CN104734856B - A password authentication method resistant to server information leakage - Google Patents
A password authentication method resistant to server information leakage
Publication number: CN104734856B (application CN201510098392.4A)
Authority: CN (China)
Prior art keywords: user, TTP, information, application server, sent
Legal status: Expired - Fee Related (status as listed by Google Patents, not a legal conclusion)
Abstract
The invention discloses a password authentication method that resists leakage of server-side information. The method is: 1) the user sends the chosen application identifier AI, account name user and login password pw to a trusted third party TTP over a secure channel; 2) the TTP derives a secret value x from its key k and (AI, user, pw), and sends (user, x) to the application server designated by AI; 3) the application server stores the user's (user, x) record and returns a registration-success message via the TTP; 4) at login, the client sends the entered (AI, user, pw') to the TTP over a secure network channel, the TTP computes a secret value x' and sends (user, x') to the application server designated by AI for authentication; if authentication succeeds, a login-success message is returned. The invention protects the login password and is widely applicable.
Description
Technical field
The invention belongs to the field of network technology, and in particular relates to a password authentication method resistant to server information leakage.
Background art
With the continuous development of network technology, more and more application systems are built on the network platform. These systems generally rely on various identity authentication technologies to guarantee the authenticity of the identity of users logging in to the server, so as to ensure the security of the system and its data and to authorize the legitimate rights of visitors.
At present, identity authentication is mainly implemented by one of, or a combination of, three basic approaches: knowledge-based authentication, authentication based on biometric characteristics, and authentication based on token devices such as smart cards. Of these, knowledge-based authentication is widely used because it is simple and convenient.
Password authentication, as the typical knowledge-based authentication technique, has become the preferred authentication method of many systems. In password authentication, the server holds user names and transformed passwords, and a user passes authentication only by entering a valid user name and the matching password. In practice, however, many causes can lead to leakage of server-side information, and with it leakage of the transformed passwords. Because the password space is small, an adversary can then easily recover users' login passwords by offline dictionary attack and similar means.
To avoid the problem that passwords are exposed to offline dictionary attack because the user password space is small, some systems with higher security requirements add other authentication means: besides password authentication, the user must pass further authentication to complete login. This technique is known as two-factor authentication. Two-factor authentication may require a token device such as a smart card to store and process the key the user needs in order to log in. Because the key space is very large, even an adversary who obtains the information stored on the server can hardly recover the key by offline dictionary attack or similar means. However, such token devices impose extra cost on the user, can only be used on equipment with a special interface, and must be carried by the user in order to log in to the online account. In addition, a token device held by the user risks being lost or illegally obtained by an adversary.
Summary of the invention
To solve the problem that passwords are exposed to offline dictionary attack because the user password space is small, the invention proposes a password authentication method resistant to server information leakage, without adding a token device such as a smart card on the user side.
The invention involves three kinds of network entity: the user, a trusted third party (TTP) and an application server (AS). The user holds a network account name and the corresponding login password; the TTP uses its key to process the user's login information with a dedicated algorithm; and the application server maintains a database of users' account names and login-password-related information, and authenticates users' login requests against it.
The technical solution adopted by the invention is as follows:
A password authentication method resistant to server information leakage, whose steps are given below. Users register and log in via the TTP, and the applications have themselves been registered with the TTP, i.e. the TTP knows the identifier of each application and its corresponding server or domain name.
1. Registration process
1) The user sends the application identifier AI of the account to be registered, the self-chosen account name user and the login password pw to the TTP in a secure manner;
2) The TTP takes its key k and the (AI, user, pw) sent by the user as inputs of the dedicated algorithm f, computes a secret x, and sends (user, x) to the application server designated by AI;
3) The application server checks the legitimacy of the user information (for example, judging by the user name whether it is already registered or whether it complies with the naming rules), stores (user, x) if legitimate, and returns a registration-success message to the user via the TTP.
2. Login process
1) Through a local client (such as a browser login page), the user enters the application identifier AI of the application to log in to, the registered account name user and the corresponding login password pw';
2) The local client sends the entered (AI, user, pw') to the TTP over a secure network channel; the TTP takes its key k and (AI, user, pw') as inputs of the dedicated algorithm f, computes x', and runs an authentication protocol based on x' with the application server designated by AI;
3) If authentication succeeds, the server returns a login-success message to the user via the TTP, and the user completes login to the system.
Further, the secure network channel must use a secure communication protocol.
Further, the TTP key k comes from a sufficiently large key space, for example a length of not less than 128 bits.
Further, the dedicated algorithm f is a secure algorithm, i.e. it is computationally infeasible to recover the input from the output of the algorithm, such as the SHA-256 algorithm or the AES encryption algorithm.
Further, the TTP plays the role of transforming the user password, which comes from a small space, into the secret x, which comes from a large space, and of storing the association between the application identifier AI and the corresponding server.
Further, a single user can register accounts on multiple different application servers through the same TTP, and can also register accounts in multiple applications on the same server; (AI, user) uniquely identifies which account in which application.
Further, the x stored on the server side can be the direct result computed by the TTP, or the result of encoding or transforming x.
Further, the authentication protocol between the TTP and the server is initiated and completed by the server. It can be the simple form of directly checking whether x' equals the locally stored x, or a challenge-response protocol based on the secret x initiated by the server side, for example an authentication method built on a pre-shared-key authentication protocol such as MAP1, DH-EKE or EVE1.
Compared with the prior art, the invention proposes a password authentication method resistant to server information leakage, with the following beneficial effects:
A) The user can complete identity authentication without adding a local token device, so no extra cost is imposed on the user (such as the cost introduced by the token device in two-factor authentication); and even if an adversary obtains the secret information stored on the server by some means, it still cannot guess the user's login password, so the login password is protected. In the invention, the trusted third party plays the role of transforming the user password, which comes from a small space, into the secret x, which comes from a large space.
B) The invention proposes a general framework and therefore has wide applicability; it is particularly suitable for network environments in which multiple servers are managed by the same authority, such as enterprise networks and campus networks.
Brief description of the drawings
Fig. 1 is an example diagram of the user registration process in an application system according to the invention.
Fig. 2 is an example diagram of the user login process in an application system according to the invention.
Embodiment
In order to make the objects, technical solutions and advantages of the invention clearer, the invention is described in detail below with reference to a specific embodiment and the drawings.
This embodiment illustrates a user registering in an application system (assumed to have been registered on the TTP) through the TTP and logging in to the system through the TTP, where the length of the TTP key k is 128 bits and the algorithm f used is SHA-256. The specific flow is as follows:
1. Registration process
As shown in Fig. 1, the registration process of a user in an application system is as follows:
1) The user sends the application identifier AI of the account to be registered, the self-chosen account name user and the login password pw to the TTP over a secure network channel;
2) The TTP takes its key k and the (AI, user, pw) sent by the user as inputs of f, computes a secret x = f(AI, user, pw, k), and sends (user, x) to the target server;
3) The server verifies the legitimacy of the user, stores (user, x) if legitimate, and returns a registration-success message to the TTP;
4) The TTP returns the registration-success message to the user; registration is now complete.
2. Login process
As shown in Fig. 2, the login process of a user in an application system is as follows:
1) At the local client (or browser), the user enters the application identifier AI of the application system to log in to, the login account name user and the corresponding login password pw';
2) The local client (or browser) sends the (AI, user, pw') entered by the user to the TTP over a secure network channel; the TTP takes the received information and its key k as inputs of f, computes x' = f(AI, user, pw', k), and sends (user, x') to the target server;
3) The target server receives (user, x') from the TTP and looks up the entry (user, x) for user in the locally stored user registration information; if the entry exists and its x equals x', it returns a login-success message to the TTP;
4) The TTP returns the login-success message to the user; login is now complete.
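The registration and login flows of this embodiment, together with the two server-side authentication forms given in the summary (direct comparison of x' with the stored x, and a server-initiated challenge-response with x as pre-shared key), as an added example that is not part of the patent. It assumes f(AI, user, pw, k) is instantiated as HMAC-SHA256 keyed with k, the standard way to use SHA-256 with a secret key (the patent names SHA-256 with k as an input and fixes no input encoding); the secure channels and the TTP-to-server link are modelled as direct method calls; the challenge-response branch uses an HMAC over a server nonce under x as a stand-in for the pre-shared-key protocols the patent lists (MAP1, DH-EKE, EVE1), which it does not implement; and every class, function and sample value (TTP, ApplicationServer, offline_dictionary_attack, conventional_store, the user alice, the password hunter2, the word list) is hypothetical.

```python
# Added example, not the patent's code: a runnable model of registration, login
# (direct comparison and server-initiated challenge-response) and of an offline
# dictionary attack on a leaked record. Assumption: f is HMAC-SHA256 keyed with k;
# channels are direct calls; all names are hypothetical.
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional


def encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so (AI, user, pw) cannot be confused by concatenation."""
    out = b""
    for s in fields:
        b = s.encode("utf-8")
        out += len(b).to_bytes(2, "big") + b
    return out


def f(k: bytes, ai: str, user: str, pw: str) -> bytes:
    """Secret x = f(AI, user, pw, k): a keyed one-way function of the login data."""
    return hmac.new(k, encode_fields(ai, user, pw), hashlib.sha256).digest()


class ApplicationServer:
    """Holds (user, x) records and authenticates requests arriving from the TTP."""
    USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

    def __init__(self) -> None:
        self.db: Dict[str, bytes] = {}        # user -> x; this is what may leak
        self._pending: Dict[str, bytes] = {}  # user -> outstanding challenge

    def register(self, user: str, x: bytes) -> bool:
        """Registration step 3: check the user name is well formed and new, then store."""
        if not self.USERNAME_RE.fullmatch(user) or user in self.db:
            return False
        self.db[user] = x
        return True

    def authenticate_direct(self, user: str, x_prime: bytes) -> bool:
        """Simple form (claim 2): the stored x must equal the x' sent by the TTP."""
        x = self.db.get(user)
        return x is not None and hmac.compare_digest(x, x_prime)

    def challenge(self, user: str) -> Optional[bytes]:
        """Challenge-response with x as pre-shared key (claim 4): server picks a nonce."""
        if user not in self.db:
            return None
        self._pending[user] = secrets.token_bytes(16)
        return self._pending[user]

    def verify_response(self, user: str, response: bytes) -> bool:
        c = self._pending.pop(user, None)  # one use per challenge
        if c is None:
            return False
        expected = hmac.new(self.db[user], c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class TTP:
    """Trusted third party: holds k and the registry of application identifiers."""
    def __init__(self, k: bytes) -> None:
        if len(k) < 16:  # the patent asks for a key space of at least 128 bits
            raise ValueError("k too short")
        self.k = k
        self.apps: Dict[str, ApplicationServer] = {}

    def register_application(self, ai: str, server: ApplicationServer) -> None:
        self.apps[ai] = server  # AI -> server mapping known to the TTP

    def register(self, ai: str, user: str, pw: str) -> bool:
        """Registration steps 1-4: derive x and hand (user, x) to the server for AI."""
        server = self.apps.get(ai)
        return server is not None and server.register(user, f(self.k, ai, user, pw))

    def login(self, ai: str, user: str, pw_prime: str, challenge_response: bool = False) -> bool:
        """Login steps 1-4: derive x' and run the authentication protocol with the server."""
        server = self.apps.get(ai)
        if server is None:
            return False
        x_prime = f(self.k, ai, user, pw_prime)
        if not challenge_response:
            return server.authenticate_direct(user, x_prime)
        c = server.challenge(user)
        if c is None:
            return False
        return server.verify_response(user, hmac.new(x_prime, c, hashlib.sha256).digest())


def conventional_store(ai: str, user: str, pw: str) -> bytes:
    """What a server stores without the TTP: an unkeyed hash of the password."""
    return hashlib.sha256(encode_fields(ai, user, pw)).digest()


def offline_dictionary_attack(leaked: bytes, ai: str, user: str, dictionary: List[str],
                              k: Optional[bytes] = None) -> Optional[str]:
    """Test candidates against a leaked record; without k only the unkeyed hash can be tried."""
    for guess in dictionary:
        candidate = conventional_store(ai, user, guess) if k is None else f(k, ai, user, guess)
        if hmac.compare_digest(candidate, leaked):
            return guess
    return None
```

With a 16-byte k, registering alice on the mail server and then running offline_dictionary_attack on a copy of mail.db without k returns None even when the word list contains the real password, whereas the same attack on conventional_store(...) recovers it; that contrast is the property the patent claims. Two limits follow from the design rather than from this code: the TTP sees plaintext passwords and holds k, so a TTP compromise restores the offline attack, and an adversary who holds a leaked x and can also reach the server over the TTP channel can authenticate as that user in either mode, so the TTP-to-server channel must be authenticated and online guessing through the TTP must be rate-limited.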
In summary, the invention proposes a password authentication method resistant to server information leakage, so that the user can complete identity authentication without adding a local token device and without any extra cost, and even if an adversary obtains the information stored on the server by some means it still cannot guess the user's login password, so the login password is protected. At the same time, the invention proposes a general framework and therefore has wide applicability; it is particularly suitable for network environments in which multiple servers are managed by the same authority, such as enterprise networks and campus networks.
The embodiment described above serves only to explain the objects, technical solutions and beneficial effects of the invention. It should be understood that the foregoing is merely a specific embodiment of the invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall fall within its scope of protection.
Claims (9)
1. A password authentication method resistant to server information leakage, whose steps are:
1) a user sends a chosen application identifier AI, account name user and login password pw to a trusted third party TTP over a secure channel;
2) the trusted third party TTP generates a secret value x from its key k and the information (AI, user, pw) sent by the user, and then sends (user, x) to the application server designated by the application identifier AI;
3) the application server verifies the legitimacy of the user information, stores the user's (user, x) information if verification passes, and returns a registration-success message to the user via the trusted third party TTP;
4) after the user enters login information comprising the application identifier AI, account name user and login password pw' at a client, the client sends the currently entered (AI, user, pw') to the trusted third party TTP over a secure channel, the trusted third party TTP computes a secret value x' from its key k and the currently received information (AI, user, pw'), and sends (user, x') to the application server designated by the application identifier AI for authentication; if authentication succeeds, the application server returns a login-success message to the user via the trusted third party.
2. The method of claim 1, characterised in that the application server authenticates as follows: according to the received information (user, x'), the application server looks up the entry (user, x) corresponding to user in the locally stored user registration information; if the entry exists and the corresponding x equals x', authentication succeeds.
3. The method of claim 2, characterised in that the application server stores the secret value x after encoding or transforming it; the application server applies the corresponding encoding or transformation to the secret value x' and compares the result with the correspondingly encoded or transformed x, and if they are equal, authentication succeeds.
4. The method of claim 1, 2 or 3, characterised in that the application server authenticates the user by a pre-shared-key authentication protocol that uses x, or x after encoding or transformation, as the pre-shared key.
5. The method of claim 1, 2 or 3, characterised in that the user registers accounts on multiple different application servers through the same trusted third party TTP.
6. The method of claim 1, 2 or 3, characterised in that the user registers accounts in multiple applications on the same application server, and the application server determines the application corresponding to each registered account according to (AI, user).
7. The method of claim 1, 2 or 3, characterised in that the key k comes from a key space of not less than 128 bits.
8. The method of claim 1, characterised in that the trusted third party computes the secret value x' from its key k and the currently received information (AI, user, pw') using a secure algorithm.
9. The method of claim 8, characterised in that the secure algorithm is the SHA-224 algorithm or the SHA-256 algorithm.
Priority Application (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510098392.4A CN104734856B (en) | 2015-03-05 | 2015-03-05 | A password authentication method resistant to server information leakage |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104734856A (en) | 2015-06-24 |
CN104734856B (en) | 2017-12-26 |
Family ID: 53458317
Country Status: CN, CN104734856B (en), Expired - Fee Related
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105897730A (en) * | 2016-05-12 | 2016-08-24 | 广西尊达电子商务有限公司 | User name and password information encryption and verification method |
CN106921663B (en) * | 2017-03-03 | 2020-04-10 | 浙江智贝信息科技有限公司 | Identity continuous authentication system and method based on intelligent terminal software/intelligent terminal |
CN109711173B (en) * | 2019-02-03 | 2020-10-09 | 北京大学 | Password file leakage detection method |
CN111314090B (en) * | 2020-03-25 | 2021-03-26 | 北京航空航天大学 | Secure multi-cloud password management method based on bit level threshold |
CN112671786B (en) * | 2020-12-29 | 2022-06-28 | 科来网络技术股份有限公司 | System and method for safe login based on third party authentication |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101304318A (en) * | 2008-07-04 | 2008-11-12 | 任少华 | Safe network authentication system and method |
CN102195957A (en) * | 2010-03-19 | 2011-09-21 | 华为技术有限公司 | Resource sharing method, device and system |
CN102739708A (en) * | 2011-04-07 | 2012-10-17 | 腾讯科技(深圳)有限公司 | System and method for accessing third party application based on cloud platform |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7694136B2 (en) * | 2003-02-10 | 2010-04-06 | International Business Machines Corporation | Method for distributing and authenticating public keys using hashed password protection |
AU2013243768B2 (en) * | 2012-04-01 | 2017-12-21 | Payfone, Inc. | Secure authentication in a multi-party system |
Non-Patent Citations (1)
Title |
---|
Cao Xuefei (曹雪菲), "Research on the theory and application of identity-based authentication protocols" (《基于身份的认证协议的理论及应用研究》), China Doctoral Dissertations Full-text Database, Information Science and Technology series, 2009-07-15 (No. 07), chapters 3-6 of the main text * |
Also Published As
Publication number | Publication date |
---|---|
CN104734856A (en) | 2015-06-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2017-12-26; Termination date: 2019-03-05 |