CN104243158A - Authentication method, communication system, device and server - Google Patents


Info

Publication number: CN104243158A
Authority: CN (China)
Prior art keywords: mentioned, password, equipment, server, authentication
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN201410265308.9A
Other languages: Chinese (zh)
Inventors: 张毅波, 竹原清隆, 本间义久
Current assignee: Panasonic Intellectual Property Management Co Ltd
Original assignee: Matsushita Electric Industrial Co Ltd
Application filed by: Matsushita Electric Industrial Co Ltd
Publication: CN104243158A

Landscapes

  • Computer And Data Communications (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Disclosed are an authentication method, a communication system, a device and a server. The device sends an update parameter, first password identification information and second password identification information. The first password identification information corresponds to the first password before the update, and the second password identification information corresponds to the first password after the update. The server determines that authentication has succeeded if the received first password identification information matches the first password identification information stored in the server. In that case the server updates its first password identification information to the second password identification information, and then updates the second password based on the second password and the update parameter. When the server has determined that authentication succeeded, the device updates its first password identification information to the second password identification information, and then updates the first password based on the first password and the update parameter.

Description

Authentication method, communication system, device and server
Technical field
The present invention relates to an authentication method, a communication system, a device and a server used for authentication between a device and a server.
Background technology
Conventionally, it is known that a server authenticates a device when the device and the server communicate. In this case, an authentication request containing authentication information such as a user ID and a password is sent from the device to the server. Known ways of sending the authentication information are to send it in plaintext (unencrypted) and to send it after hashing it.
However, in the method that sends the authentication information in plaintext, the authentication information is easily stolen by a third party's device. Moreover, even in the method that sends the authentication information after hashing, a third party's device that has stolen the hashed authentication information can impersonate the legitimate device. That is, a malicious third party's device can illegitimately obtain the authentication information and act while impersonating a legitimate device.
As a technique addressing this problem, communication using a one-time password is known (see, for example, Japanese Unexamined Patent Publication No. 2008-204250, hereinafter "Document 1").
However, the conventional technique has the following problem: as described above, even if the authentication information is hashed, impersonation is still possible if the hashed authentication information is stolen, so the system remains exposed to malicious attack.
Even the authentication method described in Document 1 has the following problem: if the one-time password is stolen by a third party while it is being sent from the authentication server to the mobile phone, the third party can impersonate the user and make a login request.
Summary of the invention
The present invention was made in view of the above problems, and its object is to provide an authentication method, a communication system, a device and a server that remain protected against malicious attacks such as impersonation even if information related to the authentication is stolen.
The authentication method of the present invention is used in a communication system in which a device storing a first password communicates with a server storing a second password, the second password matching the first password, and is characterized by the following steps: a first step in which the device sends to the server an update parameter, first password identification information and second password identification information, the update parameter being used to update the pair of the first password and the second password, the first password identification information corresponding to the first password before the update, and the second password identification information corresponding to the first password after the update; a second step in which the server compares the first password identification information received from the device with the first password identification information stored in the server, and determines that authentication has succeeded when the two items of first password identification information match; a third step in which, when the server has determined in the second step that authentication has succeeded, the server sends an authentication-success response to the device; a fourth step in which, when the server has determined in the second step that authentication has succeeded, the server updates the first password identification information stored in the server to the second password identification information received from the device, generates a new password based on the second password and the update parameter, and updates the second password to this new password; and a fifth step in which, on receiving the authentication-success response from the server, the device updates the first password identification information stored in the device to the second password identification information, generates a new password based on the first password and the update parameter, and updates the first password to this new password; wherein the first to fifth steps are executed when the device makes a connection request to the server.
The communication system of the present invention comprises a device storing a first password and a server storing a second password matching the first password, and performs authentication between the device and the server, and updates the pair of the first password and the second password, when the device makes a connection request to the server. The communication system is characterized in that the server comprises: a reception unit that receives from the device an update parameter, first password identification information and second password identification information, the update parameter being used to update the pair of the first password and the second password, the first password identification information corresponding to the first password before the update, and the second password identification information corresponding to the first password after the update; a comparison unit that compares the first password identification information received by the reception unit from the device with the first password identification information stored in the server; a determination unit that determines that authentication has succeeded when the two items of first password identification information match; a transmission unit that sends an authentication-success response to the device when the determination unit has determined that authentication succeeded; and an update unit that, when the determination unit has determined that authentication succeeded, updates the first password identification information stored in the server to the second password identification information received from the device, generates a new password based on the second password and the update parameter, and updates the second password to this new password; and in that the device, on receiving the authentication-success response from the server, updates the first password identification information stored in the device to the second password identification information, generates a new password based on the first password and the update parameter, and updates the first password to this new password.
The device of the present invention is characterized in that it is used in the above communication system and manages a plurality of electrical loads.
The server of the present invention is characterized in that it is used in the above communication system.
According to the present invention, the pair of the first password and the second password can be updated to the same password whenever the device makes a connection request to the server, so even if information related to the authentication is stolen, the system is protected against malicious attacks such as impersonation.
Further, according to the present invention, the update parameter, the first password identification information and the second password identification information are renewed at every connection request, so the device and the server can update their passwords synchronously.
Brief description of the drawings
Preferred embodiments of the present invention are described in more detail below. Other features and advantages of the present invention can be understood from the following detailed description taken together with the accompanying drawings.
Fig. 1 is a sequence diagram of the authentication method according to the embodiment.
Fig. 2 is a schematic diagram of the communication system according to the embodiment.
Fig. 3 is a block diagram of the structure of the server according to the embodiment.
Fig. 4 is a block diagram of the structure of the device according to the embodiment.
Fig. 5 shows the registration information registered in the device according to the embodiment.
Fig. 6 shows the registration information registered in the server according to the embodiment.
Fig. 7 is a sequence diagram of the authentication method according to the embodiment.
Fig. 8 is a sequence diagram of a first example of the authentication method according to the embodiment.
Fig. 9 is a sequence diagram of a second example of the authentication method according to the embodiment.
Fig. 10 is a sequence diagram of a third example of the authentication method according to the embodiment.
Fig. 11 is a schematic diagram of a modification of the communication system according to the embodiment.
Fig. 12 shows the registration information registered in a modification of the server according to the embodiment.
Embodiment
The authentication method and the communication system according to the embodiment are described in detail below with reference to the drawings.
As shown in Fig. 2, the communication system 1 according to the present embodiment comprises a server 3 and a plurality of devices 2 (two in the illustrated example). Each device 2 is installed in a household 4 and is, for example, a HEMS (Home Energy Management System) device that manages the state of a plurality of electrical loads (not shown) in the household 4 and the amount of power used in the household 4. The device 2 communicates with the server 3 via a router 5 in the household 4 and a network 6, using for example HTTP (Hypertext Transfer Protocol) or FTP (File Transfer Protocol). The server 3 is installed at, for example, the management company of the devices 2, and exchanges information with the plurality of devices 2 installed in the plurality of households 4. The server 3 authenticates the device 2 when a communication session is established.
As shown in Fig. 4, the device 2 comprises a storage unit 21, a generation unit 22, a transmission unit 23, a reception unit 24 and an update unit 25. The device 2 is, for example, a computer (including a microcomputer) whose main components are a CPU (Central Processing Unit) and memory. The device 2 performs various processes by executing various programs, which are stored in the storage unit 21.
As shown in Fig. 5, the storage unit 21 stores a user ID (household ID, "household_ID" in Fig. 5), a server ID ("server1_ID" in Fig. 5) and the first password ("PW" in Fig. 5). The user ID is assigned to identify the household 4 in which the device 2 is installed, that is, the user of the device 2. In the initial state, in which the device 2 has never made a connection request to the server 3, the storage unit 21 stores an initial password as the first password; thereafter it stores the latest password as the first password. The storage unit 21 also stores the password identification information ("PW_PI" in Fig. 5) generated when the device 2 makes a connection request to the server 3. The password identification information is, for example, a sequence number or a timestamp. The password identification information at the first authentication is "0". "Password identification information" is the general term for the first password identification information and the second password identification information described later. The storage unit 21 also stores other information as needed.
The generation unit 22 shown in Fig. 4 generates the update parameter. The update parameter is used to update the pair of the first password and the second password (described later). The generation unit 22 uses, for example, a randomly generated numerical value as the update parameter.
The transmission unit 23 makes a connection request to the server 3. Thereafter, when the reception unit 24 receives from the server 3 a connection response containing challenge information, the transmission unit 23 sends to the server 3 first authentication information, the device ID, the update parameter generated by the generation unit 22, the first password identification information and the second password identification information. Sending the device ID is not mandatory. Note that at this point the updated first password has not yet been generated. The transmission unit 23 also sends other information to the server 3 as needed.
The challenge information contains, among other things, information that determines the authentication method. The authentication methods include a method that sends the user ID and the first password in plaintext as the first authentication information, and a method that sends a hash of the user ID and the first password as the first authentication information.
The first password identification information is assigned in correspondence with the first password before the update; that is, it is the identification information generated by the device 2 at the previous authentication. The second password identification information is assigned in correspondence with the first password after the update; that is, it is the identification information generated by the device 2 after making the current connection request and before making the current authentication request.
The first authentication information is information based on the user ID and the first password. The device ID is assigned to identify the device 2. The first authentication information may alternatively be information based only on the user ID.
When the authentication method indicated by the challenge information is the method that sends the user ID and the first password in plaintext, the transmission unit 23 sends the user ID and the first password as-is to the server 3 as the first authentication information. When the authentication method is the method that sends the user ID and the first password after hashing, the transmission unit 23 sends to the server 3, as the first authentication information, a first hash value obtained by hashing the user ID and the first password with a prescribed hash algorithm.
The reception unit 24 receives an authentication-success response and an authentication-failure response from the server 3. The reception unit 24 also receives other information from the server 3 as needed.
When the reception unit 24 receives the authentication-success response from the server 3, the update unit 25 updates the first password identification information stored in the device 2 to the second password identification information. That is, the device 2 uses the password identification information stored after the update (the second password identification information) as the first password identification information at the next authentication. The update unit 25 also generates a new password based on the first password and the update parameter using a prescribed generation algorithm, and updates the first password to this new password. The updated first password is used at the next authentication; that is, the device 2 uses the updated password (the new password) as the first password at the next authentication. The prescribed generation algorithm is shared in advance between the device 2 and the server 3. The update unit 25 may alternatively generate the new password based on the first password, the update parameter and the second password identification information, or based on the first password, the update parameter and the user ID, and update the first password to that new password.
When the reception unit 24 receives the authentication-failure response from the server 3, the update unit 25 does not update the first password identification information or the first password.
As shown in Fig. 3, the server 3 comprises a storage unit 31, a reception unit 32, a comparison unit 33, a determination unit 34, a transmission unit 35 and an update unit 36. The server 3 is, for example, a computer (including a microcomputer) whose main components are a CPU and memory. The server 3 performs various processes by executing various programs, which are stored in the storage unit 31.
As shown in Fig. 6, the storage unit 31 stores, for each device 2 (household 4), a user ID (household ID, "household1_ID" and "household2_ID" in Fig. 6), a device ID ("device1_ID" in Fig. 6) and the second password ("device1_PW" in Fig. 6). In the initial state, in which the device 2 has never made a connection request to the server 3, the storage unit 31 stores an initial password as the second password; thereafter it stores the latest password as the second password. The storage unit 31 also stores, for each device 2 (household 4), the first password identification information ("device1_PW_PI" in Fig. 6) obtained from the device 2. The storage unit 31 also stores other information as needed.
The reception unit 32 shown in Fig. 3 receives from the device 2 the update parameter used to update the pair of the first password and the second password, the first password identification information corresponding to the first password before the update, and the second password identification information corresponding to the first password after the update. The reception unit 32 also receives other information from the device 2 as needed.
The comparison unit 33 compares the first password identification information received by the reception unit 32 from the device 2 with the first password identification information stored in the storage unit 31.
The comparison unit 33 also compares the first authentication information received by the reception unit 32 from the device 2 with second authentication information stored in the storage unit 31.
The second authentication information is information based on the user ID and the second password. The second authentication information may alternatively be information based only on the user ID.
When the first authentication information is the first hash value, the comparison unit 33 compares the first hash value received by the reception unit 32 from the device 2 with a second hash value. The second hash value is the value obtained by hashing the user ID and the second password with the prescribed hash algorithm. That is, in the present embodiment the device 2 and the server 3 use the same hash algorithm.
At the first authentication, the comparison unit 33 compares only the first authentication information with the second authentication information.
The determination unit 34 determines that authentication has succeeded when the two items of first password identification information (the first password identification information received by the reception unit 32 from the device 2, and the first password identification information stored in the storage unit 31) match and the first authentication information matches the second authentication information. Conversely, when at least one of the comparison of the two items of first password identification information and the comparison of the first authentication information with the second authentication information fails, the determination unit 34 determines that authentication has failed.
When the determination unit 34 determines that authentication succeeded, the transmission unit 35 sends an authentication-success response to the device 2. When the determination unit 34 determines that authentication failed, the transmission unit 35 sends an authentication-failure response to the device 2. The transmission unit 35 also sends other information to the device 2 as needed.
When the determination unit 34 determines that authentication succeeded, the update unit 36 updates the first password identification information stored in the storage unit 31 to the second password identification information received by the reception unit 32 from the device 2. That is, the server 3 uses the password identification information stored after the update (the second password identification information) as the first password identification information at the next authentication. The update unit 36 also generates a new password based on the second password and the update parameter using the same generation algorithm as the update unit 25 of the device 2, and updates the second password to this new password. The updated second password is used at the next authentication; that is, the server 3 uses the updated password (the new password) as the second password at the next authentication. The prescribed generation algorithm is shared in advance between the device 2 and the server 3. The update unit 36 may alternatively generate the new password based on the second password, the update parameter and the second password identification information, or based on the second password, the update parameter and the user ID, and update the second password to that new password.
When the determination unit 34 determines that authentication failed, the update unit 36 does not update the first password identification information or the second password. Likewise, when the server 3 confirms that sending the authentication-success response to the device 2 has failed, the update unit 36 does not update the first password identification information or the second password.
Next, the authentication method according to the present embodiment is described using Fig. 1.
First, the device 2 makes a connection request to the server 3 (S1). On receiving the connection request from the device 2, the server 3 sends a connection response containing challenge information to the device 2 (S2).
On receiving the connection response from the server 3, the device 2 generates the update parameter and the second password identification information (S3).
The device 2 then sends an authentication request (the first authentication information, the device ID, the update parameter, the first password identification information ("PI1" in Fig. 1) and the second password identification information ("PI2" in Fig. 1)) to the server 3 (S4). The first authentication information is information based on the user ID and the first password.
The server 3 compares the first authentication information received from the device 2 with the second authentication information, and compares the first password identification information received from the device 2 with the first password identification information stored in the server 3 (S5). The server 3 determines that authentication has succeeded when the two items of first password identification information match and the first authentication information matches the second authentication information. Conversely, when the two items of first password identification information do not match, or the first authentication information does not match the second authentication information, the server 3 determines that authentication has failed.
When the server 3 determines in step S5 that authentication succeeded, it sends an authentication-success response to the device 2 (S6). When it determines in step S5 that authentication failed, the server 3 sends an authentication-failure response to the device 2.
Further, when the server 3 determines in step S5 that authentication succeeded, it updates the first password identification information stored in the server 3 to the second password identification information received from the device 2 (S7). The server 3 then generates a new password based on the second password and the update parameter, and updates the second password to this new password (S8). When it determines that authentication failed, the server 3 does not perform steps S7 and S8.
On receiving the authentication-success response from the server 3, the device 2 updates the first password identification information stored in the device 2 to the second password identification information (S9). The device 2 then generates a new password based on the first password and the update parameter, and updates the first password to this new password (S10). On receiving the authentication-failure response from the server 3, the device 2 does not perform steps S9 and S10.
Next, the case in which the authentication request is stolen by a malicious third party (a third party's device) 7 is described using Fig. 7. First, the third party 7 steals the authentication request of the device 2 and, impersonating the device 2, sends an authentication request (user ID, password, device ID, update parameter, first password identification information, second password identification information) to the server 3 (S11, S12). Even if the third party 7 uses the stolen information as-is, the server 3 has already updated the second password (step S8), while the password from the third party 7 is the previous first password, so the password from the third party 7 does not match the second password. Moreover, even if the third party 7 generates passwords arbitrarily, the generation algorithm has not been stolen by the third party 7, so the password from the third party 7 does not match the second password.
Thus, even if the third party 7 has stolen the authentication request, the server 3 determines that authentication has failed, so impersonation by the third party 7 at authentication can be prevented. As a result, unauthorized access by the third party 7 to the server 3 can be reduced.
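The following is an added worked example, not code from the patent or from Panasonic, that models the exchange of steps S1 to S10 above between a device and a server, and then feeds the captured authentication request back to the server to show why the replay of steps S11 and S12 is rejected. It also covers both forms of the first authentication information described in this specification: plaintext user ID and password, and a hash of the two. The patent specifies neither the prescribed generation algorithm nor the hash algorithm, so HMAC-SHA256 keyed by the previous password and SHA-256 are assumptions, as are the identifiers `household1_ID`, `device1_ID`, the initial password and the sequence-number form of the password identification information.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample identities (assumptions, not values from the patent).
USER_ID = "household1_ID"
DEVICE_ID = "device1_ID"
INITIAL_PW = "initial-password"   # password both sides hold before the first connection request


def derive_new_password(password: str, update_param: str) -> str:
    """The 'prescribed generation algorithm' shared by device and server (S8/S10).
    The patent does not fix it; HMAC-SHA256 keyed by the old password is an assumption."""
    return hmac.new(password.encode(), update_param.encode(), hashlib.sha256).hexdigest()


def auth_info(user_id: str, password: str, method: str) -> str:
    """First/second authentication information: plaintext (Basic) or hashed (Digest)."""
    plain = f"{user_id}:{password}"
    if method == "plain":
        return plain
    return hashlib.sha256(plain.encode()).hexdigest()   # the "first/second hash value"


@dataclass
class Device:
    user_id: str
    device_id: str
    password: str            # first password
    pw_pi: str = "0"         # password identification info; "0" before the first authentication
    seq: int = 0             # counter used to generate the next identification info (assumed form)
    pending: dict = field(default_factory=dict)

    def authentication_request(self, challenge: dict) -> dict:
        # S3: generate the update parameter and the second identification info (PI2)
        self.seq += 1
        self.pending = {"param": secrets.token_hex(16), "pi2": str(self.seq)}
        # S4: send auth info, device id, update parameter, PI1 and PI2
        return {
            "device_id": self.device_id,
            "auth": auth_info(self.user_id, self.password, challenge["method"]),
            "update_param": self.pending["param"],
            "pi1": self.pw_pi,
            "pi2": self.pending["pi2"],
        }

    def on_response(self, success: bool) -> None:
        # S9/S10: roll state only on an authentication-success response
        if success:
            self.pw_pi = self.pending["pi2"]
            self.password = derive_new_password(self.password, self.pending["param"])
        self.pending = {}


@dataclass
class Server:
    method: str                                   # "plain" or "hash", carried in the challenge
    records: dict = field(default_factory=dict)   # device_id -> {user_id, password, pw_pi}

    def connection_response(self) -> dict:
        return {"method": self.method}            # S2: challenge information

    def authenticate(self, req: dict) -> bool:
        rec = self.records.get(req["device_id"])
        if rec is None:
            return False
        # S5: compare auth info against the second password, and PI1 against the stored PI.
        # Both sides start at PI "0", so the first round compares too.
        expected = auth_info(rec["user_id"], rec["password"], self.method)
        auth_ok = hmac.compare_digest(req["auth"], expected)
        pi_ok = hmac.compare_digest(req["pi1"], rec["pw_pi"])
        if not (auth_ok and pi_ok):
            return False                          # authentication failure: no state change
        # S7/S8: adopt PI2 and roll the second password with the shared algorithm
        rec["pw_pi"] = req["pi2"]
        rec["password"] = derive_new_password(rec["password"], req["update_param"])
        return True


def run_session(device: Device, server: Server) -> tuple:
    """One connection request (S1-S10). Returns (success, the request as sent on the wire)."""
    challenge = server.connection_response()
    req = device.authentication_request(challenge)
    ok = server.authenticate(req)
    device.on_response(ok)
    return ok, req


def in_sync(device: Device, server: Server) -> bool:
    rec = server.records[device.device_id]
    return device.password == rec["password"] and device.pw_pi == rec["pw_pi"]


def make_pair(method: str = "hash") -> tuple:
    device = Device(USER_ID, DEVICE_ID, INITIAL_PW)
    server = Server(method, {DEVICE_ID: {"user_id": USER_ID, "password": INITIAL_PW, "pw_pi": "0"}})
    return device, server


if __name__ == "__main__":
    dev, srv = make_pair("hash")
    ok, captured = run_session(dev, srv)          # legitimate round: state rolls on both sides
    print("round 1 accepted:", ok, "in sync:", in_sync(dev, srv))
    # S11/S12: the same request presented again carries the old password and the old PI1
    print("replay accepted:", srv.authenticate(captured))
```

The replayed request fails on both checks at once: its authentication information was built from the password that step S8 has already replaced, and its PI1 is the value that step S7 replaced with PI2. Because a failed authentication changes no server state, the legitimate device stays synchronized and its next connection request still succeeds.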
Next, examples of the authentication method according to the present embodiment are described using Figs. 8 to 10. First, as a first example, the case where the authentication method of the present embodiment is used in HTTP Basic authentication (Basic Authentication) is described using Fig. 8.
First, device 2 sends a request to server 3 (S21). When server 3 receives the request from device 2, it sends a response to device 2 (S22).
When device 2 receives the response from server 3, it generates an update parameter and second password identification information (S23).
Device 2 then sends a request to server 3 containing the first authentication information, the device ID, the update parameter, the first password identification information ("PI1" in Fig. 8) and the second password identification information ("PI2" in Fig. 8) (S24). The first authentication information is the user ID and the first password ("password" in Fig. 8) in plaintext.
Server 3 compares the first authentication information received from device 2 with the second authentication information, and compares the first password identification information received from device 2 with the first password identification information stored in server 3 (S25). Server 3 then judges that authentication has succeeded when the two pieces of first password identification information are consistent and the first authentication information is consistent with the second authentication information. On the other hand, when the two pieces of first password identification information are inconsistent, or the first authentication information and the second authentication information are inconsistent, server 3 judges that authentication has failed.
Server 3 sends a response (authentication success or authentication failure) corresponding to the judgment result of step S25 to device 2 (S26).
When server 3 judges in step S25 that authentication has succeeded, it updates the first password identification information stored in server 3 to the second password identification information (S27). Further, server 3 generates a new password based on the second password and the update parameter, and updates the second password to this new password (S28). On the other hand, when it judges that authentication has failed, server 3 does not perform steps S27 and S28.
When device 2 receives the authentication-success response from server 3, it updates the first password identification information stored in device 2 to the second password identification information (S29). Further, device 2 generates a new password based on the first password and the update parameter, and updates the first password to this new password (S30). On the other hand, when it receives an authentication-failure response from server 3, device 2 does not perform steps S29 and S30.
Next, as a second example, the case where the authentication method of the present embodiment is used in HTTP Digest authentication (digest authentication) is described using Fig. 9.
First, in the same manner as steps S21 to S23 of Basic authentication, device 2 sends a request to server 3, server 3 sends a response to device 2, and device 2 generates an update parameter and second password identification information (S41 to S43).
Device 2 then sends to server 3 a first hash value (the first authentication information) obtained by hashing the user ID and the first password ("password" in Fig. 9), the device ID, the update parameter, the first password identification information ("PI1" in Fig. 9) and the second password identification information ("PI2" in Fig. 9) (S44).
Server 3 compares the first hash value received from device 2 with a second hash value, and compares the first password identification information received from device 2 with the first password identification information stored in server 3 (S45). Server 3 then judges that authentication has succeeded when the two pieces of first password identification information are consistent and the first hash value is consistent with the second hash value. On the other hand, when the two pieces of first password identification information are inconsistent, or the first hash value and the second hash value are inconsistent, server 3 judges that authentication has failed.
Server 3, in the same manner as step S26 of Basic authentication, sends a response (authentication success or authentication failure) corresponding to the judgment result to device 2 (S46).
In the same manner as steps S27 and S28 of Basic authentication, when server 3 judges that authentication has succeeded, it updates the first password identification information to the second password identification information (S47) and updates the second password to a new password (S48). On the other hand, when it judges that authentication has failed, server 3 does not perform steps S47 and S48.
In the same manner as steps S29 and S30 of Basic authentication, when device 2 receives the authentication-success response from server 3, it updates the first password identification information to the second password identification information (S49) and updates the first password to the new password (S50). On the other hand, when it receives an authentication-failure response from server 3, device 2 does not perform steps S49 and S50.
Next, as a third example, the case where the authentication method of the present embodiment is used in FTP password authentication is described using Fig. 10.
First, device 2 sends a request to server 3 (S61). When server 3 receives the request from device 2, it sends a USER command containing the user ID to device 2 (S62).
When device 2 receives the USER command from server 3, it generates an update parameter and second password identification information (S63).
Device 2 then sends a PASS command to server 3 containing the first password ("password" in Fig. 10), the device ID, the update parameter, the first password identification information ("PI1" in Fig. 10) and the second password identification information ("PI2" in Fig. 10) (S64).
Server 3 compares the first password received from device 2 with the second password, and compares the first password identification information received from device 2 with the first password identification information stored in server 3 (S65). Server 3 then judges that authentication has succeeded when the two pieces of first password identification information are consistent and the first password is consistent with the second password. On the other hand, when the two pieces of first password identification information are inconsistent, or the first password and the second password are inconsistent, server 3 judges that authentication has failed.
Server 3 sends a response (authentication success or authentication failure) corresponding to the judgment result of step S65 to device 2 (S66).
When server 3 judges in step S65 that authentication has succeeded, it updates the first password identification information stored in server 3 to the second password identification information (S67). Further, server 3 generates a new password based on the second password and the update parameter, and updates the second password to this new password (S68). On the other hand, when it judges that authentication has failed, server 3 does not perform steps S67 and S68.
When device 2 receives the authentication-success response from server 3, it updates the first password identification information stored in device 2 to the second password identification information (S69). Further, device 2 generates a new password based on the first password and the update parameter, and updates the first password to this new password (S70). On the other hand, when it receives an authentication-failure response from server 3, device 2 does not perform steps S69 and S70.
The authentication method according to the present embodiment described above is used in a communication system 1 in which communication is performed between a device 2 storing a first password and a server 3 storing a second password consistent with the first password. The authentication method according to the present embodiment has a first step to a fifth step. In the first step, device 2 sends an update parameter, first password identification information and second password identification information to server 3. The update parameter is used for updating the pair of the first password and the second password. The first password identification information corresponds to the first password before the update. The second password identification information corresponds to the first password after the update. In the second step, server 3 compares the first password identification information received from device 2 with the first password identification information stored in server 3, and judges that authentication has succeeded when the two pieces of first password identification information are consistent. In the third step, when server 3 has judged in the second step that authentication succeeded, it sends an authentication-success response to device 2. In the fourth step, when server 3 has judged in the second step that authentication succeeded, it updates the first password identification information stored in server 3 to the second password identification information received from device 2, generates a new password based on the second password and the update parameter, and updates the second password to this new password. In the fifth step, when device 2 receives the authentication-success response from server 3, it updates the first password identification information stored in device 2 to the second password identification information, generates a new password based on the first password and the update parameter, and updates the first password to this new password. The authentication method according to the present embodiment executes the first step to the fifth step when device 2 makes a connection request to server 3.
According to this authentication method, the pair of the first password and the second password can be updated to the same password whenever device 2 makes a connection request to server 3, so even if a password is stolen, malicious attacks such as impersonation can be prevented.
In addition, according to this authentication method, the update parameter, the first password identification information and the second password identification information are renewed at every connection request, so the password can be updated synchronously in device 2 and server 3.
Further, according to this authentication method, once device 2 has authenticated with (connected to) server 3, there is no problem even if the initial password has leaked. In addition, there is no need for the user to update the password manually at regular intervals.
Preferably, in the authentication method according to the present embodiment, the first step and the second step are as follows. In the first step, device 2 sends first authentication information based on the first password to server 3 together with the update parameter, the first password identification information and the second password identification information. In the second step, server 3 compares the first authentication information received from device 2 with second authentication information based on the second password stored in server 3, and judges that authentication has succeeded when the two pieces of first password identification information are consistent and the first authentication information is consistent with the second authentication information.
Preferably, in the authentication method according to the present embodiment, the first step and the second step are as follows. In the first step, device 2 sends first authentication information based on the user ID stored in device 2 to server 3 together with the update parameter, the first password identification information and the second password identification information, where the user ID is assigned in order to identify the user of device 2. In the second step, server 3 compares the first authentication information received from device 2 with second authentication information based on the user ID stored in server 3, and judges that authentication has succeeded when the two pieces of first password identification information are consistent and the first authentication information is consistent with the second authentication information.
Preferably, in the authentication method according to the present embodiment, the second step, the third step and the fifth step are as follows. In the second step, server 3 judges that authentication has failed when the two pieces of first password identification information are inconsistent and/or the first authentication information and the second authentication information are inconsistent. In the third step, server 3 sends an authentication-failure response to device 2. In the fifth step, when device 2 receives the authentication-failure response from server 3, it does not perform the process of updating the first password identification information and the first password.
In this authentication method, when server 3 judges that authentication has failed, device 2 does not perform the process of updating the first password identification information and the first password. Thus, the authentication method of the present embodiment can prevent a situation in which only device 2 updates the password.
Preferably, in the authentication method according to the present embodiment, in the fourth step, when server 3 confirms that transmission of the authentication-success response to device 2 has failed, it does not perform the process of updating the first password identification information and the second password.
In this authentication method, when transmission of the authentication-success response fails, server 3 does not update the password. Thus, the authentication method of the present embodiment can prevent a situation in which only server 3 updates the password.
Preferably, in the authentication method according to the present embodiment, the first step and the second step are as follows. In the first step, device 2 sends to server 3, as the first authentication information, a first hash value obtained by hashing the user ID and the first password with a prescribed hash algorithm. In the second step, server 3 compares the first hash value received from device 2 with a second hash value obtained by hashing the user ID and the second password stored in server 3 with the prescribed hash algorithm, and judges that authentication has succeeded when the two pieces of first password identification information are consistent and the first hash value is consistent with the second hash value.
In this authentication method, a hash value of the user ID and the password (first password) is used throughout from device 2 to server 3. This makes it possible to prevent a third party from stealing the information sent from device 2 to server 3, and the user ID and password.
Preferably, in the authentication method according to the present embodiment, the first step and the second step are as follows. In the first step, device 2 sends the device ID assigned in order to identify device 2 together with the update parameter, the first password identification information, the second password identification information and the first authentication information. In the second step, server 3 compares the device ID received from device 2 with the device ID stored in server 3, and judges that authentication has succeeded when the two pieces of first password identification information are consistent, the first authentication information is consistent with the second authentication information, and the two device IDs are consistent.
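The flows of Figs. 8 to 10 and the preferred variants just described (authentication information sent in plaintext or as a hash of user ID and password, the device-ID check, no update on authentication failure, and no server-side update when the success response is not delivered), as an added Python simulation that is not part of the patent or of any product implementing it. The names `Device`, `Server`, `run_round`, the HMAC-SHA256 derivation of the new password and the random label used as password identification information are assumptions of this example; the patent leaves those details open.

```python
import hashlib
import hmac
import secrets

# Added example (not the patent's code) simulating the exchanges of Figs. 8 to 10.
# The password derivation and the form of the password identification information
# are assumptions; the patent only requires that the new password be generated
# from the old password and the update parameter.


def derive_password(password, update_param):
    """Assumption: new password = HMAC-SHA256(key=update parameter, old password)."""
    return hmac.new(update_param, password.encode(), hashlib.sha256).hexdigest()


def digest_auth_info(user_id, password):
    """Digest-style authentication information (Fig. 9): hash of user ID and password."""
    return hashlib.sha256(f"{user_id}:{password}".encode()).hexdigest()


def same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time comparison


class Device:
    """Device 2: holds the first password and its identification information (PI1)."""

    def __init__(self, device_id, user_id, password, pi):
        self.device_id, self.user_id, self.password, self.pi = device_id, user_id, password, pi
        self.update_param = self.pi2 = None

    def build_request(self, mode):
        # S23: a fresh update parameter and a new identifier PI2 for every request
        self.update_param = secrets.token_bytes(16)
        self.pi2 = secrets.token_hex(8)  # assumption: PI is a random label
        auth = self.password if mode == "basic" else digest_auth_info(self.user_id, self.password)
        # S24: the request carries the credential, device ID, update parameter, PI1 and PI2
        return {"device_id": self.device_id, "auth": auth, "update_param": self.update_param,
                "pi1": self.pi, "pi2": self.pi2}

    def on_response(self, success):
        # S29-S30: the device rotates only on an authentication-success response
        if success:
            self.pi = self.pi2
            self.password = derive_password(self.password, self.update_param)


class Server:
    """Server 3: stores the second password and PI of each registered device."""

    def __init__(self, registrations):
        self.records = registrations  # device_id -> {"user_id", "password", "pi"}

    def handle(self, req, mode, deliver):
        rec = self.records.get(req["device_id"])
        if rec is None:
            return False, deliver(False)
        expected = rec["password"] if mode == "basic" else digest_auth_info(rec["user_id"], rec["password"])
        # S25: both the stored PI1 and the credential must match
        success = same(req["pi1"], rec["pi"]) and same(req["auth"], expected)
        delivered = deliver(success)  # S26; deliver() reports whether the response arrived
        # S27-S28: rotate only after the success response was actually delivered
        if success and delivered:
            rec["pi"] = req["pi2"]
            rec["password"] = derive_password(rec["password"], req["update_param"])
        return success, delivered


def run_round(device, server, mode="basic", deliver=lambda ok: True, request=None):
    """One connection request; returns the server's verdict. `deliver` simulates the
    response transport, `request` replays a previously captured request."""
    req = device.build_request(mode) if request is None else request
    success, delivered = server.handle(req, mode, deliver)
    if delivered:
        device.on_response(success)
    return success


def in_sync(device, server):
    rec = server.records[device.device_id]
    return device.password == rec["password"] and device.pi == rec["pi"]


def demo():
    """Constructed scenario: both sides start with password 'initial-pw' and PI 'pi-0'."""
    dev = Device("dev-1", "user-a", "initial-pw", "pi-0")
    srv = Server({"dev-1": {"user_id": "user-a", "password": "initial-pw", "pi": "pi-0"}})
    r = {"basic_ok": run_round(dev, srv, "basic") and in_sync(dev, srv) and dev.password != "initial-pw"}
    r["digest_ok"] = run_round(dev, srv, "digest") and in_sync(dev, srv)
    # Success response lost in transit: the server sees the send fail, so neither side rotates
    before = dev.password
    r["lost_verdict"] = run_round(dev, srv, "basic", deliver=lambda ok: False)
    r["still_in_sync"] = in_sync(dev, srv) and dev.password == before
    # A request captured now is stale after the next legitimate round (old PI1 and password),
    # so the server rejects it and both sides keep their current state
    captured = dev.build_request("basic")
    run_round(dev, srv, "basic")
    r["replay_rejected"] = not run_round(dev, srv, "basic", request=captured)
    r["sync_after_replay"] = in_sync(dev, srv)
    return r
```

Calling `demo()` runs one Basic round, one Digest round, a round whose success response is lost, and a later replay of a captured request. The `deliver` callback stands in for the transport of step S26: the server rotates its record only when the callback reports delivery, which is what keeps the pair of passwords consistent after a lost response, and the captured request is rejected because its PI1 and password no longer match the server's stored record.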
The communication system 1 according to the present embodiment comprises a device 2 storing a first password and a server 3 storing a second password consistent with the first password. Communication system 1 performs authentication between device 2 and server 3 when device 2 makes a connection request to server 3, updates the pair of the first password and the second password, and communicates. Server 3 comprises a receiving unit 32, a comparison unit 33, a judgment unit 34, a transmitting unit 35 and an update unit 36. Receiving unit 32 receives an update parameter, first password identification information and second password identification information from device 2. The update parameter is used for updating the pair of the first password and the second password. The first password identification information corresponds to the first password before the update. The second password identification information corresponds to the first password after the update. Comparison unit 33 compares the first password identification information that receiving unit 32 received from device 2 with the first password identification information stored in server 3. Judgment unit 34 judges that authentication has succeeded when the two pieces of first password identification information are consistent. When judgment unit 34 judges that authentication has succeeded, transmitting unit 35 sends an authentication-success response to device 2. When judgment unit 34 judges that authentication has succeeded, update unit 36 updates the first password identification information stored in server 3 to the second password identification information received from device 2. Further, in this case, update unit 36 generates a new password based on the second password and the update parameter, and updates the second password to this new password. When device 2 receives the authentication-success response from server 3, it updates the first password identification information stored in device 2 to the second password identification information. Further, in this case, device 2 generates a new password based on the first password and the update parameter, and updates the first password to this new password.
The device 2 according to the present embodiment is used in communication system 1 and manages a plurality of electrical loads.
The server 3 according to the present embodiment is used in communication system 1.
In addition, as a variation of the communication system 1 according to the present embodiment, a plurality of devices 2 may be installed at each household 4, as shown in Fig. 11. In this case, server 3 stores registration information such as that shown in Fig. 12 in storage unit 31. In the example of Fig. 12, a second password ("device n_PW" in Fig. 12, n = 1, 2, ...) is assigned to each device 2.
In addition, as a variation of the communication system 1 according to the present embodiment, the second password may be assigned per household 4. That is, the same second password is assigned to the plurality of devices 2 in a household 4.
In the authentication method of this case, the fourth step and the fifth step are preferably as follows. In the fourth step, when server 3 updates the first password identification information and the second password for some device 2, it simultaneously updates the first password identification information and the second password of all devices 2 to which the same user ID has been assigned. In the fifth step, each device 2 shares the updated first password identification information and first password with all other devices 2 to which the same user ID has been assigned.
In this authentication method, the plurality of devices 2 in a household 4 can be made to update the password synchronously and simultaneously.
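The household variation of Figs. 11 and 12, as an added Python example that is not part of the patent: all devices of one household 4 share one user ID and one second password, the server keeps a single record per user ID, and the devices share the updated first password and identification information through one credential object. `HouseholdServer`, `SharedCredential`, `connect` and the HMAC-SHA256 derivation of the new password are assumptions of this example, as is the per-household device list used for the device-ID check.

```python
import hashlib
import hmac
import secrets

# Added example (not the patent's code) for the variation in which every device
# of one household shares the same user ID and the same second password.


def next_password(password, update_param):
    return hmac.new(update_param, password.encode(), hashlib.sha256).hexdigest()  # assumption


class SharedCredential:
    """First password and PI held once per household and referenced by all its devices."""

    def __init__(self, password, pi):
        self.password, self.pi = password, pi


class HouseholdServer:
    """Server 3 keyed by user ID: one (password, PI) record covers all devices of a household."""

    def __init__(self, users):
        self.users = users  # user_id -> {"password", "pi", "devices": set of device IDs}

    def authenticate(self, user_id, device_id, password, pi1, pi2, update_param):
        rec = self.users.get(user_id)
        if rec is None or device_id not in rec["devices"]:
            return False
        ok = (hmac.compare_digest(pi1.encode(), rec["pi"].encode())
              and hmac.compare_digest(password.encode(), rec["password"].encode()))
        if ok:
            # 4th step: the record is shared, so every device with this user ID is updated at once
            rec["pi"], rec["password"] = pi2, next_password(rec["password"], update_param)
        return ok


def connect(server, user_id, device_id, cred):
    """One connection request from a household device using the shared credential."""
    update_param, pi2 = secrets.token_bytes(16), secrets.token_hex(8)
    ok = server.authenticate(user_id, device_id, cred.password, cred.pi, pi2, update_param)
    if ok:
        # 5th step: writing into the shared credential hands the update to the other devices
        cred.pi, cred.password = pi2, next_password(cred.password, update_param)
    return ok


def demo():
    """Constructed household 'home-4' with two devices sharing password 'house-pw' and PI 'pi-0'."""
    cred = SharedCredential("house-pw", "pi-0")
    srv = HouseholdServer({"home-4": {"password": "house-pw", "pi": "pi-0",
                                      "devices": {"lamp", "aircon"}}})
    stale = SharedCredential(cred.password, cred.pi)  # a private copy that never sees updates
    r = {"lamp": connect(srv, "home-4", "lamp", cred)}
    r["aircon_after_lamp"] = connect(srv, "home-4", "aircon", cred)
    r["stale_copy_rejected"] = not connect(srv, "home-4", "aircon", stale)
    rec = srv.users["home-4"]
    r["in_sync"] = cred.password == rec["password"] and cred.pi == rec["pi"]
    return r
```

`demo()` shows that after the lamp authenticates, the air conditioner can authenticate immediately with the shared credential, whereas a device holding a private, non-updated copy is rejected: without the sharing of the fifth step, the other devices of the household would fall out of step with the server's single record.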
Further, when device 2 communicates with a plurality of servers 3, device 2 may keep a first password for each server 3. Device 2 may also keep a first password for each application of a server 3.
The present invention has been described using several preferred embodiments, but those skilled in the art can make various modifications and variations without departing from the original spirit and scope of the present invention, namely the claims.

Claims (11)

1. An authentication method used in a communication system in which communication is performed between a device storing a first password and a server storing a second password, said second password being consistent with said first password, the authentication method being characterized by having the following steps:
a first step in which said device sends an update parameter, first password identification information and second password identification information to said server, the update parameter being used for updating the pair of said first password and said second password, the first password identification information corresponding to said first password before the update, and the second password identification information corresponding to said first password after the update;
a second step in which said server compares said first password identification information received from said device with said first password identification information stored in said server, and judges that authentication has succeeded when the two pieces of said first password identification information are consistent;
a third step in which said server, when it has judged in said second step that authentication succeeded, sends an authentication-success response to said device;
a fourth step in which said server, when it has judged in said second step that authentication succeeded, updates said first password identification information stored in said server to said second password identification information received from said device, generates a new password based on said second password and said update parameter, and updates said second password to this new password; and
a fifth step in which said device, when it receives said authentication-success response from said server, updates said first password identification information stored in said device to said second password identification information, generates a new password based on said first password and said update parameter, and updates said first password to this new password,
wherein said first step to said fifth step are executed when said device makes a connection request to said server.
2. The authentication method according to claim 1, characterized in that
in said first step, said device sends first authentication information based on said first password to said server together with said update parameter, said first password identification information and said second password identification information, and
in said second step, said server compares said first authentication information received from said device with second authentication information based on said second password stored in said server, and judges that authentication has succeeded when the two pieces of said first password identification information are consistent and said first authentication information is consistent with said second authentication information.
3. The authentication method according to claim 1, characterized in that
in said first step, said device sends first authentication information based on a user ID stored in said device to said server together with said update parameter, said first password identification information and said second password identification information, said user ID being assigned in order to identify the user of said device, and
in said second step, said server compares said first authentication information received from said device with second authentication information based on said user ID stored in said server, and judges that authentication has succeeded when the two pieces of said first password identification information are consistent and said first authentication information is consistent with said second authentication information.
4. The authentication method according to claim 3, characterized in that
in said second step, said server judges that authentication has failed when the two pieces of said first password identification information are inconsistent and/or said first authentication information and said second authentication information are inconsistent,
in said third step, said server sends an authentication-failure response to said device, and
in said fifth step, said device, when it receives said authentication-failure response from said server, does not perform the process of updating said first password identification information and said first password.
5. The authentication method according to claim 3 or 4, characterized in that
in said fourth step, said server, when it confirms that transmission of said authentication-success response to said device has failed, does not perform the process of updating said first password identification information and said second password.
6. The authentication method according to any one of claims 3 to 5, characterized in that
in said fourth step, said server, when updating said first password identification information and said second password, simultaneously updates the first password identification information and the second password of all devices to which the same user ID has been assigned, and
in said fifth step, said device shares the updated said first password identification information and said first password with all other devices to which the same user ID has been assigned.
7. The authentication method according to any one of claims 3 to 6, characterized in that
in said first step, said device sends to said server, as said first authentication information, a first hash value obtained by hashing said user ID and said first password with a prescribed hash algorithm, and
in said second step, said server compares said first hash value received from said device with a second hash value obtained by hashing said user ID and said second password stored in said server with said prescribed hash algorithm, and judges that authentication has succeeded when the two pieces of said first password identification information are consistent and said first hash value is consistent with said second hash value.
8. The authentication method according to any one of claims 3 to 7, characterized in that
in said first step, said device sends a device ID assigned in order to identify said device together with said update parameter, said first password identification information, said second password identification information and said first authentication information, and
in said second step, said server compares said device ID received from said device with said device ID stored in said server, and judges that authentication has succeeded when the two pieces of said first password identification information are consistent, said first authentication information is consistent with said second authentication information, and the two said device IDs are consistent.
9. A communication system comprising a device storing a first password and a server storing a second password consistent with said first password, in which authentication is performed between said device and said server when said device makes a connection request to said server, and the pair of said first password and said second password is updated for communication, the communication system being characterized in that
said server comprises:
a receiving unit which receives an update parameter, first password identification information and second password identification information from said device, the update parameter being used for updating the pair of said first password and said second password, the first password identification information corresponding to said first password before the update, and the second password identification information corresponding to said first password after the update;
a comparison unit which compares said first password identification information that said receiving unit received from said device with said first password identification information stored in said server;
a judgment unit which judges that authentication has succeeded when the two pieces of said first password identification information are consistent;
a transmitting unit which sends an authentication-success response to said device when said judgment unit has judged that authentication succeeded; and
an update unit which, when said judgment unit has judged that authentication succeeded, updates said first password identification information stored in said server to said second password identification information received from said device, generates a new password based on said second password and said update parameter, and updates said second password to this new password,
wherein said device, when it receives said authentication-success response from said server, updates said first password identification information stored in said device to said second password identification information, generates a new password based on said first password and said update parameter, and updates said first password to this new password.
10. A device, characterized in that it is used in the communication system according to claim 9 and manages a plurality of electrical loads.
11. A server, characterized in that it is used in the communication system according to claim 9.
CN201410265308.9A 2013-06-13 2014-06-13 Authentication method, communication system, device and server Pending CN104243158A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2013124568A JP2015001764A (en) 2013-06-13 2013-06-13 Authentication method, communication system, apparatus and server
JP2013-124568 2013-06-13

Publications (1)

Publication Number Publication Date
CN104243158A true CN104243158A (en) 2014-12-24

Family

ID=52230564

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410265308.9A Pending CN104243158A (en) 2013-06-13 2014-06-13 Authentication method, communication system, device and server

Country Status (2)

Country Link
JP (1) JP2015001764A (en)
CN (1) CN104243158A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105578400A (en) * 2016-02-22 2016-05-11 浙江大学 Renting managing method of public vehicles under offline condition
CN106130995A (en) * 2016-06-30 2016-11-16 三星电子(中国)研发中心 Set up the method for communication connection, Apparatus and system
CN107911168A (en) * 2017-11-30 2018-04-13 南京协众汽车空调集团有限公司 A kind of car plate authentication method and device based on car light
CN109166199A (en) * 2018-07-06 2019-01-08 嘟嘟物联网(深圳)有限公司 A kind of generation method of password, device and equipment
CN109194696A (en) * 2018-11-01 2019-01-11 福建工程学院 A kind of data-interface non-proliferation method
CN113226858A (en) * 2018-12-28 2021-08-06 日立安斯泰莫株式会社 Information processing apparatus
WO2024045680A1 (en) * 2022-08-31 2024-03-07 华为技术有限公司 Device authentication method and related device

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3091769A1 (en) * 2015-05-07 2016-11-09 Gemalto Sa Method of managing access to a service
KR101831633B1 (en) * 2016-10-11 2018-02-23 이화여자대학교 산학협력단 Mutual authentication method based on visual cryptography and control method of device for mutual authentication based on visual cryptography
KR102057564B1 (en) * 2018-06-07 2019-12-18 주식회사 넵튠 User Authentication System Using Authentication Variable And Method Thereof
WO2023167567A1 (en) * 2022-03-04 2023-09-07 주식회사 센스톤 Apparatus and method for preventing hacking via authentication based on virtual code for authentication

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1599314A (en) * 2004-08-25 2005-03-23 湖南大学 Two-way verification disposable password verification method based on S/KEY system
CN1886930A (en) * 2003-12-26 2006-12-27 三菱电机株式会社 Authentication device, device to be authenticated, and key update method
JP2008204250A (en) * 2007-02-21 2008-09-04 Nomura Research Institute Ltd Authentication system and authentication method
CN101582762A (en) * 2009-04-02 2009-11-18 北京飞天诚信科技有限公司 Method and system for identity authentication based on dynamic password
CN102025716A (en) * 2010-06-29 2011-04-20 北京飞天诚信科技有限公司 Method for updating seeds of dynamic password token
CN102546580A (en) * 2011-01-04 2012-07-04 中国移动通信有限公司 Method, system and device for updating user password
US8312519B1 (en) * 2010-09-30 2012-11-13 Daniel V Bailey Agile OTP generation

Cited By (10)

\* Cited by examiner, † Cited by third party

| Publication number | Cited by | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|---|
| CN105578400A | * | 2016-02-22 | 2016-05-11 | 浙江大学 | Rental management method for public vehicles under offline conditions |
| CN105578400B | * | 2016-02-22 | 2019-04-16 | 浙江大学 | Rental management method for public vehicles under offline conditions |
| CN106130995A | * | 2016-06-30 | 2016-11-16 | 三星电子(中国)研发中心 | Method, apparatus and system for establishing a communication connection |
| CN107911168A | * | 2017-11-30 | 2018-04-13 | 南京协众汽车空调集团有限公司 | Vehicle license plate authentication method and device based on vehicle lights |
| CN109166199A | * | 2018-07-06 | 2019-01-08 | 嘟嘟物联网(深圳)有限公司 | Password generation method, device and equipment |
| CN109166199B | * | 2018-07-06 | 2021-02-23 | 嘟嘟物联网(深圳)有限公司 | Password generation method, device and equipment |
| CN109194696A | * | 2018-11-01 | 2019-01-11 | 福建工程学院 | Data interface anti-diffusion method |
| CN109194696B | * | 2018-11-01 | 2021-09-21 | 福建工程学院 | Data interface anti-diffusion method |
| CN113226858A | * | 2018-12-28 | 2021-08-06 | 日立安斯泰莫株式会社 | Information processing apparatus |
| WO2024045680A1 | * | 2022-08-31 | 2024-03-07 | 华为技术有限公司 | Device authentication method and related device |

Also Published As

| Publication number | Publication date |
|---|---|
| JP2015001764A | 2015-01-05 |

Similar Documents

| Publication | Publication date | Title |
|---|---|---|
| CN104243158A | | Authentication method, communication system, device and server |
| CN108173662B | | Equipment authentication method and device |
| CN108377190B | | Authentication equipment and working method thereof |
| CN105516195B | | Security authentication system based on application platform login and authentication method thereof |
| CN102017514B | | Authentication information management method in a home network and apparatus therefor |
| CN101291228B | | Super code generation and authentication method, system and device |
| CN109560931B | | Remote equipment upgrading method based on a certificate-free system |
| CN106487744B | | Shiro verification method based on Redis storage |
| CN109756446B | | Access method and system for vehicle-mounted equipment |
| KR101744747B1 | | Mobile terminal, terminal and method for authentication using a security cookie |
| RU2006126074A | | System, method and devices for authentication in a wireless local area network (WLAN) |
| CN107135205B | | Network access method and system |
| CN108259502A | | Identification method for obtaining interface access rights, server side and storage medium |
| CN105099690A | | OTP- and user-behavior-based authentication and authorization method in a mobile cloud computing environment |
| KR20190002598A | | Method and apparatus for issuing assertions within a distributed database of a mobile communication network and personalizing Internet of Things devices |
| EP3432508B1 | | Computer-implemented method for generating passwords and computer program products of same |
| KR102387865B1 | | Password generating device and password verification device |
| CN108650261B | | Mobile terminal system software burning method based on remote encrypted interaction |
| CN112671720A | | Token construction method, device and equipment for cloud platform resource access control |
| CN104580235A | | Authentication method and authentication system for equipment connection |
| CN112887282A | | Identity authentication method, device and system, and electronic equipment |
| CN112333133B | | Data security transmission method, device, equipment and computer-readable storage medium |
| CN101540757A | | Method and system for network identification, and identification equipment |
| KR102301478B1 | | Smart lock device, lock management system including the device, and lock management method using the system |
| CN103139201A | | Network policy acquisition method and data center switch |

Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C41 | Transfer of patent application or patent right or utility model | |
| | TA01 | Transfer of patent application right | Effective date of registration: 20160107. Address after: Osaka Japan. Applicant after: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT Co.,Ltd. Address before: Osaka Japan. Applicant before: Matsushita Electric Industrial Co.,Ltd. |
| | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20141224 |