1. Technical Field
Embodiments of the present disclosure relate to network security techniques, and more specifically to an apparatus, system, and method of authentication for online transactions.
2. Description of Related Art
With the Internet developing and growing every day, online transactions have become an important way for people to conduct everyday business activities. However, online transactions typically require an Internet connection. For most transactions, users need to input one or more passwords through computers connected to the Internet during the transaction payment process. Passwords may be exposed to hacking, and if a user is hacked, the user may consequently suffer economic losses.
To increase the security of a transaction, dynamic password techniques, such as the one-time password (OTP), have been developed to improve protection of online transactions. An OTP is a password that is valid for only one login session or transaction.
However, conventional OTP techniques may still be weak against some forms of hacker attacks, such as Trojan phishing. Trojan phishing refers to a method of simultaneously using a Trojan horse and phishing to accomplish the following: hijacking a user's transaction, creating the transaction on a third-party website, falsifying a display of the user's transaction, presenting the user with the transaction they wish to see, tricking the user into inputting their password, and causing the user to pay the bill to the hacker on the third-party website.
In general, the word “module,” as used hereinafter, refers to logic embodied in hardware or firmware, or to a collection of software instructions, written in a programming language, such as, for example, Java, C, or assembly. One or more software instructions in the modules may be embedded in firmware. It will be appreciated that modules may comprise connected logic units, such as gates and flip-flops, and may comprise programmable units, such as programmable gate arrays or processors. The modules described herein may be implemented as either software and/or hardware modules and may be stored in any type of non-transitory computer-readable storage medium or other computer storage device.
The first authentication system 10 and the second authentication system 20 each include a plurality of function modules (see description of
The processor 11 of the application server 1 and the processor 12 of the client device 2 may be an application-specific integrated circuit (ASIC) or a field programmable gate array (FPGA), for example.
The storage system 12 of the application server 1 and the storage device 22 of the client 2 may respectively include some type(s) of non-transitory computer-readable storage medium, such as a hard disk drive, a compact disc, a digital video disc, or a tape drive.
In step S1, the first digital certificate verification module 100 of the application server 1 receives a login request to a network application system installed in the application server 1 from one of the client devices 2. In one embodiment, when a user inputs a username and a communication password to the network application system via the network 4 using the client device 2, a login request is generated and transmitted to the first digital certificate verification module 100.
In step S2, the first digital certificate verification module 100 of the application server 1 verifies a digital certificate of the client device 2, and a second digital certificate verification module 200 of the client device 2 verifies a digital certificate of the application server 1. For a detailed description of step S2, please refer to the description of
In step S3, the first digital certificate verification module 100 of the application server 1 determines if the digital certificate of the client device 2 is valid, and the second digital certificate verification module 200 of the client device 2 determines if the digital certificate of the application server 1 is valid. Step S4 is implemented when the digital certificates of both the application server 1 and the client device 2 are valid. Otherwise, step S7 is implemented when the digital certificate of either the application server 1 or the client 2 is invalid.
In step S4, the first authentication module 101 of the application server 1 and the second authentication module 201 of the client device 2 authenticate an identification of the client 2. For a detailed description of step S4, please refer to the description of
In step S5, the first authentication module 101 of the application server 1 determines if the identification of the client 1 is valid. Step S6 is implemented when the identification of the client 1 is valid. Otherwise, step S7 is implemented when the identification of the client 1 is invalid.
In step S6, the first authentication module 101 of the application server 1 permits the client device 2 to log in to the network application system of the application server 1.
In step S7, the first authentication module 101 of the application server 1 forbids the client device 2 from logging in to the network application system of the application server 1.
In step S20, the first digital certificate verification module 100 of the application server 1 sends the digital certificate of the application server 1 to the client device 2. The digital certificate includes user information, a public key, a period of validity, and so on.
In step S21, the second digital certificate verification module 200 of the client device 2 receives the digital certificate of the application server 1 and verifies the digital certificate of the application server 1 using the authentication server 3.
In step S22, the second digital certificate verification module 200 of the client device 2 determines if the digital certificate of the application server 1 is valid according to a result returned from the authentication server 3. Step S23 is implemented when the digital certificate of the application server 1 is valid. Otherwise, step S26 is implemented when the digital certificate of the application server 1 is invalid.
In step S23, the second digital certificate verification module 200 of the client device 2 sends the digital certificate of the client device 2 to the application server 1. The digital certificate of the client device 2 also includes user information, a public key, a period of validity, and so on.
In step S24, the first digital certificate verification module 100 of the application server 1 verifies the digital certificate of the client device 2 using the authentication server 3.
In step S25, the first digital certificate verification module 100 of the application server 1 determines if the digital certificate of the client device 2 is valid according to a result returned from the authentication server 3. Step S26 is implemented when the digital certificate of the client device 2 is invalid. Otherwise, step S27 is implemented when the digital certificate of the client device 2 is valid.
In step S26, the digital certificate of either the client device 2 or the application server 1 is determined to be invalid.
In step S27, the digital certificates of both the client device 2 and the application server 1 are determined to be valid.
Referring to
In step S41, the first encryption and decryption sub-module 103 of the application server 1 encrypts the challenge code using a private key of the digital certificate of the application server 1.
In step S42, the first encryption and decryption sub-module 103 encrypts the challenge code again using a public key of the digital certificate of the client device 2.
In step S43, the first communication sub-module 104 sends the challenge code, which has been encrypted twice, to the client device 2.
In step S44, the second communication sub-module 202 of the client device 2 receives the challenge code, and the second encryption and decryption sub-module 203 of the client device 2 decrypts the challenge code using a private key of the digital certificate of the client device 2.
In step S45, the second encryption and decryption sub-module 203 of the client device 2 decrypts the challenge code again using a public key of the digital certificate of the application server 1.
In step S46, the second computation sub-module 204 of the client device 2 computes a second OTP value according to the communication password and the challenge code. The second OTP value is computed using the same algorithm that is used to compute the first OTP value.
Referring to
In step S48, the second computation sub-module 204 of the client device 2 encrypts the second OTP value again using the public key of the digital certificate of the application server 1.
In step S49, the second communication sub-module 202 of the client device 2 sends the second OTP value, which has been encrypted twice, to the application server 1.
In step S50, the first encryption and decryption sub-module 103 of the application server 1 decrypts the second OTP value using the private key of the digital certificate of the application server 1.
In step S51, the first encryption and decryption sub-module 103 decrypts the second OTP value again using the public key of the digital certificate of the client device 2.
In step S52, the comparison sub-module 105 of the application server 1 determines whether the first OTP value is identical to the second OTP value. Step S54 is implemented when the first OTP value is identical to the second OTP value. Otherwise, step S53 is implemented when the first OTP value is not identical to the second OTP value.
In step S53, the determination sub-module 106 of the application server 1 determines that the identification of the client device 2 is invalid.
In step S54, the determination sub-module 106 of the application server 1 determines that the identification of the client device 2 is valid.
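The exchange in steps S41 to S54 can be traced end to end with the following added example, which is not part of the original disclosure: each side applies its own private key and then the peer's public key, and the server accepts only if both OTP values match. Assumptions: the page does not show how the challenge code and first OTP value are produced or the client's first encryption layer, so the server is assumed to pick a random challenge and the client to apply its private key before step S48; the OTP algorithm (HMAC-SHA256 truncated to 128 bits), the textbook RSA over constructed primes, and all function names are hypothetical stand-ins for the certificate keys and sub-modules.

```python
import hashlib, hmac, secrets
from collections import namedtuple

# Textbook RSA (no padding) over constructed Mersenne primes: it shows the
# message flow only and is not a secure construction.
Key = namedtuple("Key", "n e d")

def make_key(p, q, e=65537):
    return Key(p * q, e, pow(e, -1, (p - 1) * (q - 1)))

SERVER = make_key(2**89 - 1, 2**107 - 1)  # stands in for the server certificate key pair
CLIENT = make_key(2**61 - 1, 2**127 - 1)  # stands in for the client certificate key pair

def wrap(m, own, peer):
    """Own private-key layer (S41), then the peer's public-key layer (S42/S48)."""
    inner = pow(m, own.d, own.n)
    # The inner value can exceed the peer's modulus, so it is split into two blocks.
    return tuple(pow(block, peer.e, peer.n) for block in divmod(inner, peer.n))

def unwrap(ct, own, peer):
    """Own private key first (S44/S50), then the peer's public key (S45/S51)."""
    hi, lo = (pow(c, own.d, own.n) for c in ct)
    return pow(hi * own.n + lo, peer.e, peer.n)

def otp(password, challenge):
    """Assumed OTP algorithm: HMAC-SHA256 over the challenge, truncated to 128 bits."""
    mac = hmac.new(password.encode(), challenge.to_bytes(32, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest()[:16], "big")

def server_challenge(password):
    """Assumed server start: random challenge, first OTP value, wrapped challenge (S41-S43)."""
    challenge = secrets.randbits(64)
    return otp(password, challenge), wrap(challenge, SERVER, CLIENT)

def client_respond(password, wrapped_challenge):
    """S44-S49: recover the challenge, compute the second OTP value, wrap it."""
    challenge = unwrap(wrapped_challenge, CLIENT, SERVER)
    return wrap(otp(password, challenge), CLIENT, SERVER)

def server_verify(first_otp, wrapped_response):
    """S50-S54: recover the second OTP value and compare in constant time."""
    second_otp = unwrap(wrapped_response, SERVER, CLIENT)
    return hmac.compare_digest(first_otp.to_bytes(32, "big"),
                               second_otp.to_bytes(32, "big"))
```

Because the OTP value depends on a fresh challenge code, a response computed for an earlier challenge fails the comparison in step S52.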
It should be emphasized that the above-described embodiments of the present disclosure, including any particular embodiments, are merely possible examples of implementations, set forth for a clear understanding of the principles of the disclosure. Many variations and modifications may be made to the above-described embodiment(s) of the disclosure without departing substantially from the spirit and principles of the disclosure. All such modifications and variations are intended to be included herein within the scope of this disclosure and protected by the following claims.
Number | Date | Country | Kind |
---|---|---|---|
2012105192032 | Dec 2012 | CN | national |