CN106230594B - A method of user authentication is carried out based on dynamic password - Google Patents

A method of user authentication is carried out based on dynamic password

Info

Publication number
CN106230594B
Authority
CN
China
Prior art keywords
user
password
dynamic password
seconds
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610579570.XA
Other languages
Chinese (zh)
Other versions
CN106230594A (en
Inventor
曾超
姜艳
沈学师
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur General Software Co Ltd
Original Assignee
Inspur General Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inspur General Software Co Ltd filed Critical Inspur General Software Co Ltd
Priority to CN201610579570.XA priority Critical patent/CN106230594B/en
Publication of CN106230594A publication Critical patent/CN106230594A/en
Application granted granted Critical
Publication of CN106230594B publication Critical patent/CN106230594B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for carrying out user authentication based on dynamic password. The process is as follows: the server side and the client side are configured with synchronized time, where the server side provides the authentication service and the client side requests it, so that the clocks stay synchronized with a time error within ten seconds; server-side user key configuration is carried out: all business management system accounts are initialized, a unique key is generated at random for each account, and each account's unique identifier and key information are recorded in prefabricated fields of a database table; the user's dynamic password is set up on the client, i.e. the key is input to the client by scanning a two-dimensional code generated by the authentication end or by manual input, and the server side then verifies the user's login information according to the dynamic password. Compared with the prior art, the method of the invention offers a larger dynamic password set, requires only the password for authentication, and is practical, widely applicable and easy to popularize.

Description

A method of user authentication is carried out based on dynamic password
Technical field
The present invention relates to the field of computer technology, specifically to a method for carrying out user authentication based on dynamic password.
Background technique
In a traditional business management system, the common user authentication mode requires the user to input a username and password and submit them to the server side, which compares them with the password this user set earlier and saved on the server side; authentication passes if they are consistent. With the gradual development of e-government, the number of government affairs business systems keeps growing, and these numerous business systems involve different network environments: some business systems are located on the government extranet and some on the government intranet, and the two networks are physically isolated from each other. Integrating government business systems therefore faces many technical difficulties, especially in the single-sign-on integration of business systems running on different networks, where direct data communication between the authentication center and each business system is infeasible.
In the prior art, a dynamic password is an unpredictable random combination of characters generated by a special algorithm; it is valid once within the current time period, after which, at a fixed cycle, it is dynamically updated and a new password is generated at random. Dynamic passwords are now widely used in fields such as telecom operators, banking, online games, e-government and enterprises. Because of their random unpredictability they are a safe and convenient account anti-theft technology that can effectively protect the security of system authentication; after adopting the dynamic password mode, users no longer need to configure and remember numerous complex passwords. On this basis, the present invention provides a method for carrying out user authentication based on dynamic password, using dynamic password technology to avoid the password leakage risk caused by improper user management and to guarantee the security of the business system at the user authentication step.
Summary of the invention
The technical task of the invention is to address the above deficiencies and provide a method for carrying out user authentication based on dynamic password.
A method for carrying out user authentication based on dynamic password is implemented as follows:
The server side and the client side are configured with synchronized time, where the server side is used to provide the authentication service and the client side is used to request the authentication service, so that the clocks stay synchronized with a time error within ten seconds;
Server-side user key configuration is carried out: all business management system accounts are initialized, a unique key is generated at random for each account, and each account's unique identifier and key information are recorded in prefabricated fields of a database table;
The user's dynamic password is set up on the client, i.e. the key is input to the client by scanning a two-dimensional code generated by the authentication end or by manual input, and the server side then verifies the user's login information according to the dynamic password.
Time configuration of the server side and the client side means that, via the Network Time Protocol, each computer and terminal device in the network keeps its time synchronized; the devices that keep time synchronized are physically isolated from one another with no direct data interaction between them, the configuration process is completed manually, and time consistency between devices with an error within 10 seconds is achieved.
The dynamic password refers to the password obtained through the TOTP dynamic password algorithm after the user has bound the initialized terminal device on the client.
The server side verifying user login information through the dynamic password means: when the user requests authentication, or submits the dynamic password in a business system to call the server-side interface, the server side checks the dynamic password; if the dynamic password is the password for this user's current time period or for the preceding or following time period, authentication passes, a redirect request with status 302 is created, and at the same time authentication state information, reversibly encrypted based on the user's unique identifier and the business system identifier, is added to the HTTP header.
"Authentication passes if the dynamic password is the password for this user's current time period or for the preceding or following time period" means that the server side keeps, for each user, the authentication passwords for the current 30-second period, the 30-second period before it and the 30-second period after it; that is, apart from authenticating correctly with the password for the current 30 seconds, the user also passes authentication with the password for the preceding 30 seconds or for the following 30 seconds. This resolves the errors of one password period (30 seconds) either way caused by time errors between the devices. The authentication is based on the server end keeping a hash table of all accounts' passwords in real time.
Compared with the prior art, the method of the invention for carrying out user authentication based on dynamic password has the following beneficial effects:
With the method of the invention, the user does not need to remember a fixed password set in each business system; user authentication is achieved by entering the 6 characters displayed by the initialized terminal device into the business management system. It is particularly suited to scenarios where the business systems are numerous, all kinds of passwords are hard to remember, and the security level of the business systems is high, and it achieves on-demand use so that the software product better meets the user's requirements to a certain extent. By combining single-sign-on integration of the business systems with dynamic passwords, unified user authentication is achieved across the government intranet and extranet under physical isolation. The password set can be configured dynamically by the user and per business system, and Chinese-character password sets are supported, giving a massive random password set so that brute-force guessing within a limited period is almost impossible. Android, iOS, Windows Mobile, Rest API and WebServices information interfaces are supported; the method is practical, widely applicable and easy to popularize.
Detailed description of the invention
Figure 1 is a diagram of the user dynamic password login authentication process of the invention.
Specific embodiment
The invention is further explained below with reference to the drawings and specific examples.
As shown in Fig. 1, the method of the invention for carrying out user authentication based on dynamic password is implemented as follows:
The server side and the client side are configured with synchronized time, where the server side is used to provide the authentication service and the client side is used to request the authentication service, so that the clocks stay synchronized with a time error within ten seconds;
Server-side user key configuration is carried out: all business management system accounts are initialized, a unique key is generated at random for each account, and each account's unique identifier and key information are recorded in prefabricated fields of a database table;
The user's dynamic password is set up on the client, i.e. the key is input to the client by scanning a two-dimensional code generated by the authentication end according to the international standard ISO/IEC 18004, or by manual input in an environment whose security is guaranteed, and the server side then verifies the user's login information according to the dynamic password.
Time configuration of the server side and the client side means that, via the Network Time Protocol, each computer and terminal device in the network keeps its time synchronized; the devices that keep time synchronized are physically isolated from one another with no direct data interaction between them, the configuration process is completed manually, and time consistency between devices with an error within 10 seconds is achieved, with the feature of tolerating a small range of time error.
The dynamic password refers to the password obtained through the TOTP dynamic password algorithm after the user has bound the initialized terminal device on the client.
The server side verifying user login information through the dynamic password means: when the user requests authentication, or submits the dynamic password in a business system to call the server-side interface, the server side checks the dynamic password; if the dynamic password is the password for this user's current time period or for the preceding or following time period, authentication passes, a redirect request with status 302 is created, and at the same time authentication state information, reversibly encrypted based on the user's unique identifier and the business system identifier, is added to the HTTP header.
"Authentication passes if the dynamic password is the password for this user's current time period or for the preceding or following time period" means that the server side keeps, for each user, the authentication passwords for the current 30-second period, the 30-second period before it and the 30-second period after it; that is, apart from authenticating correctly with the password for the current 30 seconds, the user also passes authentication with the password for the preceding 30 seconds or for the following 30 seconds. This resolves the errors of one password period (30 seconds) either way caused by time errors between the devices. The authentication is based on the server end keeping a hash table of all accounts' passwords in real time.
In addition, the invention abstracts business system single-sign-on authentication into an interface, i.e. the user authentication service is abstracted into one interface that includes services such as business system identification, user identification, user dynamic password authentication, time query and user authentication records, so as to provide a targeted implementation for each business system.
In the method of the invention, each user's private key is dynamically configurable; after the first configuration is completed, subsequent interactions carry no private key information, which is a security guarantee. The private key of each user is dynamically configurable in the business system, and changing or replacing each user's private key is supported. After the private key has been configured for the first time, the authentication interaction no longer carries the sensitive key information, ensuring that the key cannot be intercepted or stolen while in use.
The invention also supports the security authentication requirements of the government private network environment:
The government private network is the infrastructure network platform for information resource sharing and network office work among government units; it is completely physically isolated from the Internet and cannot have any direct data interaction with it. By manually setting the time of the business management system in the private network and of the terminal devices in the non-private network to near-synchronization, a second-level error is achieved, and security authentication can be realized across spatially isolated networks.
The business management system in the government private network is physically and spatially isolated from each user's authentication terminal device, which strictly controls the risk of two-way key exposure, so that malicious attacks other than brute-force guessing become impossible.
In the method of the invention, after the user's login information has been authenticated, key business operations are subject to dynamic audit and release of permissions:
Besides the authentication performed during login, configuration can support the audit of key business operations: a business operation is applied for by the user and audited and released by the service management personnel.
When a user accesses a business function that requires re-authentication, the business system requires the user to enter the instant dynamic password displayed by their terminal device into the business system and submit an application; the system forwards the application to the service management personnel for audit, after which the user successfully accesses the target business function.
Dynamic configuration management of key business operations is realized, ensuring the security requirements of key business operations.
Android mobile phone systems, iOS mobile phone systems and Web Service information interfaces are supported; Rest API and Web Service interface APIs are specifically provided for Android mobile phone systems, iOS mobile phone systems and each terminal interface to call.
Implementation example:
The invention includes the following contents and steps:
One: the workflow of dynamic password single-sign-on authentication, as shown in Fig. 1.
Two: the implementation method of authentication-end user key configuration.
(1) Design the fields used for user key configuration, recorded in table TOTP_USERKEYS.
(2) Design the fields for the user password code table, recorded in table TOTP_PWDTAB.
(3) Design the fields for the control table of the user's three dynamic passwords (current, preceding and following period), recorded in table TOTP_PWDLIST:
Three: design of the user authentication process part.
Design table AUTH_LIST to record the user authentication process; the structure of the table is as follows:
Four: design of business system request calls.
Design table INVOKE_LIST for recording; the structure of the table is as follows:
Five: design of authentication data transfer between business systems.
When the user requests authentication, or submits the dynamic password in a business system to call the authentication-end interface, the authentication end checks the dynamic password; if the dynamic password is the password for this user's current time period or for the preceding or following time period, authentication passes, a redirect request with status 302 is created, and at the same time authentication state information, reversibly encrypted based on the user's unique identifier and the business system identifier, is added to the HTTP header.
Those skilled in the art can readily implement the invention with the above specific embodiments. But it should be understood that the invention is not limited to the above specific embodiments. On the basis of the disclosed embodiments, those skilled in the art can arbitrarily combine different technical features to realize different technical solutions.
Apart from the technical features described in the specification, everything is technically known to those skilled in the art.

Claims (2)

1. A method for carrying out user authentication based on dynamic password, characterized in that it is implemented as follows:
the server side and the client side are configured with synchronized time, where the server side is used to provide the authentication service and the client side is used to request the authentication service, so that the clocks stay synchronized with a time error within ten seconds;
server-side user key configuration is carried out: all business management system accounts are initialized, a unique key is generated at random for each account, and each account's unique identifier and key information are recorded in prefabricated fields of a database table;
the user's dynamic password is set up on the client, i.e. the key is input to the client by scanning a two-dimensional code generated by the authentication end or by manual input, and the server side then verifies the user's login information according to the dynamic password;
the dynamic password refers to the password obtained through the TOTP dynamic password algorithm after the user has bound the initialized terminal device on the client;
the server side verifying user login information through the dynamic password means: when the user requests authentication, or submits the dynamic password in a business system to call the server-side interface, the server side checks the dynamic password; if the dynamic password is the password for this user's current time period or for the preceding or following time period, authentication passes, a redirect request with status 302 is created, and at the same time authentication state information, reversibly encrypted based on the user's unique identifier and the business system identifier, is added to the HTTP header;
"authentication passes if the dynamic password is the password for this user's current time period or for the preceding or following time period" means that the server side keeps, for each user, the authentication passwords for the current 30-second period, the 30-second period before it and the 30-second period after it; that is, apart from authenticating correctly with the password for the current 30 seconds, the user also passes authentication with the password for the preceding 30 seconds or for the following 30 seconds, which resolves the errors of one password period (30 seconds) either way caused by time errors between the devices; the authentication is based on the server end keeping a hash table of all accounts' passwords in real time.
2. The method for carrying out user authentication based on dynamic password according to claim 1, characterized in that time configuration of the server side and the client side means that, via the Network Time Protocol, each computer and terminal device in the network keeps its time synchronized; the devices that keep time synchronized are physically isolated from one another with no direct data interaction between them, the configuration process is completed manually, and time consistency between devices with an error within 10 seconds is achieved.
CN201610579570.XA 2016-07-22 2016-07-22 A method of user authentication is carried out based on dynamic password Active CN106230594B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610579570.XA CN106230594B (en) 2016-07-22 2016-07-22 A method of user authentication is carried out based on dynamic password

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610579570.XA CN106230594B (en) 2016-07-22 2016-07-22 A method of user authentication is carried out based on dynamic password

Publications (2)

Publication Number Publication Date
CN106230594A CN106230594A (en) 2016-12-14
CN106230594B true CN106230594B (en) 2019-06-25

Family

ID=57531232

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610579570.XA Active CN106230594B (en) 2016-07-22 2016-07-22 A method of user authentication is carried out based on dynamic password

Country Status (1)

Country Link
CN (1) CN106230594B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11843596B2 (en) 2021-06-30 2023-12-12 Micro Focus Llc Reregistration of client device with server device using user device

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790166A (en) * 2016-12-29 2017-05-31 郑州云海信息技术有限公司 A kind of method of safety certification, apparatus and system
CN106953872B (en) * 2017-04-18 2019-08-16 韵盛发科技(北京)股份有限公司 A kind of method and apparatus of business authentication
CN107277059A (en) * 2017-08-08 2017-10-20 沈阳东青科技有限公司 A kind of one-time password identity identifying method and system based on Quick Response Code
CN108833608B (en) * 2018-06-12 2021-04-27 北斗天地股份有限公司 Method for dynamically determining and changing server through password
CN108924104B (en) * 2018-06-21 2021-06-15 甘肃万维信息技术有限责任公司 E-government affair encryption and decryption method
CN111342964B (en) * 2020-05-15 2020-08-11 深圳竹云科技有限公司 Single sign-on method, device and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101741567A (en) * 2009-12-31 2010-06-16 北京飞天诚信科技有限公司 Dynamic password-based authentication method and device
CN101800644A (en) * 2010-01-11 2010-08-11 上海众烁信息科技有限公司 Computer security protection system and method based on dynamic countersign
CN103501228A (en) * 2013-08-01 2014-01-08 沈阳华矿新能源装备科技有限公司 Dynamic two-dimension code token and authentication method of dynamic two-dimension code instruction
CN105516104A (en) * 2015-12-01 2016-04-20 神州融安科技(北京)有限公司 Identity verification method and system of dynamic password based on TEE (Trusted execution environment)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8127142B2 (en) * 2005-09-09 2012-02-28 University Of South Florida Method of authenticating a user on a network


Also Published As

Publication number Publication date
CN106230594A (en) 2016-12-14

Similar Documents

Publication Publication Date Title
CN106230594B (en) A method of user authentication is carried out based on dynamic password
US9992176B2 (en) Systems and methods for encrypted communication in a secure network
US20180295137A1 (en) Techniques for dynamic authentication in connection within applications and sessions
US9350548B2 (en) Two factor authentication using a protected pin-like passcode
US8434137B2 (en) Method of securely logging into remote servers
TWI436627B (en) Method and apparatus for authenticatiing online transactions using a browser
CN105554098B (en) A kind of equipment configuration method, server and system
EP2932428B1 (en) Method of allowing establishment of a secure session between a device and a server
US20090300168A1 (en) Device-specific identity
CN107251035A (en) Account recovers agreement
CN105656862B (en) Authentication method and device
CN103780397A (en) Multi-screen multi-factor WEB identity authentication method convenient and fast to implement
WO2016068916A1 (en) Active authentication session transfer
Ferry et al. Security evaluation of the OAuth 2.0 framework
Beltran Characterization of web single sign-on protocols
US11716312B1 (en) Platform for optimizing secure communications
CN108347428A (en) Accreditation System, the method and apparatus of application program based on block chain
US9954853B2 (en) Network security
US20150328119A1 (en) Method of treating hair
KR101510290B1 (en) Apparatus for implementing two-factor authentication into vpn and method for operating the same
CN105681350A (en) Zero interaction double-factor authentication system and method
Binu et al. A mobile based remote user authentication scheme without verifier table for cloud based services
Gibbons et al. Security evaluation of the OAuth 2.0 framework
Paranjape et al. An approach towards security in private cloud using OTP
Chhabra et al. Strong authentication system along with virtual private network: A secure cloud solution for cloud computing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant