Summary of the invention
The technical problem to be solved by the present invention is to provide a two-factor authentication method based on a HASH chip or encryption chip, a method that can both guarantee the user's legal identity and guarantee that the user obtains service through a legitimate client.
To solve the above technical problem, the two-factor authentication method based on a HASH chip or encryption chip of the present invention comprises the following steps:
(1) the HASH chip or encryption chip used by the client is assigned a chip serial number and written with a randomly generated seed;
(2) when the client applies for authentication, it sends an authentication request to the server;
(3) after receiving the authentication request, the server sends a randomly generated security information string to the client;
(4) the client uses the HASH chip or encryption chip to combine the randomly generated security information string sent by the server with the seed built into the chip, and then performs HASH processing or encryption on the combination; the result is a dynamic verification code, and the chip serial number, the dynamic verification code, and the user name and password information are sent to the server;
(5) the server performs two-factor authentication using the chip serial number and dynamic verification code sent by the client as one authentication factor and the user name and password information as the other authentication factor, determines that the connecting party is a legitimate client and a legitimate user, and returns the authentication result to the client.
The beneficial effect of the present invention is: with the inventive method, the security check string used by each client on each login is randomly generated, achieving true "one key per session"; throughout the process only a one-way, irreversible HASH operation needs to be performed, which guarantees security to the greatest extent while improving processing efficiency and the server's concurrent processing capacity, and the network bandwidth consumed is also greatly reduced. The method is well suited to distributed device or user authentication over the Internet or a mobile network with large numbers of users and high concurrency. In addition, the method can both guarantee the user's legal identity (a valid user) and guarantee that the user obtains service through a legitimate client (ensuring the user uses a valid terminal), thereby improving security.
Embodiment
The present invention can use an economical and efficient HASH chip (a chip that implements a HASH algorithm) or encryption chip to perform two-factor authentication. HASH is generally translated as "hash" and is also directly transliterated as "Hash"; it is the transformation of an input of arbitrary length (also called the pre-mapping or pre-image) into an output of fixed length by means of a hashing algorithm, and this output is the hash value. In the present invention, first, the HASH chip or encryption chip used by the client is assigned a chip serial number and written with a randomly generated seed when it leaves the factory. When the client applies for authentication and the server receives the request, the server sends a randomly generated security information string to the client; the client uses the HASH chip or encryption chip to combine the random security information string sent by the server with the seed built into the chip and then performs HASH processing or encryption on the combination; the result is a dynamic verification code, and the chip serial number, dynamic verification code, and user name and password information are sent to the server. The server directly verifies the two factors, chip serial number plus dynamic verification code and user name plus password information, and finally determines that the connecting party is a legitimate client and a legitimate user.
As shown in Figure 1, the present invention provides a two-factor authentication method based on a HASH chip or encryption chip. The HASH chip or encryption chip used by the client of this method is assigned a chip serial number and written with a randomly generated seed when it leaves the factory; the seed is a random number sequence of fixed length. The method specifically comprises the following steps:
1. When the client applies for authentication, it sends an authentication request to the server. This request contains no authentication information; it merely notifies the server that a client is beginning the authentication process and asks the server to provide a random security information string.
2. The server generates a random security information string and sends it to the client. The server automatically generates the random security information string when the client requests authentication and sends it to the client; each client obtains a different security information string on each request.
3. The client uses the HASH chip or encryption chip to combine the random security information string sent by the server with the seed built into the chip, and then performs HASH processing or encryption on the combination; the result is a dynamic verification code.
The HASH processing refers to a one-way HASH transformation carried out by the HASH chip hardware. (This HASH transformation is a kind of compressing mapping: the space of hash values is usually much smaller than the space of inputs, different inputs may hash to the same output, and the input value cannot be uniquely determined from the hash value. Briefly, HASH is a function that compresses a message of arbitrary length into a message digest of a certain fixed length. HASH is mainly used in cryptographic algorithms in the information security field; it transforms information of various lengths into a 128-bit scrambled code, called the HASH value. One can also say that HASH is a mapping relation between data content and data storage address.) Using the hardware HASH chip, the random security information string sent by the server and the seed built into the chip are combined and then HASH-processed together, so that everything that has to be transmitted over the network never repeats and cannot be reversed for cracking.
In the case of an encryption chip, the seed is normally the encryption key, and nobody other than the encryption chip and the server holds this key. The encryption process therefore also has irreversibility similar to that of the HASH operation; that is, the encryption algorithm achieves an effect similar to the HASH operation.
4. The client sends the chip serial number and dynamic verification code, as one authentication factor, together with the user name and password information, as the other authentication factor, to the server as two-factor information. The user name and password information are entered manually by the user at the client. Neither purely automated authentication nor purely manual authentication can adequately guarantee the security and reliability of authentication, so two-factor authentication is adopted here, and the client must manually enter the relevant user name and password information.
5. The server performs two-factor authentication on the information sent by the client and returns the authentication result to the client. The server directly checks the user name and password information sent by the client against the authentication store (if they match, the user name and password authentication succeeds), and ensures that no user name and password information that could be reverse-cracked is kept on the server. At the same time, the chip serial number and dynamic verification code are compared with the secure authentication information obtained for that client; if they are identical, the chip serial number and dynamic verification code authentication succeeds. In addition, the random security information string contained in the dynamic verification code has a validity period: if, after the client requested the random security information string, the time taken to authenticate exceeds the validity period of the random security information string, authentication is judged to have failed. Only when both the chip serial number plus dynamic verification code and the user name plus password information have been authenticated successfully is authentication confirmed as passed; if either fails, authentication failure information is returned.
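The exchange described in steps (1) to (5) of the summary and in steps 1 to 5 of this embodiment, including the encryption-chip variant, can be traced end to end in the following added example. It is not code from the patent or from any product implementing it; the chip is replaced by a software stand-in, and everything it assumes is constructed: SHA-256 as the chip's HASH algorithm, HMAC-SHA256 standing in for the encryption chip's keyed transform, a 30-second validity window for the security information string, a salted PBKDF2 digest as the non-reversible form in which the server keeps passwords, and the serial number, seed, user name and password values.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

CHALLENGE_TTL_SECONDS = 30   # assumed validity window of a security information string

# --- Client side: a software stand-in for the HASH chip / encryption chip ---
# Serial number and factory-written seed are constructed sample values; on real
# hardware the seed stays inside the chip and is only ever used, never read out.
CHIP_SERIAL = "SN-000001"
CHIP_SEED = bytes.fromhex("1f" * 32)


def chip_hash_code(seed: bytes, challenge: bytes) -> str:
    """HASH-chip mode: one-way hash over (challenge || seed); SHA-256 is assumed."""
    return hashlib.sha256(challenge + seed).hexdigest()


def chip_cipher_code(seed: bytes, challenge: bytes) -> str:
    """Encryption-chip mode: the seed is the key of a keyed transform. HMAC-SHA256
    stands in for the chip's cipher (an assumption); without the key nobody can
    reproduce the output, which is the irreversibility the text relies on."""
    return hmac.new(seed, challenge, "sha256").hexdigest()


class Client:
    def __init__(self, serial: str, seed: bytes, chip=chip_hash_code):
        self.serial, self._seed, self._chip = serial, seed, chip

    def respond(self, challenge: bytes, user: str, password: str) -> dict:
        # Step 4: serial + dynamic code is one factor, user + password the other.
        return {"serial": self.serial, "code": self._chip(self._seed, challenge),
                "challenge": challenge, "user": user, "password": password}


# --- Server side ---
def _password_digest(password: str, salt: bytes) -> bytes:
    # Only a salted slow hash is stored, so the store holds nothing reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    def __init__(self, chip=chip_hash_code):
        self._chip = chip
        self.chips = {}     # serial -> server's copy of that chip's seed
        self.users = {}     # user -> (salt, digest)
        self.pending = {}   # challenge -> time it was issued

    def enroll_chip(self, serial: str, seed: bytes) -> None:
        self.chips[serial] = seed

    def register_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _password_digest(password, salt))

    def issue_challenge(self, now: Optional[float] = None) -> bytes:
        # Step 2: a fresh random string for every request, never reused.
        challenge = secrets.token_bytes(16)
        self.pending[challenge] = time.time() if now is None else now
        return challenge

    def authenticate(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        """Step 5: the challenge must be fresh and BOTH factors must verify."""
        now = time.time() if now is None else now
        issued = self.pending.pop(msg["challenge"], None)   # single use: a replay is unknown
        if issued is None:
            return False, "unknown or reused challenge"
        if now - issued > CHALLENGE_TTL_SECONDS:
            return False, "challenge expired"
        seed = self.chips.get(msg["serial"])
        chip_ok = seed is not None and hmac.compare_digest(
            self._chip(seed, msg["challenge"]), msg["code"])
        rec = self.users.get(msg["user"])
        user_ok = rec is not None and hmac.compare_digest(
            rec[1], _password_digest(msg["password"], rec[0]))
        if not (chip_ok and user_ok):
            return False, "authentication failed"   # same answer whichever factor failed
        return True, "authenticated"


def run_demo(chip=chip_hash_code) -> dict:
    """One legitimate login plus the failure cases step 5 must reject."""
    server, client = Server(chip), Client(CHIP_SERIAL, CHIP_SEED, chip)
    server.enroll_chip(CHIP_SERIAL, CHIP_SEED)
    server.register_user("alice", "correct horse")
    t0, results = 1_000_000.0, {}
    c = server.issue_challenge(now=t0)
    msg = client.respond(c, "alice", "correct horse")
    results["good"] = server.authenticate(msg, now=t0 + 5)
    results["replay"] = server.authenticate(msg, now=t0 + 6)          # same message again
    c = server.issue_challenge(now=t0)
    results["expired"] = server.authenticate(client.respond(c, "alice", "correct horse"), now=t0 + 60)
    c = server.issue_challenge(now=t0)
    results["bad_password"] = server.authenticate(client.respond(c, "alice", "wrong"), now=t0 + 1)
    c = server.issue_challenge(now=t0)
    rogue = Client(CHIP_SERIAL, bytes(32), chip)   # right serial, wrong seed: not a legal client
    results["wrong_seed"] = server.authenticate(rogue.respond(c, "alice", "correct horse"), now=t0 + 1)
    return results
```

`run_demo()` exercises the HASH-chip mode and `run_demo(chip_cipher_code)` the encryption-chip mode; both reject a replayed message, an expired security information string, a wrong password and a client with the right serial number but the wrong seed, and the server answers every factor failure with the same message so that a caller cannot tell which of the two factors was wrong. The `now` parameter exists only so the timing cases are reproducible; a deployment would use the clock.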
The inventive method has so far been used to implement distributed authentication for a number of embedded hardware systems: a seed is built into the HASH chip or encryption chip, and when a device connects to the server, the random security information string sent by the server is combined with the seed built into the chip and then HASH-processed or encrypted; the result is a dynamic verification code, and the chip serial number and dynamic verification code, together with the user name and password information, form the two authentication factors of the two-factor authentication. In addition, the method has also been applied to the authentication process for user accounts.