
WO2015180689A1 - Method and apparatus for acquiring verification information - Google Patents

Info

Publication number: WO2015180689A1
Application number: PCT/CN2015/080315
Authority: WO (WIPO, PCT)
Prior art keywords: verification information; key; application; user; network device
Legal status: Ceased (status as listed by Google Patents; not a legal conclusion)
Other languages: French (fr), Chinese (zh)
Inventor: 胡宇光
Current assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd (as listed by Google Patents)
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W 12/06: Authentication
    • H04W 12/069: Authentication using certificates or pre-shared keys

Definitions

  • The present invention relates to the field of network security technologies, and in particular to a method and an apparatus for acquiring verification information.
  • SMS verification is often the last security measure protecting such services.
  • In a typical flow, a server (a service provider, such as Alipay) sends a text message containing a numeric or alphanumeric verification code to a previously bound mobile phone number through a short message gateway. After receiving the short message, the user submits the verification code from the message to the server through the mobile APP or the web page of the authentication or payment service. The server then judges, from the submitted verification code, whether it is the legitimate user who is performing the verification or payment operation. A verification code delivered in plaintext, however, can be read by any application with access to the short messages, such as a Trojan, and can be captured by eavesdropping on the GSM signal or by copying the SIM card.
  • The present invention has been made in order to provide a method and apparatus for acquiring verification information that overcomes the above problems or at least partially solves them.
  • According to one aspect, a method for acquiring verification information comprises: a terminal negotiates, with a network device, a key for encrypting and decrypting the verification information, where the verification information is a message used to verify the identity or authority of the terminal or the user while a target application executes a specific service; the network device encrypts the verification information with the key and sends the encrypted verification information to the terminal; the terminal decrypts the encrypted verification information with the negotiated key to obtain the verification information; and the verification information is used to verify the identity or authority of the terminal or the user during the execution of the specific service by the target application.
  • According to another aspect, an apparatus for acquiring verification information includes: a key agreement unit, configured to negotiate, between a terminal and a network device, a key for encrypting and decrypting verification information, where the verification information is a message for verifying the identity or authority of the terminal or the user in the specific service process of a target application; an encrypted verification information obtaining unit, configured to receive the verification information that the network device has encrypted with the key; a decryption unit, configured to decrypt the encrypted verification information with the negotiated key to obtain the verification information; and a service execution unit, configured to use the verification information to verify the identity or authority of the terminal or the user while the target application performs the specific service process.
  • According to a further aspect, a computer program comprising computer-readable code is provided which, when run on a terminal, causes the terminal to perform the method for acquiring verification information described above.
  • According to a further aspect, a computer-readable medium storing the above computer program is provided.
  • The beneficial effects of the present invention are as follows. The verification information is encrypted under a key negotiated between the application and the network device, and only that application reads and decrypts the encrypted verification information before using it to carry out the service operation. A malicious application such as a Trojan, even if it obtains the verification information, obtains it only in ciphertext form and cannot use it, which effectively protects the security of business operations such as payment on the application.
  • The present invention also defends well against attacks such as GSM (Global System for Mobile Communications) signal eavesdropping and SIM (Subscriber Identity Module) card copying: because the verification information is transmitted in encrypted form, an attacker who eavesdrops on the GSM signal or copies the SIM card obtains only the ciphertext, has no way to recover the plaintext, and therefore cannot continue the attack.
  • FIG. 1 is a flowchart of a method for acquiring verification information according to an embodiment of the present invention;
  • FIG. 2 is a flowchart of Example 1 of the method for acquiring verification information according to an embodiment of the present invention;
  • FIG. 3 is a flowchart of Example 2 of the method for acquiring verification information according to an embodiment of the present invention;
  • FIG. 4 is a flowchart of Example 3 of the method for acquiring verification information according to an embodiment of the present invention;
  • FIG. 5 is a schematic structural diagram of an apparatus for acquiring verification information according to an embodiment of the present invention;
  • FIG. 6 is a block diagram of a terminal for performing the method for acquiring verification information according to the present invention;
  • FIG. 7 shows a storage unit for holding or carrying program code for implementing the method for acquiring verification information according to the present invention.
  • FIG. 1 is a flowchart of a method for acquiring verification information according to an embodiment of the present invention. The method includes the following steps:
  • S101: the terminal negotiates, with the network device, a key used to encrypt and decrypt the verification information, where the verification information is a message for verifying the identity or authority of the terminal or the user in the specific service process performed by the target application;
  • S102: the network device encrypts the verification information with the key and sends the encrypted verification information to the terminal;
  • S103: the terminal decrypts the encrypted verification information with the negotiated key to obtain the verification information;
  • S104: the identity or authority of the terminal or the user is verified with the verification information during the execution of the specific service by the target application.
  • In this embodiment, a terminal is a device having a communication function, for example a smartphone.
  • A network device is a server, gateway, or proxy server that sends verification information for a service of the target application.
  • A target application is an application that must verify verification information in order to perform a service (business), including but not limited to communication software, payment software, or e-commerce software, such as the currently popular Alipay and WeChat. Executing a specific service on the target application means performing a payment, login, download, or similar operation on the target application after the identity or authority of the terminal or the user has been verified with the verification information.
  • Steps S101 and S103 above may be performed by the target application itself or by a security application, as described in detail in the following examples.
  • The verification information is initiated by the target application's server for the target application.
  • The manner in which the verification information is obtained is not limited. The commonly used manner is to obtain it by short message, but the present invention does not restrict this, and obtaining the verification information by e-mail or by an instant messaging tool is equally feasible.
  • One implementation condition of the embodiment is that the application program has permission to access the communication channel through which the verification information arrives. For example, if the terminal receives the verification information by short message, the application program must have permission to access short messages; it then uses that permission to read the short message directly and obtain the encrypted verification information, so that step S103 can be performed to decrypt the encrypted short message and finally obtain the decrypted verification information.
  • The key is determined by key agreement between the application and the network device, and the verification information is encrypted with the negotiated key.
  • Keys can be divided into symmetric keys and asymmetric keys.
  • Symmetric key encryption, also known as secret key encryption or session key encryption, means that the sender and the receiver of a message use the same key to encrypt and decrypt the data. Its biggest advantage is that encryption and decryption are fast, which suits it to encrypting large amounts of data, but key management is difficult.
  • An asymmetric key encryption system, also known as public key encryption, uses different keys for the encryption and decryption operations: one is published openly (the public key) and the other is kept privately by the user (the private key).
  • The sender of a message encrypts with the recipient's public key, and the recipient decrypts with the corresponding private key.
  • The public key mechanism is flexible, but encryption and decryption are much slower than with symmetric key encryption.
  • In an embodiment of the present invention the key may be either a symmetric key or an asymmetric key.
  • When a symmetric key is used, the network device and the application use the same key to encrypt and decrypt the verification information; when an asymmetric key is used, the network device encrypts the verification information with the application's public key, and the application decrypts the encrypted verification information with its private key.
  • To summarise, the present invention encrypts the verification information under a key negotiated between the application and the network device, and the application directly reads the encrypted verification information, decrypts it, and uses the decrypted verification information to carry out the service operation; that is, only this application can decrypt the verification information from its ciphertext form.
  • A malicious application such as a Trojan, even if it can obtain the verification information, obtains it only in ciphertext form and cannot use it, which effectively ensures the security of business operations such as payment on the application.
  • The present invention also defends well against attack methods such as GSM signal eavesdropping and SIM card copying: because the verification information is encrypted, such attackers obtain only the ciphertext and have no way to recover the plaintext, so the attack cannot proceed.
  • Example 1. Referring to FIG. 2, a method for acquiring verification information according to Example 1 includes:
  • S201: the target application on the terminal negotiates, with the network device, a key for the verification information;
  • S202: the network device encrypts the verification information with the key and sends the encrypted verification information to the terminal;
  • S203: the target application decrypts the encrypted verification information with the negotiated key to obtain the verification information.
  • Here the target application is an application that must verify the verification information in order to perform a service, and the network device is accordingly a server, gateway, or proxy server that transmits verification information for a service of the target application.
  • The following describes obtaining the verification information by mobile phone short message.
  • First, the target APP installed on the user's mobile phone and the network device negotiate a key by some agreed means.
  • The network device is the functional entity on the network side that is responsible for the verification information, and it can take various forms. Specifically, the APP may negotiate a key directly with the APP server, which then sends the ciphertext short message; it may negotiate a key with the short message gateway, which then sends the ciphertext short message; or it may negotiate a key with a proxy server of the short message gateway, which then sends the ciphertext short message.
  • Because the short message service is controlled by the operator, a verification message that the APP server sends to the terminal for the APP's service is generally delivered over the operator's short message service line. Therefore the key negotiation generally needs to be performed with the short message gateway or with a proxy server of the short message gateway, although key negotiation with the APP server is also possible, as noted above.
  • The negotiated key is then used to encrypt the verification information.
  • The user receives the encrypted verification message on the mobile phone, and the APP automatically reads the short message in the background and decrypts it to obtain the real verification code.
  • In this example the APP is the Alipay software.
  • The Alipay software on the mobile phone first negotiates a verification code key with the network device (an Alipay server, a short message gateway, or a short message gateway proxy server). When the user performs a service such as a payment, a verification code is required.
  • The network device encrypts the verification code with the pre-agreed key and sends it to the user's mobile phone.
  • The user receives the verification message in ciphertext form by short message on the mobile phone; the Alipay software on the mobile phone reads the ciphertext short message directly from the background, decrypts it with the pre-agreed key to obtain the verification code, and finally the verification is performed and the business completed.
  • Any application other than the target APP cannot read the verification information, which effectively solves the problem of verification messages being stolen by malicious software such as Trojans.
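  • The following Python script is an added example, not code from the patent or from its assignee, modelling the exchange of FIG. 1 as it appears in Example 1: the target APP and the network device negotiate a key, the network device sends the verification code as an SMS-sized ciphertext, and the APP decrypts it, while any other reader of the short message (a Trojan, a GSM eavesdropper, a copied SIM) sees only ciphertext. The patent leaves the negotiation mechanism and the cipher open. This example assumes a pre-shared enrollment secret from which both sides derive a per-session key (HKDF-SHA256 over two exchanged nonces), and an encrypt-then-MAC construction built from HMAC-SHA256 because the Python standard library has no AEAD; the function names, the sender label and the SMS layout are this example's own.

```python
"""Encrypted SMS verification code, network device and target APP sides (added example)."""
import base64
import hashlib
import hmac
import os
import re

HASH_LEN = 32  # SHA-256 output length


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def negotiate_session_key(psk: bytes, app_nonce: bytes, server_nonce: bytes) -> bytes:
    """Key negotiation (S101/S201), assumed here to be PSK-based: both sides exchange
    fresh nonces and derive the same session key from the enrollment secret.
    The nonces are public; the PSK itself is never transmitted."""
    return hkdf_sha256(psk, app_nonce + server_nonce, b"sms-verification-code-v1", HASH_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for a real AEAD)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_code(session_key: bytes, code: str, nonce: bytes, sender: str) -> str:
    """Network device side (S102/S202): encrypt-then-MAC the code, bind the sender
    identifier into the tag, and pack nonce|ct|tag into a short message body."""
    enc_key = hkdf_sha256(session_key, b"", b"enc", HASH_LEN)
    mac_key = hkdf_sha256(session_key, b"", b"mac", HASH_LEN)
    pt = code.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, sender.encode() + nonce + ct, hashlib.sha256).digest()[:16]
    token = base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")
    return f"[{sender}] Verification: {token}"  # example SMS layout, not the patent's


def decrypt_code(session_key: bytes, sms_body: str, sender: str) -> str:
    """Target APP side (S103/S203): parse the SMS, check the tag, recover the code.
    Raises ValueError on tampering or on a message that is not for this sender."""
    m = re.fullmatch(r"\[(.+?)\] Verification: ([A-Za-z0-9_-]+)", sms_body)
    if not m or m.group(1) != sender:
        raise ValueError("not a verification message for this sender")
    raw = base64.urlsafe_b64decode(m.group(2) + "=" * (-len(m.group(2)) % 4))
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    enc_key = hkdf_sha256(session_key, b"", b"enc", HASH_LEN)
    mac_key = hkdf_sha256(session_key, b"", b"mac", HASH_LEN)
    expected = hmac.new(mac_key, sender.encode() + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("verification message failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def run_exchange(code: str = "482913", psk: bytes = b"enrollment-secret-from-app-registration",
                 app_nonce: bytes = bytes(16), server_nonce: bytes = bytes(range(16)),
                 msg_nonce=None) -> dict:
    """Whole flow with constructed inputs; pass msg_nonce for a reproducible run."""
    sender = "Alipay"
    msg_nonce = os.urandom(12) if msg_nonce is None else msg_nonce
    app_key = negotiate_session_key(psk, app_nonce, server_nonce)     # computed on the terminal
    server_key = negotiate_session_key(psk, app_nonce, server_nonce)  # computed on the network device
    sms = encrypt_code(server_key, code, msg_nonce, sender)           # what the gateway delivers
    return {"sms": sms, "code": decrypt_code(app_key, sms, sender),
            "trojan_sees_plaintext": code in sms}


if __name__ == "__main__":
    result = run_exchange()
    print(result["sms"])                      # ciphertext form, as any SMS reader sees it
    print("APP recovered:", result["code"])   # 482913
```

The encryption only protects the code if the negotiation itself runs over a protected channel (in practice the APP's TLS session to its server) and the session key is stored where other applications cannot read it; a device that is rooted or a key that is synced off the phone defeats the scheme regardless of the SMS channel. Binding the sender label into the MAC means a message relayed from one service to another fails the check even if the attacker can re-send ciphertext.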
  • Example 2. Referring to FIG. 3, a method for acquiring verification information according to Example 2 includes:
  • S301: the security application negotiates, with the network device, a key for the verification information, where the verification information is information that must be verified in a service of the target application;
  • S302: the network device encrypts the verification information with the key and sends the encrypted verification information to the terminal;
  • S303: the security application decrypts the encrypted verification information with the negotiated key to obtain the verification information;
  • S304: the security application provides the verification information to the target application, and/or presents the verification information to the user.
  • Here the target application is an application that must verify the verification information in order to perform a service, and the network device is accordingly a server, gateway, or proxy server that transmits verification information for a service of the target application.
  • Example 2 differs from Example 1 in that a security application is introduced to manage the verification information of every target application in a unified manner.
  • The security application performs the key agreement with the network device, only the security application can read and decrypt the verification information, and the security application then provides the decrypted verification information to the target application.
  • The following describes obtaining the verification information by mobile phone short message.
  • First, the security APP and the network device perform key negotiation.
  • The network device is the functional entity on the network side that is responsible for the verification information, and it can take various forms.
  • Specifically, the security APP may negotiate a key directly with the target APP server, which then sends the ciphertext short message; it may negotiate a key with the short message gateway, which then sends the ciphertext short message; or it may negotiate a key with a proxy server of the short message gateway, which then sends the ciphertext short message.
  • Because the short message service is controlled by the operator, a verification short message that the target APP server sends to the terminal for the target APP's service is generally delivered over the operator's short message service line, so the key negotiation generally needs to be performed with the short message gateway or with a proxy server of the short message gateway.
  • Key negotiation with the target APP server is also possible, as noted above.
  • The negotiated key is then used to encrypt the verification information.
  • The user receives the encrypted verification message on the mobile phone, and only this security application can decrypt it and display it to the user.
  • The target APP obtains the decrypted verification message through an interface provided by the security APP.
  • That is, the target APP does not obtain the short message through the short message interface of the mobile operating system, but through the interface provided by the security APP.
  • The security APP is responsible for verifying the legitimacy of the APP attempting to invoke the interface (validating the signature of the APP and determining that the short message belongs to that APP; for example, only the WeChat APP may read the verification code SMS sent by the WeChat server), and provides the verification information to the target APP only when the target APP is legitimate.
  • Verification of the target APP's legitimacy by the security APP includes: determining from the signature of the target APP whether the target APP is legitimate, and/or determining whether the target APP has the right to read the verification information. Specifically, determining whether the target APP is legitimate includes: determining from the signature of the target APP whether it belongs to the known-good applications (white APPs), or determining from the signature whether it belongs to the known-malicious applications (black APPs); if the target APP is a white APP, or is not a black APP, it is determined to be legitimate.
  • Determining whether the target APP has the right to read the verification information includes: determining whether the target APP is the application corresponding to the network device that provided the verification information, and if so, determining that the target APP has the right to read it. Specifically, it is determined whether an identifier carried with the verification information corresponds to the network device that provided it, for example the sender number of the short message.
  • In this example the target APP is the WeChat software, the security APP on the mobile phone is, for example, the 360 secure address book, and the network device is a WeChat server, an SMS gateway, or an SMS gateway proxy server.
  • The network device encrypts the verification code with the pre-agreed key and sends it to the user's mobile phone. The user then receives the verification message in ciphertext form by short message on the mobile phone; the security APP on the mobile phone reads the ciphertext message directly from the background, decrypts it with the pre-agreed key to obtain the verification code, and presents the plaintext verification code to the user. Finally, if necessary, WeChat obtains the plaintext verification code from the interface provided by the security APP.
  • Because Example 2 can also display the plaintext verification information to the user, it also covers the situation in which the verification code is requested through a PC browser, that is, when the user performs the operation on a PC.
  • Example 3. Referring to FIG. 4, a method for acquiring verification information according to Example 3 includes:
  • S401: the security application negotiates, with the network device, a key for the verification information, where the verification information is information that must be verified in a service of the target application;
  • S402: the network device encrypts the verification information with the key and sends the encrypted verification information to the terminal;
  • S403: the security application decrypts the encrypted verification information with the negotiated key to obtain the verification information;
  • S404: a password input by the user is obtained, and whether the input password is correct is determined according to a password agreed with the user in advance;
  • S405: when the user has input the correct password, the security application provides the verification information to the target application, and/or presents the verification information to the user.
  • Here the target application is an application that must verify the verification information in order to perform a service, and the network device is accordingly a server, gateway, or proxy server that transmits verification information for a service of the target application.
  • Example 3 is similar to Example 2: a security application is introduced to manage the verification information of every target application in a unified manner.
  • The security application performs the key agreement with the network device, only the security application can read and decrypt the verification information, and the security application then provides the decrypted verification information to the target application.
  • The difference from Example 2 is that the user is required to enter a password agreed in advance with the security application before the verification information is presented to the user or provided to the target application.
  • The following describes obtaining the verification information by mobile phone short message.
  • A security APP needs to be installed on the user's mobile phone.
  • First, the security APP and the network device perform key negotiation.
  • The network device is the functional entity on the network side that is responsible for the verification information, and it can take various forms.
  • Specifically, the security APP may negotiate a key directly with the target APP server, which then sends the ciphertext short message; it may negotiate a key with the short message gateway, which then sends the ciphertext short message; or it may negotiate a key with a proxy server of the short message gateway, which then sends the ciphertext short message.
  • Because the short message service is controlled by the operator, a verification short message that the target APP server sends to the terminal for the target APP's service is generally delivered over the operator's short message service line, so the key negotiation generally needs to be performed with the short message gateway or with a proxy server of the short message gateway.
  • Key negotiation with the target APP server is also possible, as noted above.
  • The negotiated key is then used to encrypt the verification information.
  • The user receives the encrypted verification message on the mobile phone, and the security APP decrypts it.
  • Before the user may view the decrypted verification message, or before the target APP may read it, the user must input the password agreed in advance with the security APP.
  • The security APP then presents the decrypted verification message to the user, or the target APP obtains the decrypted verification message through the interface provided by the security APP.
  • That is, the target APP does not obtain the short message through the short message interface of the mobile operating system, but through the interface provided by the security APP.
  • The security APP is responsible for verifying the legitimacy of the APP attempting to invoke the interface (validating the signature of the APP and determining that the short message belongs to that APP; for example, only the WeChat APP may read the verification code SMS sent by the WeChat server), and provides the verification information to the target APP only when the target APP is legitimate.
  • Verification of the target APP's legitimacy by the security APP includes: determining from the signature of the target APP whether the target APP is legitimate, and/or determining whether the target APP has the right to read the verification information. Specifically, determining whether the target APP is legitimate includes: determining from the signature of the target APP whether it belongs to the known-good applications (white APPs), or determining from the signature whether it belongs to the known-malicious applications (black APPs); if the target APP is a white APP, or is not a black APP, it is determined to be legitimate.
  • Determining whether the target APP has the right to read the verification information includes: determining whether the target APP is the application corresponding to the network device that provided the verification information, and if so, determining that the target APP has the right to read it. Specifically, it is determined whether an identifier carried with the verification information corresponds to the network device that provided it, for example the sender number of the short message.
  • In this example the target APP is the bank payment platform to which Amazon is linked, the security APP on the mobile phone is, for example, the 360 secure address book, and the network device is, for example, an SMS gateway or an SMS gateway proxy server.
  • After the verification code key has been negotiated, a verification code is required when the user performs a payment or other service.
  • The network device encrypts the verification code with the pre-agreed key and sends it to the user's mobile phone; the user then receives the verification message in ciphertext form by short message on the mobile phone.
  • The security APP on the mobile phone reads the ciphertext message directly from the background and decrypts it with the pre-agreed key to obtain the verification code.
  • After the user inputs the correct password, the plaintext verification code is displayed to the user; finally, if necessary, the bank payment platform obtains the plaintext verification code from the interface provided by the security APP.
  • Because Example 3 can also display the plaintext verification information to the user, it also covers the situation in which the verification code is requested through a PC browser, that is, when the user performs the operation on a PC.
  • Example 3 displays the verification information to the user, or provides it to the target application, only after the user has input the correct password, which further secures the verification information: the ciphertext form of the verification information and the user password together give double protection, so the verification information remains secure even if the phone is lost.
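  • The following Python module is an added example, not code from the patent or from its assignee, of the gate that the security APP of Examples 2 and 3 puts in front of a decrypted verification code: the caller's signature is checked against white and black lists (Example 2), the message must belong to the caller's own network device as identified by the SMS sender number (Example 2), and, when enabled, a password agreed with the user in advance must be supplied before the code is released or displayed (Example 3). Decryption itself happens before this point (S303/S403) and is not repeated here. The package names, certificate fingerprints, sender numbers and PIN are constructed; the patent does not specify any of them.

```python
"""Security APP gating decrypted verification codes (added example for Examples 2 and 3)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Constructed data. Fingerprints stand for the SHA-256 of each APP's signing
# certificate; a real security APP would ship vendor-maintained white/black lists.
WHITE_APPS = {"com.tencent.mm": "a1" * 32, "com.bank.pay": "b2" * 32}  # known-good (white APPs)
BLACK_APPS = {"com.evil.smsgrab": "c3" * 32}                            # known-malicious (black APPs)
# Sender identifier carried with the verification SMS -> the target APP it belongs to.
SENDER_TO_APP = {"106900000001": "com.tencent.mm", "106900000002": "com.bank.pay"}

PBKDF2_ROUNDS = 100_000


@dataclass
class PendingCode:
    sender: str
    code: str  # plaintext, already decrypted by the security APP (S303/S403)


@dataclass
class SecurityApp:
    pin_salt: bytes
    pin_hash: bytes
    require_pin: bool = False      # Example 2: False; Example 3: True
    policy: str = "whitelist"      # "whitelist" (must be a white APP) or "blacklist" (must not be a black APP)
    pending: list = field(default_factory=list)

    @classmethod
    def enroll(cls, pin: str, require_pin: bool = False, policy: str = "whitelist") -> "SecurityApp":
        """The user agrees a password with the security APP in advance (Example 3)."""
        salt = os.urandom(16)
        return cls(salt, cls._hash_pin(pin, salt), require_pin, policy)

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def pin_ok(self, pin: Optional[str]) -> bool:
        if pin is None:
            return False
        return hmac.compare_digest(self._hash_pin(pin, self.pin_salt), self.pin_hash)

    def store_decrypted(self, sender: str, code: str) -> None:
        """Called after S303/S403: hold the decrypted code until a legitimate caller asks."""
        self.pending.append(PendingCode(sender, code))

    def caller_is_legitimate(self, package: str, fingerprint: str) -> bool:
        """Signature check on the caller. Under the whitelist policy the package and its
        signing certificate must both match a white APP; under the blacklist policy
        anything not known-malicious passes, which also admits unknown APPs."""
        if self.policy == "whitelist":
            return hmac.compare_digest(WHITE_APPS.get(package, ""), fingerprint)
        return package not in BLACK_APPS and fingerprint not in BLACK_APPS.values()

    def caller_owns_sender(self, package: str, sender: str) -> bool:
        """Right-to-read check: the message must come from the caller's own network device."""
        return SENDER_TO_APP.get(sender) == package

    def release_code(self, package: str, fingerprint: str, sender: str,
                     pin: Optional[str] = None) -> str:
        """Interface invoked by the target APP (S304/S405). Returns the code once,
        or raises PermissionError / LookupError."""
        if not self.caller_is_legitimate(package, fingerprint):
            raise PermissionError("caller signature not accepted")
        if not self.caller_owns_sender(package, sender):
            raise PermissionError("verification message does not belong to caller")
        if self.require_pin and not self.pin_ok(pin):
            raise PermissionError("user password required")
        for i, item in enumerate(self.pending):
            if item.sender == sender:
                return self.pending.pop(i).code  # single use: a code is handed out once
        raise LookupError("no pending verification code for this sender")

    def show_to_user(self, pin: Optional[str] = None) -> list:
        """Display path (S304/S405): list pending codes to the user, PIN-gated in Example 3."""
        if self.require_pin and not self.pin_ok(pin):
            raise PermissionError("user password required")
        return [(p.sender, p.code) for p in self.pending]


if __name__ == "__main__":
    guard = SecurityApp.enroll("2468", require_pin=True)
    guard.store_decrypted("106900000001", "735201")  # constructed, already-decrypted WeChat code
    print(guard.release_code("com.tencent.mm", "a1" * 32, "106900000001", pin="2468"))  # 735201
```

Two points the patent leaves implicit are made explicit here. The whitelist and blacklist policies are not equivalent: "not a black APP" lets a never-seen repackaged application through, so a deployment protecting payment codes should prefer the whitelist, with the signing certificate checked rather than the package name alone. The sender-number check binds a message to the application it belongs to, but an SMS sender identifier can be spoofed in the carrier network, so it is the integrity tag on the ciphertext (checked at S303/S403), not the sender number, that authenticates the network device.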
  • the present invention also provides an apparatus for acquiring verification information.
  • the device can be implemented by hardware, software or a combination of software and hardware.
  • the device may refer to a functional module inside the terminal, or may refer to the terminal itself, as long as the terminal includes a function of implementing the device. Referring to Figure 5, the device includes:
  • the key negotiation unit 501 is configured to negotiate, between the terminal and the network device, a key for encrypting and decrypting the verification information, where the verification information is used to verify that the terminal or the user is in the process of executing the specific service in the target application. Message of identity or authority;
  • the cryptographic verification information obtaining unit 502 is configured to receive verification information that the network device encrypts the verification information by using the key;
  • the decrypting unit 503 is configured to decrypt the encrypted verification information by using the negotiated key to obtain verification information.
  • the service execution unit 504 is configured to use the verification information to verify the identity or authority of the terminal or the user during the execution of the specific service process by the target application.
  • the function of the key agreement unit 501 and the decryption unit 503 is performed by the target application, that is, the target application performs the negotiation with the network device for verification.
  • the key of the certificate information and the decrypted authentication information are decrypted using the negotiated key.
  • the function of the key agreement unit 501 and the decryption unit 503 is performed by a security application, that is, the security application executes the negotiation of a key for verifying information with the network device and the Decrypting the encrypted verification information by using the negotiated key;
  • the key negotiation unit 501 is specifically configured to: negotiate, by using the security application, a key for verifying information with the network device, where the verification information is The device of the target application needs to be verified; the device further includes: a verification information providing unit 505, configured to provide the verification information to the target application by using the security application.
  • the target application invokes an interface provided by the security application to obtain the verification information from the security application.
  • the device further includes: a target legality verification unit 506, configured to verify validity of the target application by using the security application; in this case, the verification information providing unit 505 has only the target application. The verification information is provided to the target application only when it is legal.
  • the target legality verification unit 506 is specifically configured to determine, according to the signature of the target application, whether the target application is legal, and/or to determine whether the target application has permission to read the verification information.
  • the target legality verification unit 506 is specifically configured to determine, according to the signature of the target application, whether the target application belongs to a security application, or to determine, according to the signature of the target application, whether the target application belongs to a malicious application; if the target application belongs to a security application or does not belong to a malicious application, it is determined that the target application is legal.
  • the target legality verification unit 506 is specifically configured to determine whether the target application is the application corresponding to the network device that provides the verification information, and if so, to determine that the target application has permission to read the verification information.
  • the target legality verification unit 506 is specifically configured to determine whether the identifier carried in the verification information corresponds to a network device that provides verification information.
  • the device further includes a password verification unit 507, configured to acquire a password input by the user and determine, according to a password agreed with the user in advance, whether the password input by the user is correct; the verification information providing unit 505 provides the verification information to the target application only when the password input by the user is correct.
  • the pre-agreed password with the user refers to a password agreed between the security application and the user.
  • the application refers to a security application.
  • the key negotiation unit 501 is specifically configured to negotiate, by using the security application, a key for the verification information with the network device.
  • the device further includes: a verification information display unit 508, configured to display the decrypted verification information to the user by using the security application.
  • the device further includes a password verification unit 507, configured to acquire a password input by the user and determine, according to a password agreed with the user in advance, whether the password input by the user is correct; the verification information display unit 508 displays the verification information to the user only when the password input by the user is correct.
  • the pre-agreed password with the user refers to a password agreed between the security application and the user.
  • the target application includes instant messaging software, payment software, or e-commerce software.
  • the network device refers to a server, a gateway, or a proxy server that sends authentication information.
  • the network device learns that the terminal supports verification information in ciphertext form from a negotiation parameter concerning the terminal's verification information that was obtained in advance.
  • the key refers to a symmetric key, and the network device and the application encrypt and decrypt the verification information with the same key; or the key refers to an asymmetric key, and the network device encrypts the verification information with a public key while the application decrypts the encrypted verification information with the private key.
  • the terminal obtains the encrypted verification information from the network device by using a short message, a mail, or an instant messaging tool.
  • the device further includes a rights access unit 509, configured to support the application in directly accessing the communication channel to obtain the encrypted verification information, by using the permission the application holds to access that communication channel.
  • modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components of the embodiments may be combined into one module or unit or component, and further they may be divided into a plurality of sub-modules or sub-units or sub-components.
  • any combination of all the features disclosed in this specification (including the accompanying claims, the abstract and the drawings), and of all the processes or units of any method or device so disclosed, may be used.
  • Each feature disclosed in this specification (including the accompanying claims, the abstract and the drawings) may be replaced by alternative features that provide the same, equivalent or similar purpose.
  • the various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof.
  • a microprocessor or digital signal processor may be used in practice to implement some or all of the functionality of some or all of the means for implementing authentication information acquisition in accordance with embodiments of the present invention.
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • FIG. 6 shows a terminal, such as a smart terminal, that can implement an acquisition method of authentication information according to the present invention.
  • the terminal conventionally includes a processor 610 and a computer program product or computer readable medium in the form of a memory 620.
  • the memory 620 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM.
  • Memory 620 has a memory space 630 for program code 631 for performing any of the method steps described above.
  • storage space 630 for program code may include various program code 631 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • Such a computer program product is typically a portable or fixed storage unit as described with reference to FIG.
  • the storage unit may have a storage section, a storage space, and the like arranged similarly to the memory 620 in the terminal of FIG.
  • the program code can be compressed, for example, in an appropriate form.
  • the storage unit includes computer readable code 631', code that can be read by a processor, such as 610, which when executed by the terminal causes the terminal to perform various steps in the methods described above.

Abstract

Disclosed are a method and an apparatus for acquiring verification information. The method for acquiring verification information comprises: a terminal negotiates with a network device a key used for decrypting the verification information, the verification information being a message used for verifying an identity or right of the terminal or a user when a target application program executes a specific service; the network device encrypts the verification information by using the key and sends the encrypted verification information to the terminal; the terminal decrypts the encrypted verification information by using the negotiated key and acquires the verification information; and, when the target application program executes the specific service, the identity or right of the terminal or the user is verified by using the verification information. The present invention can effectively ensure security when payment and other services are operated in an application program.

Description

Method and device for obtaining verification information

Technical field

The present invention relates to the field of network security technology, and in particular to a method and device for obtaining verification information.

Background art

In existing mobile services, users are often required to operate with verification information in order to guarantee the security of the service. Users can obtain verification information by SMS, e-mail or similar means. For example, when registering an account or making a payment with a mobile phone, the server needs to send an SMS to the current mobile number for identity verification, and such SMS messages are all sent in plaintext. However, some operating system platforms (for example Android) are currently rather open: any software can read SMS content at will once it has registered the SMS permission, which creates a great security risk.

In many authentication flows, and especially in payment, SMS verification on the mobile phone is the last line of security. Typically the server (the service provider, for example Alipay) sends, through an SMS gateway, a text message containing a numeric or character verification code to the mobile number the user previously bound. After receiving the message, the user enters the verification code from the SMS into the mobile APP or into the authentication or payment web page and submits it to the server. The server judges from the submitted verification code whether it really is this user who is performing the verification or payment operation.

The problem is that a mobile phone, as a personal item, does not keep its SMS messages as safe as the service provider and the user assume. Pick up any phone and look through every installed application, and you will find that many seemingly unrelated applications request permission to read SMS or even to send SMS. Evidently users pay no attention at all to the permissions held by the applications they install. A malicious Trojan application can silently read the verification code described above. On systems before Android 4.4 (at present the great majority of Android phones on the market), a Trojan can even, without root, delete the verification-code SMS after stealing it, so that the verification code is stolen without the user noticing at all.

Besides malicious Trojans that may steal verification-code SMS, another serious problem is that the phone may be lost. When a phone is lost, whoever obtains it can easily use the SMS password-recovery function to perform a great many operations, including changing the user's login password, making payments, transferring money and so on.

Summary of the invention

In view of the above problems, the present invention is proposed in order to provide a method and device for obtaining verification information that overcome, or at least partially solve, the above problems.

According to one aspect of the present invention, a method for obtaining verification information is provided, comprising: a terminal negotiates with a network device a key used to encrypt and decrypt the verification information, where the verification information is a message used to verify the identity or authority of the terminal or the user while a target application executes a specific service; the network device encrypts the verification information with the key and sends the encrypted verification information to the terminal; the terminal decrypts the encrypted verification information with the negotiated key and obtains the verification information; and, while the target application executes the specific service, the identity or authority of the terminal or the user is verified using the verification information.

According to another aspect of the present invention, a device for obtaining verification information is provided, comprising: a key negotiation unit, configured to negotiate between the terminal and a network device a key used to encrypt and decrypt the verification information, where the verification information is a message used to verify the identity or authority of the terminal or the user while a target application executes a specific service; an encrypted verification information acquiring unit, configured to receive the verification information that the network device has encrypted with the key; a decryption unit, configured to decrypt the encrypted verification information with the negotiated key and obtain the verification information; and a service execution unit, configured to verify the identity or authority of the terminal or the user using the verification information while the target application executes the specific service.

According to yet another aspect of the present invention, a computer program is provided, comprising computer-readable code which, when run on a terminal, causes the terminal to perform the method for obtaining verification information described above.

According to a further aspect of the present invention, a computer-readable medium is provided, on which the computer program described above is stored.

It can be seen from the above embodiments that, compared with the prior art, the beneficial effect of the present invention is as follows: the verification information is encrypted on the basis of a key negotiated between the application and the network device, and the application reads the encrypted verification information directly and then uses the decrypted verification information to carry out the service. In other words, only this application can decrypt the verification information, which is in ciphertext form; a malicious application such as a Trojan, even if it can obtain the verification information, cannot use it because it is ciphertext. This effectively guarantees the security of service operations such as payment carried out in the application.

In addition, the present invention defends well against attack methods such as GSM (Global System for Mobile Communications) signal eavesdropping and SIM (Subscriber Identity Module) card cloning, because with the encrypted verification information of the present invention an attacker using GSM eavesdropping, SIM cloning or similar schemes obtains only the ciphertext, has no way to obtain the plaintext, and therefore cannot continue the attack.

The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be understood more clearly and implemented according to the contents of the specification, and in order to make the above and other objects, features and advantages of the present invention more evident and easier to understand, specific embodiments of the present invention are set out below.

Brief description of the drawings

Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings the same reference symbols denote the same components. In the drawings:

FIG. 1 shows a flowchart of a method for obtaining verification information according to an embodiment of the present invention;

FIG. 2 shows a flowchart of Example one of the method for obtaining verification information according to an embodiment of the present invention;

FIG. 3 shows a flowchart of Example two of the method for obtaining verification information according to an embodiment of the present invention;

FIG. 4 shows a flowchart of Example three of the method for obtaining verification information according to an embodiment of the present invention;

FIG. 5 shows a schematic structural diagram of a device for obtaining verification information according to an embodiment of the present invention;

FIG. 6 shows a block diagram of a terminal for performing the method for obtaining verification information according to the present invention; and

FIG. 7 shows a storage unit for holding or carrying program code that implements the method for obtaining verification information according to the present invention.

Specific embodiments

Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the present disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.

Referring to FIG. 1, the flowchart of the method for obtaining verification information provided by an embodiment of the present invention, the method comprises the following steps:

S101: the terminal negotiates with the network device a key used to encrypt and decrypt the verification information, where the verification information is a message used to verify the identity or authority of the terminal or the user while the target application executes a specific service;

S102: the network device encrypts the verification information with the key and sends the encrypted verification information to the terminal;

S103: the terminal decrypts the encrypted verification information with the negotiated key and obtains the verification information;

S104: while the target application executes the specific service, the identity or authority of the terminal or the user is verified using the verification information.

In the present invention, a terminal is a terminal with a communication function, for example a smartphone. A network device is a server, gateway or proxy server that sends the verification information for the service of the target application. A target application is an application that needs to verify the verification information in order to carry out a service (business), including but not limited to communication software, payment software or e-commerce software, for example the currently popular Alipay software, WeChat and so on. Executing a specific service in the target application means carrying out a payment, login, download or other service in the target application after the identity or authority of the terminal or the user has been verified with the verification information. Steps S101 and S103 above may be performed by the target application or by a security application, as described in detail in the following examples.

It will be understood that the verification information is the information the target application's server issues for verifying the user's identity in the target application. The way the verification information is obtained is not limited; at present it is commonly obtained by SMS, but the present invention places no restriction on this, and obtaining it by e-mail, an instant messaging tool or similar means is equally feasible.

One condition for implementing the embodiments of the present invention is that the application holds the permission to access the communication channel through which the verification information is obtained. For example, if the terminal receives the verification information by SMS, the application must hold the permission to access the verification SMS; it then uses its own SMS-access permission to read the SMS directly and obtain the encrypted verification information. Only then can step S103 be performed to decrypt the encrypted SMS and finally obtain the decrypted verification information.

In the solution of the present invention, the key is determined by key negotiation between the application and the network device, and the verification information is encrypted with the negotiated key. Those skilled in the art know that keys can be divided into symmetric and asymmetric keys. Symmetric-key encryption, also called private-key or session-key encryption, means that the sender and the receiver of a message use the same key to encrypt and decrypt the data. Its greatest advantage is fast encryption and decryption, which suits large volumes of data, but key management is difficult. An asymmetric-key encryption system, also called public-key encryption, uses different keys for encryption and decryption: one is published openly (the public key) and the other is kept secret by the user (the private key). The sender encrypts with the public key and the receiver decrypts with the private key. The public-key mechanism is flexible, but encryption and decryption are much slower than with symmetric keys. In the present invention the key may be a symmetric key or an asymmetric key. With a symmetric key, the network device and the application use the same key to encrypt and decrypt the verification information; with an asymmetric key, the network device encrypts the verification information with the public key and the application decrypts the encrypted verification information with the private key.

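The exchange of steps S101 to S104 written out for both sides, as an added example that is not code from the patent or from any product of its applicants. The page leaves the negotiation method open; this example assumes X25519 for the symmetric case, derives the AES-256 key by hashing the shared secret with SHA-256, seals the code with AES-256-GCM on the network-device side, and shows the asymmetric variant with RSA-OAEP. The sender identifier `networkDeviceID` and the code values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

// Constructed identifier of the sending network device. It is bound into the
// ciphertext as associated data, so a message re-labelled as coming from a
// different sender fails to open. The page only says the verification
// information carries an identifier; this value is an assumption.
const networkDeviceID = "sms-gateway-proxy-01"

// negotiateKey models step S101 for the symmetric case: the terminal application
// and the network device each generate an X25519 key pair, exchange public keys
// and derive the same AES-256 key. Only the public values cross the network.
// Hashing a label and the shared secret with SHA-256 is a simplification for
// this example; a real deployment would use a proper KDF.
func negotiateKey() (appKey, deviceKey []byte, err error) {
	curve := ecdh.X25519()
	appPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	devPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	appShared, err := appPriv.ECDH(devPriv.PublicKey()) // application: own private, peer public
	if err != nil {
		return nil, nil, err
	}
	devShared, err := devPriv.ECDH(appPriv.PublicKey()) // network device: the mirror image
	if err != nil {
		return nil, nil, err
	}
	ak := sha256.Sum256(append([]byte("verification-key:"), appShared...))
	dk := sha256.Sum256(append([]byte("verification-key:"), devShared...))
	return ak[:], dk[:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptCode is step S102: the network device seals the verification code with
// AES-256-GCM under the negotiated key. Output layout: nonce || ciphertext || tag.
func encryptCode(key []byte, code string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(code), []byte(networkDeviceID)), nil
}

// decryptCode is step S103. Anything that can read the SMS store but lacks the
// negotiated key (the Trojan of the page's threat model) gets an error here,
// and so does anyone who altered the message in transit.
func decryptCode(key []byte, msg []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(msg) < gcm.NonceSize() {
		return "", errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(networkDeviceID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// verifyCode is step S104: the code the user submits is compared in constant
// time with the one the application decrypted.
func verifyCode(expected, submitted string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1
}

// roundTripRSA is the asymmetric variant the page also allows: the network
// device encrypts to the application's public key with RSA-OAEP and only the
// holder of the private key can recover the code.
func roundTripRSA(code string) (string, error) {
	appPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	label := []byte(networkDeviceID)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &appPriv.PublicKey, []byte(code), label)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, appPriv, ct, label)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	appKey, devKey, err := negotiateKey()
	if err != nil {
		panic(err)
	}
	sms, _ := encryptCode(devKey, "483921")      // network device side
	code, _ := decryptCode(appKey, sms)           // target application side
	_, leak := decryptCode(make([]byte, 32), sms) // SMS reader without the key
	fmt.Printf("app decrypted %q, verify=%v, reader without key fails=%v\n",
		code, verifyCode(code, "483921"), leak != nil)
}
```

The associated data ties each message to the sender, which is the check the page later describes as "whether the identifier carried in the verification information corresponds to the network device". One caveat the page does not spell out: the negotiation in this example is unauthenticated, so in practice the exchanged public values must be bound to the identity of the APP server or gateway (for example by running the negotiation over an authenticated channel), otherwise the protection reduces to whoever sits between the two parties during negotiation.
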
It can thus be seen that the present invention encrypts the verification information on the basis of a key negotiated between the application and the network device, and the application reads the encrypted verification information directly and uses the decrypted verification information to carry out the service; that is, only this application can decrypt the verification information in ciphertext form. A malicious application such as a Trojan, even if it can obtain the verification information, cannot use it because it is ciphertext, which effectively guarantees the security of service operations such as payment carried out in the application.

In addition, the present invention defends well against attack methods such as GSM signal eavesdropping and SIM card cloning, because with the encrypted verification information of the present invention an attacker using such schemes obtains only the ciphertext, has no way to obtain the plaintext and therefore cannot continue the attack.

The embodiments of the present invention are described in detail below by way of several examples.

Example one

Referring to FIG. 2, the flowchart of the method for obtaining verification information provided by Example one comprises:

S201: the target application on the terminal negotiates with the network device a key for the verification information;

S202: the network device encrypts the verification information with the key and sends the encrypted verification information to the terminal;

S203: the target application decrypts the encrypted verification information with the negotiated key and obtains the verification information.

Here the target application is the application that needs to verify the verification information in order to carry out a service; it will be understood, then, that the network device is the server, gateway or proxy server that sends the verification information for the service of the target application.

The following explanation uses the example of obtaining the verification information by mobile phone SMS.

First, the APP installed on the user's phone (the target APP) and the network device negotiate a key in some manner. The network device is the functional entity on the network side that corresponds to the verification information, and it can take several forms. Specifically, the APP may negotiate the key directly with the APP server, which then sends the ciphertext SMS; it may negotiate the key with the SMS gateway, which sends the ciphertext SMS; or it may go through a proxy server of the SMS gateway, which is responsible for negotiating the key and sending the ciphertext SMS. Those skilled in the art know that the SMS service is controlled by the operator, so when the APP server wants to send the terminal a verification SMS for the APP service, it is generally sent over the operator's SMS service line; in general, therefore, key negotiation has to be done through the SMS gateway or an SMS gateway proxy server, although, as stated above, it can also be done with the APP server.

Then, when the network device sends an SMS to the user's phone, it encrypts it with the negotiated key.

Finally, the user receives the encrypted verification SMS on the phone, and the APP automatically fetches the SMS in the background and decrypts it to obtain the real verification code.

For example, if the APP in this example is the Alipay software, then the Alipay software on the phone first needs to negotiate a verification-code key with the network device (the Alipay server, the SMS gateway or the SMS gateway proxy server). When the user performs a service such as a payment, a verification code is required; at this point the network device encrypts the verification code with the pre-agreed key and sends it to the user's phone. Finally, what the user receives by SMS on the phone is a verification SMS in ciphertext form, while the Alipay software on the phone reads that ciphertext SMS directly from the background, reads it using the pre-agreed key to obtain the decrypted verification code, and finally verifies it and completes the service.

It can be seen that, because what the phone receives is an encrypted SMS, nothing other than the target APP can read the verification information, which effectively solves the problem of verification SMS being stolen by malware such as Trojans.

Example two

参见图3,为实例二提供的验证信息的获取方法的流程图,包括:Referring to FIG. 3, a flowchart of a method for obtaining verification information provided by example 2 includes:

S301:安全应用程序与网络设备协商用于验证信息的密钥,其中,验证信息是在目标应用程序的业务中需要被验证的信息;S301: The security application negotiates, with the network device, a key used for verifying the information, where the verification information is information that needs to be verified in the service of the target application;

S302:网络设备利用密钥对验证信息进行加密,并将加密的验证信息发送给终端;S302: The network device encrypts the verification information by using a key, and sends the encrypted verification information to the terminal.

S303:安全应用程序利用协商的密钥对加密的验证信息进行解密,获得验 证信息;S303: The security application decrypts the encrypted verification information by using the negotiated key, and obtains the verification. Certificate information;

S304:安全应用程序将验证信息提供给所述目标应用程序,和/或,安全应用程序将验证信息展示给用户。S304: The security application provides verification information to the target application, and/or the security application presents the verification information to the user.

其中,目标应用程序是指需要验证所述验证信息从而进行业务的应用程序;那么可以理解,网络设备是指发送用于目标应用程序的业务的验证信息的服务器、网关或代理服务器。The target application refers to an application that needs to verify the verification information to perform a service; then, it can be understood that the network device refers to a server, a gateway, or a proxy server that transmits verification information for a service of a target application.

该实例二与上述实例一区别在于,通过引入一个安全应用程序,为各个目标应用程序统一管理验证信息。具体的,由这个安全应用程序与网络设备进行密钥协商,并且仅由这个安全应用程序可以读取并解密验证信息,并且由这个安全应用程序将解密的验证信息提供给目标应用程序。The second example differs from the above example in that the verification information is uniformly managed for each target application by introducing a security application. Specifically, the security application performs key agreement with the network device, and the authentication information can be read and decrypted only by the security application, and the decrypted verification information is provided by the security application to the target application.

The following description uses obtaining verification information by mobile phone SMS as an example.

The difference from example one is that a security APP needs to be installed on the user's mobile phone.

First, the security APP and the network device negotiate a key. A network device is a functional entity on the network side that corresponds to the verification information, and it can take several forms. Specifically, the security APP may negotiate the key directly with the target APP server, which then sends the ciphertext SMS; it may negotiate the key with the SMS gateway, which sends the ciphertext SMS; or it may go through a proxy server of the SMS gateway, with the proxy server responsible for negotiating the key and sending the ciphertext SMS. Those skilled in the art understand that the SMS service is controlled by the carrier, so when the target APP server needs to send a verification SMS for the target APP's service to a terminal, the message is generally sent over the carrier's SMS service line. In the general case, therefore, key negotiation needs to go through the SMS gateway or an SMS gateway proxy server, although, as noted above, it can also be performed with the target APP server itself.

Then, when the network device sends the SMS to the user's mobile phone, it encrypts the message with the negotiated key.

Next, the user receives the encrypted verification SMS on the mobile phone; only this security APP can decrypt it and display it to the user.

Finally, the target APP obtains the decrypted verification SMS through the interface provided by the security APP.

It can be seen that when another APP needs to read the corresponding SMS, it no longer obtains the message through the SMS interface of the mobile operating system, but through the interface provided by the security APP. The security APP is responsible for verifying the legitimacy of the APP that attempts to call the interface (verifying the APP's signature, and determining that the SMS indeed belongs to that APP; for example, only the WeChat APP may read a verification-code SMS sent by the WeChat server), and it provides the verification information to the target APP only when the target APP is legitimate.

The security APP's verification of the target APP's legitimacy includes: determining from the target APP's signature whether the target APP is legitimate, and/or determining whether the target APP has permission to read the verification information. Specifically, determining whether the target APP is legitimate includes: determining from the target APP's signature whether the target APP belongs to the safe APPs (white APPs), or determining from the target APP's signature whether the target APP belongs to the malicious APPs (black APPs); if the target APP belongs to the safe APPs, or does not belong to the malicious APPs, the target APP is determined to be legitimate. It will be understood that the white APP and black APP lists are obtained in advance and stored on the mobile phone, whether by manual configuration, by fetching over the network, or otherwise. Specifically, determining whether the target APP has permission to read the verification information includes: determining whether the target APP is the application corresponding to the network device that provides the verification information, and if so, determining that the target APP has permission to read the verification information. In particular, this is done by determining whether an identifier carried in the verification information corresponds to the network device that provides it, for example by checking the number from which the SMS was sent.

For example, suppose the target APP in this example is the WeChat software. The security APP on the mobile phone (for example, 360 Secure Address Book) first needs to negotiate a verification-code key with the network device (the WeChat server, the SMS gateway, or an SMS gateway proxy server). When the user carries out a service such as a payment, a verification code is required; at that point the network device encrypts the verification code with the pre-agreed key and sends it to the user's mobile phone. Next, what the user receives by SMS on the mobile phone is a verification message in ciphertext form; the security APP on the phone reads that ciphertext SMS directly in the background, decrypts it with the pre-agreed key to obtain the verification code, and displays the plaintext verification code to the user. Finally, if required, WeChat obtains the plaintext verification code from the interface provided by the security APP.

It can be seen that, because what the mobile phone receives is an encrypted SMS, no application other than the security APP can read the verification information, and the security APP provides the verification SMS to an APP only after verifying that the target APP is legitimate, which effectively solves the problem of verification SMS being stolen by malicious software such as Trojans. Moreover, compared with example one, example two can also display the plaintext verification information to the user, which covers the case where the verification code is requested through a PC browser, that is, where the user operates the target APP's service on a PC.

Example three

Referring to FIG. 4, the method for obtaining verification information provided by example three includes the following steps:

S401: The security application negotiates with the network device a key for the verification information, where the verification information is information that needs to be verified in a service of the target application;

S402: The network device encrypts the verification information with the key and sends the encrypted verification information to the terminal;

S403: The security application decrypts the encrypted verification information with the negotiated key to obtain the verification information;

S404: Obtain the password entered by the user and determine, from a password agreed in advance with the user, whether the entered password is correct;

S405: When the password entered by the user is correct, the security application provides the verification information to the target application, and/or the security application displays the verification information to the user.

Here the target application is the application that needs to verify the verification information in order to carry out a service; accordingly, the network device is the server, gateway, or proxy server that sends the verification information for the target application's service.

Example three is similar to example two: a security application is introduced to manage verification information centrally for all target applications. Specifically, this security application performs the key negotiation with the network device, only this security application can read and decrypt the verification information, and this security application provides the decrypted verification information to the target application. The difference from example two is that, before the verification information is displayed to the user or provided to the target application, the user must enter a password agreed in advance with the security application.

The following description uses obtaining verification information by mobile phone SMS as an example.

A security APP needs to be installed on the user's mobile phone.

First, the security APP and the network device negotiate a key. A network device is a functional entity on the network side that corresponds to the verification information, and it can take several forms. Specifically, the security APP may negotiate the key directly with the target APP server, which then sends the ciphertext SMS; it may negotiate the key with the SMS gateway, which sends the ciphertext SMS; or it may go through a proxy server of the SMS gateway, with the proxy server responsible for negotiating the key and sending the ciphertext SMS. Those skilled in the art understand that the SMS service is controlled by the carrier, so when the target APP server needs to send a verification SMS for the target APP's service to a terminal, the message is generally sent over the carrier's SMS service line. In the general case, therefore, key negotiation needs to go through the SMS gateway or an SMS gateway proxy server, although, as noted above, it can also be performed with the target APP server itself.

Then, when the network device sends the SMS to the user's mobile phone, it encrypts the message with the negotiated key.

Next, the user receives the encrypted verification SMS on the mobile phone, and the security APP decrypts it.

Then, when the user wants to view the decrypted verification SMS, or the target APP needs to read it, the user must enter the password agreed in advance with the security APP.

Finally, the target APP displays the decrypted verification SMS to the user, or the target APP obtains the decrypted verification SMS through the interface provided by the security APP.

It can be seen that when another APP needs to read the corresponding SMS, it no longer obtains the message through the SMS interface of the mobile operating system, but through the interface provided by the security APP. The security APP is responsible for verifying the legitimacy of the APP that attempts to call the interface (verifying the APP's signature, and determining that the SMS indeed belongs to that APP; for example, only the WeChat APP may read a verification-code SMS sent by the WeChat server), and it provides the verification information to the target APP only when the target APP is legitimate.

The security APP's verification of the target APP's legitimacy includes: determining from the target APP's signature whether the target APP is legitimate, and/or determining whether the target APP has permission to read the verification information. Specifically, determining whether the target APP is legitimate includes: determining from the target APP's signature whether the target APP belongs to the safe APPs (white APPs), or determining from the target APP's signature whether the target APP belongs to the malicious APPs (black APPs); if the target APP belongs to the safe APPs, or does not belong to the malicious APPs, the target APP is determined to be legitimate. It will be understood that the white APP and black APP lists are obtained in advance and stored on the mobile phone, whether by manual configuration, by fetching over the network, or otherwise. Specifically, determining whether the target APP has permission to read the verification information includes: determining whether the target APP is the application corresponding to the network device that provides the verification information, and if so, determining that the target APP has permission to read the verification information. In particular, this is done by determining whether an identifier carried in the verification information corresponds to the network device that provides it, for example by checking the number from which the SMS was sent.

For example, suppose the target APP in this example is the bank payment platform that Amazon links to. The security APP on the mobile phone (for example, 360 Secure Address Book) first needs to negotiate a verification-code key with the network device (the bank payment platform's server, the SMS gateway, or an SMS gateway proxy server). When the user carries out a service such as a payment, a verification code is required; at that point the network device encrypts the verification code with the pre-agreed key and sends it to the user's mobile phone. Next, what the user receives by SMS on the mobile phone is a verification message in ciphertext form; the security APP on the phone reads that ciphertext SMS directly in the background and decrypts it with the pre-agreed key to obtain the verification code. After the user enters the correct password, the plaintext verification code is displayed to the user. Finally, if required, the bank payment platform obtains the plaintext verification code from the interface provided by the security APP.

It can be seen that, because what the mobile phone receives is an encrypted SMS, no application other than the security APP can read the verification information, and the security APP provides the verification SMS to an APP only after verifying that the target APP is legitimate, which effectively solves the problem of verification SMS being stolen by malicious software such as Trojans. Moreover, like example two, example three can also display the plaintext verification information to the user, which covers the case where the verification code is requested through a PC browser, that is, where the user operates the target APP's service on a PC. In addition, compared with example two, example three displays the verification information to the user, or provides it to the target APP, only after the user has entered the correct password, which further protects the verification information: with the double safeguard of ciphertext verification information and a user password, the verification information remains secure even if the mobile phone is lost.
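The checks that examples two and three add on top of the encrypted channel (the signature-based white and black lists, the correspondence between the sender number and the APP the code belongs to, and the user password gate of S404/S405) can be written as one small policy module. The Go code below is an added example, not the patent's or its assignee's implementation; the package names, certificate digests, the sender number 10690001 and the password are constructed sample values, and the "signature" is modelled as a SHA-256 digest of the APP's signing certificate as reported by the operating system, which is an assumption about the platform.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Caller is the APP calling the security APP's interface. Its "signature" is
// modelled as the SHA-256 digest of the APP's signing certificate (assumed to
// be reported by the operating system for the calling package).
type Caller struct {
	Package string
	Cert    [32]byte
}

// VerificationSMS is a message the security APP has already decrypted, with
// the sender number it arrived from.
type VerificationSMS struct {
	Sender string
	Code   string
}

// SecurityApp holds the lists the text says are obtained in advance and stored
// on the phone, plus the digest of the password agreed with the user.
type SecurityApp struct {
	White           map[string][32]byte // package -> expected cert digest (white APPs)
	Black           map[[32]byte]bool   // cert digests known to be malicious (black APPs)
	Senders         map[string]string   // sender number -> package whose codes it sends
	AllowUnlisted   bool                // accept callers that are merely not black-listed
	RequirePassword bool                // example three: gate release on the user password
	pwHash          [32]byte
}

var (
	ErrNotLegit     = errors.New("caller is not a legitimate APP")
	ErrNoPermission = errors.New("verification code does not belong to the caller")
	ErrBadPassword  = errors.New("wrong user password")
)

// Fingerprint is the digest of certificate bytes used as the "signature".
func Fingerprint(cert []byte) [32]byte { return sha256.Sum256(cert) }

// SetPassword stores only a digest of the agreed password. SHA-256 keeps the
// example dependency-free; a deployment would use a slow password hash.
func (s *SecurityApp) SetPassword(pw string) { s.pwHash = sha256.Sum256([]byte(pw)) }

// IsLegit is the signature check. A package on the white list must present its
// expected digest; any other caller passes only if unlisted callers are
// allowed and its digest is not on the black list.
func (s *SecurityApp) IsLegit(c Caller) bool {
	if want, ok := s.White[c.Package]; ok {
		return subtle.ConstantTimeCompare(want[:], c.Cert[:]) == 1
	}
	return s.AllowUnlisted && !s.Black[c.Cert]
}

// HasPermission checks that the sender number maps to the calling package, so
// an APP can read only the codes sent by its own network device.
func (s *SecurityApp) HasPermission(c Caller, sms VerificationSMS) bool {
	return s.Senders[sms.Sender] == c.Package
}

// CheckPassword compares password digests in constant time.
func (s *SecurityApp) CheckPassword(entered string) bool {
	h := sha256.Sum256([]byte(entered))
	return subtle.ConstantTimeCompare(h[:], s.pwHash[:]) == 1
}

// Release is the interface the target APP calls (S304 / S405). The plaintext
// code leaves the security APP only when every enabled check passes.
func (s *SecurityApp) Release(c Caller, sms VerificationSMS, entered string) (string, error) {
	if !s.IsLegit(c) {
		return "", ErrNotLegit
	}
	if !s.HasPermission(c, sms) {
		return "", ErrNoPermission
	}
	if s.RequirePassword && !s.CheckPassword(entered) {
		return "", ErrBadPassword
	}
	return sms.Code, nil
}

// NewSampleApp builds a security APP from constructed sample data: one
// white-listed chat APP, one black-listed digest and one known sender number.
func NewSampleApp() *SecurityApp {
	s := &SecurityApp{
		White:           map[string][32]byte{"com.example.chat": Fingerprint([]byte("chat-signing-cert"))},
		Black:           map[[32]byte]bool{Fingerprint([]byte("known-bad-cert")): true},
		Senders:         map[string]string{"10690001": "com.example.chat"},
		RequirePassword: true,
	}
	s.SetPassword("agreed-secret")
	return s
}

func main() {
	s := NewSampleApp()
	sms := VerificationSMS{Sender: "10690001", Code: "483920"} // constructed sample
	chat := Caller{Package: "com.example.chat", Cert: Fingerprint([]byte("chat-signing-cert"))}
	fmt.Println(s.Release(chat, sms, "agreed-secret"))
}
```

One design choice departs from the literal "on the white list, or not on the black list": a caller whose package name is white-listed but whose signature does not match is rejected outright instead of falling through to the black-list test, so that a repackaged APP reusing a legitimate package name cannot pass on the strength of an unfamiliar signature; the black-list fallback applies only to packages the security APP has no entry for, and only when AllowUnlisted is set. The two checks cover different risks: the signature check alone would let a legitimate but unrelated APP read another service's code, and the sender check alone would trust any caller claiming the right package name.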

Corresponding to the above method, the present invention also provides an apparatus for obtaining verification information. The apparatus may be implemented in hardware, in software, or in a combination of the two. The apparatus may be a functional module inside a terminal or the terminal itself, provided the terminal includes the functions that implement the apparatus. Referring to FIG. 5, the apparatus includes:

a key negotiation unit 501, configured to negotiate, between the terminal and the network device, a key for encrypting and decrypting verification information, where the verification information is a message used to verify the identity or authority of the terminal or the user while the target application executes a specific service;

an encrypted verification information obtaining unit 502, configured to receive verification information that the network device has encrypted with the key;

a decryption unit 503, configured to decrypt the encrypted verification information with the negotiated key to obtain the verification information; and

a service execution unit 504, configured to use the verification information to verify the identity or authority of the terminal or the user while the target application executes the specific service.

Preferably, in one scheme, the functions of the key negotiation unit 501 and the decryption unit 503 are performed by the target application; that is, the target application negotiates the key for the verification information with the network device and decrypts the encrypted verification information with the negotiated key.

Preferably, in another scheme, the functions of the key negotiation unit 501 and the decryption unit 503 are performed by a security application; that is, the security application negotiates the key for the verification information with the network device and decrypts the encrypted verification information with the negotiated key. The key negotiation unit 501 is then specifically configured to use the security application to negotiate with the network device a key for the verification information, where the verification information is information that needs to be verified in a service of the target application; and the apparatus further includes a verification information providing unit 505, configured to use the security application to provide the verification information to the target application.

The target application calls an interface provided by the security application to obtain the verification information from the security application.

Optionally, the apparatus further includes a target legitimacy verification unit 506, configured to use the security application to verify the legitimacy of the target application; in this case, the verification information providing unit 505 provides the verification information to the target application only when the target application is legitimate.

The target legitimacy verification unit 506 is specifically configured to determine from the signature of the target application whether the target application is legitimate, and/or to determine whether the target application has permission to read the verification information.

Specifically, the target legitimacy verification unit 506 is configured to determine from the signature of the target application whether the target application is a safe application, or to determine from the signature of the target application whether the target application is a malicious application, and to determine that the target application is legitimate if it is a safe application or is not a malicious application.

Specifically, the target legitimacy verification unit 506 is configured to determine whether the target application is the application corresponding to the network device that provides the verification information and, if so, to determine that the target application has permission to read the verification information.

Specifically, the target legitimacy verification unit 506 is configured to determine whether an identifier carried in the verification information corresponds to the network device that provides the verification information.

Preferably, in another scheme, the apparatus further includes a password verification unit 507, configured to obtain a password entered by the user and to determine, from a password agreed in advance with the user, whether the entered password is correct; the verification information providing unit 505 provides the verification information to the target application only when the password entered by the user is correct.

The password agreed in advance with the user is a password agreed between the security application and the user.

Preferably, in another scheme, the application is a security application; the key negotiation unit 501 is specifically configured to use the security application to negotiate with the network device a key for the verification information; and the apparatus further includes a verification information display unit 508, configured to use the security application to display the decrypted verification information to the user.

Optionally, the apparatus further includes a password verification unit 507, configured to obtain a password entered by the user and to determine, from a password agreed in advance with the user, whether the entered password is correct; the verification information display unit 508 displays the verification information to the user only when the password entered by the user is correct.

The password agreed in advance with the user is a password agreed between the security application and the user.

The target application includes instant messaging software, payment software, or e-commerce software.

The network device is a server, gateway, or proxy server that sends verification information.

The network device learns that the terminal supports ciphertext verification information from negotiation parameters concerning the terminal's verification information that it obtained in advance.

The key is a symmetric key, and the network device and the application use the same key to encrypt and decrypt the verification information; or the key is an asymmetric key, the network device encrypts the verification information with a public key, and the application decrypts the encrypted verification information with the private key.

The terminal obtains the encrypted verification information from the network device by SMS, e-mail, or an instant messaging tool.

Preferably, the apparatus further includes a permission access unit 509, configured to support the application in using its own permission to access that communication channel, so that it accesses the channel directly to obtain the encrypted verification information.

It should be noted that:

The algorithms and displays provided herein are not inherently related to any particular computer, virtual device, or other apparatus. Various general-purpose devices may also be used in accordance with the teachings herein. The structure required to construct such devices is apparent from the above description. Furthermore, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in a variety of programming languages, and that the description above of specific languages is given in order to disclose the best mode of the invention.

Numerous specific details are set forth in the description provided herein. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures, and techniques have not been shown in detail so as not to obscure the understanding of this description.

Similarly, it should be understood that, in order to streamline this disclosure and aid in understanding one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof in the above description of exemplary embodiments of the invention. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.

Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units, or components of an embodiment may be combined into one module, unit, or component, and may further be divided into a plurality of sub-modules, sub-units, or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract, and drawings), and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract, and drawings) may be replaced by an alternative feature serving the same, an equivalent, or a similar purpose.

Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of these. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of an apparatus for obtaining verification information according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program or a computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

For example, FIG. 6 shows a terminal, such as a smart terminal, that can implement the method for obtaining verification information according to the present invention. The terminal conventionally includes a processor 610 and a computer program product or computer-readable medium in the form of a memory 620. The memory 620 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM, a hard disk, or ROM. The memory 620 has a storage space 630 for program code 631 that performs any of the method steps described above. For example, the storage space 630 for program code may include individual program codes 631, each implementing one of the steps of the methods above. The program code may be read from or written to one or more computer program products. Such computer program products include program code carriers such as hard disks, compact discs (CDs), memory cards, or floppy disks. Such a computer program product is typically a portable or fixed storage unit as described with reference to FIG. 7. The storage unit may have storage segments, storage spaces, and the like arranged similarly to the memory 620 in the terminal of FIG. 6. The program code may, for example, be compressed in a suitable form. Typically, the storage unit includes computer-readable code 631', that is, code that can be read by a processor such as 610 and that, when run by the terminal, causes the terminal to perform the steps of the methods described above.

应该注意的是上述实施例对本发明进行说明而不是对本发明进行限制,并且本领域技术人员在不脱离所附权利要求的范围的情况下可设计出替换实施例。在权利要求中,不应将位于括号之间的任何参考符号构造成对权利要求的限制。单词“包含”不排除存在未列在权利要求中的元件或步骤。位于元件之前的单词“一”或“一个”不排除存在多个这样的元件。本发明可以借助于包括有若干不同元件的硬件以及借助于适当编程的计算机来实现。在列举了若干装置的单元权利要求中,这些装置中的若干个可以是通过同一个硬件项来具体体现。单词第一、第二、以及第三等的使用不表示任何顺序。可将这些单词解释为名称。 It is to be noted that the above-described embodiments are illustrative of the invention and are not intended to be limiting, and that the invention may be devised without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as a limitation. The word "comprising" does not exclude the presence of the elements or steps that are not recited in the claims. The word "a" or "an" The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means can be embodied by the same hardware item. The use of the words first, second, and third does not indicate any order. These words can be interpreted as names.

Claims (42)

1. A method for acquiring verification information, comprising:
a terminal negotiating with a network device a key for encrypting and decrypting the verification information, the verification information being a message used to verify the identity or authority of the terminal or of the user while a target application executes a specific service;
the network device encrypting the verification information with the key and sending the encrypted verification information to the terminal;
the terminal decrypting the encrypted verification information with the negotiated key to obtain the verification information; and
while the target application executes the specific service, using the verification information to verify the identity or authority of the terminal or of the user.

2. The method of claim 1, wherein the steps of negotiating the key for the verification information with the network device and of decrypting the encrypted verification information with the negotiated key are performed by the target application on the terminal.

3. The method of claim 1, wherein the steps of negotiating the key for the verification information with the network device and of decrypting the encrypted verification information with the negotiated key are performed by a security application on the terminal;
the terminal negotiating the key for the verification information with the network device comprises the security application negotiating the key for the verification information with the network device; and
after the terminal decrypts the encrypted verification information with the negotiated key to obtain the verification information, the method further comprises the security application providing the verification information to the target application.

4. The method of claim 3, wherein the target application calls an interface provided by the security application to obtain the verification information from the security application.

5. The method of claim 3, further comprising: the security application verifying the legitimacy of the target application, the verification information being provided to the target application only if the target application is legitimate.

6. The method of claim 5, wherein the security application verifying the legitimacy of the target application comprises: determining from the signature of the target application whether the target application is legitimate, and/or determining whether the target application has permission to read the verification information.

7. The method of claim 6, wherein determining whether the target application is legitimate comprises: determining from the signature of the target application whether it belongs to a security application, or determining from the signature of the target application whether it belongs to a malicious application; the target application is determined to be legitimate if it belongs to a security application or does not belong to a malicious application.

8. The method of claim 6, wherein determining whether the target application has permission to read the verification information comprises: determining whether the target application is the application corresponding to the network device that provided the verification information and, if so, determining that the target application has permission to read the verification information.

9. The method of claim 8, wherein determining whether the target application is the application corresponding to the network device that provided the verification information comprises: determining whether an identifier carried in the verification information corresponds to the network device that provided the verification information.

10. The method of claim 3, further comprising, before the security application provides the verification information to the target application: obtaining a password entered by the user and determining, from a password agreed with the user in advance, whether the entered password is correct; the security application provides the verification information to the target application only if the entered password is correct.

11. The method of claim 10, wherein the password agreed with the user in advance is a password agreed between the security application and the user.

12. The method of claim 1, wherein the steps of negotiating the key for the verification information with the network device and of decrypting the encrypted verification information with the negotiated key are performed by a security application on the terminal;
the terminal negotiating the key for the verification information with the network device comprises the security application negotiating the key for the verification information with the network device; and
after the terminal decrypts the encrypted verification information with the negotiated key to obtain the verification information, the method further comprises the security application displaying the decrypted verification information to the user.

13. The method of claim 12, further comprising, before the security application displays the decrypted verification information to the user: obtaining a password entered by the user and determining, from a password agreed with the user in advance, whether the entered password is correct; the security application displays the verification information to the user only if the entered password is correct.

14. The method of claim 13, wherein the password agreed with the user in advance is a password agreed between the security application and the user.

15. The method of claim 1, further comprising, before the network device encrypts the verification information with the key: the network device learning, from negotiation parameters concerning the terminal's verification information obtained in advance, that the terminal supports ciphertext verification information.

16. The method of claim 1, wherein the key is a symmetric key, the network device and the terminal using the same key to encrypt and decrypt the verification information; or the key is an asymmetric key, the network device encrypting the verification information with a public key and the terminal decrypting the encrypted verification information with the private key.

17. The method of claim 1, wherein the terminal obtains the encrypted verification information from the network device through a communication channel of SMS, e-mail or an instant messaging tool.

18. The method of claim 17, further comprising, after the terminal obtains the encrypted verification information from the network device: the target application or the security application, using its own permission to access the communication channel, accessing the communication channel directly to obtain the encrypted verification information.

19. The method of any one of claims 1 to 18, wherein the target application comprises instant messaging software, payment software or e-commerce software.

20. The method of any one of claims 1 to 18, wherein the network device is a server, gateway or proxy server that sends the verification information.

21. An apparatus for acquiring verification information, comprising:
a key negotiation unit for negotiating, between a terminal and a network device, a key for encrypting and decrypting the verification information, the verification information being a message used to verify the identity or authority of the terminal or of the user while a target application executes a specific service;
an encrypted verification information acquisition unit for receiving verification information that the network device has encrypted with the key;
a decryption unit for decrypting the encrypted verification information with the negotiated key to obtain the verification information; and
a service execution unit for using the verification information to verify the identity or authority of the terminal or of the user while the target application executes the specific service.

22. The apparatus of claim 21, wherein the negotiation of the key for the verification information with the network device and the decryption of the encrypted verification information with the negotiated key are performed by the target application.

23. The apparatus of claim 21, wherein the negotiation of the key for the verification information with the network device and the decryption of the encrypted verification information with the negotiated key are performed by a security application on the terminal;
the key negotiation unit is specifically configured to negotiate the key for the verification information with the network device by means of the security application; and
the apparatus further comprises a verification information providing unit for providing the verification information to the target application by means of the security application.

24. The apparatus of claim 23, wherein the target application calls an interface provided by the security application to obtain the verification information from the security application.

25. The apparatus of claim 23, further comprising a target legitimacy verification unit for verifying the legitimacy of the target application by means of the security application; the verification information providing unit provides the verification information to the target application only if the target application is legitimate.

26. The apparatus of claim 25, wherein the target legitimacy verification unit is specifically configured to determine from the signature of the target application whether the target application is legitimate, and/or to determine whether the target application has permission to read the verification information.

27. The apparatus of claim 26, wherein the target legitimacy verification unit is specifically configured to determine from the signature of the target application whether it belongs to a security application, or to determine from the signature of the target application whether it belongs to a malicious application, and to determine that the target application is legitimate if it belongs to a security application or does not belong to a malicious application.

28. The apparatus of claim 26, wherein the target legitimacy verification unit is specifically configured to determine whether the target application is the application corresponding to the network device that provided the verification information and, if so, to determine that the target application has permission to read the verification information.

29. The apparatus of claim 28, wherein the target legitimacy verification unit is specifically configured to determine whether an identifier carried in the verification information corresponds to the network device that provided the verification information.

30. The apparatus of claim 23, further comprising a password verification unit for obtaining a password entered by the user and determining, from a password agreed with the user in advance, whether the entered password is correct; the verification information providing unit provides the verification information to the target application only if the entered password is correct.

31. The apparatus of claim 30, wherein the password agreed with the user in advance is a password agreed between the security application and the user.

32. The apparatus of claim 21, wherein the negotiation of the key for the verification information with the network device and the decryption of the encrypted verification information with the negotiated key are performed by a security application on the terminal;
the key negotiation unit is specifically configured to negotiate the key for the verification information with the network device by means of the security application; and
the apparatus further comprises a verification information display unit for displaying the decrypted verification information to the user by means of the security application.

33. The apparatus of claim 32, further comprising a password verification unit for obtaining a password entered by the user and determining, from a password agreed with the user in advance, whether the entered password is correct; the verification information display unit displays the verification information to the user only if the entered password is correct.

34. The apparatus of claim 33, wherein the password agreed with the user in advance is a password agreed between the security application and the user.

35. The apparatus of claim 21, wherein the network device learns, from negotiation parameters concerning the terminal's verification information obtained in advance, that the terminal supports ciphertext verification information.

36. The apparatus of claim 21, wherein the key is a symmetric key, the network device and the application using the same key to encrypt and decrypt the verification information; or the key is an asymmetric key, the network device encrypting the verification information with a public key and the application decrypting the encrypted verification information with the private key.

37. The apparatus of claim 21, wherein the terminal obtains the encrypted verification information from the network device through a communication channel of SMS, e-mail or an instant messaging tool.

38. The apparatus of claim 37, further comprising a permission access unit for enabling the application, using its own permission to access the communication channel, to access the communication channel directly to obtain the encrypted verification information.

39. The apparatus of any one of claims 21 to 38, wherein the target application comprises instant messaging software, payment software or e-commerce software.

40. The apparatus of any one of claims 21 to 38, wherein the network device is a server, gateway or proxy server that sends the verification information.

41. A computer program comprising computer-readable code which, when run on a terminal, causes the terminal to perform the method of any one of claims 1 to 20.

42. A computer-readable medium storing the computer program of claim 41.
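The claimed flow worked end to end, as an added example; this is the editor's simulation, not code from the patent or from its assignee. A NetworkDevice negotiates a per-terminal key with a SecurityApp by Diffie-Hellman, seals a verification code under that key with its own sender identifier as authenticated data, and sends the result as an SMS-like text. The SecurityApp reads the text from its own inbox (claim 18), checks the calling application's signing-certificate fingerprint (claims 6 and 7), the user's password (claims 10 and 11) and whether the sender identifier matches the server the caller is bound to (claims 8 and 9), and only then returns the code through its interface (claim 4). Everything concrete is an assumption of this example: the RFC 3526 group 14 parameters, the HMAC-SHA256 encrypt-then-MAC construction standing in for AES-GCM so that only the standard library is needed, the names pay-server, com.example.pay and com.example.shop, the PIN 4711, the code 839201 and the constructed certificate fingerprints.

```python
import hashlib
import hmac
import secrets

# Claims 1/3: Diffie-Hellman over the RFC 3526 2048-bit MODP group 14 (the group choice is this example's).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G, Q = 2, (P - 1) // 2   # safe prime: G generates the subgroup of prime order Q

def dh_keypair():
    priv = secrets.randbits(256) | 1   # a 256-bit exponent is ample for this group
    return priv, pow(G, priv, P)

def dh_shared_key(priv, peer_pub):
    # Reject degenerate and small-subgroup values before exponentiating with our secret.
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("invalid DH public value")
    return hmac.new(b"otp-channel-v1", pow(peer_pub, priv, P).to_bytes(256, "big"), hashlib.sha256).digest()

# Claim 16, symmetric variant: encrypt-then-MAC from HMAC-SHA256 (stdlib only; use AES-GCM in production).
def _xor_stream(key, nonce, data):   # HMAC in counter mode as the keystream, domain "enc"
    ks = b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(key, aad, nonce, ct):   # domain "mac"; aad is length-prefixed so (aad, ct) splits are unambiguous
    return hmac.new(key, b"mac" + len(aad).to_bytes(2, "big") + aad + nonce + ct, hashlib.sha256).digest()

def seal(key, aad, plaintext):   # aad = sender identifier: authenticated, sent in the clear
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _tag(key, aad, nonce, ct)

def open_box(key, aad, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, aad, nonce, ct)):
        raise ValueError("verification message failed authentication")
    return _xor_stream(key, nonce, ct)

class NetworkDevice:   # the server of claim 20: one negotiated key per terminal
    def __init__(self, server_id):
        self.server_id, self.keys = server_id, {}
    def negotiate(self, terminal_id, terminal_pub):
        priv, pub = dh_keypair()
        self.keys[terminal_id] = dh_shared_key(priv, terminal_pub)
        return pub
    def send_code(self, terminal_id, code):   # SMS text: sender id (claim 9) + sealed code (claim 17)
        sealed = seal(self.keys[terminal_id], self.server_id.encode(), code.encode())
        return f"{self.server_id}|{sealed.hex()}"

class SecurityApp:   # the security application of claims 3-11 and 18
    def __init__(self, terminal_id, user_pin, trusted_apps):
        self.terminal_id, self.keys, self.inbox = terminal_id, {}, []
        self.pin_hash = hashlib.sha256(user_pin.encode()).digest()   # real app: KDF or keystore
        self.trusted_apps = trusted_apps   # package -> (signing-cert fingerprint, bound server id)
    def negotiate(self, server):
        priv, pub = dh_keypair()
        self.keys[server.server_id] = dh_shared_key(priv, server.negotiate(self.terminal_id, pub))
    def get_code(self, caller_pkg, caller_cert_fp, pin):
        # Claim 4 interface. caller_pkg/caller_cert_fp must come from the OS package manager, not the caller.
        fp, bound_server = self.trusted_apps.get(caller_pkg, (None, None))
        if fp is None or not hmac.compare_digest(fp, caller_cert_fp):
            raise PermissionError("caller signature not trusted")   # claims 6-7
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash):
            raise PermissionError("wrong user password")   # claims 10-11
        for text in self.inbox:
            sender, hexblob = text.split("|", 1)
            if sender == bound_server and sender in self.keys:   # claims 8-9
                return open_box(self.keys[sender], sender.encode(), bytes.fromhex(hexblob)).decode()
        raise LookupError("no verification message for this application")

FP = {n: "sha256:" + hashlib.sha256(f"constructed {n} signing cert".encode()).hexdigest()
      for n in ("pay", "shop")}   # constructed stand-ins for APK signing-certificate fingerprints

def run_scenario():
    server = NetworkDevice("pay-server")
    app = SecurityApp("phone-1", "4711", {"com.example.pay": (FP["pay"], "pay-server"),
                                           "com.example.shop": (FP["shop"], "shop-server")})
    app.negotiate(server)
    app.inbox.append(server.send_code("phone-1", "839201"))   # claim 18: read via the app's own SMS permission
    results = {}
    for name, args in {"legit": ("com.example.pay", FP["pay"], "4711"),
                       "bad_sig": ("com.example.pay", "sha256:deadbeef", "4711"),
                       "bad_pin": ("com.example.pay", FP["pay"], "0000"),
                       "other_server": ("com.example.shop", FP["shop"], "4711")}.items():
        try:
            results[name] = "released: " + app.get_code(*args)
        except (PermissionError, LookupError) as e:
            results[name] = f"denied: {e}"
    return results
```

`run_scenario()` returns one entry per attempt: the legitimate caller gets `released: 839201`, while a wrong signature, a wrong PIN and a trusted app bound to a different server are refused. The check that matters most in practice is the one the code cannot do for you: `caller_pkg` and `caller_cert_fp` must be obtained from the OS package manager for the calling process, because a fingerprint reported by the caller itself defeats claims 6 and 7 entirely. The SMS channel stays readable by any application holding the SMS permission, which is exactly why the code is sealed before it is sent; the authenticated sender identifier is what lets the security application bind a message to the one application entitled to it.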
PCT/CN2015/080315 2014-05-30 2015-05-29 Method and apparatus for acquiring verification information Ceased WO2015180689A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410240511.0A CN105142139B (en) 2014-05-30 2014-05-30 Method and device for obtaining verification information
CN201410240511.0 2014-05-30

Publications (1)

Publication Number Publication Date
WO2015180689A1 true WO2015180689A1 (en) 2015-12-03

Family

ID=54698134

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/080315 Ceased WO2015180689A1 (en) 2014-05-30 2015-05-29 Method and apparatus for acquiring verification information

Country Status (2)

Country Link
CN (2) CN105142139B (en)
WO (1) WO2015180689A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110040033A (en) * 2019-04-04 2019-07-23 西安中力科技有限公司 A method of realizing that electric vehicle and charging pile binding are runed
CN112507302A (en) * 2020-12-10 2021-03-16 支付宝(杭州)信息技术有限公司 Calling party identity authentication method and device based on cryptographic module execution
CN114173328A (en) * 2021-12-06 2022-03-11 中国电信股份有限公司 Key exchange method and device and electronic equipment

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10841754B2 (en) 2015-12-31 2020-11-17 Huawei Technologies Co., Ltd. Verification code obtaining method and apparatus, and terminal
CN106330877B (en) * 2016-08-18 2019-07-05 福建联迪商用设备有限公司 It is a kind of to authorize the method and system converted to the SOT state of termination
CN110022536A (en) * 2018-01-08 2019-07-16 中国移动通信有限公司研究院 Verification information processing method, communication equipment, business platform and storage medium
CN112384913B (en) * 2018-05-09 2024-10-18 斯追普公司 Terminal hardware configuration system
CN109525565B (en) * 2018-11-01 2021-04-30 石豫扬 Defense method and system for short message interception attack
CN112566124B (en) * 2019-09-25 2024-06-18 紫光同芯微电子有限公司 Key generation and encryption and decryption method and device and SIM card chip
CN114339630B (en) * 2021-11-30 2023-07-21 度小满科技(北京)有限公司 Method and device for protecting short message
CN117768851B (en) * 2023-12-27 2025-06-10 小米汽车科技有限公司 Vehicle position determining method and device, terminal, vehicle and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101145908A (en) * 2006-09-14 2008-03-19 华为技术有限公司 System, device and method for ensuring business network security
CN102780674A (en) * 2011-05-09 2012-11-14 同方股份有限公司 Method and system for processing network service by utilizing multifactor authentication method
CN103414707A (en) * 2013-07-31 2013-11-27 中国联合网络通信集团有限公司 Message access processing method and device

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2551113C (en) * 2003-12-23 2011-11-01 Wachovia Corporation Authentication system for networked computer applications
CN101242404B (en) * 2007-02-08 2011-05-25 联想(北京)有限公司 A validation method and system based on heterogeneous network
CN101262349A (en) * 2008-04-17 2008-09-10 华为技术有限公司 Method and device for identity authentication based on short message
CN102200922B (en) * 2011-04-06 2013-12-11 宇龙计算机通信科技(深圳)有限公司 Application program installation method and terminal
CN103037323B (en) * 2012-07-11 2015-09-23 江苏省南京市南京公证处 Based on random code verification system and the verification method thereof of mobile terminal
CN102958022A (en) * 2012-11-23 2013-03-06 深圳市朗科科技股份有限公司 Short message verification method, device and system
CN103679452A (en) * 2013-06-20 2014-03-26 腾讯科技(深圳)有限公司 Payment authentication method, device thereof and system thereof
CN103428221B (en) * 2013-08-26 2017-04-05 百度在线网络技术(北京)有限公司 Safe login method, system and device to Mobile solution
CN103781064A (en) * 2014-01-02 2014-05-07 张鹏 Short message verification system and verification method

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110040033A (en) * 2019-04-04 2019-07-23 西安中力科技有限公司 A method of realizing that electric vehicle and charging pile binding are runed
CN112507302A (en) * 2020-12-10 2021-03-16 支付宝(杭州)信息技术有限公司 Calling party identity authentication method and device based on cryptographic module execution
CN112507302B (en) * 2020-12-10 2024-04-19 支付宝(杭州)信息技术有限公司 Calling party identity authentication method and device based on execution of cryptographic module
CN114173328A (en) * 2021-12-06 2022-03-11 中国电信股份有限公司 Key exchange method and device and electronic equipment

Also Published As

Publication number Publication date
CN105142139B (en) 2019-02-12
CN105142139A (en) 2015-12-09
CN109451495A (en) 2019-03-08

Similar Documents

Publication Publication Date Title
CN105207774B (en) The cryptographic key negotiation method and device of verification information
US11265319B2 (en) Method and system for associating a unique device identifier with a potential security threat
WO2015180689A1 (en) Method and apparatus for acquiring verification information
CN103229452B (en) The identification of mobile hand-held device and communication authentication
KR101904177B1 (en) Data processing method and apparatus
CN111615105B (en) Information provision and acquisition method, device and terminal
CN102196375B (en) Securing out-of-band messages
CN106533665B (en) Mthods, systems and devices for storing website private key plaintext
US20180082050A1 (en) Method and a system for secure login to a computer, computer network, and computer website using biometrics and a mobile computing wireless electronic communication device
US9954834B2 (en) Method of operating a computing device, computing device and computer program
CN108234115B (en) Information security verification method, device and system
WO2019020051A1 (en) METHOD AND APPARATUS FOR SECURITY AUTHENTICATION
TW201251482A (en) Apparatus and methods for storing electronic access clients
WO2017097041A1 (en) Data transmission method and device
WO2019085531A1 (en) Method and device for network connection authentication
CN104200176A (en) System and method for carrying out transparent encryption and decryption on file in intelligent mobile terminal
CN105024813B (en) A kind of exchange method of server, user equipment and user equipment and server
US8495383B2 (en) Method for the secure storing of program state data in an electronic device
KR101358375B1 (en) Prevention security system and method for smishing
CN107135074B (en) An advanced security method and apparatus
CN113672973B (en) Database system for embedded devices based on RISC-V architecture based on trusted execution environment
CN104994498A (en) Method and system for interaction between terminal application and mobile phone card application
KR102053993B1 (en) Method for Authenticating by using Certificate
CN110008654A (en) Electronic document treating method and apparatus
WO2015176364A1 (en) Payment method, mobile terminal and subscriber identity module, and computer storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15799059

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15799059

Country of ref document: EP

Kind code of ref document: A1