CN102884534B - Password generation and verification method and device - Google Patents
- Publication number: CN102884534B (application CN201180023673.3A)
- Authority: CN (China)
- Prior art keywords: password, user, parity, character, attribute
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Abstract
While a user logs in to a password-protected entity, the password is verified by iteratively receiving (310) password characters and verifying that each received character satisfies at least one predefined attribute (α) required of an admissible password. If it does not, this indicates a brute-force attack and suitable action can be taken. The attribute α may depend on the user. The invention also provides a corresponding device (120) and computer program support (140).
Description
Technical field
The present invention relates generally to computer systems, and in particular to the handling of passwords when logging in to such systems.
Background technology
This section is intended to introduce the reader to various aspects of the art which may be related to the various aspects of the present invention that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present invention. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
Passwords are ubiquitous in present-day computer systems, for example to authenticate a user who wishes to log in. In its generic definition, a password is a sequence of symbols taken from a predefined alphabet (e.g., four digits for a PIN code).
In order to create "strong" passwords, the chosen password is usually required to satisfy a predefined policy. Such a policy may be, for example, that the password should be at least 8 characters long and should include at least one upper-case letter and at least one special character such as &, ( or =. US 2004/250139 and US 2009/158406 describe solutions for selecting such passwords.
However, even a system protected by strong passwords may still be attacked by a brute-force attack (trying every possible value in turn) or by a dictionary attack (trying a subset of preferred values). Hereinafter these attacks will be referred to as "automated attacks". To simplify their implementation, these attacks typically operate at a lower layer and do not use the user interface of the authentication system. Some such tools are even available on the Internet, e.g. John the Ripper or Advanced Mailbox Password Recovery.
Existing authentication systems cannot distinguish between an automated attack and a user error. By default, some authentication systems minimise the risk of automated attacks by inserting a delay between two consecutive requests, by limiting the number of unsuccessful attempts, or by a combination of both. In the PIN-code example, the number of unsuccessful attempts is typically fixed at three.
It can therefore be appreciated that there is a need for a solution that enables an authentication system to detect automated attacks, so that the system can respond to such attacks according to an appropriate policy. The present invention provides such a solution.
Summary of the invention
In a first aspect, the invention relates to a method of verifying a password entered while a user logs in to a password-protected entity. A processor receives at least one character of the entered password and verifies that the at least one received character satisfies at least one predefined attribute required of an admissible password.
In a first preferred embodiment, all characters of the entered password are received together with an indication that the entered password is complete, and the processor further verifies that the complete entered password corresponds to the password protecting the entity. In a variant, the complete entered password comprises a first part and a second part, the attribute being represented by the second part, and compliance with the attribute is verified by processing the first part and checking whether the processed first part matches the second part.
In a second preferred embodiment, the attribute depends on the user.
In a third preferred embodiment, the processor determines that a brute-force attack has been attempted upon detecting a predetermined number of entered passwords or partial passwords that do not comply with the user's attribute. Advantageously, suitable action is taken upon determining that a brute-force attack has been attempted. The suitable action comprises at least one of: sending a warning to an administrator, sending a warning to the user, locking the system, and waiting a predetermined time before accepting further login attempts.
In a second aspect, the invention relates to a device for verifying a password entered while a user logs in to a password-protected entity. The device comprises an interface for receiving password characters, and a processor for verifying that at least one received password character satisfies at least one predefined attribute required of an admissible password.
In a first preferred embodiment, the interface is further adapted to receive an indication that the entered password is complete, and the processor is further adapted to verify that the complete entered password corresponds to the password protecting the entity. In a variant, the complete entered password comprises a first part and a second part, the attribute being represented by the second part, and the processor is adapted to verify compliance with the attribute by processing the first part and checking whether the processed first part matches the second part.
In a second preferred embodiment, the attribute depends on the user of the password.
In a third preferred embodiment, the processor is further adapted to determine that a brute-force attack has been attempted upon detecting a predetermined number of entered passwords or partial passwords that do not comply with the user's attribute. Advantageously, suitable action is taken upon determining that a brute-force attack has been attempted. The suitable action comprises at least one of: sending a warning to an administrator, sending a warning to the user, locking the system, and waiting a predetermined time before accepting further login attempts.
In a third aspect, the invention relates to a computer program support storing instructions of a software program that, when executed by a processor, receive at least one character of an entered password while a user logs in to a password-protected entity, and verify that the at least one received character satisfies at least one predefined attribute required of an admissible password.
Accompanying drawing explanation
Preferred features of the present invention will now be described, by way of non-limiting example, with reference to the accompanying drawings, in which:
Fig. 1 shows an exemplary system in which the invention may be implemented;
Fig. 2 shows a password-generation method according to a preferred embodiment of the invention;
Fig. 3 shows a password-verification method according to a preferred embodiment of the invention.
Detailed description of the invention
Fig. 1 shows an exemplary system in which the invention may be implemented. The system comprises a computer device ("computer") 110 and an authentication server 120; it will be appreciated that the invention may be implemented on the computer 110, on the authentication server 120, or on both the computer 110 and the authentication server 120. The computer 110 and the authentication server 120 may be any kind of suitable computer or device capable of performing calculations, such as a standard personal computer (PC) or workstation. Each of the computer 110 and the authentication server 120 preferably comprises at least one processor 111, 121, RAM memory 112, 122, a user interface 113, 123 for interacting with a user, and a second interface 114, 124 for interacting with other devices over a connection 130. Each of the computer 110 and the authentication device 120 preferably also comprises an interface for reading a software program from a digital data support 140 that stores instructions which, when executed by a processor, perform any of the password methods described hereinafter. The skilled person will appreciate that the illustrated devices are greatly simplified for the sake of clarity, and that real devices may additionally comprise features such as persistent storage.
The central idea is to add an attribute α (also called a "rule" or "function") to the password set Ω. This splits the complete password space into two distinct subsets:
● the valid-password subset (i.e. the valid password space), whose elements satisfy the attribute: Ω_v = {ω ∈ Ω | α(ω)}
● the invalid-password subset Ω_i, whose elements do not satisfy the attribute.
It will be appreciated that some prior-art systems already impose such requirements, e.g. that a password contain at least 8 characters, including one upper-case letter and one character that is neither a letter nor a digit. It is important to note, however, that such requirements are intended only to diversify user passwords so that they are less susceptible to dictionary attacks; they never make it possible to detect automated attacks, and they cannot guide the user toward a valid password by proposing admissible characters.
It will be understood that the subsets are advantageously dynamic, so that they can change over time. One illustrative embodiment of this dynamism is to place the n most commonly used passwords in the invalid subset Ω_i. Although the subsets are disjoint, the rules that define them may overlap for ease of implementation; in that case one rule should take precedence over the others. For example, a rule forbidding the use of the user's year of birth advantageously overrides any rule that would otherwise allow that particular combination.
When the user enters a password through the user interface, he is restricted to the valid password space Ω_v. The system treats any request from the invalid password space Ω_i (and possibly from a third subset) as an attack and can react accordingly.
The choice of attribute α is the result of a trade-off between password entropy (the size of Ω_v) and attack detectability (the size of Ω_i).
The use of attribute α thus makes it possible to detect brute-force attacks: an attacker who systematically tries every password value will necessarily submit elements of Ω_i. Dictionary attacks can moreover be countered by adding known or likely dictionary entries to Ω_i.
Attribute α can be a complex function. While it may be applied to the complete password, it is preferably enforced for each symbol entered through the user interface. In that case, the symbol that may be entered at a given step can depend on the symbols entered previously.
Preferably, to ensure that a random password guess has a non-negligible probability of using a password from the invalid subset, attribute α splits the password space into two "well-mixed" parts, each of non-negligible size.
For example, for text passwords, attribute α may be the alternation of upper-case and lower-case letters. In that case, any character (upper or lower case) may be chosen as the first symbol when creating the password. Thereafter, if the previous character was upper case, the user interface proposes the set of lower-case characters, and vice versa. Attribute α is thus verified at each step of password creation.
If, for example, the ratio r between the valid password space Ω_v and the invalid password space Ω_i is very small (r << 1), valid passwords are hard to supply and the system is likely to be vulnerable to attackers who know some of the rules. Conversely, if r >> 1, almost all passwords are valid and the probability of detecting an attack is small. A ratio r ≈ 1, perhaps 0.5 < r < 2, therefore appears to be a good trade-off as a rule of thumb.
Attribute α may depend on several elements, such as the user name. Two users can then build their passwords according to different rules. For example, if the number of characters in the user name is odd (respectively even), the password should contain only upper-case (respectively lower-case) characters; any request with a password mixing upper-case and lower-case characters would then be treated as an attack. Another example is to require that the total number of characters in the user name and the password be even (or odd).
The definition of attribute α can be very complex and take many parameters into account. An over-complicated attribute, however, has its own drawbacks: the resulting passwords may be hard to remember, and the size of the valid set Ω_v may become too small to guarantee enough entropy.
The overall security level of the system depends on the confidentiality of attribute α. Knowing or correctly guessing the attribute would make it possible to build the set of valid password values (Ω_v) and to use that set for a dictionary attack that goes undetected.
To make it harder for an attacker to reconstruct the valid subset Ω_v, the constraints are not actively highlighted in the user interface at login time, but preferably only while the password is being built.
Moreover, the classical countermeasures used in authentication systems (e.g., a maximum number of attempts and an enforced delay between incorrect password entries) can still be used in combination with the solution of the invention.
Illustrative examples
This section illustrates the concept of the invention through a PIN-code case study. The example also highlights the generalisation of traditional countermeasures, e.g. avoiding dictionary attacks.
Consider a PIN code: a string of 4 digits chosen from {0, ..., 9}.
Normally, in the prior-art situation where no condition is imposed at password generation, the password space Ω is represented by all (decimal) numbers from "0000" to "9999": Ω = {p1p2p3p4 | pi ∈ {0, ..., 9}}. Hereinafter a PIN code is denoted p = p1p2p3p4, with pi ∈ {0, ..., 9}.
General case:
A first step can be to exclude a specific set ("dictionary") of the most frequently used or overly simple combinations, such as the same digit repeated four times (e.g. "7777") or four digits in increasing sequence (e.g. "1234"). The system thus verifies at password generation that the chosen PIN code is not part of the dictionary and, if it is not, confirms that the chosen PIN code is valid. During login (or any other kind of authentication), if the entered PIN code belongs to the invalid subset Ω_i, the system raises an exception and takes the planned countermeasures.
In symbols:
A second step can be to integrate a function α' that splits the password space Ω into a valid subset and an invalid subset (the latter being combined with the "dictionary"). For example, the function α' may express that the parity of each digit must change with respect to the previous digit. The system can enforce this rule during the generation phase by adapting its interface so that only the valid digits are shown. During password authentication, the system checks whether the entered PIN satisfies the rule α'; if it does not, an exception is raised and the system takes the planned countermeasures.
In symbols again:
In this example, the function α' still allows some combinations that the dictionary condition forbids. A third step is therefore to enforce the combined validity condition α'' at password generation, either through the interface or simply by refusing invalid PIN codes. During password authentication, the system verifies both the condition of step 2 and that of step 3, and otherwise raises an exception.
Although it is easy to check that the variability of valid PIN codes is reduced from α' to α'', it keeps a size that remains usable for choosing a PIN code. It can also be observed that the sets of allowed and forbidden PIN codes both have a non-negligible size and are "well mixed". The latter property also depends on the tool used to attack the system, and not only on the specific α function used.
Alternatively, as already mentioned, variability can be added to the function α by making it depend on the user name. In this PIN example, the parity of the first digit of the PIN code is required to differ from the parity of the user-name length. Let login denote the user name entered by the user and #{login} its length; further, let p0 denote the parity of #{login}.
Including this condition in α, in symbols:
Fig. 2 shows a password-generation method according to a preferred embodiment of the invention. The method may be implemented on the computer 110 or on the authentication server 120 interacting with the computer 110.
First, the system may propose the possible characters, i.e. those that satisfy attribute α, as the next user input, step 210. In particular, this step may be skipped for the first character if its choice is free. It will be appreciated that this step may be replaced by verifying that the entered character satisfies attribute α and refusing to accept the character if it does not.
A character is then received from the user, step 220, and it is verified whether the password is complete, step 230. This may be indicated by the user (e.g., by clicking an icon or pressing "Return"), but it may also be implicit. If the password is complete, the method ends at step 240; if not, the method returns to step 210.
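The PIN case study above and the generation loop of Fig. 2, as an added example in Python (this is not code from the patent or its applicant). It implements the page's dictionary D, the parity-alternation rule α', the combined rule α'' and the user-name variant, proposes the admissible digits at each step 210, and counts |Ω_v|, |Ω_i| and the ratio r defined in the description for each rule. The function names, the reading of "increasing sequence" as four consecutive digits, and the stand-in chooser that plays the user are this example's own assumptions.

```python
"""Added example (not the patent's own code): the 4-digit PIN case study.

Rules for a PIN p = p1p2p3p4, pi in {0..9}, as described on the page:
  - dictionary D: one digit repeated four times, or four consecutive increasing digits
  - alpha':  the parity of each digit differs from the previous digit's parity
  - alpha'': alpha' and not in D
  - user-name variant: parity(p1) != parity(#{login}), then alpha' for the rest
All names below are this example's own choices.
"""
from itertools import product
from typing import Callable, Optional, Tuple

DIGITS = "0123456789"
Alpha = Callable[[str, str], bool]   # (prefix entered so far, next digit) -> allowed?


def in_dictionary(pin: str) -> bool:
    """Constructed dictionary D: '7777'-style repeats and '1234'-style consecutive runs."""
    repeated = len(set(pin)) == 1
    increasing = all(int(b) - int(a) == 1 for a, b in zip(pin, pin[1:]))
    return repeated or increasing


def alpha_prime(prefix: str, ch: str) -> bool:
    """alpha': each digit's parity must change relative to the previous digit (first is free)."""
    if not prefix:
        return True
    return int(prefix[-1]) % 2 != int(ch) % 2


def alpha_user(login: str) -> Alpha:
    """User-dependent variant: parity of the first digit != parity of #{login}, then alpha'."""
    p0 = len(login) % 2

    def rule(prefix: str, ch: str) -> bool:
        if not prefix:
            return int(ch) % 2 != p0
        return alpha_prime(prefix, ch)
    return rule


def allowed_next(prefix: str, alpha: Alpha) -> str:
    """The set the interface proposes at step 210: digits satisfying alpha after prefix."""
    return "".join(d for d in DIGITS if alpha(prefix, d))


def satisfies(pin: str, alpha: Alpha, use_dictionary: bool = False) -> bool:
    """Whole-PIN check: every digit satisfies alpha given its prefix, and (for alpha'') not in D."""
    ok = all(alpha(pin[:i], pin[i]) for i in range(len(pin)))
    return ok and not (use_dictionary and in_dictionary(pin))


def partition(alpha: Alpha, use_dictionary: bool = False, length: int = 4) -> Tuple[int, int, float]:
    """Enumerate Omega and return (|Omega_v|, |Omega_i|, r = |Omega_v| / |Omega_i|)."""
    valid = sum(1 for t in product(DIGITS, repeat=length)
                if satisfies("".join(t), alpha, use_dictionary))
    invalid = 10 ** length - valid
    return valid, invalid, valid / invalid


def generate_pin(choose: Callable[[str], str], alpha: Alpha, length: int = 4) -> Optional[str]:
    """Fig. 2 walk: propose (210), receive (220), check completeness (230), end (240).
    `choose` stands in for the user: it is shown the proposed set and returns one digit.
    A digit outside the proposed set is refused and the generation aborts (None)."""
    pin = ""
    while len(pin) < length:          # step 230: not complete yet
        proposed = allowed_next(pin, alpha)   # step 210
        ch = choose(proposed)                 # step 220
        if ch not in proposed:
            return None
        pin += ch
    return pin                        # step 240


if __name__ == "__main__":
    for name, alpha, with_dict in (("alpha'", alpha_prime, False),
                                   ("alpha''", alpha_prime, True),
                                   ("user 'bob'", alpha_user("bob"), True)):
        v, i, r = partition(alpha, with_dict)
        print(f"{name:12s} |Omega_v|={v:5d} |Omega_i|={i:5d} r={r:.3f}")
    print("generated:", generate_pin(lambda s: s[0], alpha_prime))
```

For α' the enumeration gives |Ω_v| = 1250 and |Ω_i| = 8750, so r ≈ 0.14; adding the dictionary removes the seven runs 0123 to 6789 that α' alone still accepts, and the user-name condition halves the valid set again (625 for a three-letter login). Both ratios sit well below the 0.5 < r < 2 band suggested in the description, which is the entropy-versus-detectability trade-off the text warns about: a systematic attacker is detected on almost any guess, but a legitimate user has only a few hundred PIN codes to choose from.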
Fig. 3 shows a password-verification method according to a preferred embodiment of the invention. This verification method is advantageously performed while a user logs in to an entity (an account, a device, a server, etc.) protected by the password to be verified. Like the generation method, the verification method may be implemented by the computer 110 or by the authentication server 120. A character is received, step 310, and it is verified whether the character satisfies attribute α, step 320. If it does not, it may be determined that a brute-force attack is being attempted, and suitable action may be taken in step 330. Suitable action can for example be to send a warning to the administrator and/or the user, to lock the system after X non-compliant passwords have been entered, and to apply a delay before accepting further attempts. It will be appreciated that the suitable action may be deferred until the whole password has been entered, in which case the method proceeds to step 340. The suitable action may also be deferred until a certain number of incorrect passwords (passwords that do not satisfy attribute α) have been entered; the count of incorrect passwords may take time into account, e.g. X incorrect passwords within the last Y seconds.
In step 340 it is verified whether the password is complete, in a manner similar to step 230 of the generation method. If it is not complete, the method waits for the next character at step 310; if it is complete, the entered password is verified in step 350, although this may be unnecessary when attribute α was not satisfied, since the password is then unlikely to be correct. In other words, it is verified that the entered password corresponds to the password protecting the entity. As already mentioned, suitable action may be taken at this point or earlier. It should also be noted that the verification of attribute α may be deferred to this step (i.e. step 320 occurs only at step 350, either before the password verification or after an unsuccessful password verification).
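The verification method of Fig. 3, including the deferred action of step 330 and the "X incorrect passwords in the last Y seconds" count, as an added Python example (not the patent's own code). It assumes that α is the digit-parity-alternation rule from the PIN case study, that the reference PIN is held as a string, that the counters are kept per user name in memory, and that X = 3 and Y = 60 s; the class and method names are this example's own.

```python
"""Added example (not the patent's own code): the verification loop of Fig. 3
with the 'suitable action' of step 330 deferred until X non-compliant passwords
have been seen within Y seconds. Names and the stored-PIN layout are assumptions.
"""
import hmac
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set


def alpha_prime(prefix: str, ch: str) -> bool:
    """alpha': each digit's parity differs from the previous one (first digit free)."""
    return not prefix or int(prefix[-1]) % 2 != int(ch) % 2


@dataclass
class Verifier:
    reference: Dict[str, str]                   # user name -> stored PIN (constructed data)
    max_violations: int = 3                     # X
    window_seconds: float = 60.0                # Y
    violations: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    locked: Set[str] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)   # warnings to the administrator

    def _record_violation(self, user: str, now: float) -> bool:
        """Count one password outside Omega_v; True once X fall within the last Y seconds."""
        q = self.violations[user]
        q.append(now)
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return len(q) >= self.max_violations

    def attempt(self, user: str, entered: str, now: Optional[float] = None) -> str:
        """Run steps 310-350 over the characters of `entered`.
        Returns 'locked', 'attack' (outside Omega_v), 'rejected' (wrong password) or 'ok'."""
        now = time.time() if now is None else now
        if user in self.locked:
            return "locked"
        prefix, compliant = "", True
        for ch in entered:                       # step 310: receive a character
            if not alpha_prime(prefix, ch):      # step 320: check attribute alpha
                compliant = False                # action deferred to the end of the password
            prefix += ch
        # step 340: the password is complete
        if not compliant:
            if self._record_violation(user, now):    # X in Y seconds: step 330 action
                self.locked.add(user)
                self.alerts.append(f"lock {user}: {self.max_violations} non-compliant "
                                   f"passwords within {self.window_seconds:.0f}s")
                return "locked"
            return "attack"
        # step 350: compare with the stored password only for compliant input
        return "ok" if hmac.compare_digest(self.reference.get(user, ""), entered) else "rejected"


def enumerate_until_locked(verifier: Verifier, user: str, start: float = 0.0) -> Optional[int]:
    """Systematic brute force '0000'..'9999', one guess per second; returns the number
    of guesses sent before the account locks, or None if it never does."""
    for n in range(10_000):
        if verifier.attempt(user, f"{n:04d}", now=start + n) == "locked":
            return n + 1
    return None


if __name__ == "__main__":
    v = Verifier(reference={"alice": "3816"})
    for pin in ("3816", "3814", "1111"):
        print(pin, "->", v.attempt("alice", pin))
    print("locked after", enumerate_until_locked(Verifier(reference={"bob": "7070"}), "bob"), "guesses")
```

attempt() returns "attack" as soon as a complete password falls outside Ω_v, which is the signal a conventional wrong-password counter cannot produce, and it consults the stored credential only for compliant input. enumerate_until_locked() shows the consequence for a systematic attacker: counting up from 0000 trips the lock on the third guess, before a single valid-space candidate has been tried, whereas a user who simply mistypes a compliant PIN is only "rejected".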
Alternate embodiment
A different way of expressing attribute α is to append to the password chosen by the user one or more characters chosen by the server as "authentication padding". Preferably, these characters are the result of a pseudo-random function whose parameters are the password entered by the user, the user's login and a server-side secret parameter. A drawback of this solution is that the user is forced to learn the few characters added to his password.
An example of the latter approach is a solution based on HMAC (hash-based message authentication code): at the generation stage, the user enters his password, the system computes the HMAC of that password and returns the "complete" password, made up of the user-entered password concatenated with the first n digits of the HMAC. At the authentication stage, the user enters the password and the system checks whether it is a possible password, i.e. verifies that its last n digits correspond to the HMAC value.
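The HMAC-based "authentication padding" variant, as an added Python example (not the patent's own code). It assumes that the padding is the first n hex digits of HMAC-SHA256 keyed with a server secret over the login and the user's password, that n = 4, and that a NUL byte separates login from password; the function names and the sample secret are this example's own.

```python
"""Added example (not the patent's own code): HMAC 'authentication padding'.

Generation: complete = user_password || first n hex digits of
            HMAC-SHA256(server_secret, login || 0x00 || user_password)
Login:      recompute the tag from the typed body and compare the last n chars.
The layout, n = 4 and hex encoding are this example's assumptions.
"""
import hashlib
import hmac


def padding(server_secret: bytes, login: str, user_password: str, n: int = 4) -> str:
    """First n hex digits of the keyed HMAC over login and password."""
    msg = login.encode() + b"\x00" + user_password.encode()   # separator: no ambiguity between fields
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()[:n]


def complete_password(server_secret: bytes, login: str, user_password: str, n: int = 4) -> str:
    """Generation stage: the 'complete' password the user must learn and type from now on."""
    return user_password + padding(server_secret, login, user_password, n)


def is_possible_password(server_secret: bytes, login: str, entered: str, n: int = 4) -> bool:
    """Authentication stage: is the entered string a member of Omega_v?
    Only the attribute is checked here; whether the password itself is the right
    one is still verified against the stored credential afterwards."""
    if len(entered) <= n:
        return False
    body, tag = entered[:-n], entered[-n:]
    return hmac.compare_digest(tag, padding(server_secret, login, body, n))


if __name__ == "__main__":
    SECRET = b"constructed-server-secret"          # constructed sample secret
    full = complete_password(SECRET, "alice", "hunter2")
    print("user learns:", full)
    print("possible:", is_possible_password(SECRET, "alice", full))
    print("possible with wrong tag:", is_possible_password(SECRET, "alice", full[:-4] + "zzzz"))
```

Because the tag is recomputed from the body of whatever was typed, any string whose last n characters do not match is outside Ω_v and can be treated as an attack without consulting the stored credential. The tag also binds the padding to the login, since the login is part of the HMAC input. It adds no guessing resistance against an attacker who has obtained the server secret, and the user still has to memorise the extra n characters, which is the drawback noted above.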
It will be appreciated that the present invention can provide a method of verifying passwords that:
● can resist brute-force and dictionary attacks,
● enables the system to distinguish whether it is under attack,
● is compatible with existing password-based authentication systems,
● is scalable (usable with long passwords over large alphabets), and
● in which attribute α can be adapted to different environments (PIN codes, text passwords, graphical passwords).
Each feature disclosed in the description and (where appropriate) the claims and drawings may be provided independently or in any appropriate combination. Features described as being implemented in hardware may also be implemented in software, and vice versa. Reference numerals appearing in the claims are by way of illustration only and shall have no limiting effect on the scope of the claims.
Claims (6)
1. A method of verifying a password while a user logs in to a password-protected entity, the method comprising the following steps in a processor (111, 112):
- receiving (310) at least one character of the password; and
- verifying (320) that the at least one received character has a parity value different from the parity of the length of the user name; and
- when all characters of the password have been received together with an indication that the password is complete, subsequently verifying (350) that the complete password corresponds to the password protecting the entity;
wherein the method further comprises the step of determining that a brute-force attack has been attempted upon detecting a predetermined number of passwords or partial passwords whose parity value equals the parity of the length of the user name.
2. The method of claim 1, further comprising the step of taking suitable action upon determining that a brute-force attack has been attempted.
3. The method of claim 2, wherein the suitable action comprises at least one of: sending a warning to an administrator, sending a warning to the user, locking the system, and waiting a predetermined time before accepting further login attempts.
4. A device (110, 120) for verifying a password while a user logs in to a password-protected entity, the device (110, 120) comprising:
- an interface (113, 114, 123, 124) for receiving at least one character of an entered password; and
- a processor (111, 121) for verifying that the at least one received password character has a parity value different from the parity of the length of the user name, and, when all characters of the password have been received together with an indication that the password is complete, for subsequently verifying (350) that the complete password corresponds to the password protecting the entity;
wherein the processor is further adapted to determine that a brute-force attack has been attempted upon detecting a predetermined number of passwords or partial passwords whose parity value equals the parity of the length of the user name.
5. The device of claim 4, wherein the processor is further adapted to take suitable action upon determining that a brute-force attack has been attempted.
6. The device of claim 5, wherein the suitable action comprises at least one of: sending a warning to an administrator, sending a warning to the user, locking the system, and waiting a predetermined time before accepting further login attempts.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
EP10305498.7 | 2010-05-11 | |
EP10305498A (EP2386973A1) | 2010-05-11 | 2010-05-11 | Methods, devices and computer program supports for password generation and verification
PCT/EP2011/057345 (WO2011141388A1) | 2010-05-11 | 2011-05-06 | Methods, devices and computer program supports for password generation and verification
Publications (2)
Publication Number | Publication Date
---|---
CN102884534A (en) | 2013-01-16
CN102884534B (en) | 2016-12-14
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US6148406A * | 1995-04-27 | 2000-11-14 | Weisz; Herman | Access control password generated as a function of random numbers
CN101604366A * | 2009-07-13 | 2009-12-16 | 中山爱科数字科技有限公司 | A password-separated dynamic verification method and system
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20161214; Termination date: 20190506