CN101815091A - Cipher providing equipment, cipher authentication system and cipher authentication method - Google Patents
Cipher providing equipment, cipher authentication system and cipher authentication method Download PDFInfo
- Publication number
- CN101815091A CN101815091A CN201010122569A CN201010122569A CN101815091A CN 101815091 A CN101815091 A CN 101815091A CN 201010122569 A CN201010122569 A CN 201010122569A CN 201010122569 A CN201010122569 A CN 201010122569A CN 101815091 A CN101815091 A CN 101815091A
- Authority
- CN
- China
- Prior art keywords
- password
- cipher
- providing equipment
- authentication
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The embodiment of the invention provides cipher providing equipment. The cipher providing equipment comprises a cipher acquirement unit, a cipher storage unit, an interface unit and a cipher encryption unit, wherein the cipher acquirement unit is used for acquiring the cipher; the cipher storage unit is used for storing the cipher which is acquired by the cipher acquirement unit in the mode of a cipher storage list, and the cipher storage list is also stored with a cipher identification corresponding to the cipher; the interface unit is used for receiving an authentication request containing the cipher identification and sending the encrypted cipher ciphertext into the cipher providing equipment for authentication; and the cipher encryption unit is used for analyzing the cipher identification from the authentication request, inquires the cipher corresponding to the cipher identification from the cipher storage list, encrypts the cipher and sends the encrypted cipher ciphertext into the cipher providing equipment by the interface unit for authentication. The invention also provides a cipher authentication system and a cipher authentication method, and realizes the effect that one cipher providing equipment is suitable for various authentication systems, thus improving authentication system safety and bringing convenience for users to manage and use authentication equipment.
Description
Technical field
The present invention relates to field of information security technology, more specifically, relate to a kind of cipher providing equipment, cipher authentication system and cipher authentication method.
Background technology
Along with constantly popularizing of network application, people often need visit various websites, as e-bank, electronic business transaction, send and receive e-mail (Email), online chat, online game etc.Before Website login, all need the user to import the username and password of oneself usually.Yet, exist various viruses at present on the net, can when the user inputs password, stealthily note the character that the user imports by keyboard, thereby steal user's password, this just brings very big risk to the user.
Just because of above reason, the higher authentication method of multiple fail safe has appearred at present, as: dynamic token, USB-Key certificate verification etc.But all there is a problem in the authentication method of these two kinds of high securities, and that is exactly that a client certificate equipment (dynamic token or USB-Key) can only be used for a Verification System.Such as: if user has the online number of the account of two tame different banks, then he just needs two corresponding client certificate equipment.This problem has not only increased user's expense, returns the user and all brought great inconvenience on use and administrative authentication equipment.
Summary of the invention
Embodiment of the present invention proposes a kind of cipher providing equipment, can be applicable to a plurality of Verification Systems.Embodiment of the present invention also proposes a kind of cipher authentication system, has realized the technique effect of a cipher providing equipment corresponding to a plurality of Verification Systems.Embodiment of the present invention also proposes a kind of cipher authentication method, has realized the technique effect of a cipher providing equipment corresponding to a plurality of Verification Systems.
Technical scheme of the present invention is achieved in that a kind of cipher providing equipment, and this cipher providing equipment comprises interface unit, password acquiring unit, password memory cell and password encryption unit, and wherein: the password acquiring unit is used to obtain password; The password memory cell is used for storing the password that is obtained by the password acquiring unit with the form of password storage list, also stores the cipher mark corresponding to described password in the described password storage list; Interface unit is used to receive the authentication request that comprises cipher mark, and the password ciphertext of encrypting sent to is used for authentication outside the described cipher providing equipment; The password encryption unit, be used for parsing cipher mark from described authentication request, from described password storage list, inquire password corresponding to described cipher mark, and described password encrypted, the password ciphertext after will encrypting then sends to by interface unit and is used for authentication outside the described cipher providing equipment.A kind of cipher authentication system, this cipher authentication system comprises cipher providing equipment, Authentication Client and certificate server, wherein: cipher providing equipment, be used for the form of password storage list storage password and corresponding to the cipher mark of password, and from described password storage list, inquire password corresponding to user-selected cipher mark, according to cryptographic algorithm described password is encrypted, the password ciphertext after encrypting is sent to described certificate server by Authentication Client be used for authentication; Authentication Client is used for obtaining from cipher providing equipment the cipher mark of tabulation, and the cipher mark that will tabulate is shown to the user, selects cipher mark for the user from this tabulation; Certificate server, be used for the password that stores synchronized is preserved in cipher providing equipment, and according to the cryptographic algorithm identical with cipher providing equipment to encrypting corresponding to the password of user-selected cipher mark, and the password ciphertext that generates when this certificate server and the cipher providing equipment password ciphertext of sending is when identical, and the password that the judgement cipher providing equipment provides is correct.A kind of cipher authentication method, this method comprises: cipher providing equipment is with the form of password storage list storage password and corresponding to the cipher mark of password, the password that the certificate server stores synchronized is preserved in cipher providing equipment; Authentication Client obtains the cipher mark of tabulation from cipher providing equipment, and the cipher mark that will tabulate is shown to the user, selects cipher mark for the user from this tabulation; Cipher providing equipment inquires the password corresponding to user-selected cipher mark from described password storage list, and according to cryptographic algorithm described password is encrypted, and the password ciphertext after will encrypting then sends to described certificate server and is used for authentication; Certificate server according to the cryptographic algorithm identical with cipher providing equipment to encrypting corresponding to the password of user-selected cipher mark, and the password ciphertext that generates when this certificate server and the cipher providing equipment password ciphertext of sending is when identical, and the password that the judgement cipher providing equipment provides is correct.
From technique scheme as can be seen, in embodiment of the present invention, cipher providing equipment is with the data structure storage password of password storage list, and from the password storage list, inquiring password according to the cipher mark that parses by authentication request, the password ciphertext after will encrypting again sends to and is used for authentication outside the cipher providing equipment.This shows that because single cipher providing equipment can be preserved a plurality of passwords corresponding to the different authentication system, therefore single cipher providing equipment can be applicable to a plurality of Verification Systems.The cost that this had just both reduced the client hardware authenticating device has made things convenient for management and the use of user to authenticating device again.And Authentication Client can only obtain " password is described tabulation " from cipher providing equipment, wherein only comprises information such as password ID and password descriptor, does not comprise the True Data of password, therefore the fail safe that has improved Verification System.And, provide equipment to preserve password owing to access to your password, the password of longer figure place can be set, thereby reduce password by the possibility of Brute Force, further improved the fail safe of Verification System.
Not only in this, the cryptosync of embodiment of the present invention also can be given the bringing great convenience property of operation and the fail safe of user's maintain cryptographic.
Description of drawings
Fig. 1 is the cipher providing equipment structural representation according to embodiment of the present invention;
Fig. 2 is the structural representation according to the cipher authentication system of embodiment of the present invention;
Fig. 3 is first kind of cipher providing equipment structural representation according to embodiment of the present invention;
Fig. 4 is the password editing system structural representation according to first kind of cipher providing equipment of embodiment of the present invention;
Fig. 5 is second kind of cipher providing equipment structural representation according to embodiment of the present invention;
Fig. 6 is the cipher authentication method schematic flow sheet according to embodiment of the present invention;
Fig. 7 is cipher authentication method schematic flow sheet according to the preferred embodiment of the present invention;
Fig. 8 is the exemplary detail flowchart that cipher providing equipment is calculated the password ciphertext among Fig. 7;
Fig. 9 is the exemplary detail flowchart of certificate server authentication password ciphertext among Fig. 7;
Figure 10 is the cryptosync mode schematic diagram according to the cipher providing equipment of embodiment of the present invention and cipher authentication system;
Figure 11 is the system configuration schematic diagram that network carries out cryptosync that passes through according to the cipher providing equipment of embodiment of the present invention and cipher authentication system;
Figure 12 is the cryptosync process flow schematic diagram according to the employing rivest, shamir, adelman of embodiment of the present invention;
Figure 13 is the cryptosync process flow schematic diagram according to the employing symmetric encipherment algorithm of embodiment of the present invention;
Figure 14 is according to the direct-connected mode cryptosync of the equipment of embodiment of the present invention system configuration schematic diagram;
Figure 15 is according to the direct-connected mode cryptosync of the equipment of embodiment of the present invention flow chart;
Figure 16 is the method flow schematic diagram that the password of first kind of cipher providing equipment according to the preferred embodiment of the present invention produces and preserves.
Embodiment
Express clearlyer for the purpose, technical scheme and the advantage that make embodiment of the present invention, the present invention is further described in more detail below in conjunction with the drawings and the specific embodiments.
Fig. 1 is the cipher providing equipment structural representation according to embodiment of the present invention.
As shown in Figure 1, this cipher providing equipment 100 comprises interface unit 101, password acquiring unit 102, password memory cell 103 and password encryption unit 104, and wherein: password acquiring unit 102 is used to obtain password; Password memory cell 103 is used for storing the password that is obtained by password acquiring unit 102 with the form of password storage list, also stores the cipher mark corresponding to described password in the described password storage list; Interface unit 101 is used to receive from outside the cipher providing equipment 100 and comprise the authentication request of cipher mark, and the password ciphertext of encrypting sent to is used for authentication outside the described cipher providing equipment 100; Password encryption unit 104, be used for parsing cipher mark from described authentication request, from described password storage list, inquire password corresponding to described cipher mark, and described password encrypted, the password ciphertext after will encrypting then sends to by interface unit 101 and is used for authentication outside the described cipher providing equipment 100.
As seen, in the password storage list of password memory cell 103, can store password, thereby be applicable to a plurality of Verification Systems corresponding to a plurality of Verification Systems.In a preferred implementation, interface unit 101 is connected with outer cipher editing equipment (not illustrating among Fig. 1).At this moment, password acquiring unit 102 is used for obtaining password by described interface unit 101 from described outer cipher editing equipment.And in a further preferred embodiment, this cipher providing equipment 100 further is included in the mode switch element of switching between password obtaining mode and the cipher authentication pattern.This mode switch element is used for when working in the password obtaining mode, excites described password acquiring unit 102 to obtain password by described interface unit 101 from described outer cipher editing equipment; And when working in the cipher authentication pattern, excite after described password encryption unit 104 will be encrypted the password ciphertext by interface unit 101 send to be used for outside the described cipher providing equipment 100 authentication.In another preferred implementation, can self produce password by cipher providing equipment 100.At this moment, password acquiring unit 102 is used for producing password according to the predetermined cipher generating algorithm.
Further, in authentication request, can also comprise challenge code.At this moment, password encryption unit 104, be used for parsing cipher mark and challenge code from authentication request, from the password storage list of password memory cell 103, inquire password again corresponding to described cipher mark, and according to challenge code and hash (HASH) function password is encrypted, the password ciphertext after will encrypting then sends to by interface unit 101 and is used for authentication outside the described cipher providing equipment 100.Preferably, this cipher providing equipment 100 further comprises cryptosync unit (not illustrating among Fig. 1).This cryptosync unit is used for the cryptosync that password memory cell 103 is preserved is saved in each Verification System outside the described cipher providing equipment 100.
Based on cipher providing equipment shown in Figure 1, Fig. 2 is the structural representation according to the cipher authentication system of embodiment of the present invention.As shown in Figure 2, this cipher authentication system 200 comprises cipher providing equipment 201, Authentication Client 202 and certificate server 203, wherein: cipher providing equipment 201, be used for the form of password storage list storage password and corresponding to the cipher mark of password, and from described password storage list, inquire password corresponding to user-selected cipher mark, according to cryptographic algorithm described password is encrypted, the password ciphertext after encrypting is sent to described certificate server 203 by Authentication Client 202 be used for authentication; Authentication Client 202 is used for obtaining from cipher providing equipment 201 cipher mark of tabulation, and the cipher mark that will tabulate is shown to the user, selects cipher mark for the user from this tabulation; Certificate server 203, be used for the password that stores synchronized is preserved in cipher providing equipment 201, and according to the cryptographic algorithm identical with cipher providing equipment 201 to encrypting corresponding to the password of user-selected cipher mark, and the password ciphertext that generates when this certificate server 203 and the cipher providing equipment 201 password ciphertext of sending is when identical, and the password that judgement cipher providing equipment 201 provides is correct.
Such as, can comprise database in the certificate server 203, store user account in this database and corresponding to the password of user account.The user can import user account on Authentication Client 202, Authentication Client 202 sends to user account certificate server 203 again, certificate server 203 is inquired about password corresponding to this user account according to the user account that receives in database then, according to the cryptographic algorithm identical the password that inquires is encrypted again with cipher providing equipment 201, and the password ciphertext that generates when this certificate server 203 and the cipher providing equipment 201 password ciphertext of sending is when identical, and the password of this user account correspondence that judgement cipher providing equipment 201 provides is correct.
More than listed the mode that transmits user accounts by Authentication Client 202, made the mode of certificate server 203 inquiring user passwords, but embodiment of the present invention is not limited thereto.In the practical application, may exist multiple user account to send to the mode of certificate server 203, such as directly sending user accounts to certificate server 203 by cipher providing equipment 201, or the like, these execution modes all should comprise within the scope of the present invention.
In specific implementation, preferred, certificate server 203 can be the server that is used for the authenticated user identity, preserves user's number of the account and password therein.Authentication Client 202 is a kind of software that operates on the client computer, can provide login interface for the user, and carries out protocol interaction with certificate server 203 and cipher providing equipment 201, finishes user's authentication.
Provide before equipment carries out cipher authentication accessing to your password, the preparation that a necessity is arranged: that is exactly that the password that will be preserved in the cipher providing equipment similarly is set to (promptly synchronous) in the corresponding certificate server, could guarantee that like this certificate server carries out correct authentication, this problem is called " cryptosync " problem.The embodiment of the present invention back will provide total solution to this, crossed by synchronous at this first password of supposing that cipher providing equipment and certificate server are preserved.
One preferred embodiment in, realize cryptosync (below will the method for synchronization between cipher providing equipment 201 and the certificate server 203 being described in more details) by the direct-connected mode of equipment, the network interconnection mode that adopts symmetric encipherment algorithm, the network interconnection mode that adopts rivest, shamir, adelman or the manual method of synchronization of user between cipher providing equipment 201 and the certificate server 203.
In embodiment of the present invention, the password storage list stores password and corresponding to the cipher mark of password, wherein cipher mark can comprise cipher mark symbol and/or password descriptor.No matter be cipher mark symbol or password descriptor, all corresponding with password.
Such as, in cipher providing equipment, the preferred employing preserved user's password as the data structure of following table 1 form:
Table 1
| ID (identifier) | Descriptor (descriptor) | Password (password) |
| ??1 | ??JiaotongBank | ??123456789 |
| ??2 | ??ICBCBank | ??e9139d1e6ee064ef8cf514fc7d??c83e86 |
| ??3 | ??ABCBank | ??750c783e6ab0b503eaa86e310??a5db738 |
Wherein:
ID: being identifier field, is an integer, is used for an encrypted message record in the unique identification password storage list.Descriptor: being the password descriptor field, is a character string, is the name of user to password, is used for describing the pairing account information of password.Password: being password field, is the character string as code data.Bigger length can be set according to the security needs of user and cryptographic algorithm.
It will be appreciated by those of skill in the art that and to preserve password and cipher mark according to the form of multiple form that embodiment of the present invention is to this and indefinite.Based on structure shown in Figure 1, cipher providing equipment can be a kind of small-sized electronic equipment, has the ability of computations and storage password, and it can link to each other with computer equipment by interface.Embodiment of the present invention can conversion goes out the cipher providing equipment of various ways.
Such as, Fig. 3 is first kind of cipher providing equipment structural representation according to embodiment of the present invention.As shown in Figure 3, first kind cipher providing equipment comprises interface unit 301, computing unit 302, password memory cell 303, password acquiring unit 304, mode switch button 305, edit pattern indicator light 306 and certification mode indicator light 307, wherein each unit is described in detail as follows respectively: interface unit 301: be the electronic module that is used to connect external computer device, can be but be not limited to existing USB interface, serial ports, parallel port, network interface etc. in the present prior art.Computing unit 302: be electronic module with algorithm calculations and logical calculated ability, in embodiment of the present invention, computing unit 302 can by hardware or software provide and external computer system between function such as communication, cryptographic algorithm, management equipment operation.In this cipher providing equipment of first kind, computing unit 302 can also obtain authentication request by interface unit 301, from authentication request, parse cipher mark, from the password storage list of password memory cell 303, inquire password corresponding to cipher mark, and password encrypted, the password ciphertext after will encrypting then sends to by interface unit 301 and is used for authentication outside the cipher providing equipment.At this moment, computing unit 302 has been realized the function of password encryption unit 102 among Fig. 1.Password memory cell 303: be electronic module, can be but be not limited to existing Flash memory in the present prior art, magnetic disc store etc. with lasting (or non-volatile) storage capacity.Password acquiring unit 304: be the unit that generates code data for the user, can realize generating code data with software or hardware.The algorithm that password acquiring unit 304 generates code data can have multiple, and the present invention does not limit, and is preferably Hash HASH algorithm.The user can by with computer that equipment links to each other on software trigger password acquiring unit 304 and carry out computing functions, generate the random number password of designated length for the user.Mode switch button 305: but the button of a manual control provided in the appearance of cipher providing equipment, be used to switch the operation of entire equipment pattern.By this button equipment can be set and be in " edit pattern " or " certification mode ".Edit pattern indicator light 306: when the user placed " edit pattern " with equipment, this indicator light was just bright, otherwise for going out.When equipment was in " edit pattern ", equipment provided the function of password in editor and the preservation equipment to external computer system by interface.Certification mode indicator light 307: when the user placed " certification mode " with equipment, this indicator light was just bright, otherwise for going out.When equipment was in " certification mode ", equipment externally provided the cipher authentication function by interface unit 301; Receive the parameter of external computer system input, output adds overstocked code data.Under this pattern, the user can't expressly read and operation such as editor the password in the password memory cell 303.
Adopt above-mentioned double mode working method, help protecting the safety of password.Generally speaking, the cipher providing equipment of this kind execution mode works under " certification mode ", and the virus in the computer just is difficult to read by equipment interface the plaintext of user cipher like this.When the user need revise password in the cipher providing equipment, by " mode switch button " announcement apparatus clearly: " user will revise password ", the equipment this moment external plaintext of output password, and the permission user makes amendment to it and preserves.
First kind cipher providing equipment also needs to provide following subfunctions, so that used effectively.Preferably, this subfunction comprises the input of password.Because first kind cipher providing equipment itself does not provide keyboard and display, so can not carry out alternately with the user.Thereby editor depends on the outside computer equipment that links to each other with the preservation password on first kind cipher providing equipment.
Fig. 4 is the password editing system structural representation according to first kind of cipher providing equipment of embodiment of the present invention.As seen from Figure 4, this first kind of cipher providing equipment links to each other with the computer with keyboard and display.
The process of this first kind of cipher providing equipment editor and preservation password is as follows:
At first, this first kind of cipher providing equipment is connected by the computer system of interface module with the outside.Then, move one on computers and be called as the program of " password edit cell ", this program can be carried out communication by interface module and first kind of cipher providing equipment.Then, operation " mode switch button " places " edit pattern " with first kind of cipher providing equipment.Again then, the interface that " the password edit cell " on the computer opened Edit Password for the user allows the user to set up new password, revise original password, carries out the operation of preserving password then.Under " edit pattern ", " password edit cell " passed to this first kind of cipher providing equipment with amended code data and preserved.
In first kind of cipher providing equipment, cause leaking of password for fear of device losses, the PIN code protection mechanism can be set in equipment.The PIN code protection mechanism has been a kind of common electronic equipment guard method, can comprise following function items:
(1) in device power, perhaps for the first time during access means, equipment requirements external system or user provide password to external computer system.Have only the correct password of input, equipment just can externally provide normal function; Otherwise equipment will not worked.
(2) number of times of password is attempted in restriction.After the number of times of continuous input error password had surpassed a threshold value, equipment no longer worked on locked.
More than describe the concrete structure of first kind of cipher providing equipment in detail, describe the detailed structure of second kind of cipher providing equipment below in detail.Fig. 5 is second kind of cipher providing equipment structural representation according to embodiment of the present invention.As shown in Figure 5, this second kind of cipher providing equipment comprises interface unit 501, computing unit 502, password memory cell 503, password encryption unit 504, display unit 505 and keyboard unit 506.Here, display unit 505 and the keyboard unit 506 password acquiring unit 102 that combines and be equivalent to Fig. 1.Wherein each unit is described in detail as follows respectively:
Interface unit 501: be the electronic module that is used to connect external computer device, can be but be not limited to existing USB interface, serial ports, parallel port, network interface etc. in the present prior art.Computing unit 502: be electronic module with algorithm calculations and logical calculated ability, in embodiment of the present invention, computing unit 502 can by hardware or software provide and external computer system between function such as communication, cryptographic algorithm, management equipment operation.Different with first kind of cipher providing equipment, the password that this computing unit 502 will limit the plaintext form transfers out from interface unit 501.Second kind of cipher providing equipment is owing to the function that has carried the input password, so do not need to open to outer computer the function of Edit Password.Password memory cell 503: be electronic module, can be but be not limited to existing Flash memory in the present prior art, magnetic disc store etc. with lasting (or non-volatile) storage capacity.Password encryption unit 504, obtain authentication request by interface unit 501, from authentication request, parse cipher mark, from the password storage list of password memory cell 503, inquire password corresponding to cipher mark, and password encrypted, the password ciphertext after will encrypting then sends to by interface unit 501 and is used for authentication outside the cipher providing equipment.The user can pass through display unit 505 and keyboard unit 506, generates the random number password of designated length for the user.Carried display unit 505 in 505: the second kinds of cipher providing equipment of display unit, this unit can be present existing small-sized LCD.Carried keyboard unit 506 in 506: the second kinds of cipher providing equipment of keyboard unit, the button of importing various characters is provided above, and the function key that triggers specific function.
Compare with first kind of cipher providing equipment, second kind of cipher providing equipment had with the user carries out ability of man-machine interaction.The user just can not input password by computer like this, and uses special-purpose input equipment to input password to cipher providing equipment, thus the possibility of having avoided password in input process, to be stolen by virus.
Second kind of cipher providing equipment do not need special " edit pattern ", just do not needed " mode switch button " and " pattern indicator light " yet.In addition, second kind of cipher providing equipment preferably also has and first kind of identical or similar password storage list of cipher providing equipment and PIN code protection mechanism.Second kind of cipher providing equipment be not owing to needing to obtain clear-text passwords from outer computer, so the fail safe of preservation password is than first kind of cipher providing equipment height; But owing to carried display and keyboard, so the cipher providing equipment volume is big and cost is high than first kind for second kind of cipher providing equipment.
Based on above-mentioned detailed introduction to cipher providing equipment and cipher authentication system, embodiment of the present invention has also proposed a kind of cipher authentication method.Fig. 6 is the cipher authentication method schematic flow sheet according to embodiment of the present invention.As shown in Figure 6, this method comprises:
Step 601: cipher providing equipment is with the form of password storage list storage password and corresponding to the cipher mark of password, the password of being preserved in the certificate server stores synchronized cipher providing equipment.
Step 602: Authentication Client obtains the cipher mark of tabulation from cipher providing equipment, and the cipher mark that will tabulate is shown to the user, selects cipher mark for the user from this tabulation.
Step 603: cipher providing equipment inquires the password corresponding to user-selected cipher mark from described password storage list, and according to cryptographic algorithm described password is encrypted, the password ciphertext after will encrypting then sends to described certificate server and is used for authentication.
Step 604: certificate server according to the cryptographic algorithm identical with cipher providing equipment to encrypting corresponding to the password of user-selected cipher mark, and the password ciphertext that generates when this certificate server and the cipher providing equipment password ciphertext of sending is when identical, and the password that the judgement cipher providing equipment provides is correct.
In above-mentioned flow process, certificate server can further provide challenge code by Authentication Client to cipher providing equipment, this moment, step 603~step 604 was specially: cipher providing equipment inquires the password corresponding to described cipher mark from described password storage list, and according to challenge code and hash HASH function described password is encrypted, the password ciphertext after will encrypting then sends to certificate server and is used for authentication; Certificate server according to described HASH function and challenge code to encrypting corresponding to the password of user-selected cipher mark, and the password ciphertext that generates when this certificate server and the cipher providing equipment password ciphertext of sending is when identical, and the password that the judgement cipher providing equipment provides is correct.
Though be that example is illustrated cryptographic algorithm with the Hash function herein, it will be appreciated by those of skill in the art that the application's cryptographic algorithm is not limited to the Hash function, but can be cryptographic algorithm arbitrarily.Based on the flow process of Fig. 6, below various concrete execution modes are elaborated.Fig. 7 is cipher authentication method schematic flow sheet according to the preferred embodiment of the present invention.As shown in Figure 7, this method comprises:
The first step: logging request;
At first send a logging request message to certificate server here, by Authentication Client.
Second step: login is replied;
Here, certificate server has been set up a session (being a kind of state recording) for this login activity, and session has distributed that unique integer is used for identifying this conversation recording in the system for this reason, and this integer is called as session id; For this login sessions produces a random number, be called as " challenge code " simultaneously, this challenge code be kept in the conversation recording of certificate server; Certificate server returns a login response message to Authentication Client then, has wherein comprised " session id " and " challenge code " two parameters.
The 3rd step: obtain password and describe tabulation;
Here, Authentication Client sends request to cipher providing equipment, obtains " password is described tabulation " in the cipher providing equipment.
The 4th step: return password and describe tabulation;
Here, cipher providing equipment is returned one to Authentication Client and is called as the data block of " password is described tabulation ", has wherein only comprised the password ID in the password storage list and the information of two fields of password descriptor.
Wherein: the exemplary data structure of " password is described tabulation " is as shown in table 2 below:
Table 2
| ID (identifier) | Descriptor (descriptor) |
| ??1 | ??JiaotongBank |
| ??2 | ??ICBCBank |
| ??3 | ??ABCBank |
The 5th step: input user account;
On the login interface of Authentication Client, import the number of the account of login system here, by the user.
The 6th step: display password is described tabulation;
Here, Authentication Client has shown one " password is described tabulation " to the user, only comprises the information of password ID and password descriptor therein, selects the password that will use for the user.
The 7th step: select authentication password;
Here, the user selects a password in " password is described tabulation ", login current Verification System with this password.And give Authentication Client with the result notification of selecting.
The 8th step: request password ciphertext;
Here, Authentication Client is determined the password ID of this password correspondence according to the situation of user-selected password, sends the message of " request password ciphertext " then to cipher providing equipment, has comprised two parameters of " password ID " and " challenge code " in this message.
The 9th step: reply code ciphertext;
Here, cipher providing equipment is searched corresponding password storage item according to the password ID that receives in the password storage list, find the corresponding password 1 of password ID therewith.
Then, the numerical value of this password 1 of use and challenge code carry out certain computations as input parameter in the password encryption unit.The preferred hmac algorithm that uses in embodiment of the present invention.So just obtained the ciphertext of a password 1.Fig. 8 is the exemplary detail flowchart that cipher providing equipment is calculated the password ciphertext among Fig. 7.
At last, by cipher providing equipment the ciphertext of password 1 is sent to Authentication Client by message.
The tenth step: authentication request;
Here, Authentication Client sends authentication request message to certificate server, has comprised the parameters such as ciphertext of session id, user account, password therein.
The 11 step: authentication response;
Here, certificate server therefrom finds corresponding challenge code again according to the conversation recording of the session id in the authentication request message in the database lookup correspondence of this locality; Then, the number of the account according to the user finds corresponding code data in account database again, is designated as password 2; Then, certificate server access to your password 2 and challenge code as input parameter, adopt the cryptographic algorithm the same to carry out computations with cipher providing equipment, obtain the ciphertext of password 2.At last, whether the ciphertext of the ciphertext of certificate server password comparison 1 and password 2 is seen identical.If identical, think that then the user provides correct password, just send the response message of authentication success to Authentication Client; Otherwise, just think that the password that the user provides is wrong, send the response message of authentification failure to Authentication Client.Fig. 9 is the exemplary detail flowchart of certificate server authentication password ciphertext among Fig. 7.
In above verification process, the plaintext that does not occur password in the data of being transmitted between Authentication Client and the cipher providing equipment, the data such as ciphertext of password ID, password descriptor and password only occur, thereby guaranteed the fail safe that password uses in the verification process.
As aforementioned, need to keep the synchronous of password between cipher providing equipment and the cipher authentication system.In further detail the cryptosync between cipher providing equipment and the cipher authentication system is described below.For first kind of cipher providing equipment, it is longer that the user can produce figure place by certain software that generates password, and the password that complexity is higher is saved in the password that generates in first kind of cipher providing equipment by " password edit cell " then.For second kind of cipher providing equipment, the password acquiring unit that the user can access to your password provides equipment to carry produces and preserves password.Then, the user also needs the new password that cipher providing equipment is preserved is synchronized in the corresponding Verification System.
The method of Synchronizing Passwords has multiplely between cipher providing equipment and cipher authentication system, comprises that mainly the user is manual synchronously, the network interconnection is synchronous and equipment is direct-connected synchronously.
Figure 10 is the cryptosync mode schematic diagram according to the cipher providing equipment of embodiment of the present invention and cipher authentication system.In the manual method of synchronization of user, each password under the user record in the cipher providing equipment is as writing on password on the paper; The user as bank counter, imports the password that is write down by hand on the terminal that corresponding Verification System provided then, thereby each password and the corresponding Verification System that keep preserving in the cipher providing equipment are consistent.Network interconnection mode synchronously in, the user upgrades the mode of operation of user cipher by network communication, employed network can be various wired or wireless network systems.Use network to transmit the password that will upgrade, bring very big facility can for the operation of user's Synchronizing Passwords.But this mode of operation also exists very big insecurity.
Because cipher providing equipment is a kind of portable miniaturized electronics, the general network communication function that complexity is not provided, so just cipher providing equipment need be linked to each other with computer, carry out communication by the network capacity of " telecommunication customer end " software and computer and long-range Verification System.Because Virus and the hacker in the network in the computer can monitor by process, intercept and capture communication packet.And then message made amendment, send the message that is forged to communication two party then, thereby under the situation that communication two party is discovered not, stolen user's true password.
In order to protect the fail safe of cryptosync process effectively, need whole communication system to accomplish:
(1) communication two party can both be verified the data that received, with the integrality and the credible wilfulness of proof data.Wherein the integrality of data is meant that message is not distorted in communication process, and the final data that the recipient received are consistent with the initial data that transmit leg is sent.The credible wilfulness of data is meant that the recipient can verify the data of being received from legal communication side, the data that can use the other side to transmit relievedly.Guarantee the integrality and the credible wilfulness of communication data, generally all adopt hmac algorithm at communication field.Because hmac algorithm has the effect of calculating message digest, so can be used for verifying the integrality of communication packet.In addition, hmac algorithm requires communication two party to use common key, by checking HMAC value, can be sure of whether the other side has and own identical key parameter, thereby determine that whether message is from communication side trusty.
In general data communication system, need communication two party before communication begins, to use key agreement protocol to consult the key parameter of HMAC.This is the process of a more complicated, is a bigger computing cost to cipher providing equipment, implements the comparison difficulty.Yet; in the cipher authentication system that uses cipher providing equipment of the present invention; because communication two party (cipher providing equipment and Verification System) is all held identical user cipher; and this key is finely private protected; can do not stolen, thereby the user cipher that provides in the equipment to be preserved of can accessing to your password is as the required key parameter of hmac algorithm by hacker in the network and computer virus.The present invention will propose the method for safely carrying out of cipher providing equipment by the Network Synchronization password on this basis.
(2) communication process is encrypted, and encryption key is difficult for being cracked by the third party;
Particularly, embodiment of the present invention can provide the cryptosync method of two kinds of network modes, is respectively: the cryptosync method that (a) adopts rivest, shamir, adelman; (b) the cryptosync method of employing symmetric encipherment algorithm.
Figure 11 is the system configuration schematic diagram that network carries out cryptosync that passes through according to the cipher providing equipment of embodiment of the present invention and cipher authentication system.As shown in figure 11, this system comprises: (1) cipher providing equipment: first kind or second kind of cipher providing equipment being preferably embodiment of the present invention.(2) cryptosync client: be a software that operates on the client computer, be mainly used in the communication packet of transmitting between cipher providing equipment and the Verification System, and the function of client identity authentication is provided.(3) cryptosync unit: be a module in the Verification System, be used for externally providing the network service of Synchronizing Passwords.(4) login unit: be the module of being responsible for the identifying user identity authenticity in the Verification System.(5) CA: be the CA service module of Verification System, depositing public key certificate and the corresponding private key of Verification System CA therein.(annotate: this module is useful to " adopting the cryptosync method of rivest, shamir, adelman ", and is useless to " adopting the cryptosync method of symmetric encipherment algorithm ".) (6) account database: the storage accounts database of information, preserved information such as user's number of the account and password therein.
Following elder generation is once described the cryptosync process of asymmetric encryption.Figure 12 is the cryptosync process flow schematic diagram according to the employing rivest, shamir, adelman of embodiment of the present invention.In Figure 12, establishing the original login password of user is Key1, and the ID value in cipher providing equipment is Key_ID1; The user is newly-generated password Key2, the ID value in cipher providing equipment is Key_ID2.And, in the bracket of the message back of Figure 12, comprised the entrained major parameter of message.
As shown in figure 12, this method comprises:
The first step: network entry operation;
Here, the user adopts described the accessing to your password of embodiment of the present invention that the authentication method of equipment is provided, and by cryptosync client accession authorization system, carries out relevant register.
Second step: record login password ID (Key_ID1);
Here, in login process, the user need describe the tabulation from password and select login password, and the cryptosync client will be noted user's login password ID this moment, and this ID is designated as Key_ID1.
The 3rd step: network entry request;
Here, the cryptosync client provides the authentication method of equipment according to described the accessing to your password of embodiment of the present invention, submits the network entry request to the login unit of Verification System.
The 4th step: network entry is replied;
Here, the login unit of Verification System authentication information that the cryptosync client is submitted to is verified.If the verification passes, then permit user's login, and notice cryptosync unit users is legal; Otherwise login with regard to refusing user's.
The 5th step: cryptosync begins request;
Here, the cryptosync client sends beginning cryptosync request of operating to the cryptosync unit of Verification System.
The 6th step: cryptosync begins to reply (public key certificate, identifying code VC1);
Here, the cryptosync unit returns the response message that cryptosync begins to ask to the cryptosync client.The public key certificate that has wherein comprised Verification System CA, and the identifying code of public key certificate, this identifying code is designated as VC1, the computing formula of VC1:
(h) formula 1 for Cert, Key1 for VC1=HMAC
Wherein:
The public key certificate data of Cert: Verification System CA;
Key1: the login password that the user is current;
H: certain hash algorithm, as md5, sha1 etc.Need adopt identical algorithm with the cipher providing equipment agreement.
The 7th step: public key certificate message (public key certificate, VC1, Key_ID1)
Here, the cryptosync client is to public key certificate and the identifying code VC1 thereof of cipher providing equipment forwarding from Verification System, and the ID value Key_ID1 of the user login code that is write down in second step.
The 8th step: checking is also preserved public key certificate;
Here, cipher providing equipment finds the concrete data Key11 of password according to Key_ID1, and this Key11 should be identical with the Key1 in the 6th step.
Cipher providing equipment adopts formula 1 then, and identical hash algorithm h, the public key certificate of receiving is carried out HMAC calculate, and has obtained identifying code VC11.If VC11 is identical with VC1, the integrality that public key certificate then is described does not have destroyed in transmission course, the certification authentication success; This indicates that also the server of far-end has the password Key1 identical with Key11 simultaneously, and the other side can trust, and can use received public key certificate.Cipher providing equipment will be kept at this public key certificate in the internal memory of equipment, in order to the usefulness of subsequent operation.Otherwise, just illustrate that public key certificate is replaced or revises, the certification authentication failure.
The 9th step: certificate verification result;
Here, cipher providing equipment is with the checking result notification cryptosync client of public key certificate.If be proved to be successful, the cryptosync client will continue the operation of back, otherwise with regard to termination codon simultaneous operation.
The tenth step: the request password is described tabulation;
Here, the cryptosync client sends message to cipher providing equipment, and the request password is described tabulation.
The 11 step: return password and describe tabulation;
Here, cipher providing equipment is returned password to the cryptosync client and is described tabulation, and the structure of table is as shown in table 2.
The 12 step: display password is described tabulation;
Here, the cryptosync client is described tabulation to user's display password.
The 13 step: select new password ID (Key_ID2);
Here, before the operation of carrying out Synchronizing Passwords, the user has generated new password and it has been kept among the cipher providing equipment, and establishing this password is Key2, and corresponding ID is Key_ID2.
In current step, the user just can describe the new password of selecting the Key_ID2 representative the tabulation from password, and notifies the cryptosync client with selection result.
The 14 step: the ciphertext of request new password (Key_ID1, Key_ID2);
Here, the cryptosync client sends message to cipher providing equipment, request obtain Key_ID2 the ciphertext of corresponding password, also carrying the ID value Key_ID1 that the current accession authorization system of user is accessed to your password in this message.
The 15 step: the ciphertext (new password ciphertext, identifying code VC2) of returning new password
Here, cipher providing equipment is at first searched corresponding new password data according to Key_ID2, is designated as Key2; Use the PKI in the public key certificate of certificate server CA then, adopt with server end and arrange consistent rivest, shamir, adelman, Key2 is encrypted, just obtained the ciphertext of new password.
In order to make Verification System can verify the integrality of new password, cipher providing equipment will be the additional identifying code of the ciphertext of new password, and this identifying code is designated as VC2, and the computing formula of VC2 is:
(h) formula 2 for CK2, Key1 for VC2=HMAC
Wherein:
CK2: be the asymmetric encryption ciphertext of new password Key2.
Key1: be the used password of the current accession authorization system of user.Cipher providing equipment can find the data of Key1 according to parameter K ey_ID1.
H: certain hash algorithm, as md5, sha1 etc., consistent with the employed algorithm of server end.
At last, cipher providing equipment sends to the cryptosync client with the ciphertext and the identifying code VC2 thereof of new password by message.
The 16 step: the cryptosync operation requests (ciphertext of new password, VC2);
Here, the cryptosync client sends the message of carrying out the cryptosync operation to the cryptosync unit, has wherein comprised the ciphertext and the identifying code VC2 thereof of new password.
The 17 step: obtain new password;
Here, at first, the cryptosync unit can find the login password Key1 of the current use of user according to user's log-on message; And then identical algorithm of employing and formula 2 and identical hash function h, the ciphertext of the new password that receives is carried out HMAC calculate, obtain the identifying code VC21 of this encrypt data.Then, VC21 and VC2 are compared.If both unanimities are complete and trusty with regard to the encrypt data that new password is described.Otherwise, just think that the encrypt data of new password is destroyed, should end the cryptosync process.At last, the cryptosync unit uses the private key of Verification System CA that the ciphertext of new password is carried out the deciphering of asymmetric arithmetic, has obtained new password Key2.
The 18 step: preserve new password;
Here, the cryptosync unit sends to the account database of Verification System with user's new password, upgrades user's password.
In above communication process because the plaintext of user's login password Key1 is not exposed in network and the computer, so identifying code VC1 and VC2 be difficult to be forged, thereby guaranteed the integrality and the credible wilfulness of public key certificate and new password ciphertext.
The cryptosync process of symmetric cryptography is below described again.Figure 13 is the cryptosync process flow schematic diagram according to the employing symmetric encipherment algorithm of embodiment of the present invention.As shown in figure 13, this method comprises:
The first step: network entry operation;
Here, the user adopts described the accessing to your password of embodiment of the present invention that the authentication method of equipment is provided, and by cryptosync client accession authorization system, carries out relevant register.
Second step: record login password ID (Key_ID1);
Here, in login process, the user need describe the tabulation from password and select login password, and the cryptosync client will be noted user's login password ID this moment, and this ID is designated as Key_ID1.
The 3rd step: network entry request;
Here, the cryptosync client provides the authentication method of equipment according to described the accessing to your password of embodiment of the present invention, submits the network entry request to the login unit of Verification System.
The 4th step: network entry is replied;
Here, the login unit of Verification System is verified the authentication information of cryptosync client submission.If the verification passes, then permit user's login, and notice cryptosync unit users is legal; Otherwise login with regard to refusing user's.
The 5th step: the request password is described tabulation;
Here, the cryptosync client sends message to cipher providing equipment, and the request password is described tabulation.
The 6th step: return password and describe tabulation;
Here, cipher providing equipment is returned password to the cryptosync client and is described tabulation, and the structure of table is as shown in table 2.
The 7th step: display password is described tabulation;
Here, the cryptosync client is described tabulation to user's display password.
The 8th step: select new password ID (Key_ID2);
Here, before the operation of carrying out Synchronizing Passwords, the user has generated new password and it has been kept among the cipher providing equipment, and establishing this password is Key2, and corresponding ID is Key_ID2.
In current step, the user just can describe the new password of selecting the Key_ID2 representative the tabulation from password, and with the result notification cryptosync client of selecting.
The 9th step: the ciphertext of request new password (Key_ID1, Key_ID2);
Here, the cryptosync client sends message to cipher providing equipment, request obtain Key_ID2 the ciphertext of corresponding password, also carrying the ID value Key_ID1 that the current accession authorization system of user is accessed to your password in this message.
The tenth step: the ciphertext (the ciphertext CK3 of new password, identifying code VC3) of returning new password;
At first, cipher providing equipment is searched corresponding new password data according to Key_ID2, is designated as Key2; And then find corresponding code data Key1 according to Key_ID1.Then, use Key1 to be key, Key2 is carried out the computations of symmetric encipherment algorithm, obtain the ciphertext CK3 of Key2.
Then, use hmac algorithm to calculate the identifying code VC3 of CK3, computing formula is as follows:
(h) formula 3 for CK3, Key1 for VC3=HMAC
Wherein:
CK3: be the symmetric cryptography ciphertext of new password Key2.
Key1: be the used password of the current accession authorization system of user.
H: certain hash algorithm, as md5, sha1 etc., consistent with the employed algorithm of server end.
At last, cipher providing equipment sends to the cryptosync client with the ciphertext and the identifying code VC3 thereof of new password by message.
The 11 step: the cryptosync operation requests (CK3, VC3);
Here, the cryptosync client sends the message of carrying out the cryptosync operation to the cryptosync unit, has wherein comprised the ciphertext CK3 and the identifying code VC3 thereof of new password.
The 12 step: obtain new password;
Here, at first, the cryptosync unit can find the presently used login password Key1 of user according to user's log-on message; Adopt algorithm identical and identical hash function h again, the new password ciphertext CK3 that receives is calculated, obtain the identifying code VC31 of this encrypt data with formula 2.Then, relatively VC31 and VC3 see whether both are consistent.If consistent, be complete and can be trusted with regard to the ciphertext that shows new password.At last, the cryptosync unit uses Key1 that the ciphertext of new password is carried out the deciphering of symmetry algorithm (consistent with the symmetric encipherment algorithm that close memory uses), thereby has obtained new password Key2.
The 13 step: preserve new password;
Here, the cryptosync unit sends to the account database of Verification System with user's new password, upgrades user's password.
More than the establishment of two kinds of cryptosync methods of Xiang Ximiaoshuing all depends on original user authentication password Key1, so use for the first time the user before the cryptosync of network mode, need an initial authentication password, this password has been kept among cipher providing equipment and the Verification System.The setting of initial password can be adopted on-the-spot manual (as bank counter), initial password letter (as bank's hair fastener time password letter) to be set, and existing mode such as SMS notification, and these ways can guarantee the fail safe of initial password.
Introduce the direct-connected method of synchronization of equipment below again.
In the direct-connected method of synchronization of equipment, the hardware interface that the interface and the Verification System of cipher providing equipment provided directly links up, and provides operation interface by Verification System for the user, and allowing the user select will be the new password that system is provided with.
Figure 14 is according to the direct-connected mode cryptosync of the equipment of embodiment of the present invention system configuration schematic diagram.In Figure 14, comprising: cipher providing equipment, it can be specially first kind or second kind of cipher providing equipment of front depicted in greater detail.Verification System is the system that user identity is authenticated, and comprises account database, relevant equipment and network.The password setting unit is a unit that is embedded in the Verification System, is responsible for externally providing the service that user cipher is set.The login unit is a module of being responsible for the identifying user identity authenticity in the Verification System.Interface, the hardware module that cipher providing equipment is docked with Verification System is as USB interface.
Based on structure shown in Figure 14, Figure 15 is according to the direct-connected mode cryptosync of the equipment of embodiment of the present invention flow chart.As the user with cipher providing equipment with after the interface of Verification System docks, cipher providing equipment has just realized being connected with Verification System, thereby can carry out data communication.The cryptosync process of the direct-connected mode of equipment and the cryptosync process of network mode are similar, are not described in detail in this.No matter the cryptosync method that is symmetric cryptography or asymmetric encryption can be used in this system.
In actual applications, the interface of revising password is likely a kind of long-range terminal installation, as the ATM of bank.According to some cases, the offender can embed the device of certain monitored data communication in ATM, thereby steals user's password information.So in operating process shown in Figure 15, the cryptosync of the direct-connected mode of equipment has still been carried out encryption to new password, thereby realized safety communication end to end from cipher providing equipment to the password setting unit.
In front in first kind of cipher providing equipment of Jie Shaoing, owing to do not have with the user and carry out ability of man-machine interaction, so first kind of cipher providing equipment need connect computer, obtain the password of user's input by " the password edit cell " that moves on the computer." virus " program owing to might hide on the computer, thereby the user might be caused password to be stolen by the intercepting and capturing of " virus " program in the input password.
Embodiment of the present invention also provides a kind of method, makes also can safely generate and preserve password with first kind of cipher providing equipment.Figure 16 is the method flow schematic diagram that the password of first kind of cipher providing equipment according to the preferred embodiment of the present invention produces and preserves.As shown in figure 16, this method comprises:
The first step: display password generates the interface;
Here, the password edit cell shows the interface that an operator password generates to the user.
Second step: input password descriptor;
Here, the user inputs to the descriptor that new password is provided with in operation interface.
The 3rd step: submit the request that generates password to;
Here, the user will generate a new password by operation man-machine interface notice password edit cell in cipher providing equipment,
The 4th step: request generates new password (password descriptor);
Here, the computing unit of password edit cell in cipher providing equipment sends message, and request generates and preserve a new password in cipher providing equipment.Carried user's descriptor of password setting for this reason in the message.
The 5th step: carry out the operation that generates password;
Here, computing unit requires the password acquiring unit to generate a new password by the instruction of internal system.
The 6th step: the password that returns generation;
Here, the password acquiring unit returns newly-generated code data to computing unit.
The 7th step: the ID that distributes new password;
Here, computing unit is that new password distributes ID data, guarantee that this ID value is unique in the password storage list.
The 8th step: preserve new password (ID, descriptor, password value);
Here, computing unit is deposited the related data of new password: ID in memory cell, descriptor and password value.
This shows that behind the application said method, the user just can generate a new password by the aforesaid operations process in first kind of cipher providing equipment, and it is kept in the password storage list.In the aforesaid operations process, the concrete data of new password only appear in first kind of cipher providing equipment, externally do not expose, and be safe therefore.After generating new password, the user can use the user cipher in the described cryptosync method of embodiment of the present invention (network interconnection mode, the direct-connected mode of equipment) the renewal Verification System.So just accomplished that in the process that generates password and Synchronizing Passwords, password expressly is not exposed in unsafe computer and the network environment all the time, for the process of user's operator password has been brought fail safe and convenience.
To sum up, from technique scheme as can be seen, in embodiment of the present invention, cipher providing equipment is with the data structure storage password of password storage list, and from the password storage list, inquiring password according to the cipher mark that parses by authentication request, the password ciphertext after will encrypting again sends to and is used for authentication outside the cipher providing equipment.This shows that because single cipher providing equipment can be preserved a plurality of passwords corresponding to the different authentication system, therefore single cipher providing equipment can be applicable to a plurality of Verification Systems.The cost that this had just both reduced the client hardware authenticating device has made things convenient for management and the use of user to authenticating device again.
And Authentication Client can only obtain " password is described tabulation " from cipher providing equipment, wherein only comprises information such as password ID and password descriptor, does not comprise the True Data of password, therefore the fail safe that has improved Verification System.And, provide equipment to preserve password owing to access to your password, the password of longer figure place can be set, thereby reduce password by the possibility of Brute Force, further improved the fail safe of Verification System.
Not only in this, the cryptosync of embodiment of the present invention also can be given the bringing great convenience property of operation and the fail safe of user's maintain cryptographic.
The above is the preferred embodiment of embodiment of the present invention only, is not the protection range that is used to limit embodiment of the present invention.All within the spirit and principle of embodiment of the present invention, any modification of being done, be equal to replacement, improvement etc., all should be included within the protection range of embodiment of the present invention
Claims (10)
1. a cipher providing equipment is characterized in that, this cipher providing equipment comprises interface unit, password acquiring unit, password memory cell and password encryption unit, wherein:
The password acquiring unit is used to obtain password;
The password memory cell is used for storing the password that is obtained by the password acquiring unit with the form of password storage list, also stores the cipher mark corresponding to described password in the described password storage list;
Interface unit is used to receive the authentication request that comprises cipher mark, and the password ciphertext of encrypting sent to is used for authentication outside the described cipher providing equipment;
The password encryption unit, be used for parsing cipher mark from described authentication request, from described password storage list, inquire password corresponding to described cipher mark, and described password encrypted, the password ciphertext after will encrypting then sends to by interface unit and is used for authentication outside the described cipher providing equipment.
