CN104333555A - Dynamic token working method and dynamic token working system - Google Patents
Dynamic token working method and dynamic token working system Download PDFInfo
- Publication number
- CN104333555A CN104333555A CN201410647744.2A CN201410647744A CN104333555A CN 104333555 A CN104333555 A CN 104333555A CN 201410647744 A CN201410647744 A CN 201410647744A CN 104333555 A CN104333555 A CN 104333555A
- Authority
- CN
- China
- Prior art keywords
- code
- seed
- secret key
- signature
- login
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
The invention a dynamic token working method and a dynamic token working system. The authentication requirements of users are divided into two categories in advance, namely login authentication requirements and signature authentication requirements during signature in the transaction processes (after login); after the dynamic token is activated successfully, the dynamic token generates corresponding login private keys and signature private keys for the two categories of the authentication requirements in advance. Subsequently, when a user has the transaction requirement and needs login or signature authentication, the dynamic token generates a corresponding login answer-back code or a signature answer-back code for the user according to the login private key or the signature private key in combination with a challenge code input by the user at the moment. Obviously, according to the dynamic token working method, different calculation private keys are set for different authentication requirements of the users, and therefore, the private keys of the dynamic token are not easy to break, and the working mechanism and the working flow of the dynamic token are safer; besides, dual authentication during the transactions of the users is realized, the difficulty for lawbreakers to reversely infer the working principle of the dynamic token is improved, and the security of user accounts is guaranteed.
Description
Technical field
The invention belongs to the technical field of security authentication of banking system, particularly relate to a kind of dynamic token method of work and system.
Background technology
Dynamic token is used to generate the terminal of dynamic password, and dynamic password is a kind of account anti-theft technique of safe and convenient, can available protecting transaction time the authentication security that logs in.
Dynamic token can be divided into three types from technical standpoint, time sync-type, event synchronization type and challenge/response type.At present, the method for work of challenge/response type dynamic token, all based on OATH (vow) algorithm standard rules, in conjunction with challenge code and the built-in secret key of seed of token of user's input, calculates corresponding answer back code, to realize login authentication when concluding the business.Visible, the working mechanism of existing challenge/response type dynamic token and flow process are comparatively simple, and the difficulty that result in the anti-derivation dynamic token operation principle of lawless person is lower, and then the fail safe that result in user account is lower.
Summary of the invention
In view of this, the object of the present invention is to provide a kind of dynamic token method of work and system, to solve existing challenge/response type dynamic token working mechanism and flow process comparatively simple question, strengthen the difficulty of the anti-derivation dynamic token operation principle of lawless person, and then ensure the fail safe of user account.
For this reason, the present invention's openly following technical scheme:
A kind of dynamic token method of work, comprising:
The login answer back code receiving user generates request, and described login answer back code generates request and comprises login challenge code;
The secret key of login generated in advance in described login challenge code, dynamic token and current real-time time are processed, obtain logging in answer back code, the secret key of described login is dynamic token when being activated, the secret key that the active coding provided according to the secret key of its built-in seed, login purposes code and certificate server generates;
The signature answer back code receiving user generates request, and described signature answer back code generates request and comprises signature challenge code;
The secret key of signature generated in advance in described signature challenge code, dynamic token and current real-time time are processed, obtain answer back code of signing, the secret key of described signature is dynamic token when being activated, the secret key that the active coding provided according to the secret key of its built-in seed, signature purposes code and certificate server generates.
Said method, preferably, before the login answer back code of described reception user generates request, also comprises following preprocessing process:
The active coding that certificate server provides is verified, if be verified, performs following operation:
Utilize the close SM3 hash algorithm of state, and adopt formula Work_Seed=SM3 (Seed|ActiveCode) to generate the secret key Work_Seed of work, wherein, SM3 represents the close SM3 hash algorithm of state, and Seed represents the secret key of work, and ActiveCode represents active coding;
Utilize the close SM3 hash algorithm of state, and adopt formula Otp_Seed=SM3 (Work_Seed|alg_type_1) to generate the secret key Otp_Seed of login, wherein, alg_type_1 represents login purposes code;
Utilize the close SM3 hash algorithm of state, and adopt formula sign_Seed=SM3 (Work_Seed|alg_type_2) to generate the secret key sign_Seed of signature, wherein, alg_type_2 represents signature purposes code.
Said method, preferably, carries out process to the secret key of login generated in advance in described login challenge code, dynamic token and current real-time time and obtains logging in answer back code, comprising:
Utilize the close SM3 hash algorithm of state and SM3 cut position algorithm, and adopt formula OTP=Truncate_SM3 (SM3 (Otp_Seed|UTC|ChallengeCode)) to generate login answer back code OTP;
Wherein, Truncate_SM3 represents SM3 cut position algorithm, and ChallengeCode represents login challenge code, and UTC represents current world's unified time.
Said method, preferably, carries out process to the secret key of signature generated in advance in described signature challenge code, dynamic token and current real-time time and obtains answer back code of signing, comprising:
Utilize the close SM3 hash algorithm of state and SM3 cut position algorithm, and adopt formula Sign_OTP=Truncate_SM3 (SM3 (Sign_Seed|UTC|SignCode)) to generate signature answer back code Sign_OTP;
Wherein, Truncate_SM3 represents SM3 cut position algorithm, and SignCode represents signature challenge code, and UTC represents current world's unified time.
Said method, preferably, when active coding is by checking, described preprocessing process also comprises:
Utilize the close SM3 hash algorithm of state, and adopt formula Puk_Seed=SM3 (Work_Seed|alg_type_3) to generate the secret key Puk_Seed of unblock, wherein, alg_type_3 represents unblock purposes code.
