CN103368918A - Method, device and system for dynamic password authentication - Google Patents

Info

Publication number
CN103368918A
Authority
CN
China
Legal status
Pending
Application number
CN2012100965848A
Other languages
Chinese (zh)
Inventor
王超
孙芃
龚瑞男
田鹏伟
Current Assignee
Siemens AG
Original Assignee
Siemens AG

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method, a device and a system for dynamic password authentication, intended to prevent dynamic passwords from being illegally obtained or intercepted and to improve the security of dynamic password authentication. The method comprises: receiving an authentication request from a user, generating a digit sequence according to the authentication request, and computing a first dynamic password from the digit sequence according to an algorithm set by the user; sending the digit sequence to the user; and receiving a second dynamic password that the user has computed from the digit sequence, comparing the second dynamic password with the first dynamic password, and succeeding if the two passwords are identical and failing otherwise.

Description

A dynamic password authentication method, apparatus and system
Technical field
The present invention relates to the field of secure authentication technology, and in particular to a dynamic password authentication method, apparatus and system.
Background technology
With the development of networks, e-commerce and network-based transactions have become increasingly common, and the security problems of the Internet have become increasingly prominent. The traditional static password authentication method, i.e. authentication by a static user name and password, has many potential security hazards and is difficult to defend against attacks by hackers. For example, static passwords are easily monitored on the network, leading to information leakage; account and password information are easily intercepted, leading to impersonated logins; and a static password is easily guessed by an acquaintance. Although some companies require customers to change their password at least once every 90 days, static password authentication still easily leads to loss of customer property and damages the reputation of the company.
To prevent continually evolving network attacks, many improved security authentication methods have appeared. One relatively effective approach is to authenticate with a dynamic password (One Time Password, OTP, also called a one-time password), where a new password is generated for every authentication. In practice, one method uses a hardware dynamic password token to generate the dynamic password. The token is a hardware device, held by the user, that can generate random dynamic passwords: using a time-synchronized sequence together with stored characteristic information (unique information such as a random seed or a sequence table), it computes the dynamic password for the current time according to a special algorithm and displays it to the user. The main function of the token is thus to generate a dynamic password and show it on the display on the front of the physical device so that the user can authenticate with it; each dynamic password is used once only. However, hardware tokens are relatively expensive, and every hardware device has a certain life cycle after which it must be upgraded or bought again, which is costly.
Another OTP authentication method sends the dynamic password by Short Message Service (SMS), i.e. a mobile terminal replaces the hardware token. When a user carrying a mobile terminal needs to log in, the authentication server verifies the user's PIN and, if the verification passes, sends a short message containing a dynamic password to the user's mobile terminal; the user then logs in with the dynamic password contained in the short message. Although sending the dynamic password by SMS saves cost, the dynamic password in the short message is in plain text form and is not protected by encryption, so there are still potential security hazards. For example, some users often leave their mobile phone on the desk, so other people can easily obtain the dynamic password in the short message; some hackers can even use special communication equipment to intercept the wirelessly transmitted short message containing the dynamic password, and as long as the intercepted dynamic password is still valid, an impersonated login is possible.
Summary of the invention
In view of this, the invention provides a dynamic password authentication method that prevents the dynamic password from being illegally obtained or intercepted and improves the security of dynamic password authentication. The present invention also provides a dynamic password authentication apparatus and system.
According to an embodiment of the present invention, a dynamic password authentication method is provided, comprising:
receiving an authentication request from a user, generating a digit sequence according to the authentication request, and computing a first dynamic password from the digit sequence according to an algorithm set by the user;
sending the digit sequence to the user;
receiving a second dynamic password that the user has computed from the digit sequence, and comparing the second dynamic password with the first dynamic password; if the two are identical, authentication succeeds, otherwise authentication fails.
It can be seen from the above scheme that, after receiving the user's authentication request, the server generates a digit sequence according to the request, computes the first dynamic password from the digit sequence according to the algorithm set by the user, and sends the digit sequence to the user; it then receives the second dynamic password that the user has computed from the received digit sequence and compares it with the first dynamic password in order to authenticate the user's request. This avoids the security hazard that exists when the dynamic password itself is sent to the user, and so improves the security of delivering the dynamic password; and because the user computes the second dynamic password from the digit sequence, it also avoids the security hazard of storing the user-set algorithm in a hardware device that computes the second dynamic password.
Optionally, the authentication request sent by the user is received via an authentication agent; the digit sequence is sent to the authentication agent, and the user obtains the digit sequence from the authentication agent; and the second dynamic password sent by the user is received via the authentication agent.
Preferably, the authentication request sent by the user is received via an authentication agent; the digit sequence is sent to a short message service center, which sends it to the user's mobile terminal, and the user obtains the digit sequence from the mobile terminal; and the second dynamic password sent by the user is received via the short message service center or the authentication agent.
Preferably, the digit sequence is carried in a short message sent to the short message service center, and the short message service center delivers the short message carrying the digit sequence to the user's mobile terminal.
Preferably, the authentication request carries a user ID and a PIN. Before the user's authentication request is received, the user's user ID and PIN are registered; the user ID and PIN are used to verify the user's legitimate identity. After the user's authentication request is received, the user ID and PIN carried in the request are compared with the registered user ID and PIN, and if they match, the digit sequence used for computing the dynamic password is generated according to the authentication request.
By comparing the user ID and PIN carried in the authentication request with the registered user ID and PIN, the digit sequence used for computing the dynamic password is generated only after the user's identity has been confirmed as legitimate, which further improves the security of the authentication process.
Preferably, when the first dynamic password is computed from the digit sequence according to the algorithm set by the user, the digit sequence is processed with that algorithm to obtain the first dynamic password, and the generation time, the life cycle and an authentication state indicating whether authentication has already been performed are obtained for the first dynamic password.
Preferably, upon receiving the second dynamic password computed by the user from the digit sequence, the generation time, life cycle and authentication state corresponding to the first dynamic password are retrieved; if the first dynamic password is determined to have expired from its generation time and life cycle, or the authentication state shows that authentication has already been performed with the first dynamic password, the authentication fails; otherwise the second dynamic password is compared with the first dynamic password, and if they are identical the authentication succeeds.
Embodiments of the present invention also provide a dynamic password authentication apparatus, comprising:
a first processing unit, for receiving a user's authentication request, generating a digit sequence according to the request, and computing a first dynamic password from the digit sequence according to an algorithm set by the user;
a second processing unit, for sending the digit sequence to the user;
a third processing unit, for receiving a second dynamic password that the user has computed from the digit sequence and comparing it with the first dynamic password; if the two are identical, authentication succeeds, otherwise authentication fails.
Optionally, the first processing unit is specifically for receiving the authentication request sent by the user via an authentication agent;
the second processing unit is specifically for sending the digit sequence to the authentication agent, from which the user obtains it;
the third processing unit is specifically for receiving the second dynamic password sent by the user via the authentication agent.
Preferably, the first processing unit is specifically for receiving the authentication request sent by the user via an authentication agent;
the second processing unit is specifically for sending the digit sequence to a short message service center, which sends it to the user's mobile terminal, from which the user obtains it;
the third processing unit is specifically for receiving the second dynamic password sent by the user via the short message service center or the authentication agent.
Preferably, the second processing unit is specifically for carrying the digit sequence in a short message sent to the short message service center, which delivers the short message carrying the digit sequence to the user's mobile terminal.
Preferably, the authentication request carries a user ID and a PIN; the first processing unit is further for registering the user's user ID and PIN before the user's authentication request is received, the user ID and PIN being used to verify the user's legitimate identity; and the first processing unit is further for comparing, after the user's authentication request is received, the user ID and PIN carried in the request with the registered user ID and PIN, and, if they match, generating the digit sequence used for computing the dynamic password according to the authentication request.
Preferably, when computing the first dynamic password from the digit sequence according to the algorithm set by the user, the first processing unit is specifically for processing the digit sequence with that algorithm to obtain the first dynamic password and for obtaining the generation time, the life cycle and an authentication state indicating whether authentication has already been performed for the first dynamic password.
Preferably, the third processing unit is specifically for:
receiving the second dynamic password computed by the user from the digit sequence, retrieving the generation time, life cycle and authentication state corresponding to the first dynamic password, and failing the authentication if the first dynamic password is determined to have expired from its generation time and life cycle, or the authentication state shows that authentication has already been performed with the first dynamic password;
otherwise, comparing the second dynamic password with the first dynamic password, and succeeding if they are identical.
Embodiments of the present invention also provide a dynamic password authentication system, comprising:
an authentication agent, for sending the user's authentication request to an authentication server and receiving the authentication result returned by the authentication server, and for receiving the second dynamic password entered by the user and sending it to the authentication server;
an authentication server, for receiving the user's authentication request, generating a digit sequence according to the request, computing a first dynamic password from the digit sequence according to the algorithm set by the user, sending the digit sequence to the user, receiving the second dynamic password that the user has computed from the digit sequence and sent via the authentication agent, and comparing the second dynamic password with the first dynamic password; if the two are identical, authentication succeeds, otherwise authentication fails.
Preferably, the dynamic password authentication system further comprises a short message service center and the user's mobile terminal;
the authentication server is further for sending the digit sequence to the short message service center;
the short message service center is for sending the digit sequence to the user's mobile terminal;
the user's mobile terminal is for receiving the digit sequence sent by the authentication server via the short message service center and providing it to the user.
Preferably, the authentication server is specifically for carrying the digit sequence in a short message sent to the short message service center;
the short message service center is specifically for delivering the short message carrying the digit sequence to the user's mobile terminal.
The above technical scheme avoids the security hazard of sending the dynamic password directly and improves the security of delivering the dynamic password; because the user computes the second dynamic password from the digit sequence, it also avoids the security hazard of storing the user-set algorithm in a hardware device that computes the second dynamic password, prevents the dynamic password from being illegally obtained or intercepted, and improves the security of dynamic password authentication. In addition, sending the digit sequence to the user as a short message via the user's mobile terminal avoids the high cost of hardware dynamic password tokens, which not only reduces the implementation cost of the technical scheme of the present invention but also preserves the security of dynamic password authentication.
Description of drawings
The above characteristics, technical features, advantages and implementations of the present invention will be further described below through a detailed description of preferred embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a flow chart of the dynamic password authentication method in an embodiment of the invention;
Fig. 2 is a detailed flow chart of the dynamic password authentication method in an embodiment of the invention;
Fig. 3 is an architecture diagram of the dynamic password authentication system in an embodiment of the invention;
Fig. 4 is an architecture diagram of another dynamic password authentication system in an embodiment of the invention;
Fig. 5 is a schematic structural diagram of the dynamic password authentication apparatus in an embodiment of the invention.
Embodiment
To avoid the security hazard of sending the dynamic password directly, to prevent the dynamic password from being illegally obtained or intercepted, and to improve the security of dynamic password authentication, embodiments of the invention provide a dynamic password authentication method, apparatus and system.
Preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings.
As shown in Fig. 1, in an embodiment of the invention the flow of dynamic password authentication is as follows:
Step 101: receive the user's authentication request, generate a digit sequence according to the request, and compute a first dynamic password from the digit sequence according to the algorithm set by the user;
Step 102: send the digit sequence to the user;
Step 103: receive the second dynamic password that the user has computed from the digit sequence and compare it with the first dynamic password; if the two are identical, authentication succeeds, otherwise authentication fails.
In one specific embodiment, dynamic password authentication is performed by an authentication server. The authentication server receives the authentication request sent by the user via an authentication agent, generates a digit sequence according to the request, computes the first dynamic password from the digit sequence according to the algorithm set by the user, and sends the digit sequence to the user via the authentication agent. After obtaining the digit sequence through the authentication agent and computing the second dynamic password on their own, the user enters the second dynamic password into the authentication agent, which sends it to the authentication server. Having received the second dynamic password sent by the user via the authentication agent, the authentication server compares it with the first dynamic password; if the two are identical, authentication succeeds, otherwise authentication fails.
In a further preferred embodiment, dynamic password authentication is again performed by an authentication server. The authentication server receives the authentication request sent by the user via an authentication agent, generates a digit sequence according to the request, computes the first dynamic password from the digit sequence according to the algorithm set by the user, and sends the digit sequence to a short message service center; the short message service center sends the digit sequence to the user's mobile terminal; and the user obtains the digit sequence from the mobile terminal. After computing the second dynamic password from the digit sequence, the user may enter it either into the mobile terminal or into the authentication agent: if the user enters the second dynamic password into the mobile terminal, the mobile terminal sends it to the short message service center, which forwards it to the authentication server; if the user enters the second dynamic password into the authentication agent, the authentication agent sends it to the authentication server. The authentication server then compares the second dynamic password with the first dynamic password; if the two are identical, authentication succeeds, otherwise authentication fails.
In practice, besides being sent to the user's mobile terminal, the digit sequence may also be sent to other kinds of terminal equipment; the terminal equipment only needs to have network communication capability. Correspondingly, the authentication server sends the digit sequence to a message center, which forwards it to the terminal equipment with network communication capability. Depending on the specific application, the message center may be a server.
Preferably, the authentication server carries the digit sequence in a short message sent to the short message service center, which then delivers the short message carrying the digit sequence to the user's mobile terminal.
Preferably, the authentication server generates the digit sequence randomly according to the authentication request. In practice there are many ways of generating a digit sequence according to an authentication request, for example according to a specific algorithm; the embodiments of the invention only require that the digit sequences generated for different authentication requests be different.
When the user computes the second dynamic password from the digit sequence, the user need not use any software and/or hardware device; the user alone computes the second dynamic password according to the algorithm they have set. In practice this is not the only option: the user may also be assisted by software and/or hardware in computing the second dynamic password, but that software and/or hardware does not store the user-set algorithm; it serves only as an aid to the user's computation of the second dynamic password and is independent of the security authentication system.
Optionally, before sending the authentication request to the authentication server, the user registers a user ID, a PIN, a user-defined algorithm and a terminal equipment identifier through a registration interface provided by the authentication server. When the user sends the authentication request via the authentication agent, the request carries the user ID and PIN; the authentication server compares the user ID and PIN carried in the request with the registered user ID and PIN, and only when they match, i.e. when the user is recognised as a legitimate user, does it generate the digit sequence used for computing the dynamic password according to the request.
The terminal equipment identifier registered by the user may be the identifier of any of the user's terminal equipment that can receive messages sent by the authentication server, for example the identifier of any of the user's terminal equipment with network communication capability, such as the IP address of a client personal computer. Preferably, the terminal identifier is the identifier of the user's mobile terminal, for example the user's phone number.
In a preferred embodiment, when generating the first dynamic password the authentication server records its generation time, sets its life cycle and sets an authentication state indicating whether authentication has already been performed. After receiving the second dynamic password, the authentication server judges from the generation time and life cycle whether the first dynamic password has expired, and judges from its authentication state whether authentication has already been performed; if the first dynamic password is determined to have expired, or authentication has already been performed with it, the authentication fails; otherwise the server judges whether the first dynamic password is identical to the second dynamic password, and if so the authentication succeeds. Setting a life cycle and an authentication state for the dynamic password further improves the security of dynamic password authentication. Depending on the application scenario, only the life cycle of the dynamic password may be set, or only its authentication state, to improve the security of dynamic password authentication.
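The server-side record and check order described in this preferred embodiment (expiry from generation time and life cycle, then the authentication state, then the comparison), as an added example that is not code from the patent. The class and function names are this example's own; a per-group addition rule stands in for whatever algorithm the user registered, and the CSPRNG and constant-time comparison are this example's choices.

```python
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass


def sum_of_triples(sequence: str) -> str:
    """Stand-in user-defined algorithm: add each group of three digits and
    concatenate the sums in order (assumption, not the patent's fixed rule)."""
    return "".join(str(sum(int(c) for c in sequence[i:i + 3]))
                   for i in range(0, len(sequence), 3))


@dataclass
class PasswordRecord:
    """What the authentication server saves locally for one request."""
    sequence: str
    first_password: str
    generated_at: float          # generation time, in seconds
    lifetime: float              # life cycle, in seconds
    authenticated: bool = False  # authentication state


class AuthServer:
    """Hypothetical authentication server keeping one pending record per user."""

    def __init__(self, lifetime: float = 60.0):
        self.lifetime = lifetime
        self.records: dict[str, PasswordRecord] = {}

    def issue_sequence(self, user_id: str, now: float, length: int = 27) -> str:
        """Steps 101/102: generate a fresh random digit sequence, compute and
        store the first dynamic password with its times and state, and return
        the sequence that would be sent to the user (never the password)."""
        sequence = "".join(str(secrets.randbelow(10)) for _ in range(length))
        self.records[user_id] = PasswordRecord(
            sequence, sum_of_triples(sequence), now, self.lifetime)
        return sequence

    def verify(self, user_id: str, second_password: str, now: float) -> str:
        """Step 103 with the preferred checks, in the order the page gives:
        expired first password -> fail; already authenticated -> fail;
        otherwise compare, and mark the record used on success."""
        rec = self.records.get(user_id)
        if rec is None:
            return "fail: no pending request"
        if now - rec.generated_at > rec.lifetime:
            return "fail: expired"
        if rec.authenticated:
            return "fail: already authenticated"
        # compare_digest avoids leaking match length through timing.
        if not hmac.compare_digest(rec.first_password, second_password):
            return "fail: mismatch"
        rec.authenticated = True
        return "success"
```

A failed comparison leaves the record unchanged, so the same first dynamic password can still be used once within its life cycle; a successful one flips the authentication state so a replay is rejected even while the password is still unexpired.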
As shown in Fig. 2, the flow of the security authentication method of the present invention is explained in detail below through a specific embodiment, as follows:
Step 201: the user registers through the registration interface provided by the authentication server; the registered content comprises a user ID, a PIN, a user-defined algorithm and a mobile terminal identifier.
The user ID, PIN and mobile terminal identifier are optional registration content. Depending on the application, when users are not restricted to registered users, there is no need to register a user ID and PIN; and when the digit sequence only needs to be sent to the authentication agent, there is no need to register the user's mobile terminal identifier.
The user may set the algorithm registered at the authentication server according to personal preference. The user-defined algorithm is entered in encrypted data form, and the authentication server uses it to compute the first dynamic password from the generated digit sequence. Entry in encrypted data form can be implemented in several ways: for example, the user-defined algorithm may be encrypted with the Data Encryption Standard (DES) algorithm, with triple DES (3DES), or with a symmetric key encryption algorithm. Entering the user-defined algorithm in encrypted form ensures that only the user knows the algorithm they have set, which guarantees the security of generating the dynamic password. For example, the user-defined algorithm may add every three adjacent digits in the digit sequence and arrange all the sums in order to obtain the first dynamic password; or it may multiply every three adjacent digits in the digit sequence and arrange all the products in order to obtain the first dynamic password. In practice, the user-defined algorithm may use a single operation or a mixed operation composed of several operations.
In practice, the user-defined algorithm may first divide the generated digit sequence into groups, compute each group separately, and then arrange the results of the groups in order to obtain the first dynamic password. For example, the digit sequence has length 27, and the user-defined algorithm divides it into 9 groups of 3 digits, adds the 3 digits of each group, and arranges the results in order to obtain the first dynamic password. Suppose the digit sequence to be divided is 123223332101275234278382230; adding the digits in each group gives 1+2+3=6, 2+2+3=7, 3+3+2=8, 1+0+1=2, 2+7+5=14, 2+3+4=9, 2+7+8=17, 3+8+2=13, 2+3+0=5, so the corresponding first dynamic password is 678214917135. Similarly, if the user-defined algorithm divides the digit sequence into 9 groups of 3 digits, subtracts the 3 digits of each group and arranges the results in order, then subtracting the digits in each group of 123223332101275234278382230 gives -4, -3, -2, 0, -10, -5, -13, -7, -1, and the corresponding first dynamic password is -4-3-20-10-5-13-7-1. If the 3 digits of each group are multiplied, then multiplying the digits in each group of 123223332101275234278382230 gives 1×2×3=6, 2×2×3=12, 3×3×2=18, 1×0×1=0, 2×7×5=70, 2×3×4=24, 2×7×8=112, 3×8×2=48, 2×3×0=0, and the corresponding first dynamic password is 6121807024112480. If the first and second digit of each group are multiplied and the third digit is then added, the first dynamic password corresponding to 123223332101275234278382230 is 57111191022266.
In practice, when registering at the authentication server the algorithm to be used for authentication according to personal preference, the user may also specify that, after the digit sequence has been computed, the data at predetermined positions in the result are selected and used as the first dynamic password. For example, if the data obtained by addition is 678214917135, the first 6 digits may be taken as the first dynamic password as agreed, or alternatively the last 6 digits. The present embodiment merely illustrates the user-defined algorithm and the way the dynamic password is obtained; other dynamic password generation methods that can be applied to the present invention are also covered by it.
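The four grouped user-defined algorithms and the position-based truncation just described, applied to the page's 27-digit sample sequence, as an added example that is not code from the patent. The operation names, `group_digits`, `derive_password` and `truncate` are this example's own.

```python
from __future__ import annotations
from functools import reduce
from operator import mul

# Sample sequence taken from the page's worked example.
SEQUENCE = "123223332101275234278382230"


def group_digits(sequence: str, size: int = 3) -> list[list[int]]:
    """Split a digit string into consecutive groups of `size` digits."""
    if not sequence.isdigit() or len(sequence) % size:
        raise ValueError("sequence must be decimal digits in whole groups")
    return [[int(c) for c in sequence[i:i + size]]
            for i in range(0, len(sequence), size)]


# The per-group operations described on the page, each mapping a group of
# three digits [a, b, c] to one integer result.
OPERATIONS = {
    "add":      lambda g: sum(g),                 # a + b + c
    "subtract": lambda g: g[0] - g[1] - g[2],     # a - b - c
    "multiply": lambda g: reduce(mul, g, 1),      # a * b * c
    "mul_add":  lambda g: g[0] * g[1] + g[2],     # a * b, then + c
}


def derive_password(sequence: str, operation: str, size: int = 3) -> str:
    """Apply the chosen operation to each group and concatenate the results
    in order; negative results keep their sign, as in the page's example."""
    op = OPERATIONS[operation]
    return "".join(str(op(g)) for g in group_digits(sequence, size))


def truncate(password: str, count: int, position: str = "front") -> str:
    """Optional agreed final step: keep the first or last `count` characters."""
    if position not in ("front", "back"):
        raise ValueError("position must be 'front' or 'back'")
    return password[:count] if position == "front" else password[-count:]
```

Because results of different lengths are concatenated without separators, the password length varies with the sequence; the truncation step is what gives a fixed-length value.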
In the present embodiment, the mobile terminal identifier is the user's phone number. When the user uses another kind of terminal device, a terminal device identifier that uniquely identifies that device can be registered with the authentication server, and the authentication server sends the digit sequence to the terminal device according to this identifier. For example, when the user's terminal device is a computer, the terminal device identifier may be the IP address of the terminal device.
Step 202: the user initiates an authentication request through the authentication proxy; the authentication request contains at least the user ID and the PIN.
Step 203: the authentication proxy forwards the user's authentication request to the authentication server.
Step 204: the authentication server receives the user's authentication request and compares the user ID and PIN carried in the request with the user ID and PIN that the user registered and that are stored locally. If they match, it generates the digit sequence used to calculate the dynamic password, calculates the first dynamic password from this digit sequence according to the algorithm the user registered, and stores it in the local database. Because the user ID and PIN carried in the authentication request are matched against those the user registered with the authentication server, the digit sequence is generated only after the user's identity has been confirmed as legitimate, which further improves the security of the authentication process.
Preferably, when the digit sequence is generated and the first dynamic password calculated from it is saved to the local database, the generation time, lifetime and corresponding authentication state of the first dynamic password are saved with it.
Step 205: the authentication server generates a short message carrying the digit sequence, addressed according to the mobile terminal identifier the user registered, and sends it to the short message service center.
Step 206: the short message service center delivers the short message carrying the digit sequence to the user's mobile terminal.
After the mobile terminal receives the short message carrying the digit sequence, the user calculates the second dynamic password from the digit sequence in the message, using the algorithm registered with the authentication server.
For example, if the algorithm the user registered with the authentication server adds the digits of each group in the digit sequence, then after the user's mobile terminal receives the short message the user applies that registered algorithm to the digit sequence carried in the message, that is, adds the digits of each group, to obtain the second dynamic password.
If, when registering with the authentication server, the user specified a way of selecting the dynamic password from the calculated result, then after processing the digit sequence with the registered algorithm the user selects the data at the predetermined position in the result, according to the selection rule set at registration, to obtain the second dynamic password. For example, if the selection rule is to take the first 6 digits of the result as the second dynamic password, the second dynamic password is obtained by calculating the result and then selecting from it according to this rule.
Step 207: the user enters into the authentication proxy the second dynamic password calculated from the digit sequence carried in the short message.
Step 208: the authentication proxy sends the second dynamic password entered by the user to the authentication server.
Preferably, after obtaining the second dynamic password entered by the user, the authentication proxy encrypts it before sending it to the authentication server. For example, after receiving the second dynamic password entered by the user, the authentication proxy calculates a cryptographic hash of the second dynamic password and sends the calculated hash to the authentication server in encrypted form. Correspondingly, when the authentication proxy sends the second dynamic password in encrypted form, the authentication server decrypts it in the corresponding way; in practice it is sufficient for the authentication proxy and the authentication server to agree on the encryption and decryption scheme between themselves.
In practice, the encryption scheme the authentication proxy uses to send the second dynamic password, and the corresponding decryption scheme of the authentication server, can be set in advance by the user.
Step 209: the authentication server receives the second dynamic password, compares it with the locally stored first dynamic password to obtain the authentication result, and sends the authentication result to the authentication proxy.
Preferably, when the authentication server receives the hash of the second dynamic password that the authentication proxy sent in encrypted form, it decrypts it in the corresponding way, calculates the hash of the first dynamic password, and then compares the hash of the second dynamic password with the hash of the first dynamic password in order to authenticate the user.
In the present embodiment, when the authentication server receives the second dynamic password it may also retrieve the locally stored generation time, lifetime and authentication state of the first dynamic password. If the generation time and lifetime show that the first dynamic password has expired, or the authentication state shows that authentication has already been performed with the first dynamic password (the first dynamic password has become invalid), the present authentication fails; otherwise the second dynamic password is compared with the first dynamic password, and if they are identical the authentication succeeds, otherwise it fails.
In the present embodiment, after authentication the authentication state of the first dynamic password is updated according to the authentication result; for example, when authentication succeeds the state of the first dynamic password is changed to invalid.
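Steps 204 to 209 above, together with the preferred variants (generation time, lifetime and authentication state stored with the first dynamic password; comparison of hashes rather than of the bare password; the first password marked invalid after a successful authentication), as an added Python example that is not the patent's own code. The names `AuthServer`, `group_sum` and `otp_digest`, the in-memory stores, the injectable clock, SHA-256 as the hash, the `secrets` module for generating the sequence and the constant-time `hmac.compare_digest` are all assumptions of this example; the encrypted channel between proxy and server that the page mentions is left out, and the proxy is represented only by the hash it would submit.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Added example (not the patent's code): a minimal authentication server that
# follows steps 204-209 of the page, storing generation time, lifetime and
# authentication state beside the first dynamic password and comparing hashes.


def group_sum(sequence: str) -> str:
    """Constructed user-side algorithm: add the digits of each group of three."""
    return "".join(str(sum(int(d) for d in sequence[i:i + 3]))
                   for i in range(0, len(sequence), 3))


def otp_digest(otp: str) -> str:
    """Hash submitted by the authentication proxy.  The page only says
    'cryptographic hash'; SHA-256 is this example's assumption."""
    return hashlib.sha256(otp.encode()).hexdigest()


@dataclass
class Registration:
    pin: str                          # stored in clear only to keep the example short
    algorithm: Callable[[str], str]   # agreed at registration, never sent over the air
    terminal_id: str                  # phone number the short message is addressed to


@dataclass
class PendingPassword:
    first_otp: str
    generated_at: float
    lifetime: float
    state: str = "unauthenticated"    # becomes "invalid" after a successful authentication


class AuthServer:
    def __init__(self, seq_len: int = 27, lifetime: float = 60.0,
                 now: Callable[[], float] = time.time):
        self.users = {}               # user_id -> Registration
        self.pending = {}             # user_id -> PendingPassword (the local database)
        self.seq_len = seq_len
        self.lifetime = lifetime
        self.now = now                # injectable clock so expiry can be exercised
        self.outbox = []              # (terminal_id, sequence); stands in for the SMS center

    def register(self, user_id: str, pin: str,
                 algorithm: Callable[[str], str], terminal_id: str) -> None:
        self.users[user_id] = Registration(pin, algorithm, terminal_id)

    def request_authentication(self, user_id: str, pin: str) -> Optional[str]:
        """Steps 204-205: check ID and PIN, then generate and 'send' the digit
        sequence.  Returns the sequence the short message carries, or None."""
        reg = self.users.get(user_id)
        if reg is None or not hmac.compare_digest(reg.pin, pin):
            return None               # no sequence is generated for an unverified identity
        sequence = "".join(str(secrets.randbelow(10)) for _ in range(self.seq_len))
        self.pending[user_id] = PendingPassword(reg.algorithm(sequence),
                                                self.now(), self.lifetime)
        self.outbox.append((reg.terminal_id, sequence))
        return sequence

    def verify(self, user_id: str, second_otp_digest: str) -> bool:
        """Step 209 with the page's expiry and state checks, comparing hashes."""
        pending = self.pending.get(user_id)
        if pending is None:
            return False
        if self.now() - pending.generated_at > pending.lifetime:
            return False              # first dynamic password has expired
        if pending.state != "unauthenticated":
            return False              # already consumed by an earlier authentication
        ok = hmac.compare_digest(otp_digest(pending.first_otp), second_otp_digest)
        if ok:
            pending.state = "invalid"  # page: on success, mark the first password invalid
        return ok


if __name__ == "__main__":
    server = AuthServer()
    server.register("alice", "1234", group_sum, "+00 000 0000 (constructed)")
    seq = server.request_authentication("alice", "1234")
    print("short message carries:", seq)
    second = group_sum(seq)           # computed by the user, never sent by the server
    print("authenticated:", server.verify("alice", otp_digest(second)))
```

The outbox is the only place the digit sequence leaves the server, and the dynamic password itself never crosses the network in clear, which is the property the patent is after. A deployment would store a hash of the PIN rather than the PIN, and would bound the number of verification attempts per pending password, since the page's expiry and single-use checks alone do not limit guessing within the lifetime.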
Based on the above principle, and as shown in Figure 3, an embodiment of the invention also provides a dynamic password authentication system. Since this authentication system rests on the same technical principle as the authentication method described above, the details can be found in the description of the method and are not repeated here. The authentication system mainly comprises an authentication proxy 301 and an authentication server 302, wherein
the authentication proxy 301 is used to send the user's authentication request to the authentication server 302, to receive the authentication result returned by the authentication server 302, and to receive the second dynamic password entered by the user and send it to the authentication server 302;
the authentication server 302 is used to receive the user's authentication request, generate a digit sequence according to the authentication request, calculate the first dynamic password from the digit sequence according to the algorithm set by the user, send the digit sequence to the user, receive the second dynamic password that the user calculated from the digit sequence and sent through the authentication proxy 301, and compare the second dynamic password with the first dynamic password; if they are identical the authentication succeeds, otherwise it fails.
Alternatively, the authentication server 302 is also used to send the digit sequence to the authentication proxy 301, and the user obtains the digit sequence from the authentication proxy 301.
Preferably, the authentication system also comprises the user's mobile terminal 303 and a short message service center 304: the authentication server 302 sends the digit sequence to the short message service center 304; the short message service center 304 sends the digit sequence to the mobile terminal 303; and the mobile terminal 303 receives the digit sequence sent by the authentication server 302 and presents it to the user. Specifically, the authentication server 302 carries the digit sequence in a short message sent to the short message service center 304, and the short message service center 304 sends the short message carrying the digit sequence to the mobile terminal 303.
In another specific embodiment of the invention, the dynamic password authentication system shown in Figure 3 is modified to obtain the dynamic password authentication system shown in Figure 4, which mainly comprises an authentication proxy 401, an authentication server 402, a message center 403 and a terminal device 404, wherein
the authentication proxy 401 is used to send the user's authentication request to the authentication server and to receive the authentication result returned by the authentication server;
the authentication server 402 is used to receive the user's authentication request, generate a digit sequence according to the authentication request, calculate the first dynamic password from the digit sequence according to the algorithm set by the user, send the digit sequence to the user, receive the second dynamic password that the user calculated from the digit sequence and sent through the message center 403, and compare the second dynamic password with the first dynamic password; if they are identical the authentication succeeds, otherwise it fails;
the message center 403 is used to receive the second dynamic password sent by the user's terminal device 404 and forward it to the authentication server 402;
the terminal device 404 is used to obtain the second dynamic password entered by the user and send it to the message center 403.
In particular, when the authentication server sends the digit sequence to the user, the authentication server 402 may send it to the user through the authentication proxy 401; alternatively, the authentication server 402 may send the digit sequence to the message center 403, which sends it on to the terminal device 404 to present to the user.
The terminal device is preferably a mobile terminal, but may also be another terminal device with network communication capability. When it is a mobile terminal, the corresponding message center is a short message service center; when it is another terminal device with network communication capability, the corresponding message center is a server.
As shown in Figure 5, an embodiment of the invention also provides a dynamic password authentication device, which mainly comprises the following processing units:
a first processing unit 501, for receiving the user's authentication request, generating a digit sequence according to the authentication request, and calculating the first dynamic password from the digit sequence according to the algorithm set by the user;
a second processing unit 502, for sending the digit sequence to the user;
a third processing unit 503, for receiving the second dynamic password that the user calculated from the digit sequence, and comparing the second dynamic password with the first dynamic password; if they are identical the authentication succeeds, otherwise it fails.
In practice, the dynamic password authentication device provided by the embodiment of the invention is usually implemented as the authentication server; for its implementation, see the description of the specific embodiment of the dynamic password authentication system above, which is not repeated here.
Thus, according to the above embodiments of the invention, after a user's authentication request is received a digit sequence is generated according to the request, the first dynamic password is calculated from the digit sequence according to the algorithm set by the user, the digit sequence is sent to the user, the second dynamic password that the user calculates from the digit sequence is received, and the second dynamic password is compared with the first dynamic password to authenticate the user's request. This avoids the security risk that comes with transmitting the dynamic password directly and improves the security of delivering the dynamic password; and because the user calculates the second dynamic password from the digit sequence, the security risk of storing the user's algorithm on a hardware device is also avoided, so the dynamic password can be prevented from being illegally obtained or intercepted and the security of dynamic password authentication is improved. In addition, sending the digit sequence to the user as a short message to the user's mobile terminal avoids the high cost of hardware dynamic password tokens, which not only reduces the cost of implementing the technical solution of the invention but also preserves the security of dynamic password authentication.
The operating steps described above are presented as a number of discrete operations performed in sequence, which helps in understanding the embodiments of the invention; however, the order of description should not be construed as meaning that these operations depend on that order. Moreover, the operating steps in each embodiment described above may be implemented in hardware, in software, or in a combination of hardware and software. When the above embodiments are implemented in software, the software instructions may be stored in a storage medium so that a processor, programmable logic device, DSP or the like executes the steps of the embodiments described above.
The invention has been shown and described in detail above with reference to the drawings and preferred embodiments; however, the invention is not limited to the embodiments disclosed, and other schemes that a person skilled in the art derives from them also fall within the scope of protection of the invention. The scope of protection of the invention should therefore be defined by the appended claims.

Claims (17)

1. A dynamic password authentication method, comprising the steps of:
receiving a user's authentication request, generating a digit sequence according to the authentication request, and calculating a first dynamic password from the digit sequence according to an algorithm set by the user;
sending the digit sequence to the user;
receiving a second dynamic password that the user calculated from the digit sequence, and comparing the second dynamic password with the first dynamic password, wherein if they are identical the authentication succeeds, otherwise the authentication fails.
2. the method for claim 1 is characterized in that, described reception user's authentication request comprises:
Receive the described authentication request that described user sends by authentication proxy;
Described Serial No. is sent to described user, comprising:
Described Serial No. is sent to described authentication proxy, obtain described Serial No. by described user from described authentication proxy;
Receive described user self and calculate acquisition the second dynamic password based on described Serial No., comprising:
Receive described the second dynamic password that described user sends by described authentication proxy.
3. the method for claim 1 is characterized in that, described reception user's authentication request comprises:
Receive the described authentication request that described user sends by authentication proxy;
Described Serial No. is sent to described user, comprising:
Described Serial No. is sent to short message service center, by described short message service center described Serial No. is sent to described user's portable terminal, by described user from the described Serial No. of described acquisition for mobile terminal;
Receive described user self and calculate the second dynamic password that obtains based on described Serial No., comprising:
Receive the second dynamic password that described user sends by short message service center or described authentication proxy.
4. The method of claim 3, characterized in that sending the digit sequence to the user comprises:
carrying the digit sequence in a short message sent to the short message service center, the short message service center sending the short message carrying the digit sequence to the user's mobile terminal.
5. The method of any one of claims 1 to 4, characterized in that the authentication request carries a user ID and a PIN;
before receiving the user's authentication request, the method further comprises:
registering the user's user ID and PIN, the user ID and PIN being used to verify the user's legitimate identity; and
after receiving the user's authentication request, the method further comprises:
comparing the user ID and PIN carried in the authentication request with the user ID and PIN registered by the user, and if they match, generating the digit sequence used to calculate the dynamic password according to the authentication request.
6. The method of any one of claims 1 to 4, characterized in that calculating the first dynamic password from the digit sequence according to the algorithm set by the user comprises:
processing the digit sequence with the algorithm set by the user to obtain the first dynamic password, and obtaining the generation time and lifetime of the first dynamic password and an authentication state indicating whether it has already been used for authentication.
7. The method of claim 6, characterized in that receiving the second dynamic password that the user calculated from the digit sequence and comparing the second dynamic password with the first dynamic password comprises:
receiving the second dynamic password that the user calculated from the digit sequence, and obtaining the generation time, lifetime and authentication state corresponding to the first dynamic password; if the generation time and lifetime corresponding to the first dynamic password show that it has expired, or the authentication state shows that authentication has already been performed with the first dynamic password, the present authentication fails;
otherwise, comparing the second dynamic password with the first dynamic password, wherein if they are identical the authentication succeeds.
8. A dynamic password authentication device, comprising:
a first processing unit, for receiving a user's authentication request, generating a digit sequence according to the authentication request, and calculating a first dynamic password from the digit sequence according to an algorithm set by the user;
a second processing unit, for sending the digit sequence to the user; and
a third processing unit, for receiving a second dynamic password that the user calculated from the digit sequence, and comparing the second dynamic password with the first dynamic password, wherein if they are identical the authentication succeeds, otherwise the authentication fails.
9. The device of claim 8, characterized in that the first processing unit is specifically used to receive the authentication request sent by the user through an authentication proxy;
the second processing unit is specifically used to send the digit sequence to the authentication proxy, the user obtaining the digit sequence from the authentication proxy; and
the third processing unit is specifically used to receive the second dynamic password sent by the user through the authentication proxy.
10. The device of claim 8, characterized in that the first processing unit is specifically used to receive the authentication request sent by the user through an authentication proxy;
the second processing unit is specifically used to send the digit sequence to a short message service center, the short message service center sending the digit sequence to the user's mobile terminal and the user obtaining the digit sequence from the mobile terminal; and
the third processing unit is specifically used to receive the second dynamic password sent by the user through the short message service center or the authentication proxy.
11. The device of claim 10, characterized in that the second processing unit is specifically used to carry the digit sequence in a short message sent to the short message service center, the short message service center sending the short message carrying the digit sequence to the user's mobile terminal.
12. The device of any one of claims 8 to 11, characterized in that the authentication request carries a user ID and a PIN;
the first processing unit is also used to register the user's user ID and PIN before receiving the user's authentication request, the user ID and PIN being used to verify the user's legitimate identity; and
the first processing unit is also used, after receiving the user's authentication request, to compare the user ID and PIN carried in the authentication request with the user ID and PIN registered by the user, and if they match, to generate the digit sequence used to calculate the dynamic password according to the authentication request.
13. The device of any one of claims 8 to 11, characterized in that the first processing unit is also used, when calculating the first dynamic password from the digit sequence according to the algorithm set by the user, to process the digit sequence with the algorithm set by the user to obtain the first dynamic password, and to obtain the generation time and lifetime of the first dynamic password and an authentication state indicating whether it has already been used for authentication.
14. The device of claim 13, characterized in that the third processing unit is specifically used to:
receive the second dynamic password that the user calculated from the digit sequence, and obtain the generation time, lifetime and authentication state corresponding to the first dynamic password; if the generation time and lifetime corresponding to the first dynamic password show that it has expired, or the authentication state shows that authentication has already been performed with the first dynamic password, the present authentication fails;
otherwise, compare the second dynamic password with the first dynamic password, wherein if they are identical the authentication succeeds.
15. A dynamic password authentication system, comprising:
an authentication proxy, for sending a user's authentication request to an authentication server and receiving the authentication result returned by the authentication server, and for receiving a second dynamic password entered by the user and sending it to the authentication server; and
an authentication server, for receiving the user's authentication request, generating a digit sequence according to the authentication request, calculating a first dynamic password from the digit sequence according to an algorithm set by the user, sending the digit sequence to the user, receiving the second dynamic password that the user calculated from the digit sequence and sent through the authentication proxy, and comparing the second dynamic password with the first dynamic password, wherein if they are identical the authentication succeeds, otherwise the authentication fails.
16. The system of claim 15, characterized in that it further comprises a short message service center and the user's mobile terminal;
the authentication server is further used to send the digit sequence to the short message service center;
the short message service center is used to send the digit sequence to the user's mobile terminal; and
the user's mobile terminal is used to receive the digit sequence sent by the authentication server through the short message service center and present it to the user.
17. The system of claim 16, characterized in that the authentication server is specifically used to carry the digit sequence in a short message sent to the short message service center; and
the short message service center is specifically used to send the short message carrying the digit sequence to the user's mobile terminal.
Application CN2012100965848A (priority date 2012-04-01, filing date 2012-04-01): Method, device and system for dynamic password authentication. Status: pending. Published as CN103368918A (en) on 2013-10-23.

Family ID: 49369468


Citations (3)

* Cited by examiner, † Cited by third party

CN1937498A * (priority 2006-10-09, published 2007-03-28), 网之易信息技术(北京)有限公司: Dynamic cipher authentication method, system and device
CN101640591A * (priority 2008-07-31, published 2010-02-03), 西门子(中国)有限公司: Authentication method
CN102387016A * (priority 2010-08-26, published 2012-03-21), 西门子公司: Authentication method, device and system



Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C02   Deemed withdrawal of patent application after publication (patent law 2001)
WD01  Invention patent application deemed withdrawn after publication

Application publication date: 2013-10-23