2. cipher providing equipment according to claim 1 is characterized in that, described interface unit is connected with the outer cipher editing equipment,
Described password acquiring unit is used for obtaining password by described interface unit from described outer cipher editing equipment.
3. cipher providing equipment according to claim 2 is characterized in that, this cipher providing equipment further is included in the mode switch element of switching between password obtaining mode and the cipher authentication pattern,
Described mode switch element is used for when working in the password obtaining mode, excites described password acquiring unit to obtain password by described interface unit from described outer cipher editing equipment; And when working in the cipher authentication pattern, excite after described password encryption unit will be encrypted the password ciphertext by interface unit send to be used for outside the described cipher providing equipment authentication.
4. cipher providing equipment according to claim 1 is characterized in that, described password acquiring unit is used for producing described password according to the predetermined cipher generating algorithm.
5. according to each described cipher providing equipment among the claim 1-4, it is characterized in that, further comprise challenge code in the described authentication request;
The password encryption unit, be used for parsing cipher mark and challenge code from described authentication request, from described password storage list, inquire password corresponding to described cipher mark, and according to challenge code and hash HASH function described password is encrypted, the password ciphertext after will encrypting then sends to by interface unit and is used for authentication outside the described cipher providing equipment.
6. according to each described cipher providing equipment among the claim 1-4, it is characterized in that this cipher providing equipment further comprises the cryptosync unit,
Be used for the cryptosync that the password memory cell is preserved is saved in the Verification System outside the described cipher providing equipment.
7. a cipher authentication system is characterized in that, this cipher authentication system comprises cipher providing equipment, Authentication Client and certificate server, wherein:
Cipher providing equipment, be used for the form of password storage list storage password and corresponding to the cipher mark of password, and from described password storage list, inquire password corresponding to user-selected cipher mark, according to cryptographic algorithm described password is encrypted, the password ciphertext after encrypting is sent to described certificate server by Authentication Client be used for authentication;
Authentication Client is used for obtaining from cipher providing equipment the cipher mark of tabulation, and the cipher mark that will tabulate is shown to the user, selects cipher mark for the user from this tabulation;
Certificate server, be used for the password that stores synchronized is preserved in cipher providing equipment, and according to the cryptographic algorithm identical with cipher providing equipment to encrypting corresponding to the password of user-selected cipher mark, and the password ciphertext that generates when this certificate server and the cipher providing equipment password ciphertext of sending is when identical, and the password that the judgement cipher providing equipment provides is correct.
8. cipher authentication system according to claim 7, it is characterized in that, realize cryptosync by the direct-connected mode of equipment, the network interconnection mode that adopts symmetric encipherment algorithm, the network interconnection mode that adopts rivest, shamir, adelman or the manual method of synchronization of user between described cipher providing equipment and the certificate server.
9. a cipher authentication method is characterized in that, this method comprises:
Cipher providing equipment is with the form of password storage list storage password and corresponding to the cipher mark of password, the password that the certificate server stores synchronized is preserved in cipher providing equipment;
Authentication Client obtains the cipher mark of tabulation from cipher providing equipment, and the cipher mark that will tabulate is shown to the user, selects cipher mark for the user from this tabulation;
Cipher providing equipment inquires the password corresponding to user-selected cipher mark from described password storage list, and according to cryptographic algorithm described password is encrypted, and the password ciphertext after will encrypting then sends to described certificate server and is used for authentication;
Certificate server according to the cryptographic algorithm identical with cipher providing equipment to encrypting corresponding to the password of user-selected cipher mark, and the password ciphertext that generates when this certificate server and the cipher providing equipment password ciphertext of sending is when identical, and the password that the judgement cipher providing equipment provides is correct.
10. method according to claim 9 is characterized in that certificate server further provides challenge code by Authentication Client to cipher providing equipment; In this method:
Cipher providing equipment inquires the password corresponding to described cipher mark from described password storage list, and according to challenge code and hash HASH function described password is encrypted, and the password ciphertext after will encrypting then sends to certificate server and is used for authentication;
Certificate server according to described HASH function and challenge code to encrypting corresponding to the password of user-selected cipher mark, and the password ciphertext that generates when this certificate server and the cipher providing equipment password ciphertext of sending is when identical, and the password that the judgement cipher providing equipment provides is correct.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010122569A CN101815091A (en) | 2010-03-12 | 2010-03-12 | Cipher providing equipment, cipher authentication system and cipher authentication method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010122569A CN101815091A (en) | 2010-03-12 | 2010-03-12 | Cipher providing equipment, cipher authentication system and cipher authentication method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN101815091A true CN101815091A (en) | 2010-08-25 |
Family
ID=42622206
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201010122569A Pending CN101815091A (en) | 2010-03-12 | 2010-03-12 | Cipher providing equipment, cipher authentication system and cipher authentication method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101815091A (en) |
Cited By (24)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101997678A (en) * | 2010-11-18 | 2011-03-30 | 东莞宇龙通信科技有限公司 | Password acquisition method and terminal |
| CN102325026A (en) * | 2011-07-14 | 2012-01-18 | 易讯天空计算机技术(深圳)有限公司 | Account password secure encryption system |
| CN102831340A (en) * | 2012-07-24 | 2012-12-19 | 华为终端有限公司 | Unlock device and unlock method of electronic device |
| CN102833276A (en) * | 2011-06-14 | 2012-12-19 | 赛酷特(北京)信息技术有限公司 | Webpage login system based on token |
| CN102833213A (en) * | 2011-06-14 | 2012-12-19 | 赛酷特(北京)信息技术有限公司 | Webpage authentication and login method based on TokenLite |
| CN102833214A (en) * | 2011-06-14 | 2012-12-19 | 赛酷特(北京)信息技术有限公司 | Webpage login system and method based on credential |
| CN102882686A (en) * | 2012-10-09 | 2013-01-16 | 北京深思洛克软件技术股份有限公司 | Authentication method and authentication device |
| CN103139136A (en) * | 2011-11-22 | 2013-06-05 | 阿里巴巴集团控股有限公司 | Method and device for managing passwords |
| CN103678964A (en) * | 2012-09-13 | 2014-03-26 | 上海斐讯数据通信技术有限公司 | Mobile terminal and password input method and system |
| CN104182677A (en) * | 2014-07-14 | 2014-12-03 | 联想(北京)有限公司 | Information processing method and electronic equipment |
| CN104506557A (en) * | 2015-01-07 | 2015-04-08 | 北京深思数盾科技有限公司 | Method and device for managing login information |
| CN104506518A (en) * | 2014-12-22 | 2015-04-08 | 中软信息系统工程有限公司 | Identity authentication method for access control of MIPS (Million Instructions Per Second) platform network system |
| CN106301780A (en) * | 2015-06-05 | 2017-01-04 | 张华永 | Authentication method and Verification System |
| CN106571908A (en) * | 2016-10-19 | 2017-04-19 | 携程计算机技术(上海)有限公司 | Hotel password setting method |
| CN107038368A (en) * | 2016-02-04 | 2017-08-11 | 张越显 | A kind of Portable, personal password management equipment |
| CN108306872A (en) * | 2018-01-24 | 2018-07-20 | 腾讯科技(深圳)有限公司 | Network request processing method, device, computer equipment and storage medium |
