CN113630238B - User request permission method and device based on password confusion - Google Patents

Info

Publication number: CN113630238B
Authority: CN (China)
Prior art keywords: password, user, salt, hash value, hash
Legal status: Active
Application number: CN202110927400.7A
Other languages: Chinese (zh)
Other versions: CN113630238A (en)
Inventors: 廖俊宇, 孔永锋, 林芝峰, 姚泽雄
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)

Events: application filed by Industrial and Commercial Bank of China Ltd (ICBC); priority to CN202110927400.7A; publication of CN113630238A; application granted; publication of CN113630238B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q 40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The user request permission method and device based on password confusion (password obfuscation) can be used in the technical field of finance. They combine a hash function with a sound salting scheme to obfuscate the password, so that the method and device resist impersonation, eavesdropping, replay attacks and dictionary attacks after a database leak, never expose the password plaintext at any stage, and make brute-force exhaustion and reversal of the password plaintext computationally infeasible, thereby protecting the security of a user logging in to an account through a web page to the greatest extent.

Description

User request permission method and device based on password confusion
Technical Field
The invention relates to the technical field of internet finance, in particular to a user request permission method and device based on password confusion.
Background
A web-based user login authentication system uses cryptography and network security techniques to obfuscate and hash sensitive information such as user passwords during network transmission and back-end processing, and to store the result persistently in a database, when a user registers or logs in to an account. The aim is to pass the user's password through system authentication while, as far as possible, preventing it from being disclosed, cracked or tampered with. In practice, however, various vulnerabilities occur to a greater or lesser degree, such as hashing the password without a salt, using a hash function for which collisions have been found, or transmitting the plaintext password to the back end; each of these introduces risk of varying degree and reduces the security of user accounts.
Disclosure of Invention
In the prior art, when a user registers or logs in to an account, sensitive information such as the user password is obfuscated and hashed during network transmission and back-end processing and stored persistently in a database, so that the password passes system authentication while, as far as possible, not being disclosed, cracked or tampered with. In practice, however, various vulnerabilities occur, such as hashing the password without a salt, using a hash function with known collisions, or transmitting the plaintext password to the back end; these create risks of varying degree and reduce the security of user accounts.
To solve these technical problems, the invention provides the following technical scheme.
An embodiment of a first aspect of the present invention provides a method for permitting a user request based on password obfuscation, including:
acquiring the password entered by the user and the user request, and retrieving from a database the first salt value and the preset hash value data corresponding to the user; the preset hash value data is obtained by concatenating the first salt value with the set password and applying a hash function; a salt value is a random value of finite length;
processing the first salt value and the password in the same way the preset hash value data was generated, to produce hash value data;
and comparing the hash value data with the preset hash value data, and permitting the user request if they match.
In a preferred embodiment, generating the preset hash value data includes:
the system generates a first salt value, a second salt value corresponding to the first salt value, and an iteration count;
concatenating the set password and the first salt value to produce a first combined string;
hashing the first combined string to obtain the corresponding hash value;
concatenating the second salt value and the first combined string to produce a second combined string;
and generating the preset hash value data from the second combined string and the iteration count.
In a preferred embodiment, generating the preset hash value data from the second combined string and the iteration count includes:
performing an iterative operation comprising: hashing the second combined string to obtain the corresponding hash value; and combining that hash value with the second salt value to produce an updated second combined string;
and repeating the iterative operation until the number of times it has been executed reaches the iteration count.
In a preferred embodiment, processing the first salt value and the password in the same way as the preset hash value data, to produce hash value data, includes:
the system generates a first salt value, a second salt value corresponding to the first salt value, and an iteration count;
concatenating the password and the first salt value to produce a combined string;
hashing the combined string to obtain the corresponding hash value;
concatenating the second salt value and the combined string to produce another combined string;
and generating the corresponding hash value data from the other combined string and the iteration count.
In a preferred embodiment, the method further comprises:
after a user registers an account, randomly generating a first salt value in one-to-one correspondence with that user.
In a preferred embodiment, the method further comprises:
after the user registers the account, randomly generating a first salt value, a second salt value and an iteration count in one-to-one correspondence with that user.
An embodiment of a second aspect of the present invention provides a user request permission apparatus based on password obfuscation, including:
an acquisition module, which acquires the password entered by the user and the user request, and retrieves from the database the first salt value and the preset hash value data corresponding to the user; the preset hash value data is obtained by concatenating the first salt value with the set password and applying a hash function; a salt value is a random value of finite length;
a hash value data generation module, which processes the first salt value and the password in the same way the preset hash value data was generated, to produce hash value data;
and a comparison module, which compares the hash value data with the preset hash value data and permits the user request if they match.
In a preferred embodiment, generating the preset hash value data includes:
the system generates a first salt value, a second salt value corresponding to the first salt value, and an iteration count;
concatenating the set password and the first salt value to produce a first combined string;
hashing the first combined string to obtain the corresponding hash value;
concatenating the second salt value and the first combined string to produce a second combined string;
and generating the preset hash value data from the second combined string and the iteration count.
In a preferred embodiment, generating the preset hash value data from the second combined string and the iteration count includes:
performing an iterative operation comprising: hashing the second combined string to obtain the corresponding hash value; and combining that hash value with the second salt value to produce an updated second combined string;
and repeating the iterative operation until the number of times it has been executed reaches the iteration count.
In a preferred embodiment, the hash value data generation module includes:
a first concatenation unit, which concatenates the password and the first salt value to produce a combined string;
a first hash processing unit, which hashes the combined string to obtain the corresponding hash value;
a generation unit, by which the system generates a first salt value, a second salt value corresponding to the first salt value, and an iteration count;
a second concatenation unit, which concatenates the second salt value and the combined string to produce another combined string;
and an iteration unit, which generates the corresponding hash value data from the other combined string and the iteration count.
In a preferred embodiment, the apparatus further comprises:
a random generation unit, which randomly generates a first salt value in one-to-one correspondence with each user after the user registers an account.
In a preferred embodiment, the apparatus further comprises:
a random generation unit, which randomly generates a first salt value, a second salt value and an iteration count in one-to-one correspondence with the user after the user registers the account.
In a third aspect, the present invention provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the password-obfuscation-based user request permission method when executing the program.
In a fourth aspect, the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the password-obfuscation-based user request permission method.
As can be seen from the above technical scheme, the present invention provides a method and apparatus for permitting a user request based on password obfuscation. First, the password entered by the user and the user request are obtained, and the first salt value and the preset hash value data corresponding to the user are retrieved from the database; the preset hash value data is obtained by concatenating the first salt value with the set password and applying a hash function, the salt value being a random value of finite length. The first salt value and the password are then processed in the same way the preset hash value data was generated, to produce hash value data. Finally, the hash value data is compared with the preset hash value data, and if they match the user request is permitted. The invention thus combines a hash function with a sound salting scheme, so that it resists impersonation, eavesdropping, replay attacks and dictionary attacks after a database leak, never exposes the password plaintext at any stage, and makes brute-force exhaustion and reversal of the password plaintext computationally infeasible; it protects the security of a user logging in to an account through a web page to the greatest extent, improves the speed of processing transaction data, increases data throughput and reduces user waiting time.
Drawings
To illustrate the embodiments of the present invention or the prior-art technical solutions more clearly, the drawings required for the embodiments or for the description of the prior art are briefly described below. Evidently, the drawings described below show some embodiments of the present invention, and a person skilled in the art could obtain other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of the process by which a browser and a server successfully establish an SSL/TLS connection in an embodiment of the present invention.
Fig. 2 is a schematic diagram of a dictionary attack in an embodiment of the present invention.
Fig. 3 is a schematic diagram of the principle by which password salting resists dictionary and rainbow-table attacks in an embodiment of the present invention.
Fig. 4 is a schematic diagram of the password obfuscation and authentication process before and after a user logs in to a website in an embodiment of the invention.
Fig. 5 is a flowchart of a method for permitting a user request based on password obfuscation in an embodiment of the present invention.
Fig. 6 is a schematic diagram of a user request permission device based on password obfuscation in an embodiment of the present invention.
Fig. 7 is a schematic structural diagram of an electronic device in an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently some, but not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can obtain from these embodiments without inventive effort fall within the scope of the invention.
It should be noted that the method and device for permitting a user request based on password obfuscation disclosed by the invention can be used in the financial field and in any field other than finance; the application field of the disclosed method and device is not limited.
In the prior art, a web-based user login authentication system uses cryptography and network security techniques: when a user registers or logs in to an account, sensitive information such as the user password is obfuscated and hashed during network transmission and back-end processing and stored persistently in a database, so that the password passes system authentication while, as far as possible, not being disclosed, cracked or tampered with. In practice, however, various vulnerabilities occur to a greater or lesser degree, such as hashing the password without a salt, using a hash function for which collisions have been found, or transmitting the plaintext password to the back end; each introduces risk of varying degree and reduces user account security.
Addressing the vulnerabilities and problems of the prior art, the invention provides a user password obfuscation and authentication scheme for web-page login that improves the account security of users who log in through a web page. By making reasonable use of HTTPS, an asymmetric encryption algorithm, a hash function, salted obfuscation and verification-code login checks, the scheme resists impersonation, eavesdropping, replay attacks and dictionary attacks after a database leak, never exposes the password plaintext at any stage, and makes brute-force exhaustion and reversal of the password plaintext computationally infeasible, thereby protecting the security of the user's web-page login account to the greatest extent.
In one or more embodiments, the invention provides a method and device for permitting a user request based on password obfuscation, which specifically comprise the following steps: acquiring the password entered by the user and the user request, and retrieving from a database the first salt value and the preset hash value data corresponding to the user, where the preset hash value data is obtained by concatenating the first salt value with the set password and applying a hash function, and the salt value is a random value of finite length; processing the first salt value and the password in the same way the preset hash value data was generated, to produce hash value data; and comparing the hash value data with the preset hash value data, and permitting the user request if they match. The invention combines a hash function with a sound salting scheme, so that it resists impersonation, eavesdropping, replay attacks and dictionary attacks after a database leak, never exposes the password plaintext at any stage, and makes brute-force exhaustion and reversal of the password plaintext computationally infeasible; it protects the security of a user logging in to an account through a web page to the greatest extent, improves the speed of processing transaction data, increases data throughput and reduces user waiting time.
It will be appreciated that the password-obfuscation-based user request permission apparatus of the present invention may be a server or a mobile terminal, and may include, for example, a smartphone, a tablet, a portable computer, a desktop computer, a personal digital assistant (PDA) or a smart wearable device. Smart wearable devices may include smart glasses, smart watches, smart bracelets and the like.
The password-obfuscation-based user request permission device is provided with a communication module that can connect to a user terminal to exchange data with it.
The above-described password-obfuscation-based user request permission apparatus and the user terminal may communicate using any suitable network protocol, including protocols not yet developed on the filing date of the present invention. The network protocols may include, for example, TCP/IP, UDP/IP, HTTP and HTTPS. Of course, they may also include protocols used above these, for example RPC (Remote Procedure Call) and REST (Representational State Transfer).
The invention provides a user request permission method and device based on password obfuscation, in which the password is obfuscated by a sound salting scheme combined with a hash function, so that the method and device resist impersonation, eavesdropping, replay attacks and dictionary attacks after a database leak, never expose the password plaintext at any stage, and make brute-force exhaustion and reversal of the password plaintext computationally infeasible; the security of a user logging in to an account through a web page is ensured to the greatest extent, the speed of processing transaction data is improved, data throughput is increased, and user waiting time is reduced.
The following embodiments and application examples are described in detail.
In the prior art, when a user registers or logs in to an account, sensitive information such as the user password is obfuscated and hashed during network transmission and back-end processing and stored persistently in a database, so that the password passes system authentication while, as far as possible, not being disclosed, cracked or tampered with. In practice, however, vulnerabilities occur to a greater or lesser degree, such as hashing the password without a salt, using a hash function with known collisions, or transmitting the plaintext password to the back end; these create risks of varying degree and reduce the security of user accounts. To solve this problem, the present invention provides an embodiment of a method for permitting a user request based on password obfuscation, which specifically includes the following steps:
Step S101: acquire the password entered by the user and the user request, and retrieve from a database the first salt value and the preset hash value data corresponding to the user; the preset hash value data is obtained by concatenating the first salt value with the set password and applying a hash function; a salt value is a random value of finite length.
In the invention, requirements analysis is an essential link in software development, and the requirements scheme is mainly used to define the scenarios, flows and so on of the service. Analysis and understanding of the requirements document is critical for the developer: unclear requirements lead to code modification and even rewriting, and as business logic grows more complex the need to diagram the flow of the requirements document becomes more urgent.
Step S102: process the first salt value and the password in the same way the preset hash value data was generated, to produce hash value data.
Step S103: compare the hash value data with the preset hash value data, and permit the user request if they match.
According to this technical scheme, the password-obfuscation-based user request permission method provided by the invention combines a hash function with a sound salting scheme to obfuscate the password, so that it resists impersonation, eavesdropping, replay attacks and dictionary attacks after a database leak, never exposes the password plaintext at any stage, and makes brute-force exhaustion and reversal of the password plaintext computationally infeasible, ensuring the security of a user logging in to an account through a web page to the greatest extent.
To give the operational flow of the step that generates the preset hash value data, in one or more embodiments of the present invention that step includes:
S201: the system generates a first salt value, a second salt value corresponding to the first salt value, and an iteration count.
S202: hash the first combined string to obtain the corresponding hash value.
S203: concatenate the set password and the first salt value to produce the first combined string.
S204: concatenate the second salt value and the first combined string to produce a second combined string.
S205: generate the preset hash value data from the second combined string and the iteration count.
In the above embodiment, generating the preset hash value data from the second combined string and the iteration count includes:
performing an iterative operation comprising: hashing the second combined string to obtain the corresponding hash value; and combining that hash value with the second salt value to produce an updated second combined string;
and repeating the iterative operation until the number of times it has been executed reaches the iteration count.
Correspondingly, processing the first salt value and the password in the same way the preset hash value data was generated, to produce hash value data, comprises the following steps:
the system generates a first salt value, a second salt value corresponding to the first salt value, and an iteration count;
concatenating the password and the first salt value to produce a combined string;
hashing the combined string to obtain the corresponding hash value;
concatenating the second salt value and the combined string to produce another combined string;
and generating the corresponding hash value data from the other combined string and the iteration count.
The above embodiment further comprises:
after a user registers an account, randomly generating a first salt value in one-to-one correspondence with that user.
Embodiments of the present invention that use the second salt value further comprise:
after the user registers the account, randomly generating a first salt value, a second salt value and an iteration count in one-to-one correspondence with that user.
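As an added example (not code from the patent or from ICBC), the following Python implements the registration and verification flow described in the claims and in steps S101 to S205: the front end hashes the password concatenated with the first salt, and the back end repeatedly prepends the second salt and rehashes for the per-user iteration count, then compares against the stored preset hash. It assumes SHA-256 as the hash function, 16-byte random salts, and that the value carried into the server-side iteration is the hash of the first combined string (the text says "first combined string"; treating it as that string's hash is this example's assumption); the record layout and iteration range are also assumed.

```python
"""Two-salt, iterated password hashing in the style of the patent's claims.

Added example, not the patent's or ICBC's code. Assumptions: SHA-256 as the
hash function, 16-byte random salts, a per-user random iteration count, and
that the value carried into the server-side iteration is the front-end hash
of (password || salt1).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StoredCredential:
    """Per-user record: both salts, the iteration count and the preset hash."""
    salt1: bytes      # first salt: handed to the browser so it can hash client-side
    salt2: bytes      # second salt: never leaves the server
    iterations: int   # per-user iteration count chosen at registration
    digest: bytes     # "preset hash value data" compared at login


def sha256_once(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def front_end_hash(password: str, salt1: bytes) -> bytes:
    """Browser side (S202/S203): first combined string = password || salt1, hashed once.

    Only this value is transmitted; the plaintext password never leaves the client.
    """
    return sha256_once(password.encode("utf-8") + salt1)


def back_end_hash(first_hash: bytes, salt2: bytes, iterations: int) -> bytes:
    """Server side (S204/S205): prepend salt2 and rehash, `iterations` times."""
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    h = first_hash
    for _ in range(iterations):
        h = sha256_once(salt2 + h)   # second combined string = salt2 || previous hash
    return h


def register(password: str, iterations: Optional[int] = None) -> StoredCredential:
    """S201: generate salt1, salt2 and the iteration count, then the preset hash."""
    salt1 = secrets.token_bytes(16)
    salt2 = secrets.token_bytes(16)
    if iterations is None:
        # constructed range for illustration; the text only says it is random per user
        iterations = 20_000 + secrets.randbelow(10_000)
    digest = back_end_hash(front_end_hash(password, salt1), salt2, iterations)
    return StoredCredential(salt1, salt2, iterations, digest)


def verify(cred: StoredCredential, submitted_first_hash: bytes) -> bool:
    """S101-S103: recompute with the stored salts and count, compare in constant time."""
    if len(submitted_first_hash) != hashlib.sha256().digest_size:
        return False
    candidate = back_end_hash(submitted_first_hash, cred.salt2, cred.iterations)
    return hmac.compare_digest(candidate, cred.digest)


if __name__ == "__main__":
    # constructed demo: register, then log in with the right and a wrong password
    cred = register("correct-horse-battery")
    # at login the browser fetches salt1 for the user, hashes, and sends only the hash
    assert verify(cred, front_end_hash("correct-horse-battery", cred.salt1))
    assert not verify(cred, front_end_hash("wrong-password", cred.salt1))
    print("salt1", cred.salt1.hex(), "iterations", cred.iterations, "ok")
```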
The following description is made in connection with specific examples.
In a specific embodiment of the invention, the scheme ensures that the user's sensitive information is transmitted over a secure channel during registration or login by establishing an HTTPS connection, performs salted hashing of the password plaintext at the front end, and performs repeated iterative salting and hashing of the transmitted hash value at the back end. The specific embodiments are described in detail with reference to the accompanying drawings.
For security reasons, the asymmetric encryption algorithm used in the scheme is RSA with a key length of 2048 bits or more, and the symmetric encryption algorithm is AES with a key length of 256 bits or more. The hash function must not be one for which collisions have been found, such as MD4/5 or SHA-1/2; SHA-256/512 should be selected.
Fig. 1 shows the process of successfully establishing an SSL/TLS connection. The process uses cryptographic and network security techniques including symmetric/asymmetric encryption algorithms, hash functions and digital signatures. HTTPS is in fact HTTP with an SSL (Secure Sockets Layer) or TLS (Transport Layer Security) layer inserted between TCP and HTTP to encrypt and decrypt the transported data.
First, the server generates an RSA public/private key pair S.pub and S.pri with a key length of 2048 bits, and hands the public key S.pub, the domain name and other information to a third-party certificate authority (CA). After the information is verified, the CA uses a hash function to generate a signature for S.pub, encrypts the signature information with the CA's private key C.pri, and generates a certificate that is sent back to the organization owning the server, which deploys it. When a user accesses a web page, the SSL/TLS handshake starts after the TCP connection is established. The first step is client_hello: the browser generates a random number R_c and sends the SSL/TLS versions it supports, its cipher suite family and R_c to the server. Next is server_hello: the server generates a random number R_s and selects one SSL/TLS version and cipher suite from those offered in client_hello as the scheme for the rest of the connection; for example, selecting "TLS_RSA_WITH_AES_256_CBC_SHA256" means:
TLS protocol, with RSA as the asymmetric key exchange algorithm;
AES symmetric encryption with a 256-bit key for encrypting and decrypting the transmitted information;
SHA-256 hash function for verifying data integrity.
R_s, the TLS version and the cipher suite are then sent to the browser. The certificate verification step follows: the server sends its certificate to the browser; the browser decrypts the signature information with the public key C.pub from its built-in CA root certificate, hashes the attached server public key S.pub with the same hash function used for the certificate, and compares the result with the decrypted signature; at the same time it verifies the certificate chain, the issuing organization, the validity period, whether the target domain name matches the certificate's domain name, and so on, to establish the validity of the certificate. This step is very important: the user must obtain the browser through official channels and must not use a modified version, because otherwise the browser's built-in root certificates may have been tampered with and a man-in-the-middle could use a forged certificate to eavesdrop on, tamper with and replay the transmitted information, compromising the user's information security. After the certificate is validated, the key exchange step is performed. The browser generates a new random number Pre-master and, together with the random numbers R_c and R_s, derives the symmetric key for symmetric encryption by an agreed calculation, enc_key = func(R_c, R_s, Pre-master). It then encrypts the Pre-master with the server's public key S.pub, processes the handshake information with the agreed hash function, symmetrically encrypts the handshake information with the enc_key obtained above, and sends it to the server.
On receipt, the server decrypts the Pre-master with its private key S.pri, computes the same symmetric key enc_key by the same method, and uses it to decrypt the browser's handshake information to verify the correctness of the key. It then hashes the handshake information with the same hash function and compares whether the two handshake values are identical. If they are consistent, the handshake is complete, and both the browser and the server encrypt and decrypt everything they send and receive with the same symmetric key, achieving information exchange that resists eavesdropping, tampering and replay attacks.
After an HTTPS connection is established, a user can securely transmit sensitive information over an insecure network without fear of third parties in the network eavesdropping, tampering with the information, or replaying sensitive operations. Securing the transmission, however, is not enough: the user password also needs a series of processing steps to improve the security of the user's account. The user password must never be kept in the back-end database in the clear; once the database is compromised, the user's account on that website is threatened, and any account using the same username and password on other websites is effectively compromised as well. Based on this consideration, a solution was developed in which the password is processed with a one-way hash function and the resulting hash value is stored in the database. If an attacker breaks into the website database, the password plaintext cannot be recovered directly from the hash value, but it can still be cracked by dictionary attack. A schematic diagram of the principle of the "dictionary attack" is shown in fig. 2. The principle is that an attacker collects as many common user passwords as possible, such as common word combinations, simple characters, numbers, or concatenations of these, processes them with public hash functions such as MD4/5, SHA-1/2/128 and the like, and stores the resulting hash values in a table to obtain a dictionary of common passwords. Compared with brute-force exhaustion, a dictionary attack saves a great deal of time and can crack most simple passwords that are protected only by a hash function. There is also the "rainbow table", an improvement on dictionary attacks based on hash chain sets, which has lower time complexity when cracking.
To counter this type of attack, a solution was created in which a "salt" is added to the password before hashing; the user password obfuscation and authentication scheme of this invention is based on it.
The salted password authentication scheme works as follows. When a user registers, the website server generates a random value of 8-16 characters or longer as the salt, concatenates it with the password plaintext Password, and processes the concatenation with a one-way hash function; the resulting hash value P_H is stored in the database together with the salt as the credential for password authentication. Each time the user logs in to the website, the salt corresponding to that user is obtained from the database, the hash value is computed with the same concatenation rule and hash function, and the result is compared with the hash value P_H stored in the database; if they match, the user's password is considered correct and the login succeeds. When the password is changed, a new salt is generated, the same processing is performed, and the new salt and password hash value are updated in the database.
Database storage examples:
account number/user name    Password                                     Salt
XXX                         P_H                                          salt
xxx@XX.com                  I61c11b3642a079e9a117f9efcd4d4692a9a262a8    U1pm93br
P_H = Hash(Password + salt)
Fig. 3 is a schematic diagram of the principle by which password salting resists dictionary attacks and rainbow table attacks. Assume the number of common password combinations is n; the number of records in a dictionary or rainbow table built from the hash function alone is also n. If the website has m users, the user passwords are salted and then hashed, and every user's salt is different, then the dictionary/rainbow table the attacker previously built on the bare hash function becomes completely useless. After an attacker breaks into the database and obtains all data in the user table, because there are m different salts, a dictionary/rainbow table with n records has to be rebuilt for each user and cannot be reused, so the time and storage cost of cracking user passwords increases greatly.
The password obfuscation and authentication logic of this scheme is similar to the salted concatenation described above, in which a hash value is computed with a hash function and then compared. On the premise that information transmission is secure, when a user registers an account on the website, a 16-character random value salt_f is generated first and sent to the front end. A check rule is set; for example, passwords shorter than 8 characters, purely numeric, or consisting of a pure English word are forbidden. After the front-end form check passes, salt_f sent by the server back end is concatenated with the password plaintext P that meets the requirements, and the hash value Ph_f of the concatenation is computed with a hash function. Ph_f and the front-end salt salt_f are sent to the server together with the related information; the server stores salt_f in the database and performs back-end password obfuscation on Ph_f. The user's plaintext password is never transmitted to the back end, which reduces the risk that the real password leaks through logs that maliciously record user passwords. For the back end, the hash value Ph_f produced by the front end can be regarded as the user's password.
Database storage examples:
Ph_f = Hash(P + salt_f)
When the back end performs password obfuscation, a random value salt_b of 256 bits or more is generated as the salt for back-end concatenation and obfuscation, and the concept of an iteration number is introduced. When the password obfuscation and authentication scheme is designed, an iteration coefficient r for the hash computation is set; r is an exponent with base 2, so the final iteration number is n = 2^r. The range of r is 3-16, with a default of 10. An iteration number of n means that the password undergoes n rounds of salting followed by hash computation, and the final hash value Ph_b is stored in the database as the password authentication credential. The steps of the iterated salted hashing are as follows:
P_1 = Hash(Ph_f + salt_b)
P_2 = Hash(P_1 + salt_b)
P_3 = Hash(P_2 + salt_b)
......
Ph_b = Hash(P_{n-1} + salt_b)
where n = 2^r
The password obfuscation and authentication process before and after the user logs in to the website is shown in fig. 4. When a user logs in, the front-end salt salt_f corresponding to the user is obtained from the database, the hash value Ph_f is computed with the same concatenation rule and hash function and sent to the back end over the HTTPS connection; the back end obtains salt_b and the iteration coefficient r from the database, performs 2^r rounds of salted hashing, and finally compares the resulting hash value with the Ph_b stored in the database. If they match, the user's password is considered correct and the login succeeds. When the password is changed, a new salt is generated and processed with the same logic, and the new salt and password hash value are updated in the database.
The multiple rounds of salted hashing are designed so that the time and hardware resources consumed by a single login authentication are kept as small as possible. Compared with a single hash computation, when the iteration coefficient is 10, i.e. 1024 iteration loops are required, the time spent on the hash operation increases by three orders of magnitude, yet a user login still takes only hundreds of milliseconds and the user experience is not affected. But the time and economic cost (hardware resources, power) of a large-scale attack on a system using this password obfuscation and authentication scheme is not affordable for an attacker using brute force and rainbow tables. Therefore, institutions with very high requirements on user account security, such as banks and securities companies, are well suited to adopt this scheme as their user password obfuscation and authentication method.
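The registration and login flow described above (front-end Ph_f = Hash(P + salt_f), then 2^r rounds of Hash(x + salt_b) on the back end, compared against the stored Ph_b), as an added Python example that is not part of the patent. SHA-256 as the hash function, the 16-character salt_f, the 256-bit salt_b and r in 3..16 with default 10 follow the text; the function and field names, the policy check's reading of "pure English word" as purely alphabetic, and the sample credentials are this example's own.

```python
"""Added example (not the patent's own code): front-end salted hash plus
back-end iterated salted hash for registration and login."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

SALT_F_LEN = 16                       # front-end salt: 16 characters
SALT_B_BYTES = 32                     # back-end salt: 256 bits
R_MIN, R_MAX, R_DEFAULT = 3, 16, 10   # iteration coefficient r, n = 2**r


def hash_hex(s: str) -> str:
    """Hash(x): SHA-256 of the concatenated string, as lowercase hex."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def check_password_policy(password: str) -> bool:
    """Front-end form check: reject passwords shorter than 8 characters,
    purely numeric, or purely alphabetic (this example's reading of the
    'pure English word' rule)."""
    if len(password) < 8:
        return False
    if password.isdigit() or password.isalpha():
        return False
    return True


def front_end_hash(password: str, salt_f: str) -> str:
    """Ph_f = Hash(P + salt_f), computed in the browser before transmission,
    so the plaintext password never reaches the back end."""
    return hash_hex(password + salt_f)


def iterated_salted_hash(ph_f: str, salt_b: str, r: int) -> str:
    """Back-end loop: P_1 = Hash(Ph_f + salt_b), P_i = Hash(P_{i-1} + salt_b),
    Ph_b = P_n with n = 2**r."""
    if not R_MIN <= r <= R_MAX:
        raise ValueError("iteration coefficient r must be in 3..16")
    value = ph_f
    for _ in range(2 ** r):
        value = hash_hex(value + salt_b)
    return value


@dataclass
class CredentialRecord:
    """What the database stores for one user: salts, r and Ph_b only
    (neither the plaintext nor Ph_f is persisted)."""
    username: str
    salt_f: str
    salt_b: str
    r: int
    ph_b: str


def new_salt_f() -> str:
    """16-character random front-end salt, issued by the server."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(SALT_F_LEN))


def register(username: str, password: str, r: int = R_DEFAULT) -> CredentialRecord:
    """Registration: server issues salt_f, browser returns Ph_f, server
    generates salt_b and r, and stores Ph_b with the two salts."""
    if not check_password_policy(password):
        raise ValueError("password rejected by front-end check rule")
    salt_f = new_salt_f()
    ph_f = front_end_hash(password, salt_f)        # browser side
    salt_b = secrets.token_hex(SALT_B_BYTES)       # server side, 256 bits
    ph_b = iterated_salted_hash(ph_f, salt_b, r)
    return CredentialRecord(username, salt_f, salt_b, r, ph_b)


def login(record: CredentialRecord, password: str) -> bool:
    """Login: browser recomputes Ph_f with the user's stored salt_f, back end
    repeats the 2**r rounds with salt_b and compares in constant time."""
    ph_f = front_end_hash(password, record.salt_f)
    candidate = iterated_salted_hash(ph_f, record.salt_b, record.r)
    return hmac.compare_digest(candidate, record.ph_b)


if __name__ == "__main__":
    # Constructed sample credentials, not real data.
    rec = register("alice@example.com", "Correct-Horse-42")
    print("stored Ph_b:", rec.ph_b, "rounds:", 2 ** rec.r)
    print("login ok:", login(rec, "Correct-Horse-42"))
    print("wrong password:", login(rec, "Correct-Horse-43"))
```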
The invention realizes a user password security confusion and authentication scheme through webpage login by comprehensively utilizing the symmetric/asymmetric encryption algorithm, the one-way hash function, HTTPS and other cryptography and computer network related technologies.
1. Anti-eavesdropping, anti-tampering, anti-replay: the scheme uses HTTPS as the network protocol for the connection; its SSL/TLS layer ensures that sensitive user information is transmitted over a secure channel and prevents user information from being leaked in an insecure network environment.
2. The password plaintext is never available in the whole process: the system first obfuscates the password plaintext at the front end with salted hashing and transmits the computed hash value to the back end for subsequent authentication, preventing the security risk of logs maliciously recording passwords.
3. Cracking the password plaintext is not cost-effective: the back end performs repeated iterative salted hash computation on the password hash value again, so that, without a noticeable increase in the time of a single user login, the computational cost of brute-force exhaustion and rainbow table attacks increases greatly and the attack becomes infeasible when benefit is weighed against cost.
In the prior art, when a user registers and logs in to an account, sensitive information such as the user password is obfuscated and hashed during network transmission and background processing and persistently stored in a database, so that the user password passes system authentication while being, as far as possible, neither leaked, cracked nor tampered with. In practice, however, various vulnerabilities may occur, such as hashing the password without salt, using a hash function for which collisions have been found, or transmitting the plaintext password to the background process, which create different degrees of risk and reduce the security of the user account. To address this, one or more embodiments of the present invention provide an apparatus for user request licensing based on password confusion, as shown in fig. 6, including:
The acquisition module 11 acquires the password entered by the user and the user request, and retrieves the first salt value and preset hash value data corresponding to the user from a database; the preset hash value data is obtained by concatenating the first salt value and a set password and processing the result with a hash function; the salt value is a random value of finite length;
a hash value data generation module 12 for processing the first salt value and the password in the same generation manner as the hash value data to generate hash value data;
and a comparison module 13 for comparing the hash value data with the preset hash value data, and if the comparison is consistent, permitting the user request.
According to the above technical scheme, the user request permission device based on password confusion provided by the invention combines a hash function with a reasonable salting procedure to obfuscate the password, so that it has the characteristics of anti-spoofing, anti-eavesdropping, anti-replay, resistance to dictionary attack after database leakage, no availability of the password plaintext in the whole process, and infeasibility of brute-force exhaustion and reverse cracking of the password plaintext in terms of computational cost, and ensures the security of a user logging in to an account through a web page to the greatest extent.
In a preferred embodiment, the generating of the preset hash value data includes:
splicing the set password and the first salt value to generate a first combined character string;
carrying out hash processing on the first combined character string to obtain a corresponding hash value;
the system generates a first salt value, a second salt value corresponding to the first salt value and the iteration times;
splicing the second salt value and the first combined character string to generate a second combined character string;
and generating the preset hash value data according to the second combined character string and the iteration times.
In a preferred embodiment, the generating the preset hash value data according to the second combined string and the iteration number includes:
performing an iterative operation, the iterative operation comprising: carrying out hash processing on the second combined character string to obtain a corresponding hash value; combining the hash value and the second salt value to generate a second updated combined string;
and repeating the iterative operation until the number of times of currently executing the iterative operation reaches the iterative number.
In a preferred embodiment, the hash value data generation module includes:
the generation unit is used for generating a first salt value, a second salt value corresponding to the first salt value and the iteration times by the system;
The first splicing unit splices the password and the first salt value to generate a combined character string;
the first hash processing unit is used for carrying out hash processing on the combined character string to obtain a corresponding hash value;
the second splicing unit splices the second salt value and the combined character string to generate another combined character string;
and the iteration unit generates corresponding hash value data according to the other combined character string and the iteration times.
In a preferred embodiment, further comprising:
and the random generation unit is used for randomly generating first salt values corresponding to the users one by one after the users register the accounts.
In a preferred embodiment, further comprising:
and the random generation unit is used for randomly generating a first salt value, a second salt value and the iteration times which are in one-to-one correspondence with the user after the user registers the account.
In the prior art, when a user registers and logs in to an account, sensitive information such as the user password is obfuscated and hashed during network transmission and background processing and persistently stored in a database, so that the user password passes system authentication while being, as far as possible, neither leaked, cracked nor tampered with. In practice, however, various vulnerabilities may occur, such as hashing the password without salt, using a hash function for which collisions have been found, or transmitting the plaintext password to the background process, which create different degrees of risk and reduce the security of the user account. To address this, the present invention provides an embodiment of an electronic device for implementing all or part of the password confusion-based user request licensing method, where the electronic device specifically includes:
Fig. 7 is a schematic block diagram of an apparatus configuration of an electronic device 9600 according to an embodiment of the present invention. As shown in fig. 7, the electronic device 9600 may include a central processor 9100 and a memory 9140; the memory 9140 is coupled to the central processor 9100. Notably, this fig. 7 is exemplary; other types of structures may also be used in addition to or in place of the structures to implement telecommunications functions or other functions.
In one embodiment, the password obfuscation-based user request licensing method functionality may be integrated into the central processor. Wherein the central processor may be configured to control:
step S101: acquiring a password and a user request input by a user, and calling first salt value and preset hash value data corresponding to the user from a database; the preset hash value data is obtained by performing hash function processing on the first salt value and a set password after splicing; the salt value is a random value of finite length.
Step S102: and processing the first salt value and the password according to the same generation mode as the hash value data to generate hash value data.
Step S103: and comparing the hash value data with the preset hash value data, and if the comparison is consistent, permitting the user request.
According to the above technical scheme, the electronic device provided by the invention combines a hash function with a reasonable salting procedure to obfuscate the password, so that it has the characteristics of anti-spoofing, anti-eavesdropping, anti-replay, resistance to dictionary attack after database leakage, no availability of the password plaintext in the whole flow, and infeasibility of brute-force exhaustion and reverse cracking of the password plaintext in terms of computational cost, and ensures the security of a user logging in to an account through a web page to the greatest extent.
In another embodiment, the server may be configured separately from the central processor 9100, for example, the server may be a chip connected to the central processor 9100, and the user request permission method function based on password confusion is implemented through control of the central processor.
As shown in fig. 7, the electronic device 9600 may further include: a communication module 9110, an input unit 9120, an audio processor 9130, a display 9160, and a power supply 9170. It is noted that the electronic device 9600 need not include all of the components shown in fig. 7; in addition, the electronic device 9600 may further include components not shown in fig. 7, and reference may be made to the related art.
As shown in fig. 7, the central processor 9100, sometimes referred to as a controller or operational control, may include a microprocessor or other processor device and/or logic device, which central processor 9100 receives inputs and controls the operation of the various components of the electronic device 9600.
The memory 9140 may be, for example, one or more of a buffer, a flash memory, a hard drive, a removable media, a volatile memory, a non-volatile memory, or other suitable device. The information about failure may be stored, and a program for executing the information may be stored. And the central processor 9100 can execute the program stored in the memory 9140 to realize information storage or processing, and the like.
The input unit 9120 provides input to the central processor 9100. The input unit 9120 is, for example, a key or a touch input device. The power supply 9170 is used to provide power to the electronic device 9600. The display 9160 is used for displaying display objects such as images and characters. The display may be, for example, but not limited to, an LCD display.
The memory 9140 may be a solid state memory such as Read Only Memory (ROM), Random Access Memory (RAM), SIM card, etc. It may also be a memory which holds information even when powered down, can be selectively erased and provided with further data, an example of which is sometimes referred to as EPROM or the like. The memory 9140 may also be some other type of device. The memory 9140 includes a buffer memory 9141 (sometimes referred to as a buffer). The memory 9140 may include an application/function storage portion 9142, the application/function storage portion 9142 storing application programs and function programs or a flow for executing operations of the electronic device 9600 by the central processor 9100.
The memory 9140 may also include a data store 9143, the data store 9143 for storing data, such as contacts, digital data, pictures, sounds, and/or any other data used by an electronic device. The driver storage portion 9144 of the memory 9140 may include various drivers of the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging applications, address book applications, etc.).
The communication module 9110 is a transmitter/receiver 9110 that transmits and receives signals via an antenna 9111. A communication module (transmitter/receiver) 9110 is coupled to the central processor 9100 to provide input signals and receive output signals, as in the case of conventional mobile communication terminals.
Based on different communication technologies, a plurality of communication modules 9110, such as a cellular network module, a bluetooth module, and/or a wireless local area network module, etc., may be provided in the same electronic device. The communication module (transmitter/receiver) 9110 is also coupled to a speaker 9131 and a microphone 9132 via an audio processor 9130 to provide audio output via the speaker 9131 and to receive audio input from the microphone 9132 to implement usual telecommunications functions. The audio processor 9130 can include any suitable buffers, decoders, amplifiers and so forth. In addition, the audio processor 9130 is also coupled to the central processor 9100 so that sound can be recorded locally through the microphone 9132 and sound stored locally can be played through the speaker 9131.
An embodiment of the present invention further provides a computer readable storage medium capable of implementing all steps in the password confusion-based user request permission method in the above embodiment, where the computer readable storage medium stores a computer program, and when the computer program is executed by a processor, the computer program implements all steps in the password confusion-based user request permission method in the above embodiment in which an execution subject is a server or a client, for example, the processor implements the following steps when executing the computer program:
step S101: acquiring a password and a user request input by a user, and calling first salt value and preset hash value data corresponding to the user from a database; the preset hash value data is obtained by performing hash function processing on the first salt value and a set password after splicing; the salt value is a random value of finite length.
In the invention, requirement analysis is an essential link in software development, and the requirement scheme mainly defines the scenarios, flows and so on of the service. Analysis and understanding of the requirement document is critical for the developer; unclear requirements lead to code modification or even rewriting, and as business logic complexity increases, the need to diagram the flows of the requirement document becomes more urgent.
Step S102: and processing the first salt value and the password according to the same generation mode as the hash value data to generate hash value data.
Step S103: and comparing the hash value data with the preset hash value data, and if the comparison is consistent, permitting the user request.
According to the above technical scheme, the computer storage medium provided by the invention combines a hash function with a reasonable salting procedure to obfuscate the password, so that it has the characteristics of anti-spoofing, anti-eavesdropping, anti-replay, resistance to dictionary attack after database leakage, no availability of the password plaintext in the whole process, and infeasibility of brute-force exhaustion and reverse cracking of the password plaintext in terms of computational cost, and ensures the security of a user logging in to an account through a web page to the greatest extent.
It will be apparent to those skilled in the art that embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principles and embodiments of the present invention have been described in detail with reference to specific examples, which are provided to facilitate understanding of the method and core ideas of the present invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present invention, the present description should not be construed as limiting the present invention in view of the above.

Claims (10)

1. A user request permission method based on password confusion, comprising:
acquiring a password and a user request input by a user, and retrieving a first salt value and preset hash value data corresponding to the user from a database; the preset hash value data having been obtained by splicing the first salt value and a set password and applying a hash function to the result; the salt value being a random value of finite length;
processing the first salt value and the password in the same generation mode as the preset hash value data to generate hash value data;
comparing the hash value data with the preset hash value data, and permitting the user request if they are consistent;
wherein the generating step of the preset hash value data comprises: the system generating a first salt value, a second salt value corresponding to the first salt value, and an iteration number; splicing the set password and the first salt value to generate a first combined character string; hashing the first combined character string to obtain a corresponding hash value; splicing the second salt value and the hash value of the first combined character string to generate a second combined character string; and generating the preset hash value data from the second combined character string and the iteration number;
wherein generating the preset hash value data from the second combined character string and the iteration number comprises:
performing an iterative operation comprising: hashing the second combined character string to obtain a corresponding hash value; and combining the hash value and the second salt value to generate an updated second combined character string;
repeating the iterative operation until the number of times the iterative operation has been executed reaches the iteration number;
wherein, before acquiring the password input by the user and the user request, the method further comprises:
sending a CA certificate to the front end corresponding to the user, so that the front end verifies the validity of the CA certificate;
receiving encrypted handshake information sent by the front end; the encrypted handshake information being obtained, after the front end has validated the CA certificate, by generating handshake information with an agreed hash function and encrypting the handshake information under an encryption algorithm scheme; the encryption algorithm scheme having been obtained in advance;
generating verification handshake information with the agreed hash function, decrypting the encrypted handshake information under the encryption algorithm scheme, and obtaining decrypted handshake information; and
if the verification handshake information is consistent with the decrypted handshake information, completing the handshake flow to establish an HTTPS connection.
2. The method of claim 1, wherein processing the first salt value and the password in the same generation mode as the preset hash value data to generate hash value data comprises:
the system generating the first salt value, the second salt value corresponding to the first salt value, and the iteration number;
splicing the password and the first salt value to generate a combined character string;
hashing the combined character string to obtain a corresponding hash value;
splicing the second salt value and the hash value of the combined character string to generate another combined character string; and
generating the corresponding hash value data from the other combined character string and the iteration number.
3. The user request permission method based on password confusion according to claim 2, further comprising:
randomly generating, after a user registers an account, a first salt value in one-to-one correspondence with the user.
4. The user request permission method based on password confusion according to claim 1, further comprising:
randomly generating, after the user registers an account, a first salt value, a second salt value and an iteration number in one-to-one correspondence with the user.
5. A user request permission apparatus based on password confusion, comprising:
an acquisition module, configured to acquire a password and a user request input by a user and to retrieve a first salt value and preset hash value data corresponding to the user from a database; the preset hash value data having been obtained by splicing the first salt value and a set password and applying a hash function to the result; the salt value being a random value of finite length;
a hash value data generation module, configured to process the first salt value and the password in the same generation mode as the preset hash value data to generate hash value data;
a comparison module, configured to compare the hash value data with the preset hash value data and to permit the user request if they are consistent;
wherein the generating step of the preset hash value data comprises:
the system generating a first salt value, a second salt value corresponding to the first salt value, and an iteration number;
splicing the set password and the first salt value to generate a first combined character string;
hashing the first combined character string to obtain a corresponding hash value;
splicing the second salt value and the hash value of the first combined character string to generate a second combined character string; and
generating the preset hash value data from the second combined character string and the iteration number;
wherein generating the preset hash value data from the second combined character string and the iteration number comprises:
performing an iterative operation comprising: hashing the second combined character string to obtain a corresponding hash value; and combining the hash value and the second salt value to generate an updated second combined character string;
repeating the iterative operation until the number of times the iterative operation has been executed reaches the iteration number;
wherein, before the password input by the user and the user request are acquired, the following operations are further performed:
sending a CA certificate to the front end corresponding to the user, so that the front end verifies the validity of the CA certificate;
receiving encrypted handshake information sent by the front end; the encrypted handshake information being obtained, after the front end has validated the CA certificate, by generating handshake information with an agreed hash function and encrypting the handshake information under an encryption algorithm scheme; the encryption algorithm scheme having been obtained in advance;
generating verification handshake information with the agreed hash function, decrypting the encrypted handshake information under the encryption algorithm scheme, and obtaining decrypted handshake information; and
if the verification handshake information is consistent with the decrypted handshake information, completing the handshake flow to establish an HTTPS connection.
6. The user request permission apparatus based on password confusion according to claim 5, wherein the hash value data generation module comprises:
a generation unit, configured for the system to generate the first salt value, the second salt value corresponding to the first salt value, and the iteration number;
a first splicing unit, configured to splice the password and the first salt value to generate a combined character string;
a first hash processing unit, configured to hash the combined character string to obtain a corresponding hash value;
a second splicing unit, configured to splice the second salt value and the hash value of the combined character string to generate another combined character string; and
an iteration unit, configured to generate the corresponding hash value data from the other combined character string and the iteration number.
7. The user request permission apparatus based on password confusion according to claim 6, further comprising:
a random generation unit, configured to randomly generate, after a user registers an account, a first salt value in one-to-one correspondence with the user.
8. The user request permission apparatus based on password confusion according to claim 4, further comprising:
a random generation unit, configured to randomly generate, after the user registers an account, a first salt value, a second salt value and an iteration number in one-to-one correspondence with the user.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 4 when executing the program.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the method of any of claims 1 to 4.
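The registration and verification flow of claims 1 to 4, written out as an added Python example; this is not code from the patent or its assignee. The claims fix the structure of the computation but not the hash function, the salt length, the iteration range or the byte encoding, so SHA-256, 16-byte salts, an iteration number drawn from a fixed range, and raw-byte concatenation in the order the claims list the parts are assumptions made here, as is taking the hash value of the final iteration as the stored preset hash value data. The PasswordRecord type and the function names are this example's own.

```python
"""Salted, iterated password hashing as described in claims 1 to 4 (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumptions not fixed by the claims: hash function, salt length and iteration range.
HASH = hashlib.sha256
SALT_LEN = 16
MIN_ITERATIONS, MAX_ITERATIONS = 100_000, 150_000


@dataclass(frozen=True)
class PasswordRecord:
    """What the database holds per user: both salts, the iteration number, the preset hash."""
    salt1: bytes
    salt2: bytes
    iterations: int
    preset_hash: bytes


def derive_hash(password: str, salt1: bytes, salt2: bytes, iterations: int) -> bytes:
    """The generation mode of claim 1, with the parts concatenated as raw bytes in claim order.

    1. first combined string  = password || salt1, hashed once;
    2. second combined string = salt2 || H(first combined string);
    3. iterate `iterations` times: h = H(combined); combined = h || salt2.
    The hash value of the final iteration is returned as the hash value data (assumption).
    """
    if iterations < 1:
        raise ValueError("iteration number must be positive")
    first_hash = HASH(password.encode("utf-8") + salt1).digest()
    combined = salt2 + first_hash
    digest = first_hash
    for _ in range(iterations):
        digest = HASH(combined).digest()
        combined = digest + salt2
    return digest


def register(password: str) -> PasswordRecord:
    """Claim 4: after registration, both salts and the iteration number are generated at random per user."""
    salt1 = secrets.token_bytes(SALT_LEN)
    salt2 = secrets.token_bytes(SALT_LEN)
    iterations = MIN_ITERATIONS + secrets.randbelow(MAX_ITERATIONS - MIN_ITERATIONS + 1)
    return PasswordRecord(salt1, salt2, iterations, derive_hash(password, salt1, salt2, iterations))


def permit_request(record: PasswordRecord, password_attempt: str) -> bool:
    """Claim 1 verification: recompute with the stored parameters and compare with the preset hash.

    hmac.compare_digest compares in constant time, so a mismatch does not reveal how many
    leading bytes of the attempt's hash were correct.
    """
    candidate = derive_hash(password_attempt, record.salt1, record.salt2, record.iterations)
    return hmac.compare_digest(candidate, record.preset_hash)


if __name__ == "__main__":
    # Constructed sample: register one user, then try a correct and a wrong password.
    record = register("correct horse battery staple")
    print("stored record:", record.iterations, "iterations,", record.preset_hash.hex())
    print("correct password permitted:", permit_request(record, "correct horse battery staple"))
    print("wrong password permitted:  ", permit_request(record, "correct horse battery stapl"))
```

Verification recomputes with the salts and iteration number stored at registration rather than generating fresh ones, which is what claim 1's retrieval from the database implies; the iteration number therefore has to be stored alongside the two salts. Two registrations of the same password produce different records because the salts differ, so equal passwords cannot be recognised by comparing stored hashes.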
CN202110927400.7A 2021-08-10 2021-08-10 User request permission method and device based on password confusion Active CN113630238B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110927400.7A CN113630238B (en) 2021-08-10 2021-08-10 User request permission method and device based on password confusion

Publications (2)

Publication Number Publication Date
CN113630238A CN113630238A (en) 2021-11-09
CN113630238B true CN113630238B (en) 2024-02-23

Family

ID=78385171

Country Status (1)

Country Link
CN (1) CN113630238B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115086008B (en) * 2022-06-13 2024-02-09 北京信长城科技发展有限公司 Method and device for realizing password security protection, storage medium and electronic equipment
CN116092623B (en) * 2023-04-12 2023-07-28 四川执象网络有限公司 Health data management method based on basic medical quality control

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656476A (en) * 2017-01-18 2017-05-10 腾讯科技(深圳)有限公司 Password protecting method and device
CN107070948A (en) * 2017-05-23 2017-08-18 广东工业大学 Signature and verification method based on hybrid encryption algorithm in cloud storage
CN110232044A (en) * 2019-06-17 2019-09-13 山东浪潮通软信息科技有限公司 Implementation system and method for a big data aggregation scheduling service
CN110943841A (en) * 2018-09-24 2020-03-31 恩智浦有限公司 Password authentication using white-box encryption

Similar Documents

Publication Publication Date Title
US11757662B2 (en) Confidential authentication and provisioning
US8862889B2 (en) Protocol for controlling access to encryption keys
EP2737656B1 (en) Credential validation
Cheng Security attack safe mobile and cloud-based one-time password tokens using rubbing encryption algorithm
CN108347419A (en) Data transmission method and device
CN110188551B (en) Policy encryption transmission method and system
Alhothaily et al. A secure and practical authentication scheme using personal devices
CN113630238B (en) User request permission method and device based on password confusion
CN101420302A (en) Safe identification method and device
CN110868291B (en) Data encryption transmission method, device, system and storage medium
CN111130799B (en) Method and system for HTTPS protocol transmission based on TEE
WO2018030289A1 (en) Ssl communication system, client, server, ssl communication method, and computer program
Raddum et al. Security analysis of mobile phones used as OTP generators
Rastogi et al. Secured identity management system for preserving data privacy and transmission in cloud computing
Kumari et al. Hacking resistance protocol for securing passwords using personal device
TWI459786B (en) Multi-channel active identityauthentication system and related computer program product and method
US11343078B2 (en) System and method for secure input at a remote service
CN102780812A (en) Method and system for achieving safe input by using mobile terminal
KR101210411B1 (en) Transaction Protection System and Method using Connection of Certificate and OTP Generated by Keystream
KR102200553B1 (en) A method for judging application forgery using user secret key, a packet validation authentication method using dynamic token, and its system
Boraiah Secure Cardless Transaction Android Application using ECC algorithm and QR code
CN117675182A (en) Identity authentication method, system, equipment and medium
Moia et al. Cloud privacy guard (cpg): Security and privacy on data storage in public clouds
CN114238996A (en) Method and system for bypassing decryption of logging JavaScript
CN115134152A (en) Data transmission method, data transmission device, storage medium, and electronic apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant