Summary of the invention
The present invention discloses a split-password dynamic verification method and system which effectively address password theft caused by keyboard logging, monitoring of the input operation and the like. Implementing the invention neither changes the length or the content of the user's existing password nor makes the password harder to remember; at the same time it can be combined with encryption methods of any complexity, so that the password is protected during input, transmission and verification.
The present invention is achieved by the following scheme:
A split-password dynamic verification method, characterised in that it comprises:
A. the user divides the existing password into two sub-passwords, a first sub-password and a second sub-password;
B. the user enters either the first or the second sub-password at the operation interface, and it is sent to the system for verification;
C. the system partially verifies the password against the received sub-password; if it passes, the system generates a random character group and sends it to the operation interface for display;
D. following the prompt of the operation interface, the user combines the random character group with the remaining sub-password, enters the combined password at the operation interface, and it is sent to the system for verification;
E. the system extracts the remaining sub-password from the received combined password and verifies it; if it passes, verification succeeds.
Additionally, the method may comprise: if verification at step E fails, an input error is indicated, the system generates a new random character group, sends it to the operation interface for display, and returns to step D;
if verification at step C fails, an input error is indicated and the flow returns to the interface, where the user re-enters the sub-password;
a security audit policy: when the number of input errors at step C or step E reaches a set value, the system automatically stops or locks out this user's subsequent verification attempts.
Preferably, the password splitting method at step A comprises in-order splitting, equal-interval splitting and middle-block extraction splitting;
the password combination method at step D comprises inserting the sub-password as a whole at an arbitrary position in the random character group, or distributing the characters of the sub-password in order among the random character group.
To guarantee the verification quality of the sub-passwords, each of the first and second sub-passwords has two or more characters.
Further, the number of characters in the random character group of step C is itself a random number, i.e. the random character group has no fixed length.
A login or payment system using split-password dynamic verification comprises a login/payment interface and a password verification platform, characterised in that the password verification method adopted by this system at login or payment is the split-password dynamic verification method described above.
Compared with existing password verification methods, the notable advantages of the invention include:
1. the length and content of the user's original password are kept, no additional memorisation burden is imposed on the user, and the method is easy to use;
2. password theft caused by trojan monitoring or by a person watching the input is effectively prevented, because protection begins at the moment the password is entered;
3. the system-generated random character group, whose length is itself random, provides dynamic password protection;
4. the original password can be split in several ways and the sub-password can be combined with the random character group in several ways, and a security audit function counts input errors, so that even if both sub-passwords are stolen, the thief cannot reconstruct the original password within the limited number of attempts.
Embodiment
Embodiment one
A split-password dynamic verification method is a method by which a user enters, at an operation interface, a password issued by the service provider or registered by the user, and has it verified by the system or service provider.
Figure 1 shows the verification flow of this password verification method; the flow reproduces the core of the invention clearly.
First, as shown at 101 in Fig. 1, the user splits the existing password into two sub-passwords, the first and the second sub-password. Splitting methods include in-order splitting, equal-interval splitting and middle-block extraction splitting.
For example, let the user's existing password be a six-character password (X1X2X3X4X5X6), where X1, X2, X3, X4, X5, X6 may be digits, letters, punctuation marks or even Chinese characters. Depending on the splitting method, the first and second sub-passwords can be formed as follows:
1. In-order splitting: the password is divided in order into two blocks, and the characters of each block keep their original adjacency. The first and second sub-passwords are then respectively:

First sub-password | Second sub-password
X1 X2 | X3 X4 X5 X6
X3 X4 X5 X6 | X1 X2
X1 X2 X3 | X4 X5 X6
X4 X5 X6 | X1 X2 X3
X1 X2 X3 X4 | X5 X6
X5 X6 | X1 X2 X3 X4
2. Equal-interval splitting: characters separated by a fixed interval are taken from the original password and reassembled into a sub-password. The first and second sub-passwords are then respectively:

First sub-password | Second sub-password
X1 X3 X5 | X2 X4 X6
X2 X4 X6 | X1 X3 X5
3. Middle-block extraction splitting: several adjacent characters are extracted from the original password as one sub-password, and the remaining characters form the other. The first and second sub-passwords are then respectively:

First sub-password | Second sub-password
X2 X3 | X1 X4 X5 X6
X1 X4 X5 X6 | X2 X3
X3 X4 | X1 X2 X5 X6
X1 X2 X5 X6 | X3 X4
X4 X5 | X1 X2 X3 X6
X1 X2 X3 X6 | X4 X5
X2 X3 X4 | X1 X5 X6
X1 X5 X6 | X2 X3 X4
X3 X4 X5 | X1 X2 X6
X1 X2 X6 | X3 X4 X5
By comparison, middle-block extraction yields more combinations, so the risk of the password being stolen is correspondingly lower.
If the anti-theft function is to be optimal, the verification system may support all of the splitting methods above; then even if both sub-passwords are stolen, the probability of successfully recombining them into the original password drops to a minimum.
However, for the convenience of the user, only the first method, in-order splitting, may be used. The operation interface then adds a prompt such as "please enter the first three characters of the password ...", and the user quickly understands the splitting method and proceeds to the next step.
At present, bank systems generally verify six-digit passwords. To tell the user how to split the password, if the method is applied to a bank ATM, the ATM interface can display prompts such as "please enter the first two digits of the original password in order ...", "please enter the first three digits of the original password in order ...", "please enter any three digits of the original password in order ..." and so on.
At present, to reduce the risk of password theft, many online login systems use passwords longer than six characters, e.g. eight or ten, which may consist of digits, letters, punctuation marks or even Chinese characters. Such passwords admit more splitting schemes, the combinations of first and second sub-password are more complex, and the risk of theft is lower.
To guarantee the verification quality of the sub-passwords, each of the first and second sub-passwords should have two or more characters. Suppose the existing password is a six-digit password (X1X2X3X4X5X6) with X1, X2, X3, X4, X5, X6 all digits. With in-order splitting the schemes can then include "2+4" and "3+3" (i.e. X1X2 and X3X4X5X6, or X1X2X3 and X4X5X6); for an eight-digit password they can include "2+6", "3+5" and "4+4" (i.e. X1X2 and X3X4X5X6X7X8, X1X2X3 and X4X5X6X7X8, or X1X2X3X4 and X5X6X7X8). For six- and eight-digit passwords, "3+3" and "3+5" respectively are the preferred schemes. If the sub-password entered at 102 in Fig. 1 has one digit, the probability of guessing it is one in ten; with two digits, one in a hundred; with three digits, one in a thousand. To guarantee the verification quality at 103 in Fig. 1, the sub-password entered at 102 therefore has two or more digits, i.e. the first and second sub-passwords each have two or more characters.
As shown at 102 in Fig. 1, after the password has been split (by the user, or following the prompt of the operation interface), the user enters the first or the second sub-password in the password input field of the operation interface. The principle is the same whichever sub-password is entered; for convenience assume that the first sub-password is entered and that the first splitting method is used. After the user enters the first sub-password, it is transmitted to the system for verification. Transmission may involve encoding, encryption and the addition of source and destination addresses; these are not the focus of the invention and can readily be understood and implemented by those skilled in the art, so they are not described in detail. The system that verifies the sub-password may be a local verification platform (for a bank ATM, its back-end system software) or a remote verification system (e.g. a server on the network together with its supporting service system).
As shown at 103 and 104 in Fig. 1, the system verifies the first sub-password entered by the user (the password entered at 102). If it meets the condition, verification passes and the flow proceeds to 108; otherwise it proceeds to 105. Verification means that the system compares the first sub-password it received with the original password pre-stored in the system; if the comparison shows that the first sub-password is a part split off the original password, verification passes. That is, if the original password is (X1X2X3X4X5X6) and the first splitting method is used, an entered first sub-password ABK passes when (A=X1, B=X2, K=X3) or (A=X4, B=X5, K=X6), and fails otherwise; if the second splitting method is used, ABK passes when (A=X1, B=X3, K=X5) or (A=X2, B=X4, K=X6), and fails otherwise.
To be compatible with all splitting methods (i.e. regardless of how the password was split), the pass condition can be defined as follows: each character of the entered first sub-password must be found at a corresponding position of the original password, and the relative order of those positions must agree with their order in the original password. In a program this can be implemented with two loop statements (a two-level loop) that read the sub-password character by character and compare it character by character with the stored password.
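The two acceptance rules discussed above, as an added example in Python (not code from the patent): `is_ordered_split` implements in-order splitting, where a valid sub-password is a prefix or suffix of the stored password; `is_split` implements the general rule for any splitting method, i.e. a subsequence test written with the two-level loop the text mentions. `accepted_guesses` then enumerates every k-digit input a rule would accept, which makes the cost of "supporting every splitting method" visible: for the constructed six-digit password 172839, the in-order rule accepts 2 three-digit inputs (172 and 839), while the general rule accepts all 20 three-digit subsequences, so a single guess passes the partial check at 103 with probability 20/1000 rather than the 1/1000 the text computes for one fixed block.

```python
"""Sub-password acceptance rules for the split-password scheme (added example)."""
from itertools import product


def is_ordered_split(sub: str, original: str) -> bool:
    """In-order split: both pieces keep their original adjacency, so a
    sub-password is valid only if it is a prefix or a suffix of the stored
    password (X1X2X3 or X4X5X6 for a 3+3 split)."""
    if not 0 < len(sub) < len(original):
        return False
    return original.startswith(sub) or original.endswith(sub)


def is_split(sub: str, original: str) -> bool:
    """General rule from the text: every character of `sub` is found at some
    position of `original`, and those positions occur in the same relative
    order. This is a subsequence test: outer loop over `sub`, inner scan
    along `original` (the two-level loop the text describes)."""
    if not 0 < len(sub) < len(original):
        return False
    pos = 0
    for ch in sub:
        while pos < len(original) and original[pos] != ch:
            pos += 1
        if pos == len(original):
            return False  # no later position carries this character
        pos += 1
    return True


def accepted_guesses(original: str, k: int, rule,
                     alphabet: str = "0123456789") -> set:
    """Every k-character string over `alphabet` that `rule` accepts as a
    sub-password of `original`. Its size over len(alphabet)**k is the chance
    that one guess passes the partial check."""
    return {"".join(t) for t in product(alphabet, repeat=k)
            if rule("".join(t), original)}


def guess_probability(original: str, k: int, rule,
                      alphabet: str = "0123456789") -> float:
    return len(accepted_guesses(original, k, rule, alphabet)) / len(alphabet) ** k


if __name__ == "__main__":
    pwd = "172839"  # constructed six-digit sample password
    for rule in (is_ordered_split, is_split):
        print(rule.__name__, sorted(accepted_guesses(pwd, 3, rule)),
              guess_probability(pwd, 3, rule))
```

The enumeration in `accepted_guesses` covers digit-only passwords, which is the bank case the text discusses; the same rules work unchanged for letters or other characters, only the alphabet passed in changes.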
As shown at 105 in Fig. 1, if the first sub-password fails verification, the system indicates an input error on the operation interface, records the input error (or increments the input error count by 1), and proceeds to 106;
As shown at 106 in Fig. 1, the system checks whether the input error count after 105 has reached the set value (configurable as needed, typically 3); if so, this user's subsequent password verification is stopped or locked, to prevent the password from being cracked; if not, the flow returns to 102 and the user re-enters the first sub-password;
As shown at 108 in Fig. 1, when the first sub-password passes verification, the system automatically generates a random character group, stores it, and sends it to the operation interface for display. Depending on the system, the random character group may consist of digits, letters, symbols, punctuation or even Chinese characters. The number of characters in the group is a random number, i.e. its length is not fixed. In theory, the more random the group and its length, the better the security of the password; in practice an upper limit is set on the length of the random group.
As shown at 109 in Fig. 1, following the prompt of the operation interface, the user combines the random character group with the remaining sub-password (the second sub-password). Combination methods include inserting the sub-password as a whole at an arbitrary position in the random group, distributing the characters of the sub-password in order among the random group, and others. For example, suppose the original password is (X1X2X3X4X5X6), the user has entered the first sub-password (X1X2X3) and it has passed verification, and the random group returned by the system is six random characters (Y1Y2Y3Y4Y5Y6). The random group and the second sub-password (X4X5X6) can then be combined as follows:
Method one: the sub-password is inserted as a whole at an arbitrary position in the random group;

Y1 X4 X5 X6 Y2 Y3 Y4 Y5 Y6
Y1 Y2 X4 X5 X6 Y3 Y4 Y5 Y6
Y1 Y2 Y3 X4 X5 X6 Y4 Y5 Y6
Y1 Y2 Y3 Y4 X4 X5 X6 Y5 Y6
Y1 Y2 Y3 Y4 Y5 X4 X5 X6 Y6
Method two: the characters of the sub-password are distributed in order among the random group;

Y1 X4 Y2 X5 Y3 X6 Y4 Y5 Y6
Y1 Y2 X4 Y3 X5 Y4 X6 Y5 Y6
Y1 Y2 Y3 X4 Y4 X5 Y5 X6 Y6
Y1 Y2 Y3 Y4 X4 Y5 X5 Y6 X6
Y1 X4 Y2 Y3 X5 Y4 X6 Y5 Y6
Y1 X4 Y2 Y3 X5 Y4 Y5 X6 Y6
......
Method three: other combination methods;
In practice, users generally find it difficult to work out how to combine the random group with the second sub-password, so the operation interface can give prompts. For example, the random group can be displayed in two parts (call them part A and part B, where the number of characters in part A is random, i.e. the length of part A is not fixed), and the user is prompted to enter "A + remaining password + B" in order. Alternatively, the random group can be displayed in full with blank positions where the second sub-password is to be filled in, and the user is prompted to enter the displayed random group in order, filling the remaining password into the blanks. Combining according to the system's prompt is convenient for the user and also makes it easy for the system to extract the second sub-password.
As shown at 110 in Fig. 1, the user enters the combined password at the operation interface in order.
As shown at 111 in Fig. 1, the system receives the combined password and extracts the remaining sub-password, i.e. the second sub-password, from it. The extraction procedure depends on the combination method. For example, if the operation interface prompted the user to enter the combined password as "A + remaining password + B", extraction is simple: the received combined password is compared with the stored random group, and separating part A and part B from the combined password yields the second sub-password. For other combination methods a general extraction method can be used: the combined password is read character by character and compared with the random group, the characters matching the random group are extracted, and the remaining characters, recomposed in their original relative order, give the second sub-password.
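The two extraction procedures described at 111, as an added example in Python (not code from the patent). `extract_ab` implements the "A + remaining password + B" prompt, where the server knows both displayed parts. `extract_greedy` is one reading of the general method (read the combined string character by character, consume each character that equals the next unconsumed character of the random group, keep everything else in order); that reading is an assumption of this example, not a procedure the text spells out. The demo uses the random group from embodiment two, "6896685248", shown as "689668" and "5248", with two constructed five-character remainders, and shows the caveat a practitioner would want: the general method mis-extracts whenever a sub-password character equals the random-group character expected at that point (here a remainder beginning with "52" collides with the "5248" part), whereas the A + B form is unambiguous because the server knows exactly where the sub-password sits.

```python
"""Extracting the second sub-password from the combined input (added example)."""
from typing import Dict, Optional, Tuple


def extract_ab(combined: str, part_a: str, part_b: str) -> Optional[str]:
    """'A + remaining password + B' prompt: the server knows both displayed
    parts, so the sub-password is exactly what sits between them. Returns
    None if the user did not reproduce A and B exactly."""
    if len(combined) <= len(part_a) + len(part_b):
        return None
    if not (combined.startswith(part_a) and combined.endswith(part_b)):
        return None
    return combined[len(part_a):len(combined) - len(part_b)]


def extract_greedy(combined: str, random_group: str) -> Optional[str]:
    """General method (one reading of the text): strip the random group by
    in-order matching and keep the rest, in order, as the sub-password.
    Returns None if the random group was not reproduced completely."""
    j = 0
    rest = []
    for ch in combined:
        if j < len(random_group) and ch == random_group[j]:
            j += 1           # attributed to the random group
        else:
            rest.append(ch)  # attributed to the sub-password
    if j != len(random_group):
        return None
    return "".join(rest)


def demo() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Random group from embodiment two, displayed as '689668' + '5248';
    the two five-character remainders are constructed for this example.
    Returns {remainder: (A+B result, greedy result)}."""
    part_a, part_b = "689668", "5248"
    group = part_a + part_b
    results = {}
    for remaining in ("16034", "52034"):
        combined = part_a + remaining + part_b   # what the user types
        results[remaining] = (extract_ab(combined, part_a, part_b),
                              extract_greedy(combined, group))
    return results


if __name__ == "__main__":
    for remaining, (ab, greedy) in demo().items():
        print(f"remaining={remaining}: A+B -> {ab}, greedy -> {greedy}")
```

For "16034" both procedures return the remainder; for "52034" the greedy procedure consumes the user's "5" and "2" as if they were the start of "5248" and returns "03524", so a correct user would be rejected. A system that uses the free-form combination methods therefore needs either the fixed A + B layout or a random group drawn from characters that cannot occur in the password.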
As shown at 112 in Fig. 1, the system verifies the extracted second sub-password by comparing it with the existing password; if it can be determined to be a part of the existing password, verification succeeds (113). The principle and method of verification are the same as at 103 and 104.
As shown at 114 and 115 in Fig. 1, if verification at 112 fails, the input error is recorded and counted, and the system checks whether the input error count has reached the set value (configurable as needed, typically 3). If so, this user's subsequent password verification is stopped or locked (116), to prevent the password from being cracked; otherwise the flow returns to 108, the system generates a new random group and displays it on the operation interface, and the operations at 109, 110, 111 and so on are repeated.
Embodiment two
A login or payment system using split-password dynamic verification consists of two major parts, hardware support and software support. The system has a login/payment interface and an operation panel, whose purpose is to let the user enter the password conveniently, and a password verification platform, whose purpose is to verify the user's password.
The system may be a bank payment system such as an ATM (automatic teller machine), an online banking payment system, an online login system, and so on.
A login or payment system using split-password dynamic verification, characterised in that the password verification method adopted at login or payment is the password verification method described in embodiment one.
Taking an online banking payment system as an example, the implementation of password verification is described further below:
Suppose the user has registered a user name and a payment password with the online banking payment system, and the password is an eight-character password denoted (X1X2X3X4X5X6X7X8). Following the core of the invention in embodiment one, password verification can be implemented by the following scheme:
1. Following the interface prompt (as shown in Fig. 2), the user enters the first three characters of the payment password, i.e. X1X2X3;
2. The system compares the three entered characters with the first three characters of the original password. If they agree, it generates a random character group, say "87487654654", and displays it on the operation interface in two parts; the interface prompts the user to enter the random group together with the remaining five characters of the password (as shown in Fig. 3). Otherwise it checks whether the input error count has reached the set number; if not, it indicates an input error and displays the operation interface of Fig. 4, and the user re-enters the first three characters of the payment password; if so, it displays the interface of Fig. 5 and stops this user's subsequent verification;
3. Following the interface prompt of Fig. 3, the user enters the random group and the remaining five characters of the password in order;
4. The system compares the combined password entered by the user with the stored random group, extracts the remaining five characters, and compares them with the original password to determine whether they are the part split off the original password. If so, verification succeeds and the transaction is completed or other subsequent operations proceed. Otherwise an input error is indicated and the system checks whether the input error count has reached the set number; if so, it displays the interface of Fig. 5 and stops this user's subsequent verification; if not, it displays the operation interface of Fig. 6, i.e. the system automatically generates another random group (say "6896685248", displayed in two parts as "689668" and "5248"), sends it to the interface for display and prompts the user to re-enter the password; the user re-enters the password as prompted;
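The complete two-stage flow, covering steps A to E of the summary and steps 1 to 4 of this embodiment, as an added example in Python (not the patent's code). Stage 1 compares the first three characters with the stored password; on success a random character group of random length is drawn and cut at a random point into the two parts A and B the interface displays; stage 2 expects "A + remaining password + B", strips A and B and compares the middle with the rest of the stored password. Both stages feed one error counter, and reaching the threshold locks the user out, as at Fig. 5; a failed stage 2 that does not lock issues a fresh group, as at Fig. 6. The length bounds 8 to 12, the random cut point, the use of `secrets.SystemRandom` and `hmac.compare_digest`, and the sample password 25816034 are assumptions of this example. One caveat the text leaves implicit: the server must hold the password in a form it can cut and compare piecewise, so the usual salted one-way hash of the whole password cannot be used with this scheme.

```python
"""Two-stage split-password verification flow of embodiment two (added example)."""
import hmac
import secrets
from typing import Optional, Tuple

MAX_ERRORS = 3   # lockout threshold; the text suggests 3
PREFIX_LEN = 3   # embodiment two: the user enters the first three characters


class SplitPasswordVerifier:
    def __init__(self, password: str, min_len: int = 8, max_len: int = 12,
                 alphabet: str = "0123456789"):
        # The scheme compares pieces of the stored password, so a plaintext
        # (or reversibly protected) copy is assumed here; a salted one-way
        # hash of the whole password cannot serve this partial check.
        self._password = password
        self._min_len, self._max_len, self._alphabet = min_len, max_len, alphabet
        self._rng = secrets.SystemRandom()
        self._challenge: Optional[Tuple[str, str]] = None
        self.errors = 0
        self.locked = False

    def _new_challenge(self) -> Tuple[str, str]:
        """Random group of random length, cut at a random point into the
        displayed parts A and B (step 108 / Fig. 3)."""
        n = self._rng.randint(self._min_len, self._max_len)
        group = "".join(self._rng.choice(self._alphabet) for _ in range(n))
        cut = self._rng.randint(1, n - 1)
        return group[:cut], group[cut:]

    def _fail(self) -> None:
        self.errors += 1
        if self.errors >= MAX_ERRORS:
            self.locked = True        # stop/lock subsequent verification
            self._challenge = None

    def challenge(self) -> Optional[Tuple[str, str]]:
        """(part A, part B) currently shown to the user, or None."""
        return self._challenge

    def stage1(self, first_part: str) -> bool:
        """Steps 1-2: compare the entered characters with the first
        PREFIX_LEN characters of the stored password."""
        if self.locked:
            return False
        expected = self._password[:PREFIX_LEN]
        if hmac.compare_digest(first_part.encode(), expected.encode()):
            self._challenge = self._new_challenge()
            return True
        self._fail()
        return False

    def stage2(self, combined: str) -> bool:
        """Steps 3-4: strip the known A and B, compare the middle with the
        remaining characters. On failure a fresh group is issued (Fig. 6)
        unless the lockout threshold has been reached (Fig. 5)."""
        if self.locked or self._challenge is None:
            return False
        a, b = self._challenge
        expected = self._password[PREFIX_LEN:]
        middle = combined[len(a):len(a) + len(expected)]
        ok = (len(combined) == len(a) + len(expected) + len(b)
              and combined.startswith(a) and combined.endswith(b)
              and hmac.compare_digest(middle.encode(), expected.encode()))
        if ok:
            self._challenge = None
            return True
        self._fail()
        if not self.locked:
            self._challenge = self._new_challenge()
        return False


if __name__ == "__main__":
    v = SplitPasswordVerifier("25816034")   # constructed sample password
    print("stage 1:", v.stage1("258"))
    a, b = v.challenge()
    print("interface shows", a, "and", b)
    print("stage 2:", v.stage2(a + "16034" + b))
```

Because the stored random group is compared in full and the expected middle has a fixed length, an attacker who records the whole second entry learns only A, B and the remaining five characters of one session; the fresh group per attempt and the shared error counter are what limit reuse, exactly the two properties the text relies on.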
The operation interface and implementation described above are a simple form. Increasing the content according to the description of embodiment one, changing the splitting scheme of the original password, changing the random group and its combination with the remaining password, changing the prompt text and style of the interface, or changing the extraction and verification flow of the sub-passwords, without departing from the core of the method, should all be regarded as within the scope of protection of the invention.
In addition, the system may read the contact details the user registered in advance (mobile number, e-mail address, telephone number, etc.) and notify the user by SMS, e-mail, voice call or similar means when the password verification error count reaches the set value, asking the registered user to unlock the account and change the password; this further reduces the risk of password theft.