Said method, preferably, also comprises:
Token start after, receive user input individual recognition code PIN code, and to input PIN code carry out verification of correctness, if PIN code mistake input number of times reach setting numerical value, then lock token, and show token locked prompting and unlocking request code;
Receive the PUK of user's input and unlock, described PUK is that certificate server generates according to formula PUK=Truncate_SM3 (SM3 (Puk_Seed|Puk_Request)), wherein, Truncate_SM3 represents SM3 cut position algorithm, PUK represents PUK, and Puk_Request represents unlocking request code.
A kind of dynamic token work system, comprising:
First receiver module, generates request for the login answer back code receiving user, and described login answer back code generates request and comprises login challenge code;
First processing module, for processing the secret key of login generated in advance in described login challenge code, dynamic token and current real-time time, obtain logging in answer back code, the secret key of described login is dynamic token when being activated, the secret key that the active coding provided according to the secret key of its built-in seed, login purposes code and certificate server generates;
Second receiver module, generates request for the signature answer back code receiving user, and described signature answer back code generates request and comprises signature challenge code;
Second processing module, for processing the secret key of signature generated in advance in described signature challenge code, dynamic token and current real-time time, obtain answer back code of signing, the secret key of described signature is dynamic token when being activated, the secret key that the active coding provided according to the secret key of its built-in seed, signature purposes code and certificate server generates.
Said system, preferably, also comprises pretreatment module, and described pretreatment module comprises:
Authentication unit, verifies for the active coding provided certificate server, and is being verified the following secret key generation unit of work of triggering;
Work secret key generation unit, for utilizing the close SM3 hash algorithm of state, and adopts formula Work_Seed=SM3 (Seed|ActiveCode) to generate the secret key Work_Seed of work, wherein, SM3 represents the close SM3 hash algorithm of state, and Seed represents the secret key of work, and ActiveCode represents active coding;
Logging in secret key generation unit, for utilizing the close SM3 hash algorithm of state, and adopting formula Otp_Seed=SM3 (Work_Seed|alg_type_1) to generate the secret key Otp_Seed of login, wherein, alg_type_1 represents login purposes code;
Signing secret key generation unit, for utilizing the close SM3 hash algorithm of state, and adopting formula sign_Seed=SM3 (Work_Seed|alg_type_2) to generate the secret key sign_Seed of signature, wherein, alg_type_2 represents signature purposes code.
Said system, preferably, described first processing module comprises:
Logging in answer back code generation unit, for utilizing the close SM3 hash algorithm of state and SM3 cut position algorithm, and adopting formula OTP=Truncate_SM3 (SM3 (Otp_Seed|UTC|ChallengeCode)) to generate login answer back code OTP;
Wherein, Truncate_SM3 represents SM3 cut position algorithm, and ChallengeCode represents login challenge code, and UTC represents current world's unified time.
Said system, preferably, described second processing module comprises:
Signature answer back code generation unit, for utilizing the close SM3 hash algorithm of state and SM3 cut position algorithm, and adopts formula Sign_OTP=Truncate_SM3 (SM3 (Sign_Seed|UTC|SignCode)) to generate signature answer back code Sign_OTP;
Wherein, Truncate_SM3 represents SM3 cut position algorithm, and SignCode represents signature challenge code, and UTC represents current world's unified time.
Said system, preferably, described pretreatment module also comprises:
Unlocking secret key generation unit, for utilizing the close SM3 hash algorithm of state, and adopting formula Puk_Seed=SM3 (Work_Seed|alg_type_3) to generate the secret key Puk_Seed of unblock, wherein, alg_type_3 represents unblock purposes code.
Said system, preferably, also comprises security protection module, and described security protection module comprises:
Lock cell, for after token start, receives the individual recognition code PIN code of user's input, and verification of correctness is carried out to the PIN code of input, if PIN code mistake input number of times reach setting numerical value, then lock token, and show token locked prompting and unlocking request code;
Separate lock unit, for receiving the PUK of user's input and unlocking, described PUK is that certificate server generates according to formula PUK=Truncate_SM3 (SM3 (Puk_Seed|Puk_Request)), wherein, Truncate_SM3 represents SM3 cut position algorithm, PUK represents PUK, and Puk_Request represents unlocking request code.
From above scheme, the certification demand of user is divided into two kinds by the present invention in advance, signature authentication demand in login authentication demand and process of exchange during (after logging in) signature, and dynamic token activates successfully at it in advance, be respectively two kinds of certification demands and generate the secret key of corresponding login and secret key of signing.Follow-up have business transaction demand user, need carry out logging in or signature authentication time, dynamic token can respectively according to logging in secret key or the secret key the challenge code inputted at that time in conjunction with user is corresponding for user generates logs in answer back code or answer back code of signing of signing.Visible, the present invention is directed to the different certification demand of user and be provided with the secret key of different calculating respectively, the key of dynamic token is not easily cracked, and the working mechanism of dynamic token and flow process safer, by being respectively login, signature authentication demand provides corresponding login, signature answer back code, achieve double authentication during customer transaction, increase the difficulty of the anti-derivation dynamic token operation principle of lawless person, ensure that the fail safe of user account.
Accompanying drawing explanation
In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, be briefly described to the accompanying drawing used required in embodiment or description of the prior art below, apparently, accompanying drawing in the following describes is only embodiments of the invention, for those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawing can also be obtained according to the accompanying drawing provided.
