CN103795724A - Method for protecting account security based on asynchronous dynamic password technology - Google Patents


Info

Publication number: CN103795724A
Authority: CN (China)
Prior art keywords: user, certificate server, challenge code, dynamic password, address
Legal status: Granted (active)
Application number: CN201410044761.7A
Other languages: Chinese (zh)
Other versions: CN103795724B (en)
Inventor: 陈珂
Current Assignee: Individual
Original Assignee: Individual
Application filed by: Individual

Abstract

The invention provides a method for protecting account security based on an asynchronous dynamic password technology. The method is characterized by the following steps: the user and the service provider agree on the encryption mode of the challenge code and the calculation formula of the dynamic code; after the user's log-in request is verified successfully, the authentication server generates challenge code A, challenge code B and dynamic code C, where challenge code B is obtained by encrypting challenge code A and dynamic code C is obtained by applying the calculation formula to challenge code A; the authentication server sends a feedback message containing challenge code B to the user's mobile phone; the user decrypts challenge code B according to the agreed encryption mode and substitutes the result into the calculation formula to obtain dynamic code D; the user enters dynamic code D and the account name in the log-in interface on the client side to log in. The system is highly reliable, the challenge codes and other information are transmitted with a high degree of secrecy, leakage of the user's code information is effectively avoided, and user operation is safe and reliable.

Description

Method for protecting account security based on asynchronous dynamic password technology
Technical field
The present invention relates to an operational application technology combining SMS transmission with computer databases, specifically a method for protecting account security based on asynchronous dynamic password technology.
Background technology
At present, known mobile phone dynamic password and asynchronous dynamic password technologies mainly take the following forms:
First, asynchronous dynamic password technology, also called the challenge/response mode. As the name suggests, in an identity authentication system based on challenge/response the authentication server sends a different "challenge" string to the client on every authentication; after receiving this "challenge" string, the client program produces the corresponding "response", and systems are developed on this mechanism. The verification steps are: 1. enter the application login interface and input the account name and static password to obtain the challenge code; 2. input the challenge code on the dynamic password token to obtain the dynamic password; 3. enter the dynamic password displayed on the token in the dynamic password input box; 4. the authentication server verifies the user information and the correctness of the dynamic password submitted by the user; 5. the authentication server feeds the authentication result back to the application server or application program, completing user authentication. Its defects are: every login requires the user to send a request to the authentication server from the login interface, where authentication is performed, usually also by account name and static password; after that authentication passes, the authentication server sends the "challenge" string to the client in plaintext without any protective measure, so under a phishing-website fraud attack the account name and static password are already in an insecure state and the dynamic password can still be stolen by the phishing website. In addition, the token that generates the dynamic password is supplied to the user by the service provider, and the algorithm used to compute the login dynamic password is built into the hardware (the token), so the user cannot learn the algorithm, let alone change it at will.
Second, the SMS dynamic password authentication mode. It consists of the user's mobile phone, an authentication server, a management workstation and an SMS gateway; the management workstation is responsible for user registration and for binding and unbinding the mobile phone number. When the user logs in, the user first enters and sends the static password in the client; after the authentication server verifies the static password sent by the user, it sends one group of dynamic password in plaintext by SMS to the mobile phone bound to the account name; the user then uses the received dynamic password to perform login authentication in the client; once it passes, the dynamic password expires and the user is logged in. Its advantages are: simple to operate, nothing to memorise, and easy to deploy given the high penetration of mobile phones. Its defects are: the dynamic password is sent in plaintext and has no confidentiality; it cannot defend against attackers using phishing websites to defraud users; it cannot defend against attackers using mobile phone Trojans such as "Stealthy Robber" to intercept and forward the dynamic password the user needs for login; and it cannot defend against a SIM card reissue attack (the "mending card attack"), in which the attacker uses the user's personal data obtained in advance to maliciously report the user's SIM card lost and have it reissued, thereby obtaining the user's dynamic password by deception.
"Stealthy Robber" is a mobile phone Trojan which, once running, intercepts the user's SMS messages and forwards them all to the attacker's phone as SMS before releasing them; only after release does the user see the SMS notification, that is, the Trojan sees the message content earlier than the phone's owner. According to another analysis, "Stealthy Robber" can delete specific messages: for example, while the attacker is stealing the victim's online banking account, the SMS verification code is deleted by the Trojan directly, the victim never sees it, and so cannot discover at the first moment that someone is stealing the online banking account.
Third, the SMS mode sending two groups of dynamic password plus an identification code.
It consists of the user's mobile phone, an authentication server, a management workstation and an SMS gateway; the management workstation is responsible for user registration and for binding and unbinding the mobile phone number. When the user logs in, an activation-code SMS bound to both the phone number and the account name is sent to the authentication server; after verification, the authentication server sends two groups of dynamic password plus an identification code to the user's mobile phone by SMS, all in plaintext. The user first logs in at the client with the first group of dynamic password, then checks whether the identification code displayed on the login interface is identical to the identification code previously sent to their own phone; after the user's identification passes, the user enters and sends the second group of dynamic password, and after verification the login succeeds. Its advantages are: simple to operate and easy for users to learn; because the activation code is sent from the mobile phone bound to the account name, an attacker cannot steal the account without the user noticing; and it is easy to deploy given the high penetration of mobile phones. Its defects are: the dynamic passwords are sent in plaintext and have no confidentiality; the identification code is sent in plaintext before the user logs in, which gives the attacker time to place the identification code on a phishing website, so the user cannot effectively judge whether the server side is genuine; and it cannot defend against attackers using mobile phone Trojans such as "Stealthy Robber" to intercept and forward the dynamic password the user needs for login in order to break into the user's account.
None of the above methods can defend against SIM reissue attacks and account-stealing Trojans, nor against attackers using phishing websites to defraud users, so the security of the account cannot be protected. Attackers use various means to counterfeit the URL address and page content of the genuine website, or exploit vulnerabilities in the genuine website's server program to insert dangerous HTML code into some of its pages, tricking users into giving up private data such as account name and password, and then, within an extremely short time, log in to the genuine website with the user's account name and password and steal the user's property.
Summary of the invention
In view of the shortcomings of the above password protection technologies, the invention provides a method for protecting account security based on asynchronous dynamic password technology. Its system reliability is high; verification information such as the challenge code is transmitted with a high degree of secrecy; leakage of the user's password information is effectively avoided; SIM reissue attacks and account-stealing Trojan viruses are effectively defended against, as are fraud attacks carried out by phishing websites against users; and user operation is safe and reliable.
Its technical scheme is as follows:
The method comprises the following steps: (1) registration; (2) the user sends a login request; (3) the server side verifies the login request; (4) the server side sends feedback; (5) the user performs identification; (6) the user logs in; (7) the server side verifies. It is characterised in that: in step (1) the user and the service provider agree on the encryption mode of the challenge code and the calculation formula of the dynamic password, and the encryption mode and the calculation formula are stored in the database of the authentication server; in step (3), after the login request of step (2) has been verified successfully, the authentication server generates challenge code A, challenge code B and dynamic password C and stores challenge code A, challenge code B and dynamic password C in its database, where challenge code B is obtained by encrypting challenge code A with the agreed encryption mode and dynamic password C is obtained by applying the agreed calculation formula to challenge code A; in step (4) the authentication server sends the user's mobile phone a feedback SMS containing challenge code B; in step (6) the user decrypts challenge code B according to the encryption mode, substitutes the result into the calculation formula to obtain dynamic password D, and enters the account name and dynamic password D in the client login interface; in step (7) the authentication server compares dynamic password C with dynamic password D for verification.
It is further characterized in that:
The login request in step (2) comprises the user sending an authentication request SMS to the authentication server. In step (3), after receiving the user's authentication request SMS, the authentication server verifies the user's phone number and also verifies the number of times the calculation formula has been used; for this the authentication server is provided with a counter that records the number of uses of the calculation formula. Each time the authentication server generates dynamic password C in step (3), the counter value is increased by 1. When the counter value exceeds the threshold on the number of uses of the calculation formula agreed between the user and the service provider in step (1), the calculation formula becomes invalid immediately and the authentication server refuses the user's login request;
The authentication request SMS in step (2) contains the client's current public network IP address; in step (3) the authentication server stores the IP address from the authentication request SMS in its database; the content of the feedback SMS in step (4) also contains the IP address stored in the database in step (3); in step (5), on receiving the feedback SMS, the user first compares the IP address in the feedback SMS with the IP address in the authentication request SMS they themselves sent, and only if the two are identical may the user perform the login operation of step (6). Several digits of the IP address in the feedback SMS are hidden by the server side;
The server-side verification in step (7) comprises the following steps, performed in sequence: identifying the identity of the login party, verifying the login time, and verifying the user's password;
Identifying the identity of the login party comprises the authentication server comparing the IP address from which the user logs in with the IP address submitted in the authentication request SMS of step (2), to verify whether the person sending the password from the client is the user; if not, step (7) is aborted;
When the authentication server judges that the login party is not the user, in addition to aborting step (7), it sends an SMS containing the login party's IP address, via the SMS platform, to the safe mobile phone number bound in step (1) and/or sends an e-mail containing the login party's IP address to the safe e-mail address bound in step (1), warning the user that an attacker is breaking into the account;
In step (1) the user and the service provider set a validity period for the dynamic password, and the authentication server is provided with a timer that records this validity period. Verifying the login time comprises the authentication server checking whether the time at which the client entered the dynamic password lies within the validity period; if it has timed out, the client login interface informs the user that the login failed, and at the same time dynamic password C kept in the authentication server's database is invalidated immediately and the timer is reset;
After the user and the service provider re-agree the threshold, the encryption mode or the calculation formula, the counter value is reset;
The server side includes, but is not limited to, the authentication server, the management workstation, the SMS gateway, the SMS platform, the timer and the counter; the timer records the user's login time and the counter records the number of uses of the calculation formula; the server side is provided by the service provider.
It is further characterised in that it specifically comprises the following steps:
(1) Registration: the user submits binding information to the service provider, comprising an account name, a mobile phone number, the encryption mode of the challenge code, the validity period of the dynamic password, the calculation formula of the dynamic password and the threshold on the number of uses of the calculation formula, and a safe e-mail address and/or another safe mobile phone number. The encryption mode of the challenge code, the validity period of the dynamic password, the calculation formula of the dynamic password and the threshold on the number of its uses are agreed jointly by the user and the service provider, and can be recovered or modified through the safe e-mail address and/or the other safe mobile phone number. The management workstation verifies the account name, phone number, safe e-mail address and/or other safe mobile phone number submitted by the user. The calculation formula of the dynamic password is generated at random by the management workstation and chosen by the user in the client's registration interface; after successful registration the user is required to keep this calculation formula safe. The account name, phone number, encryption mode of the challenge code, validity period of the dynamic password, calculation formula of the dynamic password and threshold on the number of its uses, and the safe e-mail address and/or other safe mobile phone number are bound to one another and saved in the database of the authentication server;
(2) The user sends a login request: the user submits the client's current public network IP address to the SMS platform by SMS through the SMS gateway;
(3) The server side verifies the login request: after receiving the user's login request, the SMS platform extracts the IP address in the user's SMS and the user's phone number and passes them to the authentication server, which looks up the received phone number in its database. If the phone number in the user's login request matches the authentication server's records, the IP address sent by the user is correctly formatted, and the counter recording the number of uses of the calculation formula has not exceeded the threshold, verification passes: the authentication server generates a temporary challenge code A, substitutes challenge code A into the calculation formula agreed in step (1) to obtain dynamic password C, increases the counter of step (1) by 1, encrypts challenge code A according to the encryption mode of the challenge code to generate challenge code B, and saves the user's IP address, challenge code A, challenge code B and dynamic password C together in its database; it then hides several digits of the user's IP address received in step (2) and passes it to the SMS platform together with challenge code B. If the user's phone number does not match the information bound in the authentication server's database, or the IP address sent by the user is incorrectly formatted, verification fails and the authentication server passes a verification failure message to the SMS platform; if the counter recording the number of uses of the calculation formula exceeds the threshold, the calculation formula becomes invalid immediately, verification fails, and the authentication server passes a verification failure message to the SMS platform;
(4) Server-side feedback: after step (3) passes, the SMS platform sends challenge code B generated in step (3) and the IP address with several digits hidden to the user's mobile phone as a feedback SMS through the SMS gateway. Once sending is complete, challenge code A and challenge code B in the authentication server's database are invalidated immediately and the timer starts, its limit being the validity period of the dynamic password agreed between the user and the service provider in step (1). If step (3) did not pass, the SMS platform informs the user that verification failed;
(5) User identification: after receiving the SMS sent in step (4), the user first compares the non-hidden part of the IP address in the received SMS with the IP address they themselves sent in step (2). If the two differ, the user concludes that the SMS they sent was tampered with by an attacker and abandons the login; if they are identical, the user proceeds to the next step;
(6) User login: having passed the check of step (5), the user restores challenge code B obtained in step (4) to challenge code A according to the encryption mode of the challenge code, substitutes it into the calculation formula to obtain dynamic password D, and at login enters and sends the account name and dynamic password D in the system's client;
(7) Server-side verification, comprising the following steps performed in sequence:
Identifying the login party: after receiving the account name and dynamic password D sent by the user in step (6), the authentication server first extracts the IP address from which the client is connected to the server side and compares it with the IP address obtained in step (3) and kept in its database to check whether they are identical. If verification fails, the client login interface informs the user that the login failed; the user's IP address and dynamic password C kept in the authentication server's database are invalidated immediately and the timer is reset; at the same time an SMS containing the login party's IP address is sent via the SMS platform to the safe mobile phone number bound in step (1) and/or an e-mail containing the login party's IP address is sent to the safe e-mail address bound in step (1), warning the user that an attacker is breaking into the account. If verification passes, the user's IP address kept in the authentication server's database is invalidated immediately and the next step follows;
Verifying the login time: the authentication server extracts the time at which the client entered the dynamic password and checks whether it lies within the validity period. If it has timed out, the client login interface informs the user that the login failed, and dynamic password C kept in the authentication server's database is invalidated immediately and the timer is reset; if it lies within the validity period, verification passes, the timer is reset, and the next step follows;
Verifying the user's password: the authentication server checks the validity of the received account name and dynamic password D by comparing them with the account name and dynamic password C kept in the authentication server. If verification fails, the client login interface informs the user that the login failed and dynamic password C in the authentication server's database is invalidated immediately. If verification passes, the user logs in successfully; after the successful login, dynamic password C in the authentication server's database is invalidated immediately, and the user is shown the remaining number of uses of the calculation formula recorded by the counter of step (3). When the user re-agrees with the service provider the number of uses of the calculation formula or the encryption mode of the challenge code, or selects a new calculation formula, the counter value is reset;
(8) When the counter recording the number of uses of the calculation formula exceeds the threshold because of a user mistake, or when the user has forgotten the calculation formula agreed with the service provider in step (1), the user re-agrees a new threshold or calculation formula with the service provider through the safe e-mail address or the other safe mobile phone number submitted in step (1);
(9) When the user needs to log in to the system again, steps (2), (3), (4), (5), (6) and (7) are repeated.
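The following Python is an added illustration, not code from the patent: it simulates steps (1) to (7) end to end, with the server side generating A, B and C and masking the IP address, and the user side checking the visible IP part, decrypting B and computing D, followed by the three server-side checks of step (7) and the counter threshold. The patent leaves the encryption mode and the calculation formula to agreement between user and provider, so XOR with an agreed key and a linear formula modulo 10^6 are assumptions here, as are the 6-digit codes, masking the last IP octet, the injectable clock and all names (Binding, AuthServer, etc.).

```python
import hmac
import secrets
from dataclasses import dataclass, field

DIGITS = 6              # challenge codes and dynamic passwords are 6-digit numbers (assumed)
MOD = 10 ** DIGITS


@dataclass
class Binding:
    """Step (1): what the user and provider agree on and the server stores (assumed shape)."""
    account: str
    phone: str
    xor_key: int            # the agreed "encryption mode" is modelled as XOR with this key
    formula: tuple          # (a, b): dynamic password = (a * A + b) mod 10**DIGITS (assumed)
    validity_seconds: int   # validity period of the dynamic password
    max_uses: int           # threshold on the number of uses of the formula
    uses: int = 0           # counter of formula uses
    pending: dict = field(default_factory=dict)   # state kept between steps (3) and (7)


def apply_formula(challenge: int, params: tuple) -> int:
    a, b = params
    return (a * challenge + b) % MOD


def mask_ip(ip: str) -> str:
    """Step (3): the server hides several digits of the IP (here the whole last octet)."""
    octets = ip.split(".")
    return ".".join(octets[:3] + ["*" * len(octets[3])])


def visible_part_matches(sent_ip: str, masked_ip: str) -> bool:
    """Step (5): the user compares only the non-hidden part of the IP address."""
    pairs = zip(sent_ip.split("."), masked_ip.split("."))
    return all(m == "*" * len(m) or m == s for s, m in pairs)


def valid_ipv4(ip: str) -> bool:
    parts = ip.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


class AuthServer:
    def __init__(self, clock):
        self.db = {}            # phone number -> Binding
        self.clock = clock      # injectable time source so the validity check is testable

    def register(self, binding: Binding) -> None:
        self.db[binding.phone] = binding

    def handle_request_sms(self, phone: str, client_ip: str):
        """Steps (3)-(4): verify the request SMS; return the feedback SMS, or None on failure."""
        b = self.db.get(phone)
        if b is None or not valid_ipv4(client_ip) or b.uses >= b.max_uses:
            return None                     # failure SMS; the formula is dead once the threshold is hit
        code_a = secrets.randbelow(MOD)     # challenge code A, fresh per request
        code_b = code_a ^ b.xor_key         # challenge code B = A under the agreed encryption mode
        code_c = apply_formula(code_a, b.formula)
        b.uses += 1
        # A and B are invalidated as soon as the SMS is sent; only IP, C and the timer start survive
        b.pending = {"ip": client_ip, "C": code_c, "started": self.clock()}
        return {"B": code_b, "ip": mask_ip(client_ip)}

    def login(self, account: str, code_d: int, conn_ip: str) -> str:
        """Step (7): identify the login party, check the validity period, then check the password."""
        b = next((x for x in self.db.values() if x.account == account), None)
        if b is None or not b.pending:
            return "fail"
        p, b.pending = b.pending, {}        # every outcome invalidates C and resets the timer
        if p["ip"] != conn_ip:
            return "alert"                  # not the user: warn the bound safe phone / e-mail
        if self.clock() - p["started"] > b.validity_seconds:
            return "expired"
        expected = f"{p['C']:0{DIGITS}d}"
        if not hmac.compare_digest(expected, f"{code_d % MOD:0{DIGITS}d}"):
            return "fail"
        return "ok"

    def remaining_uses(self, phone: str) -> int:
        """Shown to the user after a successful login (step 7)."""
        b = self.db[phone]
        return b.max_uses - b.uses


def client_respond(feedback_sms: dict, sent_ip: str, b: Binding):
    """Steps (5)-(6): check the visible IP part, then decrypt B and compute D."""
    if not visible_part_matches(sent_ip, feedback_sms["ip"]):
        return None                         # SMS was tampered with: abandon the login
    code_a = feedback_sms["B"] ^ b.xor_key  # reverse the agreed encryption mode
    return apply_formula(code_a, b.formula)
```

Because the server clears its pending state on every outcome, a captured D cannot be replayed, and a login from an IP other than the one in the request SMS is reported rather than checked further.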
After adopting the method of the invention, its beneficial effects are:
1) The authentication server encrypts challenge code A with the encryption mode agreed with the user and sends it to the user's mobile phone by SMS; the user decrypts it according to the pre-agreed encryption mode and substitutes the result into the calculation formula agreed with the service provider to obtain the dynamic password used for login authentication. Throughout the login authentication process neither the server side nor the client reveals challenge code A, which effectively defends against mobile phone Trojans such as "Stealthy Robber" and safeguards the account;
2) The threshold on the number of uses of the calculation formula and the calculation formula itself, used to generate the dynamic password for login authentication, can be changed with the service provider at any time. Once the counter value exceeds the threshold, the calculation formula becomes invalid immediately and the authentication server refuses the user's login request; moreover, when the user learns that an attacker has broken into the account, the client can change the calculation formula of the dynamic password, further safeguarding the account;
3) Because the calculation formula involved in the method can be set fairly simply, the computational load on the authentication server is reduced; and since all password generation steps are completed before the user logs in, the authentication server performs no password generation during the login process, further reducing the computational load on the verification server side;
4) The user and the authentication server identify each other. First, on receiving the SMS sent by the SMS platform, the user compares the IP address in it with the non-hidden part of the IP address in the login request SMS they themselves sent, and only if the two are identical does the user perform the login operation, so before logging in the user can accurately judge that the SMS they sent was not tampered with by an attacker. Second, before the authentication server performs login authentication on the account name and password sent by the client, it verifies the legitimacy of the login party's identity by comparing IP addresses; when it judges that the login party is not the user, the authentication server refuses the login party's subsequent login operations and sends an SMS containing the login party's IP address, via the SMS platform, to the safe mobile phone number bound in step (1) and/or an e-mail containing the login party's IP address to the safe e-mail address bound in step (1), reminding the user that the account has been broken into, so that the user receives the service provider's warning promptly and effectively, further safeguarding the account;
5) With the authentication technique of the method, the user only needs to remember one very simple calculation formula; compared with existing authentication techniques the complexity increases little, while security is greatly improved;
6) The identity authentication technique of the method can be used alone or combined with existing static password technology, for example by first verifying the login party's IP address before the authentication server performs login authentication on the account name and static password sent by the client. It is suitable for both computer clients and mobile clients; many account names can use the same authentication technique; the user need not purchase incompatible tokens, password cards or other hardware identification devices for different account names, nor install various incompatible authentication apps on the phone, so the method is simple to operate and easy to learn;
7) The method effectively defends against an attacker's network eavesdropping, replay attacks and small-number attacks; against attackers using various Trojans or mobile phone system vulnerabilities to intercept, forward, tamper with or peek at, on the phone, the SMS containing the dynamic password used to log in to the user's account; against attackers maliciously reporting the user's SIM card lost and having it reissued in order to obtain the dynamic password by deception; and against attackers tricking the user out of the dynamic password with phishing SMS. At the same time it effectively defends against account-stealing Trojan viruses on the computer side, and it solves the defect of existing schemes in which the identification code is sent in plaintext before the user logs in, giving the attacker time to place it on a phishing website so that the user cannot effectively judge whether the server side is genuine; it can therefore defend against fraud attacks carried out by phishing websites against users.
In summary, the method of the invention has high system reliability; verification information such as the challenge code is transmitted with a high degree of secrecy; leakage of user information is effectively avoided; SIM reissue attacks and account-stealing Trojan viruses are effectively defended against, as are fraud attacks carried out by phishing websites against users; and user operation is safe and reliable.
Description of the drawings
Fig. 1 is a flow chart of the user sending a login request by SMS in the present invention;
Fig. 2 is a flow chart of the user logging in at the client in the present invention.
Embodiment
Embodiment 1:
(1), registration: user submits binding information to service provider, and binding information comprises user's an account name, a phone number, the cipher mode of challenge code, the term of validity of dynamic password, the threshold value of the computing formula of dynamic password and the access times of computing formula, a safe electronic email address and/or another safe mobile phone number, the cipher mode of challenge code, the term of validity of dynamic password, the threshold value of the computing formula of dynamic password and the access times of computing formula is arranged jointly by user and service provider, and can be given for change or be revised by safe electronic mailbox and/or another safe mobile phone number, the account name that management work station is submitted to user, phone number, safe electronic email address and/or another safe mobile phone number are verified, the computing formula of dynamic password generates and is selected in the register interface of client by user to determine by management work station is random, after user registration success, require user to keep properly this computing formula, and by account name and phone number, the cipher mode of challenge code, the term of validity of dynamic password, the threshold value of the computing formula of dynamic password and the access times of computing formula, safe electronic email address and/or another safe mobile phone number are saved in the database of certificate server after mutually binding, and wherein, user's login time is by timer record, and the access times of computing formula are by counter records,
(2), user sends logging request: user submits client current public network IP address by Short Message Service Gateway to SMS platform with the form of SMS;
(3), service end checking logging request: SMS platform is receiving the IP address of extracting after user's logging request in user's note and user's phone number, and be transferred to certificate server, certificate server is retrieved the subscriber phone number receiving in the database of certificate server to it, if the phone number in user's logging request conforms to certificate server internal information, IP address format that user sends Counter Value correct and that record computing formula access times does not exceed threshold value, be verified, certificate server generates challenge code A temporarily, the computing formula of agreement in challenge code A substitution step (1), draw dynamic password C, Counter Value+1 of the computing formula access times in recording step (1) simultaneously, certificate server is according to the cipher mode of challenge code, after being encrypted, challenge code A generates challenge code B, user's IP address, challenge code A, challenge code B is kept in the database of certificate server together with dynamic password C, after falling several, the user's that certificate server receives step (2) IP address hiding is transferred to SMS platform together with challenge code B, if the information of binding in the database of subscriber phone number and certificate server is not inconsistent, or the IP address format that user sends is incorrect, authentication failed, certificate server authentication failed message transport to SMS platform, exceed threshold value if record the Counter Value of computing formula access times, computing formula imminent failure, authentication failed, certificate server authentication failed message transport to SMS platform,
(4) Server-side feedback: after verification in step (3) passes, the SMS platform sends the challenge code B generated in step (3) and the partially hidden IP address to the user's phone as a feedback text message via the SMS gateway. Once sending is complete, challenge codes A and B in the authentication server's database are cancelled immediately and the timer starts; the timing limit is the validity period of the dynamic password agreed between the user and the service provider in step (1). If verification in step (3) did not pass, the SMS platform notifies the user that verification failed.
(5) User-side identification: after receiving the message sent in step (4), the user first compares the unhidden part of the IP address in the message with the IP address they sent in step (2). If they differ, the user concludes that the message they sent was tampered with by an attacker and abandons the login; if they are identical, the user proceeds to the next step.
(6) User login: after passing the check of step (5), the user restores the challenge code B obtained in step (4) to challenge code A according to the encryption mode of the challenge code, substitutes it into the computing formula to obtain dynamic password D, and at login enters the account name and dynamic password D in the system's client and submits them.
(7) Server-side verification, comprising the following steps carried out in sequence:
Identifying the registrant's identity: after receiving the account name and dynamic password D sent by the user in step (6), the authentication server first extracts the IP address from which the client is connected to the server and compares it with the IP address obtained in step (3) and kept in the authentication server's database, verifying whether they are identical. If verification fails, the client login interface reports login failure to the user; the user's IP address and dynamic password C stored in the authentication server's database are cancelled immediately and the timer is reset; and at the same time a text message containing the registrant's IP address is sent via the SMS platform to the secure phone number bound in step (1) and/or an e-mail containing the registrant's IP address is sent to the secure mailbox bound in step (1), warning the user that an attacker has intruded into their account. If verification passes, the user's IP address stored in the authentication server's database is cancelled immediately and the process proceeds to the next step.
Verifying the login time: the authentication server extracts the time at which the dynamic password was entered in the client and checks whether it is within the validity period. If it has timed out, the client login interface reports login failure, and dynamic password C stored in the authentication server's database is cancelled immediately and the timer is reset. If it is within the validity period, verification passes, the timer is reset, and the process proceeds to the next step.
Verifying the user password: the authentication server checks the validity of the received account name and dynamic password D by comparing the account name and dynamic password D sent by the user with the account name and dynamic password C stored on the authentication server. If verification fails, the client login interface reports login failure and dynamic password C in the authentication server's database is cancelled immediately. If verification passes, the user logs in successfully; after a successful login, dynamic password C in the authentication server's database is cancelled immediately, and the user is shown the remaining number of uses of the computing formula according to the counter of step (3). When the user again agrees the number of uses of the computing formula or the encryption mode of the challenge code with the service provider, or selects a new computing formula, the counter value is reset.
(8) When the counter value exceeds the threshold because of user error, or when the user has forgotten the computing formula agreed with the service provider in step (1), the user agrees a new threshold or computing formula with the service provider through the secure e-mail address or the other secure phone number submitted in step (1).
(9) When the user needs to log in to the system again, steps (2) to (7) are repeated.
The operating process of the present invention is described in detail below with reference to accompanying drawings 1 and 2; the content of step (1) is not described again.
Suppose that at some later login the IP address of the current client is "49.76.211.241"; the encryption mode of the challenge code agreed between the user and the service provider is to rearrange the digits of challenge code A in the reading order "3rd, 4th, 1st, 2nd" to generate challenge code B; the computing formula of dynamic password C is "challenge code A + 341 - 2"; the threshold on the number of uses of the computing formula is 5; the user's current use count of the computing formula is 3; challenge code A is "4716"; and the attacker's IP address is "202.10.69.11". The "+341-2" in the computing formula is produced by randomly splitting the "3rd, 4th, 1st, 2nd" of the encryption mode and combining the pieces with simple arithmetic, so that it is easy for the user to remember.
The process by which the user obtains the encrypted challenge code B via SMS is:
Step 1: the user composes the text message "49.76.211.241" on the phone bound to the account name and sends it to the SMS platform.
Step 2: on receiving the user's login request, the SMS platform extracts "49.76.211.241" and the user's phone number from the message and forwards them to the authentication server. The authentication server verifies the user's phone number, verifies the format of the IP address sent by the user, and checks whether the user's current use count of the computing formula for generating dynamic passwords exceeds the threshold (currently 3 < threshold 5). If the phone number matches the information in the authentication server's database, the format of the IP address sent by the user is correct, and the counter value does not exceed the threshold, verification passes: the authentication server generates challenge code A "4716"; substituting "4716" into the computing formula "challenge code A + 341 - 2" gives dynamic password C "5055"; the counter recording the number of uses of the computing formula is incremented by 1 and becomes "4"; challenge code A "4716" is rearranged in the reading order "3rd, 4th, 1st, 2nd" into challenge code B "1647"; "49.76.211.241", challenge code A "4716", challenge code B "1647" and dynamic password C "5055" are stored together in the authentication server's database; the authentication server hides the "211" in "49.76.211.241", replacing it with "*", and forwards challenge code B "1647" and "49.76.***.241" to the SMS platform. If the phone number does not match the information in the authentication server's database, or the format of the IP address sent by the user is incorrect, verification fails and the authentication server sends a verification-failure message to the SMS platform. If the counter value exceeds the threshold, the computing formula "challenge code A + 341 - 2" is immediately invalidated, verification fails, and the authentication server sends a verification-failure message to the SMS platform.
Step 3: if verification passes, the SMS platform sends challenge code B "1647" and "49.76.***.241" to the user's phone by text message; once sending is complete, challenge code A "4716" and challenge code B "1647" in the authentication server's database are cancelled immediately and the timer starts counting down. If verification fails, the SMS platform sends the verification-failure message to the user's phone by text message.
The user's login process is:
Step 1: after receiving the message sent by the SMS platform, the user first checks whether the unhidden part of the IP address "49.76.***.241" in the message is consistent with the IP address in the login-request message they sent. If not, the user concludes that the login-request message they sent was tampered with by an attacker and abandons the login; if it is correct, the user proceeds to the next step.
Step 2: the user extracts challenge code B "1647" from the received message, first restores challenge code B "1647" to challenge code A "4716" according to the agreed reading order "3rd, 4th, 1st, 2nd", then substitutes challenge code A "4716" into the computing formula "challenge code A + 341 - 2" that was generated by the system and confirmed by the user to obtain dynamic password D "5055", and enters the account name and dynamic password "5055" in the client login interface and submits them.
Step 3: after receiving the account name and dynamic password D "5055" sent by the user, the authentication server first checks whether the IP address from which the client is connected to the server is "49.76.211.241". If verification fails, the client login interface reports login failure; the user's "49.76.211.241" and "5055" stored in the authentication server's database are cancelled immediately and the timer is reset; and at the same time a text message containing the registrant's IP address is sent via the SMS platform to the secure phone number bound by the user and/or an e-mail containing the registrant's IP address is sent to the secure mailbox bound by the user. If it is correct, verification passes, the "49.76.211.241" stored in the authentication server's database is cancelled immediately, and the process proceeds to the next step.
Step 4: the authentication server verifies the user's login time. If it has timed out, the client login interface reports login failure, and "5055" stored in the authentication server's database is cancelled immediately and the timer is reset. If it has not timed out, verification passes, the timer is reset, and the process proceeds to the next step.
Step 5: the authentication server verifies the account name and dynamic password D "5055" sent by the user. If verification fails, the client login interface reports login failure and "5055" in the authentication server's database is cancelled immediately. If verification passes, the dynamic password "5055" stored in the authentication server's database is cancelled immediately, the login succeeds, and the user is told that the remaining number of uses of the computing formula is "1".
How the method of the invention guards against phishing-website fraud, SIM-replacement attacks and the mobile phone Trojan "stealthy robber" is explained below.
I. Principle of guarding against phishing-website fraud:
Suppose the user has received the message containing challenge code B "1647" and "49.76.***.241" sent by the SMS platform, and then logs in at a phishing website built by an attacker, so that the attacker obtains the account name and dynamic password D "5055" entered by the user. The attacker then enters the account name and dynamic password D "5055" on the official website from their own client, whose IP address is "202.10.69.11", for login verification. The authentication server first checks the IP address from which the client is connected to the server; because the attacker's IP address at login is "202.10.69.11" rather than the "49.76.211.241" that the user sent by text message, the authentication server judges that the registrant is an attacker, authentication fails and the login is rejected. At the same time a text message containing the attacker's IP address "202.10.69.11" is sent via the SMS platform to the secure phone number bound by the user and/or an e-mail containing the attacker's IP address "202.10.69.11" is sent to the secure mailbox bound by the user, warning the user that their account has been attacked.
II. Principle of guarding against SIM-replacement attacks:
Suppose an attacker has obtained a replacement of the user's SIM card using forged identity documents. The attacker composes the text message "202.10.69.11" on a phone fitted with the replacement SIM and sends it to the SMS platform; the SMS platform extracts the phone number and "202.10.69.11" and forwards them to the authentication server; after verification the authentication server uses the SMS platform to send a message containing challenge code B "1647" and "202.10.***.11" to the attacker's phone. But the attacker does not know the correct reading order of challenge code A agreed between the user and the service provider, cannot restore challenge code B "1647" to challenge code A "4716", and knows even less what computing formula the system generated and the user confirmed, so the attacker cannot compute the correct dynamic password D "5055" and login authentication fails. If the attacker repeatedly requests challenge code B in an attempt to crack it, the computing formula "challenge code A + 341 - 2" is immediately invalidated once the counter value exceeds the threshold "5", verification fails, and the authentication server refuses the attacker's login requests. At the same time a text message containing the attacker's IP address "202.10.69.11" is sent via the SMS platform to the secure phone number bound by the user and/or an e-mail containing the attacker's IP address "202.10.69.11" is sent to the secure mailbox bound by the user, warning the user that their account has been attacked.
III. Principle of guarding against the mobile phone Trojan "stealthy robber":
Suppose the user's phone is infected with the "stealthy robber" Trojan. The user composes the text message "49.76.211.241" on the phone bound to the account name and sends it to the SMS platform; the SMS platform extracts the phone number and "49.76.211.241" and forwards them to the authentication server; after verification the authentication server uses the SMS platform to send a message containing challenge code B "1647" and "49.76.***.241" to the user's phone. The Trojan intercepts this message from the authentication server and forwards it to the attacker's phone. The attacker still does not know the user's complete IP address; if they attempt to log in from their own IP address "202.10.69.11", the authentication server first checks the IP address from which the client is connected to the server, and since the attacker's IP address at login is "202.10.69.11" rather than the "49.76.211.241" that the user sent by text message, the check is not passed. Moreover, the attacker cannot restore challenge code B "1647" to challenge code A "4716" and knows even less what computing formula the system generated and the user confirmed, so the attacker cannot compute the correct dynamic password D "5055" and login authentication fails.
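The procedure of steps (1) to (9), the worked example with challenge code A "4716", and the three defence scenarios above can be run end to end in one short simulation. The following Python block is an added example written for this page, not code from the patent or its applicant. It models the authentication server and the user's phone with the page's values (reading order "3rd, 4th, 1st, 2nd", formula "challenge code A + 341 - 2", threshold 5, current use count 3, addresses "49.76.211.241" and "202.10.69.11") and makes a few assumptions the page leaves open: a constructed placeholder phone number, a 60-second validity period, that the hidden part of the IP address is its third octet, and that a use count equal to the threshold means the formula has expired. The SMS platform and gateway are collapsed into plain function calls.

```python
# Added simulation of the patent's flow (not the patent's code); assumptions are marked.
import hmac
import re
import secrets
from dataclasses import dataclass

IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
ORDER = (2, 3, 0, 1)                 # agreed reading order "3rd, 4th, 1st, 2nd" (0-based)
FORMULA = lambda a: a + 341 - 2      # agreed computing formula "challenge code A + 341 - 2"
USER_IP, ATTACKER_IP = "49.76.211.241", "202.10.69.11"
PHONE = "13800000000"                # constructed placeholder for the bound phone number

def permute(code, order):
    """Encrypt challenge A into B by reading its digits in the agreed order."""
    return "".join(code[i] for i in order)

def unpermute(code_b, order):
    """Reverse the reading order on the phone to recover A from B."""
    return "".join(code_b[order.index(i)] for i in range(len(order)))

def mask_ip(ip):
    """Hide the third octet of the IP address echoed in the feedback SMS (assumption)."""
    return ".".join("***" if i == 2 else p for i, p in enumerate(ip.split(".")))

def user_derive_password(code_b, masked_ip, own_ip, order, formula):
    """Steps (5)-(6) on the phone; None means the user abandons the login."""
    for shown, own in zip(masked_ip.split("."), own_ip.split(".")):
        if shown != own and set(shown) != {"*"}:   # every unhidden octet must match
            return None
    return str(formula(int(unpermute(code_b, order))))

@dataclass
class Binding:
    phone: str
    order: tuple
    formula: object
    threshold: int          # allowed uses of the computing formula
    validity_s: float       # validity period of a dynamic password
    counter: int = 0
    pending: dict = None    # IP, C and send time of the open challenge

class AuthServer:
    def __init__(self, clock, rng=None):
        self.db, self.clock, self.alerts = {}, clock, []
        self.rng = rng or (lambda: f"{secrets.randbelow(10000):04d}")

    def login_request(self, phone, ip):
        """Step (3): verify the request SMS, then issue challenge B and the masked IP."""
        b = next((x for x in self.db.values() if x.phone == phone), None)
        if b is None or not IPV4.match(ip):
            return ("FAIL", "phone number or IP format rejected")
        if b.counter >= b.threshold:     # assumption: no remaining uses means expired
            return ("FAIL", "computing formula expired")
        a = self.rng()
        b.counter += 1
        # Step (4): after sending, A and B are cancelled; IP, C and the send time stay.
        b.pending = {"ip": ip, "C": str(b.formula(int(a))), "sent_at": self.clock()}
        return ("OK", permute(a, b.order), mask_ip(ip))

    def login(self, account, password_d, client_ip):
        """Step (7): registrant identity, then login time, then dynamic password."""
        b = self.db.get(account)
        p = b.pending if b else None
        if p is None:
            return ("FAIL", "no open challenge")
        b.pending = None                 # every outcome cancels the stored IP and C
        if client_ip != p["ip"]:
            self.alerts.append(f"login attempt for {account} from {client_ip}")
            return ("FAIL", "client IP differs from the IP in the request SMS")
        if self.clock() - p["sent_at"] > b.validity_s:
            return ("FAIL", "dynamic password validity expired")
        if not hmac.compare_digest(str(password_d), p["C"]):
            return ("FAIL", "dynamic password mismatch")
        return ("OK", b.threshold - b.counter)   # remaining uses of the formula

def new_server():
    """Step (1) binding with the page's values; A is fixed to "4716" for the example."""
    now = [1000.0]                   # fake clock, advanced by the scenarios
    srv = AuthServer(clock=lambda: now[0], rng=lambda: "4716")
    srv.db["alice"] = Binding(PHONE, ORDER, FORMULA, threshold=5, validity_s=60, counter=3)
    return srv, now

def worked_example(client_ip=USER_IP, delay_s=20):
    """Genuine login; client_ip=ATTACKER_IP reproduces the phishing and Trojan cases."""
    srv, now = new_server()
    _, code_b, masked = srv.login_request(PHONE, USER_IP)
    d = user_derive_password(code_b, masked, USER_IP, ORDER, FORMULA)
    now[0] += delay_s
    return {"B": code_b, "masked_ip": masked, "D": d,
            "login": srv.login("alice", d, client_ip), "alerts": srv.alerts}

def sim_swap_scenario():
    """Holder of a replacement SIM who lacks the reading order and the formula."""
    srv, now = new_server()
    _, code_b, _ = srv.login_request(PHONE, ATTACKER_IP)
    first = srv.login("alice", code_b, ATTACKER_IP)          # submits B itself as D
    while srv.login_request(PHONE, ATTACKER_IP)[0] == "OK":  # keeps asking for codes
        pass
    return first, srv.db["alice"].counter                    # formula expired at 5
```

worked_example() yields challenge code B "1647", the masked address "49.76.***.241", dynamic password D "5055" and a successful login with 1 remaining use of the formula, matching the page's figures. worked_example(client_ip=ATTACKER_IP) is the phishing and Trojan case: the correct password presented from "202.10.69.11" is rejected at the registrant-identity check and an alert is recorded for the bound contact, before the password is even compared. sim_swap_scenario() shows the replacement-SIM holder receiving B but failing the password check, then exhausting the counter by re-requesting codes. As in the patent, the server keeps C in plaintext for the validity window; the code discards the pending record on every outcome so that nothing outlives one login attempt.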

Claims (9)

1. A method for protecting account security based on asynchronous dynamic password technology, comprising the following steps: (1) registration; (2) the user sends a login request; (3) server-side verification of the login request; (4) server-side feedback; (5) user-side identification; (6) user login; (7) server-side verification; characterized in that: in step (1) the user and the service provider agree the encryption mode of the challenge code and the computing formula of the dynamic password, and the encryption mode and the computing formula are stored in the database of the authentication server; in step (3) the authentication server, after successfully verifying the login request of step (2), generates challenge code A, challenge code B and dynamic password C and stores challenge code A, challenge code B and dynamic password C in the database of the authentication server, where challenge code B is obtained by encrypting challenge code A with the encryption mode and dynamic password C is calculated from challenge code A with the computing formula; in step (4) the authentication server sends a feedback text message containing challenge code B to the user's phone; in step (6) the user decrypts challenge code B according to the encryption mode, substitutes the result into the computing formula to obtain dynamic password D, and enters the account name and dynamic password D in the client login interface; and in step (7) the authentication server compares dynamic password C with dynamic password D for verification.
2. The method for protecting account security based on asynchronous dynamic password technology according to claim 1, characterized in that: the login request in step (2) comprises the user sending an authentication request text message to the authentication server; in step (3), after receiving the user's authentication request message, the authentication server verifies the user's phone number and also verifies the number of uses of the computing formula; the authentication server is provided with a counter recording the number of uses of the computing formula; each time the authentication server generates dynamic password C in step (3) the counter value is incremented by 1; and when the counter value exceeds the threshold on the number of uses of the computing formula agreed between the user and the service provider in step (1), the computing formula is immediately invalidated and the authentication server refuses the user's login request.
3. The method for protecting account security based on asynchronous dynamic password technology according to claim 2, characterized in that: the authentication request message in step (2) contains the client's current public-network IP address; in step (3) the authentication server stores the IP address from the authentication request message in the database; the content of the feedback message in step (4) also includes the IP address stored in the database in step (3); and in step (5), after receiving the feedback message, the user first compares whether the IP address in the feedback message is identical to the IP address in the authentication request message they sent, and only if the two are identical does the user carry out the login operation of step (6).
4. The method for protecting account security based on asynchronous dynamic password technology according to claim 3, characterized in that: several digits of the IP address in the content of the feedback message are hidden by the server.
5. The method for protecting account security based on asynchronous dynamic password technology according to claim 4, characterized in that: the server-side verification in step (7) comprises the following steps carried out in sequence: identifying the registrant's identity, verifying the login time, and verifying the user password.
6. The method for protecting account security based on asynchronous dynamic password technology according to claim 5, characterized in that: identifying the registrant's identity comprises the authentication server comparing the IP address from which the user logs in with the IP address submitted in the authentication request message of step (2), to verify whether the person sending the password from the client is the user; if not, step (7) is aborted.
7. The method for protecting account security based on asynchronous dynamic password technology according to claim 6, characterized in that: when the authentication server judges that the registrant is not the user and aborts step (7), it sends a text message containing the registrant's IP address via the SMS platform to the secure phone number bound by the user in step (1) and/or sends an e-mail containing the registrant's IP address to the secure mailbox bound by the user in step (1), warning that an attacker has intruded into the user's account.
8. The method for protecting account security based on asynchronous dynamic password technology according to claim 7, characterized in that: in step (1) the user agrees the validity period of the dynamic password with the service provider; the authentication server is provided with a timer recording the validity period; verifying the login time comprises the authentication server verifying whether the time at which the client entered the dynamic password is within the validity period; and if it has timed out, the client login interface reports login failure, and dynamic password C stored in the authentication server's database is cancelled immediately and the timer is reset.
9. The method for protecting account security based on asynchronous dynamic password technology according to claim 8, characterized in that: after the user again agrees the threshold, the encryption mode or the computing formula with the service provider, the counter value is reset.
CN201410044761.7A 2014-02-07 2014-02-07 Method for protecting account security based on asynchronous dynamic password technology Active CN103795724B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410044761.7A CN103795724B (en) 2014-02-07 2014-02-07 Method for protecting account security based on asynchronous dynamic password technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410044761.7A CN103795724B (en) 2014-02-07 2014-02-07 Method for protecting account security based on asynchronous dynamic password technology

Publications (2)

Publication Number Publication Date
CN103795724A true CN103795724A (en) 2014-05-14
CN103795724B CN103795724B (en) 2017-01-25

Family

ID=50671010

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410044761.7A Active CN103795724B (en) 2014-02-07 2014-02-07 Method for protecting account security based on asynchronous dynamic password technology

Country Status (1)

Country Link
CN (1) CN103795724B (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105681044A (en) * 2015-12-25 2016-06-15 张晓峰 Verification code recognition system taking password or verification code as sequence number
CN106657045A (en) * 2016-12-13 2017-05-10 翁印嵩 Multi-network integrated security and authentication method and system
CN107079022A (en) * 2014-10-24 2017-08-18 统有限责任两合公司 The method being authenticated during for logging on the server to user equipment
CN107171789A (en) * 2017-04-20 2017-09-15 努比亚技术有限公司 A kind of safe login method, client device and server
CN107493295A (en) * 2017-09-06 2017-12-19 中南大学 A kind of different account number safety login method based on blind quantum calculation
CN109076080A (en) * 2016-04-25 2018-12-21 株式会社电子暴风 authentication method and system
CN109302394A (en) * 2018-09-29 2019-02-01 武汉极意网络科技有限公司 A kind of anti-simulation login method of terminal, device, server and storage medium
CN109586923A (en) * 2018-12-20 2019-04-05 武汉璞华大数据技术有限公司 Single time password offline authentication method and device
CN109787852A (en) * 2017-11-15 2019-05-21 小草数语(北京)科技有限公司 Account validation checking method, apparatus and its equipment
CN109922035A (en) * 2017-12-13 2019-06-21 华为技术有限公司 Method, request end and the checkout terminal of password resetting
CN110677431A (en) * 2019-10-14 2020-01-10 云深互联(北京)科技有限公司 Bidirectional verification method and device
CN111090841A (en) * 2019-11-22 2020-05-01 中国联合网络通信集团有限公司 Authentication method and device for industrial control system
CN111382422A (en) * 2018-12-28 2020-07-07 卡巴斯基实验室股份制公司 System and method for changing password of account record under threat of illegal access to user data
CN111581613A (en) * 2020-04-29 2020-08-25 支付宝(杭州)信息技术有限公司 Account login verification method and system
CN112399360A (en) * 2020-11-13 2021-02-23 平安科技(深圳)有限公司 Short message dynamic password verification method, server, client and storage medium
TWI758260B (en) * 2015-11-05 2022-03-21 大陸商中國銀聯股份有限公司 Website login method and login system based on mobile phone short message

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1855810B (en) * 2005-04-26 2010-09-08 上海盛大网络发展有限公司 Dynamic code verification system, method and use
CN1832401A (en) * 2006-04-06 2006-09-13 陈珂 Method for protecting safety of account number cipher
CN1937498A (en) * 2006-10-09 2007-03-28 网之易信息技术(北京)有限公司 Dynamic cipher authentication method, system and device
CN101453458B (en) * 2007-12-06 2013-07-10 北京唐桓科技发展有限公司 Personal identification process for dynamic cipher password bidirectional authentication based on multiple variables
CN101257489A (en) * 2008-03-20 2008-09-03 陈珂 Method for protecting account number safety
CN102164141B (en) * 2011-04-24 2014-11-05 陈珂 Method for protecting security of account

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107079022A (en) * 2014-10-24 2017-08-18 统有限责任两合公司 The method being authenticated during for logging on the server to user equipment
CN107079022B (en) * 2014-10-24 2020-07-17 统一有限责任两合公司 Method for authenticating a user device during a login on a server
TWI758260B (en) * 2015-11-05 2022-03-21 大陸商中國銀聯股份有限公司 Website login method and login system based on mobile phone short message
CN105681044A (en) * 2015-12-25 2016-06-15 张晓峰 Verification code recognition system taking password or verification code as sequence number
CN109076080A (en) * 2016-04-25 2018-12-21 株式会社电子暴风 authentication method and system
CN106657045A (en) * 2016-12-13 2017-05-10 翁印嵩 Multi-network integrated security and authentication method and system
CN107171789A (en) * 2017-04-20 2017-09-15 努比亚技术有限公司 A kind of safe login method, client device and server
CN107493295A (en) * 2017-09-06 2017-12-19 中南大学 A kind of different account number safety login method based on blind quantum calculation
CN109787852A (en) * 2017-11-15 2019-05-21 小草数语(北京)科技有限公司 Account validation checking method, apparatus and its equipment
CN109922035A (en) * 2017-12-13 2019-06-21 华为技术有限公司 Method, request end and the checkout terminal of password resetting
CN109922035B (en) * 2017-12-13 2021-11-19 华为技术有限公司 Password resetting method, request terminal and verification terminal
US11388194B2 (en) 2017-12-13 2022-07-12 Huawei Cloud Computing Technologies Co., Ltd. Identity verification and verifying device
CN109302394A (en) * 2018-09-29 2019-02-01 武汉极意网络科技有限公司 A kind of anti-simulation login method of terminal, device, server and storage medium
CN109586923A (en) * 2018-12-20 2019-04-05 武汉璞华大数据技术有限公司 Single time password offline authentication method and device
CN111382422B (en) * 2018-12-28 2023-08-11 卡巴斯基实验室股份制公司 System and method for changing passwords of account records under threat of illegally accessing user data
CN111382422A (en) * 2018-12-28 2020-07-07 卡巴斯基实验室股份制公司 System and method for changing password of account record under threat of illegal access to user data
CN110677431A (en) * 2019-10-14 2020-01-10 云深互联(北京)科技有限公司 Bidirectional verification method and device
CN111090841A (en) * 2019-11-22 2020-05-01 中国联合网络通信集团有限公司 Authentication method and device for industrial control system
CN111581613A (en) * 2020-04-29 2020-08-25 支付宝(杭州)信息技术有限公司 Account login verification method and system
CN111581613B (en) * 2020-04-29 2023-11-14 支付宝(杭州)信息技术有限公司 Account login verification method and system
CN112399360A (en) * 2020-11-13 2021-02-23 平安科技(深圳)有限公司 Short message dynamic password verification method, server, client and storage medium

Also Published As

Publication number Publication date
CN103795724B (en) 2017-01-25

Similar Documents

Publication Publication Date Title
CN103795724B (en) Method for protecting account security based on asynchronous dynamic password technology
CN102164141B (en) Method for protecting security of account
CN104469767B (en) The implementation method of integrated form security protection subsystem in a set of mobile office system
CN105024819B (en) A kind of multiple-factor authentication method and system based on mobile terminal
CN101272237B (en) Method and system for automatically generating and filling login information
CN102880960B (en) Based on the payment by using short messages method and system of fingerprint recognition mobile phone
CN105897424B (en) A kind of enhancing identity authentication method
CN101897165B (en) Method of authentication of users in data processing systems
CN101257489A (en) Method for protecting account number safety
Kumar A New Secure Remote User Authentication Scheme with Smart Cards.
CN108684041A (en) The system and method for login authentication
CN105357186B (en) A kind of secondary authentication method based on out-of-band authentication and enhancing OTP mechanism
CN102202300A (en) System and method for dynamic password authentication based on dual channels
CN106027501B (en) A kind of system and method for being traded safety certification in a mobile device
CN103853950A (en) Authentication method based on mobile terminal and mobile terminal
US20150170144A1 (en) System and method for signing and authenticating secure transactions through a communications network
CN103888255A (en) Identity authentication method, device and system
US9654466B1 (en) Methods and systems for electronic transactions using dynamic password authentication
CN104125230B (en) A kind of short message certification service system and authentication method
CN105591745A (en) Method and system for performing identity authentication on user using third-party application
CN102281138A (en) Method and system for improving safety of verification code
CN104125064B (en) A kind of dynamic cipher authentication method, client and Verification System
CN103024706A (en) Short message based device and short message based method for bidirectional multiple-factor dynamic identity authentication
CN103401686B (en) A kind of user&#39;s OTP WEB Authentication System and application process thereof
CN102868702A (en) System login device and system login method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant