Embodiment
Preferably, in the present invention, generate disposable authorization information by the processing terminal that is verified, and then by described processing terminal will this disposable authorization information send to this processing terminal carry out authentication the authenticating user identification system in case this disposable authorization information of this system validation whether by checking.It will be appreciated by those skilled in the art that since preferably aforesaid operations all in described processing terminal, finish, so improved the fail safe of authenticating user identification process.Wherein, described authenticating user identification system can be one and independently be specifically designed to the system that user identity is verified, also can be to be used for subsystem or submodule that user identity is verified in any one information management system or electronic commerce service system or other computer processing system, this does not influence flesh and blood of the present invention, does not repeat them here.
Based on the foregoing invention thinking, Fig. 1 illustrates according to a specific embodiment of the present invention, and processing terminal cooperates the flow chart of finishing the authenticating user identification process with the authenticating user identification system.Execution in step S110 at first, processing terminal generates disposable authorization information, enters step S111 then, and described processing terminal obtains described disposable authorization information.Those skilled in the art understand, preferably, because this disposable authorization information generates in described processing terminal, can directly this disposable authorization information be sent to corresponding processing module so be used to generate the module or the device of this disposable authorization information, deriving means for example shown in Figure 5 so just can be realized described step S111.And change in the example at one, after described processing terminal generates this disposable authorization information, be shown to the user by certain mode, should disposable authorization information input in the described processing terminal by the user again, for example when described processing terminal itself has display, preferably can directly be presented on this display, when described processing terminal does not have display, may be displayed on the display of miscellaneous equipment, for example when this processing terminal is connected with a computer, may be displayed on the screen of this computer.
Next execution in step S112, described processing terminal should disposable authorization information send to an authenticating user identification system, those skilled in the art understand, this authenticating user identification system is corresponding with described processing terminal, promptly arrange the authentication request that this system can handle described processing terminal in advance, for example, the measured agreement of both sides can be finished the process that sends authentication request and authenticate.For example, when described processing terminal was the public transport card that exists with the integrated circuit card form, then this authenticating user identification system was exactly a public transport card charging administration system; Again for example, when described processing terminal was a client as a certain ERP application system, then this authenticating user identification system was specifically designed to the subsystem that carries out authentication in this ERP application system or this ERP application system; Again for example, described processing terminal is a Payment Card, is used for payment request system of handling this Payment Card or the like and this authenticating user identification system just provides the main body (for example bank or other non-banking financial company or other card sending mechanism) of this Payment Card.
Enter step S113 then, described authenticating user identification system receives described disposable authorization information, so that this disposable authorization information is further handled.Those skilled in the art understand, the mode that common this system receives described disposable authorization information is corresponding with the mode that described processing terminal sends described disposable authorization information, for example process of transmitting is finished based on ICP/IP protocol, and then receiving course is also finished based on ICP/IP protocol usually; For example described again disposable authorization information sends by wap protocol, then described subscriber identity authentication system also receives this transaction request information based on wap protocol, a front end processing device of described at least subscriber identity authentication system receives based on wap protocol, this does not influence flesh and blood of the present invention, does not repeat them here.
Execution in step S114 then, described authenticating user identification system judges whether described disposable authorization information is consistent with the checking reference information, if the judged result of this step is sure, be that described disposable authorization information is consistent with described checking reference information, then enter step S115, confirm that described subscriber authentication passes through; Otherwise if the judged result of this step negates, promptly described disposable authorization information and described checking reference information are inconsistent, then enter step S116, confirm that described subscriber authentication do not pass through.No matter be after execution in step S115 or the execution in step S116, all enter step S117, the authenticating user identification feedback information is set, promptly the result according to step S115 or step S116 is provided with this authenticating user identification feedback information, after for example passing through described step S116, step S117, the content of this authenticating user identification feedback information is " subscriber authentication is not passed through " or the content of expressing similar information.Last execution in step S118, described authenticating user identification system sends to described processing terminal with described authenticating user identification feedback information, and this flow process finishes.
It will be appreciated by those skilled in the art that above-mentioned checking reference information is that described authenticating user identification system is used for judging the foundation that disposable authorization information that described processing terminal sends is whether correct.Preferably, in order to improve fail safe, this checking reference information is generated in real time by described authenticating user identification system, and the method for for example such generation checking reference information and the method that described processing terminal generates described disposable authorization information adapt, and example as shown in Figure 2.Suboptimum ground, this checking reference information also can obtain by alternate manner, for example third party system is specifically designed to described authenticating user identification system this checking reference information is provided, then described authenticating user identification system this checking reference information of acquisition after the request of sending of this third party system, even in such variation example, for the accuracy that guarantees subscriber authentication and the fail safe of user cipher, this disposable authorization information is still generated according to this authentication request transaction corresponding parameters by described third party system, thereby realize the requirement of one-time pad, do not retouch in detail at this.
It will be appreciated by those skilled in the art that preferably above-mentioned disposable authorization information comprises disposal password, and this disposal password is generated by described processing terminal.And change in the example at one, described disposable authorization information is except comprising above-mentioned disposal password, can also comprise out of Memory, the information such as identification number of this processing terminal for example, for example also comprise this processing terminal adding description information etc. again, so that described authenticating user identification system can handle the authenticating user identification request that described processing terminal sends, do not repeat them here.
In order to describe above-mentioned step S110 in embodiment illustrated in fig. 1 in detail, Fig. 2 illustrates according to the first embodiment of the present invention, generates the flow chart of disposable authorization information in processing terminal or authenticating user identification system.Present embodiment can be understood that an embodiment to above-mentioned steps S110.Execution in step S121 at first receives the static password of user's input, and for example the keyboard that carries by described processing terminal of user or the external input unit that is connected with described processing terminal are imported this static password.Enter step S122 then, described processing terminal obtains first variable factor; Execution in step S123 then, described processing terminal obtains the challenge factor; Enter step S124 at last, generate described disposable authorization information according to described static password, first variable factor and the challenge factor.
One at the foregoing description changes in the example, after above-mentioned steps S24, " the obtaining the PKI of described authenticating user identification system " that also comprises, " PKI according to described authenticating user identification system is encrypted described disposable authorization information, and with the information after the described encryption as described disposable authorization information " two steps.It will be appreciated by those skilled in the art that these two steps can further encrypt above-mentioned disposable authorization information, thereby further improve fail safe of the present invention, do not repeat them here.Adapt with such variation example, then at step S114 shown in Figure 1 changes in the example, and this step is changed to following four steps:
Step B1 '. obtain the private key of described authenticating user identification system; Step B2 '. the private key according to described authenticating user identification system is decrypted described disposable authorization information; Step B3 '. the static password that comprises in the disposable authorization information after the described deciphering is verified; Step B4 '. judge that whether the static password that comprises in the disposable authorization information after the described deciphering is by checking.By such step, finished that in fact described disposable authorization information is decrypted the encryption of PKI (because passed through), and then the process that static password is verified.Those skilled in the art can realize such variation in conjunction with prior art, do not repeat them here.
