SECURE AUTHENTICATION METHOD AND SYSTEM FOR ONLINE TRANSACTIONS

US 20130124421A1
Filed: 11/01/2012
Published: 05/16/2013
Est. Priority Date: 11/04/2011
Status: Abandoned Application

First Claim

Patent Images

1. A secure authentication method for online transactions, the method comprising:

generating, using one or more computer processors, a random session key to encrypt communications between a client and a server;

verifying a user identity of a user using the client based on the generated random session key;

in the event that the verification of the user identity is successful, generating transaction image information, encrypting the transaction image information based on the random session key, and transmitting the encrypted transaction image information to the client;

receiving a confirmation of the transaction image information, the confirmation comprising a transaction signature;

verifying the transaction signature based on the random session key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention relate to a secure authentication method for online transactions, an online transaction secure authentication system, an online transaction secure authentication client, and a computer program product for secure authentication of online transactions thereof. The secure authentication method includes: generating, using one or more computer processors, a random session key to encrypt communications between a client and a server; verifying a user identity of a user using the client based on the generated random session key; in the event that the verification of the user identity is successful, generating transaction image information, encrypting the transaction image information based on the random session key, and transmitting the encrypted transaction image information to the client; receiving a confirmation of the transaction image information, the confirmation comprising a transaction signature; and verifying the transaction signature based on the random session key.

23 Citations

View as Search Results

26 Claims

1. A secure authentication method for online transactions, the method comprising:
- generating, using one or more computer processors, a random session key to encrypt communications between a client and a server;
  
  verifying a user identity of a user using the client based on the generated random session key;
  
  in the event that the verification of the user identity is successful, generating transaction image information, encrypting the transaction image information based on the random session key, and transmitting the encrypted transaction image information to the client;
  
  receiving a confirmation of the transaction image information, the confirmation comprising a transaction signature;
  
  verifying the transaction signature based on the random session key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as described in claim 1, wherein the generating of the random session key comprises:
    - receiving an encrypted random number that is generated by the client;
      
      generating the random session key based on the encrypted random number; and
      
      sending the random session key to the client.
  - 3. The method as described in claim 1, wherein verifying of the user identity comprises:
    - receiving user machine information from the client; and
      
      determining whether the user machine information matches previously stored user machine information to a predefined level.
  - 4. The method as described in claim 3 further comprising:
    - generating a capture factor;
      
      sending the capture factor to the client;
      
      receiving the encrypted user machine information and the encrypted capture factor from the client;
      
      decrypting the received capture factor and user machine information based on the ransom session key; and
      
      determining the match level of the user machine information based on the received capture factor.
  - 5. The method as described in claim 3 further comprising:
    - in the event the concluding of the user identity is unsuccessful verified, performing the following steps;
      
      determining whether a mobile phone short-message send request is received from the client;
      
      in the event the mobile phone short-message send request is received from the client, performing the following steps;
      
      acquiring user information;
      
      generating a mobile phone short-message verification code, andsending the mobile phone short-message verification code to a mobile phone related to the client;
      
      receiving the mobile short-message verification code from the client;
      
      verifying the mobile short-message verification code; and
      
      in the event the mobile short-message verification code is successfully verified, sending user identity verification successful result to the client.
  - 6. The method as described in claim 1, wherein the generating of the transaction image information comprises:
    - generating a transaction verification code based on transaction information, the random session key, time, and user seed;
      
      generating summary information based on the transaction information and the random session key;
      
      generating a base image;
      
      adding summary information to the base image; and
      
      adding the transaction information and the transaction verification code to the base image to generate the transaction image information.
  - 7. The method as described in claim 6, wherein the verifying of the transaction signature comprises:
    - receiving the transaction signature from the client;
      
      verifying whether the transaction signature is correct; and
      
      sending the verification result to the client.

