CN106921640A - Identity identifying method, authentication device and Verification System - Google Patents
- Publication number: CN106921640A (application CN201511001209.0A)
- Authority: CN (China)
- Prior art keywords: server, identity, random number, user, cryptographic hash
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All classifications fall under H04L (transmission of digital information), in the groups H04L63/00 (network architectures or protocols for network security) and H04L9/00 (cryptographic mechanisms or arrangements for secret or secure communications; network security protocols):
- H04L63/083: authentication of entities using passwords
- H04L63/0815: authentication of entities providing single-sign-on or federations
- H04L63/0876: authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L9/0863: generation of secret information (derivation or calculation of cryptographic keys or passwords) involving passwords or one-time passwords
- H04L9/0869: generation of secret information involving random numbers or seeds
- H04L9/3236: means for verifying the identity or authority of a user of the system or for message authentication (entity authentication, data integrity, non-repudiation, key authentication or verification of credentials) using cryptographic hash functions
- H04L9/3242: the same, involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
Abstract
The invention provides an identity authentication method, an identity authentication device and an identity authentication system. The identity authentication method comprises the following steps: generating first user-identity verification information; sending the first user-identity verification information to a server; receiving server-identity verification information returned by the server, the server-identity verification information being information the server generates after performing user identity verification according to the received first user-identity verification information, and only when that verification passes; and verifying the server's identity according to the returned server-identity verification information, where if the verification fails the user's login to the server fails, and if it passes the first condition for the user to log in to the server is met. The invention thus provides not only the server's verification of the user's identity but also the user's verification of the server's identity. This bidirectional identity authentication avoids attacks caused by a forged server identity and also resists message replay attacks by an attacker.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to an identity authentication method, an identity authentication device and an identity authentication system.
Background technology
With the development of network technology the number of Internet services has grown significantly, and a user's identity is generally authenticated before an Internet service is used. Traditional user authentication systems are mostly based on a static identity: the user registers an identity and a password with the system, and the server authenticates the user by matching the stored information. The password is mostly stored in plain text, so an attacker can obtain the user's traces by eavesdropping on the communication, spy on user information and mount user-forgery attacks. Methods based on a dynamic identity mainly use a smart card to store a key and an algorithm, generate a dynamic password with that algorithm, and send the dynamic password together with the user information to the server, where the authentication server computes the dynamic password and compares it. Although this effectively prevents an attacker from tracking a specific user, it cannot resist a malicious forgery attack on a legitimate user, nor an impersonation attack from the server side.
The content of the invention
In view of this, the present invention proposes an identity authentication method intended to solve the problem of attacks caused by server impersonation in the prior art. The invention also proposes an identity authentication device and an identity authentication system.
In one aspect, the present invention proposes an identity authentication method comprising the following steps: generating first user-identity verification information; sending the first user-identity verification information to a server; receiving server-identity verification information returned by the server, the server-identity verification information being information generated by the server after it performs user identity verification according to the received first user-identity verification information and that verification passes; and verifying the server's identity according to the returned server-identity verification information, where if the verification fails the user's login to the server fails, and if it passes the first condition for the user to log in to the server is met.
Further, in the above identity authentication method, the step of generating the first user-identity verification information further comprises: generating a first random number, and receiving a user identity tag, a user identity (ID) and a password; performing a hash calculation over the user ID, the password and the first random number to obtain a first hash value; performing an XOR calculation of the first random number with a pre-stored server identity (SID) to obtain a first XOR value; and determining the first hash value, the first XOR value and the user identity tag as the first user-identity verification information.
Further, in the above identity authentication method, the step of receiving the server-identity verification information returned by the server further comprises: receiving a second hash value returned by the server, the second hash value being generated as follows: the server recovers the first random number from the received first XOR value (by XORing it with its own server identity), obtains the user ID and password from a pre-stored user information database according to the received user identity tag, performs a hash calculation over the user ID, the password and the first random number to obtain a first hash value, and compares the calculated first hash value with the received first hash value; if they are consistent, user identity verification passes, the server generates a second random number, and performs a hash calculation over the second random number and the server identity to obtain the second hash value; and receiving a second XOR value returned by the server, the second XOR value being obtained by the server by XORing the first random number with the second random number.
Further, in the above identity authentication method, the step of verifying the server's identity according to the returned server-identity verification information further comprises: recovering the second random number from the second XOR value; performing a hash calculation over the server identity and the second random number to obtain a second hash value; and comparing the calculated second hash value with the second hash value returned by the server, where if they are consistent, server identity verification passes.
Further, in the above identity authentication method, when the first condition for the user to log in to the server is met, the user's login to the server is determined to be successful.
Further, the above identity authentication method also comprises the following steps: sending second user-identity verification information to the server; receiving a second user-identity verification result returned by the server, the second user-identity verification result being information returned by the server indicating whether user identity verification according to the received second user-identity verification information passed; when the second user-identity verification result is that verification passed, the second condition for the user to log in to the server is met and the user's login to the server succeeds; when the second user-identity verification result is that verification did not pass, the user's login to the server fails.
Further, in the above identity authentication method, the step of sending the second user-identity verification information to the server further comprises: calculating a third hash value of the first random number and sending the third hash value to the server. In the step of receiving the second user-identity verification result returned by the server, the result is determined as follows: the server performs a hash calculation over the first random number to obtain a third hash value and compares the calculated third hash value with the received third hash value; if they are consistent, user identity verification passes, and if they are inconsistent, user identity verification does not pass.
In this embodiment, the server first verifies the user's identity; if that verification fails, login fails. If it passes, the server generates server-identity verification information containing the server's SID and sends it to the client. After receiving this information the client verifies the server's identity; if that verification fails, the user's login fails, and if it succeeds the first condition for the user to log in to the server is met. At this point the user may log in to the server directly, or further verification conditions may be set so that the user logs in successfully only when those further conditions are also met. It can be seen that the present invention provides not only the server's verification of the user's identity but also the user's verification of the server's identity. This bidirectional identity authentication avoids attacks caused by a forged server identity and also resists message replay attacks by an attacker.
In another aspect, the invention also proposes an identity authentication device comprising: a generation module for generating first user-identity verification information; a sending module for sending the first user-identity verification information to a server; a receiving module for receiving server-identity verification information returned by the server, the server-identity verification information being generated by the server after it performs user identity verification according to the received first user-identity verification information and that verification passes; and a verification module for verifying the server's identity according to the returned server-identity verification information.
Further, in the above identity authentication device, the generation module is further configured to: generate a first random number and receive the user identity tag, user ID and password; perform a hash calculation over the user ID, the password and the first random number to obtain a first hash value; perform an XOR calculation of the first random number with the pre-stored server identity to obtain a first XOR value; and determine the first hash value, the first XOR value and the user identity tag as the first user-identity verification information. The receiving module is further configured to: receive the second hash value returned by the server, the second hash value being generated as follows: the server recovers the first random number from the received first XOR value, obtains the user ID and password from the pre-stored user information database according to the received user identity tag, performs a hash calculation over the user ID, the password and the first random number to obtain a first hash value, and compares the calculated first hash value with the received first hash value; if they are consistent, user identity verification passes, the server generates a second random number and performs a hash calculation over the second random number and the server identity to obtain the second hash value; and receive the second XOR value returned by the server, the second XOR value being obtained by the server by XORing the first random number with the second random number. The verification module is further configured to: recover the second random number from the second XOR value using the first random number; perform a hash calculation over the pre-stored server identity and the second random number to obtain a second hash value; and compare the calculated second hash value with the second hash value returned by the server, where if they are consistent, server identity verification passes.
In a further aspect, the invention also proposes an identity authentication system comprising a client and a server. The client is configured to generate first user-identity verification information and send it to the server. The server is configured to receive the first user-identity verification information, perform user identity verification according to it, generate server-identity verification information when user identity verification passes, and send the server-identity verification information to the client. The client is further configured to receive the server-identity verification information sent by the server and verify the server's identity according to it.
Further, in the above identity authentication system, the client is further configured to: generate a first random number and receive the user identity tag, user ID and password; perform a hash calculation over the user ID, the password and the first random number to obtain a first hash value; perform an XOR calculation of the first random number with the pre-stored server identity to obtain a first XOR value; and send the first hash value, the first XOR value and the user identity tag to the server. The server is further configured to: receive the first hash value and the first XOR value; recover the first random number from the received first XOR value; obtain the user ID and password from the pre-stored user information database according to the received user identity tag; perform a hash calculation over the user ID, the password and the first random number to obtain a first hash value; compare the calculated first hash value with the received first hash value, and if they are consistent, determine that user identity verification passes; generate a second random number and perform a hash calculation over the second random number and the server identity to obtain a second hash value; XOR the first random number with the second random number to obtain a second XOR value; and send the second hash value and the second XOR value to the client. The client is further configured to: receive the second hash value and the second XOR value; recover the second random number from the second XOR value; perform a hash calculation over the server identity and the second random number to obtain a second hash value; and compare the calculated second hash value with the second hash value returned by the server, where if they are consistent, server identity verification passes.
Since the identity authentication device and the identity authentication system operate on the same principle as the above identity authentication method, they have the same technical effect as the identity authentication method.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings the same parts are denoted by the same reference numerals. In the drawings:
Fig. 1 is a flow chart of the identity authentication method provided by an embodiment of the invention;
Fig. 2 is a flow chart of generating the first user-identity verification information in the identity authentication method provided by an embodiment of the invention;
Fig. 3 is a flow chart of receiving the server-identity verification information returned by the server in the identity authentication method provided by an embodiment of the invention;
Fig. 4 is a flow chart of verifying the server's identity according to the returned server-identity verification information in the identity authentication method provided by an embodiment of the invention;
Fig. 5 is a flow chart of re-authenticating the user's identity in the identity authentication method provided by an embodiment of the invention;
Fig. 6 is a structural block diagram of the identity authentication device provided by an embodiment of the invention;
Fig. 7 is a structural block diagram of the identity authentication system provided by an embodiment of the invention;
Fig. 8 is a workflow diagram of the identity authentication system provided by an embodiment of the invention.
Specific embodiment
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed completely to those skilled in the art. It should be noted that, where there is no conflict, the embodiments of the invention and the features in the embodiments may be combined with each other. The invention is described in detail below with reference to the drawings and in conjunction with the embodiments.
Authentication method embodiment:
Referring to Fig. 1, which is a flow chart of the identity authentication method provided by an embodiment of the invention, the method comprises the following steps:
Step S1: generate first user-identity verification information. Specifically, to log in, the user enters at the client the user identity (ID), password and other information chosen at registration; after receiving the ID, password and other information, the client generates the first user-identity verification information from them in order to identify the user's identity characteristics.
Step S2: send the first user-identity verification information to the server, so that the server can verify the first verification information.
Step S3: receive the server-identity verification information returned by the server. The server-identity verification information is information the server generates after performing user identity verification according to the received first user-identity verification information, and only when that verification passes. The server receives the first user-identity verification information and verifies the user's identity against it; when verification passes, it generates server-identity verification information, which should contain the server's identity (security identifier, SID), and sends it to the client. If the server's verification of the first user-identity verification information does not pass, login fails, and the server may return login-failure information to the client. It should be noted that the server here may be the registration server used when the user registered, or another authentication server; in the latter case the registration server should be connected to each of the other authentication servers and send the user's registration information to each of them, and each authentication server stores the user's registration information in order to verify user login information.
Step S4: verify the server's identity according to the returned server-identity verification information; if verification fails, the user's login to the server fails, and if it passes the first condition for the user to log in to the server is met. Specifically, the client may pre-store the server's SID, extract the server's SID from the received server-identity verification information, and determine that server identity verification passes when the extracted SID is consistent with the pre-stored SID; if they are inconsistent, server identity verification fails and the user cannot log in to the server. In the embodiment of Figs. 3 and 4 below this comparison is carried out not on the SID itself but on the second hash value, which binds the SID to the freshly generated second random number.
In this embodiment, the server first verifies the user's identity; if that verification fails, login fails. If it passes, the server generates server-identity verification information containing the server's SID and sends it to the client. After receiving this information the client verifies the server's identity; if that verification fails, the user's login fails, and if it succeeds the first condition for the user to log in to the server is met. At this point the user may log in to the server directly, or further verification conditions may be set so that the user logs in successfully only when those further conditions are also met. It can be seen that this embodiment provides not only the server's verification of the user's identity but also the user's verification of the server's identity. This bidirectional identity authentication avoids attacks caused by a forged server identity and also resists message replay attacks by an attacker.
Referring to Fig. 2, which is a flow chart of generating the first user-identity verification information in the above embodiment, the method comprises the following steps:
First calculation sub-step S11: generate a first random number, receive the user identity tag, user ID and password, and perform a hash calculation over the user ID, the password and the first random number to obtain a first hash value. The user ID and password are the registration information the user registered with the registration server; the hash calculation over the user ID and password uses a hash algorithm whose specific computation is well known to those skilled in the art and is not repeated here. The user identity tag is assigned to the user by the registration server at registration to identify the user's identity, and corresponds one-to-one with the user.
Second calculation sub-step S12: perform an XOR calculation of the first random number with the pre-stored server identity to obtain a first XOR value. The first random number is generated randomly by the client; the specific method is well known to those skilled in the art and is not repeated here.
Determination sub-step S13: determine the first hash value, the first XOR value and the user identity tag as the first user-identity verification information.
Referring to Fig. 3, in the above embodiment, receiving the server-identity verification information returned by the server may further comprise:
First receiving sub-step S14: receive the second hash value returned by the server. The second hash value is generated by the server and sent to the client as follows: the server recovers the first random number from the received first XOR value (by XORing it with its own server identity), obtains the user ID and password from the pre-stored user information database according to the received user identity tag, performs a hash calculation over the user ID, the password and the first random number to obtain a first hash value, and compares this calculated first hash value with the received first hash value. If they are inconsistent, user identity verification does not pass and login fails; if they are consistent, user identity verification is determined to have passed. The method of recovering the first random number from the first XOR value is well known to those skilled in the art and is not repeated here.
Second receiving sub-step S15: receive the second XOR value returned by the server. The second XOR value is obtained by the server by XORing the first random number with the second random number. It should be noted that the order of the first receiving sub-step S14 and the second receiving sub-step S15 is not fixed and may be exchanged.
Referring to Fig. 4, in the above embodiment, verifying the server's identity according to the returned server-identity verification information further comprises verification sub-step S16: recover the second random number from the second XOR value (by XORing it with the first random number); perform a hash calculation over the server identity and the second random number to obtain a second hash value; and compare the calculated second hash value with the second hash value returned by the server. If they are consistent, server identity verification passes and the first condition for user login is met.
When the first condition of User logs in is met, user and server have been completed and are mutually authenticated, now, Yong Huke
With Successful login server, during specific implementation, for the sake of security, it is also possible to set up server recognizing again to user identity again
Card, referring to Fig. 5, can also specifically comprise the following steps:
The checking information of user identity second is sent to server.Specifically, the checking information of user identity second can include:Pass through
Hash algorithm calculates the 3rd cryptographic Hash of the first random number;3rd cryptographic Hash of the first random number is sent to server;And connect
Receive the result of user identity second that server is returned.Wherein, the result of user identity second is server according to reception
The information that whether passes through of subscriber authentication that returns of the checking information of user identity second.It is random to first during specific implementation
Number carries out Hash calculation, obtains the 3rd cryptographic Hash, compares the 3rd cryptographic Hash being calculated and the 3rd cryptographic Hash for receiving, if
Unanimously, then subscriber authentication passes through, if inconsistent, subscriber authentication passes through.It should be noted that in the present embodiment
The step is the subsequent step after subscriber authentication passes through in the first reception sub-step S14, that is to say, that now, service
Device is stored to first random number.
When the result of user identity second is to be verified, then the second condition of user login services device is met, this
When user can be with Successful login server;When the result of user identity second does not pass through, the failure of user login services device.
In this embodiment, after the user and the server have authenticated each other, a further server-side re-authentication of the user's identity is added, which further improves the reliability of the authentication result and the security of the user's login.
In a specific implementation, when the user registers with the registration server, the user may send a random number in addition to the user ID and password code, so as to further establish the uniqueness of the user ID. During registration the registration centre may assign the user a key; as those skilled in the art will appreciate, every data transmission between client and server throughout the verification process described above carries this key, so that the transmissions are identified as authentication information of the same user.
During user registration, the user information may also be stored on a smart card. Specifically, after the client receives the user ID, random number and password code entered by the user, it hashes the user ID, random number and password code to obtain a hash value A and sends this hash value to the registration server. On receiving hash value A, the registration server assigns the user a key, then computes the hash of the key, of hash value A and of the user ID respectively; the resulting hash values form a hash combination, which the server sends to the client. On receiving the hash combination, the client generates a random number b and stores the hash combination together with random number b on the smart card. In the authentication phase the user first inserts the smart card into the client and then enters the user ID and password code; when the user ID and password code entered by the user are consistent with what is stored on the smart card, the client's verification of the smart card passes, and only after the smart card has been verified does the subsequent mutual authentication between user and server take place. In addition, in a specific implementation the hash combination here may serve as the user identity marker.
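The registration step above, as an added example that is not code from the patent: the client hashes the entered ID, random number and password into A, the registration centre assigns a key and returns the hash combination (hash of the key, of A and of the ID), and the client writes the combination plus its own random number b to the card. Everything here is constructed sample data; SHA-256 stands in for the unspecified hash, and the card is a plain dictionary. One assumption is labelled in the code: the registration random number r is also written to the card so that the login-time card check can recompute A from the entered ID and password, since the patent does not say how the card comparison is performed.

```python
import hashlib
import hmac
import secrets


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed fields; the patent only says 'hash', so the algorithm is my choice."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big"))
        m.update(p)
    return m.digest()


class RegistrationServer:
    """Registration centre: assigns each user a key and returns the hash combination."""

    def __init__(self):
        self.assigned_keys = {}   # hash value A -> assigned key (constructed in-memory store)

    def register(self, uid: bytes, a: bytes) -> tuple:
        key = secrets.token_bytes(32)
        self.assigned_keys[a] = key
        # hash combination: hash of the key, of hash value A and of the user ID
        return (h(key), h(a), h(uid))


def enrol(uid: bytes, password: bytes, r: bytes, reg: RegistrationServer) -> dict:
    """Client side of registration; returns what is written to the smart card."""
    a = h(uid, r, password)                    # hash value A sent to the registrar
    combination = reg.register(uid, a)
    b = secrets.token_bytes(16)                # random number b generated by the client
    # ASSUMPTION: the registration random number r is stored on the card alongside the
    # combination and b so that card_check() can recompute A; the patent lists only
    # the combination and b as card contents.
    return {"combination": combination, "b": b, "r": r}


def card_check(card: dict, uid: bytes, password: bytes) -> bool:
    """Local smart-card verification at login: recompute A from the entered ID and password
    and compare its hash, and the ID hash, with the combination stored on the card."""
    _, h_a, h_uid = card["combination"]
    a = h(uid, card["r"], password)
    return hmac.compare_digest(h(a), h_a) and hmac.compare_digest(h(uid), h_uid)


def identity_marker(card: dict) -> bytes:
    """The hash combination doubles as the user identity marker used later in the protocol."""
    return b"".join(card["combination"])


def demo():
    """Enrol a constructed user, then run the card check with a right and a wrong password."""
    reg = RegistrationServer()
    card = enrol(b"alice", b"correct-horse", secrets.token_bytes(16), reg)
    return card_check(card, b"alice", b"correct-horse"), card_check(card, b"alice", b"wrong")


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The point the code makes explicit is that the card never holds the password or the key themselves, only hashes, and that the login-time check is a recomputation followed by a constant-time comparison (`hmac.compare_digest`, my choice rather than anything the patent specifies).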
In summary, this embodiment not only provides server verification of the user's identity but also user verification of the server's identity. This bidirectional identity authentication avoids attacks that rely on forging the server's identity and also resists message replay attacks by an attacker.
Identity authentication device embodiment:
Referring to Fig. 6, which is a structural block diagram of the identity authentication device provided in an embodiment of the present invention. As shown, the device includes a generation module 100, a sending module 200, a receiving module 300 and an authentication module 400. The generation module generates the first user-identity verification information; the sending module sends the first user-identity verification information to the server; the receiving module receives the server-identity verification information returned by the server, which the server generates by performing user identity verification on the received first user-identity verification information and which it produces when that verification passes; and the authentication module verifies the server's identity using the returned server-identity verification information.
Further, the generation module is also used to: generate a first random number and receive the user identity marker, user identity and password code; hash the user identity, password code and first random number to obtain a first hash value; XOR the first random number with the pre-stored server identity to obtain a first XOR value; and define the first hash value, the first XOR value and the user identity marker as the first user-identity verification information. The receiving module is also used to receive the second hash value returned by the server, which is generated as follows: the server recovers the first random number from the received first XOR value, retrieves the user identity and password code from the pre-stored user information database according to the received user identity marker information, hashes the user identity, password code and first random number to obtain a first hash value, and compares the first hash value it computed with the first hash value it received; if they match, user identity verification passes, and the server generates a second random number and hashes the second random number and the server identity to obtain the second hash value. The receiving module also receives the second XOR value returned by the server, which the server obtains by XORing the first random number with the second random number. The authentication module is also used to recover the second random number from the second XOR value, hash the server identity and the second random number to obtain a second hash value, and compare the second hash value it computed with the second hash value returned by the server; if they match, server identity verification passes.
For the specific implementation of the generation module 100, sending module 200, receiving module 300 and authentication module 400, refer to the method embodiment above; it is not repeated here.
Because the authentication method embodiment has the effects described above, the authentication device embodiment also has the corresponding technical effects.
Authentication system embodiment:
Referring to Fig. 7, which is a structural block diagram of the identity authentication system provided in an embodiment of the present invention. As shown, the system includes a client 500 and a server 600. The client generates the first user-identity verification information and sends it to the server. The server receives the first user-identity verification information, performs user identity verification according to it, generates server-identity verification information when user identity verification passes, and sends the server-identity verification information to the client. The client receives the server-identity verification information sent by the server and verifies the server's identity using it.
Further, the client is also used to: generate a first random number and receive the user identity marker, user identity and password code; hash the user identity, password code and first random number to obtain a first hash value; XOR the first random number with the pre-stored server identity to obtain a first XOR value; and send the first hash value, the first XOR value and the user identity marker to the server. The server is also used to: receive the first hash value and the first XOR value; recover the first random number from the received first XOR value; retrieve the user identity and password code from the pre-stored user information database according to the received user identity marker information; hash the user identity, password code and first random number to obtain a first hash value; and compare the first hash value it computed with the first hash value it received. If they match, user identity verification passes, and the server generates a second random number, hashes the second random number and the server identity to obtain a second hash value, XORs the first random number with the second random number to obtain a second XOR value, and sends the second hash value and the second XOR value to the client. The client is also used to: receive the second hash value and the second XOR value; recover the second random number from the second XOR value; hash the server identity and the second random number to obtain a second hash value; and compare the second hash value it computed with the second hash value returned by the server. If they match, server identity verification passes.
Further, after the client's verification of the server's identity passes, the server may authenticate the user's identity once more. Specifically, the client sends second user-identity verification information to the server; this may comprise computing a third hash value of the first random number with the hash algorithm and sending the third hash value of the first random number to the server, and then receiving the second user-identity verification result returned by the server. The second user-identity verification result is the server's indication, based on the received second user-identity verification information, of whether user identity verification passed. In a specific implementation, the server derives the first random number from the received third hash value, and when that first random number matches the first random number from the first reception sub-step S14, it determines that user identity verification passes; the user may then log in to the server.
Referring to Fig. 8, the identity authentication method in the embodiment of the present invention is described in more detail in combination with storing the user information on a smart card:
The smart card is first inserted into the client, and the user ID and password code are entered at the client. The client receives the user ID and password code entered by the user and compares them with the user ID and password code stored on the smart card; if they match, smart card verification passes, and if they differ, smart card verification fails. After smart card verification passes, the client generates a first random number, hashes the user ID, password code and first random number with the hash algorithm to obtain the first hash value M1, XORs the server identity SID pre-stored at the client with the first random number n1 to obtain the first XOR value M2, and sends the first hash value M1 and the first XOR value M2 to the server. After receiving the first hash value M1 and the first XOR value M2, the server recovers the first random number n1 from the first XOR value M2, queries the registration centre with the received user identity marker for the user information it holds, obtains the user's identity ID, and hashes the ID, password code and first random number to obtain a first hash value. When the first hash value it computed matches the first hash value it received, user identity verification passes; the server stores the first random number n1, generates a second random number n2, hashes the second random number n2 and the server identity SID to obtain the second hash value M3, XORs the first random number n1 with the second random number n2 to obtain the second XOR value M4, and sends the second hash value M3 and the second XOR value M4 to the client. After receiving the second hash value M3 and the second XOR value M4, the client recovers the second random number n2 from the second XOR value M4 and hashes the server identity and the second random number to obtain a second hash value M3. When the second hash value it computed matches the second hash value it received, the client determines that server identity verification passes; at this point the mutual authentication between user and server has succeeded and the user can log in to the server. For additional security, however, the server may authenticate the user's identity once more: the client computes the third hash value M5 of the first random number n1 and sends the third hash value M5 to the server; the server receives the third hash value M5, computes the third hash value M5 from the first random number n1 it stored earlier, and when the third hash value it computed matches the third hash value it received, user identity verification is determined to pass and the user can log in successfully; when they differ, user identity verification fails.
This embodiment not only provides server verification of the user's identity but also user verification of the server's identity. This bidirectional identity authentication avoids attacks that rely on forging the server's identity and also resists message replay attacks by an attacker.
Because the authentication method, authentication device and authentication system in this embodiment share the same principle, the related parts may be referred to one another.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications of the invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to encompass them.
Claims (11)
1. An identity authentication method, characterised in that it comprises the following steps:
generating first user-identity verification information;
sending the first user-identity verification information to a server;
receiving server-identity verification information returned by the server, the server-identity verification information being information generated by the server after performing user identity verification on the received first user-identity verification information, when that user identity verification passes;
verifying the server's identity according to the returned server-identity verification information; if the verification fails, the user's login to the server fails; if the verification passes, the first condition for the user to log in to the server is met.
2. The identity authentication method according to claim 1, characterised in that the step of generating first user-identity verification information further comprises:
generating a first random number and receiving a user identity marker, a user identity and a password code, and hashing the user identity, the password code and the first random number to obtain a first hash value;
XORing the first random number with a pre-stored server identity to obtain a first XOR value;
defining the first hash value, the first XOR value and the user identity marker as the first user-identity verification information.
3. The identity authentication method according to claim 2, characterised in that the step of receiving the server-identity verification information returned by the server further comprises:
receiving a second hash value returned by the server, the second hash value being generated as follows: the server obtains the first random number from the received first XOR value, obtains the user identity and the password code from a pre-stored user information database according to the received user identity marker information, hashes the user identity, the password code and the first random number to obtain a first hash value, and compares the first hash value it computed with the first hash value it received; if they match, user identity verification passes, a second random number is generated, and the second random number and the server identity are hashed to obtain the second hash value;
receiving a second XOR value returned by the server, wherein the second XOR value is obtained by the server XORing the first random number with the second random number.
4. The identity authentication method according to claim 3, characterised in that the step of verifying the server's identity according to the returned server-identity verification information further comprises:
obtaining the second random number from the second XOR value;
hashing the server identity and the second random number to obtain a second hash value;
comparing the second hash value computed with the received second hash value returned by the server; if they match, server identity verification passes.
5. The identity authentication method according to any one of claims 1 to 4, characterised in that when the first condition for the user to log in to the server is met, the user's login to the server is determined to be successful.
6. The identity authentication method according to claim 4, characterised in that it further comprises the following steps:
sending second user-identity verification information to the server;
receiving a second user-identity verification result returned by the server, the second user-identity verification result being information indicating whether the user identity verification performed by the server on the received second user-identity verification information passed;
when the second user-identity verification result is a pass, the second condition for the user to log in to the server is met and the user's login to the server succeeds; when the second user-identity verification result is a failure, the user's login to the server fails.
7. The identity authentication method according to claim 6, characterised in that
the step of sending second user-identity verification information to the server further comprises: computing a third hash value of the first random number; and sending the third hash value to the server;
in the step of receiving the second user-identity verification result returned by the server, the second user-identity verification result is determined as follows: the server hashes the first random number to obtain a third hash value and compares the third hash value it computed with the third hash value it received; if they match, user identity verification passes; if they differ, user identity verification fails.
8. An identity authentication device, characterised in that it comprises:
a generation module for generating first user-identity verification information;
a sending module for sending the first user-identity verification information to a server;
a receiving module for receiving server-identity verification information returned by the server, the server-identity verification information being information generated by the server after performing user identity verification on the received first user-identity verification information, when that user identity verification passes;
an authentication module for verifying the server's identity according to the returned server-identity verification information.
9. The identity authentication device according to claim 8, characterised in that
the generation module is further used to: generate a first random number and receive a user identity marker, a user identity and a password code; hash the user identity, the password code and the first random number to obtain a first hash value; XOR the first random number with a pre-stored server identity to obtain a first XOR value; and define the first hash value, the first XOR value and the user identity marker as the first user-identity verification information;
the receiving module is further used to: receive a second hash value returned by the server, the second hash value being generated as follows: the server obtains the first random number from the received first XOR value, obtains the user identity and the password code from a pre-stored user information database according to the received user identity marker information, hashes the user identity, the password code and the first random number to obtain a first hash value, and compares the first hash value it computed with the first hash value it received; if they match, user identity verification passes, a second random number is generated, and the second random number and the server identity are hashed to obtain the second hash value; and receive a second XOR value returned by the server, wherein the second XOR value is obtained by the server XORing the first random number with the second random number;
the authentication module is further used to: obtain the second random number from the second XOR value; hash the pre-stored server identity and the second random number to obtain a second hash value; and compare the second hash value computed with the received second hash value returned by the server; if they match, server identity verification passes.
10. An identity authentication system, characterised in that it comprises a client and a server, wherein
the client is used to: generate first user-identity verification information and send the first user-identity verification information to the server;
the server is used to: receive the first user-identity verification information, perform user identity verification according to the received first user-identity verification information, generate server-identity verification information when user identity verification passes, and send the server-identity verification information to the client;
the client is used to: receive the server-identity verification information sent by the server and verify the server's identity according to the returned server-identity verification information.
11. The identity authentication system according to claim 10, characterised in that
the client is further used to: generate a first random number and receive a user identity marker, a user identity and a password code; hash the user identity, the password code and the first random number to obtain a first hash value; XOR the first random number with a pre-stored server identity to obtain a first XOR value; and send the first hash value, the first XOR value and the user identity marker to the server;
the server is further used to: receive the first hash value and the first XOR value, obtain the first random number from the received first XOR value, obtain the user identity and the password code from a pre-stored user information database according to the received user identity marker information, hash the user identity, the password code and the first random number to obtain a first hash value, and compare the first hash value it computed with the first hash value it received; if they match, user identity verification passes, a second random number is generated, the second random number and the server identity are hashed to obtain a second hash value, the first random number is XORed with the second random number to obtain a second XOR value, and the second hash value and the second XOR value are sent to the client;
the client is further used to: receive the second hash value and the second XOR value, obtain the second random number from the second XOR value, hash the server identity and the second random number to obtain a second hash value, and compare the second hash value computed with the received second hash value returned by the server; if they match, server identity verification passes.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201511001209.0A CN106921640A (en) | 2015-12-28 | 2015-12-28 | Identity identifying method, authentication device and Verification System |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106921640A true CN106921640A (en) | 2017-07-04 |
Family
ID=59455100
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201511001209.0A Pending CN106921640A (en) | 2015-12-28 | 2015-12-28 | Identity identifying method, authentication device and Verification System |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106921640A (en) |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108632295A (en) * | 2018-05-09 | 2018-10-09 | 湖南东方华龙信息科技有限公司 | The method for preventing terminal attack server repeatedly |
CN109347887A (en) * | 2018-12-17 | 2019-02-15 | 郑州云海信息技术有限公司 | A kind of identity authentication method and device |
CN109391474A (en) * | 2018-12-25 | 2019-02-26 | 武汉思普崚技术有限公司 | A kind of safety certifying method and system of non-encrypted link |
CN110198316A (en) * | 2019-05-30 | 2019-09-03 | 全链通有限公司 | Auth method, equipment and storage medium based on alliance's block chain |
CN110784466A (en) * | 2019-10-29 | 2020-02-11 | 北京汽车集团有限公司 | Information authentication method, device and equipment |
CN111740982A (en) * | 2020-06-18 | 2020-10-02 | 深圳市今天国际物流技术股份有限公司 | Server anti-attack method and system based on computing power certification |
CN111901346A (en) * | 2020-07-29 | 2020-11-06 | 北京奇艺世纪科技有限公司 | Identity authentication system |
CN112086176A (en) * | 2020-07-29 | 2020-12-15 | 重庆市人口和计划生育科学技术研究院 | Data acquisition analysis and feedback system for sperm library |
CN112383535A (en) * | 2020-11-10 | 2021-02-19 | 平安普惠企业管理有限公司 | Method and device for detecting Hash transfer attack behavior and computer equipment |
CN113254898A (en) * | 2021-05-13 | 2021-08-13 | 谢利珍 | Chinese teaching interactive system with teaching effect feedback function |
CN113347143A (en) * | 2021-04-14 | 2021-09-03 | 西安慧博文定信息技术有限公司 | Identity authentication method, device, equipment and storage medium |
CN113722686A (en) * | 2021-08-17 | 2021-11-30 | 深圳市新国都股份有限公司 | Debugging bridge authorization method, device, equipment and computer readable storage medium |
CN113765856A (en) * | 2020-06-04 | 2021-12-07 | 中移(成都)信息通信科技有限公司 | Identity authentication method, device, equipment and medium |
WO2022135401A1 (en) * | 2020-12-26 | 2022-06-30 | 西安西电捷通无线网络通信股份有限公司 | Identity authentication method and apparatus, storage medium, program, and program product |
CN117056976A (en) * | 2023-08-22 | 2023-11-14 | 哈尔滨商业大学 | Financial data processing method, device and system |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102195782A (en) * | 2011-06-07 | 2011-09-21 | 吉林大学 | Two-way identity authentication method with integration of identity and password for mailing system |
CN103905437A (en) * | 2014-03-22 | 2014-07-02 | 哈尔滨工程大学 | Remote protocol authentication method based on passwords |
CN105072110A (en) * | 2015-08-06 | 2015-11-18 | 山东科技大学 | Two-factor remote identity authentication method based on smart card |
Legal events: 2015-12-28 CN CN201511001209.0A patent/CN106921640A/en active Pending
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108632295A (en) * | 2018-05-09 | 2018-10-09 | 湖南东方华龙信息科技有限公司 | The method for preventing terminal attack server repeatedly |
CN108632295B (en) * | 2018-05-09 | 2020-11-24 | 湖南东方华龙信息科技有限公司 | Method for preventing terminal from repeatedly attacking server |
CN109347887A (en) * | 2018-12-17 | 2019-02-15 | 郑州云海信息技术有限公司 | A kind of identity authentication method and device |
CN109391474A (en) * | 2018-12-25 | 2019-02-26 | 武汉思普崚技术有限公司 | A kind of safety certifying method and system of non-encrypted link |
CN110198316A (en) * | 2019-05-30 | 2019-09-03 | 全链通有限公司 | Auth method, equipment and storage medium based on alliance's block chain |
CN110784466B (en) * | 2019-10-29 | 2022-07-12 | 北京汽车集团有限公司 | Information authentication method, device and equipment |
CN110784466A (en) * | 2019-10-29 | 2020-02-11 | 北京汽车集团有限公司 | Information authentication method, device and equipment |
CN113765856A (en) * | 2020-06-04 | 2021-12-07 | 中移(成都)信息通信科技有限公司 | Identity authentication method, device, equipment and medium |
CN113765856B (en) * | 2020-06-04 | 2023-09-08 | 中移(成都)信息通信科技有限公司 | Identity authentication method, device, equipment and medium |
CN111740982A (en) * | 2020-06-18 | 2020-10-02 | 深圳市今天国际物流技术股份有限公司 | Server anti-attack method and system based on computing power certification |
CN111740982B (en) * | 2020-06-18 | 2022-02-11 | 深圳市今天国际物流技术股份有限公司 | Server anti-attack method and system based on computing power certification |
CN111901346A (en) * | 2020-07-29 | 2020-11-06 | 北京奇艺世纪科技有限公司 | Identity authentication system |
CN112086176A (en) * | 2020-07-29 | 2020-12-15 | 重庆市人口和计划生育科学技术研究院 | Data acquisition analysis and feedback system for sperm library |
CN112383535B (en) * | 2020-11-10 | 2022-10-25 | 平安普惠企业管理有限公司 | Method and device for detecting Hash transfer attack behavior and computer equipment |
CN112383535A (en) * | 2020-11-10 | 2021-02-19 | 平安普惠企业管理有限公司 | Method and device for detecting Hash transfer attack behavior and computer equipment |
WO2022135401A1 (en) * | 2020-12-26 | 2022-06-30 | 西安西电捷通无线网络通信股份有限公司 | Identity authentication method and apparatus, storage medium, program, and program product |
CN113347143A (en) * | 2021-04-14 | 2021-09-03 | 西安慧博文定信息技术有限公司 | Identity authentication method, device, equipment and storage medium |
CN113254898A (en) * | 2021-05-13 | 2021-08-13 | 谢利珍 | Chinese teaching interactive system with teaching effect feedback function |
CN113722686A (en) * | 2021-08-17 | 2021-11-30 | 深圳市新国都股份有限公司 | Debugging bridge authorization method, device, equipment and computer readable storage medium |
CN117056976A (en) * | 2023-08-22 | 2023-11-14 | 哈尔滨商业大学 | Financial data processing method, device and system |
CN117056976B (en) * | 2023-08-22 | 2024-03-08 | 哈尔滨商业大学 | Financial data processing method, device and system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106921640A (en) | | Identity identifying method, authentication device and Verification System |
CN104378206B (en) | | A kind of virtual desktop safety certifying method and system based on USB Key |
KR101853610B1 (en) | | Digital signature authentication system based on biometric information and digital signature authentication method thereof |
CN101340437B (en) | | Time source regulating method and system |
CN104579649B (en) | | Personal identification method and system |
CN104283885B (en) | | A kind of implementation method of many SP secure bindings based on intelligent terminal local authentication |
CN106533696A (en) | | Block chain-based identity authentication methods, authentication server and user terminal |
JP2018501567A (en) | | Device verification method and equipment |
CN103345690B (en) | | Anti-counterfeiting method based on RFID and physical unclonable function |
CN103679436A (en) | | Electronic contract security system and method based on biological information identification |
CN102271042A (en) | | Certificate authorization method, system, universal serial bus (USB) Key equipment and server |
CN103338201B (en) | | The remote identity authentication method that under a kind of environment of multi-server, registration center participates in |
CN101765108A (en) | | Safety certification service platform system, device and method based on mobile terminal |
CN103929425B (en) | | A kind of identity registration, identity authentication method, equipment and system |
CN112165382B (en) | | Software authorization method and device, authorization server side and terminal equipment |
CN106330838A (en) | | Dynamic signature method, client using the same and server |
CN105207776A (en) | | Fingerprint authentication method and system |
CN106411950A (en) | | Block-chain transaction ID based authentication method, device and system |
CN106850207A (en) | | Identity identifying method and system without CA |
CN109347875A (en) | | Internet of things equipment, platform of internet of things and the method and system for accessing platform of internet of things |
CN102281138A (en) | | Method and system for improving safety of verification code |
CN102982603A (en) | | Internet lottery secure transaction and awarding method based on iris recognition |
CN108667801A (en) | | A kind of Internet of Things access identity safety certifying method and system |
Jan | | An improved lightweight privacy preserving authentication scheme for SIP-Based-VoIP using smart card |
CN106911700A (en) | | A kind of method that RFID label tag group proves |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2017-07-04