Background technology
The operation of existing mobile-phone payment software (comprise remote payment and near field pay) or important mobile phone client software is generally the user identity while by the cell-phone number of short message content authentication of users, realizing registration binding and payment authentication.Specific practice is: the cell-phone number of being claimed to the user by service end sends dynamic short-message verification code, requires this dynamic verification code of user's backfill, and whether the cell-phone number of identifying the active user with this is correct.And then whether the identity of identification active user's identity while binding with registration be consistent, judge the legitimacy of current operation.But the authentication mode of these existing note dynamic verification codes exists some shortcomings:
There is the possibility be replicated in SIM cards of mobile phones.Once SIM card is replicated, be equivalent to obtain the SIM cards of mobile phones of duplicate numbers, although the same time can only can normally receive calls by a card, but can be by the card that copies transmitting-receiving note, call and surf the Net.Like this,, there is larger risk in the identification authentication mode of existing note dynamic verification code.In addition, the information that SIM cards of mobile phones comprises mainly contains: ICCID, IMSI, KI, SMSP etc., as long as the people that these four information are had ulterior motives grasps, are easy to copy the SIM card that multiple numbers are identical.So the mode of simple checking dynamic verification code can not be avoided the risk that identity is falsely used and the operation of concluding the business is forged fully.Along with the technical threshold of the development that cracks technology and forgery is more and more lower, the risk of this pattern is increasing.
Therefore, how to avoid SIM cards of mobile phones to be replicated rear produced risk, also just become those skilled in the art's urgent problem.According to inventor's inspection information and research, find can produce larger risk after SIM cards of mobile phones is replicated, be mainly just to have used merely the relevant information (as ICCID, IMSI) of SIM card in present authentication method, other physical messages with uniqueness in mobile phone do not taken into account.Such as, the IMEI of mobile phone, IMEI (International Mobile Equipment Identity) is the abbreviation of International Mobile Equipment Identity code, international Mobile Equipment identification code, form " electronics string number " by 15 bit digital, it is corresponding one by one with every mobile phone, and this yard is that the whole world is unique.So, be badly in need of a kind of method of utilizing multinomial cellphone information to carry out authentication on market.
Summary of the invention
The object of the invention is to for the deficiencies in the prior art, provide a kind of safe and reliable, can effectively avoid SIM cards of mobile phones to be replicated the risk of rear generation, the registration binding based on the mobile phone hardware characteristic information easily realized and the method for authentication.
To achieve these goals, the present invention has adopted following technical scheme:
A kind of registration binding based on the mobile phone hardware characteristic information and the method for authentication comprise the following steps:
(1) set up authentication server after the Communication Gateway of common carrier, receive and process application registration binding and ID authentication request;
(2) user installs the client software that can gather the mobile phone hardware characteristic information on mobile phone, then in mobile phone open Mobile data communication access way state, and running client software;
(3) select the binding current phone as the user while registering certain applied business filling in personal information, client software reads the hardware characteristics information of current phone, then together with filled in personal information and encrypted message, by the wireless data communication function of mobile phone, to authentication server, submits the registration bind request to;
(4) when authentication server is received the registration bind request, obtain the MSISDN information of current phone simultaneously from communications protocol, after definite MSISDN information is legal, record safety-critical information and password and other personal information that mobile phone hardware characteristic information and MSISDN form, and safety-critical information is key element generating digital certificate, and adopt the symmetrical enciphering and deciphering algorithm of RSA rivest, shamir, adelman and AES256, set up the special communication channel with the cell-phone customer terminal communication, digital certificate transmission and private key and Transaction Information, determine the secure binding of this applied business and current phone,
(5) use corresponding applied business as the user, in the time of need to carrying out authentication, client software again reads hardware characteristics information and the operation requests of mobile phone and submits to authentication server simultaneously, authentication server obtains the MSISDN information of current phone simultaneously from communications protocol, after definite MSISDN information is legal, the password of the safety-critical information that checking mobile phone hardware characteristic information and MSISDN form and user's input, when the information recorded during with registration binding before when these information of password of safety-critical information and user input is consistent, judge that identity is legal, agree operation requests, when the information of record is inconsistent when these information of password of safety-critical information and user's input have one or more and registration binding before, judge that identity is illegal, the refusal operation requests.
Described client software is mobile phone hardware characteristic information acquisition software, can gather the physical message of mobile phone.This software can directly adopt the related software of having developed on market, also can self-developing, as long as can realize its function (gathering the physical message of mobile phone).
Described hardware characteristics information is including but not limited to ICCID, IMSI, IMEI, bluetooth MAC Address, WLAN MAC Address etc.
In the present invention, we take full advantage of the hardware characteristics information that possesses uniqueness (ICCID, IMSI, IMEI, bluetooth MAC Address, WLAN MAC Address) that multinomial mobile phone exists and the unmodifiable MSISDN information in communications protocol as safety-critical information, can effectively avoid SIM cards of mobile phones to be replicated rear produced risk, make us safe and reliable when carrying out authentication, repair and maintenance user's interests.
ICCID:(Integrate circuit card identity) integrated circuit card identification code (being solidificated in the factory's sequence number in SIM cards of mobile phones) is the unique identification number in the whole world of IC-card, has 20 bit digital and forms.Popular says, ICCID is exactly factory's sequence number of SIM card, refers to which card entity.
IMSI:(International Mobile Subscriber Identification Number) be the abbreviation of international mobile subscriber identity, it is difference mobile subscriber's sign, by 15 bit digital, formed, comprise the information such as wireless network number, mobile identification number, can be used for distinguishing mobile subscriber's effective information.Popular says, IMEI is exactly the mobile phone sequence number, refers to which concrete mobile phone.
IMEI (International Mobile Equipment Identity) is the abbreviation of International Mobile Equipment Identity code, international Mobile Equipment identification code, form " electronics string number " by 15 bit digital, it is corresponding one by one with every mobile phone, and this yard is that the whole world is unique.Popular says, IMEI is exactly the mobile phone sequence number, refers to which concrete mobile phone.
Bluetooth MAC Address, WLAN MAC Address: MAC(Media Access Control) address is the position for define grid equipment.In osi model, the three-layer network layer is responsible for the IP address, and second layer data link layer is responsible for the MAC address.Therefore a main frame has an IP address, and each network site has a MAC address that is specific to it.Bluetooth equipment on mobile phone and wlan device are a kind of of the network equipment, have exclusive, unique MAC Address.
MSISDN:(Mobile Subscriber International ISDN/PSTN number) be mobile user comprehensive service digital net number, abbreviation) refer to that the calling subscriber is the number of calling out required group an of mobile subscriber in GSM PLMN, i.e. mobile subscriber's phone number.This number is to obtain from the Communication Gateway of wireless data and the communications protocol between application server, have anti-assume another's name, anti-tamper characteristic.
Above-mentioned multinomial information all has global uniqueness, can form safe information combination, as long as have one or multinomial information not meet (owing to changing mobile phone, change SIM card, the number of changing causes), just requires to re-start registration binding checking; By the checking to these four information and password, can fundamentally solve that SIM card is replicated and the risk brought.
And in the method for the invention, owing to adopting operator's charging communications protocol, be that basic MSISDN obtains and verification technique, when mobile phone is lost, can realize saving from damage accordingly demand by operator's application, suspending Communications service, turn up service again after mobile phone is given for change, or change after mobile phone binding again and can recover normal use; The greatly user friendly while, can guarantee in time account number safety again.In addition, owing to using high level digital certificate, also guaranteed that communication channel is safe.
Advantage of the present invention:
1. reliable, devoid of risk safely.Method of the present invention is based on mobile phone multinomial not reproducible globally unique physical medium information and carries out identification, assumes another's name after can effectively avoiding SIM card to be replicated, the risk of pseudo-manufacturing operation.Utilize the combination of the multinomial hardware characteristics information of mobile phone to realize the representative of not reproducible globally unique physical medium as identity, add that password authentification just can realize safe identification and authentication; Stopped due to copy SIM card relevant assume another's name, the illegal operation such as forgery.
2. easily realize, hardware characteristics information is used in conjunction with each other, practical.Adopting operator's charging communications protocol is that basic MSISDN obtains and verification technique, when mobile phone is lost, by operator's application, suspending Communications service, can realize saving from damage accordingly demand.Stopped because mobile phone is lost the relevant illegal operation of assuming another's name.
3. applied range.Method of the present invention can be applied in mobile phone remote payment, the payment of mobile phone near field or some application when key message is changed the authentication that need to carry out.
Embodiment
Below in conjunction with specific embodiment, the present invention is further described.
Embodiment 1:
A kind of registration binding based on the mobile phone hardware characteristic information and the method for authentication comprise the following steps:
(1) at first, after the Communication Gateway of common carrier, set up authentication server, for receiving and process application registration binding and ID authentication request;
(2) then, exploitation can gather the client software of mobile phone hardware characteristic information and be arranged on user mobile phone, in mobile phone open Mobile data communication access way state, and running client software;
(3) select the binding current phone as the user while registering certain applied business filling in personal information, client software reads the hardware characteristics information of current phone, then together with filled in personal information and encrypted message, by the wireless data communication function of mobile phone, to authentication server, submits the registration bind request to; Described hardware characteristics information comprises ICCID, IMSI, IMEI, bluetooth MAC Address, WLAN MAC Address;
(4) when authentication server is received the registration bind request, obtain the MSISDN information of current phone simultaneously from communications protocol, after definite MSISDN information is legal, record safety-critical information and password and other personal information that hardware characteristics information and MSISDN form, and this safety-critical information is key element generating digital certificate, and adopt the symmetrical enciphering and deciphering algorithm of RSA rivest, shamir, adelman and AES256, set up the special communication channel with the cell-phone customer terminal communication, digital certificate transmission and private key and Transaction Information, determine the secure binding of this applied business and current phone,
(5) use corresponding applied business as the user, in the time of need to carrying out authentication, client software again reads hardware characteristics information and the operation requests of mobile phone and submits to authentication server simultaneously, authentication server obtains the MSISDN information of current phone simultaneously from communications protocol, after definite MSISDN information is legal, the password of the safety-critical information that checking hardware characteristics information and MSISDN form and user's input, when the information recorded during with registration binding before when these information of password of safety-critical information and user input is consistent, judge that identity is legal, agree operation requests, when the information of record is inconsistent when these information of password of safety-critical information user input have one or more and registration binding before, judge that identity is illegal, the refusal operation requests.