8. An online transaction secure authentication system, the system comprising:
- a one time password (OTP) control;
  
  an OTP control server; and
  
  an OTP authentication platform,wherein;
  
  the OTP control and OTP control server are configured to generate random session keys for encrypted communications between the OTP control and the OTP control server and verify user identity of the OTP control based on the random session keys; and
  
  the OTP authentication platform;
  
  is connected to the OTP control server,generates transaction image information after receiving a user identity verification successful message sent by the OTP control server,encrypts the transaction image information based on a random session key,transmits the transaction image information to the OTP control, andafter the OTP control confirms the transaction image information, verifies a transaction signature based on the random session key.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. A system as described in claim 8, wherein:
    - in the event the random session key is generated, the OTP control generates a random number, encrypts the random number based on a preset RSA public key, and sends the encrypted random number to the OTP control server, andthe OTP control server generates another random session key based on the encrypted random number and sends the other random session key to the OTP control.
  - 10. A system as described in claim 8, wherein the verification of the user identity of the OTP control comprises:
    - the OTP control extracts user machine information, encrypts the user machine information based on the random session key, and sends the user machine information to the OTP control server;
      
      the OTP control server verifies a match level of the user machine information;
      
      in the event the match level of the user machine information exceeds a predefined threshold, the OTP control server sends a result indicating the user identity is successfully verified; and
      
      in the event the match level of the user machine information falls below the predefined threshold, the OTP control server sends a result indicating the user identity is unsuccessfully verified.
  - 11. A system as described in claim 10, wherein:
    - the OTP control server generates a capture factor and sends the capture factor to the OTP control;
      
      the OTP control extracts user machine information based on the capture factor, uses the random session key to encrypt the user machine information and the capture factor, and sends the encrypted user machine information and capture factor to the OTP control server; and
      
      the OTP control server verifies the match level of the user machine information based on the capture factor.
  - 12. A system as described in claim 10, wherein in the event the user identity is unsuccessfully verified, the system comprises:
    - the OTP authentication platform acquires user information;
      
      after receiving a mobile phone short-message send request, the OTP control server generates a mobile phone short-message verification code and sends the mobile phone short-message verification code to a mobile phone related to the OTP control;
      
      the OTP control server verifies the short-message verification code; and
      
      in the event verifying the short-message verification code is successful, the OTP control server sends a user identity verification successful result to the OTP control.
  - 13. A system as described in claim 8, wherein the OTP authentication platform comprises:
    - an OTP algorithm driving module configured to generate a transaction verification code based on transaction information, the random session key, time, and user seed;
      
      an OTP business system configured to generate summary information based on the transaction information and the random session key; and
      
      an image server configured to generate a base image and add the summary information to the base image, and add the transaction information and transaction verification code to the base image containing the summary information to generate the transaction image information.
  - 14. A system as described in claim 8, wherein:
    - in to the event the transaction signature is verified, the OTP control inputs the transaction verification code, digitally signs the transaction image information and the transaction verification code based on the random session key to create the transaction signature, and sends the transaction signature to the OTP authentication platform; and
      
      the OTP authentication platform verifies whether the transaction signature is correct and sends a verification result to the OTP control.

15. A computer program product for secure authentication of online transactions, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- generating, using one or more computer processors, a random session key to encrypt communications between a client and a server;
  
  verifying a user identity of a user using the client based on the generated random session key;
  
  in the event that the verification of the user identity is successful, generating transaction image information, encrypting the transaction image information based on the random session key, and transmitting the encrypted transaction image information to the client;
  
  receiving a confirmation of the transaction image information, the confirmation comprising a transaction signature;
  
  verifying the transaction signature based on the random session key.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product as described in claim 15, wherein the generating of the random session key comprises:
    - receiving an encrypted random number that is generated by the client;
      
      generating the random session key based on the encrypted random number; and
      
      sending the random session key to the client.
  - 17. The computer program product as described in claim 15, wherein verifying of the user identity comprises:
    - receiving user machine information from the client; and
      
      determining whether the user machine information matches previously stored user machine information to a predefined level.
  - 18. The computer program product as described in claim 17 further comprising:
    - generating a capture factor;
      
      sending the capture factor to the client;
      
      receiving the encrypted user machine information and the encrypted capture factor from the client;
      
      decrypting the received capture factor and user machine information based on the ransom session key; and
      
      determining the match level of the user machine information based on the received capture factor.
  - 19. The computer program product as described in claim 17 further comprising:
    - in the event the concluding of the user identity is unsuccessful verified, performing the following steps;
      
      determining whether a mobile phone short-message send request is received from the client;
      
      in the event the mobile phone short-message send request is received from the client, performing the following steps;
      
      acquiring user information;
      
      generating a mobile phone short-message verification code, andsending the mobile phone short-message verification code to a mobile phone related to the client;
      
      receiving the mobile short-message verification code from the client;
      
      verifying the mobile short-message verification code; and
      
      in the event the mobile short-message verification code is successfully verified, sending user identity verification successful result to the client.
  - 20. The computer program product as described in claim 15, wherein the generating of the transaction image information comprises:
    - generating a transaction verification code based on transaction information, the random session key, time, and user seed;
      
      generating summary information based on the transaction information and the random session key;
      
      generating a base image;
      
      adding summary information to the base image; and
      
      adding the transaction information and the transaction verification code to the base image to generate the transaction image information.
  - 21. The computer program product as described in claim 20, wherein the verifying of the transaction signature comprises:
    - receiving the transaction signature from the client;
      
      verifying whether the transaction signature is correct; and
      
      sending the verification result to the client.

22. An online transaction secure authentication client, the client comprising:
- at least one processor configured to;
  
  receive a random session key to encrypt communications between the client and a server;
  
  encrypt user machine information of a user based on the received random session key;
  
  send the encrypted user machine information to the server;
  
  receive encrypted transaction image information from the server;
  
  encrypt a confirmation of the transaction image information; and
  
  send the confirmation of the transaction image information to the server; and
  
  a memory coupled with the processor, wherein the memory provides the processor with instructions.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The client as described in claim 22, wherein the receiving of the random session key comprises:
    - generating a random number;
      
      encrypting the random number based on a preset RSA public key; and
      
      sending the encrypted random number to the server.
  - 24. The client as described in claim 22, wherein the encrypting of the user machine information comprises:
    - extracting the user machine information of the user; and
      
      encrypting the user machine information based on the random session key.
  - 25. The client as described in claim 24, wherein extracting of the user machine information comprises:
    - receiving a capture factor from the server;
      
      extracting the user machine information relating to the received capture factor;
      
      encrypting the user machine information based on the random session key; and
      
      sending the encrypted user machine information to the server.
  - 26. The client as described in claim 22, wherein the at least one processor is further configured to:
    - send a mobile phone short-message send request to the server;
      
      receive a mobile phone short-message verification code from the server;
      
      send the mobile short-message verification code to the server; and
      
      receive a user identity verification successful result from the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Advanced New Technologies Company Limited (Ant Group Co., Ltd.)
Original Assignee
Alibaba Group Holding Ltd.
Inventors
Deng, Yuliang

Application Number

US13/666,671
Publication Number

US 20130124421A1
Time in Patent Office

Days
Field of Search
US Class Current

705/71
CPC Class Codes

G06Q 20/027   involving a payment switch ...

G06Q 20/3825   Use of electronic signatures

G06Q 20/3829   involving key management

G06Q 20/385   using an alias or single-us...

G06Q 20/4014   Identity check for transact...

G06Q 20/40975   using encryption therefor

SECURE AUTHENTICATION METHOD AND SYSTEM FOR ONLINE TRANSACTIONS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE AUTHENTICATION METHOD AND SYSTEM FOR ONLINE TRANSACTIONS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links