CN107454115B - digest authentication method and digest authentication system - Google Patents

Publication number
CN107454115B
Authority
CN
China
Prior art keywords
verification
random number
server
client
preset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710935972.3A
Other languages
Chinese (zh)
Other versions
CN107454115A (en)
Inventor
马永建
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing QIYI Century Science and Technology Co Ltd
Original Assignee
Beijing QIYI Century Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Beijing QIYI Century Science and Technology Co Ltd
Priority to CN201710935972.3A
Publication of CN107454115A
Application granted
Publication of CN107454115B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords


Abstract

The application discloses a digest authentication method and a digest authentication system. When performing digest authentication according to the method, the client only needs to send one message to the server, which reduces the number of requests sent to the server and thus the pressure placed on the server by clients sending multiple requests during digest authentication.

Description

digest authentication method and digest authentication system
Technical Field
The present application relates to the field of digest authentication technologies, and in particular, to a digest authentication method and a digest authentication system.
Background
SIP (Session Initiation Protocol) is a multimedia communication protocol established by the IETF (Internet Engineering Task Force), and is a mainstream protocol of current IP phones. HTTP Digest authentication is the main security mechanism in SIP, and is implemented based on a challenge-response mechanism.
In the prior art, the verification process between the client and the server by using digest authentication mainly comprises the following steps: firstly, a client sends a request to a server, the server generates a random number after receiving the request, generates challenge information by using the random number and a domain name and sends the challenge information to the client; after receiving the challenge information, the client calculates a response according to the random number, the domain name, the user name and the password and sends the response to the server; and the server verifies the client after receiving the response.
In the authentication process, the client needs to send two requests to the server, and with the increasing number of clients, the authentication mode causes great pressure on the server.
Disclosure of Invention
In order to solve the above technical problems, the present invention provides a digest authentication method and a digest authentication system, so as to reduce the pressure that the client places on the server during the digest authentication process.
In order to achieve the technical purpose, the embodiment of the invention provides the following technical scheme:
A digest authentication method, applied to a communication system, the communication system comprises a client and a server, the digest authentication method comprises:
taking a timestamp corresponding to the current time of the client as a random number, and determining an encryption key from an initial key built in the client according to the timestamp and a preset rule;
calculating a random signature through a preset encryption algorithm according to the random number and the encryption key;
calculating response parameters according to the random number, the encryption key and the access parameters;
and generating a message according to the response parameter, the random number, the random signature and the preset encryption algorithm, and sending the message to the server so that the server performs digest verification on the client according to the message.
Optionally, the calculating response parameters according to the random number, the encryption key, and the access parameters includes:
and calculating response parameters according to the random number, the encryption key and the access parameters by utilizing a secure hash algorithm.
Optionally, the performing, by the server, digest verification on the client according to the packet includes:
the server determines a verification key from a built-in initial key according to a preset rule according to a timestamp corresponding to the random number, and calculates a verification signature according to the random number and the verification key by using the preset encryption algorithm;
and judging whether the verification signature and the random signature are consistent; if so, the client passes the verification, and if not, discarding the message.
Optionally, the performing, by the server, digest verification on the client according to the packet includes:
the server determines a verification key from a built-in initial key according to a preset rule according to a timestamp corresponding to the random number, and calculates a verification signature according to the random number and the verification key by using the preset encryption algorithm;
judging whether the verification signature and the random signature are consistent, and if not, discarding the message;
if they are consistent and the difference between the timestamp corresponding to the random number and the current timestamp of the server does not exceed a preset threshold, the server queries a preset database, according to the user name, for the built-in password which is preset in the server and corresponds to the user name, and calculates a verification parameter according to the user name, a domain name, the built-in password, the random number and an encryption key in the access parameter, and when the verification parameter is consistent with the response parameter, the client passes the verification;
and the preset database stores the corresponding relation between the user name and the built-in password.
Optionally, the value range of the preset threshold is 30 s to 90 s, inclusive of the endpoints.
A digest authentication system applied to a communication system, the communication system comprises a client and a server, the digest authentication system comprises:
the random number determining module is used for taking a timestamp corresponding to the current time of the client as a random number and determining an encryption key from an initial key built in the client according to the timestamp and a preset rule;
the signature calculation module is used for calculating a random signature through a preset encryption algorithm according to the random number and the encryption key;
the response parameter calculation module is used for calculating response parameters according to the random number, the encryption key and the access parameters;
and the message generation module is used for generating a message according to the response parameter, the random number, the random signature and the preset encryption algorithm and sending the message to the server so that the server performs digest verification on the client according to the message.
Optionally, the specific process of the response parameter calculation module calculating the response parameter according to the random number, the encryption key and the access parameter includes:
and calculating response parameters according to the random number, the encryption key and the access parameters by utilizing a secure hash algorithm.
Optionally, the specific process of the server performing digest verification on the client according to the packet includes:
the server determines a verification key from a built-in initial key according to a preset rule according to a timestamp corresponding to the random number, and calculates a verification signature according to the random number and the verification key by using the preset encryption algorithm;
and judging whether the verification signature and the random signature are consistent; if so, the client passes the verification, and if not, discarding the message.
Optionally, the specific process of the server performing digest verification on the client according to the packet includes:
the server determines a verification key from a built-in initial key according to a preset rule according to a timestamp corresponding to the random number, and calculates a verification signature according to the random number and the verification key by using the preset encryption algorithm;
judging whether the verification signature and the random signature are consistent, and if not, discarding the message;
if they are consistent and the difference between the timestamp corresponding to the random number and the current timestamp of the server does not exceed a preset threshold, the server queries a preset database, according to the user name, for the built-in password which is preset in the server and corresponds to the user name, calculates a verification parameter according to the user name, a domain name, the built-in password, the random number and an encryption key in the access parameter, and if the verification parameter is consistent with the response parameter, the client passes the verification;
and the preset database stores the corresponding relation between the user name and the built-in password.
Optionally, the value range of the preset threshold is 30 s to 90 s, inclusive of the endpoints.
It can be seen from the foregoing technical solutions that the embodiments of the present invention provide a digest authentication method and a digest authentication system. When performing digest authentication according to the digest authentication method, the client only needs to send one message to the server, so the number of requests sent to the server is reduced, and with it the pressure on the server caused by the client sending multiple requests during digest authentication.
And the client uses a timestamp corresponding to the current time of the client as a random number, and determines an encryption key according to the timestamp and a preset rule so as to ensure the encryption characteristic of the message sent to the server, and the password of the user is embodied in the message in a response parameter mode, so that the risk of information leakage caused by message leakage in the transmission process is avoided.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from the provided drawings without creative effort.
Fig. 1 is a schematic flowchart of a digest authentication method provided in an embodiment of the present application;
Fig. 2 is a schematic flowchart of a client and a server performing digest authentication by using a digest authentication method according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of a client and a server performing digest authentication by using a digest authentication method according to another embodiment of the present application;
Fig. 4 is a schematic flowchart of a process in which a server verifies a client according to a message, provided by an embodiment of the present application;
Fig. 5 is a schematic flowchart of a process in which a server verifies a client according to a message, according to another embodiment of the present application;
Fig. 6 is a schematic structural diagram of a digest authentication system provided in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the drawings in the embodiments of the present invention. It is obvious that the described embodiments are only some of the embodiments of the present invention, rather than all embodiments.
The embodiment of the application provides a digest authentication method, which is applied to a communication system as shown in fig. 1 and fig. 2, wherein the communication system comprises a client and a server, and the digest authentication method comprises the following steps:
S101: taking a timestamp corresponding to the current time of the client as a random number, and determining an encryption key from an initial key built in the client according to the timestamp and a preset rule;
It should be noted that the preset rule is a rule, agreed between the client and the server in the communication system, for determining the encryption key.
For example, when the initial key is 123456789, the preset rule may be as follows: at minutes within hours, the digits at a preset position are selected as the encryption key; the preset position is then moved backward by one position every 0 hours; and once the preset position covers the last digits of the initial key, it is reset at the next change of the preset position. Taking the first three digits as the initial preset position, the encryption key determined from the initial key is at first 123; after one interval has passed, the position moves backward by one position and the encryption key determined from the initial key is 234; and so on. When the position is the last three digits, that is, when the encryption key determined from the initial key is 789, the next change of the preset position resets it to the first three digits.
Of course, the above example is only used for more clearly explaining the process of determining the encryption key from the built-in initial key according to the timestamp according to the preset rule, and in the practical application process, the determination of the preset rule is determined according to the actual situation. This is not a limitation of the present application.
S102: calculating a random signature through a preset encryption algorithm according to the random number and the encryption key;
S103: calculating response parameters according to the random number, the encryption key and the access parameters;
The access parameters include a user name, a password and a domain name. The user name and the password are the authentication parameters for the user's authority: the server can determine whether the user has the corresponding authority by determining whether the user name is registered and whether the user name and the password correspond. The domain name represents the target address that the user wants to access.
For example, when a user wants to access the domain name abc.com, the user name zhangsan and the password zhangsan123 registered in advance under that domain name, together with the destination address (abc.com) that the user wants to access, need to be sent to the server. After receiving the access information, the server first determines whether the user name zhangsan exists in the user list corresponding to the domain name; if so, it determines whether the password corresponding to zhangsan is zhangsan123; only after all verifications pass is the subsequent access operation allowed.
S104: and generating a message according to the response parameter, the random number, the random signature and the preset encryption algorithm, and sending the message to the server so that the server performs digest verification on the client according to the message.
In order to ensure that the password of the user is not leaked in the transmission process, the password in the access parameters is transmitted in the message in the form of a response parameter. Specifically, in one embodiment of the present application, the form of the message may be as follows:
Authorization:Digest username="10089",realm="example",nonce="1482556327",
noncesign="c6c7d1a858c77c93fc222842",response="6d0660adbfc8c81d167c76de25129a42",algorithm=SHA1;
Here, username is the user name, realm is the domain name, noncesign is the random signature, response is the response parameter, algorithm is the type of the preset encryption algorithm, and SHA1 is the secure hash algorithm.
The preset encryption algorithm types include, but are not limited to, a hash algorithm, a secure hash algorithm, and an RSA algorithm. In this embodiment, a secure hash algorithm is taken as an example.
It should be further noted that, when performing digest authentication according to the digest authentication method, the client only needs to send one message to the server, which reduces the number of requests sent to the server and thus the pressure on the server caused by the client sending multiple requests during digest authentication.
And the client uses a timestamp corresponding to the current time of the client as a random number, and determines an encryption key according to the timestamp and a preset rule so as to ensure the encryption characteristic of the message sent to the server, and the password of the user is embodied in the message in a response parameter mode, so that the risk of information leakage caused by message leakage in the transmission process is avoided.
On the basis of the above embodiments, in one embodiment of the present application, as shown in fig. 3, the calculating response parameters according to the random number, the encryption key, and the access parameter includes:
S1021: and calculating response parameters according to the random number, the encryption key and the access parameters by utilizing a secure hash algorithm.
That is, if nonce represents the random number, key represents the encryption key, password represents the password, username represents the user name, and realm represents the domain name, then calculating the response parameter according to the random number, the encryption key, and the access parameters using the secure hash algorithm can be expressed as:
response = F(nonce, username, password, realm, key), where F represents the secure hash algorithm and response represents the response parameter.
The Secure Hash Algorithm (SHA1) is mainly suitable for the Digital Signature Algorithm (DSA) defined in the Digital Signature Standard (DSS). For a message less than 2^64 bits in length, SHA1 generates a 160-bit message digest. SHA1 has the property that it is not possible to recover information from the message digest, and two different messages do not generate the same message digest. This property of SHA1 ensures the security of the user's password during transmission.
Based on the foregoing embodiments, in another embodiment of the present application, as shown in fig. 4, the performing, by the server, digest verification on the client according to the packet includes:
S201: the server determines a verification key from a built-in initial key according to a preset rule according to a timestamp corresponding to the random number, and calculates a verification signature according to the random number and the verification key by using the preset encryption algorithm;
S202: judging whether the verification signature and the random signature are consistent; if so, the client passes the verification, and if not, discarding the message.
Both the server and the client have the initial key built in. As long as the preset rule of the server is the same as the preset rule of the client, the verification key and the encryption key determined from the initial key in the same time period are the same, so the verification signature that the server calculates with the preset encryption algorithm from the random number and the verification key is the same as the random signature that the client calculates with the preset encryption algorithm from the random number and the encryption key. A match therefore indicates, to a certain extent, that the message transmitted from the client to the server was not intercepted, and authenticates the client to a certain extent.
Based on the foregoing embodiments, in still another embodiment of the present application, as shown in fig. 5, the performing, by the server, digest verification on the client according to the message includes:
S201: the server determines a verification key from a built-in initial key according to a preset rule according to a timestamp corresponding to the random number, and calculates a verification signature according to the random number and the verification key by using the preset encryption algorithm;
S203: judging whether the verification signature and the random signature are consistent, and if not, discarding the message;
if they are consistent and the difference between the timestamp corresponding to the random number and the current timestamp of the server does not exceed a preset threshold, the server queries a preset database, according to the user name, for the built-in password which is preset in the server and corresponds to the user name, and calculates a verification parameter according to the user name, a domain name, the built-in password, the random number and an encryption key in the access parameter, and when the verification parameter is consistent with the response parameter, the client passes the verification;
and the preset database stores the corresponding relation between the user name and the built-in password.
In this embodiment, a successful check of the verification signature only establishes, to a certain extent, that the message transmitted from the client to the server was not intercepted; it is still possible that the message was sent by an attacker, or was retransmitted after being intercepted. Therefore, once the verification signature has been verified, the server first checks whether the difference between the timestamp corresponding to the random number and the current timestamp of the server exceeds a preset threshold. If it does, there are two possibilities: one is that the local time of the client is inaccurate, and the other is that the message may be an attack packet sent by an attacker. In this case the message is untrusted, and the server generates challenge information and sends it to the client, so that the client sends a request to the server according to the prior-art flow to complete digest authentication;
If the difference between the timestamp corresponding to the random number and the current timestamp of the server does not exceed the preset threshold, the server further queries the preset database, according to the user name, for the built-in password corresponding to the user name, calculates a verification parameter according to the built-in password, the user name, the domain name, the random number and the encryption key, and judges whether the verification parameter and the response parameter are consistent; if so, the client passes the verification, and if not, the message is discarded.
In one embodiment of the present application, the value range of the preset threshold is 30 s to 90 s, inclusive of the endpoints. In one embodiment of the present application, the value of the preset threshold is 60 s. Of course, in other embodiments of the present application the preset threshold may take other values; the specific value is not limited in the present application and is determined according to the actual situation.
In another embodiment of the present application, the process of generating challenge information by the server specifically includes:
The server generates a verification random number and generates the challenge information according to the verification random number and the domain name.
Specifically, in this embodiment, when the verification signature and the random signature pass the verification (that is, when they are consistent), a time-based check is still needed: the server determines whether the difference between the timestamp corresponding to the random number and the timestamp corresponding to the current time of the server exceeds the preset threshold. If it does, the time of the client or the server may be wrong and a security risk exists; in that case the server performs digest authentication of the client according to the prior-art challenge-response mechanism.
Since the conventional digest authentication process after the server sends the challenge information to the client is well known to those skilled in the art, it is not described herein.
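The single-message flow of S101 to S104 and the server-side checks described above, as an added Python example that is not code from the patent. Assumptions not on the page: HMAC-SHA1 over colon-joined fields stands in for both the signature and F, the three-digit window rotates once per hour of Unix time, unknown user names are dropped, and the optional `seen` set (a replay cache for messages repeated inside the threshold) goes beyond what the page describes.

```python
import hashlib
import hmac
import re

INITIAL_KEY = "123456789"  # the page's example initial key
WINDOW = 3                 # the page's example key is three digits long
ROTATE_SECONDS = 3600      # assumption: the window moves once per hour of Unix time
MAX_SKEW = 60              # the page's example threshold (allowed range 30 s to 90 s)


def derive_key(timestamp, initial_key=INITIAL_KEY):
    """Preset rule: slide a three-digit window one position per period, then wrap."""
    positions = len(initial_key) - WINDOW + 1  # 123, 234, ..., 789
    start = (timestamp // ROTATE_SECONDS) % positions
    return initial_key[start:start + WINDOW]


def _mac(key, *fields):
    """HMAC-SHA1 over colon-joined fields (assumed; the page only names SHA1).

    SHA1 is kept because the page's sample message declares algorithm=SHA1;
    practical SHA-1 collisions are public, so new designs use HMAC-SHA256.
    """
    return hmac.new(key.encode(), ":".join(fields).encode(), hashlib.sha1).hexdigest()


def build_authorization(username, password, realm, now):
    """Client side, S101 to S104: one message, no prior challenge."""
    nonce = str(int(now))                                   # timestamp as random number
    key = derive_key(int(now))                              # S101
    noncesign = _mac(key, nonce)                            # S102
    response = _mac(key, nonce, username, password, realm)  # S103
    return (f'Digest username="{username}",realm="{realm}",nonce="{nonce}",'
            f'noncesign="{noncesign}",response="{response}",algorithm=SHA1')


_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,;\s]+))')


def parse_authorization(value):
    """Parse the name=value list of the header into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(value)}


def _same(a, b):
    """Constant-time comparison that also tolerates non-ASCII input."""
    return hmac.compare_digest(a.encode(), b.encode())


def verify(header_value, passwords, now, seen=None):
    """Server side: returns 'accept', 'drop' or 'challenge'."""
    p = parse_authorization(header_value)
    required = ("username", "realm", "nonce", "noncesign", "response")
    if any(k not in p for k in required) or not re.fullmatch(r"[0-9]{1,12}", p["nonce"]):
        return "drop"
    ts = int(p["nonce"])
    key = derive_key(ts)  # S201: key comes from the client's timestamp, not server time
    if not _same(_mac(key, p["nonce"]), p["noncesign"]):
        return "drop"     # signature mismatch: discard the message
    if abs(int(now) - ts) > MAX_SKEW:
        return "challenge"  # stale or skewed: fall back to challenge-response
    password = passwords.get(p["username"])
    if password is None:
        return "drop"     # assumption: unknown users are dropped
    expected = _mac(key, p["nonce"], p["username"], password, p["realm"])
    if not _same(expected, p["response"]):
        return "drop"
    if seen is not None:  # added replay cache, not part of the page's scheme
        token = (p["username"], p["nonce"], p["response"])
        if token in seen:
            return "drop"
        seen.add(token)
    return "accept"


if __name__ == "__main__":
    now = 1482556327  # the nonce value from the page's sample message
    users = {"10089": "constructed-password"}  # constructed credential
    header = build_authorization("10089", "constructed-password", "example", now)
    print("Authorization:", header)
    for delay in (5, 120):
        print(delay, "s later ->", verify(header, users, now + delay))
```

Without the `seen` set, the same header is accepted every time it arrives inside the threshold, which is the retransmission case the timestamp check alone does not cover.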
Correspondingly, the embodiment of the present application further provides a digest authentication system, as shown in fig. 6, which is applied to a communication system, the communication system includes a client and a server, and the digest authentication system includes:
a random number determining module 100, configured to use a timestamp corresponding to the current time of the client as a random number, and determine an encryption key from an initial key built in the client according to a preset rule according to the timestamp;
a signature calculation module 200, configured to calculate a random signature through a preset encryption algorithm according to the random number and the encryption key;
a response parameter calculation module 300, configured to calculate a response parameter according to the random number, the encryption key, and the access parameter;
a message generating module 400, configured to generate a message according to the response parameter, the random number, the random signature, and the preset encryption algorithm, and send the message to the server, so that the server performs digest verification on the client according to the message.
It should be noted that the preset rule is a rule, agreed between the client and the server in the communication system, for determining the encryption key.
For example, when the initial key is 123456789, the preset rule may be as follows: at minutes within hours, the digits at a preset position are selected as the encryption key; the preset position is then moved backward by one position every hours; and once the preset position covers the last digits of the initial key, it is reset at the next change of the preset position;
Taking the first three digits as the initial preset position, the encryption key determined from the initial key is at first 123; after one interval has passed, the position moves backward by one position and the encryption key determined from the initial key is 234; and so on. When the position is the last three digits, that is, when the encryption key determined from the initial key is 789, the next change of the preset position resets it to the first three digits.
Of course, the above example is only used for more clearly explaining the process of determining the encryption key from the built-in initial key according to the timestamp according to the preset rule, and in the practical application process, the determination of the preset rule is determined according to the actual situation. This is not a limitation of the present application.
In order to ensure that the password of the user is not leaked in the transmission process, the password in the access parameters is transmitted in the message in the form of a response parameter. Specifically, in one embodiment of the present application, the form of the message may be as follows:
Authorization:Digest username="10089",realm="example",nonce="1482556327",
noncesign="c6c7d1a858c77c93fc222842",response="6d0660adbfc8c81d167c76de25129a42",algorithm=SHA1;
Here, username is the user name, realm is the domain name, noncesign is the random signature, response is the response parameter, algorithm is the type of the preset encryption algorithm, and SHA1 is the secure hash algorithm.
It should be further noted that, in the digest authentication system, the client only needs to send one message to the server during digest authentication, which reduces the number of requests sent to the server and thus the pressure on the server caused by the client sending multiple requests during digest authentication.
And the client uses a timestamp corresponding to the current time of the client as a random number, and determines an encryption key according to the timestamp and a preset rule so as to ensure the encryption characteristic of the message sent to the server, and the password of the user is embodied in the message in a response parameter mode, so that the risk of information leakage caused by message leakage in the transmission process is avoided.
The access parameters include a user name, a password and a domain name. The user name and the password are the authentication parameters for the user's authority: the server can determine whether the user has the corresponding authority by determining whether the user name is registered and whether the user name and the password correspond. The domain name represents the target address that the user wants to access.
For example, when a user wants to access the domain name abc.com, the user name zhangsan and the password zhangsan123 registered in advance under that domain name, together with the destination address (abc.com) that the user wants to access, need to be sent to the server. After receiving the access information, the server first determines whether the user name zhangsan exists in the user list corresponding to the domain name; if so, it determines whether the password corresponding to zhangsan is zhangsan123; only after all verifications pass is the subsequent access operation allowed.
Based on the foregoing embodiments, in one embodiment of the present application, the specific process of the response parameter calculating module 300 calculating the response parameter according to the random number, the encryption key, and the access parameter includes:
and calculating response parameters according to the random number, the encryption key and the access parameters by utilizing a secure hash algorithm.
That is, if nonce represents the random number, key the encryption key, password the password, username the user name, and realm the domain name, then calculating the response parameter according to the random number, the encryption key, and the access parameter by using the secure hash algorithm can be expressed as:
response = F(nonce, username, password, realm, key); wherein F represents the secure hash algorithm, and response represents the response parameter.
The Secure Hash Algorithm (SHA1) is mainly suitable for the Digital Signature Algorithm (DSA) defined in the Digital Signature Standard (DSS). For a message shorter than 2^64 bits, SHA1 generates a 160-bit message digest, which can be used to verify the integrity of the data when the message is received. During transmission, the data is likely to change, and in that case a different message digest is generated. SHA1 has the following characteristics: information may not be recovered from the message digest; two different messages do not produce the same message digest. This feature of SHA1 ensures the security of the user's password during transmission.
On the basis of the foregoing embodiments, in another embodiment of the present application, the specific process of the server performing digest verification on the client according to the packet includes:
the server determines a verification key from a built-in initial key according to a preset rule according to a timestamp corresponding to the random number, and calculates a verification signature according to the random number and the verification key by using the preset encryption algorithm;
and judging whether the verification signature and the random signature are consistent; if so, the client passes the verification, and if not, discarding the message.
The server and the client each have a built-in initial key. As long as the preset rule of the server and the preset rule of the client are the same, the verification key and the encryption key determined from the initial keys in the same time period are the same. The verification signature that the server calculates from the random number and the verification key by using the preset encryption algorithm is therefore the same as the random signature that the client calculates from the random number and the encryption key by using the preset encryption algorithm. A match thus shows, to a certain extent, that the message transmitted from the client to the server was not intercepted, and the client can be authenticated to a certain extent.
On the basis of the foregoing embodiments, in still another embodiment of the present application, the specific process of the server performing digest verification on the client according to the packet includes:
the server determines a verification key from a built-in initial key according to a preset rule according to a timestamp corresponding to the random number, and calculates a verification signature according to the random number and the verification key by using the preset encryption algorithm;
judging whether the verification signature and the random signature are consistent, if not, discarding the message;
if not, the server queries a preset database, according to the user name, for the built-in password corresponding to the user name, calculates verification parameters according to the user name and the domain name in the access parameters, the random number and an encryption key, and when the verification parameters are consistent with the response parameters, the client passes the verification;
and the preset database stores the corresponding relation between the user name and the built-in password.
In this embodiment, a successful check of the verification signature only establishes, to a certain extent, that the message transmitted from the client to the server was not intercepted; there still exists a possibility that the message was transmitted by an attacker or retransmitted after being intercepted. Therefore, on the premise that the verification signature has been verified, the server first checks whether the difference between the timestamp corresponding to the random number and the current timestamp of the server exceeds a preset threshold. If the difference exceeds the preset threshold, there are two possibilities: one is that the local time of the client is inaccurate, and the other is that the message may be an attack packet transmitted by an attacker. In this case the message is untrusted, and the server generates challenge information and transmits it to the client, so that the client sends a request to the server according to the flow in the prior art to complete digest authentication.
If the difference between the timestamp corresponding to the random number and the current timestamp of the server does not exceed the preset threshold, the server further queries a preset database, according to the user name, for the built-in password corresponding to the user name, calculates an authentication parameter according to the built-in password, the user name, the domain name, the random number and an encryption key, and judges whether the authentication parameter and the response parameter are consistent; if so, the client passes the authentication, and if not, the message is discarded.
Specifically, in this embodiment, when the verification signature and the random signature pass the verification (that is, when the verification signature and the random signature are consistent), a time-based determination is also required: the server must determine whether the difference between the timestamp corresponding to the random number and the timestamp corresponding to the current time of the server exceeds a preset threshold. If the difference exceeds the preset threshold, the time of the client or the server may be in error and a safety hazard exists; in that case the server is required to perform digest authentication of the client according to the challenge-response mechanism in the prior art.
Since the conventional digest authentication process after the server sends the challenge information to the client is well known to those skilled in the art, it is not described herein.
In one embodiment of the present application, the value range of the preset threshold is 30s to 90s, including the endpoint values. In one embodiment of the present application, the value of the preset threshold is 60s. Of course, in other embodiments of the present application, the preset threshold may take other values; the specific value of the preset threshold is not limited in the present application and is determined according to the actual situation.
In another embodiment of the present application, the process of generating challenge information by the server specifically includes:
the server generates a verification random number and generates the challenge information according to the verification random number and the domain name.
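The client message construction and the server's three checks described above (signature, timestamp threshold, response), as an added Python example that is not part of the patent text. The key-derivation rule (one key per hour via HMAC), HMAC-SHA1 as the preset encryption algorithm, the colon-joined field encoding and every constant value are assumptions, because the patent leaves them unspecified.

```python
import hashlib
import hmac

INITIAL_KEY = b"constructed-initial-key"  # built into client and server (constructed value)
KEY_PERIOD = 3600                         # assumed preset rule: one key per hour
THRESHOLD = 60                            # preset threshold in seconds (page: 30s to 90s)
USER_DB = {"zhangsan": "zhangsan123"}     # preset database: user name -> built-in password


def derive_key(timestamp: int) -> bytes:
    """Assumed preset rule: HMAC the time-period index with the initial key."""
    period = str(timestamp // KEY_PERIOD).encode()
    return hmac.new(INITIAL_KEY, period, hashlib.sha1).digest()


def sign_nonce(nonce: str, key: bytes) -> str:
    """Random signature / verification signature (assumed algorithm: HMAC-SHA1)."""
    return hmac.new(key, nonce.encode(), hashlib.sha1).hexdigest()


def compute_response(nonce: str, username: str, password: str, realm: str, key: bytes) -> str:
    """response = F(nonce, username, password, realm, key) with F = SHA1."""
    fields = [nonce, username, password, realm, key.hex()]  # assumed encoding
    return hashlib.sha1(":".join(fields).encode()).hexdigest()


def build_message(username: str, password: str, realm: str, now: int) -> dict:
    """Client side: build the single message sent to the server."""
    nonce = str(now)  # the client's timestamp serves as the random number
    key = derive_key(now)
    return {
        "username": username,
        "realm": realm,
        "nonce": nonce,
        "noncesign": sign_nonce(nonce, key),
        "response": compute_response(nonce, username, password, realm, key),
        "algorithm": "SHA1",
    }


def _same(a: str, b: str) -> bool:
    """Constant-time comparison of two text values."""
    return hmac.compare_digest(a.encode(), b.encode())


def verify_message(msg: dict, server_now: int) -> str:
    """Server side: return 'ok', 'discard' or 'challenge'."""
    nonce = str(msg.get("nonce", ""))
    try:
        timestamp = int(nonce)
    except ValueError:
        return "discard"
    key = derive_key(timestamp)
    # Check 1: the verification signature must match the random signature.
    if not _same(sign_nonce(nonce, key), str(msg.get("noncesign", ""))):
        return "discard"
    # Check 2: a timestamp outside the threshold falls back to challenge-response.
    if abs(server_now - timestamp) > THRESHOLD:
        return "challenge"
    # Check 3: recompute the response from the built-in password.
    username = str(msg.get("username", ""))
    password = USER_DB.get(username)
    if password is None:
        return "discard"
    expected = compute_response(nonce, username, password, str(msg.get("realm", "")), key)
    return "ok" if _same(expected, str(msg.get("response", ""))) else "discard"
```

A message resent within the threshold passes the same three checks again, so in this flow the threshold is the only bound on retransmission.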
In summary, the embodiments of the present application provide a digest authentication method and a digest authentication system. When performing digest authentication according to the digest authentication method, the client only needs to send a single message to the server, which reduces the number of requests sent to the server and thereby reduces the load placed on the server by multiple client requests during digest authentication.
In addition, the client uses a timestamp corresponding to the current time of the client as a random number, and determines an encryption key according to the timestamp and a preset rule so as to ensure the encryption characteristic of the message sent to the server. The password of the user appears in the message only in the form of a response parameter, so that the risk of information leakage caused by message leakage in the transmission process is avoided.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention.

Claims (10)

  1. The digest authentication method is applied to a communication system, wherein the communication system comprises a client and a server, and the digest authentication method comprises the following steps:
    taking a timestamp corresponding to the current time of the client as a random number, and determining an encryption key from an initial key built in the client according to the timestamp and a preset rule;
    calculating a random signature through a preset encryption algorithm according to the random number and the encryption key;
    calculating response parameters according to the random number, the encryption key and the access parameters;
    generating a message according to the response parameter, the random number, the random signature and the preset encryption algorithm, and sending the message to the server so that the server performs digest verification on the client according to the message;
    the initial passwords built in the server and the client are the same.
  2. The method of claim 1, wherein computing response parameters from the random number, encryption key, and access parameters comprises:
    and calculating response parameters according to the random number, the encryption key and the access parameters by utilizing a secure hash algorithm.
  3. The method of claim 1, wherein the server performing digest verification on the client according to the packet comprises:
    the server determines a verification key from a built-in initial key according to a preset rule according to a timestamp corresponding to the random number, and calculates a verification signature according to the random number and the verification key by using the preset encryption algorithm;
    and judging whether the verification signature and the random signature are consistent; if so, the client passes the verification, and if not, discarding the message.
  4. The method of claim 1, wherein the server performing digest verification on the client according to the packet comprises:
    the server determines a verification key from a built-in initial key according to a preset rule according to a timestamp corresponding to the random number, and calculates a verification signature according to the random number and the verification key by using the preset encryption algorithm;
    judging whether the verification signature and the random signature are consistent, if not, discarding the message;
    if not, the server inquires a built-in password which is preset in the server and corresponds to the user name in a preset database according to the user name, and calculates a verification parameter according to the user name, the domain name, the built-in password, the random number and an encryption key in the access parameter, and when the verification parameter is consistent with the response parameter, the client passes the verification;
    and the preset database stores the corresponding relation between the user name and the built-in password.
  5. The method of claim 4, wherein the preset threshold value ranges from 30s to 90s, inclusive.
  6. The digest authentication system is applied to a communication system, wherein the communication system includes a client and a server, and the digest authentication system includes:
    the random number determining module is used for taking a timestamp corresponding to the current time of the client as a random number and determining an encryption key from an initial key built in the client according to the timestamp and a preset rule;
    the signature calculation module is used for calculating a random signature through a preset encryption algorithm according to the random number and the encryption key;
    the response parameter calculation module is used for calculating response parameters according to the random number, the encryption key and the access parameters;
    the message generation module is used for generating a message according to the response parameter, the random number, the random signature and the preset encryption algorithm and sending the message to the server so that the server performs digest verification on the client according to the message;
    the initial passwords built in the server and the client are the same.
  7. The system according to claim 6, wherein the response parameter calculating module calculates the response parameter according to the random number, the encryption key and the access parameter by a specific process comprising:
    and calculating response parameters according to the random number, the encryption key and the access parameters by utilizing a secure hash algorithm.
  8. The system according to claim 6, wherein the specific process of the server performing digest verification on the client according to the packet includes:
    the server determines a verification key from a built-in initial key according to a preset rule according to a timestamp corresponding to the random number, and calculates a verification signature according to the random number and the verification key by using the preset encryption algorithm;
    and judging whether the verification signature and the random signature are consistent; if so, the client passes the verification, and if not, discarding the message.
  9. The system according to claim 6, wherein the specific process of the server performing digest verification on the client according to the packet includes:
    the server determines a verification key from a built-in initial key according to a preset rule according to a timestamp corresponding to the random number, and calculates a verification signature according to the random number and the verification key by using the preset encryption algorithm;
    judging whether the verification signature and the random signature are consistent, if not, discarding the message;
    if not, the server inquires a built-in password which is preset in the server and corresponds to the user name in a preset database according to the user name, calculates verification parameters according to the user name, the domain name, the built-in password, the random number and the encryption key in the access parameters, and if the verification parameters are consistent with the response parameters, the client passes the verification;
    and the preset database stores the corresponding relation between the user name and the built-in password.
  10. The system of claim 9, wherein the preset threshold value ranges from 30s to 90s, inclusive.
CN201710935972.3A 2017-10-10 2017-10-10 digest authentication method and digest authentication system Active CN107454115B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710935972.3A CN107454115B (en) 2017-10-10 2017-10-10 digest authentication method and digest authentication system

Publications (2)

Publication Number Publication Date
CN107454115A CN107454115A (en) 2017-12-08
CN107454115B true CN107454115B (en) 2020-01-31

Family

ID=60498661

Country Status (1)

Country Link
CN (1) CN107454115B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant