Summary of the invention
The present invention discloses a split-password dynamic verification method and system. With this method or system, password theft caused by monitoring of keyboard operation, monitoring of input operation and the like can be effectively prevented. Implementation of the present invention, on the one hand, does not change the length or content of the user's existing password and does not make the password harder to remember; on the other hand, it is suitable for use together with encryption methods of various complexity, and truly protects the processes of password input, transmission and verification.
The present invention is achieved by the following scheme:
A split-password dynamic verification method, characterized in that the method comprises:
A. The user divides the existing password into two groups of subciphers, namely a first subcipher and a second subcipher;
B. The user inputs the first subcipher or the second subcipher at the operation interface and sends it to the system for verification;
C. The system partially verifies the password according to the subcipher; if it passes, the system generates a random cipher group and sends it to the operation interface for display;
D. The user combines the random cipher group with the remaining subcipher according to the prompt of the operation interface, inputs the combined password at the operation interface and sends it to the system for verification;
E. The system extracts the remaining subcipher to be verified from the received combined password and verifies it; if it passes, verification succeeds.
As a supplement, the method can further comprise: if verification at step E fails, an input error is prompted, the system regenerates a random cipher group, sends it to the operation interface for display, and returns to step D;
if verification at step C fails, an input error is prompted and the interface is returned, and the user re-enters the subcipher;
a security audit strategy: when the number of input errors at step C or step E reaches a set value, the system automatically stops or locks subsequent verification for this user.
As an optimization, the password dividing methods at step A comprise in-order division, equal-interval division and middle-block extraction division;
the password combination methods at step D comprise placing the subcipher as a whole at an arbitrary position in the random cipher group, and dispersing the subcipher in order within the random cipher group.
To guarantee the verification quality of the subciphers, the first subcipher and the second subcipher each consist of two or more password characters.
Further, the number of characters of the random cipher group at step C is a random number, that is, the random cipher group is not of fixed length.
A login or payment system adopting split-password dynamic verification, comprising a login/payment interface and a password verification platform, characterized in that the password verification method adopted by this system when logging in or paying is the split-password dynamic verification method described above.
Compared with existing password verification methods, the outstanding beneficial effects of the present invention comprise:
1. The length and content of the user's original password are kept, so no additional memorization burden is imposed on the user, and it is easy to use;
2. Password theft caused by automatic monitoring by Trojan horses or by manual monitoring and the like is effectively prevented, because the user's password is protected from the moment of password input;
3. A random cipher group generated by the system is introduced, and the length of this cipher group is also random, so dynamic password protection is realized;
4. The original password has multiple splitting schemes, the combination of subcipher and random cipher group also has multiple schemes, and there is a security audit function that counts input errors; even if the subciphers are all stolen, the thief cannot reconstruct the original password within the limited number of attempts.
Embodiment
Embodiment one
A split-password dynamic verification method: for a password provided by the service side or registered by the user, the user inputs this password at the operation interface and it is verified by the system/service side.
Fig. 1 shows the verification flow of this password verification method. From this flow, the core content of the present invention can be clearly reproduced.
First, as shown at 101 in Fig. 1, the user divides the existing password into two groups of subciphers, namely the first subcipher and the second subcipher. Dividing methods include in-order division, equal-interval division and middle-block extraction division.
For example, suppose the user's existing password is a six-character password (X1X2X3X4X5X6), where X1, X2, X3, X4, X5, X6 can be digits, letters, punctuation marks or even Chinese characters. Depending on the dividing method, the first subcipher and the second subcipher can have the following splitting schemes:
1. In-order division: the password is divided in order into two blocks, and the password positions within each block keep their original adjacency. The first subcipher and the second subcipher correspond respectively to:
First subcipher | Second subcipher
X1X2 | X3X4X5X6
X3X4X5X6 | X1X2
X1X2X3 | X4X5X6
X4X5X6 | X1X2X3
X1X2X3X4 | X5X6
X5X6 | X1X2X3X4
2. Equal-interval division: password units separated by a fixed interval are extracted from the original password and reassembled into a subcipher. The first subcipher and the second subcipher correspond respectively to:
First subcipher | Second subcipher
X1X3X5 | X2X4X6
X2X4X6 | X1X3X5
3. Middle-block extraction division: several adjacent password characters are extracted from the original password as one subcipher, and the remainder forms the other subcipher. The first subcipher and the second subcipher correspond respectively to:
First subcipher | Second subcipher
X2X3 | X1X4X5X6
X1X4X5X6 | X2X3
X3X4 | X1X2X5X6
X1X2X5X6 | X3X4
X4X5 | X1X2X3X6
X1X2X3X6 | X4X5
X2X3X4 | X1X5X6
X1X5X6 | X2X3X4
X3X4X5 | X1X2X6
X1X2X6 | X3X4X5
By comparison, the combinations produced by middle-block extraction division are more complex, so the risk of the password being stolen is correspondingly lower.
If the anti-theft function is to be optimal, the verification system can support verification of any of the above dividing methods; then, even if both subciphers are stolen, the probability of successfully combining them into the original password drops to a minimum.
However, for the user's convenience, the password can be divided only by the first method, in-order division. In that case the operation interface additionally gives a prompt such as "please input the first three characters of the password ...", and the user quickly understands the dividing method and proceeds to the next step.
At present, bank systems generally adopt six-digit numeric passwords. To let the user know how the password is divided, if the method of the present invention is applied to a bank cash dispenser, the operation interface can give prompts such as "please input in order the first two digits of the original password ...", "please input in order the first three digits of the original password ...", "please input in order any three digits of the original password ..." and the like.
At present, to reduce the risk of password theft, many online login systems have adopted passwords longer than six characters, such as eight or ten, and the password may consist of digits, letters, punctuation marks and even Chinese characters. When such passwords are divided, there are correspondingly more schemes, the combinations of first subcipher and second subcipher are more complex, and the risk of theft is lower.
To guarantee the verification quality of the subciphers, the first subcipher and the second subcipher should each have two or more password characters. That is, if the existing password is a six-character password (X1X2X3X4X5X6) and X1, X2, X3, X4, X5, X6 are digits, then with in-order division the schemes can comprise "2+4" and "3+3" (i.e. X1X2 and X3X4X5X6; X1X2X3 and X4X5X6); for an eight-character password they can comprise "2+6", "3+5" and "4+4" (i.e. X1X2 and X3X4X5X6X7X8; X1X2X3 and X4X5X6X7X8; X1X2X3X4 and X5X6X7X8). For six- and eight-character passwords, "3+3" and "3+5" respectively can be selected as the preferred schemes. If the subcipher input at 102 in Fig. 1 is one digit, the probability of guessing it is one in ten; if two digits, one in a hundred; if three digits, one in a thousand. Therefore, to guarantee the verification quality at 103 in Fig. 1, the subcipher input at 102 should have two or more characters, that is, the first subcipher and the second subcipher each consist of two or more password characters.
As shown at 102 in Fig. 1, the user, having divided the password (or dividing it under the prompt of the operation interface), inputs the first subcipher or the second subcipher in the password input box of the operation interface. The principle is the same whichever subcipher is input; for convenience, assume the first subcipher is input here and the first dividing method is used. After the user inputs the first subcipher, it is transmitted to the system for verification. Transmission may involve encoding, encryption, adding source and destination addresses and the like; these processes are not the emphasis of the present invention and are readily understood and implemented by those skilled in the art, so they are not described in detail. The system verifying the subcipher may be a local verification platform (for example, the backend system software of a bank cash dispenser) or a remote verification system (for example, a server on the network and its supporting service system).
As shown at 103 and 104 in Fig. 1, the system verifies the first subcipher input by the user (the password input at 102). If it meets the condition, verification passes and the flow proceeds to 108; otherwise it proceeds to 105. Verification means that the system compares the obtained first subcipher with the original password pre-stored in the system; if the first subcipher is judged to be a part split from the original password, verification passes. That is, if the original password is (X1X2X3X4X5X6) and the first dividing method is used, then when the input first subcipher is ABK, verification passes if (A=X1, B=X2, K=X3) or (A=X4, B=X5, K=X6), and fails otherwise; likewise, if the second dividing method is used, then when the input first subcipher is ABK, verification passes if (A=X1, B=X3, K=X5) or (A=X2, B=X4, K=X6), and fails otherwise.
To be compatible with the various dividing methods (that is, regardless of how the password is divided), the pass condition can be defined as follows: verification passes as long as each character of the input first subcipher can be matched to a corresponding character of the original password, and the relative order of these characters is consistent with their order in the original password. In a program this can be realized with two nested loops that read the subcipher and the stored password character by character and compare them.
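The first stage described above, as an added example that is not code from the patent: the three dividing methods of step 101, the check at 103/104 against an explicit list of permitted splits, and the looser "any dividing method" subsequence rule of the preceding paragraph; it also counts how many distinct three-digit entries each rule accepts, since that is the effective guess space of stage one. The stored password, the digit alphabet and the generalisation of equal-interval division to any interval are assumptions of this example.

```python
# Added example, not the patent's code: stage one of the split-password flow.
# Stored password, dividing rules and sample inputs are constructed.
from itertools import product

DIGITS = "0123456789"
MIN_LEN = 2  # the text requires each subcipher to have two or more characters

def in_order_splits(pw, min_len=MIN_LEN):
    """Method 1: one cut, both halves keep their original adjacency."""
    return {(pw[:k], pw[k:]) for k in range(min_len, len(pw) - min_len + 1)}

def equal_interval_splits(pw, min_len=MIN_LEN):
    """Method 2: every d-th character from an offset vs. the rest (the text
    shows d=2, i.e. odd/even positions; any interval d is allowed here)."""
    splits = set()
    for d in range(2, len(pw)):
        for off in range(d):
            idx = set(range(off, len(pw), d))
            picked = "".join(c for i, c in enumerate(pw) if i in idx)
            rest = "".join(c for i, c in enumerate(pw) if i not in idx)
            if len(picked) >= min_len and len(rest) >= min_len:
                splits.add((picked, rest))
    return splits

def middle_block_splits(pw, min_len=MIN_LEN):
    """Method 3: an interior run of adjacent characters vs. what surrounds it."""
    splits = set()
    for start in range(1, len(pw) - min_len):
        for end in range(start + min_len, len(pw)):
            block, rest = pw[start:end], pw[:start] + pw[end:]
            if len(rest) >= min_len:
                splits.add((block, rest))
    return splits

ALL_METHODS = (in_order_splits, equal_interval_splits, middle_block_splits)

def accepted_subciphers(pw, methods=ALL_METHODS):
    """Every value a user may legitimately enter as the first subcipher."""
    return {half for m in methods for pair in m(pw) for half in pair}

def verify_first_subcipher(pw, entered, methods=ALL_METHODS):
    """Steps 103/104: pass iff the entry is one half of a permitted split."""
    return entered in accepted_subciphers(pw, methods)

def ordered_subsequence_match(pw, entered):
    """The 'compatible with any dividing method' rule as the two nested loops
    the text describes: each entered character must occur in the stored
    password somewhere after the previous match."""
    if len(entered) < MIN_LEN:
        return False
    pos = 0
    for ch in entered:
        while pos < len(pw) and pw[pos] != ch:
            pos += 1
        if pos == len(pw):
            return False
        pos += 1
    return True

def count_accepted_guesses(pw, length, checker):
    """Distinct digit strings of this length the checker accepts: the effective
    stage-one guess space, which the looser subsequence rule widens."""
    return sum(1 for t in product(DIGITS, repeat=length) if checker(pw, "".join(t)))
```

For the constructed password "582913", in-order division alone accepts 2 three-digit entries, all three methods accept 8, and the subsequence rule accepts 20, so the compatibility rule trades away part of the guessing resistance the text attributes to stage one.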
As shown at 105 in Fig. 1, if verification of the first subcipher fails, the system prompts an input error at the operation interface, records the input error (adding 1 to the input error count) and proceeds to 106;
As shown at 106 in Fig. 1, it is judged whether the input error count after 105 has reached the set value (configurable according to actual needs, generally 3); if so, subsequent password verification operations for this user are stopped/locked to prevent the password from being cracked; if the set value has not been reached, the flow returns to 102 and the user re-enters the first subcipher;
As shown at 108 in Fig. 1, after the first subcipher passes verification, the system automatically generates a random cipher array, stores it, and sends it to the operation interface for display. In different systems the random cipher array may comprise different components, such as digits, letters, symbols, punctuation and even Chinese characters. The number of characters of the random cipher array is a random number, that is, its length is not fixed. In theory, the higher the randomness of the array and of its length, the better the password security, but in actual use an upper limit may be placed on the length of the random cipher group.
As shown at 109 in Fig. 1, the user combines the random cipher array with the remaining subcipher (the second subcipher) according to the prompt of the operation interface. Combination modes include placing the subcipher as a whole at an arbitrary position in the random cipher group, dispersing the subcipher in order within the random cipher group, and so on. For example, suppose the original password is (X1X2X3X4X5X6), the user has input the first subcipher (X1X2X3) and it has passed system verification, and the random cipher group automatically returned by the system is six random characters (Y1Y2Y3Y4Y5Y6); then the combination of the random cipher array and the second subcipher (X4X5X6) can take the following forms:
Method one: the subcipher is placed as a whole at an arbitrary position in the random cipher group;
Y1 X4 X5 X6 Y2 Y3 Y4 Y5 Y6
Y1 Y2 X4 X5 X6 Y3 Y4 Y5 Y6
Y1 Y2 Y3 X4 X5 X6 Y4 Y5 Y6
Y1 Y2 Y3 Y4 X4 X5 X6 Y5 Y6
Y1 Y2 Y3 Y4 Y5 X4 X5 X6 Y6
Method two: the subcipher is dispersed in order within the random cipher group;
Y1 X4 Y2 X5 Y3 X6 Y4 Y5 Y6
Y1 Y2 X4 Y3 X5 Y4 X6 Y5 Y6
Y1 Y2 Y3 X4 Y4 X5 Y5 X6 Y6
Y1 Y2 Y3 Y4 X4 Y5 X5 Y6 X6
Y1 X4 Y2 Y3 X5 Y4 X6 Y5 Y6
Y1 X4 Y2 Y3 X5 Y4 Y5 X6 Y6
......
Method three: other combination modes.
In actual use, users generally find it hard to understand how to combine the random cipher array with the second subcipher, so the operation interface can give prompts. For example, the random cipher array can be displayed in two parts (say an A section and a B section, where the number of characters in the A section is random, i.e. the length of the A section is not fixed), and the user is prompted to input in order "A + remaining password + B". Alternatively, the whole random cipher array can be displayed with blanks at the positions where the second subcipher is to be filled in, and the user is prompted to input the displayed random cipher array in order, inserting the remaining password into the blank positions. Having the user combine according to the system's prompt is both convenient for the user and convenient for the system when extracting the second subcipher.
As shown at 110 in Fig. 1, the user inputs the combined password in order at the operation interface.
As shown at 111 in Fig. 1, the system receives the combined password and extracts the remaining subcipher, the second subcipher, from it. The extraction method varies with the combination mode. For example, if the operation interface prompted the user to input the combined password as "A + remaining password + B", extraction is simple: the received combined password is compared with the stored random cipher group, and the A section and B section are removed from the combined password to obtain the second subcipher. For other combination modes a general extraction method can be used: the combined password is read character by character, each character is checked against the random cipher group, the components identical to the random cipher group are removed, and the remaining components are reassembled in their original relative order to obtain the second subcipher.
As shown at 112 in Fig. 1, the system verifies the extracted second subcipher. The verification method compares the second subcipher with the existing password; if the second subcipher is judged to be a part of the existing password, verification succeeds (113). The principle and method of verification are the same as at 103 and 104.
As shown at 114 and 115 in Fig. 1, if verification at 112 fails, the input error is recorded and the input error count is updated, and it is judged whether the input error count has reached the set value (configurable according to actual needs, generally 3 times); if so, subsequent password verification operations for this user are stopped/locked (116) to prevent the password from being cracked; otherwise the flow proceeds to 108, the system regenerates a random cipher group and displays it at the operation interface, and the operations at 109, 110, 111 and so on are repeated.
Embodiment two
A login or payment system adopting split-password dynamic verification consists of two major parts, hardware support and software support. The system has a login/payment interface and an operation panel, whose function is to let the user perform password input operations conveniently, and a password verification platform, whose function is to verify the user's password.
The system may be a bank payment system such as an ATM (automatic teller machine), an online banking payment system, an online login system, or the like.
A login or payment system adopting split-password dynamic verification, characterized in that the password verification method adopted by this system when logging in or paying is the password verification method described in Embodiment one.
Below, taking an online banking payment system as an example, how password verification is realized is further described:
Suppose the user has registered a user name and a payment password with the online banking payment system, and the password is an eight-character password denoted (X1X2X3X4X5X6X7X8); then, following the inventive core of Embodiment one, password verification can be realized by the following scheme:
1. According to the interface prompt (as shown in Fig. 2), the user inputs the first three characters of the payment password, i.e. X1X2X3;
2. The system compares the first three characters input by the user with the first three characters of the original password. If they are consistent, it generates a random cipher array and displays it at the operation interface; suppose the random cipher array is "87487654654", displayed in two parts; the interface prompts the user to input the random cipher array together with the remaining five password characters (as shown in Fig. 3). Otherwise, it judges whether the input error count has reached the set number; if not, it prompts an input error and displays the operation interface as in Fig. 4, and the user re-enters the first three characters of the payment password; if the set number has been reached, the interface shown in Fig. 5 is displayed and subsequent verification for this user is stopped;
3. The user inputs the random cipher group and the remaining five password characters in order according to the interface prompt shown in Fig. 3;
4. The system compares the combined password input by the user with the stored random cipher group, extracts the remaining five password characters, and compares these five characters with the original password to judge whether they are the part split from the original password. If so, verification succeeds and the transaction is completed or other subsequent operations are carried out; otherwise an input error is prompted and it is judged whether the input error count has reached the set number; if so, the interface shown in Fig. 5 is displayed and subsequent verification for this user is stopped; if not, the operation interface as in Fig. 6 is displayed, that is, the system automatically generates another random cipher group (such as "6896685248", displayed in two parts, "689668" and "5248"), sends it to the interface for display and prompts the user to re-enter the password; the user re-enters the password as prompted;
The operation interface and implementation described above are one simple mode. In practice, according to the description of Embodiment one, the splitting schemes of the original password may be increased, the combination modes of random cipher group and remaining password may be changed, the prompt content and style of the interface may be changed, and the extraction mode and verification flow for the subcipher may be changed; as long as the core of the inventive method is not departed from, such changes should be considered within the protection scope of the present invention.
In addition, the system may also read the contact method registered by the user in advance (such as mobile phone number, e-mail address, telephone number, etc.) and, by SMS, e-mail, voice and the like, notify the user that the password verification error count has reached the set value, and notify the registered user to perform operations such as unlocking and changing the password, which further reduces the risk of password theft.