CN100431297C - Method for preventing user's pin from illegal use by double verification protocol - Google Patents

Method for preventing user's pin from illegal use by double verification protocol

Info

Publication number
CN100431297C
Authority
CN
China
Prior art keywords
user
protocol
network
authentication
authenticating
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CNB2005100089815A
Other languages
Chinese (zh)
Other versions
CN1645796A (en)
Inventor
胡祥义
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to CNB2005100089815A
Publication of CN1645796A
Application granted
Publication of CN100431297C
Active legal status (current)
Anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention discloses a method for preventing a user's PIN from illegal use by a double verification protocol. Using computer, network and cryptographic techniques, it stores two sets of authentication protocols in the authentication device of the client: one set is the network authentication protocol, and the other is the authentication protocol of the authentication device. A static password is used as one part of the key, and the other part of the key is generated automatically by the authentication protocol of the authentication device. The two parts are combined into the encryption key of a symmetric encryption algorithm, which encrypts and decrypts the user certificate and the network authentication protocol, so as to provide identity authentication at the authentication device and control over the network authentication protocol. At the same time, a network authentication protocol corresponding to that of the client is set up at the network server, and a symmetric or asymmetric encryption algorithm is used to generate a dynamic password that changes every time, which identifies the network user and thereby prevents theft of the user's password.

Description

Method for preventing a user's PIN from illegal use by adopting a double verification protocol
Technical field:
The present invention relates to the field of information security. It uses computer, network and cryptographic techniques to solve the problem of network users' passwords being stolen. The method strictly protects the user's password and provides both identity authentication at the authentication device and secure login to the network, and it stops the "steal-number" (account theft) phenomenon in sectors such as e-government, e-commerce, online banking and online games. The invention is applicable to any networked system that requires identity authentication.
Background technology:
At present there is no technical method or product, in China or abroad, that fully solves the network "steal-number" problem. The anti-"steal-number" products of some manufacturers use a smart card and encryption technology to produce a dynamic password that changes every time, and so implement network identity authentication; however, if the user loses the smart card, the account is easily stolen. Other manufacturers use two-factor network identity authentication, authenticating with the user's static password together with a dynamic password produced by an authentication protocol. Such products are also easy to crack: a "steal-number" attacker can, by means of a Trojan horse and analysis of the user's authentication protocol, steal the user's static password and the dynamic password that the authentication protocol produces. In short, none of the existing anti-"steal-number" methods and products meets the needs of the market.
Summary of the invention:
This method for preventing a user's PIN from illegal use uses computer, network and cryptographic techniques to build a network security authentication system. A pair of identical encryption devices is set up at the network server and at each client; their cryptographic algorithm is a symmetric or an asymmetric cryptographic algorithm. The server and the client each set up one group of network authentication protocol, which produces a dynamic password that changes every time and implements authentication between the client and the network server. In the client's authentication device, a second group of authentication protocol is set up for identity authentication at the client authentication device. It is implemented with a symmetric encryption algorithm whose encryption key has two parts: one part is the user's static password, and the other part is produced automatically by the authentication protocol in the authentication device. The two are combined into the encryption key, which is used to encrypt and decrypt the user certificate and part or all of the network authentication protocol, so as to provide identity authentication at the authentication device and control over the network authentication protocol. After the user's static password has passed the authentication of the client authentication device, the network authentication protocol is decrypted into plaintext, and this network authentication protocol is then called to complete identity authentication with the network server, thereby preventing illegal use of the user's PIN. The whole process is implemented in pure software or in a combination of software and hardware. The concrete method is as follows:
1. A network authentication protocol is set up at both the network server and the client. The server's authentication protocol is stored in an encryption device, for example an encryption card or an encryption machine, or on the server's hard disk. The client's authentication protocol is stored in the authentication device, where authentication device means a smart card, USB flash disk, CD, floppy disk, hard disk, etc.
2. The network authentication protocol is built on a symmetric or asymmetric encryption algorithm. The client's network authentication protocol produces a dynamic password K that changes every time, where K is an 80~2000 bit string of "0"s and "1"s, and sends this dynamic password and its authentication parameters to the network server. After receiving the dynamic password and authentication parameters, the network server generates a dynamic password of equal length according to the network authentication protocol, and judges the client user's identity by comparing whether the dynamic passwords at the two ends are identical.
3. When the network authentication protocol uses a symmetric encryption algorithm:
(1) The symmetric encryption key uses the "key seed" technique: under the control of the user's session key and timestamp, a one-time-pad encryption key N is generated by random selection, where N is an 80~128 bit string of "0"s and "1"s. N is used to encrypt the user certificate into the user's encrypted certificate, which is defined as the dynamic password K. Because the encryption key changes every time, the dynamic password K it produces also changes every time.
(2) The user name or user number consists of Y digits or English letters, where Y = 4~12. The timestamp is 8 digits representing the year, month and day, produced from the clock of the client computer system. The session key consists of N1 = 8~16 digits, which are N1 random digits produced by the client's network authentication protocol. The "key seed" is M1 groups of numbers, M1 = 100~2000; each group has length M2, an M2 = 4~32 bit string of "0"s and "1"s. Under the control of the session key and timestamp, N1 groups are chosen from the user's M1 groups of "key seed" and combined into one encryption key N.
(3) In the network authentication protocol, the client first produces a dynamic password that changes every time, and then sends this password and the authentication parameters to the network server. After receiving them, the network server generates the encryption key from the authentication parameters and encrypts the user certificate pre-stored at the server to produce the user's encrypted certificate, i.e. the dynamic password. The user's identity is judged by comparing whether the dynamic passwords at the two ends are identical. The authentication parameters include the user name or user number, the session key, the timestamp, etc.
4. When the network authentication protocol uses an asymmetric encryption algorithm:
(1) The client's authentication device stores the user's private key, of length 1024 or 2048 bit, and the network server stores the user's public key, also of length 1024 or 2048 bit. A random array of S1 groups is set up, where S1 = 100~2000 and each group of random numbers is an S2 = 8~32 bit string of "0"s and "1"s. Under the control of the user's session key and timestamp, groups are chosen from the random array: each time, N1 groups of random numbers are chosen and combined into one random number S, an S = 80~2000 bit string of "0"s and "1"s. The random number S and the user's certificate are then combined as the plaintext, which is encrypted with the user's private key to produce a ciphertext; this ciphertext is defined as the dynamic password. Because the selection of the random number S changes every time, the encrypted ciphertext also changes every time, that is, the dynamic password changes every time.
(2) The client produces a dynamic password that changes every time and sends this password and the authentication parameters to the network server. After receiving them, the network server takes out this user's public key according to the authentication parameters and decrypts the dynamic password into plaintext, then generates the random number SF from the authentication parameters and fetches the user certificate pre-stored at the network server. The user's identity is judged by comparing the certificates at the two ends and comparing whether the random numbers S and SF are identical. The authentication parameters include the user name or user number, the session key, the timestamp, etc.
5. In the client's authentication device, an authentication protocol for identifying the user is set up:
(1) A symmetric encryption algorithm is used. The static password set by the user serves as one part of the encryption key, and the other part is produced automatically by the authentication protocol; the two are combined into one complete encryption key. The user's certificate is encrypted to produce the user's encrypted certificate, and part or all of the network authentication protocol is encrypted to produce ciphertext, i.e. the encrypted network authentication protocol. The user's certificate, the encrypted certificate and the encrypted network authentication protocol are stored in the authentication device.
(2) In the authentication protocol in the authentication device, the static password is denoted K1. K1 consists of digits or the English letters A~F and has length L1, L1 = 8~32 characters; after the authentication protocol converts each of the L1 characters from 1 into 4 (bits), L1 = 32~128 bit.
(3) The other part of the encryption key, produced automatically by the authentication protocol, is denoted K2, with length L2 = 80~128. K2 is formed by choosing N1 groups from the user's "key seed" under the control of the timestamp and session key and merging them. The two parts K1 and K2 are combined into one encryption key K3, which is used to encrypt the user certificate and to encrypt and decrypt the network authentication protocol. K1 and K2 are combined by logical XNOR or logical XOR, the position at which the two are combined is specified by the authentication protocol in the authentication device, and the resulting encryption key K3 has length L2.
(4) The user's encrypted certificate is defined as the authentication code of the authentication protocol in the authentication device, that is, the comparison parameter used when the user authenticates at the authentication device with the static password K1. The user's static password K1 and the other part of the encryption key, K2, produced automatically by the authentication protocol, are combined into one encryption key K3; K3 is used to encrypt the user's certificate, producing the user's encrypted certificate, i.e. the authentication code; this is compared with the user's encrypted certificate, i.e. the authentication code, stored in the authentication device, which implements the user's authentication at the authentication device.
(5) After the user's static password has passed the authentication of the authentication device, the encryption key K3 generated from this static password decrypts the encrypted network authentication protocol into plaintext, i.e. the network authentication protocol, which is then called to identify the network user. If the user's static password fails the authentication of the authentication device, the encryption key K3 it generates cannot decrypt the encrypted network authentication protocol into the correct plaintext, and the network authentication protocol cannot be called to identify the network user.
6. The user's static password is one part of the encryption key of the authentication protocol in the authentication device and is not used as an authentication comparison parameter in either of the two groups of authentication protocols. The user's static password is memorized in the user's head, and the user can change it at any time. The static password is not stored in the authentication device or the client, nor in the network server, and it is not transmitted over the network.
7. The two authentication protocols stored in the client authentication device are the authentication protocol of the authentication device and the encrypted network authentication protocol. The device also stores the user name or user number, the user's certificate, the user's encrypted certificate, the "key seed", and data such as the timestamp and session key that control the generation of the encryption key K2.
Description of drawings:
Fig. 1: Flow chart of the authentication protocol of the authentication device
Fig. 2: Flow chart of modifying the user's static password in the authentication protocol
Embodiment:
The steps for implementing the method of preventing a user's PIN from illegal use are described below with reference to the drawings:
Fig. 1 illustrates the flow of the authentication protocol of the authentication device. First, the user enters the static password into the authentication device. The authentication device generates the encryption key and feeds it to the symmetric encryption algorithm, which encrypts the user's certificate to produce the encrypted certificate, i.e. the authentication code. This authentication code is compared with the authentication code pre-stored in the authentication device. If it is correct, the user passes the authentication of the authentication device; the encryption key already generated is then used to decrypt the encrypted network authentication protocol in the authentication device into plaintext, i.e. the network authentication protocol, which is called to carry out network user identification and can be called repeatedly, followed by shutdown. If it is incorrect, the user is prompted that the static password is wrong and asked to re-enter the static password or shut down.
Fig. 2 illustrates the process by which the user modifies the static password in the authentication protocol. First, the user enters the existing static password into the authentication device, together with the new static password, and enters the new static password a second time. The authentication device compares whether the two entries of the new static password are identical. If they differ, the new static password is re-entered twice, or the device shuts down. If they are identical, the existing static password is used to generate the encryption key, and the cryptographic algorithm is called to encrypt the user certificate into the encrypted certificate, i.e. the authentication code; the other authentication code stored in the authentication device is fetched, and the two authentication codes are compared. If they differ, the user is prompted that the existing static password entered is wrong, and re-enters the existing static password or shuts down. If they are identical, the encryption key generated from the existing static password is used to decrypt the encrypted network authentication protocol into plaintext, i.e. the network authentication protocol. A new encryption key is then generated from the new static password, and part or all of the network authentication protocol is encrypted into ciphertext, i.e. the new encrypted network authentication protocol, which replaces the former one and is stored in the authentication device. The encryption key generated from the new static password also encrypts the user certificate into a new encrypted certificate, i.e. the new authentication code, which replaces the former authentication code and is stored in the authentication device. At this point the modification of the user's static password can be repeated, or the device shuts down.
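The device-side flow of Fig. 1 and the password change of Fig. 2, as an added Python example that is not part of the patent. The SHA-256 keystream standing in for the unnamed symmetric algorithm, the seed-index rule, XOR at offset 0 as the K1/K2 combination, and all sample values are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

M1, N1, L2 = 100, 16, 16  # seed groups, session-key digits, K2/K3 bytes (128 bit)

def derive_k1(password: str) -> bytes:
    """K1: static password of 8~32 characters 0-9/A-F, 4 bits per character."""
    if not 8 <= len(password) <= 32 or any(c not in "0123456789ABCDEF" for c in password):
        raise ValueError("static password must be 8~32 characters from 0-9, A-F")
    return int(password, 16).to_bytes((len(password) + 1) // 2, "big")

def derive_k2(seeds, timestamp: str, session_key: str) -> bytes:
    """K2: N1 seed groups (8 bit each here) chosen under timestamp and session key.
    Assumption: the index rule below; the patent does not give one."""
    picked = []
    for i in range(N1):
        digest = hashlib.sha256(f"{timestamp}:{session_key}:{i}".encode()).digest()
        picked.append(seeds[int.from_bytes(digest[:4], "big") % M1])
    return b"".join(picked)

def derive_k3(k1: bytes, k2: bytes) -> bytes:
    """K3: K1 XORed into K2 at offset 0 (offset assumed); length stays L2."""
    return bytes(a ^ b for a, b in zip(k2, k1.ljust(L2, b"\0")))

def stream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: SHA-256 counter keystream, one label per stored item
    so the certificate and the protocol never share keystream. Encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + label + offset.to_bytes(8, "big")).digest()
        out += bytes(d ^ p for d, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

@dataclass
class Device:
    """Contents of the authentication device (item 7); the static password is absent."""
    certificate: bytes
    seeds: list
    timestamp: str
    session_key: str
    auth_code: bytes = b""      # encrypted certificate
    enc_protocol: bytes = b""   # encrypted network authentication protocol

    def k3(self, password: str) -> bytes:
        k2 = derive_k2(self.seeds, self.timestamp, self.session_key)
        return derive_k3(derive_k1(password), k2)

    def seal(self, password: str, protocol: bytes) -> None:
        key = self.k3(password)
        self.auth_code = stream_xor(key, b"cert", self.certificate)
        self.enc_protocol = stream_xor(key, b"proto", protocol)

def provision(password: str, certificate: bytes, protocol: bytes) -> Device:
    """Issue a device; seeds, timestamp and session key are constructed sample data."""
    seeds = [secrets.token_bytes(1) for _ in range(M1)]
    session_key = "".join(secrets.choice("0123456789") for _ in range(N1))
    dev = Device(certificate, seeds, "20240101", session_key)
    dev.seal(password, protocol)
    return dev

def unlock(dev: Device, password: str):
    """Fig. 1: recompute the authentication code; decrypt the protocol only on a match."""
    key = dev.k3(password)
    if not hmac.compare_digest(stream_xor(key, b"cert", dev.certificate), dev.auth_code):
        return None
    return stream_xor(key, b"proto", dev.enc_protocol)

def change_password(dev: Device, old: str, new: str, new_repeat: str) -> bool:
    """Fig. 2: confirm the new password, verify the old one, re-encrypt both items."""
    if new != new_repeat:
        return False
    protocol = unlock(dev, old)
    if protocol is None:
        return False
    dev.seal(new, protocol)
    return True

if __name__ == "__main__":
    device = provision("1A2B3C4D", b"constructed user certificate", b"constructed protocol")
    print(unlock(device, "1A2B3C4D"), unlock(device, "1A2B3C4E"))
    print(change_password(device, "1A2B3C4D", "0F0F0F0F99", "0F0F0F0F99"))
```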

Claims (6)

1. A method for preventing a user's PIN from illegal use by adopting a double verification protocol, implemented using computer, network and cryptographic techniques, with the following implementation steps:
Two groups of authentication protocols are stored in the authentication device of the client: one group is the network authentication protocol and the other is the authentication protocol of the authentication device. The static password serves as one part of the key, and the other part of the key is produced automatically by the authentication protocol of the authentication device; the two are combined into the encryption key of a symmetric encryption algorithm, which encrypts and decrypts the user certificate and the network authentication protocol, so as to provide identity authentication at the authentication device and control over the network authentication protocol. At the same time, a network authentication protocol corresponding to that of the client is also set up at the network server, and a symmetric or asymmetric encryption algorithm is used to generate a dynamic password that changes every time, implementing identification of the network user and thereby preventing illegal use of the user's PIN.
2. The method for preventing a user's PIN from illegal use by adopting a double verification protocol according to claim 1, characterized in that:
(1) according to the network authentication protocol, the client automatically generates a dynamic password that changes every time and sends it to the network server, implementing network identity authentication;
(2) according to the authentication protocol of the authentication device, the user directly enters the static password to implement identity authentication at the authentication device.
3. The method for preventing a user's PIN from illegal use by adopting a double verification protocol according to claim 1, characterized in that:
In the authentication protocol of the authentication device, the user's static password serves as one part of the key, and the other part of the key is produced automatically by the authentication protocol in the authentication device; the two are combined into the encryption key of a symmetric encryption algorithm. With this encryption key and the symmetric encryption algorithm, the user's certificate and part or all of the network authentication protocol are each encrypted into ciphertext, which prevents the user's static password from being deciphered and also prevents the network authentication protocol from being stolen.
4. The method for preventing a user's PIN from illegal use by adopting a double verification protocol according to claim 3, characterized in that:
The user's encrypted certificate, i.e. the authentication code, is the comparison parameter used when the user authenticates at the authentication device with the static password. That is, the static password and the other part of the encryption key, produced automatically by the authentication protocol, are combined into one encryption key, which encrypts the user's certificate to produce the user's encrypted certificate, i.e. the authentication code; this is compared with the user's encrypted certificate, i.e. the authentication code, stored in the authentication device, which implements the user's authentication at the authentication device.
5. The method for preventing a user's PIN from illegal use by adopting a double verification protocol according to claim 3, characterized in that:
(1) when the user's static password fails the authentication of the authentication device, the network authentication protocol cannot be called by force, because the network authentication protocol stored in the authentication device is ciphertext;
(2) only after the user's static password has passed the authentication of the authentication device can the encrypted network authentication protocol be decrypted into plaintext and called to identify the network user.
6. The method for preventing a user's PIN from illegal use by adopting a double verification protocol according to claims 3 and 4, characterized in that:
The user's static password is not used as an authentication comparison parameter in either of the two groups of authentication protocols. The user's static password is memorized in the user's head, and the user can change it at any time. The static password is not stored in the authentication device or the client, nor in the network server, and it is not transmitted over the network.
CNB2005100089815A 2005-02-28 2005-02-28 Method for preventing user's pin from illegal use by double verification protocol Active CN100431297C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100089815A CN100431297C (en) 2005-02-28 2005-02-28 Method for preventing user's pin from illegal use by double verification protocol

Publications (2)

Publication Number Publication Date
CN1645796A CN1645796A (en) 2005-07-27
CN100431297C true CN100431297C (en) 2008-11-05

Family

ID=34875369

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100089815A Active CN100431297C (en) 2005-02-28 2005-02-28 Method for preventing user's pin from illegal use by double verification protocol

Country Status (1)

Country Link
CN (1) CN100431297C (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364872B (en) * 2007-08-08 2011-09-21 精品科技股份有限公司 Method for instruction execution through verification
FR2951343A1 (en) * 2009-10-14 2011-04-15 Alcatel Lucent COMMUNICATION DEVICE MANAGEMENT THROUGH A TELECOMMUNICATIONS NETWORK
CN102064936B (en) * 2010-11-29 2012-08-22 北京卓微天成科技咨询有限公司 Data encryption and decryption methods and devices
CN101984574B (en) * 2010-11-29 2012-09-05 北京卓微天成科技咨询有限公司 Data encryption and decryption method and device
CN102012993B (en) * 2010-11-29 2012-07-11 北京卓微天成科技咨询有限公司 Methods and devices for selectively encrypting and decrypting data
KR101944741B1 (en) * 2016-10-28 2019-02-01 삼성에스디에스 주식회사 Apparatus and method for encryption
CN108632296B (en) * 2018-05-17 2021-08-13 中体彩科技发展有限公司 Dynamic encryption and decryption method for network communication

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004059415A2 (en) * 2002-12-31 2004-07-15 International Business Machines Corporation Method and system for authentification in a heterogeneous federated environment, i.e. single sign on in federated domains
CN1549482A (en) * 2003-05-16 2004-11-24 华为技术有限公司 Method for realizing high rate group data service identification

Also Published As

Publication number Publication date
CN1645796A (en) 2005-07-27

Similar Documents

Publication Publication Date Title
EP3289723B1 (en) Encryption system, encryption key wallet and method
CN101828357B (en) Credential provisioning method and device
US7571320B2 (en) Circuit and method for providing secure communications between devices
US6985583B1 (en) System and method for authentication seed distribution
CN100468438C (en) Encryption and decryption method for realizing hardware and software binding
CN101282222B (en) Digital signature method based on CSK
US20060034456A1 (en) Method and system for performing perfectly secure key exchange and authenticated messaging
CN109728909A (en) Identity identifying method and system based on USBKey
CN102664739A (en) PKI (Public Key Infrastructure) implementation method based on safety certificate
US8230218B2 (en) Mobile station authentication in tetra networks
CN100431297C (en) Method for preventing user's pin from illegal use by double verification protocol
US20130097427A1 (en) Soft-Token Authentication System
US6640303B1 (en) System and method for encryption using transparent keys
CN111526007B (en) Random number generation method and system
CN102833075A (en) Identity authentication and digital signature method based on three-layered overlapping type key management technology
CN108199847A (en) Security processing method, computer equipment and storage medium
CN107707562A (en) A kind of method, apparatus of asymmetric dynamic token Encrypt and Decrypt algorithm
CN109218251B (en) Anti-replay authentication method and system
CN104079577A (en) Authentication method and authentication device
CN117675285A (en) Identity verification method, chip and equipment
CN101867471A (en) Irrational number based DES authentication encryption algorithm
CN115276978A (en) Data processing method and related device
CN1980127A (en) Command identifying method and command identifying method
CN107463977B (en) Circuit and method for authenticating a card by contactless reading
WO2017109058A1 (en) Security management system for securing a communication between a remote server and an electronic device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee
CP02 Change in the address of a patent holder

Address after: 100091 No. 4, building 22, West 1, Hongqi hospital, Beijing, Haidian District

Patentee after: Hu Xiangyi

Address before: 100044 Beijing city Xicheng District Xizhimen Street No. 138 room 620 Beijing Planetarium

Patentee before: Hu Xiangyi