TWI526871B - Server, user device, and user device and server interaction method - Google Patents


Publication number
TWI526871B
Authority
TW
Taiwan
Prior art keywords
server
user equipment
website
signature
information
Application number
TW104111785A
Other languages
Chinese (zh)
Other versions
TW201539239A (en)
Inventor
Hai Zhao
yan-jun Xu
Fang Chen
Hao Zhou
Ming Zhang
Ming Zhou

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Information Transfer Between Computers (AREA)

Description

Server, user equipment, and interaction method between user equipment and server

The present invention relates to network security, and in particular to a server, a user equipment, and a method of interaction between a user equipment and a server.

The authenticity of a website can be checked by installing anti-phishing client software or a browser plug-in on the client. This approach includes static identification and dynamic identification. Static identification usually maintains a blacklist of malicious websites on the server side, built from user reports, network scanning and the like. The method is widely used and cheap to implement, but because phishing websites keep appearing, the blacklist has narrow coverage and is updated too slowly, which leads to a high false-negative rate for malicious websites. Dynamic identification builds a behaviour analysis model of a website based on its domain name, images, page scripts and so on, and checks the authenticity of the website in real time while the user browses the page. Compared with the traditional static method its identification efficiency is improved, but because website forgery techniques keep evolving, dynamic identification still produces false positives and false negatives. Moreover, because dynamic identification is implemented in software, it is easily interfered with and blocked by malicious programs such as Trojans, so its reliability is low.

A server capable of sending website authentication information to a user equipment is provided. The server stores at least one or more user equipment public keys and a server private key, and is configured to perform the following process: receive a user equipment signature and a user equipment signature element via a website, and receive website information from the website; determine from the website information whether the website is authenticated; when the website is determined to be authenticated, determine the user equipment public key from the user equipment signature element and use that public key to verify the user equipment signature; when the verification succeeds, encrypt the website authentication information with a dynamic password and sign the encrypted website authentication information with the server private key to obtain a server signature; and send the server signature, the encrypted website authentication information serving as the server signature element, and server information to the user equipment via the website, so that the user equipment can obtain the server public key based on the server information and verify the server signature.

A user equipment capable of receiving website authentication information from a server is provided. The user equipment stores at least one or more server public keys and a user equipment private key, and is configured to perform the following process: generate a user equipment signature over a user equipment signature element using the user equipment private key, and send the user equipment signature and the user equipment signature element to the server via a website; receive from the server, via the website, the server signature, the encrypted website authentication information serving as the server signature element, and server information; obtain the server public key based on the server information and verify the server signature; and, when the verification succeeds, decrypt the encrypted website authentication information using a dynamic password.

A method of interaction between a user equipment and a server is provided, the server storing at least one or more user equipment public keys and a server private key. The method includes: the server receives a user equipment signature and a user equipment signature element via a website, and receives website information from the website; the server determines from the website information whether the website is authenticated; when the website is determined to be authenticated, the server determines the user equipment public key from the user equipment signature element and uses that public key to verify the user equipment signature; when the verification succeeds, the server encrypts the website authentication information with a dynamic password and signs the encrypted website authentication information with the server private key to obtain a server signature; and the server sends the server signature, the encrypted website authentication information serving as the server signature element, and server information to the user equipment via the website, so that the user equipment can obtain the server public key based on the server information and verify the server signature.

A method of interaction between a user equipment and a server is provided, the user equipment storing at least one or more server public keys and a user equipment private key. The method includes: the user equipment generates a user equipment signature over a user equipment signature element using the user equipment private key, and sends the user equipment signature and the user equipment signature element to the server via a website; the user equipment receives from the server, via the website, the server signature, the encrypted website authentication information serving as the server signature element, and server information; the user equipment obtains the server public key based on the server information and verifies the server signature; and, when the verification succeeds, the user equipment decodes the encrypted website authentication information using a dynamic password.

According to one scenario of the embodiments, website authenticity is determined by a unified server, so the result is authentic and trustworthy.

According to one scenario of the embodiments, a mutually authenticated secure channel is established between the server and the user equipment, and the returned result is displayed by the user equipment, so the identification method is secure and reliable.

According to one scenario of the embodiments, the user is helped to judge the legitimacy of a website without affecting the online payment experience on the user equipment, and the identification process is quick and convenient.

According to one or more embodiments, on the physical link only the website can communicate with the back-end server; the verification information is passed through transparently via the security control and the website to the user equipment, and the intermediate hops cannot decrypt it.

According to one or more embodiments, decryption and display are performed by the security chip of the user equipment, which gives high reliability.

After reading the detailed description of the invention with reference to the drawings, those skilled in the art will understand the various aspects of the invention more clearly. Those skilled in the art should understand that the drawings are used only, together with the detailed description, to explain the technical solution of the invention and are not intended to limit its scope of protection.

FIG. 1 is a schematic diagram of the interaction architecture of a user equipment and a server according to an embodiment.

FIG. 2 is a schematic diagram of the interaction between a server and a user equipment according to an embodiment.

FIG. 3 is a schematic diagram of the interaction between a server and a user equipment according to an embodiment.

FIG. 4 is a flowchart of identifying a website according to an embodiment.

Specific embodiments of the invention are described in further detail below with reference to the drawings. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of one or more aspects of the embodiments. However, it will be apparent to those skilled in the art that one or more aspects of the embodiments may be practiced with a lesser degree of these specific details. In addition, although a particular feature or aspect of an embodiment may be disclosed with respect to only one of the embodiments, that feature or aspect may be combined with one or more features or aspects of other embodiments as may be desired and advantageous for any given or particular application. The following description is therefore not to be regarded as limiting; the scope of protection is defined by the appended claims.

FIG. 1 is a schematic diagram of the interaction architecture of the user equipment and the server. The interaction between the user equipment and the server takes place via a website. It can be based on mutual authentication, thereby establishing a secure channel. A server public key certificate and a user equipment public/private key pair can be configured in the user equipment, and a user equipment public key certificate and a server public/private key pair can be configured in the server, for mutual authentication.

In one example, the user equipment can be managed by the server, with the server public key certificate and the user equipment public/private key pair preset in it.

In one example, the user equipment may be a mobile communication device such as a mobile phone, or a personal computer.

In one example, a security chip can be installed in the user equipment, with the server public key certificate and the user equipment public/private key pair placed in the security chip. The security chip can also be located in a separate hardware device capable of communicating with the user equipment.

The interaction between the user equipment and the server can take place on the basis of the server having authenticated the website. In one example, the server issues a site certificate to each website that passes authentication and maintains a whitelist of authenticated websites.

The following is an illustrative example of the server authenticating a website: the website sends the server an application request for a "site certificate", and the request contains website identity information; after receiving the request, the server verifies the website identity information and determines whether the website is legitimate; if it is, the server issues the "site certificate", otherwise it rejects the application.

In one example, an authenticated website may add to its pages a mark indicating that the website supports authenticity identification.

In one example, the server can place a security control on the website, and the user equipment interacts with the server via that security control.

FIG. 2 is a schematic diagram of the interaction between a server and a user equipment according to an embodiment. In FIG. 2, the server stores at least one or more user equipment public keys and a server private key. The interaction between the server and the user equipment includes the server being configured to perform the following process: receive a user equipment signature and a user equipment signature element via the website, and receive website information from the website; determine from the website information whether the website is authenticated; when the website is determined to be authenticated, determine the user equipment public key from the user equipment signature element and use that public key to verify the user equipment signature; when the verification succeeds, encrypt the website authentication information with a dynamic password and sign the encrypted website authentication information with the server private key to obtain a server signature; and send the server signature, the encrypted website authentication information serving as the server signature element, and server information to the user equipment via the website, so that the user equipment can obtain the server public key based on the server information and verify the server signature.

In one example, the user equipment signature element is based on the user equipment serial number and a user signature timestamp, and the server is configured to determine the user equipment public key from the user equipment serial number.

In one example, the website information includes a site certificate that lets the server determine whether the website is authenticated, and the server is configured to determine whether the site certificate was issued by it.

A user equipment seed key can be placed in both the user equipment and the server and used to encrypt and decrypt the website authentication information. Thus, in one example, the server also stores one or more user equipment seed keys and is configured to generate the dynamic password based on the user equipment seed key.

In one example, the server is configured to receive authentication requests from one or more websites and to send a site certificate to the one or more websites after authentication passes; the server is configured to decide whether a website is suitable for the user equipment to visit by judging whether the site certificate from that website is genuine.

In one example, the server is configured to refuse to communicate with the website when it determines that the website is not authenticated.

In one example, the server is configured to notify the website of the verification result when the verification fails.

FIG. 3 is a schematic diagram of the interaction between a server and a user equipment according to an embodiment. In FIG. 3, the user equipment stores at least one or more server public keys and a user equipment private key. The interaction between the server and the user equipment includes the user equipment being configured to perform the following process: generate a user equipment signature over a user equipment signature element using the user equipment private key, and send the user equipment signature and the user equipment signature element to the server via the website; receive from the server, via the website, the server signature, the encrypted website authentication information serving as the server signature element, and server information; obtain the server public key based on the server information and verify the server signature; and, when the verification succeeds, decode the encrypted website authentication information using a dynamic password.

In one example, the user equipment signature element is based on the user equipment serial number and a user signature timestamp, and the user equipment is configured to determine the server public key from the server information.

In one example, the user equipment also stores a user equipment seed key and is configured to generate the dynamic password based on the user equipment seed key.

In one example, the decrypted website authentication information is displayed on the user equipment. The website authentication information can be used to tell the user whether the website is genuine.

FIG. 4 is a flowchart of identifying a website according to an embodiment.

In 1, the user equipment uses the "device private key" to sign information such as the device SN and the time, and sends the digital signature and the signed elements up to the website through the security control;

In 2, the website assembles a website authenticity identification request message in the agreed format and sends it up to the server. The message should contain at least the device signature information, the signed elements, and the "site certificate";

In 3, after receiving the request message, the server parses it and determines whether the submitted "site certificate" is valid;

In 4, if the "site certificate" is valid, the server looks up the corresponding "device public key" using the device SN as the index and determines whether the submitted device signature information is valid; otherwise it enters exception handling A;

In 5, if the device signature information is valid, the server assembles and returns a website authenticity identification response message: (1) it looks up the corresponding "device seed key" using the SN as the index, computes the current dynamic password, and encrypts the website authentication information with that dynamic password to form the "website authenticity credential"; (2) it signs the "website authenticity credential" with the "server private key"; (3) it assembles the message and returns it to the user equipment via the website and the security control; the response message should contain at least the server signature information, the signed elements, and the server information; otherwise it enters exception handling B;

In 6, after receiving the response message, the user equipment parses it and uses the preset "server public key" to determine whether the server signature information is valid;

In 7, if the server signature information is valid, the current dynamic password is computed from the preset "device seed key", the "website authenticity credential" is decrypted, and the website authentication information is displayed on the user equipment; otherwise it enters exception handling C.

Exception handling can be, for example: A: reject the website's request; B: reply to the website "non-legitimate user equipment"; C: display "non-legitimate website authenticity credential" on the user equipment.
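The FIG. 4 exchange as an added example that is not part of the patent text: a Go model of steps 1 to 7 and exception paths A to C. The patent names no algorithms, so Ed25519, the HMAC-SHA256 time-step dynamic password, AES-256-GCM, the timestamp freshness window, the opaque site-certificate string, the single preset server public key (standing in for the lookup by server information) and all identifiers and sample values are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed, not from the patent: Ed25519, HMAC-SHA256 time steps, AES-256-GCM.
const step = 30 // seconds per dynamic-password step (assumption)
var ErrA = errors.New("A: website request rejected")
var ErrB = errors.New("B: non-legitimate user equipment")
var ErrC = errors.New("C: non-legitimate website authenticity credential")

type Request struct { // assembled by the website in step 2
	SN, SiteCert string
	Time         int64
	Sig          []byte
}
type Response struct{ Credential, Sig []byte } // encrypted info + server signature
type Device struct {
	SN     string
	Priv   ed25519.PrivateKey
	Seed   []byte
	SrvPub ed25519.PublicKey // preset server public key
}
type Server struct {
	Priv    ed25519.PrivateKey
	DevPubs map[string]ed25519.PublicKey // device public keys by SN
	Seeds   map[string][]byte            // device seed keys by SN
	Sites   map[string]string            // issued site certificate -> site info
}

// elements encodes the signed elements: device SN and signature time.
func elements(sn string, t int64) []byte { return []byte(fmt.Sprintf("%s|%d", sn, t)) }

// aead derives the current dynamic password from the seed and keys the cipher.
func aead(seed []byte, now int64) cipher.AEAD {
	mac := hmac.New(sha256.New, seed)
	fmt.Fprintf(mac, "%d", now/step)
	blk, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key, cannot fail
	g, _ := cipher.NewGCM(blk)
	return g
}

func (d *Device) Sign(now int64) Request { // step 1
	return Request{SN: d.SN, Time: now, Sig: ed25519.Sign(d.Priv, elements(d.SN, now))}
}

func (s *Server) Handle(r Request, now int64) (Response, error) {
	info, ok := s.Sites[r.SiteCert] // step 3: was this certificate issued by us?
	if !ok {
		return Response{}, ErrA
	}
	pub, ok := s.DevPubs[r.SN] // step 4; the freshness window is an assumption
	if skew := now - r.Time; !ok || skew < -step || skew > step ||
		!ed25519.Verify(pub, elements(r.SN, r.Time), r.Sig) {
		return Response{}, ErrB
	}
	g := aead(s.Seeds[r.SN], now) // step 5 (1)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Response{}, err
	}
	cred := g.Seal(nonce, nonce, []byte(info), nil)        // nonce || ciphertext
	return Response{cred, ed25519.Sign(s.Priv, cred)}, nil // step 5 (2), (3)
}

func (d *Device) Verify(r Response, now int64) (string, error) {
	g, c := aead(d.Seed, now), r.Credential
	if !ed25519.Verify(d.SrvPub, c, r.Sig) || len(c) < g.NonceSize() { // step 6
		return "", ErrC
	}
	info, err := g.Open(nil, c[:g.NonceSize()], c[g.NonceSize():], nil) // step 7
	if err != nil {
		return "", ErrC
	}
	return string(info), nil
}

func setup() (*Server, *Device) { // constructed keys and sample records
	sPub, sPriv, _ := ed25519.GenerateKey(rand.Reader)
	dPub, dPriv, _ := ed25519.GenerateKey(rand.Reader)
	seed := make([]byte, 32)
	rand.Read(seed)
	return &Server{sPriv, map[string]ed25519.PublicKey{"SN-0001": dPub},
			map[string][]byte{"SN-0001": seed},
			map[string]string{"cert-shop": "authenticated site: shop.example"}},
		&Device{"SN-0001", dPriv, seed, sPub}
}

func main() {
	srv, dev := setup()
	req := dev.Sign(1700000000) // constructed clock value
	req.SiteCert = "cert-shop"  // attached by the website in step 2
	resp, _ := srv.Handle(req, 1700000000)
	fmt.Println(dev.Verify(resp, 1700000000))
}
```

A credential captured in one time step fails decryption in a later one because the derived key changes, which is the replay resistance the description attributes to the dynamic password.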

The above embodiments are based on an asymmetric cryptosystem and dynamic password technology, and identify website authenticity effectively by designing a secure channel. They have the following advantages. The "website authenticity credential" is highly trustworthy and resistant to forgery: it is generated by the server, and the server and the user equipment authenticate each other, so each can recognise a forged user equipment or back-end server. The "website authenticity credential" resists tampering and replay attacks: it is formed by encryption with a dynamic password, which prevents an attacker from tampering with it over the open Internet or replaying it after interception. The identification result is displayed intuitively and reliably: the user equipment shows the result directly, which effectively informs the user about the website currently being visited, and both decryption and display of the "website authenticity credential" can be done in the security chip, so they will not be hijacked or tampered with by malware such as Trojans. The barrier to use is low: the entire website authenticity identification flow is completed by the user equipment, the security control and the server working together.

Claims (14)

一種能夠向用戶設備發送網站認證資訊的伺服器,其特徵在於,該伺服器至少存儲一個或多個用戶設備公鑰、伺服器私鑰,該伺服器被配置成執行如下過程:經由網站接收用戶設備簽名、用戶設備簽名要素,並從該網站接收網站資訊,根據所述網站資訊判斷該網站是否經過認證,當確定該網站經過認證時,根據所述用戶設備簽名要素確定用戶設備公鑰,並利用所述用戶設備公鑰驗證所述用戶設備簽名,當所述驗證成功時,使用動態口令加密該網站認證資訊,並使用伺服器私鑰對經加密的網站認證資訊簽名得到伺服器簽名,以及將該伺服器簽名、作為伺服器簽名要素的經加密的網站認證資訊、伺服器資訊經由該網站發送至該用戶設備使得該用戶設備能夠基於所述伺服器資訊得到伺服器公鑰來驗證所述伺服器簽名。 A server capable of transmitting website authentication information to a user equipment, wherein the server stores at least one or more user equipment public keys and a server private key, the server being configured to perform a process of receiving a user via a website Device signature, user equipment signature element, and receiving website information from the website, determining whether the website is authenticated according to the website information, and determining that the website is authenticated, determining the user equipment public key according to the user equipment signature element, and Using the user equipment public key to verify the user equipment signature, when the verification is successful, encrypting the website authentication information by using a dynamic password, and using the server private key to sign the encrypted website authentication information to obtain a server signature, and Transmitting the server signature, the encrypted website authentication information as the server signature element, and the server information to the user equipment via the website, so that the user equipment can obtain the server public key based on the server information to verify the Server signature. 如申請專利範圍第1項所述的伺服器,其中,所述用戶設備簽名要素基於用戶設備序列號、用戶簽名時間戳,所述伺服器被配置成根據所述用戶設備序列號確定用戶設備公鑰。 The server of claim 1, wherein the user equipment signature element is based on a user equipment serial number, a user signature time stamp, and the server is configured to determine a user equipment public according to the user equipment serial number. key. 
如申請專利範圍第1項所述的伺服器,其中, 所述網站資訊包括用於讓伺服器判斷該網站是否經過認證的站點證書,所述伺服器被配置成判斷該站點證書是否由其簽發。 The server described in claim 1, wherein The website information includes a site certificate for causing the server to determine whether the website is authenticated, the server being configured to determine whether the site certificate is issued by it. 如申請專利範圍第1項所述的伺服器,其中,所述伺服器還存儲所述一個或多個用戶設備種子密鑰,所述伺服器被配置成基於所述用戶設備種子密鑰產生所述動態口令。 The server of claim 1, wherein the server further stores the one or more user equipment seed keys, the server being configured to generate a location based on the user equipment seed key Dynamic password. 一種能夠從伺服器接收網站認證資訊的用戶設備,其特徵在於,該用戶設備至少存儲一個或多個伺服器公鑰、用戶設備私鑰,該用戶設備被配置成執行如下過程:使用所述用戶設備私鑰基於用戶設備簽名要素產生用戶設備簽名,並將該用戶設備簽名、該用戶設備簽名要素經由網站發送至所述伺服器,經由網站從所述伺服器接收該伺服器簽名、作為伺服器簽名要素的經加密的網站認證資訊、伺服器資訊,基於所述伺服器資訊得到伺服器公鑰來驗證所述伺服器簽名,當所述驗證成功時,使用動態口令來解碼所述經加密的網站認證資訊。 A user equipment capable of receiving website authentication information from a server, wherein the user equipment stores at least one or more server public keys and a user equipment private key, the user equipment being configured to perform the process of using the user The device private key generates a user equipment signature based on the user equipment signature element, and sends the user equipment signature, the user equipment signature element to the server via a website, and receives the server signature from the server via a website as a server. Encrypted website authentication information, server information of the signature element, the server public key is used to verify the server signature based on the server information, and when the verification is successful, the dynamic password is used to decode the encrypted Website certification information. 
The user equipment of claim 5, wherein the user equipment signature element is based on a user equipment serial number and a user signature timestamp, and the user equipment is configured to determine the server public key according to the server information.

The user equipment of claim 5, wherein the user equipment further stores a user equipment seed key, and the user equipment is configured to generate the dynamic password based on the user equipment seed key.

A method for interaction between a user equipment and a server, characterized in that the server stores at least one or more user equipment public keys and a server private key, the method comprising: the server receiving a user equipment signature and a user equipment signature element via a website, and receiving website information from the website; the server determining, according to the website information, whether the website is authenticated; when the website is determined to be authenticated, the server determining a user equipment public key according to the user equipment signature element, and verifying the user equipment signature using the user equipment public key; when the verification succeeds, the server encrypting the website authentication information using a dynamic password, and signing the encrypted website authentication information with the server private key to obtain a server signature; and sending the server signature, the encrypted website authentication information as the server signature element, and server information to the user equipment via the website, so that the user equipment can obtain the server public key based on the server information to verify the server signature.

The method of claim 8, wherein the user equipment signature element is based on a user equipment serial number and a user signature timestamp, the method comprising: the server determining the user equipment public key according to the user equipment serial number.

The method of claim 8, wherein the website information includes a site certificate used by the server to determine whether the website is authenticated, the method comprising: the server determining whether the site certificate was issued by the server.

The method of claim 8, wherein the server further stores the one or more user equipment seed keys, the method comprising: the server generating the dynamic password based on the user equipment seed key.

A method for interaction between a user equipment and a server, characterized in that the user equipment stores at least one or more server public keys and a user equipment private key, the method comprising: the user equipment generating a user equipment signature from a user equipment signature element using the user equipment private key, and sending the user equipment signature and the user equipment signature element to the server via a website; the user equipment receiving, from the server via the website, the server signature, the encrypted website authentication information as the server signature element, and server information; the user equipment obtaining the server public key based on the server information to verify the server signature; and, when the verification succeeds, the user equipment using a dynamic password to decode the encrypted website authentication information.

The method of claim 12, wherein the user equipment signature element is based on a user equipment serial number and a user signature timestamp, the method comprising: the user equipment determining the server public key according to the server information.

The method of claim 12, wherein the user equipment further stores a user equipment seed key, the method comprising: the user equipment generating the dynamic password based on the user equipment seed key.
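The exchange in the server-side and user-equipment-side method claims above, as an added Go example that is not part of the patent: the server verifies the device signature, encrypts the website authentication information under the dynamic password, and signs the ciphertext; the device verifies that signature before decrypting. The claims name no algorithms, so Ed25519, AES-256-GCM, the HMAC-SHA256 derivation of the dynamic password from the seed key and the signature element, and the function names are all assumptions, and the site-certificate check is taken as already passed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// aead keys AES-256-GCM with an assumed dynamic password: HMAC-SHA256(seed key, signature element).
func aead(seed, elem []byte) cipher.AEAD {
	m := hmac.New(sha256.New, seed)
	m.Write(elem)
	b, _ := aes.NewCipher(m.Sum(nil)) // 32-byte key, so NewCipher cannot fail
	g, _ := cipher.NewGCM(b)
	return g
}

// ServerRespond (server-side claim): verify the device, encrypt with the dynamic password, sign the ciphertext.
func ServerRespond(devPub ed25519.PublicKey, srvPriv ed25519.PrivateKey, seed, elem, devSig, siteAuth []byte) ([]byte, []byte, error) {
	if !ed25519.Verify(devPub, elem, devSig) {
		return nil, nil, fmt.Errorf("device signature rejected")
	}
	nonce := make([]byte, 12) // 12 bytes is the standard GCM nonce size
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ct := aead(seed, elem).Seal(nonce, nonce, siteAuth, nil) // nonce || ciphertext || tag
	return ct, ed25519.Sign(srvPriv, ct), nil
}

// DeviceAccept (device-side claim): check the server signature first, then decrypt with the same dynamic password.
func DeviceAccept(srvPub ed25519.PublicKey, seed, elem, ct, sig []byte) ([]byte, error) {
	if len(ct) < 12 || !ed25519.Verify(srvPub, ct, sig) {
		return nil, fmt.Errorf("server signature rejected")
	}
	return aead(seed, elem).Open(nil, ct[:12], ct[12:], nil)
}

func main() {
	dPub, dPriv, _ := ed25519.GenerateKey(rand.Reader)
	sPub, sPriv, _ := ed25519.GenerateKey(rand.Reader)
	seed, elem := []byte("constructed-seed"), []byte("SN-0001|1428883200") // constructed sample values
	ct, sig, _ := ServerRespond(dPub, sPriv, seed, elem, ed25519.Sign(dPriv, elem), []byte("site-ok"))
	pt, err := DeviceAccept(sPub, seed, elem, ct, sig)
	fmt.Printf("%s %v\n", pt, err) // site-ok <nil>
}
```

Because the server signature covers the ciphertext, a relaying website that alters the response is rejected before any decryption is attempted, and a device holding a different seed key fails the GCM authentication check instead of producing garbage plaintext.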
TW104111785A 2014-04-15 2015-04-13 Server, user device, and user device and server interaction method TWI526871B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410149579.8A CN105024813B (en) 2014-04-15 2014-04-15 A kind of exchange method of server, user equipment and user equipment and server

Publications (2)

Publication Number Publication Date
TW201539239A (en) 2015-10-16
TWI526871B (en) 2016-03-21

Family

ID=54323479

Family Applications (1)

Application Number Title Priority Date Filing Date
TW104111785A TWI526871B (en) 2014-04-15 2015-04-13 Server, user device, and user device and server interaction method

Country Status (3)

Country Link
CN (1) CN105024813B (en)
TW (1) TWI526871B (en)
WO (1) WO2015158228A1 (en)

Also Published As

Publication number Publication date
CN105024813B (en) 2018-06-22
CN105024813A (en) 2015-11-04
WO2015158228A1 (en) 2015-10-22
TW201539239A (en) 2015-10-16
HK1217065A1 (en) 2016-12-16