Fig. 1 is dynamic token method of work flow chart disclosed in the embodiment of the present invention one;
Fig. 2 is dynamic token locking disclosed in the embodiment of the present invention two and unlocks flow chart;
Fig. 3 is that dynamic token disclosed in the embodiment of the present invention two unlocks schematic diagram;
Fig. 4 is a kind of structural representation of dynamic token work system disclosed in the embodiment of the present invention three;
Fig. 5 is the another kind of structural representation of dynamic token work system disclosed in the embodiment of the present invention three;
Fig. 6 is another structural representation of dynamic token work system disclosed in the embodiment of the present invention three.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, be clearly and completely described the technical scheme in the embodiment of the present invention, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiments.Based on the embodiment in the present invention, those of ordinary skill in the art, not making the every other embodiment obtained under creative work prerequisite, belong to the scope of protection of the invention.
Embodiment one
The present embodiment one discloses a kind of dynamic token method of work, and with reference to figure 1, described method can comprise the following steps:
S101: the login answer back code receiving user generates request, described login answer back code generates request and comprises login challenge code.
Before user uses dynamic token for the first time, need to activate dynamic token, namely each step of the present invention needs to be based upon to activate on this pretreated basis dynamic token.
When activating dynamic token, produce active coding by certificate server, then the active coding that server produces manually is inputted dynamic token by user, and wherein, the generating algorithm of active coding is as follows:
ActiveCode=ChallengeRand|Truncate_SM3(SM3(Seed|ChallengeRand))) (1)
In formula (1), ActiveCode represents the active coding of 12; ChallengeRand represents the decimal system random number of 6, needs to mend 0 in its back and make it to the length of 128bit when bringing algorithmic formula into; SM3 represents the close SM3 hash algorithm of state; Truncate_SM3 represents SM3 cut position algorithm, its decimal number of exportable 6; Seed is the seed plaintext of 32Byte.
Wherein, the present invention proposes a kind of SM3 cut position algorithm on the basis of state close SM3 hash algorithm, and defines it, and SM3 cut position algorithm is exactly algorithm SM3 hash result or HMAC result being converted into 6 dynamic passwords.Particularly, the present invention makes as given a definition to it:
Definition S1, S2, S3, S4, S5, S6, S7, S8, represent 8 4Byte integers, and assignment by the following method:
S1=S[0]<<24|S[1]<<16|S[2]<<8|S[3]
S2=S[4]<<24|S[5]<<16|S[6]<<8|S[7]
S3=S[8]<<24|S[9]<<16|S[10]<<8|S[11]
S4=S[12]<<24|S[13]<<16|S[14]<<8|S[15]
S5=S[16]<<24|S[17]<<16|S[18]<<8|S[19]
S6=S[20]<<24|S[21]<<16|S[22]<<8|S[23]
S7=S[24]<<24|S[25]<<16|S[26]<<8|S[27]
S8=S[28]<<24|S[29]<<16|S[30]<<8|S[31]
OD=(S1+S2+S3+S4+S5+S6+S7+S8)MOD 232
Password (i.e. the Output rusults of SM3 cut position algorithm) obtains: otp=OD mod 1000000.
Dynamic token is verified active coding after receiving the active coding of user's input.Concrete checking principle is: use the ChallengeRand in active coding (i.e. active coding first 6) to calculate an OTP (One-time Password, dynamic password), then latter 6 of this OTP and active coding are compared, if it is identical that comparison result is for both, then be verified, activate successfully, otherwise activate unsuccessfully.
In the present invention, dynamic token is verified active coding and is activated successfully, continue to implement the conversion of secret key, particularly, adopt the close SM3 hash algorithm of state, primordial seed Seed (being built in dynamic token) and active coding are processed, the secret key of the work that obtains, and preserve the secret key of work produced.
The formula that the secret key of generation work adopts is as follows:
Work_Seed=SM3(Seed|ActiveCode) (2)
In formula (2), Seed represents seed key, 32Byte; ActiveCode represents active coding, and it participates in computing with the form of ASCII character, such as 123456889012, the form adopted when it participates in computing is: 0x31,0x32 ... .0x32.
The certification demand of user is divided into two classes by the present invention: login authentication demand (logging in authentication demand during transaction) and signature authentication demand (authentication demand when signing in process of exchange), correspondingly, the present invention is respectively described two kinds of certification requirements set and calculates secret key accordingly: log in key and the secret key of signature.
In the present embodiment, carry out as given a definition to the secret key of login and the secret key of signature respectively:
Char alg_1 [32]; // log in key Otp_Seed;
Char alg_2 [32]; // signature key Sign_Seed.
Two kinds of purposes codes calculating secret key corresponding are defined as respectively:
Int alg_type_1=1; // logging in dynamic password, int is 4Byte integer;
Int alg_type_2=2; // signature dynamic password, int is 4Byte integer.
Dynamic token is activating successfully and after the secret key of the work that generates, continue to adopt state close SM3 hash algorithm to process the secret key of work generated and calculating defined above secret key purposes code, obtain logging in secret key accordingly, secret key of signing, namely particularly, message is formed by working key (32Byte)+purposes code (4Byte), state close SM3 hash algorithm is adopted formed message to be carried out to the generation of Hash Value, and generated Hash Value is made the computation key of dynamic password, provide support with the generation being embodied as subsequent user authentication response code.
Need to use working key, so dynamic token must carry out the generating run calculating secret key after synchronous working key owing to producing computation key.
Wherein, the formula (3) that concrete employing is following generates and logs in secret key:
Otp_Seed=SM3(Work_Seed|alg_type_1) (3)
In formula (3), Work_Seed represents working key, altogether 32Byte; Alg_type_1 represents login purposes code, 4Byte altogether, and low level is front, and the form with 00000001 participates in computing.