Those skilled in the art understand, the process of the disposable authorization information of above-mentioned generation can be used for described authenticating user identification system equally and generate described checking reference information, different is, generate in the process of checking reference information in the authenticating user identification system, described step S122 is changed to " obtaining second variable factor ".This first variable factor and this second variable factor are corresponding a pair of variable factors, this a pair of variable factor is the information of described processing terminal and described authenticating user identification system agreement, for example string number or character, the perhaps character string that is formed by combining of character and numeral, letter.Preferably, in order to improve the degree of safety of authentication, this first variable factor and second variable factor are each all conversion, thereby realize authentication purpose of the present invention.Therefore, described processing terminal and above-mentioned subscriber identity authentication system can arrange to obtain or generate the rule of variable factor.Particularly, this first variable factor can be obtained or generate in several ways, can obtain this variable factor respectively as long as guarantee described processing terminal and authenticating user identification system.For example in the present embodiment, described first variable factor and second variable factor can there are differences, and be promptly incomplete same.For example described processing terminal with the determined time of this processing terminal as first variable factor, and this first variable factor is rounded to hour, for example 20080320110600, first variable factor after " 2008032011 " wherein are and round; Correspondingly, the time of its place equipment is also got as second variable factor by described authenticating user identification system, be rounded to equally hour, for example 3 minutes described authenticating user identification systems begin to handle the ID authentication request of this processing terminal after described processing terminal is obtained first variable factor, promptly begin to obtain this second variable factor, at this moment, time parameter of described authenticating user identification system's acquisition is 20080320110900, second variable factor after " 2008032011 " wherein are and round.Therefore, though this a pair of variable factor is incomplete same, both play same effect but when in fact being used to generate disposable authorization information or checking reference information, thereby make and can successfully finish this authentication request operation in same hour, promptly present embodiment allows the error of above-mentioned first variable factor and second variable factor in the first threshold scope.Further, it will be appreciated by those skilled in the art that at one to change in the example that the scope that also can be further described first variable factor and second variable factor be rounded is dwindled, for example narrow down to minute and to be unit, the authentication request of then only carrying out in same minute operation just might be by authentication.Simultaneously, those skilled in the art understand, above-mentionedly round operation and can be realized neatly, for example also can be considered as at the same time, thereby make that the authentication request operation of crossing over a chronomere also can be passed through obtaining the time at the second variable factor place and the last unit of this time.Change in the example at another, above-mentioned first variable factor and second variable factor also can be identical, for example we directly with time of getting access to hour to be that unit rounds the back as variable factor, for example obtain variable factor again by other factors, do not repeat them here.
It will be appreciated by those skilled in the art that the variable factor of being obtained among the above-mentioned steps S122, is the parameter of obtaining in order to generate dynamic password.If in the process that generates described disposable authorization information, do not have this variable factor, perhaps this variable factor remains unchanged at long periodic regime, then make the fail safe of described disposable authorization information reduce greatly, thereby can't realize the demand of one-time pad.Particularly, the acquisition mode of this variable factor can be relevant with the algorithm of this disposable authorization information of generation among the described step S124, is not described in detail at this.
Particularly, in the present embodiment, described static password is the information that is used to verify its identity that the user sets in advance, and is also referred to as password usually.This static password is stored in the above-mentioned authenticating user identification system usually, for example is stored in this authenticating user identification system and safeguards in the database that maybe can read, and for example stores in the HASH mode again.Theoretically, this static password is only known by the user, the staff who operates described authenticating user identification system can not know this static password yet, but spy upon, steal password owing to exist various means, for example the lawless person is by installing camera or by the backdoor programs in the computer software etc. on cash dispenser, these static passwords tend to be stolen, thereby cause user identity to be pretended to be.Just because of this, simple static password mode can't satisfy present authenticating user identification demand, so just generate above-mentioned disposable authorization information based on this static password in the present invention.
Preferably, the above-mentioned challenge factor is the information that is provided by described authenticating user identification system, for example a string character or numeral, usually this challenge factor only offers the user of the described processing terminal of operation, for example be shown to the user by computer screen, the user just can import this challenge factor by processing terminal then.Similarly, the preferably each all conversion of this challenge factor so that illegal program can't be initiated Replay Attack or other usurps the measure of user identity.In this enforcement, the described challenge factor can occur in the mode of a figure identifying code, and changes in the example at one, the described challenge factor also can be sent to the corresponding communication tool of this user in, for example the user offers the mobile phone of described authenticating user identification system, does not repeat them here.
It will be appreciated by those skilled in the art that in the present embodiment, generate described disposable authorization information, preferably, can generate described disposable authorization information, for example embodiment as shown in Figure 3 by standardization processing by three parameters.And change in the example at one, also can omit the challenge factor wherein, promptly only generate described disposable authorization information, accordingly, in described authenticating user identification system, also generate described checking reference information by static password and variable factor by static password and variable factor.It will be appreciated by those skilled in the art that if do not use the above-mentioned challenge factor to generate described disposable authorization information, make method provided by the invention can't prevent the risk of Replay Attack, but this does not influence flesh and blood of the present invention.
Further, Fig. 3 illustrates according to the first embodiment of the present invention, generates the schematic diagram of disposable authorization information based on static password, variable factor, the challenge factor, and this schematic diagram is elaborated to the process that generates this disposable authorization information.At first, described processing terminal obtains character string S by standardization processing
0, for example MD5 (123456), 8888,20,080,320,110,000 3 parameters are carried out standardization processing, and then by calculating SHA1 (S
0) obtain S
1, at last once more to S
1Carry out standardization processing and obtain disposal password P.It will be appreciated by those skilled in the art that this disposal password P can be used as above-mentioned disposable authorization information, also can be with this disposal password P and out of Memory (for example identification information of processing terminal) as described disposable authorization information.
Otherwise it will be appreciated by those skilled in the art that above-mentioned MD5 algorithm make expressly be converted to ciphertext or, be used to protect the safety of static password, prevent the various risks that its identity information brings in identity authorization system with stored in clear.
Above-mentioned SHA1 algorithm is a kind of of aforementioned HASH algorithm, is used for static password, variable factor, the computing of the challenge factor are obtained disposable authorization information.The present invention is not limited to this algorithm, and other safe HASH algorithm can be selected for use.
Further, those skilled in the art understand, described standardization processing refers to above-mentioned static password, variable factor, the challenge factor are done some preliminary treatment and conversion, make and to carry out the requirement that content after the standardization processing meets the SHA1 algorithm, promptly can also make simultaneously as the legal input information of described SHA1 algorithm once more to S
1Carry out the resulting P of standardization processing and can satisfy the input and the processing requirements of processing terminal.For example, when the user need provide described disposable authorization information to described processing terminal by the mode of manual input, if this authorization information long (data bit is too many) then is unfavorable for operation.Therefore, according to pre-defined rule to described S
1Handle, for example take out this S
1In the particular data position and form short information, i.e. P, those skilled in the art can realize such process in conjunction with prior art, do not repeat them here.
Further, it will be appreciated by those skilled in the art that in the above-described embodiments, realize generating the process of this disposable authorization information and checking reference information by the SHA1 algorithm with reference to above-mentioned Fig. 2, Fig. 3.And change in the example at one, can also realize described process by alternate manner, for example can select one or more the combination of algorithm in MD5, SHA0, MD4, MD2 and DES, 3DES, the AES scheduling algorithm to realize said process, do not repeat them here.Further, it will be appreciated by those skilled in the art that in a variation example, described standardization processing process can be omitted, determine according to the requirement of selected algorithm that specifically those skilled in the art can realize such variation in conjunction with prior art, do not repeat them here.
Above-mentioned Fig. 1 to Fig. 3 has described processing terminal from different perspectives respectively and the authenticating user identification system realizes process of the present invention, how describes below by Fig. 4 and uses the present invention under the network environment.Particularly, Fig. 4 A illustrates according to the first embodiment of the present invention, and processing terminal cooperates the network topology schematic diagram of realizing authenticating user identification with the authenticating user identification system.Wherein, preferably, described processing terminal 92 is integrated circuit cards, wherein comprise (as shown in Figure 5) provided by the invention control device 4, this integrated circuit card is connected to a desktop computer 6 by a communication interface, this desktop computer 6 communicates by network and integrated circuit card processing system 82, and comprises (as shown in Figure 5) provided by the invention sub controlling unit 5 in this integrated circuit card processing system 82.Those skilled in the art understand, said integrated circuit card processing system 82 is exactly above-mentioned authenticating user identification system, comprise above-mentioned authenticating user identification system in this integrated circuit card processing system 82 in other words, this does not influence flesh and blood of the present invention, does not repeat them here.
Particularly, above-mentioned processing terminal 92 generates disposable authorization information by described control device 4, is sent to described desktop computer 6 by communication interface then.Described computer 6 forwards it to described integrated circuit card processing system 82 after receiving described disposable authorization information, particularly, sub controlling unit 5 in this system 82 will be according to this disposable authorization information of processing embodiment illustrated in fig. 1, and finally send the feedback information whether this disposable authorization information is passed through by network to described desktop computer 6, thereby described processing terminal 92 can receive this feedback information by described desktop computer 6.It will be appreciated by those skilled in the art that the network that is used to connect between above-mentioned desktop computer 6 and the subscriber identity authentication system 82 can be a local area network (LAN), also can be the Internet or wireless network.Particularly, described control device 4 and sub controlling unit 5 can not repeat them here with reference to following embodiment illustrated in fig. 5 being achieved.
