CN101741852B - Authentication method, system and device - Google Patents

Authentication method, system and device

Info

Publication number
CN101741852B
Authority
CN
China
Prior art keywords
password
dynamic
dynamic password
checking
user
Prior art date
Legal status
Active
Application number
CN2009102446393A
Other languages
Chinese (zh)
Other versions
CN101741852A (en)
Inventor
陆舟
于华章
Current Assignee
Feitian Technologies Co Ltd
Beijing Feitian Technologies Co Ltd
Original Assignee
Feitian Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Feitian Technologies Co Ltd
Priority to CN2009102446393A
Publication of CN101741852A
Priority to US13/125,130
Priority to PCT/CN2010/080274
Application granted
Publication of CN101741852B
Legal status: Active (current)
Anticipated expiration

Abstract

The invention provides an authentication method, system and device, belonging to the technical field of information security. In the method, a server receives a user name and a first value from a client, looks up the seed of the dynamic password token, and generates a first dynamic password from the first value and the seed; the first dynamic password is converted into a first verification password and a second verification password, and the first verification password is returned to the user; the dynamic password token generates a second dynamic password, which is converted into a third verification password and a fourth verification password; the user confirms that the server is valid after checking that the first verification password and the third verification password are consistent; the fourth verification password is transmitted to the server; and the server confirms that the user is valid after checking that the fourth verification password and the second verification password are consistent. The invention effectively prevents attacks by malicious sites and operations by invalid users, thereby enhancing the safety of user information and property.

Description

Authentication method, system and authentication device
Technical field
The present invention relates to the field of information security technology, and in particular to an authentication method, system and authentication device.
Background technology
As network technology has become ever more widely applied in daily life, people increasingly depend on the network for everyday activities such as shopping, office work and entertainment. With the strengthening of network applications, all kinds of websites providing convenient services have emerged, so the number of websites keeps growing while the security requirements on the network keep rising; online banking and government office websites in particular require that the login of a valid user be perfectly secure. Because of the development of hacking techniques, the traditional verification mode of user name plus static password can no longer satisfy current security requirements.
In recent years the authentication field has proposed dynamic password authentication, which adds dynamic password verification on top of static password verification, giving the user's password an extra layer of protection and greatly increasing security. In the prior art, dynamic password authentication generally works as follows:
The service provider gives the user a dynamic password token. The token is an electronic device carrying a processor, about the size of a USB flash drive, which can operate independently when fitted with a battery or connected to power. A seed corresponding to the token, also called the static factor, is usually stored securely inside the dynamic password token; this seed is a long character string or data;
The dynamic password token can use the seed and a dynamic factor to generate a dynamic password according to a built-in dynamic password algorithm;
The user logs in to the service with the dynamic password generated by the token. Because the dynamic factor is usually tied to time or to an event factor, each generated dynamic password is different, so logging in with this dynamic password achieves the effect of a one-time pad, and security is relatively high.
A phishing website is a fake website that completely imitates the interface of the real website and differs from it only by a subtle difference in the URL; an ordinary user who does not check carefully easily confuses the phishing website with the real one. The phishing website impersonates the real website: if the user opens the phishing website and logs in, the phishing website records the login information the user enters and then uses that information to impersonate the user and log in to the real website, causing loss of the user's information and property.
Although the dynamic password of the prior art is relatively secure and hard to crack, it cannot prevent attacks by malicious websites (for example phishing websites).
No effective solution has yet been proposed for the relatively low security of the dynamic password authentication method in the related art.
Summary of the invention
The present invention aims to provide an authentication method, system and authentication device, to solve the problems that existing authentication methods are of relatively low security and cannot prevent attacks by malicious websites.
According to one aspect of the present invention, an embodiment of the invention provides an authentication method comprising:
the server receives a user name and a first value from the client, where the first value is obtained from the dynamic factor of a dynamic password token;
the server looks up the seed of the dynamic password token corresponding to the user name, corrects the dynamic factor of the server according to the first value, and generates a first dynamic password from the corrected dynamic factor and the seed; the server converts the first dynamic password into a first verification password and a second verification password according to an agreed rule, and returns the first verification password to the user;
the dynamic password token generates a second dynamic password from its own dynamic factor and the seed stored in it in advance, and converts the second dynamic password into a third verification password and a fourth verification password according to the agreed rule;
after the user compares the first verification password with the third verification password and finds them consistent, the user confirms that the server is legitimate and sends the fourth verification password to the server;
after the server compares the fourth verification password with the second verification password and finds them consistent, it confirms that the user is legitimate.
According to a further aspect of the invention, an embodiment of the invention also provides an authentication system comprising:
a dynamic password token, used to generate the first value, to generate a second dynamic password from the dynamic factor and the pre-stored seed, and to convert the second dynamic password into a third verification password and a fourth verification password according to an agreed rule;
a client, used to send the information entered by the user to the server, the information entered by the user comprising the user name, the first value and the fourth verification password, and to output the information returned by the server to the user;
a server, used to receive the user name and the first value, look up the seed of the dynamic password token corresponding to the user name, correct the dynamic factor of the server according to the first value, generate a first dynamic password from the corrected dynamic factor and the seed, convert the first dynamic password into a first verification password and a second verification password according to the agreed rule, and return the first verification password to the client, so that the user can confirm that the server is legitimate after comparing the first verification password with the third verification password and finding them consistent;
the server is further used to confirm that the user is legitimate after comparing the fourth verification password with the second verification password and finding them consistent.
According to a further aspect of the invention, an embodiment of the invention also provides an authentication device comprising:
a storage module, used to store the associated information for generating dynamic passwords, the associated information comprising the seed, the algorithm for generating dynamic passwords, and the agreed rule for converting a dynamic password into verification passwords;
a receiving module, used to receive confirmation information entered by the user;
a dynamic password generation module, used to generate the first value after the receiving module receives a first confirmation entered by the user, and to generate a second dynamic password from the dynamic factor and the seed stored in the storage module after the receiving module receives a second confirmation entered by the user;
a conversion module, used to convert the second dynamic password generated by the dynamic password generation module into a third verification password and a fourth verification password using the agreed rule;
an output module, used to output the first value generated by the dynamic password generation module when the receiving module receives the first confirmation entered by the user, and to output the third verification password and the fourth verification password once the conversion module has produced them.
The embodiments of the invention convert the generated dynamic password into two verification passwords, which provides more secure authentication, effectively prevents attacks by malicious websites and operations by illegitimate users, and thus improves the security of user information and property.
Description of drawings
The accompanying drawings are provided for a further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their explanations serve to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 shows the flow chart of the authentication method provided in Embodiment 1;
Fig. 2 shows the flow chart of the authentication method provided in Embodiment 2;
Fig. 3 shows the flow chart of the authentication method provided in Embodiment 3;
Fig. 4 shows the block diagram of the authentication system provided in Embodiment 4;
Fig. 5 shows the block diagram of the authentication device provided in Embodiment 5.
Embodiment
The invention is described in detail below with reference to the accompanying drawings and in combination with the embodiments.
Embodiment 1
This embodiment provides an authentication method that uses a dynamic password token. The dynamic password token corresponds to the user's user name; the token's serial number and the seed and algorithm used to generate dynamic passwords are all stored in advance on the server and associated with the user's user name. Referring to Fig. 1, the method comprises:
Step 101: the server receives a user name and a first value from the client;
The user name may be the user's identity card number, the user's e-mail address or the user's bank account number; any information capable of identifying the user can serve as the user's user name;
The first value is generated by the dynamic password token. It may be a random number, or a value generated from the token's own information, for example a value determined from the number of times dynamic passwords have been generated; the dynamic factor accordingly comprises the random number or the token's dynamic password generation count;
Step 102: the server looks up the seed of the dynamic password token corresponding to the user name, corrects the server's dynamic factor according to the first value, and generates a first dynamic password from the corrected dynamic factor and the seed;
The algorithm for producing the first dynamic password is stored on the server, and the same algorithm is also stored on the dynamic password token, so that a legitimate server and the dynamic password token are guaranteed to generate identical dynamic passwords, which is what makes authentication possible;
When the first value is a random number, the server generates the first dynamic password from this random number and the seed found by the lookup;
When the first value is a value determined by the dynamic password token from its own dynamic password generation count, the server corrects its own stored dynamic password generation count according to the first value, and uses the corrected generation count and the seed to generate the first dynamic password;
Step 103: the server converts the first dynamic password into a first verification password and a second verification password according to the agreed rule, and returns the first verification password to the user;
The agreed rule is a conversion algorithm stored in advance on both the server and the dynamic password token; for example, the conversion algorithm takes bytes of a preset length out of the first dynamic password, converts the extracted bytes into letters to serve as the first verification password, and uses the remainder of the first dynamic password as the second verification password;
Step 104: the dynamic password token generates a second dynamic password from the dynamic factor and the pre-stored seed, and converts the second dynamic password into a third verification password and a fourth verification password according to the agreed rule;
Step 104 may be performed between steps 101 and 102, or between steps 102 and 103; it is not limited to the order of execution in this embodiment;
Step 105: after the user compares the first verification password with the third verification password and finds them consistent, the user confirms that the server is legitimate and sends the fourth verification password to the server through the client;
The user can obtain the third and fourth verification passwords from the content displayed on the dynamic password token or from the sound emitted by its audio component, and obtain the first verification password from the content displayed by the client or the sound emitted by the client's audio component;
Step 106: after the server compares the fourth verification password with the second verification password and finds them consistent, it confirms that the user is legitimate.
After the server confirms that the user is legitimate, it can allow the user to log in and carry out the related operations.
The first value and the second dynamic password generated by the dynamic password token of this embodiment can be triggered by the user, i.e. generated after the user enters an instruction (for example pressing a particular key on the dynamic password token).
By converting the generated dynamic password into two verification passwords and using both for authentication, this embodiment can guarantee that both the server and the user are legitimate, effectively prevents attacks by malicious websites (for example phishing websites), and thus strengthens the security of the system and protects the user's information.
Embodiment 2
This embodiment provides an authentication method, described with the example of a user logging in to online banking by dynamic password authentication; it describes in detail the authentication flow of the dynamic password authentication server while the user logs in. The dynamic password token used in this embodiment is bound to the user's account number. Referring to Fig. 2, the authentication method comprises:
Step 201: the dynamic password token generates a random number;
In this embodiment the dynamic password token has a button; after the user presses the button for the first time, the token generates a random number according to its built-in algorithm. The random number may be a 2- to 8-digit number, but is not limited to 2-8 digits;
Step 202: the client host sends the random number and the user name to the server;
In this embodiment the user enters the random number and his own user name through the input device of the client host, and the client host sends them to the server; the user name comprises at least one of the user account, identity card number and e-mail address;
Step 203: the server looks up the seed of the dynamic password token held by the user according to the user name;
In this embodiment each dynamic password token has a unique serial number and stores a seed, the seed being the static parameter the token needs when generating a dynamic password with the dynamic password algorithm; the seeds stored in different tokens do not repeat. After the user binds the user name (for example the account number) to the dynamic password token, the server stores the serial number and seed of the token corresponding to the user account, and stores the same dynamic password algorithm as the token, in order to generate dynamic passwords;
The server looking up the seed of the user's token by user name comprises: the server looks up the serial number of the dynamic password token bound to the user name, and then looks up the token's seed by that serial number;
Alternatively, when the user binds the dynamic password token to the user name, the server establishes a direct correspondence between the user name and the token seed, so that when the server looks up the seed it finds the corresponding token seed directly from the user name;
Step 204: the server generates a first dynamic password from the random number and the seed, and converts the first dynamic password into a first verification password and a second verification password according to the agreed rule;
In this embodiment the generated first dynamic password is described as an 8-digit number; the algorithm the server uses to generate the first dynamic password may be any of HMAC, MD5, SHA-1, SHA-2 and similar algorithms;
Preferably, the agreed rule is: take out part of the first dynamic password, convert it into letters to serve as the first verification password, and use the remaining part as the second verification password;
The agreed rule may also be: take out part as the first verification password and use the remaining part as the second verification password;
For example: the generated first dynamic password is 65882632. The first three digits 6, 5, 8 are taken out and combined pairwise, the first with the second, the first with the third, and the second with the third, giving the three numbers 65, 68 and 58. Each of these three numbers is divided by 26, giving the remainders 13, 16 and 6 respectively. Letting the 26 English letters A-Z correspond to the numbers 1-26 (case-insensitive), the remainders correspond to the letters M, P and F, so the first verification password is MPF, and the remaining part of the first dynamic password, 82632, is the second verification password;
When the display of the dynamic password token is a segment display, the first verification code is also converted into seven-segment display codes. Suppose the letters the segment display can represent are A, b, C, d, E, F, P; ignoring case, let these letters correspond to the numbers 1-7. Using the method above, the first three digits 6, 5, 8 of the first dynamic password 65882632 are taken out and combined pairwise (first and second, first and third, second and third) to obtain the three numbers 65, 68 and 58; these are divided by 7, giving the remainders 2, 5 and 2 respectively. From the letters corresponding to the remainders 2, 5, 2, the first verification password is bEb, and the remaining part 82632 of the first dynamic password is the second verification password;
In the two methods above for obtaining the first and second verification passwords, the second verification password may also be converted into letters by the same method; the first and second verification passwords are not limited to digits and letters, and may also be other characters such as "." and "-";
Step 205: the server sends the first verification password to the client host, and the client host outputs the first verification password;
In this embodiment the client host may output the first verification password by display or by audio announcement;
Step 206: the dynamic password token generates a second dynamic password, converts it into a third verification password and a fourth verification password according to the agreed rule, and outputs the third and fourth verification passwords; after verifying from the third verification password that the server is legitimate, the user sends the fourth verification password to the server;
In this embodiment the dynamic password token generates the second dynamic password when triggered by the user. The second dynamic password is generated by the dynamic password algorithm from the random number generated in step 201 and the seed stored inside the token; the algorithm used to generate the second dynamic password is identical to the algorithm the server uses to generate the first dynamic password in step 204;
The method of converting the second dynamic password into the third and fourth verification passwords by the agreed rule is identical to the method in step 204 and is not repeated here.
When the dynamic password token outputs the third and fourth verification passwords it may output both on its display at the same time; for example, when the token has a segment display, the output takes the form bEb82632;
If the user compares the third verification password with the first verification password and finds them identical, the server is considered legitimate, and the user enters the fourth verification password through the client host to be sent to the server; if they differ, the server is considered illegitimate and the login process is stopped;
Step 207: the server judges whether the fourth verification password has been received within a preset time; if so, step 209 is executed; if not, step 208 is executed;
In this embodiment the preset time is the validity period within which the server must receive the fourth verification password; for example, timing starts when the server sends the first verification password, and if the fourth verification password has still not been received after 10 minutes, the server considers the entry of the fourth verification password to have timed out;
Step 208: an error report is returned to the client host, prompting the user that entry of the fourth verification password has timed out;
Step 209: the server compares whether the fourth verification password is identical to the second verification password; if identical, step 210 is executed; if not, step 211 is executed;
Step 210: the user is legitimate and may carry out online transactions;
Step 211: a fourth verification password error is returned, prompting the user to log in again.
If the user logs in again with this information, the above steps need to be repeated; when the server has found the fourth verification password incorrect the maximum number of times (a predefined value), or when the user's number of logins exceeds the preset maximum, the user is forbidden from logging in again.
This embodiment may also comprise the user entering a static password to the server through the client host; when the server verifies the fourth verification password, it also verifies the static password, and if both are valid the user's identity is considered legitimate; otherwise the user's identity is illegitimate and the login fails.
By converting the generated dynamic password into two verification passwords and using both for authentication, this embodiment can guarantee that both the server and the user are legitimate, effectively prevents attacks by malicious websites (for example phishing websites), and thus strengthens the security of the system and protects the user's information.
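The whole exchange of Embodiment 2 (steps 201 to 211) together with the agreed conversion rule of step 204, as an added example that is not code from the patent or from Feitian. The seed, the user name "alice" and the use of HMAC-SHA1 as the dynamic password algorithm are this example's constructed choices; the page only lists HMAC, MD5, SHA-1 and SHA-2 as permitted algorithms and does not say what a remainder of 0 maps to, so that case is handled by a labelled assumption.

```python
import hashlib
import hmac
import secrets

# Constructed sample seed shared by the token and the server binding (not a value from the patent).
SEED = b"constructed-demo-seed-0001"


def _pairwise_numbers(digits: str) -> list:
    """Combine the first three digits d1 d2 d3 into d1d2, d1d3, d2d3 (step 204)."""
    d1, d2, d3 = digits[0], digits[1], digits[2]
    return [int(d1 + d2), int(d1 + d3), int(d2 + d3)]


def split_dynamic_password(dp: str, alphabet: str = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
    """Agreed rule of step 204: the first three digits become letters (first
    verification password) and the remaining digits are kept as the second
    verification password. Remainders 1..len(alphabet) select the letters;
    the page does not say what remainder 0 maps to, so here (an assumption)
    0 maps to the last letter of the alphabet."""
    if len(dp) < 4 or not dp.isdigit():
        raise ValueError("dynamic password must be at least 4 decimal digits")
    n = len(alphabet)
    letters = [alphabet[(num % n - 1) % n] for num in _pairwise_numbers(dp[:3])]
    return "".join(letters), dp[3:]


def dynamic_password(seed: bytes, dynamic_factor: int, digits: int = 8) -> str:
    """8-digit dynamic password from seed and dynamic factor. The patent allows
    HMAC, MD5, SHA-1 or SHA-2; HMAC-SHA1 is this example's choice."""
    mac = hmac.new(seed, str(dynamic_factor).encode(), hashlib.sha1).digest()
    return f"{int.from_bytes(mac, 'big') % 10 ** digits:0{digits}d}"


class Token:
    """Dynamic password token: the first button press yields the random number
    (step 201), the second press yields the third and fourth verification
    passwords (step 206)."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._random = None

    def press_first(self, rnd=None) -> int:
        # Up to 8 digits, as the page allows; rnd can be injected for a repeatable run.
        self._random = secrets.randbelow(10 ** 8) if rnd is None else rnd
        return self._random

    def press_second(self):
        return split_dynamic_password(dynamic_password(self._seed, self._random))


class Server:
    """Server: seeds bound to user names (step 203), first and second
    verification passwords (step 204), check of the fourth one (step 209)."""

    def __init__(self, bindings: dict):
        self._bindings = bindings
        self._pending = {}  # user name -> second verification password awaiting the fourth

    def begin_login(self, user: str, rnd: int) -> str:
        first, second = split_dynamic_password(dynamic_password(self._bindings[user], rnd))
        self._pending[user] = second
        return first  # only a server holding the seed can derive this value

    def finish_login(self, user: str, fourth: str) -> bool:
        expected = self._pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, fourth)


def login(server: Server, token: Token, user: str, rnd=None) -> bool:
    """The whole exchange of Embodiment 2 from the user's point of view."""
    rnd = token.press_first(rnd)              # step 201: token shows the random number
    first = server.begin_login(user, rnd)     # steps 202-205: user types it in, server replies
    third, fourth = token.press_second()      # step 206: token shows third + fourth
    if first != third:                        # user compares: a site without the seed fails here
        return False
    return server.finish_login(user, fourth)  # steps 207-211: server checks the fourth
```

With the page's own example `split_dynamic_password("65882632")` gives `("MPF", "82632")`, and with the seven-letter segment-display alphabet `"AbCdEFP"` it gives `("bEb", "82632")`.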
Embodiment 3
Present embodiment provides a kind of authentication method; Identical with embodiment 2; Present embodiment is that example describes to utilize the dynamic password token debarkation net to go to bank also; First numerical value of dynamic password token generation in the present embodiment is to obtain according to the number of times that generates dynamic password, rather than the random number among the embodiment 2.Referring to Fig. 3, this authentication method comprises:
Step 301, dynamic password token read the generation dynamic password number of times of its storage, and generate first numerical value according to this number of times;
Preferably; First numerical value that generates of dynamic password token is taked following method in the present embodiment: with dynamic password token generate the dynamic password number of times be 6322 times be that example describes; When the user presses the button of dynamic password token for the first time; Dynamic password token with 6322 back two as first numerical value, and show that on the display of dynamic password token output first numerical value is 22;
Adopt the method for above-mentioned output first numerical value convenient, and good confidentiality; Also can whole numerals that dynamic password token generates the number of times of dynamic password be exported as first numerical value;
Step 302, client host sends to service end with first numerical value and user's user name;
In the present embodiment, the user imports first numerical value and its own user name through the input unit of client host, and sends to service end through client host, and user name comprises at least a in user account, identification card number, the mailbox;
Step 303, service end is searched the dynamic password token of binding with this user name according to user name, obtains the number of times of the generation dynamic password of dynamic password token numbering, seed and service end preservation, and the generation dynamic password number of times that service end is preserved is proofreaied and correct;
In the present embodiment; After dynamic password token and user name were bound, service end stored the number of times of numbering, seed and the generation dynamic password of dynamic password token, and stores the corresponding relation of the numbering of user name and dynamic password token; When service end receives user name and generates the dynamic password number of times; Service end is searched corresponding dynamic password token numbering and seed according to user name, and reads the number of times that it generates dynamic password, for example is 6320; Being merely dynamic password token with first numerical value of present embodiment user input, to generate last two of dynamic password number of times be example, and service end is carried out timing and adopted following method generating number of times:
A; The dynamic password of preserving when service end generates last two during less than first numerical value of number of times; Its that uses that first numerical value replacement service end preserves generates last two of number of times of dynamic password, for example, and in the present embodiment; First numerical value is 22, and the dynamic password of proofreading and correct the service end preservation generates number of times and obtains 6322;
B; The dynamic password of preserving when service end generates last two during greater than first numerical value of number of times; The dynamic password that uses first numerical value replacement service end to preserve generates last two of number of times, and adds 100, for example; If first numerical value is 15, the dynamic password of then proofreading and correct the service end preservation generates number of times and obtains 6415;
C, the dynamic password of preserving when service end generate last two when equaling first numerical value of number of times, and it is consistent with the dynamic password generation number of times of dynamic password token storage to think that dynamic password that service end is preserved generates number of times;
Wherein, When the dynamic password of dynamic password token storage generates that dynamic password that number of times preserves greater than service end generates number of times 100 and when above; Think that the error that dynamic password that service end is preserved generates between the dynamic password generation number of times of number of times and dynamic password token storage is excessive, need dynamic password token be bound with user name again;
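The counter correction of step 303 (rules A, B and C and the rebinding limit of 100 generations), as an added example that is not code from the patent or from Feitian. The counts 6320, 22 and 15 are the page's own; the `resync_succeeds` helper, which compares the corrected count with the token's true count, is this example's way of showing why the two-digit first value can only absorb a drift of fewer than 100 generations.

```python
def correct_generation_count(server_count: int, first_value: int) -> int:
    """Rules A, B and C of step 303. `first_value` is the last two digits of the
    token's dynamic password generation count (what the user types in);
    `server_count` is the generation count the server saved. Returns the
    corrected server count."""
    if not 0 <= first_value <= 99:
        raise ValueError("first value must be two digits (0-99)")
    hundreds = server_count - server_count % 100   # digits above the last two stay
    last_two = server_count % 100
    if last_two < first_value:                     # rule A: replace the last two digits
        return hundreds + first_value
    if last_two > first_value:                     # rule B: replace them and add 100
        return hundreds + first_value + 100
    return server_count                            # rule C: already consistent


def resync_succeeds(server_count: int, token_count: int) -> bool:
    """Helper of this example (not on the page): does the correction recover the
    token's true count from its last two digits alone? It succeeds only while
    the token is ahead of the server by fewer than 100 generations, which is
    the rebinding limit the page states after rule C."""
    corrected = correct_generation_count(server_count, token_count % 100)
    return corrected == token_count


def needs_rebinding(server_count: int, token_count: int) -> bool:
    """The page's limit: a token count 100 or more above the saved count is too
    large an error, and the token must be bound to the user name again."""
    return token_count - server_count >= 100
```

A token 100 generations ahead yields the same two digits as the saved count, so rule C leaves the server's count unchanged and the dynamic passwords no longer agree; that is the case the page reserves for rebinding.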
Step 304, service end generates number of times according to the dynamic password after proofreading and correct and seed generates first dynamic password, and rule according to a preconcerted arrangement converts first dynamic password into the first checking password and the second checking password;
Wherein, the algorithm that generates first dynamic password can be any in HMAC, MD5, SHA-1, the SHA-2 scheduling algorithm;
In the present embodiment, identical among the rule that rule according to a preconcerted arrangement converts first dynamic password into the first checking password and the agreement of second checking in the password and the embodiment 2, repeat no more here;
Step 305: the service end sends the first verification password to the client host, and the client host outputs it;
In this embodiment, the client host outputs the first verification password either on a display or by audio announcement;
Step 306: the dynamic password token generates the second dynamic password, converts it into the third verification password and the fourth verification password according to the agreed rule, and outputs both;
In this embodiment, the dynamic password token generates the second dynamic password from the generation count and the seed it holds, using the same dynamic-password algorithm that the service end uses to generate the first dynamic password in step 304;
The agreed rule used in this step is the same as the rule used in step 304 to convert the first dynamic password into the first and second verification passwords and is not described again;
The user compares the third verification password with the first verification password. If they are identical, the service end is considered legitimate and the user enters the fourth verification password through the client host, which sends it to the service end. If they differ, the service end is considered illegitimate and the login process is aborted;
Step 307: the service end determines whether the fourth verification password has been received within the preset time. If so, step 309 is executed; if not, step 308;
In this embodiment, the preset time is the validity period within which the service end accepts the fourth verification password;
Step 308: an error report is returned to the client host, prompting the user that entry of the fourth verification password has timed out;
Step 309: the service end compares the second verification password with the fourth verification password. If they are identical, step 310 is executed; if not, step 311;
Step 310: the user is legitimate and may proceed with the online transaction;
Step 311: a fourth-verification-password error is returned and the user is prompted to log in again;
If the user logs in again, the above steps are repeated. When the fourth verification password has failed verification a maximum number of times (a predefined value), or when the user's login attempts exceed a preset maximum, the service end forbids any further login by that user.
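The exchange of steps 304 to 311, modelled end to end as an added example in Python; it is not code from the patent or from its assignee. It uses the random-number variant of the dynamic factor (claims 5 and 6), so the first value is used directly as the dynamic factor and no count correction is needed, and it also implements the splitting rule of claim 8 that the conversion module of embodiment 5 performs. Everything the page leaves open is an assumption of this example: HMAC-SHA-256 truncated to 10 bytes as the dynamic-password algorithm, a 4-byte prefix mapped to letters A to Z (byte mod 26) for the first and third verification passwords, hex of the remaining bytes for the second and fourth, a 60-second validity period, and a lockout after three wrong fourth verification passwords. The names `Token`, `Server` and `user_accepts_server` are this example's own. A second `Server` holding a different seed stands in for a site that does not know the user's seed; it cannot produce the first verification password the token expects, which is what the comparison in step 306 catches.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# Assumptions of this example; the patent fixes none of these constants.
DP_LEN = 10      # bytes of HMAC output kept as the dynamic password
PREFIX_LEN = 4   # leading bytes turned into letters (first / third verification password)
LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def dynamic_password(seed: bytes, factor: int) -> bytes:
    """Dynamic password from seed and dynamic factor (assumed: truncated HMAC-SHA-256)."""
    return hmac.new(seed, factor.to_bytes(8, "big"), hashlib.sha256).digest()[:DP_LEN]


def split_password(dp: bytes) -> tuple[str, str]:
    """Agreed rule of claim 8: a prefix of preset length becomes letters, the remainder is the
    other half.  The byte-to-letter mapping (b mod 26) and hex for the remainder are assumptions."""
    shown = "".join(LETTERS[b % 26] for b in dp[:PREFIX_LEN])
    typed = dp[PREFIX_LEN:].hex()
    return shown, typed


class Token:
    """Dynamic password token, random-number variant of the dynamic factor (claims 5 and 6)."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._factor: int | None = None

    def press_first(self, factor: int | None = None) -> int:
        """First key press: emit the first value, a fresh random factor (injectable for tests)."""
        self._factor = secrets.randbelow(1 << 32) if factor is None else factor
        return self._factor

    def press_second(self) -> tuple[str, str]:
        """Second key press: third and fourth verification passwords for the current factor."""
        if self._factor is None:
            raise RuntimeError("press_first must come before press_second")
        return split_password(dynamic_password(self._seed, self._factor))


class Server:
    """Service end for steps 304-311: timeout of step 307, lockout from the retry rule."""

    def __init__(self, seeds: dict[str, bytes], timeout_s: float = 60.0, max_failures: int = 3):
        self._seeds = seeds                      # user name -> seed of the bound token
        self._timeout = timeout_s
        self._max_failures = max_failures
        self._pending: dict[str, tuple[str, float]] = {}   # user -> (second verification pw, start)
        self._failures: dict[str, int] = {}
        self._locked: set[str] = set()

    def begin(self, username: str, first_value: int, now: float | None = None) -> str | None:
        """Steps 304-305: derive both halves, keep the second, return the first to the client."""
        if username in self._locked or username not in self._seeds:
            return None
        shown, expected = split_password(dynamic_password(self._seeds[username], first_value))
        self._pending[username] = (expected, time.monotonic() if now is None else now)
        return shown

    def finish(self, username: str, fourth: str, now: float | None = None) -> str:
        """Steps 307-311; returns 'ok', 'timeout', 'mismatch' or 'locked'."""
        if username in self._locked:
            return "locked"
        if username not in self._pending:
            return "mismatch"
        expected, started = self._pending.pop(username)
        now = time.monotonic() if now is None else now
        if now - started > self._timeout:
            return "timeout"                       # step 308
        if fourth.isascii() and hmac.compare_digest(expected, fourth):
            self._failures.pop(username, None)
            return "ok"                            # step 310
        self._failures[username] = self._failures.get(username, 0) + 1
        if self._failures[username] >= self._max_failures:
            self._locked.add(username)             # too many wrong fourth verification passwords
            return "locked"
        return "mismatch"                          # step 311


def user_accepts_server(first_shown: str | None, third_from_token: str) -> bool:
    """User's check in step 306: the service end's first verification password must equal the token's third."""
    return first_shown is not None and hmac.compare_digest(first_shown, third_from_token)


if __name__ == "__main__":
    seed = bytes(range(20))                      # constructed seed shared by token and real service end
    token, real = Token(seed), Server({"alice": seed})
    other = Server({"alice": bytes(20)})         # a site that does not hold the real seed
    fv = token.press_first()
    third, fourth = token.press_second()
    print("real  :", user_accepts_server(real.begin("alice", fv), third))    # True
    print("other :", user_accepts_server(other.begin("alice", fv), third))   # False
    print("login :", real.finish("alice", fourth))                           # ok
```

The second verification password is held only by the service end and never leaves it; what the user types back in step 306 is the token's fourth verification password, so a wrong entry, a late entry and a locked account are distinguished on the service end exactly as steps 308, 310 and 311 require.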
In this embodiment the user may additionally enter a static password through the client host. The service end then verifies the static password together with the fourth verification password; the user's identity is considered legitimate only if both are valid, otherwise the identity is illegitimate and login fails.
By converting a dynamic password into two verification passwords and using them for mutual authentication between the service end and the user, this embodiment improves the resistance of dynamic-password authentication to attacks such as phishing.
Embodiment 4
This embodiment provides an authentication system which, referring to Fig. 4, comprises a dynamic password token 402, a client 404 and a service end 406, whose functions are as follows:
Dynamic password token 402 generates the first value, generates the second dynamic password from the dynamic factor and the pre-stored seed, and converts the second dynamic password into the third and fourth verification passwords according to the agreed rule;
In this embodiment the dynamic password token 402 generates the first value and the second dynamic password when triggered by the user: for example, the first press of a specific key on the token generates the first value and the second press generates the second dynamic password; alternatively, one key generates the first value and a second key generates the second dynamic password;
Client 404 sends the information entered by the user, namely the user name, the first value and the fourth verification password, to the service end 406, and outputs to the user the information returned by the service end 406;
Client 404 is connected to the service end over the Internet and has an input device and an output device. The input device, for example a keyboard, receives the user's input and sends it over the network to the service end 406; the output device, for example a display or an audio player, presents the information received from the service end 406 to the user;
Service end 406 receives the user name and the first value from the client 404, looks up the seed of the dynamic password token 402 bound to that user name, generates the first dynamic password from the first value and the seed, converts it into the first and second verification passwords according to the agreed rule, and returns the first verification password to the client 404 so that the user can confirm that the service end 406 is legitimate by comparing it with the third verification password;
Service end 406 further confirms that the user is legitimate after comparing the fourth verification password with the second verification password and finding them consistent.
The agreed rule is the same in the service end 406 and the dynamic password token 402, so that a legitimate service end and a legitimate token can authenticate each other; the specific rule may be the same as in embodiments 1, 2 or 3 and is not repeated here.
By converting a dynamic password into two verification passwords and using them for mutual authentication between the service end and the user, this embodiment improves the resistance of dynamic-password authentication to attacks such as phishing.
Embodiment 5
This embodiment provides an authentication device, which may be the dynamic password token of the preceding embodiments. Referring to Fig. 5, the device comprises:
Storage module 500, which stores the information needed to generate dynamic passwords, namely the seed, the dynamic-password algorithm, and the agreed rule for converting a dynamic password into verification passwords;
Receiving module 502, which receives confirmation input from the user, for example through keys;
Dynamic password generation module 504, which generates the first value after the receiving module 502 receives the user's first confirmation, and generates the second dynamic password from the dynamic factor and the seed in the storage module 500 after the receiving module 502 receives the user's second confirmation;
Conversion module 506, which converts the second dynamic password generated by the dynamic password generation module 504 into the third and fourth verification passwords according to the agreed rule;
Output module 508, which outputs the first value generated by the dynamic password generation module 504 when the receiving module 502 receives the first confirmation, and outputs the third and fourth verification passwords once the conversion module 506 has produced them, so that the user can confirm that the service end is legitimate by comparing the first verification password generated by the service end with the third verification password, and then return the fourth verification password to the service end.
The storage module of this embodiment may also store the dynamic-password generation count or a generated random number for use in producing the first value;
The conversion module 506 comprises:
a third-verification-password generation unit, which takes a byte string of preset length from the second dynamic password generated by the dynamic password generation module 504 and converts those bytes into letters to form the third verification password;
a fourth-verification-password generation unit, which uses the remainder of the second dynamic password, i.e. the bytes left after the third-verification-password generation unit has taken its prefix, as the fourth verification password.
The dynamic-password algorithm and the conversion algorithm stored in this embodiment are the same as the corresponding algorithms in the preceding embodiments and are not repeated here.
The service end of this embodiment may have the functions of the service end of embodiment 4. By converting the second dynamic password into the third and fourth verification passwords, the device lets the user compare the service end's first verification password with the third verification password and thereby authenticate the service end, preventing attacks by malicious websites such as phishing sites; at the same time the user sends the fourth verification password to the service end, which authenticates the user with it, ensuring that only a legitimate user logs in and thus protecting the user's information and property.
From the above description, the embodiments of the invention achieve the following technical effect:
by converting a dynamic password into two verification passwords, the service end and the user authenticate each other more securely and more reliably, attacks by malicious websites are effectively prevented, and illegitimate users are prevented from logging in to the service end.
Obviously, those skilled in the art will understand that the modules or steps of the invention described above may be implemented with general-purpose computing devices, either concentrated on a single computing device or distributed over a network formed by several computing devices; optionally, they may be implemented as program code executable by a computing device and stored in a storage device for execution, or each may be made into a separate integrated circuit module, or several of the modules or steps may be combined into a single integrated circuit module. The invention is therefore not limited to any particular combination of hardware and software.
The above are only preferred embodiments and do not limit the invention; those skilled in the art may make various changes and variations to it. Any modification, equivalent replacement or improvement made within the spirit and principle of the invention falls within its scope of protection.

Claims (11)

1. An authentication method, characterised in that the method comprises:
the service end receiving a user name and a first value from a client, the first value being obtained from the dynamic factor of a dynamic password token;
the service end looking up the seed of the dynamic password token corresponding to the user name, correcting the dynamic factor of the service end according to the first value, and generating a first dynamic password from the corrected dynamic factor and the seed; converting the first dynamic password into a first verification password and a second verification password according to an agreed rule, and returning the first verification password to the user;
the dynamic password token generating a second dynamic password from its own dynamic factor and the seed pre-stored in it, and converting the second dynamic password into a third verification password and a fourth verification password according to the agreed rule;
the user confirming that the service end is legitimate after comparing the first verification password with the third verification password and finding them consistent, and sending the fourth verification password to the service end;
the service end confirming that the user is legitimate after comparing the fourth verification password with the second verification password and finding them consistent.
2. The method according to claim 1, characterised in that the method further comprises:
the service end determining whether the fourth verification password is received within an agreed time; if so, comparing the fourth verification password with the second verification password; otherwise, sending a password-entry timeout message to the client.
3. The method according to claim 1, characterised in that the method further comprises:
the service end receiving a static password entered by the user;
verifying whether the static password is correct; if it is correct, comparing the fourth verification password with the second verification password; if they are inconsistent, confirming that the user is illegitimate and forbidding the user to log in.
4. The method according to claim 1, characterised in that
the dynamic factor of the dynamic password token is a random number or the number of dynamic passwords the dynamic password token has generated.
5. The method according to claim 4, characterised in that
when the dynamic factor of the dynamic password token is a random number, the first value is that random number;
when the dynamic factor of the dynamic password token is the number of dynamic passwords it has generated, the first value is derived by the dynamic password token from that number.
6. The method according to claim 5, characterised in that
when the dynamic factor of the dynamic password token is a random number, the service end correcting its dynamic factor according to the first value and generating the first dynamic password from the corrected dynamic factor and the seed comprises: the service end taking the received first value as the dynamic factor and generating the first dynamic password from the first value and the seed;
when the dynamic factor of the dynamic password token is the number of dynamic passwords it has generated, the service end correcting its dynamic factor according to the first value and generating the first dynamic password from the corrected dynamic factor and the seed comprises: the service end correcting the generation count it stores according to the first value, and generating the first dynamic password from the corrected generation count and the seed.
7. The method according to claim 1, characterised in that the user name is one or more of a user account, a user identity card number and a user e-mail address.
8. The method according to claim 1, characterised in that converting the first dynamic password into the first verification password and the second verification password according to the agreed rule comprises:
the service end taking a byte string of preset length from the first dynamic password, converting those bytes into letters to form the first verification password, and using the remainder of the first dynamic password as the second verification password;
and correspondingly, converting the second dynamic password into the third verification password and the fourth verification password according to the agreed rule comprises:
the dynamic password token taking a byte string of the same preset length from the second dynamic password, converting those bytes into letters to form the third verification password, and using the remainder of the second dynamic password as the fourth verification password.
9. An authentication system, characterised in that the system comprises:
a dynamic password token, for generating a first value, generating a second dynamic password from a dynamic factor and a pre-stored seed, and converting the second dynamic password into a third verification password and a fourth verification password according to an agreed rule;
a client, for sending the information entered by the user, namely the user name, the first value and the fourth verification password, to a service end, and for outputting to the user the information returned by the service end;
a service end, for receiving the user name and the first value, looking up the seed of the dynamic password token corresponding to the user name, correcting the dynamic factor of the service end according to the first value, generating a first dynamic password from the corrected dynamic factor and the seed, converting the first dynamic password into a first verification password and a second verification password according to the agreed rule, and returning the first verification password to the client, so that the user confirms that the service end is legitimate after comparing the first verification password with the third verification password and finding them consistent;
the service end further confirming that the user is legitimate after comparing the fourth verification password with the second verification password and finding them consistent.
10. An authentication device, characterised in that the device comprises:
a storage module, for storing the information needed to generate dynamic passwords, namely the seed, the dynamic-password algorithm, and the agreed rule for converting a dynamic password into verification passwords;
a receiving module, for receiving confirmation input from the user;
a dynamic password generation module, for generating a first value after the receiving module receives the user's first confirmation, and for generating a second dynamic password from the dynamic factor and the seed in the storage module after the receiving module receives the user's second confirmation;
a conversion module, for converting the second dynamic password generated by the dynamic password generation module into a third verification password and a fourth verification password according to the agreed rule;
an output module, for outputting the first value generated by the dynamic password generation module when the receiving module receives the user's first confirmation, and for outputting the third verification password and the fourth verification password once the conversion module has produced them.
11. The device according to claim 10, characterised in that the conversion module comprises:
a third-verification-password generation unit, for taking a byte string of preset length from the second dynamic password generated by the dynamic password generation module and converting those bytes into letters to form the third verification password;
a fourth-verification-password generation unit, for using the remainder of the second dynamic password, i.e. the bytes left after the third-verification-password generation unit has taken its prefix, as the fourth verification password.
CN2009102446393A 2009-12-31 2009-12-31 Authentication method, system and device Active CN101741852B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN2009102446393A CN101741852B (en) 2009-12-31 2009-12-31 Authentication method, system and device
US13/125,130 US8522024B2 (en) 2009-12-31 2010-12-24 Authentication method, system, and device
PCT/CN2010/080274 WO2011079753A1 (en) 2009-12-31 2010-12-24 Authentication method, authentication trade system and authentication apparatus


Publications (2)

Publication Number Publication Date
CN101741852A CN101741852A (en) 2010-06-16
CN101741852B true CN101741852B (en) 2012-08-08

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101577697A (en) * 2008-05-07 2009-11-11 深圳市络道科技有限公司 Authentication method and authentication system for enforced bidirectional dynamic password
CN101582762A (en) * 2009-04-02 2009-11-18 北京飞天诚信科技有限公司 Method and system for identity authentication based on dynamic password
CN101582763A (en) * 2009-04-02 2009-11-18 北京飞天诚信科技有限公司 Method and system for identity authentication based on dynamic password

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant