CN102281137A - Dynamic password authentication method of mutual-authentication challenge response mechanism - Google Patents
Dynamic password authentication method of mutual-authentication challenge response mechanism
- Publication number
- CN102281137A (application CN2010101992970A)
- Authority
- CN
- China
- Prior art keywords
- dynamic password
- password generator
- sequence number
- dynamic
- generator
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Abstract
The invention discloses a dynamic password authentication method with a mutual-authentication challenge-response mechanism. The method comprises the following steps: a dynamic password generator initiates an authentication session and transmits its sequence number to a server; the server processes the received generator sequence number to form a challenge code and sends the challenge code back to the dynamic password generator; the dynamic password generator verifies the received challenge code: if it is legal, the generator computes and displays a dynamic token A, and if it is illegal, the generator cancels the display and terminates; the user transmits the dynamic token A currently displayed by the generator to the server; the server receives dynamic token A, computes a dynamic token B in the same way, compares the two tokens, returns the comparison result to the dynamic password generator and closes the authentication session. Because the challenge code provided by the server side can be verified by the dynamic password generator, phishing websites and man-in-the-middle attacks are better prevented.
Description
Technical field
The present invention relates to dynamic password authentication, and in particular to a dynamic password authentication method with a mutual-authentication challenge-response mechanism.
Background technology
With the development of e-commerce, the security of customer accounts has become a major issue. Identity verification that relies solely on a static password for transactions suffers from serious problems such as password theft and guessing attacks. Dynamic password tokens were adopted to address these problems, but their authentication mode still has defects: most password products use a one-way authentication pattern, in which the traditional challenge-response mode of a dynamic password token only computes the dynamic password over a random number (the challenge code) handed to the client, and so falls short in security and in protection against phishing and man-in-the-middle attacks.
Summary of the invention
In view of the above problems, the invention provides a dynamic password authentication method with a mutual-authentication challenge-response mechanism that adds authentication of the server side.
The technical solution adopted by the invention is as follows:
A dynamic password authentication method of a mutual-authentication challenge-response mechanism is implemented by at least one server and at least one user's dynamic password generator and comprises the following steps:
S1, the dynamic password generator initiates an authentication session with the server and sends its generator sequence number to the server;
S2, the server processes the received generator sequence number with a cryptographic algorithm to form a challenge code and sends it back to the dynamic password generator;
S3, the dynamic password generator verifies the received challenge code; if the challenge code is illegal, the generator cancels the display and terminates the procedure; if it is legal, the generator computes dynamic password A with the cryptographic algorithm and displays it;
S4, the dynamic password generator sends the dynamic password A currently displayed to the server;
S5, after receiving dynamic password A, the server computes dynamic password B with the same algorithm as the dynamic password generator, compares dynamic password A with dynamic password B to obtain the authentication result, returns the result to the generator and closes the authentication session.
Further, the challenge code in S2 is produced with the AES cryptographic algorithm, specifically:
S2-1, the server generates a random number;
S2-2, the server performs an AES computation over the received generator sequence number and its corresponding cryptographic seed parameter, and takes two specified bytes of the result, each reduced modulo 10;
S3-3, the two remainders are appended to the end of the random number generated by the server to form the challenge code.
Further, in S2, before the server processes the received generator sequence number with the cryptographic algorithm, the method also comprises a step of verifying the dynamic password generator sequence number.
Further, the generator sequence number is verified as follows: the generator sequence number is pre-stored on the server; after the server receives the sequence number sent by the generator, it compares the pre-stored sequence number with the received sequence number; if they match, processing continues, otherwise the procedure terminates.
Further, when the comparison of the generator sequence number fails, the method further comprises a step of sending the dynamic password generator a message indicating that the sequence number does not exist.
Further, generating the dynamic password comprises: encrypting the seed with the AES algorithm using Salt as the key, in ECB mode (that is, directly calling the block encryption function), to produce one 128-bit ciphertext block;
the high-order N bytes of this ciphertext block are taken, each is divided by 10 and the remainder is used as one digit of the final dynamic password, giving a dynamic password of N decimal digits.
Beneficial effect of the present invention
Because the dynamic password generator of the invention verifies the challenge code provided by the server side, this mutual-authentication mechanism gives better protection against phishing websites and man-in-the-middle attacks.
Description of drawings
Fig. 1 is a flow chart of one specific embodiment of the invention.
Embodiment
To describe the invention better, it is described in detail below with reference to the drawing.
This scheme adds authentication of the server side by the client to the dynamic password authentication mode of the traditional challenge-response mechanism (a dynamic password is generally generated by a special algorithm on a handheld terminal with a built-in battery, an algorithm chip and a display; it changes at fixed time intervals, and a password becomes invalid once it has been used or once its interval has passed). The details are as follows:
In step 101, the dynamic password generator initiates an authentication session with the server and sends its generator sequence number to the server side;
In step 102, the server verifies whether the received generator sequence number is legal. The verification is as follows: the generator sequence number is pre-stored on the server; after receiving the sequence number sent by the generator, the server compares the pre-stored sequence number with the received sequence number; if they match, step 104 is performed; otherwise the procedure terminates in step 103 and the generator is told that the sequence number does not exist.
In step 104, the server performs an AES computation over the received generator sequence number, using a particular parameter that corresponds to that sequence number as the key, reduces two specified bytes of the result modulo 10, appends the remainders to the end of a server-generated random number to form a 6- or 8-digit challenge code, and sends it back to the dynamic password generator;
In step 105, the dynamic password generator verifies the received challenge code; if the challenge code is illegal, the generator cancels the display and terminates the procedure in step 107; if it is legal, the generator computes dynamic password A with the cryptographic algorithm in step 106 and displays it;
In step 108, the dynamic password generator sends the currently displayed dynamic password A to the server;
After receiving dynamic password A, the server computes dynamic password B in step 109 with the same algorithm as the dynamic password generator, compares dynamic password A with dynamic password B to obtain the authentication result, and in step 110 returns the result to the generator and closes the authentication session.
The algorithm principle of the above dynamic password is as follows:
The dynamic password uses the AES algorithm: the dynamic password generator produces a 6-digit decimal one-time password from a 128-bit seed (Seed) and a 128-bit salt (Salt). For a given generator, the Seed is a 128-bit true random number written into the handheld terminal at manufacture and kept there, so for a particular terminal it is a constant. The Salt is 128 bits of data composed of the sequence number, the time and filler. In the present algorithm one password is produced per minute: the time is counted in minutes, and the seconds field of the real-time clock is filled with 0 when it enters the computation. To make cracking harder, the algorithm can be modified to produce a password every 30 s, or customized to customer requirements.
The process of generating the above OTP (dynamic password) is: the seed is encrypted with AES (the 128-bit block, 128-bit key version) using Salt as the key, in ECB mode (simply calling the block encryption function directly), with no padding. This yields one 128-bit ciphertext block. To obtain an OTP of N decimal digits from it (N=6 in the current implementation, or a length customized to customer requirements), the high-order N bytes of the ciphertext block are taken and each byte is reduced modulo 10 to give one digit of the final OTP.
For example, if the AES algorithm yields the following ciphertext block:
0x11 0x22 0x33 0x44 0x55 0x66 0x77 0x88
0x99 0xAA 0xBB 0xCC 0xDD 0xEE 0xFF 0x00
then the bytes 0x11 0x22 0x33 0x44 0x55 0x66 (17, 34, 51, 68, 85, 102) are taken,
and after truncation the result is: 741852
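The following Go program is an added example, not code from the patent or its applicant, that models both the authentication session of steps 101-110 and the OTP derivation just described, using Go's standard-library AES. The patent does not fix the byte layout of the 128-bit Salt, which AES input the two challenge check digits are taken from, or how the challenge enters the password computation; the layout in buildSalt (serial, minute counter, the challenge's 4 random digits as filler), the choice of output bytes 14 and 15 in checkDigits, the 6-digit challenge format (4 random digits plus 2 check digits) and the sample seed are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// digitsFromBlock is the patent's truncation: the high-order n bytes of the
// 16-byte AES output, each reduced modulo 10, become n decimal digits.
func digitsFromBlock(block []byte, n int) string {
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = '0' + block[i]%10
	}
	return string(out)
}

// aesBlock is one raw AES-128 block encryption (single-block ECB, no padding).
func aesBlock(key, in []byte) []byte {
	c, err := aes.NewCipher(key) // key and in are both 16 bytes
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, in)
	return out
}

// buildSalt packs sequence number, minute counter and the challenge's 4 random
// digits into the 128-bit Salt (layout and filler choice are assumptions).
func buildSalt(serial, minute uint64, random string) []byte {
	salt := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(salt[0:8], serial)
	binary.BigEndian.PutUint32(salt[8:12], uint32(minute))
	copy(salt[12:16], random) // 4 ASCII digits as the filler
	return salt
}

// dynamicPassword is the patent's OTP: AES_Salt(Seed) truncated to n digits.
func dynamicPassword(seed []byte, serial, minute uint64, random string, n int) string {
	return digitsFromBlock(aesBlock(buildSalt(serial, minute, random), seed), n)
}

// checkDigits: AES over the serial under the token's seed, bytes 14-15 mod 10 (assumed bytes).
func checkDigits(seed []byte, serial uint64) string {
	in := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(in[0:8], serial)
	return digitsFromBlock(aesBlock(seed, in)[14:16], 2)
}

// Server holds the seed pre-provisioned per sequence number; Token knows only its own.
type Server struct{ seeds map[uint64][]byte }
type Token struct {
	serial uint64
	seed   []byte
}

// Challenge covers steps 102-104: unknown serial is rejected (step 103), else random + check digits.
func (s *Server) Challenge(serial uint64) (string, error) {
	seed, ok := s.seeds[serial]
	if !ok {
		return "", errors.New("sequence number does not exist")
	}
	r, err := rand.Int(rand.Reader, big.NewInt(10000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%04d", r.Int64()) + checkDigits(seed, serial), nil
}

// Respond covers steps 105-107: bad check digits cancel the display, else password A is computed.
func (t *Token) Respond(challenge string, minute uint64) (string, error) {
	if len(challenge) != 6 || challenge[4:] != checkDigits(t.seed, t.serial) {
		return "", errors.New("illegal challenge code, display cancelled")
	}
	return dynamicPassword(t.seed, t.serial, minute, challenge[:4], 6), nil
}

// Verify covers steps 109-110: recompute password B and compare it with A.
func (s *Server) Verify(serial uint64, challenge, passwordA string, minute uint64) bool {
	seed, ok := s.seeds[serial]
	if !ok || len(challenge) != 6 {
		return false
	}
	b := dynamicPassword(seed, serial, minute, challenge[:4], 6)
	return subtle.ConstantTimeCompare([]byte(passwordA), []byte(b)) == 1
}

func main() {
	seed := []byte("constructed-seed") // constructed 16-byte sample; a real Seed is 128 random bits
	tok := &Token{serial: 10199297, seed: seed}
	srv := &Server{seeds: map[uint64][]byte{tok.serial: seed}}
	minute := uint64(time.Now().Unix() / 60)
	chal, _ := srv.Challenge(tok.serial)
	a, err := tok.Respond(chal, minute)
	fmt.Println("challenge", chal, "password A", a, err, "authenticated:", srv.Verify(tok.serial, chal, a, minute))
}
```

Two points worth noticing when reading this against the patent text. First, as the patent describes them, the two check digits are computed only from the sequence number and the seed, so for a given token they are the same in every session; they prove that the server holds that token's seed, but they do not bind the random part of the challenge, and an implementation wanting that binding would have to feed the random number into the AES input as well. Second, the server's comparison of A and B is done with a constant-time compare, and both sides must agree on the minute counter, which is why the one-minute (or 30 s) window in the text matters for usability as much as for security.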
The invention has been described in detail above through specific embodiments, but those skilled in the art should understand that the invention is not limited to the above embodiments; any modification, equivalent substitution and the like made within the spirit and principles of the invention should fall within its scope of protection.
Claims (6)
1. A dynamic password authentication method of a mutual-authentication challenge-response mechanism, implemented by at least one server and at least one user's dynamic password generator, characterized in that it comprises the following steps:
S1, the dynamic password generator initiates an authentication session with the server and sends its generator sequence number to the server;
S2, the server processes the received generator sequence number with a cryptographic algorithm to form a challenge code and sends it back to the dynamic password generator;
S3, the dynamic password generator verifies the received challenge code; if the challenge code is illegal, the generator cancels the display and terminates the procedure; if it is legal, the generator computes dynamic password A with the cryptographic algorithm and displays it;
S4, the dynamic password generator sends the dynamic password A currently displayed to the server;
S5, after receiving dynamic password A, the server computes dynamic password B with the same algorithm as the dynamic password generator, compares dynamic password A with dynamic password B to obtain the authentication result, returns the result to the generator and closes the authentication session.
2. The dynamic password authentication method of a mutual-authentication challenge-response mechanism according to claim 1, characterized in that:
the challenge code in S2 is produced with the AES cryptographic algorithm, specifically:
S2-1, the server generates a random number;
S2-2, the server performs an AES computation over the received generator sequence number and its corresponding cryptographic seed parameter, and takes two specified bytes of the result, each reduced modulo 10;
S3-3, the two remainders are appended to the end of the random number generated by the server to form the challenge code.
3. The dynamic password authentication method of a mutual-authentication challenge-response mechanism according to claim 2, characterized in that: in S2, before the server processes the received generator sequence number with the cryptographic algorithm, the method also comprises a step of verifying the dynamic password generator sequence number.
4. The dynamic password authentication method of a mutual-authentication challenge-response mechanism according to claim 3, characterized in that: the generator sequence number is verified as follows: the generator sequence number is pre-stored on the server; after the server receives the sequence number sent by the generator, it compares the pre-stored sequence number with the received sequence number; if they match, processing continues, otherwise the procedure terminates.
5. The dynamic password authentication method of a mutual-authentication challenge-response mechanism according to claim 4, characterized in that: when the comparison of the generator sequence number fails, the method further comprises a step of sending the dynamic password generator a message indicating that the sequence number does not exist.
6. The dynamic password authentication method of a mutual-authentication challenge-response mechanism according to claim 1, characterized in that generating the dynamic password comprises: encrypting the seed with the AES algorithm using Salt as the key, in ECB mode (that is, directly calling the block encryption function), to produce one 128-bit ciphertext block;
the high-order N bytes of this ciphertext block are taken, each is divided by 10 and the remainder is used as one digit of the final dynamic password, giving a dynamic password of N decimal digits.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010101992970A CN102281137A (en) | 2010-06-12 | 2010-06-12 | Dynamic password authentication method of mutual-authentication challenge response mechanism |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010101992970A CN102281137A (en) | 2010-06-12 | 2010-06-12 | Dynamic password authentication method of mutual-authentication challenge response mechanism |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102281137A true CN102281137A (en) | 2011-12-14 |
Family
ID=45106336
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2010101992970A Pending CN102281137A (en) | 2010-06-12 | 2010-06-12 | Dynamic password authentication method of mutual-authentication challenge response mechanism |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102281137A (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102904883A (en) * | 2012-09-25 | 2013-01-30 | 上海交通大学 | Man-in-middle attack defense method of online trading system |
CN103297413A (en) * | 2012-01-28 | 2013-09-11 | 查平 | Sharable online file secure safe |
CN103580874A (en) * | 2013-11-15 | 2014-02-12 | 清华大学 | Identity authentication method and system and password protection device |
CN104378199A (en) * | 2014-12-05 | 2015-02-25 | 珠海格力电器股份有限公司 | Dynamic password generating method and system and dynamic password generator of unit |
CN104410498A (en) * | 2014-12-03 | 2015-03-11 | 上海众人科技有限公司 | Dynamic password authentication method and system |
WO2015032248A1 (en) * | 2013-09-06 | 2015-03-12 | 天地融科技股份有限公司 | Token, dynamic password generation method, and dynamic password authentication method and system |
CN104426662A (en) * | 2013-09-05 | 2015-03-18 | 珠海格力电器股份有限公司 | Physical equipment login password processing method and device |
CN105024813A (en) * | 2014-04-15 | 2015-11-04 | 中国银联股份有限公司 | Server, user equipment and interactive method of the user equipment and the server |
CN105530094A (en) * | 2014-09-28 | 2016-04-27 | 中国移动通信集团公司 | Method, device and system for identity authentication and cipher device |
CN105807681A (en) * | 2016-03-04 | 2016-07-27 | 广东格兰仕集团有限公司 | Method for guaranteeing communication safety of smart products |
CN108040030A (en) * | 2017-10-24 | 2018-05-15 | 武汉米风通信技术有限公司 | Position message mutual authentication method |
CN108234519A (en) * | 2013-09-30 | 2018-06-29 | 瞻博网络公司 | Detect and prevent the man-in-the-middle attack on encryption connection |
CN108964884A (en) * | 2017-05-24 | 2018-12-07 | 武汉斗鱼网络科技有限公司 | Generation method, storage medium, electronic equipment and the system of mobile terminal dynamic password |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1569381A1 (en) * | 2004-02-24 | 2005-08-31 | Intersil Americas INC. | System and method for authentification |
CN1703002A (en) * | 2005-07-05 | 2005-11-30 | 江苏乐希科技有限公司 | Portable one-time dynamic password generator and security authentication system using the same |
CN1992590A (en) * | 2005-12-29 | 2007-07-04 | 盛大计算机(上海)有限公司 | Identity authentication system of network user and method |
US20070277224A1 (en) * | 2006-05-24 | 2007-11-29 | Osborn Steven L | Methods and Systems for Graphical Image Authentication |
CN101163014A (en) * | 2007-11-30 | 2008-04-16 | 中国电信股份有限公司 | Dynamic password identification authenticating system and method |
CN101252437A (en) * | 2008-01-15 | 2008-08-27 | 深圳市九思泰达技术有限公司 | Dynamic verification method, system and apparatus of client terminal identification under C/S architecture |
Timeline: 2010-06-12, application CN2010101992970A filed (publication CN102281137A), status Pending.
Non-Patent Citations (2)
Title |
---|
Huang Chaoyang, Xu Ying: "An improved dynamic password authentication scheme based on a challenge-response mechanism", China Information Technology (《中国信息科技》), No. 4, 2009-02-28 * |
Huang Chaoyang, Xu Ying: "An improved dynamic password authentication scheme based on a challenge-response mechanism", China Information Technology (《中国信息科技》) * |
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103297413A (en) * | 2012-01-28 | 2013-09-11 | 查平 | Sharable online file secure safe |
CN103297413B (en) * | 2012-01-28 | 2018-02-02 | 查平 | A kind of security network document storing method and system |
CN102904883A (en) * | 2012-09-25 | 2013-01-30 | 上海交通大学 | Man-in-middle attack defense method of online trading system |
CN102904883B (en) * | 2012-09-25 | 2015-07-08 | 上海交通大学 | Man-in-middle attack defense method of online trading system |
CN104426662A (en) * | 2013-09-05 | 2015-03-18 | 珠海格力电器股份有限公司 | Physical equipment login password processing method and device |
CN104426662B (en) * | 2013-09-05 | 2018-11-06 | 珠海格力电器股份有限公司 | The processing method and processing device of physical equipment login password |
WO2015032248A1 (en) * | 2013-09-06 | 2015-03-12 | 天地融科技股份有限公司 | Token, dynamic password generation method, and dynamic password authentication method and system |
CN108234519B (en) * | 2013-09-30 | 2020-11-24 | 瞻博网络公司 | Detecting and preventing man-in-the-middle attacks on encrypted connections |
CN108234519A (en) * | 2013-09-30 | 2018-06-29 | 瞻博网络公司 | Detect and prevent the man-in-the-middle attack on encryption connection |
CN103580874B (en) * | 2013-11-15 | 2017-01-04 | 清华大学 | Identity identifying method, system and cipher protection apparatus |
CN103580874A (en) * | 2013-11-15 | 2014-02-12 | 清华大学 | Identity authentication method and system and password protection device |
CN105024813A (en) * | 2014-04-15 | 2015-11-04 | 中国银联股份有限公司 | Server, user equipment and interactive method of the user equipment and the server |
CN105024813B (en) * | 2014-04-15 | 2018-06-22 | 中国银联股份有限公司 | A kind of exchange method of server, user equipment and user equipment and server |
CN105530094B (en) * | 2014-09-28 | 2019-04-23 | 中国移动通信集团公司 | A kind of identity identifying method, device, system and scrambler |
CN105530094A (en) * | 2014-09-28 | 2016-04-27 | 中国移动通信集团公司 | Method, device and system for identity authentication and cipher device |
CN104410498B (en) * | 2014-12-03 | 2018-04-03 | 上海众人网络安全技术有限公司 | A kind of dynamic password authentication method and its system |
CN104410498A (en) * | 2014-12-03 | 2015-03-11 | 上海众人科技有限公司 | Dynamic password authentication method and system |
CN104378199B (en) * | 2014-12-05 | 2018-05-25 | 珠海格力电器股份有限公司 | A kind of generation method, system and the time dynamic password generator of unit dynamic password |
CN104378199A (en) * | 2014-12-05 | 2015-02-25 | 珠海格力电器股份有限公司 | Dynamic password generating method and system and dynamic password generator of unit |
CN105807681A (en) * | 2016-03-04 | 2016-07-27 | 广东格兰仕集团有限公司 | Method for guaranteeing communication safety of smart products |
CN108964884A (en) * | 2017-05-24 | 2018-12-07 | 武汉斗鱼网络科技有限公司 | Generation method, storage medium, electronic equipment and the system of mobile terminal dynamic password |
CN108040030A (en) * | 2017-10-24 | 2018-05-15 | 武汉米风通信技术有限公司 | Position message mutual authentication method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102281137A (en) | Dynamic password authentication method of mutual-authentication challenge response mechanism | |
TW201812630A (en) | Block chain identity system | |
US8132020B2 (en) | System and method for user authentication with exposed and hidden keys | |
Nyang et al. | Keylogging-resistant visual authentication protocols | |
CN101197667B (en) | Dynamic password authentication method | |
US20130042111A1 (en) | Securing transactions against cyberattacks | |
CN105072125B (en) | A kind of http communication system and method | |
CN103929307A (en) | Password input method, intelligent secret key device and client device | |
CN1879072A (en) | System and method providing disconnected authentication | |
CN103036681B (en) | A kind of password safety keyboard device and system | |
CN109361508A (en) | Data transmission method, electronic equipment and computer readable storage medium | |
CN104125064B (en) | A kind of dynamic cipher authentication method, client and Verification System | |
EP2840735A1 (en) | Electronic cipher generation method, apparatus and device, and electronic cipher authentication system | |
CN108040048A (en) | A kind of mobile client end subscriber dynamic secret key encryption communication method based on http protocol | |
CN106685644A (en) | Communication encryption method, apparatus, gateway, server, intelligent terminal and system | |
CN113067823A (en) | Mail user identity authentication and key distribution method, system, device and medium | |
SG175860A1 (en) | Methods of robust multi-factor authentication and authorization and systems thereof | |
JP5324813B2 (en) | Key generation apparatus, certificate generation apparatus, service provision system, key generation method, certificate generation method, service provision method, and program | |
CN102227106B (en) | Method and system for intelligent secret key equipment to communicate with computer | |
US11693944B2 (en) | Visual image authentication | |
Long et al. | Energy-efficient and intrusion-resilient authentication for ubiquitous access to factory floor information | |
Kaur et al. | A comparative analysis of various multistep login authentication mechanisms | |
WO2006062838A1 (en) | Anti-phising logon authentication object oriented system and method | |
CN103929743B (en) | A kind of encryption method to mobile intelligent terminal transmission data | |
CN103825740B (en) | A kind of mobile terminal payment password Transmission system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 2011-12-14