It will be appreciated by those skilled in the art that preferably, in the above-mentioned desktop computer 6 plug-in unit (computer program is client software in other words) can be installed, this plug-in unit is mainly used in after receiving above-mentioned disposable authorization information can forward it to described system 82.Preferably, 6 pairs of described disposable authorization informations of above-mentioned desktop computer are left intact and directly transmit; Change in the example at one, described desktop computer 6 also can carry out sending to described system 82 again after the section processes to described disposable authorization information, for example it can be changed into the data format that described network can receive, for example will send or the like after its compression again, this does not influence flesh and blood of the present invention again.
One in above-mentioned Fig. 4 A illustrated embodiment changes in the example, described desktop computer 6 can be that other anyly has a computing ability, and can with the equipment of described integrated circuit card processing system 82 and 92 communications of described integrated circuit card, for example when the described communication interface that is used to connect integrated circuit card 92 was USB interface, then this desktop computer 6 can be replaced by POS or ATM or the miscellaneous equipment that has USB interface.In such variation example, preferably, described POS or ATM or miscellaneous equipment still can be installed above-mentioned plug-in unit (computer program is client software in other words).
In a variation example, Fig. 4 B illustrates according to a second embodiment of the present invention, and processing terminal cooperates the network topology schematic diagram of realizing authenticating user identification with the authenticating user identification system, below in conjunction with the description to Fig. 4 A present embodiment is described.Particularly, using processing terminal of the present invention is portable terminal, is the mobile phone (mobile phone) 91 with computing capability more precisely.In the present embodiment, a plurality of mobile phones 91 communicate with an authenticating user identification system 81 by wireless network (for example GSM network), for example mobile phone 91 communicates with the customer service system that China Mobile provides, before these mobile phones 91 are allowed to access this customer service system, come the user of mobile phone 91 is carried out authenticating user identification by said system 81.Change in the example at one, user of Mobile banking or the user of the Internet bank come logging in network bank by mobile phone 91, similarly, allow the user to being requested still to come the user of mobile phone 91 is carried out authenticating user identification before bank account operates formal by system 81.
Particularly, we are that example is set forth concrete verification process of the present invention by mobile phone logging in network bank, wherein, above-mentioned processing is finished with algorithm SHA1, and we suppose bank card password (static password) in system with MD5 form storage, bank card password be 123456, the challenge factor is 8888.Concrete steps are as follows:
1) user opens the control device 4 that is mounted in it in advance by mobile phone (being processing terminal), and selects the menu (order) of generation disposal password wherein;
2) user's logging in network bank (being the authenticating user identification system), inputing user name, bank's card number and figure identifying code (promptly challenging the factor) is 8888;
3) user imports the static password 123456 and the challenge factor 8888 on mobile phone;
4) above-mentioned control device 4 obtains the mobile phone time 20080320110000 (time accuracy to hour) as first variable factor;
5) control device 4 carries out standardization processing MD5 (123456), 8888,20080320110000 and obtains character string S
0
6) control device 4 calculates SHA1 (S
0) obtain S
1
7) control device 4 standardization processing S
1Obtain disposal password P;
8) user sends authentication request information by mobile phone input P to the Internet bank;
9) Internet bank adopts identical standardization processing process to generate the checking reference information, and based on this checking reference information identifying user identity, checking is by then logining successfully, and process finishes.
Those skilled in the art understand, above-mentioned steps also can suitably change, for example above-mentioned steps 8) in also can import described P by other page that the Internet bank provides, for example described mobile phone only is used to generate described disposable authorization information (disposal password), and sends described authentication request by other device to the described Internet bank.For example, the user comes logging in network bank by a desktop computer, and before being allowed to login, the Internet bank shows the described challenge factor 8888 to it, the user is with static password and challenge factor input mobile phone, and the control device 4 in this mobile phone generates described disposable authorization information; Then, the user reads this disposable authorization information and with in its password box that provides by desktop computer fan-in network bank, this disposable authorization information is sent to the Internet bank after clicking " affirmation ", and then the Internet bank verifies this disposable authorization information.In such variation example, in fact the partition of complete checking request and proof procedure is finished to different main bodys, and this does not influence flesh and blood of the present invention, does not repeat them here.
Those skilled in the art understand, above-mentionedly generate described disposable authorization information by portable terminal, and can finish at control device 4 shown in the existing portable terminal figure 5 addition with the process that described subscriber identity authentication system is finished authenticating user identification, particularly, can also not be described in detail at this with reference to such device 4 and the portable terminal realized shown in Figure 6.
On the basis of the above, next we introduced the process of revising the static password that places described authenticating user identification system by described processing terminal, and in the present embodiment, concrete bank card password modify steps is as follows:
(1) user opens control device 4, selects this bank card password modify feature;
(2) user selects change password on Net silver, and the figure identifying code is 6666;
(3) user's enter old password 123456, the challenge factor 6666, new password 654321 on mobile phone;
(4) cell phone software obtains the mobile phone time 200870320110000 as variable factor;
(5) mobile phone standardization processing MD5 (123456), 6666,200870320110000 obtains character string R
0, cell phone software calculates SHA1 (R
0) obtain R
1, standardization R
1Obtain password Q
1
(6) mobile phone standardization processing MD5 (123456), Q
1, 200870320110000 obtain character string R
2, cell phone software calculates SHA1 (R
2) obtain R
3, standardization R
3Obtain disposal password K
1
(7) cell phone software XOR K
1Password Q after being protected with 654321
2
(8) user imports Q in the Internet bank
1And Q
2
(9) Internet bank's checking Q
1If, Q
1Correctly, then use step and algorithm to obtain K with (6)
1, K
1With Q
2XOR obtains new password 654321;
(10) MD5 (654321) and storage are calculated by the Internet bank, and more this finishes password.
Pass through foregoing description, those skilled in the art understand, embodiment provided by the invention has enough abilities and deals with rogue attacks, reason is real password, be that static password " 123456 " never occurs in network, therefore the wooden horse supervisor only can be intercepted and captured disposable authorization information (for example disposal password P), and same, obtaining this disposable authorization information with means such as fishing also is null(NUL).
In conjunction with above-mentioned 1~Fig. 4, Fig. 5 illustrates a third embodiment in accordance with the invention, the structural representation of the sub controlling unit 5 of be used for the structural representation of control device 4 that user identity is verified in processing terminal, user identity being verified in the authenticating user identification system and the schematic diagram of the device matching relationship among both.Particularly, described control device 4 comprises first generating apparatus 41, deriving means 42, first dispensing device 43 and the 4th receiving system 44; Accordingly, described sub controlling unit 5 comprises the 3rd receiving system 51, first judgment means 52, determines the device 53 and second dispensing device 54.Wherein, described first generating apparatus 41 is used to generate described disposable authorization information; Described deriving means 42 is used to obtain disposable authorization information, preferably, by with mutual this information of directly acquisition of described device 41, for example directly this information is sent to described device 42, and change the described disposable authorization information that also can be used for receiving user's input in the example at one by described device 41; Described first dispensing device 43 is used for described disposable authorization information is sent to the authenticating user identification system that adapts with described processing terminal.Correspondingly, described disposable authorization information is received by described the 3rd receiving system 51, further judge by described first judgment means 52 whether described disposable authorization information is consistent with the checking reference information, if judge that both are consistent, then pass through via the described subscriber authentication of described definite device 53 affirmations, be set to the content of " subscriber authentication is passed through " or expression similar information then by described second dispensing device, 54 authenticating user identification feedback informations, then this authenticating user identification feedback information sent to described control device 4.Further, this authenticating user identification feedback information is received by described the 4th receiving system 44, thereby finishes this proof procedure.
Those skilled in the art understand, when described disposable authorization information and described checking reference information are inconsistent, then do not pass through by the described subscriber authentication of other device affirmation in the described sub controlling unit 5, correspondingly, be " subscriber authentication is passed through " or the content of expressing similar information by the content of installing the 54 authenticating user identification feedback informations embodiments that send.Change in the example at one, such function also can be finished by above-mentioned definite device 53, and this does not influence flesh and blood of the present invention, does not repeat them here.