| CN108566274A (en) * | 2018-03-15 | 2018-09-21 | 中国地质大学(武汉) | Method, equipment and the storage device of slitless connection between a kind of block chain Verification System |
| CN108573581A (en) * | 2018-03-20 | 2018-09-25 | 中国工商银行股份有限公司 | ATM initial keys setting method, device, system and storage medium |
| CN109347839A (en) * | 2018-10-25 | 2019-02-15 | 深圳壹账通智能科技有限公司 | Centralized password management method and centralized password management, device, electronic equipment and computer storage medium |
| CN110022326A (en) * | 2019-04-19 | 2019-07-16 | 上海法诺光电技术有限公司 | A kind of Internet of Things cipher authentication method using cipher table synchronization |
| CN110430203A (en) * | 2019-08-12 | 2019-11-08 | 徐州恒佳电子科技有限公司 | A kind of improved safety JSON transmission method towards sensitive data |
| CN111080857A (en) * | 2019-12-30 | 2020-04-28 | 华人运通(上海)云计算科技有限公司 | Vehicle digital key management and use method and device, mobile terminal and storage medium |
| CN111586124A (en) * | 2020-04-28 | 2020-08-25 | 广州锦行网络科技有限公司 | Method for obtaining remote connection certificate |
| CN112929188A (en) * | 2019-12-05 | 2021-06-08 | 中国电信股份有限公司 | Device connection method, system, apparatus and computer readable storage medium |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101340439A (en) * | 2008-08-11 | 2009-01-07 | 中兴通讯股份有限公司 | Identity authenticating method, system and mobile terminal |
-
2010
- 2010-03-12 CN CN201010122569A patent/CN101815091A/en active Pending
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101340439A (en) * | 2008-08-11 | 2009-01-07 | 中兴通讯股份有限公司 | Identity authenticating method, system and mobile terminal |
Cited By (33)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101997678A (en) * | 2010-11-18 | 2011-03-30 | 东莞宇龙通信科技有限公司 | Password acquisition method and terminal |
| CN102833276A (en) * | 2011-06-14 | 2012-12-19 | 赛酷特(北京)信息技术有限公司 | Webpage login system based on token |
| CN102833213A (en) * | 2011-06-14 | 2012-12-19 | 赛酷特(北京)信息技术有限公司 | Webpage authentication and login method based on TokenLite |
| CN102833214A (en) * | 2011-06-14 | 2012-12-19 | 赛酷特(北京)信息技术有限公司 | Webpage login system and method based on credential |
| CN102325026A (en) * | 2011-07-14 | 2012-01-18 | 易讯天空计算机技术(深圳)有限公司 | Account password secure encryption system |
| CN103139136A (en) * | 2011-11-22 | 2013-06-05 | 阿里巴巴集团控股有限公司 | Method and device for managing passwords |
| CN103139136B (en) * | 2011-11-22 | 2016-06-08 | 阿里巴巴集团控股有限公司 | The management process of a kind of password and equipment |
| CN102831340B (en) * | 2012-07-24 | 2016-03-30 | 华为终端有限公司 | The tripper of electronic equipment and unlock method thereof |
| CN102831340A (en) * | 2012-07-24 | 2012-12-19 | 华为终端有限公司 | Unlock device and unlock method of electronic device |
| CN103678964A (en) * | 2012-09-13 | 2014-03-26 | 上海斐讯数据通信技术有限公司 | Mobile terminal and password input method and system |
| CN102882686A (en) * | 2012-10-09 | 2013-01-16 | 北京深思洛克软件技术股份有限公司 | Authentication method and authentication device |
| CN104182677A (en) * | 2014-07-14 | 2014-12-03 | 联想(北京)有限公司 | Information processing method and electronic equipment |
| CN104506518A (en) * | 2014-12-22 | 2015-04-08 | 中软信息系统工程有限公司 | Identity authentication method for access control of MIPS (Million Instructions Per Second) platform network system |
| CN104506518B (en) * | 2014-12-22 | 2018-07-24 | 中软信息系统工程有限公司 | The identity identifying method of MIPS platform network system access controls |
| CN104506557A (en) * | 2015-01-07 | 2015-04-08 | 北京深思数盾科技有限公司 | Method and device for managing login information |
| CN106301780A (en) * | 2015-06-05 | 2017-01-04 | 张华永 | Authentication method and Verification System |
| CN107038368A (en) * | 2016-02-04 | 2017-08-11 | 张越显 | A kind of Portable, personal password management equipment |
| CN106571908A (en) * | 2016-10-19 | 2017-04-19 | 携程计算机技术(上海)有限公司 | Hotel password setting method |
| CN106571908B (en) * | 2016-10-19 | 2020-03-17 | 携程计算机技术(上海)有限公司 | Hotel password setting method |
| CN108306872A (en) * | 2018-01-24 | 2018-07-20 | 腾讯科技(深圳)有限公司 | Network request processing method, device, computer equipment and storage medium |
| CN108306872B (en) * | 2018-01-24 | 2022-03-18 | 腾讯科技(深圳)有限公司 | Network request processing method and device, computer equipment and storage medium |
| CN108566274A (en) * | 2018-03-15 | 2018-09-21 | 中国地质大学(武汉) | Method, equipment and the storage device of slitless connection between a kind of block chain Verification System |
| CN108573581A (en) * | 2018-03-20 | 2018-09-25 | 中国工商银行股份有限公司 | ATM initial keys setting method, device, system and storage medium |
| CN108573581B (en) * | 2018-03-20 | 2020-08-18 | 中国工商银行股份有限公司 | ATM initial key setting method, device, system and computer readable storage medium |
| CN109347839A (en) * | 2018-10-25 | 2019-02-15 | 深圳壹账通智能科技有限公司 | Centralized password management method and centralized password management, device, electronic equipment and computer storage medium |
| CN110022326A (en) * | 2019-04-19 | 2019-07-16 | 上海法诺光电技术有限公司 | A kind of Internet of Things cipher authentication method using cipher table synchronization |
| CN110430203A (en) * | 2019-08-12 | 2019-11-08 | 徐州恒佳电子科技有限公司 | A kind of improved safety JSON transmission method towards sensitive data |
| CN112929188A (en) * | 2019-12-05 | 2021-06-08 | 中国电信股份有限公司 | Device connection method, system, apparatus and computer readable storage medium |
| CN112929188B (en) * | 2019-12-05 | 2022-06-14 | 中国电信股份有限公司 | Device connection method, system, apparatus and computer readable storage medium |
| CN111080857A (en) * | 2019-12-30 | 2020-04-28 | 华人运通(上海)云计算科技有限公司 | Vehicle digital key management and use method and device, mobile terminal and storage medium |
| CN111080857B (en) * | 2019-12-30 | 2022-05-03 | 华人运通(上海)云计算科技有限公司 | Vehicle digital key management and use method and device, mobile terminal and storage medium |
| CN111586124B (en) * | 2020-04-28 | 2020-12-18 | 广州锦行网络科技有限公司 | Method for obtaining remote connection certificate |
| CN111586124A (en) * | 2020-04-28 | 2020-08-25 | 广州锦行网络科技有限公司 | Method for obtaining remote connection certificate |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101815091A (en) | Cipher providing equipment, cipher authentication system and cipher authentication method | |
| US10142107B2 (en) | Token binding using trust module protected keys | |
| KR101769282B1 (en) | Data security service | |
| TWI233739B (en) | Systems, methods and computer readable recording medium for remote password authentication using multiple servers | |
| JP4866863B2 (en) | Security code generation method and user device | |
| US9118661B1 (en) | Methods and apparatus for authenticating a user using multi-server one-time passcode verification | |
| CN107359998B (en) | A kind of foundation and operating method of portable intelligent password management system | |
| Xie et al. | Cloud-based RFID authentication | |
| He et al. | A social-network-based cryptocurrency wallet-management scheme | |
| CN104158827B (en) | Ciphertext data sharing method, device, inquiry server and upload data client | |
| CN101510888B (en) | Method, device and system for improving data security for SaaS application | |
| CN106130716A (en) | Cipher key exchange system based on authentication information and method | |
| CN109618326A (en) | User's dynamic identifier generation method and service registration method, login validation method | |
| CN106576043A (en) | Virally distributable trusted messaging | |
| CN104253694A (en) | Encrypting method for network data transmission | |
| CN110380859B (en) | Quantum communication service station identity authentication method and system based on asymmetric key pool pair and DH protocol | |
| CN102055685B (en) | Method for encrypting webmail information | |
| CN103237305A (en) | Password protection method for smart card on mobile terminals | |
| CN109981287A (en) | A kind of code signature method and its storage medium | |
| Das | A secure and robust password-based remote user authentication scheme using smart cards for the integrated epr information system | |
| CN109347923A (en) | Anti- quantum calculation cloud storage method and system based on unsymmetrical key pond | |
| Tao et al. | Anonymous identity authentication mechanism for hybrid architecture in mobile crowd sensing networks | |
| CN201717885U (en) | Code providing equipment and code identification system | |
| Amintoosi et al. | TAMA: three-factor authentication for multi-server architecture | |
| CN110176989A (en) | Quantum communications service station identity identifying method and system based on unsymmetrical key pond |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| DD01 | Delivery of document by public notice |
Addressee: Xue Ming Document name: the First Notification of an Office Action |
|
| DD01 | Delivery of document by public notice |
Addressee: Xue Ming Document name: Notification that Application Deemed to be Withdrawn |
|
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20100825 |