Dynamic password authentication method and system based on a software token
Technical field
The present invention relates to the field of information security, and in particular to a dynamic password authentication method and system.
Background technology
With the development of information technology, information security technology is applied ever more widely in many fields. In the field of information security, identity authentication is usually the first gate an information system relies on, and its security receives more and more attention. Accordingly, dynamic password technology, which strengthens the security of identity authentication, is being applied in more and more fields, especially online banking, online games, telecom operators, e-government and enterprise servers. Dynamic passwords are also a current focus of enterprise applications: more and more enterprises and organisations use them to protect their VPNs (Virtual Private Networks), servers and network equipment.
A dynamic password is an unpredictable combination of random digits generated by a specific algorithm, and each password is valid for one use only. It is currently widely used in online banking, online games, telecom operators, e-government and enterprise applications. Dynamic passwords are a safe and convenient anti-theft technology for accounts that effectively protects the security of transactions and logins. With dynamic passwords the user no longer needs to change the password periodically, which is both secure and convenient, and the system is protected at its most basic link, password authentication. This removes the heavy losses caused by password theft, prevents malicious intruders and human sabotage, and solves the intrusion problem caused by password disclosure.
According to the way the password is generated, dynamic password technology can be divided into time-based, event-based and challenge/response-based dynamic password technology. Among these, the time-based variety is the one most widely used in software tokens. However, a software token normally takes its time from the local machine, and the time of the local machine can be altered by a person at will; the dynamic password for a future moment can then be predicted, which is a security risk.
Invention content
In view of the above problems, the present invention provides an authentication method and an authentication system based on a software-token dynamic password, in which the time is obtained accurately by a satellite timing module during the authentication process. This guarantees the accuracy of the time and thereby improves the security of the user authentication process.
In a dynamic password authentication method based on a software token, the client obtains the accurate current time through a built-in satellite timing module and then sends the obtained current time to the server, so that the time of the client and the server is synchronised and the authentication of the dynamic password is completed. The method specifically includes the following steps:
S1: the client obtains the current time through its built-in satellite timing module, and sends the identification information that uniquely identifies the user together with the obtained current time to the server;
S2: the server looks up the key parameter uniquely associated with the user according to the received identification information;
S3: the client generates a first dynamic password from the current time, the key parameter pre-stored in the client and uniquely associated with the user, and the algorithm, and sends the first dynamic password to the server;
S4: the server generates a second dynamic password from the received current time, the key parameter found in S2, and the algorithm pre-stored in the server, which is identical to the client's;
S5: the server compares the generated second dynamic password with the received first dynamic password, completing the authentication of the dynamic password.
In this technical scheme the current time is first acquired accurately by the satellite timing module in the client and then sent to the server; the client and the server each generate a dynamic password based on the acquired time, and finally the server compares the two to authenticate. Obtaining the time from a satellite timing module avoids the security risk to the user of the time being altered while the dynamic password is in use, and so improves security.
Preferably, the satellite timing module consists of a GPS (Global Positioning System) timing chip, a BeiDou timing chip, or a BeiDou/GPS dual-mode chip.
Preferably, in steps S3 and S4 the algorithm that generates the first dynamic password and the second dynamic password is the SM3 algorithm.
Preferably, in step S3 the client sends the first dynamic password to the server by manual entry, by NFC (Near Field Communication) transmission, or by acoustic transmission.
In this technical scheme the user can choose the way the dynamic password is transmitted according to the situation at hand, which makes the authentication process more flexible.
A dynamic password authentication system based on a software token includes a client and a server. The client includes at least:
a satellite timing module, for accurately obtaining the current time;
an information acquisition module, for obtaining the user information uniquely associated with the user;
a first computing module, connected to the satellite timing module, for generating a first dynamic password from the current time obtained by the satellite timing module, the key parameter pre-stored in the client, and the algorithm;
an information sending module, connected to the satellite timing module, the information acquisition module and the first computing module respectively, for sending the current time obtained by the satellite timing module, the user information obtained by the information acquisition module, and the first dynamic password to the server.
The server includes at least:
an information receiving module, for receiving the current time, the user information and the first dynamic password sent by the client;
an information lookup module, connected to the information receiving module, for looking up the key parameter uniquely associated with the received user information;
a second computing module, connected to the information lookup module, for generating a second dynamic password from the current time, the key parameter found by the information lookup module, and the same algorithm as the client;
a comparison module, connected to the information receiving module and the second computing module respectively, for comparing the received first dynamic password with the second dynamic password and completing the authentication of the dynamic password.
Preferably, the satellite timing module consists of a GPS timing chip, a BeiDou timing chip, or a BeiDou/GPS dual-mode chip.
Preferably, the client and the server each further include an NFC module, the NFC module in the client being connected to the first computing module and the NFC module in the server being connected to the comparison module; the client sends the first dynamic password to the server through the NFC module.
In this technical scheme, as long as both the client and the server are equipped with an NFC module, the dynamic password can be transmitted.
Preferably, the client further includes a first audio conversion module connected to the first computing module and an audio sending module connected to the first audio conversion module; the first audio conversion module converts the first dynamic password into audio information, and the audio sending module sends the audio information to the server;
the server further includes an audio receiving module and a second audio conversion module; the audio receiving module receives the audio information sent by the client, and the second audio conversion module, connected to the audio receiving module and the comparison module respectively, converts the received audio information back into the first dynamic password.
Preferably, the client includes a display module connected to the first computing module for displaying the first dynamic password;
and the server includes an input module connected to the comparison module for manually entering the first dynamic password.
The dynamic password authentication method and system based on a software token provided by the invention have the following advantages:
1. In the present invention the time used by the software token is obtained by a satellite locator arranged in the client, which guarantees the accuracy of the time and avoids the situation with traditional software tokens where the time is tampered with during use; this substantially improves the security of using a software token.
2. In the present invention the communication between the client and the server is provided in several ways, including NFC near-field communication, manual entry and acoustic transmission, which makes the system more flexible in the authentication process; the user can choose according to the actual situation, which is convenient and efficient.
Description of the drawings
The invention is further described in detail below with reference to the accompanying drawings and specific embodiments:
Fig. 1 is a flow diagram of the dynamic password authentication method based on a software token according to the present invention;
Fig. 2 is a structural diagram of the dynamic password authentication system based on a software token according to the present invention.
Detailed description of embodiments
In order to explain the embodiments of the invention, or the technical solutions in the prior art, more clearly, the present invention is described in detail below with reference to the accompanying drawings and embodiments. The drawings in the following description are only some embodiments of the invention; a person of ordinary skill in the art may obtain other drawings from them without creative effort.
Fig. 1 shows the flow of the dynamic password authentication method based on a software token provided by the present invention. Specifically, the client obtains the accurate current time through a built-in satellite timing module and then sends the obtained current time to the server, so that the time of the client and the server is synchronised and the authentication of the dynamic password is completed. Before authentication, the identical algorithm and the key parameter are first stored in both the client and the server, the key parameter here corresponding one-to-one to a user. Of course, it will be understood that the server does not store the key parameter of only one user: the server of the QQ token, for example, stores the key parameter corresponding to every QQ number, and the server looks up the key parameter corresponding to the user's QQ number to authenticate the dynamic password. The method specifically includes the following steps:
S1: the client obtains the current time through its built-in satellite timing module, and sends the identification information that uniquely identifies the user together with the obtained current time to the server;
S2: the server looks up the key parameter uniquely associated with the user according to the received identification information;
S3: the client generates a first dynamic password from the current time, the key parameter pre-stored in the client and uniquely associated with the user, and the algorithm, and sends the first dynamic password to the server;
S4: the server generates a second dynamic password from the received current time, the key parameter found, and the algorithm pre-stored in the server, which is identical to the client's;
S5: the server compares the generated second dynamic password with the received first dynamic password, completing the authentication of the dynamic password.
Specifically, in step S1 the satellite timing module consists of a GPS timing chip, a BeiDou timing chip, or a BeiDou/GPS dual-mode chip. In a particular embodiment the satellite timing module may use a GPS timing chip of model UBLOX or M8729, or a BeiDou/GPS dual-mode chip of model UM220-III. Of course, the present invention does not limit the specific model of the timing chip contained in the satellite timing module; any chip that achieves the object of the invention falls within the scope of the invention. In addition, the identification information used to identify the user in step S1 specifically includes, but is not limited to, the user name, the user's ID card number and so on; anything that can uniquely identify the user falls within the scope of the invention.
In step S3 the client uses an algorithm, such as the SM3 algorithm, to generate the first dynamic password. Of course, the algorithm the client uses to generate the first dynamic password is not specifically limited; any algorithm that achieves the object of the invention falls within the scope of the invention. In step S4 the server uses the same algorithm as the client to generate the second dynamic password.
In addition, in step S3 the client sends the first dynamic password to the server by manual entry, by NFC transmission, or by acoustic transmission. Specifically, to transmit by manual entry, the client includes a display module for showing the first dynamic password and the server includes an input module, such as a keyboard, for entering the first dynamic password; to transmit by NFC, it suffices that both the client and the server have an NFC chip; to transmit acoustically, the client and the server each include an audio conversion module that converts between audio signals and digital information.
As shown in Fig. 2, the present invention also provides a dynamic password authentication system based on a software token, including a client and a server. Specifically, the client obtains the accurate current time through a built-in satellite timing module and then sends the obtained current time to the server, so that the time of the client and the server is synchronised and the authentication of the dynamic password is completed.
The client includes at least:
a satellite timing module, for accurately obtaining the current time; specifically, the satellite timing module consists of a GPS timing chip, a BeiDou timing chip, or a BeiDou/GPS dual-mode chip, and in a particular embodiment it may use a GPS timing chip of model UBLOX or M8729, or a BeiDou/GPS dual-mode chip of model UM220-III; of course, the present invention does not limit the specific model of the timing chip contained in the satellite timing module, and any chip that achieves the object of the invention falls within the scope of the invention;
an information acquisition module, for obtaining the user information uniquely associated with the user; here the information may be acquired by keyboard input or similar means;
a first computing module, connected to the satellite timing module, for generating a first dynamic password from the current time obtained by the satellite timing module, the key parameter pre-stored in the client, and the algorithm (e.g. the SM3 algorithm);
an information sending module, connected to the satellite timing module, the information acquisition module and the first computing module respectively, for sending the current time obtained by the satellite timing module, the user information obtained by the information acquisition module, and the first dynamic password to the server.
The server includes at least:
an information receiving module, for receiving the current time, the user information and the first dynamic password sent by the client;
an information lookup module, connected to the information receiving module, for looking up the key parameter uniquely associated with the received user information;
a second computing module, connected to the information lookup module, for generating a second dynamic password from the current time, the key parameter found by the information lookup module, and the same algorithm as the client (e.g. the SM3 algorithm);
a comparison module, connected to the information receiving module and the second computing module respectively, for comparing the received first dynamic password with the second dynamic password; if the comparison succeeds the authentication of the dynamic password is complete, and if it fails the user is prompted to confirm.
In a particular embodiment the client and the server each further include an NFC module, the NFC module in the client being connected to the first computing module and the NFC module in the server being connected to the comparison module, and the client sends the first dynamic password to the server through the NFC module. Specifically, the client includes a mobile phone with a built-in NFC module; the NFC chip is installed inside the phone and reads tag information, and the short-range information exchange is accomplished over NFC, which not only greatly simplifies the whole authentication process but also enhances the security of the invention. Furthermore, during the transmission of the dynamic password the user can select the data rate of the NFC module in the client, such as 106 kbps, 212 kbps or 424 kbps; once the rate is selected, the dynamic password is sent to the server through the NFC module at the chosen rate.
In another particular embodiment the client further includes a first audio conversion module connected to the first computing module and an audio sending module connected to the first audio conversion module; the first audio conversion module converts the first dynamic password into audio information, and the audio sending module sends the audio information to the server. The server further includes an audio receiving module and a second audio conversion module; the audio receiving module receives the audio information sent by the client, and the second audio conversion module, connected to the audio receiving module and the comparison module respectively, converts the received audio information into the first dynamic password. Specifically, the first audio conversion module in the client and the second audio conversion module in the server use the same audio conversion technique to convert the data sent and the data received, for example DTMF (Dual-Tone Multi-Frequency) signalling. Of course, the method of audio conversion is not specifically limited, as long as it achieves the object of the invention.
In another particular embodiment the client includes a display module, such as a liquid crystal display, connected to the first computing module for displaying the first dynamic password, and the server includes an input module, such as a keyboard, connected to the comparison module for manually entering the first dynamic password.
Of course, in some special cases the client and the server may be the same device; the dynamic password is then transferred by switching between the application programs.
As a complete embodiment, the authentication process for the dynamic password is described below for the case where both the client and the server include an NFC module and the client includes a GPS locator:
The client obtains the identification information that uniquely identifies the user, such as a user name, through an input device such as a keyboard, while the GPS locator in the client obtains the current time. The client then sends the identification information and the obtained time together to the server and, at the same time, generates the first dynamic password in the client from the current time, the key parameter and the SM3 algorithm. After receiving them, the server first finds the associated key parameter from the received identification information, then generates the second dynamic password from the received current time, the key parameter found and the SM3 algorithm. Finally the client and the server establish an NFC connection, the client sends the first dynamic password to the server, and the server compares the received first dynamic password with the second dynamic password to complete the authentication of the dynamic password; if authentication fails, the user is prompted to authenticate again.
Finally, it should be noted that the dynamic password authentication method and system based on a software token described above are all based on the case where the client includes a satellite timing module and the time obtained in the client is sent to the server. In other embodiments the time in the server may also be obtained by a satellite timing module arranged in the server; the client and the server are then each provided with a satellite timing module, each uses the time it obtained itself to generate the dynamic password, and the authentication of the dynamic password is finally carried out in the server.
The specific embodiments of the invention have been described in detail above, but the invention is not limited to the specific embodiments described, which serve only as examples. To those skilled in the art, any equivalent modifications and substitutions made to the system also fall within the scope of the invention. Therefore, equivalent transformations and modifications made without departing from the spirit and scope of the invention should all be covered by the scope of the invention.