CN103840943A - Method for achieving multi-service authentication based on challenge-response dynamic passwords

Info

Publication number: CN103840943A
Authority: CN (China)
Prior art keywords: dynamic password, service, challenge response, key, response dynamic
Priority date: 2014-03-11
Legal status: Pending
Application number: CN201410088259.6A
Other languages: Chinese (zh)
Inventors: 沈勇坚, 王翔平, 胡永刚
Current assignee: Dynamicode Co Ltd
Original assignee: Dynamicode Co Ltd
Filing date: 2014-03-11
Publication date: 2014-06-04

Landscapes: Financial or insurance-related operations such as payment and settlement

Abstract

The invention discloses a method for multi-service authentication based on challenge-response dynamic passwords. In the method, both the authentication system and the hardware token derive a separate computation key for each service when they compute the challenge-response dynamic password, so that the dynamic passwords generated for different services differ. As a result, different challenge-response dynamic passwords can be generated for the same challenge value within the same step value.

Description

Method for achieving multi-service authentication based on challenge-response dynamic passwords
Technical field
The present invention relates to dynamic password authentication technology, and in particular to challenge-response dynamic password authentication.
Background
Dynamic password: an unpredictable combination of random digits generated by a dedicated algorithm; each password can be used only once. Dynamic passwords are widely used in online banking, online games, telecom operators, e-commerce and enterprise applications.
By technology, dynamic passwords are currently divided into two kinds: synchronous password technology and asynchronous password technology.
Step value: a dynamic password has a step value parameter. For a time-based dynamic password the step value is usually 60 seconds: every password generated within one 60-second window is identical and may be accepted by the authentication system only once, and the password generated in the next 60-second window is a different one.
Seed key: the key from which, together with certain parameters, the dynamic password is computed.
A common challenge-response dynamic password is an asynchronous dynamic password. To generate it, the server side of the authentication system produces a challenge value and passes it to the client, who holds a hardware token that supports the dynamic password algorithm. The client enters the challenge value on the token, which computes a response from it, called the challenge-response dynamic password. The client then submits this dynamic password to the authentication server for verification; the server computes the dynamic password from the same challenge value and compares it with the one submitted by the client. If they are identical, authentication succeeds; otherwise it fails.
Figure 1 shows the computation and authentication principle of the existing challenge-response password. The authentication system generates the challenge value, which is entered on the hardware token; the token uses the same seed key as the authentication system to generate the challenge-response dynamic password; the authentication system then generates a dynamic password using the same seed key as the token and compares it with the password generated by the token to complete authentication.
Within one step value of the dynamic password (for example, a 60-second time window for a time-based token whose step value is 60 seconds), the same challenge always produces the same response: the challenge-response dynamic password is the same every time.
This authentication mode can therefore provide secure authentication for only one kind of service within a single step value. For example:
When an online banking system performs the "transfer" function, it requires the client to authenticate with a challenge-response dynamic password. Within a 60-second window (one step value of the dynamic password), the bank's authentication system generates a random challenge value according to some rule and asks the client to enter it on the hardware token; the client then submits the response dynamic password computed on the token to the bank's authentication system for verification.
If within those same 60 seconds (the same step value) the client uses another service, such as the "online payment" function, and the same challenge value is used, the same dynamic password may be generated; when the server verifies this password it may treat it as a replay attack and refuse to authenticate.
Summary of the invention
To address this problem of existing challenge-response dynamic passwords during authentication, the invention provides a method for multi-service authentication based on challenge-response dynamic passwords that produces different challenge-response dynamic passwords for the same challenge value within the same step value.
To achieve this, the invention adopts the following technical scheme:
A method for multi-service authentication based on challenge-response dynamic passwords, in which, at both the authentication system and the hardware token, a computation key corresponding to the service is formed when the challenge-response dynamic password is computed, and this computation key is used to generate a challenge-response dynamic password specific to that service.
In a preferred embodiment, the authentication system and the hardware token each introduce a service code parameter corresponding to the service, combine the original seed key with that service code parameter, and obtain a computation key for the service; this computation key is then used, together with the corresponding calculation parameters, to compute the challenge-response dynamic password for that service.
Further, the service code parameter is an integer value, displayed on the token as the sequence number of a function menu entry.
Further, during a transaction, the authentication system selects the specified service code according to the needs of the service and forms a corresponding prompt; when using the token, the client selects the corresponding service function on the token as prompted by the authentication system, so that the token and the server use the same service code.