Correspondingly, following formula (4) is adopted to generate the secret key of signature:
sign_Seed=SM3(Work_Seed|alg_type_2) (4)
In formula (3), Work_Seed represents working key, altogether 32Byte; Alg_type_2 represents signature purposes code, 4Byte altogether, and its low level is front, and the form with 00000002 participates in computing.
Be the work that dynamic token carries out after it is activated and is verified with upper part, this partial content can be used as the pretreatment work of the inventive method.
On this basis, when user needs to carry out application transaction, for ensureing the fail safe of user account, first need to carry out login authentication to user, now, certificate server can log in challenge code for user generates one, and shows user on application system webpage; Afterwards, login challenge code on webpage is inputed to dynamic token by user, and press and log in answer back code and generate button (also can adopt and first press the button, the mode of rear input challenge code) and generate request to realize sending the corresponding answer back code that logs in dynamic token.After dynamic token receives the login answer back code generation request of user's triggering, namely log in answer back code according to processing logic of the present invention accordingly for user generates.
S102: the secret key of login generated in advance in described login challenge code, dynamic token and current real-time time are processed, obtain logging in answer back code, the secret key of described login is dynamic token when being activated, the secret key that the active coding provided according to the secret key of its built-in seed, login purposes code and certificate server generates.
Particularly, after the login answer back code receiving user's triggering generates request, dynamic token utilizes the close SM3 hash algorithm of state and SM3 cut position algorithm, and adopts following formula (5) to generate login answer back code:
OTP=Truncate_SM3(SM3(Otp_Seed|UTC|ChallengeCode)) (5)
In formula (5), OTP (6Byte) represents that namely entry password logs in answer back code, is the decimal system; Truncate_SM3 represents SM3 cut position algorithm; Otp_Seed represents login key, and for 32Byte:UTC (Universal Time Coordinated, the world unified time) represents the current UTC time, 8Byte, UTC are a minute counting, and high-order front, low level is rear; ChallengeCode is the login challenge code of 4-20 position that server produces, high Byte front, after what participate in computing is its ASCII character, such as: 123456, converting ASCII character to is then 0x31,0x32,0x33,0x34,0x35,0x36;
Wherein, when UTC|ChallengeCode brings formula (5) into, if the inadequate 128bit of its total length, then mend 0 below, make the total length of UTC|ChallengeCode reach 128bit, if total length is more than 128bit, then directly brings formula (5) into and carry out computing.
Afterwards, user can read the login answer back code that dynamic token produces, and is inputed to application system webpage and realize login authentication.
S103: the signature answer back code receiving user generates request, described signature answer back code generates request and comprises signature challenge code.
When login authentication is successfully concluded the business, if user needs to carry out trading signature, the present invention, in order to ensure the fail safe of user account further, need carry out signature authentication to user, now, certificate server for user generate one signature challenge code.User reads from application system webpage signature challenge code that server produces and is inputed to dynamic token, and presses signature answer back code on dynamic token and generate button and realize sending signature answer back code to dynamic token and generate request.
S104: the secret key of signature generated in advance in described signature challenge code, dynamic token and current real-time time are processed, obtain answer back code of signing, the secret key of described signature is dynamic token when being activated, the secret key that the active coding provided according to the secret key of its built-in seed, signature purposes code and certificate server generates.
After dynamic token receives above-mentioned request, utilize the close SM3 hash algorithm of state and SM3 cut position algorithm, and adopt following formula (6) to generate signature answer back code:
Sign_OTP=Truncate_SM3(SM3(Sign_Seed|UTC|SignCode)) (6)
In formula (6), Sign_OTP (6Byte) represents that namely signature password signs answer back code, is the decimal system; Truncate_SM3 represents SM3 cut position algorithm; Sign_Seed represents signature key, 32Byte; UTC represents the current UTC time, and 8Byte, UTC are a minute counting, and high-order front, low level is rear; SignCode represents the signature answer back code of the 4-20 position that server produces, high Byte front, after what participate in computing is its ASCII character.
Wherein, when UTC|SignCode brings formula (6) into, if the inadequate 128bit of its total length, then mend 0 below, make the total length of UTC|SignCode reach 128bit; If its total length is more than 128bit, then directly carries it into formula (6) and carry out computing.
Afterwards, user can read the signature answer back code that dynamic token produces, and is inputed to application system webpage and realize signature authentication.
From above scheme, the certification demand of user is divided into two kinds by the present invention in advance: the authentication demand in login authentication demand and process of exchange during (after logging in) signature, and dynamic token activates successfully at it in advance, be respectively two kinds of certification demands and generate the secret key of corresponding login and secret key of signing.Follow-up have business transaction demand user, need carry out logging in or signature authentication time, dynamic token can respectively according to logging in secret key or the secret key the challenge code inputted at that time in conjunction with user is corresponding for user generates logs in answer back code or answer back code of signing of signing.Visible, the present invention is directed to the different certification demand of user and be provided with the secret key of different calculating respectively, the key of dynamic token is not easily cracked, and the working mechanism of dynamic token and flow process safer, by being respectively login, signature authentication demand provides corresponding login, signature answer back code, achieve double authentication during customer transaction, increase the difficulty of the anti-derivation dynamic token operation principle of lawless person, ensure that the fail safe of user account.
Embodiment two
In the present embodiment two, with reference to figure 2, described method can also comprise the following steps:
S105: token start after, receive user input individual recognition code PIN code, and to input PIN code carry out verification of correctness, if PIN code mistake input number of times reach setting numerical value, then lock token, and show token locked prompting and unlocking request code;
S106: receive the PUK of user's input and unlock.Described PUK is that certificate server generates according to formula PUK=Truncate_SM3 (SM3 (Puk_Seed|Puk_Request)), wherein, Truncate_SM3 represents SM3 cut position algorithm, and PUK represents PUK, and Puk_Request represents unlocking request code.
