CN102148683A - Dual-factor authentication method based on HASH chip or encryption chip - Google Patents


Info

Publication number: CN102148683A
Authority: CN (China)
Prior art keywords: chip, hash, client, server, authentication
Legal status: Pending (status as listed by Google Patents, which has performed no legal analysis)
Application number: CN2010101055291A
Other languages: Chinese (zh)
Inventor: 王立
Current Assignee: Shanghai Shengxuan Network Technology Co., Ltd. (as listed by Google Patents)
Original Assignee: SHANGHAI GUOKE ELECTRONIC CO Ltd
Priority date: 2010-02-04
Filing date: 2010-02-04
Publication date: 2011-08-10
Priority to: CN2010101055291A
Publication of: CN102148683A

Abstract

The invention discloses a dual-factor authentication method based on a HASH chip or an encryption chip, comprising the steps: (1) the HASH chip or encryption chip used by the client is assigned a chip serial number and a randomly generated seed is written into it; (2) when the client applies for authentication, it sends an authentication request to the server; (3) on receiving the request, the server sends a randomly generated security information string to the client; (4) the client uses the HASH chip or encryption chip to hash or encrypt the security information string together with the chip's built-in seed, takes the result as a dynamic verification code, and sends the chip serial number, the dynamic verification code, and the user name and password to the server; (5) the server verifies one factor consisting of the chip serial number and the dynamic verification code and a second factor consisting of the user name and password, determines whether the client and the user are legitimate, and returns the authentication result to the client. The method ensures both that the user's identity is legitimate and that the user obtains service through a legitimate client.

Description

Two-factor authentication method based on HASH chip or encryption chip
Technical field
The invention belongs to the field of computer application system security and in particular relates to a two-factor authentication method based on a HASH chip or an encryption chip. The invention is well suited to authentication of distributed devices or users over the Internet or mobile networks where the user population is large and concurrency is high.
Background technology
With the spread of the Internet, distributed applications on the network are increasingly common, and one essential step in any distributed application is verifying that the remote party is the one expected. Traditional password verification cannot guarantee security, and as the value attached to accounts and to authentication has grown, cracked and stolen accounts have become more and more common in recent years. Various schemes that combine a hardware cryptographic device with a user password for two-factor authentication have also appeared, but they all use asymmetric encryption chips, which are costly, slow, require a large amount of data to be sent over the network, and place a heavy load on the remote server. Most critically, because asymmetric encryption and decryption consume so many resources, the public/private key pair cannot be refreshed on every use (a "one-time key" per authentication), which seriously harms the security of the authentication process.
Summary of the invention
The technical problem to be solved by the invention is to provide a two-factor authentication method based on a HASH chip or an encryption chip that ensures both the legitimate identity of the user and that the user obtains service through a legitimate client.
To solve the above technical problem, the two-factor authentication method based on a HASH chip or an encryption chip according to the invention comprises the following steps:
(1) the HASH chip or encryption chip used by the client is assigned a chip serial number and a randomly generated seed is written into it;
(2) when the client applies for authentication, it sends an authentication request to the server;
(3) after receiving the authentication request, the server sends a randomly generated security information string to the client;
(4) the client uses the HASH chip or encryption chip to combine the randomly generated security information string sent by the server with the chip's built-in seed and then hash or encrypt the combination; the result is a dynamic verification code, and the chip serial number, the dynamic verification code, and the user name and password are sent to the server;
(5) the server performs two-factor authentication using the chip serial number and dynamic verification code sent by the client as one authentication factor and the user name and password as the other, determines that the connecting party is a legitimate client and a legitimate user, and returns the authentication result to the client.
The beneficial effect of the invention is that, with this method, every login by every client uses a freshly generated random security check string, achieving a true "one-time key"; the whole process involves only a one-way, irreversible HASH computation, which guarantees security to the greatest extent while improving processing efficiency and the server's concurrent processing capacity, and the network bandwidth consumed is greatly reduced. The method is well suited to authentication of distributed devices or users over the Internet or mobile networks where the user population is large and concurrency is high. In addition, the method ensures both the user's legitimate identity (a valid user) and that the user obtains service through a legitimate client (that is, a valid terminal), improving security.
Description of drawings
Fig. 1 is a schematic flow chart of the two-factor authentication method based on a HASH chip or an encryption chip according to the invention.
Embodiment
The invention can use an economical and efficient HASH chip (a chip implementing a HASH algorithm) or an encryption chip to perform two-factor authentication. HASH (in Chinese usually rendered as 散列, or transliterated as 哈希) means transforming an input of arbitrary length (also called the pre-image) into an output of fixed length by means of a hash algorithm; that output is the hash value. In the invention, first, the HASH chip or encryption chip used by the client is assigned a chip serial number and a randomly generated seed is written into it at the factory. When the client applies for authentication and the server receives the request, the server sends a randomly generated security information string to the client; the client uses the HASH chip or encryption chip to combine the random security information string sent by the server with the chip's built-in seed and then hash or encrypt it; the result is a dynamic verification code, and the chip serial number, the dynamic verification code, and the user name and password are sent to the server. The server directly verifies the two factors, chip serial number plus dynamic verification code and user name plus password, and finally determines whether the connecting party is a legitimate client and a legitimate user.
As shown in Fig. 1, the invention provides a two-factor authentication method based on a HASH chip or an encryption chip. The HASH chip or encryption chip used by the client is assigned a chip serial number and has a randomly generated seed written into it at the factory; the seed is a random number sequence of fixed length. The method specifically comprises the following steps:
1. The client applies for authentication by sending an authentication request to the server. The request contains no authentication information; it only notifies the server that a client is starting an authentication process and asks the server to issue a random security information string.
2. The server generates a random security information string and sends it to the client. The server generates the string automatically when the client requests authentication, and each client obtains a different security information string on every request.
3. The client uses the HASH chip or encryption chip to combine the random security information string sent by the server with the chip's built-in seed and then hash or encrypt the combination; the result is a dynamic verification code.
The HASH processing refers to a one-way HASH transform performed by the HASH chip hardware. (This transform is a compressing mapping: the space of hash values is usually much smaller than the input space, different inputs may hash to the same output, and the input cannot be uniquely determined from the hash value. In short, HASH is a function that compresses a message of arbitrary length into a message digest of a fixed length; in the information-security field it is mainly used in cryptographic algorithms, turning information of various lengths into a fixed-length scrambled code, 128 bits in the original description, called the HASH value. The term is also used for the mapping between a data item and the address at which it is stored, as in a hash table.) Using the hardware HASH chip, the random security information string sent by the server and the chip's built-in seed are combined and hashed together, so that everything that has to be transmitted over the network is never repeated and cannot be reversed by an attacker.
In the case of an encryption chip, the seed is normally the encryption key, and nobody other than the encryption chip and the server holds this key. The encryption process therefore has an irreversibility similar to that of the HASH computation; in other words, the encryption algorithm achieves an effect similar to the HASH operation.
4. The client sends the chip serial number and the dynamic verification code as one authentication factor, and the user name and password as the other, to the server as the two-factor information. The user name and password are entered manually by the user at the client. Neither purely automated authentication nor purely manual authentication alone guarantees the security and reliability of authentication, so two-factor authentication is used here, and the user must manually enter the relevant user name and password at the client.
5. The server performs two-factor authentication on the information sent by the client and returns the result to the client. The server checks the user name and password received from the client directly against its authentication database (if they match, the user name and password are authenticated successfully), ensuring that no user name or password that could be recovered by reversal is stored on the server. At the same time it compares the chip serial number and dynamic verification code with the security authentication information it holds for the client; if they are identical, the chip serial number and dynamic verification code are authenticated successfully. In addition, the random security information string incorporated in the dynamic verification code has a validity period: if the time at which authentication is performed exceeds the safe validity period of the string the client was issued, the result is authentication failure. Only when both the chip serial number plus dynamic verification code and the user name plus password have been verified successfully is the authentication confirmed as passed; if either one fails, an authentication failure is returned.
The method of the invention is currently used for distributed authentication of a number of embedded hardware systems: the HASH chip or encryption chip has a built-in seed, and when the device connects to the server, the random security information string sent by the server is combined with the chip's built-in seed and hashed or encrypted; the result is a dynamic verification code, and the chip serial number and dynamic verification code together with the user name and password form the two factors of the two-factor authentication. The method has also been applied to the authentication of user accounts.
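The following is an added, self-contained model of steps 1 to 5 above, written for this page; it is not code from the patent or its assignee. The patent fixes neither the hash algorithm, the way seed and challenge are combined, the seed or challenge lengths, the validity window, nor how the server stores passwords, so the example assumes HMAC-SHA256 over the challenge keyed with the seed as the "combine and hash" step, a 32-byte seed, a 16-byte challenge, a 60-second validity window and PBKDF2 for the stored password digest. Two practitioner points the patent leaves implicit are made explicit: the seed is a long-term secret shared by chip and server, and only the challenge is fresh per login, so the server must consume each challenge on first use and reject it after its validity period, otherwise a captured dynamic code could be replayed; and the server compares both factors in constant time and reports a single failure result to the client, keeping the detailed reason for its own logs.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters: the patent does not specify any of these values.
SEED_BYTES = 32
CHALLENGE_BYTES = 16
CHALLENGE_TTL_SECONDS = 60
PBKDF2_ROUNDS = 200_000


class HashChip:
    """Models the client's HASH chip: a serial number plus a random seed written once
    at the factory. Only dynamic_code() is exposed; the seed never leaves the chip."""

    def __init__(self, serial: str, seed: bytes):
        self.serial = serial
        self._seed = seed

    def dynamic_code(self, challenge: bytes) -> str:
        # Step 3: one-way transform of (seed, challenge). HMAC-SHA256 is this
        # example's choice for "combine the seed with the challenge and hash".
        return hmac.new(self._seed, challenge, hashlib.sha256).hexdigest()


def provision_chip(serial: str) -> tuple[HashChip, bytes]:
    """Factory provisioning (step (1) of the summary). The seed copy is what the
    server registers against the serial number."""
    seed = secrets.token_bytes(SEED_BYTES)
    return HashChip(serial, seed), seed


class AuthServer:
    def __init__(self, clock=time.time):
        self.clock = clock                                  # injectable for expiry tests
        self.chips: dict[str, bytes] = {}                   # serial -> seed
        self.users: dict[str, tuple[bytes, bytes]] = {}     # user -> (salt, digest)
        self.pending: dict[str, tuple[bytes, float]] = {}   # session -> (challenge, issued_at)

    def register_chip(self, serial: str, seed: bytes) -> None:
        self.chips[serial] = seed

    def register_user(self, username: str, password: str) -> None:
        # The server keeps only a salted, stretched digest, never the password itself.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, digest)

    def issue_challenge(self, session: str) -> bytes:
        """Steps 1 and 2: a fresh random security information string per attempt."""
        challenge = secrets.token_bytes(CHALLENGE_BYTES)
        self.pending[session] = (challenge, self.clock())
        return challenge

    def authenticate(self, session: str, serial: str, dynamic_code: str,
                     username: str, password: str) -> tuple[bool, str]:
        """Step 5. Returns (ok, reason); only `ok` should be sent to the client."""
        entry = self.pending.pop(session, None)   # a challenge is consumed on first use
        if entry is None:
            return False, "no outstanding challenge for this session"
        challenge, issued_at = entry
        if self.clock() - issued_at > CHALLENGE_TTL_SECONDS:
            return False, "challenge expired"

        # Factor 1: chip serial number + dynamic verification code.
        # A dummy seed keeps the timing the same for unknown serial numbers.
        seed = self.chips.get(serial)
        expected = hmac.new(seed or b"\x00" * SEED_BYTES, challenge, hashlib.sha256).hexdigest()
        chip_ok = seed is not None and hmac.compare_digest(expected, dynamic_code)

        # Factor 2: user name + password against the stored digest (dummy record likewise).
        salt, stored = self.users.get(username, (b"\x00" * 16, b"\x00" * 32))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        user_ok = username in self.users and hmac.compare_digest(stored, candidate)

        # Both factors must pass; a failure of either one rejects the attempt.
        if not (chip_ok and user_ok):
            return False, "authentication failed"
        return True, "ok"


def run_flow(server: AuthServer, chip: HashChip, username: str, password: str,
             session: str = "s1") -> tuple[bool, str]:
    """The complete exchange from the client's point of view (steps 1 to 5)."""
    challenge = server.issue_challenge(session)      # steps 1-2
    code = chip.dynamic_code(challenge)              # step 3
    return server.authenticate(session, chip.serial, code, username, password)  # steps 4-5


if __name__ == "__main__":
    srv = AuthServer()
    chip, seed = provision_chip("SN-0001")           # constructed sample serial
    srv.register_chip(chip.serial, seed)
    srv.register_user("alice", "correct horse")      # constructed sample user
    print(run_flow(srv, chip, "alice", "correct horse"))
```

Running the block performs one successful login. The dummy-seed and dummy-record branches exist so that an unknown serial number or user name costs the same time as a wrong code or password; the reason string is for the server's audit log, and the client should only ever see the boolean, matching the patent's single "authentication failure" response.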

Claims (8)

1. A two-factor authentication method based on a HASH chip or an encryption chip, characterized in that it comprises the following steps:
(1) the HASH chip or encryption chip used by the client is assigned a chip serial number and a randomly generated seed is written into it;
(2) when the client applies for authentication, it sends an authentication request to the server;
(3) after receiving the authentication request, the server sends a randomly generated security information string to the client;
(4) the client uses the HASH chip or encryption chip to combine the randomly generated security information string sent by the server with the chip's built-in seed and then hash or encrypt the combination; the result is a dynamic verification code, and the chip serial number, the dynamic verification code, and the user name and password are sent to the server;
(5) the server performs two-factor authentication using the chip serial number and dynamic verification code sent by the client as one authentication factor and the user name and password as the other, determines that the connecting party is a legitimate client and a legitimate user, and returns the authentication result to the client.
2. The two-factor authentication method based on a HASH chip or an encryption chip according to claim 1, characterized in that, in step (1), the seed is a random number sequence of fixed length.
3. The two-factor authentication method based on a HASH chip or an encryption chip according to claim 1 or 2, characterized in that, in step (1), when the client uses an encryption chip, the seed is an encryption key, and nobody other than the encryption chip and the server holds this key.
4. The two-factor authentication method based on a HASH chip or an encryption chip according to claim 1, characterized in that, in step (4), the user name and password are entered manually by the user at the client.
5. The two-factor authentication method based on a HASH chip or an encryption chip according to claim 1, characterized in that, in step (2), the authentication request sent by the client to the server contains no authentication information and only notifies the server that a client is starting an authentication process and asks the server to issue a randomly generated security information string.
6. The two-factor authentication method based on a HASH chip or an encryption chip according to claim 1, characterized in that, in step (3), the randomly generated security information string is generated automatically by the server, each client obtains a different security information string on every authentication request, and the string has a validity period.
7. The two-factor authentication method based on a HASH chip or an encryption chip according to claim 1, characterized in that, in step (4), the HASH processing refers to a one-way HASH transform performed by the HASH chip hardware, specifically: the security information string sent by the server is combined with the seed built into the HASH chip and the combination is subjected to a one-way HASH transform, ensuring that everything that has to be transmitted over the network is never repeated and cannot be reversed by an attacker.
8. The two-factor authentication method based on a HASH chip or an encryption chip according to claim 1, characterized in that, in step (5), the two-factor authentication specifically comprises: the server checks the user name and password in the information sent by the client directly against its authentication database, ensuring that no user name or password that could be recovered by reversal is stored on the server, and at the same time compares the chip serial number and dynamic verification code with the security authentication information it holds for the client; the security information string incorporated in the dynamic verification code has a validity period, and if the time at which authentication is performed, after the client was issued the randomly generated security information string, exceeds the safe validity period of that string, the result is authentication failure; only when both the chip serial number plus dynamic verification code and the user name plus password have been verified successfully is the authentication confirmed as passed, and if either one fails, an authentication failure is returned.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101055291A CN102148683A (en) 2010-02-04 2010-02-04 Dual-factor authentication method based on HASH chip or encryption chip


Publications (1)

Publication Number Publication Date
CN102148683A true CN102148683A (en) 2011-08-10

Family

ID=44422705

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010101055291A Pending CN102148683A (en) 2010-02-04 2010-02-04 Dual-factor authentication method based on HASH chip or encryption chip

Country Status (1)

Country Link
CN (1) CN102148683A (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030037261A1 (en) * 2001-03-26 2003-02-20 Ilumin Corporation Secured content delivery system and method
CN1703002A (en) * 2005-07-05 2005-11-30 江苏乐希科技有限公司 Portable one-time dynamic password generator and security authentication system using the same
CN101350719A (en) * 2007-07-18 2009-01-21 康佳集团股份有限公司 Novel identification authentication method
CN101459516A (en) * 2009-02-20 2009-06-17 浙江工业大学 Dynamic password safe login method


Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103559454A (en) * 2012-05-28 2014-02-05 阿莱尼亚·马基公司 Data protection system and method
CN103559454B (en) * 2012-05-28 2018-04-17 阿莱尼亚·马基公司 Data protection system and method
CN103595703A (en) * 2013-03-08 2014-02-19 重庆城市管理职业学院 Linux safety file transmission system based on OpenSSL and Linux safety file transmission method based on OpenSSL
CN103595703B (en) * 2013-03-08 2017-02-22 重庆城市管理职业学院 Linux safety file transmission system based on OpenSSL and Linux safety file transmission method based on OpenSSL
CN103763104A (en) * 2014-01-02 2014-04-30 中国移动(深圳)有限公司 Method and system for dynamic verification
CN103763104B (en) * 2014-01-02 2018-05-22 中移信息技术有限公司 A kind of method and system of dynamic authentication
CN105577627B (en) * 2014-11-11 2020-08-28 腾讯数码(天津)有限公司 Communication method, device, network equipment, terminal equipment and communication system
CN105577627A (en) * 2014-11-11 2016-05-11 腾讯数码(天津)有限公司 Communication method, device, network device, terminal device, and communication system
WO2017202136A1 (en) * 2016-05-24 2017-11-30 飞天诚信科技股份有限公司 One-time-password authentication method and device
CN106375287A (en) * 2016-08-30 2017-02-01 上海电享信息科技有限公司 Charging method for new energy automobile
CN106375287B (en) * 2016-08-30 2020-03-10 上海电享信息科技有限公司 Charging method of new energy automobile
CN108305078A (en) * 2017-01-11 2018-07-20 北京京东尚科信息技术有限公司 Program brush list recognition methods and equipment
CN108305078B (en) * 2017-01-11 2021-11-02 北京京东尚科信息技术有限公司 Program order-swiping identification method and device
CN109150891A (en) * 2018-09-05 2019-01-04 北京深思数盾科技股份有限公司 A kind of verification method, device and information safety devices
CN109286501A (en) * 2018-11-13 2019-01-29 北京深思数盾科技股份有限公司 Authentication method and encryption equipment for encryption equipment
CN109286501B (en) * 2018-11-13 2021-07-13 北京深思数盾科技股份有限公司 Authentication method for encryption device and encryption device
CN110941805A (en) * 2019-11-21 2020-03-31 北京达佳互联信息技术有限公司 Identity authentication method and device
CN110941805B (en) * 2019-11-21 2022-06-10 北京达佳互联信息技术有限公司 Identity authentication method and device
CN112398647A (en) * 2020-11-03 2021-02-23 武汉先同科技有限公司 Consumable dynamic encryption method for channel distribution management


Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right
    Owner name: SHANGHAI SHENGXUAN NETWORK TECHNOLOGY CO., LTD.
    Free format text: FORMER OWNER: SHANGHAI GUOKE ELECTRONIC CO., LTD.
    Effective date: 20130301
C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data
    Free format text: CORRECT: ADDRESS; FROM: 201210 PUDONG NEW AREA, SHANGHAI TO: 201203 PUDONG NEW AREA, SHANGHAI
TA01 Transfer of patent application right
    Effective date of registration: 20130301
    Address after: 201203 Shanghai Guo Shou Jing Road, Zhangjiang hi tech Park No. 356 building 3 room 126
    Applicant after: Shanghai Shengxuan Network Technology Co., Ltd.
    Address before: 201210, room 1, building 380, 108 Yin Yin Road, Shanghai, Pudong New Area
    Applicant before: Shanghai Guoke Electronic Co., Ltd.
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication
    Application publication date: 20110810