Further, in the present embodiment, above-mentioned first generating apparatus 41 comprises first receiving device 411, and it is used to receive the static password of user's input; And second generating apparatus 412, it is used for generating described disposable authorization information according to the described static password and first variable factor.Accordingly, described first judgment means 52 comprises the 4th generating apparatus 521, and it is used for generating described checking reference information according to the static password and second variable factor; And second judgment means 522, it is used to judge whether described disposable authorization information and checking reference information be consistent.It will be appreciated by those skilled in the art that above-mentioned static password is preestablished by the user of described processing terminal correspondence, described first variable factor and second variable factor obtain according to the agreement of described processing terminal and described authenticating user identification system.Particularly, this first variable factor and this second variable factor are corresponding a pair of variable factors, for example string number or character, perhaps character and character string digital, that letter is formed by combining.Preferably, in order to improve the degree of safety of authentication, this first variable factor and second variable factor are each all conversion.In the present embodiment, the error of described first variable factor and second variable factor is in the first threshold scope, for example with the current time during as variable factor, can be respectively with first variable factor and second variable factor hour being that unit rounds, for example 20080320110600, first variable factor after " 2008032011 " wherein are and round; Again for example, be that unit rounds operation or the like with 5 minutes, thereby guarantee that the authentication request operation of finishing can not repeat them here by authentication in a chronomere.
In an above-mentioned variation example embodiment illustrated in fig. 5, described first generating apparatus 41 can also comprise other device.For example, when described disposable authorization information not only comprises disposal password and described second generating apparatus 412 when only generating described disposal password, then after second generating apparatus 412 generates this disposal password, described other device also is used to further generate described disposable authorization information based on this disposal password and out of Memory (for example identification information of described processing terminal, for example sequence number).Those skilled in the art can realize such variation example in conjunction with prior art, are not described in detail at this.
Change in the example at one, described first generating apparatus 41 can comprise second receiving system (not shown among Fig. 5), and it is used to receive the static password of user's input; And the 3rd generating apparatus (not shown among Fig. 5), be used for generating described disposable authorization information according to described static password, first variable factor and the challenge factor, wherein, described first variable factor is by described processing terminal and described authenticating user identification system agreement, and the described challenge factor generates and offer described processing terminal by described authenticating user identification system.Accordingly, described first judgment means 52 comprises the 5th generating apparatus (not shown among Fig. 5), and it is used for generating described checking reference information according to static password, second variable factor and the challenge factor; And the 3rd judgment means (not shown among Fig. 5), it is used to judge whether described disposable authorization information and checking reference information be consistent.With embodiment illustrated in fig. 5 different be, generate many parameter challenge factors in the process of described disposable authorization information and checking reference information, such generative process can be finished with reference to embodiment illustrated in fig. 3, does not repeat them here.It will be appreciated by those skilled in the art that such variation example can prevent Replay Attack, because the challenge factor can't be predicted, and the term of validity of the challenge factor of a chronomere (for example 1 hour) is useless for the assailant, does not repeat them here.
In another variation example embodiment illustrated in fig. 5, described control device 4 also comprises display control unit (not shown among Fig. 5), and it is used for showing described disposable authorization information by display unit.For example generate described disposable authorization information at described first generating apparatus 41, preferably can directly control this disposable authorization information when described processing terminal itself has display is presented on this display, when not having display, described processing terminal may be displayed on the display of miscellaneous equipment, for example when this processing terminal is connected with a computer, may be displayed on the screen of this computer, do not repeat them here.
At last, we illustrate according to the first embodiment of the present invention by Fig. 6, comprise the structural representation of the processing terminal of control device provided by the invention.In the present embodiment, described processing terminal is a mobile phone 91, and it has also comprised control device 4 provided by the invention having comprised outside the common assembly (for example communication part, short message assembly, display device, amusement assembly) of mobile phone.Those skilled in the art understand, this control device 4 can specifically be realized with reference to embodiment illustrated in fig. 5 and variation example, this control device 4 is mainly used in and generates disposable authorization information and further send checking and please ask, and can also comprise above-mentioned other function described in embodiment illustrated in fig. 5.Make and can finish safe subscriber authentication process by increasing this control device 4 by this mobile phone 91, thus make logging in network bank, carry out that processes such as e-commerce operations, log-on message management system become reliably, safety.It will be appreciated by those skilled in the art that above-mentioned mobile phone 91 and prior art distinguish part mutually and mainly be to have increased this control device 4, other assembly then can be realized with reference to prior art, not repeat them here.