Particularly, the present embodiment will calculate that secret key expands is 3: log in secret key, the secret key and unlock secret key of signing.Thus, while the secret key of pre-defined login and secret key of signing, also carry out as given a definition to the secret key of unblock:
Char alg_3 [32]; // Personal Unlocking Key Puk_Seed.
Correspondingly, the secret key purposes code of unblock is defined:
Int alg_type_3=3; // unlocking, int is 4Byte integer.
On this basis, in the present embodiment, described preprocessing process also comprises: utilize the close SM3 hash algorithm of state, and adopts following formula (7) to generate the secret key of unblock:
Puk_Seed=SM3(Work_Seed|alg_type_3) (7)
In formula (7), Work_Seed represents working key, 32Byte; Alg_type_3 represents unblock purposes code, and its low level is front, and the form with 00000003 participates in computing.
In order to ensure the safety of user account further, the present embodiment is when dynamic token is started shooting, for dynamic token adds the link of PIN (Personal Identification Number, individual recognition code) code checking, namely user is at every turn to after dynamic token start, all need to input corresponding PIN code, if PIN code input is correct, then by checking, dynamic token is started shooting successfully, otherwise, boot failure.
If the number of times of PIN code mistake input reaches setting numerical value, then dynamic token locking, in such cases, dynamic token carries out locking to user and points out and show corresponding unlocking request code.
Afterwards, described unlocking request code is inputed to certificate server by user, produces corresponding PUK by certificate server according to following formula (8):
PUK=Truncate_SM3(SM3(Puk_Seed|Puk_Request)) (8)
In formula (8), PUK represents PUK, altogether 6Byte; Truncate_SM3 represents SM3 cut position algorithm; Puk_Seed represents Personal Unlocking Key, altogether 32Byte; Puk_Request represents the unlocking request code of 6, its decimal system random number generated for token, adopt ASCII character form, and high Byte is front when it participates in computing.
Wherein, Puk_Request brings formula (8) into when carrying out computing, needs after it, mend 0 and makes its total length reach 128bit.
On this basis, the PUK input dynamic token that server produces by user, can realize unlocking.The unblock principle of dynamic token specifically can with reference to shown in figure 3.
Embodiment three
The present embodiment three discloses a kind of dynamic token work system, and this system is corresponding with dynamic token method of work disclosed in embodiment one and embodiment two.
First, corresponding to embodiment one, with reference to figure 4, described system comprises the first receiver module 100, first processing module 200, second receiver module 300 and the second processing module 400.
First receiver module 100, generates request for the login answer back code receiving user, and described login answer back code generates request and comprises login challenge code.
First processing module 200, for processing the secret key of login generated in advance in described login challenge code, dynamic token and current real-time time, obtain logging in answer back code, the secret key of described login is dynamic token when being activated, the secret key that the active coding provided according to the secret key of its built-in seed, login purposes code and certificate server generates.
Wherein, the first processing module 200 comprises login answer back code generation unit.
Logging in answer back code generation unit, for utilizing the close SM3 hash algorithm of state and SM3 cut position algorithm, and adopting formula OTP=Truncate_SM3 (SM3 (Otp_Seed|UTC|ChallengeCode)) to generate login answer back code OTP;
Wherein, Truncate_SM3 represents SM3 cut position algorithm, and ChallengeCode represents login challenge code, and UTC represents current world's unified time.
Second receiver module 300, generates request for the signature answer back code receiving user, and described signature answer back code generates request and comprises signature challenge code.
Second processing module 400, for processing the secret key of signature generated in advance in described signature challenge code, dynamic token and current real-time time, obtain answer back code of signing, the secret key of described signature is dynamic token when being activated, the secret key that the active coding provided according to the secret key of its built-in seed, signature purposes code and certificate server generates.
Described second processing module 400 comprises signature answer back code generation unit.
Signature answer back code generation unit, for utilizing the close SM3 hash algorithm of state and SM3 cut position algorithm, and adopts formula Sign_OTP=Truncate_SM3 (SM3 (Sign_Seed|UTC|SignCode)) to generate signature answer back code Sign_OTP;
Wherein, Truncate_SM3 represents SM3 cut position algorithm, and SignCode represents signature challenge code, and UTC represents current world's unified time.
In present system, the need of work of modules is based upon on the basis of the secret key of the generation login calculating such as secret key, secret key of signing, therefore, with reference to figure 5, described system also needs to comprise pretreatment module 500, and this module comprises authentication unit, the secret key generation unit that works, log in secret key generation unit and secret key generation unit of signing.
Authentication unit is used for verifying the active coding that certificate server provides, and is being verified the following secret key generation unit of work of triggering;
The secret key generation unit that works is used for utilizing the close SM3 hash algorithm of state, and adopt formula Work_Seed=SM3 (Seed|ActiveCode) to generate the secret key Work_Seed of work, wherein, SM3 represents the close SM3 hash algorithm of state, Seed represents the secret key of work, and ActiveCode represents active coding;
Log in secret key generation unit to be used for utilizing the close SM3 hash algorithm of state, and adopt formula Otp_Seed=SM3 (Work_Seed|alg_type_1) to generate the secret key Otp_Seed of login, wherein, alg_type_1 represents login purposes code;
Secret key generation unit of signing is used for utilizing the close SM3 hash algorithm of state, and adopts formula sign_Seed=SM3 (Work_Seed|alg_type_2) to generate the secret key sign_Seed of signature, and wherein, alg_type_2 represents signature purposes code.
