatus of claim 46, further comprising: and the payment binding unit is used for responding to a payment binding request issued by a user through a payment client and storing the equipment authentication key carried in the payment binding request.
Publications (3)
| Publication Number | Publication Date |
|---|---|
| HK1230361A1 HK1230361A1 (en) | 2017-12-01 |
| HK1230361A true HK1230361A (en) | 2017-12-01 |
| HK1230361B HK1230361B (en) | 2020-10-16 |
Family
ID=
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110417797B (en) | Method and device for authenticating user | |
| EP3474211B1 (en) | Offline payment method and device | |
| CN111756533B (en) | System, method and storage medium for secure password generation | |
| EP3535724B1 (en) | Verifying an association between a communication device and a user | |
| CN109992949B (en) | Device authentication method, air card writing method and device authentication device | |
| JP6704919B2 (en) | How to secure your payment token | |
| JP6374119B2 (en) | Security protocol for integrated near field communication infrastructure | |
| JP7309261B2 (en) | Authentication method for biometric payment device, authentication device for biometric payment device, computer device, and computer program | |
| US20190386972A1 (en) | Systems and methods for user authentication based on multiple devices | |
| US20150310427A1 (en) | Method, apparatus, and system for generating transaction-signing one-time password | |
| EP3206329B1 (en) | Security check method, device, terminal and server | |
| KR20180013710A (en) | Public key infrastructure based service authentication method and system | |
| US20240289798A1 (en) | Techniques to provide secure cryptographic authentication, verification, functionality access, and payments between contactless cards and communication devices | |
| US20250307819A1 (en) | Systems and methods for validating and securing transactions | |
| US20150302506A1 (en) | Method for Securing an Order or Purchase Operation Means of a Client Device | |
| HK1230361A1 (en) | Method and device for authenticating user, and method and device for registering wearable device | |
| HK1230361A (en) | Method and device for authenticating user, and method and device for registering wearable device | |
| KR102547682B1 (en) | Server for supporting user identification using physically unclonable function based onetime password and operating method thereof | |
| KR101705293B1 (en) | Authentication System and method without secretary Password | |
| KR102528051B1 (en) | Terminal for payment and operaing method of thereof | |
| US20250240290A1 (en) | Authentication using sequence of facial images | |
| HK1230361B (en) | Method and device for authenticating user, and method and device for registering wearable device | |
| JP2026501787A (en) | Technology for providing secure cryptographic authentication, verification, feature access, and payment between contactless cards and communication devices | |
| WO2025231423A1 (en) | Device binding using cryptographic keys | |
| CN118981767A (en) | Identity authentication method, device, equipment, readable storage medium and program product |