CN101309147A - Identity authentication method based on image password - Google Patents
Identity authentication method based on image password
- Publication number: CN101309147A (application number CN200810124836, listed as CNA2008101248367A)
- Authority: CN (China)
- Prior art keywords: authentication, image, server, user, client
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention relates to an image-password identity authentication method based on a one-time key. An image sequence replaces the traditional text password; the input mode for the image password is changed from mouse clicks to keyboard input; and a one-time key is used to encrypt the authentication information while it is in transit.
Description
Technical field
The present invention relates to an identity authentication method in the field of computer network security, in particular to an image-password identity authentication method based on a one-time key.
Background art
Authentication is the first barrier in a network security system, and every other security service depends on it. Once the authentication system is broken, all of the system's other security measures become useless. At present the main authentication method is still static, text-based authentication, but the difficulty of memorizing passwords is its greatest drawback. The concept of the image password was therefore proposed in recent years: an image sequence replaces the traditional character-string password. This technique also has shortcomings. First, an image password cannot effectively prevent shoulder-surfing (spying) attacks; second, the image itself is a static password, and if it is transmitted directly over the network it is easily intercepted. It is, however, a genuinely good aid to remembering the password.
Summary of the invention
Addressing the deficiencies of existing image-password authentication systems, the present invention proposes an image-password identity authentication method based on a one-time key. The method effectively prevents the leakage caused by shoulder-surfing, network interception, replay attacks and the like, and guarantees the security of the image password in transit.
The proposed method comprises two stages: a registration stage and an authentication stage.
Registration stage: the user submits an identity identifier U_id to the authentication server and requests registration. The server computes the hash h = H(U_id) of the user identifier and traverses the list of user identifiers; if h already exists, the user is prompted to choose a new U_id, so that user identifiers remain unique. If it does not exist, the server sends the client a challenge containing the selectable authentication images and prompts the user to choose authentication images and to define a characteristic value sequence. The user picks easily remembered images from the selectable image set as the authentication images P, defines a fixed-length characteristic value for each authentication image, and passes the registration information (P, P_t) to the authentication server over a secure channel. The server computes the hash H(P_t) of the characteristic value sequence and stores it in the authentication server's database for use during authentication.
Authentication stage: the client computes the hash h = H(U_id) of the user identifier and sends h to the server to request authentication. On receiving the request, the server checks whether h belongs to the list of user identifiers L. If h ∈ L, U_id is legitimate: the server generates a random number r, computes h_s = H(r, k), encrypts the random number r, the authentication image set I and h_s with the symmetric key k, E_s = E(r, I, h_s, k), sends E_s to the client and temporarily keeps r. If h ∉ L, U_id is an illegitimate user and the server ends the session with U_id. On receiving the server's challenge, the client decrypts it with the symmetric key k to obtain (r, I, h_s) and checks whether h_s = H(r, k) holds; if it does not, the server is an impostor and the client ends the session with it. If it holds, the server's identity is verified; the client displays the image sequence I and asks the user to make a selection. From the coordinate values of the authentication images entered by the user, the client determines the authentication images P = P_1 ... P_i ... P_n, and from the characteristic value sequence P_t entered by the user computes its hash H(P_t). Using the hash H(P_t) of the characteristic value sequence as the fixed factor and the random number r as the variable factor, the client computes the one-time key E_tmp with a one-way hash algorithm, encrypts P with E_tmp, P_e = E(P, E_tmp), generates the data integrity check value h_c = H(P_e, k), encrypts P_e and h_c with the symmetric key k, E_c = E(P_e, h_c, k), and sends E_c to the server. The server decrypts the client's response, computes the one-time key E_tmp by the same method as the client, checks that h_c = H(P_e, k) to verify data integrity, decrypts P_e with E_tmp to obtain the authentication image sequence, and compares it with the authentication image sequence in the authentication database. If they are identical, authentication succeeds; otherwise access is denied.
In the image-password authentication method of the present invention, the characteristic value sequence of the authentication images is the fixed factor and the random number generated by the server is the variable factor; a one-time key is generated on the one-time-password principle, and the authentication images are encrypted with it before transmission, so that the authentication information sent over the network changes randomly in every authentication run.
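The registration and authentication stages above, with both sides of the exchange implemented, as an added example in Python that is not part of the patent (the embodiment and the worked example later on this page follow the same steps). The patent names no concrete primitives, so these are assumptions of the example: H is SHA-256 over a canonical JSON encoding of its arguments (the page's worked example uses MD5 in that role); E/D is a stream cipher built from HMAC-SHA256 in counter mode with a fresh nonce, giving confidentiality only, since the scheme's own h_c supplies integrity; the one-time key is E_tmp = H(H(P_t), r); k is a symmetric key both sides are assumed to share beforehand; and the class and function names, the 64-bit r and the hex encoding of byte values are the example's own choices. The server consumes r after one use, so a captured E_c replayed against a later challenge fails, which is the replay property the summary claims.

```python
"""Added example (not the patent's code): the registration and authentication
stages with both sides implemented. Assumptions: H is SHA-256 over a canonical
JSON encoding (the page's worked example uses MD5), E/D is HMAC-SHA256 in
counter mode with a fresh nonce, E_tmp = H(H(P_t), r), and k is pre-shared."""
import hashlib
import hmac
import json
import secrets


def H(*parts) -> str:
    """H(...): one-way hash of its arguments, as a hex string."""
    return hashlib.sha256(json.dumps(list(parts), sort_keys=True).encode()).hexdigest()


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode; confidentiality only (h_c supplies integrity)."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def E(obj, key: bytes) -> bytes:
    """E(obj, key): 16-byte random nonce || encryption of the JSON encoding of obj."""
    nonce = secrets.token_bytes(16)
    return nonce + _ctr_xor(key, nonce, json.dumps(obj).encode())


def D(blob: bytes, key: bytes):
    """Inverse of E; a wrong key yields bytes that are not JSON and raises ValueError."""
    return json.loads(_ctr_xor(key, blob[:16], blob[16:]))


def one_time_key(h_pt: str, r: int) -> bytes:
    """E_tmp = H(H(P_t), r): H(P_t) is the fixed factor, r the variable factor."""
    return bytes.fromhex(H(h_pt, r))


class AuthServer:
    def __init__(self, k: bytes, decoys):
        self.k = k                  # symmetric key shared with the client (pre-shared)
        self.decoys = list(decoys)  # interfering pictures shown with the authentication images
        self.db = {}                # H(U_id) -> {"P": image ids, "h_pt": H(P_t)}
        self.pending = {}           # H(U_id) -> r of the outstanding challenge

    def register(self, u_id: str, P, P_t: str) -> bool:
        h = H(u_id)
        if h in self.db:
            return False            # identifier taken: the user must choose a new U_id
        self.db[h] = {"P": list(P), "h_pt": H(P_t)}
        return True

    def challenge(self, h: str):
        """E_s = E(r, I, h_s, k), or None when h is not in the identifier list L."""
        if h not in self.db:
            return None
        r = secrets.randbits(64)
        self.pending[h] = r         # kept until the response arrives; used once
        I = self.db[h]["P"] + self.decoys
        secrets.SystemRandom().shuffle(I)
        return E({"r": r, "I": I, "h_s": H(r, self.k.hex())}, self.k)

    def verify(self, h: str, E_c: bytes) -> bool:
        r = self.pending.pop(h, None)
        if r is None:
            return False            # no outstanding challenge: stale or replayed response
        try:
            msg = D(E_c, self.k)
            P_e = bytes.fromhex(msg["P_e"])
            if not hmac.compare_digest(msg["h_c"], H(P_e.hex(), self.k.hex())):
                return False        # integrity check h_c = H(P_e, k) failed
            P = D(P_e, one_time_key(self.db[h]["h_pt"], r))
        except (ValueError, KeyError, TypeError):
            return False            # wrong one-time key (wrong P_t, or a replayed P_e)
        return P == self.db[h]["P"]


def client_respond(k: bytes, E_s: bytes, chosen_images, P_t: str) -> bytes:
    """Client: check h_s = H(r, k), then build E_c = E(P_e, h_c, k)."""
    msg = D(E_s, k)
    r = msg["r"]
    if not hmac.compare_digest(msg["h_s"], H(r, k.hex())):
        raise RuntimeError("server impostor: h_s != H(r, k)")
    # chosen_images is what the typed coordinates resolve to within the displayed set msg["I"].
    P_e = E(chosen_images, one_time_key(H(P_t), r))
    return E({"P_e": P_e.hex(), "h_c": H(P_e.hex(), k.hex())}, k)


def run_session(server: AuthServer, k: bytes, u_id: str, chosen_images, P_t: str) -> bool:
    """One complete authentication run; False when the server refuses or rejects."""
    E_s = server.challenge(H(u_id))
    if E_s is None:
        return False
    return server.verify(H(u_id), client_respond(k, E_s, chosen_images, P_t))
```

Note that h_c = H(P_e, k) still verifies on a replayed packet; what defeats the replay is that the server has discarded the old r (and any new challenge carries a different r), so P_e no longer decrypts under the server's one-time key. A deployment would replace the toy cipher with an authenticated cipher such as AES-GCM; the shape of the exchange, h, then (r, I, h_s), then (P_e, h_c), is what the example is meant to show.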
Advantages of the present invention:
1. The password is easy to remember. In the authentication method of the present invention, the characteristic value of the image password that the user is asked to enter is a short, meaningful character string that the user sets to help remember the image password, and the image password itself is easy to remember, so the password used in authentication is easy to remember.
2. Shoulder-surfing attacks are prevented. During authentication the user does not select the authentication images by clicking with the mouse, but locates them by typing the coordinate values of the authentication images into a text box. The placement of the authentication images changes randomly in every authentication run, so the coordinate sequence the user types also changes randomly, which effectively prevents spying attacks.
3. Replay attacks are resisted. In every authentication run the authentication information is encrypted with a one-time key, so the authentication information exchanged between client and server changes randomly each time. Even if the authentication information is intercepted, it cannot be sent to the server again for verification, because the decryption key has changed by then; this prevents an illegitimate user from replaying it to the server.
4. Verification of the server by the client is added. The client does not hold the server's key, but by checking h_s = H(r, k) the client is sure that the server it communicates with possesses the client's symmetric key k, and so verifies the identity of the server indirectly.
5. The authentication method has broad applicability and can be used in industries such as finance and public security that have higher security requirements for their business.
Embodiment
An image-password identity authentication method based on a one-time key comprises the following steps:
1. The client user sends an identity authentication request to the server: the hash value h = H(U_id) of the user identifier.
2. After receiving the authentication request, the server verifies the legitimacy of the user identifier and sends authentication challenge information to the client: the server sends the client the authentication image set I, the random number r and the server identity verification value h_s = H(r, k).
3. After the client verifies the legitimacy of the server's identity from h_s, it displays the authentication image set I to the user and locates the authentication images from the coordinate values the user enters. It generates the one-time key E_tmp, encrypts the authentication images with it, generates the data integrity check value h_c, encrypts the authentication information and sends it to the server for verification.
4. The server generates the one-time key by the same method as the client and verifies the integrity of the client's response. It decrypts the authentication image sequence and compares it with the registered value P' in the authentication database; if identical, verification succeeds, otherwise access is denied.
The process of the present invention is illustrated below with one application of it:
1. Registration process:
User Jauney sends a registration request through the client to the server and submits the identity identifier U_id to the authentication server to request registration. After the server confirms the uniqueness of the user identifier, it sends challenge information to the client according to the user identifier the client sent, comprising the selectable authentication image set, a random number and the server-side verification value.
User Jauney selects 4 icons from the image set as authentication images, defines one characteristic value for each authentication image, obtaining P_t = 8304, and submits the identity identifier Jauney, the authentication images P and the characteristic value P_t to the authentication server over a secure channel. The server stores the hash of the user identifier, the authentication images P and the characteristic value P_t.
2. Authentication process:
1) The user enters the user identifier Jauney in the client browser; the client generates its hash and submits an authentication request to the server.
2) The server traverses the authentication database, finds the record matching the hash of Jauney, and generates challenge information from this record: the selectable authentication image set (containing the 4 authentication images and 50 interfering pictures), the random number r = 204, and the server identity verification value
h_s = H(r, k) = H(204, 8300121) = 723B9964D07764106052845CDC8EA2F9
(note: the symmetric key in this authentication run is k = 8300121).
These values are encrypted with the symmetric key k and sent to the client browser as the challenge. If the database contains no record corresponding to this user name, the login request is refused.
3) After the client receives the server's response, it verifies the legitimacy of the server's identity from the value of h_s. If legitimate, it displays the selectable authentication image set (the images are randomly distributed in the authentication window) and prompts user Jauney to enter the coordinate sequence of the authentication images, (2,3), (4,4), (3,6), (2,2), together with the characteristic value corresponding to each authentication image, P_t = 8304.
The client locates the authentication images from the coordinate sequence the user entered and generates the one-time key from the random number r and the characteristic value P_t:
E_tmp = MD5(r, H(P_t)) = EE63B5A2CBD2E6A0D29A76528B48764A
It encrypts the authentication image sequence P with E_tmp to obtain P_e, and generates the data integrity check value from P_e with the symmetric key k:
h_c = H(P_e, k) = E5D0E4A933E6BAD31DECB976A2FA5C6D
P_e and h_c are encrypted with the symmetric key k and sent to the server for identity authentication.
4) After the server receives the user's response, it decrypts it to obtain P_e and h_c, generates the one-time key E_tmp' by the same method as the client, and performs the data integrity check from the value of h_c. If the response packet is intact, it decrypts P_e to obtain the authentication image sequence P and compares P with the authentication images of Jauney stored in the authentication database; if identical, authentication succeeds; if different, the user is prompted to re-select the authentication images or to enter the correct characteristic value sequence.
In the registration and authentication processes above, the user does not choose the authentication images by clicking the mouse, but locates them by the coordinate values at which they are randomly distributed in the authentication window. This password entry method effectively prevents an attacker from observing over the user's shoulder, or recording with a camera, the user's whole image selection process during authentication, and so prevents leakage of the authentication images.
The implementation of the present invention is not limited to the embodiment above; for example, the present invention can also use more than four images for authentication.
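The coordinate-based entry of step 3), as an added example in Python that is not part of the patent: the server lays the image set (the 4 authentication images plus 50 interfering pictures of this example) out on a fresh random grid for each session, the user types the coordinates of the registered images into a text box, and the client maps them back to image identifiers. The 9 x 6 grid, the (column, row) order starting at (1,1), the text-box syntax "(2,3),(4,4),(3,6),(2,2)" and the function names are assumptions of the example; the seed parameter exists only so that a layout can be reproduced in tests, and a live session draws from the operating system's random source. The last function checks the anti-spying claim of advantage 2: coordinates recorded in one session select the registered images in another session only if the two random layouts happen to coincide on those cells.

```python
"""Added example (not the patent's code): per-session random image layout and
keyboard-entered coordinates, as described for step 3) above.
Assumptions: a 9x6 grid holds the 54 images, coordinates are (column, row)
starting at (1, 1), and the text box accepts the form '(2,3),(4,4),(3,6),(2,2)'."""
import random
import re
import secrets


def layout(images, cols=9, seed=None):
    """Place the images on a cols-wide grid in random order; returns {(col, row): image_id}.
    seed is for reproducible tests only; a live session uses the OS random source."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    order = list(images)
    rng.shuffle(order)
    return {(i % cols + 1, i // cols + 1): img for i, img in enumerate(order)}


def coordinates_of(grid, chosen):
    """The coordinate sequence the user must type this session for the registered images."""
    position = {img: xy for xy, img in grid.items()}
    return [position[img] for img in chosen]


def parse_typed(text):
    """Parse the text-box input '(2,3),(4,4),(3,6),(2,2)' into a list of (col, row) tuples."""
    return [(int(c), int(r)) for c, r in re.findall(r"\(\s*(\d+)\s*,\s*(\d+)\s*\)", text)]


def resolve(grid, typed):
    """Client side: map typed coordinates back to image ids; None if a cell is not on the grid."""
    try:
        return [grid[xy] for xy in typed]
    except KeyError:
        return None


def observed_coords_reused(images, chosen, seed_a, seed_b):
    """Shoulder-surfing check: coordinates recorded in session A and typed again in
    session B select the registered images only if the two layouts agree on those cells."""
    typed_in_a = coordinates_of(layout(images, seed=seed_a), chosen)
    return resolve(layout(images, seed=seed_b), typed_in_a) == chosen
```

The server keeps the grid it generated for the session (or the permutation that produced it) so that the identifiers the client resolves can be checked against the registered images; the typed coordinate string itself is never what gets compared.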
Claims (3)
1. An authentication method based on an image password, comprising the following steps:
Registration stage:
the user sends a registration request through the client to the server and submits an identity identifier U_id to the authentication server to request registration; after the server confirms the uniqueness of the user identifier, it sends challenge information to the client according to the user identifier the client sent, comprising a selectable authentication image set, a random number and a server-side verification value;
the user selects easily remembered images from the selectable authentication image set as the authentication images P, defines a fixed-length characteristic value for each authentication image, and passes the registration information (P, P_t) to the authentication server over a secure channel;
the server computes the hash H(P_t) of the characteristic value sequence and stores it in the authentication server's database for use during authentication;
Authentication stage:
the user sends an authentication request through the client to the server and submits the identity identifier U_id to the authentication server to request authentication;
the client verifies the legitimacy of the server from the server-side verification value and displays the selectable image set to the legitimate user;
the user enters the placement coordinates, in the current authentication window, of the authentication images selected at registration, together with the characteristic value corresponding to each authentication image;
the client computes the current one-time key from the hash of the characteristic values and the random number sent by the server, locates the authentication images from the placement coordinates, encrypts the authentication images with the one-time key and generates a data integrity check value, then encrypts the encrypted authentication images and the data integrity check value with the symmetric key and sends them to the server;
the server decrypts the client's response, checks the integrity of the client's packet from the data integrity check value, computes the current one-time key from the hash of the current user's characteristic value sequence stored in the authentication database and the random number, decrypts the authentication images with the resulting one-time key, and compares the decrypted authentication images with the value in the authentication database; if identical, verification succeeds.
2. The authentication method based on an image password according to claim 1, characterized in that the user locates the authentication images by the coordinate values at which they are randomly distributed in the authentication window.
3. The authentication method based on an image password according to claim 1 or 2, characterized in that the characteristic value sequence of the authentication images is the fixed factor and the random number generated by the server is the variable factor; a one-time key is generated on the one-time-password principle and the authentication images are encrypted with it before transmission, so that the authentication information transmitted over the network changes randomly in every authentication run.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008101248367A CN101309147A (en) | 2008-06-13 | 2008-06-13 | Identity authentication method based on image password |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101309147A true CN101309147A (en) | 2008-11-19 |
Family ID: 40125383
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101309147A (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101415004B (en) * | 2008-11-25 | 2013-05-08 | 江岳 | Authentication method for embedded web page application |
WO2012174775A1 (en) * | 2011-06-24 | 2012-12-27 | 上海合合信息科技发展有限公司 | Method and system for acquiring designated information |
CN102710648A (en) * | 2012-06-11 | 2012-10-03 | 北京慧眼智行科技有限公司 | Identity authentication method, equipment and system |
CN102710648B (en) * | 2012-06-11 | 2016-04-06 | 北京慧眼智行科技有限公司 | The method of authentication, equipment and system |
US9710641B2 (en) | 2014-12-12 | 2017-07-18 | Arp-Ip Llc | System and method for replacing common identifying data |
US10204217B2 (en) | 2014-12-12 | 2019-02-12 | Arp-Ip Llc | System and method for replacing common identifying data |
WO2016206090A1 (en) * | 2015-06-26 | 2016-12-29 | 华为技术有限公司 | Two-factor authentication method, device and apparatus |
CN106489155A (en) * | 2015-06-26 | 2017-03-08 | 华为技术有限公司 | Double factor authentication method, device and equipment |
WO2018176700A1 (en) * | 2017-03-31 | 2018-10-04 | 深圳市科迈爱康科技有限公司 | Data interaction method and system for remote access service |
CN108390862A (en) * | 2018-01-29 | 2018-08-10 | 丹露成都网络技术有限公司 | A kind of graphic verification method based on image data encrypted indexes |
CN108390862B (en) * | 2018-01-29 | 2021-04-27 | 丹露成都网络技术有限公司 | Graph verification method based on picture data encryption index |
US11455386B2 (en) | 2019-10-07 | 2022-09-27 | International Business Machines Corporation | Authentication based on image classification |
Legal Events
Date | Code | Title
---|---|---
 | C06 | Publication
 | PB01 | Publication
 | C10 | Entry into substantive examination
 | SE01 | Entry into force of request for substantive examination
 | C02 | Deemed withdrawal of patent application after publication (patent law 2001)
 | WD01 | Invention patent application deemed withdrawn after publication
Open date: 2008-11-19