Corresponding to embodiment two, with reference to figure 6, described system also comprises security protection module 600, and this module comprises lock cell and conciliates lock unit.
Lock cell, for after token start, receives the individual recognition code PIN code of user's input, and verification of correctness is carried out to the PIN code of input, if mistake input number of times reach setting numerical value, then lock token, and show token locked prompting and unlocking request code;
Separate lock unit, for receiving the PUK of user's input and unlocking, described PUK is that certificate server generates according to formula PUK=Truncate_SM3 (SM3 (Puk_Seed|Puk_Request)), wherein, Truncate_SM3 represents SM3 cut position algorithm, PUK represents PUK, and Puk_Request represents unlocking request code.
For dynamic token work system disclosed in the embodiment of the present invention three, because it is corresponding with dynamic token method of work disclosed in above each embodiment, so description is fairly simple, relevant similarity refers to the explanation of dynamic token method of work part in above each embodiment, no longer describes in detail herein.
In sum, the present invention uses safer domestic cryptographic algorithm on challenge/response type dynamic token, and be combined the cut position algorithm innovated voluntarily on the basis of domestic cryptographic algorithm answer back code generative process is processed, can make the working mechanism of dynamic token and flow process safer, meet national Password Management office supports domestic cryptographic algorithm compliance to dynamic token equipment simultaneously; And the present invention is provided with the secret key of corresponding different calculating respectively according to the different authentication demand of user, and the key of dynamic token can be made not easily to be cracked, increases the difficulty of the anti-derivation dynamic token operation principle of lawless person, thus ensure that the fail safe of user account.
For convenience of description, various module or unit is divided into describe respectively with function when describing above system.Certainly, the function of each unit can be realized in same or multiple software and/or hardware when implementing the application.
As seen through the above description of the embodiments, those skilled in the art can be well understood to the mode that the application can add required general hardware platform by software and realizes.Based on such understanding, the technical scheme of the application can embody with the form of software product the part that prior art contributes in essence in other words, this computer software product can be stored in storage medium, as ROM/RAM, magnetic disc, CD etc., comprising some instructions in order to make a computer equipment (can be personal computer, server, or the network equipment etc.) perform the method described in some part of each embodiment of the application or embodiment.
Finally, also it should be noted that, in this article, the relational terms of such as first, second, third and fourth etc. and so on is only used for an entity or operation to separate with another entity or operating space, and not necessarily requires or imply the relation that there is any this reality between these entities or operation or sequentially.And, term " comprises ", " comprising " or its any other variant are intended to contain comprising of nonexcludability, thus make to comprise the process of a series of key element, method, article or equipment and not only comprise those key elements, but also comprise other key elements clearly do not listed, or also comprise by the intrinsic key element of this process, method, article or equipment.When not more restrictions, the key element limited by statement " comprising ... ", and be not precluded within process, method, article or the equipment comprising described key element and also there is other identical element.
It should be noted that, each embodiment in this specification all adopts the mode of going forward one by one to describe, and what each embodiment stressed is the difference with other embodiments, between each embodiment identical similar part mutually see.
The above is only the preferred embodiment of the present invention; it should be pointed out that for those skilled in the art, under the premise without departing from the principles of the invention; can also make some improvements and modifications, these improvements and modifications also should be considered as protection scope of the present invention.
Claims (12)
1. a dynamic token method of work, is characterized in that, comprising:
The login answer back code receiving user generates request, and described login answer back code generates request and comprises login challenge code;
The secret key of login generated in advance in described login challenge code, dynamic token and current real-time time are processed, obtain logging in answer back code, the secret key of described login is dynamic token when being activated, the secret key that the active coding provided according to the secret key of its built-in seed, login purposes code and certificate server generates;
The signature answer back code receiving user generates request, and described signature answer back code generates request and comprises signature challenge code;
The secret key of signature generated in advance in described signature challenge code, dynamic token and current real-time time are processed, obtain answer back code of signing, the secret key of described signature is dynamic token when being activated, the secret key that the active coding provided according to the secret key of its built-in seed, signature purposes code and certificate server generates.
2. method according to claim 1, is characterized in that, before the login answer back code of described reception user generates request, also comprises following preprocessing process:
The active coding that certificate server provides is verified, if be verified, performs following operation:
Utilize the close SM3 hash algorithm of state, and adopt formula Work_Seed=SM3 (Seed|ActiveCode) to generate the secret key Work_Seed of work, wherein, SM3 represents the close SM3 hash algorithm of state, and Seed represents the secret key of work, and ActiveCode represents active coding;
Utilize the close SM3 hash algorithm of state, and adopt formula Otp_Seed=SM3 (Work_Seed|alg_type_1) to generate the secret key Otp_Seed of login, wherein, alg_type_1 represents login purposes code;
Utilize the close SM3 hash algorithm of state, and adopt formula sign_Seed=SM3 (Work_Seed|alg_type_2) to generate the secret key sign_Seed of signature, wherein, alg_type_2 represents signature purposes code.
3. method according to claim 2, is characterized in that, carries out process and obtains logging in answer back code, comprising the secret key of login generated in advance in described login challenge code, dynamic token and current real-time time:
Utilize the close SM3 hash algorithm of state and SM3 cut position algorithm, and adopt formula OTP=Truncate_SM3 (SM3 (Otp_Seed|UTC|ChallengeCode)) to generate login answer back code OTP;
Wherein, Truncate_SM3 represents SM3 cut position algorithm, and ChallengeCode represents login challenge code, and UTC represents current world's unified time.
4. method according to claim 2, is characterized in that, carries out process and obtains answer back code of signing, comprising the secret key of signature generated in advance in described signature challenge code, dynamic token and current real-time time:
Utilize the close SM3 hash algorithm of state and SM3 cut position algorithm, and adopt formula Sign_OTP=Truncate_SM3 (SM3 (Sign_Seed|UTC|SignCode)) to generate signature answer back code Sign_OTP;
Wherein, Truncate_SM3 represents SM3 cut position algorithm, and SignCode represents signature challenge code, and UTC represents current world's unified time.
5. method according to claim 2, is characterized in that, when active coding is by checking, described preprocessing process also comprises:
Utilize the close SM3 hash algorithm of state, and adopt formula Puk_Seed=SM3 (Work_Seed|alg_type_3) to generate the secret key Puk_Seed of unblock, wherein, alg_type_3 represents unblock purposes code.
6. method according to claim 5, is characterized in that, also comprises:
Token start after, receive user input individual recognition code PIN code, and to input PIN code carry out verification of correctness, if PIN code mistake input number of times reach setting numerical value, then lock token, and show token locked prompting and unlocking request code;
Receive the PUK of user's input and unlock, described PUK is that certificate server generates according to formula PUK=Truncate_SM3 (SM3 (Puk_Seed|Puk_Request)), wherein, Truncate_SM3 represents SM3 cut position algorithm, PUK represents PUK, and Puk_Request represents unlocking request code.
7. a dynamic token work system, is characterized in that, comprising:
First receiver module, generates request for the login answer back code receiving user, and described login answer back code generates request and comprises login challenge code;
First processing module, for processing the secret key of login generated in advance in described login challenge code, dynamic token and current real-time time, obtain logging in answer back code, the secret key of described login is dynamic token when being activated, the secret key that the active coding provided according to the secret key of its built-in seed, login purposes code and certificate server generates;
Second receiver module, generates request for the signature answer back code receiving user, and described signature answer back code generates request and comprises signature challenge code;
Second processing module, for processing the secret key of signature generated in advance in described signature challenge code, dynamic token and current real-time time, obtain answer back code of signing, the secret key of described signature is dynamic token when being activated, the secret key that the active coding provided according to the secret key of its built-in seed, signature purposes code and certificate server generates.
8. system according to claim 7, is characterized in that, also comprises pretreatment module, and described pretreatment module comprises:
Authentication unit, verifies for the active coding provided certificate server, and is being verified the following secret key generation unit of work of triggering;
Work secret key generation unit, for utilizing the close SM3 hash algorithm of state, and adopts formula Work_Seed=SM3 (Seed|ActiveCode) to generate the secret key Work_Seed of work, wherein, SM3 represents the close SM3 hash algorithm of state, and Seed represents the secret key of work, and ActiveCode represents active coding;
Logging in secret key generation unit, for utilizing the close SM3 hash algorithm of state, and adopting formula Otp_Seed=SM3 (Work_Seed|alg_type_1) to generate the secret key Otp_Seed of login, wherein, alg_type_1 represents login purposes code;
Signing secret key generation unit, for utilizing the close SM3 hash algorithm of state, and adopting formula sign_Seed=SM3 (Work_Seed|alg_type_2) to generate the secret key sign_Seed of signature, wherein, alg_type_2 represents signature purposes code.
9. system according to claim 8, is characterized in that, described first processing module comprises:
Logging in answer back code generation unit, for utilizing the close SM3 hash algorithm of state and SM3 cut position algorithm, and adopting formula OTP=Truncate_SM3 (SM3 (Otp_Seed|UTC|ChallengeCode)) to generate login answer back code OTP;
Wherein, Truncate_SM3 represents SM3 cut position algorithm, and ChallengeCode represents login challenge code, and UTC represents current world's unified time.
10. system according to claim 8, is characterized in that, described second processing module comprises:
Signature answer back code generation unit, for utilizing the close SM3 hash algorithm of state and SM3 cut position algorithm, and adopts formula Sign_OTP=Truncate_SM3 (SM3 (Sign_Seed|UTC|SignCode)) to generate signature answer back code Sign_OTP;
Wherein, Truncate_SM3 represents SM3 cut position algorithm, and SignCode represents signature challenge code, and UTC represents current world's unified time.
11. system according to claim 8, is characterized in that, described pretreatment module also comprises:
Unlocking secret key generation unit, for utilizing the close SM3 hash algorithm of state, and adopting formula Puk_Seed=SM3 (Work_Seed|alg_type_3) to generate the secret key Puk_Seed of unblock, wherein, alg_type_3 represents unblock purposes code.
12. systems according to claim 11, is characterized in that, also comprise security protection module, and described security protection module comprises:
Lock cell, for after token start, receives the individual recognition code PIN code of user's input, and verification of correctness is carried out to the PIN code of input, if PIN code mistake input number of times reach setting numerical value, then lock token, and show token locked prompting and unlocking request code;
Separate lock unit, for receiving the PUK of user's input and unlocking, described PUK is that certificate server generates according to formula PUK=Truncate_SM3 (SM3 (Puk_Seed|Puk_Request)), wherein, Truncate_SM3 represents SM3 cut position algorithm, PUK represents PUK, and Puk_Request represents unlocking request code.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410647744.2A CN104333555B (en) | 2014-11-14 | A kind of dynamic token method of work and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410647744.2A CN104333555B (en) | 2014-11-14 | A kind of dynamic token method of work and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104333555A true CN104333555A (en) | 2015-02-04 |
| CN104333555B CN104333555B (en) | 2018-02-09 |
Family
ID=
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105553983A (en) * | 2015-12-17 | 2016-05-04 | 北京海泰方圆科技股份有限公司 | Webpage data protection method |
| CN109120396A (en) * | 2018-07-10 | 2019-01-01 | 成都安恒信息技术有限公司 | A kind of application method of the data encrypting and deciphering system based on challenge response code |
| CN110399715A (en) * | 2019-07-30 | 2019-11-01 | 飞天诚信科技股份有限公司 | Key devices Information Authentication method, electronic equipment and computer readable storage medium |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2008004312A1 (en) * | 2006-07-07 | 2008-01-10 | Jcb Co., Ltd. | Net settlement assisting device |
| CN101500011A (en) * | 2009-03-13 | 2009-08-05 | 北京华大智宝电子系统有限公司 | Method and system for implementing dynamic password security protection |
| CN101789864A (en) * | 2010-02-05 | 2010-07-28 | 中国工商银行股份有限公司 | On-line bank background identity identification method, device and system |
| CN101800645A (en) * | 2010-02-05 | 2010-08-11 | 中国工商银行股份有限公司 | Identity authentication method, device and system |
| CN102664736A (en) * | 2012-04-13 | 2012-09-12 | 天地融科技股份有限公司 | Electronic cipher generating method, device and equipment and electronic cipher authentication system |
| CN103457739A (en) * | 2013-09-06 | 2013-12-18 | 北京握奇智能科技有限公司 | Method and device for acquiring dynamic token parameters |
| CN103731272A (en) * | 2014-01-06 | 2014-04-16 | 飞天诚信科技股份有限公司 | Identity authentication method, system and equipment |
| CN103888470A (en) * | 2014-04-02 | 2014-06-25 | 飞天诚信科技股份有限公司 | Dynamic token synchronizing method and system |
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2008004312A1 (en) * | 2006-07-07 | 2008-01-10 | Jcb Co., Ltd. | Net settlement assisting device |
| CN101500011A (en) * | 2009-03-13 | 2009-08-05 | 北京华大智宝电子系统有限公司 | Method and system for implementing dynamic password security protection |
| CN101789864A (en) * | 2010-02-05 | 2010-07-28 | 中国工商银行股份有限公司 | On-line bank background identity identification method, device and system |
| CN101800645A (en) * | 2010-02-05 | 2010-08-11 | 中国工商银行股份有限公司 | Identity authentication method, device and system |
| CN102664736A (en) * | 2012-04-13 | 2012-09-12 | 天地融科技股份有限公司 | Electronic cipher generating method, device and equipment and electronic cipher authentication system |
| CN103457739A (en) * | 2013-09-06 | 2013-12-18 | 北京握奇智能科技有限公司 | Method and device for acquiring dynamic token parameters |
| CN103731272A (en) * | 2014-01-06 | 2014-04-16 | 飞天诚信科技股份有限公司 | Identity authentication method, system and equipment |
| CN103888470A (en) * | 2014-04-02 | 2014-06-25 | 飞天诚信科技股份有限公司 | Dynamic token synchronizing method and system |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105553983A (en) * | 2015-12-17 | 2016-05-04 | 北京海泰方圆科技股份有限公司 | Webpage data protection method |
| CN105553983B (en) * | 2015-12-17 | 2017-06-13 | 北京海泰方圆科技股份有限公司 | A kind of web data guard method |
| CN109120396A (en) * | 2018-07-10 | 2019-01-01 | 成都安恒信息技术有限公司 | A kind of application method of the data encrypting and deciphering system based on challenge response code |
| CN110399715A (en) * | 2019-07-30 | 2019-11-01 | 飞天诚信科技股份有限公司 | Key devices Information Authentication method, electronic equipment and computer readable storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102148685B (en) | Method and system for dynamically authenticating password by multi-password seed self-defined by user | |
| CN101197667B (en) | Dynamic password authentication method | |
| CN101425897B (en) | Customer authentication method, system, server and customer node | |
| US20150207790A1 (en) | Method and system for generating and authorizing dynamic password | |
| CN101252437A (en) | Dynamic verification method, system and apparatus of client terminal identification under C/S architecture | |
| CN101500011A (en) | Method and system for implementing dynamic password security protection | |
| CN102281138B (en) | Method and system for improving safety of verification code | |
| CN101958913B (en) | Bidirectional ID (Identity) authentication method based on dynamic password and digital certificate | |
| CN103853950A (en) | Authentication method based on mobile terminal and mobile terminal | |
| He et al. | Weaknesses of a Remote User Password Authentication Scheme Using Smart Card. | |
| CN105553667A (en) | Dynamic password generating method | |
| CN103338202A (en) | Remote user password dual-verification method based on intelligent card | |
| KR101202245B1 (en) | System and Method For Transferring Money Using OTP Generated From Account Number | |
| CN102176712A (en) | Identity authentication method and data card | |
| CN113656775A (en) | Offline password verification method and system with expiration date and intelligent lock | |
| CN104579659A (en) | Device for safety information interaction | |
| CN103684796A (en) | SMI (subscriber identity module) card and personal identity authentication method | |
| CN102164036B (en) | Dynamic token as well as two-way authentication method and two-way authentication system with dynamic token | |
| CN202672887U (en) | Coded lock | |
| CN115208676B (en) | Data encryption method and system based on blockchain technology | |
| CN109644137B (en) | Method for token-based authentication with signed messages | |
| CN104333555A (en) | Dynamic token working method and dynamic token working system | |
| CN109088888A (en) | A kind of safety communicating method and its system based on smart card | |
| CN104333555B (en) | A kind of dynamic token method of work and system | |
| CN101424142B (en) | Lock, unlocking method thereof, lock administrative center and control method thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |