
CN104063650B - Key storage device and method of using the same - Google Patents

Key storage device and method of using the same

Info

Publication number
CN104063650B
Authority
CN
China
Prior art keywords
key
authentication
information
seed information
storage device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201410254187.8A
Other languages
Chinese (zh)
Other versions
CN104063650A (en)
Inventor
韩晟
王盈
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Shidun Technology Co., Ltd.
Original Assignee
Beijing Shidun Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Shidun Technology Co Ltd
Priority to CN201410254187.8A (CN104063650B)
Priority to US14/902,396 (US20170085561A1)
Priority to PCT/CN2014/082518 (WO2015188424A1)
Publication of CN104063650A
Application granted
Publication of CN104063650B
Legal status: Expired - Fee Related

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • G06F21/34: User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a key storage device and a method of using it, intended to improve the security of key storage and use and thereby the security of the identity authentication process. The key storage device comprises: a security module, which stores a key used to identify the user's identity; a computing module, which generates authentication information when identity authentication is required, the authentication information comprising at least processed seed information obtained by processing seed information with the key stored in the security module, where the seed information is any information that a computer system can process; and a key interaction module, which exchanges the authentication information with an external device.

Description

Key storage device and method of using the same
Technical field
The present invention relates to the field of information security technology, and in particular to a key storage device and a method of using it.
Background art
With the rapid development of Internet technology, and of mobile Internet technology in particular, the number of Internet applications provided over the Internet keeps growing. When a user accesses such applications, for example e-mail, instant messaging or websites, the provider of each application usually needs to verify the user's identity at login in order to secure the user's access.
At present, the most common identity verification methods include passwords, keys and certificates. A password is usually composed of upper- and lower-case letters, digits and typeable symbols; a key is usually a file or character string generated by a specific algorithm; a certificate is likewise a special file issued by a particular organization. These methods are essentially the same: they verify the identity of a party by means of a unique piece of data that only that party knows or holds, and such data can collectively be called a key. In Internet applications with higher security requirements, such as online banking and online payment, additional auxiliary authentication means are also commonly used, including mobile-phone verification codes, RSA SecurID two-factor tokens and smart cards.
In existing identity verification technology, password length is subject to certain limits: a password that is too short or too simple is easily cracked, while one that is too long or too complex is hard to remember. Moreover, when a password is entered on a keyboard it is easily stolen by malicious code on the terminal device, which reduces the security of authentication.
If a mobile-phone verification code is used as an auxiliary authentication means, a smartphone is easily implanted with malicious code that can intercept the verification code sent from the network side, so the security of authentication still cannot be guaranteed. Smart cards, because of hardware constraints, are difficult to popularize and not very versatile. As for the RSA SecurID two-factor token, it is widely used in important information systems around the world, but because it verifies with a 6-digit number it is only suitable for use as a verification code and cannot serve as the user name and primary password for identity verification. Furthermore, such a token can only be used within a single independent information system and is not general, so a user usually needs to hold several different SecurID tokens.
It can be seen that how to improve the security of the identity authentication process has become one of the technical problems urgently to be solved in the prior art.
Summary of the invention
Embodiments of the present invention provide a key storage device and a method of using it, for improving the security of key storage and use and thereby the security of the identity authentication process.
An embodiment of the present invention provides an application system for identity authentication, comprising a key storage device which in turn comprises: a security module, which stores a key used to identify the user's identity; a computing module, which generates authentication information when identity authentication is required, the authentication information comprising at least processed seed information obtained by processing seed information with the key stored in the security module, where the seed information is the current time of the key storage device, and the authentication information further comprising the device identifier of the key storage device; the computing module processes the seed information with the key stored in the security module by encrypting, signing or hashing it; and a key interaction module, comprising a display sub-module, which exchanges the authentication information with an external device, the authentication information being a two-dimensional code, and a communication sub-module, which establishes a communication connection with a terminal device and transfers the authentication information to the terminal device over that connection, the connection being established in any of the following ways: earphone interface, Bluetooth, infrared, near-field communication (NFC), Wireless Fidelity (WiFi), Universal Serial Bus (USB) or the OTG data transfer interface.
The system also comprises a terminal device, which scans the graphic code displayed by the display sub-module, obtains the processed seed information contained in the graphic code, and carries the obtained processed seed information in an identity authentication request sent to the authentication server on the network side.
Further, the system also comprises an authentication server, which looks up the key corresponding to the device identifier directly from a pre-stored mapping between device identifiers and keys, uses the found key to recover the processed seed information, and determines that identity authentication has succeeded when the interval between the recovered current time of the key storage device and the current time of the authentication server is within a preset time interval range.
The key storage device provided by the embodiments of the present invention generates authentication information when identity authentication is required; this authentication information comprises at least the processed seed information obtained after the computing module processes the seed information with the key stored in the security module, and the generated authentication information is supplied to an external device through the key interaction module for identity authentication. Because the key storage device generates the authentication information in real time from seed information processed with the stored key and supplies it to the external device for authentication, the user does not need to remember a user name and password or type them on a keyboard. This simplifies the user's operation and avoids the security problems caused by passwords being stolen during keyboard entry. On the other hand, because the authentication information is generated from the processed seed information, its complexity can be higher than that of a password a human can remember, and it is unique and non-repeatable, so even if it is intercepted in transit it cannot be reused or forged. This improves the security of key storage and use and thereby the security of identity authentication.
Other features and advantages of the present invention will be set forth in the following description and will in part become apparent from the description or be understood by practicing the invention. The objects and other advantages of the invention may be realized and obtained by the structures particularly pointed out in the written description, the claims and the drawings.
Brief description of the drawings
The drawings described here are provided to aid understanding of the present invention and form a part of it; the schematic embodiments and their description explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a schematic structural diagram of the key storage device in an embodiment of the present invention;
Fig. 2 is a schematic flow diagram of the method of using the key storage device in an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the first application system for the key storage device in an embodiment of the present invention;
Fig. 4 is a schematic flow diagram of the method of use based on the first application system in an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of the second application system for the key storage device in an embodiment of the present invention;
Fig. 6 is a schematic flow diagram of the method of use based on the second application system in an embodiment of the present invention.
Detailed description
To improve the security of key storage and use, and thereby the security of the identity authentication process, embodiments of the present invention provide a key storage device and a method of using it.
Preferred embodiments of the invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here are only for illustrating and explaining the invention and are not intended to limit it, and that, where no conflict arises, the embodiments and the features in them may be combined with one another.
Embodiment one
As shown in Fig. 1, the key storage device provided by an embodiment of the present invention comprises:
Security module 11, which stores a key used to identify the user's identity.
Computing module 12, which generates authentication information when identity authentication is required.
The authentication information generated by computing module 12 comprises at least the processed seed information obtained by processing seed information with the key stored in security module 11. The seed information is any information a computer system can process, for example known fixed information (such as a name or a fixed number), a random number, a time, a digest or a counter, as long as it can be processed with the key; the invention does not limit this. Preferably, in a specific implementation, the seed information may be the current time of the key storage device.
Key interaction module 13, which exchanges the authentication information with an external device.
In a specific implementation, key interaction module 13 may comprise a display sub-module 131 and/or a communication sub-module 132, where:
Display sub-module 131 may display the authentication information generated by computing module 12, and the external device can perform identity authentication with the authentication information obtained from this display. Preferably, the authentication information displayed by display sub-module 131 may be a graphic code, which may be a one-dimensional code (bar code) or a two-dimensional code; two-dimensional codes include standard two-dimensional codes and non-standard ones (i.e. variant two-dimensional codes such as circular or colour two-dimensional codes), and the invention does not limit this. In this way the external device obtains the authentication information by scanning what display sub-module 131 shows.
Communication sub-module 132 may establish a communication connection with the external device and transfer the authentication information generated by computing module 12 to the external device over that connection. Preferably, communication sub-module 132 may, but need not, establish the connection with the external device in any of the following ways: earphone interface, Bluetooth, infrared, NFC (near-field communication), WiFi (Wireless Fidelity), USB (Universal Serial Bus) or OTG (data transfer interface).
In a specific implementation, computing module 12 may, but need not, process the seed information with the key stored in security module 11 in the following ways: encrypting, signing or hashing the seed information with the key stored in security module 11. Specifically, computing module 12 may encrypt the seed information with the key stored in security module 11 to obtain the ciphertext corresponding to the seed information; it may sign the seed information with the key stored in security module 11 to obtain signed seed information; or it may perform a hash operation on the seed information to obtain the corresponding hash value.
Based on the same inventive concept, an embodiment of the present invention also provides a method of using the key storage device. Because the method solves the problem on a principle similar to that of the key storage device, its implementation can refer to the implementation of the key storage device, and repeated parts are not described again.
Embodiment two
Based on the key storage device provided above, an embodiment of the present invention also provides a corresponding method of using it, which, as shown in Fig. 2, may comprise the following steps:
S21: the computing module generates authentication information when identity authentication is required.
The authentication information comprises at least the processed seed information obtained by processing seed information with the key stored in the security module, where the seed information is any information a computer system can process.
S22: after the computing module has generated the authentication information, the key interaction module exchanges it with an external device.
In a specific implementation of step S22, the key interaction module may exchange the authentication information with the external device in either of the following ways:
Way one: the display sub-module of the key interaction module displays the authentication information generated by the computing module.
Way two: the communication sub-module of the key interaction module establishes a communication connection with the external device and transfers the authentication information generated by the computing module to the external device over that connection.
In a specific implementation, the key storage device provided by the embodiments of the present invention can be applied in the following three application scenarios that require identity authentication, corresponding to three different embodiments, which are described in turn below.
Embodiment three
First embodiment:
As shown in Fig. 3, the first application system for the key storage device provided by an embodiment of the present invention comprises a key storage device and an authentication server, where:
The key storage device generates user authentication information when identity authentication is required, the user authentication information comprising at least the processed seed information obtained by processing seed information with the stored key;
The authentication server receives an identity authentication request sent by a terminal device, the request carrying the processed seed information, which the terminal device obtained from the user authentication information it acquired from the key storage device; looks up, among the keys it stores, the key corresponding to the key stored in the key storage device; uses the found key to recover and/or verify the processed seed information; and determines from the recovery result or the verification result whether identity authentication has succeeded.
For ease of explanation, take the seed information to be the current time of the key storage device. The authentication server may then determine that identity authentication has succeeded when the interval between the recovered current time of the key storage device and its own current time is within a preset time interval range, and may also determine that identity authentication has succeeded when verification of the key storage device's current time passes.
Preferably, the authentication information generated by the key storage device may, but need not, be a graphic code. When identity authentication is required, the key storage device may generate this graphic code as follows: the computing module processes the seed information with the key pre-stored in the security module to obtain the processed seed information; the computing module then generates a graphic code from the processed seed information (the ciphertext, the signed seed information or the hash value obtained above) and displays it through the display sub-module. The terminal device can then obtain the processed seed information contained in the graphic code by scanning what the display sub-module shows. The terminal device carries the obtained processed seed information in an identity authentication request sent to the authentication server on the network side; the authentication server looks up, among the keys it stores, the key corresponding to the key stored in this key storage device, uses the found key to recover and/or verify the processed seed information, and determines from the recovery result or the verification result whether identity authentication has succeeded.
Preferably, in a specific implementation, the authentication system provided by the embodiments of the present invention may use either a symmetric-key cryptosystem or an asymmetric-key cryptosystem. With a symmetric-key cryptosystem, the key stored in the security module is identical to the key stored in the authentication server. With an asymmetric-key cryptosystem, a public/private key pair can be generated at random for each key storage device, with the security module of the key storage device storing the private key and the authentication server storing the public key. Compared with a symmetric-key mechanism, an asymmetric-key mechanism can further improve the security of the authentication system: in that case, even if the authentication server is compromised, an attacker still cannot forge a user login.
Specifically, with asymmetric-key cryptography, if the key storage device signs the seed information with the private key, the public key stored in the authentication server can be used to verify the signed seed information; if the key storage device encrypts the seed information with the private key, the public key stored in the authentication server can be used to decrypt the encrypted seed information and obtain the seed information. With symmetric-key cryptography, if the key storage device signs the seed information with the stored key, the key stored in the authentication server can be used to verify the signed seed information; if the key storage device encrypts the seed information with the stored key, the key stored in the authentication server can either decrypt the encrypted seed information and then verify the recovered seed information, or verify the ciphertext directly without recovery; and if the key storage device hashes the seed information to obtain a hash value, the authentication server can verify the obtained hash value.
Taking the seed information to be the current time of the key storage device: if the interval between the recovered current time of the key storage device and the current time of the authentication server is within the preset time interval range (which may be set to a very short interval), identity authentication is determined to have succeeded, otherwise it is determined to have failed; or, when verification of the key storage device's current time passes, identity authentication is determined to have succeeded, otherwise it is determined to have failed.
In the method above, after receiving the terminal device's identity authentication request, the authentication server needs to search all the keys it stores for the key corresponding to the key stored in the key storage device in order to recover and/or verify the processed seed information. Specifically, the authentication server may try each stored key in turn until it is able to recover and/or verify the processed seed information.
Preferably, to make recovery and/or verification of the processed seed information by the authentication server more efficient, in an embodiment of the present invention the authentication information generated by the key storage device may also include the device identifier of the key storage device. The terminal device can then obtain this device identifier from the authentication information and carry it in the identity authentication request together with the processed seed information; the authentication server can look up the key corresponding to this device identifier directly from a pre-stored mapping between device identifiers and keys and use it as the key corresponding to the key stored in the key storage device.
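The device and server sides of embodiments one to three, as an added example written for this page and not code from the patent or its assignee: the device processes its current time with the stored key (the patent's "sign or hash with the key" variant, realised here as HMAC-SHA256 over the device identifier and the seed, an assumed construction), packs the result with the device identifier into the text a QR code would carry, and the server verifies it with the direct device-identifier lookup of embodiment three, the time-window check, and, as a fallback, the try-every-key search described just before it. The 30-second window and the replay cache are assumptions added here; the patent states that the authentication information cannot be reused but leaves the enforcement to the server, and the cache is what makes that hold when two scans of the same second produce identical output.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

# Preset time interval range (seconds) tolerated between the device clock and the
# server clock. An assumed value; the patent does not fix one.
WINDOW_SECONDS = 30


class KeyStorageDevice:
    """Models the device of Fig. 1: security module (holds the key), computing
    module (processes the seed with the key), display sub-module (QR payload)."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self._key = key  # stays inside the device; never part of the output

    def _process_seed(self, seed: str) -> str:
        # "Sign / hash the seed with the stored key", realised as HMAC-SHA256 over
        # the device id and the seed so the output is bound to this device (assumed).
        msg = f"{self.device_id}|{seed}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def generate_auth_info(self, now: Optional[int] = None) -> str:
        """Return the text the display sub-module would render as a QR code.
        The seed information is the device's current time, as the patent prefers."""
        seed = str(int(time.time()) if now is None else now)
        return json.dumps({"device_id": self.device_id, "seed": seed,
                           "processed": self._process_seed(seed)})


class AuthServer:
    """Models the authentication server of Fig. 3 with the device-id lookup of
    embodiment three and the try-every-key fallback described before it."""

    def __init__(self, device_keys: Dict[str, bytes], window: int = WINDOW_SECONDS) -> None:
        self._keys = device_keys        # pre-stored device id -> key mapping
        self._window = window
        self._seen: Set[str] = set()    # replay cache; an addition, not in the patent

    @staticmethod
    def _expected(key: bytes, device_id: str, seed: str) -> bytes:
        return hmac.new(key, f"{device_id}|{seed}".encode(), hashlib.sha256).hexdigest().encode()

    def verify(self, qr_text: str, now: int) -> Tuple[bool, str]:
        """Direct lookup by device id, then tag check, time window, replay check."""
        req = json.loads(qr_text)
        key = self._keys.get(req.get("device_id"))
        if key is None:
            return False, "unknown device"
        tag = str(req.get("processed", "")).encode()
        if not hmac.compare_digest(self._expected(key, req["device_id"], str(req["seed"])), tag):
            return False, "bad tag"
        try:
            device_time = int(req["seed"])
        except ValueError:
            return False, "malformed seed"
        if abs(now - device_time) > self._window:
            return False, "outside time window"
        if tag in self._seen:
            return False, "replay"
        self._seen.add(tag)
        return True, "ok"

    def verify_by_trial(self, seed: str, processed: str, now: int) -> Tuple[Optional[str], int]:
        """Fallback when no device id is carried: try each stored key in turn.
        Returns the matching device id (or None) and how many keys were tried."""
        tries = 0
        for device_id, key in self._keys.items():
            tries += 1
            if hmac.compare_digest(self._expected(key, device_id, seed), processed.encode()):
                try:
                    in_window = abs(now - int(seed)) <= self._window
                except ValueError:
                    in_window = False
                return (device_id if in_window else None), tries
        return None, tries


if __name__ == "__main__":
    # Constructed sample key: a real device would hold a randomly generated one.
    key = b"\x11" * 32
    device = KeyStorageDevice("DEV-0001", key)
    server = AuthServer({"DEV-0002": b"\x22" * 32, "DEV-0001": key})
    qr = device.generate_auth_info()
    print(qr)
    print(server.verify(qr, int(time.time())))         # (True, 'ok')
    print(server.verify(qr, int(time.time())))         # (False, 'replay')
```

The trial path shows why embodiment three carries the device identifier: without it the server's cost grows with the number of enrolled devices, and every key is exercised against attacker-chosen input; with it a single dictionary lookup selects the key before any cryptographic work is done.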
Embodiment four
For a better understanding of the embodiments of the present invention, the specific implementation of the information exchange flow during identity authentication is described below. For ease of explanation, the description takes a user accessing online banking as an example. The flow for a user logging in to online banking, as shown in Fig. 4, may comprise the following steps:
S41: the key storage device generates and displays a two-dimensional code for authenticating the user's identity.
In a specific implementation, the user may access online banking in either of the following two ways:
Way one:
The user accesses online banking with the same terminal device that obtains the user authentication information; for example, the user accesses online banking from a mobile phone and uses the same phone to obtain the user authentication information generated by the key storage device. In this case, the online-banking login page the user visits needs to provide an application programming interface that encapsulates the authentication method provided by the embodiments of the present invention, and when the user needs to log in, calling this interface triggers identity authentication for the user.
Way two:
The user accesses online banking from a terminal device other than the one that obtains the user authentication information; for example, the user accesses online banking from a computer and uses their own mobile phone to obtain the user authentication information generated by the key storage device. In this case, the online-banking login page needs to embed a verification program that encapsulates the authentication method provided by the embodiments of the present invention and display it on the login page in the form of a graphic code (which may, but need not, be a two-dimensional code); when the user needs to log in, scanning this two-dimensional code directly triggers identity authentication for the user.
After identity authentication is triggered, the user generates user authentication information by triggering their own key storage device (which may be issued to the user by the bank when the bank account is opened); the specific method is described in embodiment one above and is not repeated here.
Preferably, to avoid the risk arising from a user losing the key storage device, in an embodiment of the present invention the key storage device may also identify the user before generating user authentication information, for example by fingerprint or by a code pre-set by the user; this is not limited here. Accordingly, the key storage device may also comprise a numeric keypad or a fingerprint capture device.
S42: the terminal device scans the two-dimensional code generated by the key storage device and obtains the processed current-time information and the device identifier of the key storage device.
In a specific implementation, in way one the terminal device can directly call the authentication application implemented according to the authentication method provided by the embodiments of the present invention to scan the user authentication information generated by the key storage device. In way two, the user manually starts the authentication application installed on the terminal device, implemented according to the authentication method provided by the embodiments of the present invention, and scans the user authentication information generated by the key storage device.
S43: the terminal device sends an identity authentication request to the authentication server on the network side.
The identity authentication request carries the obtained processed seed information and the device identifier of the key storage device. In addition, the terminal device also needs to carry in the request the application identifier or application name of the Internet application the user is accessing and a globally unique identifier of this Internet application; this unique identifier is a globally unique code that is not repeated across different Internet applications, different terminal devices or different times. Preferably, this unique identifier may, but need not, be a UUID (Universally Unique Identifier) or a GUID (Globally Unique Identifier), or a globally unique identifier implemented with a similar technique; for convenience the description uses a UUID.
If the user accesses the Internet application in way one, the terminal device can directly obtain the application identifier or application name of the Internet application the user is currently accessing and its corresponding UUID and send them to the authentication server together with the other information. If the user accesses the Internet application in way two, the graphic code generated and displayed on the login page contains the application identifier or application name of the Internet application and the UUID corresponding to it, so that the terminal device can obtain them by scanning this graphic code and send them to the authentication server together with the processed seed information and the device identifier of the key storage device obtained from the two-dimensional code generated by the key storage device.
In a specific implementation, the terminal device may send the identity authentication request to the authentication server on the network side over a wired network, a wireless network, a mobile communication network or the like.
S44: the authentication server looks up the corresponding key according to the device identifier carried in the identity authentication request.
S45: the authentication server uses the found key to recover and/or verify the processed current-time information.
S46: the authentication server performs identity authentication.
In a specific implementation, taking the case where the key storage device encrypts the current time as an example, the authentication server compares the recovered current time of the key storage device with its own current time; if the interval does not exceed the preset time interval, it determines that verification has succeeded, otherwise it determines that verification has failed.
S47: the authentication server sends the verification result to the application server that provides the Internet application.
In a specific implementation, the authentication server provides the verification result to the application server corresponding to the application identifier or application name carried in the identity authentication request, and carries the UUID of the Internet application the user is currently accessing in the verification result it sends.
S48: the application server sends a response message permitting or denying access to the terminal device.
In a specific implementation, the application server determines from the UUID the terminal device and application program through which the user is accessing the Internet application, and sends a response message permitting or denying access to that terminal device according to the verification result.
In existing security systems that employ encryption mechanisms, the security of asymmetric-key encryption technology has been thoroughly proven in theory and is widely used. Its main drawback, however, is that the keys are too long for a person to remember and type directly, so users usually store the key in a computer file or hardware device and import it when needed; this creates a risk of key exposure and is very inconvenient to use. In the embodiment of the present invention, by contrast, the graphic code is a convenient machine-readable technology that can represent cipher-text information so that it is easily recognized, transmitted and then decrypted. This solves the problem that the keys in existing asymmetric-key encryption mechanisms are too long to be used directly. Furthermore, in the embodiment of the present invention, independent hardware is used to generate the graphic code, so the private key cannot be stolen, copied or tampered with, and the hardware is physically isolated from the internet application the user uses, which fundamentally removes the possibility of hacker attacks and provides high security. At the same time, when the asymmetric-key encryption mechanism is used in the embodiment of the present invention, the private key is stored in the security module of the verification information generating device and the public key is stored in the Authentication server; even if the Authentication server is attacked by hackers and all public keys are leaked, an attacker still cannot forge the identity verification of any user, so no threat arises. Finally, because the key length and strength are sufficient, the device identification of the verification information generating device (which may be its unique serial number) can be used directly as the user name, and each cipher-text or signed information generated from the seed information can be used as the password for identity verification, achieving a one-time password (a fresh password for each authentication) whose complexity is far higher than a password set by an ordinary person; both security and convenience are greatly improved.
The second embodiment,
As shown in Figure 5, which is a structural diagram of the second application system of the key storage device provided by the embodiment of the present invention, the system comprises a key storage device, an Authentication server and a terminal device, wherein:
The terminal device is configured to establish a communication connection with the verification information generating device when the user accesses an internet application and identity verification is needed; to exchange, over the established communication connection, the authentication information generated by the verification information generating device; and to send an authentication request carrying the authentication information to the Authentication server. The verification information generating device is configured to generate the authentication information and exchange it with the terminal device over the established communication connection; the authentication information at least comprises the processed seed information obtained by processing the seed information with the stored first key, where the seed information is any information a computer system can process. The Authentication server is configured, after receiving the authentication request, to use the second key it stores that corresponds to the first key to recover and/or verify the processed seed information contained in the authentication information, and to determine whether identity verification passes according to the recovery result or the verification result.
In specific implementation, when the user accesses an internet application and identity verification is needed, establishment of the communication connection between the terminal device and the verification information generating device can be triggered. Preferably, in the embodiment of the present invention the terminal device and the verification information generating device may establish the communication connection in, but not limited to, any of the following ways: an earphone interface, Bluetooth, infrared, NFC (near field communication), WIFI (Wireless Fidelity), USB (universal serial bus) or OTG (a data transmission interface), etc.
In specific implementation, after the communication connection is established, the verification information generating device can exchange the authentication information it generates with the terminal device over the established connection. Specifically, the terminal device may actively read the authentication information generated by the verification information generating device, or the verification information generating device may actively send the authentication information it generates to the terminal device; the embodiment of the present invention does not limit this. The authentication information generated by the verification information generating device at least comprises the processed seed information obtained by the device processing the seed information with the first key it stores.
For convenience of explanation, the seed information is taken to be the current time of the verification information generating device. The Authentication server may then determine that identity verification passes when the interval between the recovered current time of the verification information generating device and its own current time is within the preset time interval range; it may also determine that identity verification passes when verification of the current time of the verification information generating device succeeds.
When identity verification is needed, the verification information generating device can generate the authentication information as follows:
The computing module processes the seed information with the key (i.e. the first key) prestored in the security module to obtain the processed seed information. In specific implementation, the computing module may encrypt the seed information with the key stored in the security module to obtain cipher-text information corresponding to the seed information; or the computing module may sign the seed information with the key stored in the security module to obtain signed seed information; it may also perform a hash operation on the seed information to obtain the corresponding hash value.
The communication module carries the processed seed information obtained by the computing module in the authentication information and sends it to the terminal device, or the terminal device may actively obtain the authentication information containing the processed seed information from the communication module. The terminal device carries the obtained processed seed information in the authentication request and sends it to the Authentication server on the network side; the Authentication server looks up, among the keys it stores, the key corresponding to the key stored in this verification information generating device (i.e. the second key), uses the key found to recover and/or verify the processed seed information, and determines whether identity verification passes according to the recovery result or the verification result.
Preferably, in specific implementation the interactive authentication system provided by the embodiment of the present invention may adopt either a symmetric-key encryption system or an asymmetric-key encryption system. If a symmetric-key encryption system is adopted, the key stored in the security module of the verification information generating device is identical to the key stored by the Authentication server. If an asymmetric-key encryption system is adopted, a public/private key pair may be randomly generated for each verification information generating device; the security module of the verification information generating device stores the private key and the Authentication server stores the public key. Compared with a symmetric-key encryption mechanism, an asymmetric-key encryption mechanism can further improve the security of the authentication system: in this case, even if the Authentication server is compromised, an attacker still cannot forge a user login.
In specific implementation, when asymmetric-key encryption technology is used, if the verification information generating device signs the seed information with the private key, the public key stored by the Authentication server may be used to verify the signed seed information; if the verification information generating device encrypts the seed information with the private key, the public key stored by the Authentication server may be used to decrypt the encrypted seed information and obtain the seed information. If symmetric-key cryptography is used: if the verification information generating device signs the seed information with the stored key, the key stored by the Authentication server may be used to verify the signed seed information; if the verification information generating device encrypts the seed information with the stored key, the key stored by the Authentication server may be used either to decrypt the encrypted seed information and then verify the seed information obtained, or to verify the cipher text directly without recovering it; if the verification information generating device applies a hash algorithm to the seed information to obtain a hash value, the Authentication server may verify the hash value obtained.
Taking the seed information to be the current time of the verification information generating device: if the time interval between the recovered current time of the verification information generating device and the current time of the Authentication server is within the preset time interval range (which may be set to an extremely short interval), identity verification is determined to pass, otherwise it is determined to fail; or, when verification of the current time of the verification information generating device succeeds, identity verification is determined to pass, otherwise it is determined to fail.
In the above method, after receiving the authentication request from the terminal device, the Authentication server needs to search all the keys it stores for the key corresponding to the key stored in the verification information generating device, and use it to recover and/or verify the processed seed information. Specifically, the Authentication server may try each key it stores in turn until it can recover and/or verify the processed seed information.
Preferably, to improve the efficiency with which the Authentication server recovers and/or verifies the processed seed information, in the embodiment of the present invention the verification information generating device may also include its device identification in the authentication information it generates. The terminal device can then obtain this device identification from the received authentication information and carry it in the authentication request together with the processed seed information, so that the Authentication server can directly look up the key corresponding to the device identification in its prestored correspondence between device identifications and keys, and use that key as the key corresponding to the key stored in the verification information generating device.
In specific implementation, before sending the authentication request to the Authentication server, the terminal device may also obtain the application identity of the internet application the user is accessing and carry the obtained application identity in the authentication request sent to the Authentication server, so that after obtaining the authentication result the Authentication server can notify the application server corresponding to this application identity. Specifically, the Authentication server can look up the application server identifier corresponding to the application identity in its prestored correspondence between application identities and application server identifiers, and send the authentication result to the application server corresponding to the identifier found.
In specific implementation, because the user may access the internet application with the terminal device that performs identity verification or with another terminal device, in the embodiment of the present invention the terminal device can obtain the application identity of the internet application the user is accessing in either of the following two ways:
Mode one: if the user accesses the internet application with the terminal device that performs identity verification, the terminal device can obtain the application identity of the internet application by calling the interface provided by the internet application. Mode two: if the user accesses the internet application with another terminal device, the terminal device can obtain the application identity of the internet application by scanning the graphic code (which may be, but is not limited to, a QR code) provided by the internet application.
In specific implementation, to improve the security of internet application access, after establishing the communication connection with the verification information generating device the terminal device may also obtain the application identification code of the internet application the user is accessing and send it to the verification information generating device; the verification information generating device processes this application identification code with the first key it stores, carries the result in the authentication information and sends it to the terminal device; the terminal device carries the received processed application identification code in the authentication request sent to the Authentication server. In specific implementation, the way the terminal device obtains the application identification code is the same as the way it obtains the application identity described above, and is not repeated here.
Preferably, the application identification code is a globally unique code that does not repeat across different internet applications, different terminal devices or different times. Preferably, this application identification code may be, but is not limited to, a UUID (Universally Unique Identifier) or a GUID (Globally Unique Identifier); it may equally be a globally scoped identifier realized with a similar technique. For convenience, the description below uses a UUID.
After the Authentication server receives the processed application identification code, if the verification information generating device encrypted the application identification code, the Authentication server needs to decrypt it with the second key it stores and then send it to the corresponding application server together with the authentication result; from the application identification code received, the application server can determine which terminal device the user is using to access the internet application, and send the allow/deny response message to that terminal device according to the authentication result sent by the Authentication server.
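The device-side signing and server-side verification described in steps S43 to S47 above and in this embodiment (key lookup by device identification, comparison of the device time with the server time within a preset interval, UUID processed by the generating device, result routed by application identity), as an added example in Go using Ed25519 for the asymmetric mode. This is illustrative code written for this page, not the patent's or the assignee's implementation; the identifiers, the signed byte layout and the 30-second window are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Constructed sample identifiers for this example; they are not values from the patent.
const (
	DeviceID = "KSD-0001"                             // device identification of the generating device
	AppID    = "netbank.example"                      // application identity of the internet application
	AppUUID  = "7d3a9f02-1c4e-4b6a-9e21-5f0c8a2d4b11" // application identification code (UUID)
)

// AuthInfo is the authentication information handed to the terminal device (a struct here, a graphic code in the patent).
type AuthInfo struct {
	DeviceID  string
	Timestamp int64  // seed information: the device's current time (unix seconds)
	AppUUID   string // application identification code processed together with the seed
	Signature []byte // first-key (private key) signature over timestamp || uuid
}

// Device models the generating device; its security module holds the first key.
type Device struct {
	id   string
	priv ed25519.PrivateKey
}

// signedPayload fixes the byte layout both sides sign/verify: 8-byte big-endian time, then the UUID.
func signedPayload(ts int64, uuid string) []byte {
	buf := make([]byte, 8, 8+len(uuid))
	binary.BigEndian.PutUint64(buf, uint64(ts))
	return append(buf, uuid...)
}

// GenerateAuthInfo (steps S62/S63): sign the current time and the UUID with the first key.
func (d *Device) GenerateAuthInfo(now time.Time, uuid string) AuthInfo {
	ts := now.Unix()
	return AuthInfo{DeviceID: d.id, Timestamp: ts, AppUUID: uuid,
		Signature: ed25519.Sign(d.priv, signedPayload(ts, uuid))}
}

// Server models the Authentication server: it stores only second (public) keys,
// indexed by device identification, plus the application identity mapping.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey // device identification -> second key
	appServers map[string]string            // application identity -> application server identifier
	window     time.Duration                // preset time interval
}

// Verify (steps S65-S67): look up the second key by device identification, verify the processed
// seed information, then compare the device time with the server's own time. Returns whether
// verification passed and which application server the result is routed to.
func (s *Server) Verify(info AuthInfo, appID string, now time.Time) (bool, string, error) {
	pub, ok := s.pubKeys[info.DeviceID]
	if !ok {
		return false, "", errors.New("unknown device identification")
	}
	if !ed25519.Verify(pub, signedPayload(info.Timestamp, info.AppUUID), info.Signature) {
		return false, "", errors.New("signature verification failed") // forged or tampered
	}
	appServer, ok := s.appServers[appID]
	if !ok {
		return false, "", errors.New("unknown application identity")
	}
	diff := now.Sub(time.Unix(info.Timestamp, 0))
	if diff < 0 {
		diff = -diff
	}
	return diff <= s.window, appServer, nil
}

// NewDemo enrols one device: the private half stays in the device, only the public half reaches the server.
func NewDemo(window time.Duration) (*Device, *Server) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{id: DeviceID, priv: priv}
	srv := &Server{
		pubKeys:    map[string]ed25519.PublicKey{DeviceID: pub},
		appServers: map[string]string{AppID: "appserver-netbank-01"}, // constructed identifier
		window:     window,
	}
	return dev, srv
}

func main() {
	dev, srv := NewDemo(30 * time.Second)
	base := time.Unix(1700000000, 0)
	info := dev.GenerateAuthInfo(base, AppUUID)
	fresh, _, _ := srv.Verify(info, AppID, base.Add(10*time.Second))
	stale, _, _ := srv.Verify(info, AppID, base.Add(5*time.Minute))
	fmt.Println("fresh:", fresh, "stale:", stale) // fresh: true stale: false
}
```

Because the server holds only public keys, an attacker who copies its key store still cannot produce a signature that `Verify` accepts, which is the property the embodiment relies on.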
Embodiment six
To better understand the embodiments of the present invention, the specific implementation process is described below with reference to the information interaction flow during identity verification in the embodiment of the present invention. For convenience of explanation, the embodiment is described for a user accessing online banking; the flow of the user logging in to online banking, as shown in Figure 6, may comprise the following steps:
S61: when the user accesses the internet application, the communication connection between the terminal device and the verification information generating device is established.
In specific implementation, the user can access online banking in either of the following two ways:
Mode one,
The user accesses online banking with the terminal device that obtains the authentication information; for example, the user accesses online banking with a mobile phone and uses the same phone to obtain the authentication information generated by the verification information generating device. In this case, the login page of the online banking site the user accesses needs to provide the application programming interface encapsulating the identity verification method provided by the embodiment of the present invention, and the user's identity verification is triggered by calling this application programming interface when the user needs to log in to online banking.
Mode two,
The user accesses online banking with a terminal device other than the one that obtains the authentication information; for example, the user accesses online banking with a computer and uses their own mobile phone to obtain the authentication information generated by the verification information generating device. In this case, the online banking login page needs to embed the verification program encapsulating the identity verification method provided by the embodiment of the present invention and display it on the login page in the form of a graphic code (which may be, but is not limited to, a QR code); when the user needs to log in to online banking, simply scanning this QR code triggers the user's identity verification.
S62: the verification information generating device generates the authentication information.
After the user's identity verification is triggered, the user generates the authentication information by operating their own verification information generating device (this device may be supplied to the user by the bank when the user registers a bank account); for example, the user presses a button provided on the verification information generating device to trigger it to generate the authentication information. The specific method by which the verification information generating device generates the authentication information is described in the first embodiment above and is not repeated here.
Preferably, to avoid the risk of the user losing the verification information generating device, in the embodiment of the present invention the verification information generating device may also identify the user before generating the authentication information, for example by fingerprint or by a password preset by the user; this is not limited here. Accordingly, the verification information generating device may also comprise a numeric keypad or a fingerprint acquisition device.
In specific implementation, step S62 may also be performed before step S61, i.e. the verification information generating device first generates the authentication information and then establishes the communication connection with the terminal device; the two may also be performed simultaneously. The embodiment of the present invention does not limit this.
S63: the verification information generating device and the terminal device exchange the authentication information the device generated.
In specific implementation, the verification information generating device processes the seed information with the key it stores to obtain the processed seed information, carries the processed seed information and its own device identification in the authentication information and sends it to the terminal device; alternatively, the terminal device may actively obtain the authentication information containing the processed seed information from the communication module.
S64: the terminal device sends an authentication request to the Authentication server on the network side.
The authentication request carries the obtained processed seed information and the device identification of the verification information generating device.
It should be noted that the terminal device may also obtain the application identification code and the application identity of the internet application the user is accessing and carry them together in the authentication request sent to the Authentication server.
In specific implementation, the terminal device may obtain the application identity of the internet application the user is accessing before establishing the communication connection with the verification information generating device, after establishing it, or after receiving the authentication information; as long as it is obtained before the authentication request is sent, the present invention does not limit this.
For example, if the user accesses the internet application in the first way described above, the terminal device can directly obtain the application identity or application name of the internet application the user is currently accessing and its corresponding UUID and send them together to the Authentication server. If the user accesses the internet application in the second way described above, the graphic code generated and displayed on the login page contains the application identity or application name of the internet application and the UUID corresponding to this internet application, so the terminal device can obtain them by scanning this graphic code, and then send them to the Authentication server together with the processed seed information obtained from the QR code generated by the verification information generating device and the device identification of the verification information generating device.
Preferably, to improve the security of data transmission, the terminal device may send the obtained UUID to the verification information generating device for processing before sending it to the Authentication server, so that it cannot be tampered with in transit. It should be understood that if the terminal device sends the UUID to the verification information generating device for processing, it needs to obtain the UUID and the application identity either before the communication connection is established, or after the connection is established but before the authentication information is received, so that the verification information generating device can carry the processed UUID in the authentication information sent to the terminal device.
In specific implementation, the terminal device can send the authentication request to the Authentication server on the network side over a wired network, a wireless network, a mobile communication network or the like.
S65: the Authentication server looks up the corresponding key according to the device identification carried in the authentication request.
S66: the Authentication server uses the key found to recover and/or verify the processed current time information.
S67: the Authentication server performs identity verification.
In specific implementation, taking the case where the verification information generating device encrypts the current time as an example, the Authentication server compares the recovered current time of the verification information generating device with its own current time; if the time interval does not exceed the preset time interval, verification is determined to pass, otherwise verification is determined to fail.
S68: the Authentication server sends the verification result to the application server providing the internet application.
In specific implementation, the Authentication server delivers the verification result to the application server corresponding to the application identity or application name carried in the authentication request, and carries in the verification result the UUID of the internet application the user is currently accessing.
S69: the application server sends a response message allowing or denying access to the terminal device.
In specific implementation, the application server determines from the UUID which terminal device and which application program the user is using to access the internet application, and sends the allow/deny response message to that terminal device according to the verification result.
In existing security systems that employ encryption mechanisms, the security of asymmetric-key encryption technology has been thoroughly proven in theory and is widely used. Its main drawback, however, is that the keys are too long for a person to remember and type directly, so users usually store the key in a computer file or hardware device and import it when needed; this creates a risk of key exposure and is very inconvenient to use. In the embodiment of the present invention, by contrast, the graphic code is a convenient machine-readable technology that can represent cipher-text information so that it is easily recognized, transmitted and then decrypted. This solves the problem that the keys in existing asymmetric-key encryption mechanisms are too long to be used directly. Furthermore, in the embodiment of the present invention, independent hardware is used to generate the authentication information, so the private key cannot be stolen, copied or tampered with, which provides high security. At the same time, when the asymmetric-key encryption mechanism is used in the embodiment of the present invention, the private key is stored in the security module of the verification information generating device and the public key is stored in the Authentication server; even if the Authentication server is attacked by hackers and all public keys are leaked, an attacker still cannot forge the identity verification of any user, so no threat arises. Finally, because the key length and strength are sufficient, the device identification of the verification information generating device (which may be its unique serial number) can be used directly as the user name, and each cipher-text or signed information generated from the seed information can be used as the password for identity verification, achieving a one-time password (a fresh password for each authentication) whose complexity is far higher than a password set by an ordinary person; both security and convenience are greatly improved.
The third embodiment,
The authentication system provided by the embodiment of the present invention can also be used in an enterprise access control system: the enterprise only needs to install a graphic code scanning device (for example a camera) and equip each employee with a key storage device; when an employee enters, the user verification information generated by the key storage device is scanned and verified, and entry is allowed if verification passes; at the same time, information such as the door-opening time can also be recorded.
In specific implementation, the authentication system provided by the embodiment of the present invention may provide one key storage device for different internet applications, or may provide a separate key storage device for internet applications with high security requirements such as online banking and online payment; in that case the Authentication server needs to maintain the correspondence between the application identity of each internet application and the device identification and key of its corresponding key storage device, in order to provide identity verification for the different internet applications.
It should be noted that the terminal device referred to in the embodiment of the present invention may be a mobile terminal device such as a mobile phone, tablet computer, PDA (personal digital assistant) or smart watch, or a device such as a PC (personal computer), as long as it is equipped with a camera or scanning apparatus and can scan and obtain the graphic code generated by the key storage device.
In addition, the internet applications referred to in the embodiment of the present invention include websites, application clients and the like that can be accessed over the internet or mobile internet.
Therefore, compared with traditional identity verification methods, the identity verification method provided by the embodiment of the present invention is more secure, achieving highly complex passwords and one-time passwords and avoiding the risk of password theft. The identity verification method provided by the embodiment of the present invention is also more convenient and faster: the user does not need to remember and enter various different user names and passwords, and can complete the identity verification process quickly by directly scanning the graphic code.
Because the password length and strength in the identity verification method provided by the embodiment of the present invention are far higher than those of the passwords set by ordinary users and of the 6-digit purely numeric passwords used by existing RSA SecurID two-factor authentication tokens, it can be used directly as the main password for identity verification.
Those skilled in the art should understand that the embodiments of the invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction device, which realizes the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a sequence of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they have learned the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these changes and modifications of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these changes and modifications.

Claims (1)

1. An application system for identity authentication, characterized in that it comprises:
a key storage device, the device comprising:
a security module, for storing a key, the key being used to identify the identity of the user;
a computing module, for generating authentication information when identity authentication is required, the authentication information comprising at least the processed seed information obtained by processing seed information with the key stored in the security module, the seed information being the current time of the key storage device, and the authentication information further comprising the device identifier of the key storage device; the computing module being specifically configured to process the seed information with the key stored in the security module in the following manner: encrypting, signing or hashing the seed information with the key stored in the security module;
a key interaction module, comprising:
a display sub-module, for exchanging the authentication information with an external device, the authentication information being a two-dimensional (QR) code;
a communication sub-module, for establishing a communication connection with a terminal device and transferring the authentication information to the terminal device over the established communication connection, specifically for establishing the communication connection with the terminal device in any of the following ways: earphone interface, Bluetooth, infrared, near-field communication (NFC), Wireless Fidelity (WiFi), Universal Serial Bus (USB) or the data transmission interface OTG;
a terminal device: scanning the graphic code displayed by the display sub-module, obtaining the processed seed information contained in the graphic code, and sending the obtained processed seed information, carried in an authentication request, to the authentication server on the network side;
an authentication server: looking up, according to the device identifier, the key corresponding to that device identifier directly in a pre-stored correspondence between device identifiers and keys, recovering the processed seed information using the key found, and determining that identity authentication has passed when the interval between the recovered current time of the key storage device and the current time of the authentication server lies within a preset time interval range.
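The exchange claimed above, as an added example that is not part of the patent: the device side builds the QR payload (device identifier plus the device's current time processed with the stored key, using the signing variant of the claim, here HMAC-SHA256), and the server side looks up the key by device identifier, checks the tag and accepts only inside a preset time window. The key table, device identifier, 60-second window and the replay-rejection set are assumptions for the illustration.

```python
import hmac
import hashlib
import json

# Constructed sample key table (hypothetical values): device identifier -> key
# held in the security module, mirrored in the server's pre-stored table.
KEY_TABLE = {"DEV-0001": b"\x01" * 32}
WINDOW_SECONDS = 60  # preset time interval; hypothetical value


def make_auth_info(device_id: str, key: bytes, now: int) -> str:
    """Device side: the seed information is the device's current time. It is
    processed with the key (signing variant: HMAC-SHA256) and combined with
    the device identifier into the payload that the QR code would carry."""
    seed = str(now).encode()
    tag = hmac.new(key, seed, hashlib.sha256).hexdigest()
    return json.dumps({"id": device_id, "t": now, "tag": tag})


def verify_auth_info(payload: str, server_now: int, seen: set) -> bool:
    """Server side: look up the key by device identifier, verify the processed
    seed information, then accept only if the device time lies within the
    preset window of the server time. The `seen` set is an addition beyond
    the claim: it rejects the same payload replayed inside the window."""
    try:
        info = json.loads(payload)
        device_id, t, tag = info["id"], int(info["t"]), info["tag"]
    except (ValueError, KeyError, TypeError):
        return False  # malformed scan result
    key = KEY_TABLE.get(device_id)
    if key is None:
        return False  # unknown device identifier
    expected = hmac.new(key, str(t).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # time value was not produced with this device's key
    if abs(server_now - t) > WINDOW_SECONDS:
        return False  # outside the preset time interval
    if (device_id, t) in seen:
        return False  # same authentication information presented twice
    seen.add((device_id, t))
    return True
```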

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201410254187.8A CN104063650B (en) 2014-06-09 2014-06-09 A kind of key storage device and using method thereof
US14/902,396 US20170085561A1 (en) 2014-06-09 2014-07-18 Key storage device and method for using same
PCT/CN2014/082518 WO2015188424A1 (en) 2014-06-09 2014-07-18 Key storage device and method for using same

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410254187.8A CN104063650B (en) 2014-06-09 2014-06-09 A kind of key storage device and using method thereof

Publications (2)

Publication Number Publication Date
CN104063650A CN104063650A (en) 2014-09-24
CN104063650B true CN104063650B (en) 2015-08-19

Family

ID=51551358

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410254187.8A Expired - Fee Related CN104063650B (en) 2014-06-09 2014-06-09 A kind of key storage device and using method thereof

Country Status (1)

Country Link
CN (1) CN104063650B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: BEIJING SHIDUN TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: HAN SHENG

Effective date: 20141120

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100107 CHAOYANG, BEIJING TO: 100081 HAIDIAN, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20141120

Address after: 100081, room 1008, Qingyun contemporary building, No. 43 West Third Ring Road, Haidian District, Beijing

Applicant after: Beijing Shidun Technology Co., Ltd.

Address before: 100107 Beijing city Chaoyang District Village Building 6, room 2807 of the day in the park

Applicant before: Han Cheng

ASS Succession or assignment of patent right

Owner name: HAN SHENG

Free format text: FORMER OWNER: BEIJING SHIDUN TECHNOLOGY CO., LTD.

Effective date: 20141128

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100081 HAIDIAN, BEIJING TO: 100107 CHAOYANG, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20141128

Address after: 100107 Beijing city Chaoyang District Village Building 6, room 2807 of the day in the park

Applicant after: Han Cheng

Address before: 100081, room 1008, Qingyun contemporary building, No. 43 West Third Ring Road, Haidian District, Beijing

Applicant before: Beijing Shidun Technology Co., Ltd.

C53 Correction of patent for invention or patent application
CB02 Change of applicant information

Address after: 430063, Wuchang District, Hubei, Wuhan province talent street, run road, Vanke long court, A, building 3007

Applicant after: Han Cheng

Address before: 100107 Beijing city Chaoyang District Village Building 6, room 2807 of the day in the park

Applicant before: Han Cheng

ASS Succession or assignment of patent right

Owner name: BEIJING SHIDUN TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: HAN SHENG

Effective date: 20150422

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 430063 WUHAN, HUBEI PROVINCE TO: 100086 HAIDIAN, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20150422

Address after: 100086, room 1008, Qingyun contemporary building, No. 43 West Third Ring Road, Haidian District, Beijing

Applicant after: Beijing Shidun Technology Co., Ltd.

Address before: 430063, Wuchang District, Hubei, Wuhan province talent street, run road, Vanke long court, A, building 3007

Applicant before: Han Cheng

C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150819

Termination date: 20180609