Further, the authentication system and the hardware token use a key diversification algorithm to calculate the computation key.
Further, when the diversification algorithm computes the computation key, the computation key is diversified from the original seed data according to the service code: specifically, a message is formed from working key + service code, and its hash value is used as the computation key for the dynamic password.
Further, the formula for the computation key is as follows:
Calc_Seed=SM3(Work_Seed|alg_type_1);
where Work_Seed (bytes) is the original working key (if the token supports activation, the working key after activation);
Alg_type_1 (4 bytes) is the service code, most significant byte first;
Calc_Seed is the output computation key, at most 32 bytes; if the required seed length is less than 32 bytes, it is truncated.
By introducing a multi-challenge seed diversification strategy, the invention makes the seed key used to generate the challenge-response dynamic password differ for different service codes even with the same seed key, the same challenge value and the same step value. Different challenge-response dynamic passwords are therefore produced for the same challenge value within the same step value, and multiple services can be authenticated within one step value.
Brief description of the drawings
The invention is further described below with reference to the drawings and specific embodiments.
Fig. 1 is a diagram of the computation and authentication principle of the existing challenge-response password;
Fig. 2 is a schematic diagram of the implementation of the present invention.
Embodiment
To make the technical means, features, objects and effects of the invention easy to understand, the invention is further explained below with reference to the figures.
The invention introduces a multi-challenge seed diversification strategy so that, when challenge-response dynamic passwords are generated, different passwords are produced for the same challenge value within the same step value, enabling authentication of multiple services within one step value.
Fig. 2 is a schematic diagram of the multi-service authentication method based on challenge-response dynamic passwords provided by the invention. As the figure shows, at both the authentication system and the hardware token, when the challenge-response dynamic password is computed, a service code parameter corresponding to the service being authenticated is introduced to form a service-specific computation key, which is then used to generate the challenge-response dynamic password for that service.
The service code parameter may be an integer value, displayed on the token as the sequence number of a function menu entry, such as "1-transfer, 2-payment, 3-fee payment".
Based on this principle, when authentication is performed, the authentication system first generates a challenge value within a given step value, and this challenge value is entered on the hardware token.
Then, before using the seed key to generate the dynamic password, the authentication system and the hardware token each reference the service code parameter for the service to be authenticated and use a diversification algorithm to combine their original seed key with the referenced service code parameter, obtaining a computation key for that service.
In a real transaction, the service code parameter is determined by the authentication server, which prompts the user to choose the corresponding service function when using the token, so that the service selected by the client on the token is consistent with the service code on the server.
For example, during a transaction the online banking server selects a specified service code (such as 1-transfer) according to the service and forms the corresponding instruction; when using the token, the client selects the corresponding service function on the token as prompted by the online banking server, so that the token in the client's hand uses the same service code as the server.
The diversification algorithm used here derives the computation key from the original seed data according to the service code. The concrete computation is as follows:
A message is formed from working key + service code (4 bytes), and its hash value is used as the computation key for the dynamic password, according to the following formula:
Calc_Seed=SM3(Work_Seed|alg_type_1);
where Work_Seed (bytes) is the original working key (if the token supports activation, the working key after activation);
Alg_type_1 (4 bytes) is the service code, most significant byte first; for example, service code 1 takes part in the computation as the byte array 0x00 0x00 0x00 0x01;
Calc_Seed is the output computation key, at most 32 bytes; if the required seed length is less than 32 bytes it is truncated, following the SM3 seed truncation algorithm description.
Next, the authentication system and the hardware token use the computed computation key, together with the challenge value and the other parameters of dynamic password generation (such as the time value), to generate the challenge-response dynamic password.
Finally, the challenge-response dynamic password generated by the hardware token is entered into the authentication system to complete authentication.
Under this scheme, if another service must be authenticated within the same step value, the challenge value formed by the authentication system is the same because the step value is the same; the authentication system and the hardware token then select the service code parameter for the new service, compute the corresponding computation key, and use it with the current challenge value and the other dynamic password parameters (such as the time value) to generate the challenge-response dynamic password.
Because different services have different service code parameters, the computation keys computed for the two services differ. Within the same step value the challenge value formed by the authentication system is the same, and since the authentication system and the token are the same, the other dynamic password parameters (such as the time value) are also the same.
With different computation keys but the same challenge value and the same other parameters, the challenge-response dynamic passwords computed for the two services differ, so different services can be authenticated "simultaneously" (that is, within the same step value).
Thus, by using different service codes to generate different computation keys for the challenge-response dynamic password, this scheme guarantees that with the same seed key, the same challenge value and the same step value, different service codes yield different challenge-response dynamic passwords, achieving "simultaneous" (within the same step value) authentication of different services.
Moreover, in practice, when two different services must be authenticated simultaneously within the same step value, the authentication system selects the service parameter for each service and computes two different dynamic passwords, and at the same time forms a service parameter prompt requiring the client to select the corresponding service function on the token as prompted by the online banking server, to avoid confusion or errors in authentication. The server (such as the online banking system) must prompt the user which service function to select when using the token, to avoid authentication errors.
For example, the bank's authentication system sets the token function "1-transfer" as the function for authenticating the "transfer" service; when the user logs into online banking to make a transfer, the online banking authentication system forms a prompt for the transfer service telling the user that the "1-transfer" function on the token must be used. If the user selects the wrong service function or none at all, authentication will fail.
A concrete application example below illustrates how this scheme achieves multi-service authentication with the same seed key and the same challenge value within the same step value.
In this example the service code parameter in the dynamic token is an integer value, displayed as the sequence number of the function menu: "1-transfer, 2-payment, 3-fee payment".
Suppose a user at the online banking side needs to perform two different services, a transfer and a payment, from the same account, and both involve the same amount, 1000 yuan.
The two services must be authenticated separately with different dynamic passwords, even though the transfer and the payment both involve the same amount of 1000 yuan; both can be authenticated within the same step value as follows:
First, the user selects the transfer function at the online banking side and enters the amount of 1000 yuan. Within one 60 s step value, the bank's authentication system forms the challenge value corresponding to the amount 1000 yuan entered by the user, forms transfer service parameter 1 from the transfer function selected by the user, and uses the diversification algorithm to combine its original seed key with service parameter 1, obtaining the computation key for the transfer service. It uses this computation key and the challenge value to compute the transfer authentication dynamic password for server-side verification, and forms the prompt "please select the 1-transfer function on the token".
Meanwhile, at the dynamic token, the user enters the amount of 1000 yuan and the token forms the corresponding challenge value (identical to the one generated by the bank). Following the bank's prompt, the user presses service function key 1; the token forms transfer service parameter 1 from the key pressed, uses the diversification algorithm to combine its original seed key with service parameter 1, and obtains the computation key for the transfer service (identical to the one generated by the bank). It then computes the dynamic password from this computation key and the challenge value, and this password is checked against the transfer authentication dynamic password generated by the bank's authentication server to complete authentication of the transfer service.
After the transfer service is completed, the user also needs to authenticate a payment service within the same 60 s step value. Because the step value is the same, the challenge value at the bank is identical to the one used for the transfer authentication (it is formed from the entered amount of 1000 yuan). The bank forms payment service parameter 2 from the payment function selected by the user, uses the diversification algorithm to combine its original seed key with payment service parameter 2, obtains the computation key for the payment service, computes the payment authentication dynamic password from this computation key and the challenge value, and forms the prompt "please select the 2-payment function on the token".
Meanwhile, at the dynamic token, because the step value is the same, the challenge value is identical to the one used for the transfer authentication (formed from the entered amount of 1000 yuan). Following the bank's prompt, the user presses service function key 2; the token forms payment service parameter 2 from the key pressed, uses the diversification algorithm to combine its original seed key with payment service parameter 2, and obtains the computation key for the payment service (identical to the payment computation key generated by the bank). It computes the dynamic password from this computation key and the challenge value, and this password is checked against the payment authentication dynamic password generated by the bank's authentication server to complete authentication of the payment service.
The foregoing shows and describes the basic principles, main features and advantages of the invention. Those skilled in the art will understand that the invention is not limited to the above embodiments; the embodiments and the description only illustrate the principles of the invention, and various changes and modifications may be made without departing from its spirit and scope, all of which fall within the claimed scope of the invention. The claimed scope of the invention is defined by the appended claims and their equivalents.

Claims (7)

1. A method for multi-service authentication based on challenge-response dynamic passwords, characterized in that, at both the authentication system and the hardware token, a computation key corresponding to the service is formed when the challenge-response dynamic password is computed, and this computation key is used to generate a challenge-response dynamic password specific to that service.
2. The method for multi-service authentication based on challenge-response dynamic passwords according to claim 1, characterized in that the authentication system and the hardware token each introduce a service code parameter corresponding to the service, combine the original seed key with the corresponding service code parameter to obtain a computation key for that service, and then use this computation key together with the corresponding calculation parameters to compute the challenge-response dynamic password for that service.
3. The method for multi-service authentication based on challenge-response dynamic passwords according to claim 1, characterized in that the service code parameter is an integer value, displayed on the token as the sequence number of a function menu entry.
4. The method for multi-service authentication based on challenge-response dynamic passwords according to claim 1, 2 or 3, characterized in that, during a transaction, the authentication system selects the specified service code according to the needs of the service and forms a corresponding prompt, and the client, when using the token, selects the corresponding service function on the token as prompted by the authentication system, so that the token and the server use the same service code.
5. The method for multi-service authentication based on challenge-response dynamic passwords according to claim 1, characterized in that the authentication system and the hardware token use a diversification algorithm to calculate the computation key.
6. The method for multi-service authentication based on challenge-response dynamic passwords according to claim 5, characterized in that, when the diversification algorithm computes the computation key, the computation key is diversified from the original seed data according to the service code: specifically, a message is formed from working key + service code, and its hash value is used as the computation key for the dynamic password.
7. The method for multi-service authentication based on challenge-response dynamic passwords according to claim 6, characterized in that the formula for the computation key is as follows:
Calc_Seed=SM3(Work_Seed|alg_type_1);
where Work_Seed (bytes) is the original working key (if the token supports activation, the working key after activation);
Alg_type_1 (4 bytes) is the service code, most significant byte first;
Calc_Seed is the output computation key, at most 32 bytes.

Application record

Application number: CN201410088259.6A
Priority date / filing date: 2014-03-11
Publication: CN103840943A (en), published 2014-06-04
Family ID: 50804112
Country status: CN, pending

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103916247A (en) * 2014-03-31 2014-07-09 上海动联信息技术股份有限公司 Multi-task seed scattering method based on time type dynamic passwords
CN105391553A (en) * 2015-10-15 2016-03-09 上海动联信息技术股份有限公司 Method for generating challenge-response dynamic password based on sum-contained challenge factor
CN112087438A (en) * 2020-08-28 2020-12-15 上海军睿信息技术有限公司 Otp algorithm-based anti-replay attack authentication method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101110113A (en) * 2007-08-10 2008-01-23 魏恺言 Multi-use safety device for computing electronic payment code and its generating method
CN101777158A (en) * 2010-01-13 2010-07-14 北京飞天诚信科技有限公司 Method and system for secure transaction
CN103220145A (en) * 2013-04-03 2013-07-24 天地融科技股份有限公司 Method and system for electronic signature token to respond to operation request, and electronic signature token
CN103220148A (en) * 2013-04-03 2013-07-24 天地融科技股份有限公司 Method and system for electronic signature token to respond operation request, and electronic signature token



Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20140604)