CN105187382B - Prevent from hitting the multiple-factor identity identifying method of storehouse attack - Google Patents

Prevent from hitting the multiple-factor identity identifying method of storehouse attack Download PDF

Info

Publication number
CN105187382B
CN105187382B CN201510473859.9A CN201510473859A CN105187382B CN 105187382 B CN105187382 B CN 105187382B CN 201510473859 A CN201510473859 A CN 201510473859A CN 105187382 B CN105187382 B CN 105187382B
Authority
CN
China
Prior art keywords
user
password
random number
server
mobile phone
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510473859.9A
Other languages
Chinese (zh)
Other versions
CN105187382A (en
Inventor
金方园
杨超
马建峰
李金库
安迪
何思蒙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University filed Critical Xidian University
Priority to CN201510473859.9A priority Critical patent/CN105187382B/en
Publication of CN105187382A publication Critical patent/CN105187382A/en
Application granted granted Critical
Publication of CN105187382B publication Critical patent/CN105187382B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a kind of multiple-factor identity identifying method for preventing from hitting storehouse attack, mainly solves the problems, such as that user password is subject to Brute Force and hits storehouse attack in website login system.The multiple-factor of the present invention is user password, mobile phone and bracelet, and three is indispensable, the common safety certification for completing user identity.Implementation step is:(1) user generates original master key with short password by termination key derivation functions, with reference to related two random numbers are processed twice to original master key respectively to bracelet and mobile phone, generates server storage password simultaneously presence server;(2) user combines two factors of bracelet and mobile phone and successively exports original master key and two different random numbers, generates server storage password;(3) user is with server storage password and server interaction certification.It is of the invention to generate different original master keys and safeguard protection for different web sites, it effectively prevent single password and be easily stolen and carry out the danger of identity camouflage.

Description

Prevent from hitting the multiple-factor identity identifying method of storehouse attack
Technical field
The invention belongs to field of information security technology, more particularly to a kind of user's entry password generation and storage method, tool Body is a kind of multiple-factor identity identifying method for preventing from hitting storehouse attack, the increasing available for authentication ability of the server to user By force and prevent user from leaking the entry password reused when dangerous website is registered.
Background technology
Secure communication on open network is one of study hotspot of contemporary cryptology.Core of the cryptography as information security Heart technology, there is provided the cryptographic algorithm such as enciphering/deciphering, eap-message digest, digital signature, confidentiality, the integrality of information can be realized And non repudiation.Password plays an important role in many aspects such as data protection, secure accessing, trust systems construction, It is to solve the most effective and most economical approach of information security issue.
Password is simply easy to remember, easy to use, without hardware supported.Therefore, the identity based on password authentication construction high quality Certification is an effective method of maturation.The security that password authentication key exchanges places one's entire reliance upon the confidentiality of user password, Therefore, the protection to password is particularly important.But security issues become increasingly urgent in open environment, password is only relied on to confirm identity Authentication mode be faced with stern challenge.When user inputs password, it is subject to prison and peeps;Or computer poisoning, input through keyboard During password, trojan horse program can record input through keyboard;For the convenience of memory, user is generally by phone number, birthday, number etc. The numeral easily remembered easily guesses that security is poor as password, user password.And user is in order to facilitate easy to remember, usually Same password is used in multiple different websites, further triggers and hits storehouse attack, it is hacker by having collected internet to hit storehouse The user of leakage and encrypted message, dictionary table corresponding to generation, attempt after batch logs in other websites, to obtain a series of to step on The user of record.Many users use identical account number cipher in different web sites, therefore hacker can be by obtaining user in A The account of website is so as to logon attempt B network address, and this is it can be understood that to hit storehouse attack.
Existing password disposably generates in registration phase through user mostly, and is stored in service directly or through simple encryption Device end, operation of confusion is not carried out to ensure that it is not used in the case of stolen by disabled user.And entry stage is excessively simple, Authentication ability to user is not strong enough, and disabled user can start with from the larger server end of target, steal and can be used directly User password, and palm off validated user identity logs website.For the security of strengthening system, the mechanism quilt of double factor authentication It is proposed, i.e., on the basis of the password factor, increase a physical agent, such as smart card, password card, electronic passwords board etc..Even if One certification factor is broken, and two-factor authentication system is still safe.But these certification factors are not user's custom mostly The equipment carried with, such as smart card reader or Fingerprint Identification Unit, lack practicality;And simply simply store or show Show information, be not engaged in the calculating process that user generates password, if device losses, the factor can be utilized easily by attacker, Security is low.
The content of the invention
It is an object of the invention to overcome the shortcomings of above-mentioned prior art, a kind of multiple-factor body for preventing from hitting storehouse attack is proposed Identity authentication method, it is characterised in that the multiple-factor includes user password, mobile phone and bracelet, and three is indispensable, multiple-factor The common registration and login for participating in completing user, specific implementation step of the invention include:
(1) initial phase:
1a) complete bracelet initialization:Registration activation bracelet, and bind it on the mobile phone terminal that user U is specified, it is ensured that hand Ring has Bluetooth function, and can carry out bluetooth connection with associated mobile phone terminal;
1b) ensure that user U at the PC ends that registration phase uses is safe and reliable;
(2) registration phase:
User U utilizes short password pwd at PC ends, by stopping key derivation functions (HKDF), generate original master key k and Verify character string v;By shaking the hand, ring generates random number x, and using original master key k and random number x, at PC ends, generation security adds Strong user's registration password pu;User U is registered first in server S, and server S is that the user U generates random number y, profit With user's registration password pu and random number y, the stronger server storage password ps of generation security;User U utilizes mobile phone terminal string Code IMEI and short password pwd hash values, the random number y that encryption server S is sent, in mobile phone terminal generation hiding information ctext; Server S is finally stored securely in user's registration information in database, and log-on message includes:Identity id, hiding information Ctext, user mobile phone number num, verify character string v and server storage password ps;
