CN101335623A - Network identity authentication method adopting password transforming - Google Patents

Network identity authentication method adopting password transforming

Info

Publication number
CN101335623A
Authority
CN
China
Prior art keywords
user
random string
server
algorithm
authentication
Prior art date
Legal status
Pending
Application number
CNA2008100237473A
Other languages
Chinese (zh)
Inventor
王皓辰
Current Assignee
Individual
Original Assignee
Individual
Priority date
2008-04-17
Filing date
2008-04-17
Publication date
2008-12-31
Application filed by Individual
Priority to CNA2008100237473A
Publication of CN101335623A
Legal status: Pending

Abstract

The invention discloses a network identity authentication method that adopts password transforming and is implemented with computer and network technology. The user and the server agree on an algorithm in advance; the algorithm applies one of four edits (substitution, transposition, deletion and insertion), or a combination of several of them, to the character at one position or at several positions of a random character string. During authentication both the user and the server apply the algorithm to the same random character string, obtaining an authentication code and a comparison code respectively, and the two codes are compared for equality; agreement authenticates the user's network identity.

Description

A network identity authentication method adopting password transforming
Technical field
The present invention relates to the field of information security. It uses password transforming to perform network identity authentication. The method can prevent illegal or unauthorized network access and is applicable to websites of all kinds, such as those of government, banking, securities, insurance, online games, blogs and e-mail.
Background technology
At present most network identity authentication systems are password-based, and a leaked password directly leads to a successful illegal or unauthorized access. The main ways a password is leaked are: keyboard monitoring (the attacker implants a virus or trojan program on the user's computer to monitor the user's keyboard or mouse actions), interception of communications (the attacker captures the password as it is transmitted in the clear over the network) and external leakage (the attacker obtains another person's password by means other than the network, for example by watching over the user's shoulder at a bank ATM terminal). Because the password in most existing network identity authentication systems is relatively fixed, once an attacker obtains it, he can impersonate the legitimate user and send an authentication request, or use a replay attack, to gain illegal or unauthorized access. Such incidents are rather widespread on the network: thefts of instant-messaging (IM) accounts such as QQ and MSN, Internet banking accounts and online game accounts occur again and again, posing a great threat to network information security and to the normal operation of websites.
The prior-art countermeasures are mainly hardware means such as USB tokens and synchronous dynamic password generators, or complex encryption and decryption techniques such as digital signatures, zero-knowledge techniques and long keys. The drawbacks of hardware means are high cost and inconvenience to the user (the device must be carried), while complex encryption and decryption techniques come at the cost of consuming too many processor and communication resources.
Summary of the invention
The network identity authentication method of the present invention adopts password transforming: the user and the server agree on an algorithm in advance, each of them then applies that algorithm to the same random character string, and authentication is performed by comparing whether the two results agree.
The present invention can be divided into three parallel schemes, each of which can independently achieve the beneficial effect of the invention as a stand-alone solution. Their technical solutions are as follows:
Scheme 1. The server end provides an operation interface that supports on-line set-up of the algorithm by the user, on which the user agrees the algorithm with the server. The purpose of the algorithm is to transform one random character string into another character string. The basic edits are substitution, transposition, deletion and insertion; concretely, the algorithm applies one of these four edits, or a combination of several of them in sequence, to the character at one position or, in turn, at several positions of the random string. Once the agreement is made, the server stores the algorithm, in the form of a fixed program, in the storage area of the server-end memory that corresponds to the user name, and the user must memorize the algorithm himself.
When the user authenticates, the client first sends the user name to the server end over the network. After receiving the user name, the server end generates a random character string and sends it to the client over the network; at the same time it applies the algorithm agreed in advance with the user to this random string and takes the result as the comparison code M1. After receiving the random string, the user applies the same pre-agreed algorithm to it, takes the resulting new character string as the authentication code M2 and sends it to the server over the network as the authentication parameter. The server compares the comparison code M1 with the authentication code M2: if they are identical the user is legitimate, otherwise the user is illegitimate. The character string is composed of the 26 English lowercase letters, the 26 English uppercase letters and the 10 Arabic numerals; as long as the random string has length 6 there are more than 56 billion possibilities, so that even if a user authenticates 100 times a day for 100 consecutive years, the probability that the same random string appears twice still does not exceed the order of 10^-7, and it can be theoretically guaranteed that the same user never receives the same random string twice. Therefore, even if the attacker has obtained the authentication code of one particular authentication of a legitimate user through keyboard monitoring, interception of communications or some other channel, that authentication code does not match the random string the attacker receives, and hence cannot agree with the comparison code derived by the server, so the captured parameter cannot help the attacker to authenticate illegally.
Scheme 2. First, as in scheme 1, the server end provides an operation interface that supports on-line set-up of the algorithm by the user, and the user must agree the algorithm with the server in advance on this interface. The purpose of the algorithm is to transform one random character string into another character string. The basic edits are substitution, transposition, deletion and insertion; concretely, the algorithm applies one of these four edits, or a combination of several of them in sequence, to the character at one position or, in turn, at several positions of the random string. Once the agreement is made, the server stores the algorithm, in the form of a fixed program, in the storage area of the server-end memory that corresponds to the user name, and the user must memorize the algorithm himself.
Then, when the user makes an authentication request at the client, the client software generates a random character string. The user applies the algorithm agreed in advance with the server to this random string, takes the result as the authentication code M1 and sends it, together with the user name and the random string, to the server over the network as the authentication parameters. After receiving the authentication parameters, the server first searches and compares its past records to determine whether the random string in these parameters has previously been sent to the server by this user. If it has not, the server stores this random string in the storage area of the server-end memory corresponding to the user name, for later retrieval and comparison; it then applies the same pre-agreed algorithm to the random string, takes the resulting new character string as the comparison code M2, and compares M2 with the authentication code M1: if they are identical the user is legitimate, otherwise the user is illegitimate. If the random string has previously been sent to the server by this user, the authentication request is regarded as illegal and is refused. For the same reason as in scheme 1, the random strings produced by the client software cannot repeat in theory, so if the server receives the same random string from a user a second time, it can regard this as an illegal authentication request from an attacker and refuse it. Consequently, an authentication parameter of a user obtained by an attacker cannot help the attacker to authenticate illegally.
Scheme 3. First, again as in scheme 1, the server end provides an operation interface that supports on-line set-up of the algorithm by the user, and the user must agree the algorithm with the server in advance on this interface. The purpose of the algorithm is to transform one random character string into another character string. The basic edits are substitution, transposition, deletion and insertion; concretely, the algorithm applies one of these four edits, or a combination of several of them in sequence, to the character at one position or, in turn, at several positions of the random string. Once the agreement is made, the server stores the algorithm, in the form of a fixed program, in the storage area of the server-end memory that corresponds to the user name, and the user must memorize the algorithm himself.
Then, when the user authenticates, the client first sends an authentication request to the server. After receiving the request, the server end generates a random character string and a number for that random string, sends both to the client over the network, and at the same time saves the string and the number and establishes a correspondence between them. After receiving the random string and the number, the user applies the algorithm agreed in advance with the server end to the random string, takes the result as the authentication code M1 and sends it, together with the user name and the random string number, to the server over the network as the authentication parameters. After receiving the authentication parameters, the server selects the corresponding random string according to the random string number, applies the same pre-agreed algorithm to it, takes the result as the comparison code M2, and compares M2 with M1: if they are identical the user is legitimate, otherwise the user is illegitimate. When the authentication has finished, regardless of the result, the server immediately destroys the correspondence between the number and the random string, so that the number becomes invalid. Because in this scheme the server selects the stored random string by its number, and the number is destroyed after each authentication, that is, it is valid for a single authentication only, even an attacker who obtains the authentication parameters cannot succeed in impersonating the legitimate user in a further authentication or in a replay attack.
One additional point: in all three of the above schemes a dictionary attack is equally ineffective, because an authentication code derived from a random string is itself necessarily random and cannot contain easily guessed characters such as birthdays or common words.
Description of drawings
Fig. 1: flow chart of scheme 1 above.
Fig. 2: flow chart of scheme 2 above.
Fig. 3: flow chart of scheme 3 above.
Embodiments
The specific embodiments of the present invention are described below with reference to the drawings.
Fig. 1 shows that the user first sends the user name from the client to the server end over the network. After receiving the user name, the server end generates a random character string and sends it to the user over the network, and at the same time applies the algorithm agreed in advance with the user to this random string to obtain the comparison code M1. After receiving the random string, the user applies the same pre-agreed algorithm to it to obtain the authentication code M2 and sends M2 to the server over the network as the authentication parameter. The server compares M1 with M2; if they are identical the user is legitimate, otherwise the user is illegitimate.
Fig. 2 shows that after the user makes an authentication request at the client, the client software generates a random character string. The user applies the algorithm agreed in advance with the server to this random string, takes the result as the authentication code M1, and sends it together with the user name and the random string to the server over the network as the authentication parameters. After receiving the authentication parameters, the server first searches and compares its past records to determine whether the random string in these parameters has previously been sent to the server by this user. If it has, the authentication request is regarded as illegal and is refused. If it has not, the server stores the random string in the storage area of the server-end memory corresponding to the user name, for later retrieval and comparison, then applies the same pre-agreed algorithm to the random string, takes the resulting new character string as the comparison code M2, and compares M1 with M2: if they are identical the user is legitimate, otherwise the user is illegitimate.
Fig. 3 shows that the user sends an authentication request from the client to the server over the network. After receiving the request, the server generates a random character string and a number for that string, sends both to the client over the network, and at the same time saves the string and the number and establishes a correspondence between them. After receiving the random string and the number, the user applies the algorithm agreed in advance with the server end to the random string, takes the resulting new character string as the authentication code M1, and sends it together with the user name and the random string number to the server over the network as the authentication parameters. After receiving the authentication parameters, the server selects the corresponding random string according to the number, applies the same pre-agreed algorithm to it, takes the result as the comparison code M2, and compares M1 with M2: if they are identical the user is legitimate, otherwise the user is illegitimate. When the authentication has finished, regardless of the result, the server immediately destroys the correspondence between the number and the random string, so that the number becomes invalid.
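The three schemes of the description and the embodiments, modelled in Python as an added illustration that is not part of the patent or the applicant's work: the agreed algorithm is an ordered list of the four basic edits at fixed positions, and the server side of each scheme is run once legitimately and once with the captured parameters replayed. The user name, the edit steps, the six-character challenge and the hexadecimal challenge number are constructed for this example.

```python
import hmac
import secrets
import string
ALPHABET = string.ascii_letters + string.digits  # 26 + 26 + 10 = 62 symbols

def random_string(length=6):
    """Random challenge; at length 6 over 62 symbols there are 62**6 (> 56 billion) values."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def transform(s, steps):
    """Apply the agreed algorithm: an ordered list of the four basic edits at fixed positions."""
    chars = list(s)
    for op, *args in steps:
        if op == "substitute":        # replace the character at position i with c
            i, c = args
            chars[i] = c
        elif op == "transpose":       # exchange the characters at positions i and j
            i, j = args
            chars[i], chars[j] = chars[j], chars[i]
        elif op == "delete":          # remove the character at position i
            (i,) = args
            del chars[i]
        elif op == "insert":          # insert c before position i
            i, c = args
            chars.insert(i, c)
        else:
            raise ValueError("unknown edit: %r" % op)
    return "".join(chars)

def codes_match(comparison_code, authentication_code):
    return hmac.compare_digest(comparison_code.encode(), authentication_code.encode())  # constant time

class Server:
    """Server side of the three schemes; the agreed algorithm is stored per user name."""
    def __init__(self):
        self.algorithms = {}  # user name -> edit steps, set through the on-line set-up interface
        self.s1_pending = {}  # scheme 1: user name -> comparison code M1 awaiting the reply
        self.s2_seen = {}     # scheme 2: user name -> every random string accepted so far
        self.s3_pending = {}  # scheme 3: challenge number -> random string, single use

    def register(self, user, steps):
        self.algorithms[user] = list(steps)

    # Scheme 1: the server generates the random string and computes M1 itself.
    def s1_challenge(self, user):
        r = random_string()
        self.s1_pending[user] = transform(r, self.algorithms[user])
        return r

    def s1_verify(self, user, m2):
        m1 = self.s1_pending.pop(user, None)
        return m1 is not None and codes_match(m1, m2)

    # Scheme 2: the client generates the random string; a string seen before is a replay.
    def s2_verify(self, user, r, m1):
        seen = self.s2_seen.setdefault(user, set())
        if r in seen:
            return False
        seen.add(r)  # remembered for all later comparisons
        return codes_match(transform(r, self.algorithms[user]), m1)

    # Scheme 3: the server issues a numbered random string; the number is single use.
    def s3_challenge(self):
        n = secrets.token_hex(8)
        self.s3_pending[n] = random_string()
        return n, self.s3_pending[n]

    def s3_verify(self, user, n, m1):
        r = self.s3_pending.pop(n, None)  # correspondence destroyed whatever the outcome
        if r is None:                     # unknown or already-used number
            return False
        return codes_match(transform(r, self.algorithms[user]), m1)

def demo():
    """Authenticate once per scheme, then replay the captured parameters."""
    steps = [("transpose", 0, 5), ("substitute", 2, "Q"), ("delete", 3), ("insert", 1, "x")]
    srv = Server()
    srv.register("alice", steps)  # constructed user name and algorithm
    r1 = srv.s1_challenge("alice")
    ok1 = srv.s1_verify("alice", transform(r1, steps))
    srv.s1_challenge("alice")                                  # a fresh random string is issued
    replay1 = srv.s1_verify("alice", transform(r1, steps))     # old M2 does not match it
    r2 = random_string()
    m1 = transform(r2, steps)
    ok2 = srv.s2_verify("alice", r2, m1)
    replay2 = srv.s2_verify("alice", r2, m1)                   # same string again: refused
    n, r3 = srv.s3_challenge()
    ok3 = srv.s3_verify("alice", n, transform(r3, steps))
    replay3 = srv.s3_verify("alice", n, transform(r3, steps))  # number already destroyed
    return {"s1": (ok1, replay1), "s2": (ok2, replay2), "s3": (ok3, replay3)}
```

Note that scheme 2 requires the server to keep every random string a user has ever submitted, while scheme 3 only keeps the numbers of challenges that are still open.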

Claims (10)

1. A network identity authentication method adopting password transforming, implemented with computer and network technology, characterized in that: the user sends the user name from the client to the server end over the network to make an authentication request; after receiving the user name, the server end generates a random character string, sends it to the client over the network and at the same time applies the algorithm agreed in advance with the user to the random string, taking the result as the comparison code; after receiving the random string, the user applies the same pre-agreed algorithm to it, takes the resulting new character string as the authentication code and sends it to the server over the network as the authentication parameter; the server compares the comparison code with the authentication code, and if they are identical the user is legitimate, otherwise the user is illegitimate.
2. The method according to claim 1, characterized in that: the user must agree the algorithm with the server in advance; the purpose of the algorithm is to transform said random string into another character string; the basic edits are substitution, transposition, deletion and insertion; the algorithm applies one of these four edits, or a combination of several of them in sequence, to the character at one position or, in turn, at several positions of the random string; once the agreement is made, the algorithm is stored, in the form of a fixed program, in the storage area of the server-end memory corresponding to the user name.
3. The method according to claim 1 or 2, characterized in that: the server end provides an operation interface that supports on-line set-up of said algorithm by the user.
4. A network identity authentication method adopting password transforming, implemented with computer and network technology, characterized in that: after the user makes an authentication request at the client, the client software generates a random character string; the user applies the algorithm agreed in advance with the server to the random string, takes the result as the authentication code and sends it, together with the user name and said random string, to the server over the network as the authentication parameters; after receiving the authentication parameters, the server first searches and compares its past records to determine whether the random string in these parameters has previously been sent to the server by this user; if it has not, the server stores the random string in the storage area of the server-end memory corresponding to the user name, for later retrieval and comparison, then applies the same pre-agreed algorithm to the random string, takes the resulting new character string as the comparison code, and compares the comparison code with the authentication code, the user being legitimate if they are identical and illegitimate otherwise; if the random string has previously been sent to the server by this user, the authentication request is regarded as illegal and is refused.
5. The method according to claim 4, characterized in that: the user must agree the algorithm with the server in advance; the purpose of the algorithm is to transform said random string into another character string; the basic edits are substitution, transposition, deletion and insertion; the algorithm applies one of these four edits, or a combination of several of them in sequence, to the character at one position or, in turn, at several positions of the random string; once the agreement is made, the algorithm is stored, in the form of a fixed program, in the storage area of the server-end memory corresponding to the user name.
6. The method according to claim 4 or 5, characterized in that: the server end provides an operation interface that supports on-line set-up of said algorithm by the user.
7. A network identity authentication method adopting password transforming, implemented with computer and network technology, characterized in that: after receiving the authentication request made by the user at the client, the server end generates a random character string and a number for that random string, sends both to the client over the network, and at the same time saves the string and the number and establishes a correspondence between them; after receiving the random string and the number, the user applies the algorithm agreed in advance with the server end to the random string, takes the resulting new character string as the authentication code and sends it, together with the user name and the random string number, to the server over the network as the authentication parameters; after receiving the authentication parameters, the server selects the corresponding random string according to the random string number, applies the same pre-agreed algorithm to it, takes the result as the comparison code, and compares the comparison code with the authentication code, the user being legitimate if they are identical and illegitimate otherwise; when the authentication has finished, regardless of the result, the server immediately destroys the correspondence between the number and the random string, so that the number becomes invalid.
8. The method according to claim 7, characterized in that: after the server has sent the random string and the number to the client, the number is kept invisible to the user, while the random string is made visible to the user.
9. The method according to claim 7, characterized in that: the user must agree the algorithm with the server in advance; the purpose of the algorithm is to transform said random string into another character string; the basic edits are substitution, transposition, deletion and insertion; the algorithm applies one of these four edits, or a combination of several of them in sequence, to the character at one position or, in turn, at several positions of the random string; once the agreement is made, the algorithm is stored, in the form of a fixed program, in the storage area of the server-end memory corresponding to the user name.
10. The method according to claim 8 or 9, characterized in that: the server end provides an operation interface that supports on-line set-up of said algorithm by the user.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008100237473A CN101335623A (en) 2008-04-17 2008-04-17 Network identity authentication method adopting password transforming

Publications (1)

Publication Number Publication Date
CN101335623A true CN101335623A (en) 2008-12-31

Family

ID=40197961

Country Status (1)

Country Link
CN (1) CN101335623A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014012476A1 (en) * 2012-07-18 2014-01-23 Tencent Technology (Shenzhen) Company Limited Method and system of login authentication
CN103581105A (en) * 2012-07-18 2014-02-12 深圳市财付通科技有限公司 Login verification method and login verification system
US9246897B2 (en) 2012-07-18 2016-01-26 Tencent Technology (Shenzhen) Company Limited Method and system of login authentication
CN103581105B (en) * 2012-07-18 2017-09-22 财付通支付科技有限公司 Login validation method and login authentication system
CN105096121A (en) * 2015-06-25 2015-11-25 百度在线网络技术(北京)有限公司 Voiceprint authentication method and device
CN105096121B (en) * 2015-06-25 2017-07-25 百度在线网络技术(北京)有限公司 voiceprint authentication method and device
US9792913B2 (en) 2015-06-25 2017-10-17 Baidu Online Network Technology (Beijing) Co., Ltd. Voiceprint authentication method and apparatus
CN105225664A (en) * 2015-09-24 2016-01-06 百度在线网络技术(北京)有限公司 The generation method and apparatus of Information Authentication method and apparatus and sample sound
CN105225664B (en) * 2015-09-24 2019-12-06 百度在线网络技术(北京)有限公司 Information verification method and device and sound sample generation method and device
CN106612249A (en) * 2015-10-21 2017-05-03 阿里巴巴集团控股有限公司 Token authentication method, toke terminal and token server

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
DD01 Delivery of document by public notice

Addressee: Wang Haochen

Document name: Notification of before Expiration of Request of Examination as to Substance

DD01 Delivery of document by public notice

Addressee: Wang Haochen

Document name: Notification that Application Deemed to be Withdrawn

C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20081231