Further, those skilled in the art understand, above-mentioned control device 4 can realize by hardware mode, for example increases a specific chip in this mobile phone 91, is used for realizing that above-mentioned Fig. 1 is to the function that should be finished by described control device 4 set forth in fig. 5; Also can realize by software mode, the software that can not be modified for example is installed in described mobile phone 91 is realized that above-mentioned Fig. 1 is to the function that should be finished by described control device 4 set forth in fig. 5, this does not influence flesh and blood of the present invention, does not repeat them here.
Further, above-mentioned processing terminal can be a plurality of devices, for example can also be that POS, ATM, desktop computer, notebook, set-top box or other have the portable terminal of computing function.Particularly, described processing terminal changes according to different application, as long as in the system that need verify user identity, can use embodiment provided by the invention, and be applied to accordingly on the corresponding processing terminal.When for example being applied to above-mentioned ERP system, the preferably any computer (computer that for example has autonomous computing capability, the terminating machine that does not perhaps have computing capability) that above-mentioned control device 4 is installed of then described processing terminal; Again for example, when being applied to the integrated circuit card processing system, mass transit card charging administration system for example, then this processing terminal is exactly a mass transit card; When for example being applied to bank's treatment system again, then this processing terminal is exactly a bank card, can be magnetic stripe card or IC-card.With reference to foregoing description, those skilled in the art can realize such processing terminal, do not repeat them here.
The present invention is based on the challenge response formula identity identifying method of many application of static password, the selection of many algorithms, many implementations,, and can effectively prevent stealing, prevent fishing, anti-replay-attack with the safety of protection static password.Compared with prior art, the present invention has the following advantages at least:
(1) anti-password theft because the password of the each authentication of user all is different, is nonsensical so snatch password by means such as network monitorings;
(2) anti-replay-attack, the assailant can eavesdrop above-mentioned one-time password, but owing to added the challenge factor, its Replay Attack also is infeasible;
(3) anti-fishing, because above-mentioned 2 points, fishing is nonsensical;
(4) according to the selection of cryptographic algorithm, effectively cryptographic algorithm can also be resisted multiple attacks such as existing differential attack, linear analysis;
(5) use more, client of the present invention can be used for the authentication that bank card, Email account, game account etc. are done kind of an application, a plurality of systems;
(6) many implementations, the present invention can realize with specialized hardware, also can be installed on mobile phone, PDA etc. with software mode;
(7) many algorithms are selected, and security algorithms such as MD5, SHA1,3DES, AES can realize, and can be according to using the different mining algorithms of different;
(8) website only needs the transformation of minute quantity just can support, and can be new and old two kinds of authentications every and deposit transition, very little to customer impact.
For example, compare with the certificate authentication method that is stored among the USB-Key commonly used in the prior art, in fact this authentication method remains a kind of passive authentication mode, promptly controls the use of USB-Key by computer, further finishes the authentication operation.Wherein exist the user use inconvenience, website transformation big, be difficult to realize the problems such as fishing/wooden horse attack of using, can not effectively prevent more, obtained solution by embodiment provided by the invention.
Those skilled in the art understand, when processing terminal of the present invention is an integrated circuit card, the process that then realizes this integrated circuit card can be finished with reference to documents such as " State Standard of the People's Republic of China's " integrated circuit (IC) card reader machine general specification " GB778239-2000 ", " ISO-7816 ", " China's finance integrated circuit (IC) calliper model PBOC2.0 " on the basis of existing integrated circuit card at least, does not repeat them here.
More than specific embodiments of the invention are described.It will be appreciated that the present invention is not limited to above-mentioned specific implementations, those skilled in the art can make various distortion or modification within the scope of the claims, and this does not influence flesh and blood of the present invention.