(3) pre- entry stage:
3a) the identity id of oneself is sent to server S by user U;
It is corresponding with User Identity id hidden in searching data storehouse after 3b) server S receives User Identity id Hide information ctext and checking character string v, then generate a random number challenge, and by random number challenge with it is hidden Hide information ctext and checking character string v sends back to user U together;
3c) the checking character string v that user U is sent using server, and on mobile phone terminal input registration phase use it is short Password pwd, the original master key k, i.e. HKDF.Extract (v, pwd) → (k) of export registration phase generation are calculated by HKDF:
3d) the random number x that user U is gone in ring when being registered for generation by shaking the hand, and random number x sent by bluetooth in one's hands In generator terminal;
3e) user U utilizes original master key k and random number x, generation user's registration password pu in mobile phone terminal;
3f) user U utilizes mobile phone terminal string code IMEI and short password pwd hash values, decrypts hiding information ctext, obtains The random number y of registration phase Website server generation;User's registration password pu and random number y is utilized in mobile phone terminal again, is generated Server storage password ps;
(4) entry stage:
4a) the user U combinations server storage password ps and random number challenge received, calculate message authentication code R= MAC (ps, challenge), and message authentication code R is sent to server S;
After 4b) server S receives message authentication code R, the service corresponding with User Identity id in searching data storehouse Device stores password ps, in conjunction with challenge, calculates message authentication code R '=MAC (ps, challenge);Finally, use is compared The message authentication code R ' that the message authentication code R that family U is sent calculates with server S, if equal, user U is allowed to log in;It is no Then, logging request is refused.
The present invention strengthens the security of the key by combining two factor mobile phones and bracelet, to prevent malicious attacker By the weaker website of attack-defending ability to obtain the user account and password in its database, thereby using these Thus the information disguising of leakage steals more individuals into other more valuable websites of the identity logon attempt of validated user Information, further prevent from hitting privacy information that place obtains by offender using carrying out the crime such as swindling.Enhance server Verify login user identity ability, fundamentally avoid hit storehouse attack may be to the loss that user brings.
The present invention has advantages below compared with prior art:
1. user need to only remember a simple short password pwd in the present invention, by stopping key derivation functions (HKDF) different random number r is inputted, so as to generate different original master key k and checking character string v, root for different web sites The generation for hitting storehouse attack is avoided in sheet;It is further ensured that and is also differed for different web sites, user's registration password pu, even if dislikes Meaning server is conspired, and also can not obtain log-in password of the user in other security websites by cracking user profile;Service Device stores password ps and is generated different random number y for different user by server and obtained, and different server is for same The random number y of user's generation is also different from, so as to again avoiding the generation for hitting storehouse attack;
2. the present invention has carried out combining polyfactorial computing twice to original master key k, enhance and user identity is carried out The ability of checking, it effectively prevent the single password factor and be easily stolen and carry out the danger of identity camouflage;The present invention will easily Bracelet is as another factor in addition to the mobile phone factor, the server storage mouth using the generation of bracelet auxiliary eventually for login Ps is made, it is user-friendly, have a wide range of application.
Brief description of the drawings
Fig. 1 is the general flow chart of the present invention;
Fig. 2 is the sub-process figure in user's registration stage in the present invention;
Fig. 3 is the sub-process figure of the pre- entry stage of user in the present invention;
Fig. 4 is the sub-process figure of user's entry stage in the present invention.
Embodiment
Embodiment of the present invention is further illustrated below by the drawings and specific embodiments.
Mostly by the poor short password of security, password is simply easily guessed and is easier to repeat to make for authentication at this stage With different user easily uses identical simple challenge, is subject to Brute Force attack;Same user uses phase in different web sites Same password, it is subject to hit storehouse attack.Therefore, the present invention expands exploration and research, it is proposed that one kind can prevent Brute Force from attacking Hit and hit the multiple-factor identity identifying method of storehouse attack.
Embodiment 1
The present invention is a kind of multiple-factor identity identifying method for preventing from hitting storehouse attack, and multiple-factor includes user in the present invention Password, mobile phone and bracelet, three is indispensable, and multiple-factor participates in completing the registration and login of user, reference picture 1, this hair jointly Bright specific implementation step includes:
(1) initial phase:
1a) complete bracelet initialization:Registration activation bracelet, and bind it on the mobile phone terminal that user U is specified, it is ensured that hand Ring has Bluetooth function, and can carry out bluetooth connection with associated mobile phone terminal.
1b) ensure that user U at the PC ends that registration phase uses is safe and reliable.
(2) registration phase:
Short password pwds of the user U at PC ends using oneself convenient memory, by stopping key derivation functions (HKDF), life Into original master key k and checking character string v;By shaking the hand, ring generates random number x, using original master key k and random number x, The user's registration password pu that PC ends generation security is strengthened;User U is registered first in server S, and server S is the user U generates random number y, utilizes user's registration password pu and random number y, the stronger server storage password ps of generation security;With Family U utilizes mobile phone terminal string code IMEI and short password pwd hash values, the random number y that encryption server S is sent, is given birth in mobile phone terminal Into hiding information ctext;Server S is finally stored securely in user's registration information in database, and log-on message includes:Identity Id, hiding information ctext, user mobile phone number num are identified, verifies character string v and server storage password ps.
The present invention has carried out combining polyfactorial computing twice to safer original master key k, with random number x to original Master key k has carried out an operation of confusion generation user's registration password pu, and user's registration password pu is mixed with random number y Computing of confusing generates server storage password ps, has carried out computing twice equivalent to original master key k, has enhanced to user identity The ability verified, it effectively prevent the single password factor and be easily stolen and carry out the danger of identity camouflage.And finally with Family identity id, hiding information ctext, user mobile phone number num, character string v and server storage password ps is in target for checking Server S is registered.
Registration phase is disposable in the present invention, is the initial setting up that user U has to carry out.User U needs simultaneously Possess PC ends, bracelet and mobile phone this three successfully could interact registration with target website server S, and this meets user U and existed Carry out focusing on safe and complete rather than quick characteristic during only once registration.After successfully completing registration phase, when user U wants Using targeted website service when, you can into login process, now, user U only can come and service by mobile phone and bracelet Device is interacted without PC ends, and this meets user U and more focuses on simple and efficient demand in multiple login process afterwards Characteristic.Pre- landing phase is carried out continuously with entry stage, and they collectively form the login process of complete set, and this hair The bright security that ensure that login process.
(3) pre- entry stage:
Reference picture 3, this step are implemented as follows:
3a) the identity id of oneself is sent to server S by user U.
It is corresponding with User Identity id hidden in searching data storehouse after 3b) server S receives User Identity id Hide information ctext and checking character string v, then generate a random number challenge, and by random number challenge with it is hidden Hide information ctext and checking character string v sends jointly to user U.
3c) the checking character string v that user U is sent using server S, and on mobile phone terminal input registration phase use it is short Password pwd, the original master key k, i.e. HKDF.Extract (v, pwd) → (k) of export registration phase generation are calculated by HKDF.
From the characteristic of HKDF functions, if the short password pwd for decryption verification character string v of disabled user's input Incorrect, HKDF.Extract () function cyclically will go down in computing, it is impossible in time, be properly generated original master key k.This Even if ensuring that attacker takes checking character string v, original master key k also therefrom can not be accurately drawn, more can not be further Generate the server storage password ps for Website login.
3d) the random number x that user U is gone in ring when being registered for generation by shaking the hand, and random number x sent by bluetooth in one's hands In generator terminal.
3e) user U utilizes original master key k and random number x, generation user's registration password pu in mobile phone terminal.
3f) user U utilizes mobile phone terminal string code IMEI and short password pwd hash values, decrypts hiding information ctext, obtains The random number y of registration phase Website server generation;User's registration password pu and random number y is utilized in mobile phone terminal again, is generated Server storage password ps.
(4) entry stage:
Reference picture 4, this step are implemented as follows:
4a) user U combines the server storage password ps that pre- entry stage calculates and the random number received Challenge, message authentication code R=MAC (ps, challenge) is calculated, and message authentication code R is sent to server S.
After 4b) server S receives message authentication code R, the service corresponding with User Identity id in searching data storehouse Device stores password ps, in conjunction with challenge, calculates message authentication code R '=MAC (ps, challenge);Finally, use is compared The message authentication code R ' that the message authentication code R that family U is sent calculates with server S, if equal, user U is allowed to log in;It is no Then, logging request is refused.
Present invention uses two in addition to password multiple-factor, i.e. mobile phone and bracelet, and they are people in actual life The two intelligent movable equipment carried be familiar with and generally used, with traditional multiple-factor physical equipment such as smart card, electronics Password board etc., which is compared, has the advantages of more popularizing.When using bracelet multiple-factor, in order to strengthen the security of the factor, profit Computing factor i.e. random number x is generated with gravity sensing device record user behavior custom feature in bracelet.Even if bracelet is fallen into In attacker's hand, attacker can not replicate the behavioural characteristic that user rocks bracelet because not knowing the behavioural habits of the user, Therefore bracelet information can not also be obtained.
Embodiment 2
Prevent from hitting the multiple-factor identity identifying method of storehouse attack with embodiment 1, reference picture 2, the user's registration stage it is specific Realize as follows:
2a) user U for the current destination server S for wishing to register select random number a r, an iterations t and The short password pwd of oneself convenient memory, calculate one ostensible checking character string v of generation at PC ends using HKDF and one true Fixed original master key k, i.e. HKDF.Prepare (r, t, pwd) → (v, k).
When generating original master key k, user U can utilize the characteristic of HKDF functions, selection life according to security level Into original master key k complexity, that is, select iterations t:For domestic consumer, it is less that iterations may be selected Key generates computing;Enterprise or individual for needing more high safety rank, the more key generation fortune of iterations may be selected Calculate.Moreover, user U can be according to the HKDF functions of existing shaping, the manual abort user interface when it carries out prepare computings To complete the selection to iterations t.
Here short password pwd is to beginning to existing only in eventually in user's brain, not in the poor network environment of security Be transmitted, so user is when selecting short password pwd, even if using as the security such as phone number, date of birth it is relatively low Weak passwurd nor affect on overall security, and because the original master key k of HKDF computings generation is random string, and extremely It is 128 bits less, security is ensured.
2b) user U is accustomed to ring of shaking the hand by factum, generates a random number x, and random number x is sent by bluetooth To mobile phone terminal, user U in mobile phone terminal eye recognition random number x, using can input equipment such as keyboard random number x is input to PC End, and original master key k and random number x is combined at PC ends, generation user's registration password pu;In other words, as using at random Number x is processed for the first time to original master key k, obtains the user's registration password pu of security reinforcement.
2c) user U sends the identity id of oneself, phone number num, checking character string v by PC ends to server S With user's registration password pu.
After 2d) server S receives the log-on message that user U is sent, server S is that the user generates one uniquely at random Y is counted, and y is sent to by secure short message channel the mobile phone terminal of the registered numbers of user U.
2e) server S utilizes user's registration password pu and random number y, generates server storage password ps, and by ps with using Family identity id is stored in database, then, forgets about y;Wherein, server S passes through user's log-in password pu and random number Y, server storage password ps is calculated, because user's registration password pu is that original master key k is carried out just by random number x Secondary process obtains, so here it can be appreciated that be that random number y carries out secondary operation to original master key k, obtains safety The stronger server storage password ps of property.
2f) user U utilizes mobile phone terminal string code IMEI and short password after the random number y that mobile phone terminal receives that server S is sent Pwd hash values, random number y is encrypted, the hiding information ctext after generation encryption, and hiding information ctext is passed through Secure network communications channel is sent to server S, and user U can forget about hiding information ctext after sending successfully.So do both to User U mitigates memory burden, and safeguard protection is got up in the form of hiding information by random number y.
After 2g) server S receives the hiding information ctext of user U transmissions, by hiding information ctext and corresponding user's account Number identity id, user mobile phone number num, checking character string v and server storage password ps be stored together as user Log-on message.These information closely related safely with user account are stored in server database, so as to mitigate user Store pressure.
The termination key derivation functions (Halting Key Derivation Functions) used in the present invention are one The function of kind generation key, this function are divided into two parts:Key-function HKDF.prepare () and cipher key-extraction function HKDF.extract().HKDF.prepare () function with the secret value (such as password, private key) of user, iterations and with Machine character string exports key and the ciphertext on the key (exports original master key and authenticator in the present invention as input Symbol string).HKDF.extract () function exports key using the ciphertext on key and the secret value of user as input.In key In the extraction stage, if user fails to input correct secret value to HKDF.extract () function, the function can not be according to just True number stops interative computation in time, and properly generates key, and function will also continue cycling through ground interative computation and go down. In the case that checking character string v is fallen into attacker's hand, short password pwd of the attacker due to not knowing user, with regard to nothing Method obtains the original master key k of registration phase generation of the present invention, i.e., can not further obtain on any of subscriber authentication Effective information.
Embodiment 3
Prevent from hitting the multiple-factor identity identifying method of storehouse attack with embodiment 1-2, registration phase step 2b) in generation with Machine number x is that the bracelet that one of multiple-factor is rocked by user obtains, and user, which rocks bracelet, has behavioural characteristic, for not Same user, because behavioural habits are different, in pre- entry stage, even if attacker obtains user's bracelet, because can not be accurate The behavioural characteristic that user U rocks bracelet in generation random number x for the first time is imitated, also can not just accurately generate matching registration phase Random number x, so having certain protective effect to random number x.Random number x is bound using bluetooth short range transmission to user Mobile phone on, attacker is difficult the mobile phone and bracelet for obtaining user simultaneously, also can not just transmit random number x, and this embodies this hair Bright middle multiple-factor participates in jointly, indispensable characteristic, also embodies effective protection of the multiple-factor to legal user password safety And the multiple limitation of behavior is logged in disabled user.
Embodiment 4
Prevent from hitting the multiple-factor identity identifying method of storehouse attack with embodiment 1-3, user's registration password pu generation be by After original master key k and random number x are connected in series, obtained by hash computings, wherein, original master key k is as message First half, random number x are attached to latter half of the original master key k end as message, then to the newly-generated message Hash computings are done, obtain user's registration password pu=hash (then x).
Embodiment 5
Prevent that hit the multiple-factor identity identifying method attacked in storehouse is with embodiment 1-4, server storage password ps generation Register customers as after password pu and random number y is connected in series, obtaining by hash computings, wherein, user's registration password pu makees For the first half of message, random number y is attached to latter half of the user's registration password pu end as message, then new to this The message of generation does hash computings, obtains server storage password ps=hash (hash (k | | x) | | y).
Embodiment 6
For the multiple-factor identity identifying method for preventing from hitting storehouse attack with embodiment l-5, hiding information ctext generation is by hand After machine string code IMEI and short password pwd hash values are connected in series, symmetric cryptography fortune is carried out to the random number y of server S generation Calculation Encrypt (IMEI | | hash (pwd), y) obtain, wherein, first halfs of the mobile phone string code IMEI as encryption key is short Password pwd hash values are attached to latter half of the mobile phone string code IMEI end as encryption key, and random number y is to need to encrypt Plaintext.
Above description is only some instantiations of the present invention, and any restrictions of not paired enough the present invention.Obviously for , all may be without departing substantially from the principle of the invention, structure after present invention and principle has been understood for one of skill in the art In the case of, the various modifications and variations in progress form and details, but these modifications and variations based on inventive concept Still within the claims of the present invention.

Claims (6)

1. a kind of multiple-factor identity identifying method for preventing from hitting storehouse attack, it is characterised in that the multiple-factor, which includes, uses the registered permanent residence Order, mobile phone and bracelet, three is indispensable, and the common registration and login for participating in completing user, authentication method includes following step Suddenly:
(1) initial phase:
1a) complete bracelet initialization:Registration activation bracelet, and bind it on the mobile phone terminal that user U is specified, it is ensured that bracelet has There is Bluetooth function, and bluetooth connection can be carried out with associated mobile phone terminal;
1b) ensure that user U at the PC ends that registration phase uses is safe and reliable;
(2) registration phase:
Short password pwds of the user U at PC ends using oneself convenient memory, by stopping the key in key derivation functions (HKDF) Generating function HKDF.prepare (), generate original master key k and checking character string v;Random number x, profit are generated by ring of shaking the hand With original master key k and random number x, the user's registration password pu that generation security is strengthened at PC ends;User U enters in server S Row is registered first, and server S is that the user U generates random number y, using user's registration password pu and random number y, generates security Stronger server storage password ps;User U utilizes mobile phone terminal string code IMEI and short password pwd hash values, encryption server S The random number y sent, in mobile phone terminal generation hiding information ctext;User's registration information is finally stored securely in number by server S According in storehouse, log-on message includes:Identity id, hiding information ctext, user mobile phone number num, verify character string v and service Device storage password ps;
(3) pre- entry stage:
3a) the identity id of oneself is sent to server S by user U;
After 3b) server S receives User Identity id, the hiding letter corresponding with User Identity id in searching data storehouse Ctext and checking character string v are ceased, then generates a random number challenge, and by random number challenge with hiding letter Breath ctext and checking character string v send jointly to user U;
3c) the checking character string v that user U is sent using server S, and the short password that registration phase uses is inputted on mobile phone terminal Pwd, export registration phase life is calculated by stopping the cipher key-extraction function HKDF.extract () in key derivation functions HKDF Into original master key k, i.e. HKDF.Extract (v, pwd) → (k);
3d) the random number x that user U is gone in ring when being registered for generation by shaking the hand, and random number x is sent to mobile phone terminal by bluetooth On;
3e) user U utilizes original master key k and random number x, generation user's registration password pu in mobile phone terminal;
3f) user U utilizes mobile phone terminal string code IMEI and short password pwd hash values, decrypts hiding information ctext, is registered The random number y of stage Website server generation;Again user's registration password pu and random number y, generation service are utilized in mobile phone terminal Device storage password ps;
(4) entry stage:
4a) the user U combinations server storage password ps and random number challenge received, calculate message authentication code R=MAC (ps, challenge), and message authentication code R is sent to server S;
After 4b) server S receives message authentication code R, the server corresponding with User Identity id is deposited in searching data storehouse Password ps is stored up, in conjunction with challenge, calculates message authentication code R '=MAC (ps, challenge);Finally, user U hairs are compared The message authentication code R ' that the message authentication code R sent calculates with server S, if equal, user U is allowed to log in;Otherwise, refuse Logging request.
2. the multiple-factor identity identifying method according to claim 1 for preventing from hitting storehouse attack, it is characterised in that the user The specific steps of registration phase include:
2a) user U selects random number a r, an iterations t and short mouth for the current destination server S for wishing to register Pwd is made, generation one is calculated at PC ends using the key-function HKDF.prepare () stopped in key derivation functions HKDF Individual ostensible checking character string v and the original master key k, i.e. HKDF.Prepare (r, t, pwd) → (v, k) of a determination;
2b) user U generates a random number x, random number x is sent to mobile phone terminal by bluetooth, and user U is in hand by ring of shaking the hand Generator terminal eye recognition random number x, random number x is input to PC ends using input equipment, and original master key k is utilized at PC ends With random number x, generation user's registration password pu;
2c) user U sends the identity id of oneself, phone number num by PC ends to server S, verifies character string v and use Family log-in password pu;
After 2d) server S receives the log-on message that user U is sent, server S is that the user generates a unique random number y, And y is sent to by secure short message channel the mobile phone terminal of the registered numbers of user U;
2e) server S utilizes user's registration password pu and random number y, generates server storage password ps, and by ps and user's body Part mark id is stored in database, then, forgets about y;
2f) user U utilizes mobile phone terminal string code IMEI and short password pwd after the random number y that mobile phone terminal receives that server S is sent Hash values, random number y is encrypted, hiding information ctext is generated, and hiding information ctext is led to by secure network Letter channel is sent to server S, and user U can forget about hiding information ctext after sending successfully;
After 2g) server S receives the hiding information ctext of user U transmissions, by hiding information ctext and corresponding user account Identity id, user mobile phone number num, checking character string v and server storage password ps are stored together as user's registration Information.
3. the multiple-factor identity identifying method according to claim 2 for preventing from hitting storehouse attack, it is characterised in that the step The random number x of generation in 2b) is user to be rocked to obtain by bracelet have behavioural characteristic, and near using bluetooth Distance Transmission is on the mobile phone of binding.
4. the multiple-factor identity identifying method according to claim 1 or 2 for preventing from hitting storehouse attack, it is characterised in that described User's registration password pu generation is after being connected in series original master key k and random number x, to be obtained by hash computings, its In, first halfs of the original master key k as message, random number x is attached to original master key k end as the later half of message Part, then hash computings are done to the newly-generated message, obtain user's registration password pu=hash (k | | x).
5. the multiple-factor identity identifying method according to claim 1 or 2 for preventing from hitting storehouse attack, it is characterised in that described Server storage password ps generation is to register customers as after password pu and random number y is connected in series, obtaining by hash computings , wherein, first halfs of the user's registration password pu as message, the end that random number y is attached to user's registration password pu is made For the latter half of message, then hash computings are done to the newly-generated message, obtain server storage password ps=hash (hash (k||x)||y)。
6. the multiple-factor identity identifying method according to claim 1 or 2 for preventing from hitting storehouse attack, it is characterised in that described Hiding information ctext generation is after mobile phone string code IMEI and short password pwd hash values are connected in series, and server S is given birth to Into random number y carry out what symmetric encryption operation Encrypt (IMEI | | hash (pwd), y) was obtained, wherein, mobile phone string code IMEI As the first half of encryption key, short password pwd hash values are attached to mobile phone string code IMEI end as encryption key Latter half, random number y is the plaintext that need to encrypt.
CN201510473859.9A 2015-08-05 2015-08-05 Prevent from hitting the multiple-factor identity identifying method of storehouse attack Active CN105187382B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510473859.9A CN105187382B (en) 2015-08-05 2015-08-05 Prevent from hitting the multiple-factor identity identifying method of storehouse attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510473859.9A CN105187382B (en) 2015-08-05 2015-08-05 Prevent from hitting the multiple-factor identity identifying method of storehouse attack

Publications (2)

Publication Number Publication Date
CN105187382A CN105187382A (en) 2015-12-23
CN105187382B true CN105187382B (en) 2018-03-06

Family

ID=54909226

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510473859.9A Active CN105187382B (en) 2015-08-05 2015-08-05 Prevent from hitting the multiple-factor identity identifying method of storehouse attack

Country Status (1)

Country Link
CN (1) CN105187382B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106059764B (en) * 2016-08-02 2019-05-03 西安电子科技大学 Based on the password and fingerprint tripartite's authentication method for terminating key derivation functions
CN106453352B (en) * 2016-10-25 2020-04-17 电子科技大学 Single-system multi-platform identity authentication method
CN106934275B (en) * 2017-01-22 2020-10-16 华东师范大学 Password strength evaluation method based on personal information
CN107835506B (en) * 2017-10-26 2022-04-22 努比亚技术有限公司 Bluetooth communication method, Bluetooth device and computer readable storage medium
CN110365626B (en) * 2018-04-09 2022-12-06 厦门雅迅网络股份有限公司 User login security authentication method for anti-collision library, terminal equipment and storage medium
CN109711173B (en) * 2019-02-03 2020-10-09 北京大学 Password file leakage detection method
CN112100611A (en) * 2020-08-14 2020-12-18 广州江南科友科技股份有限公司 Password generation method and device, storage medium and computer equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7546276B2 (en) * 2006-01-23 2009-06-09 Randle William M Common authentication service for network connected applications, devices, users, and web services
CN103024706A (en) * 2013-01-10 2013-04-03 甘肃省科学技术情报研究所 Short message based device and short message based method for bidirectional multiple-factor dynamic identity authentication
CN104468581A (en) * 2014-12-10 2015-03-25 小米科技有限责任公司 Method and device for logging into application program

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8251286B2 (en) * 2009-11-24 2012-08-28 Magtek, Inc. System and method for conducting secure PIN debit transactions
US9412283B2 (en) * 2012-12-31 2016-08-09 Piyush Bhatnagar System, design and process for easy to use credentials management for online accounts using out-of-band authentication

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7546276B2 (en) * 2006-01-23 2009-06-09 Randle William M Common authentication service for network connected applications, devices, users, and web services
CN103024706A (en) * 2013-01-10 2013-04-03 甘肃省科学技术情报研究所 Short message based device and short message based method for bidirectional multiple-factor dynamic identity authentication
CN104468581A (en) * 2014-12-10 2015-03-25 小米科技有限责任公司 Method and device for logging into application program

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Multi-factor authentication in key management systems;Rick Lopes de Souza等;《Trust,Security and Privacy in Computing and Communications(TrustCom),2013 12th IEEE International Conference on》;20130718;全文 *
ZigBee节点多因子身份认证方案研究;周伟伟 等;《系统仿真学报》;20150519;全文 *

Also Published As

Publication number Publication date
CN105187382A (en) 2015-12-23

Similar Documents

Publication Publication Date Title
CN105187382B (en) Prevent from hitting the multiple-factor identity identifying method of storehouse attack
US10027631B2 (en) Securing passwords against dictionary attacks
CN100545852C (en) Verification System and authentication method
US8132020B2 (en) System and method for user authentication with exposed and hidden keys
US10320564B2 (en) System and method for generating and depositing keys for multi-point authentication
CN108965338B (en) Three-factor identity authentication and key agreement method under multi-server environment
CN102026195B (en) One-time password (OTP) based mobile terminal identity authentication method and system
US20100332841A1 (en) Authentication Method and System
WO2013117019A1 (en) Method and device for system login based on dynamic password generated autonomously by user
Shunmuganathan et al. Secure and efficient smart-card-based remote user authentication scheme for multiserver environment
JP2016502377A (en) How to provide safety using safety calculations
CN105516201A (en) Lightweight anonymous authentication and key negotiation method in multi-server environment
CN103905437B (en) Remote protocol authentication method based on passwords
Jarecki et al. Two-factor authentication with end-to-end password security
EP2150915B1 (en) Secure login protocol
CN106789032B (en) Single password three-party authentication method for secret sharing between server and mobile equipment
TWI522841B (en) Anonymity authentication method in multi-server environments
CN109040060B (en) Terminal matching method and system and computer equipment
CN106059764B (en) Based on the password and fingerprint tripartite's authentication method for terminating key derivation functions
CN107615797B (en) Device, method and system for hiding user identification data
Li et al. Two-factor user authentication in multi-server networks
EP3101609A1 (en) Dual-channel identity authentication selection device, system and method
Pranata et al. 2FYSH: two-factor authentication you should have for password replacement
Doshi et al. A Novel Approach for Biometric Based Remote User Authentication Scheme using Smart Card
Mehra et al. Remote user authentication and issues: a survey

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant